# DANGEROUS-CONTENT-PATTERNS.RC
#
#  Patterns that catch email carrying attachments which could be a
#  virus or trojan, or carrying links to content which could be a
#  virus or trojan.
#
#  Last updated: 10/14/2016
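# Hidden executables (typical of viruses)
#
#  This catches attachment names that hide an executable behind a
#  harmless-looking inner extension, like IEEE802WAPTER.doc.pif,
#  hello.doc.bat, and readme.HTML.vbs: one or more name parts, an
#  inner "extension" of one to four characters, then an executable
#  extension.  Runs only while DANGEROUS is still "no", so a message
#  already tagged by an earlier recipe is not logged twice.
#
#  The inner extension allows up to four characters so that decoys
#  such as .html, .docx and .jpeg are caught, and vbs and jar are in
#  the executable list so that the examples above match and the list
#  agrees with the "Probable Malware Attachment" recipe further down.
#
:0 BH
* DANGEROUS ?? ^no$
* B ?? (^|[^0-9a-z])name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
                    [0-9a-z][0-9a-z]?[0-9a-z]?[0-9a-z]?\.(bat|com|cmd|cpl|dll|\
                    exe|hqx|hta|jar|lnk|pif|scr|vbs)([^0-9a-z.]|$)
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Hidden Executable Attachment"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}
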
# EXECUTABLE ATTACHMENTS
#
#  This section contains patterns for attachments, and links, that
#  are known or probable trojans, viruses, spyware, or other active
#  content posing a direct risk to at least some computer users.

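# Document Attachments with Scripts Explicitly Enabled
#
#  Matches a body part whose MIME type is the macro-enabled Word
#  format (application/vnd.ms-word.document.macroEnabled.NN;) or a
#  part boundary beginning "--_com.android.email".  Runs only while
#  DANGEROUS is still "no", like every other recipe in this file, so
#  a message is tagged and logged once rather than re-flagged here
#  after an earlier match.
#
#  NOTE(review): "--_com.android.email" looks like the multipart
#  boundary string of the stock Android mail client, so legitimate
#  mail from that client may be tagged by this alternative -- confirm
#  it is still wanted.
#
:0
* DANGEROUS ?? ^no$
* B ?? ([-][-]_com\.android\.email|\
        application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9];)
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Malware Attachment (Document w/Scripts Explicity Enabled)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}
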
# Trojan URLs
#
#  Despite its heading, this recipe matches MIME parts and attachment
#  names, not links.  The score starts at -1 and each matching
#  condition adds 2 (^0: only the first hit of each pattern scores),
#  so a single hit is enough to tag the message:
#    - the macro-enabled Word MIME type with a version suffix
#      (application/vnd.ms-word.document.macroEnabled.NN) anywhere;
#    - a Content-Type header line of the same family without the
#      version suffix (overlaps the previous pattern for the
#      versioned form);
#    - a name= or filename= whose final extension is one of the
#      executable types listed.
#  The B flag on the :0 line and the "B ??" on each condition both
#  select the body, so one of the two is redundant.  Runs only while
#  DANGEROUS is still "no".
#
:0 B
* DANGEROUS ?? ^no$
*       -1^0
* B ??   2^0  application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9]
* B ??   2^0  (^|[^0-9a-z])Content-Type: application/vnd\.ms-word\.document\.macroEnabled([^0-9a-z.]|$)
* B ??   2^0  (^|[^0-9a-z])(file)?name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
                           (bat|com|cmd|cpl|dll|exe|hqx|hta|jar|lnk|pif|scr)([^0-9a-z.]|$)
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Probable Malware Attachment (Pattern Match)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}


# GENERIC DANGEROUS CONTENT
#
#  Each recipe below is switched on by its own *CHECKING variable
#  (IFRAMECHECKING, SCRIPTCHECKING, ...) as well as by DANGEROUS
#  still being "no".

# Embedded IFRAME
#
#  This catches email with embedded IFRAMEs, which can run remote
#  executable content on some email programs and are therefore
#  dangerous.
#
#  Gated by IFRAMECHECKING=yes and by DANGEROUS still being "no".
#  Headers and body are searched (BH).  Scoring: -1000 to start,
#  +1100 for every "<iframe ... src= ... height= ... width=" and
#  +1100 for every "iframe>" (^1: each additional hit scores again);
#  the message is tagged once the total is positive.  "iframe>" also
#  matches the closing </iframe> tag, so a single closing tag alone
#  already yields a positive score.  The leading "()" is an empty
#  group and does not change what is matched.
#
:0 BH
* DANGEROUS ?? ^no$
* IFRAMECHECKING ?? ^yes$
* -1000^0
*  1100^1    ()<iframe.*src=.*height=.*width=
*  1100^1      iframe>
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Embedded iframe"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}


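# Embedded Scripts
#
#  This catches HTML-based email with embedded Scripting code,
#  Javascript or others.
#
#  Gated by SCRIPTCHECKING=yes and by DANGEROUS still being "no".
#  Headers and body are searched (BH).  Scoring starts at -1000 and
#  the message is tagged once the total is positive:
#    +600 per <script ...> opening tag (^1: every hit scores);
#    +600 per </script> closing tag;
#    +500 once for "<object"; +300 once each for "codebase", "data"
#         and a "scheme:/" style URL; +100 once each for "classid"
#         and a "clsid:" identifier.
#  The opening-tag pattern accepts any form of the tag -- <script>,
#  <script type=...>, <script src=...> as well as the old
#  <script language=...> -- so that an ordinary script block
#  (open + close = +1200) is tagged on its own instead of depending
#  on the weaker tokens below to push the score positive.
#
#  NOTE(review): "data" and "[a-z]?:/" are very common substrings
#  (any word containing "data", any http:// link), so they can add
#  +600 to ordinary HTML mail; review whether that weight is still
#  wanted.
#
:0 BH
* DANGEROUS ?? ^no$
* SCRIPTCHECKING ?? ^yes$
* -1000^0
*   600^1 ()<SCRIPT([^0-9a-z]|$)
*   600^1 ()</SCRIPT>
*   500^0 ()<object
*   300^0 codebase
*   300^0 data
*   300^0 (file:/)?.*[a-z]?:/
*   100^0 classid
*   100^0 clsid:[-0-9a-f]+
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Embedded Script"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}

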
# Help.chm exploit
#
#  This catches email with a URL that downloads a help.chm file,
#  which on Microsoft Windows computers running IE, in turn exploits
#  a known bug.  Email with this type of URL is rarely, if ever,
#  legitimate.
#
#  Gated by CHMEXPLOITCHECKING=yes and by DANGEROUS still being "no".
#  The body (B) is searched for an http or https URL whose host is
#  on port 8888 and whose path begins "help.chm::/"; that is the only
#  form this pattern covers, so other ports or paths are not matched.
#
:0 B
* DANGEROUS ?? ^no$
* CHMEXPLOITCHECKING ?? ^yes$
* (^|[^-_0-9a-z])https?://[0-9a-z][-_0-9a-z.]+:8888/help\.chm::/
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Help.CHM Exploit"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}


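# Hidden CLSID
#
#  This catches email with hidden CLSID objects: a part whose name=
#  ends in a "{xxxxxxxx-...}" class identifier used in place of (or
#  in front of an optional final 3-4 character) extension.
#
#  Gated by CLSIDCHECKING and by DANGEROUS still being "no".  The
#  CLSIDCHECKING test is anchored (^yes$) like the other *CHECKING
#  gates in this file, so only the exact value "yes" enables it.
#  Headers and body are searched (BH).
#
#  NOTE(review): "\(text\)" in the Content-Type condition is a
#  literal parenthesised word, not a group -- confirm that is the
#  intended match.
#
:0 BH
* DANGEROUS ?? ^no$
* CLSIDCHECKING ?? ^yes$
* ^Content-Type[ ]*:.*\(text\)
*  name[ ]*.?[ ]*=.*\.[ ]*\{[-0-9a-f]+\}(\.....?)?"?[ ]*$
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Hidden CLSID"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}
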
# .ZIP, .RAR, and other binary archive attachments
#
#  This catches any email with an attached binary archive file and puts it
#  in your ${BLOCKFOLDER}.  This filter should intercept many new
#  email viruses.
#
#  Gated by ZIPCHECKING=yes and by DANGEROUS still being "no".  A
#  message whose Subject: header contains ${BYPASSWD} is let through.
#  The body condition looks for a name= whose final extension is one
#  of the listed archive types; vbe and vbs (VBScript files) are not
#  archives but are caught here as well.
#
#  NOTE(review): procmail substitutes ${...} inside a condition only
#  when the condition starts with "$"; as written the bypass may be
#  comparing against the literal text "${BYPASSWD}", in which case
#  it never fires and every listed attachment is tagged (fail
#  closed).  Confirm against how the main rc sets up BYPASSWD before
#  changing this.
#
:0
* DANGEROUS ?? ^no$
* ZIPCHECKING ?? ^yes$
* ! H ?? ^Subject:.*${BYPASSWD}
*   B ?? (^|[^0-9a-z])name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+(arc|bz2?|\
                      gz|rar|tar|tbz|tgz|vbe|vbs|Z|zip)([^0-9a-z.]|$)
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Binary Archive Attachment"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}


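# Document Files with Executable Code (also too dangerous)
#
#  This catches any email containing a document file of a type that
#  can contain executable macros, such as most Microsoft Office files
#  can, and puts it in your ${BLOCKFOLDER}.  This filter should
#  intercept many new email viruses.
#
#  Gated by EXEDOCCHECKING=yes and by DANGEROUS still being "no"; a
#  Subject: containing ${BYPASSWD} is let through.  Headers and body
#  are searched (BH).  Scoring starts at -1000 and any one of the
#  five conditions adds 1100, so a single hit tags the message:
#    1. Content-Type: application/<subtype> immediately followed by a
#       Content-Disposition: attachment line naming a document
#       extension (cd?, doc, pdf, ppt, prj, vs?, xl?, where ? is any
#       one character) and, later, a line with no spaces;
#    2. the same name check after a Content-Transfer-Encoding: base64
#       line followed by Content-Disposition: attachment;
#    3. Content-Type: application/octet-stream whose name="..." has a
#       document extension;
#    4. base64 plus Content-Disposition: attachment with a
#       filename="..." that has a document extension;
#    5. any Content-Type: application/msword part.
#  Two fixes from review: the subtype class in condition 1 was
#  "[-_0-9az-.]" (a reversed z-. range) and is now "[-_0-9a-z.]" as
#  in the other conditions; condition 3 ended in a stray "\" that
#  joined the whole of condition 4 onto its regex, so condition 4
#  never stood on its own.
#
#  NOTE(review): ${BYPASSWD} is only expanded by procmail when the
#  condition starts with "$"; as written it may be matched literally,
#  in which case the bypass never fires (fail closed) -- confirm
#  against the main rc.
#
:0 BH
* DANGEROUS ?? ^no$
* EXEDOCCHECKING ?? ^yes$
* !^Subject:.*${BYPASSWD}
*  -1000^0
*   1100^0    ^Content-Type: application/[0-9a-z][-_0-9a-z.]+$\
               Content-Disposition: attachment; (file)?name( )*=( )*(\")?[0-9a-z][-_0-9a-z.]+\.\
               (cd.|doc|pdf|ppt|prj|vs.|xl.)(\")?$(.*$)+$\
               [^ ]+$
*   1100^0    ^Content-Transfer-Encoding: base64$Content-Disposition: attachment; \
               (file)?name( )*=( )*(\")?[0-9a-z][-_0-9a-z.]+\.\
               (cd.|doc|pdf|ppt|prj|vs.|xl.)(\")?$(.*$)+$\
               [^ ]+$
*   1100^0    ^Content-Type: application/octet-stream;$\
               [^0-9a-z]*name=\"[^"]*\.(cd.|doc|pdf|ppt|prj|vs.|xl.)\"$
*   1100^0    ^Content-Transfer-Encoding: base64$\
               Content-Disposition: attachment;$\
               [^0-9a-z]*filename=\"[^"]*\.(cd.|doc|pdf|ppt|prj|vs.|xl.)\"$
*   1100^0    ^Content-Type: application/msword(;|$)
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! Executable Document Type"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}

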
# URL to executable download
#
#  This catches email with links to an executable download.
#
#  Gated by EXELINKCHECKING=yes and by DANGEROUS still being "no".
#  The body (B) is searched; scoring starts at -1000 and either
#  condition adds 1100 once, so one hit tags the message:
#    1. an ftp/http/https URL with a host name (labels separated by
#       ".", "=2E", "%2E" or the garbled character noted below)
#       ending in a 2-4 letter top-level domain, a path, and a file
#       name whose extension is hta, vbs, exe, scr, pif, lnk or bat;
#    2. the same with a dotted-quad IP address as the host.
#  Hosts under top-level domains longer than four letters are not
#  matched by the first condition.
#
#  NOTE(review): the "�" inside "(�|\.|[=%]2E)" is an encoding
#  replacement character; the original byte (presumably a dot
#  look-alike used to disguise the separator) is lost in this copy
#  and must be restored from the upstream file before this rule is
#  relied on.
#
:0 B
* DANGEROUS ?? ^no$
* EXELINKCHECKING ?? ^yes$
* -1000^0
*  1100^0 (^|[^-_0-9a-z])(ftp|https?)://([0-9a-z][-_0-9a-z]+(�|\.|[=%]2E))+\
                         [a-z][a-z][a-z]?[a-z]?/\
                         ((~)?[-_0-9a-z.]+/*)*([0-9a-z][-_0-9a-z]+(�|\.|[=%]2E))+\
                         (hta|vbs|exe|scr|pif|lnk|bat)([^a-z0-9.]|\. |\.$|$)
*  1100^0 (^|[^-_0-9a-z])(ftp|https?)://[0-9][0-9]?[0-9]?(�|\.|[=%]2E)\
                         [0-9][0-9]?[0-9]?(�|\.|[=%]2E)[0-9][0-9]?[0-9]?(�|\.|[=%]2E)\
                         [0-9][0-9]?[0-9]?/\
                         ((~)?[-_0-9a-z.]+/*)*([0-9a-z][-_0-9a-z]+(�|\.|[=%]2E))+\
                         (hta|vbs|exe|scr|pif|lnk|bat)([^a-z0-9.]|\. |\.$|$)
{
 SPAMTAG=yes
 DANGEROUS=yes
 SBLOG="A1S-DANGER! URL link to executable file"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}
