John, thanks a lot for your suggestions. I will apply them in my rule, thanks!
Just a little more information about these e-mails. Here is another header where I got the "CommuniGate Pro SMTP 5.2.3" string:

*******************************
Received: from [81.145.136.213] (helo=dhl-usa.com)
        by MY SERVER IP with smtp (Exim 4.69)
        (envelope-from <charlescv...@dhl-usa.com>)
        id 1RQvs4-0006uH-Do
        for MY CUSTOMER EMAIL; Thu, 17 Nov 2011 00:54:54 -0600
Received: from [53.166.161.121] (account charlescv...@dhl-usa.com HELO msrertiksp.dxnbmrblb.com)
        by (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 144361206
        for <MY CUSTOMER EMAIL>; Thu, 17 Nov 2011 06:54:57 +0000
From: UPS Support <nore...@ups.com>
To: <MY CUSTOMER EMAIL>
Subject: UPS Delivery Notification TrackNum 73-2868202-M56DIEQ
Date: Thu, 17 Nov 2011 06:54:57 +0000
Message-ID: <0199874162.asz95ik6314...@wrfgijnsf.ozyaj.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000E_01CCA4F5.D1299D90"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2741.2600
Importance: Normal
*******************************

Right now I have set these two rules:

header __VIRUS_DHL1 FROM =~ /\b(?:dhl-usa|ups)\.com/i
header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta VIRUS_DHLTOTAL (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL E-mail with DHL-USA virus
score VIRUS_DHLTOTAL 11

header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
header __FROM_UPS From =~ /\bups\.com/i
meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
score DHL_UPS_MISMATCH 11

Once again, thank you for helping me.
Best Regards,
Sergio Cabrera

On Sat, Nov 19, 2011 at 1:27 PM, John Hardin <jhar...@impsec.org> wrote:
> On Sat, 19 Nov 2011, Sergio wrote:
>
>> this is one header of the emails that I received:
>>
>> *********************************
>> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
>>         by MY-SERVER with smtp (Exim 4.69)
>>         (envelope-from <plaintiveo...@dhl-usa.com>)
>>         id 1RQNQZ-0002Q1-QD
>>         for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
>> Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
>>         by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
>>         (envelope-from )
>>         id 1MMQJ8-3051eb-TY
>>         for <my-u...@domain.com>; Tue, 15 Nov 2011 19:08:13 +0100
>> Message-ID: <1232210117.3Q65WY5I448622@azbvbczcdgxeoq.mqfphqgytobofv.com>
>> From: UPS Support <auto-not...@ups.com>
>> To: <pa...@macred.com>
>> Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
>> Date: Tue, 15 Nov 2011 19:08:13 +0100
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>>         boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
>> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
>> *********************************
>
> Your rules:
>
>> header __VIRUS_DHL1 FROM =~ /dhl-usa.com/i
>> header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
>
> __VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:
>
> header __VIRUS_DHL1 FROM =~ /\b(?:dhl-usa|ups)\.com/i
>
> No "CommuniGate Pro", so _that_ won't hit on this.
>
> I note that the envelope-from _is_ dhl-usa.com; are DHL and UPS
> affiliated? If not, and if that appears regularly, then perhaps this (off
> the top of my head, untested) would help:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>
> header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
> header __FROM_UPS From =~ /\bups\.com/i
>
> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) ||
>                       (__ENV_FROM_UPS && __FROM_DHL)
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   Microsoft is not a standards body.
> -----------------------------------------------------------------------
>  346 days since the first successful private orbital launch (SpaceX)
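Added example, not code from this thread or from SpamAssassin: a small Python re-implementation of the rule set discussed above (header regexes, the two meta rules and their scores), run over constructed header samples trimmed from the two spam messages quoted in the thread plus a control message whose envelope sender and From agree. The receiving host (mx.example.net), the recipient and the local parts of the sender addresses are placeholders, not the originals. It also shows the check a practitioner would want with a Received-based rule: SpamAssassin's `header ... Received` matches every Received line in the message, but only the top-most one was written by your own MX; every line below it arrived with the message and can be forged, as the second Received line in both spam samples shows.

```python
import re

# Constructed samples, trimmed from the two spam headers quoted in this thread.
# Receiving host, recipient and sender local parts are placeholders.
SAMPLE_COMMUNIGATE = (
    "Received: from [81.145.136.213] (helo=dhl-usa.com)\n"
    "\tby mx.example.net with smtp (Exim 4.69)\n"
    "\t(envelope-from <sender@dhl-usa.com>)\n"
    "\tfor user@example.net; Thu, 17 Nov 2011 00:54:54 -0600\n"
    "Received: from [53.166.161.121] (account sender@dhl-usa.com HELO msrertiksp.dxnbmrblb.com)\n"
    "\tby (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 144361206\n"
    "\tfor <user@example.net>; Thu, 17 Nov 2011 06:54:57 +0000\n"
    "From: UPS Support <alerts@ups.com>\n"
    "Subject: UPS Delivery Notification TrackNum 73-2868202-M56DIEQ\n"
)
SAMPLE_EXIM_RELAY = (
    "Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])\n"
    "\tby mx.example.net with smtp (Exim 4.69)\n"
    "\t(envelope-from <sender@dhl-usa.com>)\n"
    "\tfor user@example.net; Tue, 15 Nov 2011 12:08:15 -0600\n"
    "Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)\n"
    "\tby 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)\n"
    "\t(envelope-from )\n"
    "\tfor <user@example.net>; Tue, 15 Nov 2011 19:08:13 +0100\n"
    "From: UPS Support <alerts@ups.com>\n"
    "Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5\n"
)
# Control (constructed): envelope sender and From agree, no CommuniGate banner.
SAMPLE_CONSISTENT = (
    "Received: from mail.ups.com ([192.0.2.10])\n"
    "\tby mx.example.net with esmtp (Exim 4.69)\n"
    "\t(envelope-from <alerts@ups.com>)\n"
    "\tfor user@example.net; Tue, 15 Nov 2011 12:00:00 -0600\n"
    "From: UPS Support <alerts@ups.com>\n"
    "Subject: Your shipment\n"
)


def parse_headers(raw):
    """Unfold RFC 5322 header lines into (name, value) pairs, keeping order and duplicates."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:          # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def header_text(fields, name):
    """Text a SpamAssassin 'header NAME' rule sees: every instance of NAME joined,
    or the whole header block for the pseudo-header ALL."""
    if name == "ALL":
        return "\n".join(f"{n}: {v}" for n, v in fields)
    return "\n".join(v for n, v in fields if n.lower() == name.lower())


# The sub-rules from the thread; '(?:...)' is the non-capturing group John's
# suggestion was aiming at.
HEADER_RULES = {
    "__VIRUS_DHL1": ("From", r"\b(?:dhl-usa|ups)\.com"),
    "__VIRUS_DHL2": ("ALL", r"CommuniGate Pro SMTP 5\.2\.3"),
    "__ENV_FROM_DHL": ("Received", r"envelope-from [^ @]+@dhl[^ .]+\.com"),
    "__FROM_DHL": ("From", r"\bdhl[^ .]+\.com"),
    "__ENV_FROM_UPS": ("Received", r"envelope-from [^ @]+@ups\.com"),
    "__FROM_UPS": ("From", r"\bups\.com"),
}
META_RULES = {
    "VIRUS_DHLTOTAL": lambda h: h["__VIRUS_DHL1"] and h["__VIRUS_DHL2"],
    "DHL_UPS_MISMATCH": lambda h: (h["__ENV_FROM_DHL"] and h["__FROM_UPS"])
    or (h["__ENV_FROM_UPS"] and h["__FROM_DHL"]),
}
SCORES = {"VIRUS_DHLTOTAL": 11.0, "DHL_UPS_MISMATCH": 11.0}


def evaluate(raw):
    """Return (list of meta rules that fired, total score) for one message's headers."""
    fields = parse_headers(raw)
    hits = {name: bool(re.search(pat, header_text(fields, hdr), re.I))
            for name, (hdr, pat) in HEADER_RULES.items()}
    fired = [name for name, test in META_RULES.items() if test(hits)]
    return fired, sum(SCORES.get(name, 1.0) for name in fired)


def own_mx_envelope_from(fields):
    """Envelope sender as recorded by the top-most Received line only. That line was
    written by our own MX; the ones below it came with the message and can be forged."""
    for name, value in fields:
        if name.lower() == "received":
            m = re.search(r"envelope-from <?([^ <>]+@[^ <>]+)>?", value, re.I)
            return m.group(1).lower() if m else None
    return None


if __name__ == "__main__":
    for label, sample in [("communigate", SAMPLE_COMMUNIGATE),
                          ("exim relay", SAMPLE_EXIM_RELAY),
                          ("consistent", SAMPLE_CONSISTENT)]:
        fired, score = evaluate(sample)
        env = own_mx_envelope_from(parse_headers(sample))
        print(f"{label:12s} envelope-from={env!r:28s} fired={fired} score={score}")
```

The first sample trips both meta rules (score 22), the Exim-relayed one only the mismatch rule (score 11), and the control none. Two things worth keeping in mind when carrying this back to SpamAssassin: the alternation must be written `(?:dhl-usa|ups)`, since `(?dhl-usa|ups)` is a Perl regex syntax error and the rule will not load; and because the `Received` rule matches every Received line, a sender who forges a plausible `envelope-from` in a lower Received line can influence it, so a rule keyed to the envelope sender is more robust when tied to the line your own MX adds, as `own_mx_envelope_from` does here.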