# THUNDER PRM LIBRARY
# Copyright 2008 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# MailScanner Spam filter
#
# DESCRIPTION:
# This library is used to parse events generated by the MailScanner spam filter.
#
# LAST UPDATED: $Date: 2011/08/22 00:54:47 $
#
# LAYOUT:
# Each rule is an id=/name= pair, one or more match= lines, an optional
# regex= line and a log= line; rules are separated by a line reading NEXT.
# Text after "match=" or "regex=" is taken literally, including a leading
# space, so do not trim or re-indent those values.
# NOTE(review): the match= lines appear to be literal substrings that must
# all be present before regex= is evaluated, and the short fragments (an,
# ing, ed, ...) look like cheap pre-filters - confirm against the Thunder
# PRM documentation.
# NOTE(review): every regex= below captures an address as four runs of
# [0-9]+ separated by dots. That accepts out-of-range octets and never
# matches an IPv6 address, so consumers of srcip should validate the value,
# and IPv6 senders presumably fall outside rules 252, 258 and 261 - confirm.
# NOTE(review): proto:6 is emitted only by rules 257-261; presumably the
# IANA protocol number for TCP. Rules 250-256 and 262-264 omit it.

# Spam verdict summary: lines containing " Spam Checks: Found".
id=250
name=This MailScanner scored one or more email messages as SPAM.
match=lScanner[
match=an
match= Spam Checks: Found
log=event:MailScanner-Spam_Blocked type:spam
NEXT

# Virus scan summary: lines containing " Virus Scanning:".
# NOTE(review): rules 251, 252 and 259 all emit event:MailScanner-Virus_Found,
# so the event name alone does not tell them apart downstream.
id=251
name=This MailScanner application detected one or more email infected viruses.
match=lScanner[
match=an
match=ing
match= Virus Scanning:
match=ound
log=event:MailScanner-Virus_Found type:virus
NEXT

# Infected message with a sender address: captures the IPv4 address that
# follows " came from " and emits it as srcip.
# The regex is anchored with "$", so the address must be the last thing on
# the line; trailing text or whitespace would stop the capture.
id=252
name=This MailScanner application detected one or more email infected viruses.
match=lScanner[
match=an
match=ect
match=ed
match=ss
match= Infected message
match=rom
match= came from
regex= came from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$
log=event:MailScanner-Virus_Found type:virus srcip:$1
NEXT

# Viruses flagged as "silent": lines containing " Viruses marked as silent".
id=253
name=This MailScanner application detected one or more email infected viruses.
match=lScanner[
match=an
match=ent
match=ar
match=le
match=ed
match= Viruses marked as silent
log=event:MailScanner-Virus_Found_and_Marked type:virus
NEXT

# Phishing detection: lines containing " Found phishing fraud from".
# Phishing events in this library (254, 255, 258, 264) are emitted with
# type:spam, so a search on type:virus will not return them.
id=254
name=This MailScanner application detected an email which contained a phishing attempt.
match=lScanner[
match=an
match=rom
match=ing
match= Found phishing fraud from
log=event:MailScanner-Phishing_Email type:spam
NEXT

# Phishing tags disarmed: lines containing
# " Detected and have disarmed phishing tags".
id=255
name=This MailScanner application detected and disarmed an email which contained a phishing attempt.
match=an
match=lScanner[
match=ect
match=ing
match=ar
match=ed
match= Detected and have disarmed phishing tags
log=event:MailScanner-Phishing_Email_Disarmed type:spam
NEXT

# Trojan report: lines containing "Found the" and " trojan !!!".
id=256
name=This MailScanner application detected and disarmed an email which contained a trojan file.
match=lScanner[
match=an
match=Found the
match= trojan !!!
log=event:MailScanner-Trojan_Found type:virus
NEXT

# Trojan or variant report: lines containing "Found trojan or variant".
id=257
name=This MailScanner application detected and disarmed an email which contained a trojan file.
match=an
match=lScanner[
match=ar
match=Found trojan or variant
log=event:MailScanner-Trojan_Or_Variant_Found type:virus proto:6
NEXT

# IP-based phishing: captures the IPv4 address between " fraud from " and
# " in" and emits it as srcip.
# NOTE(review): going by the name= text, this address seems to come from the
# message content rather than from the connecting mail server, which would
# make it sender-controlled data; confirm before using srcip from this event
# for blocking or attribution.
id=258
name=This MailScanner application detected and disarmed an email which contained a phishing attempt with content coming from a specific IP address.
match=an
match=lScanner[
match=rom
match=ing
match=ed
match=Found ip-based phishing fraud from
regex= fraud from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) in
log=event:MailScanner-IP_Based_Phishing type:spam srcip:$1 proto:6
NEXT

# Virus report: lines containing "Found the" and " virus !!!".
# NOTE(review): name= says "trojan file" while the rule matches " virus !!!"
# and logs Virus_Found; the description looks copied from rule 256.
id=259
name=This MailScanner application detected and disarmed an email which contained a trojan file.
match=lScanner[
match=an
match=Found the
match= virus !!!
log=event:MailScanner-Virus_Found type:virus proto:6
NEXT

# Virus found in a named file: lines containing " >>> Virus" and
# "found in file". The file name itself is not captured.
id=260
name=This MailScanner application detected found a virus in a specific file name.
match=lScanner[
match=an
match=le
match=found in file
match= >>> Virus
log=event:MailScanner-Virus_Found_In_File type:virus proto:6
NEXT

# SpamAssassin verdict with a sender address: captures the IPv4 address that
# sits between " from " and " (" and emits it as srcip.
# The leading ".*" is greedy, so if " from <address> (" occurs more than once
# on a line, the last occurrence is the one captured.
id=261
name=This MailScanner application, through the use of a call to SpamAssassin, found a server sending SPAM email.
match=an
match=lScanner[
match=ss
match=Message
match=is spam,
match=ass
match=, SpamAssassin
regex=.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) \(
log=event:MailScanner-Spam_Detection type:spam srcip:$1 proto:6
NEXT

# Service start-up banner: lines containing
# " MailScanner E-Mail Virus Scanner" and "starting.". Emitted as
# type:restart; the version string is not captured.
# NOTE(review): "sta", "start", "ing" and "ar" are all substrings of
# "starting.", so they add no selectivity beyond that one match.
id=262
name=This MailScanner application has started and has logged its version.
match=an
match=lScanner[
match=ail
match= MailScanner E-Mail Virus Scanner
match=sta
match=ing
match=ar
match=starting.
match=start
log=event:MailScanner-Version type:restart
NEXT

# Attachment filename check: lines containing " Filename Checks:".
# NOTE(review): this log= value and the one in rule 264 start with a space
# ("log= event:"), unlike every other rule in the file. Confirm that the
# parser trims it; otherwise the event name may be stored with a leading
# space and miss exact-match searches.
id=263
name=This MailScanner application has found a possible malicious file based on the name of the attachment.
match=an
match=lScanner[
match=le
match= Filename Checks:
log= event:MailScanner-Malicious_Filename type:virus
NEXT

# Message content check: lines containing " Content Checks:".
# NOTE(review): log= starts with a space here as well; see rule 263.
id=264
name=This MailScanner application has found an email which contains phishing and other types of potential web based email attacks.
match=an
match=lScanner[
match=ent
match=ont
match= Content Checks:
log= event:MailScanner-Malicious_Mail_Content type:spam