1 #KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
2
3 #Authors: Kevin A. McGrail with key contributions from Joe Quinn, Karsten Bräckelmann,
4 # Bill Cole & Giovanni Bechis
5
6 #Email: Kevin.McGrail@McGrail.com
7
8 #Questions: Questions about the KAM Ruleset are best submitted at:
9 # https://raptor.pccc.com/raptor.cgim?template=report_problem
10
11 #HomePage: https://mcgrail.com/template/projects#KAM1
12
13
14 #Installation: There are multiple files that make up the KAM ruleset including
15 #heavyweight, deadweight, & nonKAMrules. The KAM ruleset is now a channel!
16 #
17 #Please see https://mcgrail.com/template/kam.cf_channel for more information
18
19
20 #The ruleset includes internal rules so not every rule will be useful but
21 #we encapsulate those in a KAMOnly defined loop.
22
23 #KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity. Donations
24 #are appreciated. See www.mcgrail.com for more information on donations and
25 #sponsorships.
26
27 #THANK YOU TO OUR SPONSORS (in Alphabetical Order):
28 #cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
29
30
31 #This is a collection of special rules that KAM developed and uses for
32 #https://raptoremailsecurity.com/.
33 #
34 #The exact date is lost to the sands of time but we have been publishing this
35 #ruleset since at least May 2004 at no charge for the benefit of all.
36 #
37 #They were intended as live research for committal to SpamAssassin's SVN sandbox but
38 #often rely on our corpora so they do not fare well in masschecks.
39
40
41 #Problems and suggestions are best sent by this form to avoid being caught by our
42 #filters: https://raptor.pccc.com/raptor.cgim?template=report_problem
43 #We do respond to most problem reports *especially* if you send an email sample.
44 #Samples in mbox format are preferred.
45
46
47 #The KAM Ruleset is production ready and in use on production systems protecting
48 #many millions of mailboxes every day.
49 #
50 #IMPORTANT: This ruleset cf file is designed for systems at a threshold of 5.0+.
51
52
53 #NOTE: We do use some poison pill (i.e. Automatic HAM/SPAM rules).
54 #
55 # - Because we use meta rules, false positives are minimized and a larger score
56 # is acceptable.
57 #
58 # - In developing these rules and the associated RBL, we use a consent litmus
59 # test. We do not block solely based on content except for the sexually
60 # explicit rules. You can, of course, locally disable these rules.
61
62
63 #Copyright (c) 2022 Kevin A. McGrail and The McGrail Foundation
64 #
65 # Licensed under the Apache License, Version 2.0 (the "License");
66 # you may not use this file except in compliance with the License.
67 # You may obtain a copy of the License at
68 #
69 # http://www.apache.org/licenses/LICENSE-2.0
70 #
71 # Unless required by applicable law or agreed to in writing, software
72 # distributed under the License is distributed on an "AS IS" BASIS,
73 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
74 # See the License for the specific language governing permissions and
75 # limitations under the License.
76
77 # Thanks to Wolfgang Breyha for his help fixing a few rules
78
79 # COURTESY OF Marcin Miros
80 body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
81
82 rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
83
84 meta KAM_MM_FOREX __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
85 score KAM_MM_FOREX 2.5
86 describe KAM_MM_FOREX Polish-language spam from the Forex botnet
87
88 #PHISHING TEST
89 rawbody KAM_PHISH1 /u style="cursor: pointer"/
90 describe KAM_PHISH1 Test for PHISH that changes the cursor
91 score KAM_PHISH1 0.01
92
93 header __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank|support/i
94 body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert|suspended/i
95 body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed|owner of this account/i
96
97 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
98 mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
99 endif
100
101 meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
102 score KAM_PHISH4 3.5
103 describe KAM_PHISH4 Another phishing attempt
104
105 #KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
106 body __KAM_REAL1 /(^|\b)RE market/is
107 body __KAM_REAL2 /(crashing|declining)/i
108 body __KAM_REAL3 /(vacation|second) (home|place)/is
109 meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
110 describe KAM_REAL Real Estate or Re-Finance Spam
111 score KAM_REAL 0.5
112
113 #REFINANCE SCAM EMAILS
114 header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
115 body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
116 body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
117 body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
118 body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
119 body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
120 body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
121 header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
122
123 meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
124 describe KAM_REFI Real Estate / Re-Finance Spam
125 score KAM_REFI 3.0
126
127 meta KAM_REFI2 (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
128 describe KAM_REFI2 Real Estate / Re-Finance Spam
129 score KAM_REFI2 2.75
130
131 #KAM ERADICATE DEBTS
132 body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
133 header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
134 body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is
135
136 meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
137 describe KAM_DEBT Debt eradication spams
138 score KAM_DEBT 2.5
139
140 meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
141 describe KAM_DEBT2 Likely Debt eradication spams
142 score KAM_DEBT2 1.0
143
144 #XtraSize+ Penis Enlargement Scam
145 header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
146 body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i
147
148 meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
149
150 describe KAM_SILD Simple rule to block one more enhancement message
151 score KAM_SILD 5.0
152
153 #if (version < 3.002000)
154 # #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
155 # #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
156 # header __KAM_NUMBER1 Subject =~ /^\d+$/
157 # body __KAM_NUMBER2 /\d{1,6}/
158 # header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
159 #
160 # meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
161 # describe KAM_NUMBER Silly Number Emails
162 # score KAM_NUMBER 1.0
163 #endif
164
165 #KAM MEDICATION KAM_OVERPAY
166 body KAM_OVERPAY /O . V . E . R . P . A . Y/i
167 describe KAM_OVERPAY Common Medicinal Ad Trick
168 score KAM_OVERPAY 3.5
169
170 #VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
171 replace_rules __KAM_VIAGRA2
172
173 body __KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
174 header __KAM_VIAGRA2 Subject =~ /<V1><I1><A1><G1><R1><A1>/i
175
176 meta KAM_VIAGRA1 (__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
177 describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
178 score KAM_VIAGRA1 3.0
179
180 #VIAGRA AD 2
181 body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
182 describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
183 score KAM_VIAGRA2 3.1
184
185 #VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
186 #body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
187 #describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
188 #score KAM_VIAGRA3 3.1
189
190 #VIAGRA AD 4
191 body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
192 body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
193 body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
194
195 # FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
196 # FP for Via Great thanks to Shane Williams
197 body __KAM_VIAGRA_FPS /via gre?a|i augur/i
198
199 meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
200 describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
201 score KAM_VIAGRA4 3.1
202
203 #VIAGRA AD 5
204 body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
205 describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
206 score KAM_VIAGRA5 3.1
207
208 #VIAGRA AD 6
209 #Switch to [-_\. ]? to avoid FP's reported by Robin Tan
210 #Also added a few more boundary checks thanks to Daniele Duca
211 body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
212 body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
213 body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
214 body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
215 header __KAM_VIAGRA6E From =~ /(Viagra|Cialis)(\b|$)/i
216
217 meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
218 describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
219 score KAM_VIAGRA6 3.1
220
221 #VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
222 body __KAM_VIAGRA7A /V[ij]+AGRA/i
223 body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
224 body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
225 body __KAM_VIAGRA7D /VAL[ij]+UM/i
226
227 meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
228 describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
229 score KAM_VIAGRA7 3.1
230
231 #VIAGRA AD 8
232 body __KAM_VIAGRA8A /VI...?AGRA/i
233 body __KAM_VIAGRA8B /AM...?BIEN/i
234 body __KAM_VIAGRA8C /VA...?LIUM/i
235 body __KAM_VIAGRA8D /CI...?ALIS/i
236
237 meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
238 describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
239 score KAM_VIAGRA8 5.1
240
241 #VIAGRA AD 9
242 body __KAM_VIAGRA9A /V[IL1]A..GRA/i
243 body __KAM_VIAGRA9B /AMB..IEN/i
244 body __KAM_VIAGRA9C /VAL..IUM/i
245 body __KAM_VIAGRA9D /C[IL1]A..LIS/i
246
247 meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
248 describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
249 score KAM_VIAGRA9 5.1
250
251 #VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
252 header __KAM_VIAGRA10A From =~ /male enhancement|mens.renewal/i
253 header __KAM_VIAGRA10B Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i
254
255 meta KAM_VIAGRA10 (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
256 describe KAM_VIAGRA10 Male enhancement spam with no content
257 score KAM_VIAGRA10 8.0
258
259 #NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
260 header __KAM_NITROXIN1A From =~ /nitroxin/i
261
262 meta KAM_NITROXIN1 (__KAM_NITROXIN1A >= 1)
263 describe KAM_NITROXIN1 Another variant of Viagra spam
264 score KAM_NITROXIN1 8.0
265
266 #RE[#] SPAM
267 #NOTE: Thanks to Jason Haar <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
268 header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
269 describe KAM_RE Subject of Re[0]: etc prevalent in Spam
270 score KAM_RE 2.0
271
272 meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
273 describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
274 score KAM_RE_PLUS 4.0
275
276 #HOODIA
277 #RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
278 #Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
279 #thanks to Michael Denney for the FP report
280 header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
281 rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
282 body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is
283
284 meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
285 describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
286 score KAM_HOODIA 3.0
287
288 #STOCK TIPS
289
290 ##1 through 120 disabled 5-12-2014 due to age
291 ##body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
292 ##body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
293 ##body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
294 ##body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
295 ##body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
296 ##body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
297 ##body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
298 ##body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
299 ##body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
300 ###THANKS TO HOMER PARKER FOR THE FALSE POSITIVE NOTE!
301 ##body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
302 ##body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
303 ##body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
304 ##body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
305 ##body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
306 ##body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
307 ##body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
308 ##body __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
309 ###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
310 ##body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
311 ##body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
312 ##body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
313 ##body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
314 ##body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
315 ##body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
316 ##body __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
317 ##body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
318 ##body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
319 ##body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
320 ##body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
321 ##body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
322 ##body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
323 ##body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
324 ##body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
325 ##body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
326 ##body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
327 ##body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
328 ##body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
329 ##body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
330 ##body __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
331 ##body __KAM_STOCKTIP39 /Premium Petroleum/is
332 ##body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
333 ##body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
334 ##body __KAM_STOCKTIP42 /DPEK/i
335 ###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
336 ##body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
337 ##body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
338 ##body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
339 ##body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
340 ##body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
341 ###DISABLED DUPLICATE OF 40
342 ###body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
343 ##body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
344 ##body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
345 ##body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
346 ##body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
347 ##body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
348 ##body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
349 ##body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
350 ###FP FIXED THANKS TO Homer Parker
351 ##body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
352 ###FP FIXED THANKS TO Homer Parker
353 ##body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
354 ##body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
355 ##body __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
356 ##body __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
357 ##body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
358 ##body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
359 ##body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
360 ##body __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
361 ##body __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
362 ###DISABLED FOR FALSE POSITIVES AND AGE
363 ###body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
364 ##body __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
365 ##body __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
366 ###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
367 ##body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
368 ##body __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
369 ##body __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
370 ##body __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
371 ##body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
372 ##body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
373 ###FP FIXED THANKS TO Christopher X. Candreva
374 ##body __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
375 ##body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
376 ##body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
377 ###FP FIXED THANKS TO Homer Parker
378 ##body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
379 ##body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
380 ##body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
381 ##body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
382 ##body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
383 ##body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
384 ##body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
385 ##body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
386 ##body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
387 ##body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
388 ##body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
389 ##body __KAM_STOCKTIP89 /UTEV/i
390 ##body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
391 ##body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
392 ##body __KAM_STOCKTIP92 /CBRJ/i
393 ##body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
394 ##body __KAM_STOCKTIP94 /GTAP/i
395 ##body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
396 ###FP FIXED THANKS TO BRETT GARRETT
397 ##body __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
398 ##body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
399 ##body __KAM_STOCKTIP98 /PLMA/i
400 ##body __KAM_STOCKTIP99 /CDYV/i
401 ##body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
402 ###Added boundary check thanks to Michael Denney
403 ##body __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
404 ##body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
405 ##body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
406 ##body __KAM_STOCKTIP104 /ASVP/is
407 ##body __KAM_STOCKTIP105 /CHVC/is
408 ##body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
409 ##body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
410 ##body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
411 ##body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
412 ###DUPLICATED STOCKTIP #51
413 ###body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
414 ##body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
415 ###FP Fixed thanks to Greg Troxel
416 ##body __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
417 ##body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
418 ###FP FIXED THANKS TO Antonio Falzarano
419 ##body __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
420 ##body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
421 ##body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
422 ##body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
423 ###FALSE POSITIVE ON DANSREALESTATE.
424 ##body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
425 ##body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
426 ##body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
427
428 body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
429 body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
430 body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
431 body __KAM_STOCKTIP124 /((\b|^)VGPM(\b|$)|Vega Promotional Sys)/is
432 body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
433 body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
434 body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
435 #FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
436 body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
437 body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
438 body __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
439 #Added boundary check thanks to Michael Denney
440 body __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
441 body __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
442 body __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
443 body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
444 body __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
445 body __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
446 body __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
447 body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
448 body __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
449 body __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
450 #FP IN French email on 3/2/2017
451 #body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
452 body __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
453 body __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
454 body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
455 body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
456 body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
457 #FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
458 body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
459 body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
460 body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
461 body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
462 body __KAM_STOCKTIP151 /Alanco Tech/i
463 body __KAM_STOCKTIP152 /Siga Resources/i
464 body __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
465 body __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
466 body __KAM_STOCKTIP155 /Alanco Technologies/is
467 body __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
468 #body __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
469 body __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
470 body __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
471 body __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
472 body __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
473 body __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
474 body __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
475 body __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
476 body __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
477 body __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
478 body __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
479 body __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
480 body __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
481
482
483 body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
484 body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
485 body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
486 body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
487 body __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
488 body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
489 header __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
490 body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
491 body __KAM_INSTOCK /in stock/i
492
493 # ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
494 meta KAM_STOCKTIP (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
495
496 describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
497 score KAM_STOCKTIP 7.1
498
499 #KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
500 body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
501 score __KAM_STOCK3 0.1
502 describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol
503
504 #GENERIC STOCK RULE
505 meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
506 describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
507 score KAM_STOCKGEN 1.5
508
509 #KAM STOCK RULE #2
510 body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
511 body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
512 body __KAM_STOCK2_3 /stock/i
513 body __KAM_STOCK2_4 /trader|investor|analyst|royalties/i
514 header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
515 header __KAM_STOCK2_6 From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i
516
517 meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
518 score KAM_STOCK2 2.5
519 describe KAM_STOCK2 Another Round of Pump & Dump Stock Scams
520
521 #JUDGEMENTS
522 body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
523 body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
524 #HALF-WEIGHTED RULES
525 body __KAM_JUDGE3 /collect your money/is
526 body __KAM_JUDGE4 /judgment/i
527 #FULL-WEIGHT
528 header __KAM_JUDGE5 Subject =~ /judgment/i
529
530 meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
531 describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
532 score KAM_JUDGE 2.5
533
534 #MEDS
535 body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
536 body __KAM_MED2 /\d\d ?%/
537
538 describe KAM_MED Economizing your meds spam
539 meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
540 score KAM_MED 1.5
541
542 #MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
543 header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
544
545 describe KAM_MED2 More Medical SPAM
546 meta KAM_MED2 (__KAM_MED2_1 >= 1)
547 score KAM_MED2 1.0
548
549 #TIME PIECE
550 header __KAM_TIME1 Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
551
552 #0.50 WEIGHTED TESTS
553 body __KAM_TIME2 /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
554 header __KAM_TIME3 Subject =~ /(\b|^)(time|watch)(\b|$)/i
555 body __KAM_TIME4 /(\b|^)(time|watch)(\b|$)/i
556 body __KAM_TIME5 /(funny|low) price|treat.yourself/i
557 #REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
558 body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
559
560
561 meta KAM_TIME __KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
562 describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
563 score KAM_TIME 3.0
564
565 meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
566 describe KAM_TIMEGEO Email references geocities & wrist watch sales
567 score KAM_TIMEGEO 3.5
568
569 #YOUR HOME
570 body __KAM_HOME1 /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
571 body __KAM_HOME2 /Build your equity faster|refund is not reversible|rent.to.own/i
572 body __KAM_HOME3 /tax saving plans|\d+K Mortgage Credit|no.more.of/i
573 header __KAM_HOME4 From =~ /rent.?and.?own|rent.own.list/i
574 header __KAM_HOME5 Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i
575
576 meta KAM_HOME (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
577 describe KAM_HOME Mortgage & Refinance Spam Rule
578 score KAM_HOME 3.5
579
580 #UNIVERSITY RULE
581 replace_rules __KAM_UNIV11 __KAM_UNIV15 __KAM_UNIV3B
582
583 body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
584 body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
585 body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
586 body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
587 body __KAM_UNIV5 /novelty (degree|use)/is
588 body __KAM_UNIV6 /verifiable University Degree/is
589 body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
590 body __KAM_UNIV8 /Career Path/is
591 body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
592 body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
593 body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch<O1>/is
594 body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
595 body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
596 body __KAM_UNIV14 /(earn a|full) transcript/is
597 body __KAM_UNIV15 /(No Study Required|Without Exams|No ex<A1>ms|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
598 body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
599 header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
600 body __KAM_UNIV18 /100% discrete/is
601
602 body __KAM_UNIV1B /\d (months|weeks)/i
603 body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
604 body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec<O1>me a do<C1>|get your diploma today)/is
605 body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
606 body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
607 body __KAM_UNIV6B /DIP\sLOMA/
608
609 meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
610 describe KAM_UNIV Diploma Mill Rule
611 score KAM_UNIV 4.5
612
613 #URUNIT
614 body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
615 body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
616 body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
617 #HALF-WEIGHTED RULES
618 body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
619 body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
620 body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
621 body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
622 #FULL-WEIGHT
623 header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
624 header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
625
626 meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
627
628 describe KAM_URUNIT Recent penile and body enhancement spams
629 score KAM_URUNIT 0.5
630
631 #UR ZEST
632 body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
633 body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
634 body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
635 body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
636 body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
637
638 meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
639 describe KAM_URZEST Recent penile and body enhancement spams
640 score KAM_URZEST 3.0
641
642 #JOB LET GO
643 body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
644 body __KAM_JOB2 /twice as much/is
645
646 meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
647 describe KAM_JOB People let go, work at home, earn billions!
648 score KAM_JOB 4.3
649
650 #PERIMETERPARK
651 body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
652 describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
653 score KAM_PERPARK 2.5
654
655 #HOLLYWOOD WAY
656 body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
657 describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
658 score KAM_HOLLY 2.5
659
660 #PUMP & DUMP STOCK GRAPHICS
661 header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
662 header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
663 meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
664 describe KAM_STOCKG Graphical Pump and Dump Scams
665 score KAM_STOCKG 3.0
666
667 #CEP Diploma Mill
668 body __KAM_CEP1 /Job Prospect Newsletter|training.workshop/i
669 body __KAM_CEP2 /legitimate verifiable degree|build a better you|domain.knowledge/i
670 body __KAM_CEP3 /Career Education program|customize a learning program|certified.instructor/i
671 body __KAM_CEP4 /(MBA|CEP)/
672 body __KAM_CEP5 /degree\/certificates|certification/i
673 body __KAM_CEP6 /\d (week|month)/i
674 header __KAM_CEP7 From =~ /certificate program/i
675
676 meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
677 describe KAM_CEP CEP Diploma Mill Rule
678 score KAM_CEP 3.5
679
680
681 #Commented since 3.2.0 is pretty old now
682 #if (version < 3.200000)
683 # #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
684 # #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
685 # meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
686 # describe KAM_BLANK01 Blank emails
687 # score KAM_BLANK01 1.0
688 #
689 # #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
690 # meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
691 # describe KAM_BLANK02 Blank emails with MTA Headers
692 # score KAM_BLANK02 1.0
693 #endif
694
695 #KAM GEOCITIES SPAM
696 # Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
697 uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
698 describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
699 score KAM_GEO_STRING2 4.7
700
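701 #KAM GOOGLE SPAM
# Google "/url?q=" redirector links. The host part used to be written as
# www\.google\.{0,5}, which quantifies the escaped dot (zero to five literal
# dots) and therefore never matched a real www.google.<tld>/url?q= link.
# Match the TLD explicitly instead: com, de, co.uk, com.br and similar.
702 uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.[a-z]{2,3}(?:\.[a-z]{2})?\/url\?q=/i
703
704 meta KAM_GOOGLE_REDIR __KAM_GOOGLE_REDIR
705 describe KAM_GOOGLE_REDIR Use of Google redir
706 score KAM_GOOGLE_REDIR 1.5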
707
708 #MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
709 uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
710 describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011
711 score KAM_MSNBR_REDIR 5.0
712
713 #KAM MSN SPAM
714 uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
715 uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
716 meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
717 describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
718 score KAM_MSN_STRING 2.5
719
720 #KAM LIVEJOURNAL SPAM
721 uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
722 meta KAM_LIVE (__KAM_LIVE1)
723 describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
724 score KAM_LIVE 1.0
725
726 #KAM PAGE.TL SPAM - idea from Benny Pedersen
727 uri __KAM_PAGE1 /^http:\/\/.{0,20}\.(page\.tl)/i
728 meta KAM_PAGE (__KAM_PAGE1)
729 describe KAM_PAGE Page.TL likely spam (Nov 2011)
730 score KAM_PAGE 2.0
731
732 # .html link stored on S3
# Only the path-style form (https://s3.amazonaws.com/<bucket>/...) is matched;
# bucket-in-hostname or regional endpoints (bucket.s3.amazonaws.com,
# s3.<region>.amazonaws.com) are not covered. Extend deliberately if wanted --
# at 4.5 points this rule alone carries most of a spam verdict.
733 uri GB_S3_HTM /^https?:\/\/s3\.amazonaws\.com\/.{3,128}\.html?/i
734 describe GB_S3_HTM .html link stored on AWS S3
735 score GB_S3_HTM 4.5
736
737 if (version >= 4.000000)
738 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
# Capture the whole To: address into the GB_TO_ADDR tag so the uri rules below
# can look for the recipient's own address echoed back inside a link.
# NOTE(review): ".*" also matches an empty To:addr -- confirm the rules below
# are skipped rather than run with an empty %{GB_TO_ADDR} (an empty value
# would make e.g. __GB_CUSTOM_HTM_URI0 match almost any .html/.php link).
# NOTE(review): confirm the interpolated capture is regex-escaped; a "+", "."
# or "?" in the local part would otherwise change the pattern.
739 header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/
740
741 # Links to malware stored on Google storage: the recipient address follows "#"
742 uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
743 describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
744 score GB_STORAGE_GOOGLE_EMAIL 2.000
745
746 # Links to malware: the recipient address is appended after "#", "?&e=",
# "email=" or "wapp#". "#" is escaped because the config parser drops an
# unescaped # to end of line; ";" and "|" delimiters avoid escaping every "/".
747 uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)(?:\#|\?&e=)?%{GB_TO_ADDR};i
748 uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
749 uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:email=|wapp\#)%{GB_TO_ADDR};i
750 uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
751 meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
752 describe GB_CUSTOM_HTM_URI Custom html uri
753 score GB_CUSTOM_HTM_URI 1.500
754
755 endif
756 endif
757
758 # Marks emails whose URIs carry a %00/%01 escape or a raw NUL byte ahead of an "@" (the URI-parsing bug this rule was written for)
759 uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
760 describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
761 score KAM_URIPARSE 7.0
762
763 #Ebay Closed their Redirector - Disabled 4-9-05
764 # This rule is to mark emails using the exploit of the eBay redirector
765 #uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
766 #describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
767 #score KAM_EBAYREDIR 7.0
768
769 # Rule based on Kelson Vibber's MD code for bogus AOL Addresses
770 # Check for bogus AOL addresses as described at
771 # http://postmaster.aol.com/faq/mailerfaq.html#syntax
772 # - all alphanumeric, starting with a letter, from 3 to 16 characters long.
773 #
774 #
775 #What is the correct syntax for AOL e-mail addresses?
776 #The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
777 #Valid AOL e-mail addresses can not:
778 #Be shorter than 3 or longer than 16 characters.
779 #Begin with numbers.
780 #Contain punctuation of any kind (such as periods, underscores, or dashes).
781 #
782 #
783
784 #2017-10-24 upon evidence that AOL no longer follows their syntax.
785 #Awaiting an updated version however KAM predicts that with the merger that this
786 #is likely to accommodate other systems like Verizon coming under the same infrastructure.
787
788 #UPDATED 2018-02-20
789 #THANKS to Angel from 16bits for this research:
790 #Based on tests at https://i.aol.com/reg/signup shows:
791 #
792 #Username cannot
793 #
794 #a) "Be shorter than 3"
795 # This is being enforced: «Please make sure that the username field is at
796 #least 3 characters long
797 #
798 #b) or longer than 16 characters.
799 #The userName field has a maxlength of 32
800 #(intriguingly, there's also a hidden usernameEmail of up to 97
801 #characters)
802 #
803 #c) Begin with numbers.
804 #This is being enforced «Your username must begin with a letter.»
805 #
806 #d) Contain punctuation of any kind (such as periods, underscores, or
807 #dashes).
808 #Both periods and underscores are accepted (they are even offered in the
809 #dropbox), dashes are not.
810 #«Your username may not contain characters such as @, !, * or $.»
811 #
812 #Periods and underscores may not begin or end the username, or be
813 #consecutive (not between themselves), ie. these two characters may only
814 #appear when surrounded by alphanumeric ones.
815 #
816 #(this condition for periods actually comes from rfc5321, assuming you
817 #want to avoid quoting the local part)
818 #
819 #
820 #Basically, it seems they added . and _ to the allowed characters, and
821 #doubled the username size.
822 #
823 #
824 #The error messages at
825 #https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
826 #
827 #"Please make sure that the username field is at least 3 characters
828 #long."
829 #long."
830 #"Your username may not exceed "+regPageData.snMax+" characters."
831 #"Your username must begin with a letter."
832 #"Your username may not contain characters such as @, !, * or $.",
833 #"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
834 #"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
835 #"Usernames cannot end with a dot (.) or underscore (_)."
836 #"Usernames cannot have consecutive dots (..) or underscores (__)."
837 #
838 #"Please make sure that the email address is at least 3 characters long."
839 #"Your email address may not exceed 97 characters."
840
841 #Missed updating the length to 32. Fixed thanks to Ramon Medina
842
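843 header __KAM_AOL From:addr =~ /\@aol\.(com|co\.uk)/i
844
# username portion must be 3 to 32 characters long and start with a letter:
# one leading letter plus 2..31 further characters (the earlier {2,32} let a
# 33-character username pass as valid, contradicting the 32 limit noted above)
846 header __KAM_GOODAOL1 From:addr =~ /^[a-z].{2,31}\@aol\.(com|co\.uk)/i
847
# certain punctuation not allowed - This is likely not exhaustive
# (/i added so an upper-case @AOL.COM is checked the same way as the rules around it)
849 header __KAM_BADAOL1 From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/i
# no consecutive periods or underscores
851 header __KAM_BADAOL2 From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/i
# cannot end with . or underscore
853 header __KAM_BADAOL3 From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i
854
# Any aol.com/aol.co.uk sender that fails the "good" shape, or hits one of the
# explicit "bad" shapes, is treated as a forged address.
855 meta KAM_BADAOL (__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
856 describe KAM_BADAOL Invalid AOL Address
857 score KAM_BADAOL 7.0
858
# The negative score is only granted together with SPF_PASS, so a merely
# well-formed but forged aol.com From: address does not earn it.
859 meta KAM_GOODAOL __KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL) && SPF_PASS
860 describe KAM_GOODAOL Valid AOL Email Address
861 score KAM_GOODAOL -1.0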
862
863 # Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
864 header KAM_ADV_EMAIL From:addr =~ /adv\@/i
865 describe KAM_ADV_EMAIL Marks adv@<domain.com> Addresses as likely SPAM
866 score KAM_ADV_EMAIL 5.0
867
868 #SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
869 header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
870 #EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
871 header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret|small member|g-spot|XXX life|cart.?bloom.?jigsaw|clogged.?colon|Peppy.?Pet.?ball|derma.?correct|secret to squirting|monstrous cock|adult film star extension secret|inches to your manhood|lack of sex|harrys.?affiliate|numerologist|your prostate|stiffening tonic|need sex partner/i
872
873 #TRYING TO GET RID OF FPs WITH LAST NAMES
874 header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school.?of.?squirt)|hookup.?alert|bedroom.?partner|hookup.?online|lovely.?asian|squirting.?school|sex.?portal|sex.?club|liberator.?x2|instahard|eat me with your dick/i
875
876 #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
877 body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|(naughty|horny).milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls (from|in) your city|rock.?hard boner|reclaiming your manhood|sexy and horny|bad girls from your city|awesome in bed|turbo\-charge your bed|shocking erection|stiffening tonic|anal fun|fingering videos/i
878 #remove f\#ck for FPs
879 tflags __KAM_SEX_EXPLICIT4 nosubject
880
881 header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
882
883 body __KAM_SEX_EXPLICIT6 /virus on a porn web/i
884
885 meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
886 describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
887 score KAM_SEX_EXPLICIT 16.0
888
889 #SOLICITING AFFAIR SPAM
890 header __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
891 header __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
892 rawbody __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
893 rawbody __KAM_SEX_AFFAIR4 /looking.for.affair/i
894
895 meta KAM_SEX_AFFAIR (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
896 describe KAM_SEX_AFFAIR Subject or body soliciting an affair
897 score KAM_SEX_AFFAIR 8.0
898
899 #KAM_TELEWORK
900 body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
901 body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
902 body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
903 body __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
904 body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
905 body __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
906 header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
907 header __KAM_TELEWORK8 From =~ /training|online/i
908
909 meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
910 describe KAM_TELEWORK Stupid telework and training scams
911 score KAM_TELEWORK 3.0
912
913 #Changed to meta 2017-10-17
914 #Key removal/credits
915 #2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
916 #2019-11-24 - Removed .bid for FPs
917 #2020-06-04 - Added FP check for td.date and div.top
918 #2021-08-14 - Thanks to Giovanni for the new regex and Kenneth Porter for the FP for things that ended in one of the TLDs but wasn't part of the domain
919 #2021-08-25 - Added a FP fix for date with { from programming discussions
920 #2022-04-26 - Sort tlds and add .cfp domain
921 #2022-09-21 - adding .link back due to prevalence
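922 header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)$/i
# The TLD must end the host part. The terminator set now also includes "?" and
# "#", since a query or fragment may follow the host directly (http://x.xyz?id=1
# was missed before). "#" is escaped because the config parser drops an
# unescaped # to end of line.
923 uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)($|\/|\:|\?|\#)/i
924
925 #FPs
# (the class was written [b|l], which also admitted a literal "|"; [bl] is the intent)
926 uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|de[bl]\.date|div\.top($|\/)/i
927 body __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF /\.date ?\{/i
928
# Sender TLD alone is enough; a URI TLD hit is cancelled by either FP check
# (negating the sum is true only when both sub-rules are zero).
929 meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE))
930 describe KAM_SOMETLD_ARE_BAD_TLD .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .work, .xyz TLD abuse
931 score KAM_SOMETLD_ARE_BAD_TLD 5.0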
932
933 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
934 #ifplugin Mail::SpamAssassin::Plugin::WLBLEval
935 # enlist_addrlist (BADTLDS) *@*.pw
936 # enlist_addrlist (BADTLDS) *@*.stream
937 # enlist_addrlist (BADTLDS) *@*.trade
938 # enlist_addrlist (BADTLDS) *@*.bid
939 # enlist_addrlist (BADTLDS) *@*.press
940 # enlist_addrlist (BADTLDS) *@*.top
941 # enlist_addrlist (BADTLDS) *@*.date
942 #
943 # header __KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS')
944 # body __KAM_SOMETLD_ARE_BAD_TLD_URI eval:check_uri_host_listed('BADTLDS')
945 #endif
946
947 #CHANGED TO KAMOnly
948 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
949
950 #TESTING RULE
951 body KAM_LOCAL_TEST1 /myspamtest12341234/
952 describe KAM_LOCAL_TEST1 This is a unique phrase to trigger a + score
953 score KAM_LOCAL_TEST1 50
954
955 #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
# These rules trust the X-Raptor-Reverse header written by the local filter.
# They are only safe where the gateway strips any X-Raptor-* headers that
# arrive from outside; otherwise a sender can supply "X-Raptor-Reverse: Passed"
# and collect the -1.0 from KAM_RPTR_PASSED, or avoid the Failed/Missing scores.
956 header KAM_RPTR_FAILED X-Raptor-Reverse =~ /^Failed/
957 describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
958 score KAM_RPTR_FAILED 6.0
959
# "Suspect" only scores when the marketing-list rule (defined elsewhere) did not fire
960 header __KAM_RPTR_SUSPECT X-Raptor-Reverse =~ /^Suspect/
961 meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
962 describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
963 score KAM_RPTR_SUSPECT 2.45
964
965 #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
# The reverse-DNS pass is only rewarded when none of the listed blocklist,
# SPF-failure and other KAM rules hit, so a listed sender cannot offset them.
966 header __KAM_RPTR_PASSED X-Raptor-Reverse =~ /^Passed/
967 meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
968 describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
969 score KAM_RPTR_PASSED -1.0
970
971 header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
972 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
973 score KAM_RPTR_MISSING 6.0 #Lowered to 6.0 temporarily - NOTE(review): KAM_RPTR_MISSING is defined again further down in this file with 9.0, and later definitions override earlier ones, so this 6.0 is not what takes effect
974
975 #DWDTECHSPAM /ETC
976 header KAM_RPTR_BADHOST X-Raptor-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
977 describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
978 score KAM_RPTR_BADHOST 9.0
979
980 header KAM_NOTLS X-Raptor-TLS =~ /False/
981 describe KAM_NOTLS Mail has been sent using an unsecure connection
982 score KAM_NOTLS 0.001
983
984 #CUSTOM SCORES THAT KAM LIKES
985 #score SARE_GIF_ATTACH 3.0
986 score CHARSET_FARAWAY_HEADER 1.6
987 score MIME_CHARSET_FARAWAY 1.25
988 score FH_FROM_CASH 2.0
989 score EWG_BAD_40 1.5
990 score EWG_BAD_47 1.5
991 score EWG_BAD_54 1.5
992 score FREEMAIL_ENVFROM_END_DIGIT 1.0
993 score FREEMAIL_REPLYTO 1.0
994 score KHOP_BIG_TO_CC 1.5
995 score URIBL_DBL_SPAM 5.0
996 score AC_HTML_NONSENSE_TAGS 4.0
997
998
999 #ENABLING DNSWL - BUG 6668
1000 score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
1001 score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
1002 score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
1003 score RCVD_IN_DNSWL_HI 0 -5 0 -5
1004
1005 #COMPLETE WHOIS IS DOWN
1006 #score __RCVD_IN_WHOIS 0
1007 #score RCVD_IN_WHOIS_INVALID 0
1008 #score URIBL_COMPLETEWHOIS 0
1009
1010 #Custom subject whitelist
1011 #header FRANCHISE_JERRY Subject =~ /: (Franchise Application|Request Franchise Information)$/i
1012 #score FRANCHISE_JERRY -99.0
1013 #describe FRANCHISE_JERRY Jerry's Franchise Application or Request
1014
1015 header KAM_INVALID_FROM X-Raptor-From =~ /From Header Missing Host/
1016 describe KAM_INVALID_FROM From header missing host portion
1017 score KAM_INVALID_FROM 6.0
1018
1019 #RAPTOR ALTERED EMAILS
1020 #body __KAM_RAPTOR1 /altered by our Raptor filters/i
1021 #header __KAM_RAPTOR2 X-Raptor-Alter =~ /True/
1022
1023 #meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
1024 #describe KAM_RAPTOR PCCC Raptor altered the email
1025 #score KAM_RAPTOR 3.5
1026
1027 #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
1028 score RCVD_IN_NJABL_CGI 0
1029 score RCVD_IN_NJABL_MULTI 0
1030 score RCVD_IN_NJABL_PROXY 0
1031 score RCVD_IN_NJABL_RELAY 0
1032 score RCVD_IN_NJABL_SPAM 0
1033 score __RCVD_IN_NJABL 0
1034
1035 if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
1036 dns_query_restriction deny njabl.org
1037 endif
1038
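#KAM RPTR MISSING - the relaying host has no reverse DNS entry
#This rule was previously declared three times in a row under a copy-pasted "#KAM Bad Attach" heading;
#SpamAssassin just re-declares the same rule each time, so a single definition is equivalent.
header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0


#KAM Bad Attach
#NOTE(review): X-Raptor-BadAttach is presumably set by the same local Raptor/MIMEDefang stage as the other
#X-Raptor-* headers in this KAMOnly section. A header rule is only as trustworthy as the MTA's removal of any
#same-named header arriving from outside - confirm that inbound mail cannot carry a pre-existing X-Raptor-* header.
header KAM_BADATTACH X-Raptor-BadAttach =~ /^True/
describe KAM_BADATTACH Mail contains a bad attachment
score KAM_BADATTACH 15.0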
1061
1062 #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
1063 #score URIBL_RHS_DOB 0.0
1064
1065 else
1066 # no KAMOnly, stub rules
1067 meta KAM_RAPTOR_ALTERED 0
1068 score KAM_RAPTOR_ALTERED 0
1069 meta CBJ_GiveMeABreak 0
1070 score CBJ_GiveMeABreak 0
1071 meta KAM_RPTR_SUSPECT 0
1072 score KAM_RPTR_SUSPECT 0
1073 meta KAM_RPTR_FAILED 0
1074 score KAM_RPTR_FAILED 0
1075 meta KAM_RPTR_PASSED 0
1076 score KAM_RPTR_PASSED 0
1077 endif
1078
1079 #$6c822ecf@ - Idea from Jailer-Daemon on SARE
1080 header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
1081 describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
1082 score KAM_6C822ECF 7.0
1083
1084 #DRILLING & MUST READ - With updates courtesy of Mark Damrose
1085 header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
1086 header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
1087
1088 meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
1089 describe KAM_MUSTREAD Subject indicative of a SPAM message
1090 score KAM_MUSTREAD 1.25
1091
1092 body __KAM_DRILL1 /drilling/i
1093 body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
1094 body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
1095 body __KAM_DRILL4 /(buy today|Check this deal out)/i
1096
1097 meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
1098 describe KAM_DRILL Oil Drilling SPAM
1099 score KAM_DRILL 1.5
1100
1101 #CHANGED TO KAMOnly
1102 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1103
1104 #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
1105 header KAM_IFRAME X-Raptor-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
1106 describe KAM_IFRAME Email contained Iframe, Object or Script tags
1107 if can(Mail::SpamAssassin::Conf::feature_subjprefix)
1108 subjprefix KAM_IFRAME [Javascript]
1109 endif
1110 score KAM_IFRAME 2.0
1111
1112 body KAM_IFRAME2 /you need a browser with javascript/i
1113 describe KAM_IFRAME2 Email contains phrase instructing javascript use
1114 score KAM_IFRAME2 1.0
1115
1116 meta KAM_IFRAME3 (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
1117 score KAM_IFRAME3 5.0
1118 describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
1119
1120 #XEROX SCANS
1121 header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device|document from xerox scanner/i
1122 meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
1123 score KAM_XEROX 5.0
1124 describe KAM_XEROX Likely Fake Xerox Attachment
1125
1126 else
1127 # no KAMOnly, stub rules
1128 meta KAM_IFRAME 0
1129 score KAM_IFRAME 0
1130 endif
1131
1132 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1133 #WE USE MIMEDEFANG TO DISABLE TRACKING IMG TAGS
1134 header KAM_IMG_TRACKING X-Raptor-TrackingWarning =~ /remote tracking image\(s\) deactivated by MIMEDefang/
1135 describe KAM_IMG_TRACKING Email contained a tracking img tag
1136 score KAM_IMG_TRACKING 0.001
1137 endif
1138
1139 #STUPID REMOVE "*" to make the link working.
1140 body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
1141
1142 meta KAM_STAR (__KAM_STAR1 >= 1)
1143 describe KAM_STAR Stupid Obfuscated Link SPAMs
1144 score KAM_STAR 2.0
1145
1146 #IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATTED ALL THE SAME.
1147 body __KAM_SPAMKING1 /This advertisement is presented by/is
1148 body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
1149 body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
1150 body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
1151 body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
1152 body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
1153
1154 meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
1155 describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
1156 score KAM_SPAMKING 1.0
1157
1158 #THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
1159 header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
1160 describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
1161 score KAM_SPAMJDR 2.0
1162
1163 meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
1164 describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
1165 score KAM_COMBOJDR 5.0
1166
1167 #LOTTO CRUD
1168 body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
1169
1170 body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is
1171
1172 body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
1173
1174 body __KAM_LOTTO4 /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
1175
1176 body __KAM_LOTTO5 /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
1177
1178 body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is
1179
1180 header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
1181
1182 header __KAM_LOTTO8 From =~ /Lottery|powerball|western.union/i
1183
1184 header __KAM_LOTTO9 Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
1185
1186 meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
1187 describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
1188 score KAM_LOTTO1 0.75
1189
1190 meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
1191 describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
1192 score KAM_LOTTO2 1.25
1193
1194 meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
1195 describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
1196 score KAM_LOTTO3 3.0
1197
1198 #ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
1199 header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
1200 body __KAM_ABOUT2 /Spyware/i
1201
1202 meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
1203 describe KAM_ABOUT Email Scam Hawking Anti-Spyware
1204 score KAM_ABOUT 1.0
1205
1206 #EMAIL ADVERTISING
1207 body __KAM_ADVERT1 /email advertising|\d{3}%.roi/is
1208 body __KAM_ADVERT2 /instant traffic (to your website|and sales)|demand.generation/is
1209 body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
1210 header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i
1211
1212 meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
1213 describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
1214 score KAM_ADVERT 2.5
1215
1216 #DOMAIN ADVERTISING
1217 body KAM_ADVERT3 /AllExpiringDomains.com/i
1218 describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
1219 score KAM_ADVERT3 5.0
1220
1221 #ADVERTISEMENT
1222 body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This (message|entire message|communication) is an ad|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment|share your contact/is
1223 describe KAM_ADVERT2 This is probably an unwanted commercial email...
1224 score KAM_ADVERT2 0.75
1225
1226 #ONE LINE ADVERTISEMENTS
1227 body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
1228 header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
1229
1230 meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
1231 describe KAM_1LINE One liner SPAMs
1232 score KAM_1LINE 2.5
1233
1234 #CAN SPAM
1235 body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
1236 describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
1237 score KAM_CANSPAM 1.0
1238
1239 #GIFTS / GIFT CARDS
1240 body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
1241 body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
1242 body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
1243 body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
1244 body __KAM_GIFT5 /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
1245 header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i
1246
1247 meta KAM_GIFT ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
1248 describe KAM_GIFT Gift Card Scams
1249 score KAM_GIFT 3.5
1250
1251 meta KAM_GIFT2 ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
1252 describe KAM_GIFT2 Gift Card Scams
1253 score KAM_GIFT2 3.5
1254
1255 #MYSTERY SHOPPER
1256 body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
1257 body __KAM_SHOP2 /Do you like to shop/is
1258 body __KAM_SHOP3 /make money while you shop/is
1259 meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
1260 describe KAM_SHOP Mystery Shopper Scams
1261 score KAM_SHOP 2.0
1262
1263 #FAST CASH
1264 rawbody __KAM_FAST1 /make fast cash in real estate/is
1265 meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
1266 describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
1267 score KAM_FAST 1.8
1268
1269 #BIZ CARDS FREE!
1270 body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
1271 header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
1272 header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
1273
1274 meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
1275 describe KAM_BIZ Free Business Card Emails
1276 score KAM_BIZ 2.5
1277
1278 #FDA
1279 body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
1280 body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
1281 body __KAM_FDA3 /FDA Recall/i
1282
1283 meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
1284 describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
1285 score KAM_FDA 0.5
1286
1287 #WEIGHT LOSS
1288 body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
1289 body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
1290 header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
1291 #rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
1292 header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i
1293
1294 #ANATRIM / GREEN TEA / CORTITHERM / ETC
1295 body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
1296 header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i
1297
1298 meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
1299 describe KAM_ANA Likely Weight-loss / Medical Spam
1300 score KAM_ANA 3.0
1301
1302 meta KAM_ANA2 (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
1303 describe KAM_ANA2 Higher probability of Weight-loss / Medical Spam
1304 score KAM_ANA2 3.5
1305
1306 #REPLACE
1307 body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
1308 body __KAM_REP2 /www\s+[-!~\.]/i
1309
1310 body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
1311 body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
1312
1313 body __KAM_REP3_1 /\*omit empty spaces/is
1314 body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
1315
1316 meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
1317 describe KAM_REPLACE Spams that use obfuscated URLs with instructions
1318 score KAM_REPLACE 2.0
1319
1320 #EVEN MORE NIGERIAN SCAMS AND VARIANTS
1321 body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
1322 body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
1323 body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
1324 body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
1325 body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i
1326
1327 meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
1328 describe KAM_NIGERIAN Nigerian Scam and Variants
1329 score KAM_NIGERIAN 2.25
1330
1331 #I LIKE YOUR SPAM
1332 body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
1333 body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
1334 body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
1335 body __KAM_LIKE4 /HTML code for the link/is
1336 body __KAM_LIKE5 /I apologize if this message was sent, in error/is
1337
1338 meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
1339 describe KAM_LIKE I like your website link exchange spam
1340 score KAM_LIKE 2.0
1341
1342 #PUBLICLY AVAILABLE LISTS?
1343 body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
1344 describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
1345 score KAM_PUBLIC 9.0
1346
1347 #SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
1348 body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
1349 body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
1350 header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)|have an affair/i
1351 body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
1352
1353 describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
1354 score KAM_SEX 7.0
1355 meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)
1356
1357 #STUPID PICTURE SPAMS
1358 body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
1359 body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
1360 body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
1361 body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
1362 body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
1363
1364 describe KAM_PIC Share Pictures and Chat SPAM
1365 score KAM_PIC 3.5
1366 meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)
1367
1368 #STUPID MAILING LIST SPAMS
1369 body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
1370 body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
1371 body __KAM_LIST3 /price\:|prices for our director/is
1372 body __KAM_LIST4 /(?:database|list|[\d,]+ (total records|e-?mails))/is
1373 body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
1374 header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i
1375
1376 describe KAM_LIST Mailing List Database SPAM
1377 score KAM_LIST 3.0
1378 meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)
1379
1380 #YET MORE DRUG SCAMS
1381 body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
1382 body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
1383 rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
1384 body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
1385
1386 describe KAM_DRUG More Viagra, Medicine, et al Scams
1387 score KAM_DRUG 2.5
1388 meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)
1389
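#DUE TO THE RASH OF IP-BASED LINKS IN EMAILS FROM STORM BOTS, THESE ARE TESTS FOR LITERAL IPS IN EMAIL URLS
#Thanks to Jamie for pointing out I missed an RFC 1918 range.
#__KAM_GOODIPHTTP (private, RFC 1918 ranges) and __KAM_IPHTTP (any literal IPv4 URL) are kept as they were
#because other metas in this file (e.g. KAM_CARD) still reference __KAM_IPHTTP.
rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)/i
rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
#A literal-IP URL that is NOT in an RFC 1918 range. The previous meta, (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1),
#evaluated to 1 - 1 = 0 whenever a message carried BOTH a private-range and a public-range IP URL, so the
#public one slipped through; the negative lookahead below tests each URL on its own instead.
rawbody __KAM_PUBIPHTTP /https?:\/\/(?!192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
score KAM_BADIPHTTP 2.0
meta KAM_BADIPHTTP (__KAM_PUBIPHTTP >= 1)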
1397
1398 body __KAM_HIDDEN_URI1 /\[DOT\]com/is
1399 body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
1400 meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
1401 describe KAM_HIDDEN_URI URI obfuscation techniques
1402 score KAM_HIDDEN_URI 4.0
1403
1404 #ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
1405 # Thanks to Lucas Rolff for the https idea
#NOTE(review): the rawbody test below covers only info|us|me|me.uk|biz, while the From:addr and Return-Path tests
#(and the describe text) also list xyz|id|rocks|life - confirm whether the body list is intentionally shorter.
#NOTE(review): the `.{4,30}` run is not anchored to the host part and may include '/', so a path component that
#ends in one of these strings followed by '/' (e.g. http://host/x.info/) also matches.
1406 rawbody __KAM_INFOUSMEBIZ1 /https?:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
#.rocks is also listed in __KAM_OTHER_BAD_TLD2/3 further down, so a .rocks sender address is scored by both
#KAM_INFOUSMEBIZ and KAM_OTHER_BAD_TLD (0.75 + 0.75).
1407 header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
1408 header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i
1409
#Any one of the three sub-tests is enough to fire the rule.
1410 meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
1411 score KAM_INFOUSMEBIZ 0.75
1412 describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
1413
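# OTHER QUESTIONABLE / CHEAP TLDS - .click, .farm, .work, .rocks, .science, .club, .casa
# The rawbody test now accepts http and https like __KAM_INFOUSMEBIZ1 above; the old pattern only matched
# http:// and so never counted https links to these TLDs. The dot in "www." is escaped to mean a literal dot.
rawbody __KAM_OTHER_BAD_TLD1 /https?:\/\/(?:www\.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
header __KAM_OTHER_BAD_TLD2 From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
header __KAM_OTHER_BAD_TLD3 Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i

# Any one of the three sub-tests is enough to fire the rule.
meta KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score KAM_OTHER_BAD_TLD 0.75
describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs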
1422
1423
1424 #RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
# Components, loosely: "<relation> has sent you a card" phrasing (1), known card-spam
# sentences (2), "click here"/IP-literal link phrasing (3), typical subjects (4), and
# attachment or host names in the raw body (5). The unescaped dots in CARD5 (card.zip,
# groups.google.com) match any character, so e.g. an ordinary Google Groups link
# satisfies __KAM_CARD5 on its own.
1425 body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
1426 body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
1427 body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
1428 header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
1429 rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i
1430
1431 describe KAM_CARD Trojan or Virus Payload from fake ecard notice
1432 score KAM_CARD 3.5
# Three of the eight components. An IP-literal link can satisfy both the dotted-quad
# branch of __KAM_CARD3 and __KAM_IPHTTP, contributing two toward the threshold by
# itself. KAM_RPTR_SUSPECT is defined elsewhere in the ruleset.
1433 meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)
1434
1435 #INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
# Four broad keyword subrules: Subject (1), body (2), From (3), body (4). Several
# alternatives are single everyday words ("protection", "secure", "policy", "notice",
# "milestone", "legacy", "estate", "\d+k"), so each subrule hits plenty of legitimate
# mail by itself; only the combinations below score. The unescaped "." in forms like
# term.life is deliberate and matches a space, hyphen or any other single character.
1436 header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
1437 body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
1438 header __KAM_INSURE3 From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
1439 body __KAM_INSURE4 /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i
1440
# KAM_ADVERT2, KAM_LOTSOFHASH and CBJ_GiveMeABreak are defined elsewhere in the ruleset;
# the (a || b || c) group contributes at most one toward the threshold.
1441 describe KAM_INSURE Life, Health, Auto, etc. Insurance SPAMs
1442 score KAM_INSURE 2.5
1443 meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)
1444
# Same expression with a stricter threshold (>= 4). It does not replace KAM_INSURE:
# a message reaching four components fires both, for 2.5 + 2.5.
1445 describe KAM_INSURE2 Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
1446 score KAM_INSURE2 2.5
1447 meta KAM_INSURE2 (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)
1448
1449 #HEALTH INSURANCE
# Five phrase subrules (price-per-month wording, savings/quote phrases in body and raw
# body, and Subject) plus KAM_ADVERT2 (defined elsewhere); four of the six are needed.
# "nationalhealthxchange.com" is written with unescaped dots.
1450 body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
1451 body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
1452 rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
1453 rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
1454 header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i
1455
1456 describe KAM_HEALTH Health/Life Insurance Spam Emails
1457 score KAM_HEALTH 3.0
1458 meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)
1459
1460 #HEALTH INSURANCE
# Narrow variant: the two phrases below AND the stock HTML_MESSAGE rule are all required
# (>= 3 of 3), so it only fires for HTML mail.
1461 body __KAM_HEALTH2_1 /affordable health coverage/i
1462 header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
1463
1464 describe KAM_HEALTH2 Health Insurance Spam Emails
1465 score KAM_HEALTH2 3.0
1466 meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)
1467
1468 #HEALTH INSURANCE
# Term-life variant: Subject wording, a "NN/mo" price in the Subject and a From
# containing "fidelity" (brand-name senders) must all be present (>= 3 of 3).
1469 header __KAM_HEALTH3_1 Subject =~ /Term Life Coverage/i
1470 header __KAM_HEALTH3_2 Subject =~ /\d\d\/mo/i
1471 header __KAM_HEALTH3_3 From =~ /fidelity/i
1472
1473 describe KAM_HEALTH3 Term Life Insurance Spam
1474 score KAM_HEALTH3 3.0
1475 meta KAM_HEALTH3 (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)
1476
1477 #REAL ESTATE INVESTMENT SCAMS
# Five themed phrase lists (location, development, "deal", property type, investor
# talk). All five must hit (>= 5 of 5); low score (1.0).
1478 body __KAM_REAL2_1 /(?:Property available|on the water|costa rica|mountain.top)/i
1479 body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
1480 body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
1481 body __KAM_REAL2_4 /(?:home sites|raw land|vacation home|wooded.property)/i
1482 body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i
1483
1484 describe KAM_REAL2 Real-estate investment scams
1485 score KAM_REAL2 1.0
1486 meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)
1487
1488 #BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
1489
1490 ifplugin Mail::SpamAssassin::Plugin::PDFInfo
1491 #Thanks to Ben Lentz for pointing out a lint error with this.
1492
# KAM_BADPDF itself is a plain Subject rule (stock-tip style "<word>-NNNNN" subjects and
# similar); it sits inside the PDFInfo block because KAM_BADPDF1/2 build on it.
# "pinksheets" appears twice in the alternation -- harmless redundancy.
1493 describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
1494 score KAM_BADPDF 2.5
1495 header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
1496
# GMD_PDF_EMPTY_BODY and GMD_PDF_ENCRYPTED are rules shipped with the PDFInfo plugin;
# both are required here.
1497 describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
1498 score KAM_BADPDF1 2.5
1499 meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
1500
1501 #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
1502 describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
1503 score KAM_BADPDF2 2.5
# Both variants need two of the three PDF/subject signals AND a reverse-PTR signal; with
# the KAMOnly plugin loaded KAM_RPTR_FAILED is accepted as well as KAM_RPTR_SUSPECT.
# The KAM_RPTR_* rules are defined elsewhere in the ruleset.
1504 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1505 meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
1506 else
1507 meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
1508 endif
1509 endif
1510
1511 #BAD PURCHASE ORDER
# Attachment checks on the MIME Content-Type header (invoice/PO names, and "PDF.htm(l)"
# double extensions). Style: the second line spells the header "Content-type"; writing
# both as "Content-Type" keeps the pair consistent.
1512 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1513 mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
1514 mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
1515 endif
1516
# Subject wording. "PO(\b|$)" also matches PO used as an ordinary word (e.g. a PO Box
# line), which is why it only counts in combination below.
1517 header __KAM_BADPO3 Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
1518
# KAM_RAPTOR_ALTERED is defined elsewhere (KAMOnly); both it and the Subject hit are required.
1519 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1520 meta KAM_BADPO (KAM_RAPTOR_ALTERED + __KAM_BADPO3 >= 2)
1521 describe KAM_BADPO Bad Purchase Orders
1522 score KAM_BADPO 5.0
1523 endif
1524
# Needs both mimeheader hits plus the HTML-attachment test T_HTML_ATTACH (all three).
# NOTE(review): this meta is outside the MIMEHeader ifplugin above, so when that plugin is
# not loaded __KAM_BADPO1/2 are undefined -- presumably a lint warning and a rule that
# can never fire; wrapping it in the same ifplugin would make the dependency explicit.
1525 meta KAM_BADPO2 (__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)
1526 describe KAM_BADPO2 Bad Purchase Orders
1527 score KAM_BADPO2 5.0
1528
1529 #PDFCOUNT
# (Heading left over; nothing is defined under it.)
1530
1531 #FAKE PDF READER/WRITE
# Fake "Adobe" software offers: download pitch, product/version strings, a From that
# merely contains "adobe" (brand impersonation), and the Subject. Three of the four are
# needed. The /s flag on the header rules is copied from the body rules and is inert there.
1532 body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
1533 body __KAM_FAKEPDF2 /Reader 2010/is
1534 header __KAM_FAKEPDF3 From =~ /adobe/is
1535 header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
1536
1537 meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
1538 describe KAM_FAKEPDF Fake PDF Reader / Writer
1539 score KAM_FAKEPDF 4.0
1540
1541 #VACU AND VARIOUS PHISHING SCAMS
1542 #SUBJECTS
# Account-alert style subjects (Virginia Credit Union "VACU" wording plus generic ones).
1543 header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
1544 #BANKS
# Bank / card-brand names anywhere in the body.
1545 body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
1546 #BAD LINKS
# Links whose host ends in one of these TLDs followed by "/". The list includes .edu and
# several ccTLDs with plenty of legitimate use, which is why it only counts inside the
# conjunction below.
1547 rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
1548 #STUPID STATEMENTS
# Typical credential-phishing pretexts (unauthorised use, suspension, "confirm your
# details", "extra security check").
1549 body __KAM_PHISH2_4 /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
1550 body __KAM_PHISH2_5 /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
1551 body __KAM_PHISH2_6 /confirm your online banking details|payment.advice|online.fraud|billing.information/i
1552 body __KAM_PHISH2_7 /extra security check|security.tip/i
1553
1554 describe KAM_PHISH2 Prevalent Phishing Scam emails
1555 score KAM_PHISH2 2.0
# Fires only when BOTH a phishy Subject and a bank name are present, AND either a
# suspicious link (an IP literal via __KAM_IPHTTP, a listed TLD, or -- KAMOnly variant --
# a PCCC URIBL listing via __KAM_URIBL_PCCC, defined further down under the URIDNSBL
# plugin) or all four pretext subrules.
1556 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1557 meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
1558 else
1559 meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
1560 endif
1561
1562 #CRAZY HEX EMPTY MESSAGE
# Body starting with an 8-hex-digit token AND a Subject that is nothing but 5-6 digits.
# Both are required; note the high stand-alone score (5.5).
1563 body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
1564 header __KAM_HEX2 Subject =~ /^\d{5,6}$/
1565
1566 describe KAM_HEX Crazy Empty Hex Messages
1567 score KAM_HEX 5.5
1568 meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)
1569
1570 #THE BAT! MAILER USED TOO MUCH FOR SPAM
1571 # I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
# X-Mailer is whatever the sending software (or sender) chose to put there, so this is a
# self-identification test: 1.9 points for every message claiming The Bat!, legitimate
# users included. The author's note above records that doubt.
1572 header KAM_THEBAT X-Mailer =~ /The Bat!/i
1573 describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
1574 score KAM_THEBAT 1.9
1575
1576 #MAILER BUGS
# Literal mail-merge placeholder left unexpanded in the delivered text. NOTE(review): the
# leading "{" is unescaped and relies on Perl treating a brace that cannot be a quantifier
# as a literal; "\{!firstname_fix\}" says the same thing explicitly -- TODO confirm with
# spamassassin --lint on the Perl version in use.
1577 body __KAM_MAILER1 /{!firstname_fix}/i
1578
1579 meta KAM_MAILER (__KAM_MAILER1 >= 1)
1580 score KAM_MAILER 2.0
1581 describe KAM_MAILER Automated Mailer Tag Left in Email
1582
1583 #YET ANOTHER NIGERIAN SCAM VARIANT
# Advance-fee "cheque draft" wording. Both phrases plus __KAM_REFI4 (defined elsewhere)
# are required (>= 3 of 3), so this only fires when that refinance subrule hits too.
1584 body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
1585 body __KAM_CHECK2 /let me know when you recieve your money/i
1586
1587 describe KAM_CHECK Another Nigerian Bank Draft Scam
1588 score KAM_CHECK 3.0
1589 meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)
1590
1591 #SEE OPRAH LIVE!
# Ticket/travel pitch: "airfare", "hotel" and "oprah" in the body plus a "see ... oprah
# ... live" Subject. All four are required (>= 4 of 4).
1592 body __KAM_OPRAH1 /airfare/i
1593 body __KAM_OPRAH2 /hotel/i
1594 body __KAM_OPRAH3 /oprah/i
1595 header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
1596
1597 describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
1598 score KAM_OPRAH 2.5
1599 meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)
1600
1601 #EBAY TIPS
# "Make money on eBay" course pitches; two body phrase lists and a Subject list, all
# three required (>= 3 of 3).
1602 body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
1603 body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
1604 header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
1605
1606 describe KAM_EBAY SPAMs re: eBay Auction Tips
1607 score KAM_EBAY 3.5
1608 meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)
1609
1610 #GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
# Three of the four below. __KAM_GAS4 matches any From containing "gas" (names
# included), so it never scores on its own.
1611 body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
1612 body __KAM_GAS2 /We have a solution|save \d+ cents per gallon|competitive rewards/i
1613 header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
1614 header __KAM_GAS4 From =~ /gas/i
1615
1616 describe KAM_GAS SPAMs re: High Gas Prices
1617 score KAM_GAS 4.5
1618 meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)
1619
1620 #WEIRD BODY MESSAGES
# Scored directly on a body match: the literal, unexpanded template token {_BODY_HTML}.
# NOTE(review): as written the braces are unescaped and depend on Perl treating a brace
# that cannot be a quantifier as a literal; "\{_BODY_HTML\}" is the explicit form --
# TODO confirm with spamassassin --lint.
1621 body KAM_BODY /{_BODY_HTML}/i
1622 score KAM_BODY 1.0
1623 describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting
1624
1625 #FREE TV, SATELLITE, CABLE INTERNET, ETC
# Product names (1), "no monthly fee"/"movies online" style phrases (2), Subject (3) and
# From (4). Only two of the four are needed, and some alternatives are generic
# ("high.speed", "movies online", "product alert").
1626 body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
1627 body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
1628 header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
1629 header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i
1630
1631 meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
1632 score KAM_TV 3.0
1633 describe KAM_TV Free TV/Cable/etc. Scams
1634
# Stacks on KAM_TV when a questionable-TLD hit is also present: both fire (3.0 + 3.5).
1635 meta KAM_TV2 (KAM_TV + KAM_INFOUSMEBIZ >=2)
1636 score KAM_TV2 3.5
1637 describe KAM_TV2 Higher probability of Free TV/Cable/etc. Spams
1638
1639 #DEGREE SPAMS
# Medical-billing / healthcare-degree mill pitches. Three of: the three body lists plus
# KAM_ADVERT2 (defined elsewhere).
1640 body __KAM_CAREER1 /Hospitals need you|Medical Billing and Coding|medical.coding/is
1641 body __KAM_CAREER2 /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
1642 body __KAM_CAREER3 /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is
1643
1644 meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
1645 score KAM_CAREER 5.0
1646 describe KAM_CAREER Spam for Career/Diploma Mills
1647
1648 #NURSE SPAMS
# Nursing-course pitches. The From subrule matches ordinary healthcare senders too, so
# all three (From, Subject, body) are required (>= 3 of 3).
1649 header __KAM_NURSE1 From =~ /nursing|nurses|health.?care/i
1650 header __KAM_NURSE2 Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
1651 body __KAM_NURSE3 /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i
1652
1653 meta KAM_NURSE (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
1654 score KAM_NURSE 3.0
1655 describe KAM_NURSE Spam for Career/Diploma Mills
1656
1657 #PILLS
# "Save NN% on your pills" Subject plus the matching body slogan; both required.
1658 header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
1659 body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
1660
1661 meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
1662 score KAM_PILLS 4.0
1663 describe KAM_PILLS Spam for scam pharmacy
1664
1665 #PILLS 2.0
# Two From-only subrules ("Enlarge"/"Men's Supplement" and "Free Sample"); both must
# appear in the same From header.
1666 header __KAM_PILLS2_1 From =~ /Enlarge|Men's Supplement/i
1667 header __KAM_PILLS2_2 From =~ /Free Sample/i
1668
1669 meta KAM_PILLS2 (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
1670 describe KAM_PILLS2 Male enhancement spams
1671 score KAM_PILLS2 2.5
1672
1673 #ALTERNATE EMAIL
# Single phrase, weak signal (0.5): a request to reply to a different address, a common
# advance-fee pattern.
1674 body __KAM_ALT1 /reply to my alternative E-?mail/is
1675
1676 meta KAM_ALT (__KAM_ALT1 >= 1)
1677 score KAM_ALT 0.5
1678 describe KAM_ALT Requests use of an alternate email which may indicate spam
1679
1680
1681 #POLITICAL SPAMS
1682 #AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
1683
1684 #Right vs Left
# From (1) and body (2) are broad keyword lists ("congress", "judge", "senate", "sen. ",
# "liberty", "governor", "obama", ...) and only count in combination. Received (3) looks
# for known political mailing hosts (dots unescaped); Subject (4) for election wording.
1685 header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
1686 body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
1687 header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
1688 header __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i
1689
# Two of: From hit, body hit, and (Received OR Subject) -- the inner group contributes at
# most one. Nothing here distinguishes unsolicited mail from opted-in political lists,
# so those will hit the same 4.5.
1690 meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
1691 score KAM_POLITICS 4.5
1692 describe KAM_POLITICS Political E-Mails
1693
1694 #SPAMMING COMPANIES
1695
1696 #Wall Street Media
# Single-subrule sender signature: "W$L"/"W$M" followed by Insurance/Mortgage and "New$"
# (space or underscore separated). Scores 5.0 by itself.
1697 header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i
1698
1699 meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1)
1700 score KAM_COMPANY1 5.0
1701 describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be)
1702
1703 #MGM,LLC
# Single body phrase (sender footer); 5.0 by itself.
1704 body __KAM_COMPANY2_1 /Member Services MGM, LLC/is
1705
1706 meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1)
1707 score KAM_COMPANY2 5.0
1708 describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be)
1709
1710 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
1711
1712 #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
1713 #Thanks to AXB for his help with these!
1714
1715 #2013-10-09 Note
1716 #
1717 #These RBLs below can contain domains that can cause collateral damage.
1718 #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
1719 #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
1720 #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
1721 #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
1722 #However, your mileage may vary and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
1723 #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
1724 #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com
1725
1726 if (version >= 3.003000)
1727 #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
# util_rb_2tld / util_rb_3tld register each name as a registrar boundary, so domain
# extraction treats the next label below it as the registrable domain and URIBL lookups
# (the PCCC/SEM rules below and the stock URIBL rules) are done per tenant subdomain
# rather than for the shared parent. The list is mostly shared/free hosting, PaaS and
# edge platforms where every customer gets its own subdomain (herokuapp.com,
# netlify.app, workers.dev, firebaseapp.com, azurewebsites.net, amplifyapp.com,
# glitch.me, ...), mass-mail senders, and two-letter second-level "pseudo-TLDs"
# (ru.com, za.com, sa.com, co.in, in.net). en.alibaba.com is the only 3-level entry.
# The version guard presumably reflects when these directives became available.
1728 util_rb_2tld ning.com
1729 util_rb_2tld mygbiz.com
1730 util_rb_2tld web.com
1731 util_rb_2tld onmicrosoft.com
1732 util_rb_2tld online.de
1733 util_rb_2tld wix.com
1734 util_rb_2tld netdna-cdn.com
1735 util_rb_2tld dreamhost.com
1736 util_rb_2tld noip.us
1737 util_rb_2tld mmsend.com
1738 util_rb_2tld cu-portland.edu
1739 util_rb_2tld jimdo.com
1740 util_rb_2tld doesphotography.com
1741 util_rb_2tld isteaching.com
1742 util_rb_2tld googleapis.com
1743 util_rb_2tld a2hosted.com
1744 util_rb_2tld netlify.app
1745 util_rb_2tld kriya.ai
1746 util_rb_2tld usekalendarai.com
1747 util_rb_2tld trykalendarai.com
1748 util_rb_2tld outrch.com
1749 util_rb_2tld campaign-view.com
1750 util_rb_2tld fameup.net
1751 util_rb_2tld msgfocus.com
1752 util_rb_2tld herokuapp.com
1753 util_rb_2tld boxmode.io
1754 util_rb_2tld amplifyapp.com
1755 util_rb_2tld azurewebsites.net
1756 util_rb_2tld wixsite.com
1757 util_rb_2tld workers.dev
1758 util_rb_2tld in.net
1759 util_rb_2tld ru.com
1760 util_rb_2tld za.com
1761 util_rb_2tld sa.com
1762 util_rb_2tld hubspot-inbox.com
1763 util_rb_3tld en.alibaba.com
1764 util_rb_2tld co.in
1765 util_rb_2tld firebaseapp.com
1766 util_rb_2tld glitch.me
1767 util_rb_2tld awsapps.com
1768 util_rb_2tld app.link
1769 util_rb_2tld glueup.com
1770 util_rb_2tld radio.am
1771 util_rb_2tld wufoo.com
1772 endif
1773
1774 # allow URI rules to look at DKIM headers if they exist and our SA version supports it
# With parse_dkim_uris on, domains found in DKIM-Signature headers are added to the set
# of URIs the URIBL rules below check, so a listed signing domain can hit even when the
# body carries no link to it. Option exists from 3.4.1, hence the guard.
1775 if (version >= 3.004001)
1776 parse_dkim_uris 1
1777 endif
1778
1779 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1780 #BAD URI IN BODY
# wild.pccc.com. is a single zone multiplexed by return code: 127.0.0.4 = bad URI,
# 127.0.0.32 = marketing, and further down 127.0.1.2 = compromised, 127.0.1.8 = welcome
# list. Every rule in this block carries "tflags net" and is skipped in local-only runs.
# NOTE(review): the check_uridnsbl() argument says 'KAM_URIBL_PCCC' while the urirhssub
# rule is KAM_BODY_URIBL_PCCC. Current SpamAssassin keys the lookup on the rule being
# evaluated rather than on this argument -- TODO confirm with spamassassin --lint;
# giving both the same name removes the doubt either way.
1781 urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. A 127.0.0.4
1782 body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC')
1783 describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1784 tflags KAM_BODY_URIBL_PCCC net
1785 score KAM_BODY_URIBL_PCCC 9.0
1786
1787 if (version >= 3.004001)
1788 #BAD URI IN FROM
1789 #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
# Same zone and return code as the body rule, applied to the domain of the From
# address(es). 3.4.1+ only, so __KAM_URIBL_PCCC below has this as an optional component.
1790 header KAM_FROM_URIBL_PCCC eval:check_rbl_from_domain('pccc-from-uribl', 'wild.pccc.com.', '127.0.0.4')
1791 describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1792 tflags KAM_FROM_URIBL_PCCC net
1793 score KAM_FROM_URIBL_PCCC 9.0
1794 endif
1795
1796 #MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS
# Informational (0.001): meant to be combined in metas, not to score on its own.
1797 urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32
1798 body KAM_BODY_MARKETINGBL_PCCC eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
1799 describe KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
1800 tflags KAM_BODY_MARKETINGBL_PCCC net
1801 score KAM_BODY_MARKETINGBL_PCCC 0.001
1802
1803 if (version >= 3.004001)
1804 #MARKETING IN FROM
1805 header KAM_FROM_MARKETINGBL_PCCC eval:check_rbl_from_domain('pccc-marketing', 'wild.pccc.com.', '127.0.0.32')
1806 describe KAM_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL)
1807 tflags KAM_FROM_MARKETINGBL_PCCC net
1808
1809 score KAM_FROM_MARKETINGBL_PCCC 0.001
1810
# Either marketing hit; this 1.0 is the only marketing score that actually counts.
1811 meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
1812 describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
1813 score KAM_MARKETINGBL_PCCC 1.0
1814 tflags KAM_MARKETINGBL_PCCC net
1815 endif
1816
1817 # SEM-FRESHZERO
# Spam Eating Monkey "fresh" zones (a third-party service): domain never seen before,
# registered < 5 days ago, registered < 10 days ago. The return value is given in the
# numeric form ("A 2") rather than as a dotted quad.
1818 urirhssub SEM_FRESHZERO freshzero.spameatingmonkey.net. A 2
1819 body SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')
1820 describe SEM_FRESHZERO Contains a domain never seen before
1821 tflags SEM_FRESHZERO net
1822 score SEM_FRESHZERO 2.5
1823 # SEM-FRESH
1824 urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
1825 body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
1826 describe SEM_FRESH Contains a domain registered less than 5 days ago
1827 tflags SEM_FRESH net
1828 score SEM_FRESH 2.0
1829 # SEM-FRESH10
1830 urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2
1831 body SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')
1832 describe SEM_FRESH10 Contains a domain registered less than 10 days ago
1833 tflags SEM_FRESH10 net
1834 score SEM_FRESH10 1.5
1835
# Informational umbrella (0.001) for use in metas; the three component rules above
# already carry the score.
1836 meta KAM_SEMFRESH (SEM_FRESHZERO || SEM_FRESH || SEM_FRESH10 )
1837 describe KAM_SEMFRESH Contains a domain recently registered
1838 tflags KAM_SEMFRESH net
1839 score KAM_SEMFRESH 0.001
1840 endif
1841
1842 if (version >= 3.004001)
1843 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1844 #Compromised URI - In Body
# Return code 127.0.1.2 on the same wild.pccc.com. zone: otherwise-legitimate domains
# currently serving abusive content.
# NOTE(review): this rule and KAM_BODY_WELCOMELIST_URIBL_PCCC below both pass the same
# literal 'KAM_URIBL2_PCCC' to check_uridnsbl() while binding different return codes.
# That can only work if the argument is ignored in favour of the rule name -- TODO
# confirm; naming each argument after its own rule avoids the question.
1845 urirhssub KAM_BODY_COMPROMISED_URIBL_PCCC wild.pccc.com. A 127.0.1.2
1846 body KAM_BODY_COMPROMISED_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
1847 describe KAM_BODY_COMPROMISED_URIBL_PCCC Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
1848 tflags KAM_BODY_COMPROMISED_URIBL_PCCC net
1849 score KAM_BODY_COMPROMISED_URIBL_PCCC 9.0
1850
1851 #Contains a likely good URI but otherwise compromised by malware/hackers
1852 header KAM_FROM_COMPROMISED_URIBL_PCCC eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
1853 describe KAM_FROM_COMPROMISED_URIBL_PCCC From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
1854 tflags KAM_FROM_COMPROMISED_URIBL_PCCC net
1855 score KAM_FROM_COMPROMISED_URIBL_PCCC 9.0
1856
1857 #Welcome List URI - In Body
# Return code 127.0.1.8 is a DNS-published welcome list; "nice" marks the rule as
# negative-scoring. At -7.0 one welcome-listed link offsets a 9.0 bad/compromised listing
# down to 2.0, and the answer arrives over a plain, unauthenticated DNS lookup -- bear
# both in mind when deciding how much weight to give it locally.
1858 urirhssub KAM_BODY_WELCOMELIST_URIBL_PCCC wild.pccc.com. A 127.0.1.8
1859 body KAM_BODY_WELCOMELIST_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
1860 describe KAM_BODY_WELCOMELIST_URIBL_PCCC Body contains URI listed in PCCC Welcome List URIBL (https://raptor.pccc.com/RBL)
1861 tflags KAM_BODY_WELCOMELIST_URIBL_PCCC net nice
1862 score KAM_BODY_WELCOMELIST_URIBL_PCCC -7.0
1863 endif
1864 endif
1865
1866 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1867 #Received - Currently disabled for more research on FPs
1868 #header KAM_RCVD_URIBL_PCCC eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
1869 #describe KAM_RCVD_URIBL_PCCC Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1870 #tflags KAM_RCVD_URIBL_PCCC net
1871 #score KAM_RCVD_URIBL_PCCC 5.0
1872
1873 #Reply-to
1874 #NO SOLUTION - Would make a Good Bugzilla for a FR
1875
1876 #Test for any hits on PCCC URIBL Rules
# Either the body or the From listing. Consumed by KAM_PHISH2 (above) and KAM_MX (below).
# NOTE(review): KAM_FROM_URIBL_PCCC is only defined when version >= 3.4.1 (see its guard
# above) while this meta references it unconditionally; on older versions that is an
# undefined dependency, presumably reported at lint time.
1877 meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1)
1878
1879 endif
1880
1881 #Test for URIBL Black and Spamhaus DBL per discussion with Alex Broens
# Both stock network rules must hit (URIBL_BLACK and URIBL_DBL_SPAM); adds 5.0 on top of
# their own scores. Network test, so skipped in local-only runs.
1882 meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM)
1883 describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL
1884 score KAM_VERY_BLACK_DBL 5.0
1885 tflags KAM_VERY_BLACK_DBL net
1886
1887 endif
1888
1889 #EMAIL BLACKLIST CHECK FOR PCCC RBL
# HashBL lookup of e-mail addresses: addresses harvested from the From headers
# (ALLFROM), Reply-To and the body are hashed (md5), at most 10 of them in shuffled
# order, and queried against wild.pccc.com; a 127.0.0.64 answer is a hit. The trailing
# 'freemail' option restricts the check to freemail addresses. Since the hashes of
# addresses seen in mail are sent to the zone operator, treat this as a network/privacy
# trade-off like any other external lookup. Needs 3.4.3+ and the HashBL plugin.
1890 if (version >= 3.004003)
1891 ifplugin Mail::SpamAssassin::Plugin::HashBL
1892 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1893 header KAM_MESSAGE_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5/max=10/shuffle', 'ALLFROM/Reply-To/body', '^127\.0\.0\.64', 'freemail')
1894 describe KAM_MESSAGE_HASHBL_FREEMAIL Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1895 tflags KAM_MESSAGE_HASHBL_FREEMAIL net
1896 score KAM_MESSAGE_HASHBL_FREEMAIL 6.0
1897 endif
1898 endif
1899 endif
1900
1901 #FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES
# Local part ending in a letter, optional dot, then exactly 3 digits (NUM0) or 5-10
# digits (NUM1) at gmail/hotmail/yahoo. A 4-digit run matches neither -- presumably
# deliberate, since birth years are common in legitimate addresses.
1902 header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{3}\@(gmail|hotmail|yahoo)\.com/i
1903 header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?\d{5,10}\@(gmail|hotmail|yahoo)\.com/i
1904 meta GB_FREEMAIL_NUM ( __GB_FREEMAIL_NUM0 || __GB_FREEMAIL_NUM1 )
1905 describe GB_FREEMAIL_NUM Freemail spammy address
1906 score GB_FREEMAIL_NUM 1.0
1907
# Gmail-specific escalation, only when the message did NOT pass a DMARC reject policy
# (KAM_DMARC_NONE / KAM_DMARC_QUARANTINE are defined elsewhere in the ruleset).
1908 header __GB_FREEMAIL_GMAIL From:addr =~ /\@gmail\.com/i
1909 meta GB_GMAIL_NUM ( GB_FREEMAIL_NUM && __GB_FREEMAIL_GMAIL && ( KAM_DMARC_NONE || KAM_DMARC_QUARANTINE ) )
1910 describe GB_GMAIL_NUM Spam from random Gmail address
1911 score GB_GMAIL_NUM 2.0
1912
# Escalation on UNWANTED_LANGUAGE_BODY (the stock TextCat rule driven by the site's
# ok_languages setting).
1913 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1914 meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY )
1915 describe GB_UNWANTED_FREE_NUM Freemail spammy address and unwanted language
1916 score GB_UNWANTED_FREE_NUM 3.0
1917 endif
1918
1919 #FAKERBL MX RELATED RULES
# Hostname shapes seen from the "FAKERBL" spammers: "@mxNN." in Reply-To / Return-Path,
# and Received hostnames of the form <prefix><digits>., 8-hex-digit ".ptr." labels, or
# <2-4 letters><digits>.<something>.info. __KAM_MX3's prefixes include "m" and "host",
# so it matches a great many ordinary hostnames -- it is a component only.
1920 header __KAM_MX1 Reply-To =~ /\@mx\d+\./i
1921 header __KAM_MX2 Return-Path =~ /\@mx\d+\./i
1922 header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
1923 header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
1924 # Thanks to Markus Clardy for feedback!
1925 header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i
1926
# Any one of the five.
1927 meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
1928 describe __KAM_MX Odd prevalence of mx records associated with the FAKERBL Spammers
1929
1930 #CHANGED KAMOnly
1931 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1932
# Hostname shape plus a URIBL listing (PCCC via __KAM_URIBL_PCCC, or the stock
# URIBL_BLACK). __KAM_URIBL_PCCC is defined under the URIDNSBL ifplugin above; if that
# plugin is not loaded this meta presumably lint-warns on the missing dependency.
1933 meta KAM_MX (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
1934 score KAM_MX 4.0
1935 describe KAM_MX Spammers and MX Rule
1936
1937 endif
1938
# The .info hostname shape alone, at a low score.
1939 meta KAM_MXINFO (__KAM_MX5)
1940 score KAM_MXINFO 1.0
1941 describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers
1942
1943 #BAD NAMES
# Organisation names seen in bulk mail, in the body (1) and in From (2). Both are
# components only; the meta that consumes them is not in this section, presumably
# defined elsewhere in the ruleset. Dots in names such as "R. Allen Media" are
# unescaped and match any character.
1944 body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i
1945
1946 header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i
1947
1948 #GRASS SEED
# Lawn-product pitches. The From subrule is just three common words, so all three
# (From, Subject, body) are required (>= 3 of 3).
1949 header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i
1950 header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
1951 body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i
1952
1953 meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
1954 score KAM_GRASS 2.5
1955 describe KAM_GRASS Spammers hawking lawn products
1956
1957 #PED EGG / BELISI / SKIN PRODUCTS
# Product names and anti-aging phrases in From (1), Subject (2), raw body (3) and body
# (4). Several From/Subject alternatives are single words ("youth", "ellen", "botox",
# "your.skin"), so they only count in combination. In __KAM_SKIN1 the grouping
# parenthesis closes after "nufori?a" while the alternation continues outside it; since
# the group is at top level this does not change what matches.
1958 header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
1959 header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
1960 rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
1961 body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i
1962
# Three of nine components; KAM_ADVERT2, __KAM_TRIAL and __KAM_OZ1..3 are defined
# elsewhere in the ruleset.
1963 meta KAM_SKIN (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
1964 score KAM_SKIN 3.5
1965 describe KAM_SKIN Spammers hawking skin/medical/foot products
1966
# Same expression at >= 4; fires in addition to KAM_SKIN, for 3.5 + 2.5 = 6.0 in total.
1967 meta KAM_SKIN2 (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
1968 score KAM_SKIN2 2.5
1969 describe KAM_SKIN2 Spammers hawking skin/medical/foot products
1970
1971 #NEW CAR / WARRANTY SCAMS
1972 header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
1973 body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
1974 body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
1975 header __KAM_CAR4 From =~ /warranty|lender|clearance/i
1976
1977 meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
1978 score KAM_CAR 2.0
1979 describe KAM_CAR Spammers hawking new car, insurance or warranties
1980
1981 # MORE NEW CAR SPAMS
# Throughout this group an unescaped "." between words is used as a one-character
# wildcard (space, dash, underscore, etc.) rather than a literal period.
1982 header __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
# Several From alternatives ("ford", "gm", "motor") are short, unanchored substrings
# and will hit many unrelated senders; the 3-of-4 threshold below is what keeps
# this sub-rule from firing the meta on its own.
1983 header __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
# NOTE(review): "auto(mobile?).recall" only makes the trailing "e" optional, so
# "auto recall" is not matched; "auto(mobile)?.recall" was probably intended - confirm.
1984 body __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i
1985
# The parenthesised OR group contributes at most 1 point no matter how many of the
# three TLD/sender rules hit. KAM_COUK, KAM_OTHER_BAD_TLD and CBJ_GiveMeABreak are
# defined elsewhere in the ruleset.
1986 meta KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
1987 describe KAM_AUTO Spam for new cars
1988 score KAM_AUTO 4.5
1989
1990 #HOME WARRANTY SPAMS
1991 header __KAM_WARRANTY1 Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house|have you covered/i
1992 body __KAM_WARRANTY2 /Protect your home|choice home warranty|unexpected repair/i
1993 body __KAM_WARRANTY3 /home warrant|complimentary insurance quote/i
1994 header __KAM_WARRANTY4 From =~ /Choice.?Home.?Warrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i
1995
# KAM_WARRANTY (>= 3) and KAM_WARRANTY3 (>= 4) evaluate the same sum, so they
# stack: a message with 4+ hits scores 1.5 + 1.5 = 3.0. CBJ_GiveMeABreak is
# defined elsewhere in the ruleset.
1996 meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
1997 score KAM_WARRANTY 1.5
1998 describe KAM_WARRANTY Spammers hawking home warranties
1999
# Escalation: adds a further 3.5 when KAM_WARRANTY fires together with
# KAM_INFOUSMEBIZ (defined elsewhere), on top of the scores above.
2000 meta KAM_WARRANTY2 (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
2001 score KAM_WARRANTY2 3.5
2002 describe KAM_WARRANTY2 Spammers pushing home warranties
2003
# Same sub-rules as KAM_WARRANTY, one hit stricter (see note above on stacking).
2004 meta KAM_WARRANTY3 (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
2005 score KAM_WARRANTY3 1.5
2006 describe KAM_WARRANTY3 Spammers hawking home warranties
2007
2008 #AWESOME AUGER
2009 header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i
2010 body __KAM_AUGER2 /Awesome Auger/i
2011
2012 meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2)
2013 score KAM_AUGER 4.0
2014 describe KAM_AUGER Spammers hawking Awesome Augers?!?
2015
2016 #MOVIE EXTRA
2017 header __KAM_MOVIE1 Subject =~ /Movie Extra/i
2018 body __KAM_MOVIE2 /Movie Extra/i
2019
2020 meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
2021 score KAM_MOVIE 3.0
2022 describe KAM_MOVIE Spammers hawking Movie Extra positions
2023
2024 #DEBT COLLECTION
2025 header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i
2026 body __KAM_COLLECT2 /No Fee/i
2027 body __KAM_COLLECT3 /collection professionals/i
2028 body __KAM_COLLECT4 /recovery rate/i
2029
2030 meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
2031 score KAM_COLLECT 5.0
2032 describe KAM_COLLECT Spammers hawking debt collection
2033
2034
2035 #SEARCH ENGINE SPAM
2036 #Subj
2037 header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO|web design|on page 1|top rank|info & cost/i
2038 #what specific
2039 body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing (manager|strateg)/i
2040 tflags __KAM_SEARCH2 nosubject
2041 #ranking
2042 body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|\(India\)|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO|rank on page (1|one)|top page ranking|white.?hat SEO/i
2043 tflags __KAM_SEARCH3 nosubject
2044 #how
# NOTE(review): "improve your website traffice" only matches that misspelling, so
# the correctly spelled phrase is not covered; if the typo was copied from a
# sample that is fine, otherwise "traffic" was probably intended - confirm.
# The bare alternative "keyword" is an unanchored common word; the 5-hit
# threshold in KAM_SEARCH is what offsets that breadth.
2045 body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you (our past work|quote)|website audit|seo (package|campaign)|package for \d+ keyword/i
2046 #who
2047 rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|(marketing|sales) manager/i
2048
2049 meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 + FREEMAIL_FROM >= 5)
2050 score KAM_SEARCH 7.5
2051 describe KAM_SEARCH Spammers hawking SEO
2052
2053 #SEO
2054 header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|rank|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website|getting online sales/i
2055 #what we give you
2056 body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report|higher search rank|top \d+ search engine rank/i
# "nosubject" keeps this body rule from also scanning the Subject, so a phrase
# that hits the Subject-specific rule above is not counted twice.
2057 tflags __KAM_SEO2 nosubject
2058 #what we do/fix
2059 body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website|increase your organic traffic/i
2060 #SEO
2061 body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
2062 #costs
2063 body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|(plan of action|proposal) for your website/i
2064 #SEO Indicators
2065 body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing|panda.?safe|digital marketing/i
2066 # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
# Matches any URI at all; it is only used negated in the meta below, where
# "!__KAM_SEO7" adds one point when the message contains no URI whatsoever.
2067 uri __KAM_SEO7 /./
2068
# 5 of 8 signals required. KAM_ADVERT2 is defined elsewhere in the ruleset.
# At 7.0 this meta alone clears SpamAssassin's default 5.0 required_score.
2069 meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
2070 score KAM_SEO 7.0
2071 describe KAM_SEO Spammers hawking SEO
2072
2073 #ABUSED FREEMAIL ACCOUNTS
2074 #header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
2075 #header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
2076 #meta __KAM_FREEMAIL (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
2077
2078 #LINGERIE VIDEOS
2079 #header __KAM_LINGERIE1 From =~ /lexi campbell/i
2080 #header __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
2081 #header __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
2082 #body __KAM_LINGERIE4 /Exotic modelling videos/i
2083
2084 #meta KAM_LINGERIE (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
2085 #score KAM_LINGERIE 10.0
2086 #describe KAM_LINGERIE Sexually Explicit Lingerie Spam
2087
2088
2089 #WEB DESIGN
2090 header __KAM_WEB1 Subject =~ /(app|Web|software).?(proposal|Design|programming|Development)/i
2091
2092 #service
2093 body __KAM_WEB2 /indian?.based.(web|it)|certified.it.company|offering Website Design|(expert|based) in india|software development.{0,2}firm|develop your web/i
2094 tflags __KAM_WEB2 nosubject
2095 #title
2096 body __KAM_WEB3 /Online Marketing (Executive|Consultant)|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i
2097
2098 meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
2099 score KAM_WEB 4.0
2100 describe KAM_WEB Web design spams
2101
2102 #DOMAIN NAME AND OTHER RELATED SPAMS
2103 body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
2104 body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
2105 body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
# "domain" alone is a very broad From match; it is only ever counted inside the
# bounded sub-expression of the meta below.
2106 header __KAM_DOMAIN4 From =~ /domain|submit.site/i
2107 #header __KAM_DOMAIN5 Subject =~ /\.com$/i
2108
# The inner "(__KAM_DOMAIN4 + FREEMAIL_FROM >= 1)" evaluates to 0 or 1, so the two
# sender-based signals together contribute at most one point; the other two
# points must come from body rules. FREEMAIL_FROM is a stock SpamAssassin rule.
# At 8.5 this meta alone clears the default 5.0 required_score.
2109 meta KAM_DOMAIN (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + (__KAM_DOMAIN4 + FREEMAIL_FROM >= 1) >= 3)
2110 score KAM_DOMAIN 8.5
2111 describe KAM_DOMAIN Domain Selling Spams
2112
2113 #MEDICAL TOURISM SPAM
2114 body __KAM_MEDTOUR1 /medical.tourism/i
2115 body __KAM_MEDTOUR2 /lowest cost in India/i
2116 header __KAM_MEDTOUR3 Subject =~ /Medical.Tourism/i
2117
2118 meta KAM_MEDTOUR (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
2119 score KAM_MEDTOUR 3.0
2120 describe KAM_MEDTOUR Medical Tourism Spam
2121
2122 #ACNE SPAM
2123 header __KAM_ACNE1 Subject =~ /Proactiv/i
2124 header __KAM_ACNE2 From =~ /Acne/i
2125 body __KAM_ACNE3 /proactiv/i
2126 body __KAM_ACNE4 /Online Gift Rewards/i
2127
2128 meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
2129 score KAM_ACNE 5.0
2130 describe KAM_ACNE Spammers hawking Acne products
2131
2132 #SOFTWARE SPAM
2133 header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i
2134 header __KAM_SOFTWARE2 From =~ /registry/i
2135 body __KAM_SOFTWARE3 /Fix file errors/i
2136 body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i
2137
2138 meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
2139 score KAM_SOFTWARE 5.0
2140 describe KAM_SOFTWARE Spammers hawking Software products
2141
2142 #NIGERIAN SCAM SCAN
# Advance-fee fraud vocabulary. Several sub-rules below are single common words
# ("bank", "cheque", "courier", "scam"); the design relies on the 6-of-10
# threshold in the meta rather than on any one sub-rule being specific.
2143 header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
2144 body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director|former.minister|gold.dealer/i
2145 body __KAM_NIGERIAN2_3 /high court|central bank|payment center|customs?.officer/i
2146 body __KAM_NIGERIAN2_4 /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
2147 body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft|oil.and.gas/i
2148 body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
# Deliberately broad: any mention of "bank" or "smuggle" counts one point.
2149 body __KAM_NIGERIAN2_7 /bank|smuggle/i
2150 body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
2151 body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i
2152
# __KAM_REFI4 is defined elsewhere in the ruleset.
2153 meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
2154 score KAM_NIGERIAN2 5.0
2155 describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam.
2156
2157 #MEDICAL
2158 body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
2159 body __KAM_MEDICAL2 /Safe - Natural - Effective/i
2160 header __KAM_MEDICAL3 From =~ /Medical/i
2161 header __KAM_MEDICAL4 Subject =~ /Medical Billing/i
2162
2163 meta KAM_MEDICAL (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
2164 score KAM_MEDICAL 4.0
2165 describe KAM_MEDICAL Misc medical spam
2166
2167 #EAR RINGING
2168 body __KAM_TINNI1 /TinniFix/i
2169 body __KAM_TINNI2 /Stop the ringing in your ears/i
2170 header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i
2171
2172 meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
2173 score KAM_TINNI 5.0
2174 describe KAM_TINNI Another Medical Scam
2175
2176 #GIVEAWAY
2177 body __KAM_GIVE1 /receive your gift/i
2178 body __KAM_GIVE2 /laptop giveaway|deliver your dell.? laptop/i
2179 body __KAM_GIVE3 /answering a short survey/i
2180 body __KAM_GIVE4 /verify your shipping address/i
2181
2182 meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
2183 score KAM_GIVE 4.0
2184 describe KAM_GIVE Free stuff "giveaway" scam
2185
2186 #GOVERNMENT MONEY
2187 header __KAM_GOVT1 Subject =~ /Government Funding/i
2188 body __KAM_GOVT2 /government funding/i
2189 body __KAM_GOVT3 /complimentary information kit/i
2190 body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i
2191
2192 meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
2193 score KAM_GOVT 4.0
2194 describe KAM_GOVT Your tax dollars at work scam...
2195
2196 #RBL TRUST RULES
# Both stock DNS-list rules must hit; this adds 2.0 on top of their own scores.
# URIBL_BLACK and RCVD_IN_PBL are network tests, so this meta can only fire on
# installations where network/DNS checks are enabled.
2197 meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2)
2198 score KAM_RBL 2.0
2199 describe KAM_RBL Higher scores for hitting multiple trusted RBLs
2200
2201 #KAM CNN
2202 header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i
2203
2204 meta KAM_CNN (__KAM_CNN1 == 1)
2205 score KAM_CNN 2.0
2206 describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams
2207
2208 #SNUGGIE BLANKETS / SHAM WOW
2209 header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i
2210 header __KAM_SHAM2 From =~ /Sham ?Wow/i
2211 body __KAM_SHAM3 /ShamWow/i
2212 body __KAM_SHAM4 /20(X| times) its weight/i
2213
2214 meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
2215 score KAM_SHAM 2.0
2216 describe KAM_SHAM More product scams...
2217
2218 #SANTA LETTERS
2219 header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
2220 body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i
2221 body __KAM_SANTA3 /the .?perfect.? gift|personalized letter/i
2222
2223 meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
2224 score KAM_SANTA 3.5
2225 describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam...
2226
2227 #WORK FOR / LEARN GOOGLE
2228 header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
2229 body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
2230 body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
2231 body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i
2232 header __KAM_GOOGLE5 From =~ /Google Money/i
2233
2234 meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
2235 score KAM_GOOGLE 3.5
2236 describe KAM_GOOGLE Google Pyramid Scams
2237
2238 #SECURITY / ALARM
2239 header __KAM_ALARM1 Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
2240 body __KAM_ALARM2 /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
2241 rawbody __KAM_ALARM3 /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
2242 header __KAM_ALARM4 From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i
2243
2244 meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
2245 score KAM_ALARM 4.5
2246 describe KAM_ALARM Security and Alarm Company Spams
2247
2248 rawbody __KAM_ALARM5 /gaylord/i
2249
2250 meta KAM_ALARM2 (KAM_ALARM && __KAM_ALARM5)
2251 score KAM_ALARM2 2.5
2252 describe KAM_ALARM2 High Probability of Security and Alarm Company Spams
2253
2254 #SELL CARDS
2255 header __KAM_SELL1 Subject =~ /Market Credit Cards/i
2256 body __KAM_SELL2 /Easy Money/i
2257 body __KAM_SELL3 /Selling Credit Cards/i
2258
2259 meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
2260 score KAM_SELL 3.5
2261 describe KAM_SELL Selling Cards Marketing Scams
2262
2263 #WHITEN TEETH
2264 header __KAM_WHITEN1 Subject =~ /whiten your teeth/i
2265 body __KAM_WHITEN2 /whitener/i
2266 body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i
2267
2268 meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
2269 score KAM_WHITEN 3.5
2270 describe KAM_WHITEN Teeth Whitening Scams
2271
2272 #URONLINE
2273 body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
2274 body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
2275 body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
2276 header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i
2277
2278 meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
2279 score KAM_URONLINE 4.5
2280 describe KAM_URONLINE Chat Scams
2281
2282 #TIMESHARE
2283 body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
2284 body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
2285 header __KAM_TIMESHARE3 Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
2286 header __KAM_TIMESHARE4 From =~ /Resort.*sales|timeshare/i
2287
2288 meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
2289 score KAM_TIMESHARE 4.0
2290 describe KAM_TIMESHARE Timeshare Scams
2291
2292 #AQUA GLOBE
2293 body __KAM_AQUA1 /Aqua Globe/is
2294 body __KAM_AQUA2 /watering your plants/is
2295 body __KAM_AQUA3 /while on vacation/is
2296 header __KAM_AQUA4 Subject =~ /Waters your Plants/i
2297
2298 meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
2299 score KAM_AQUA 3.0
2300 describe KAM_AQUA Spams of yet another product du jour
2301
2302 #GEVALIA
2303 body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
2304 body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
2305 body __KAM_GEVALIA3 /No Further Obligation/is
2306 header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
2307
2308 meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
2309 score KAM_GEVALIA 3.0
2310 describe KAM_GEVALIA Spams of yet another product du jour
2311
2312 #SIMPLYINK
2313 body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
2314 header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
2315 header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i
2316
2317 meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
2318 score KAM_INK 4.0
2319 describe KAM_INK Spams of yet another product du jour
2320
2321 meta KAM_INK2 (KAM_INK + KAM_INFOUSMEBIZ >= 2)
2322 score KAM_INK2 3.0
2323 describe KAM_INK2 Spams for Ink refills
2324
2325 #TITAN PEELER
2326 body __KAM_PEEL1 /Titan Peeler/is
2327 header __KAM_PEEL2 From =~ /Titan Peeler/i
2328 header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
2329
2330 meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
2331 score KAM_PEEL 3.0
2332 describe KAM_PEEL Spams of yet another product du jour
2333
2334 #HTML EMAIL REQUIRING IMAGES?
2335 rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is
2336
2337 #RATWARE
# These match literal, unexpanded mail-merge placeholders ("@fromname@",
# "[FName]", "%{AUTOVALS") that a bulk mailer left in the headers when its
# template interpolation failed.
2338 header __KAM_RAT1_1 From =~ /\@fromname\@/i
2339 header __KAM_RAT1_2 Subject =~ /(\[FName\]|\%\{AUTOVALS)/i
2340
# Either placeholder is enough (>= 1); at 5.0 this alone clears the default
# 5.0 required_score.
2341 meta KAM_RAT1 (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
2342 score KAM_RAT1 5.0
2343 describe KAM_RAT1 Variable Replacements Indicative of RatWare/Mass Mailing
2344
2345 body __KAM_RAT2_1 /job description/i
2346 body __KAM_RAT2_2 /dear shopper/i
2347 header __KAM_RAT2_3 From =~ /mystery/i
2348
2349 meta KAM_RAT2 (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
2350 score KAM_RAT2 5.0
2351 describe KAM_RAT2 Another ratware mistake, uninterpolated text
2352
2353 #TITAN EGGER
2354 body __KAM_EGG1 /Egg Genie/is
2355 header __KAM_EGG2 From =~ /Egg Genie/i
2356 header __KAM_EGG3 Subject =~ /medium eggs/i
2357
2358 meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
2359 score KAM_EGG 3.0
2360 describe KAM_EGG Spams of yet another product du jour
2361
2362 #USBDRIVES
2363 body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
2364 body __KAM_USB2 /person (that|who) handles the promotions/i
2365 body __KAM_USB3 /usbsmg.com/i
2366
2367 meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
2368 score KAM_USB 4.0
2369 describe KAM_USB USB Promotion Spammer
2370
2371 #GOVT GRANT
2372 body __KAM_GRANT1 /government grant/i
2373 body __KAM_GRANT2 /find out if you qualify/i
2374 body __KAM_GRANT3 /discontinue from this promotion/i
2375
2376 meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
2377 score KAM_GRANT 5.0
2378 describe KAM_GRANT Government Grant Scams
2379
2380 #SEX SCAMS
2381 #MEDICINE REFERENCES
2382 body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
2383 #BED REFERENCES
2384 body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
2385 #SUBJECT REFERENCES
2386 header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
2387 #SEXUAL REFERENCES
2388 body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality|sex with new boys/is
2389
2390 meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
2391 score KAM_SEX04 10.0
2392 describe KAM_SEX04 Sexually Explicit SPAM
2393
2394
2395 meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
2396 score KAM_SEX04_2 2.0
2397 describe KAM_SEX04_2 Likely Sexually Explicit SPAM
2398
2399 #Another Sexually Explicit Email
2400 meta KAM_SEX07 (__KAM_SUBJECT_SINGLEWORD + __KAM_SEX04_4 >= 2)
2401 score KAM_SEX07 5.0
2402 describe KAM_SEX07 Sexually Explicit SPAM
2403
2404 #SEX SCAMS ROUND 5
2405 header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
2406 body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
2407
2408 meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
2409 score KAM_SEX05 5.0
2410 describe KAM_SEX05 Sexually Explicit SPAM
2411
2412 #FOOTBALL CLUB SPAMS
2413 header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
2414 header __KAM_FOOTBALL2 From =~ /Football/i
2415 body __KAM_FOOTBALL3 /Mercato/i
2416 body __KAM_FOOTBALL4 /Football/i
2417
2418 meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
2419 score KAM_FOOTBALL 4.0
2420 describe KAM_FOOTBALL Spammy Football Club
2421
2422 #DISH NETWORK SPAMS AND OTHER TV SPAM
2423 header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
2424 header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
2425 rawbody __KAM_DISH3 /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i
2426
2427 meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
2428 score KAM_DISH 4.0
2429 describe KAM_DISH Dish Network Spams
2430
2431 meta KAM_DISH2 (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
2432 score KAM_DISH2 4.0
2433 describe KAM_DISH2 Dish Network Spams
2434
2435 #IDENTITY NETWORK
# Sender-specific rule. The "." in the domain is unescaped and so matches any
# character; harmless here since both sub-rules must hit.
2436 header __KAM_IDENTNET1 From =~ /\@identitynetwork.net/i
2437 body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
2438
2439 meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
2440 score KAM_IDENTNET 8.0
2441 describe KAM_IDENTNET Identity Network Spams
2442
2443 #HONEYPOT HITS
2444 #body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
2445 #header __KAM_HONEY2 From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i
2446
2447 #meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
2448 #score KAM_HONEY 12.0
2449 #describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means
2450
2451 #MEDIA DUCHESS
# DUCHESS1 inspects the Received chain, so the sending domains are still caught
# when the From header is changed; DUCHESS2 is the same list against From.
# The "." in each domain is unescaped (matches any character).
2452 header __KAM_DUCHESS1 Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
2453 header __KAM_DUCHESS2 From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
2454
2455 body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
2456 rawbody __KAM_DUCHESS4 /duchess/i
# Plain-http link to a .info host whose path is 30+ letters followed by a quote
# or slash; presumably the campaign's per-recipient tracking links - confirm
# against a sample before widening.
2457 rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
2458 body __KAM_DUCHESS6 /For account number:/i
2459
# The inner "(... >= 1)" collapses the two domain-list hits to a single point.
2460 meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
2461 score KAM_DUCHESS 5.0
2462 describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images
2463
2464 #UPS
2465 header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
# Negated match ("!~"): hits when the From header does NOT contain "@ups.com"
# followed by a space, "|" or ">". Note "[ |>]" is a character class, so the
# "|" is a literal pipe rather than alternation - functionally the same here.
# Only the visible From address is checked; a From forged to "@ups.com" is not
# caught by this rule and is left to SPF/DKIM/DMARC and other rules.
2466 header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
2467 body __KAM_UPS3 /invoice copy attached/i
2468
# All three must hit; at 6.0 this alone clears the default 5.0 required_score.
2469 meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
2470 score KAM_UPS 6.0
2471 describe KAM_UPS UPS doesn't send invoices with delivery problem notes
2472
2473 #Free Calls
2474 header __KAM_SKYPE1 Subject =~ /Free Calls/i
# Matched against the Received chain (relay hostnames), not the From header;
# the "." is unescaped and matches any character.
2475 header __KAM_SKYPE2 Received =~ /releasesourcek.com/i
2476 header __KAM_SKYPE3 From =~ /VOIP News/i
2477 body __KAM_SKYPE4 /Promo Code: \d/i
2478
# 3 of 4 signals required.
2479 meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
2480 score KAM_SKYPE 5.0
2481 describe KAM_SKYPE Skype/Voip scams likely to spread malware
2482
2483 #OWA/EMAIL PHISH
# Direct scoring rule (no "__" prefix, no meta): a raw-body link whose path
# imitates an Outlook Web Access settings page. ".{5,30}" bounds the host part.
# NOTE(review): only "http://" is matched, so an otherwise identical lure served
# over https is missed; "https?:\/\/" would cover both - confirm against samples.
2484 rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i
2485
# At 6.0 this alone clears the default 5.0 required_score.
2486 score KAM_OWAPHISH1 6.0
2487 describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing
2488
2489 #MORE DRUG SPAM - 2009-05-03
2490 header __KAM_DRUG2_1 Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i
2491
2492 header __KAM_DRUG2_2 Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i
2493
2494 body __KAM_DRUG2_3 /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i
2495
2496 body __KAM_DRUG2_4 /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i
2497
2498 body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
2499
2500 body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
2501
2502 header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
2503
2504 header __KAM_DRUG2_8 From =~ /aquaflexin/i
2505
2506 meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
2507 score KAM_DRUG2 3.5
2508 describe KAM_DRUG2 More online Drug Scams
2509
2510 meta KAM_DRUG2_2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
2511 score KAM_DRUG2_2 3.0
2512 describe KAM_DRUG2_2 Higher Certainty of Drug Scam
2513
2514 meta KAM_SEXSUBJECT __KAM_DRUG2_1
2515 score KAM_SEXSUBJECT 2.0
2516 describe KAM_SEXSUBJECT Sexually Explicit Subject
2517
2518 #RUSSIAN WIFE/BRIDE SCAMS - Threshold raised to >= 3 to reduce FPs following the Russian invasion of Ukraine, 2/25/2023
2519 header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe|girls)/i
2520 body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
2521 tflags __KAM_WIFE2 nosubject
2522 header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice|hot).?(russian|asian)/i
2523
2524 meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 3)
2525 score KAM_WIFE 8.0
2526 describe KAM_WIFE Mail order bride scams
2527
2528 #PRODUCT SCAMS
2529 header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
2530 body __KAM_PRODUCT2 /phones for discerning individuals/i
2531
2532 meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
2533 score KAM_PRODUCT 3.0
2534 describe KAM_PRODUCT Product scams often used with MSN/Live URIs
2535
2536 #SPACES / LIVE / MSN / ETC. SCAMS
2537 meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
2538 score KAM_LIVEURI2 3.0
2539 describe KAM_LIVEURI2 More online Scams + Known URI
2540
2541 #WEBS.COM
2542 uri KAM_WEBS /.{3,25}\.webs.com/i
2543 score KAM_WEBS 0.5
2544 describe KAM_WEBS webs.com links used in Spams
2545
2546 #IMAGESHACK SWF Files
2547 uri KAM_BADSWF /imageshack.us\/.{3,25}.swf$/i
2548 score KAM_BADSWF 3.0
2549 describe KAM_BADSWF SWF embedded links in Email Scams
2550
2551 #EXE LINK
2552 uri KAM_EXEURI /.exe$/i
2553 score KAM_EXEURI 0.5
2554 describe KAM_EXEURI EXE embedded link
2555
2556 #SETTINGS FILE PHISH
2557 header __KAM_SETTING1 Subject =~ /settings file|maintenance!!/i
2558 body __KAM_SETTING2 /security upgrade|Maintenance Process on our email system /i
2559 body __KAM_SETTING3 /settings?.zip/i
2560
2561 meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
2562 score KAM_SETTING 2.5
2563 describe KAM_SETTING Phishing scams w/Setting Files or Webmail
2564
2565 #Fixed small misspelling thanks to Jameel Akari
2566 meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
2567 score KAM_SETTING2 4.0
2568 describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link
2569
2570 #FARM SPAM
2571 header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
2572 header __KAM_FARM2 From =~ /blueberr|tomato|DIY|garden/i
2573 body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
2574
2575 meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
2576 score KAM_FARM 4.0
2577 describe KAM_FARM Farming related Spams
2578
2579 #MX URI - Score lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for the bug report on this issue
2580 uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\.(?!microsoft).{1,40}\..{1,8}/i
2581 score KAM_MXURI 1.5
2582 describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]
2583
2584 #FLASH PLAYER
2585 body __KAM_FLASH1 /Flash Player Code: \d\d/i
2586 body __KAM_FLASH2 /Flash Player Update/i
2587 header __KAM_FLASH3 Subject =~ /Flash Player/i
2588 header __KAM_FLASH4 Subject =~ /activation code/i
2589 header __KAM_FLASH5 From =~ /Flash Player/i
2590
2591 meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
2592 score KAM_FLASH 4.0
2593 describe KAM_FLASH Fake Flash Player Phishing Scam
2594
2595
2596 #CHANGED TO KAMOnly - the rules in this block are only loaded when the KAMOnly plugin is present
2597 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2598 #FAKE ADWORDS
2599 body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
2600 header __KAM_ADWORD2 From =~ /adwords.com|salesdirect.com/i
2601 header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
2602 body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
2603
2604 meta KAM_ADWORD (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
2605 score KAM_ADWORD 10.0
2606 describe KAM_ADWORD Fake Adword Campaign notices
2607 endif
2608
2609
2610 #DON NOB & WORK FROM HOME SCAMS
2611 header __KAM_DON1 X-Raptor-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
2612 header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
2613 body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
2614 body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
2615
2616 meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
2617 score KAM_DON 6.0
2618 describe KAM_DON Work at Home Scams
2619
2620 meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
2621 score KAM_DON2 4.0
2622 describe KAM_DON2 Egregious Work at Home Scams
2623
2624 #GINA SCAMS
2625 header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
2626 header __KAM_GINA2 Subject =~ /GINA deadline/i
2627 body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
2628 body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
2629
2630 meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
2631 score KAM_GINA 6.0
2632 describe KAM_GINA Employment Poster Marketing Spams
2633
2634 #TAX SCAMS
2635 header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
2636 header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
2637 body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
2638 body __KAM_TAX4 /MSNBC|fox news|\bCNN\b|please.confirm|you.qualify|obtain.now|must.see.tax/i
2639
2640 meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
2641 score KAM_TAX 2.5
2642 describe KAM_TAX Tax Filing Scams
2643
2644 meta KAM_TAX2 (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
2645 score KAM_TAX2 2.5
2646 describe KAM_TAX2 Higher Probability of Tax Filing Scams
2647
2648 #SEX SCAM
2649 body __KAM_SEX06_1 /more fire and passion/i
2650
2651 meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
2652 score KAM_SEX06 5.0
2653 describe KAM_SEX06 Sexual Stimulant Spam
2654
2655 #DOG BARK AND OTHER DOG SPAM
2656 body __KAM_BARK1 /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
2657 header __KAM_BARK2 Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
2658 header __KAM_BARK3 From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i
2659
2660 meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
2661 score KAM_BARK 3.5
2662 describe KAM_BARK Dog Product Scam
2663
2664 #CASINO SPAM
2665 body __KAM_CASINO1 /Elite World Casino/i
2666 body __KAM_CASINO2 /Online Casino/i
2667 header __KAM_CASINO3 Subject =~ /chances to win/i
2668
2669 meta KAM_CASINO (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
2670 score KAM_CASINO 3.5
2671 describe KAM_CASINO Online Casino Spam
2672
2673 #TWITTER PHISHING
2674 header __KAM_TWIT1 From =~ /twitter/i
2675 header __KAM_TWIT2 Subject =~ /twitter \d{3}-\d{2}/i
2676
2677 meta KAM_TWIT (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
2678 score KAM_TWIT 10
2679 describe KAM_TWIT Twitter bogus phishing emails
2680
2681
2682 #FACEBOOK PHISHING
2683 header __KAM_FACE1 From =~ /password/i
2684 header __KAM_FACE2 Subject =~ /reset your facebook/i
2685 header __KAM_FACE3 X-Mailer =~ /Zuckmail/i
2686
2687 meta KAM_FACE (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
2688 score KAM_FACE 10
2689 describe KAM_FACE Facebook bogus phishing emails
2690
2691 header __KAM_PHISH3_1 Subject =~ /account notification/i
2692 body __KAM_PHISH3_2 /accessed by someone else./
2693
2694 meta KAM_PHISH3 (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
2695 score KAM_PHISH3 4
2696 describe KAM_PHISH3 Phishing emails for account notification
2697
2698
2699 #GENERIC TEST FOR "CLICK THE LINK" NOTICES - INDICATIVE OF SPAM ONLY WHEN COMBINED IN META RULES, NOT BY ITSELF
2700 body __KAM_CLICK /Please click on the link below|Copy and paste this link into your internet browser/i
2701
2702 #DIRECT BUY
2703 header __KAM_DIRECT1 From =~ /Direct ?Buy|Wholesale/i
2704 header __KAM_DIRECT2 Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
2705 body __KAM_DIRECT3 /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
2706 body __KAM_DIRECT4 /Direct.?Buy/i
2707
2708 meta KAM_DIRECT (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
2709 score KAM_DIRECT 3.0
2710 describe KAM_DIRECT DirectBuy Spam
2711
2712 #SWIPE BIDS
2713 header __KAM_SWIPE1 From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
2714 header __KAM_SWIPE2 Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
2715 body __KAM_SWIPE3 /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
2716 body __KAM_SWIPE4 /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i
2717
2718 meta KAM_SWIPE (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
2719 score KAM_SWIPE 2.0
2720 describe KAM_SWIPE SwipeBid Spam / Penny Auction Spams
2721
2722 meta KAM_SWIPE2 (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
2723 score KAM_SWIPE2 0.5
2724 describe KAM_SWIPE2 SwipeBid Spam / Penny Auction Spams
2725
2726 #WE THE SPAMMERS
2727 header __KAM_WTA1 From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
2728 body __KAM_WTA2 /Alliance for Retirement Prosperity Association|Social Security Institute/is
2729
2730 meta KAM_WTA (__KAM_WTA1 + __KAM_WTA2 >= 2)
2731 score KAM_WTA 9.0
2732 describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains
2733
2734 #SMOKELESS
2735 body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
2736 header __KAM_SMOKE2 Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
2737 header __KAM_SMOKE3 From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
2738 body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
2739 body __KAM_SMOKE5 /you have qualified/i
2740
2741 meta KAM_SMOKE (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
2742 score KAM_SMOKE 4.5
2743 describe KAM_SMOKE Smokeless cigarette and quitting spam
2744
2745 meta KAM_SMOKE2 (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
2746 score KAM_SMOKE2 3.0
2747 describe KAM_SMOKE2 Higher probability of spam
2748
2749 #OBF URL - this rule needs to be made more generic, and perhaps something should be added for RBL lookups when these obfuscation techniques are used.
2750 body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M|insidesaleswiz\.\s+com/i
2751
2752 meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
2753 score KAM_OBFURL 15.0
2754 describe KAM_OBFURL Obfuscated URL
2755
2756 #SHARP FOR LIFE
2757 body __KAM_SHARP1 /sharp for life/i
2758 body __KAM_SHARP2 /yoshiblade/i
2759 body __KAM_SHARP3 /zirconium oxide/i
2760 body __KAM_SHARP4 /ceramic knife/i
2761 header __KAM_SHARP5 Subject =~ /ceramic knief|yoshiblade|sharp for life/i
2762 header __KAM_SHARP6 From =~ /yoshi/i
2763
2764 meta KAM_SHARP (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
2765 score KAM_SHARP 4.5
2766 describe KAM_SHARP Ceramic Blade Spam
2767
2768 #HIP REPLACEMENT
2769 body __KAM_HIP1 /hip replacement|medical alert/i
2770 body __KAM_HIP2 /implant recall|recall list/i
2771 header __KAM_HIP3 Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
2772 header __KAM_HIP4 From =~ /recall/i
2773
2774 meta KAM_HIP (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
2775 score KAM_HIP 4.5
2776 describe KAM_HIP Hip Replacement Recall Spam
2777
2778 #WORK AT HOME
2779 body __KAM_WORKHOME1 /online jobs|Full-time (and|&) Part-time|at home employment/i
2780 body __KAM_WORKHOME2 /\#1 site|view here|information here/i
2781 header __KAM_WORKHOME3 Subject =~ /work at home|work \@ home|home positions/i
2782
2783 meta KAM_WORKHOME (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
2784 score KAM_WORKHOME 4.5
2785 describe KAM_WORKHOME Work at Home Spam
2786
2787 meta KAM_WORKHOME2 (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
2788 score KAM_WORKHOME2 4.5
2789 describe KAM_WORKHOME2 Work at Home Spam
2790
2791 #HSR UPDATES
2792 body __KAM_HSR1 /hsrupdates.com|progressiverailroading.com/i
2793 header __KAM_HSR2 Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
2794 header __KAM_HSR3 From =~ /HSRUpdates.com|progressive ?railroading/i
2795
2796 meta KAM_HSR (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
2797 score KAM_HSR 4.5
2798 describe KAM_HSR High Speed Rail Spam
2799
2800 #SELLPHONE
2801 body __KAM_SELLPHONE1 /Turn iphones into cash/i
2802 body __KAM_SELLPHONE2 /used or broken|pre-paid envelope/i
2803 header __KAM_SELLPHONE3 Subject =~ /sell your old iphone/i
2804
2805 meta KAM_SELLPHONE (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
2806 score KAM_SELLPHONE 4.5
2807 describe KAM_SELLPHONE Used Equipment Spam
2808
2809 #STORAGE LIMIT / MAILBOX QUOTA PHISHING
2810 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2811
2812 replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
2813
2814 #ISSUE
2815 body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire/i
2816 tflags __KAM_MAILBOX1 nosubject
2817 #ACTION
2818 body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the 
request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail/i
2819 tflags __KAM_MAILBOX2 nosubject
2820 #SUBJECT
2821 header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice/i
2822
2823 #NON-OBFUSCATED VARIANT IS NOT A SPAM INDICATOR - used below to exclude plain "verification" subjects from the __KAM_MAILBOX3 match
2824 header __KAM_MAILBOX3FP Subject =~ /verification/i
2825
2826 #COMPROMISED SYSTEMS - URIs pointing into a site's /wp-admin/ path
2827 uri __KAM_WPADMIN /\/wp-admin\//i
2828
2829 meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH + __KAM_WPADMIN) >= 2
2830 score KAM_MAILBOX 7.75
2831 describe KAM_MAILBOX Mailbox Quota Phishing Scams
2832
2833 meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) + KAM_SHORT >=3) && !KAM_MAILBOX
2834 score KAM_MAILBOX2 6.25
2835 describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
2836
2837 meta KAM_MAILBOX3 (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
2838 describe KAM_MAILBOX3 Enhanced Scoring for Mailbox Quota Phishing
2839 score KAM_MAILBOX3 3.75
2840 endif
2841
2842 meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
2843 tflags KAM_SHORT net
2844 score KAM_SHORT 0.001
2845 describe KAM_SHORT Use of a URL Shortener for very short URL
2846
2847 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
2848 ifplugin Mail::SpamAssassin::Plugin::DecodeShortURLs
2849 if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url)
2850 # use the DecodeShortURLs plugin; __KAM_TINYDOMAIN is left undefined (disabled) in this branch
2851 body __KAM_SHORT eval:short_url()
2852 tflags __KAM_SHORT net
2853 else
2854 #OLDER RULE - the DecodeShortURLs plugin and kam_urlshorterners.cf should be used instead, as they are more comprehensive than this list.
2855 uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
2856
2857 # GENERIC RULE FOR TINY DOMAINS (1-4 characters before the first dot), WHICH ARE LIKELY TO BE URL SHORTENERS; avg, ibm and gov are excluded
2858 uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i
2859
2860 endif
2861 else
2862 #OLDER RULE - the DecodeShortURLs plugin and kam_urlshorterners.cf should be used instead, as they are more comprehensive than this list.
2863 uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
2864 # GENERIC RULE FOR TINY DOMAINS (1-4 characters before the first dot), WHICH ARE LIKELY TO BE URL SHORTENERS; avg, ibm and gov are excluded
2865 uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i
2866 endif
2867
2868 #POWER CHAIRS
2869 body __KAM_POWER1 /hoveround/i
2870 header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i
2871 header __KAM_POWER3 From =~ /Get your freedom|power Chairs/i
2872
2873 meta KAM_POWER (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
2874 score KAM_POWER 3.0
2875 describe KAM_POWER Motorized Chair Spams
2876
2877 #GUN ALERTS
2878 body __KAM_GUN1 /Keep and Bear Arms/i
2879 header __KAM_GUN2 From =~ /gunalerts.com/i
2880 header __KAM_GUN3 Subject =~ /gun/i
2881
2882 meta KAM_GUN (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
2883 score KAM_GUN 2.0
2884 describe KAM_GUN Gun Alert Spams
2885
2886 #GET RICH QUICK SCHEME
2887 body __KAM_RICH1 /financial.success story/i
2888 body __KAM_RICH2 /see me on the channel \d news/i
2889 body __KAM_RICH3 /talking about my blog/i
2890 body __KAM_RICH4 /bec.me financially independent/i
2891
2892 meta KAM_RICH (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
2893 score KAM_RICH 3.5
2894 describe KAM_RICH Get Rich Quick Schemes
2895
2896 #INVALID FROM HEADER
2897 header __KAM_INVFROM1 From =~ /<[^>]*$/
2898 header __KAM_INVFROM2 From =~ /^[^<]*>/
2899
2900 meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
2901 score KAM_INVFROM 2.0
2902 describe KAM_INVFROM Invalid From Header containing mismatched <>'s
2903
2904 #YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville - carries a strong negative score; when the DKIM plugin is loaded the rule additionally requires DKIM_VALID
2905 header __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
2906 ifplugin Mail::SpamAssassin::Plugin::DKIM
2907 meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
2908 else
2909 meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
2910 endif
2911 describe KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
2912 score KAM_UAH_YAHOOGROUP_SENDER -20.0
2913
2914 #GALLERY
# Exploited-gallery / adult-content spam. Sub-rules 1-4 are Subject and body phrase lists
# (1/2 and 3/4 are the same pattern applied to Subject and body); __KAM_GALLERY5 looks for
# CMS path fragments (wp-content, wp-admin, _vti_cnf, ...) in the raw body.
# __KAM_GALLERY5 is also used by KAM_BBB further down.
# Two tiers share one sum: KAM_GALLERY at >=4 and KAM_GALLERY2 at >=5. KAM_GALLERY2 does not
# exclude KAM_GALLERY, so a message hitting all five scores both (5.0 + 2.0).
2915 header __KAM_GALLERY1 Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
2916 body __KAM_GALLERY2 /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
2917
2918 header __KAM_GALLERY3 Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
2919 body __KAM_GALLERY4 /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
# NOTE(review): `cache` is a very short substring and will match far outside CMS paths; it only
# contributes one count toward the threshold, but keep it in mind when tuning.
2920 rawbody __KAM_GALLERY5 /wp-content|_vti_cnf|cache|wp-admin|wordpress/i
2921
2922 meta KAM_GALLERY (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
2923 describe KAM_GALLERY Exploited Gallery with Porn
2924 score KAM_GALLERY 5.0
2925
2926 meta KAM_GALLERY2 (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
2927 describe KAM_GALLERY2 Higher Likelihood of Exploited Gallery with Porn
2928 score KAM_GALLERY2 2.0
2929
2930 #CHANGELOG
# KAM_CHANGELOG: a specific phish template - Subject is exactly "Re: Changelog <Oct.|Nov.|Dec.>"
# (anchored at both ends) and the body carries the misspelled "chnglog" phrase. Both required.
2931 header __KAM_CHANGELOG1 Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
2932 body __KAM_CHANGELOG2 /as promised chnglog update/i
2933
2934 meta KAM_CHANGELOG (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
2935 describe KAM_CHANGELOG Phishing Email
2936 score KAM_CHANGELOG 2.5
2937
2938 #NIGERIAN VARIANT
# KAM_BUS: advance-fee "business proposal" template; all four body phrases are required.
2939 body __KAM_BUS1 /business proposal/i
2940 body __KAM_BUS2 /sensitive by nature/i
2941 body __KAM_BUS3 /have not met/i
2942 body __KAM_BUS4 /view my attach/i
2943
2944 meta KAM_BUS (__KAM_BUS1 + __KAM_BUS2 + __KAM_BUS3 + __KAM_BUS4 >= 4)
2945 describe KAM_BUS Yet another Nigerian Scam/Phishing Variant
2946 score KAM_BUS 4.0
2947
2948 #PRIVATE MESSAGE
# KAM_PRIV: at least two of the three body phrases AND T_HTML_ATTACH (an HTML attachment
# indicator defined elsewhere - not in this section) must be present. Scored 5.0 because the
# description ties it to exploit delivery via attached HTML.
2949 body __KAM_PRIV1 /private message|horny|sweet ass/i
2950 body __KAM_PRIV2 /(personal|private) video/i
2951 body __KAM_PRIV3 /the attache?ment|attached file/i
2952
2953 meta KAM_PRIV (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
2954 describe KAM_PRIV Private Messages using Exploits in attached HTML files
2955 score KAM_PRIV 5.0
2956
2957 #DIV
# KAM_DIV: drug names split across <div> boundaries in the raw HTML (e.g. "Viag<div" ... "</div>ra").
# Both rawbody patterns are required.
2958 rawbody __KAM_DIV1 /(Viagr?|Cial?)<div/i
2959 rawbody __KAM_DIV2 /<\/div>r?a\|l?is/i
2960
2961 meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
2962 describe KAM_DIV Use of divs to hide Medical Spams
2963 score KAM_DIV 2.0
2964
2965 #CREDIT SCORE
# Sub-rules for the KAM_CREDIT / KAM_CREDIT2 metas defined after the ReplaceTags section below.
# __KAM_CREDIT1 (Subject) and 2-4 (body) are credit-score spam phrase lists; __KAM_CREDIT5 is a
# deliberately broad From match (e.g. "report", "finance") that only adds one count.
2966 header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
2967 body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
2968 body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
2969 body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
2970 header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
2971
2972 #EXPERIMENTAL UTF-8
2973 # SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
2974
2975 #Useful Resources for Tags
2976 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
2977 #https://www.branah.com/unicode-converter
2978 #look at the encoding type and the charset. For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'
2979
# ReplaceTags: each tag is an alternation of an ASCII letter and the UTF-8 byte sequences of
# lookalike glyphs (homoglyph defence). Tags are expanded into rules listed in `replace_rules`
# (here __KAM_CREDIT6 and __KAM_CREDIT7), e.g. <C1>ompl<I1>mentary.
# NOTE(review): entries written as a single character class over four bytes, e.g.
# `[\xf0\x9d\x97\xaf]`, match any ONE of those bytes, not the 4-byte sequence - which is
# presumably why A1 was reworked into the `[\xf0\x9d\x97][\xae]` form on the live line; the
# other tags still use the single-class form. Confirm which is intended before relying on them.
# NOTE(review): B1 `[xf0\x9d\x9a\x8b]` and C1 `[xd0\xa1]` are missing the backslash on the
# first `\x`, so those classes contain the literal characters x, f, 0 (resp. x, d, 0).
# NOTE(review): N1 and O1 both list `\xf0\x9d\x97\xbc`; S1 and Y1 both list `\xf0\x9d\x98\x80` -
# one of each pair looks like a copy-paste slip.
2980 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2981
2982 #renamed to A1, C1, etc. to avoid collisions with stock rules
2983 #Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
2984 #thanks as well to Henrik Krohns
2985
2986 #Write a very broad regex like g.*k.?squ.* and the debug outputs something like G\x{CF}\x{B5}\x{CF}\x{B5}k Squ" Then you can Edit the tag for E1 to add |[\xcf][\xb5]
2987 # replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
2988 replace_tag A1 (?:a|[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
2989 replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
2990 replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c]|[xd0\xa1])
2991 replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
2992 replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab])
2993 replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
# I1 also accepts ASCII `l` and `1`, and L1 accepts `i` - intentional lookalike coverage.
2994 replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
2995 replace_tag K1 (?:k|[\xd0][\xba])
2996 replace_tag L1 (?:l|i)
2997 replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
2998 replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
2999 replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e]|[\xc3][\xb4])
3000 replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99]|[\xd0\xa0])
3001 replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
3002 replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
3003 replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
3004 replace_tag U1 (?:u|[\xf0\x9d\x98\x82])
3005 replace_tag V1 (?:v|[\xf0\x9d\x96\xb5]|[\xce][\xbd])
3006 replace_tag W1 (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0]|[\xd1\xa1])
3007 replace_tag Y1 (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
# SPACE1: an ASCII space or the UTF-8 encoding of U+00A0 NO-BREAK SPACE (C2 A0).
3008 replace_tag SPACE1 (?: |[\xc2\xa0])
3009
# Tag-expanded sub-rules feeding KAM_CREDIT / KAM_CREDIT2 (defined below, outside this ifplugin).
3010 header __KAM_CREDIT6 Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
3011 header __KAM_CREDIT7 From =~ /<S1>core.?<S1>ense/i
3012
3013 replace_rules __KAM_CREDIT6 __KAM_CREDIT7
3014
3015 endif
3016
# KAM_CREDIT: at least 4 counts from __KAM_CREDIT1-7 plus one combined count for any of
# __KAM_THIRD / KAM_LOTSOFHASH / KAM_INFOUSMEBIZ (the OR group counts at most 1).
# __KAM_CREDIT6/7 are only defined when the ReplaceTags plugin is loaded (see the ifplugin
# block above).
3017 meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
3018 describe KAM_CREDIT Credit Score Spams
3019 score KAM_CREDIT 4.5
3020
# KAM_CREDIT2 (KAMOnly): a fallback tier that only fires when KAM_CREDIT did not (`KAM_CREDIT < 1`),
# using the Subject/From sub-rules plus KAM_INFOUSMEBIZ and __KAM_URIBL_PCCC (defined elsewhere).
3021 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3022 meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
3023 describe KAM_CREDIT2 Credit Score Spams
3024 score KAM_CREDIT2 4.5
3025 endif
3026
3027 #OBFUSCATED URI
# KAM_OBFURI: matches the quoted-printable form of a URL whose ".com" has its `o` replaced by
# the UTF-8 bytes E2 93 9E (U+24DE, a circled-letter lookalike for `o`).
# NOTE(review): because the pattern looks for the literal `=E2=93=9E` in the raw body, it only
# fires on quoted-printable encoded parts; base64 or 8-bit bodies with the same trick are not
# covered here.
3028 rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
3029 describe KAM_OBFURI Obfuscated URI trick
3030 score KAM_OBFURI 4.0
3031
3032 #ADVANCE
# KAM_ADVANCE: loan/advance offers - any 3 of 4 (Subject amount, two body phrases, From keyword).
3033 header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
3034 body __KAM_ADVANCE2 /Advance Details/i
3035 body __KAM_ADVANCE3 /Pre-Approved/i
3036 header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i
3037
3038 meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
3039 describe KAM_ADVANCE Advance Spams
3040 score KAM_ADVANCE 3.5
3041
3042 #PAYPAL NON SPF - FP fixed by Piper Andreas
# KAM_PAYPAL1: a From address ending in a paypal.com host together with a stock SPF_FAIL.
# Scored 16.0 - effectively a hard reject for SPF-failing mail claiming to be PayPal.
# NOTE(review): the `.` in `paypal.com` is unescaped (one-character wildcard); `paypal\.com`
# would be the stricter form, though the practical difference is small.
3043 header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i
3044
3045 meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
3046 describe KAM_PAYPAL1 rampant paypal phishing scams
3047 score KAM_PAYPAL1 16.0
3048
3049 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3050 #PAYPAL IMPERSONATING MALWARE
# KAM_PAYPAL2 (KAMOnly): body mentions paypal, plus an "open the attachment" lure, plus
# KAM_RAPTOR_ALTERED (defined elsewhere); all three required.
3051 body __KAM_PAYPAL2A /paypal/i
3052 body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
3053
3054 meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
3055 describe KAM_PAYPAL2 Malware disguised as a paypal email
3056 score KAM_PAYPAL2 8.0
3057 endif
3058
3059 #PAYPAL PHISH
# KAM_PAYPAL3: the From header mentions paypal (3A) but does NOT end in a paypal domain (3B, a
# negated match); that pair counts once, alongside a Subject lure, a body lure and
# KAM_LAZY_DOMAIN_SECURITY (defined elsewhere). Threshold 3.
3060 header __KAM_PAYPAL3A From =~ /paypal/i
3061 header __KAM_PAYPAL3B From !~ /paypal(\.com|\.com\.au|\.co\.uk)?>?$/i
3062 header __KAM_PAYPAL3C Subject =~ /your.paypal.account|Invoice PP|order Confirmation/i
3063 body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information|bitcoin|\d\d hours from today/i
3064
3065 meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
3066 score KAM_PAYPAL3 8.0
3067 describe KAM_PAYPAL3 Phish disguised as a paypal email
3068
3069 #COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
# KAM_COMPROMISED: short "look at this site" mails from hijacked webmail accounts.
# 1A/1B (Yahoo address or Yahoo X-Mailer) count once; the rest are a terse Subject, a
# date/time stamp in the body, a lure phrase, a very short body (__KAM_BODY_LENGTH_LT_128,
# defined elsewhere) and the stock MISSING_SUBJECT. Threshold 3.
3070 header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
3071 header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
# NOTE(review): `great!?$` appears twice in this alternation; harmless but redundant.
3072 header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
3073 body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
3074 body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i
3075
3076 meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
3077 describe KAM_COMPROMISED Compromised Accounts Sending Spam
3078 score KAM_COMPROMISED 8.25
3079
3080 #GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISION - THANKS TO DAVID FUNK
# KAM_LIST2: a denylist of specific googlegroups.com List-ID / Sender values. Either match fires
# the rule, and the 60.0 score is effectively an unconditional reject.
3081 header __KAM_LIST2A List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
3082 header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i
3083
3084 meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
3085 describe KAM_LIST2 Known Bad Groups
3086 score KAM_LIST2 60.0
3087
3088 #LIMITED ACCESS/QUOTA SCAMS - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
# KAM_QUOTA: mailbox-quota / account-termination credential phish; both body phrase groups required.
3089 body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
3090 body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i
3091
3092 meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
3093 describe KAM_QUOTA Limited Access / Quota Phishing Scam
3094 score KAM_QUOTA 3.0
3095
3096 # BACKGROUND CHECK SPAM
# KAM_BACK: any 3 of 5 - three body phrase lists (2 and 3 use /s so `.` also spans newlines),
# a Subject list and a From list.
3097 body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
3098 body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
3099 body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
3100 header __KAM_BACK4 Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
3101 header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i
3102
3103 describe KAM_BACK Background Check SPAM
3104 meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
3105 score KAM_BACK 5.5
3106
3107 #ARREST RECORD SCAMS
# KAM_ARREST: fires on either of two combinations - all three arrest-record sub-rules, or the
# Subject sub-rule together with KAM_SHORT and __KAM_BODY_LENGTH_LT_128 (both defined elsewhere).
3108 header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
3109 body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
3110 header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i
3111
3112 meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
3113 describe KAM_ARREST Arrest Record Scams
3114 score KAM_ARREST 5.0
3115
3116 #MORE DIET SCAMS
# KAM_DIET2: any 3 of the From, Subject and body lists plus KAM_INFOUSMEBIZ (defined elsewhere).
3117 header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim|dieting/i
3118 header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
3119 body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby|burn stubborn fat|lose weight fast/i
3120
3121 meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
3122 describe KAM_DIET2 Diet Scams
3123 score KAM_DIET2 5.0
3124
3125 #CIGAR SCAMS
# KAM_CIGAR: any 3 of Subject, From, body and the __KAM_THIRD "sent by a third party" sub-rule.
3126 header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
3127 header __KAM_CIGAR2 From =~ /Cigar/i
3128 body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i
3129
3130 meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
3131 describe KAM_CIGAR Cigar Scam Emails
3132 score KAM_CIGAR 6.0
3133
3134
3135 #TK DOMAINS
# KAM_TK: a URL in the raw body whose host (5-30 chars) is under the .tk TLD, followed by `/`.
# Scores the TLD itself rather than any specific host.
3136 rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
3137 describe KAM_TK Abuse of .tk domain registrar which offers free domains
3138 score KAM_TK 5.0
3139
3140 #THIRD PARTY / SENT BY XXXX
# __KAM_THIRD: sub-rule only (no score of its own); referenced by KAM_CREDIT and KAM_CIGAR above.
3141 body __KAM_THIRD /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i
3142
3143 #LASIK
# KAM_LASIK: any 3 of From, Subject, body and (a lasik.php URI OR KAM_EU, defined elsewhere).
# __KAM_LASIK3's "L.SI. V....n In.t.tut. Summ.r S.v.ng." uses single-char wildcards to catch
# letter-substituted spellings.
3144 header __KAM_LASIK1 From =~ /Lasik/i
3145 header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
3146 body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
3147 uri __KAM_LASIK4 /lasik\.php/i
3148
3149 meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
3150 describe KAM_LASIK Lasik Treatment Spams
3151 score KAM_LASIK 4.5
3152
3153 #FAKE NOTIFIES
# KAM_NOTIFY: fake account/service notifications - any 3 of a From display-name list, a body
# lure list, a From address under the .br TLD (`.br>`) and __KAM_PHISH2_3 (defined elsewhere).
# KAM_NOTIFY2 adds 3.0 on top when KAM_NOTIFY fired together with KAM_IFRAME or the stock
# HEADER_FROM_DIFFERENT_DOMAINS.
3154 header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
3155 body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
3156 header __KAM_NOTIFY3 From =~ /\.br>/i
3157
3158 meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
3159 describe KAM_NOTIFY Fake Notifications
3160 score KAM_NOTIFY 4.0
3161
3162 meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
3163 describe KAM_NOTIFY2 Higher likelihood of fake notification
3164 score KAM_NOTIFY2 3.0
3165
3166 #LANGUAGE
# KAM_LANG: language-course spam - any 3 of From, Subject, body and KAM_INFOUSMEBIZ.
3167 header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
3168 header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
3169 body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i
3170
3171 meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
3172 describe KAM_LANG Language Method Spams
3173 score KAM_LANG 4.5
3174
3175 #FAKE TRACK
# KAM_TRACK: a carrier-style From display name together with __KAM_PHISH2_3 (defined elsewhere);
# both required.
3176 header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i
3177
3178 meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
3179 describe KAM_TRACK Fake Tracking Emails
3180 score KAM_TRACK 3.0
3181
3182 #BACK TO SCHOOL
# KAM_SCHOOL: From "Classes", a back-to-school Subject and KAM_INFOUSMEBIZ - all three required.
3183 header __KAM_SCHOOL1 From =~ /Classes/i
3184 header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i
3185
3186 meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
3187 describe KAM_SCHOOL School Spams
3188 score KAM_SCHOOL 5.0
3189
3190 #MEMBERS
# KAM_MEMBER: dating-site spam - any 3 of From, Subject, body, rawbody and the __KAM_MEMBER5
# meta (KAM_INFOUSMEBIZ or KAM_COUK, see the CO.UK rule below).
# NOTE(review): in __KAM_MEMBER1 the groups `(\b|^|)` contain an empty alternative, so they
# impose no boundary at all - "Date"/"Dating" match anywhere in the header (e.g. inside
# "Update"). Probably intended as a word boundary; verify.
3191 header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
3192 header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
3193 body __KAM_MEMBER3 /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
3194 rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
3195 meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
3196 #header __KAM_MEMBER6 From =~ /Updat/i
3197
3198 meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
3199 describe KAM_MEMBER Dating Scams
3200 score KAM_MEMBER 4.5
3201
3202 #MEDICARE
# KAM_MEDICARE: any 3 of From, Subject, (either body list, counted once) and
# (KAM_INFOUSMEBIZ or KAM_COUK). `tflags nosubject` keeps __KAM_MEDICARE3 from also matching
# the Subject line that SpamAssassin prepends to the body text.
# __KAM_MEDICARE2 is reused by KAM_SCOOTER below.
3203 header __KAM_MEDICARE1 From =~ /(Medicare|health.?options|enrollment)/i
3204 header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
3205 body __KAM_MEDICARE3 /medicare.(plan|recipient|annual election)/i
3206 tflags __KAM_MEDICARE3 nosubject
3207 body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
3208
3209 meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
3210 describe KAM_MEDICARE Medicare Scams
3211 score KAM_MEDICARE 4.0
3212
3213 #BILLS
# KAM_BILLS: mortgage/refinance spam - From, Subject and KAM_INFOUSMEBIZ all required.
3214 header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
3215 header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i
3216
3217 meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
3218 describe KAM_BILLS Bill Pay Spams
3219 score KAM_BILLS 4.0
3220
3221 #HOSE
# KAM_HOSE: any 3 of From display name (From:name), Subject, body (Subject excluded via
# nosubject) and one combined count for any of: From address (From:addr) under .house/.co/.store,
# KAM_INFOUSMEBIZ, KAM_SOMETLD_ARE_BAD_TLD or the stock DKIM_INVALID.
3222 header __KAM_HOSE1 From:name =~ /Pocket Hose|gardening|hydroeasy/i
3223 header __KAM_HOSE1A From:addr =~ /\.(house|co|store)$/i
3224 header __KAM_HOSE2 Subject =~ /(best|garden|expandable) hose|garden(ing)? and lawn|hose is ready|hose gets tangled/i
3225 body __KAM_HOSE3 /(pocket|garden|expandable).hose|(anti|never).kink|FLEX Technology|hydroeasy/i
3226 tflags __KAM_HOSE3 nosubject
3227
3228 meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + (__KAM_HOSE1A + KAM_INFOUSMEBIZ + KAM_SOMETLD_ARE_BAD_TLD + DKIM_INVALID >=1) >= 3)
3229 describe KAM_HOSE Garden Hose Spams
3230 score KAM_HOSE 4.5
3231
3232 #FLEXHOSE
3233 #header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
3234 #header __KAM_FLEXHOSE2 From =~ /hose/i
3235 #body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i
3236
3237 #meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
3238 #describe KAM_FLEXHOSE Product Spam du Jour
3239 #score KAM_FLEXHOSE 3.5
3240
3241 #AV
# KAM_AV: fake anti-virus renewal spam - From "Norton", an update/"Are you protected" Subject
# and KAM_INFOUSMEBIZ; all three required.
3242 header __KAM_AV1 From =~ /Norton/i
3243 header __KAM_AV2 Subject =~ /Update now|Are you protected/i
3244
3245 meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
3246 describe KAM_AV Anti-Virus Spams
3247 score KAM_AV 4.0
3248
3249 #MASCARA
# KAM_MASCARA: any 3 of From, Subject, body and KAM_INFOUSMEBIZ.
3250 header __KAM_MASCARA1 From =~ /smartlash/i
3251 header __KAM_MASCARA2 Subject =~ /mascara/i
3252 body __KAM_MASCARA3 /smartlash/i
3253
3254 meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
3255 describe KAM_MASCARA Make-up Spams
3256 score KAM_MASCARA 4.5
3257
3258 #COLLEGE
# Online-degree spam sub-rules. The scoring meta KAM_COLLEGE is KAMOnly and also counts
# KAM_INFOUSMEBIZ and __KAM_URIBL_PCCC (defined elsewhere); threshold 3.
3259 header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
3260 header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
3261 rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
3262
3263 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3264 meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
3265 describe KAM_COLLEGE Online Degree/Aid Spams
3266 score KAM_COLLEGE 4.0
3267 endif
3268
3269 #SURVEY
# KAM_SURVEY: prize-survey spam - any 3 of From, Subject, body and KAM_INFOUSMEBIZ.
3270 header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
3271 header __KAM_SURVEY2 Subject =~ /win an ipad/i
3272 body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i
3273
3274 meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
3275 describe KAM_SURVEY Online Survey Spams
3276 score KAM_SURVEY 4.5
3277
3278 #LAKE
3279 #REMOVED 1/7/2014
3280 #rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
3281 #describe KAM_LAKE Odd spamming engine LAKE signature on URLs
3282 #score KAM_LAKE 0.25
3283
3284 #SNORE
# KAM_SNORE: anti-snoring product spam - any 3 of From, Subject, body and KAM_INFOUSMEBIZ.
3285 header __KAM_SNORE1 From =~ /snoring|zquiet/i
3286 header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
3287 body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i
3288
3289 meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
3290 describe KAM_SNORE Snoring Aid Spams
3291 score KAM_SNORE 4.0
3292
3293 #VACATION
# KAM_VACATION: cruise/vacation spam - any 3 of From, Subject, body and KAM_INFOUSMEBIZ.
3294 header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
3295 header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
3296 body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i
3297
3298 meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
3299 describe KAM_VACATION Vacation Spams
3300 score KAM_VACATION 4.0
3301
3302 #BLOOD PRESSURE
# KAM_BLOOD: any 4 of six phrase sub-rules (From, Subject, four body lists) plus KAM_INFOUSMEBIZ.
3303 header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
3304 header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
3305 body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
3306 body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
3307 body __KAM_BLOOD5 /Anti-Aging Expert|worst.food/i
3308 body __KAM_BLOOD6 /Blood pressure/i
3309
3310 meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
3311 describe KAM_BLOOD Blood Pressure Spams
3312 score KAM_BLOOD 4.75
3313
3314 #SCOOTER
# KAM_SCOOTER: mobility-scooter spam - any 4 of From, Subject, body, the Medicare Subject
# sub-rule (__KAM_MEDICARE2) and KAM_INFOUSMEBIZ.
# NOTE(review): the `describe` text reads "Blood Pressure Spams", which looks copied from
# KAM_BLOOD above; "Mobility Scooter Spams" would match the rule.
3315 header __KAM_SCOOTER1 From =~ /Scooter Store/i
3316 header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
3317 body __KAM_SCOOTER3 /the scooter store/i
3318
3319 meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
3320 describe KAM_SCOOTER Blood Pressure Spams
3321 score KAM_SCOOTER 4.75
3322
3323 #ANATABLOC
# KAM_ANATA: joint-pain supplement spam - From display name, Subject and body (Subject excluded
# via nosubject) all required.
3324 header __KAM_ANATA1 From:name =~ /Anatabloc|joint.?pain/i
3325 header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i
3326 body __KAM_ANATA3 /Doctor (expose|shock|fix)|conglomerates threatening/i
3327 tflags __KAM_ANATA3 nosubject
3328
3329 meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 + __KAM_ANATA3 >= 3)
3330 describe KAM_ANATA Drug Spam
3331 score KAM_ANATA 4.5
3332
3333 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3334 #BBB Phish
# KAM_BBB (KAMOnly): Better Business Bureau complaint phish. Any 4 of: From bbb.org, three body
# phrase lists (synonym alternations typical of spun text), a Subject with a case/complaint
# reference, the stock SPF_FAIL, the CMS-path sub-rule __KAM_GALLERY5 (defined in the GALLERY
# section) and KAM_RAPTOR_ALTERED (defined elsewhere).
3335 header __KAM_BBB1 From =~ /bbb.org/i
3336 body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
3337 body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
3338 body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
3339 header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
3340
3341 meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
3342 describe KAM_BBB Better Business Bureau Phishing
3343 score KAM_BBB 5.0
3344 endif
3345
3346 #PREV MARK
# Subject tags added by an upstream filter or the sender ([ADV], [SPAM]/[BULK], [VIRUS]).
# Each tag has its own scoring meta; the tag is taken at face value - there is no check here
# of which hop inserted it.
3347 header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
3348 header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]|\[\#+ ?SPAM\]/i
3349 header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
3350
3351 meta KAM_MARKADV (__KAM_MARK1 >= 1)
3352 describe KAM_MARKADV Email arrived marked as an Advertisement
3353 score KAM_MARKADV 10.0
3354
3355 meta KAM_MARKSPAM (__KAM_MARK2 >= 1)
3356 describe KAM_MARKSPAM Email arrived marked as Spam
3357 score KAM_MARKSPAM 4.0
3358
3359 meta KAM_MARKVIRI (__KAM_MARK3 >= 1)
3360 describe KAM_MARKVIRI Email arrived marked as Virus
3361 score KAM_MARKVIRI 10.0
3362
3363 #H1QNUM ENGINE
# KAM_H1QNUM: a spam-engine fingerprint - an <h1> whose whole content is one of a fixed set of
# short codes. KAM_H1QNUM2 adds 5.0 when that fingerprint is joined by a matching Subject or a
# .co.uk URI.
3364 rawbody __KAM_H1QNUM1 /<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
3365 header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
3366 uri __KAM_H1QNUM3 /\.co\.uk/i
3367
3368 meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
3369 describe KAM_H1QNUM H1 Qnum indicator
3370 score KAM_H1QNUM 4.0
3371
3372 meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
3373 describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
3374 score KAM_H1QNUM2 5.0
3375
3376 #AP
# KAM_AP: all three required. __KAM_AP1 is case-sensitive and unanchored (any From containing
# the substring "AP"), so it is only meaningful in combination with the two specific phrases.
3377 header __KAM_AP1 From =~ /AP/
3378 header __KAM_AP2 Subject =~ /Community & educational development/i
3379 body __KAM_AP3 /American Grants and Loans Catalog/i
3380
3381 meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
3382 describe KAM_AP American Publishing Spam
3383 score KAM_AP 4.5
3384
3385 #CO.UK
# KAM_COUK: small positive score for a From address whose domain ends in .co.uk. Also used as
# an input by __KAM_MEMBER5 and KAM_MEDICARE above.
3386 header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
3387 describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
3388 score KAM_COUK 0.6
3389
3390 #FAKE FACEBOOKMAIL
# KAM_FACEBOOKMAIL: either a specific abusive sender name (2), or a facebookmail.com From (1)
# that fails SPF or hits the stock DKIM_ADSP_ALL.
# NOTE(review): the `.` in `facebookmail.com` is unescaped; `facebookmail\.com` is the stricter form.
3391 #REAL FB DOMAIN
3392 header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
3393 #SPECIFIC PEOPLE
3394 header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i
3395
3396 meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
3397 describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
3398 score KAM_FACEBOOKMAIL 8.0
3399
3400 #FAKE DHL/FEDEX/ETC
# Fake parcel-delivery notifications. The KAM_FAKE_DELIVER meta counts (threshold 3):
#   - body lure phrases (1) and Subject lure phrases (2), one count each;
#   - one count if ANY carrier pair matches: the carrier is named (DHL/FedEx/USPS/DPD/CARGO)
#     while the From address is NOT from that carrier's domain (negated `!~` rules);
#   - one count if any of the stock HEADER_FROM_DIFFERENT_DOMAINS / SPF_SOFTFAIL,
#     KAM_RAPTOR_ALTERED (defined elsewhere), a URI on a hosting/CMS service (13) or a
#     "print the receipt" phrase (13A) hits.
# KAM_REALLY_FAKE_DELIVER adds 2.5 when KAM_FAKE_DELIVER, KAM_RPTR_PASSED (defined elsewhere)
# and all three of the DHL/FedEx/USPS "not from that domain" rules hold.
3401 body __KAM_FAKE_DELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address|stored in our local depot|delivery failed/i
3402
3403 header __KAM_FAKE_DELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|(pending|Package) Delivery|package is available for pickup|your.package.(has.)?arrived|attention.please|delivery.(attempt|problem)|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request|parcel is on hold/i
3404
3405 #DHL
3406 header __KAM_FAKE_DELIVER3 From:name =~ /DHL/i
3407 header __KAM_FAKE_DELIVER4 From:addr !~ /dhl\.com/i
3408 body __KAM_FAKE_DELIVER4A /dhl team/i
3409
3410 #FEDEX
3411 rawbody __KAM_FAKE_DELIVER5 /Fed ?ex/i
3412 header __KAM_FAKE_DELIVER6 From !~ /fedex.com/i
3413
3414 #USPS
3415 body __KAM_FAKE_DELIVER7 /USPS/i
3416 header __KAM_FAKE_DELIVER8 From !~ /usps.com/i
3417
3418 #CARGO
3419 body __KAM_FAKE_DELIVER9 /CARGO/
3420 header __KAM_FAKE_DELIVER10 From =~ /shipping|economy|priority/i
3421
3422 #DPD
3423 body __KAM_FAKE_DELIVER11 /DPD/i
3424 header __KAM_FAKE_DELIVER12 From !~ /dpd.com|dpd.co.uk/i
3425
3426 #ODD DELIVERY
# Legitimate file-hosting / CMS locations that are frequently abused to host the payload link.
3427 uri __KAM_FAKE_DELIVER13 /(cdn\.discordapp\.com|wp-conten|wp\d+\.server|onedrive\.live\.com)/i
3428 body __KAM_FAKE_DELIVER13A /open the enclosed receipt|print the receipt/i
3429
3430 meta KAM_FAKE_DELIVER (__KAM_FAKE_DELIVER1 + __KAM_FAKE_DELIVER2 + ((__KAM_FAKE_DELIVER3 + __KAM_FAKE_DELIVER4 + __KAM_FAKE_DELIVER4A >= 2) + (__KAM_FAKE_DELIVER5 + __KAM_FAKE_DELIVER6 >= 2) + (__KAM_FAKE_DELIVER7 + __KAM_FAKE_DELIVER8 >= 2) + (__KAM_FAKE_DELIVER11 + __KAM_FAKE_DELIVER12 >= 2) + (__KAM_FAKE_DELIVER9 + __KAM_FAKE_DELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKE_DELIVER13 + __KAM_FAKE_DELIVER13A >= 1) >= 3)
3431 describe KAM_FAKE_DELIVER Fake delivery notifications
3432 score KAM_FAKE_DELIVER 6.25
3433
3434 meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKE_DELIVER4 && __KAM_FAKE_DELIVER6 && __KAM_FAKE_DELIVER8) >= 3)
3435 score KAM_REALLY_FAKE_DELIVER 2.5
3436 describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications
3437
3438 #SOLAR POWER
# Solar-panel spam in two tiers over the same three sub-rules: KAM_SOLAR at >=2 and KAM_SOLAR2
# at >=3. KAM_SOLAR2 does not exclude KAM_SOLAR, so a message hitting all three scores both
# (1.9 + 1.9).
3439 header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
3440 header __KAM_SOLAR2 Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
3441 body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
3442
3443 meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
3444 describe KAM_SOLAR Solar Power Spams
3445 score KAM_SOLAR 1.9
3446
3447 meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
3448 describe KAM_SOLAR2 Definite Solar Power Spams
3449 score KAM_SOLAR2 1.9
3450
3451 #ASIAN BRIDE
3452 header __KAM_ASIAN1 Subject =~ /(Chinese|Asian) (girl|Lad|Bride)|heart?beat when seeing her|such a beauty/i
3453 body __KAM_ASIAN2 /Adoring Asian|(\d\+|thousands of) Asian (women|Girls)|Asian Girlfriend|pics of hot|date an? asian|chat and cam/i
3454 header __KAM_ASIAN3 From =~ /asian/i
3455
3456 meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
3457 describe KAM_ASIAN Asian Bride/Dating Spams
3458 score KAM_ASIAN 3.5
3459
3460 #DR OZ SPAM
3461 header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
3462 header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
3463 body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i
3464
3465 #meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
3466 #describe KAM_OZ Fake Dr. Oz Spam's
3467 #score KAM_OZ 3.5
3468
3469 #STUDENT LOAN
3470 header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
3471 header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
3472 body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i
3473
3474 meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
3475 describe KAM_STUDENT Student Loan Forgiveness Spams
3476 score KAM_STUDENT 4.0
3477
3478 #TIP
3479 header __KAM_TIP1 From =~ /Beauty Tips/i
3480 header __KAM_TIP2 Subject =~ /Dark-Circles|undereye bags/i
3481 body __KAM_TIP3 /undereye bags/i
3482 body __KAM_TIP4 /Find Out This Quick New Trick/i
3483
3484 meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
3485 describe KAM_TIP Beauty Tip Spams
3486 score KAM_TIP 4.3
3487
#WhatsApp
#Fake WhatsApp voice-message lures. All three sub-rules must hit.
header __KAM_WHATS1 From =~ /WhatsApp/i
header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
#Unlike the two header rules this one is case-sensitive (no /i), so "whatsapp"
#or "WHATSAPP" in the body does not count. Presumably deliberate to match the
#brand's exact capitalisation - confirm before "fixing".
body __KAM_WHATS3 /WhatsApp/

meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe KAM_WHATS WhatsApp Spams
score KAM_WHATS 3.0
3496
3497
3498 #QTJars
3499 header __KAM_QTJARS1 From =~ /qtjar/i
3500 header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
3501 body __KAM_QTJARS3 /qtjars/
3502 body __KAM_QTJARS4 /private message/
3503
3504 meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
3505 describe KAM_QTJARS QTJars Spams
3506 score KAM_QTJARS 3.0
3507
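#GOOGLE DOCS PHISH
# view the agreement.
#Lure text used by the "signed agreement" Google Docs credential phish.
body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
#Phishing-kit URL that nests the spoofed Google login path under the kit's own
#host: <scheme>://<kit host, 5-50 chars>/http(s)/docs.google.com/login/ .
#Both the outer and the nested scheme now accept https as well as http; the
#original pattern matched plain http only, so the same kit served over TLS
#(or mirroring the https Google URL in its path) was not caught.
rawbody __KAM_GOOGLEPHISH2 /https?:\/\/.{5,50}\/https?\/docs\.google\.com\/login\//i

#Both the lure text and the kit URL are required.
meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe KAM_GOOGLEPHISH Google Login Phishing Scam
score KAM_GOOGLEPHISH 5.0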
3516
3517 #POLITICAL SPAM
3518 header __KAM_POLY1 Subject =~ /Barack Obama/i
3519 body __KAM_POLY2 /The End of Barack Obama/i
3520
3521 meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
3522 describe KAM_POLY Political Spams
3523 score KAM_POLY 3.0
3524
3525 #MAID
3526 header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
3527 header __KAM_MAID2 From =~ /Maid|Housekeeper/i
3528 body __KAM_MAID3 /Pre-Screened Housekeepers|local.maid/i
3529
3530 meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
3531 describe KAM_MAID Maid Service Spams
3532 score KAM_MAID 3.0
3533
3534 #TUB
3535 header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
3536 header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
3537 body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i
3538
3539 meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
3540 describe KAM_TUB Tub Spams
3541 score KAM_TUB 4.0
3542
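#OBFUSCATE PORN
#Letter-spaced "porn"/"sex" (up to two junk characters between letters), anchored
#at a word boundary or the start of the subject.
header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
#Three punctuation separators each within ~10 characters of the next, typical of
#padded subjects. Character class only, so no /i is needed. The meta subtracts
#BODY_8BITS from it, presumably because 8-bit subjects produce this pattern
#legitimately - confirm against the corpus before changing.
header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
#Common spam words with the same letter-spacing trick.
header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
#Case-sensitive: "X.X.X", "X-X-X", etc.
header __KAM_OBF8 Subject =~ /X.X.X/

#Needs all three: a spaced spam word (3-7), the spaced porn/sex word (1), and the
#separator pattern (2) not explained by an 8-bit body.
meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 4.0

#This rule was previously also named KAM_OBF. SpamAssassin keeps one definition
#per rule name and the later one replaces the earlier, so only this weaker
#2.0-point test was active and the 4.0-point rule above was silently discarded
#(spamassassin --lint warns about the redefinition). Renamed so both rules run.
meta KAM_OBF_XXX (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe KAM_OBF_XXX Obfuscated Porn Spams (X.X.X subject variant)
score KAM_OBF_XXX 2.0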
3560
3561 #SHARK TANK
3562 header __KAM_SHARKTANK_SUBJ Subject =~ /shark tank/i
3563 body __KAM_SHARKTANK_BODY /shark tank/i
3564
3565 meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
3566 score KAM_SHARKTANK 1.0
3567 describe KAM_SHARKTANK Mentions Shark Tank
3568
3569 rawbody __KAM_SHARKPROD /high blood pressure|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
3570
3571 meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
3572 score KAM_SHARKPROD 5.0
3573 describe KAM_SHARKPROD Shark Tank Spam
3574
#ICU TLD PROBLEMS
#Sender address (address part only, not the display name) ends in .icu.
header __KAM_ICUTLD_FROM From:addr =~ /\.icu$/i
#".icu" followed by end-of-URI or "/". Not anchored to the host part, so a path
#segment such as "/file.icu/" also counts, while a .icu host followed by ":port",
#"?" or "#" is not caught. Tighten to the host part if either case shows up.
uri __KAM_ICUTLD_URI /\.icu($|\/)/i

#Either signal alone is enough for the 2.0 points.
meta KAM_ICU_BAD_TLD (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI) >= 1
describe KAM_ICU_BAD_TLD .icu TLD Abuse
score KAM_ICU_BAD_TLD 2.0
3582
#HAIR LOSS / GREYING / REMOVAL
header __KAM_HAIR1 Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
#"preserve" alone is broad; it only contributes one point toward the meta.
header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
#rawbody: matched against the raw (un-rendered) body so HTML markup is visible.
rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i

#HTML <title> of "Newsletter"; shared with other metas in this file.
rawbody __KAM_NEWSLETTER /<title>Newsletter<\/title>/i

#Four of nine signals. __KAM_TRIAL is defined below this block (forward references
#are fine in SpamAssassin); KAM_WEIRDTRICK1 and KAM_ADVERT2 are defined elsewhere
#in the ruleset, KAM_SHARKTANK above.
meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
describe KAM_HAIR Hair Loss / Removal Spams
score KAM_HAIR 4.5
3594
3595 #TRIAL
3596 body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i
3597
3598 #UNSUB
3599 body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
3600 body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i
3601
3602 meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
3603 describe KAM_UNSUB Completely ridiculous unsubscribe text found
3604 score KAM_UNSUB 5.0
3605
3606 #MAINTENANCE / Email Phish Scams
3607 body __KAM_EMAILPHISH1 /Please login to complete update process/i
3608
3609 meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
3610 describe KAM_EMAILPHISH Email Phishing Scams
3611 score KAM_EMAILPHISH 3.5
3612
3613 #MASSMAILER ERRORS
3614 header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i
3615
3616 meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
3617 describe KAM_MASSERROR Error in usage of a mass mailing software
3618 score KAM_MASSERROR 2.0
3619
3620 #CAR DEAL SPAMS
3621 header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
3622 header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
3623 body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i
3624
3625 meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
3626 describe KAM_CARDEAL Car Deal Spams
3627 score KAM_CARDEAL 3.0
3628
3629 #Quick Sale Scams
3630 header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
3631 header __KAM_HOMESALE2 From =~ /Fastcash/i
3632 body __KAM_HOMESALE3 /Cash Offer for Your Home/i
3633
3634 meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
3635 describe KAM_HOMESALE Home Sale Spams
3636 score KAM_HOMESALE 3.5
3637
#ADVERTISEMENTS FOR LOANS
header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
#"approval" and "cash" are broad on their own; the meta needs three signals.
header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i

#"loan offer" used as an attachment/part name. These two sub-rules only exist
#when the MIMEHeader plugin is loaded.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif

#The meta references __KAM_LOAN5A/B unconditionally. With MIMEHeader disabled
#they are undefined; SpamAssassin is expected to warn at lint time and treat the
#missing terms as 0, so the rule degrades to the three text signals - confirm
#with spamassassin --lint on an installation without the plugin.
meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe KAM_LOAN Payday and other loan spams
score KAM_LOAN 4.5
3651
3652 #HANGOVER SPAM
3653 header __KAM_HANGOVER1 Subject =~ /hangover patch/i
3654 header __KAM_HANGOVER2 From =~ /hangover/i
3655 body __KAM_HANGOVER3 /hangover patch/i
3656
3657 meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
3658 describe KAM_HANGOVER Hangover Patch Spams
3659 score KAM_HANGOVER 3.5
3660
3661 #RX PLAN SPAM
3662 header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
3663 header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
3664 body __KAM_RXPLAN3 /gap coverage/i
3665
3666 meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
3667 describe KAM_RXPLAN Rx Plan Spams
3668 score KAM_RXPLAN 3.5
3669
3670 #SIDE SOCKET
3671 header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
3672 header __KAM_SOCKET2 From =~ /side.?socket/i
3673 body __KAM_SOCKET3 /side socket/i
3674
3675 meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
3676 describe KAM_SOCKET Product Spam du Jour
3677 score KAM_SOCKET 3.5
3678
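#TESTOSTERONE
header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
#Brand names as alternatives. The previous pattern "axiron+androderm" was a
#regex typo: "+" applied to the final "n", so it only matched the literal
#concatenation "axiron...androderm" and neither brand name on its own.
body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron|androderm/i

#Three of four signals.
meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe KAM_TESTOSTERONE Product Spam du Jour
score KAM_TESTOSTERONE 4.5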
3688
3689 #PET
3690 header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
3691 header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
3692 body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i
3693
3694 meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
3695 describe KAM_PET Insurance and other pet-related spam
3696 score KAM_PET 4.5
3697
3698 meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
3699 describe KAM_PET2 Even more likely insurance and other pet-related spam
3700 score KAM_PET2 3.5
3701
3702 #COBRA
3703 header __KAM_COBRA1 Subject =~ /Cobra Health/i
3704 header __KAM_COBRA2 From =~ /Cobra|Health/i
3705 body __KAM_COBRA3 /find cobra health/i
3706
3707 meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
3708 describe KAM_COBRA Cobra Insurance Spam
3709 score KAM_COBRA 3.5
3710
3711 #Discount Air
3712 header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
3713 header __KAM_DISCAIR2 From =~ /Discount Air/i
3714 body __KAM_DISCAIR3 /Fly Cheap in Business Class/i
3715
3716 meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
3717 describe KAM_DISCAIR Discount Airfare Spam
3718 score KAM_DISCAIR 3.5
3719
3720 #PEST
3721 header __KAM_PEST1 Subject =~ /pes?t control system/i
3722 header __KAM_PEST2 From =~ /Riddex|pest/i
3723 body __KAM_PEST3 /revolutionary pes?t control system/i
3724
3725 meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
3726 describe KAM_PEST Spam for Pest Control
3727 score KAM_PEST 3.5
3728
3729
3730 #PROPHET
3731 header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
3732 header __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues|spiritualisraelnumber\d|TheLeastOfThese\d/i
3733 body __KAM_PROPHET3 /Dear Christian Friend|revelation \d+\:/i
3734 body __KAM_PROPHET4 /Christian ?Media\*? ?(Daily|Ministry|Prophecy)|spiritualisraelnumber\d/i
3735 body __KAM_PROPHET5 /prophecy|rapture/i
3736
3737 meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
3738 describe KAM_PROPHET Spam for Prophecy
3739 score KAM_PROPHET 8.5
3740
3741 #HEART
3742 header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
3743 header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
3744 body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i
3745
3746 meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
3747 describe KAM_HEART Spam for Heart Attack prevention
3748 score KAM_HEART 4.5
3749
3750 #JOINT
3751 header __KAM_JOINT1 Subject =~ /joint relief/i
3752 header __KAM_JOINT2 From =~ /Tfx/i
3753 body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
3754 body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
3755 body __KAM_JOINT5 /free bottle/i
3756
3757 meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
3758 describe KAM_JOINT Joint relief Spam
3759 score KAM_JOINT 4.0
3760
3761 #REHAB
3762 header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
3763 header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
3764 body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i
3765
3766 meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
3767 describe KAM_REHAB Rehab Spam
3768 score KAM_REHAB 3.0
3769
#HAIRTRANS
header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i

#Two of four; KAM_GIFT is defined elsewhere in the ruleset.
meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe KAM_HAIRTRANS Spam for Hair Restoration
score KAM_HAIRTRANS 3.5

#NOTE(review): no rule named KAM_UNSUB1 is defined in this part of the file -
#only KAM_UNSUB and the sub-rule __KAM_UNSUB1 are. If it is not defined
#elsewhere, spamassassin --lint reports an undefined dependency and the term
#evaluates as 0, so the "|| KAM_UNSUB1" branch never contributes. Confirm the
#intended name (KAM_UNSUB or __KAM_UNSUB1).
meta KAM_HAIRTRANS2 (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration
score KAM_HAIRTRANS2 2.0
3782
3783 #OUR GIFT
3784 body __KAM_GIFTCERT1 /Our gift to you/i
3785 body __KAM_GIFTCERT2 /\$\d+ gift certificate/i
3786 header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i
3787
3788 meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
3789 score KAM_GIFTCERT 1.5
3790 describe KAM_GIFTCERT Gift Certificate Spams
3791
3792 #TIRES
3793 header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
3794 header __KAM_TIRES2 From =~ /Tire/i
3795 body __KAM_TIRES3 /savings on tire|new tires/i
3796
3797 meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3)
3798 describe KAM_TIRES Spam for Tires
3799 score KAM_TIRES 3.0
3800
3801 #SLICEOMATIC
3802 header __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
3803 header __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
3804 body __KAM_SLICEOMATIC3 /Slice-o-matic/i
3805
3806 meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3)
3807 describe KAM_SLICEOMATIC Spam for Kitchen Tools
3808 score KAM_SLICEOMATIC 3.0
3809
3810 #FINDYOURWINDOWS AND OTHER WINDOW SPAM
3811 header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
3812 header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
3813 body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i
3814
3815 meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
3816 describe KAM_WINDOWS Spam for House Windows
3817 score KAM_WINDOWS 4.5
3818
#EMMAPP.WEB.COM - SpamAssassin's URI DNSBL lookups trim hostnames to the
#registrable domain, so this subdomain cannot be listed without listing all of
#web.com; it is handled as a local URI rule instead.
#POISON PILL: one matching URI adds 20 points, well above the default 5.0
#threshold, so this is effectively a hard block. Any message that merely quotes
#the hostname (an abuse report, a forwarded sample, this ruleset itself) will
#be classified as spam.
uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i

meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1)
describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com
score KAM_EMMAPP_WEB_COM 20.0
3826
3827 #NEW CREDIT CARD
3828 header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
3829 header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
3830 body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i
3831
3832 meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
3833 describe KAM_NEW_CREDITCARD Spam for new credit cards
3834 score KAM_NEW_CREDITCARD 4.0
3835
3836 #WEIRD GERMAN SPAM
3837 header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
3838 header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
3839 body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
3840 body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i
3841
3842 meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
3843 describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam
3844 score KAM_GERMAN_BUSINESS_CONTACTS 3.0
3845
3846 #WEIRD SENIOR DATING SPAM
3847 header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i
3848
3849 meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1)
3850 describe KAM_SENIOR_DATING Senior dating spam
3851 score KAM_SENIOR_DATING 2.0
3852
#NEWS!
#Whole-subject "NEWS"/"WEBSITE"/"ARTICLE" (optionally "Fwd: "), or a subject
#containing "how are you" anywhere.
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
#Greeting with an exclamation mark anywhere in the body.
body __KAM_NEWS2 /(?:Hello|hey|hi)!/i

#Three of four; 9.0 exceeds the default threshold on its own. A genuine short
#note ("Subject: how are you", body "Hi! ...") already supplies two terms, so
#either a body under 128 bytes or KAM_MANYTO (defined elsewhere) tips it over.
#Watch this one for false positives on personal mail.
meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe KAM_NEWS Forged Emails with NEWS!
score KAM_NEWS 9.0
3860
#URI COUNT - REQUIRES 3.3 OR LATER
#Metas outside this block that reference __KAM_HAS_*_URIS will see them as
#undefined on SpamAssassin < 3.3.
if (version >= 3.003000)
#/^./ matches every extracted URI exactly once; "multiple" makes the hit count
#equal to the number of URIs. Counting stops at 16, so any comparison above
#16 (e.g. ">= 17") could never fire.
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one

#Threshold helpers for other metas (all within the 16-hit cap).
meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif
3876
3877 #DISCLAIMER STUB FOR FUTURE RESOURCE
3878 body __KAM_DISCLAIMER1 /receives compensation/i
3879
3880 #FAKE AT&T
3881 #header __KAM_FAKE_ATT1 From =~ /AT.?T/i
3882 #header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
3883 #uri __KAM_FAKE_ATT3 /att-mail.com/i
3884 #
3885 #meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
3886 #describe KAM_FAKE_ATT Fake AT&T newsletters
3887 #score KAM_FAKE_ATT 3.0
3888
3889 #YOU HAVE BEEN CHOSEN
3890 header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
3891 header __KAM_CHOSEN2 From =~ /marketing|invitation/i
3892 body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
3893
3894 meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
3895 describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
3896 score KAM_CHOSEN 2.0
3897
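#JURY DUTY AND OTHER FAKE COURT NOTICES
header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
#The display name is deliberately inspected here: scammers put the "notice" in it.
header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
#Sender is NOT a .gov address. Evaluated on the address part only (From:addr):
#on the full header a display name such as "Clerk of Court .gov <x@example.invalid>"
#satisfied /\.gov/ and switched this sub-rule off - the obvious evasion for a
#scammer who controls the display name. Still defeated by forging the address
#itself, which is why the meta leans on the other signals too.
header __KAM_JURY3 From:addr !~ /\.gov/i
body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i

#Four of five: court subject, court/lawyer sender, non-.gov address, court body
#text, KAM_RAPTOR_ALTERED (defined elsewhere).
meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score KAM_JURY 8.0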
3907
3908 #BITCOIN
3909 header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
3910 body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
3911 header __KAM_BITCOIN3 From =~ /bitcoin/i
3912
3913 meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
3914 describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
3915 score KAM_BITCOIN 4.5
3916
3917 #RELIGIOUS
3918 header __KAM_RELIGION1 Subject =~ /Christian Media/i
3919 header __KAM_RELIGION2 From =~ /Bible Prophecy/i
3920 body __KAM_RELIGION3 /Dear Christian|Christian Media/i
3921
3922 meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
3923 describe KAM_RELIGION Generic religious spam
3924 score KAM_RELIGION 2.5
3925
3926 #BUSINESS PHONE
3927 header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
3928 header __KAM_BUSINESSPHONE2 From =~ /business phone/i
3929 body __KAM_BUSINESSPHONE3 /business phone system/i
3930
3931 meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
3932 describe KAM_BUSINESSPHONE Advertising for business phone systems
3933 score KAM_BUSINESSPHONE 5.5
3934
3935 #NUMEROLOGY
3936 header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
3937 header __KAM_NUMEROLOGY2 From =~ /Numerology/i
3938 body __KAM_NUMEROLOGY3 /Control your destiny/i
3939
3940 meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
3941 describe KAM_NUMEROLOGY Pseudo-scientific spam
3942 score KAM_NUMEROLOGY 3.5
3943
#Internal rule: only loaded where the KAMOnly plugin is present.
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#VOICEMAIL SPAM
#"news" in both the Subject and From alternations is very broad and already
#supplies two of the three required terms; the rule therefore depends on the
#body text or KAM_RAPTOR_ALTERED (defined elsewhere) to avoid hitting
#ordinary newsletters.
header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i

#Three of four.
meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
endif
3954
3955 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
3956 header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
3957 header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
3958 rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
3959
3960 meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
3961 describe KAM_SPAMFORSPAM Spam advertising spam services
3962 score KAM_SPAMFORSPAM 5.5
3963
3964 #ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
3965 header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
3966 header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
3967 body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
3968
3969 meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
3970 describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
3971 score KAM_NEUROLOGICAL 3.5
3972
#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
#Any run of 20 hex digits, case-insensitive. Note it also matches 20-digit
#decimal numbers, and a longer run counts once per 20 characters because
#"multiple" counts non-overlapping matches. Counting stops at 10 hits.
body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags __KAM_LOTSOFHASH multiple maxhits=10

#Fires only at the cap (10 runs). KAM_GRABBAG1 below reuses the counter at >= 6.
meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score KAM_LOTSOFHASH 0.25
3980
#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
#Four of nine weak signals. The __KAM_* terms are defined elsewhere in the
#ruleset; HTML_FONT_LOW_CONTRAST and T_REMOTE_IMAGE come from the stock
#SpamAssassin rules. NOTE(review): T_ is the sandbox/test prefix - if upstream
#promotes or renames T_REMOTE_IMAGE this meta silently loses a term (an
#undefined dependency evaluates as 0); check it against the installed rules
#after each sa-update.
meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score KAM_GRABBAG1 3.5
3985
3986 #TV DOCTOR TRASH
3987 header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
3988 header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
3989 body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
3990
3991 meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
3992 describe KAM_TVDOCTOR Spam for TV doctor stuff
3993 score KAM_TVDOCTOR 3.5
3994
3995 # 1-800-DENTIST
3996 header __KAM_DENTIST1 Subject =~ /dentist/i
3997 header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
3998 body __KAM_DENTIST3 /Find a dentist/i
3999
4000 meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
4001 describe KAM_DENTIST Spam for 1-800-DENTIST
4002 score KAM_DENTIST 3.5
4003
4004 # GOLD AND DIAMOND JEWELRY
4005 header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
4006 header __KAM_JEWELRY2 From =~ /bluestone.com/i
4007
4008 meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
4009 describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
4010 score KAM_JEWELRY 3.5
4011
# PSSST, WANNA BUY SOME POT
body __KAM_MARIJUANA1 /marijuana|cannabis/i
body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
#Deliberately loose context words (state names, "profit"); only meaningful in
#combination with the other sub-rules.
body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i

#Product word + medicinal/recreational + (a context word or KAM_INFOUSMEBIZ,
#defined elsewhere).
meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA Spam pertaining to marijuana
score KAM_MARIJUANA 3.5

#8.0 on only two signals: the product word in From plus any one context or
#medicinal/recreational word in the body. "colorado", "washington" and
#"profit" are common enough that an opted-in industry newsletter from a
#sender whose name contains "cannabis" exceeds the default threshold on this
#rule alone; lower the score locally if that traffic is wanted.
meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score KAM_MARIJUANA2 8.0
describe KAM_MARIJUANA2 Definitely spam for marijuana
4025
4026 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4027 # EVICTION NOTICE
4028 header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
4029 header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
4030 body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
4031
4032 meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
4033 describe KAM_EVICTION Malware disguised as eviction notice
4034 score KAM_EVICTION 4.5
4035 endif
4036
4037 # WALK IN TUBS
4038 header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
4039 header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
4040 body __KAM_WALKINTUB3 /walk.?in.?tub/i
4041
4042 meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
4043 describe KAM_WALKINTUB Ads for walk-in tubs
4044 score KAM_WALKINTUB 3.5
4045
# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
#Subject starts with an optional "<", an address-shaped token (no whitespace,
#one "@"), then " - " or "> " - i.e. the recipient address leaked into the
#subject by a mass-mailer template.
header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
#Spammy phrases seen after that prefix.
header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i

#Both required.
meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score KAM_EMAILQUESTION 3.5
4053
# BECOME BEYOND SUPERHUMAN / SUPERMAN
#Both leading groups are optional, so this effectively reduces to
#/(super|hu)man/i and also hits ordinary senders such as "Human Resources".
#Harmless on its own because the meta requires all three sub-rules.
header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i

#All three required; 8.0 exceeds the default threshold on its own.
meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score KAM_SUPERHUMAN 8.0
4062
4063 # VALENTINES
4064 header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
4065 header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
4066 rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
4067
4068 meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
4069 describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
4070 score KAM_VALENTINE 4.5
4071
4072 header __KAM_MOTHER1 From =~ /flower|seventeen/i
4073 header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
4074 body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
4075
4076 meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
4077 describe KAM_MOTHER Spam for mother's day
4078 score KAM_MOTHER 4.5
4079
4080 # WHO'S WHO
4081 header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
4082 header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
4083 body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
4084 uri __KAM_WHOSWHO4 /whoswho/i
4085
4086 meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
4087 describe KAM_WHOSWHO Ads for network of important people
4088 score KAM_WHOSWHO 5.0
4089
4090 meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
4091 describe KAM_WHOSWHO2 Definitely ads for network of important people
4092 score KAM_WHOSWHO2 1.0
4093
4094 # GARAGE FLOOR COATING
4095 header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
4096 header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
4097 body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
4098
4099 meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
4100 describe KAM_GARAGE Garage floor coating product of the day
4101 score KAM_GARAGE 4.0
4102
4103 meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
4104 score KAM_GARAGE2 1.0
4105 describe KAM_GARAGE2 More likely garage floor coating spam
4106
4107 #PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
4108 header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
4109 header __KAM_PAINT2 Subject =~ /surface Paint/i
4110
4111 meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
4112 describe KAM_PAINT Paint Spams
4113 score KAM_PAINT 4.0
4114
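4115 # HURRICANE MOP
4116 header __KAM_MOP1 From =~ /hurricane mop/i
4117 header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
# Body phrases are meant to mirror the Subject list above. The previous pattern
# read "cut cleaning time+absorbs ...": the "+" was a quantifier on the "e", not
# an alternation, so the two middle phrases only matched the literal run
# "cut cleaning timeabsorbs Nx its own weight" and were effectively dead.
4118 body __KAM_MOP3 /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
4119
4120 meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
4121 describe KAM_MOP Hurricane mop product of the day
4122 score KAM_MOP 3.5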
4123
4124 # DATING TIPS
4125 header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
4126 header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
4127 body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
4128
4129 meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
4130 describe KAM_DATINGTIPS Tips for dating
4131 score KAM_DATINGTIPS 4.5
4132
4133 # CANDY
4134 header __KAM_CANDY1 From =~ /candy/i
4135 header __KAM_CANDY2 Subject =~ /candy/i
4136 body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
4137
4138 meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
4139 describe KAM_CANDY Ads for candy
4140 score KAM_CANDY 4.5
4141
4142 # EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
4143 # MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
4144 # DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
4145 #rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
4146 #score KAM_EXCESSIVEQP 2.5
4147 #describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable
4148
4149 # ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
4150 header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
4151 body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
4152 header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
4153 header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
4154
4155 meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
4156 describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
4157 score KAM_WEIRDTRICK1 1.5
4158
4159 meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
4160 describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
4161 score KAM_WEIRDTRICK2 3.5
4162
4163 meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
4164 describe KAM_WEIRDTRICK3 Weird/Strange Trick
4165 score KAM_WEIRDTRICK3 3.0
4166
4167 #MATCH MAKER SPAM
4168 header __KAM_MATCH1 From =~ /Match/i
4169 header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
4170
4171 meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
4172 describe KAM_MATCH Match Maker Spams
4173 score KAM_MATCH 3.5
4174
4175 #CAR INSURANCE
4176 header __KAM_CARINSURE1 From =~ /insurance/i
4177 header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
4178
4179 meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
4180 describe KAM_CARINSURE Car Insurance Spams
4181 score KAM_CARINSURE 3.0
4182
4183 #DATA IMG
4184 rawbody __KAM_DATAIMG /<img src="data:image/i
4185
4186 #FAKE MMS
4187 rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
4188
4189 meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
4190 describe KAM_MMS Fake MMS Spam
4191 score KAM_MMS 6.0
4192
4193 #LEARNMORE
4194 rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
4195
4196 meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
4197 describe KAM_LEARN Learn More Spam
4198 score KAM_LEARN 6.0
4199
4200 #UNSUB1
# Either a List-Unsubscribe header of the form <unsub1@...> / <mailto:unsub1@...>,
# or the same mailbox in the raw body, or the words "unsubscribe"/"click here"
# immediately followed by an opening HTML tag (no whitespace, no closing tag).
# Score is 0.1: this is a marker, scored only in combination below.
4201 header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
4202 rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
4203
4204 meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
4205 describe KAM_UNSUB1 Unsubscription Spams
4206 score KAM_UNSUB1 0.1
4207
# Unanchored: hits any URI containing "domain.com", so "yourdomain.com" /
# "mydomain.com" template placeholders match, but so does any real hostname
# that merely ends that way. It is only scored together with KAM_UNSUB1 or
# KAM_ADVERT2 (defined elsewhere), which bounds the false-positive surface.
4208 uri __KAM_DOMAINDOTCOM /domain\.com/i
4209
4210 meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
4211 score KAM_UNSUB2 3.5
4212 describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body
4213
4214 # DUTCH GLOW AND OTHER WOODWORKING SPAM
4215 header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
4216 header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
4217 body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
4218
4219 meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
4220 describe KAM_DUTCHGLOW Woodworking spam
4221 score KAM_DUTCHGLOW 3.0
4222
4223 # FUNERAL HOME SPAM
4224 header __KAM_FUNERAL1 From =~ /Funeral/i
4225 header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
4226 body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
4227 uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
4228
4229 meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
4230 describe KAM_FUNERAL Likely Fake funeral notices
4231 score KAM_FUNERAL 2.0
4232
4233 meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
4234 describe KAM_FUNERAL2 Fake funeral notices
4235 score KAM_FUNERAL2 3.0
4236
4237
4238 # WEB VIEW OBFUSCATION
4239 body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
4240 rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
4241
4242 meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
4243 describe KAM_WEB_OBFUSCATION Obfuscated web view links
4244 score KAM_WEB_OBFUSCATION 0.1
4245
4246 # TUPPERWARE
4247 header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
4248 header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
4249 body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
4250
4251 meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
4252 describe KAM_TUPPERWARE Ads for tupperware
4253 score KAM_TUPPERWARE 3.5
4254
4255 # PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
4256 header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
4257 header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
4258 body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
4259 body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
4260
4261 meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
4262 describe KAM_PATRIOT conspiracy spam
4263 score KAM_PATRIOT 4.0
4264
4265 meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
4266 describe KAM_PATRIOT2 Likely conspiracy spam
4267 score KAM_PATRIOT2 1.5
4268
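4269 # PAYMENT LOWERED
4270 header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
4271 body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
# "ID#" followed by a 20-hex-digit fake reference number
4272 body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
4273
4274 meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
4275 describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
4276 score KAM_PAYMENT_LOWERED 4.5
4277
# Booster for the 4-of-4 case, named ..._LOWERED2 like KAM_NEWNOTICE2 / KAM_LUNAR2.
# This used to be a second definition of KAM_PAYMENT_LOWERED itself; a later
# definition of the same rule name replaces the earlier one, so the >= 3 rule
# above and its 4.5 score were silently overridden by this >= 4 / 2.0 rule and
# the three-hit case scored nothing at all.
meta KAM_PAYMENT_LOWERED2 (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED2 Higher probability of lowered payment spam
score KAM_PAYMENT_LOWERED2 2.0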
4281
4282 #NEW NOTICE
4283 body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
4284 body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
4285 header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
4286
4287 meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
4288 describe KAM_NEWNOTICE New Notice Spam
4289 score KAM_NEWNOTICE 4.25
4290
4291 meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
4292 describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
4293 score KAM_NEWNOTICE2 2.0
4294
4295 #REFI NEW NOTICE
4296 header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
4297 body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
4298
4299 meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
4300 describe KAM_REFINEW New Refi/Credit Notice spam
4301 score KAM_REFINEW 2.0
4302
4303 meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
4304 describe KAM_REFINEW2 Higher Probability Refi Spam
4305 score KAM_REFINEW2 2.0
4306
4307 #AUTO INSURE / LOAN
4308 header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
4309 body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
4310 body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
4311 header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
4312
4313 meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
4314 describe KAM_AUTONEW New Auto insurance spam
4315 score KAM_AUTONEW 3.0
4316
4317 meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
4318 describe KAM_AUTONEW2 Higher Probability Insurance Spam
4319 score KAM_AUTONEW2 2.0
4320
4321 #STATLER
4322 header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
4323 header __KAM_STATLER2 Subject =~ /quintuple/i
4324 body __KAM_STATLER3 /Mike Statler/i
4325
4326 meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
4327 describe KAM_STATLER Mike Statler Spams
4328 score KAM_STATLER 6.0
4329
4330 #LEARNING TO WRITE
4331 header __KAM_WRITING1 From =~ /writing/i
4332 header __KAM_WRITING2 Subject =~ /writing resources|get published/i
4333 body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
4334
4335 meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
4336 describe KAM_WRITING Spam for writing lessons
4337 score KAM_WRITING 3.5
4338
4339 #RASH OF .EU EXPLOITS
# NOTE(review): loose by design at 0.50, but it also gates KAM_GRABBAG2 (3.0).
# The "." in "www." is unescaped, ".{4,30}" is not limited to hostname
# characters, and "\b" after "eu" is satisfied by a following ".", so
# "example.eu.com" or a path segment ending in ".eu" also hit - check against
# corpus before relying on this as a TLD match.
4340 rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
4341 score KAM_EU 0.50
4342 describe KAM_EU Prevalent use of .eu in spam/malware
4343
4344 #CSS COLOR WRITTEN AS "#" PLUS 12 HEX DIGITS (48 BITS) - NOT A VALID CSS COLOR FORM (CSS USES 3, 4, 6 OR 8 DIGITS), SO ONLY BROKEN MAIL GENERATORS EMIT IT
4345 rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
4346
4347 meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
4348 score KAM_GRABBAG2 3.0
4349 describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators
4350
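4351 #END DIABETES SPAM
4352 body __KAM_DIABETES1 /Diabetes News Today|diabetes.health|blood.sugar/i
4353 tflags __KAM_DIABETES1 nosubject
4354 body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical|doctors don't know|home solution|yellow spice|shocked doctors/i
4355 tflags __KAM_DIABETES2 nosubject
4356 header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic|blood sugar|yellow spice/i
# Case-insensitive like every other From/Subject subrule in this family. The
# previous pattern had no /i, so a capitalised display name such as
# "Blood Sugar" or "Clean Cell" did not hit.
4357 header __KAM_DIABETES4 From:name =~ /blood.?sugar|clean.?cell/i
4358
4359 meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 + __KAM_DIABETES4 >= 3)
4360 score KAM_DIABETES 4.5
4361 describe KAM_DIABETES End Diabetes Spam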
4362
4363 #SPY CAMERAS, ETC
4364 header __KAM_SPY1 From =~ /spy.?camera|smartcam/i
4365 header __KAM_SPY2 Subject =~ /spy.?camera|small size video/i
4366 body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children|smartcam pro/i
4367
4368 meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
4369 describe KAM_SPY Spy cameras and similar products
4370 score KAM_SPY 3.5
4371
4372 #HARP
4373 header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
4374 header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
4375 header __KAM_HARP3 From !~ /\.gov>?$/i
4376
4377 meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
4378 describe KAM_HARP HARP Refinance Spams
4379 score KAM_HARP 4.5
4380
4381 #LUNAR SLEEP AND OTHER SLEEPING AIDS
4382 header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
4383 header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
4384 uri __KAM_LUNAR3 /lunar.?sleep/i
4385 body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
4386
4387 meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
4388 describe KAM_LUNAR Sleeping aid spam
4389 score KAM_LUNAR 4.5
4390
4391 meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
4392 describe KAM_LUNAR2 Definitely sleeping aid spam
4393 score KAM_LUNAR2 2.0
4394
4395 #OCEANS BOUNTY
4396 header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
4397 header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
4398 body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
4399
4400 meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
4401 describe KAM_OCEANSBOUNTY More medical spam
4402 score KAM_OCEANSBOUNTY 4.5
4403
4404 #ANDROGEL
4405 header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
4406 header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
4407 body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
4408
4409 meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
4410 describe KAM_ANDROGEL More medical spam
4411 score KAM_ANDROGEL 4.5
4412
4413 #CELL PHONES
4414 header __KAM_CELL1 From =~ /phone/i
4415 header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
4416 body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
4417
4418 meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
4419 describe KAM_CELL Ads for cell phones
4420 score KAM_CELL 3.5
4421
4422 header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
4423 header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
4424 body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
4425
4426 meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
4427 score KAM_FOUNTAINOFYOUTH 5.0
4428 describe KAM_FOUNTAINOFYOUTH Anti-aging ad
4429
4430 #HERPES
4431 header __KAM_HERPES1 From =~ /herpes/i
4432 header __KAM_HERPES2 Subject =~ /your.herpes/i
4433 body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
4434
4435 meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
4436 describe KAM_HERPES Ads for herpes medication
4437 score KAM_HERPES 5.0
4438
4439 #FAKE VOUCHER/REWARD EMAIL
4440 header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
4441 body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
4442 header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
4443 body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i
4444
4445 meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
4446 describe KAM_FAKEVOUCHER Fake voucher/reward email
4447 score KAM_FAKEVOUCHER 4.5
4448
4449 #ATTORNEY SPAM
4450 header __KAM_ATTORNEY1 From =~ /attorney/i
4451 header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
4452 body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i
4453
4454 meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
4455 score KAM_ATTORNEY 3.5
4456 describe KAM_ATTORNEY Ads for legal services
4457
4458 #PRODUCT RECALL
4459 header __KAM_RECALL1 From =~ /dog.?food/i
4460 header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
4461 body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i
4462
4463 meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
4464 score KAM_RECALL 3.5
4465 describe KAM_RECALL Spam for product recall notices
4466
4467 #REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
4468 rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
4469 tflags __KAM_HUGEIMGSRC multiple maxhits=6
4470
4471 meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
4472 score KAM_HUGEIMGSRC 0.2
4473 describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
4474
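4475 describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
# Stop at whitespace, ">" or a quote, the same delimiter set __KAM_HUGEIMGSRC
# uses. With a bare [^\s] the 300 characters could run past the end of a short
# URL into the following attributes and tags whenever the markup carries no
# whitespace (minified HTML), so the rule measured tag length, not URL length.
4476 rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{300}/i
4477 score KAM_REALLYHUGEIMGSRC 0.5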
4478
# Remote image whose URL host begins with "track" (tracking., tracker., ...).
# Many legitimate ESPs use such hosts for open-tracking pixels, hence the 0.2
# score; it mainly feeds KAM_GRABBAG3 below.
4479 rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
4480 describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
4481 score KAM_TRACKIMAGE 0.2
4482
4483 #BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
4484 meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
4485 score KAM_GRABBAG3 3.0
4486 describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients
4487
4488 #MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
4489 #IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
4490 rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
4491
4492 meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
4493 describe KAM_EMPTYLINK Many empty a tags with href all in a row
4494 score KAM_EMPTYLINK 3.5
4495
4496 header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
4497 describe __KAM_TILDEFROM Spam with a from name that starts with tilde
4498
4499 # WORDS THAT "A R E S P A C E D O U T" LIKE SO
4500 body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i
4501
4502 # SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
4503 header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal|invest in your country/i
4504 body __KAM_INVESTCOUNTRY2 /invest in your country|investment purpose/i
4505 tflags __KAM_INVESTCOUNTRY2 nosubject
4506
4507 meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 + FREEMAIL_FROM >= 3)
4508 score KAM_INVESTCOUNTRY 4.5
4509 describe KAM_INVESTCOUNTRY Spam for investing in your country
4510
4511 # SPAM FOR FLAGS
4512 header __KAM_FLAG1 From =~ /flag/i
4513 header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
4514 body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
4515
4516 meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
4517 score KAM_FLAG 3.5
4518 describe KAM_FLAG Spam that sells flags
4519
4520 rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
4521 describe __KAM_BIGSMALL Spam engine that is using nested big and small tags
4522
4523 rawbody __KAM_DIVTITLE /<div (title|alt)/i
4524 describe __KAM_DIVTITLE Div tag with custom alt text
4525
4526 rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
4527 describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area
4528
4529 meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
4530 describe KAM_GRABBAG4 Another spam engine that displays unique quirks
4531 score KAM_GRABBAG4 3.5
4532
4533 header __KAM_KORS1 From =~ /Michael Kors/i
4534 header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
4535 body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
4536
4537 meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
4538 score KAM_KORS 3.5
4539 describe KAM_KORS Spam for Michael Kors
4540
4541 header __KAM_HOLIDAY1 From =~ /holidays/i
4542 header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
4543 body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
4544
4545 meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
4546 describe KAM_HOLIDAY Generic holiday deals
4547 score KAM_HOLIDAY 3.5
4548
4549 #Thanks to Dave Wreski for his idea on commas
# Counts recipient separators in the To header: ">," (five or more
# angle-bracketed addresses) or ", " (25 or more comma-separated entries).
# NOTE(review): neither pattern detects a repeated To header instance as such;
# confirm how repeated headers are joined before relying on the first half of
# the describe text below.
4550 header __KAM_MANYTO To =~ />,/i
4551 tflags __KAM_MANYTO multiple maxhits=5
4552
4553 header __KAM_MANYTO2 To =~ /, /
4554 tflags __KAM_MANYTO2 multiple maxhits=25
4555
4556 meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
4557 score KAM_MANYTO 0.2
4558 describe KAM_MANYTO Email has more than one To Header or more than 25 recipients
4559
4560 meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
4561 score KAM_GRABBAG5 5.0
4562 describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients
4563
4564 body __KAM_MILLIONAIRE1 /internet millionai?re/i
4565 body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
4566 header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
4567
4568 meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
4569 score KAM_MILLIONAIRE 4.5
4570 describe KAM_MILLIONAIRE Internet millionaire guarantees money
4571
4572 header __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
4573 header __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
4574 body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
4575
4576 meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
4577 score KAM_OILCHANGE 4.5
4578 describe KAM_OILCHANGE Spam for oil changes
4579
4580 header __KAM_ADHD1 From =~ /ADH?D/i
4581 header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
4582 body __KAM_ADHD3 /struggling with adh?d|treatment options/i
4583
4584 meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
4585 score KAM_ADHD 3.5
4586 describe KAM_ADHD Spam for ADD and ADHD treatment
4587
4588 # AUTO REPAIR
4589 header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
4590 header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
4591 body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
4592
4593 meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
4594 score KAM_REPAIR1 3.5
4595 describe KAM_REPAIR1 Spam for auto repair services
4596
4597 # HOME REPAIR
4598 header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
4599 header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
4600 body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
4601
4602 meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
4603 score KAM_REPAIR2 3.5
4604 describe KAM_REPAIR2 Spam for home repair services
4605
4606 body __KAM_EPISODE /episode \d+/i
4607
4608 header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
4609 header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
4610 body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
4611 body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
4612
4613 meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
4614 score KAM_CLOUD 3.5
4615 describe KAM_CLOUD Spam for cloud services
4616
4617 #FAX AND PAPERLESS SPAM
4618 header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
4619 header __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
4620 body __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
4621 body __KAM_PAPERLESS4 /link expires/i
4622
4623 meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
4624 score KAM_PAPERLESS 4.5
4625 describe KAM_PAPERLESS Paperless spam for the paperless office
4626
4627 rawbody __KAM_LOTSOFNBSP /(&nbsp; ?){30}/i
4628
# List-Unsubscribe URL pointing at a bare IPv4 literal instead of a hostname.
# Subrule only (no score here); presumably consumed by meta rules elsewhere in
# the file. Matches "http://" only - an https:// URL does not hit - and \d+
# does not bound the octets to 0-255.
4629 header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i
4630
4631 # PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
# Credential-phish heuristic: "password" anywhere in the Subject plus a
# "validate your email" call to action in the body. Both parts are generic, so
# the score is deliberately low (1.5) and only adds weight alongside other hits.
4632 header __KAM_PASSWORD1 Subject =~ /password/i
4633 body __KAM_PASSWORD2 /validate.your.email/i
4634
4635 meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
4636 score KAM_PASSWORD 1.5
4637 describe KAM_PASSWORD Message tries to phish for password
4638
4639 # SEMINARS AND WORKSHOPS SPAM
4640 header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
4641 header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
4642 header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
4643 body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
4644
4645 meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
4646 describe KAM_WEBINAR Spam for webinars
4647 score KAM_WEBINAR 3.5
4648
4649 meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
4650 describe KAM_WEBINAR2 Spam for webinars
4651 score KAM_WEBINAR2 3.5
4652
4653 header __KAM_CONTACTME1 Subject =~ /^contact me$/i
4654 body __KAM_CONTACTME2 /read the attached letter/i
4655
4656 meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
4657 score KAM_CONTACTME 3.5
4658 describe KAM_CONTACTME Spam that wants you to reply
4659
4660 header __KAM_MESH1 From =~ /consumer|connect|claim/i
4661 header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
4662 body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
4663
4664 meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
4665 describe KAM_MESH Spam for surgical mesh
4666 score KAM_MESH 3.5
4667
4668 header __KAM_ALERT1 From =~ /medical.?alert/i
4669 header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
4670 body __KAM_ALERT3 /help button/i
4671
4672 meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
4673 score KAM_ALERT 3.5
4674 describe KAM_ALERT Spam for medical alerts
4675
4676 # SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
4677 header __KAM_SECURITY1 From =~ /Digital Defense/i
4678 header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
4679 body __KAM_SECURITY3 /information.security|cyber.?criminal/i
4680
4681 meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
4682 describe KAM_SECURITY Spam related to online security
4683 score KAM_SECURITY 6.0
4684
4685 body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
4686 body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
# NOTE(review): __KAM_JESUS3 is defined here but not referenced by the KAM_JESUS meta below;
# confirm whether another meta elsewhere in the ruleset consumes it before treating it as dead.
4687 body __KAM_JESUS3 /nigeria|muslim.women/i
4688
# Fires when both of the first two body sub-rules match (JESUS3 is not part of the sum).
4689 meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
4690 describe KAM_JESUS Christian spam
4691 score KAM_JESUS 4.5
4692
4693 header __KAM_CLAIMS1 From =~ /claims.payment/i
4694 header __KAM_CLAIMS2 Subject =~ /confirm/i
4695 body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
4696
4697 meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
4698 describe KAM_CLAIMS Spam for claims processing
4699 score KAM_CLAIMS 4.5
4700
4701 # VISION SPAM
4702 header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
4703 header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
4704 body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
4705
4706 meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
4707 describe KAM_VISION Spam for vision improvement
4708 score KAM_VISION 4.5
4709
4710 body KAM_TRUTHINESS /[Tt]he TRUTH/
4711 describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
4712 score KAM_TRUTHINESS 1.5
4713
4714 header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
4715 header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
4716 body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
4717
4718 meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
4719 score KAM_KITCHEN 4.5
4720 describe KAM_KITCHEN Spam for kitchen improvement
4721
4722 # ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
4723 header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
4724
4725 header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
4726
4727 body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
4728
4729 meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
4730 score KAM_GENERICHEALTH 1.75
4731 describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
4732
4733 header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
4734 header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
4735 body __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
4736
4737 header __KAM_SALEA_1 From =~ /touch.?fire/i
4738 header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
4739 body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
4740
4741 meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
4742 score KAM_SALE 4.0
4743 describe KAM_SALE Spam for things on sale
4744
4745 meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
4746 score KAM_SALEA 8.0
4747 describe KAM_SALEA A very persistent ipad spam campaign
4748
4749 # SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
# Sub-rule: a run of 20 or more divider characters (-, ~, <, >, =, _). "multiple maxhits=4"
# counts up to four separate runs so the meta below can require several dividers, not just one.
4750 body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
4751 tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
4752
# Only scores non-HTML messages (!HTML_MESSAGE) that contain four divider runs; an HTML
# message with the same dividers is left to the HTML-based rules this trick tries to evade.
4753 meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
4754 describe KAM_ASCII_DIVIDERS Email that uses ascii formatting dividers and possible spam tricks
4755 score KAM_ASCII_DIVIDERS 0.8
4756
4757 # RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
# Sub-rule only: hits when an X-No-Relay header is present with any content at all.
# No meta in this section references it; check whether it is consumed elsewhere in the ruleset.
4758 header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
4759
# Empty inline-formatting tags (<big></big> etc.) carry no visible content and are typical
# HTML padding inserted to vary the raw body between copies of the same spam.
4760 rawbody __KAM_HTMLNOISE1 /<big><\/big>|<small><\/small>|<style><\/style>/i
4761
# __KAM_BIGSMALL is not defined in this section; it must come from elsewhere in the ruleset or
# SpamAssassin will report an undefined dependency for this meta.
4762 meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
4763 score KAM_HTMLNOISE 1.0
4764 describe KAM_HTMLNOISE Spam containing useless HTML padding
4765
4766 header __KAM_CHICKEN1 From =~ /coop/i
4767 header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
4768 body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
4769
4770 meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
4771 score KAM_CHICKEN 4.5
4772 describe KAM_CHICKEN Spam for chicken coops
4773
4774 # SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
# Matches eight consecutive "newline + exactly one non-newline character" pairs, i.e. a run of
# one-character lines. Padding the body with such lines defeats rules that look for blank-line
# patterns while keeping the rendered text nearly unchanged.
4775 rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
4776
4777 meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
4778 score KAM_LINEPADDING 1.2
4779 describe KAM_LINEPADDING Spam that tries to get past blank line filters
4780
4781 # DRAPES SPAM
4782 header __KAM_DRAPES1 From =~ /drapes/i
4783 header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
4784 body __KAM_DRAPES3 /banner.stand|print.project/i
4785
4786 meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
4787 score KAM_DRAPES 3.5
4788 describe KAM_DRAPES Spam for drapes
4789
4790 header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
4791 header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
4792 body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
4793
4794 meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
4795 describe KAM_NUWAVE Spam for cooking tools
4796 score KAM_NUWAVE 3.5
4797
# An HTML comment whose body is 200+ characters with no '>' in it. "multiple maxhits=6" counts
# up to six such comments; the meta requires all six, so one long comment alone never scores.
4798 rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
4799 tflags __KAM_MANYCOMMENTS multiple maxhits=6
4800
4801 meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
4802 describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
4803 score KAM_MANYCOMMENTS 1.2
4804
4805 header __KAM_HIRE1 From =~ /recruit/i
4806 header __KAM_HIRE2 Subject =~ /checking.in/i
4807 body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
4808
4809 meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
4810 describe KAM_HIRE Spam for hiring services
4811 score KAM_HIRE 4.5
4812
4813 header __KAM_DEALS1 From =~ /deal.?hunter/i
4814 header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
4815 body __KAM_DEALS3 /exclusive.savings/i
4816
4817 meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
4818 score KAM_DEALS 3.5
4819 describe KAM_DEALS Generic advertising for deals
4820
4821 header __KAM_CONTRACT1 From =~ /samanage/i
4822 header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
4823 body __KAM_CONTRACT3 /buy you out|service management|management solution/i
4824
4825 meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
4826 score KAM_CONTRACT 4.5
4827 describe KAM_CONTRACT Spam that will buy your service contract
4828
4829 #KAM_TOLL
4830 header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
4831 header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
4832 body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
4833
4834 meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
4835 describe KAM_TOLL Spam for road tolls
4836 score KAM_TOLL 8.0
4837
# Internal rule: only loaded when the KAMOnly plugin is present.
4838 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4839 #KAM_AMAZON
# Branch 1 input: "amazon.com" appears anywhere in the From header.
4840 header __KAM_AMAZON1 From =~ /amazon\.com/i
4841
# Branch 2 inputs: display-name / address mismatch. The From display name claims amazon.com
# while the actual address is NOT at amazon.com - the classic brand-impersonation shape.
4842 header __KAM_AMAZON2 From:addr !~ /amazon\.com/i
4843 header __KAM_AMAZON3 From:name =~ /amazon\.com/i
4844
# Either (From mentions amazon.com AND KAM_RAPTOR_ALTERED, which is defined elsewhere) or
# (display name claims amazon.com AND address does not). The second branch needs no
# attachment/alteration signal at all.
4845 meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2) || (__KAM_AMAZON2 + __KAM_AMAZON3 >= 2)
4846 score KAM_AMAZON 4.5
4847 describe KAM_AMAZON Fake Amazon email with malware
4848 endif
4849
4850 # LANDSCAPING
4851 header __KAM_LANDSCAPE1 From =~ /landscaping/i
4852 header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
4853 body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
4854 body __KAM_LANDSCAPE4 /stone.carving/i
4855
4856 meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
4857 describe KAM_LANDSCAPING Spam for landscaping
4858 score KAM_LANDSCAPING 3.5
4859
4860 # SINGING LESSONS
4861 header __KAM_SINGING1 From =~ /singing/i
4862 header __KAM_SINGING2 Subject =~ /professional.singer/i
4863 body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
4864
4865 meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
4866 describe KAM_SINGING Spam for singing lessons
4867 score KAM_SINGING 4.5
4868
4869 # SPAM FOR ADS
4870 header __KAM_ADVERTISE1 From =~ /gmail/i
4871 header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
4872 body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
4873
4874 meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
4875 describe KAM_ADVERTISE Spam that wants you to advertise for them
4876 score KAM_ADVERTISE 4.5
4877
4878 # RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
# Guarded three ways: SpamAssassin >= 3.3.2 and both the DKIM and SPF plugins loaded, because
# __DKIM_EXISTS and check_for_spf_none() are provided through those plugins.
# NOTE(review): several metas later in this file (KAM_LINKBAIT, KAM_GOOGLE2, KAM_VERY_MALWARE,
# KAM_ZERODAY2, KAM_ACCOUNTPHISH, KAM_SEENTHIS) reference KAM_LAZY_DOMAIN_SECURITY without the
# same guards; on an installation without these plugins they would reference an undefined rule.
4879 if (version >= 3.003002)
4880 ifplugin Mail::SpamAssassin::Plugin::DKIM
4881 ifplugin Mail::SpamAssassin::Plugin::SPF
4882 # We may recommend raising the score for this rule to push more domains toward SPF or DKIM, since Gmail and AOL work much better with (or require) SPF.
# "net" marks the sub-rule as needing DNS lookups, so it is skipped in local-only scans.
4883 header __KAM_SPF_NONE eval:check_for_spf_none()
4884 tflags __KAM_SPF_NONE net
4885
# Fires when the message carries no DKIM signature AND the sender domain publishes no SPF
# record - a "nothing to authenticate against" signal, not proof of forgery on its own, hence
# the modest score.
4886 meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
4887 tflags KAM_LAZY_DOMAIN_SECURITY net
4888 score KAM_LAZY_DOMAIN_SECURITY 1.0
4889 describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
4890 endif
4891 endif
4892 endif
4893
# Internal rule (KAMOnly) that also needs the DKIM plugin for DKIM_INVALID.
4894 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4895 ifplugin Mail::SpamAssassin::Plugin::DKIM
# X-Raptor-Truncate is a header added by the Raptor scanner, presumably when it shortens the
# message body - TODO confirm where it is set.
4896 header __KAM_TRUNCATE exists:X-Raptor-Truncate
# A DKIM body hash cannot verify once the body has been truncated, so a small negative score
# partly offsets DKIM_INVALID in that case. "nice" declares the rule as ham-leaning.
4897 meta DKIM_FAILED_TRUNCATE ( DKIM_INVALID && __KAM_TRUNCATE )
4898 describe DKIM_FAILED_TRUNCATE DKIM invalid but message truncated by Raptor
4899 score DKIM_FAILED_TRUNCATE -0.1
4900 tflags DKIM_FAILED_TRUNCATE nice
4901 endif
4902 endif
4903
4904 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4905 # FORGED EMAILS WITH A VIRUS ATTACHED
4906 meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
4907 score KAM_FORGED_ATTACHED 4.5
4908 describe KAM_FORGED_ATTACHED Forged email with a malware attachment
4909 endif
4910
4911 # LOTS OF PERIODS IN SUBJECT
4912 header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
4913
4914 meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
4915 describe KAM_MANYDOTS Spam with lots of periods in subject
4916 score KAM_MANYDOTS 3.5
4917
4918 # FINAL NOTICE SPAM
4919 header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
4920
4921 meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
4922 describe KAM_SUBJECTNOTICE Spam notices
4923 score KAM_SUBJECTNOTICE 1.0
4924
4925 # SPAM FOR BACKUP SERVICE
4926 header __KAM_BACKUP1 From =~ /backup/i
4927 header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
4928 body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
4929
4930 meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
4931 describe KAM_BACKUP Spam for backup services
4932 score KAM_BACKUP 4.5
4933
4934 # SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
4935 header KAM_FROMNUM From:name =~ /\.\d{7,}$/
4936 describe KAM_FROMNUM Spam with large numbers in the from header
4937 score KAM_FROMNUM 1.0
4938
4939 # LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
# Three signals, all required: unauthenticated sender domain (KAM_LAZY_DOMAIN_SECURITY),
# body under 512 bytes, and at least one URI. __KAM_BODY_LENGTH_LT_512 and __KAM_COUNT_URIS are
# defined elsewhere in the ruleset.
4940 meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
4941 score KAM_LINKBAIT 2.5
4942 describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place
4943
# WordPress path components in a URI; linkbait pointing into wp-includes/wp-content usually
# means the landing page is on a compromised site rather than spammer-owned infrastructure.
4944 uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
4945
# Stacks on KAM_LINKBAIT (both rules score when this one fires).
4946 meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
4947 score KAM_LINKBAIT2 1.5
4948 describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site
4949
4950 # FREEMAIL LINKBAIT
# KAM_SHORT (defined elsewhere; the describe line indicates a URL-shortener check) plus a
# freemail sender plus a short body.
4951 meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
4952 score KAM_LINKBAIT3 1.5
4953 describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
4954
4955 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4956 # MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
4957 meta KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
4958 score KAM_PHISHY_DOLLARS 3.5
4959 describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
4960 endif
4961
4962 # RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
# Intent (per the describe line): count From headers, capped at two. A message with more than
# one From header is ambiguous - different clients and filters may display or evaluate different
# ones - so it is a strong ratware signal. NOTE(review): /^./ has no /m flag; confirm that
# "multiple" actually yields a count of 2 on a two-From message rather than 1.
4963 header __KAM_MULTIPLE_FROM From =~ /^./
4964 tflags __KAM_MULTIPLE_FROM multiple maxhits=2
4965
# Subject begins with ten or more whitespace characters.
4966 header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
4967
# Both signals required: two From headers AND the leading-whitespace subject.
4968 meta KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
4969 describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
4970 score KAM_GRABBAG6 4.5
4971
4972 # GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
4973 header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
4974 score KAM_GENERICHELLO 1.5
4975 describe KAM_GENERICHELLO Spam with generic greetings in the subject
4976
4977 # FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
4978 header __KAM_GOOGLE2_1 From =~ /google\+/i
4979 header __KAM_GOOGLE2_2 From !~ /google.com/i
4980
4981 meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
4982 score KAM_GOOGLE2 4.5
4983 describe KAM_GOOGLE2 Fake Google spam
4984
4985 # MORE NIGERIAN VARIANTS
4986 body __KAM_NIGERIAN3_1 /congo/i
4987
4988 meta KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
4989 score KAM_NIGERIAN3 4.5
4990 describe KAM_NIGERIAN3 Nigerian scam variant
4991
4992 # FINGERHUT SPAMS
4993 header __KAM_FINGERHUT1 From =~ /finger.?hut/i
4994 header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
4995 body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
4996
4997 meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
4998 score KAM_FINGERHUT 4.5
4999 describe KAM_FINGERHUT Spam for fingerhut
5000
5001 # FRIEND REQUEST SPAM
5002 header __KAM_FRIEND1 Subject =~ /new.notification/i
5003 body __KAM_FRIEND2 /wants.to.follow/i
5004
5005 meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
5006 score KAM_FRIEND 1.5
5007 describe KAM_FRIEND Friend request spam
5008
5009 # ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
5010 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5011 meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
5012 score KAM_VERY_MALWARE 3.5
5013 describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
5014 endif
5015
5016 #MERCHANT ACCOUNTS SPAM
5017 header __KAM_MERCHANT1 Subject =~ /finance.department/i
5018 body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
5019 body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
5020
5021 meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
5022 score KAM_MERCHANT 4.5
5023 describe KAM_MERCHANT Spam for merchant processing
5024
5025 # ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
# The mimeheader keyword needs the MIMEHeader plugin, hence the guard.
5026 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Office document or opaque binary (application/octet-stream) part types.
5027 mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
# NOTE(review): __KAM_ZERODAY2 is now only referenced by the disabled KAM_ZERODAY meta below.
5028 header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
5029
5030 # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
5031 #meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
5032 #describe KAM_ZERODAY obviously a malware email that was not caught
5033 #score KAM_ZERODAY 8.0
5034
5035 # ANOTHER ONE
# Subject lures typical of malicious-attachment campaigns (invoice, remittance, resume...).
# NOTE(review): this is a plain header rule and does not need MIMEHeader, yet it sits inside
# the plugin guard while KAM_DANGEROUSXLS below references it outside the guard. Moving this
# line above the ifplugin would keep KAM_DANGEROUSXLS valid when MIMEHeader is not loaded.
5036 header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
5037
# Office/binary attachment + lure subject + unauthenticated sender domain. Low score on its
# own; KAM_ZERODAY3 escalates when T_OBFU_DOC_ATTACH (defined elsewhere) also fires.
5038 meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
5039 score KAM_ZERODAY2 1.0
5040 describe KAM_ZERODAY2 Another obvious zero-day malware
5041
5042 meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
5043 score KAM_ZERODAY3 3.5
5044 describe KAM_ZERODAY3 Another obvious zero-day malware
5045 endif
5046
5047 #MORE ACCOUNTING DANGEROUS SPAMS
# Depends on __KAM_ZERODAY3 (defined only under the MIMEHeader guard above) and on the
# KAM_OLEMACRO_* rules, which are defined elsewhere in the ruleset.
5048 meta KAM_DANGEROUSXLS (__KAM_ZERODAY3 + KAM_OLEMACRO_ENCRYPTED + KAM_OLEMACRO_RENAME >= 3)
5049 describe KAM_DANGEROUSXLS Dangerous accounting emails with zero day payloads
5050 score KAM_DANGEROUSXLS 6.0
5051
5052 # FAMILY TREE SPAM
5053 header __KAM_ANCESTOR1 From =~ /ancestry/i
5054 header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
5055 body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
5056
5057 meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
5058 describe KAM_ANCESTOR Spam for family trees
5059 score KAM_ANCESTOR 3.5
5060
5061 # REMEMBER WHEN YOU GOT THAT SPAM
5062 header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
5063 body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
5064 body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
5065
5066 meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
5067 score KAM_REMEMBERWHEN 4.5
5068 describe KAM_REMEMBERWHEN Reminder of something that never happened
5069
5070 # THE LATEST TRAILING NOISE FORMAT
5071 body __KAM_NOISE1 /([a-z0-9],){12}/i
5072 body __KAM_NOISE2 /([a-z]{1,10},){10}/i
5073
5074 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5075 meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
5076 describe KAM_NOISE1 Pattern of noise words at the end of an email
5077 score KAM_NOISE1 2.5
5078 endif
5079
5080 # FREE PIZZA WOO!
5081 header __KAM_PIZZA1 From =~ /pizza/i
5082 header __KAM_PIZZA2 Subject =~ /^free pizza$/i
5083 body __KAM_PIZZA3 /free.pizza.coupon/i
5084
5085 meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
5086 score KAM_PIZZA 3.5
5087 describe KAM_PIZZA Spam for free pizza
5088
5089 # ENGINEERING SPAM
5090 header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
5091 body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
5092 body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
5093
5094 meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
5095 score KAM_ENGINEER 3.5
5096 describe KAM_ENGINEER Spam for engineering contact information
5097
5098 # SUNGLASSES
5099 header __KAM_SUNGLASSES1 Subject =~ /rayban/i
5100 body __KAM_SUNGLASSES2 /great ray|hot.deal/i
5101 body __KAM_SUNGLASSES3 /style rocks|today.only/i
5102
5103 meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
5104 describe KAM_SUNGLASSES Spam for sunglasses
5105 score KAM_SUNGLASSES 3.5
5106
5107 # INVOICE SPAM OF THE DAY
5108 header __KAM_INVOICE1 From =~ /billing/i
5109 header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
5110 header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
5111 body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
5112 uri __KAM_INVOICE5 /overdue|final.account/i
5113
5114 meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
5115 score KAM_INVOICE 4.5
5116 describe KAM_INVOICE Phishing invoice spam
5117
5118 meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
5119 score KAM_INVOICE2 5.5
5120 describe KAM_INVOICE2 Phishing invoice spam
5121
5122 # GRIPEEZ
5123 header __KAM_GRIPPY1 From =~ /gripeez/i
5124 header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
5125 body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
5126
5127 meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
5128 score KAM_GRIPPY 4.5
5129 describe KAM_GRIPPY Spam for sticky grip products
5130
5131 # LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
5132 header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing|Bank of America/i
5133 header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
5134 body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
5135 body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
5136
5137 meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
5138 score KAM_ACCOUNTPHISH 3.20
5139 describe KAM_ACCOUNTPHISH Spam that tries to get account information
5140
5141 # BUY PROPERTY
5142 header __KAM_PROPERTY1 From =~ /high.rise|condo/i
5143 header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
5144 body __KAM_PROPERTY3 /convenient.location/i
5145
5146 meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
5147 score KAM_PROPERTY 2.5
5148 describe KAM_PROPERTY Spam for buying property
5149
5150 # FAKE AMEX
5151 header __KAM_FAKEAMEX1 From =~ /aexp.com/i
5152
5153 meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
5154 score KAM_FAKEAMEX 8.0
5155 describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
5156
# Subject of at least 500 characters (the regex is unanchored at the end, so longer also hits).
5157 header KAM_HUGESUBJECT Subject =~ /^.{500}/
5158 score KAM_HUGESUBJECT 2.5
5159 describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
5160
5161 #HOOKUP
5162 header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
5163 uri __KAM_HOOKUP2 /justhookup/i
5164 body __KAM_HOOKUP3 /match.?me.?networks/i
5165
5166 meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
5167 score KAM_HOOKUP 10.5
5168 describe KAM_HOOKUP Spam for Local Hookup Service
5169
5170 #PSYCHIC
5171 header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
5172 uri __KAM_PSYCHIC2 /free.psychic/i
5173 body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
5174
5175 meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
5176 score KAM_PSYCHIC 4.5
5177 describe KAM_PSYCHIC Current Psychic Product Spam du Jour
5178
5179 #UNSUB BADDIES
5180 body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
5181
5182 meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
5183 score KAM_BADUNSUB 3.0
5184 describe KAM_BADUNSUB Bad Unsubscribe Messages
5185
5186 #GRABBAG FOR A ROUND OF WORDPRESS HACKS
5187 rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
5188
5189 meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
5190 score KAM_GRABBAG7 3.0
5191 describe KAM_GRABBAG7 Spam pattern with bad HTML message
5192
5193 #TINYURL OBFUSCATION
5194 uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
5195
5196 meta KAM_TINYURL (__KAM_TINYURL1)
5197 score KAM_TINYURL 4.0
5198 describe KAM_TINYURL Spammy urls that hide behind a link shortener
5199
5200 # FAKE DROPBOX - Adding _ to DROPBOX2 for badly configured ESS servers
5201 header __KAM_DROP_BOX1 From =~ /dropbox/i
# Negated check: hits when the From header does NOT contain "dropbox.com".
# NOTE(review): the dot is unescaped, so any single character between "dropbox" and "com"
# satisfies the pattern and suppresses this sub-rule; compare the escaped form used in
# __KAM_AMAZON1 (/amazon\.com/). Consider `From !~ /dropbox\.com/i`.
5202 header __KAM_DROP_BOX2 From !~ /dropbox.com/i
5203 body __KAM_DROP_BOX3 /shared.a.folder/i
5204
# Brand name in From, but not the real domain, plus the "shared a folder" lure.
5205 meta KAM_DROPBOX (__KAM_DROP_BOX1 + __KAM_DROP_BOX2 + __KAM_DROP_BOX3 >= 3)
5206 score KAM_DROPBOX 4.5
5207 describe KAM_DROPBOX Fake Dropbox emails
5208
5209 # BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
5210 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5211 header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
5212
5213 meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
5214 describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
5215 score KAM_YAHOO_MISTAKE -3.0
5216 endif
5217
5218 # GARBAGE FREEMAIL
5219 meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
5220 score KAM_GRABBAG9 4.5
5221 describe KAM_GRABBAG9 Garbage email from a garbage freemail account
5222
5223 # AQUA RUG
5224 header __KAM_AQUARUG1 From =~ /aqua.?rug/i
5225 header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
5226 body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
5227
5228 meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
5229 score KAM_AQUARUG 3.5
5230 describe KAM_AQUARUG Spam for aqua rug product
5231
5232 # FAKE ITC SPAM
5233 # Fixed FP thanks to j.marshall
5234 header __KAM_ITC1 From =~ /thetradecouncil.com/i
5235 body __KAM_ITC2 /International Trade Council/i
5236 body __KAM_ITC3 /enclosed/i
5237
5238 meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
5239 score KAM_ITC 4.5
5240 describe KAM_ITC Fake email from International Trade Council
5241
5242 # HAVE YOU SEEN THIS
5243 body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
5244
5245 meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
5246 score KAM_SEENTHIS 4.5
5247 describe KAM_SEENTHIS Have you seen this spam?
5248
5249 # DETOX
5250 header __KAM_DETOX1 From =~ /detox/i
5251 header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
5252 body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
5253
5254 meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
5255 score KAM_DETOX 2.5
5256 describe KAM_DETOX Spam for trendy detox stuff
5257
5258 # DEATH INSURANCE
5259 header __KAM_DEATHINSURE1 From =~ /live.sure/i
5260 header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
5261 body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
5262
5263 meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
5264 describe KAM_DEATHINSURE Spam for death insurance
5265 score KAM_DEATHINSURE 3.5
5266
5267 # REACHBASE
5268 body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
5269 score KAM_REACHBASE 2.5
5270 describe KAM_REACHBASE Marketing email pretending to be business info
5271
5272 # DIGITAL WALLET SPAM
5273 header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
5274 header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
5275 body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
5276
5277 meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
5278 score KAM_DIGITALWALLET 3.5
5279 describe KAM_DIGITALWALLET Spam for digital wallet services
5280
5281 # BAD PHP
# X-PHP-Originating-Script is added by PHP's mail() when mail.add_x_header is enabled and names
# the calling script. A value like "eval()'d code" (the two dots match the parentheses) means
# the mail was sent from eval'd code - characteristic of injected mailer code on a compromised
# web host rather than a deployed script.
5282 header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
# A mailer invoked via a "css.php" script argument - not a plausible name for a legitimate mailer.
5283 header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
5284
# Either indicator alone is enough.
5285 meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
5286 score KAM_BADPHP 3.5
5287 describe KAM_BADPHP Questionable PHP mailer headers
5288
5289 # TINNITUS
5290 header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)|silencil|tinnitus/i
5291 header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring|removes? tinnitus/i
5292 body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled|restores your hearing|no more buzzing/i
5293 tflags __KAM_TINNITUS3 nosubject
5294
5295 meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
5296 describe KAM_TINNITUS Tinnitus spam
5297 score KAM_TINNITUS 4.5
5298
5299 # KIWIBANK
5300 header __KAM_KIWIBANK1 From =~ /kiwibank/i
5301 header __KAM_KIWIBANK2 Subject =~ /verification.required/i
5302 body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
5303
5304 meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
5305 describe KAM_KIWIBANK Account phish for Kiwibank
5306 score KAM_KIWIBANK 3.5
5307
5308 # HAPPY TALK
5309 header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
5310 body __KAM_HAPPYTALK2 /honest.and.nice/i
5311 body __KAM_HAPPYTALK3 /beautiful.mail/i
5312
5313 meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
5314 score KAM_HAPPYTALK 3.5
5315 describe KAM_HAPPYTALK Weirdly happy spam
5316
5317 # SETTLEMENT SPAM
5318 header __KAM_SETTLEMENT1 From =~ /xarelto/i
5319 header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
5320 body __KAM_SETTLEMENT3 /lawsuit.information/i
5321
5322 meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
5323 score KAM_SETTLEMENT 3.5
5324 describe KAM_SETTLEMENT Spam offering lawsuit settlement
5325
5326 # CAD SPAM
5327 header __KAM_CAD1 Subject =~ /cad.drawing/i
5328 body __KAM_CAD2 /we.specialize.in/i
5329 body __KAM_CAD3 /our.products/i
5330
5331 meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
5332 describe KAM_CAD Spam for CAD services
5333 score KAM_CAD 3.5
5334
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#SPAM WITH OFFICE MACROS
# X-Raptor-* headers appear to be set by an upstream scanning stage that only
# exists on KAM's own installs, which is why this block is guarded by the
# KAMOnly plugin and is skipped everywhere else.
header __KAM_VBMACRO X-Raptor-VBMacro =~ /True/i

# Does not stack with KAM_OLEMACRO (defined elsewhere): fires only when the
# header indicator is set and that rule did not already hit.
meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
describe KAM_VBMACRO Message contains attachment with VB macro
score KAM_VBMACRO 6.5

#SPAM THAT INDICATES DYNAMIC IP
# Plain header rule with a large score: it trusts whatever set the header.
# NOTE(review): this is only safe if the header is stripped from incoming mail
# and re-added at the trusted boundary; presumably the case on those
# installs -- verify.
header KAM_DYNIP X-Raptor-DynamicIndicator =~ /True/i
describe KAM_DYNIP Message contains Dynamic IP Address Indicator
score KAM_DYNIP 6.5
endif
5348
5349
# YELP AND OTHER REVIEW SITES
header __KAM_REVIEW1 From =~ /contractor/i
header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i

# All three required.
meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score KAM_REVIEW 4.5

# TOURS AND EVENTS
header __KAM_TOURS1 From =~ /festival/i
header __KAM_TOURS2 Subject =~ /adventure.tour/i
body __KAM_TOURS3 /your.adventure.tour|your.event/i

meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events

# NO MORE SPAM ENGINES
# Two fixed unsubscribe-style phrases used by one mailer; both must appear.
body __KAM_NOMORE1 /no.more.of.this/i
body __KAM_NOMORE2 /no.more.at.all/i

meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score KAM_NOMORE 3.5

# NOT REALLY CONFIDENTIAL
body __KAM_NOCONFIDENCE1 /confidential.information/i

# "Confidential" wording on a message whose sending domain has no SPF/DKIM
# style protection (KAM_LAZY_DOMAIN_SECURITY is defined elsewhere). Low score:
# it is an oddity, not a spam signal on its own.
meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security

# YER GON GET SASSINATED
# Hitman extortion template; three of four phrases needed.
header __KAM_ASSASSIN1 Subject =~ /want you dead/i
body __KAM_ASSASSIN2 /my identity/i
body __KAM_ASSASSIN3 /assassinate/i
body __KAM_ASSASSIN4 /like.an.accident/i

meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam

# GIMME FLASH DRIVES
# __KAM_DRIVE1 ("purchase" or "manager" anywhere in From) is very broad, so
# the body phrase in rule 3 carries the real signal; all three are required.
header __KAM_DRIVE1 From =~ /purchase|manager/i
header __KAM_DRIVE2 Subject =~ /quotation/i
body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i

meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment
5401
#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
# blacklist_uri_host link
#endif

#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
# Counter-weight for whitelist DNS lists: a sender that is on any of the
# blocklists on the left AND on DNSWL HI or HostKarma white on the right gets
# points back. The KAMOnly branch adds the BRBL lists and KAM's own URIBL
# sub-rule; otherwise the two branches are identical.
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif

# Same blocklist condition, but requires BOTH whitelists to have hit. Note
# that ">= 2" implies ">= 1", so when this fires KAM_QUITE_BAD_DNSWL fires as
# well and the two stack to 10.25 points.
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
5428
# HEARING LOSS
header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry|sharpear/i
header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids|restore your hearing/i
body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid|mineral to restore/i

# All three required.
meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions

# TRACKR
header __JMQ_TRACKR1 From =~ /trackr/i
header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i

meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR

# CONGRATULATION
header __JMQ_CONGRAT1 From =~ /award|claim/i
header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i

# Both header tests plus at least one attachment indicator (KAM_RAPTOR_ALTERED,
# T_FREEMAIL_DOC_PDF and HK_SPAMMY_FILENAME are defined elsewhere and count as
# one term), i.e. a prize notice that wants an attachment opened.
meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam

# PICKUP
header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header __JMQ_PICKUP3 X-Mailer =~ /php/i
# Generic on its own ("female", any "N year old"); only counts with the rest.
body __JMQ_PICKUP4 /\d+.year.old|female/i

# Three of four. Score 8.0 is a near-verdict by itself.
meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number

# COMPROMISED DROPBOX
# Payment/transfer subject with a "(x123)"-style token, plus "ACH payment"
# in the body. All three required.
header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body __JMQ_DROPBOX3 /ach.(payment|transfer)/i

meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts

#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body __KAM_BAD_REVIEW2 /Reputation Giant/i

meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
score KAM_BAD_REVIEW 4.0
describe KAM_BAD_REVIEW Online reputation spammers

#GOOGLE AWARD
header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
body __KAM_GOOGLE_AWARD2 /selected as a winner/i
body __KAM_GOOGLE_AWARD3 /Dear Google/i
body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i

# Attachment named "Google Award"; only testable with MIMEHeader loaded.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
endif

# Four of five, where the two mimeheader tests together form one term.
# NOTE(review): the meta references __KAM_GOOGLE_AWARD5A/5B unconditionally;
# without MIMEHeader they are undefined dependencies -- confirm how the
# installed SpamAssassin version handles that before relying on this rule
# on non-MIMEHeader installs.
meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
score KAM_GOOGLE_AWARD 5.0
describe KAM_GOOGLE_AWARD Fake Google Awards

#OBFUSCATED LOANS
# Literal accented look-alike letters; whether this matches depends on the
# message charset being decoded to the same byte sequence as this file --
# presumably relies on normalize_charset, verify.
body KAM_OBFU_LOANS /Stüdént Lóans/i
score KAM_OBFU_LOANS 5.0
describe KAM_OBFU_LOANS Obfuscated Loan Verbiage

#WORK FROM HOME
body __KAM_WORKFROMHOME1 /work from home/i

# Phrase plus KAM_SHORT (defined elsewhere); both required.
meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score KAM_WORKFROMHOME 1.75
describe KAM_WORKFROMHOME Work from Home Spams

#STUDENT LOAN
body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
body __KAM_STUDENTLOAN2 /consolidate your loan/i
body __KAM_STUDENTLOAN3 /doesn't injured/i
# Hard-coded call-back number seen in the campaign; expect it to rotate.
body __KAM_STUDENTLOAN4 /866-351-4693/i
body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i

# Three of five.
meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score KAM_STUDENTLOAN 4.5
describe KAM_STUDENTLOAN Student Loan Scam
5519
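#RESUME
# __JMQ_RESUME1 and __JMQ_RESUME2 are plain header/body tests and are also
# used by JMQ_RESUME3 further down, outside any plugin guard; they are
# declared here unconditionally so that rule does not end up with undefined
# dependencies when MIMEHeader is not loaded. Only the mimeheader tests
# need the plugin.
header __JMQ_RESUME1 Subject =~ /resume/i
body __JMQ_RESUME2 /hello my name|my name is/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i

# A zip-compressed part is mandatory, plus any three of the other four
# indicators.
meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
score JMQ_RESUME 4.5
describe JMQ_RESUME Spam for bad attached resumes
endif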
5532
#LED/SOLAR LIGHTS
header __KAM_LED1 From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun|flood ?light/i
body __KAM_LED2 /(garage|LED Fan) Light|sun-?like|\dx the brightness|security "?must have/i
# The Subject is tested separately by rule 3, so do not count it as body.
tflags __KAM_LED2 nosubject
header __KAM_LED3 Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED|security "?must have/i

meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
describe KAM_LED LED Lighting Spams
score KAM_LED 4.5

# REAL ESTATE
header __JMQ_REALESTATE1 From =~ /tom.brice/i
header __JMQ_REALESTATE2 Subject =~ /real.estate/i
body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i

meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score JMQ_REALESTATE 4.5

# IP IN FROM
# Dotted quad anywhere in the From header (display name or address). The
# pattern is unanchored and does not range-check octets, so any four
# dot-separated 1-3 digit groups (e.g. a version string) also match. Scores
# on its own and is reused as a term in JMQ_PAYPAL2 below.
header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address

# IFFY PAYPAL OF THE DAY
# "paypai" (lower-case L swapped for I) brand look-alike in From.
header __JMQ_PAYPAL2 From =~ /paypai/i

# Requires the look-alike AND a literal IP in From; stacks with JMQ_IPINFROM.
meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day

# RESUME SPAM REDUX PART 2 (WOOHOO)
# Reuses __JMQ_RESUME1/2 from the RESUME section above plus KAM_THEBAT
# (defined elsewhere). NOTE(review): this meta has no plugin guard, so the
# two resume sub-rules must be declared outside any ifplugin block for it
# to be evaluable on every install -- check the RESUME section.
meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam
5568
# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
# These are network tests (tflags net): AskDNS fetches the TXT record of the
# sender domain (_SENDERDOMAIN_ template) and inspects the SPF policy. A
# "?all" (neutral) or "+all" (pass everything) terminator means the domain's
# SPF record does not actually reject forgeries, so SPF_PASS carries little
# weight for it. Scores are deliberately small: this describes the domain,
# not the message.
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
describe JMQ_SPF_NEUTRAL SPF set to ?all
score JMQ_SPF_NEUTRAL 0.5
tflags JMQ_SPF_NEUTRAL net

# The ".*" is greedy and unanchored at the end, so "+all" is matched anywhere
# after "v=spf1 ", not only as the final mechanism.
askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
describe JMQ_SPF_ALL SPF set to +all!
score JMQ_SPF_ALL 0.5
tflags JMQ_SPF_ALL net
endif
5581
# IMPORTANT MESSAGE
header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body __JMQ_IMPORTANT2 /important message/i
body __JMQ_IMPORTANT3 /please visit/i

# All four required, including KAM_LAZY_DOMAIN_SECURITY (defined elsewhere).
meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important

# IMAGE TRACKERS
# Known open-tracking domain pattern (sidekickopen<digits>.com). Small score:
# legitimate sales mail uses the same tracker.
uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i

meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker

# WIRE TRANSFERS
# Business-email-compromise style request: wire/fund subject, urgency in the
# body, plus any one of LOTS_OF_MONEY, KAM_LAZY_DOMAIN_SECURITY or
# HEADER_FROM_DIFFERENT_DOMAINS (all defined elsewhere, counted as one term).
header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body __JMQ_WIRE2 /medical.support|payment.sent/i
body __JMQ_WIRE3 /bank.wire|sent.out.asap/i

meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer

#bindata code in RTF
#rawbody __KAM_BADRTF1 /<w:binData/
#rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/

#meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score KAM_BADRTF 5.0

#Fake Order
body __KAM_ORDER1 /Please find document attached/i
header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i

# All three required. __BODY_LE_200 is declared just below (forward
# references between metas are fine for SpamAssassin).
meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score KAM_ORDER 3.0
describe KAM_ORDER Fraudulent Order Emails

# Short-body helper: __RB_LE_200 counts raw-body chunks of 2..200 chars (capped
# at 2 hits), __RB_GT_200 fires on any chunk longer than 200 chars. The meta
# is true when exactly one short chunk exists and no long one, i.e. the raw
# body is a single short paragraph.
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
5627
#SHOCKING BEVERAGE
body __KAM_SHOCK1 /shocking.beverage/i
header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
body __KAM_SHOCK3 /drinking this beverage/i

# Only two of three needed here (most sibling rules require all).
meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score KAM_SHOCK 4.0
describe KAM_SHOCK Spams with energy drinks

#BEAUTY SCAM
body __KAM_BEAUTY1 /she now looks \d+/i
body __KAM_BEAUTY2 /reveals exactly/i
body __KAM_BEAUTY3 /most amazing transformation/i
header __KAM_BEAUTY4 Subject =~ /now looks \d+/i

# Three of four.
meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score KAM_BEAUTY 4.0
describe KAM_BEAUTY Youth and Beauty Product Scams

#WEED
body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
body __KAM_WEED4 /(weed|pot).stock/i

# Three of four; 8.0 is a near-verdict.
meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score KAM_WEED 8.0
describe KAM_WEED Legal Weed and related investment scams

#LOGOS
# __KAM_LOGO3 is a superset of __KAM_LOGO1, so a "guru level logo" body hit
# satisfies both; effectively the body phrase plus the subject are required.
body __KAM_LOGO1 /guru.level logo/i
header __KAM_LOGO2 Subject =~ /guru.level logo/i
body __KAM_LOGO3 /(guru.level|ready.made) logo/i

meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score KAM_LOGO 5.25
describe KAM_LOGO Logo Spam

#TRUMP COIN
body __KAM_TRUMPCOIN1 /Donald Trump/i
header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
body __KAM_TRUMPCOIN3 /special colored coin/i

meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score KAM_TRUMPCOIN 5.25
describe KAM_TRUMPCOIN Trump Coin Spam

#WATER
body __KAM_WATER1 /Never Drink Water/i
header __KAM_WATER2 Subject =~ /bottled water/i
body __KAM_WATER3 /filtered tap water/i

meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score KAM_WATER 5.25
describe KAM_WATER Water Poison Scam

#BANK
body __KAM_RUIN1 /do not deposit/i
header __KAM_RUIN2 Subject =~ /money into your bank/i
body __KAM_RUIN3 /banking institutions/i

meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score KAM_RUIN 5.25
describe KAM_RUIN Bank Phishing Scam

#WEIGHT
body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation|researcher has just discovered|weight loss is wrong/i
# Subject has its own test (rule 2); do not double count it as body.
tflags __KAM_WEIGHT2_1 nosubject
header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym|fat hack|doctor shocked/i
body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+|lbs every \d+ hour|(pound|lb)s in \d+ days|melts pounds/i
# From:name tests only the display-name part of From.
header __KAM_WEIGHT2_4 From:name =~ /eat this seed|flat.?belly|big.?stomach/i

# Three of four.
meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 + __KAM_WEIGHT2_4 >= 3
score KAM_WEIGHT2 5.25
describe KAM_WEIGHT2 Weight loss process du jour

#AMAZING LENS
body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
# "camera" alone in the Subject is broad; relies on the 3-of-4 threshold.
header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
header __KAM_LENS4 From =~ /hdcam|lens|inhd/i

meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score KAM_LENS 5.25
describe KAM_LENS Amazing Lens Scam

#HONOR
body __KAM_HONOR1 /greatest thing of your life/i
header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
body __KAM_HONOR3 /profession women/i
# Generic; only meaningful together with the phrases above (3 of 4 needed).
body __KAM_HONOR4 /invitation/i

meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score KAM_HONOR 6.25
describe KAM_HONOR Professional Network Scam
5723
#Rule Dev
#Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
#uri __ALL_URI /.*/
#tflags __ALL_URI multiple

#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
# Evasion pattern: the message claims "text/html; charset=utf-8" and a base64
# transfer encoding, but the body is not actually base64.
header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
# "full" test on the raw message: (?:[^\n]|\n(?!\n))* walks the header block
# without crossing the first blank line, requires a base64
# Content-Transfer-Encoding header in it, then inside the first few hundred
# bytes after the blank line looks for a character outside the base64
# alphabet [a-z0-9+/=] followed by a non-space. Declared base64 that fails
# to decode is what a naive scanner would skip.
full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si

# All three required; 14.0 is decisive on its own, so the full-message test
# above is what keeps this from hitting merely mislabelled legitimate mail.
meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score KAM_BAD_UTF8 14.0
describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
5737
#DEATH
body __KAM_DEATH1 /prevent early.death/i
header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
body __KAM_DEATH3 /Eating this|before it.?s too late/i
body __KAM_DEATH4 /heart.(attack|stops)/i

# All four required (stricter than the usual 3-of-4).
meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score KAM_DEATH 6.25
describe KAM_DEATH Supplement Scam

#REWARD
body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
# "sale" alone in From is broad; the 4-of-5 threshold below compensates.
header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i

# Four of five; KAM_NUMSUBJECT is declared further down in this file.
meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score KAM_REWARD 5.25
describe KAM_REWARD Coupon Scam

#PACKAGE
body __KAM_PACKAGE1 /dysfunction|\dx longer/i
body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
header __KAM_PACKAGE3 Subject =~ /sex/i
header __KAM_PACKAGE4 From =~ /function|fivex/i

# Three of four.
meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score KAM_PACKAGE 4.25
describe KAM_PACKAGE Sexual Enhancement Scam

#NUM
header __KAM_NUMSUBJECT Subject =~ /\d+$/
# Year exclusion covers 2010-2029 only; subjects ending in 2030+ will start
# counting as "numbers" unless this is widened.
header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/

# Subject ends in digits that are not a recent year.
meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
score KAM_NUMSUBJECT 0.5
describe KAM_NUMSUBJECT Subject ends in numbers excluding current years
5775
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#BAD PDF
# Two ratware signatures in a MIME part's Content-Type: the literal
# "+-+-+-MGCS-+-+-+" boundary, or a filename ending in a C2/B7 byte followed
# by pdf and a closing quote at the end of the header value. The "(?=)?" is
# an empty look-ahead made optional and has no effect. Scores 10.0 on its
# own, so any broadening of this pattern should be tested against ham.
mimeheader KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
score KAM_MGCS 10.0
describe KAM_MGCS Boundary Content Indicative of Ratware
endif
5782
#NetWeaver - Disabled 7/24
#header KAM_NW X-Mailer =~ /SAP NetWeaver/i
#score KAM_NW 2.75
#describe KAM_NW Spam Indicator

#STOCKTIP OBFU
# Pump-and-dump mails that spell the ticker out letter by letter to dodge
# symbol matching.
body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
body __KAM_STOCKOBFU2 /first letter/i
header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i

meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
score KAM_STOCKOBFU 4.5

#FAKE BBB/FLSA NOTICES
# The "(incident:|case:)?" prefix is optional, so rule 1 really only needs
# five digit/colon/semicolon characters in a row in the Subject.
header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
# In "(\b|$)BBB(\b|^)" the "$" and "^" branches cannot match next to a
# letter without /m, so this alternative behaves as \bBBB\b.
body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i

# Four of five (KAM_SHORT is defined elsewhere). 12.0 is decisive by itself.
meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe KAM_FAKEBBB Fake Notices for Various Business Violations
score KAM_FAKEBBB 12.0

#HOWRU
#header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
# Freemail providers favoured by this campaign, matched as plain text in
# the body (also reused by KB_WAM_LONELY_WOMEN below).
body __KAM_HOWRU4 /gmx.com|rambler.ru/i

# All four required. The disabled __KAM_HOWRU1 has been replaced by
# __KB_WAM_SUBJECT_HELLO_ONLY, which is declared in the KB_WAM section below.
meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe KAM_HOWRU Female Chat Scam
score KAM_HOWRU 8.0
5816
# 2017-11-01, note 56146

# Domain brokering / "are you interested in this domain" solicitations.
body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i

# Cold-contact phrasing that often accompanies the above.
body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i

# Two tiers: _2 needs two of four phrases, _3 needs three. Because >=3 implies
# >=2 both fire together, so three phrases score 3.0 + 1.0 = 4.0 in total.
meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)

meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)

score KAM_DOMAIN_SALE_2 3.0
score KAM_DOMAIN_SALE_3 1.0

# Adds another point when the cold-contact phrase appears with the _2 tier.
meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)

score KAM_DOMAIN_SALE_INTRUDE 1.0

describe KAM_DOMAIN_SALE_2 Domain Selling Spam
describe KAM_DOMAIN_SALE_3 Domain Selling Spam
describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam

# 2017-11-08, lonely russian women Whack-A-Mole

# Likely Overlap with HOWRU rules, similar target. No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.

# Display name is a single bare word (no spaces, digits or punctuation).
header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
# Declared here but not referenced by any meta in this section.
header __KAM_SUBJECT_SINGLEWORD Subject =~ /^[a-z]+$/i
# Subject is nothing but a greeting; also used by KAM_HOWRU above.
header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i

# All four terms required; the last term is either the HOWRU name phrase or
# the lonely-women phrase list declared just below (forward reference).
meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)

score KB_WAM_LONELY_WOMEN 5.0
describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day

body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i

#meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
5861
#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#All Control chars like NUL except \n which should exist once legitimately
#Investigating double-byte language FP. Reverting back to just \0
#header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
# A NUL byte surviving RFC2047 decoding of the From header: mail clients that
# stop rendering at NUL show a different sender than the one actually used.
header __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index

#\n Multiple in the From Header
# One newline is expected from header folding; two or more (maxhits=2 caps
# the count) indicates an injected line break in the decoded From.
header __KAM_MAILSPLOIT2 From =~ /[\n]/
describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
tflags __KAM_MAILSPLOIT2 multiple maxhits=2

# Either a NUL or at least two newlines. 10.0 is decisive on its own, which
# is why the broader control-character range was reverted (see above).
meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
score KAM_MAILSPLOIT 10.0

#cc in From - Thanks to Dave Jones for idea
# A "to:", "cc:", "bcc:" or "from:" token embedded in the From header value,
# i.e. a display name crafted to look like extra header fields. Fires on its
# own (no meta) for 5.0.
header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
score KAM_CCFROM1 5.0

#MailBox Verify Phish - Also See KAM_MAILBOX
header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box|retrieve messages/i
body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota|low email storage/i
header __KAM_MAILBOXFROM From =~ /mailbox/i

# Four of six terms; the two Subject tests together count as one term.
# __UPGR_MAILBOX and __KAM_MAILBOX1 are defined elsewhere in the ruleset.
meta KAM_BOXPHISH ((__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT >= 1) + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA + __KAM_MAILBOX1 >= 4)
describe KAM_BOXPHISH Mailbox verification phishing scams
score KAM_BOXPHISH 6.5
5893
#SWISSCOIN, ETC.
# "swisscoin"/"(SIC)" in the body plus a crypto-hype subject; both required.
body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i

meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
describe KAM_CRYPTO Crypto Currency Spam Du Jour
score KAM_CRYPTO 8.0

#COMPROMISED CMS - Thanks to Jing Shan for the idea
# URL paths seen on hacked content-management installs used to host phishing
# pages. Any one matches, but the score is kept low (1.0) because the host
# itself is usually an innocent victim.
uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
uri __KAM_CMS2 /\/erroreng\/erroreng\//i
uri __KAM_CMS3 /twentythirteen\/Upgrade\/?email=/i

meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
describe KAM_CMS Indicators that a CMS has been exploited for Spammers
score KAM_CMS 1.0

#WESTERN UNION SCANS
# __KAM_WU1 is a NEGATIVE match: it is true for every message whose envelope
# From address is not at westernunion.com, so it contributes a point to
# nearly all mail and the real discrimination comes from the Subject/URI
# tests and LOTS_OF_MONEY (defined elsewhere). The "." in the domain is an
# unescaped wildcard.
header __KAM_WU1 from:addr !~ /\@westernunion.com/i
header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
uri __KAM_WU3 /western.umt/i

# Three of four.
meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
describe KAM_WU Western Union Scam
score KAM_WU 5.0
5919
#WEB CRIMINALS
# Sextortion / "I hacked your device, pay in bitcoin" template. The <A1>,
# <E1>, <O1>, ... tokens are ReplaceTags placeholders that expand to
# look-alike character classes (their replace_tag definitions live elsewhere
# in the ruleset), which is why the whole block is guarded by the plugin and
# every rule using a tag must be listed in replace_rules below.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7

# Claimed compromise / surveillance.
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system/i

#Bitcoin
# Currency names plus a bitcoin-address-shaped token (bc1... / 1... / 3...
# followed by 26-39 base58 characters) and the "remove all spaces" trick.
body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin/i

#Payment
body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins/i

#Sexually explicit
body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off/i

#TIME
# Payment deadline wording.
body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day/i

#Subject
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(website|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i

# Exclusion for the "bomb" alternative above: weather newsletters.
header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i

#From
header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i


# Four of eight terms; the Subject term is suppressed by the bomb-cyclone
# exclusion and FUZZY_BITCOIN is defined elsewhere.
meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + (__KAM_CRIM6 && ! __KAM_NOT_CRIM6) + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 8.5
endif
5952
#KAM_CRIM_V2
# Lighter-weight variant of KAM_CRIM that needs no ReplaceTags.
body __KAM_CRIM2_1 /bit.{0,2}coin/i
body __KAM_CRIM2_2 /address\:/i
# /s so the .{0,2} gap may span a line break.
body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is

# Four terms with threshold 4: every one of them, including
# HTML_FONT_LOW_CONTRAST (defined elsewhere), must hit.
meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
describe KAM_CRIM2 Extortion Email
score KAM_CRIM2 7.5
5961
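#ZWNJ
#ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
# Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D. $a

# Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZWNJ1 Content-Type =~ /charset.+windows-1256/i
endif
# Raw 0x9D byte (ZWNJ in windows-1256) or its UTF-8 form E2 80 8C, counted up
# to 16 times so the meta below can demand a heavy concentration.
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
tflags __KAM_ZWNJ2 multiple maxhits=16
# Literal "&#x200B;" (zero-width space) entity left in the rendered text,
# i.e. the obfuscation did not take effect.
body __KAM_ZWNJ3 /\&\#x200B;/i

# Both terms are 0/1, so ">= 2" means: windows-1256 charset declared AND at
# least 16 zero-width hits. __KAM_ZWNJ1 only exists with MIMEHeader loaded;
# confirm how undefined dependencies are treated on installs without it.
meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
score KAM_ZWNJ 6.0

# Failed obfuscation scores less: the text is still readable.
describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
score KAM_ZWNJBAD 2.0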
5984
#GIRLS
# "Girl chat" scam: a single-word Subject (stock __SINGLE_WORD_SUBJ) combined with
# the tell-tale body phrase. Both clues are required.
body __KAM_GIRLS1 /Lack of sex/i

meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
describe KAM_GIRLS Girl Chat Scam du Jour
score KAM_GIRLS 7.0
5991
#SKINCELL PRO Spam Du Jour
# Product-name rule: a hit in either the body or the Subject is enough (>= 1),
# so this is effectively a keyword blocklist for that brand.
body __KAM_SKINCELL1 /Skincell.Pro/i
header __KAM_SKINCELL2 Subject =~ /Skincell.Pro/i

meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
describe KAM_SKINCELL Skincare Scam du Jour
score KAM_SKINCELL 7.0
5999
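#UK INVOICE - Thanks to Andy Smith for his help on this
# Fake "view your invoice/scan" lures whose link ends in a document-sharing style path.
uri __KAM_UKINV1 /\/(client|share|documentview)$/i
body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i
body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i
# Sterling amounts mark the UK-targeted variant.
body __KAM_UKINV4 /&pound;/i
header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i
# Much weaker clue than __KAM_UKINV5; only used in the second, stricter alternative.
header __KAM_UKINV6 Subject =~ /invoice/i

# Two ways in: four of the five specific clues, or six of seven when the weak
# "invoice" subject clue is backed by the stock HTML_TITLE_SUBJ_DIFF and
# HTML_OBFUSCATE_10_20 rules.
# Fixed: the second alternative used to read
#   "... + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6".
# Meta expressions are evaluated with Perl precedence (+ binds tighter than >=,
# which binds tighter than &&), so that parsed as "(sum) && (HTML_OBFUSCATE_10_20 >= 6)";
# a 0/1 rule can never be >= 6, so the branch was dead. Summing all seven terms is
# the evident intent.
meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF + HTML_OBFUSCATE_10_20 >= 6)
describe KAM_UKINV Fake Invoice/Scan Scams
score KAM_UKINV 5.5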
6011
#LIST SELLERS
# Contact-list / lead-list vendors. Needs two of the three body clues AND a
# "users"/"leads" mention in the Subject or From.
body __KAM_LISTSALE1 /interested in acquiring/i
body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i

# "users" is a very broad Subject token; it only counts together with the body clues.
header __KAM_LISTSALE4 Subject =~ /users|leads/i
header __KAM_LISTSALE5 From =~ /leads/i

meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
describe KAM_LISTSALE List sellers
score KAM_LISTSALE 5.0
6023
#Google Short?
# A google.com/url?q= redirect wrapping a bit.ly link: two layers of indirection
# that hide the final destination from URI blocklists and from the reader.
# The .{4,16} gap covers the (possibly percent-encoded) scheme before bit.ly.
# Scored high on its own because legitimate senders do not chain redirectors this way.
uri KAM_GOOGLESHORT /\/www.google.com\/url\?q=.{4,16}bit\.ly/i
describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners
score KAM_GOOGLESHORT 9.0
6028
#HEART ATTACK SPAM
# Supplement pitch: all four clues (two body, Subject, From display name) are required.
body __KAM_HEARTPROD1 /heart ?attack/i
body __KAM_HEARTPROD2 /enzyme/i
header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
# Brand name seen in the From of this run.
header __KAM_HEARTPROD4 From =~ /clear 7/i

meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
describe KAM_HEARTPROD Snake Oil Heart Health du Jour
score KAM_HEARTPROD 7.0
6038
# LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE
# NOTE: Some languages and people using things like ZWNJ repeatedly will cause FPs for this rule.
# This rule disabled in deadweight anyway!
# Matches a run of 11 "words" of 1-3 word characters (first character not a digit),
# each separated by 1-3 non-word characters; counted per line, up to 40 hits.
describe __SCC_SHORT_WORDS A line with lots of short words
body __SCC_SHORT_WORDS /\W(\D\w{1,3}\W{1,3}){11}/
tflags __SCC_SHORT_WORDS multiple maxhits=40

# Threshold metas over the hit count. No score lines here: unless a score is set
# elsewhere, SA applies its default score for an unscored rule (1.0).
describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5
describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10
describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
6054
# A pattern seen in subscription-bombings
# Fixed-shape token (e.g. "svusafme" + 7 alphanumerics + "GP") that the bombing
# tool inserts into Subjects; case-sensitive on purpose.
describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
score SCC_SUBBOMB_SUBJ_1 5
6059
# cPanel Phishing
# An untrusted relay that HELOs as bare "cpanel.net" without a passing SPF result
# (neither envelope-sender nor HELO SPF) is almost certainly forging the identity.
header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
score SCC_FAKE_CPANEL 6

# Look-alike sender domains of the form cpanel<digits>.com (cpanel123.com, ...).
header KAM_PHISHCP From =~ /\@cpanel\d+\.com/i
describe KAM_PHISHCP Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP 15.0

# Same look-alike domains appearing as a link target.
uri KAM_PHISHCP2 /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
describe KAM_PHISHCP2 Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP2 15.0

# "cPanel Cloud Service" is not a real product name; paired with KAM_SHORT (defined elsewhere in this ruleset).
body __KAM_PHISHCP3_1 /cPanel Cloud Service/

meta KAM_PHISHCP3 (KAM_SHORT + __KAM_PHISHCP3_1 >=2)
describe KAM_PHISHCP3 Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP3 15.0

# Phish kit landing page; combined with the mailbox-quota lure rules KAM_MAILBOX/KAM_MAILBOX2 (defined elsewhere).
uri __KAM_PHISHCP4_1 /defender\.php/i

meta KAM_PHISHCP4 ((KAM_MAILBOX + KAM_MAILBOX2 >= 1) + __KAM_PHISHCP4_1 >= 2)
describe KAM_PHISHCP4 Fraudulent cPanel Notices
score KAM_PHISHCP4 15.0
6085
#https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
# "file:////host/share/..." is a UNC path in URI form. A mail client or preview
# pane that resolves it can open an SMB/WebDAV connection to the attacker's host
# and hand over the user's NTLM challenge-response for offline cracking or relay.
# Four slashes are required so ordinary "file:///C:/..." local references do not match.
# NOTE(review): bare "\\host\share" references and two-slash "file://host/..." forms
# are not covered by this pattern.
body KAM_FILE /file:\/\/\/\//i
describe KAM_FILE Potential attempt for NTLM attack
score KAM_FILE 4.5
6090
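#FUN SPAM RUN
# Sender address ends in one of the cheap/abused TLDs used by this spam engine.
# Fixed: the alternation was unanchored except for its last branch, so fragments
# such as ".pro", ".bar", ".cam" or ".info" matched anywhere in the header
# (e.g. "jane.probst@example.com" hit on ".pro"); the ">?$" anchor now applies to
# every TLD, as the original's last branch intended.
header __KAM_FUN1 From =~ /\.(?:fun|icu|pro|stream|world|monster|best|store|surf|rest|bar|asia|casa|uno|london|info|cam|work|cyou|quest)>?$/i
# Product / lure names commonly used in the From display name of this run.
header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater|Canvas?Print|LeptiSense|Hello.?Fresh/i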
6094
# Footer boilerplate: postal addresses and unsubscribe phrasing reused across the run.
body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsub|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
# Call-to-action / "can't see the image" phrasing.
body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t|unable to) see (the|this)? ?image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
uri __KAM_FUN3A /imgstore.host/i

#Subject
# Very broad single-word alternatives ("rate", "tax", "pain", "gold", "hair", "sound",
# "heal", "virus"...): this sub-rule is only meaningful as one term of the metas
# below and must never be scored on its own.
header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refinance|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls|audiobooks|memories into art|losing weight|CBD Gum/i

#How many/How Soon
body __KAM_FUN5 /\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
#miracle!
body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown|chronic pain/i
#what
# nosubject: SA would otherwise also test body rules against the Subject, which
# would double-count the terms shared with __KAM_FUN4.
body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends|audiobooks/i
tflags __KAM_FUN7 nosubject

# Sender (domain or display name) counts once, footer, call-to-action (either form)
# and Subject each count once: three of those four groups are required.
meta KAM_FUN ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN 7.75

# Content-only variant: sender group plus all four body/subject clues (5 of 5).
meta KAM_FUN2 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
describe KAM_FUN2 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN2 7.5
6117
#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
# Numeric host labels in front of drive.google.com (e.g. 12345.drive.google.com)
# do not occur in links Google itself generates; they show up in spam runs abusing
# Drive hosting.
uri KAM_DRIVENUM /\d+\.drive\.google.com/i
describe KAM_DRIVENUM Drive Links Prevalent in Spam
score KAM_DRIVENUM 5.0
6122
#SWIFT PAYMENT SCAMS
# "Please find the SWIFT copy of the balance payment" lures; all three clues required,
# scored low because the phrasing also appears in genuine trade correspondence.
header __KAM_SWIFT1 Subject =~ /Swift/i
body __KAM_SWIFT2 /swift copy/i
body __KAM_SWIFT3 /balance payment/i

meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
describe KAM_SWIFT SWIFT payment scam
score KAM_SWIFT 3.0
6131
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Custom score
# FROMNAME_SPOOFED_EMAIL is the plugin's own rule (an address-looking From:name that
# differs from the real From:addr). The metas below use PDS_FROMNAME_SPOOFED_EMAIL,
# the stock-ruleset meta layered on it - presumably both exist on supported SA
# versions; verify on upgrade.
score FROMNAME_SPOOFED_EMAIL 0.3

# Display name forged to look like the recipient's own address.
meta GB_FROMNAME_SPOOF_EQUALS_TO (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score GB_FROMNAME_SPOOF_EQUALS_TO 0.3

meta GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
score GB_FROMNAME_SPOOF_FREEMAIL 0.4

ifplugin Mail::SpamAssassin::Plugin::FreeMail
# Freemail From: with a Reply-To: at a different freemail provider: the reply goes
# somewhere other than the apparent sender.
header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
meta GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
score GB_FREEM_FROM_NOT_REPLY 0.4
endif

# Looks like an unexpanded "{:REGEX:(<br>|<br>" randomisation placeholder left by a
# spam/malware mailing kit; with a spoofed From:name and an Office attachment
# (__ANY_TEXT_ATTACH_DOC, defined elsewhere) it marks a malware run.
rawbody __GB_REGEX_BR /{\:REGEX\:\((<br>){1,3}\|(<br>){1,3}/
meta GB_REGEX_BR_SPOOF ( __GB_REGEX_BR && PDS_FROMNAME_SPOOFED_EMAIL && __ANY_TEXT_ATTACH_DOC )
describe GB_REGEX_BR_SPOOF Office document from spoofed email
score GB_REGEX_BR_SPOOF 2.0

endif
6157
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# Internal (KAMOnly) rule: trusts an X-Raptor-Alter header added by the Raptor
# gateway in front of SA. NOTE(review): this only works if that gateway strips any
# sender-supplied X-Raptor-Alter header first; otherwise a sender can add 2.0 to
# their own score (harmless direction, but still untrusted input).
header KAM_RAPTOR_ALTERED X-Raptor-Alter =~ /True/i
describe KAM_RAPTOR_ALTERED Raptor identified a dangerous, possible zero day attachment risk
score KAM_RAPTOR_ALTERED 2.0
endif
6163
#BAD INVOICE SCAMS
# "Proforma invoice" phish: all five clues required, including a link to a .php
# page (the credential-harvesting form). "highly encrypted" is the usual
# justification for asking the victim to log in to view the file.
header __KAM_PROFORMA1 Subject =~ /Proforma/i
body __KAM_PROFORMA2 /no responds/i
body __KAM_PROFORMA3 /highly encrypted/i
body __KAM_PROFORMA4 /Proforma Invoice/i
# Extremely broad on its own; only meaningful as the fifth term of the meta.
uri __KAM_PROFORMA5 /\.php/i

meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
describe KAM_PROFORMA Invoice scam
score KAM_PROFORMA 7.5
6174
#BAD INVOICE SCAMS
# Invoice / PO lures delivered as HTML (or RAR) attachments. The whole group sits
# under MIMEHeader because the attachment-name rules need mimeheader.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_INVOICEPO1 Subject =~ /Invoice copies|EFT +Process|signed +contract|inquiry|PO-\d+|payment receipt/i
body __KAM_INVOICEPO2 /invoice copies|EFT PROCESS|contract signed|attached enquiry|see the attached|Company name\:/i
tflags __KAM_INVOICEPO2 nosubject

# Subject clue + body clue + any one of the attachment clues (the two rules below or
# the stock T_HTML_ATTACH).
meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + (KAM_HTMLINVOICE + KAM_HTMLINVOICE2 + T_HTML_ATTACH >= 1) >= 3)
describe KAM_INVOICEPO Invoice scam
score KAM_INVOICEPO 4.5

# Attachment named like a business document but delivered as .html/.htm or .rar -
# HTML smuggling / archive-wrapped payloads.
mimeheader KAM_HTMLINVOICE Content-Type =~ /(remittance|invoice|contract|order|scan).{0,100}\.(rar|html?)/i
describe KAM_HTMLINVOICE Invoice scam
score KAM_HTMLINVOICE 3.0

# Double extension ".xls.html": an HTML file dressed up as a spreadsheet.
mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
describe KAM_HTMLINVOICE2 Invoice scam
score KAM_HTMLINVOICE2 3.0
endif
6193
# Spear phishing rules
# Informational (0.01) rules for mismatches between the display-name part and the
# address part of To:/From: - a classic spear-phish pattern where the name shows
# one (freemail) address and the real address is another.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __GB_TO_ADDR_FREEMAIL eval:check_freemail_header('To:addr')
header __GB_TO_NAME_FREEMAIL eval:check_freemail_header('To:name')
# To: display name is a freemail address but the actual To: address is not.
meta GB_TO_NAME_FREEMAIL ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
describe GB_TO_NAME_FREEMAIL Freemail spear phish with free mail
score GB_TO_NAME_FREEMAIL 0.01

header __GB_FROM_ADDR_FREEMAIL eval:check_freemail_header('From:addr')
header __GB_FROM_NAME_FREEMAIL eval:check_freemail_header('From:name')
header __GB_FROM_NAME_EMAIL From:name =~ /\@/
# From: display name contains a non-freemail address while the real From: is freemail.
meta GB_FROM_NAME_FREEMAIL ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
describe GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
score GB_FROM_NAME_FREEMAIL 0.01
endif
6209
6210 # Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
6211 # FIXED rule distributed via sa-update since 2019-05-31
6212 # meta __STYLE_GIBBERISH_1 0
6213
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
# Allow googleapis.com to be blacklisted due to spam runs in June 2019 exploiting it
# SA's stock uridnsbl_skip_domain list excludes high-traffic domains from URIBL
# lookups; removing googleapis.com means links such as storage.googleapis.com are
# looked up like any other. NOTE(review): if any configured URIBL ever lists that
# domain, every legitimate mail referencing it will be hit - watch for that.
clear_uridnsbl_skip_domain googleapis.com
endif
6218
# Need a favor phishing
# BEC / gift-card "quick favor" lure: Subject clue, both body clues and a freemail
# sender (stock FREEMAIL_FROM) are all required.
header __KAM_FAVOR1 Subject =~ /Request|Quick Reply/i
body __KAM_FAVOR2 /I need a favor from you|Are you available to work on a request for me today/i
body __KAM_FAVOR3 /email me back as soon as possible|send me your personal cell phone number/i

meta KAM_FAVOR (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
describe KAM_FAVOR Phishing Attempt
score KAM_FAVOR 7.5
6227
# WHITELIST PCCC/MCGRAIL
# Maintainer domains. Per the SA Conf docs the *_auth forms only apply when the
# message carries a passing SPF or DKIM result for that domain, so a bare From:
# forgery gains nothing. Sites that do not want a third-party ruleset to
# welcomelist domains on their behalf can undo this in local.cf
# (unwhitelist_auth / unwelcomelist_auth on 4.x).
if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
welcomelist_auth *@pccc.com *@mcgrail.com
endif
# Pre-4.0 keyword for the same list.
if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
whitelist_auth *@pccc.com *@mcgrail.com
endif
# Maintainer-site networks; deliberately left commented out so that installations
# of the channel do not trust them.
#trusted_networks 69.171.29.0/25
#trusted_networks 38.124.232.0/24
6237
# CONTACTS / LISTS
# Mailing-list / lead-database vendors. Four sub-rules, one per aspect of the pitch
# (Subject, job title of the "sender", the sales pitch, what is being sold).
#REPLACED WITH BELOW FOR SINGLE WORD HIT REMOVAL
#header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i

# Modified 3/23/2022 to try and remove FPs in this rule
header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing) (data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|business professionals|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+/i

#title
# nosubject on the body rules below keeps SA from also matching them against the
# Subject, which would double-count __KAM_LIST3_1.
body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|business development manager/i
tflags __KAM_LIST3_2 nosubject

#db for sale
body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested in acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing/i
tflags __KAM_LIST3_3 nosubject

#db what
body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees/i
tflags __KAM_LIST3_4 nosubject

# All four aspects present.
meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
describe KAM_LIST3 Mailing List Purveyor Spam
score KAM_LIST3 12.25

#NO SUBJ MATCH
# Three of four, at roughly half the score; the KAM_LIST3 < 1 guard keeps the two
# from stacking.
meta KAM_LIST3_1 (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
describe KAM_LIST3_1 Likely Mailing List Purveyor Spam
score KAM_LIST3_1 6.75
6265
#MONCLER
# Counterfeit-fashion spam: brand in Subject AND From, plus a sender TLD flagged by
# KAM_SOMETLD_ARE_BAD_TLD (defined elsewhere in this ruleset).
header __KAM_MONCLER1 Subject =~ /moncler/i
header __KAM_MONCLER2 From =~ /moncler/i

meta KAM_MONCLER (__KAM_MONCLER1 + __KAM_MONCLER2 + KAM_SOMETLD_ARE_BAD_TLD >= 3)
describe KAM_MONCLER Fashionista Spammers
score KAM_MONCLER 6.0
6273
#ERP
# Subject match is deliberately case-sensitive ("ERP" the acronym, not "erp" inside
# a word); the K9ERP product name in the body is the second required clue.
header __KAM_ERP1 Subject =~ /ERP/
body __KAM_ERP2 /K9ERP/i

meta KAM_ERP (__KAM_ERP1 + __KAM_ERP2 >=2)
describe KAM_ERP ERP Spammers
score KAM_ERP 4.0
6281
6282 #DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
6283 #
6284 #https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
6285 #
6286 #"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
6287 #
# We expect edge cases with DKIM where a parent (gateway) domain signs for a subdomain author (e.g., parent.gov signing for sub.parent.gov). This is a common and sane DKIM deployment, but it is not supported by the current SA DKIM/DMARC implementation: it yields DKIM_VALID but not DKIM_VALID_AU. The SPF || DKIM logic below allows this scenario.
6289 #
6290 # Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin.
6291
#Newer Systems with DMARC Plugin
ifplugin Mail::SpamAssassin::Plugin::Dmarc
#Override the default scores
# The plugin's own result rules are made near-informational here; the weight for a
# failing message comes from the KAM_DMARC_* rules further down.
score DMARC_MISSING 0.1
score DMARC_PASS -0.1
score DMARC_REJECT 0.1
score DMARC_QUAR 0.1
score DMARC_NONE 0.1
6300
6301
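ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
# Policy tags read directly from the From: (author) domain's _dmarc TXT record.
# Fixed: each pattern used to demand a literal ";" immediately after the value.
# RFC 7489 s6.4 makes the final separator optional and allows whitespace around
# "=" and ";", so records such as "v=DMARC1; p=reject" (no trailing ";") never
# matched. The value is now accepted when followed by an optional ";" or the end
# of the record; "\bp" still keeps "sp=" and "pct=" from matching "p=".
# NOTE(review): only the exact author domain is queried - the organizational-domain
# fallback and the sp= subdomain policy of RFC 7489 are not implemented here.
# NOTE(review): in this branch only __KAM_DMARC_POLICY_DKIM_STRICT is consumed by a
# meta; the NONE/QUAR/REJECT lookups appear unused (the plugin evals below do their
# own lookup) and may cost DNS queries for nothing - confirm and drop if so.
askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\bp\s*=\s*none\s*(?:;|$)/
askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\bp\s*=\s*quarantine\s*(?:;|$)/
askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\bp\s*=\s*reject\s*(?:;|$)/
askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\badkim\s*=\s*s\s*(?:;|$)/

# Test rule (0.01). Fires when DKIM does NOT satisfy the domain's alignment mode:
# strict (adkim=s) needs an author-domain signature (DKIM_VALID_AU); otherwise any
# valid signature (DKIM_VALID) is accepted.
# NOTE(review): per SA's 25_dkim.cf, DKIM_VALID hits on any valid signature
# regardless of the signing domain, so the relaxed arm is looser than DMARC's
# relaxed alignment (organizational-domain match); treat this rule as a
# diagnostic, not a DMARC verdict.
meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
score KAM_DMARC_STATUS 0.01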
6314
# Dmarc plugin verdicts: the plugin performs the policy lookup and the SPF/DKIM
# alignment checks itself. priority 500 runs these after the DKIM/SPF rules they
# depend on; "reuse" lets mass-check replay stored results.
header KAM_DMARC_REJECT eval:check_dmarc_reject()
priority KAM_DMARC_REJECT 500
tflags KAM_DMARC_REJECT net
reuse KAM_DMARC_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
# 6.0 is deliberately heavy: the domain owner asked for rejection.
score KAM_DMARC_REJECT 6.0

header KAM_DMARC_QUARANTINE eval:check_dmarc_quarantine()
priority KAM_DMARC_QUARANTINE 500
tflags KAM_DMARC_QUARANTINE net
reuse KAM_DMARC_QUARANTINE
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 1.5

header KAM_DMARC_NONE eval:check_dmarc_none()
priority KAM_DMARC_NONE 500
tflags KAM_DMARC_NONE net
reuse KAM_DMARC_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
6335
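ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# Add a negative score if email hits Dmarc rules but is truncated
# scores must be kept in sync with Dmarc rules
# Rationale: when SA truncated the body before DKIM verification
# (DKIM_FAILED_TRUNCATE), the DKIM failure - and therefore the DMARC verdict - is
# an artefact of the scanner, not evidence of forgery, so the DMARC penalty is
# cancelled out exactly. Internal (KAMOnly) only.
meta KAM_DMARC_REJECT_TRUNCATE ( KAM_DMARC_REJECT && DKIM_FAILED_TRUNCATE )
describe KAM_DMARC_REJECT_TRUNCATE Dmarc reject on truncated email
priority KAM_DMARC_REJECT_TRUNCATE 500
score KAM_DMARC_REJECT_TRUNCATE -6.0
tflags KAM_DMARC_REJECT_TRUNCATE net nice
reuse KAM_DMARC_REJECT_TRUNCATE

meta KAM_DMARC_QUARANTINE_TRUNCATE ( KAM_DMARC_QUARANTINE && DKIM_FAILED_TRUNCATE )
describe KAM_DMARC_QUARANTINE_TRUNCATE Dmarc quarantine on truncated email
priority KAM_DMARC_QUARANTINE_TRUNCATE 500
score KAM_DMARC_QUARANTINE_TRUNCATE -1.5
tflags KAM_DMARC_QUARANTINE_TRUNCATE net nice
reuse KAM_DMARC_QUARANTINE_TRUNCATE

meta KAM_DMARC_NONE_TRUNCATE ( KAM_DMARC_NONE && DKIM_FAILED_TRUNCATE )
# Fixed typo in the description ("trucated" -> "truncated").
describe KAM_DMARC_NONE_TRUNCATE Dmarc none on truncated email
priority KAM_DMARC_NONE_TRUNCATE 500
score KAM_DMARC_NONE_TRUNCATE -0.25
tflags KAM_DMARC_NONE_TRUNCATE net nice
reuse KAM_DMARC_NONE_TRUNCATE
endif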
6360 endif
6361 endif
6362 endif
6363 else
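#Older systems without the DMARC Plugin - Less accurate
ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
# Policy tags read directly from the From: (author) domain's _dmarc TXT record.
# Fixed: each pattern used to demand a literal ";" immediately after the value.
# RFC 7489 s6.4 makes the final separator optional and allows whitespace around
# "=" and ";", so records such as "v=DMARC1; p=reject" (no trailing ";") were
# treated as "no policy" and the KAM_DMARC_REJECT/QUARANTINE metas below never
# fired for them. The value is now accepted when followed by an optional ";" or
# the end of the record; "\bp" still keeps "sp=" and "pct=" from matching "p=".
# NOTE(review): only the exact author domain is queried - the organizational-domain
# fallback and the sp= subdomain policy of RFC 7489 are not implemented, so
# subdomain senders covered only by a parent-domain record are missed here.
askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\bp\s*=\s*none\s*(?:;|$)/
tflags __KAM_DMARC_POLICY_NONE net
askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\bp\s*=\s*quarantine\s*(?:;|$)/
tflags __KAM_DMARC_POLICY_QUAR net
askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\bp\s*=\s*reject\s*(?:;|$)/
tflags __KAM_DMARC_POLICY_REJECT net
askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1\s*;.*\badkim\s*=\s*s\s*(?:;|$)/
tflags __KAM_DMARC_POLICY_DKIM_STRICT net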
6376
#Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
# Test rule (0.01): fires when DKIM does NOT satisfy the domain's alignment mode -
# strict (adkim=s) needs an author-domain signature (DKIM_VALID_AU), otherwise any
# valid signature (DKIM_VALID) is accepted. Per SA's 25_dkim.cf DKIM_VALID hits on a
# valid signature from ANY domain, so the relaxed arm is looser than DMARC's
# relaxed (organizational-domain) alignment; diagnostic only.
meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
score KAM_DMARC_STATUS 0.01
tflags KAM_DMARC_STATUS net

# Approximated DMARC: "authenticated" means an author-domain DKIM signature OR a
# plain SPF pass. NOTE(review): SPF_PASS is an envelope-sender result with no From:
# alignment check, so a sender with valid SPF for its own bounce domain avoids these
# rules even when the From: domain publishes p=reject - one reason this branch is
# "less accurate" and scored lower (3.0 vs 6.0) than the Dmarc plugin branch.
meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 3.0
tflags KAM_DMARC_REJECT net

meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 1.5
tflags KAM_DMARC_QUARANTINE net

# p=none: the domain owner only asked for reports; a tiny nudge, not a penalty.
meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
tflags KAM_DMARC_NONE net
6397 endif
6398 endif
6399 endif
6400 endif
6401
#OLE/VB MACROs
# Plugin-wide settings for the OLE/VBA macro scanner.
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# increase number of mime parts checked
# (raised above the plugin default so multi-attachment mails are fully inspected)
olemacro_num_mime 10
# skip psd and other files from macro checks
# The Office entries are the macro-free OOXML containers (.dotx/.potx/.ppsx/.pptx/
# .sldx/.xltx); their macro-enabled siblings (.dotm/.potm/.ppsm/.pptm/.xltm) are
# still scanned. NOTE(review): the skip keys on the sender-supplied file name, so a
# macro-bearing file renamed to one of these extensions is presumably not opened by
# the scanner - confirm how check_olemacro_renamed() interacts with this list.
olemacro_skip_exts (?:dotx|potx|ppsx|pptx|psd|sldx|xltx|oxps)$
6408
if (version >= 3.004005)

# Any VBA macro at all: 7.5 on its own, since macro-bearing documents are rare in
# legitimate inbound mail and the dominant malware delivery vehicle.
body KAM_OLEMACRO eval:check_olemacro()
describe KAM_OLEMACRO Attachment has an Office Macro
score KAM_OLEMACRO 7.5

# Macro whose code matches the plugin's malicious-behaviour heuristics.
body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
score KAM_OLEMACRO_MALICE 10.0

# Encrypted document: the scanner cannot look inside, which is itself a signal.
body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
score KAM_OLEMACRO_ENCRYPTED 3.0

#This may cause more CPU usage
# Extended scan also inspects attachments whose declared name/extension does not
# match their real Office content (see KAM_OLEMACRO_RENAME).
olemacro_extended_scan 1
body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
score KAM_OLEMACRO_RENAME 2.5

# Renamed Office doc from a client only pretending to be Outlook (stock FORGED_OUTLOOK_HTML).
meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
score GB_OLEMACRO_REN_VIR 10

if (version >= 3.004006)
if (version >= 4.000000)
# Extra download-marker patterns (4.x only): caret-obfuscated "cmd /c ms^h^ta ht^tp",
# SysWow64 ... RETURN sequences, and a "RETURN ... .exe" fetch.
olemacro_download_marker ((?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)|SysWow.{1,15}\s.{1,5}RETURN|RET.{1,4}URN.{1,25}\.exe)
endif
#NO good reason to add a "cmd.exe" invocation inside an Excel file.
body GB_OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
describe GB_OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
score GB_OLEMACRO_DOWNLOAD_EXE 10
endif

endif
6444
# Office document inside a password-protected zip: the classic way to get a macro
# document past gateway inspection.
body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
score KAM_OLEMACRO_ZIP_PW 2.0

# Macro/formula content in a .csv attachment (per the plugin's check_olemacro_csv).
body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
describe KAM_OLEMACRO_CSV Macro in csv file
score KAM_OLEMACRO_CSV 5.0

# Superseded by KAM_OLEMACRO_ZIP_BOT below, which also accepts a spoofed From:name.
#meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
#describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
#score KAM_OLEMACRO_ZIP_PW_NOMID 5.0

# Password-zipped Office doc plus a ratware tell: no Message-ID, or a spoofed From:name.
meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
score KAM_OLEMACRO_ZIP_BOT 5.0
6460
# 4.x-only informational rules, each guarded by a capability check so the file
# still lints on 4.0 builds whose plugin lacks the eval.
if (version >= 4.000000)
if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olemacro_redirect_uri)
body OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
describe OLEMACRO_URI_TARGET Code inside the Office doc that tries to redirect to an uri
score OLEMACRO_URI_TARGET 0.001
endif
if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olertfobject)
body OLEMACRO_RTF eval:check_olertfobject()
describe OLEMACRO_RTF Rtf file embedded in an Office document
score OLEMACRO_RTF 0.01
endif
endif
6473
6474 endif
6475
6476 #Testing Rule for Subject Prefixes - See note 58397
6477 #if can(Mail::SpamAssassin::Conf::feature_subjprefix)
6478 # enlist_addrlist (INTERNAL) *@pccc.com
6479 # header __FROM_INTERNAL eval:check_from_in_list('INTERNAL')
6480 #
6481 # meta EXTERNAL (!__FROM_INTERNAL)
6482 # describe EXTERNAL External users to PCCC Test Rule
6483 # score EXTERNAL 0.001
6484 # subjprefix EXTERNAL [EXTERNAL]
6485 #endif
6486
6487 #Testing Rule for NoSubject Rules - See note 58246
6488 #if (version >= 3.004003)
6489 # #SHOULD HIT
6490 # body NOSUBJECT_TEST_HIT /example/i
# describe NOSUBJECT_TEST_HIT This should hit on an email with example in the subject but not in the body, because subjects are automatically prepended for body testing.
6492 #
6493 # #SHOULD NOT HIT
6494 # body NOSUBJECT_TEST_FAIL /example/i
# describe NOSUBJECT_TEST_FAIL This should NOT hit on an email with example in the subject but not in the body, because the tflags nosubject stops the automatic prepending of subjects for body testing.
6496 # tflags NOSUBJECT_TEST_FAIL nosubject
6497 #endif
6498
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::HashBL
# BTC address present in BTC blacklist
# thanks to Henrik Krohns for the regexp
# Matches legacy base58 addresses (leading 1 or 3, 25-34 chars, no 0/O/I/l) and
# bech32 "bc1" addresses (30-62 chars of the bech32 alphabet). The (?<!=) lookbehind
# presumably keeps quoted-printable "=XX" fragments from being mistaken for an address.
# Options: 'raw' sends the address itself (not a hash) to bl.btcblack.it, at most 10
# per message, in shuffled order.
# NOTE(review): with 'raw' every BTC address found in scanned mail is disclosed in
# clear-text DNS queries to a third-party zone - a privacy consideration for sites
# that handle legitimate crypto correspondence.
body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
priority BTC_HASHBL_BLACK -100
tflags BTC_HASHBL_BLACK net
describe BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
score BTC_HASHBL_BLACK 8.0
endif
endif
6510
#Testing of HASHBL Additions - Note 58246
# Internal (KAMOnly) lookups against the PCCC RBL / HashBL zone wild.pccc.com;
# the 127.0.x.y values are the zone's return codes for each listing type.
# priority -100 starts these early so the DNS round-trips overlap other rule work.
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
ifplugin Mail::SpamAssassin::Plugin::HashBL

# Headers consulted by check_rbl_headers when no explicit list is given.
# NOTE(review): X-Sender and X-Source-IP are sender-controlled unless the edge
# strips them; a forged value can only add score here, so the failure mode is
# over-blocking, not bypass.
rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP

# mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)
header PCCC_HDR_MARKETINGBL eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32')
describe PCCC_HDR_MARKETINGBL Address in email headers associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_MARKETINGBL net
score PCCC_HDR_MARKETINGBL 0.001
priority PCCC_HDR_MARKETINGBL -100

# Reply-To domain listed as compromised: the reply channel of a phish/BEC.
header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_REPLYTO net
score PCCC_HDR_REPLYTO 7.5
priority PCCC_HDR_REPLYTO -100

# compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
header PCCC_SENDER_COMPROMISED eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
describe PCCC_SENDER_COMPROMISED Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_SENDER_COMPROMISED net
score PCCC_SENDER_COMPROMISED 2.0
priority PCCC_SENDER_COMPROMISED -100

# compromised domain found in received headers
header PCCC_RECEIVED_HDR_COMPROMISED eval:check_rbl_rcvd('pccc-rcvd', 'wild.pccc.com.', '127.0.1.2')
describe PCCC_RECEIVED_HDR_COMPROMISED Compromised domain found in received headers found on PCCC RBL (https://raptor.pccc.com/RBL)
tflags PCCC_RECEIVED_HDR_COMPROMISED net
score PCCC_RECEIVED_HDR_COMPROMISED 2.0
priority PCCC_RECEIVED_HDR_COMPROMISED -100

# dns server of From address found on PCCC RBL
# Authoritative nameserver of the From: domain is listed - catches throw-away
# domains parked on known-bad DNS hosting.
header PCCC_FROM_BAD_NS eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
describe PCCC_FROM_BAD_NS DNS server of From address found on PCCC RBL (https://raptor.pccc.com/RBL)
tflags PCCC_FROM_BAD_NS net
score PCCC_FROM_BAD_NS 2.0
priority PCCC_FROM_BAD_NS -100

# Freemail address in Reply-To header found on PCCC HashBL
# this rule needs 99_hashbl.cf to work
# HashBL queries carry an md5 of the address rather than the address itself; any
# 127.x answer counts. 'freemail' restricts the lookup to freemail addresses.
header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail')
describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_FREEMAIL net
score PCCC_HASHBL_FREEMAIL 4.5
priority PCCC_HASHBL_FREEMAIL -100

# Email address in X-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SEND net
score PCCC_HASHBL_EMAIL_SEND 3.5
priority PCCC_HASHBL_EMAIL_SEND -100

# Email address in X-SRS-Sender header found on PCCC HashBL
# Lower weight: an SRS-rewritten sender is one forwarding hop removed from the origin.
header PCCC_HASHBL_EMAIL_SRS eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-SRS-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SRS Message contains srs email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SRS net
score PCCC_HASHBL_EMAIL_SRS 1.5
priority PCCC_HASHBL_EMAIL_SRS -100
6573
6574 # Email address in email headers found on PCCC HashBL
6575 header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5')
6576 describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6577 tflags PCCC_HASHBL_EMAIL net
6578 score PCCC_HASHBL_EMAIL 2.5
6579 priority PCCC_HASHBL_EMAIL -100
6580
6581 # Email address in custom email headers found on PCCC HashBL
6582 header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
6583 describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6584 tflags PCCC_HASHBL_HDR_EMAIL net
6585 score PCCC_HASHBL_HDR_EMAIL 0.5
6586 priority PCCC_HASHBL_HDR_EMAIL -100
6587
6588 # Short URL in PCCC HashBL found
6589 header PCCC_HASHBL_SHORT_URI eval:check_hashbl_uris('wild.pccc.com', 'md5', '^127\.0\.1\.4')
6590 describe PCCC_HASHBL_SHORT_URI Message contains short URI found on PCCC HashBL (https://raptor.pccc.com/RBL)
6591 tflags PCCC_HASHBL_SHORT_URI net
6592 score PCCC_HASHBL_SHORT_URI 9.5
6593 priority PCCC_HASHBL_SHORT_URI -100
6594
6595 endif
6596 endif
6597 endif
6598 #END of TEST OF HASHBL ADDITIONS
6599
#LABEL
# Tailored-clothier / PPE solicitation. Eight indicators (Subject, body), of
# which KAM_LABEL needs six; 3a/3b are collapsed into one indicator.
# NOTE(review): the Subject rule below has no space between =~ and the pattern;
# it is kept as written, but the rest of the file uses "=~ /" - cosmetic.
header __KAM_LABEL1 Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting|tailor)/i
body __KAM_LABEL2 /meet at your office|quick lead time/i
body __KAM_LABEL3a /make custom (shirts|sports|jackets|suits)/i
# bug fix thanks to Moritz Friedrich
# case-sensitive on purpose (no /i): "ppe" inside ordinary words must not count
body __KAM_LABEL3b /PPE/
body __KAM_LABEL4 /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
body __KAM_LABEL5 /(premier|top|luxury) (clothing|fabric)|fortune 500/i
body __KAM_LABEL6 /\| Label|Label Health/i

# PPE as a whole word in Subject / body (the body rule still sees the Subject,
# no nosubject tflag here).
header __KAM_LABEL7 Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
body __KAM_LABEL8 /face ?mask|(^|\b)PPE(\b|$)/i

meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6)
describe KAM_LABEL Tailored clothier spam
score KAM_LABEL 9.0

# PPE variant: three of four groups ((1|5), 6, 7, 8).
meta KAM_LABEL2 ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
describe KAM_LABEL2 PPE Spam
score KAM_LABEL2 9.0
6620
#RBLOBFU
# Domains written with filler characters so that URI/RBL rules do not see a
# real hostname (e.g. "b2b . salesprospects . com"). The patterns allow 0-4
# arbitrary characters where the dots would be.
body __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
# Literal "jrgpartners(.)com" spelling.
body __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i

# Either obfuscated domain AND a freemail sender (both terms required for 2).
meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
describe KAM_RBL_OBFU Spammers obfuscating their domain and abusing freemail
score KAM_RBL_OBFU 12.0

# Single-indicator rule: the "(.)" spelling alone scores.
meta KAM_RBL_OBFU2 __KAM_RBL_OBFU3
describe KAM_RBL_OBFU2 Spammers obfuscating their domain
score KAM_RBL_OBFU2 9.0
6633
#Shady CC's
# "Fraudulent purchases at your store" pretext; all four indicators required.
body __KAM_SHADYCC1 /(transactions?|purchases?) from your (online store|web-?shop)/i
header __KAM_SHADYCC2 Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
body __KAM_SHADYCC3 /(four|4) of (my|the) (master)?card/i
body __KAM_SHADYCC4 /(detailed|full) statement/i

meta KAM_SHADYCC (__KAM_SHADYCC1 + __KAM_SHADYCC2 + __KAM_SHADYCC3 + __KAM_SHADYCC4 >= 4)
describe KAM_SHADYCC Scam predicated around reporting fraudulent purchase
score KAM_SHADYCC 6.0

#Expo Scams
# Two of three: the two indicators here plus __KAM_LIST3_2, which is defined
# elsewhere in KAM.cf (not in this section).
header __KAM_EXPOPIRATE1 Subject =~ /Hotel Booking/i
body __KAM_EXPOPIRATE2 /Business Traveller/i

meta KAM_EXPOPIRATE (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2)
describe KAM_EXPOPIRATE Scam Pirates trying to Hijack Event Hotel Bookings
score KAM_EXPOPIRATE 4.5
6651
# The whole group is inside the MIMEHeader guard although only
# __KAM_PAYMENTSCAM3 uses a mimeheader rule; KAM_DOMAINEXPIRY, KAM_PAYMENTSCAM2
# and KAM_PASSWORDSCAM are therefore also switched off when that plugin is not
# loaded. __KAM_ZERODAY1 is defined elsewhere in KAM.cf.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#Domain Expiry Scams
header __KAM_DOMAINEXPIRY1 Subject =~ /Domain.*Expiration/i
body __KAM_DOMAINEXPIRY2 /Attached letter/i

meta KAM_DOMAINEXPIRY (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
describe KAM_DOMAINEXPIRY Domain Expiration Scams
score KAM_DOMAINEXPIRY 4.5

#Payment Scams
# "\/201" matches a "/201x" date fragment - presumably a 2010s invoice date,
# so that alternative has aged out.
header __KAM_PAYMENTSCAM1 Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
body __KAM_PAYMENTSCAM2 /attached (payment|herewith)|ready for release/i
# A .doc part whose raw message text also carries the "{\rtf" RTF marker
# (full = raw message, so a base64-encoded part would not expose it).
mimeheader __KAM_PAYMENTSCAM3 Content-Type =~ /\.doc/i
full __KAM_PAYMENTSCAM4 /\{\\rtf/

# All four groups required: zero-day indicator, subject, body, and both
# attachment indicators together.
meta KAM_PAYMENTSCAM (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
describe KAM_PAYMENTSCAM Payment Scams with Malware Payloads
score KAM_PAYMENTSCAM 6.5

# Lower-confidence variant without the attachment evidence; suppressed when
# the full rule fires. DEAR_BENEFICIARY is not defined in this section.
meta KAM_PAYMENTSCAM2 (DEAR_BENEFICIARY + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
describe KAM_PAYMENTSCAM2 Payment scams
score KAM_PAYMENTSCAM2 4.5


#Password Scams
# Split spelling "pass word"; the other three sub-rules are defined outside
# this section.
body __KAM_PASSWORDSCAM1 /pass word/i

meta KAM_PASSWORDSCAM (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
describe KAM_PASSWORDSCAM Password extortion spams
score KAM_PASSWORDSCAM 6.0
endif
6683
#Training Scams
# "Mandatory HR training" credential phish; all three indicators required.
header __KAM_TRAINING1 Subject =~ /mandatory.*training/i
body __KAM_TRAINING2 /intranet|training calendar/i
body __KAM_TRAINING3 /Human Resources/i

meta KAM_TRAINING (__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
describe KAM_TRAINING Training Phishing
score KAM_TRAINING 4.5

#Trump Medicare
# Single Subject indicator, kept at a low score.
header __KAM_MEDICARE2_1 Subject =~ /Trump Medicare/i

meta KAM_MEDICARE2 __KAM_MEDICARE2_1 >= 1
describe KAM_MEDICARE2 Medicare Scams
score KAM_MEDICARE2 2.0

#Water hack
# Subject + body phrase + KAM_SHORT (shortened URL rule, defined elsewhere in
# KAM.cf); all three required.
header __KAM_WATERHACK1 Subject =~ /Water Hack/i
body __KAM_WATERHACK2 /water hack/i

meta KAM_WATERHACK (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
describe KAM_WATERHACK Diet Scams
score KAM_WATERHACK 5.0
6707
#Web forms used to submit shortened urls
# Contact-form relays (X-Mailer shows the framework's mailer) carrying a
# shortened URL from a freemail sender. Case-sensitive X-Mailer matches.
header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
meta GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && KAM_SHORT && FREEMAIL_FROM )
describe GB_WEBFORM Webform with url shortener
score GB_WEBFORM 2.0
6714
#Sendgrid Exploits
#thanks to Chip for another Spample on 2020-03-07
# Sendgrid transit evidence from three places: envelope sender, Return-Path,
# and the Received chain.
header __KAM_SENDGRID1 EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
header __KAM_SENDGRID1A Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
header __KAM_SENDGRID2 Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i

# Sendgrid evidence (any of the three) plus a From/envelope domain mismatch or
# a missing HELO SPF record.
meta KAM_SENDGRID ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
describe KAM_SENDGRID Sendgrid being exploited by scammers
score KAM_SENDGRID 1.50

# Anchored on the address end, so only a .edu top-level domain matches.
header __KAM_EDU_FROM From:addr =~ /\.edu$/i

# Financial-brand lures. __KAM_SENDGRID4 runs on the whole From header
# (display name included) and "bank" is unanchored, so it also matches inside
# longer words.
header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
header __KAM_SENDGRID4 From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i

# (.edu sender or KAM_SENDGRID) plus (recipient in subject or a brand lure).
meta KAM_SENDGRID2 ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
describe KAM_SENDGRID2 Sendgrid being exploited by scammers
score KAM_SENDGRID2 2.0
6733
#Political (and T-shirt Spam)
# Subject / From-name lure, a body lure (Subject excluded via nosubject), a
# Google Form or shortened link, and a freemail sender: three of the four
# groups are required.
header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing|jesus|202\d) (tee|(t|tee)( |-)?shirt)|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon|support truckers|freedom convoy/i
header __KAM_2020_1A From:name =~ /(T|Tee).?shirt|Tee4u/i
#removing (Tee|T)-?shirt for FPs
body __KAM_2020_2 /printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon|blood of jesus|support truckers|freedom convoy/i
tflags __KAM_2020_2 nosubject

uri __KAM_GOOGLE_FORM /docs\.google\.com\/form/i

meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + (__KAM_GOOGLE_FORM + KAM_SHORT >= 1) + FREEMAIL_FROM >= 3)
describe KAM_2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
score KAM_2020 7.0
6746
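#WeTransfer Spam
# WeTransfer impersonation: the display name or Subject claims WeTransfer,
# the links carry typical phish parameters, but the sending address is not a
# wetransfer.com address.
uri __KAM_WETRANSFER1 /wetransferfiledownload|\?email=|redirecturl/i
header __KAM_WETRANSFER2 From:name =~ /WeTransfer/i
# "Address is not WeTransfer". The domain check is anchored at the end of the
# address: a lookalike such as sender@wetransfer.com.example (constructed
# example) contains the string but is not the domain, and the previous
# unanchored /wetransfer\.com/ let it pass as genuine. Real subdomains
# (sender@mail.wetransfer.com) are still exempt.
header __KAM_WETRANSFER3 From:addr !~ /(\@|\.)wetransfer\.com$/i
header __KAM_WETRANSFER4 Subject =~ /via WeTransfer/i

# Indicators 1-3 all required, plus either the "via WeTransfer" subject or an
# SPF failure.
meta KAM_WETRANSFER (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
score KAM_WETRANSFER 6.0
describe KAM_WETRANSFER WeTransfer Impersonators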
6756
#Grey Eagle
# The From pattern is broad (any "funding|capital|banking|lending"), so the
# specific body phrase is required as well (both terms for 2).
header __KAM_GREYEAGLE_1 From =~ /greyeagle|funding|capital|banking|lending/i
body __KAM_GREYEAGLE_2 /grey eagle funding/i

meta KAM_GREYEAGLE (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
describe KAM_GREYEAGLE Spammy Funding Company w/lots of Domains
score KAM_GREYEAGLE 10.0

#Google Storage APIs
# Scoring rule that is also reused as an indicator in several metas below
# (KAM_DUJOUR, KAM_SIGN, KAM_FAKE_SHAREPOINT). The dots are unescaped, so
# "storage.googleapis.com" and ".web.app/" also match with any character in
# those positions.
uri KAM_STORAGE_GOOGLE /storage.googleapis.com|\.web.app\//i
describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
score KAM_STORAGE_GOOGLE 2.25

# HTML pages hosted on Fleek storage; "multiple maxhits=5" counts each
# matching URI separately, up to five.
uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i
describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud
score GB_URI_FLEEK_STO_HTM 4.25
tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5
6774
#Spam Du Jour
# Rotating product pitches hosted on Google storage; three of four
# indicators (Google storage link, Subject, body, From).
header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i

body __KAM_DUJOUR2 /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
tflags __KAM_DUJOUR2 nosubject

header __KAM_DUJOUR3 From =~ /(Probio|Tinnitus|Reflux|CVS)/i

meta KAM_DUJOUR (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
describe KAM_DUJOUR Spam of the Day hocking various products
score KAM_DUJOUR 4.5
6786
#QUINFORCE
# The name with up to one filler character between every letter, so spaced or
# dotted spellings still match. A single body hit scores 6.0.
body __KAM_QUINFORCE1 /q.?u.?i.?n.?f.?o.?r.?c.?e/i

meta KAM_QUINFORCE1 (__KAM_QUINFORCE1 >= 1)
describe KAM_QUINFORCE1 Obfuscating spamming firm
score KAM_QUINFORCE1 6.0

#SPAMDUJOUR
# Two of three: product name in body, "CBD" in the From name, or a suspect
# TLD (__KAM_OTHER_BAD_TLD2 is defined elsewhere in KAM.cf).
body __KAM_CBD1 /(Prosper|Meridian) CBD/i
header __KAM_CBD2 From:name =~ /CBD/i

meta KAM_CBD (__KAM_CBD1 + __KAM_CBD2 + __KAM_OTHER_BAD_TLD2 >= 2)
describe KAM_CBD Spam du jour for CBD
score KAM_CBD 4.5
6801
#COVID SCAMS
# Pandemic relief-fund advance-fee scam: five groups (money amount, body
# organisation, Subject, body, From), four required.
body __KAM_COVID1 /International Monetary fund|world health organization|empowerment fund/i
header __KAM_COVID2 Subject =~ /COVID?.{0,12}(payment|fund)/i
body __KAM_COVID3 /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
tflags __KAM_COVID3 nosubject
header __KAM_COVID4 From =~ /COVID|world ?Health|WHO/i

# Round amount followed by a currency; LOTS_OF_MONEY (defined elsewhere) is
# the alternative for this group.
body __KAM_COVID5 /00 ?(EUR|USD|Dollar)/i

meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
describe KAM_COVID Scams revolving around the pandemic
score KAM_COVID 6.0

#COVID SCAMS
# Charity/donation variant: two of three (body, Subject, LOTS_OF_MONEY).
body __KAM_COVID2_1 /COVID-19 (CHARITY )?(fund|donated relief)/i
tflags __KAM_COVID2_1 nosubject
header __KAM_COVID2_2 Subject =~ /(little|COVID-19) (fund|donation)/i

meta KAM_COVID2 (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
describe KAM_COVID2 Scams revolving around the pandemic
score KAM_COVID2 7.5

#COVID SCAMS
# "Prince" variant; all five body phrases required, which keeps the very
# generic ones (Prince, assist me) from firing alone.
body __KAM_COVID3_1 /Prince/i
body __KAM_COVID3_2 /reliable source/i
body __KAM_COVID3_3 /\$[\d\.,]+ mil/i
body __KAM_COVID3_4 /assist me/i
body __KAM_COVID3_5 /Saudi Arabia/i

meta KAM_COVID3 (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
describe KAM_COVID3 Scams revolving around the pandemic
score KAM_COVID3 7.5
6834
#VOICEMAIL SCAM
# Fake voicemail / fax notifications that lead to a credential-harvest page,
# typically an HTML attachment or a link on a cloud-hosting service.
# __KAM_VM3 uses ReplaceTags (<O1>, <I1>, <L1>) to catch homoglyph spellings.
replace_rules __KAM_VM3

# Hosting services abused for the landing page.
# NOTE(review): in "click\|\.sharepoint" the pipe is escaped, so that branch
# is the single literal string "/api/v1/click|.sharepoint.com/personal/" -
# neither "/api/v1/click" nor ".sharepoint.com/personal/" matches on its own.
# If two alternatives were intended the backslash should go; confirm first,
# since sharepoint.com/personal/ links are common in legitimate mail.
uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com|github\.io|netlify\.app|sendgrid\.net|dynamics\.com/i
header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File|voice note duration|voice-audio|telephone vm/i
header __KAM_VM2A From =~ /-xxxx|tele-mail/i
body __KAM_VM3 /(Voice.?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail|Virtual <O1>ffice Extens<I1>on)|ca<L1><L1>er left you a message/i
tflags __KAM_VM3 nosubject
body __KAM_VM4 /recorded voice|audio message|Caller.?id|CID:|mailbox \d|sign document|new vm on/i
tflags __KAM_VM4 nosubject
# HTML/SHTML attachment. The leading dot is unescaped (matches any
# character); only defined when MIMEHeader is loaded, otherwise the metas
# below reference an undefined rule - presumably treated as 0, confirm.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?$/i
endif

# Three of six groups. KAM_RAPTOR_EXTERNAL is defined further down inside the
# KAMOnly guard, so it is only available where that plugin is loaded.
meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 3)
score KAM_VM 5.5
describe KAM_VM Voice Mail & Fax Scams

# Extra score when the voicemail lure also carries an HTML attachment.
meta KAM_VM_HTML (KAM_VM + __KAM_VM5 >= 2)
describe KAM_VM_HTML Likely Phish for VM
score KAM_VM_HTML 3.0
6856
#Admin Notice Fraud
# Spoofed "admin" notice; all six terms are required, including the stock
# HEADER_FROM_DIFFERENT_DOMAINS and HTML_OBFUSCATE_10_20 rules, which keeps the
# very generic "admin" / "For " patterns from scoring by themselves.
header __KAM_ADMIN1 From =~ /admin/i
header __KAM_ADMIN2 Subject =~ /For /i
body __KAM_ADMIN3 /next tax return/i
body __KAM_ADMIN4 /read this document/i

meta KAM_ADMIN (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
describe KAM_ADMIN Phishing attempt spoofing admins
score KAM_ADMIN 9.0
6866
6867
#BENEFICIARY
# Advance-fee ("419") scam, built from the classic narrative parts: who
# (subject), what (offer), business, where, how much, sob story. The
# __KAM_BENEFICIARY2 pattern uses the <SPACE1> replace tag.
replace_rules __KAM_BENEFICIARY2

# "From....." matches the word From followed by any five characters.
header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|\bcc\b|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i
#what
body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
tflags __KAM_BENEFICIARY2 nosubject

#bus
body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country|abandoned shipment/i
#bus fp
# False-positive guard: airline e-ticket receipts share much of the vocabulary.
body __KAM_BENEFICIARY3A /ELECTRONIC TICKET RECeipt/i

#where
body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
#how much
body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy|\d million|investment in your country/i
#sob
body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete|Diplomat from|seized all my/i

# Seven groups, six required; suppressed entirely for e-ticket receipts and
# when EXTRACTTEXT (defined elsewhere) fired.
meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6) && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)
describe KAM_BENEFICIARY Beneficiary scams
score KAM_BENEFICIARY 10.5

# Same groups, five required; not when the full rule fired and not for mail
# mentioning 501(c)(3) status (__KAM_NPO1 is defined just below).
meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1 && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)
describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
score KAM_BENEFICIARYLOW 6.0
6895
#NPO
# US non-profit status mentioned in the body; used only as an exclusion
# (KAM_BENEFICIARYLOW above).
body __KAM_NPO1 /501\(?c\)?\(?3\)?|501 c 3/i


#BENEFICIARY
# Empty-body PDF plus the stock DEAR_BENEFICIARY rule (both defined elsewhere).
meta KAM_BENEFICIARY2 (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
describe KAM_BENEFICIARY2 Beneficiary scams
score KAM_BENEFICIARY2 3.0

#Person Beneficiary
# Named-person variant; three of four (body name, From name, rt.com link,
# "did you get my message" subject defined in the next section).
body __KAM_BENEFICIARY3_1 /Mikhail Fridman/i
header __KAM_BENEFICIARY3_2 From =~ /Mikhail Fridman/i
uri __KAM_BENEFICIARY3_3 /www.rt.com/i

meta KAM_BENEFICIARY3 (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3)
describe KAM_BENEFICIARY3 Beneficiary scams
score KAM_BENEFICIARY3 4.5
6913
6914
#Did you get my message?
# Follow-up-bait phrase; sub-rules only, consumed by metas elsewhere.
header __KAM_DIDYOUSUBJ Subject =~ /Did you (receive it|get my message)/i
body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
tflags __KAM_DIDYOUBODY nosubject

#Blank Subject
# Empty or whitespace-only Subject (the /i flag has no effect here). Also
# used as an indicator inside the KAM_BENEFICIARY metas.
# NOTE(review): a message with no Subject header at all presumably does not
# hit this (header rules skip absent headers unless [if-unset: ] is given) -
# confirm whether that case should count as blank.
header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
describe KAM_BLANKSUBJECT Message has a blank Subject
score KAM_BLANKSUBJECT 0.25
#Job
# Employment scam, narrative parts (what / where / how much) plus a freemail
# sender; all five required.
#what
header __KAM_JOB2_1 Subject =~ /doing the job/i
body __KAM_JOB2_2 /represent the company/i
#Where
body __KAM_JOB2_3 /Singapore/i
#how much
body __KAM_JOB2_4 /\d,?000 USD (monthly|weekly)/i

meta KAM_JOB2 (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
describe KAM_JOB2 Employment scams
score KAM_JOB2 7.5

#WEB
# Unsolicited web-design offers. The Subject pattern is very generic
# ("follow", "CMS"), so all five terms including FREEMAIL_FROM are required.
#subject
# "worrdpress" is as written - presumably a deliberate misspelling seen in the
# spam, confirm.
header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress/i

#price - purposefully looks at subject too
body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)/i

#product
body __KAM_WEB2_3 /web (design|develop)|(better|new|refreshed) website|website audit|fresh look/i
tflags __KAM_WEB2_3 nosubject

#sample/offer
body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements/i
tflags __KAM_WEB2_4 nosubject

meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
describe KAM_WEB2 Unsolicited web workers
score KAM_WEB2 7.5
6955
#BANK
# Fake bank / money-transfer onboarding; all five terms required (freemail
# sender, money amount, Subject, two body groups).
header __KAM_BANK_1 Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
body __KAM_BANK_2 /beneficiary|agent|investment group|deceased/i
body __KAM_BANK_3 /re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i

meta KAM_BANK (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
describe KAM_BANK Bank scams
score KAM_BANK 7.5

#FAKE CERTIFICATES
# Three of four; __PLUGIN_FROMNAME_SPOOF is defined outside this section
# (presumably the FromNameSpoof plugin indicator, confirm).
header __KAM_CERT1 Subject =~ /Medical Certificate/i
body __KAM_CERT2 /review this certificate/i
body __KAM_CERT3 /link below/i

meta KAM_CERT (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
describe KAM_CERT Fake Certificate Scams
score KAM_CERT 4.5

#URGENT
# Bare "Hello" subject plus four body phrases; all five required.
header __KAM_URGENT1 Subject =~ /^Hello$/i
body __KAM_URGENT2 /urgent respond/i
body __KAM_URGENT3 /private e?mail/i
body __KAM_URGENT4 /god bless/i
body __KAM_URGENT5 /address still valid/i

meta KAM_URGENT ( __KAM_URGENT1 + __KAM_URGENT2 + __KAM_URGENT3 + __KAM_URGENT4 + __KAM_URGENT5 >= 5)
describe KAM_URGENT Urgent Scams
score KAM_URGENT 7.5
6984
#INVESTMENT
# Investment-proposal scam; six terms (money amount, freemail sender, Subject,
# three body groups), four required. The Subject pattern includes very
# generic words ("important", "interest"), which the threshold offsets.
header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
#looking/why
body __KAM_INVEST2 /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance|investment officer/i
#money/deal
body __KAM_INVEST3 /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|ROI|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
#what/where
body __KAM_INVEST4 /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country|outside UAE/i
tflags __KAM_INVEST4 nosubject

meta KAM_INVEST (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
describe KAM_INVEST Investment Scams
score KAM_INVEST 6.0
6998
#SIGNON
# "New sign-in / sign-on" account-review phish hosted on Google storage; all
# four terms required.
header __KAM_SIGN1 Subject =~ /New Sign-?[io]n/i
body __KAM_SIGN2 /review your account/i
body __KAM_SIGN3 /verification is processed/i

meta KAM_SIGN (KAM_STORAGE_GOOGLE + __KAM_SIGN1 + __KAM_SIGN2 + __KAM_SIGN3 >= 4)
describe KAM_SIGN Sign-in Verification Scams
score KAM_SIGN 6.0

#COVID SPAM
# Very specific campaign signature (fixed sentence, fixed sender name, short
# body); all five required. __KAM_BODY_LENGTH_LT_512 is defined elsewhere.
header __KAM_WEIRDC19_1 Subject =~ /The virus that causes COVID-19/i
header __KAM_WEIRDC19_2 From =~ /John Robert/i
body __KAM_WEIRDC19_3 /The virus that causes COVID-19/i
tflags __KAM_WEIRDC19_3 nosubject

meta KAM_WEIRDC19 (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
describe KAM_WEIRDC19 Odd Covid-19 spam with information
score KAM_WEIRDC19 7.5

#PRODUCT DUJOUR
# All three required.
header __KAM_CELEB1 Subject =~ /Celebrity Doc/i
body __KAM_CELEB2 /resugar/i
body __KAM_CELEB3 /fat.burning/i

meta KAM_CELEB (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
describe KAM_CELEB Celebrity Health Scams
score KAM_CELEB 4.5

#additional Freemail domains
# Extends the FreeMail plugin's domain list (feeds FREEMAIL_FROM etc.).
# NOTE(review): not wrapped in "ifplugin Mail::SpamAssassin::Plugin::FreeMail";
# on a system without that plugin this line presumably produces a config
# warning - confirm.
freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com
7029
#BEAL AND SIMILAR IMPERSONATOR
# Executive-impersonation ("gift card / quick task") fraud against a fixed list
# of targeted names. The whole section is KAMOnly: the name list is specific
# to the sites the ruleset is run for.
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

# Names that are impersonated. Used via the <KAM_BEAL_NAMES> tag in the three
# rules listed in replace_rules. The last entry spells the accented name as
# raw UTF-8 bytes (\x{C3}\x{B4} = "ô", \x{C3}\x{A9} = "é").
replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9}))

replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3

#from
header __KAM_BEAL1 From:name =~ /<KAM_BEAL_NAMES>/i
#in addition to freemail
# Consumer-ISP / foreign mailbox domains. "\@.*\.cz" is unanchored and matches
# ".cz" anywhere after the @, not only as the top-level domain.
header __KAM_BEAL2 From:addr =~ /\@.+\.rr\.com|\@mail\.ru|\@.*\.cz|\@cox\.net/i
#Name
# Name in the body, minus occurrences that sit on a quoted From:/Cc:/To: line
# (a forwarded or replied message that merely mentions the person).
body __KAM_BEAL3 /<KAM_BEAL_NAMES>/i
body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+)<KAM_BEAL_NAMES>/i
# Task
# have a moment removed 4/4
body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|got a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|drop your number|(reply me with|confirm|drop) your cell|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|drop me your personal (cell|phone)|free time for you|you available today/i
# question / privacy
# as soon as you can removed 4/4
body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at/i

# oddlang
body __KAM_BEAL6 /sent from my mail/i

# Name match (From name, or body name not on a quoted header line) AND three
# of four groups (any sender-legitimacy signal, task, privacy, odd sign-off);
# never when EXTRACTTEXT fired.
meta KAM_BEAL (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 3) && !EXTRACTTEXT
describe KAM_BEAL IMPOSTER! Will the real Slim Shady, please stand up?
score KAM_BEAL 16.0
# Subject tagging only where the installed SpamAssassin supports subjprefix.
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_BEAL [Imposter]
endif

# Lower bar (two of four, external-sender flag counts directly); only when
# KAM_BEAL did not fire.
meta KAM_BEAL2 (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 2) && (KAM_BEAL <= 0) && !EXTRACTTEXT
describe KAM_BEAL2 IMPOSTER! Will the real Slim Shady, please stand up?
score KAM_BEAL2 12.0
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_BEAL2 [Imposter]
endif

# Name in both From and body from an external freemail sender, without any of
# the task/privacy wording; all four required and neither rule above fired.
meta KAM_BEAL3 (__KAM_BEAL1 + __KAM_BEAL3 + FREEMAIL_FROM + KAM_RAPTOR_EXTERNAL >= 4) && ! KAM_BEAL && ! KAM_BEAL2
describe KAM_BEAL3 Likely Imposter email
score KAM_BEAL3 6.0

#EXTERNAL SENDER
# Site-specific marker header set by the Raptor gateway. The rule trusts the
# header as-is, so it relies on the border MTA stripping or resetting any
# X-Raptor-External that arrives from outside - NOTE(review): confirm; the
# flag carries real weight in KAM_BEAL/KAM_BEAL2/KAM_BEAL3 and KAM_VM even
# though its own score is nominal.
header KAM_RAPTOR_EXTERNAL X-Raptor-External =~ /Yes/i
describe KAM_RAPTOR_EXTERNAL Raptor identified an External Sender
score KAM_RAPTOR_EXTERNAL 0.1
endif
7077
#PROJECT
# Vague "business project" lure; all four required (the Subject pattern
# "Project" alone is far too common).
header __KAM_PROJECT1 Subject =~ /Project/i
body __KAM_PROJECT2 /business project/i
body __KAM_PROJECT3 /email is active/i
body __KAM_PROJECT4 /please respond/i

meta KAM_PROJECT (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
describe KAM_PROJECT Scam inquiries about amorphous projects
score KAM_PROJECT 6.0

#FAKEWESTERN
# "Wrong transfer" refund scam: all of Subject, Western Union, United
# Nation(s), Wrong Transfer, plus an amount (own pattern or LOTS_OF_MONEY).
header __KAM_FAKEWEST1 Subject =~ /Attention/i
body __KAM_FAKEWEST2 /Western Union/i
body __KAM_FAKEWEST3 /United Nation/i
body __KAM_FAKEWEST4 /Wrong Transfer/i
# Round amounts of the form x0,000.00 USD (separator optional).
body __KAM_FAKEWEST5 /0[\.,]?000[\.,]?00\s?USD/i

meta KAM_FAKEWEST (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
describe KAM_FAKEWEST Fake money Transfer Scam
score KAM_FAKEWEST 6.0

#FAKEDROPBOX
# "... shared on Dropbox" from a freemail sender with a shortened link; all
# three required.
header __KAM_FAKEDROPBOX2_1 Subject =~ /on Dropbox/i

meta KAM_FAKEDROPBOX2 (__KAM_FAKEDROPBOX2_1 + KAM_SHORT + FREEMAIL_FROM >= 3)
describe KAM_FAKEDROPBOX2 Fake Dropbox Phish
score KAM_FAKEDROPBOX2 4.5

# Dropbox subject with a link under a WordPress "wp-includes" path -
# presumably a landing page planted on a compromised site; both required.
header __KAM_FAKEDROPBOX3_1 Subject =~ /new dropbox message/i
uri __KAM_FAKEDROPBOX3_2 /wp\-includes/i

meta KAM_FAKEDROPBOX3 (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
describe KAM_FAKEDROPBOX3 Fake Dropbox Phish
score KAM_FAKEDROPBOX3 6.0


#FAKEMONEYGRAM
# MoneyGram in the From header (display name or address) from a freemail
# sender; both required.
header __KAM_FAKEMONEYGRAM1 From =~ /Money.?Gram/i

meta KAM_FAKEMONEYGRAM (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
describe KAM_FAKEMONEYGRAM Fake Moneygram Phish
score KAM_FAKEMONEYGRAM 5.5
7120
7121
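#FAKESHAREPOINT - SEE FAKE_SHAREPOINT2 for Sexually explicit
# Fake SharePoint share notifications. The meta needs two of the three
# "envelope" signals (subject, sender, HTML attachment) AND two of the five
# "payload" signals (sharepoint URI, abusable free hosting, lure phrase,
# Google storage link, short body). The sub-rules are reused by
# KAM_FAKE_SHAREPOINTLINK further down.
header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you/i
header __KAM_FAKE_SHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
uri __KAM_FAKE_SHAREPOINT3 /my\.sharepoint\.com/i
# Free hosting commonly used for phishing landing pages.
uri __KAM_FAKE_SHAREPOINT3A /appdomain\.cloud|discordapp\.com|netlify\.app/i
body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap|link will only work/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# HTML attachment (smuggled phishing page). The dot before "htm" was
# previously unescaped and matched any character (e.g. "-html"); it is now a
# literal dot, in line with the other attachment rules in this file.
mimeheader __KAM_FAKE_SHAREPOINT5 Content-Type =~ /\.html?\"?$/i
endif


# meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 + KAM_SHORT >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3)
meta KAM_FAKE_SHAREPOINT ( ( __KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + __KAM_FAKE_SHAREPOINT5 >= 2 ) && (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + __KAM_FAKE_SHAREPOINT4 + KAM_STORAGE_GOOGLE + KAM_SHORT >= 2 ) )
describe KAM_FAKE_SHAREPOINT Fake Sharepoint Phish
score KAM_FAKE_SHAREPOINT 6.0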
7137
#MORE FAKE SHAREPOINT BAD LINKS IN A SHAREPOINT MESSAGE
# Lower-confidence sibling of KAM_FAKE_SHAREPOINT, reusing its sub-rules: any
# three of subject, sender, abusable free hosting, Google storage link or
# short body, and only when the full-confidence rule above did not fire.
# The inner parentheses are a plain sum (no comparison), so that group does
# not collapse to a single 0/1 signal here.
meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + KAM_SHORT) >= 3) && !KAM_FAKE_SHAREPOINT
describe KAM_FAKE_SHAREPOINTLINK Fake Sharepoint Link Phish
score KAM_FAKE_SHAREPOINTLINK 4.5
7142
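#ENCRYPTED ZIP
# Password-protected archive lures: the password is given in the body so the
# payload can pass AV scanning unopened. All four signal groups are required.
body __KAM_BADZIP1 /attached (to email|document)|take a look|send this fax/i
body __KAM_BADZIP2 /Encrypted zip|File password/i
# Direct-download Google Drive link as an alternative to the zip wording.
# The dots in the hostname are now escaped; unescaped they matched any
# character.
uri __KAM_BADZIP2A /drive\.google\.com.*export=download/i
# Deliberately broad on its own; only meaningful inside the conjunction below.
body __KAM_BADZIP3 /(order|urgent|report|dialogue|reminder)/i
body __KAM_BADZIP4 /password:/i

meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
describe KAM_BADZIP Encrypted Zip File Indicating a Scam
score KAM_BADZIP 6.0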
7153
#VERIZON SCAM
# Fake Verizon Wireless security notices. Envelope part: the exact subject,
# a display name claiming Verizon, and a From address that does NOT contain
# "verizon" (substring test, unanchored). Body part: any three of the four
# what/how/problem/money phrases.

header __KAM_VERIZON1 Subject =~ /verizon wireless security message/i
header __KAM_VERIZON2 From:name =~ /Verizon/i
header __KAM_VERIZON3 From:addr !~ /verizon/i

#What
body __KAM_VERIZON4 /Update required immediately/i
#how
body __KAM_VERIZON5 /update your account information/i
#Problem
body __KAM_VERIZON6 /deactivated/i
#Money
body __KAM_VERIZON7 /credit card|bank account/i

meta KAM_VERIZON (__KAM_VERIZON1 && __KAM_VERIZON2 && __KAM_VERIZON3 && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3))
score KAM_VERIZON 9.5
describe KAM_VERIZON Fake Wireless account notices
7172
#Docusign SCAM
# Fake DocuSign notifications: DocuSign-style subject, a display name claiming
# DocuSign with a From address that does not contain "docusign", plus at least
# one of freemail sender / large money amount / link to free document hosting.
header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service|docusign document/i
header __KAM_DOCUSIGN2 From:name =~ /docusign/i
header __KAM_DOCUSIGN3 From:addr !~ /docusign/i

uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com|onedrive\.live\.com/i

meta KAM_DOCUSIGN (__KAM_DOCUSIGN1 && __KAM_DOCUSIGN2 && __KAM_DOCUSIGN3 && (FREEMAIL_FROM || LOTS_OF_MONEY || __KAM_DOCUSIGN4))
score KAM_DOCUSIGN 4.5
describe KAM_DOCUSIGN Fake Document Signature account notices
7183
# Weaker variant: DocuSign-style subject plus a free-hosting link, without the
# sender checks. Not mutually exclusive with KAM_DOCUSIGN.
meta KAM_DOCUSIGN_LOW (__KAM_DOCUSIGN1 && __KAM_DOCUSIGN4)
score KAM_DOCUSIGN_LOW 3.0
describe KAM_DOCUSIGN_LOW Lower score Fake Document Signature Account Notice
7187
#Invalid From
# Two consecutive dots anywhere after the "@" in the From address, which is
# not a valid domain label sequence.
header __KAM_TWODOTS From:addr =~ /\@.*\.\./i

meta KAM_INVALIDFROM __KAM_TWODOTS
score KAM_INVALIDFROM 5.0
describe KAM_INVALIDFROM Invalid From Address
7194
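#Client Fake Invoice
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# "Dearest client" fake invoices delivered as .xls attachments from a
# headoffice / no-reply sender. The header and body rules do not need the
# plugin themselves but stay inside the guard because the meta is useless
# without __KAM_FAKEINV3.
header __KAM_FAKEINV1 From =~ /headoffice/i
header __KAM_FAKEINV1A Reply-to =~ /no.?reply\@/i

body __KAM_FAKEINV2 /dearest client/i

# The dot before "xls" is now a literal dot (it was an unescaped
# any-character). ".xlsx" is not matched, same as before, because of the "$".
mimeheader __KAM_FAKEINV3 Content-Type =~ /\.xls\"?$/i

meta KAM_FAKEINV ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
describe KAM_FAKEINV Fake Customer Invoices
score KAM_FAKEINV 4.5
endif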
7208
#IMAGE ONLY
# Image-only HTML mail from a questionable TLD. Either spelling of the
# PDS_OTHER_BAD_TLD rule (test or promoted) combined with HTML_IMAGE_ONLY_08.
meta KAM_IMAGEONLY ((T_PDS_OTHER_BAD_TLD || PDS_OTHER_BAD_TLD) && HTML_IMAGE_ONLY_08)
score KAM_IMAGEONLY 0.75
describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image
7213
#HOLIDAY 2020 GIFTS
# Seasonal gadget/novelty spam (rugs, ornaments, earbuds, endoscopes, ...).
# Any two of subject / body / From match; the body rule excludes the subject
# so one phrase cannot count twice. Product lists like this age quickly.
header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
body __KAM_HOLIDAY2020_2 /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
tflags __KAM_HOLIDAY2020_2 nosubject
header __KAM_HOLIDAY2020_3 From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i

meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
describe KAM_HOLIDAY2020 Holiday Gifts 2020 Spam
score KAM_HOLIDAY2020 4.0
7223
#GOOGLE FORM
# Google Forms link plus either an untitled form (English or French default
# title) or the "foundation is donating" lure. __KAM_GOOGLEFORM_1 is also
# reused by KAM_FAKEFORM below.
uri __KAM_GOOGLEFORM_1 /docs\.google\.com\/forms\//i
body __KAM_GOOGLEFORM_2 /Untitled|Formulaire sans titre/i
body __KAM_GOOGLEFORM_3 /foundation is donating/i

meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 && (__KAM_GOOGLEFORM_2 || __KAM_GOOGLEFORM_3))
score KAM_GOOGLEFORM 4.0
describe KAM_GOOGLEFORM Untitled or Spam Google Form
7232
# Bounces routed through Google's trix.bounces.google.com (Sheets
# notifications) that spammers abuse to borrow Google's reputation. Pattern is
# case-sensitive and unanchored; a sub-rule is kept so it can be reused in
# other metas.
header __GB_RETPATH_GOOG_TRIX Return-Path =~ /\@trix\.bounces\.google\.com/

meta GB_RETPATH_GOOG_TRIX __GB_RETPATH_GOOG_TRIX
describe GB_RETPATH_GOOG_TRIX Email from Google subdomain being abused by spammers
score GB_RETPATH_GOOG_TRIX 2.00
7238
#BENEFICIARY FAKE FORM
# Advance-fee "beneficiary" scams collecting data via a Google Form: one
# disclosure/money signal, one of the __KAM_BENEFICIARY* sub-rules (defined
# elsewhere in this file) and the Google Forms link are all required.
body __KAM_DISCLOSE1 /enable me disclose|indicate your? interest|something important/i

meta KAM_FAKEFORM ((__KAM_DISCLOSE1 || LOTS_OF_MONEY) && (__KAM_BENEFICIARY2 || __KAM_BENEFICIARY4 || __KAM_BENEFICIARY6) && __KAM_GOOGLEFORM_1)
score KAM_FAKEFORM 4.0
describe KAM_FAKEFORM Fake Form for Scams
7245
#2ND AMENDMENT
# Political / gun-rights marketing spam. Any three of: a __KAM_FUN1/1A hit
# (defined elsewhere in this file), the fear phrases, the 2nd-amendment
# phrases, or a matching From header. Describe text keeps its original spelling.
body __KAM_2ND_1 /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
body __KAM_2ND_2 /2nd am?mendment|concealed carry|right to carry/i
header __KAM_2ND_3 From =~ /2nd amm?endment|Concealed/i

meta KAM_2ND ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
describe KAM_2ND Political / 2nd Ammendement Spam
score KAM_2ND 4.5
7254
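#SPAM DU JOUR - MASKS
# COVID-era mask spam (KN95 etc.). Any three of the four signals fire.
# __KAM_KN_3 uses the <O1> ReplaceTags placeholder (obfuscated "o" in
# "Covid"; the tag is presumably defined earlier in this file, as
# __KAM_SPO2_2 below relies on it too). A rule is only rewritten when it is
# listed in replace_rules — without the line below the tag is a literal
# string and that alternative can never match. Registering a rule twice is
# harmless if it is already listed elsewhere.
replace_rules __KAM_KN_3

body __KAM_KN_1 /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
tflags __KAM_KN_1 nosubject
body __KAM_KN_2 /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
tflags __KAM_KN_2 nosubject
header __KAM_KN_3 Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
header __KAM_KN_4 From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i

meta KAM_KN (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
describe KAM_KN Spam Du Jour for Masks
score KAM_KN 4.5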
7266
#SPAM DU JOUR - BAD CREDIT
# Credit-repair spam: "bad credit" in the body (subject excluded) plus a
# "bad credit ... off track" subject. Note the subject pattern is
# case-sensitive (no /i), unlike the body rule.
body __KAM_BADCRED_1 /bad credit/i
tflags __KAM_BADCRED_1 nosubject
header __KAM_BADCRED_2 Subject =~ /bad credit.*off track/

meta KAM_BADCRED (__KAM_BADCRED_1 && __KAM_BADCRED_2)
score KAM_BADCRED 3.0
describe KAM_BADCRED Spam Du Jour for Bad Credit
7275
#SPAM DU JOUR - SPO2
# COVID-era oximeter / thermometer spam. Any three of the four signals fire.
# __KAM_SPO2_2 and __KAM_SPO2_3 use the <O1> ReplaceTags placeholder for an
# obfuscated "o", so they must be listed in replace_rules (below) to work.
replace_rules __KAM_SPO2_2 __KAM_SPO2_3

body __KAM_SPO2_1 /pulse oximeter|touchless thermometer/i
body __KAM_SPO2_2 /C<O1>VID/i
tflags __KAM_SPO2_2 nosubject
header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
# Broad sender words; only counts together with the other signals.
header __KAM_SPO2_4 From =~ /health|infrared|oximeter|Painless/i

meta KAM_SPO2 (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
describe KAM_SPO2 COVID Spams
score KAM_SPO2 4.5
7288
#SPAM DU JOUR - HEATED VEST
# Heated-vest product spam: body mention (subject excluded), "stay toasty"
# subject and a "thermal vest" From are all required.
body __KAM_VEST1 /(heated|thermal) vest/i
tflags __KAM_VEST1 nosubject
header __KAM_VEST2 Subject =~ /stay toasty/i
header __KAM_VEST3 From =~ /thermal vest/i

meta KAM_VEST (__KAM_VEST1 && __KAM_VEST2 && __KAM_VEST3)
score KAM_VEST 4.5
describe KAM_VEST Spam Du Jour for Vests
7298
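#FAKE CVS
# Fake CVS Pharmacy mailings: display name, subject and body all say CVS,
# while the From address is a freemail account or not under cvs.com.
header __KAM_CVS1 From =~ /CVS Pharm/i
# Legitimate-sender exclusion. The domain is now anchored to the end of the
# address and the dot escaped: the old unanchored /\@cvs.com/ also accepted
# look-alikes such as user@cvs.com.example.net (and "cvsXcom"), which turned
# this sub-rule off for exactly the mail it targets.
header __KAM_CVS1A From:addr !~ /\@cvs\.com$/i
# Case-sensitive on purpose (the acronym, not "cvs" inside other words).
body __KAM_CVS2 /CVS/
tflags __KAM_CVS2 nosubject
header __KAM_CVS3 Subject =~ /CVS Pharm/i

meta KAM_CVS ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
describe KAM_CVS Fake CVS Spams
score KAM_CVS 6.0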
7309
#HACKED EXPLOIT
# "Your device has been hacked / you are under investigation" extortion
# lures, often posing as a justice department. Any three of the four signals.
body __KAM_HACK1 /(phone|electronic|computer) have been hacked|suspected online scam/i
body __KAM_HACK2 /read attached|click here for verification/i
body __KAM_HACK3 /save yourself|lead to your arrest/i
header __KAM_HACK4 From:name =~ /justice dep/i

meta KAM_HACK (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
describe KAM_HACK Hacker Exploitation Email
score KAM_HACK 4.5
7319
#FAKE INVOICES
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Fake remittance / invoice mail with an Excel attachment. Any three of the
# four signals. Note the deliberate homoglyphs: "lnv" (lowercase L for "Inv")
# in the subject and "[il]" classes in the attachment name, which spammers
# use to dodge exact-string filters.
header __KAM_FAKEINV2_1 Subject =~ /lnv (remittance|\& check)/i
body __KAM_FAKEINV2_2 /(find|see) (the )?attach/i
body __KAM_FAKEINV2_3 /not mail the check|typeform\.com/i
mimeheader __KAM_FAKEINV2_4 Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i

meta KAM_FAKEINV2 (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
describe KAM_FAKEINV2 Fake Invoice Scams
score KAM_FAKEINV2 6.0

endif
7333
#FAKE ADS
# Pharma / weight-loss ads behind a bit.ly shortener. All four signals
# (subject, CTA wording, shortener link, product wording) are required.
header __KAM_FAKEAD1 Subject =~ /brand medication|stubborn fat/i
body __KAM_FAKEAD2 /click here to UNSUBSCRIBE|start shopping|here\'s how/i
uri __KAM_FAKEAD3 /\/bit\.ly/i
body __KAM_FAKEAD4 /Sweet passion|no plastic surgery/i

meta KAM_FAKEAD (__KAM_FAKEAD1 && __KAM_FAKEAD2 && __KAM_FAKEAD3 && __KAM_FAKEAD4)
score KAM_FAKEAD 6.0
describe KAM_FAKEAD Fake Advertisements
7343
#FAKE REGISTRY SCAMS
# "Domain Registry Asia" trademark-protection racket. Either the obfuscated
# body mention ("(dot)" spelled out) or a link to the .net/.cn domain fires it.
body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i

meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 || __KAM_FAKE_REGISTRY2)
score KAM_FAKE_REGISTRY 5.0
describe KAM_FAKE_REGISTRY Fake Domain Registry Scammers trying to get you to buy unneeded domains
7351
#FAKE Fax
# Fake "new fax" notifications carrying an HTML attachment or a link to
# cloud storage. Required: one delivery vector (HTML attachment via
# T_HTML_ATTACH or the fax-named .htm part, or a storage/quarantine URI) plus
# the fax body wording, the subject and one of the lure phrases.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
endif
body __KAM_FAKE_FAX2 /(new|incoming) fax|fax received/i
header __KAM_FAKE_FAX3 Subject =~ /Fax|new (message|document)/i
body __KAM_FAKE_FAX4 /invoice|xerox scanner|recipient view only|click below to view your fax|refer to attachment/i
tflags __KAM_FAKE_FAX4 nosubject
uri __KAM_FAKE_FAX5 /\/s3\.|quarantine|myqcloud/i

meta KAM_FAKE_FAX ((T_HTML_ATTACH || __KAM_FAKE_FAX1 || __KAM_FAKE_FAX5) && __KAM_FAKE_FAX2 && __KAM_FAKE_FAX3 && __KAM_FAKE_FAX4)
score KAM_FAKE_FAX 8.0
describe KAM_FAKE_FAX Fake Fax Scam
7365
#FAKE TRUST
# Mail that asserts its own trustworthiness ("this message is from a ...
# trusted source"), a phrase legitimate gateways do not put in the body.
body __KAM_FAKE_TRUST1 /Message is from a .{0,40}trusted source/i

meta KAM_FAKE_TRUST __KAM_FAKE_TRUST1
score KAM_FAKE_TRUST 3.5
describe KAM_FAKE_TRUST Scams about trusted sources
7372
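ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#SHTML ATTACHMENT ADD TO T_HTML_ATTACH! - 2022-01-14
# .shtm/.shtml attachment declared as text/html or a generic binary type.
# "application/octet-string" is not a registered media type (the standard
# one is application/octet-stream), so that alternative never matched real
# mail; both spellings are accepted now so nothing previously matched is
# lost. Consumed by KAM_FAKE_INVOICE below.
mimeheader __KAM_SHTML_ATTACH Content-Type =~ /\b(application\/octet-str(eam|ing)|text\/html)\b.+\.shtml?\b/i
endif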
7377
7378
#FAKE INVOICE
# Fake invoice / purchase-order / remittance mail. Required: one dangerous
# payload signal (HTML or .shtml attachment, a Raptor "altered" marker, or an
# OLE macro URI target — the last two are defined elsewhere) plus both the
# subject and body wording. The body rule excludes the subject.
header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) (receipt|advice)|past.?due|purchase order|(ACH|EFT) (remittance|payment)|invoice copy|swift confirmation|overdue invoice|attached receipt|payment confirmation/i
body __KAM_FAKE_INVOICE2 /(remittance|Payment) (advice|confirmation|breakdown)|past due invoice|new pro.?forma|attached|balance paid|proforma invoice/i
tflags __KAM_FAKE_INVOICE2 nosubject

meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + __KAM_SHTML_ATTACH + KAM_RAPTOR_ALTERED + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
describe KAM_FAKE_INVOICE Fake Invoice / Purchase Order Scam
score KAM_FAKE_INVOICE 6.4
7387
#BAD PRODUCTS
# Specific gadget spam (vacuum sealer, plug-in heater, thaw tray). Subject
# and body product mentions are both required.
header __KAM_BAD_PRODUCT1 Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
body __KAM_BAD_PRODUCT2 /Dolphin sealer|hotstreak plug|Rapid thaw tray/i

meta KAM_BAD_PRODUCT (__KAM_BAD_PRODUCT1 && __KAM_BAD_PRODUCT2)
score KAM_BAD_PRODUCT 3.0
describe KAM_BAD_PRODUCT Spammy Products
7395
#BAD LINK
# Link to a ".pdf.iso" file: a double extension disguising a disk image
# (malware container) as a PDF. Anchored at the end of the URI.
uri __KAM_BAD_LINK1 /\.pdf\.iso$/i

meta KAM_BAD_LINK __KAM_BAD_LINK1
score KAM_BAD_LINK 10.0
describe KAM_BAD_LINK Potentially dangerous link in email
7402
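#BAD CITIZENS
# Fake Citizens Bank "eAlert" phishing. Required: subject, body notice, a
# display name claiming Citizens Bank, a suspicious link or short body, AND
# either a From domain without "citizen" or an SPF failure.
header __KAM_FAKE_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
body __KAM_FAKE_CITIZEN2 /Important (message|Notice) From Citizens/i
# Compromised-WordPress / PHPMailer artefacts in links. The dot in
# ".well-known" is now escaped; unescaped it matched any character.
uri __KAM_FAKE_CITIZEN3 /phpmailer|wp-admin|\.well-known/i
header __KAM_FAKE_CITIZEN4 From:name =~ /Citizens ?Bank/i
# Loose substring exclusion by design (unanchored): any From address
# containing "citizen" is treated as plausible, with SPF_FAIL as the
# alternative signal.
header __KAM_FAKE_CITIZEN5 From:addr !~ /citizen/i

meta KAM_FAKE_CITIZEN (__KAM_FAKE_CITIZEN1 + __KAM_FAKE_CITIZEN2 + (KAM_SHORT + __KAM_FAKE_CITIZEN3 >= 1) + __KAM_FAKE_CITIZEN4 + (__KAM_FAKE_CITIZEN5 + SPF_FAIL >= 1) >= 5)
describe KAM_FAKE_CITIZEN Fake Bank Alert Scam
score KAM_FAKE_CITIZEN 7.5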
7413
#BAD PRODUCTS
# Catch-all for products that recur in affiliate spam (meal kits, lawn care,
# car warranties, enhancement pills, WiFi boosters, mini ACs ...). All three
# of subject, body (subject excluded) and From must match.
# NOTE(review): "car ?shieldi" in the From rule only matches "shield"
# followed by an "i"; the subject and body rules use "Car ?Shield", so this
# looks like a typo — confirm before changing. "savage.grow" and "coolair"
# appear twice in their alternations, which is redundant but harmless.
header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger|(explosive|increase) size|ACs|Wifi Booster|anti.?snore|visceral fat|solar ?bright|mini a\/?c|portable (cooler|air.?condition)|keep cool|wife.caught|banned technique/i

body __KAM_PRODUCT2_2 /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen (device|gadget)|Better Butter|(elongation|growth) secret|savage.?grow|coolair|Wifi Booster|sleeplab|belly.flat|solar ?bright flood|space Cooler|coolair/i
tflags __KAM_PRODUCT2_2 nosubject

header __KAM_PRODUCT2_3 From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow|CoolMe|wifi repeater|sleep.?lab|lost.?\d+lbs|solar ?bright|(mini|portable) ?A\/?C|air cooler|savage.grow/i

meta KAM_PRODUCT2 ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
describe KAM_PRODUCT2 Scammy Products prevalent in spam
score KAM_PRODUCT2 4.5
7425
7426 #BAD_PDF_LINK
7427 #uri_detail KAM_PDF_FAKE text =~ /\.PDF/i cleaned =~ /\.github.io\//i
7428 #describe KAM_PDF_FAKE Links to Fake PDFs
7429 #score KAM_PDF_FAKE 5.0
7430
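#SCAM INQUIRY
# Fake B2B purchase inquiries fishing for catalogs / price lists. All four
# signal groups are required.
#what
body __KAM_INQUIRY_1 /inquiry for purchase|product catalog|price list|reply with catalog/i
#subj
header __KAM_INQUIRY_2 Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
#oddities
body __KAM_INQUIRY_3 /terms? (\&|and) conditions?|rightful dep/i
#Forwarder
# "import\export" previously contained "\e", which Perl reads as the ESC
# character (0x1B), so that alternative could never match; the slash is now
# escaped as intended.
body __KAM_INQUIRY_4 /certificate of origin|import\/export|trading company/i

meta KAM_INQUIRY (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
describe KAM_INQUIRY Product Inquiry Scams
score KAM_INQUIRY 7.0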
7444
#FROM NAME SPAM
# Display names that contain one of a fixed list of spam-only domains
# (a hand-maintained blocklist, hence "FAKERBL"). Exact-domain matching with
# escaped dots; extend the alternation to add a domain.
header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com|professionalwhosiswho\.com/i

meta KAM_FROM_NAME_FAKERBL __KAM_FROM_NAME_FAKERBL
score KAM_FROM_NAME_FAKERBL 6.0
describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
7451
#FAKE NORTON
# Fake antivirus / Geek Squad "renewal invoice" call-back scams. The four
# numbered rules use ReplaceTags placeholders (<O1>, <I1>, <E1>, <K1>, <A1>,
# <L1>) for obfuscated letters and are registered here so the tags expand.
# Deliberate misspellings in the patterns ("0rder", "biliing", "Nort-Pro",
# "appritiate") mirror what the scam mail actually contains.
replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON3 __KAM_FAKE_NORTON4

#subj
header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan activated|protection alert/i
# Sender-side hints: the victim is often addressed via a norton/geeksquad
# To: header, or the From mimics a billing / no-reply department.
header __KAM_FAKE_NORTON1A To =~ /norton|billing\@geeksquad/i
header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt/i
#Fuzzy Prod
# Product names (Norton, McAfee, Geek Squad, Symantec, Windows Defender ...);
# this is the one sub-rule the meta makes mandatory.
body __KAM_FAKE_NORTON2 /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G<E1><E1><K1>.?squad security|(symantec|mcafee|norton|geek).{0,3}total protection|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|G<E1><E1>k\s+squ<A1>d|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)/mi
#Oddlang
# Non-native phrasing and "call to cancel / refund" pressure typical of the
# call-centre variant of this scam.
body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|disc<O1>unt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk/i
tflags __KAM_FAKE_NORTON3 nosubject
#Order
body __KAM_FAKE_NORTON4 /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is p<L1>aced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear/i
tflags __KAM_FAKE_NORTON4 nosubject

# At least four of the weighted signals AND a product mention. FREEMAIL_FROM
# appears both inside the sender group and again as its own term, so a
# freemail sender can contribute two points — presumably intentional
# weighting; confirm if tuning.
meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 4) && __KAM_FAKE_NORTON2
describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices
score KAM_FAKE_NORTON 8.0
7471
# Same signals as KAM_FAKE_NORTON with the threshold lowered to three; still
# requires the product mention and is suppressed when the full rule fires,
# so the two never stack.
meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 3) && !KAM_FAKE_NORTON && __KAM_FAKE_NORTON2
describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices (Lower Confidence)
score KAM_FAKE_NORTONLOW 6.5
7475
#FAKE CHASE BANK
# Fake Chase "unusual activity" notices. All five signals are required:
# security-themed subject, "chase online" in body and display name, the
# fraud wording, and a From address that does not contain "chase"
# (unanchored substring exclusion).
header __KAM_FAKE_CHASE1 Subject =~ /unusual activit|security/i
body __KAM_FAKE_CHASE2 /chase online/i
body __KAM_FAKE_CHASE3 /Fraud Protection|unusual activity/i
header __KAM_FAKE_CHASE4 From:name =~ /chase online/i
header __KAM_FAKE_CHASE5 From:addr !~ /chase/i

meta KAM_FAKE_CHASE (__KAM_FAKE_CHASE1 && __KAM_FAKE_CHASE2 && __KAM_FAKE_CHASE3 && __KAM_FAKE_CHASE4 && __KAM_FAKE_CHASE5)
score KAM_FAKE_CHASE 4.5
describe KAM_FAKE_CHASE Fake Bank Notice
7486
#FAKE CANADA POST
# Fake Canada Post "package on hold, pay redelivery" phishing. All groups are
# required: hold wording, an (optionally obfuscated) "Canada Post" mention,
# verification wording, payment/redelivery wording, a From address that does
# not end in ".ca", and a Canada Post display name or a "shipping" address.
# __KAM_FAKE_CAN_POST2 uses ReplaceTags placeholders for look-alike letters,
# hence the replace_rules entry.
replace_rules __KAM_FAKE_CAN_POST2

body __KAM_FAKE_CAN_POST1 /package is (waiting|on hold)/i
body __KAM_FAKE_CAN_POST2 /<C1><A1>n<A1>d<A1>.{0,2}<P1><O1>st/i
body __KAM_FAKE_CAN_POST3 /require additional details|online verification/i
body __KAM_FAKE_CAN_POST4 /redelivery|confirm the payment/i
# Anchored to the end of the address, so only a genuine .ca TLD is exempt.
header __KAM_FAKE_CAN_POST5 From:addr !~ /\.ca$/i
header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post|Postes.?Canada/i
header __KAM_FAKE_CAN_POST6B From:addr =~ /shipping/i

meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + (__KAM_FAKE_CAN_POST6 + __KAM_FAKE_CAN_POST6B >= 1) >= 6)
describe KAM_FAKE_CAN_POST Fake Canada Post Scam
score KAM_FAKE_CAN_POST 9.0
7501
#CARING
# Dating / catfishing lures: suggestive subject, dating or hook-up wording in
# the body (subject excluded), a "my photo / my contact" line and an
# unsubscribe footer — all four required.
header __KAM_CARING1 Subject =~ /Great in Bed|(looking|Searching) +for +a +(shag|(determined|caring|loving) +(man|guy|dude))/i
body __KAM_CARING2 /shagged|lovemate|online dating|affair|hook.?up/i
tflags __KAM_CARING2 nosubject
body __KAM_CARING3 /(recent|my) (contact|picture|photo)/i
body __KAM_CARING4 /unsub/i

meta KAM_CARING (__KAM_CARING1 && __KAM_CARING2 && __KAM_CARING3 && __KAM_CARING4)
score KAM_CARING 6.0
describe KAM_CARING Catfishing and related scams
7512
#FAKE POLICY
# Fake HR "policy update" phishing. Required: an HR display name, the policy
# body wording, and either the homoglyph subject or an HTML attachment.
#OBFU HEADER
# "PoIicy" uses a capital I in place of l (as seen in the spam), not a typo.
header __KAM_POLICY1 Subject =~ /PoIicy Update/i
#HR
# Case-insensitive substring: also matches names containing "hr" (e.g.
# "Chris"); only counts together with the other two signals.
header __KAM_POLICY2 From:name =~ /HR/i
#POLICY
body __KAM_POLICY3 /Attached policy|section can proceed/i
#Attach
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_POLICY4 Content-Type =~ /\.html?"?$/i
endif

meta KAM_POLICY ((__KAM_POLICY1 || __KAM_POLICY4) && __KAM_POLICY2 && __KAM_POLICY3)
score KAM_POLICY 4.5
describe KAM_POLICY Fake policy email phish
7528
#CBT Scraper
# Mail advertising the "CBT Website Scraper / Email Extractor" harvesting
# tool. Single body match; no sub-rule, so the rule itself carries the regex.
body KAM_CBTSCRAP /CBT (website scraper|Email Extractor)/i
describe KAM_CBTSCRAP Spamming tool
score KAM_CBTSCRAP 5.0
7533
#PIP/FOREX
# "1000pip builder" forex-signal spam: sender, product name, and forex
# wording in both body and subject are all required.
header __KAM_FOREX1 From =~ /pip ?builder/i
body __KAM_FOREX2 /1000pipbuilder/i
body __KAM_FOREX3 /Forex (trading|signals)/i
header __KAM_FOREX4 Subject =~ /Forex (trading|signals)/i

meta KAM_FOREX (__KAM_FOREX1 && __KAM_FOREX2 && __KAM_FOREX3 && __KAM_FOREX4)
score KAM_FOREX 6.0
describe KAM_FOREX Forex Trading spam
7543
#SkyTech Wifi
# "SkyTech" WiFi booster product spam; sender, subject and body all required.
header __KAM_SKYTECH1 From =~ /SkyTech Wifi Booster|ultraboost/i
header __KAM_SKYTECH2 Subject =~ /Wifi Deadspots|buffering/i
body __KAM_SKYTECH3 /skytech wifi|Wifi Booster/i

meta KAM_SKYTECH (__KAM_SKYTECH1 && __KAM_SKYTECH2 && __KAM_SKYTECH3)
score KAM_SKYTECH 4.5
describe KAM_SKYTECH Wifi Booster Spam
7552
#FAKE Paypal
# PayPal display name sent from a "wordpress" address (compromised site
# mailer) with a very short body. All three required.
header __KAM_FAKEPP1 From:name =~ /PayPal/i
header __KAM_FAKEPP2 From:addr =~ /wordpress/i

meta KAM_FAKEPP (__KAM_FAKEPP1 && __KAM_FAKEPP2 && KAM_SHORT)
score KAM_FAKEPP 4.5
describe KAM_FAKEPP Fake PayPal Notice
7560
#SEXUALLY EXPLICIT PHOTO
# "My name is ... here is my photo" lures with a JPEG attachment. All five
# signals are required; without the MIMEHeader plugin the attachment rule is
# undefined and the meta cannot fire.
header __KAM_PHOTO1 Subject =~ /My name is/i
body __KAM_PHOTO2 /I am very lonely/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_PHOTO3 Content-Type =~ /\.jpe?g/i
endif
body __KAM_PHOTO4 /This is my photo/i
body __KAM_PHOTO5 /get to know you/i

meta KAM_PHOTO (__KAM_PHOTO1 && __KAM_PHOTO2 && __KAM_PHOTO3 && __KAM_PHOTO4 && __KAM_PHOTO5)
score KAM_PHOTO 7.5
describe KAM_PHOTO Sexually Explicit Photo Emails
7573
#FOOTBALL
# Foosball-table product spam. Any three of subject, "look at this" lure,
# price wording, or a .shop/.xyz/drone Reply-To (__KAM_SHOP1 is defined in
# the DRONE section below and shared).
header __KAM_FOOTBALL2_1 Subject =~ /Foo[ts]ball Table/i
body __KAM_FOOTBALL2_2 /look at (the thing I brought|this product|what I sent you)/i
body __KAM_FOOTBALL2_3 /foo[st]ball table pric/i

meta KAM_FOOTBALL2 (__KAM_FOOTBALL2_1 + __KAM_FOOTBALL2_2 + __KAM_FOOTBALL2_3 + __KAM_SHOP1 >= 3)
describe KAM_FOOTBALL2 Football table spams
score KAM_FOOTBALL2 4.5
7582
#LAWSUIT
# Mass-tort lead-generation spam ("you or a loved one ... Roundup / cancer").
# Lawsuit in both display name and subject, the lure phrase and the body
# keywords (subject excluded) are all required.
header __KAM_LAWSUIT1 From:name =~ /lawsuit/i
header __KAM_LAWSUIT2 Subject =~ /lawsuit/i
body __KAM_LAWSUIT3 /you or a loved one/i
body __KAM_LAWSUIT4 /(roundup|diagnosed with cancer)/i
tflags __KAM_LAWSUIT4 nosubject

meta KAM_LAWSUIT (__KAM_LAWSUIT1 && __KAM_LAWSUIT2 && __KAM_LAWSUIT3 && __KAM_LAWSUIT4)
score KAM_LAWSUIT 6.0
describe KAM_LAWSUIT Ambulance chaser scams
7593
#ED SPAM
# ED-pill spam under a "Magnum" sender: display name, "women cheat" subject
# and ED wording in the body (subject excluded) are all required.
header __KAM_CHEAT1 From:name =~ /Magnum/i
header __KAM_CHEAT2 Subject =~ /women cheat/i
body __KAM_CHEAT3 /(Erectile Dysfunction|erection)/i
tflags __KAM_CHEAT3 nosubject

meta KAM_CHEAT (__KAM_CHEAT1 && __KAM_CHEAT2 && __KAM_CHEAT3)
score KAM_CHEAT 4.5
describe KAM_CHEAT ED Spams
7603
#DomainBroker
# Unsolicited "domain on sale" broker spam. Any three of: body brand mention,
# subject, "Domain Agent" display name, or a hit on KAM_BODY_MARKETINGBL_PCCC
# (defined elsewhere in this file).
body __KAM_DOMAINBROKER1 /DomainBroker/i
header __KAM_DOMAINBROKER2 Subject =~ /Domain on sale/i
header __KAM_DOMAINBROKER3 From:name =~ /Domain.?Agent/i

meta KAM_DOMAINBROKER (__KAM_DOMAINBROKER1 + __KAM_DOMAINBROKER2 + __KAM_DOMAINBROKER3 + KAM_BODY_MARKETINGBL_PCCC >= 3)
describe KAM_DOMAINBROKER Domain seller spams
score KAM_DOMAINBROKER 4.5
7612
#FAKE SHAREPOINT 2 - Sexually explicit
# Adult-dating spam dressed up as SharePoint notifications. All three signals
# are required. The sender rule is loose on its own: "sex" matches inside
# place names (Essex, Sussex) and "69" matches any address containing those
# digits, so it must never be scored alone. Body matching excludes the
# subject.
header __KAM_FAKE_SHAREPOINT2_1 From:addr =~ /no\-reply\@sharepointonline\.com|sex|69/i
header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y|see my nu(t|d)e|Video.M(a|e)ssage|bang.?meetup|private massage|confirm your e.?mail|tiktok for sex/i
body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner|lonely mom|adults? classified|screw many girls|bang.?meetup|(chat|meet) for sex/i
tflags __KAM_FAKE_SHAREPOINT2_3 nosubject

meta KAM_FAKE_SHAREPOINT2 (__KAM_FAKE_SHAREPOINT2_1 + __KAM_FAKE_SHAREPOINT2_2 + __KAM_FAKE_SHAREPOINT2_3 >= 3)
describe KAM_FAKE_SHAREPOINT2 Sexually Explicit Sharepoint Spam
score KAM_FAKE_SHAREPOINT2 8.5
7622
#DRONE
# Drone "reseller" spam with follow-up nagging and awkward logistics wording.
# Any five of the six signals. __KAM_SHOP1 (Reply-To on a .shop/.xyz domain
# or containing "drone") is also reused by KAM_FOOTBALL2 above — keep its
# name stable.
header __KAM_SHOP1 Reply-to =~ /\.shop|drone|\.xyz/i
header __KAM_DRONE2 Subject =~ /follow up on last email|reminder again|drone|quick follow.?up/i
#ODD LANG SHIP
body __KAM_DRONE3 /arrange the (shipment|dispatch)|contact the logistics|logistics to arrange|address for shipping|touch with logistics|location of your shipment/i
#DRONE HERE
body __KAM_DRONE4 /new drone (information|here)|information about the drone|for (two|three) drones|email about this drone/i
#ODD LANG GOODS
body __KAM_DRONE5 /grasp our goods|take one or more|three or more|receiving one or two/i
#DRONE DESC
body __KAM_DRONE6 /GPS Brushless Drone|optical flow/i

meta KAM_DRONE (__KAM_SHOP1 + __KAM_DRONE2 + __KAM_DRONE3 + __KAM_DRONE4 + __KAM_DRONE5 + __KAM_DRONE6 >= 5)
describe KAM_DRONE Drone Spam Du Jour
score KAM_DRONE 7.5
7638
#FAKE PAYPAL
# Fake PayPal purchase-confirmation / "call us to cancel" scams. Any five of
# the seven weighted signals (including FREEMAIL_FROM) fire the rule. Note
# "payapl", "reciept" and "0rder" are deliberate misspellings as seen in the
# spam. The body PayPal mention excludes the subject.
header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl|receipt|reciept|help.?desk/i
header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification|0rder|\$\d\d\d\.\d\d charged|payment info|subscription|paid the invoice/i
body __KAM_FAKE_PAYPAL3 /paypal/i
tflags __KAM_FAKE_PAYPAL3 nosubject
# Dispute / "not you?" pressure wording.
body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|(haven'?t|not) made this purchase|contact us immediately|trust & safety|not authorized|file an issue|cancellation|to cancel/i
# Fabricated merchant charge (Walmart/Target) and wallet wording.
body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited|paid instantly|credit wallet balance/i
# Call-back phone-support lure.
body __KAM_FAKE_PAYPAL6 /help by phone|call paypal ?(usa|team)|paypal fraud dep|paypal support immediately|before dispatch|paypal consumer credit/i

meta KAM_FAKE_PAYPAL (__KAM_FAKE_PAYPAL1 + __KAM_FAKE_PAYPAL2 + __KAM_FAKE_PAYPAL3 + __KAM_FAKE_PAYPAL4 + __KAM_FAKE_PAYPAL5 + FREEMAIL_FROM + __KAM_FAKE_PAYPAL6 >= 5)
describe KAM_FAKE_PAYPAL Fake PayPal Message
score KAM_FAKE_PAYPAL 6.0
7651
# Second PayPal variant: a "PayPal Support Team" signature plus the "void this
# transaction within ..." deadline, sent from a freemail account. All three
# required.
body __KAM_FAKE_PAYPAL2_1 /PayPal (customer service|Support) Team/i
body __KAM_FAKE_PAYPAL2_2 /void this (transaction|order) within/i

meta KAM_FAKE_PAYPAL2 (__KAM_FAKE_PAYPAL2_1 && __KAM_FAKE_PAYPAL2_2 && FREEMAIL_FROM)
score KAM_FAKE_PAYPAL2 4.5
describe KAM_FAKE_PAYPAL2 Fake PayPal Message
7658
#FEEDPROXY ABUSE
# Links through Google's (since retired) FeedBurner redirector
# feedproxy.google.com/~r/, used to hide the real destination. Pattern is
# case-sensitive.
uri GB_G_FEEDPROXY /https?\:\/\/feedproxy\.google\.com\/~r\//
describe GB_G_FEEDPROXY Google Feed Proxy Abuse
score GB_G_FEEDPROXY 2.5
7663
#b-cdn abuse
# Links into a bunny.net pull zone (pullzone-vN.b-cdn.net), a CDN seen
# hosting spam landing pages. Single-digit zone version only, case-sensitive.
uri GB_PULLZONE_B_CDN /https?\:\/\/pullzone-v[0-9]\.b\-cdn\.net/
describe GB_PULLZONE_B_CDN B-Cdn abuse
score GB_PULLZONE_B_CDN 3.0
7668
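#DISCORD ABUSE
# Links to files on Discord's attachment CDN in mail that did not come from
# Discord itself. All three signals are required.
uri __KAM_DISCORDCDN1 /cdn\.discordapp\.com\/attachment/i
# Now anchored to the end of the address: the old /\@discord\.com/ also
# exempted look-alikes such as no-reply@discord.com.example.net.
header __KAM_DISCORDCDN2 From:addr !~ /\@discord\.com$/i
# The dot in the domain is now escaped. NOTE(review): this only tests that a
# DKIM-Signature header *claiming* d=discord.com is present, not that it
# verifies — a sender can add such a header and switch this rule off. A
# stricter variant would key on the DKIM plugin's verification result
# (e.g. DKIM_VALID_AU) instead; left as-is to keep the existing semantics.
header __KAM_DISCORDCDN3 DKIM-Signature !~ / d=discord\.com;/i

meta KAM_DISCORDCDN (__KAM_DISCORDCDN1 + __KAM_DISCORDCDN2 + __KAM_DISCORDCDN3 >= 3)
describe KAM_DISCORDCDN Abuse of Discord CDN in spams
score KAM_DISCORDCDN 4.5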
7677
# Escalation of KAM_DISCORDCDN when the Discord attachment is a DocuSign lure
# or an executable / archive / macro-enabled Office file.
uri __KAM_DISCORDCDN_BAD1 /cdn\.discordapp\.com\/attachment.*(docu.?sign|\.(iso|gz|exe|jar|zip|xlsm|docm|pptm))/i

meta KAM_DISCORDCDN_BAD (KAM_DISCORDCDN && __KAM_DISCORDCDN_BAD1)
score KAM_DISCORDCDN_BAD 6.0
describe KAM_DISCORDCDN_BAD Extra Dangerous Discord CDN Content in spams
7683
#PAYROLL SCAMS
# Brand names seen in the campaign, a "companies/businesses in CA" pitch and
# a payroll subject.
body __KAM_PAYROLL1 /(Leveragewages|Savingcredits)/i
body __KAM_PAYROLL2 /(companies|businesses) in CA/i
header __KAM_PAYROLL3 Subject =~ /payroll/i

# Threshold 4 of 4: all three plus a freemail sender.
meta KAM_PAYROLL (__KAM_PAYROLL1 + __KAM_PAYROLL2 + __KAM_PAYROLL3 + FREEMAIL_FROM >= 4)
describe KAM_PAYROLL Payroll spammers
score KAM_PAYROLL 6.0
7692
#FAKE ZIX
# Sender is not zixmessagecenter.com (negated; hits on any other sender),
# Zix-style subject, "security system"/"view document" body text, and a link to
# dynamics.com or an .htm/.html file. ZIX1 and ZIX4 are broad on their own;
# the meta needs all four.
header __KAM_FAKE_ZIX1 From:addr !~ /zixmessagecenter.com/i
header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message|remittance advice/i
body __KAM_FAKE_ZIX3 /security system|view document/i
uri __KAM_FAKE_ZIX4 /dynamics\.com|\.html?/i

# Threshold 4 of 4.
meta KAM_FAKE_ZIX ( __KAM_FAKE_ZIX1 + __KAM_FAKE_ZIX2 + __KAM_FAKE_ZIX3 + __KAM_FAKE_ZIX4 >=4)
describe KAM_FAKE_ZIX Fake Zix Email
score KAM_FAKE_ZIX 6.0
7702
#FAKE AMAZON
header __KAM_FAKE_AMAZON1 Subject =~ /Quick Request/i
body __KAM_FAKE_AMAZON2 /have an (Amazon account|account with amazon)/i

# Threshold 4 of 4: subject, body phrase, freemail sender and a short body
# (__KAM_BODY_LENGTH_LT_512, defined elsewhere in this ruleset).
meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 4)
describe KAM_FAKE_AMAZON Amazon Account Phishes
score KAM_FAKE_AMAZON 4.5
7710
#BINANCE
# Subject must mention both "income" and crypto-currency.
header __KAM_BINANCE1A Subject =~ /income/i
header __KAM_BINANCE1B Subject =~ /crypto.?currenc/i

# Affiliate/pyramid pitch phrases and the Binance brand name.
body __KAM_BINANCE2 /affiliate link/i
body __KAM_BINANCE3 /lifetime commission/i
body __KAM_BINANCE4 /Friends and associates/i
body __KAM_BINANCE5 /Binance/i

# Three groups, each worth 1 and all required: both subject terms, at least
# two of the three pitch phrases, and "Binance" in the body.
meta KAM_BINANCE (( __KAM_BINANCE1A + __KAM_BINANCE1B >=2) + (__KAM_BINANCE2 + __KAM_BINANCE3 + __KAM_BINANCE4 >=2) + ( __KAM_BINANCE5 >= 1) >= 3)
score KAM_BINANCE 6.0
describe KAM_BINANCE Pyramid crypto scams
7723
#FAKE DMCA
# "DMCA Tech"-style display name and a DMCA address, plus the complaint,
# "your device violates" and "cancel subscription" body text.
header __KAM_FAKE_DMCA1 From:name =~ /DMCA.?Tech/i
header __KAM_FAKE_DMCA2 From:addr =~ /DMCA/i
body __KAM_FAKE_DMCA3 /text of the complaint/i
body __KAM_FAKE_DMCA4 /your device violates/i
body __KAM_FAKE_DMCA5 /cancel subscription/i

# Threshold 5 of 5: all sub-rules required.
meta KAM_FAKE_DMCA ( __KAM_FAKE_DMCA1 + __KAM_FAKE_DMCA2 + __KAM_FAKE_DMCA3 + __KAM_FAKE_DMCA4 + __KAM_FAKE_DMCA5 >=5 )
describe KAM_FAKE_DMCA Fake DMCA Notice
score KAM_FAKE_DMCA 7.5
7734
#Claritox
header __KAM_CLARITOX1 From:name =~ /claritox/i
header __KAM_CLARITOX2 Subject =~ /Brain infection/i
# nosubject: the body rules do not scan the Subject line, so the subject
# and body hits are counted independently.
body __KAM_CLARITOX3 /claritox/i
tflags __KAM_CLARITOX3 nosubject
body __KAM_CLARITOX4 /brain infection/i
tflags __KAM_CLARITOX4 nosubject

# Threshold: any 3 of the 4 sub-rules.
meta KAM_CLARITOX ( __KAM_CLARITOX1 + __KAM_CLARITOX2 + __KAM_CLARITOX3 + __KAM_CLARITOX4 >= 3 )
describe KAM_CLARITOX Product du Jour Spam
score KAM_CLARITOX 4.5
7746
#BAD Canva
# Canva-hosted link plus the odd "link will not work for only recipients"
# wording; the domain match alone is not scored.
uri __KAM_BAD_CANVA1 /\.canva\.com/i
body __KAM_BAD_CANVA2 /link will not work for only recipients/i

# Threshold 2 of 2.
meta KAM_BAD_CANVA ( __KAM_BAD_CANVA1 + __KAM_BAD_CANVA2 >= 2 )
describe KAM_BAD_CANVA Fake link from Canva for phishing
score KAM_BAD_CANVA 5.0
7754
#FAKE EXCEL
# Whole group is guarded: mimeheader rules need the MIMEHeader plugin.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
body __KAM_FAKE_EXCEL1 /details is in Excel File/i
# A MIME part whose Content-Type names an "excel.htm(l)" file - an HTML
# attachment posing as a spreadsheet.
mimeheader __KAM_FAKE_EXCEL2 Content-Type =~ /excel.html?/i

# Threshold 2 of 2.
meta KAM_FAKE_EXCEL ( __KAM_FAKE_EXCEL1 + __KAM_FAKE_EXCEL2 >= 2 )
describe KAM_FAKE_EXCEL Excel Phishing Scam
score KAM_FAKE_EXCEL 6.0
endif
7764
#ZOHO EXPLOIT
# Zoho Forms / Zoho Insights link combined with prize or expiry lures and a
# sweepstakes/password mention.
uri __KAM_ZOHO1 /zfrmz\.com|zohoinsights\.com/i
body __KAM_ZOHO2 /congrats on win|selected as the winner|expiration notice/i
body __KAM_ZOHO3 /sweepstakes|password/i

# Threshold 3 of 3.
meta KAM_ZOHO ( __KAM_ZOHO1 + __KAM_ZOHO2 + __KAM_ZOHO3 >= 3 )
describe KAM_ZOHO Zoho form or insights exploit
score KAM_ZOHO 4.5
7773
#FAKE AFFIL ADS
# From header naming a brand followed by "Affil"/"partner", or one of the
# listed product names outright.
header __KAM_FAKE_AFFIL1 From =~ /(eharmony|Get.?Gutter.?Protection|Hello.?Fresh).*(Affil|partner)|(American.?Home.?Warranty|Renewal.?by.?anders.n|TruGreen.?Lawn.?Service|Blissy|Energy.?Bill.?Cruncher|Amy.?Myers|1-ink|Tommy.?Chong|Burial.?Insurance|walk.?in.?tub)/i
uri __KAM_FAKE_AFFIL2 /cdn\.mpp-stage\.com|cdn\.tedbvi\.com/i
# ATT<n>.htm attachment part; only defined when the MIMEHeader plugin is loaded.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_AFFIL3 Content-Type =~ /ATT\d+\.htm/i
endif

# Threshold 3 of 3. Unlike KAM_FAKE_EXCEL the meta sits outside the plugin
# guard, so without MIMEHeader it references an undefined sub-rule and
# presumably can never reach the threshold - confirm with --lint.
meta KAM_FAKE_AFFIL ( __KAM_FAKE_AFFIL1 + __KAM_FAKE_AFFIL2 + __KAM_FAKE_AFFIL3 >= 3)
describe KAM_FAKE_AFFIL Fake Affiliates Garbage
score KAM_FAKE_AFFIL 4.5
7784
7785
7786 #header __KAM_SIREN1 From =~ /Portable Defense Siren/i
7787
7788
#TELEGRA.PH being exploited
# Any telegra.ph link scores on its own; also counted inside KAM_PHARMA below.
uri KAM_TELEGRA /https?:\/\/telegra\.ph/i
describe KAM_TELEGRA Service being exploited by spammers
score KAM_TELEGRA 5.0
7793
#PHARMA SPAMS
# Needs the ReplaceTags plugin: __KAM_PHARMA_1 uses the <I1> tag, which the
# plugin expands to its configured set of look-alike "i" characters
# (tag definition lives elsewhere in the ruleset).
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_PHARMA_1

header __KAM_PHARMA_1 From =~ /Canad<I1>an Pharma/i
body __KAM_PHARMA_2 /Online Pharmacy|No Prescription/i

# Threshold: any 2 of the From match, the body phrase and a telegra.ph link.
meta KAM_PHARMA ( __KAM_PHARMA_1 + __KAM_PHARMA_2 + KAM_TELEGRA >= 2)
describe KAM_PHARMA Online Pharmacy Spam
score KAM_PHARMA 3.0
endif
7805
#TWO EMAILS OBFUSCATION
# Internal rule (KAMOnly guard): two addresses in From, an iframe and missing
# headers - all three required.
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta GB_2_EMAILS ( __PDS_FROM_2_EMAILS + KAM_IFRAME + MISSING_HEADERS >= 3)
describe GB_2_EMAILS Phishing Emails using 2 Emails and Other Tricks for Obfuscation
score GB_2_EMAILS 4.5
endif
7812
#DRONE SPAM
header __KAM_DRONE2_1 From:name =~ /x.?pro|drone/i
header __KAM_DRONE2_2 Subject =~ /(best|4k) drone|drone x.?pro/i
# nosubject: body hit is counted separately from the Subject rule above.
body __KAM_DRONE2_3 /(best|x.?pro) drone|drone x.?pro/i
tflags __KAM_DRONE2_3 nosubject

# Threshold 4 of 4, including unsubscribe boilerplate
# (__KAM_SUBSCRIPTION_INFO, defined later in this file).
meta KAM_DRONE2 ( __KAM_DRONE2_1 + __KAM_DRONE2_2 + __KAM_DRONE2_3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_DRONE2 Drone Spam
score KAM_DRONE2 6.0
7822
#SANDAL SPAM
header __KAM_SANDAL1 From:name =~ /quickdry sandal/i
header __KAM_SANDAL2 Subject =~ /on your feet|uncomfortable shoes|comfiest sandal|with any outfit|with every step/i
# nosubject: body hit is counted separately from the Subject rule above.
body __KAM_SANDAL3 /quickdry sandal/i
tflags __KAM_SANDAL3 nosubject

# Threshold 4 of 4, including unsubscribe boilerplate (__KAM_SUBSCRIPTION_INFO).
meta KAM_SANDAL ( __KAM_SANDAL1 + __KAM_SANDAL2 + __KAM_SANDAL3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_SANDAL Shoe Spam (don't bother me...)
score KAM_SANDAL 6.0
7832
#FAT SPAM
# From:name /fat/ is very broad on its own; the meta needs all four parts.
header __KAM_FAT1 From:name =~ /fat/i
header __KAM_FAT2 Subject =~ /melt \d.?(lb|pound)/i
body __KAM_FAT3 /island tonic|maverick doctor/i
tflags __KAM_FAT3 nosubject

# Threshold 4 of 4, including unsubscribe boilerplate (__KAM_SUBSCRIPTION_INFO).
meta KAM_FAT ( __KAM_FAT1 + __KAM_FAT2 + __KAM_FAT3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_FAT Weightloss Spam
score KAM_FAT 6.0
7842
#CAMERA SPAM
header __KAM_CAMERA1 From:name =~ /ultrazoom/i
header __KAM_CAMERA2 Subject =~ /(HD|Super) telescope/i
body __KAM_CAMERA3 /super telephoto zoom/i
tflags __KAM_CAMERA3 nosubject

# Threshold 4 of 4, including unsubscribe boilerplate (__KAM_SUBSCRIPTION_INFO).
meta KAM_CAMERA ( __KAM_CAMERA1 + __KAM_CAMERA2 + __KAM_CAMERA3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_CAMERA Camera Lens Spam
score KAM_CAMERA 6.0
7852
#SUBSCRIPTION META
# Helper used by the product-spam metas above (KAM_DRONE2, KAM_SANDAL, KAM_FAT,
# KAM_CAMERA): hits on the stock __SUBSCRIPTION_INFO or on our own
# unsubscribe phrases.
body __KAM_UNSUBSCRIBE /can always unsubscribe|unsubscribe here|stop receiving e?mail|send post-?mail/i

meta __KAM_SUBSCRIPTION_INFO ( __SUBSCRIPTION_INFO + __KAM_UNSUBSCRIBE >= 1)
7857
7858
#QUOTATION PHISH
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# "quotation.htm(l)" attachment part, Quotation subject, "accounts" sender.
mimeheader __KAM_QUOTATION1 Content-Type =~ /quotation\.html?/i
header __KAM_QUOTATION2 Subject =~ /Quotation/i
header __KAM_QUOTATION3 From =~ /accounts/i

# Threshold 4 of 4: the three above plus an SPF soft-fail or fail.
meta KAM_QUOTATION ( __KAM_QUOTATION1 + __KAM_QUOTATION2 + __KAM_QUOTATION3 + (SPF_SOFTFAIL + SPF_FAIL >=1) >= 4)
describe KAM_QUOTATION Quotation Phishes
score KAM_QUOTATION 6.0
endif
7868
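#Sexually Explicit Spam
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Subject lures (duplicate "ready for me" alternative removed; "Hello" alone is
# very broad, which the 5-term threshold below compensates for).
header __KAM_SEX2_1 Subject =~ /ready for me|Hello|Wet Invitation|Hi I'm|have fun|good evening|private hangout|sex chat/i
body __KAM_SEX2_2 /dating site|bad girls|sexual community|discreet dating|pay for a chat|lover|horny|(adult|sex) chat|free women/i
#LINK REL
body __KAM_SEX2_3 /flirt for free|Fuck.?Free|sex.?club|naked glory|free.?sex|start writing me|canada.?sex|hot greetings|private hangout/i
# Image attachment part and a country-prefixed link host (au./en./ca./canada.).
mimeheader __KAM_SEX2_4 Content-type =~ /\.(jpe?g|png)\"?$/i
uri __KAM_SEX2_5 /https?:\/\/(au|en|cad?|canada)\./i

# Threshold: any 5 of 6 terms - the four content rules, (short message OR
# country-prefixed link), and a freemail sender.
meta KAM_SEX2 ( __KAM_SEX2_1 + __KAM_SEX2_2 + __KAM_SEX2_3 + __KAM_SEX2_4 + (KAM_SHORT + __KAM_SEX2_5 >=1) + FREEMAIL_FROM >= 5)
# Typo fixed in the description ("Sapm").
describe KAM_SEX2 Sexually Explicit Spam
score KAM_SEX2 15.0
endif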
7882
#FAKE ADOBE
header __KAM_FAKE_ADOBE1 Subject =~ /(file|Document) Received/i
# Zoho Insights link (same host also used by KAM_ZOHO).
uri __KAM_FAKE_ADOBE2 /zohoinsights\.com/i
body __KAM_FAKE_ADOBE3 /sign in required|download to view/i
body __KAM_FAKE_ADOBE4 /received a pdf|pdf document has been shared/i

# Threshold 4 of 4.
meta KAM_FAKE_ADOBE ( __KAM_FAKE_ADOBE1 + __KAM_FAKE_ADOBE2 + __KAM_FAKE_ADOBE3 + __KAM_FAKE_ADOBE4 >= 4)
describe KAM_FAKE_ADOBE Fake Adobe Email
score KAM_FAKE_ADOBE 6.0
7892
#PEAK BUSINESS FINANCE
# Sender-address match scored directly (no meta).
header KAM_PEAK From:addr =~ /peak.*business.*financ/i
describe KAM_PEAK Finance Spammer
score KAM_PEAK 7.0
7897
#FROM PRODUCT SPAMs
# Month-by-month lists of product/campaign names seen in the From header.
# Each list is a single alternation; ".?" between words allows one optional
# separator character (space, dot, dash, ...).
header __KAM_FROM_SPAM_NOV21 From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats|Grease.?Your.?Knee|late.?night.?peeing|Landscaping.?Ideas|hot.?new.?gadget|Tetrus.?LED.?Lighting|Weedkiller.?Injury|Compressa.?Relief|Shed.?Building.?Guide|plans?.?for.?shed|increase.?size|herpes.?cure|Human.?reproductive.?system|body.?shaper|ear.?wax.?remover|vital.?flow|curious.?finds|get.?skinny.?chocolate|Home.?Depot.?Shopper.?Feedback|modern.?woman|EU.?Business.?Register|comfy.?shoes/i

header __KAM_FROM_SPAM_DEC21 From =~ /Heater.?Pro.?X|Neck.?Massager|Cinna.?Chroma|Sibgazinvest|Striction.?Blood|blood.?pressure.?warning|stamina.?pro|Smart.?Holder.?Pro|Smart.?phone.?Gloves|WiFi.?Ultraboost|HD.?telescope|Doctor.?Holmes\'s.?co.?op|variety.?store.?kerry|Suzi\'s.?potion|Antiseptic.?cathy|flat.?tummy.?recipe|bye.?big.?tummy|Skincell.?2|nail.?dry.?pro|muscle.?relax.?pro|easy.?slippers/i

header __KAM_FROM_SPAM_JAN22 From =~ /Puppy.?Pet.?Ball|ultimate.?keto.?meal|steel.?bite.?pro|he?rpa.?greens|HAIR.?REVITAL|peak.?biome|energy.?cube.?system|perfect.?flush|make.?money.?online|Stops?.?Herpes|blood.?pressure.?911|Fat.?Burning|Personal.?power.?plant|sqribblee.?book.?creator|special.?launch.?price|ringing.?ears|fading.?memory|big.?stomach|apple.?cider.?vinegar|glucofort|do.?this.?at.?breakfast|immune.?defense|sonus.?complete.?basic|introducing.?exi.?pure|blood.?sugar.?defense|shed.?plan|obsession.?method|5g.?male|cold.?war.?generator|tinnitus.?(terminator|guard)|keto.?advantage|senior.?saving.?club|exipure|gold.?plated.?coin|trump.?coin|Prostate.?relief|acida.?burn|back.?pain|fungus.?treat|herpa.?green|neck.?massage|Silencil|\@advid|kishor.?exports|fatty.?liver|gluca.?fix|reservation.?diet|high.?blood.?pressure|energy.?bill.?crunch|muscle.?care|fast charger pro|Tv.?Share.?Max|bar.?x.?health|canad(a|ian).?drug.?store|Duramax.?Fence|vid.?toon|online.?pharmacy|viagra.?shop|circa.?knee|Shoppers.?Drug.?Mart|royal.?numerology/i

header __KAM_FROM_SPAM_FEB22 From =~ /Swag.?Envy|Turn.?Text.?to.?speech|cart.?bloom|Pierre.?Omidyar|copper.?zen.?socks|Muama.?Ryoko|Mindinsole|clipper.?pro|nerve.?control|arthritis.?relief|sleep.?connection|lose.?it.?now|Pioneer.?Travels|bathroom.?remodel/i

# Deliberately NOT part of KAM_FROM_SPAM: "solar panels" alone is too common,
# so it only scores together with a bad TLD (KAM_FROM_SPAM_TLD below).
header __KAM_FROM_SPAM_FEB22_TLD From =~ /solar.?panels/i

header __KAM_FROM_SPAM_MAR22 From =~ /Whos.?who|ray.?ban|simple.?home.?quotes|laundry.?masher|embarr?ass?ing.?toe|miracle.?sheets|nail.?fungus|Smartcam|tactical.?drone|owl.?vision|hulk.?heater|wifi.?repeater|gluco.?flow.?supplement|blood.?sugar.?blaster|dr\..?phil.?news|Muama.?Ryok|usmile.?pro|power.?pod|never.?snore|snore.?stop|(^|\")usmile|bye.?bye.?fat|chemist.?s.?shop|married.?women|potent.?CBD|diabetes.?gone|US.?concealed.?online|gift.?card.?chance|cardio.?clear|one.?monthly.?fee|online.?learn.?piano|coffee.?secret|shark.?tank.?keto|rots.?your.?teeth|stronger.?vision|Norton.?Lifelock|instant.?translator/i

header __KAM_FROM_SPAM_APR22 From =~ /snoring.?fix|automix|circa.?knee|zoomshot.?pro|Instant.?translator|prostate.?health|stay.?dry.?202|battery.?vault|goodbye.?diabetes|bad eyes|createxdigital|\@.{0,8}advids\.|\@deszy|\@devacc\./i

header __KAM_FROM_SPAM_MAY22 From =~ /butter.?on.?toast|exobone|sharp.?ear|news.?reward.?exclusive|AirBuds|earbuds|Massage.?gun|directaxis|sanlamfinance|grants.?for.?homeowner|manchester.?collection|Power.?drill.?(confirmation|surprise)|gift.?card.?shipment|fast.?keto.?diet|(energy|bill).?cruncher|fun.?drops.?cbd|easy.?warm.?floor|home.?loan.?analyst.?offer/i

header __KAM_FROM_SPAM_JUN22 From =~ /Finance.?the.?big.?lie|cbd.?gumm|vet.?savings|Keto.?maxx|unbreakable.?brain|brain.?blueprint|just.?gi[zs]mo|ice.?house.?portable|portable.?ac|single.?flirt|painful.?knees|russian?.?(babe|bride)|eyesight.?max|blood.?sugar.?formula|brain.?fix|FOLIFORT|PROCompression.?special|por?table.?oxygen|Special.?Oil|Syno.?gut|blissy.?offer|WarHawk.?Binoculars|keto.?diet|match.?seniors|no.?more.?pin.?pricks|Doctors?.?shock|20.?20.?Vision|Windows.?Defender.?Order|fat.?burner/i

header __KAM_FROM_SPAM_JUL22 From =~ /Horrific.?Back|fat.?reducer|smart.?watch|chill.?well|blurred.?vision|Family.?savings|Revifol\.com|Fluxactive|eye.?herb|eco.?chip|Lumbar.?Correct|Air.?Flops|Getinstahard\.com|neurodrine|air.?cooly|Bladder.?relief|Doctor.?Inflammation|Shrink.?your.?prostate|RetailMarketingPro|back.?to.?life/i

header __KAM_FROM_SPAM_AUG22 From =~ /a1c.?fix|LeafProtect\.com|ServicePlus\.Home|Golden.?fx|Arcti.?FREEZE|RensaClub\.com|\@advid\-|nail.?infection|pain.?relief.?sock|leaf.?filter|toxic.?foot|nails.?fungus|cat.?spraying|big.?pharma|vision.?enhancing|battery.?recondition|injecting.?fat|mosquito.?light|black.?surge|tinnitus.?911|sugar.?balance|cardio.?clear|compression.?sock|balanced.?blood|Sqribble|ukraine.?(beauty|bride)|instahard|shop.?icehouse|vital.?flow|Discount.?is.?ready|cinch.?home.?protection|home.?protection.?plan|zander.?term|easy.?canvas.?prints|home.?warranty.?offer|toxic.?water|keto.?202\d|wifi.?booster|restore.?gummies|-advids\.|lost.?superfoods|vantis.?life|roofing.?quote|maasalong|flux.?active|hot.?russian|serious.?daters|anderson.?affiliate|instant.?translator|clipper.?pro|scientific.?nail|6.?secrets|singles.?offer|lower.?my.?bill|SplashWines\.com|leafprotect\.com|columbian.?girl|wifi.?ultraboost|\@clum-?(video|creat)|deadly.?sex|Vita.?Firm/i

header __KAM_FROM_SPAM_SEP22 From =~ /Select.?Quote.?(offer|affiliate|insurance)|light.?bulb.?camera|pitney.?bowes.?presort|carshield.?quote|neckcool|zinc7|term.?life.?insurance|detox.?shower|protection.?from.?pests|Pest.?defense|Life.?Omic|pipelinersales|\.kalendar/i

header __KAM_FROM_SPAM_OCT22 From =~ /Barx.?Busy.?Ball|Nationwide.?Home.?protection|Social Diger|Splash Wine|Holiday.?Wallet.?Guru|no.?more.?joint.?pain|poop.?out.?fat/i

# "lT Service Desk" is spelled with a lowercase L, which under /i matches
# "lt"/"LT" but not a real "IT" - presumably a deliberate look-alike catch;
# confirm before "correcting" it.
header __KAM_FROM_SPAM_NOV22 From =~ /liveto.?accelerator|tupi.?tea|lT Service Desk|free.?spins?.?Canada|eye.?bag.?cream|amylase.?benefit|bladder.?leak|\@.{0,8}saasee\.|\@saasee|japanese.?delicacy|insure.?my.?car|businesspronews|CFOtrends|COOupdate|\@whizzbridge|phototrakk/i

# Any single monthly list hit is enough (threshold 1).
meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 >= 1)
describe KAM_FROM_SPAM From Indicates a Product Spam
score KAM_FROM_SPAM 6.75

# The TLD variant requires both the From match and KAM_SOMETLD_ARE_BAD_TLD
# (defined elsewhere in this ruleset).
meta KAM_FROM_SPAM_TLD ( __KAM_FROM_SPAM_FEB22_TLD + KAM_SOMETLD_ARE_BAD_TLD >= 2)
describe KAM_FROM_SPAM_TLD From and TLD Indicates a Product Spam
score KAM_FROM_SPAM_TLD 7.75
7934
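#EVIL NUMBERS
# Phone numbers observed in scam mail. Every entry has the shape
#   1.?\(?AAA\)?SEP?PPP SEP?NNNN
# where SEP is [-\. ]; the first twelve entries use an optional separator
# ("?"), the later ones require at least one ("+?"), so an unformatted
# 10-digit run only matches the early entries. A trailing (\b|$) stops the
# number from matching inside a longer digit string.
#
# Corrections vs. the previous version of this line:
#  - the 888-436-0785 entry had a stray "-" before the last group
#    ("[-\. ]+?-0785"), which only matched a doubled separator ("436--0785");
#  - the 877-208-4319 entry was listed twice;
#  - the single rule line is kept unwrapped (a wrapped regex breaks the rule).
#
#1.?\(?213\)?[-\. ]+?260[-\. ]+?3712
body __KAM_EVIL_NUMBERS1 /(1.?\(?833\)?[-\. ]?900[-\. ]?0864|1.?\(?818\)?[-\. ]?275[-\. ]?7971|1.?\(?855\)?[-\. ]?357[-\. ]?8754|1.?\(?888\)?[-\. ]?683[-\. ]?2877|1.?\(?800\)?[-\. ]?363[-\. ]?9576|1.?\(?888\)?[-\. ]?501[-\. ]?3532|1.?\(?770\)?[-\. ]?406[-\. ]?6871|1.?\(?213\)?[-\. ]?260[-\. ]?3712|1.?\(?844\)?[-\. ]?984[-\. ]?0636|1.?\(?877\)?[-\. ]?483[-\. ]?0915|1.?\(?845\)?[-\. ]?393[-\. ]?0745|1.?\(?888\)?[-\. ]?505[-\. ]?1735|1.?\(?888\)?[-\. ]+?987[-\. ]+?6497|1.?\(?855\)?[-\. ]+?459[-\. ]+?2056|1.?\(?804\)?[-\. ]+?889[-\. ]+?0912|1.?\(?888\)?[-\. ]+?246[-\. ]+?8525|1.?\(?888\)?[-\. ]+?366[-\. ]+?2749|1.?\(?816\)?[-\. ]+?376[-\. ]+?8830|1.?\(?877\)?[-\. ]+?509[-\. ]+?8177|1.?\(?888\)?[-\. ]+?385[-\. ]+?8394|1.?\(?805\)?[-\. ]+?429[-\. ]+?2880|1.?\(?888\)?[-\. ]+?260[-\. ]+?7583|1.?\(?808\)?[-\. ]+?444[-\. ]+?7474|1.?\(?888\)?[-\. ]+?225[-\. ]+?0087|1.?\(?818\)?[-\. ]+?447[-\. ]+?4686|1.?\(?845\)?[-\. ]+?481[-\. ]+?2002|1.?\(?888\)?[-\. ]+?337[-\. ]+?3512|1.?\(?888\)?[-\. ]+?865[-\. ]+?0443|1.?\(?801\)?[-\. ]+?326[-\. ]+?4945|1.?\(?888\)?[-\. ]+?457[-\. ]+?7953|1.?\(?888\)?[-\. ]+?712[-\. ]+?0714|1.?\(?805\)?[-\. ]+?220[-\. ]+?9060|1.?\(?888\)?[-\. ]+?216[-\. ]+?7674|1.?\(?888\)?[-\. ]+?219[-\. ]+?8757|1.?\(?888\)?[-\. ]+?376[-\. ]+?0079|1.?\(?888\)?[-\. ]+?806[-\. ]+?2548|1.?\(?808\)?[-\. ]+?736[-\. ]+?6567|1.?\(?805\)?[-\. ]+?250[-\. ]+?1682|1.?\(?808\)?[-\. ]+?649[-\. ]+?5251|1.?\(?888\)?[-\. ]+?884[-\. ]+?3596|1.?\(?888\)?[-\. ]+?850[-\. ]+?1879|1.?\(?888\)?[-\. ]+?672[-\. ]+?7156|1.?\(?801\)?[-\. ]+?833[-\. ]+?0315|1.?\(?808\)?[-\. ]+?755[-\. ]+?6084|1.?\(?859\)?[-\. ]+?888[-\. ]+?2341|1.?\(?833\)?[-\. ]+?685[-\. ]+?4054|1.?\(?888\)?[-\. ]+?394[-\. ]+?0278|1.?\(?888\)?[-\. ]+?992[-\. ]+?1779|1.?\(?888\)?[-\. ]+?399[-\. ]+?0394|1.?\(?888\)?[-\. ]+?982[-\. ]+?7639|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?877\)?[-\. ]+?232[-\. ]+?6467|1.?\(?855\)?[-\. ]+?630[-\. ]+?3663|1.?\(?808\)?[-\. ]+?470[-\. ]+?7449|1.?\(?888\)?[-\. ]+?803[-\. ]+?6039|1.?\(?920\)?[-\. ]+?354[-\. ]+?6236|1.?\(?888\)?[-\. ]+?803[-\. ]+?3130|1.?\(?888\)?[-\. ]+?436[-\. ]+?0785|1.?\(?855\)?[-\. ]+?948[-\. ]+?3820|1.?\(?888\)?[-\. ]+?662[-\. ]+?7908|1.?\(?888\)?[-\. ]+?350[-\. ]+?3529|1.?\(?808\)?[-\. ]+?501[-\. ]+?0625|1.?\(?833\)?[-\. ]+?216[-\. ]+?0511|1.?\(?833\)?[-\. ]+?552[-\. ]+?7144|1.?\(?800\)?[-\. ]+?526[-\. ]+?5742|1.?\(?806\)?[-\. ]+?839[-\. ]+?6096|1.?\(?727\)?[-\. ]+?498[-\. ]+?4899|1.?\(?808\)?[-\. ]+?318[-\. ]+?2838|1.?\(?877\)?[-\. ]+?409[-\. ]+?1087)(\b|$)/i
#WEIRD FORMAT
# Numbers written with dots/odd grouping to defeat simple digit matching.
# Note "(845)" here is a regex group, not literal parentheses.
body __KAM_EVIL_NUMBERS2 /(845)-458-6\.4\.9\.1|850 3285 455|229 5154 934|585 3660 399/i
#WEIRD CHARS
# Digits separated by optional whitespace.
body __KAM_EVIL_NUMBERS3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/i

# Any one list hit is enough.
meta KAM_EVIL_NUMBERS (__KAM_EVIL_NUMBERS1 + __KAM_EVIL_NUMBERS2 + __KAM_EVIL_NUMBERS3 >= 1)
describe KAM_EVIL_NUMBERS Phone Numbers used by scammers
score KAM_EVIL_NUMBERS 7.0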
7947
#FAKE PRODUCTS USING SHAREPOINT
# "renewed" alone is a common word; it only counts together with the product
# name and the KAM_FAKE_SHAREPOINT rule (defined elsewhere in this ruleset).
body __KAM_FAKE_SHAREPOINT_PRODUCTS1 /bitdefender security cloud/i
body __KAM_FAKE_SHAREPOINT_PRODUCTS2 /renewed/i

# Threshold 3 of 3.
meta KAM_FAKE_SHAREPOINT_PRODUCTS (KAM_FAKE_SHAREPOINT + __KAM_FAKE_SHAREPOINT_PRODUCTS1 + __KAM_FAKE_SHAREPOINT_PRODUCTS2 >= 3)
describe KAM_FAKE_SHAREPOINT_PRODUCTS Spams abusing Sharepoint
score KAM_FAKE_SHAREPOINT_PRODUCTS 3.0
7955
#ODDNAME ENGINE
# Four facets of one lead-generation template: opt-out signature, sales hawk
# phrases, subject, and the product being pitched.
#SIG
body __KAM_ODDNAME_1 /(Respond|Message back|reply).{0,4}(OPT.?OUT|NOT INTERESTED)/i
#HAWK
body __KAM_ODDNAME_2 /we offer|how about a quote|connect for a quote|good time in mind|number to quickly connect|best time to contact|direct line to connect/i
#SUBJ
header __KAM_ODDNAME_3 Subject =~ /best line to reach|payroll|leads|call answering|quick minute|talk tomorrow|available today/i
#WHAT
body __KAM_ODDNAME_4 /high.?speed internet|payroll solution|x more visit|inbound call|marketing (division|arm)|reduce its phone/i

# Threshold 5 of 5: all four facets plus a freemail sender.
meta KAM_ODDNAME ( __KAM_ODDNAME_1 + __KAM_ODDNAME_2 + __KAM_ODDNAME_3 + __KAM_ODDNAME_4 + FREEMAIL_FROM >= 5 )
describe KAM_ODDNAME Engine Hawking Products with Odd rotating business names
score KAM_ODDNAME 7.5
7969
#FAKE HOLD
# Brand in the display name, "on hold" subject/body, and a verify-identity call
# to action.
#from
header __KAM_FAKE_HOLD1 From:name =~ /TD.?Ameritrade/i
#subj
header __KAM_FAKE_HOLD2 Subject =~ /account is on hold/i
#prob
body __KAM_FAKE_HOLD3 /account has been put on hold/i
#action
body __KAM_FAKE_HOLD4 /verify your identity/i

# Threshold 5 of 5: all four plus a short message (KAM_SHORT, defined
# elsewhere in this ruleset).
meta KAM_FAKE_HOLD ( __KAM_FAKE_HOLD1 + __KAM_FAKE_HOLD2 + __KAM_FAKE_HOLD3 + __KAM_FAKE_HOLD4 + KAM_SHORT >= 5)
describe KAM_FAKE_HOLD Fake Account Hold Scams
score KAM_FAKE_HOLD 7.5
7983
#PAYROLL SCANNER
header __KAM_PAYROLL_SCANNER1 From =~ /account/i
header __KAM_PAYROLL_SCANNER2 Subject =~ /payroll/i
# Scanner-style footer: e-mail was sent from "...
body __KAM_PAYROLL_SCANNER3 /e-?mail was sent from \"/i

# Threshold 5 of 5: the three above, an HTML/SHTML attachment (either stock
# T_HTML_ATTACH or our __KAM_SHTML_ATTACH), and an iframe (KAM_IFRAME).
meta KAM_PAYROLL_SCANNER ( __KAM_PAYROLL_SCANNER1 + __KAM_PAYROLL_SCANNER2 + __KAM_PAYROLL_SCANNER3 + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_IFRAME >= 5)
describe KAM_PAYROLL_SCANNER Payroll Scam Emails
score KAM_PAYROLL_SCANNER 7.5
7992
#KAM_REFRESH
#LIKELY NEED MORE EFFICIENT RAPTOR TAG
# rawbody: matches the raw HTML, so the meta-refresh tag is seen even though
# rendered text would not show it. Low score on its own; it is a building
# block for KAM_BAD_HTML below.
rawbody KAM_HTTP_REFRESH /http-equiv=("|')?refresh("|')?/i
describe KAM_HTTP_REFRESH Contains an http refresh
score KAM_HTTP_REFRESH 0.5
7998
#BAD HTML MESSAGES
# Any 3 of: short message, HTML/SHTML attachment, meta refresh, and a body in
# an unwanted language (UNWANTED_LANGUAGE_BODY, stock TextCat rule).
meta KAM_BAD_HTML (KAM_SHORT + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_HTTP_REFRESH + UNWANTED_LANGUAGE_BODY >= 3)
describe KAM_BAD_HTML Email With a likely bad or dangerous html attachment
score KAM_BAD_HTML 6.5
8003
#BAD CONTENT-TYPE
# A part declared image/png whose name ends in .htm/.html/.shtml - a mismatch
# between declared type and filename, typical of attachment-filter evasion.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader KAM_BAD_CONTENT Content-Type =~ /image\/png.*\.s?html?"?$/i
describe KAM_BAD_CONTENT Content likely using evasion techniques
score KAM_BAD_CONTENT 6.0
endif
8010
#FAKE MT BANK
header __KAM_FAKE_MT1 Subject =~ /Important Notice from M&T/i
body __KAM_FAKE_MT2 /Important (message|Notice) From /i
tflags __KAM_FAKE_MT2 nosubject
#3 removed - looking at X-PHP-Originating-Script: or something similar - header __X_PHP_EXISTS ALL =~ /^X-PHP-/m
# Display name claims M&T Bank while the address is not at mtb.com.
header __KAM_FAKE_MT4 From:name =~ /M&T Bank/i
header __KAM_FAKE_MT5 From:addr !~ /mtb\.com/i

# Any 5 of 6 terms: subject, body, short message, PHP-originated
# (__HAS_PHP_ORIG_SCRIPT, defined elsewhere), brand name, and
# (non-mtb.com sender OR SPF fail).
meta KAM_FAKE_MT (__KAM_FAKE_MT1 + __KAM_FAKE_MT2 + KAM_SHORT + __HAS_PHP_ORIG_SCRIPT + __KAM_FAKE_MT4 + (__KAM_FAKE_MT5 + SPF_FAIL >= 1) >= 5)
describe KAM_FAKE_MT Fake Bank Alert Scam
score KAM_FAKE_MT 7.5
8022
#FAKE SHARED DOCUMENT
header __KAM_FAKE_SHARE1 Subject =~ /document shared with you/i
body __KAM_FAKE_SHARE2 /sent you the following/i

# Threshold 3 of 3, including a Google redirect link (KAM_GOOGLE_REDIR,
# defined elsewhere in this ruleset).
meta KAM_FAKE_SHARE ( __KAM_FAKE_SHARE1 + __KAM_FAKE_SHARE2 + KAM_GOOGLE_REDIR >= 3)
describe KAM_FAKE_SHARE Fake sharing email scam
score KAM_FAKE_SHARE 4.5
8030
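#BTC SCAM
header __KAM_BTC1 Subject =~ /btc|bitcoin/i
body __KAM_BTC2 /passive income/i
tflags __KAM_BTC2 nosubject

# Threshold 3 of 3: BTC/bitcoin subject, "passive income" body, and a Google
# redirect link (KAM_GOOGLE_REDIR, defined elsewhere in this ruleset).
# __KAM_BTC1 must be listed here: the previous expression counted __KAM_BTC2
# twice and never used __KAM_BTC1, so the rule fired on "passive income" plus
# a redirect alone and the subject check was dead.
meta KAM_BTC ( __KAM_BTC1 + __KAM_BTC2 + KAM_GOOGLE_REDIR >= 3)
describe KAM_BTC BTC Investment Scam
score KAM_BTC 8.5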
8039
#PHOTO PHISH
# "Here are the photos" lures: the intro line, a "hope they're still relevant"
# line, and a lower-confidence "remember the people in the picture" line.
body __KAM_PHOTOPHISH1 /here are the(se)? (pics|pictures|images|photo)|(here is|forwarded|sent) (this|that) (photo|pic)|have a look|send these pics before|photos from last week/i
body __KAM_PHOTOPHISH2 /(guess|not sure if|hope|presume) (it\'s|they\'re|they are) still (appropriate|related|needed|relevant)|still the right time for them|send them to you way sooner|just occurred to me/i
body __KAM_PHOTOPHISH3 /remember the (m[ae]n|wom[ea]n|girls) (in|on) (the|this) (pic|image|photo)|recall the (guys|girls) on the last \d+\s+pictures|assume you know most of these (guys|girls)/i

# Both lure lines AND at least one URI (__HAS_ANY_URI, stock rule).
meta KAM_PHOTOPHISH (( __KAM_PHOTOPHISH1 + __KAM_PHOTOPHISH2 >= 2) + (__HAS_ANY_URI >= 1) >= 2 )
describe KAM_PHOTOPHISH Photograph phishing scam
score KAM_PHOTOPHISH 7.0

# Lower-confidence variant: the third phrase plus a URI.
meta KAM_PHOTOPHISHLOW __KAM_PHOTOPHISH3 + __HAS_ANY_URI >= 2
describe KAM_PHOTOPHISHLOW Photograph phishing scam [lower confidence]
score KAM_PHOTOPHISHLOW 5.0
8052
#DIRECT DEPOSIT
body __KAM_DIRECTDEPOSIT1 /payroll|pay account/i
body __KAM_DIRECTDEPOSIT2 /(update|Change) my (pay account|Direct deposit)/i
tflags __KAM_DIRECTDEPOSIT2 nosubject
# NOTE(review): no space after "=~" here, unlike the rest of the file; it is in
# production so it presumably parses, but normalising it would aid grep.
header __KAM_DIRECTDEPOSIT3 Subject =~/direct deposit change/i

# Any 3 of 4 terms: the three above and (external sender per
# KAM_RAPTOR_EXTERNAL, defined elsewhere, OR freemail sender).
meta KAM_DIRECTDEPOSIT ( __KAM_DIRECTDEPOSIT1 + __KAM_DIRECTDEPOSIT2 + __KAM_DIRECTDEPOSIT3 + ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1) >= 3)
describe KAM_DIRECTDEPOSIT Direct Deposit Phish
# Internal installs (KAMOnly) on a SpamAssassin with subjprefix support tag
# the Subject with [Phish].
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_DIRECTDEPOSIT [Phish]
endif
endif
score KAM_DIRECTDEPOSIT 4.5
8067
# Guarded by OLEVBMacro because the meta needs KAM_OLEMACRO_RENAME (defined
# elsewhere in this ruleset).
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
#MAL INVOICE
header __KAM_MALINVOICE1 Subject =~ /Tax Invoice/i
body __KAM_MALINVOICE2 /tax invoice/i
tflags __KAM_MALINVOICE2 nosubject
# NOTE(review): this mimeheader rule is not inside a MIMEHeader plugin guard,
# unlike the other mimeheader rules in this file - confirm OLEVBMacro implies
# MIMEHeader on your install, or nest an ifplugin as KAM_DIRECTDEPOSIT does.
# Matches a "Form...xls" part name (the macro-rename check comes from
# KAM_OLEMACRO_RENAME).
mimeheader __KAM_MALINVOICE3 Content-type =~ /Name=\"?Form.*\.xls\"?$/i

# Threshold 4 of 4.
meta KAM_MALINVOICE ( KAM_OLEMACRO_RENAME + __KAM_MALINVOICE1 + __KAM_MALINVOICE2 + __KAM_MALINVOICE3 >= 4)
describe KAM_MALINVOICE Malicious Invoice with Dangerous Attachment
# Internal installs with subjprefix support tag the Subject with [Malware].
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_MALINVOICE [Malware]
endif
endif
score KAM_MALINVOICE 10.0
endif
8084
#LEAD SUPPLY
# Sender's own footer text; scored directly, no meta.
body KAM_LEAD_SUPPLY /The Lead Supply via marketing services from The Email Bureau|The Email Bureau Limited/i
describe KAM_LEAD_SUPPLY Spam from Lead Supply
score KAM_LEAD_SUPPLY 10.0
8089
#FAKE LINKEDIN
# "Linkedin" display name with an address that is not at linkedin.com
# (or is at googleusercontent), plus a LinkedIn-notification style subject.
header __KAM_FAKE_LINKEDIN1 From:name =~ /Linkedin/i
header __KAM_FAKE_LINKEDIN2 From:addr !~ /linkedin\.com$/i
header __KAM_FAKE_LINKEDIN2A From:addr =~ /googleusercontent/i
header __KAM_FAKE_LINKEDIN3 Subject =~ /\d+ searches this week|looking at your profile|found by people|matches this job|have \d+ new message|searching for you/i

# Any 3 of 4 terms (2 and 2A will usually hit together).
meta KAM_FAKE_LINKEDIN (__KAM_FAKE_LINKEDIN1 + __KAM_FAKE_LINKEDIN2 + __KAM_FAKE_LINKEDIN2A + __KAM_FAKE_LINKEDIN3 >= 3)
describe KAM_FAKE_LINKEDIN Fake LinkedIn messages
score KAM_FAKE_LINKEDIN 4.5
8099
#INVALID FROM RULE
# From address with no dot or no "@" - not a deliverable address.
header __KAM_GB_INVALID_FROM_NO_DOTS From:addr !~ /\./
header __KAM_GB_INVALID_FROM_NO_AT From:addr !~ /\@/

# Either defect counts, but not for fully trusted / relay-less / bounce mail,
# where a bare or empty From is expected.
meta KAM_GB_INVALID_FROM (__KAM_GB_INVALID_FROM_NO_DOTS + __KAM_GB_INVALID_FROM_NO_AT >= 1) && ! ( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE )
describe KAM_GB_INVALID_FROM From Address is invalid
score KAM_GB_INVALID_FROM 3.0
8107
#FAKE PAYROLL
header __KAM_FAKE_PAYROLL1 Subject =~ /payroll verification/i
#change
body __KAM_FAKE_PAYROLL2 /new payroll directory/i
#oddlang
body __KAM_FAKE_PAYROLL3 /required directive/i
#oddlink
# Link to a boxmode.io site.
uri __KAM_FAKE_PAYROLL4 /\.boxmode\.io/i

# Threshold 4 of 4.
meta KAM_FAKE_PAYROLL ( __KAM_FAKE_PAYROLL1 + __KAM_FAKE_PAYROLL2 + __KAM_FAKE_PAYROLL3 + __KAM_FAKE_PAYROLL4 >= 4)
describe KAM_FAKE_PAYROLL Payroll Scam
score KAM_FAKE_PAYROLL 6.0
8120
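#DATING AD THAT IS EXPLICIT
# Wrapped in the MIMEHeader guard like the other mimeheader rules in this file
# (KAM_FAKE_EXCEL, KAM_QUOTATION, KAM_BAD_CONTENT, ...), so the group is
# skipped cleanly when the plugin is not loaded instead of leaving an
# unparseable mimeheader line and a meta with an undefined dependency.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
body __KAM_DATING1 /women seeking happiness/i
body __KAM_DATING2 /18\+ platform/i
# Image attachment part (.png/.jpg) named in a Content-Type header.
mimeheader __KAM_DATING3 Content-type =~ /\.(png|jpe?g)\"?$/i

# Threshold 4 of 4: both phrases, the image part, and (forged freemail
# Reply-To OR freemail sender).
meta KAM_DATING ( __KAM_DATING1 + __KAM_DATING2 + __KAM_DATING3 + (FREEMAIL_FORGED_REPLYTO + FREEMAIL_FROM >= 1) >= 4)
describe KAM_DATING Explicit Content Dating Advert
score KAM_DATING 4.5
endif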
8129
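#FAKE EFAX
# Sender not at efax.com (dot now escaped: the unescaped form also let an
# address containing "efaxXcom" count as legitimate), eFax-style subject,
# "efax" in the body, and a link to an .htm/.html file.
header __KAM_FAKE_EFAX1 From:addr !~ /efax\.com/i
header __KAM_FAKE_EFAX2 Subject =~ /new fax document/i
body __KAM_FAKE_EFAX3 /efax/i
# Broad on its own; only counts with the other three.
uri __KAM_FAKE_EFAX4 /\.html?/i

# Threshold 4 of 4.
meta KAM_FAKE_EFAX ( __KAM_FAKE_EFAX1 + __KAM_FAKE_EFAX2 + __KAM_FAKE_EFAX3 + __KAM_FAKE_EFAX4 >=4)
# Description corrected; it had been copied from KAM_FAKE_ZIX.
describe KAM_FAKE_EFAX Fake eFax Email
score KAM_FAKE_EFAX 7.0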
8139
#PIPEDRIVE HTML
# Pipedrive tracking link that ends in an .htm/.html/.shtml file.
uri KAM_PIPEDRIVE_HTML /\.pipedrive\.email\/.*\.s?html?/i
describe KAM_PIPEDRIVE_HTML Suspicious HTML Link in an email
score KAM_PIPEDRIVE_HTML 4.0
8144
#GEEKSERVICES
# Same look-alike domain pattern checked in links and in the sender address;
# a renewal/receipt subject or a bitcoin/coinbase body line.
uri __KAM_GEEKSERVICES1 /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i
header __KAM_GEEKSERVICES1A From:addr =~ /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i
header __KAM_GEEKSERVICES2 Subject =~ /receipt|renewal|renewing|subscription/i
body __KAM_GEEKSERVICES2A /bitcoin|coinbase/i

# (domain in link OR sender) AND (subject OR body) - both groups required.
meta KAM_GEEKSERVICES ( (__KAM_GEEKSERVICES1 + __KAM_GEEKSERVICES1A >= 1) + (__KAM_GEEKSERVICES2 + __KAM_GEEKSERVICES2A >= 1) >= 2)
describe KAM_GEEKSERVICES Fake Geek Squad Services
score KAM_GEEKSERVICES 9.0
8154
#FAKE SECURITY ALERT
body __KAM_FAKE_SECURITY1 /Security Alert/i
header __KAM_FAKE_SECURITY2 Subject =~ /(Failed login|Account must be updated)/i

# Threshold 3 of 3, including a Google redirect link (KAM_GOOGLE_REDIR).
meta KAM_FAKE_SECURITY (__KAM_FAKE_SECURITY1 + __KAM_FAKE_SECURITY2 + KAM_GOOGLE_REDIR >= 3)
describe KAM_FAKE_SECURITY Likely a fake security alert
score KAM_FAKE_SECURITY 5.5
8162
#FAKE GEEKSQUAD
# Look-alike sender domains (geek-squad-services<n>., productshipping-hub<n>.);
# scored directly, no meta.
header KAM_FAKE_GEEKSQUAD From:addr =~ /\@geek-?(squad)?\-?services\d+\.|productshipping-?hub\d+\./i
describe KAM_FAKE_GEEKSQUAD Fake Geek Squad Notice
score KAM_FAKE_GEEKSQUAD 7.0
8167
#FAKE GEEKSQUAD VARIANT 2
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Image part named "geeksquad...jpg" (the "receipt" is a picture).
mimeheader __KAM_FAKE_GEEKSQUAD2_1 Content-Type =~ /geeksquad.*\.jpe?g/i
header __KAM_FAKE_GEEKSQUAD2_2 Subject =~ /antivirus receipt/i

# Threshold 3 of 3, including a freemail sender.
meta KAM_FAKE_GEEKSQUAD2 ( __KAM_FAKE_GEEKSQUAD2_1 + __KAM_FAKE_GEEKSQUAD2_2 + FREEMAIL_FROM >= 3)
describe KAM_FAKE_GEEKSQUAD2 Fake Geek Squad Notice
score KAM_FAKE_GEEKSQUAD2 4.5
endif
8177
#FAKE PAYROLL UPDATE
# Payroll-diversion BEC pattern: subject, urgency phrase, and the request to
# change bank/direct-deposit details.
#subj
header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll information update|account information|payroll (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D-?D (pay|information|update)/i
#urg
body __KAM_FAKE_PAY_UPDATE2 /before the next payroll|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay date|Inactive in a few day|right away/i
tflags __KAM_FAKE_PAY_UPDATE2 nosubject
#task
body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) my (bank(ing)?|paycheck|paycheck account) info|new bank(ing)? info|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank/i
tflags __KAM_FAKE_PAY_UPDATE3 nosubject

#sigonly/freemail

# Threshold 4 of 4: freemail sender plus all three content facets.
meta KAM_FAKE_PAY_UPDATE ( FREEMAIL_FROM + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4)
describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam
score KAM_FAKE_PAY_UPDATE 6.0
8193
#ENCRYPTED PAYLOAD
# OneDrive link plus a "password:" line in the body - the pattern of a
# password-protected archive delivered out of band so scanners cannot open it.
uri __KAM_ENCRYPTED_LIVE1 /onedrive\.live\.com/i
body __KAM_ENCRYPTED_LIVE2 /password:/i

# Threshold 2 of 2.
meta KAM_ENCRYPTED_LIVE ( __KAM_ENCRYPTED_LIVE1 + __KAM_ENCRYPTED_LIVE2 >= 2)
describe KAM_ENCRYPTED_LIVE Likely malware payload
score KAM_ENCRYPTED_LIVE 7.0
8201
#HOMEDEPOT SURVEY
# Look-alike domain homedepote.com in the sender address.
header __KAM_HOMEDEPOTE1 From:addr =~ /\@homedepote\.com/i

# Single-term meta (threshold 1); kept as a meta so further terms can be added.
meta KAM_HOMEDEPOTE ( __KAM_HOMEDEPOTE1 >= 1)
describe KAM_HOMEDEPOTE Fake Home Depot Messages
score KAM_HOMEDEPOTE 10.0
8208
#SIGNATURE ONLY VERSION 2.0
# Message whose plaintext body is empty and whose signature block is at least
# 100 characters. Needs SpamAssassin 4.x with the BodyEval plaintext
# body/signature eval functions; on 4.x without them KAM_SIGONLY is defined
# as a constant 0 (presumably so rules that reference it still lint). On
# releases before 4.0 it is not defined at all.
if (version >= 4.000000)
if can(Mail::SpamAssassin::Plugin::BodyEval::has_plaintext_body_sig_ratio)
body __KAM_SIGONLY_BODY_NONE eval:plaintext_body_length('0','0')
body __KAM_SIGONLY_SIG_100 eval:plaintext_sig_length('100')
meta KAM_SIGONLY __KAM_SIGONLY_BODY_NONE && __KAM_SIGONLY_SIG_100
score KAM_SIGONLY 3.5
else
meta KAM_SIGONLY 0
endif
endif
8220
#GAMBLING SPAM
#Pure meta: none of its four inputs are defined in this section. All four
#must hit.
meta KAM_GAMBLING (KAM_MANYTO + KAM_SHORT + FORGED_GMAIL_RCVD + __FREEMAIL_DOC_PDF >= 4)
describe KAM_GAMBLING Emails hawking gambling and similar spams
score KAM_GAMBLING 2.0

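#JUNK_INVOICE
#Invoice-as-image lure: an invoice.jpg attachment, an "[image: invoice"
#placeholder in the body and "Invoice" in the Subject, from a freemail sender.
#mimeheader needs the MIMEHeader plugin, hence the guard.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_JUNK_INVOICE1 Content-Type =~ /invoice\.jpe?g/i
body __KAM_JUNK_INVOICE2 /\[image\:\s+invoice/i
header __KAM_JUNK_INVOICE3 Subject =~ /Invoice/i

#All four inputs must hit (three sub-rules plus stock FREEMAIL_FROM).
meta KAM_JUNK_INVOICE (FREEMAIL_FROM + __KAM_JUNK_INVOICE1 + __KAM_JUNK_INVOICE2 + __KAM_JUNK_INVOICE3 >= 4)
#Every other scored rule in this file carries a describe; without one the
#report shows only the bare rule name.
describe KAM_JUNK_INVOICE Likely a junk invoice sent as an image attachment
score KAM_JUNK_INVOICE 6.0
endif
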
#ONMICROSOFT
#Matches the raw From / Reply-To headers (not just the address part) for a
#sub-domain of onmicrosoft.com.
header __KAM_ONMICROSOFT1 From =~ /[-\.]onmicrosoft\.com/i
header __KAM_ONMICROSOFT2 Reply-To =~ /[-\.]onmicrosoft\.com/i

#Either header hit is enough; auto-replies (__AUTOREPLY_ASU, defined
#elsewhere) are excluded.
meta KAM_ONMICROSOFT (( __KAM_ONMICROSOFT1 + __KAM_ONMICROSOFT2 >= 1) && !__AUTOREPLY_ASU )
describe KAM_ONMICROSOFT Mail from or reply-to an unprovisioned domain on Microsoft 365
score KAM_ONMICROSOFT 4.0

#FAKE INVOICE
#Invoice/ACH wording layered on top of KAM_ONMICROSOFT (defined above).
header __KAM_FAKE_INVOICEMS1 Subject =~ /invoice/i
body __KAM_FAKE_INVOICEMS2 /process ACH/i

#Both KAM_ONMICROSOFT and the pair of sub-rules must hit.
meta KAM_FAKE_INVOICEMS KAM_ONMICROSOFT + ( __KAM_FAKE_INVOICEMS1 + __KAM_FAKE_INVOICEMS2 >= 2) >=2
describe KAM_FAKE_INVOICEMS Fake Invoice Scam
score KAM_FAKE_INVOICEMS 4.5

#FAKE ACE/COSTCO/ETC
#Retail gift-card / voucher lures. __KAM_FAKE_COSTCO2 and __KAM_FAKE_COSTCO3
#use the <O1> ReplaceTags substitution (expanded by the replace_rules line;
#the tag itself is defined outside this section).
replace_rules __KAM_FAKE_COSTCO2 __KAM_FAKE_COSTCO3

#VOUCHER/COUPON
header __KAM_FAKE_COSTCO1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target).*(e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club/i
#FUZZ (brand names with look-alike characters)
body __KAM_FAKE_COSTCO2 /C<O1>stc<O1> (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS St<O1>re|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|em<O1>ney|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from C<O1>stc<O1>|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper/i
tflags __KAM_FAKE_COSTCO2 nosubject
#ODDLANG (non-native phrasing typical of these campaigns)
body __KAM_FAKE_COSTCO3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|epoint|em<O1>ney|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|[\d\.] coupon|\%Subscriber|as an important customer/i
#URGENT (deadline pressure)
body __KAM_FAKE_COSTCO4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? \d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today/i

#High confidence: all four sub-rules hit.
meta KAM_FAKE_COSTCO ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 4)
describe KAM_FAKE_COSTCO Fake Costco/Ace Hardware/etc. coupons
score KAM_FAKE_COSTCO 6.0

#Lower confidence: exactly three of the four hit (the high-confidence rule is
#excluded so the two never score together).
meta KAM_FAKE_COSTCO_LOW !KAM_FAKE_COSTCO && ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 3)
describe KAM_FAKE_COSTCO_LOW Fake Costco/Ace Hardware/etc. coupons (Lower Confidence)
score KAM_FAKE_COSTCO_LOW 4.5

#FAKE ACE
#NOTE(review): "\@.*ace" matches "ace" anywhere in the sender domain, including
#inside unrelated words (e.g. "space", "peace"); the trailing ".*" is
#redundant. The low score and the coupon sub-rule requirement below limit the
#impact, but a tighter pattern would be safer.
header __KAM_FAKE_ACE1 From:addr =~ /\@.*ace.*/i
#Legitimate acehardware.com senders are excluded via the negated match.
header __KAM_FAKE_ACE2 From:addr !~ /acehardware\.com/i

#Both sender tests must hit, plus at least one of the two coupon sub-rules
#from the FAKE ACE/COSTCO section above.
meta KAM_FAKE_ACE ( (__KAM_FAKE_ACE1 + __KAM_FAKE_ACE2 >=2 ) + (__KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 >= 1) >= 2)
describe KAM_FAKE_ACE Possible Ace Hardware Forgery
score KAM_FAKE_ACE 2.0

#BAD SCAN
#Fake "scanned document" notices. Only body/header rules are defined here, so
#the MIMEHeader guard is not needed for them; presumably it is kept because
#T_HTML_ATTACH / __KAM_VM5 (defined elsewhere) depend on that plugin - confirm.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
body __KAM_BAD_SCAN1 /scanned from MFP|\(\d+\) scanned/i
header __KAM_BAD_SCAN2 Subject =~ /scan(ned)? image from MFP/i

#Both sub-rules plus at least one of T_HTML_ATTACH / __KAM_VM5 must hit.
meta KAM_BAD_SCAN ( __KAM_BAD_SCAN1 + __KAM_BAD_SCAN2 + (T_HTML_ATTACH + __KAM_VM5 >= 1) >= 3)
describe KAM_BAD_SCAN Likely a fake scan
score KAM_BAD_SCAN 6.5
endif

#TRADERBOT
#Crypto "trading bot" spam. Five content sub-rules, one attachment/link
#sub-rule pair and FREEMAIL_FROM feed the meta.
#BOT / DEPOSIT
header __KAM_TRADEBOT1 Subject =~ /(auto|crypto|new|unique|trader?).?bot|(minimum|initial) deposit|without invest|automatic machine/i
#EARN
header __KAM_TRADEBOT2 Subject =~ /(raise|earn) from \d+ (\$+|USD|Eur|dollar|a (month|day))|earnings on crypto|\d+ (\$+|euro?|USD|dollars?) (every|per) (month|day)/i
#BOT BODY
body __KAM_TRADEBOT3 /(auto|crypto|new|trader?|unique).?bot|automatic machine|pro tariff|free monthly tariff|fully automatic/i
tflags __KAM_TRADEBOT3 nosubject
#TRADING BODY
body __KAM_TRADEBOT4 /initial deposit|crytpocurrency trading|(field|world) of (trading|crypto)|make money on trading|solution for the trader|without investing|no investment|(find|news) for trader|traders can relax|lazy trader|currency trading/i
tflags __KAM_TRADEBOT4 nosubject
#EARN BODY
body __KAM_TRADEBOT5 /(make|earn) from \d+ (\$+|USD|Eur|dollar)|(earn|make) \d+ (\$+|USD|Eur|dollar)|(over|more than) [\d,]+ (dollar|USD|Eur)/i
tflags __KAM_TRADEBOT5 nosubject

#LINK / ATTACH
#Only 6A needs the MIMEHeader plugin; 6B is a plain body rule and stays
#available without it.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_TRADEBOT6A Content-Type =~ /(earn.?from.?\d+.?(USD|Eur|dollar)|novice.?trader|(auto|crypto|trader?).?bot).*\.pdf"?$/i
endif
body __KAM_TRADEBOT6B /(personal|private|your) (secure )?link|link (below )?from PDF/i

#Six of seven inputs must hit (6A/6B count as one).
meta KAM_TRADEBOT ( __KAM_TRADEBOT1 + __KAM_TRADEBOT2 + __KAM_TRADEBOT3 + __KAM_TRADEBOT4 + __KAM_TRADEBOT5 + (__KAM_TRADEBOT6A + __KAM_TRADEBOT6B >= 1) + FREEMAIL_FROM >= 6 )
describe KAM_TRADEBOT Crypto Currency Trading Spams
score KAM_TRADEBOT 9.0

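#BIDDING/ESTIMATING
#Unsolicited construction bidding / cost-estimating offers.
#NAMES
body __KAM_BIDEST1A /CSI Estimation|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC/i
header __KAM_BIDEST1B From =~ /bidding|estimat/i
header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|takeoffs|take-?off service|(quote|quotation) (to|for) (bid|project|take.?off)/i
#MORE INFO
body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate/i
#TITLE
body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|marketing manager|estimation company/i
#OBFU - literal "(dot)" used to obfuscate a domain. The parentheses must be
#escaped: unescaped they form a capture group and the rule matched the
#letters "dot" inside any word (e.g. "dotted", "anecdote").
body __KAM_BIDEST4 /\(dot\)/i

#Three inputs needed: one name/sender/subject hit, the info request, the job
#title, and either the obfuscation marker or a freemail sender.
meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 )
describe KAM_BIDEST Bidding and Estimating Spam
score KAM_BIDEST 5.5
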
#FAKE BILL
#PayPal "e-bill" notices from an "alert" display name.
header __KAM_FAKE_BILL1 From:name =~ /alert/i
header __KAM_FAKE_BILL2 Subject =~ /e\-bill copy/i
body __KAM_FAKE_BILL3 /Payment mode: Paypal pro\-credits|paypal billing team/i
body __KAM_FAKE_BILL4 /issues with the transaction/i

#All five inputs must hit (four sub-rules plus stock FREEMAIL_FROM).
meta KAM_FAKE_BILL ( __KAM_FAKE_BILL1 + __KAM_FAKE_BILL2 + __KAM_FAKE_BILL3 + __KAM_FAKE_BILL4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_BILL Fake Invoice Scams
score KAM_FAKE_BILL 6.0

#FAKE PO
#Purchase-order status lures carrying an HTML attachment.
body __KAM_FAKE_PO1 /status on our purchase order/i
header __KAM_FAKE_PO2 Subject =~ /PO \d+/i
body __KAM_FAKE_PO3 /attached/i

#All three sub-rules plus T_HTML_ATTACH (defined elsewhere) must hit.
meta KAM_FAKE_PO (__KAM_FAKE_PO1 + __KAM_FAKE_PO2 + __KAM_FAKE_PO3 + T_HTML_ATTACH >= 4)
describe KAM_FAKE_PO Fake Purchase Orders
score KAM_FAKE_PO 6.0

#FAKE AGING REPORT
#Requests for an accounts-receivable "aging report" (customer contact data).
header __KAM_FAKE_AGING1 Subject =~ /Aging Report/i
body __KAM_FAKE_AGING2 /current aging report/i
tflags __KAM_FAKE_AGING2 nosubject
body __KAM_FAKE_AGING3 /treat it as urgent/i
body __KAM_FAKE_AGING4 /email addresses in an excel/i

#All four sub-rules plus KAM_RAPTOR_EXTERNAL (defined elsewhere) must hit.
meta KAM_FAKE_AGING ( __KAM_FAKE_AGING1 + __KAM_FAKE_AGING2 + __KAM_FAKE_AGING3 + __KAM_FAKE_AGING4 + KAM_RAPTOR_EXTERNAL >= 5)
describe KAM_FAKE_AGING Phishes for Financial Information
score KAM_FAKE_AGING 7.5

#PAYPAL FREEMAIL
#"PayPal" display name on a freemail sender.
header __KAM_PAYPAL_FREEMAIL1 From:name =~ /paypal/i
#Disabled sub-rule, kept for reference; it is not referenced by the meta.
#body __KAM_PAYPAL_FREEMAIL2 /crypto.?currency/i

meta KAM_PAYPAL_FREEMAIL ( FREEMAIL_FROM + __KAM_PAYPAL_FREEMAIL1 >= 2)
describe KAM_PAYPAL_FREEMAIL PayPal spoofs from Freemail Addresses
score KAM_PAYPAL_FREEMAIL 4.5

#FAKE DOCUSIGN
#A docusign.png MIME part together with an HTML attachment. mimeheader needs
#the MIMEHeader plugin, hence the guard.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_DOCUSIGN1 Content-Type =~ /docusign\.png/i

#Both inputs must hit (T_HTML_ATTACH is defined elsewhere).
meta KAM_FAKE_DOCUSIGN (__KAM_FAKE_DOCUSIGN1 + T_HTML_ATTACH >= 2)
describe KAM_FAKE_DOCUSIGN Fake Docusign Document
score KAM_FAKE_DOCUSIGN 3.0
endif

#FAKE REIMB
#Reimbursement-request scams; every sub-rule and FREEMAIL_FROM must hit.
header __KAM_FAKE_REIMB1 Subject =~ /assistance/i
#HOW
body __KAM_FAKE_REIMB2 /mobile transfer/i
#MONEY
body __KAM_FAKE_REIMB3 /\$[\d,]+/i
#ODDLANG & REIMBURSEMENT REQUEST
body __KAM_FAKE_REIMB4 /reimbursement cheque/i
#TRANSFER
body __KAM_FAKE_REIMB5 /details for the transfer/i

meta KAM_FAKE_REIMB ( __KAM_FAKE_REIMB1 + __KAM_FAKE_REIMB2 + __KAM_FAKE_REIMB3 + __KAM_FAKE_REIMB4 + __KAM_FAKE_REIMB5 + FREEMAIL_FROM >= 6)
describe KAM_FAKE_REIMB Fake Reimbursement Request
score KAM_FAKE_REIMB 9.0

#FAKE_AMAZON
#Fake Amazon order/billing notices. The ".?" between letters catches
#spaced-out or punctuated brand spellings.
header __KAM_FAKE_AMAZON1 From:name =~ /\#A.?m.?a.?z.?o.?n/i
header __KAM_FAKE_AMAZON2 Subject =~ /A\-M\-A\-Z\-O\-N|payment confirmation|amazon.?e.?billing/i
#Retired phone-number variant, kept for reference.
#body __KAM_FAKE_AMAZON3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/
#Also reused by KAM_FAKE_COINBASE2 further down; rename with care.
body __KAM_FAKE_AMAZON3 /Receipt Id|Bill no/i
uri __KAM_FAKE_AMAZON4 /googleusercontent\.com/i

#All five inputs must hit (four sub-rules plus stock FREEMAIL_FROM).
meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + __KAM_FAKE_AMAZON3 + __KAM_FAKE_AMAZON4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_AMAZON Fake Amazon Order
score KAM_FAKE_AMAZON 7.5

#FAKE_APPLE
#Fake Apple/iTunes invoices; same shape as FAKE_AMAZON above.
header __KAM_FAKE_APPLE1 From:name =~ /\#.?A.?p.?p.?l.?e|statement/i
header __KAM_FAKE_APPLE2 Subject =~ /i\.t\.u\.n\.e|membership confirmation|invoice|billing/i
body __KAM_FAKE_APPLE3 /a\.p\.p\.l\.e|i\.c\.l\.o\.u\.d|app store team/i
tflags __KAM_FAKE_APPLE3 nosubject
uri __KAM_FAKE_APPLE4 /googleusercontent\.com/i

#All five inputs must hit (four sub-rules plus stock FREEMAIL_FROM).
meta KAM_FAKE_APPLE ( __KAM_FAKE_APPLE1 + __KAM_FAKE_APPLE2 + __KAM_FAKE_APPLE3 + __KAM_FAKE_APPLE4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_APPLE Fake Apple Order
score KAM_FAKE_APPLE 7.5

#FREEMAIL_ORD
#Order confirmations are not normally sent from freemail accounts.
header __KAM_FREEMAIL_ORDER1 Subject =~ /thank you for your order/i

meta KAM_FREEMAIL_ORDER ( __KAM_FREEMAIL_ORDER1 + FREEMAIL_FROM >= 2 )
describe KAM_FREEMAIL_ORDER Questionable message about an order but using freemail
score KAM_FREEMAIL_ORDER 3.0

#RESCORE
#Overrides the scores of two stock SpamAssassin rules.
score URI_DOTEDU 0.5
score ADVANCE_FEE_3_NEW 1.5

#PROBLEMATIC 2TLD PROVIDERS
#Directly scored uri rule (no meta): any link under these second-level
#domains.
uri KAM_2TLD_PROBLEMS /(\.sa\.com|\.ru\.com|\.plesk\.page)/i
describe KAM_2TLD_PROBLEMS Problematic 2TLD handlers being abused
score KAM_2TLD_PROBLEMS 2.0

#CALLING ASSOCIATE
#Answering-service spam; all three sub-rules plus FREEMAIL_FROM must hit.
#SUBJ
header __KAM_CALLING_1 Subject =~ /answering solution/i
#NAME
body __KAM_CALLING_2 /Itotogit/i
#TITLE
body __KAM_CALLING_3 /answering associate/i
tflags __KAM_CALLING_3 nosubject

meta KAM_CALLING ( __KAM_CALLING_1 + __KAM_CALLING_2 + __KAM_CALLING_3 + FREEMAIL_FROM >= 4)
describe KAM_CALLING Spamming Phone and Answering Solutions
score KAM_CALLING 6.0

#SA and ZA ABUSE

#ReplaceTags tag shared by the two sub-rules below: a second-level domain
#followed by a word boundary, slash, end of string or "@".
#NOTE(review): co.in is a general-purpose Indian second-level domain, so this
#also scores ordinary senders from there - confirm the FP rate is acceptable.
replace_tag ABUSE_DOMAINS (?:\.(sa\.com|za\.com|co\.in))(\b|\/|$|\@)

replace_rules __KAM_SA_ZA_ABUSE1 __KAM_SA_ZA_ABUSE2

uri __KAM_SA_ZA_ABUSE1 /<ABUSE_DOMAINS>/i
header __KAM_SA_ZA_ABUSE2 From:addr =~ /<ABUSE_DOMAINS>/i

#Either a link or the sender address in one of these domains is enough.
meta KAM_SA_ZA_ABUSE (__KAM_SA_ZA_ABUSE1 + __KAM_SA_ZA_ABUSE2 >= 1)
describe KAM_SA_ZA_ABUSE 2TLD Providers prevalent in spam abuse

score KAM_SA_ZA_ABUSE 4.5

#FAKE COINBASE
#Dotted brand spelling. Note: no /i flag, so this one is case-sensitive
#(unlike most rules in this file).
body __KAM_FAKE_COINBASE1 /C\.O\.I\.N\.B\.A\.S\.E/

meta KAM_FAKE_COINBASE (__KAM_FAKE_COINBASE1 >= 1)
describe KAM_FAKE_COINBASE Fake Coinbase Email
score KAM_FAKE_COINBASE 3.0

#FAKE COINBASE VARIANT
#Billing/payment wording from a freemail sender.
header __KAM_FAKE_COINBASE2_1 Subject =~ /billing/i
body __KAM_FAKE_COINBASE2_2 /sent a payment/i
body __KAM_FAKE_COINBASE2_3 /BTC|paypal/i

#All five inputs must hit; __KAM_FAKE_AMAZON3 ("Receipt Id|Bill no") is
#borrowed from the FAKE_AMAZON section above.
meta KAM_FAKE_COINBASE2 (__KAM_FAKE_COINBASE2_1 + __KAM_FAKE_COINBASE2_2 + __KAM_FAKE_COINBASE2_3 + FREEMAIL_FROM + __KAM_FAKE_AMAZON3 >= 5)
describe KAM_FAKE_COINBASE2 Fake Coinbase Email
score KAM_FAKE_COINBASE2 7.5


#FAKE SURVEY
#Gift-card survey lures; all four sub-rules plus KAM_SA_ZA_ABUSE (defined
#above) must hit.
header __KAM_FAKE_SURVEY1 From:addr =~ /Shopper.?Gift.?Card|survey/i
body __KAM_FAKE_SURVEY2 /gift card (opp|promo)/i
tflags __KAM_FAKE_SURVEY2 nosubject
body __KAM_FAKE_SURVEY3 /\d second survey/i
tflags __KAM_FAKE_SURVEY3 nosubject
header __KAM_FAKE_SURVEY4 Subject =~ /gift card/i

meta KAM_FAKE_SURVEY ( __KAM_FAKE_SURVEY1 + __KAM_FAKE_SURVEY2 + __KAM_FAKE_SURVEY3 + __KAM_FAKE_SURVEY4 + KAM_SA_ZA_ABUSE >= 5)
describe KAM_FAKE_SURVEY Fake gift card surveys
score KAM_FAKE_SURVEY 7.5

#REWARDS
#Retail reward subject combined with KAM_STORAGE_GOOGLE (defined elsewhere).
header __KAM_FAKE_REWARDS1 Subject =~ /(dollar general|t-mobile|ace hardware) (gift|reward)/i

meta KAM_FAKE_REWARDS ( KAM_STORAGE_GOOGLE + __KAM_FAKE_REWARDS1 >= 2)
describe KAM_FAKE_REWARDS Fake Reward emails
score KAM_FAKE_REWARDS 3.0

#FAKE_AHS
#"AHS Warranty" in the raw From header, from a TLD flagged by
#KAM_SOMETLD_ARE_BAD_TLD (defined elsewhere). Both must hit.
header __KAM_FAKE_AHS1 From =~ /AHS Warranty/i

meta KAM_FAKE_AHS ( __KAM_FAKE_AHS1 + KAM_SOMETLD_ARE_BAD_TLD >= 2)
describe KAM_FAKE_AHS Home Warranty Spam
score KAM_FAKE_AHS 3.0

#FAKE_FICO
#Credit-score spam.
#FUZZ (digit-1 / lowercase-L substituted for "i")
body __KAM_FAKE_FICO1 /F[1l]co/i

#ODD LANG
body __KAM_FAKE_FICO1A /complimentary\-review/i
#SUBJ
header __KAM_FAKE_FICO2 Subject =~ /(cred[1il]t.?(points|score)|score heal?th|202\d score|3 bureaus|Equifax score)/i

#Either body sub-rule plus the Subject sub-rule must hit.
meta KAM_FAKE_FICO ((__KAM_FAKE_FICO1 + __KAM_FAKE_FICO1A >= 1) + __KAM_FAKE_FICO2 >= 2 )
describe KAM_FAKE_FICO Credit Score Spam
score KAM_FAKE_FICO 6.0

#CAM DOMAIN ISSUES
#Sender address in the .cam TLD, combined with KAM_SEMFRESH (defined
#elsewhere). Both must hit.
header __KAM_CAM_DOMAIN From:addr =~ /\.cam$/i

meta KAM_CAM_DOMAIN ( KAM_SEMFRESH + __KAM_CAM_DOMAIN >= 2 )
describe KAM_CAM_DOMAIN Abusive TLD with a new domain
score KAM_CAM_DOMAIN 3.0

#UNREAD MESSAGES
#Dating-site "unread message" lures; all three sub-rules must hit.
header __KAM_UNREAD1 Subject =~ /unread message/i
body __KAM_UNREAD2 /relationship status/i
body __KAM_UNREAD3 /(see more of me here|photo album)/i

meta KAM_UNREAD ( __KAM_UNREAD1 + __KAM_UNREAD2 + __KAM_UNREAD3 >= 3)
describe KAM_UNREAD Singles Message Scams
score KAM_UNREAD 4.5

#NOT INTERESTED
#Directly scored body rule (no meta) for the quoted opt-out phrase.
body KAM_NOT_INTERESTED /reply \"Not Interested\"/i
describe KAM_NOT_INTERESTED Contains Opt-Out Language
score KAM_NOT_INTERESTED 1.5

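#OCTET STREAM ISSUE - Updated 2022-11-26 thanks to Judah for the FP
#HTML attachments declared as application/octet-stream. mimeheader is only
#understood when the MIMEHeader plugin is loaded, so guard it like the other
#mimeheader rules in this file instead of leaving a parse error without it.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#NOTE(review): the "." before "s?html?" is unescaped and so accepts any
#character there; confirm whether a literal dot (\.) was intended.
mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream.*.s?html?\.?\"?$/i

meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 >= 1 )
describe KAM_OCTET_PHISH HTML File attached with the wrong MIME Type
score KAM_OCTET_PHISH 3.0
endif
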
#FAKE WALMART
#Fake Walmart order notices from a freemail sender.
header __KAM_FAKE_WALMART1 Subject =~ /transaction code/i
body __KAM_FAKE_WALMART2 /Your order/i
tflags __KAM_FAKE_WALMART2 nosubject
body __KAM_FAKE_WALMART3 /WALMART INC/i
tflags __KAM_FAKE_WALMART3 nosubject

#All five inputs must hit; __KAM_FAKE_NORTON3 is defined elsewhere in the
#ruleset.
meta KAM_FAKE_WALMART ( __KAM_FAKE_NORTON3 + FREEMAIL_FROM + __KAM_FAKE_WALMART1 + __KAM_FAKE_WALMART2 + __KAM_FAKE_WALMART3 >= 5)
describe KAM_FAKE_WALMART Fake Walmart Scam
score KAM_FAKE_WALMART 7.5

#ANALYTICO
#Named training-course spammer; all three sub-rules must hit.
header __KAM_ANALYTICO1 Subject =~ /online course|promotion/i
body __KAM_ANALYTICO2 /Training Manager/i
body __KAM_ANALYTICO3 /Analytico Academy/i

meta KAM_ANALYTICO ( __KAM_ANALYTICO1 + __KAM_ANALYTICO2 + __KAM_ANALYTICO3 >= 3)
describe KAM_ANALYTICO Domain Hopping Spammers
score KAM_ANALYTICO 4.5

#DESZY
#Named content-creation spammer; all four sub-rules must hit.
header __KAM_DESZY1 From =~ /deszy/i
body __KAM_DESZY2 /Deszy/i
uri __KAM_DESZY3 /search\?q=Deszy/i
header __KAM_DESZY4 Subject =~ /content creation/i

meta KAM_DESZY ( __KAM_DESZY1 + __KAM_DESZY2 + __KAM_DESZY3 + __KAM_DESZY4 >= 4)
describe KAM_DESZY Domain Hopping Spammers
score KAM_DESZY 6.0

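#HEROKU ETC APP EXPLOITS WITH FREEMAIL
#Links to hosted-app platforms that are abused for landing pages.
uri __KAM_APPS1 /\.herokuapp\.com|app\.connect365\.io|\.appspot\.com|salesforce\.com\/servlet/i
header __KAM_APPS2A Subject =~ /onedrive/i
header __KAM_APPS2B From:name =~ /onedrive/i
#The dot in "awsapps.com" is now escaped so only that domain matches; the
#unescaped form accepted any character between "awsapps" and "com".
#NOTE(review): From:addr normally yields the bare address, so the optional
#">" is likely never needed - confirm before removing it.
header __KAM_APPS3 From:addr =~ /\.awsapps\.com>?$/i

#Hosted-app link from a freemail sender.
meta KAM_APPS ( FREEMAIL_FROM + __KAM_APPS1 >= 2 )
describe KAM_APPS Apps being exploited by Spammers
score KAM_APPS 4.0

#Hosted-app link plus "onedrive" in the Subject or display name.
meta KAM_APPS2 (__KAM_APPS1 + (__KAM_APPS2A + __KAM_APPS2B >= 1) >= 2)
describe KAM_APPS2 Fake OneDrive Notification
score KAM_APPS2 4.0

#Single-input meta: any awsapps.com sender.
meta KAM_APPS3 (__KAM_APPS3)
describe KAM_APPS3 AWS Apps Emailing Directly
score KAM_APPS3 9.0
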
#PHONE
#Business phone-service pitches; both sub-rules plus FREEMAIL_FROM must hit.
body __KAM_PHONE1 /reduce your company phone expense/i
body __KAM_PHONE2 /changes? that takes? less than \d+ min/i

meta KAM_PHONE ( __KAM_PHONE1 + __KAM_PHONE2 + FREEMAIL_FROM >= 3 )
describe KAM_PHONE Phone Service Spam
score KAM_PHONE 4.5

#PASSWORD EXPIRATION
#Credential-phishing "your password expires" lures.
#URG
body __KAM_PASSEXP1 /expires today|about to expire/i
#ACTION
body __KAM_PASSEXP2 /(continue with|Keep my) same password/i
#URI
uri __KAM_PASSEXP3 /s3\.amazonaws\.com\/.{1,10}\.html/i

#Both body sub-rules plus either an S3-hosted HTML link or KAM_IPFS (defined
#in the next section) must hit.
meta KAM_PASSEXP ( __KAM_PASSEXP1 + __KAM_PASSEXP2 + ( KAM_IPFS + __KAM_PASSEXP3 >= 1 ) >= 3 )
describe KAM_PASSEXP Credential Scam
score KAM_PASSEXP 4.5

#IPFS
#Directly scored uri rule for ipfs.io gateway links; also used as an input to
#KAM_PASSEXP above.
uri KAM_IPFS /(\.|\b|\/)ipfs\.io\//i
describe KAM_IPFS Abused Protocol for Distributed Content
score KAM_IPFS 3.0

#PHONESYSTEM
#Cold-call phone-system sales pitches; all five sub-rules plus FREEMAIL_FROM
#must hit.
#DEAL
body __KAM_PHONESYS1 /(reduced|lower your) rate|\d+% lower|lower (your|its) telecom/i
#TITLE
body __KAM_PHONESYS2 /Business Dev|tech associate|tele.?specialist|growth dev/i
#PHONE
body __KAM_PHONESYS3 /Top-regarded carriers|(T1|Cloud) (lines|phone)|cloud.?based phone|voip service/i
#MEETING REQ/OPT
body __KAM_PHONESYS4 /(worth|Have) \d+ minute|reply with rule.?out|open to this/i
#INFO REQ
body __KAM_PHONESYS5 /best number to quickly get in touch|quick number to reach you|may i send some info|best direct line to reach/i

meta KAM_PHONESYS ( __KAM_PHONESYS1 + __KAM_PHONESYS2 + __KAM_PHONESYS3 + __KAM_PHONESYS4 + __KAM_PHONESYS5 + FREEMAIL_FROM >= 6 )
describe KAM_PHONESYS New Phone System Spam
score KAM_PHONESYS 9.0

#CONTRACT HTML
#HTML attachments named like financial documents (statement123.htm, etc.).
#mimeheader needs the MIMEHeader plugin, hence the guard.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_CONTRACT2_1 Content-Type =~ /(statement\d+|contract\#?\d+|final.?hud.?\d+|Kyc\d+|check)\.htm/i

#Single-input meta.
meta KAM_CONTRACT2 ( __KAM_CONTRACT2_1 >= 1)
describe KAM_CONTRACT2 Suspect HTML file
score KAM_CONTRACT2 7.0
endif

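#FAKE ALLSCRIPTS
#"allscripts" display name on a sender that is not in the allscripts.com
#domain, with invoice/membership wording.
#The dot in "allscripts.com" is now escaped: unescaped it matched any
#character, so look-alike senders such as "allscripts-com..." were also
#treated as legitimate and excluded by the negation.
header __KAM_ALLSCRIPTS1 From:addr !~ /\@allscripts\.com/i
header __KAM_ALLSCRIPTS2 From:name =~ /allscripts/i
header __KAM_ALLSCRIPTS3 Subject =~ /invoice|receipt/i
body __KAM_ALLSCRIPTS4 /membership|recurring monthly/i

#All four sub-rules must hit.
meta KAM_ALLSCRIPTS ( __KAM_ALLSCRIPTS1 + __KAM_ALLSCRIPTS2 + __KAM_ALLSCRIPTS3 + __KAM_ALLSCRIPTS4 >= 4 )
describe KAM_ALLSCRIPTS Fake Invoice Scam
score KAM_ALLSCRIPTS 6.0
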
#EXPLOIT SCAM
#Extortion-style demands: a wallet address label, a deadline, a countdown and
#a round dollar amount, delivered via KAM_SENDGRID (defined elsewhere).
body __KAM_EXPLOIT1 /wallet:/i
body __KAM_EXPLOIT2 /you have three days/i
body __KAM_EXPLOIT3 /countdown will begin/i
body __KAM_EXPLOIT4 /\$\d00/i

#All five inputs must hit.
meta KAM_EXPLOIT (__KAM_EXPLOIT1 + __KAM_EXPLOIT2 + __KAM_EXPLOIT3 + __KAM_EXPLOIT4 + KAM_SENDGRID >= 5)
describe KAM_EXPLOIT Exploitation Scam
score KAM_EXPLOIT 7.5

8662 #EOF