buildsys: avoid automatic redownloading
diff --git a/KAM.cf b/KAM.cf
index 21201c293af317a7086af7aae10af4366b60bdac..f9c4ed7a1a5455c3db5c493b9aa4f137bb6b3dd6 100644 (file)
--- a/KAM.cf
+++ b/KAM.cf
@@ -1,4 +1,4 @@
-#KAM.cf - SpamAssassin Rules
+#KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
 
 #Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
 #        Bill Cole & Giovanni Bechis
@@ -8,15 +8,22 @@
 
 #HomePage: http://www.mcgrail.com/downloads/KAM.cf
 
-#2018-06-20: We will be moving KAM.cf over to a non-profit to allow for it to
-#            continue being maintained.  It will continue being ASLv2 licensed
-#            but we are soliciting donations to help fund the development.
-#            
-#            As a 501(c)(3), all donations are tax deductible to the extent
-#            permissible by law.
+
+#Installation: There are multiple files that make up the KAM ruleset including 
+#heavyweight, deadweight, & nonKAMrules.  The KAM ruleset is now a channel!
 #
-#            Sponsors gifting $5,000USD or greater per year will be thanked 
-#            in this file and on our website.
+#Please see https://mcgrail.com/template/kam.cf_channel for more information
+
+
+#The ruleset includes internal rules so not every rule will be useful but 
+#we encapsulate those in a KAMOnly defined loop.
+
+#KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity.  Donations
+#are appreciated. See www.mcgrail.com for more information on donations and 
+#sponsorships.
+
+#THANK YOU TO OUR SPONSORS (in Alphabetical Order):
+#cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
 
 
 #This is a collection of special rules that I have developed and use on my system.
@@ -35,7 +42,7 @@
 #I believe the rules are safe and they are in use on production systems so I will
 #do my best to respond to FPs *especially* if you can send me an email sample.
 #
-#This cf file is designed for systems with a threshold of 5.0 or higher.  
+#IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.
 
 
 #It is best to save an email sample in mbox format and zip it to attach to get 
 #    for content.  For example, the sexually explicit items and the stock tips.  
 #    FPs in these rules will be quickly addressed.
 
-#For a free anti-spam consultation, fill out the form at the following URL:
-#https://raptor.pccc.com/free_spam_consultation.cgim
-
-#
-#Copyright (c) 2019 Kevin A. McGrail and the McGrail Foundation
+#Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
 #
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 
-# NOTE: You should also grab a file we use of some various rules at
-# https://www.mcgrail.com/downloads/nonKAMrules.cf
-# And realize that we have numerous internal rules so not every rule will be 
-# useful but we try and encapsulate those in a KAMOnly defined loop.
-
 # COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
 body     __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
+
 rawbody  __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
+
 meta            KAM_MM_FOREX    __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
 score    KAM_MM_FOREX 2.5
 describe KAM_MM_FOREX Polish-language spam from the Forex botnet
@@ -164,7 +164,12 @@ describe   KAM_OVERPAY     Common Medicinal Ad Trick
 score          KAM_OVERPAY     3.5
 
 #VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
-body            KAM_VIAGRA1     /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
+replace_rules  __KAM_VIAGRA2
+
+body            __KAM_VIAGRA1   /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
+header         __KAM_VIAGRA2   Subject =~ /<V1><I1><A1><G1><R1><A1>/i
+
+meta           KAM_VIAGRA1     (__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
 describe        KAM_VIAGRA1     Common Viagra and Medicinal Table Trick
 score           KAM_VIAGRA1     3.0
 
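Review bot: The new `replace_rules __KAM_VIAGRA2` line and the `<V1><I1><A1><G1><R1><A1>` subject pattern depend on the ReplaceTags plugin and on `replace_tag` definitions for V1, I1, A1, G1 and R1, and neither a plugin guard nor those definitions are visible in this hunk. If a tag is undefined or the plugin is not loaded, the pattern is presumably left as literal text and `__KAM_VIAGRA2` would never match, so the obfuscated-subject half of `KAM_VIAGRA1` would be silently missing. A comment such as `# __KAM_VIAGRA2 requires ReplaceTags and the V1/I1/A1/G1/R1 replace_tag definitions` next to the rule would make the dependency explicit. Running the ruleset through `spamassassin --lint` would confirm that the rule parses.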
@@ -184,7 +189,8 @@ body                __KAM_VIAGRA4B  /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
 body           __KAM_VIAGRA4C  /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
 
 # FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
-body            __KAM_VIAGRA_FPS /via gra|i augur/i
+# FP for Via Great thanks to Shane Williams
+body            __KAM_VIAGRA_FPS /via gre?a|i augur/i
 
 meta           KAM_VIAGRA4     ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
 describe       KAM_VIAGRA4     Common Viagra and Medicinal Table Trick
@@ -444,7 +450,8 @@ body            __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/
 body           __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
 body           __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
 body           __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
-body           __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)B.?Z.?I.?C(\b|$)/is
+#FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
+body           __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
 body           __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
 body           __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
 body           __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
@@ -454,7 +461,7 @@ body                __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
 body           __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
 body           __KAM_STOCKTIP155 /Alanco Technologies/is
 body           __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
-body           __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
+#body          __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
 body            __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
 body            __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
 body            __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
@@ -464,7 +471,7 @@ body                __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
 body           __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
 body           __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
 body           __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
-body           __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Management|Quest Science Management Gate)(\b|$)/is
+body           __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
 body           __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
 body           __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
 
@@ -480,7 +487,7 @@ body                __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
 body           __KAM_INSTOCK   /in stock/i
 
 # ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
-meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP157 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
+meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
 
 describe        KAM_STOCKTIP    Email Contains Pump & Dump Stock Tip
 score           KAM_STOCKTIP    7.1
@@ -827,9 +834,14 @@ score              KAM_ADV_EMAIL           5.0
 header    __KAM_SEX_EXPLICIT1    Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
 #EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
 header    __KAM_SEX_EXPLICIT2    Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
-header   __KAM_SEX_EXPLICIT3    From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck)/i
+
+#TRYING TO GET RID OF FPs WITH LAST NAMES
+header   __KAM_SEX_EXPLICIT3    From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^))/i
+
 #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
-body     __KAM_SEX_EXPLICIT4    /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\#ck|F\*ck_|find milfs/i
+body     __KAM_SEX_EXPLICIT4    /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs/i
+#remove f\#ck for FPs
+
 header   __KAM_SEX_EXPLICIT5    Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
 body     __KAM_SEX_EXPLICIT6   /virus on a porn web/i
 
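Review bot: In the new `__KAM_SEX_EXPLICIT3` pattern the trailing group `(\b|^)` has a dead alternative: with no `/m` flag, `^` can only match at the start of the header and never after `fuck(s|ing)?`, so the group is equivalent to a plain `\b`. The word also has no leading boundary, so a display name that merely ends in those letters still matches, which may not fully meet the stated goal of removing last-name FPs. If a whole-word match is intended, `(^|\b)fuck(s|ing)?\b` expresses that directly. The comment `#remove f\#ck for FPs` sits below the `__KAM_SEX_EXPLICIT4` rule it describes, and `F\#ckFriends` is still in that pattern, so placing the comment above the rule and wording it as "removed the bare F\#ck alternative" would be clearer.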
@@ -864,11 +876,16 @@ score             KAM_TELEWORK    3.0
 #Changed to meta 2017-10-17
 #2017-10-23 - Removed .link.  Uniregistry has committed to reviewing abuse concerns.
 #2019-11-24 - Removed .bid for FPs
-header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|press|top|date)$/i
-uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|press|top|date)($|\/)/i
+#2020-06-04 - Added FP check for td.date and div.top
+#2020-08-23 - Added guru 
+header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa)$/i
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|press|top|date|guru|Casa)($|\/)/i
+
+#FPs
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE  /(^|\b)td\.date|div\.top($|\/)/i
 
-meta           KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
-describe       KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press & .date TLD Abuse
+meta           KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
+describe       KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press, .guru, .casa & .date TLD Abuse
 score          KAM_SOMETLD_ARE_BAD_TLD         5.0
 
 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body 
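Review bot: The exemption pattern `/(^|\b)td\.date|div\.top($|\/)/i` is not grouped, so it parses as `(^|\b)td\.date` or `div\.top($|\/)`: the first branch has no trailing anchor and the second has no leading boundary, which exempts more strings than the two named in the changelog. Grouping it as `/(^|\b)(?:td\.date|div\.top)($|\/)/i` keeps the exemption to exactly those two tokens. The meta applies `!__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE` to the whole message rather than to the URI that matched, so one exempt token elsewhere in a message also switches off the URI branch for a genuine listed-TLD link. That trade-off deserves a comment next to the meta. The changelog line mentions only guru although casa is added as well, and `Casa` is capitalised in the URI rule only, which is harmless under `/i` but inconsistent.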
@@ -1092,27 +1109,35 @@ describe        KAM_COMBOJDR    Spam Test for Rules Combined with KAM_SPAMJDR
 score          KAM_COMBOJDR    5.0
 
 #LOTTO CRUD
-body           __KAM_LOTTO1    /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
-body           __KAM_LOTTO2    /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
+body           __KAM_LOTTO1    /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
+
+body           __KAM_LOTTO2    /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is
+
 body           __KAM_LOTTO3    /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
-body           __KAM_LOTTO4    /(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
-body           __KAM_LOTTO5    /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)/is
-body           __KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email/is
-header         __KAM_LOTTO7    Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number)/i
+
+body           __KAM_LOTTO4    /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
+
+body           __KAM_LOTTO5    /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
+
+body           __KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is
+
+header         __KAM_LOTTO7    Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
+
 header         __KAM_LOTTO8    From =~ /Lottery|powerball|western.union/i
+
 header         __KAM_LOTTO9    Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
 
 meta           KAM_LOTTO1      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
 describe       KAM_LOTTO1      Likely to be an e-Lotto Scam Email
-score          KAM_LOTTO1      0.5
+score          KAM_LOTTO1      0.75
 
 meta            KAM_LOTTO2      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
 describe        KAM_LOTTO2      Highly Likely to be an e-Lotto Scam Email
-score           KAM_LOTTO2      1.0
+score           KAM_LOTTO2      1.25
 
-meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
+meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
 describe        KAM_LOTTO3      Almost certain to be an e-Lotto Scam Email
-score           KAM_LOTTO3      2.0
+score           KAM_LOTTO3      3.0
 
 #ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
 header         __KAM_ABOUT1    Subject =~ /About your Internet (activities|activity)/i
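Review bot: The phrase `claims requirement` is now matched by both `__KAM_LOTTO4` (newly added to `claims (office|agent|manager|requirement)`) and `__KAM_LOTTO6` (already present), so a single phrase supplies two of the hits counted by the 3/4/5 thresholds. Dropping it from one rule, for example reverting the first group to `claims (office|agent|manager)`, keeps each sub-rule an independent signal. The three tiers are cumulative, and with the new scores a message reaching `KAM_LOTTO3` collects 0.75 + 1.25 + 3.0 = 5.0 from these metas alone, which is the threshold the file header says the ruleset is designed for. Given the broad new alternatives such as `active email address` and `dear e-?mail`, that deserves a false-positive check against ham. `LOTS_OF_MONEY` is not defined in this hunk; if it comes from the stock ruleset, a comment saying so would explain why only `KAM_LOTTO3` counts it.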
@@ -1329,10 +1354,10 @@ meta            KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEB
 score          KAM_INFOUSMEBIZ 0.75
 describe       KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
 
-# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
-rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
-header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|work|rocks|science|club)$/i
-header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|work|rocks|science|club)>?$/i
+# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science, .casa
+rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
+header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
+header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i
 
 meta            KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
 score           KAM_OTHER_BAD_TLD 0.75
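Review bot: `casa` is added here and also to `__KAM_SOMETLD_ARE_BAD_TLD_FROM` and `__KAM_SOMETLD_ARE_BAD_TLD_URI` in the earlier hunk, so a `.casa` sender or link now hits both `KAM_SOMETLD_ARE_BAD_TLD` (5.0) and `KAM_OTHER_BAD_TLD` (0.75). If the double score is not intended, list the TLD in only one of the two rule sets. The header comment is also out of step with the patterns; `# OTHER QUESTIONABLE / CHEAP TLDS - .click, .farm, .work, .rocks, .science, .club, .casa` would match what the three rules now test. Separately, `__KAM_OTHER_BAD_TLD1` still matches only `http:\/\/`, so `https` links to these TLDs are not covered by the rawbody rule; `https?:\/\/` would close that gap.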
@@ -1428,8 +1453,8 @@ endif
 
  
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader    __KAM_BADPO1 Content-Type =~ /Purchase.Order/i
-  mimeheader    __KAM_BADPO2 Content-type =~ /PDF.html/i
+  mimeheader    __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
+  mimeheader    __KAM_BADPO2 Content-type =~ /PDF\.html?/i
 endif
 
 header         __KAM_BADPO3    Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
@@ -1705,14 +1730,14 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
   endif
 
   if (version >= 3.004001) 
-    #Compromised URI - In Body
-    urirhssub  KAM_BODY_COMPROMISED_URIBL_PCCC    wild.pccc.com. A 127.0.1.2
-    body       KAM_BODY_COMPROMISED_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL2_PCCC')
-    describe   KAM_BODY_COMPROMISED_URIBL_PCCC    Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
-    tflags     KAM_BODY_COMPROMISED_URIBL_PCCC    net
-    score      KAM_BODY_COMPROMISED_URIBL_PCCC    9.0
-
     ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+      #Compromised URI - In Body
+      urirhssub  KAM_BODY_COMPROMISED_URIBL_PCCC    wild.pccc.com. A 127.0.1.2
+      body       KAM_BODY_COMPROMISED_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL2_PCCC')
+      describe   KAM_BODY_COMPROMISED_URIBL_PCCC    Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
+      tflags     KAM_BODY_COMPROMISED_URIBL_PCCC    net
+      score      KAM_BODY_COMPROMISED_URIBL_PCCC    9.0
+
       #Contains a likely good URI but otherwise compromised by malware/hackers
       header     KAM_FROM_COMPROMISED_URIBL_PCCC    eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
       describe   KAM_FROM_COMPROMISED_URIBL_PCCC    From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
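Review bot: Moving `KAM_BODY_COMPROMISED_URIBL_PCCC` inside `ifplugin Mail::SpamAssassin::Plugin::KAMOnly` means this 9.0-point body URIBL rule no longer runs on any install without that plugin, and nothing in the hunk records why. A comment above the block, for example `# Internal only since this change: body URIBL lookup against wild.pccc.com is no longer run on public installs`, would tell downstream users that the coverage was removed deliberately. The `body` line passes `'KAM_URIBL2_PCCC'` to `check_uridnsbl` while the `urirhssub` line is named `KAM_BODY_COMPROMISED_URIBL_PCCC`; this may be a leftover from a rename and is worth confirming. The enclosing `if (version >= 3.004001)` and `ifplugin` blocks open and close outside this hunk.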
@@ -1750,7 +1775,7 @@ ifplugin Mail::SpamAssassin::Plugin::EmailBL
     header   KAM_MESSAGE_EMAILBL_PCCC  eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
     describe KAM_MESSAGE_EMAILBL_PCCC  Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
     tflags   KAM_MESSAGE_EMAILBL_PCCC  net
-    score    KAM_MESSAGE_EMAILBL_PCCC  5.0
+    score    KAM_MESSAGE_EMAILBL_PCCC  6.0
   endif
 endif
 
@@ -1871,43 +1896,55 @@ describe        KAM_COLLECT     Spammers hawking debt collection
 
 
 #SEARCH ENGINE SPAM
-header         __KAM_SEARCH1   Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.service|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health/i
-body           __KAM_SEARCH2   /search engine|SEO|bring.traffic|business.development/i
-body           __KAM_SEARCH3   /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on/i
-body           __KAM_SEARCH4   /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry/i
-rawbody                __KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution/i
+ #Subj
+header         __KAM_SEARCH1   Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page/i
+ #what specific
+body           __KAM_SEARCH2   /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
+ #ranging
+body           __KAM_SEARCH3   /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search/i
+ #how
+body   __KAM_SEARCH4   /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
+ #who
+rawbody                __KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|(search engine|SEO) (consultant|expert|Service)|sales manager/i
 
 meta           KAM_SEARCH      (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
 score          KAM_SEARCH      5.0
 describe       KAM_SEARCH      Spammers hawking SEO
 
 #SEO
-header         __KAM_SEO1      Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service/i
-body           __KAM_SEO2      /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
-body           __KAM_SEO3      /never find your web site|major search engines|link.building|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website/i
-body           __KAM_SEO4      /No upfront fees|SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking/i
-body           __KAM_SEO5      /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top/i
-body           __KAM_SEO6      /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion/i
-uri             __KAM_SEO7      /./ # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
-
-meta           KAM_SEO         (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + __KAM_FREEMAIL + KAM_ADVERT2 >= 5)
+header         __KAM_SEO1      Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report/i
+#what we give you
+body           __KAM_SEO2      /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|ranking report/i
+tflags         __KAM_SEO2      nosubject
+#what we do/fix
+body           __KAM_SEO3      /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings/i
+#SEO
+body           __KAM_SEO4      /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
+#costs
+body           __KAM_SEO5      /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial/i
+#SEO Indicators
+body           __KAM_SEO6      /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam/i
+# LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
+uri             __KAM_SEO7      /./ 
+
+meta           KAM_SEO         (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
 score          KAM_SEO         7.0
 describe       KAM_SEO         Spammers hawking SEO
 
 #ABUSED FREEMAIL ACCOUNTS
-header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
-header         __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
-meta           __KAM_FREEMAIL  (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
+#header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
+#header                __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
+#meta          __KAM_FREEMAIL  (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
 
 #LINGERIE VIDEOS
-header         __KAM_LINGERIE1 From =~ /lexi campbell/i
-header         __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
-header         __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
-body           __KAM_LINGERIE4 /Exotic modelling videos/i
+#header                __KAM_LINGERIE1 From =~ /lexi campbell/i
+#header                __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
+#header                __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
+#body          __KAM_LINGERIE4 /Exotic modelling videos/i
 
-meta           KAM_LINGERIE    (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
-score          KAM_LINGERIE    10.0
-describe       KAM_LINGERIE    Sexually Explicity Lingerie Spam
+#meta          KAM_LINGERIE    (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
+#score         KAM_LINGERIE    10.0
+#describe      KAM_LINGERIE    Sexually Explicity Lingerie Spam
 
 
 #WEB DESIGN
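Review bot: The bare `keyword` alternative added to `__KAM_SEARCH4` fires on any body that mentions the word, and it makes the existing `popular.keyword` branch unreachable as a distinct signal. Because `KAM_SEARCH` needs only four of five subrules, a subrule that matches ordinary marketing or analytics mail lowers the bar for the other four. I would drop the bare `keyword` alternative, or qualify it the way the neighbouring alternatives are. The same applies to `S\.?E\.?O` in `__KAM_SEARCH2`, which under `/i` has no word boundary and matches inside longer words; `\bS\.?E\.?O\b` keeps the intent.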
@@ -2336,9 +2373,10 @@ score            KAM_SEXSUBJECT  2.0
 describe       KAM_SEXSUBJECT  Sexually Explicit Subject
 
 #RUSSIAN WIFE/BRIDE SCAMS
-header         __KAM_WIFE1     Subject =~ /Remember me|(Russian|asian) ?(single|women|bride|lad(y|ies)|babe)/i
-body           __KAM_WIFE2     /marry a Russian|sizzling photos|(russian|asian) (women|beauties)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl/i
-header         __KAM_WIFE3     From =~ /Russian.?Dat|russian.?bride|Russian.?single|russian.?women|asian.?beauties/i
+header         __KAM_WIFE1     Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe)/i
+body           __KAM_WIFE2     /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
+tflags         __KAM_WIFE2     nosubject
+header         __KAM_WIFE3     From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice).?(russian|asian)/i
 
 meta            KAM_WIFE       ( __KAM_WIFE1 +  __KAM_WIFE2 + __KAM_WIFE3 >= 2)
 score           KAM_WIFE       8.0
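Review bot: The rewritten `__KAM_WIFE1` and `__KAM_WIFE3` shorten several alternatives to bare prefixes (`lad`, `dat`, `beaut`) with no word boundary on either side, so they now match unrelated text such as "Russian data" in a From header, or "Caucasian ladder" through the unanchored `asian`. `KAM_WIFE` scores 8.0 on two of three subrules, so a loose Subject match plus a loose From match is enough to reject mail. I would anchor the nationality and keep the full stem, e.g. `Subject =~ /Remember me|\b(?:Russian|asian|Ukrai?nian) ?(?:dating|beaut|single|women|bride|lad(?:y|ies)|babe)/i`, and use `dating?` instead of `dat` in `__KAM_WIFE3`.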
@@ -2626,13 +2664,31 @@ score           KAM_SELLPHONE   4.5
 describe       KAM_SELLPHONE   Used Equipment Spam
 
 #STORAGE LIMIT
-body           __KAM_MAILBOX1  /mailbox has exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account/i
-body           __KAM_MAILBOX2  /(verify|validate) your (account|mailbox|email)|(increase|upgrade) (my|your?) (inbox |email )?quota|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account/i
-header         __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important) noti|needs to be upgraded|incoming mails|delivery failure|storage (is )?full|inbox full|upgrade email|delayed email|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|account upgrade/i
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+  replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
+
+ #ISSUE
+  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|email|mailbox).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?fu<L1><L1>|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended/i
+  tflags       __KAM_MAILBOX1  nosubject
+ #ACTION
+  body         __KAM_MAILBOX2  /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (withheld|recent) (incoming|messages|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|keep (current|same) password|change password|stop (this action|account removal)|fix your email/i
+  tflags       __KAM_MAILBOX2  nosubject
+ #SUBJECT
+  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|security|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|\d emails? suspended|error sync|(e-?mails?|messages) (are )?pending/i 
+
+  meta         KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG >= 2)
+  score                KAM_MAILBOX     7.75
+  describe     KAM_MAILBOX     Mailbox Quota Phishing Scams
 
-meta           KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >= 3)
-score          KAM_MAILBOX     6.0
-describe       KAM_MAILBOX     Mailbox Quota Phishing Scams
+  meta          KAM_MAILBOX2    (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
+  score         KAM_MAILBOX2    6.25
+  describe      KAM_MAILBOX2    Mailbox Quota Phishing Scams
+
+  meta         KAM_MAILBOX3    (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
+  describe     KAM_MAILBOX3    Enhanced Scoring for Mailbox Quota Phishing
+  score                KAM_MAILBOX3    3.75
+endif
 
 #SHORTERNERS
 meta           KAM_SHORT       (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
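Review bot: All three mailbox-phishing metas are now defined only inside `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags`, whereas the removed `KAM_MAILBOX` did not depend on the plugin. On an install where ReplaceTags is not loaded, this class of phish is therefore silently no longer scored. If that is intended, a comment at the top of the block should say so, for example `# KAM_MAILBOX* need ReplaceTags for the <A1>/<L1>/<I1>/<E1>/<O1> tags; without the plugin no mailbox-quota phishing rule is defined`. Otherwise a plain-ASCII fallback for the three subrules would keep coverage. Separately, `KAM_MAILBOX` depends on `T_FREEMAIL_DOC_PDF`, which by its prefix looks like a testing rule that may be renamed or absent, so it is worth confirming it exists on target installs.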
@@ -2640,7 +2696,7 @@ score             KAM_SHORT       0.001
 describe       KAM_SHORT       Use of a URL Shortener for very short URL
 
 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
-uri            __KAM_SHORT     /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it)\/[^\/]{3}\/?/
+uri            __KAM_SHORT     /^http:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
 
 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
 uri             __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
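Review bot: `__KAM_SHORT` is anchored on `^http:\/\/`, so the two shorteners added here (`bit.do`, `l.linklyhq.com`) are only recognised when the link is plain HTTP; an `https://` link to the same host does not match. The neighbouring `__KAM_TINYDOMAIN` already uses `https?`, so I would change the prefix to `^https?:\/\/`. The new `(do|ly)` group can also be `(?:do|ly)` to stay consistent with the surrounding non-capturing group.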
@@ -2755,20 +2811,36 @@ header          __KAM_CREDIT5   From =~ /Credit|score|bureau|finance|report|advisory/i
 #Useful Resources for Tags
 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
 #https://www.branah.com/unicode-converter
+#look at the encoding type and the charset.  For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'
 
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
-replace_tag     A       (?:[\xd0][\xb0]|[\xc9][\x91]|a)
-replace_tag     C       (?:[\xd0][\xa1]|c|[\xd1][\x81])
-replace_tag     E       (?:[\xd0][\xb5]|[\xc4][\x97]|e)
-replace_tag     I       (?:[\xd1][\x96]|[\xc4][\xab]|i)
-replace_tag    M       (?:[\xca][\x8d]|m)
-replace_tag     O       (?:[\xd0][\xbe]|o)
-replace_tag    P       (?:[\xd1][\x80]|p|[\xc7][\xb7])
-replace_tag     S       (?:[\xd0][\x85]|s)
-
-header          __KAM_CREDIT6   Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
-header          __KAM_CREDIT7   From =~ /<S>core.?<S>ense/i
+#renamed to A1, C1, etc. to avoid collissions with stock rules
+#Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
+#thanks as well to Henrik Krohns
+replace_tag     A1      (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
+replace_tag     B1      (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
+replace_tag     C1      (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
+replace_tag    D1      (?:d|[\xf0\x9d\x9a\x8d])
+replace_tag     E1      (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
+replace_tag    G1      (?:g|[\xf0\x9d\x97\x80])
+replace_tag     I1      (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
+replace_tag    L1      (?:l|i)
+replace_tag    M1      (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
+replace_tag     N1      (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
+replace_tag     O1      (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98])
+replace_tag    P1      (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
+replace_tag    R1      (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
+replace_tag     S1      (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
+replace_tag    T1      (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
+replace_tag    U1      (?:u|[\xf0\x9d\x98\x82])
+replace_tag    V1      (?:v|[\xf0\x9d\x96\xb5])
+replace_tag    W1      (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0])
+replace_tag    Y1      (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
+replace_tag    SPACE1  (?: |[\xc2\xa0])
+
+header          __KAM_CREDIT6   Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
+header          __KAM_CREDIT7   From =~ /<S1>core.?<S1>ense/i
 
 replace_rules   __KAM_CREDIT6 __KAM_CREDIT7
 
@@ -2819,8 +2891,8 @@ endif
 #PAYPAL PHISH
 header          __KAM_PAYPAL3A  From =~ /paypal/i
 header          __KAM_PAYPAL3B  From !~ /paypal.com(\.au)?>?$/i
-header          __KAM_PAYPAL3C  Subject =~ /your.paypal.account/i
-body            __KAM_PAYPAL3D  /security.process|more.information|has.limitation|verify.your.information/i
+header          __KAM_PAYPAL3C  Subject =~ /your.paypal.account|Invoice PP/i
+body            __KAM_PAYPAL3D  /security.process|more.information|has.limitation|verify.your.information|bitcoin/i
 
 meta            KAM_PAYPAL3     ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
 score           KAM_PAYPAL3     8.0
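Review bot: The "not really from the brand" test that `KAM_PAYPAL3` relies on, `__KAM_PAYPAL3B From !~ /paypal.com(\.au)?>?$/i`, has an unescaped dot and no left anchor. Any sender domain that merely ends in the string "paypal.com" is therefore treated as genuine, and the `(__KAM_PAYPAL3A && __KAM_PAYPAL3B)` term never fires for it. The same pattern is introduced in the FAKE DHL hunk as `__KAM_FAKEDELIVER4 From:addr !~ /dhl.com/i`, which is not anchored at either end, and it is present in `__KAM_FAKEDELIVER12` for DPD. I would test the address only and anchor on a label boundary: `header __KAM_PAYPAL3B From:addr !~ /[\@.]paypal\.com(?:\.au)?$/i` and `header __KAM_FAKEDELIVER4 From:addr !~ /[\@.]dhl\.com$/i`.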
@@ -2911,7 +2983,7 @@ describe  KAM_LASIK       Lasik Treatment Spams
 score          KAM_LASIK       4.5
 
 #FAKE NOTIFIES
-header         __KAM_NOTIFY1   From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
+header         __KAM_NOTIFY1   From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
 body           __KAM_NOTIFY2   /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
 header         __KAM_NOTIFY3   From =~ /\.br>/i
 
@@ -2960,10 +3032,11 @@ describe        KAM_MEMBER      Dating Scams
 score           KAM_MEMBER      4.5
 
 #MEDICARE
-header          __KAM_MEDICARE1   From =~ /Medicare|health.?options|enrollment/i
+header          __KAM_MEDICARE1   From =~ /(Medicare|health.?options|enrollment)/i
 header          __KAM_MEDICARE2   Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
-body            __KAM_MEDICARE3   /medicare.(plan|recipient)/i
-body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium/i
+body            __KAM_MEDICARE3   /medicare.(plan|recipient|annual election)/i
+tflags         __KAM_MEDICARE3   nosubject
+body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
 
 meta            KAM_MEDICARE      (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
 describe        KAM_MEDICARE      Medicare Scams
@@ -3091,8 +3164,8 @@ endif
 
 #PREV MARK
 header         __KAM_MARK1     Subject =~ /[\[\<]ADV[\>\]]/i
-header         __KAM_MARK2     Subject =~ /[\[\<]SPAM[\>\]]/i
-header         __KAM_MARK3     Subject =~ /[\[\<]VIRUS[\>\]]/i
+header         __KAM_MARK2     Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]/i
+header         __KAM_MARK3     Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
 
 meta           KAM_MARKADV     (__KAM_MARK1 >= 1)
 describe       KAM_MARKADV     Email arrived marked as an Advertisement
@@ -3144,12 +3217,13 @@ describe        KAM_FACEBOOKMAIL        Fake or Abused Facebook Mail
 score          KAM_FACEBOOKMAIL        8.0
 
 #FAKE DHL/FEDEX/ETC
-body           __KAM_FAKEDELIVER1      /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached/i
-header         __KAM_FAKEDELIVER2      Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel/i
+body           __KAM_FAKEDELIVER1      /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address/i
+
+header         __KAM_FAKEDELIVER2      Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request/i
 
  #DHL
-body           __KAM_FAKEDELIVER3      /DHL/
-header         __KAM_FAKEDELIVER4      From !~ /dhl.com/i
+header         __KAM_FAKEDELIVER3      From:name =~ /DHL/i
+header         __KAM_FAKEDELIVER4      From:addr !~ /dhl.com/i
 
  #FEDEX
 rawbody         __KAM_FAKEDELIVER5      /Fed ?ex/i
@@ -3167,10 +3241,11 @@ header          __KAM_FAKEDELIVER10     From =~ /shipping|economy|priority/i
 body           __KAM_FAKEDELIVER11     /DPD/i
 header         __KAM_FAKEDELIVER12     From !~ /dpd.com|dpd.co.uk/i
 
+uri            __KAM_FAKEDELIVER13     /(cdn.discordapp.com|wp-conten)/i
 
-meta           KAM_FAKE_DELIVER        (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED >= 1) >= 3)
+meta           KAM_FAKE_DELIVER        (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKEDELIVER13 >= 1) >= 3)
 describe       KAM_FAKE_DELIVER        Fake delivery notifications
-score          KAM_FAKE_DELIVER        5.0
+score          KAM_FAKE_DELIVER        6.25
 
 meta            KAM_REALLY_FAKE_DELIVER   (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
 score           KAM_REALLY_FAKE_DELIVER   2.5
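Review bot: The new `__KAM_FAKEDELIVER13` pattern `/(cdn.discordapp.com|wp-conten)/i` is added to the sender-authenticity bucket of `KAM_FAKE_DELIVER`, next to `HEADER_FROM_DIFFERENT_DOMAINS`, `SPF_SOFTFAIL` and `KAM_RAPTOR_ALTERED`. A message containing any URL with "wp-conten" in it, which covers assets on most WordPress sites, now satisfies that bucket without any header anomaly, and the score is raised to 6.25 in the same hunk. The `wp-conten` alternative also looks truncated and the dots are unescaped. If the intent is to flag payloads hosted under those paths, I would tighten it to `uri __KAM_FAKEDELIVER13 /(?:cdn\.discordapp\.com\/|\/wp-content\/)/i` and count it as its own term in the meta rather than as a substitute for the authentication checks.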
@@ -3178,8 +3253,8 @@ describe        KAM_REALLY_FAKE_DELIVER   Definitely fake delivery notifications
 
 #SOLAR POWER
 header         __KAM_SOLAR1    From =~ /Solar|electric|regard|energy|.olar..etwork/i
-header         __KAM_SOLAR2    Subject =~ /power bill|sells power|electrical bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
-body           __KAM_SOLAR3    /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies/i
+header         __KAM_SOLAR2    Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
+body           __KAM_SOLAR3    /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
 
 meta           KAM_SOLAR       (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
 describe       KAM_SOLAR       Solar Power Spams
@@ -3249,7 +3324,7 @@ score           KAM_QTJARS       3.0
 #GOOGLE DOCS PHISH
 # view the agreement.
 body           __KAM_GOOGLEPHISH1      /copy of the signed agreement/i
-rawbody                __KAM_GOOGLEPHISH2      /http:\/\/.{5,50}\/http\/docs.google.com\/login\//i
+rawbody                __KAM_GOOGLEPHISH2      /http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i
 
 meta           KAM_GOOGLEPHISH         (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
 describe       KAM_GOOGLEPHISH         Google Login Phishing Scam
@@ -3307,7 +3382,7 @@ meta              KAM_SHARKTANK           (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
 score          KAM_SHARKTANK           1.0
 describe       KAM_SHARKTANK           Mentions Shark Tank
 
-body           __KAM_SHARKPROD         /high blood pressure|moles|Dermabellix|follicles|drop 20|IQ/is
+rawbody                __KAM_SHARKPROD         /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
 
 meta           KAM_SHARKPROD           (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
 score          KAM_SHARKPROD           5.0
@@ -3377,17 +3452,16 @@ describe        KAM_HOMESALE    Home Sale Spams
 score          KAM_HOMESALE    3.5
 
 #ADVERTISEMENTS FOR LOANS
-header          __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$\d+ down loan|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer/i
-header          __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer/i
-body            __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems/i
-body            __KAM_LOAN4 /development.project|just.been.approved|for.your.business|loan.solution/i
+header          __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
+header          __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
+body            __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i
 
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
   mimeheader    __KAM_LOAN5A Content-Type =~ /loan offer/i
   mimeheader    __KAM_LOAN5B Content-Disposition =~ /loan offer/i
 endif
 
-meta            KAM_LOAN    (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + __KAM_LOAN4 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
+meta            KAM_LOAN    (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
 describe        KAM_LOAN    Payday and other loan spams
 score           KAM_LOAN    4.5
 
@@ -3480,7 +3554,7 @@ score           KAM_PEST    3.5
 
 #PROPHET
 header          __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
-header          __KAM_PROPHET2 From =~ /christian.*prophe|twintongues/i
+header          __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues/i
 body            __KAM_PROPHET3 /Dear Christian Friend/i
 body           __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
 body           __KAM_PROPHET5 /prophecy|rapture/i
@@ -3693,14 +3767,14 @@ describe KAM_NUMEROLOGY Pseudo-scientific spam
 score    KAM_NUMEROLOGY 3.5
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  #VOICEMAIL SPAM
-  header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
-  header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
-  body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
-
-  meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
-  describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
-  score    KAM_VOICEMAIL 5.0
+#VOICEMAIL SPAM
+header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
+header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
+body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
+
+meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
+describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
+score    KAM_VOICEMAIL 5.0
 endif
 
 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
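Review bot: Dropping the two-space indent inside `ifplugin Mail::SpamAssassin::Plugin::KAMOnly` makes it hard to see which rules are conditional on the plugin. The same flattening is applied in the later KAMOnly, MIMEHeader and AskDNS hunks. It costs most in the KAM_LAZY_DOMAIN_SECURITY hunk, where three nested conditionals now close with three identical `endif` lines at column 0. If the flattening is required by tooling, tag each closer, e.g. `endif # Mail::SpamAssassin::Plugin::KAMOnly`, so a rule that slips outside its guard or a missing `endif` is visible in review.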
@@ -3775,14 +3849,14 @@ score    KAM_MARIJUANA2   8.0
 describe KAM_MARIJUANA2   Definitely spam for marijuana
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  # EVICTION NOTICE
-  header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
-  header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
-  body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
-
-  meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
-  describe KAM_EVICTION    Malware disguised as eviction notice
-  score    KAM_EVICTION    4.5
+# EVICTION NOTICE
+header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
+header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
+body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
+
+meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
+describe KAM_EVICTION    Malware disguised as eviction notice
+score    KAM_EVICTION    4.5
 endif
 
 # WALK IN TUBS
@@ -4222,7 +4296,7 @@ describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
 
 describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
 rawbody  KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
-score    KAM_REALLYHUGEIMGSRC 1.1
+score    KAM_REALLYHUGEIMGSRC 0.5
 
 rawbody  KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
 describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
@@ -4361,11 +4435,13 @@ meta     KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >=
 score    KAM_CLOUD 3.5
 describe KAM_CLOUD Spam for cloud services
 
+#FAX AND PAPERLESS SPAM
 header   __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
-header   __KAM_PAPERLESS2 Subject =~ /paperless|fax to email|send document|fax thru email|receive faxes|send faxes|fax.message|voice.message|new.fax|have.received/i
-body     __KAM_PAPERLESS3 /fax service|service plan|view.this.fax|\d.page.fax|voice.message/i
+header   __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
+body     __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
+body    __KAM_PAPERLESS4 /link expires/i
 
-meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
+meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
 score    KAM_PAPERLESS 4.5
 describe KAM_PAPERLESS Paperless spam for the paperless office
 
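Review bot: Adding `__KAM_PAPERLESS4` to the sum while leaving the threshold at `>= 4` changes KAM_PAPERLESS from "all four tests" to "any four of five". The 4.5 score can now be reached without `HEADER_FROM_DIFFERENT_DOMAINS`, the only term that is not a keyword match. `/link expires/i` is a generic phrase and looks like a weak substitute for that test. If the looser match is not intended, either raise the threshold to `>= 5` or keep the mismatch mandatory by moving it out of the sum as `... && HEADER_FROM_DIFFERENT_DOMAINS`. The Subject rewrite also replaces `fax.message` and `new.fax` with literal spaces, so hyphen- or underscore-separated variants no longer match.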
@@ -4581,12 +4657,12 @@ describe KAM_TOLL Spam for road tolls
 score    KAM_TOLL 8.0
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  #KAM_AMAZON
-  header   __KAM_AMAZON1 From =~ /amazon\.com/i
+#KAM_AMAZON
+header   __KAM_AMAZON1 From =~ /amazon\.com/i
 
-  meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
-  score    KAM_AMAZON 4.5
-  describe KAM_AMAZON Fake Amazon email with malware
+meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
+score    KAM_AMAZON 4.5
+describe KAM_AMAZON Fake Amazon email with malware
 endif
 
 # LANDSCAPING
@@ -4619,23 +4695,23 @@ score    KAM_ADVERTISE 4.5
 
 # RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
 if (version >= 3.003002)
- ifplugin Mail::SpamAssassin::Plugin::DKIM
-    ifplugin Mail::SpamAssassin::Plugin::SPF
-      # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
-      header   __KAM_SPF_NONE    eval:check_for_spf_none()
+ifplugin Mail::SpamAssassin::Plugin::DKIM
+ifplugin Mail::SpamAssassin::Plugin::SPF
+# We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
+header   __KAM_SPF_NONE    eval:check_for_spf_none()
 
-      meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
-      score    KAM_LAZY_DOMAIN_SECURITY 1.0
-      describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
-    endif
-  endif
+meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
+score    KAM_LAZY_DOMAIN_SECURITY 1.0
+describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
+endif
+endif
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  # FORGED EMAILS WITH A VIRUS ATTACHED
-  meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
-  score    KAM_FORGED_ATTACHED 4.5
-  describe KAM_FORGED_ATTACHED Forged email with a malware attachment
+# FORGED EMAILS WITH A VIRUS ATTACHED
+meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
+score    KAM_FORGED_ATTACHED 4.5
+describe KAM_FORGED_ATTACHED Forged email with a malware attachment
 endif
 
 # LOTS OF PERIODS IN SUBJECT
@@ -4683,10 +4759,10 @@ score    KAM_LINKBAIT3 1.5
 describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  # MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
-  meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
-  score    KAM_PHISHY_DOLLARS 3.5
-  describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
+# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
+meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
+score    KAM_PHISHY_DOLLARS 3.5
+describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
 endif
 
 # RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
@@ -4713,11 +4789,11 @@ score    KAM_GOOGLE2 4.5
 describe KAM_GOOGLE2 Fake Google spam
 
 # MORE NIGERIAN VARIANTS
-body     __KAM_NIGERIAN2_1 /congo/i
+body     __KAM_NIGERIAN3_1 /congo/i
 
-meta     KAM_NIGERIAN2 (__KAM_NIGERIAN2_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
-score    KAM_NIGERIAN2 4.5
-describe KAM_NIGERIAN2 Nigerian scam variant
+meta     KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
+score    KAM_NIGERIAN3 4.5
+describe KAM_NIGERIAN3 Nigerian scam variant
 
 # FINGERHUT SPAMS
 header   __KAM_FINGERHUT1 From =~ /finger.?hut/i
@@ -4738,9 +4814,9 @@ describe KAM_FRIEND Friend request spam
 
 # ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
-  score    KAM_VERY_MALWARE 3.5
-  describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
+meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
+score    KAM_VERY_MALWARE 3.5
+describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
 endif
 
 #MERCHANT ACCOUNTS SPAM
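Review bot: `KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2` mixes the boolean and the counting style, and as far as I can tell `>=` binds tighter than `&&` in meta expressions, so it is read as `KAM_LAZY_DOMAIN_SECURITY && (KAM_RAPTOR_ALTERED >= 2)`. Unless KAM_RAPTOR_ALTERED (defined outside this hunk) can report more than one hit, the right-hand side is never true and the rule never fires. The other malware metas in this file use a sum, so this was presumably meant to be `meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY + KAM_RAPTOR_ALTERED >= 2)`. The hunk only re-indents these lines, so the expression predates this change.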
@@ -4754,24 +4830,24 @@ describe KAM_MERCHANT Spam for merchant processing
 
 # ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
-  header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
+mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
+header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
 
-  # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
-  #meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
-  #describe KAM_ZERODAY obviously a malware email that was not caught
-  #score    KAM_ZERODAY 8.0
+# DISABLED 7/16 FOR NO LONGER BEING RELEVANT
+#meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
+#describe KAM_ZERODAY obviously a malware email that was not caught
+#score    KAM_ZERODAY 8.0
 
-  # ANOTHER ONE
-  header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
+# ANOTHER ONE
+header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
 
-  meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
-  score    KAM_ZERODAY2 1.0
-  describe KAM_ZERODAY2 Another obvious zero-day malware
+meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
+score    KAM_ZERODAY2 1.0
+describe KAM_ZERODAY2 Another obvious zero-day malware
 
-  meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
-  score    KAM_ZERODAY3 3.5
-  describe KAM_ZERODAY3 Another obvious zero-day malware
+meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
+score    KAM_ZERODAY3 3.5
+describe KAM_ZERODAY3 Another obvious zero-day malware
 endif
 
 # FAMILY TREE SPAM
@@ -4797,9 +4873,9 @@ body     __KAM_NOISE1 /([a-z0-9],){12}/i
 body     __KAM_NOISE2 /([a-z]{1,10},){10}/i
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
-  describe KAM_NOISE1 Pattern of noise words at the end of an email
-  score    KAM_NOISE1 2.5
+meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
+describe KAM_NOISE1 Pattern of noise words at the end of an email
+score    KAM_NOISE1 2.5
 endif
 
 # FREE PIZZA WOO!
@@ -4933,11 +5009,11 @@ describe KAM_DROPBOX Fake Dropbox emails
 
 # BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
+header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
 
-  meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
-  describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
-  score    KAM_YAHOO_MISTAKE -3.0
+meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
+describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
+score    KAM_YAHOO_MISTAKE -3.0
 endif
 
 # GARBAGE FREEMAIL
@@ -5008,17 +5084,17 @@ header   __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
 header   __KAM_BADPHP2 X-Source-Args =~ /css.php/i
 
 meta     KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
-score    KAM_BADPHP 2.5
+score    KAM_BADPHP 3.5
 describe KAM_BADPHP Questionable PHP mailer headers
 
 # TINNITUS
-header   __KAM_TINNITUS1 From =~ /tinnitus.breakthrough/i
-header   __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week/i
-body     __KAM_TINNITUS3 /scientifically.proven|end.tinnitus/i
+header   __KAM_TINNITUS1 From =~ /tinnitus.?(911|breakthrough)/i
+header   __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic/i
+body     __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing/i
 
 meta     KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
 describe KAM_TINNITUS Tinnitus spam
-score    KAM_TINNITUS 3.5
+score    KAM_TINNITUS 4.5
 
 # KIWIBANK
 header   __KAM_KIWIBANK1 From =~ /kiwibank/i
@@ -5057,17 +5133,17 @@ describe KAM_CAD Spam for CAD services
 score    KAM_CAD 3.5
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  #SPAM WITH OFFICE MACROS
-  header   __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+#SPAM WITH OFFICE MACROS
+header   __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
 
-  meta    KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
-  describe KAM_VBMACRO Message contains attachment with VB macro
-  score    KAM_VBMACRO 6.5
-  
-  #SPAM THAT INDICATES DYNAMIC IP
-  header   KAM_DYNIP   X-KAM-DynamicIndicator =~ /True/i 
-  describe KAM_DYNIP   Message contains Dynamic IP Address Indicator
-  score    KAM_DYNIP   6.5
+meta      KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
+describe KAM_VBMACRO Message contains attachment with VB macro
+score    KAM_VBMACRO 6.5
+
+#SPAM THAT INDICATES DYNAMIC IP
+header   KAM_DYNIP   X-KAM-DynamicIndicator =~ /True/i 
+describe KAM_DYNIP   Message contains Dynamic IP Address Indicator
+score    KAM_DYNIP   6.5
 endif
 
 
@@ -5131,23 +5207,23 @@ describe KAM_DRIVE Spam for ordering office equipment
 
 #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta          KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
-  score         KAM_QUITE_BAD_DNSWL    3.25
-  describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+score   KAM_QUITE_BAD_DNSWL    3.25
+describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 else
-  meta          KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
-  score         KAM_QUITE_BAD_DNSWL    3.25
-  describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+score   KAM_QUITE_BAD_DNSWL    3.25
+describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta          KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
-  score         KAM_BAD_DNSWL  7.0
-  describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+score   KAM_BAD_DNSWL  7.0
+describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 else
-  meta          KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
-  score         KAM_BAD_DNSWL  7.0
-  describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+score   KAM_BAD_DNSWL  7.0
+describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 endif
 
 # HEARING LOSS
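Review bot: `score` and `describe` for KAM_QUITE_BAD_DNSWL and KAM_BAD_DNSWL are repeated in both the `ifplugin` and `else` branches, although only the `meta` line differs. The `meta` copies have already drifted in spacing, and a later score change could easily be applied to one branch only. Moving the two shared lines below each `endif` keeps a single definition. `RCVD_IN_LASHBACK` is also dropped from all four expressions without explanation; a comment such as `# RCVD_IN_LASHBACK removed: <reason>` would tell operators with local overrides why coverage changed.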
@@ -5210,8 +5286,8 @@ body      __KAM_GOOGLE_AWARD3     /Dear Google/i
 body   __KAM_GOOGLE_AWARD4     /Official Notification Letter/i
 
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader   __KAM_GOOGLE_AWARD5A    Content-Type =~ /Google Award/i
-  mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
+mimeheader     __KAM_GOOGLE_AWARD5A    Content-Type =~ /Google Award/i
+mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
 endif
 
 meta   KAM_GOOGLE_AWARD        (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1)  >= 4)
@@ -5243,25 +5319,26 @@ describe        KAM_STUDENTLOAN Student Loan Scam
 
 #RESUME
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  header   __JMQ_RESUME1 Subject =~ /resume/i
-  body     __JMQ_RESUME2 /hello my name|my name is/i
-  body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
-  mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
-  mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
-
-  meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
-  score    JMQ_RESUME 4.5
-  describe JMQ_RESUME Spam for bad attached resumes
+header   __JMQ_RESUME1 Subject =~ /resume/i
+body     __JMQ_RESUME2 /hello my name|my name is/i
+body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
+mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
+mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
+
+meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
+score    JMQ_RESUME 4.5
+describe JMQ_RESUME Spam for bad attached resumes
 endif
 
 #LED/SOLAR LIGHTS
-header          __KAM_LED1  Reply-to =~ /huixinsoft\d*\@foxmail.com/i
-body           __KAM_LED2      /solar (lighting|led)/i
-body           __KAM_LED3      /China aier/i
+header         __KAM_LED1      From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun/i
+body           __KAM_LED2      /(garage|LED Fan) Light|sun-?like|\dx the brightness/i
+tflags         __KAM_LED2      nosubject
+header         __KAM_LED3      Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED/i
 
-meta           KAM_LED         (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 2)
-describe       KAM_LED         Solar LED Lighting Spams
-score          KAM_LED         5.5
+meta           KAM_LED         (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
+describe       KAM_LED         LED Lighting Spams
+score          KAM_LED         4.5
 
 # REAL ESTATE
 header   __JMQ_REALESTATE1 From =~ /tom.brice/i
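Review bot: In `__KAM_LED1` the quantifiers in `light? ?bulb` and `Sun.?like?.?Bulb` apply to the preceding letter, so they make the `t` and the `e` optional as well as the separator. If only the separator was meant to be optional, `light ?bulb` and `Sun.?like.?Bulb` say that directly; if the misspellings are deliberate, a short comment would stop a later "fix". `tflags __KAM_LED2 nosubject` also depends on the running SpamAssassin recognising that flag. Unlike the `if (version >= 3.003002)` guard used elsewhere in this file, it has no version test, so confirm it against the oldest release this package supports.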
@@ -5291,13 +5368,13 @@ describe JMQ_RESUME3 Yet more resume spam
 
 # SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY - 
 ifplugin Mail::SpamAssassin::Plugin::AskDNS
-  askdns   JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
-  describe JMQ_SPF_NEUTRAL SPF set to ?all 
-  score    JMQ_SPF_NEUTRAL 0.5
+askdns   JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
+describe JMQ_SPF_NEUTRAL SPF set to ?all 
+score    JMQ_SPF_NEUTRAL 0.5
 
-  askdns   JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
-  describe JMQ_SPF_ALL SPF set to +all!
-  score    JMQ_SPF_ALL 0.5
+askdns   JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
+describe JMQ_SPF_ALL SPF set to +all!
+score    JMQ_SPF_ALL 0.5
 endif
 
 # IMPORTANT MESSAGE
@@ -5411,7 +5488,7 @@ meta     KAM_RUIN       __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
 score    KAM_RUIN       5.25
 describe KAM_RUIN       Bank Phishing Scam
 
-#BANK
+#WEIGHT
 body    __KAM_WEIGHT2_1     /goodbye to her waist|wild transformation/i
 header  __KAM_WEIGHT2_2     Subject =~ /looks \d+ overnight|no gym/i
 body    __KAM_WEIGHT2_3     /melissa mccarthy|now looks \d+/i
@@ -5493,7 +5570,7 @@ score     KAM_NUMSUBJECT        0.5
 describe  KAM_NUMSUBJECT        Subject ends in numbers excluding current years
 
 #BAD PDF
-header         KAM_MGCS        Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+/i
+mimeheader      KAM_MGCS        Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
 score          KAM_MGCS        10.0
 describe       KAM_MGCS        Boundary Content Indicative of Ratware
 
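Review bot: `KAM_MGCS` is now a `mimeheader` rule but is not wrapped in `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` / `endif` as the other `mimeheader` rules in this file are. Without that plugin loaded, the line is likely to be reported as a configuration error. In the added alternative, `[\xC2\xB7]` is a character class that matches either single byte, not the two-byte sequence; if the UTF-8 middle dot was intended it should be `\xC2\xB7`. `(?=)?` is an optional empty lookahead and constrains nothing; possibly `(\?=)?` was meant. Because the rule scores 10.0 on its own, I would tighten the pattern and update `describe`, which still speaks only of boundary content.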
@@ -5577,13 +5654,13 @@ body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am wait
 #describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
 
 #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
- #All Control chars like NUL except \n which should exist once legitimately
- #Investigating double-byte language FP. Reverting back to just \0
+#All Control chars like NUL except \n which should exist once legitimately
+#Investigating double-byte language FP. Reverting back to just \0
 #header   __KAM_MAILSPLOIT1   From =~ /[\x00-\x09\x0b-\x1f]/
 header   __KAM_MAILSPLOIT1   From =~ /[\0]/
 describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index
 
- #\n Multiple in the From Header
+#\n Multiple in the From Header
 header  __KAM_MAILSPLOIT2    From =~ /[\n]/ 
 describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
 tflags  __KAM_MAILSPLOIT2    multiple maxhits=2
@@ -5639,22 +5716,30 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
 
-  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code/i
-  #Different encodings
-  body         __KAM_CRIM2     /(bit-?<C><O><I>n|BTC|DSH|cryptocurrency)/i
-  body         __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n|\d\d\d usd|DSH\)? address|Address part/i
-  body         __KAM_CRIM4     /erotica|<P>orn|promising evidence|video|<M>asturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana|perversion/i
+  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i
 
-  body         __KAM_CRIM5     /(twenty.?four|24).?hours|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours only to send the fund|address immediately|tr\@nsfer the amount/i
+  #Bitcoin
+  body         __KAM_CRIM2     /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i
 
-  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|porn/i
+  #Payment
+  body         __KAM_CRIM3     /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i
 
-  header               __KAM_CRIM7     From =~ /h<A>ck<E>r|know/i
+  #Sexually explicit
+  body         __KAM_CRIM4     /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
 
+  #TIME
+  body         __KAM_CRIM5     /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
 
-  meta         KAM_CRIM        (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
+  #Subject
+  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
+  
+  #From
+  header               __KAM_CRIM7     From =~ /h<A1>ck<E1>r|know/i
+
+
+  meta         KAM_CRIM        (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
   describe     KAM_CRIM        Extortion Email
-  score                KAM_CRIM        7.5
+  score                KAM_CRIM        8.5
 endif
 
 #KAM_CRIM_V2
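Review bot: The `KAM_CRIM` meta now adds `__KAM_CRIM7` and `FUZZY_BITCOIN` to the sum but keeps `>= 4`, so the rule goes from 4-of-6 to 4-of-8 while its score rises to 8.5. Two of the new terms are weak or redundant: `__KAM_CRIM7` matches any From containing `know`, and `FUZZY_BITCOIN` (defined outside this hunk) presumably fires on the same bitcoin mention as `__KAM_CRIM2`, so one piece of evidence can be counted twice. Consider raising the threshold to `>= 5`, or counting the bitcoin signals once with `(__KAM_CRIM2 + FUZZY_BITCOIN >= 1)` as a single term. Separately, `<U>` in `__KAM_CRIM5` and `__KAM_CRIM6` was not renamed like the other tags, and `bc[13]` only matches strings that literally begin with `bc1` or `bc3`; check both against the `replace_tag` definitions and the intended address formats. The enclosing `ifplugin ... ReplaceTags` block starts outside the hunk.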
@@ -5665,6 +5750,7 @@ body              __KAM_CRIM2_3   /adult.{0,2}video|sex.{0,2}sites/is
 meta           KAM_CRIM2       (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
 describe       KAM_CRIM2       Extortion Email
 score          KAM_CRIM2       7.5
+
 #ZWNJ
 #ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
 # Also want to look at Unicode U+200C. 
@@ -5763,10 +5849,25 @@ header   SCC_SUBBOMB_SUBJ_1     Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
 score    SCC_SUBBOMB_SUBJ_1    5
 
 # cPanel Phishing
-header         __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
-describe       __SCC_HELO_CPANELNET HELO is bare cpanel.net
-meta         SCC_FAKE_CPANEL  __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS) 
-score        SCC_FAKE_CPANEL  6
+header       __SCC_HELO_CPANELNET      X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
+describe     __SCC_HELO_CPANELNET      HELO is bare cpanel.net
+meta         SCC_FAKE_CPANEL   __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS) 
+score        SCC_FAKE_CPANEL   6
+
+header         KAM_PHISHCP     From =~ /\@cpanel\d+\.com/i
+describe       KAM_PHISHCP     Fraudulent notices purporting to be from cPanel
+score          KAM_PHISHCP     15.0
+
+uri            KAM_PHISHCP2    /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
+describe       KAM_PHISHCP2    Fraudulent notices purporting to be from cPanel
+score          KAM_PHISHCP2    15.0
+
+body           __KAM_PHISHCP3_1        /cPanel Cloud Service/
+
+meta           KAM_PHISHCP3    (__KAM_TINYDOMAIN + __KAM_PHISHCP3_1 >=2)
+describe       KAM_PHISHCP3    Fraudulent notices purporting to be from cPanel
+score          KAM_PHISHCP3    15.0
+
 
 #https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
 body           KAM_FILE                /file:\/\/\/\//i
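Review bot: `KAM_PHISHCP` and `KAM_PHISHCP2` each assign 15.0 on a single regex match against sender-supplied content, with no corroborating test, whereas `SCC_FAKE_CPANEL` just above also requires the SPF checks to fail. At that score one hit decides the verdict on its own, so the rules need a comment recording why `cpanel<digits>.com` can never appear in legitimate mail or links, e.g. `# cpanelNN.com look-alike domains seen in phishing (source: <reference>)`. `SCC_FAKE_CPANEL` itself has no `describe`; the one present is attached to the `__SCC_HELO_CPANELNET` sub-rule, which is not reported. `__KAM_PHISHCP3_1` is case-sensitive, unlike the two rules before it; if that is deliberate, say so in a comment.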
@@ -5774,14 +5875,31 @@ describe        KAM_FILE                Potential attempt for NTLM attack
 score          KAM_FILE                4.5
 
 #FUN SPAM RUN
-header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store>?$/i
-body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters/i
-body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|can't see this image/i
-header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet/i
+header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou>?$/i
+header         __KAM_FUN1A             From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater/i
 
-meta           KAM_FUN                 (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
+body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
+body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
+uri            __KAM_FUN3A             /imgstore.host/i
+
+#Subject
+header         __KAM_FUN4              Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls/i
+
+#How many/How Soon
+body           __KAM_FUN5              /\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
+#miracle!
+body           __KAM_FUN6              /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown/i
+#what
+body           __KAM_FUN7              /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends/i
+tflags         __KAM_FUN7              nosubject
+
+meta           KAM_FUN                 ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
 describe       KAM_FUN                 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
-score          KAM_FUN                 7.5
+score          KAM_FUN                 7.75
+
+meta           KAM_FUN2                ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
+describe       KAM_FUN2                Spam Engine Hawking Various Goods and Abusing a Lot of Domains
+score          KAM_FUN2                7.5
 
 #GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
 uri            KAM_DRIVENUM            /\d+\.drive\.google.com/i
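Review bot: In `__KAM_FUN1` the trailing `>?$` binds only to the last alternative, `\.cyou`; every other branch (`\.pro`, `\.info`, `\.work`, `\.best`, `\.bar`, `\.rest`, ...) matches anywhere in the From header, so an address under a host like `mail.workplace.example` or a display name containing `.pro` sets the sub-rule. If a TLD test is intended, group the alternation: `header __KAM_FUN1 From =~ /\.(?:fun|icu|pro|stream|world|monster|best|store|surf|rest|bar|asia|casa|uno|london|info|cam|work|cyou)>?$/i`. The new `uri __KAM_FUN3A /imgstore.host/i` has the same looseness with its unescaped dot, where `imgstore\.host` is presumably meant.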
@@ -5800,6 +5918,21 @@ score            KAM_SWIFT               3.0
 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
   # Custom score
   score         FROMNAME_SPOOFED_EMAIL 0.3
+
+  meta     GB_FROMNAME_SPOOF_EQUALS_TO  (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
+  describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
+  score    GB_FROMNAME_SPOOF_EQUALS_TO 0.3
+
+  meta     GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
+  describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
+  score    GB_FROMNAME_SPOOF_FREEMAIL 0.4
+
+  ifplugin Mail::SpamAssassin::Plugin::FreeMail
+    header   __FROM_EQ_REPLY            eval:check_fromname_equals_replyto()
+    meta     GB_FREEM_FROM_NOT_REPLY    ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
+    describe GB_FREEM_FROM_NOT_REPLY    From: and Reply-To: have different freemail domains
+    score    GB_FREEM_FROM_NOT_REPLY    0.4
+  endif
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
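Review bot: `GB_FROMNAME_SPOOF_FREEMAIL` depends on `FREEMAIL_FROM` but sits outside the inner `ifplugin Mail::SpamAssassin::Plugin::FreeMail` guard that `GB_FREEM_FROM_NOT_REPLY` gets. With FromNameSpoof loaded and FreeMail not, the meta would refer to a rule that is presumably undefined (its definition is not in the visible lines) and could never fire; moving its three lines inside the FreeMail block keeps the two rules consistent. Separately, the describe for `GB_FREEM_FROM_NOT_REPLY` speaks of different freemail domains, while the meta itself only requires both sides to be freemail and `__FROM_EQ_REPLY` to be false; the wording should be checked against what `check_fromname_equals_replyto()` actually compares.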
@@ -5873,29 +6006,29 @@ meta            KAM_FAVOR       (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4
 describe       KAM_FAVOR       Phishing Attempt
 score          KAM_FAVOR       7.5
 
-# WHITELIST
-#whitelist_auth_from *@pccc.com *@mcgrail.com
+# WHITELIST PCCC/MCGRAIL
+whitelist_auth *@pccc.com *@mcgrail.com
 #trusted_networks 69.171.29.0/25
 #trusted_networks 38.124.232.0/24
 
 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
-header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign/i
+header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare/i
 
 #title
-body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|Business Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|attendees list/i
+body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?|data) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|(email|attendee)s? list|global leads/i
 #db for sale
-body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list/i
+body           __KAM_LIST3_3   /(information|data) field|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following/i
 #db what
-body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|available titles\:|business profiles|database of/i
+body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|list includes|recently compiled/i
 
 meta           KAM_LIST3       (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
 describe       KAM_LIST3       Mailing List Purveyor Spam
-score          KAM_LIST3       9.0
+score          KAM_LIST3       12.25
 
  #NO SUBJ MATCH
 meta            KAM_LIST3_1     (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
 describe        KAM_LIST3_1     Likely Mailing List Purveyor Spam
-score           KAM_LIST3_1     7.5
+score           KAM_LIST3_1     5.75
 
 #MONCLER
 header         __KAM_MONCLER1  Subject =~ /moncler/i
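Review bot: The `whitelist_auth *@pccc.com *@mcgrail.com` line is now live in a ruleset that other sites install, so every consumer of KAM.cf allow-lists authenticated mail from those two domains, not only the author's own system; the line it replaces was commented out. The file header says internal rules are wrapped in a KAMOnly block, and this entry looks like it belongs there, inside `ifplugin Mail::SpamAssassin::Plugin::KAMOnly` ... `endif`. Failing that, a comment such as `# NOTE: shipped allow-list entry; remove locally if mail from these domains should be scored normally` would tell operators what they are accepting. The KAM_LIST3 pattern and score changes in the same hunk are not covered by this note.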
@@ -5954,23 +6087,34 @@ endif
 
 #OLE/VB MACROs
 ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
-  body     KAM_OLEMACRO eval:check_olemacro()
-  describe KAM_OLEMACRO Attachment has an Office Macro
-  score    KAM_OLEMACRO 6.5
+  # increase number of mime parts checked
+  olemacro_num_mime 10
+
+  if (version >= 3.0040005)
 
-  body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
-  describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
-  score    KAM_OLEMACRO_MALICE 10.0
+    body     KAM_OLEMACRO eval:check_olemacro()
+    describe KAM_OLEMACRO Attachment has an Office Macro
+    score    KAM_OLEMACRO 7.5
 
-  body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
-  describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
-  score    KAM_OLEMACRO_ENCRYPTED 2.0
+    body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
+    describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
+    score    KAM_OLEMACRO_MALICE 10.0
 
-  #This may cause more CPU usage
-  olemacro_extended_scan 1 
-  body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
-  describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
-  score    KAM_OLEMACRO_RENAME 0.1
+    body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
+    describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
+    score    KAM_OLEMACRO_ENCRYPTED 3.0
+
+    #This may cause more CPU usage
+    olemacro_extended_scan 1 
+    body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
+    describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
+    score    KAM_OLEMACRO_RENAME 0.5
+
+    meta     GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
+    describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
+    score    GB_OLEMACRO_REN_VIR 10
+
+  endif
 
   body     KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
   describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
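Review bot: `if (version >= 3.0040005)` has one digit more than the version literals used elsewhere in this file (`3.004003` a few rules further down), and compared numerically it sits just above 3.004000, so the guard is true for every release from 3.004001 on. If 3.4.5 was meant, it should read `if (version >= 3.004005)`; if not, a comment naming the minimum release would remove the doubt. The `ifplugin` block that encloses this guard continues past the end of the hunk.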
@@ -5978,7 +6122,15 @@ ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
 
   body     KAM_OLEMACRO_CSV eval:check_olemacro_csv()
   describe KAM_OLEMACRO_CSV Macro in csv file
-  score    KAM_OLEMACRO_CSV 4.0
+  score    KAM_OLEMACRO_CSV 5.0
+
+  #meta     KAM_OLEMACRO_ZIP_PW_NOMID  ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
+  #describe KAM_OLEMACRO_ZIP_PW_NOMID  OLE macro sent by a bot / ratware
+  #score    KAM_OLEMACRO_ZIP_PW_NOMID  5.0
+  
+  meta     KAM_OLEMACRO_ZIP_BOT    ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
+  describe KAM_OLEMACRO_ZIP_BOT    OLE macro sent by a bot / ratware
+  score    KAM_OLEMACRO_ZIP_BOT    5.0
 endif
 
 #Testing Rule for Subject Prefixes - See note 58397
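Review bot: The three commented-out `KAM_OLEMACRO_ZIP_PW_NOMID` lines are added together with the live `KAM_OLEMACRO_ZIP_BOT` rule that supersedes them (same description and score, wider condition); dead rule text in a distributed ruleset is better dropped or reduced to one line, e.g. `# replaces KAM_OLEMACRO_ZIP_PW_NOMID (MISSING_MID only)`. `KAM_OLEMACRO_ZIP_BOT` also reads `PDS_FROMNAME_SPOOFED_EMAIL` from inside the OLEVBMacro block; if that rule only exists when FromNameSpoof is loaded (not visible here), that branch silently never contributes, which deserves a comment. The enclosing `ifplugin` starts before this hunk.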
@@ -6000,10 +6152,22 @@ endif
 #
 #        #SHOULD NOT HIT
 #      body            NOSUBJECT_TEST_FAIL     /example/i
-#      describe        NOSUBJECT_TEST_FAIL     This should NOT hit on an email with example in the subject not not in the body because the tflag nosubject will stop the automatic prepending of subjects for testing.
+#      describe        NOSUBJECT_TEST_FAIL     This should NOT hit on an email with example in the subject not not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
 #      tflags          NOSUBJECT_TEST_FAIL     nosubject
 #endif
 
+if (version >= 3.004003)
+  ifplugin Mail::SpamAssassin::Plugin::HashBL
+      # BTC address present in BTC blacklist
+      # thanks to Henrik Krohns for the regexp
+      body          BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
+      priority      BTC_HASHBL_BLACK -100
+      tflags        BTC_HASHBL_BLACK net
+      describe      BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
+      score         BTC_HASHBL_BLACK 5.0
+  endif
+endif
+
 #Testing of HASHBL Additions - Note 58246
 if (version >= 3.004003)
   ifplugin Mail::SpamAssassin::Plugin::KAMOnly
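Review bot: `BTC_HASHBL_BLACK` is a network rule that, with the `raw` option, looks up candidate strings taken from the message body at `bl.btcblack.it`, and the comment above it does not say so. The first pattern branch, `[13][a-km-zA-HJ-NP-Z1-9]{25,34}`, accepts any base58-looking token of that length, so strings that are not addresses can be queried as well, up to `max=10` per message. I would extend the comment, e.g. `# net lookup: sends up to 10 address-like body strings per message to bl.btcblack.it; set score 0 locally to opt out`. The second `if (version >= 3.004003)` block that opens at the end of the hunk continues outside it.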
@@ -6071,16 +6235,15 @@ if (version >= 3.004003)
       header   PCCC_HASHBL_EMAIL         eval:check_hashbl_emails('wild.pccc.com', 'md5')
       describe PCCC_HASHBL_EMAIL         Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
       tflags   PCCC_HASHBL_EMAIL         net
-      score    PCCC_HASHBL_EMAIL         0.5
+      score    PCCC_HASHBL_EMAIL         1.5
       priority PCCC_HASHBL_EMAIL         -100   
 
-      # BTC address present in BTC blacklist
-      body          __HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')
-      priority      __HASHBL_BTC -100
-      tflags        __HASHBL_BTC net
-      meta          BTC_HASHBL_BLACK ( __HASHBL_BTC  && __BITCOIN_ID && !__URL_BTC_ID )
-      describe      BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
-      score         BTC_HASHBL_BLACK 5.0
+      # Email address in custom email headers found on PCCC HashBL
+      header   PCCC_HASHBL_HDR_EMAIL         eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
+      describe PCCC_HASHBL_HDR_EMAIL         Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
+      tflags   PCCC_HASHBL_HDR_EMAIL         net
+      score    PCCC_HASHBL_HDR_EMAIL         0.5
+      priority PCCC_HASHBL_HDR_EMAIL         -100   
 
       #Move this to a file like 99_hashbl_settings.cf when KAM rules become a channel
       hashbl_acl_freemail 020.co.uk
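Review bot: `PCCC_HASHBL_HDR_EMAIL` reuses the describe text of `PCCC_HASHBL_EMAIL` word for word, so a report cannot tell which of the two lookups hit; something like `describe PCCC_HASHBL_HDR_EMAIL Reply-To or sender header contains email address found on PCCC HashBL` would separate them. If the default header set of `check_hashbl_emails` already covers Reply-To (not shown here), one address can fire both rules, and with `PCCC_HASHBL_EMAIL` raised to 1.5 the pair adds 2.0; worth confirming that is intended. The surrounding `if`/`ifplugin` block opens before this hunk.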
@@ -8677,25 +8840,39 @@ endif
 #END of TEST OF HASHBL ADDITIONS
 
 #LABEL
-header         __KAM_LABEL1    Subject =~/(Checking in|(this|next) week)/i
-body   __KAM_LABEL2    /meet at your office/i
-body   __KAM_LABEL3    /make custom (shirts|sports|jackets|suits)/i
-body   __KAM_LABEL4    /(suits start at \$|shirts at \$)/i
-body   __KAM_LABEL5    /top fabrics/i
-body   __KAM_LABEL6    /\| Label/i
-
-meta           KAM_LABEL       (__KAM_LABEL1 + __KAM_LABEL2 + __KAM_LABEL3 + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 >= 6)
+header         __KAM_LABEL1    Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting)/i
+body   __KAM_LABEL2    /meet at your office|quick lead time/i
+body   __KAM_LABEL3a   /make custom (shirts|sports|jackets|suits)/i
+# bug fix thanks to Moritz Friedrich
+body   __KAM_LABEL3b   /PPE/
+body   __KAM_LABEL4    /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
+body   __KAM_LABEL5    /(premier|top|luxury) (clothing|fabric)|fortune 500/i
+body   __KAM_LABEL6    /\| Label|Label Health/i
+
+header __KAM_LABEL7    Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
+body   __KAM_LABEL8    /face ?mask|(^|\b)PPE(\b|$)/i
+
+meta           KAM_LABEL       (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6)
 describe       KAM_LABEL       Tailored clothier spam
 score          KAM_LABEL       9.0
 
+meta           KAM_LABEL2      ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
+describe       KAM_LABEL2      PPE Spam
+score          KAM_LABEL2      9.0
+
 #RBLOBFU
 body   __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
 body   __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
+body   __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i
 
 meta           KAM_RBL_OBFU    ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
 describe       KAM_RBL_OBFU    Spammers obfuscating their domain and abusing freemail
 score          KAM_RBL_OBFU    12.0
 
+meta           KAM_RBL_OBFU2   __KAM_RBL_OBFU3
+describe       KAM_RBL_OBFU2   Spammers obfuscating their domain
+score          KAM_RBL_OBFU2   9.0
+
 #Shady CC's
 body           __KAM_SHADYCC1  /(transactions?|purchases?) from your (online store|web-?shop)/i
 header         __KAM_SHADYCC2  Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
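Review bot: `__KAM_LABEL8` is a body rule without `tflags nosubject`, so a Subject containing PPE or "face mask" sets both `__KAM_LABEL7` and `__KAM_LABEL8` (the testing note earlier in this file describes the subject being prepended for body rules). Together with any `__KAM_LABEL1` subject word such as "meeting" or "schedule", `KAM_LABEL2` reaches its threshold of 3 and scores 9.0 from the Subject line alone. Adding `tflags __KAM_LABEL8 nosubject` would make the body term independent evidence. `__KAM_LABEL3b /PPE/` is also unanchored, unlike the `(^|\b)PPE(\b|$)` form used a few lines below, and matches inside longer upper-case words.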
@@ -8756,9 +8933,673 @@ describe        KAM_TRAINING            Training Phishing
 score          KAM_TRAINING            4.5
 
 #Trump Medicare
-header         __KAM_MEDICARE1         Subject =~ /Trump Medicare/i
+header         __KAM_MEDICARE2_1       Subject =~ /Trump Medicare/i
+
+meta           KAM_MEDICARE2           __KAM_MEDICARE2_1 >= 1
+describe       KAM_MEDICARE2           Medicare Scams
+score          KAM_MEDICARE2           2.0
+
+#Water hack
+header         __KAM_WATERHACK1        Subject =~ /Water Hack/i
+body           __KAM_WATERHACK2        /water hack/i
+
+meta           KAM_WATERHACK           (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
+describe       KAM_WATERHACK           Diet Scams
+score          KAM_WATERHACK           5.0
+
+#Sendgrid Exploits 
+  #thanks to Chip for another Spample on 2020-03-07
+header         __KAM_SENDGRID1         EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
+header         __KAM_SENDGRID1A        Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
+header         __KAM_SENDGRID2         Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i
+
+meta           KAM_SENDGRID            ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
+describe       KAM_SENDGRID            Sendgrid being exploited by scammers
+score          KAM_SENDGRID            1.50
+
+header         __KAM_EDU_FROM          From:addr =~ /\.edu$/i
+
+header         __KAM_SENDGRID3         Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
+header         __KAM_SENDGRID4         From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
+
+meta            KAM_SENDGRID2           ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
+describe        KAM_SENDGRID2           Sendgrid being exploited by scammers
+score           KAM_SENDGRID2           2.0
+
+#Political Spam
+header         __KAM_2020_1            Subject =~ /Re-?elect Trump|(science|funny|election|christmas|personalized|mission) (t|tee)( |-)?shirt|ginsburg shirt|officially licensed/i
+body           __KAM_2020_2            /T-?shirt|printed in the US|stink stank stunk|officially licensed|star wars/i
+tflags         __KAM_2020_2            nosubject
+
+meta           KAM_2020                (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
+describe       KAM_2020                2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
+score          KAM_2020                7.0
+
+#WeTransfer Spam
+uri            __KAM_WETRANSFER1       /wetransferfiledownload|\?email=|redirecturl/i
+header         __KAM_WETRANSFER2       From:name =~ /WeTransfer/i
+header         __KAM_WETRANSFER3       From:addr !~ /wetransfer\.com/i
+header          __KAM_WETRANSFER4      Subject =~ /via WeTransfer/i
+
+meta           KAM_WETRANSFER          (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
+score          KAM_WETRANSFER          6.0
+describe       KAM_WETRANSFER          WeTransfer Impersonators
+
+#Grey Eagle
+header __KAM_GREYEAGLE_1               From =~ /greyeagle|funding|capital|banking|lending/i
+body   __KAM_GREYEAGLE_2               /grey eagle funding/i
+
+meta           KAM_GREYEAGLE           (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
+describe       KAM_GREYEAGLE           Spammy Funding Company w/lots of Domains
+score          KAM_GREYEAGLE           10.0
+
+#Google Storage APIs
+uri            KAM_STORAGE_GOOGLE      /storage.googleapis.com|\.web.app\//i
+describe       KAM_STORAGE_GOOGLE      Google Storage API being abused by spammers
+score          KAM_STORAGE_GOOGLE      2.25
+
+#Spam Du Jour
+header         __KAM_DUJOUR1           Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
+
+body           __KAM_DUJOUR2           /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
+tflags         __KAM_DUJOUR2           nosubject
+
+header         __KAM_DUJOUR3           From =~ /(Probio|Tinnitus|Reflux|CVS)/i
+
+meta           KAM_DUJOUR              (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
+describe       KAM_DUJOUR              Spam of the Day hocking various products
+score          KAM_DUJOUR              4.5
+
+#QUINFORCE
+body           __KAM_QUINFORCE1        /q.?u.?i.?n.?f.?o.?r.?c.?e/i
+
+meta           KAM_QUINFORCE1          (__KAM_QUINFORCE1 >= 1)
+describe       KAM_QUINFORCE1          Obfuscating spamming firm
+score          KAM_QUINFORCE1          6.0
+
+#SPAMDUJOUR
+body           __KAM_CBD1              /Meridian CBD/i
+
+meta           KAM_CBD                 (__KAM_CBD1 + __KAM_OTHER_BAD_TLD2 >= 2)
+describe       KAM_CBD                 Spam du jour for CBD
+score          KAM_CBD                 4.5
+
+#COVID SCAMS
+body           __KAM_COVID1            /International Monetary fund|world health organization|empowerment fund/i
+header         __KAM_COVID2            Subject =~ /COVID?.{0,12}(payment|fund)/i
+body           __KAM_COVID3            /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
+tflags         __KAM_COVID3            nosubject
+header         __KAM_COVID4            From =~ /COVID|world ?Health|WHO/i
+
+body           __KAM_COVID5            /00 ?(EUR|USD|Dollar)/i
+
+meta           KAM_COVID               ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
+describe       KAM_COVID               Scams revolving around the pandemic
+score          KAM_COVID               6.0
+
+#COVID SCAMS
+body           __KAM_COVID2_1          /COVID-19 (CHARITY )?(fund|donated relief)/i
+tflags         __KAM_COVID2_1          nosubject
+header         __KAM_COVID2_2          Subject =~ /(little|COVID-19) (fund|donation)/i
+
+meta           KAM_COVID2              (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
+describe       KAM_COVID2              Scams revolving around the pandemic
+score          KAM_COVID2              7.5
+
+#COVID SCAMS
+body           __KAM_COVID3_1          /Prince/i
+body           __KAM_COVID3_2          /reliable source/i
+body           __KAM_COVID3_3          /\$[\d\.,]+ mil/i
+body           __KAM_COVID3_4          /assist me/i
+body           __KAM_COVID3_5          /Saudi Arabia/i
+
+meta           KAM_COVID3              (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
+describe       KAM_COVID3              Scams revolving around the pandemic
+score          KAM_COVID3              7.5
+
+#VOICEMAIL SCAM
+uri            __KAM_VM1               /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com/i
+header         __KAM_VM2               Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File/i
+body           __KAM_VM3               /(Voice ?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail)/i
+tflags         __KAM_VM3               nosubject
+body           __KAM_VM4               /recorded voice|audio message|Caller.id|CID:|mailbox \d|sign document/i
+tflags         __KAM_VM4               nosubject
+
+meta           KAM_VM                  (__KAM_VM1 +  __KAM_VM2 +  __KAM_VM3 +  __KAM_VM4 >= 3)
+score          KAM_VM                  4.5
+describe       KAM_VM                  Voice Mail & Fax Scams
+
+#Admin Notice Fraud
+header         __KAM_ADMIN1            From =~ /admin/i
+header         __KAM_ADMIN2            Subject =~ /For /i
+body           __KAM_ADMIN3            /next tax return/i
+body           __KAM_ADMIN4            /read this document/i
+
+meta           KAM_ADMIN               (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
+describe       KAM_ADMIN               Phishing attempt spoofing admins
+score          KAM_ADMIN               9.0
+
+
+#BENEFICIARY
+replace_rules  __KAM_BENEFICIARY2
+
+header         __KAM_BENEFICIARY1      Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment/i
+#what
+body           __KAM_BENEFICIARY2      /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
+tflags         __KAM_BENEFICIARY2      nosubject
+
+#bus
+body           __KAM_BENEFICIARY3      /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country/i
+#where
+body           __KAM_BENEFICIARY4      /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
+#how much
+body           __KAM_BENEFICIARY5      /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy/i
+#sob
+body           __KAM_BENEFICIARY6      /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete/i
+
+meta           KAM_BENEFICIARY         ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
+describe       KAM_BENEFICIARY         Beneficiary scams
+score          KAM_BENEFICIARY         10.5
+
+meta            KAM_BENEFICIARYLOW       ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
+describe        KAM_BENEFICIARYLOW      Beneficiary scams (Lower Confidence)
+score           KAM_BENEFICIARYLOW      6.0
+
+#NPO
+body           __KAM_NPO1              /501\(?c\)?\(?3\)?|501 c 3/i
+
+
+#BENEFICIARY
+meta            KAM_BENEFICIARY2        (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
+describe        KAM_BENEFICIARY2        Beneficiary scams
+score           KAM_BENEFICIARY2        3.0
+
+#Person Beneficiary
+body           __KAM_BENEFICIARY3_1    /Mikhail Fridman/i
+header         __KAM_BENEFICIARY3_2    From =~ /Mikhail Fridman/i
+uri            __KAM_BENEFICIARY3_3    /www.rt.com/i
+
+meta           KAM_BENEFICIARY3        (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3) 
+describe        KAM_BENEFICIARY3        Beneficiary scams
+score          KAM_BENEFICIARY3        4.5
+
+
+#Did you get my message?
+header         __KAM_DIDYOUSUBJ        Subject =~ /Did you (receive it|get my message)/i
+body           __KAM_DIDYOUBODY        /Did you (receive it|get my message)/i
+tflags         __KAM_DIDYOUBODY        nosubject
+
+#Nothing but sig
+#body          __KAM_SIGONLY1          /^.{0,10}--\b/im
+#tflags                __KAM_SIGONLY1          nosubject
+#
+#meta          KAM_SIGONLY             (__KAM_SIGONLY1 >= 2)
+#score         KAM_SIGONLY             1.5
+#describe      KAM_SIGONLY             Messages is (mostly) just a signature
+#
+##SigOnly spam
+#meta          KAM_SIGONLY2            (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
+#score         KAM_SIGONLY2            1.5
+#describe      KAM_SIGONLY2            Junk Messages using (mostly) just a signature
+
+#Blank Subject
+header         KAM_BLANKSUBJECT        Subject =~ /^\s*$/i
+describe       KAM_BLANKSUBJECT        Message has a blank Subject
+score          KAM_BLANKSUBJECT        0.25
+#Job
+#what
+header         __KAM_JOB2_1            Subject =~ /doing the job/i
+body           __KAM_JOB2_2            /represent the company/i
+#Where
+body           __KAM_JOB2_3            /Singapore/i
+#how much      
+body           __KAM_JOB2_4            /\d,?000 USD (monthly|weekly)/i
+
+meta            KAM_JOB2               (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
+describe       KAM_JOB2                Employment scams
+score          KAM_JOB2                7.5
+
+#WEB
+header         __KAM_WEB2_1            Subject =~ /follow|next step|website work/i
+body           __KAM_WEB2_2            /affordable (quot|price)|less than half/i
+body           __KAM_WEB2_3            /web (designer|develop)|new website/i
+body           __KAM_WEB2_4            /portfolio|sample|insights/i
+
+meta           KAM_WEB2                (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
+describe       KAM_WEB2                Unsolicited web workers
+score          KAM_WEB2                7.5
+
+#BANK
+header         __KAM_BANK_1            Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
+body           __KAM_BANK_2            /beneficiary|agent|investment group|deceased/i
+body           __KAM_BANK_3            /re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i
+
+meta           KAM_BANK                (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
+describe       KAM_BANK                Bank scams
+score          KAM_BANK                7.5
+
+#FAKE CERTIFICATES
+header         __KAM_CERT1             Subject =~ /Medical Certificate/i
+body           __KAM_CERT2             /review this certificate/i
+body           __KAM_CERT3             /link below/i
+
+meta           KAM_CERT                (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
+describe       KAM_CERT                Fake Certificate Scams
+score          KAM_CERT                4.5
+
+#URGENT
+header         __KAM_URGENT1           Subject =~ /^Hello$/i
+body           __KAM_URGENT2           /urgent respond/i
+body           __KAM_URGENT3           /private e?mail/i
+body           __KAM_URGENT4           /god bless/i
+body           __KAM_URGENT5           /address still valid/i
+
+meta           KAM_URGENT              ( __KAM_URGENT1 +  __KAM_URGENT2 +  __KAM_URGENT3 +  __KAM_URGENT4 +  __KAM_URGENT5 >= 5)
+describe       KAM_URGENT              Urgent Scams
+score          KAM_URGENT              7.5
+
+#INVESTMENT    
+header         __KAM_INVEST1           Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest/i
+#looking/why
+body           __KAM_INVEST2           /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance/i
+#money/deal
+body           __KAM_INVEST3           /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
+#what/where
+body           __KAM_INVEST4           /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country/i
+tflags         __KAM_INVEST4           nosubject
+
+meta           KAM_INVEST              (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
+describe       KAM_INVEST              Investment Scams
+score          KAM_INVEST              6.0
+
+#SIGNON
+header         __KAM_SIGN1             Subject =~ /New Sign-?[io]n/i
+body           __KAM_SIGN2             /review your account/i
+body           __KAM_SIGN3             /verification is processed/i
+
+meta           KAM_SIGN                (KAM_STORAGE_GOOGLE +  __KAM_SIGN1 +  __KAM_SIGN2 +  __KAM_SIGN3 >= 4)
+describe       KAM_SIGN                Sign-in Verification Scams
+score          KAM_SIGN                6.0
+
+#COVID SPAM
+header         __KAM_WEIRDC19_1        Subject =~ /The virus that causes COVID-19/i
+header         __KAM_WEIRDC19_2        From =~ /John Robert/i
+body           __KAM_WEIRDC19_3        /The virus that causes COVID-19/i
+tflags         __KAM_WEIRDC19_3        nosubject
+
+meta           KAM_WEIRDC19            (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
+describe       KAM_WEIRDC19            Odd Covid-19 spam with information
+score          KAM_WEIRDC19            7.5
+
+#PRODUCT DUJOUR
+header         __KAM_CELEB1            Subject =~ /Celebrity Doc/i
+body           __KAM_CELEB2            /resugar/i
+body           __KAM_CELEB3            /fat.burning/i
+
+meta           KAM_CELEB               (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
+describe       KAM_CELEB               Celebrity Health Scams
+score          KAM_CELEB               4.5
+
+#BEAL AND SIMILAR IMPERSONATOR
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  header       __KAM_BEAL1             From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman|janet smith/i
+  #header      __KAM_BEAL2             From:addr =~ /\@gmail\.com|\@mail\.ru/i
+  body         __KAM_BEAL3             /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman|Janet Smith/i
+  body         __KAM_BEAL4             /(reply with|forward|send me|let me have) your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out) ASAP|available at the moment|(desk|moment) right now/i
+  body         __KAM_BEAL5             /can't talk on the phone|receivable aging report|summary of all w\-?2/i
+
+  meta         KAM_BEAL                ((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + (SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
+  describe     KAM_BEAL                IMPOSTER! Will the real slim shady, please stand up?
+  score                KAM_BEAL                11.0
+endif
+
+#PROJECT
+header         __KAM_PROJECT1          Subject =~ /Project/i
+body           __KAM_PROJECT2          /business project/i
+body           __KAM_PROJECT3          /email is active/i
+body           __KAM_PROJECT4          /please respond/i
+
+meta           KAM_PROJECT             (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
+describe       KAM_PROJECT             Scam inquiries about amorphous projects
+score          KAM_PROJECT             6.0
+
+#FAKEWESTERN
+header         __KAM_FAKEWEST1         Subject =~ /Attention/i
+body           __KAM_FAKEWEST2         /Western Union/i
+body           __KAM_FAKEWEST3         /United Nation/i
+body           __KAM_FAKEWEST4         /Wrong Transfer/i
+body           __KAM_FAKEWEST5         /0[\.,]?000[\.,]?00\s?USD/i
+
+meta           KAM_FAKEWEST            (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
+describe       KAM_FAKEWEST            Fake money Transfer Scam
+score          KAM_FAKEWEST            6.0
+
+#FAKEDROPBOX
+header         __KAM_FAKEDROPBOX2_1    Subject =~ /on Dropbox/i
+
+meta           KAM_FAKEDROPBOX2        (__KAM_FAKEDROPBOX2_1 + __KAM_TINYDOMAIN + FREEMAIL_FROM >= 3)
+describe       KAM_FAKEDROPBOX2        Fake Dropbox Phish
+score          KAM_FAKEDROPBOX2        4.5
+
+header          __KAM_FAKEDROPBOX3_1    Subject =~ /new dropbox message/i
+uri            __KAM_FAKEDROPBOX3_2    /wp\-includes/i
+
+meta            KAM_FAKEDROPBOX3        (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
+describe        KAM_FAKEDROPBOX3        Fake Dropbox Phish
+score           KAM_FAKEDROPBOX3        6.0
+
+
+#FAKEMONEYGRAM
+header         __KAM_FAKEMONEYGRAM1    From =~ /Money.?Gram/i
+
+meta            KAM_FAKEMONEYGRAM       (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
+describe        KAM_FAKEMONEYGRAM       Fake Moneygram Phish
+score           KAM_FAKEMONEYGRAM       5.5     
+
+
+#FAKESHAREPOINT
+header         __KAM_FAKESHAREPOINT1   Subject =~ /by Sharepoint|payment reminder|shared|Request for Quot/i
+header         __KAM_FAKESHAREPOINT2   from =~ /sharepoint|accounts? payable|RFQ/i
+uri            __KAM_FAKESHAREPOINT3   /my\.sharepoint\.com|appdomain\.cloud/i
+body           __KAM_FAKESHAREPOINT4   /Sharepoint Fileshare/i
+mimeheader      __KAM_FAKESHAREPOINT5   Content-Type =~ /.html?\"?$/i
+
+
+meta           KAM_FAKESHAREPOINT      (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + (__KAM_FAKESHAREPOINT3 + KAM_STORAGE_GOOGLE + __KAM_FAKESHAREPOINT4 >= 1) + __KAM_FAKESHAREPOINT5 >= 3)
+describe       KAM_FAKESHAREPOINT      Fake Sharepoint Phish
+score          KAM_FAKESHAREPOINT      4.0
+
+#ENCRYPTED ZIP
+body           __KAM_BADZIP1           /attached (to email|document)|take a look/i
+body           __KAM_BADZIP2           /Encrypted zip/i
+uri            __KAM_BADZIP2A          /drive.google.com.*export=download/i
+body           __KAM_BADZIP3           /(order|urgent|report|dialogue)/i
+body           __KAM_BADZIP4           /password:/i
+
+meta           KAM_BADZIP              (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
+describe       KAM_BADZIP              Encrypted Zip File Indicating a Scam
+score          KAM_BADZIP              6.0
+
+#VERIZON SCAM
+
+header         __KAM_VERIZON1          Subject =~ /verizon wireless security message/i
+header         __KAM_VERIZON2          From:name =~ /Verizon/i
+header         __KAM_VERIZON3          From:addr !~ /verizon/i
+
+#What
+body           __KAM_VERIZON4          /Update required immediately/i
+#how
+body           __KAM_VERIZON5          /update your account information/i
+#Problem
+body           __KAM_VERIZON6          /deactivated/i
+#Money
+body           __KAM_VERIZON7          /credit card|bank account/i
+
+meta           KAM_VERIZON             (__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
+describe       KAM_VERIZON             Fake Wireless account notices
+score          KAM_VERIZON             9.5
+
+#Docusign SCAM
+header         __KAM_DOCUSIGN1         Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service/i
+header         __KAM_DOCUSIGN2         From:name =~ /docusign/i
+header         __KAM_DOCUSIGN3         From:addr !~ /docusign/i
+
+uri            __KAM_DOCUSIGN4         /\.weebly\.com|docs\.google\.com/i
+
+meta           KAM_DOCUSIGN            ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
+describe       KAM_DOCUSIGN            Fake Document Signature account notices
+score          KAM_DOCUSIGN            4.5
+
+#Invalid From
+header         __KAM_TWODOTS           From:addr =~ /\@.*\.\./i
+
+meta           KAM_INVALIDFROM         (__KAM_TWODOTS >= 1)
+describe       KAM_INVALIDFROM         Invalid From Address
+score          KAM_INVALIDFROM         5.0
+
+#Client Fake Invoice
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+  header       __KAM_FAKEINV1          From =~ /headoffice/i
+  header       __KAM_FAKEINV1A         Reply-to =~ /no.?reply\@/i
+
+  body         __KAM_FAKEINV2          /dearest client/i
+
+  mimeheader    __KAM_FAKEINV3          Content-Type =~ /.xls\"?$/i
+
+  meta         KAM_FAKEINV             ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
+  describe     KAM_FAKEINV             Fake Customer Invoices
+  score                KAM_FAKEINV             4.5
+endif
+
+#IMAGE ONLY
+meta           KAM_IMAGEONLY           (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
+describe       KAM_IMAGEONLY           Email from a questionable TLD that contains primarily just an image
+score          KAM_IMAGEONLY           0.75
+
+#HOLIDAY 2020 GIFTS
+header         __KAM_HOLIDAY2020_1     Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
+body           __KAM_HOLIDAY2020_2     /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
+tflags         __KAM_HOLIDAY2020_2     nosubject
+header         __KAM_HOLIDAY2020_3     From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i
+
+meta           KAM_HOLIDAY2020         (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
+describe       KAM_HOLIDAY2020         Holiday Gifts 2020 Spam
+score          KAM_HOLIDAY2020         4.0
+
+#GOOGLE FORM
+uri            __KAM_GOOGLEFORM_1      /docs\.google\.com\/forms\//i
+body           __KAM_GOOGLEFORM_2      /Untitled|Formulaire sans titre/i
+body           __KAM_GOOGLEFORM_3      /foundation is donating/i
+
+meta           KAM_GOOGLEFORM          (__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
+describe       KAM_GOOGLEFORM          Untitled or Spam Google Form
+score          KAM_GOOGLEFORM          4.0
+
+header         __GB_RETPATH_GOOG_TRIX  Return-Path =~ /\@trix\.bounces\.google\.com/
+
+meta           GB_RETPATH_GOOG_TRIX    __GB_RETPATH_GOOG_TRIX
+describe       GB_RETPATH_GOOG_TRIX    Email from Google subdomain being abused by spammers
+score          GB_RETPATH_GOOG_TRIX    2.00
+
+#BENEFICIARY FAKE FORM
+body           __KAM_DISCLOSE1         /enable me disclose|indicate your? interest|something important/i
+
+meta           KAM_FAKEFORM            ((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
+describe       KAM_FAKEFORM            Fake Form for Scams
+score          KAM_FAKEFORM            4.0
+
+#2ND AMMENDMENT
+body           __KAM_2ND_1             /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
+body           __KAM_2ND_2             /2nd am?mendment|concealed carry|right to carry/i
+header         __KAM_2ND_3             From =~ /2nd amm?endment|Concealed/i
+
+meta           KAM_2ND                 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
+describe       KAM_2ND                 Political / 2nd Ammendement Spam
+score          KAM_2ND                 4.5
+
+#SPAM DU JOUR - MASKS
+body           __KAM_KN_1              /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
+tflags         __KAM_KN_1              nosubject
+body           __KAM_KN_2              /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
+tflags         __KAM_KN_2              nosubject
+header         __KAM_KN_3              Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
+header         __KAM_KN_4              From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i
+
+meta           KAM_KN                  (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
+describe       KAM_KN                  Spam Du Jour for Masks
+score          KAM_KN                  4.5
+
+#SPAM DU JOUR - BAD CREDIT
+body           __KAM_BADCRED_1         /bad credit/i
+tflags         __KAM_BADCRED_1         nosubject
+header         __KAM_BADCRED_2         Subject =~ /bad credit.*off track/
+
+meta           KAM_BADCRED             (__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
+describe       KAM_BADCRED             Spam Du Jour for Bad Credit
+score          KAM_BADCRED             3.0
+
+#SPAM DU JOUR - SPO2
+replace_rules  __KAM_SPO2_2 __KAM_SPO2_3
+
+body           __KAM_SPO2_1            /pulse oximeter|touchless thermometer/i
+body           __KAM_SPO2_2            /C<O1>VID/i
+tflags         __KAM_SPO2_2            nosubject
+header         __KAM_SPO2_3            Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
+header         __KAM_SPO2_4            From =~ /health|infrared|oximeter|Painless/i
+
+meta           KAM_SPO2                (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
+describe       KAM_SPO2                COVID Spams
+score          KAM_SPO2                4.5
+
+#SPAM DU JOUR - HEATED VEST
+body           __KAM_VEST1             /(heated|thermal) vest/i
+tflags         __KAM_VEST1             nosubject
+header         __KAM_VEST2             Subject =~ /stay toasty/i
+header         __KAM_VEST3             From =~ /thermal vest/i
+
+meta           KAM_VEST                (__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
+describe       KAM_VEST                Spam Du Jour for Vests
+score          KAM_VEST                4.5
+
+#FAKE CVS
+header         __KAM_CVS1              From =~ /CVS Pharm/i
+header         __KAM_CVS1A             From:addr !~ /\@cvs.com/i
+body           __KAM_CVS2              /CVS/
+tflags         __KAM_CVS2              nosubject
+header         __KAM_CVS3              Subject =~ /CVS Pharm/i
+
+meta           KAM_CVS                 ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
+describe       KAM_CVS                 Fake CVS Spams
+score          KAM_CVS                 6.0
+
+#HACKED EXPLOIT
+body           __KAM_HACK1             /(phone|electronic|computer) have been hacked|suspected online scam/i
+body           __KAM_HACK2             /read attached|click here for verification/i
+body           __KAM_HACK3             /save yourself|lead to your arrest/i
+header         __KAM_HACK4             From:name =~ /justice dep/i
+
+meta           KAM_HACK                (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
+describe       KAM_HACK                Hacker Exploitation Email
+score          KAM_HACK                4.5
+
+#FAKE INVOICES
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+header         __KAM_FAKEINV2_1        Subject =~ /lnv (remittance|\& check)/i
+body           __KAM_FAKEINV2_2        /(find|see) (the )?attach/i
+body           __KAM_FAKEINV2_3        /not mail the check|typeform\.com/i
+mimeheader     __KAM_FAKEINV2_4        Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i
+
+meta           KAM_FAKEINV2            (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
+describe       KAM_FAKEINV2            Fake Invoice Scams
+score          KAM_FAKEINV2            6.0
+
+endif
+
+#FAKE ADS
+header         __KAM_FAKEAD1           Subject =~ /brand medication|stubborn fat/i
+body           __KAM_FAKEAD2           /click here to UNSUBSCRIBE|start shopping|here\'s how/i
+uri            __KAM_FAKEAD3           /\/bit\.ly/i
+body           __KAM_FAKEAD4           /Sweet passion|no plastic surgery/i
+
+meta           KAM_FAKEAD              (__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
+describe       KAM_FAKEAD              Fake Advertisements
+score          KAM_FAKEAD              6.0
+
+#FAKE REGISTRY SCAMS
+body           __KAM_FAKE_REGISTRY1    /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
+uri            __KAM_FAKE_REGISTRY2    /domainregistryasia\.net|domainregistryasia\.cn/i
+
+meta           KAM_FAKE_REGISTRY       (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
+describe       KAM_FAKE_REGISTRY       Fake Domain Registry Scammers trying to get you to buy unneeded domains
+score          KAM_FAKE_REGISTRY       5.0
+
+#FAKE Fax
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+  mimeheader    __KAM_FAKE_FAX1        Content-Type =~ /.*(fax).*\.htm/i
+endif
+body           __KAM_FAKE_FAX2         /incoming fax|fax received/i
+header         __KAM_FAKE_FAX3         Subject =~ /Fax/i
+body           __KAM_FAKE_FAX4         /invoice/i
+
+meta           KAM_FAKE_FAX            (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
+describe       KAM_FAKE_FAX            Fake Fax Scam
+score          KAM_FAKE_FAX            8.0
+
+#FAKE TRUST
+body           __KAM_FAKE_TRUST1       /Message is from a .{0,40}trusted source/i
+
+meta           KAM_FAKE_TRUST          (__KAM_FAKE_TRUST1 >= 1 )
+describe       KAM_FAKE_TRUST          Scams about trusted sources
+score          KAM_FAKE_TRUST          3.5
+
+#FAKE INVOICE
+header          __KAM_FAKE_INVOICE1     Subject =~ /payment advice/i
+body            __KAM_FAKE_INVOICE2     /Payment advice/i
+
+meta            KAM_FAKE_INVOICE        (T_HTML_ATTACH + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
+describe        KAM_FAKE_INVOICE        Fake Invoice Scam 
+score           KAM_FAKE_INVOICE        6.0
+
+#BAD PRODUCTS
+header         __KAM_BAD_PRODUCT1      Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
+body           __KAM_BAD_PRODUCT2      /Dolphin sealer|hotstreak plug|Rapid thaw tray/i
+
+meta           KAM_BAD_PRODUCT         (__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
+describe       KAM_BAD_PRODUCT         Spammy Products
+score          KAM_BAD_PRODUCT         3.0
+
+#BAD LINK
+uri            __KAM_BAD_LINK1         /\.pdf\.iso$/i
+
+meta           KAM_BAD_LINK            (__KAM_BAD_LINK1 >= 1)  
+describe       KAM_BAD_LINK            Potentially dangerous link in email
+score          KAM_BAD_LINK            10.0
+
+#BAD CITIZENS 
+header         __KAM_CITIZEN1          Subject =~ /Citizens Bank Ealert/i
+body           __KAM_CITIZEN2          /Important (message|Notice) From Citizens/i
+uri            __KAM_CITIZEN3          /phpmailer|wp-admin|.well-known/i
+header         __KAM_CITIZEN4          From:name =~ /Citizens ?Bank/i
+header         __KAM_CITIZEN5          From:addr !~ /citizen/i
+
+meta           KAM_CITIZEN             (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
+describe       KAM_CITIZEN             Fake Bank Alert Scam
+score          KAM_CITIZEN             7.5
+
+#BAD PRODUCTS
+header         __KAM_PRODUCT2_1        Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger/i
+body           __KAM_PRODUCT2_2        /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen (device|gadget)|Better Butter|savage.?grow/i
+header         __KAM_PRODUCT2_3        From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow/i
+
+meta           KAM_PRODUCT2            ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
+describe       KAM_PRODUCT2            Scammy Products prevalent in spam
+score          KAM_PRODUCT2            4.5
+
+#BAD_PDF_LINK
+#uri_detail      KAM_PDF_FAKE            text =~ /\.PDF/i  cleaned =~ /\.github.io\//i
+#describe      KAM_PDF_FAKE            Links to Fake PDFs
+#score         KAM_PDF_FAKE            5.0
+
+#SCAM INQUIRY
+#what
+body           __KAM_INQUIRY_1         /inquiry for purchase|product catalog|price list|reply with catalog/i
+#subj
+header         __KAM_INQUIRY_2         Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
+#oddities
+body           __KAM_INQUIRY_3         /terms? (\&|and) conditions?|rightful dep/i
+#Forwarder
+body           __KAM_INQUIRY_4         /certificate of origin|import\export|trading company/i
+
+meta           KAM_INQUIRY             (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
+describe       KAM_INQUIRY             Product Inquiry Scams
+score          KAM_INQUIRY             7.0
+
+#FROM NAME SPAM
+header         __KAM_FROM_NAME_FAKERBL From:name =~ /Savagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady.com|Betterbutterspreader.com/i
+
+meta           KAM_FROM_NAME_FAKERBL   (__KAM_FROM_NAME_FAKERBL >= 1)
+describe       KAM_FROM_NAME_FAKERBL   From name contains a URL that is spammy
+score          KAM_FROM_NAME_FAKERBL   6.0
 
-meta           KAM_MEDICARE            __KAM_MEDICARE1 >= 1
-describe       KAM_MEDICARE            Medicare Scams
-score          KAM_MEDICARE            2.0
 # EOF