-#KAM.cf - Apache SpamAssassin Rules
+#KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
# Bill Cole & Giovanni Bechis
#Installation: There are multiple files that make up the KAM ruleset including
-#heavyweight, deadweight, & nonKAMrules. KAM.cf is changing to a channel-based
-#distribution. Watch the users@spamassassin.apache.org mailing list for an
-#announcement in early November 2020.
+#heavyweight, deadweight, & nonKAMrules. The KAM ruleset is now a channel!
+#
+#Please see https://mcgrail.com/template/kam.cf_channel for more information
+
#The ruleset includes internal rules so not every rule will be useful but
#we encapsulate those in a KAMOnly defined loop.
# for content. For example, the sexually explicit items and the stock tips.
# FPs in these rules will be quickly addressed.
-#Copyright (c) 2020 Kevin A. McGrail and the McGrail Foundation
+#Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
-body __KAM_VIAGRA_FPS /via gra|i augur/i
+# FP for Via Great thanks to Shane Williams
+body __KAM_VIAGRA_FPS /via gre?a|i augur/i
meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
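Review bot: The `meta KAM_VIAGRA4` line in this hunk does not consult `__KAM_VIAGRA_FPS`, so the widened `/via gre?a|i augur/i` exclusion only has an effect if a meta outside this hunk subtracts it; worth confirming that wiring exists before relying on this fix. Note that `via gre?a` matches any "via grea…"/"via gra…" text, including a spaced-out "via gra" rendering of the drug name itself, which is presumably the accepted trade-off for the Via Great / Via Gramsci FPs. The other FP comments in this file carry a date; `# <DATE> FP for Via Great thanks to Shane Williams` would keep that convention.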
body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
-body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)B.?Z.?I.?C(\b|$)/is
+#FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
+body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
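Review bot: Tightening `__KAM_STOCKTIP147` to a literal `BZIC` fixes the Bozic FP, but the sibling `__KAM_STOCKTIP145` (a context line here) keeps the same loose `N.?V.?L.?X.?` shape, which under `/is` also matches across ordinary words — "novel x" satisfies it letter by letter. If the separator-tolerant form is not needed for that ticker either, `body __KAM_STOCKTIP145 /Nuvilex|(\b|^)NVLX(\b|$)/is` would be consistent with this change.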
header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
-header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck)/i
+
+#TRYING TO GET RID OF FPs WITH LAST NAMES
+header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^))/i
+
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs/i
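Review bot: The trailing `(\b|^)` added to the last alternative of `__KAM_SEX_EXPLICIT3` reduces to `\b`, because without `/m` the `^` branch can never match after a word character; `fuck(s|ing)?\b` expresses the same thing more plainly. If the FP being chased is a surname that merely contains the string, it is the leading boundary that excludes it, so `\bfuck(s|ing)?\b` may be the intended form. The earlier alternatives (`better sex`, `Local MILFs`) stay unanchored, which is presumably deliberate.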
#remove f\#ck for FPs
#2019-11-24 - Removed .bid for FPs
#2020-06-04 - Added FP check for td.date and div.top
#2020-08-23 - Added guru
-header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru)$/i
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru)($|\/)/i
+header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa)$/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|Casa)($|\/)/i
#FPs
uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
-describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru & .date TLD Abuse
+describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa & .date TLD Abuse
score KAM_SOMETLD_ARE_BAD_TLD 5.0
#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
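Review bot: The new TLD is spelled `Casa` in the `uri` rule but `casa` in the `From:addr` rule; both regexes carry `/i` so behaviour is identical, but the mixed case reads as a typo — `uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|casa)($|\/)/i`. The earlier additions each have a dated changelog comment (`#2020-08-23 - Added guru`); a matching `#<DATE> - Added casa` line keeps that record complete. Because KAM_SOMETLD_ARE_BAD_TLD scores 5.0 on the From check alone, any legitimate sender on a `.casa` domain now reaches the default threshold from this rule by itself, so it deserves the same FP watch the `td.date`/`div.top` negative rule was added for.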
#LOTTO CRUD
body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
-body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
+body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
-body __KAM_LOTTO4 /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
+body __KAM_LOTTO4 /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
-body __KAM_LOTTO5 /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
+body __KAM_LOTTO5 /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
-body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address/is
+body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
score KAM_LOTTO2 1.25
-meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
+meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
score KAM_LOTTO3 3.0
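Review bot: The `meta KAM_LOTTO3` line now depends on `LOTS_OF_MONEY`, which is not defined in this ruleset but comes from the stock SpamAssassin rules, so the channel now assumes those rules are loaded; a comment such as `# LOTS_OF_MONEY is a stock SpamAssassin rule, not part of KAM` would make that dependency explicit. In `__KAM_LOTTO2`, `Micros(oft)? ID` sits outside the enclosing group and also accepts the bare `Micros ID`; if only the full word is meant, `Microsoft ID` is tighter. `(microsoft|Royal Heritage) (promotion|Lottery)` in `__KAM_LOTTO5` will also fire on genuine Microsoft marketing text, which is probably acceptable at one point out of five but worth noting.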
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order/i
- mimeheader __KAM_BADPO2 Content-type =~ /PDF.html/i
+ mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
+ mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
endif
header __KAM_BADPO3 Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
#SEARCH ENGINE SPAM
#Subj
-header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|1st page/i
+header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page/i
#what specific
-body __KAM_SEARCH2 /search engine|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
+body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
#ranging
body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search/i
#how
-body __KAM_SEARCH4 /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
+body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
#who
-rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|SEO expert|sales manager/i
+rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|(search engine|SEO) (consultant|expert|Service)|sales manager/i
meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score KAM_SEARCH 5.0
describe KAM_SEXSUBJECT Sexually Explicit Subject
#RUSSIAN WIFE/BRIDE SCAMS
-header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian) ?(beaut|single|women|bride|lad(y|ies)|babe)/i
-body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian) (women|beaut)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl|sexy photos/i
-header __KAM_WIFE3 From =~ /(asian|russian).?(dat|bride|single|women|beaut)|(date|nice).?(russian|asian)/i
+header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe)/i
+body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
+tflags __KAM_WIFE2 nosubject
+header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice).?(russian|asian)/i
meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score KAM_WIFE 8.0
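Review bot: The rewritten `__KAM_WIFE2` requires a literal space between the nationality and the noun, whereas the removed `Russian ?bride` also matched the run-together form, so a body containing `Russianbride` no longer counts toward KAM_WIFE; `(russian|asian|ukrai?nian) ?(women|beaut|bride|girl)` restores that while keeping the new nationalities. Adding `Ukrai?nian` to the Subject rule `__KAM_WIFE1` means phrases like "Ukrainian women" in legitimate news or relief mail now score one of the two sub-rules needed before the 8.0 applies, which seems worth a dated FP comment so the choice is recorded.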
replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
#ISSUE
- body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|email).(limit|quota|size|capacity)|(box|quota) is (almost )?full|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming) (message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) noti|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred/i
+ body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|email|mailbox).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?fu<L1><L1>|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended/i
tflags __KAM_MAILBOX1 nosubject
#ACTION
- body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(<A1>ccount|(web-?)?mail|info|email|web ?mail)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) upgrade|create some additional storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) them|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|same password|mail verification|same password|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?pending|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)/i
+ body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (withheld|recent) (incoming|messages|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|keep (current|same) password|change password|stop (this action|account removal)|fix your email/i
tflags __KAM_MAILBOX2 nosubject
#SUBJECT
- header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system) (attention|warning|noti)|needs to be upgraded|(incoming|pending) ((e-?)?mails|document|message)|(del<I1>v<E1>ry|synchronization) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) e?mail|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(Final|security|account|password) (update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}suspend|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate/i
+ header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|security|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|\d emails? suspended|error sync|(e-?mails?|messages) (are )?pending/i
meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG >= 2)
- score KAM_MAILBOX 6.75
+ score KAM_MAILBOX 7.75
describe KAM_MAILBOX Mailbox Quota Phishing Scams
meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
- score KAM_MAILBOX2 4.5
+ score KAM_MAILBOX2 6.25
describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
meta KAM_MAILBOX3 (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
describe KAM_MAILBOX3 Enhanced Scoring for Mailbox Quota Phishing
- score KAM_MAILBOX3 2.5
+ score KAM_MAILBOX3 3.75
endif
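Review bot: The three score lines raise KAM_MAILBOX2 from 4.5 to 6.25, so a message hitting three of the sub-rules now crosses the default 5.0 threshold on this rule alone, and when a SENDGRID rule also fires KAM_MAILBOX3 stacks it to 10.0 (11.5 via KAM_MAILBOX); strings such as `virus`, `rejected`, `change password`, `password expir` and `action required` are common in genuine IT notices, so this looks like it needs a tighter FP watch than before. In `__KAM_MAILBOX2`, `manually fi|manually fix` is redundant — `manually fi` already covers `manually fix` — so `manually fi` alone is enough. The `<L1>` tag introduced in `__KAM_MAILBOX1` and `__KAM_MAILBOX2` is only valid if the `replace_tag L1` line from this same commit lands with it. The `ifplugin` that the `endif` closes starts outside the hunk.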
#SHORTERNERS
replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
-replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l)
+replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
+replace_tag L1 (?:l|i)
replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98])
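Review bot: The new `L1` tag is `(?:l|i)` only, while `I1` on the line above now accepts `l` and `1` as well as the Cyrillic, Greek and mathematical-alphanumeric forms, so an obfuscated `fu11` or `a1most` passes the `<L1>` rules that `<I1>` would have caught. If the two tags are meant to be symmetric, `replace_tag L1 (?:l|i|1)` is the minimum change, and a short comment such as `# L1: look-alikes for lowercase l (used by the MAILBOX rules)` would explain why a second tag exists beside I1. Adding `1` to `I1` also means `<I1>` rules now match digits inside otherwise-numeric strings, which is presumably intended but is not recorded anywhere.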
#PAYPAL PHISH
header __KAM_PAYPAL3A From =~ /paypal/i
header __KAM_PAYPAL3B From !~ /paypal.com(\.au)?>?$/i
-header __KAM_PAYPAL3C Subject =~ /your.paypal.account/i
-body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information/i
+header __KAM_PAYPAL3C Subject =~ /your.paypal.account|Invoice PP/i
+body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information|bitcoin/i
meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_PAYPAL3 8.0
score KAM_LASIK 4.5
#FAKE NOTIFIES
-header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
+header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header __KAM_NOTIFY3 From =~ /\.br>/i
#PREV MARK
header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
-header __KAM_MARK2 Subject =~ /[\(\[\<\{](BULK|SPAM)\??[\>\]\)\}]/i
-header __KAM_MARK3 Subject =~ /[\[\<]VIRUS[\>\]]/i
+header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]/i
+header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
meta KAM_MARKADV (__KAM_MARK1 >= 1)
describe KAM_MARKADV Email arrived marked as an Advertisement
score KAM_FACEBOOKMAIL 8.0
#FAKE DHL/FEDEX/ETC
-body __KAM_FAKEDELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping/i
-header __KAM_FAKEDELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation/i
+body __KAM_FAKEDELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address/i
+
+header __KAM_FAKEDELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request/i
#DHL
-body __KAM_FAKEDELIVER3 /DHL/
-header __KAM_FAKEDELIVER4 From !~ /dhl.com/i
+header __KAM_FAKEDELIVER3 From:name =~ /DHL/i
+header __KAM_FAKEDELIVER4 From:addr !~ /dhl.com/i
#FEDEX
rawbody __KAM_FAKEDELIVER5 /Fed ?ex/i
body __KAM_FAKEDELIVER11 /DPD/i
header __KAM_FAKEDELIVER12 From !~ /dpd.com|dpd.co.uk/i
-uri __KAM_FAKEDELIVER13 /cdn.discordapp.com/i
+uri __KAM_FAKEDELIVER13 /(cdn.discordapp.com|wp-conten)/i
meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKEDELIVER13 >= 1) >= 3)
describe KAM_FAKE_DELIVER Fake delivery notifications
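Review bot: `__KAM_FAKEDELIVER4` now checks `From:addr !~ /dhl.com/i`, which is the right header part, but the pattern is still unanchored with an unescaped dot, so any address containing `dhl.com` anywhere — in the local part, or as a leading label of an unrelated domain — satisfies the negative check and switches off the DHL pairing. Anchoring in the way the PayPal rule in this file already does, `header __KAM_FAKEDELIVER4 From:addr !~ /\@(?:[^@]*\.)?dhl\.com$/i`, keeps genuine dhl.com subdomains passing while closing that gap; the DPD check on `__KAM_FAKEDELIVER12` (a context line here) has the same shape. The `wp-conten` alternative added to `__KAM_FAKEDELIVER13` matches any link into a WordPress content path and will be present on a great deal of legitimate mail; it only contributes inside a `>= 1` group, which limits the effect, but a comment noting that breadth would help the next editor.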
#SOLAR POWER
header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
-header __KAM_SOLAR2 Subject =~ /power bill|sells power|electrical bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
-body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies/i
+header __KAM_SOLAR2 Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
+body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe KAM_SOLAR Solar Power Spams
score KAM_SHARKTANK 1.0
describe KAM_SHARKTANK Mentions Shark Tank
-rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|IQ|keto SS/is
+rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
score KAM_SHARKPROD 5.0
score KAM_HOMESALE 3.5
#ADVERTISEMENTS FOR LOANS
-header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$\d+ down loan|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer/i
-header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer/i
-body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems/i
-body __KAM_LOAN4 /development.project|just.been.approved|for.your.business|loan.solution/i
+header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
+header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
+body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif
-meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + __KAM_LOAN4 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
+meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe KAM_LOAN Payday and other loan spams
score KAM_LOAN 4.5
describe KAM_BADPHP Questionable PHP mailer headers
# TINNITUS
-header __KAM_TINNITUS1 From =~ /tinnitus.breakthrough/i
-header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week/i
-body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus/i
+header __KAM_TINNITUS1 From =~ /tinnitus.?(911|breakthrough)/i
+header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic/i
+body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing/i
meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
-score KAM_TINNITUS 3.5
+score KAM_TINNITUS 4.5
# KIWIBANK
header __KAM_KIWIBANK1 From =~ /kiwibank/i
#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
-meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
-meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
endif
#LED/SOLAR LIGHTS
-header __KAM_LED1 Reply-to =~ /huixinsoft\d*\@foxmail.com/i
-body __KAM_LED2 /solar (lighting|led)/i
-body __KAM_LED3 /China aier/i
+header __KAM_LED1 From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun/i
+body __KAM_LED2 /(garage|LED Fan) Light|sun-?like|\dx the brightness/i
+tflags __KAM_LED2 nosubject
+header __KAM_LED3 Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED/i
-meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 2)
-describe KAM_LED Solar LED Lighting Spams
-score KAM_LED 5.5
+meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
+describe KAM_LED LED Lighting Spams
+score KAM_LED 4.5
# REAL ESTATE
header __JMQ_REALESTATE1 From =~ /tom.brice/i
score KAM_RUIN 5.25
describe KAM_RUIN Bank Phishing Scam
-#BANK
+#WEIGHT
body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation/i
header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym/i
body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+/i
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
- body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app/i
+ body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i
#Bitcoin
- body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|remove manually all spaces|contains spaces/i
+ body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i
#Payment
- body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation/i
+ body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i
#Sexually explicit
- body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
+ body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
#TIME
- body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
+ body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
#Subject
- header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward) the video|Read me now|want to read this/i
+ header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
#From
header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i
#FUN SPAM RUN
header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou>?$/i
-header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share/i
+header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater/i
-body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to/i
-body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now/i
+body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
+body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
uri __KAM_FUN3A /imgstore.host/i
#Subject
-header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|cooling costs|time ?share/i
+header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls/i
#How many/How Soon
-body __KAM_FUN5 /\d million americans|less than \d+ (weeks|days|hours)/i
+body __KAM_FUN5 /\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
#miracle!
-body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked/i
+body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown/i
#what
-body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost/i
+body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends/i
tflags __KAM_FUN7 nosubject
meta KAM_FUN ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
-score KAM_FUN 7.5
+score KAM_FUN 7.75
meta KAM_FUN2 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
describe KAM_FUN2 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
#trusted_networks 38.124.232.0/24
# CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
-header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?) (list|information)|install base/i
+header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare/i
#title
-body __KAM_LIST3_2 /list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|(email|attendee)s? list/i
+body __KAM_LIST3_2 /list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?|data) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|(email|attendee)s? list|global leads/i
#db for sale
-body __KAM_LIST3_3 /(information|data) fields|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|count and cost|multichannel marketing|count of email/i
+body __KAM_LIST3_3 /(information|data) field|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following/i
#db what
-body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list/i
+body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|list includes|recently compiled/i
meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
describe KAM_LIST3 Mailing List Purveyor Spam
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# increase number of mime parts checked
olemacro_num_mime 10
- body KAM_OLEMACRO eval:check_olemacro()
- describe KAM_OLEMACRO Attachment has an Office Macro
- score KAM_OLEMACRO 7.5
- body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
- describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
- score KAM_OLEMACRO_MALICE 10.0
+ if (version >= 3.0040005)
+
+ body KAM_OLEMACRO eval:check_olemacro()
+ describe KAM_OLEMACRO Attachment has an Office Macro
+ score KAM_OLEMACRO 7.5
+
+ body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
+ describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
+ score KAM_OLEMACRO_MALICE 10.0
- body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
- describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
- score KAM_OLEMACRO_ENCRYPTED 3.0
+ body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
+ describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
+ score KAM_OLEMACRO_ENCRYPTED 3.0
- #This may cause more CPU usage
- olemacro_extended_scan 1
- body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
- describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
- score KAM_OLEMACRO_RENAME 0.5
+ #This may cause more CPU usage
+ olemacro_extended_scan 1
+ body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
+ describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
+ score KAM_OLEMACRO_RENAME 0.5
- meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
- describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
- score GB_OLEMACRO_REN_VIR 10
+ meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
+ describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
+ score GB_OLEMACRO_REN_VIR 10
+
+ endif
body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
describe KAM_OLEMACRO_CSV Macro in csv file
score KAM_OLEMACRO_CSV 5.0
+
+ #meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
+ #describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
+ #score KAM_OLEMACRO_ZIP_PW_NOMID 5.0
+
+ meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
+ describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
+ score KAM_OLEMACRO_ZIP_BOT 5.0
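Review bot: The version constant on the new `if (version >= 3.0040005)` line has seven fractional digits, while SpamAssassin encodes versions as X.YYYZZZ (3.4.5 is `3.004005`); as written the guard evaluates as a number slightly above 3.004000, so it admits 3.4.1 through 3.4.4 as well. If the intent is to require 3.4.5, the line should read `if (version >= 3.004005)`. The eval rules left outside the guard (KAM_OLEMACRO_ZIP_PW, KAM_OLEMACRO_CSV) would still fail lint on any release whose plugin lacks those eval functions, so it is worth confirming which version introduced them. No `score` line for KAM_OLEMACRO_ZIP_PW is visible in this hunk; if none exists elsewhere it takes the default of 1.0, which may be intended but deserves a comment.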
endif
#Testing Rule for Subject Prefixes - See note 58397
header __KAM_EDU_FROM From:addr =~ /\.edu$/i
-header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card/i
+header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
header __KAM_SENDGRID4 From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
meta KAM_SENDGRID2 ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
score KAM_SENDGRID2 2.0
#Political Spam
-header __KAM_2020_1 Subject =~ /Re-?elect Trump|election t-?shirt|ginsburg shirt/i
-body __KAM_2020_2 /T-?shirt|printed in the US/i
+header __KAM_2020_1 Subject =~ /Re-?elect Trump|(science|funny|election|christmas|personalized|mission) (t|tee)( |-)?shirt|ginsburg shirt|officially licensed/i
+body __KAM_2020_2 /T-?shirt|printed in the US|stink stank stunk|officially licensed|star wars/i
tflags __KAM_2020_2 nosubject
meta KAM_2020 (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
-describe KAM_2020 2020 Political Spams - Vote KAM for 2020 - donate today at www.mcgrail.com
+describe KAM_2020 2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
score KAM_2020 7.0
-#WeTransfer Spam
-#header __FROM_NAME_WETRANSFER From:name =~ /WeTransfer/i
-#header __SUBJ_WETRANSFER Subject =~ /WeTransfer Files/i
-#meta GB_WETRANSFER_HTM ( T_HTML_ATTACH && (__SUBJ_WETRANSFER + __FROM_NAME_WETRANSFER >= 1) )
-#describe GB_WETRANSFER_HTM WeTransfer html attachment
-#score GB_WETRANSFER_HTM 3.0
+#WeTransfer Spam
+uri __KAM_WETRANSFER1 /wetransferfiledownload|\?email=|redirecturl/i
+header __KAM_WETRANSFER2 From:name =~ /WeTransfer/i
+header __KAM_WETRANSFER3 From:addr !~ /wetransfer\.com/i
+header __KAM_WETRANSFER4 Subject =~ /via WeTransfer/i
+
+meta KAM_WETRANSFER (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
+score KAM_WETRANSFER 6.0
+describe KAM_WETRANSFER WeTransfer Impersonators
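Review bot: `__KAM_WETRANSFER3` on the `From:addr !~ /wetransfer\.com/i` line is an unanchored substring test, so any sender address that merely contains `wetransfer.com` (a longer domain, a subdomain, or the local part) clears this negative subrule even though it is not the genuine domain. Because KAM_WETRANSFER requires all four components (`>= 4` over four terms), one miss on this subrule suppresses the whole rule. Anchoring it, `header __KAM_WETRANSFER3 From:addr !~ /\@wetransfer\.com$/i`, limits the exemption to the legitimate domain; a comment such as `# exempt only mail actually sent from wetransfer.com` would make the negative match's purpose clear to the next editor.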
#Grey Eagle
header __KAM_GREYEAGLE_1 From =~ /greyeagle|funding|capital|banking|lending/i
score KAM_CBD 4.5
#COVID SCAMS
-body __KAM_COVID1 /International Monetary fund|world health organization/i
-header __KAM_COVID2 Subject =~ /COVID.{0,12}payment|support/i
-body __KAM_COVID3 /COVID.{0,12}payment|W\.?H\.?O\.? trust.?fund/i
+body __KAM_COVID1 /International Monetary fund|world health organization|empowerment fund/i
+header __KAM_COVID2 Subject =~ /COVID?.{0,12}(payment|fund)/i
+body __KAM_COVID3 /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
tflags __KAM_COVID3 nosubject
header __KAM_COVID4 From =~ /COVID|world ?Health|WHO/i
body __KAM_COVID5 /00 ?(EUR|USD|Dollar)/i
-meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 5)
+meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
describe KAM_COVID Scams revolving around the pandemic
-score KAM_COVID 7.5
+score KAM_COVID 6.0
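Review bot: On the `__KAM_COVID2` Subject line the `?` in `COVID?.{0,12}(payment|fund)` makes only the final D optional, so the subrule also fires on `COVI` followed by up to twelve characters before `payment` or `fund` (a subject mentioning Covington and a fund, for instance), which looks unintended next to `__KAM_COVID3`'s `COVID.{0,12}`. If the goal was to tolerate `COVID-19` spellings, `COVID(-?19)?.{0,12}(payment|fund)` states that explicitly; otherwise dropping the `?` brings it in line with the sibling rule. Since the same hunk lowers the meta threshold to `>= 4` and the score to 6.0, the rule is now easier to trigger, so an FP check on the optional-D form is worthwhile.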
#COVID SCAMS
body __KAM_COVID2_1 /COVID-19 (CHARITY )?(fund|donated relief)/i
score KAM_COVID3 7.5
#VOICEMAIL SCAM
-uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|\/api\/v1\/click\|\.sharepoint\.com\/personal\//i
+uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com/i
header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File/i
body __KAM_VM3 /(Voice ?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail)/i
tflags __KAM_VM3 nosubject
#BENEFICIARY
replace_rules __KAM_BENEFICIARY2
-header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$/i
+header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment/i
#what
-body __KAM_BENEFICIARY2 /(consignment|fund|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|similar surname|investment manager)|level of maturity|important project/i
+body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
tflags __KAM_BENEFICIARY2 nosubject
#bus
-body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money/i
+body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country/i
#where
-body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan)/i
+body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
#how much
-body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business/i
+body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy/i
#sob
-body __KAM_BENEFICIARY6 /(deceased|late) (husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile/i
+body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete/i
meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
describe KAM_BENEFICIARY Beneficiary scams
score KAM_BENEFICIARY 10.5
-meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY
+meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
score KAM_BENEFICIARYLOW 6.0
+#NPO
+body __KAM_NPO1 /501\(?c\)?\(?3\)?|501 c 3/i
+
#BENEFICIARY
meta KAM_BENEFICIARY2 (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
#BEAL AND SIMILAR IMPERSONATOR
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
- header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob) Beal|(James|Jim) Hoffman|Kevin (A\.)? Mc ?Grail|Chad Coney|Frederic Beuter/i
+ header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman|janet smith/i
#header __KAM_BEAL2 From:addr =~ /\@gmail\.com|\@mail\.ru/i
- body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\.)? Mc ?Grail|Frederic Beuter/i
- body __KAM_BEAL4 /(reply with|forward) your (Cell|Mobile)|task quickly|urgent task|quick errand|make (some|a) purchase|reimburse you/i
+ body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman|Janet Smith/i
+ body __KAM_BEAL4 /(reply with|forward|send me|let me have) your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out) ASAP|available at the moment|(desk|moment) right now/i
+ body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2/i
- meta KAM_BEAL ((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + FREEMAIL_FROM + __KAM_BEAL4 >= 3)
+ meta KAM_BEAL ((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + (SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
describe KAM_BEAL IMPOSTER! Will the real slim shady, please stand up?
- score KAM_BEAL 9.0
+ score KAM_BEAL 11.0
endif
#PROJECT
#FAKESHAREPOINT
-header __KAM_FAKESHAREPOINT1 Subject =~ /by Sharepoint/i
-header __KAM_FAKESHAREPOINT2 From =~ /sharepoint/i
+header __KAM_FAKESHAREPOINT1 Subject =~ /by Sharepoint|payment reminder|shared|Request for Quot/i
+header __KAM_FAKESHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
+uri __KAM_FAKESHAREPOINT3 /my\.sharepoint\.com|appdomain\.cloud/i
+body __KAM_FAKESHAREPOINT4 /Sharepoint Fileshare/i
+mimeheader __KAM_FAKESHAREPOINT5 Content-Type =~ /.html?\"?$/i
+
-meta KAM_FAKESHAREPOINT (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + KAM_STORAGE_GOOGLE >= 3)
-describe KAM_FAKESHAREPOINT Fake Sharepoint Phish
-score KAM_FAKESHAREPOINT 3.0
+meta KAM_FAKESHAREPOINT (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + (__KAM_FAKESHAREPOINT3 + KAM_STORAGE_GOOGLE + __KAM_FAKESHAREPOINT4 >= 1) + __KAM_FAKESHAREPOINT5 >= 3)
+describe KAM_FAKESHAREPOINT Fake Sharepoint Phish
+score KAM_FAKESHAREPOINT 4.0
#ENCRYPTED ZIP
body __KAM_BADZIP1 /attached (to email|document)|take a look/i
score KAM_VERIZON 9.5
#Docusign SCAM
-header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign signature service/i
+header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service/i
header __KAM_DOCUSIGN2 From:name =~ /docusign/i
header __KAM_DOCUSIGN3 From:addr !~ /docusign/i
score KAM_IMAGEONLY 0.75
#HOLIDAY 2020 GIFTS
-header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this) rug|canvas print|get your ornament/i
-body __KAM_HOLIDAY2020_2 /(illusional|Vortex) Rug|wireless earbuds|canvas print|get your ornament|holiday novelty/i
+header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
+body __KAM_HOLIDAY2020_2 /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
tflags __KAM_HOLIDAY2020_2 nosubject
+header __KAM_HOLIDAY2020_3 From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i
-meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 >= 2)
+meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
describe KAM_HOLIDAY2020 Holiday Gifts 2020 Spam
score KAM_HOLIDAY2020 4.0
#GOOGLE FORM
uri __KAM_GOOGLEFORM_1 /docs\.google\.com\/forms\//i
-body __KAM_GOOGLEFORM_2 /Untitled Form|Formulaire sans titre/i
+body __KAM_GOOGLEFORM_2 /Untitled|Formulaire sans titre/i
+body __KAM_GOOGLEFORM_3 /foundation is donating/i
-meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 + __KAM_GOOGLEFORM_2 >= 2)
-describe KAM_GOOGLEFORM Untitled Google Form
-score KAM_GOOGLEFORM 2.0
+meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
+describe KAM_GOOGLEFORM Untitled or Spam Google Form
+score KAM_GOOGLEFORM 4.0
+
+header __GB_RETPATH_GOOG_TRIX Return-Path =~ /\@trix\.bounces\.google\.com/
+
+meta GB_RETPATH_GOOG_TRIX __GB_RETPATH_GOOG_TRIX
+describe GB_RETPATH_GOOG_TRIX Email from Google subdomain being abused by spammers
+score GB_RETPATH_GOOG_TRIX 2.00
#BENEFICIARY FAKE FORM
-meta KAM_FAKEFORM (LOTS_OF_MONEY + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + __KAM_GOOGLEFORM_1 >= 2)
+body __KAM_DISCLOSE1 /enable me disclose|indicate your? interest|something important/i
+
+meta KAM_FAKEFORM ((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
describe KAM_FAKEFORM Fake Form for Scams
score KAM_FAKEFORM 4.0
#2ND AMMENDMENT
-body __KAM_2ND_1 /police can no longer be trusted/i
-body __KAM_2ND_2 /2nd am?mendment/i
-header __KAM_2ND_3 From =~ /2nd amm?endment/i
+body __KAM_2ND_1 /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
+body __KAM_2ND_2 /2nd am?mendment|concealed carry|right to carry/i
+header __KAM_2ND_3 From =~ /2nd amm?endment|Concealed/i
-meta KAM_2ND (__KAM_FUN1 + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 4)
-describe KAM_2ND Political Spam
-score KAM_2ND 6.0
+meta KAM_2ND ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
+describe KAM_2ND Political / 2nd Ammendement Spam
+score KAM_2ND 4.5
#SPAM DU JOUR - MASKS
-body __KAM_KN_1 /KN95 (Face )?Mask/i
+body __KAM_KN_1 /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
tflags __KAM_KN_1 nosubject
-body __KAM_KN_2 /get your|for the public/i
+body __KAM_KN_2 /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
tflags __KAM_KN_2 nosubject
-header __KAM_KN_3 Subject =~ /KN95 (Official |Face )?Mask/i
-header __KAM_KN_4 From =~ /KN95|Mask Special/i
+header __KAM_KN_3 Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
+header __KAM_KN_4 From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i
meta KAM_KN (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
describe KAM_KN Spam Du Jour for Masks
-score KAM_KN 3.0
+score KAM_KN 4.5
#SPAM DU JOUR - BAD CREDIT
body __KAM_BADCRED_1 /bad credit/i
#SPAM DU JOUR - SPO2
replace_rules __KAM_SPO2_2 __KAM_SPO2_3
-body __KAM_SPO2_1 /pulse oximeter/i
+body __KAM_SPO2_1 /pulse oximeter|touchless thermometer/i
body __KAM_SPO2_2 /C<O1>VID/i
tflags __KAM_SPO2_2 nosubject
-header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)/i
-header __KAM_SPO2_4 From =~ /health/i
+header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
+header __KAM_SPO2_4 From =~ /health|infrared|oximeter|Painless/i
meta KAM_SPO2 (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
describe KAM_SPO2 COVID Spams
describe KAM_VEST Spam Du Jour for Vests
score KAM_VEST 4.5
-
#FAKE CVS
header __KAM_CVS1 From =~ /CVS Pharm/i
header __KAM_CVS1A From:addr !~ /\@cvs.com/i
meta KAM_CVS ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
describe KAM_CVS Fake CVS Spams
score KAM_CVS 6.0
+
+#HACKED EXPLOIT
+body __KAM_HACK1 /(phone|electronic|computer) have been hacked|suspected online scam/i
+body __KAM_HACK2 /read attached|click here for verification/i
+body __KAM_HACK3 /save yourself|lead to your arrest/i
+header __KAM_HACK4 From:name =~ /justice dep/i
+
+meta KAM_HACK (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
+describe KAM_HACK Hacker Exploitation Email
+score KAM_HACK 4.5
+
+#FAKE INVOICES
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+header __KAM_FAKEINV2_1 Subject =~ /lnv (remittance|\& check)/i
+body __KAM_FAKEINV2_2 /(find|see) (the )?attach/i
+body __KAM_FAKEINV2_3 /not mail the check|typeform\.com/i
+mimeheader __KAM_FAKEINV2_4 Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i
+
+meta KAM_FAKEINV2 (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
+describe KAM_FAKEINV2 Fake Invoice Scams
+score KAM_FAKEINV2 6.0
+
+endif
+
+#FAKE ADS
+header __KAM_FAKEAD1 Subject =~ /brand medication|stubborn fat/i
+body __KAM_FAKEAD2 /click here to UNSUBSCRIBE|start shopping|here\'s how/i
+uri __KAM_FAKEAD3 /\/bit\.ly/i
+body __KAM_FAKEAD4 /Sweet passion|no plastic surgery/i
+
+meta KAM_FAKEAD (__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
+describe KAM_FAKEAD Fake Advertisements
+score KAM_FAKEAD 6.0
+
+#FAKE REGISTRY SCAMS
+body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
+uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i
+
+meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
+describe KAM_FAKE_REGISTRY Fake Domain Registry Scammers trying to get you to buy unneeded domains
+score KAM_FAKE_REGISTRY 5.0
+
+#FAKE Fax
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
+endif
+body __KAM_FAKE_FAX2 /incoming fax|fax received/i
+header __KAM_FAKE_FAX3 Subject =~ /Fax/i
+body __KAM_FAKE_FAX4 /invoice/i
+
+meta KAM_FAKE_FAX (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
+describe KAM_FAKE_FAX Fake Fax Scam
+score KAM_FAKE_FAX 8.0
+
+#FAKE TRUST
+body __KAM_FAKE_TRUST1 /Message is from a .{0,40}trusted source/i
+
+meta KAM_FAKE_TRUST (__KAM_FAKE_TRUST1 >= 1 )
+describe KAM_FAKE_TRUST Scams about trusted sources
+score KAM_FAKE_TRUST 3.5
+
+#FAKE INVOICE
+header __KAM_FAKE_INVOICE1 Subject =~ /payment advice/i
+body __KAM_FAKE_INVOICE2 /Payment advice/i
+
+meta KAM_FAKE_INVOICE (T_HTML_ATTACH + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
+describe KAM_FAKE_INVOICE Fake Invoice Scam
+score KAM_FAKE_INVOICE 6.0
+
+#BAD PRODUCTS
+header __KAM_BAD_PRODUCT1 Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
+body __KAM_BAD_PRODUCT2 /Dolphin sealer|hotstreak plug|Rapid thaw tray/i
+
+meta KAM_BAD_PRODUCT (__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
+describe KAM_BAD_PRODUCT Spammy Products
+score KAM_BAD_PRODUCT 3.0
+
+#BAD LINK
+uri __KAM_BAD_LINK1 /\.pdf\.iso$/i
+
+meta KAM_BAD_LINK (__KAM_BAD_LINK1 >= 1)
+describe KAM_BAD_LINK Potentially dangerous link in email
+score KAM_BAD_LINK 10.0
+
+#BAD CITIZENS
+header __KAM_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
+body __KAM_CITIZEN2 /Important (message|Notice) From Citizens/i
+uri __KAM_CITIZEN3 /phpmailer|wp-admin|.well-known/i
+header __KAM_CITIZEN4 From:name =~ /Citizens ?Bank/i
+header __KAM_CITIZEN5 From:addr !~ /citizen/i
+
+meta KAM_CITIZEN (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
+describe KAM_CITIZEN Fake Bank Alert Scam
+score KAM_CITIZEN 7.5
+
+#BAD PRODUCTS
+header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger/i
+body __KAM_PRODUCT2_2 /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen (device|gadget)|Better Butter|savage.?grow/i
+header __KAM_PRODUCT2_3 From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow/i
+
+meta KAM_PRODUCT2 ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
+describe KAM_PRODUCT2 Scammy Products prevalent in spam
+score KAM_PRODUCT2 4.5
+
+#BAD_PDF_LINK
+#uri_detail KAM_PDF_FAKE text =~ /\.PDF/i cleaned =~ /\.github.io\//i
+#describe KAM_PDF_FAKE Links to Fake PDFs
+#score KAM_PDF_FAKE 5.0
+
+#SCAM INQUIRY
+#what
+body __KAM_INQUIRY_1 /inquiry for purchase|product catalog|price list|reply with catalog/i
+#subj
+header __KAM_INQUIRY_2 Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
+#oddities
+body __KAM_INQUIRY_3 /terms? (\&|and) conditions?|rightful dep/i
+#Forwarder
+body __KAM_INQUIRY_4 /certificate of origin|import\export|trading company/i
+
+meta KAM_INQUIRY (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
+describe KAM_INQUIRY Product Inquiry Scams
+score KAM_INQUIRY 7.0
+
+#FROM NAME SPAM
+header __KAM_FROM_NAME_FAKERBL From:name =~ /Savagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady.com|Betterbutterspreader.com/i
+
+meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1)
+describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
+score KAM_FROM_NAME_FAKERBL 6.0
+
# EOF
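Review bot: The middle alternative of `body __KAM_INQUIRY_4 /certificate of origin|import\export|trading company/i` can never match ordinary mail text, because in Perl regex syntax `\e` is the ESC control character (0x1B), so `import\export` looks for "import", an escape byte, then "xport" rather than the slash the phrase "import/export" implies. The intended form is presumably `import\/export` (or `import[\/\\]export` if a backslash spelling was also wanted), which would let the fourth sub-rule actually contribute to the `KAM_INQUIRY` threshold of 4. In the same hunk, `uri __KAM_CITIZEN3 /phpmailer|wp-admin|.well-known/i` and the last two alternatives of `__KAM_FROM_NAME_FAKERBL` (`MeetAsianLady.com|Betterbutterspreader.com`) leave the dot unescaped so it matches any character, unlike the escaped `\.com` alternatives beside them; `\.well-known`, `MeetAsianLady\.com` and `Betterbutterspreader\.com` keep them as tight as their neighbours. `KAM_FAKE_FAX` and `KAM_FAKE_INVOICE` also depend on `T_HTML_ATTACH`, which by its prefix appears to be a test rule from the stock ruleset; if that rule is renamed or dropped upstream these metas would silently lose a point, so a short comment noting that dependency next to each meta would help whoever maintains the thresholds.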