update KAM.cf
authorThomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 4 Jun 2019 16:13:17 +0000 (18:13 +0200)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 4 Jun 2019 16:13:17 +0000 (18:13 +0200)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
KAM.cf

diff --git a/KAM.cf b/KAM.cf
index a67541cbee262caae2f1b031d1b5e0e8e7e301aa..fae0d89180a0f298d1dbb75abb758e74f96b0dec 100644 (file)
--- a/KAM.cf
+++ b/KAM.cf
@@ -1,6 +1,6 @@
 #KAM.cf - SpamAssassin Rules
 
-#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmnn,
+#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
 #        & Bill Cole
 
 #Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
@@ -55,7 +55,7 @@
 #https://raptor.pccc.com/free_spam_consultation.cgim
 
 #
-#Copyright (c) 2018 Kevin A. McGrail and the McGrail Foundation
+#Copyright (c) 2019 Kevin A. McGrail and the McGrail Foundation
 #
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -91,7 +91,7 @@ body            __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activ
 body            __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i
 
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader    __KAM_PHISH4_4 Content-Type =~ /(verification|information|form).htm/i
+  mimeheader    __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
 endif
 
 meta            KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
@@ -1440,8 +1440,11 @@ body             __KAM_PHISH2_7  /extra security check|security.tip/i
 
 describe       KAM_PHISH2      Prevalent Phishing Scam emails
 score          KAM_PHISH2      2.0
-meta           KAM_PHISH2      (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
-
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  meta         KAM_PHISH2      (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
+else
+  meta         KAM_PHISH2      (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
+endif
 
 #CRAZY HEX EMPTY MESSAGE
 body           __KAM_HEX1      /^[a-f0-9]{8}(\b|$)/i
@@ -2602,7 +2605,7 @@ score             KAM_SHORT       0.001
 describe       KAM_SHORT       Use of a URL Shortener for very short URL
 
 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
-uri            __KAM_SHORT     /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly)\/[^\/]{3}\/?/
+uri            __KAM_SHORT     /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it)\/[^\/]{3}\/?/
 
 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
 uri             __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
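Review bot: The `__KAM_SHORT` pattern still opens with `^http:\/\/`, so the newly added `justpaste\.it` and every other host in the list are counted only when the link is plain HTTP; the same link written as `https://` is missed. This commit widens `KAM_EU` to `https?` and the neighbouring `__KAM_TINYDOMAIN` already uses `https?:\/\/`, so the opening here could become `^https?:\/\/(?:` for consistency. Separately, the tail `[^\/]{3}\/?` has no end anchor, so it accepts any first path segment of three or more characters rather than only very short ones; worth confirming that is intended for a rule described as "very short URL".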
@@ -2697,7 +2700,7 @@ describe  KAM_PRIV        Private Messages using Exploits in attached HTML files
 score          KAM_PRIV        5.0
 
 #DIV
-rawbody                __KAM_DIV1      /Viagr?|Cial?<div/i
+rawbody                __KAM_DIV1      /(Viagr?|Cial?)<div/i
 rawbody                __KAM_DIV2      /<\/div>r?a\|l?is/i
 
 meta           KAM_DIV         (__KAM_DIV1 + __KAM_DIV2 >= 2)
@@ -2714,15 +2717,19 @@ header          __KAM_CREDIT5   From =~ /Credit|score|bureau|finance|report|advisory/i
 #EXPERIMENTAL UTF-8
 # SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 &  Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
 
+#Useful Resources for Tags
 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
+#https://www.branah.com/unicode-converter
+
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
 replace_tag     A       (?:[\xd0][\xb0]|a)
 replace_tag     C       (?:[\xd0][\xa1]|c|[\xd1][\x81])
 replace_tag     E       (?:[\xd0][\xb5]|e)
 replace_tag     I       (?:[\xd1][\x96]|i)
+replace_tag    M       (?:[\xca][\x8d]|m)
 replace_tag     O       (?:[\xd0][\xbe]|o)
-replace_tag    P       (?:[\xd1][\x80]|p)
+replace_tag    P       (?:[\xd1][\x80]|p|[\xc7][\xb7])
 replace_tag     S       (?:[\xd0][\x85]|s)
 
 header          __KAM_CREDIT6   Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
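Review bot: The two new byte sequences are not identified anywhere, which makes the look-alike set hard to audit. Decoded as UTF-8, `[\xca][\x8d]` is U+028D (LATIN SMALL LETTER TURNED W) and `[\xc7][\xb7]` is U+01F7 (LATIN CAPITAL LETTER WYNN); a trailing comment on each line, for example `# U+028D turned w, used as an m look-alike`, would record that. Also, the `__KAM_CRIM5` and `__KAM_CRIM6` patterns elsewhere in this commit use a `<U>` tag, and no `replace_tag U` appears in the part of the block visible in this hunk; if it is not defined further down, those `<U>` sequences stay literal and the alternatives containing them never match. The `ifplugin` block continues past the end of the hunk.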
@@ -2736,9 +2743,11 @@ meta            KAM_CREDIT      (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 +
 describe        KAM_CREDIT      Credit Score Spams
 score           KAM_CREDIT      4.5
 
-meta           KAM_CREDIT2     (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
-describe       KAM_CREDIT2     Credit Score Spams
-score          KAM_CREDIT2     4.5
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  meta         KAM_CREDIT2     (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
+  describe     KAM_CREDIT2     Credit Score Spams
+  score                KAM_CREDIT2     4.5
+endif
 
 #OBFUSCATED URI
 rawbody         KAM_OBFURI      /http:\/\/.{2,30}\.c=E2=93=9Em?/
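Review bot: `KAM_CREDIT2` gets no `else` branch, so an installation without the KAMOnly plugin silently loses the rule, whereas `KAM_PHISH2` and the two DNSWL metas in this commit keep a fallback that only drops the PCCC terms. The same applies to `KAM_COLLEGE`, and to `KAM_BBB`, `KAM_VOICEMAIL` and `KAM_AMAZON`, although those three include `KAM_RAPTOR`, which may be the reason. If the removal is deliberate, a comment above the `ifplugin`, such as `# needs __KAM_URIBL_PCCC / KAM_INFOUSMEBIZ, no useful fallback without KAMOnly`, would make the coverage gap explicit. Otherwise an `else` branch with the unavailable terms removed would keep the detection for everyone else.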
@@ -2962,9 +2971,11 @@ header          __KAM_COLLEGE1   From =~ /degree|doctorate|online/i
 header          __KAM_COLLEGE2   Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
 rawbody         __KAM_COLLEGE3   /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
 
-meta            KAM_COLLEGE      (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
-describe        KAM_COLLEGE      Online Degree/Aid Spams
-score           KAM_COLLEGE      4.0
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  meta            KAM_COLLEGE      (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
+  describe        KAM_COLLEGE      Online Degree/Aid Spams
+  score           KAM_COLLEGE      4.0
+endif
 
 #SURVEY
 header         __KAM_SURVEY1   From =~ /Survey|safecount|privacy/i
@@ -3028,16 +3039,18 @@ meta            KAM_ANATA       (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
 describe       KAM_ANATA       Drug Spam
 score          KAM_ANATA       4.5
 
-#BBB Phish
-header         __KAM_BBB1      From =~ /bbb.org/i
-body           __KAM_BBB2      /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
-body           __KAM_BBB3      /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
-body           __KAM_BBB4      /about your *(?:glance|belief|judgment)/i
-header         __KAM_BBB5      Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
-
-meta           KAM_BBB         (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
-describe       KAM_BBB         Better Business Bureau Phishing
-score          KAM_BBB         5.0
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  #BBB Phish
+  header               __KAM_BBB1      From =~ /bbb.org/i
+  body         __KAM_BBB2      /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
+  body         __KAM_BBB3      /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
+  body         __KAM_BBB4      /about your *(?:glance|belief|judgment)/i
+  header               __KAM_BBB5      Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
+
+  meta         KAM_BBB         (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
+  describe     KAM_BBB         Better Business Bureau Phishing
+  score                KAM_BBB         5.0
+endif
 
 #PREV MARK
 header         __KAM_MARK1     Subject =~ /[\[\<]ADV[\>\]]/i
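Review bot: `__KAM_BBB1` is re-added as `From =~ /bbb.org/i` with the dot unescaped, so it matches any character in that position (for example `bbb-org` or `bbbXorg` in a display name). This commit already escapes the dot in `__KAM_PHISH4_4` and `__KAM_AMAZON1` uses `amazon\.com`, so the line could read `header __KAM_BBB1 From =~ /bbb\.org/i`. The impact is limited because `KAM_BBB` needs four subrules, but the stricter form costs nothing.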
@@ -3429,13 +3442,13 @@ score           KAM_PEST    3.5
 
 
 #PROPHET
-header          __KAM_PROPHET1 Subject =~ /beezelbub|communique/i
-header          __KAM_PROPHET2 From =~ /christian.*prophe/i
+header          __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
+header          __KAM_PROPHET2 From =~ /christian.*prophe|twintongues/i
 body            __KAM_PROPHET3 /Dear Christian Friend/i
-body           __KAM_PROPHET4 /Christian Media Ministry/i
-body           __KAM_PROPHET5 /prophecy article|rapture/i
+body           __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
+body           __KAM_PROPHET5 /prophecy|rapture/i
 
-meta            KAM_PROPHET    (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4) 
+meta           KAM_PROPHET    (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
 describe        KAM_PROPHET    Spam for Prophecy 
 score           KAM_PROPHET    6.0
 
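Review bot: The broadened subrules now overlap on the same tokens, which weakens the `>= 4` threshold on a rule scored 6.0. `prophecy` is matched by both `__KAM_PROPHET1` (Subject) and `__KAM_PROPHET5` (body), and `Christian Media` by both `__KAM_PROPHET1` and `__KAM_PROPHET4`; as far as I know SpamAssassin includes the Subject in the text that `body` rules see, so a single subject line can satisfy three of the five subrules on its own. If that is acceptable for this campaign, a short comment saying so would help. Otherwise keeping `__KAM_PROPHET5` at the narrower `prophecy article|rapture` would preserve independence between the signals.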
@@ -3642,14 +3655,16 @@ meta     KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOG
 describe KAM_NUMEROLOGY Pseudo-scientific spam
 score    KAM_NUMEROLOGY 3.5
 
-#VOICEMAIL SPAM
-header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
-header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
-body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
-
-meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
-describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
-score    KAM_VOICEMAIL 5.0
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  #VOICEMAIL SPAM
+  header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
+  header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
+  body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
+
+  meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
+  describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
+  score    KAM_VOICEMAIL 5.0
+endif
 
 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
 header   __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
@@ -4034,7 +4049,7 @@ describe KAM_WRITING Spam for writing lessons
 score    KAM_WRITING 3.5
 
 #RASH OF .EU EXPLOITS
-rawbody         KAM_EU /http:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
+rawbody         KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
 score           KAM_EU 0.50
 describe        KAM_EU Prevalent use of .eu in spam/malware
 
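Review bot: `KAM_EU` is not restricted to the host part of the URL, because `.{4,30}` also matches `/`, so a link such as `http://example.com/a.eu` (constructed example) hits a rule described as ".eu in spam/malware". Replacing the wildcard with `[^\/\s]{4,30}` would keep the match inside the hostname. The dot in `(?:www.)?` is also unescaped and could be `(?:www\.)?`.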
@@ -4526,12 +4541,14 @@ meta     KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
 describe KAM_TOLL Spam for road tolls
 score    KAM_TOLL 8.0
 
-#KAM_AMAZON
-header   __KAM_AMAZON1 From =~ /amazon\.com/i
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  #KAM_AMAZON
+  header   __KAM_AMAZON1 From =~ /amazon\.com/i
 
-meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
-score    KAM_AMAZON 4.5
-describe KAM_AMAZON Fake Amazon email with malware
+  meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
+  score    KAM_AMAZON 4.5
+  describe KAM_AMAZON Fake Amazon email with malware
+endif
 
 # LANDSCAPING
 header   __KAM_LANDSCAPE1 From =~ /landscaping/i
@@ -5064,9 +5081,25 @@ describe KAM_DRIVE Spam for ordering office equipment
 #endif 
 
 #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
-meta    KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
-score   KAM_BAD_DNSWL  7.0
-describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  meta          KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+  score         KAM_QUITE_BAD_DNSWL    3.25
+  describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+else
+  meta          KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+  score         KAM_QUITE_BAD_DNSWL    3.25
+  describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  meta          KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+  score         KAM_BAD_DNSWL  7.0
+  describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+else
+  meta          KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+  score         KAM_BAD_DNSWL  7.0
+  describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+endif
 
 # HEARING LOSS
 header   __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
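Review bot: `KAM_QUITE_BAD_DNSWL` and `KAM_BAD_DNSWL` differ only in the whitelist threshold (`>= 1` versus `>= 2`), so any message that hits `KAM_BAD_DNSWL` also hits `KAM_QUITE_BAD_DNSWL` and receives 3.25 + 7.0. If the stacking is not intended, the lower tier could end with `&& !KAM_BAD_DNSWL`. If it is intended, that deserves a comment. Both rules also carry the identical `describe` text, so reports cannot distinguish them; something like `describe KAM_QUITE_BAD_DNSWL Blocklisted sender also on one of DNSWL HI / HostKarma W` would help. The `else` branches keep `KAM_MESSAGE_EMAILBL_PCCC` while dropping `__KAM_URIBL_PCCC`; whether the former is available without KAMOnly is not visible here and is worth checking.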
@@ -5557,21 +5590,29 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
 replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6
 
-body           __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life/i
+body           __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|cameras? and a mic|I am a hacker/i
   #Different encodings
-body           __KAM_CRIM2     /(bit<C><O><I>n|BTC)/
-body           __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number/i
-body           __KAM_CRIM4     /erotica|<P>orn|promising evidence|video|masturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen/i
+body           __KAM_CRIM2     /(bit<C><O><I>n|BTC)/i
+body           __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network/i
+body           __KAM_CRIM4     /erotica|<P>orn|promising evidence|video|masturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana/i
 endif
 
-body           __KAM_CRIM5     /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz/i
-header         __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|masturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news/i
+body           __KAM_CRIM5     /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz|deadline|hours only to send the fund/i
+header         __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news|central intelligence|pervert/i
 
 
 meta           KAM_CRIM        (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
 describe       KAM_CRIM        Extortion Email
 score          KAM_CRIM        7.5
 
+#KAM_CRIM_V2
+body           __KAM_CRIM2_1   /bit.{0,2}coin/i
+body           __KAM_CRIM2_2   /address\:/i
+body           __KAM_CRIM2_3   /adult.{0,2}video|sex.{0,2}sites/is
+
+meta           KAM_CRIM2       (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
+describe       KAM_CRIM2       Extortion Email
+score          KAM_CRIM2       7.5
 #ZWNJ
 #ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
 # Also want to look at Unicode U+200C. 
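Review bot: In `__KAM_CRIM6` the plain alternative `masturbat` is replaced by `<M>asturbat`, but this rule and `__KAM_CRIM5` sit after the `endif` of the ReplaceTags block. Without that plugin the tag is never expanded and the previously working plain match is lost; keeping both forms, `masturbat|<M>asturbat`, avoids that regression. The additions `banana` (`__KAM_CRIM4`, next to the existing bare `video`) and `deadline` (`__KAM_CRIM5`) are very common words and make two of the four subrules needed for a 7.5 score easy to hit on ordinary mail. The new `KAM_CRIM2` meta is also easy to confuse with the existing `__KAM_CRIM2` subrule of `KAM_CRIM`, so a distinct name or a comment would help readers. The ZWNJ comment block continues past the end of the hunk.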
@@ -5579,7 +5620,7 @@ score             KAM_CRIM        7.5
 # Switch rawbody check to Mail::SpamAssassin::Plugin::MIMEHeader
 
 # Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
-rawbody                __KAM_ZWNJ1     /Content\-Type.*charset.*windows\-1256/i
+rawbody                __KAM_ZWNJ1     /Content\-Type.{1,1000}charset.{1,1000}windows\-1256/i
 body           __KAM_ZWNJ2     /(?:\x9D|\xe2\x80\x8c)/ 
 tflags         __KAM_ZWNJ2     multiple maxhits=16
 
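Review bot: The reason for replacing `.*` with `.{1,1000}` in `__KAM_ZWNJ1` is not recorded, and it looks like a backtracking cap; a comment such as `# bounded instead of .* to limit regex backtracking on long raw lines` would stop a later edit from reverting it. Two adjacent `.{1,1000}` ranges still allow a large number of attempts on a line that contains `Content-Type` but no `windows-1256`. A tighter bound such as `.{1,200}` would probably cover real headers, if that matches what has been seen in samples.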
@@ -5658,6 +5699,17 @@ meta      SCC_20_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 20
 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words 
 meta    SCC_35_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 35
 
+# A pattern seen in subscription-bombings
+describe SCC_SUBBOMB_SUBJ_1    An unusual string pattern seen in subscription bombing subjects
+header   SCC_SUBBOMB_SUBJ_1    Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
+score    SCC_SUBBOMB_SUBJ_1    5
+
+# cPanel Phishing
+header         __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
+describe       __SCC_HELO_CPANELNET HELO is bare cpanel.net
+meta         SCC_FAKE_CPANEL  __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS) 
+score        SCC_FAKE_CPANEL  6
+
 #https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
 body           KAM_FILE                /file:\/\/\/\//i
 describe       KAM_FILE                Potential attempt for NTLM attack
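Review bot: `SCC_FAKE_CPANEL` is scored 6 but has no `describe`; the only description is attached to the `__SCC_HELO_CPANELNET` subrule, which does not appear in reports. Adding `describe SCC_FAKE_CPANEL HELO claims cpanel.net without an SPF pass` would give operators readable report text when triaging a hit. `SCC_SUBBOMB_SUBJ_1` is a single case-sensitive Subject pattern scored 5, so a short comment on where the pattern was observed would help later review of false positives.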
@@ -5673,4 +5725,65 @@ meta             KAM_FUN                 (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
 describe       KAM_FUN                 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
 score          KAM_FUN                 4.5
 
+#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
+uri            KAM_DRIVENUM            /\d+\.drive\.google.com/i
+describe       KAM_DRIVENUM            Drive Links Prevalent in Spam
+score          KAM_DRIVENUM            5.0
+
+#SWIFT PAYMENT SCAMS
+header         __KAM_SWIFT1            Subject =~ /Swift/i
+body           __KAM_SWIFT2            /swift copy/i
+body           __KAM_SWIFT3            /balance payment/i
+
+meta           KAM_SWIFT               (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
+describe       KAM_SWIFT               SWIFT payment scam
+score          KAM_SWIFT               3.0
+
+ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
+  # Custom score
+  score         FROMNAME_SPOOFED_EMAIL 0.3
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  header       KAM_RAPTOR_ALTERED      X-KAM-Raptor-Alter =~ /True/
+  describe     KAM_RAPTOR_ALTERED      Raptor identified a dangerous attachment
+  score                KAM_RAPTOR_ALTERED      2.0
+endif
+
+#BAD INVOICE SCAMS
+header          __KAM_PROFORMA1         Subject =~ /Proforma/i
+body            __KAM_PROFORMA2         /no responds/i
+body            __KAM_PROFORMA3         /highly encrypted/i
+body           __KAM_PROFORMA4         /Proforma Invoice/i
+uri            __KAM_PROFORMA5         /\.php/i
+
+meta            KAM_PROFORMA            (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
+describe        KAM_PROFORMA            Invoice scam
+score           KAM_PROFORMA            7.5 
+
+#BAD INVOICE SCAMS
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+  header          __KAM_INVOICEPO1         Subject =~ /Invoice copies/i
+  body            __KAM_INVOICEPO2         /consignment/i
+  body            __KAM_INVOICEPO3         /invoice copies/i
+  mimeheader      __KAM_INVOICEPO4        Content-Type =~ /invoice copies.{0,100}\.html/i
+  
+  meta            KAM_INVOICEPO            (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
+  describe        KAM_INVOICEPO            Invoice scam
+  score           KAM_INVOICEPO            4.0
+
+  mimeheader      KAM_HTMLINVOICE         Content-Type =~ /invoice.{0,100}\.html/i
+  describe        KAM_HTMLINVOICE         Invoice scam
+  score           KAM_HTMLINVOICE         1.5
+
+  mimeheader      KAM_HTMLINVOICE2        Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
+  describe       KAM_HTMLINVOICE2        Invoice scam
+  score                  KAM_HTMLINVOICE2        3.5
+endif
+
+# Disable possible CPU burning rule, reported to SA users list  -- 2019-05-29
+# FIXED rule distributed via sa-update since 2019-05-31
+# meta __STYLE_GIBBERISH_1  0
+
+
 # EOF
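Review bot: `KAM_DRIVENUM` is a single-pattern rule scored 5.0, and its regex `/\d+\.drive\.google.com/i` leaves the last dot unescaped and has no boundary after `com`, so it also matches hosts that merely contain that text. `uri KAM_DRIVENUM /\d+\.drive\.google\.com(?:\/|$)/i` would be stricter. `KAM_RAPTOR_ALTERED` trusts an `X-KAM-Raptor-Alter` header matched with the unanchored `/True/`; presumably the header is set by a local filter, so it is worth confirming that inbound copies of it are stripped before scoring. The second `#BAD INVOICE SCAMS` heading duplicates the first and could be renamed to tell the `KAM_PROFORMA` and `KAM_INVOICEPO` groups apart.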