bump version to 3.4.1-4

[proxmox-spamassassin.git] / KAM.cf

#KAM.cf - SpamAssassin Rules
#
#Author: Kevin A. McGrail with contributions from Joe Quinn & Karsten Bräckelmann
#
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
#       at https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#HomePage: http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
#
#This is a collection of special rules that I have developed and use on my system.
#
#They are intended as live research for committal to SpamAssassin's SVN sandbox but
#often rely on my corpora so they do not fair well in masschecks.
#
#You are welcome and encouraged to email me directly regarding suggestions.
#
#To avoid being caught by our filters, False positives and negatives should be
#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#I believe the rules are safe and they are in use on production systems so I will
#do my best to respond to FPs *especially* if you can send me an email sample.
#
#This cf file is designed for systems with a threshold of 5.0 or higher.  
#
#
#It is best to save an email sample in mbox format and zip it to attach to get 
#around my filters.  It is sometimes best to send samples in a second email so I
#know to go looking for it in my spam folders.
#
#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
# - I don't view many of my rules as single rules as I typically use meta rules.  
#   I view meta rules as multiple rules hence a larger score is acceptable.
#
# - Some content needs to be blocked either due to large number of complaints or
#    for content.  For example, the sexually explicit items and the stock tips.  
#    FPs in these rules will be quickly addressed.
#
#For a free anti-spam consultation, fill out the form at the following URL:
#https://raptor.pccc.com/free_spam_consultation.cgim

#
#Copyright (c) 2017 Kevin A. McGrail
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# NOTE: You might want to also grab a file we use of some various rules at
# https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf
# And realize that we have numerous internal rules so not every rule will be 
# useful but we try and encapsulate those in a KAMOnly defined loop.

# COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
body     __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
rawbody  __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
meta     KAM_MM_FOREX    __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
score    KAM_MM_FOREX 2.5
describe KAM_MM_FOREX Polish-language spam from the Forex botnet

#PHISHING TEST
rawbody         KAM_PHISH1      /u style="cursor: pointer"/
describe        KAM_PHISH1      Test for PHISH that changes the cursor
score           KAM_PHISH1      0.01

header          __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank/i
body            __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert/i
body            __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_PHISH4_4 Content-Type =~ /(verification|information|form).htm/i
endif

meta            KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
score           KAM_PHISH4 3.5
describe        KAM_PHISH4 Another phishing attempt

#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
body            __KAM_REAL1     /(^|\b)RE market/is
body            __KAM_REAL2     /(crashing|declining)/i
body            __KAM_REAL3     /(vacation|second) (home|place)/is
meta            KAM_REAL        (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe        KAM_REAL        Real Estate or Re-Finance Spam
score           KAM_REAL        0.5

#REFINANCE SCAM EMAILS
header          __KAM_REFI1     Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
body            __KAM_REFI2     /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
body            __KAM_REFI3     /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
body            __KAM_REFI4     /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
body            __KAM_REFI5     /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
body            __KAM_REFI6     /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
body            __KAM_REFI7     /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header          __KAM_REFI8     From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i

meta            KAM_REFI        (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
describe        KAM_REFI        Real Estate / Re-Finance Spam
score           KAM_REFI        3.0

meta            KAM_REFI2       (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
describe        KAM_REFI2       Real Estate / Re-Finance Spam
score           KAM_REFI2       2.75

#KAM ERADICATE DEBTS
body            __KAM_DEBT1     /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
header          __KAM_DEBT2     Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
body            __KAM_DEBT3     /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is

meta            KAM_DEBT        ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe        KAM_DEBT        Debt eradication spams
score           KAM_DEBT        2.5

meta            KAM_DEBT2       ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe        KAM_DEBT2       Likely Debt eradication spams
score           KAM_DEBT2       1.0

#XtraSize+ Penis Enlargement Scam
header          __KAM_SILD1     Subject =~ /Sildenafil Citrate/i
body            __KAM_SILD2     /(XtraSize\+|Sildenafil Citrate)/i

meta            KAM_SILD        (__KAM_SILD1 + __KAM_SILD2 >= 1)

describe        KAM_SILD        Simple rule to block one more enhancement message
score           KAM_SILD        5.0

#if (version < 3.002000)
#  #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
#  #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
#  header        __KAM_NUMBER1   Subject =~ /^\d+$/
#  body         __KAM_NUMBER2   /\d{1,6}/
#  header       __KAM_NUMBER3   Message-ID =~ /\<[a-z]{19}\@/i
#
#  meta          KAM_NUMBER      ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
#  describe      KAM_NUMBER      Silly Number Emails
#  score         KAM_NUMBER      1.0
#endif

#KAM MEDICATION KAM_OVERPAY     
body            KAM_OVERPAY     /O . V . E . R . P . A . Y/i
describe        KAM_OVERPAY     Common Medicinal Ad Trick
score           KAM_OVERPAY     3.5

#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
body            KAM_VIAGRA1     /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
describe        KAM_VIAGRA1     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA1     3.0

#VIAGRA AD 2
body            KAM_VIAGRA2     /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe        KAM_VIAGRA2     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA2     3.1

#VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
#body            KAM_VIAGRA3     /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
#describe        KAM_VIAGRA3     Common Viagra and Medicinal Table Trick
#score           KAM_VIAGRA3     3.1

#VIAGRA AD 4
body            __KAM_VIAGRA4A  /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body            __KAM_VIAGRA4B  /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body            __KAM_VIAGRA4C  /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i

# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
body            __KAM_VIAGRA_FPS /via gra|i augur/i

meta            KAM_VIAGRA4     ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe        KAM_VIAGRA4     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA4     3.1

#VIAGRA AD 5
body            KAM_VIAGRA5     /(V [1li|\]] [a&] G R A|VljAG+R+A)/i 
describe        KAM_VIAGRA5     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA5     3.1

#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
body            __KAM_VIAGRA6A  /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
body            __KAM_VIAGRA6B  /(\b|^)A.?M.?B.?[il1].?E.?N/i
body            __KAM_VIAGRA6C  /V.?A.?L.?[il1].?U.?M/i
body            __KAM_VIAGRA6D  /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header          __KAM_VIAGRA6E  From =~ /Viagra|Cialis(\b|$)/i

meta            KAM_VIAGRA6     (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe        KAM_VIAGRA6     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA6     3.1

#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
body            __KAM_VIAGRA7A  /V[ij]+AGRA/i
body            __KAM_VIAGRA7B  /C[ij]+AL[ij]+S($|\b)/i
body            __KAM_VIAGRA7C  /AMB[ij]+EN/i
body            __KAM_VIAGRA7D  /VAL[ij]+UM/i

meta            KAM_VIAGRA7     ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe        KAM_VIAGRA7     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA7     3.1

#VIAGRA AD 8
body            __KAM_VIAGRA8A  /VI...?AGRA/i
body            __KAM_VIAGRA8B  /AM...?BIEN/i
body            __KAM_VIAGRA8C  /VA...?LIUM/i
body            __KAM_VIAGRA8D  /CI...?ALIS/i

meta            KAM_VIAGRA8     ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe        KAM_VIAGRA8     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA8     5.1

#VIAGRA AD 9
body            __KAM_VIAGRA9A  /V[IL1]A..GRA/i
body            __KAM_VIAGRA9B  /AMB..IEN/i
body            __KAM_VIAGRA9C  /VAL..IUM/i
body            __KAM_VIAGRA9D  /C[IL1]A..LIS/i

meta            KAM_VIAGRA9     ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe        KAM_VIAGRA9     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA9     5.1

#VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
header          __KAM_VIAGRA10A    From =~ /male enhancement|mens.renewal/i
header          __KAM_VIAGRA10B    Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i

meta            KAM_VIAGRA10    (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
describe        KAM_VIAGRA10    Male enhancement spam with no content
score           KAM_VIAGRA10    8.0

#NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
header          __KAM_NITROXIN1A   From =~ /nitroxin/i

meta            KAM_NITROXIN1   (__KAM_NITROXIN1A >= 1)
describe        KAM_NITROXIN1   Another variant of Viagra spam
score           KAM_NITROXIN1   8.0

#RE[#] SPAM
#NOTE: Thanks to Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
header          KAM_RE          Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe        KAM_RE          Subject of Re[0]: etc prevalent in Spam
score           KAM_RE          2.0

meta            KAM_RE_PLUS     (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe        KAM_RE_PLUS     Bad Subject and Image Only rule hit == SPAM!
score           KAM_RE_PLUS     4.0

#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#thansk to Michael Denney for the FP report
header          __KAM_HOODIA1   Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody         __KAM_HOODIA2   /(?:hoodia|920\+)/i
body            __KAM_HOODIA3   /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is

meta            KAM_HOODIA      (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe        KAM_HOODIA      Hoodia / Weight Loss Product Promotion Spam
score           KAM_HOODIA      3.0

#STOCK TIPS

##1 through 120 disabld 5-12-2014 due to age
##body            __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
##body            __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
##body          __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
##body            __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
##body          __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
##body          __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
##body          __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
##body          __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
##body          __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
###THANKS TO HOMER PARKER FOR THE FALSE POSSITIVE NOTE!
##body            __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
##body          __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
##body          __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
##body          __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
##body          __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
##body          __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
##body          __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
##body          __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
##body          __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
##body          __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
##body          __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
##body          __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
##body          __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
##body          __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
##body          __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
##body          __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
##body          __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
##body          __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
##body          __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
##body          __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
##body          __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
##body          __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
##body          __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
##body            __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
##body          __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
##body          __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
##body          __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
##body          __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
##body          __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
##body          __KAM_STOCKTIP39 /Premium Petroleum/is
##body          __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n  ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
##body          __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
##body          __KAM_STOCKTIP42 /DPEK/i
###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
##body          __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is 
##body          __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
##body          __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
##body          __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
##body          __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
###DISABLED DUPLICATE OF 40
###body         __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
##body          __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
##body          __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
##body          __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
##body          __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
##body          __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
##body          __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
##body          __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
###FP FIXED THANKS TO Homer Parker
##body          __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
###FP FIXED THANKS TO Homer Parker
##body          __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
##body            __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
##body          __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
##body          __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
##body          __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
##body          __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
##body          __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
##body          __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
##body          __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
###DISABLED FOR FALSE POSITIVES AND AGE
###body         __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
##body          __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
##body          __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
##body          __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
##body          __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
##body          __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
##body          __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
##body          __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
##body          __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
###FP FIXED THANKS TO Christopher X. Candreva
##body          __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
##body          __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
##body          __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
###FP FIXED THANKS TO Homer Parker
##body          __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
##body          __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
##body          __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
##body          __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
##body          __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
##body          __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
##body          __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
##body          __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
##body          __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
##body          __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
##body          __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
##body          __KAM_STOCKTIP89 /UTEV/i
##body          __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
##body          __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
##body          __KAM_STOCKTIP92 /CBRJ/i
##body          __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
##body          __KAM_STOCKTIP94 /GTAP/i
##body          __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
###FP FIXED THANKS TO BRETT GARRETT
##body          __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
##body          __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
##body            __KAM_STOCKTIP98 /PLMA/i
##body          __KAM_STOCKTIP99 /CDYV/i
##body          __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
###Added boundary check thanks to Michael Denney
##body          __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
##body          __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
##body          __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
##body          __KAM_STOCKTIP104 /ASVP/is
##body          __KAM_STOCKTIP105 /CHVC/is
##body          __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
##body          __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
##body          __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
##body          __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
###DUPLICATED STOCKTIP #51
###body         __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
##body          __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
###FP Fixed thanks to Greg Troxel
##body          __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
##body          __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
###FP FIXED THANKS TO Antonio Falzarano
##body          __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
##body            __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
##body          __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
##body          __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
###FALSE POSITIVE ON DANSREALESTATE.
##body          __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
##body          __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
##body          __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i

body            __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body            __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body            __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
body            __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body            __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body            __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body            __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
#FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
body            __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
body            __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
body            __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
#Added boundary check thanks to Michael Denney
body            __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
body            __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
body            __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
body            __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body            __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
body            __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
body            __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
body            __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
body            __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
body            __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
#FP IN French email on 3/2/2017
#body           __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
body            __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
body            __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
body            __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body            __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body            __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
body            __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)B.?Z.?I.?C(\b|$)/is
body            __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body            __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body            __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
body            __KAM_STOCKTIP151 /Alanco Tech/i
body            __KAM_STOCKTIP152 /Siga Resources/i
body            __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
body            __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
body            __KAM_STOCKTIP155 /Alanco Technologies/is
body            __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
body            __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
body            __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
body            __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
body            __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
body            __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
body            __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
body            __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
body            __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
body            __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
body            __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
body            __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Management|Quest Science Management Gate)(\b|$)/is
body            __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
body            __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/is


body            __KAM_STOCKOTC  /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
body            __KAM_STOCKSYM  /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
body            __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
body            __KAM_STOCKSHR  /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body            __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
body            __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
header          __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
body            __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
body            __KAM_INSTOCK   /in stock/i

# ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP157 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)

describe        KAM_STOCKTIP    Email Contains Pump & Dump Stock Tip
score           KAM_STOCKTIP    7.1

#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
body            __KAM_STOCK3    /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score           __KAM_STOCK3    0.1
describe        __KAM_STOCK3    Email Looks like it references a 4 character stock symbol

#GENERIC STOCK RULE
meta            KAM_STOCKGEN    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe        KAM_STOCKGEN    Email Contains Generic Pump & Dump Stock Tip
score           KAM_STOCKGEN    1.5

#KAM STOCK RULE #2
body            __KAM_STOCK2_1  /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
body            __KAM_STOCK2_2  /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
body            __KAM_STOCK2_3  /stock/i
body            __KAM_STOCK2_4  /trader|investor|analyst|royalties/i
header          __KAM_STOCK2_5  Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
header          __KAM_STOCK2_6  From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i

meta            KAM_STOCK2      (__KAM_STOCK2_1 +  __KAM_STOCK2_2 +  __KAM_STOCK2_3 +  __KAM_STOCK2_4 +  __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
score           KAM_STOCK2      2.5
describe        KAM_STOCK2      Another Round of Pump & Dump Stock Scams

#JUDGEMENTS
body            __KAM_JUDGE1    /(unpaid court|(un-?collected|unsatisfied) judgments)/is
body            __KAM_JUDGE2    /(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body            __KAM_JUDGE3    /collect your money/is
body            __KAM_JUDGE4    /judgment/i
#FULL-WEIGHT
header          __KAM_JUDGE5    Subject =~ /judgment/i

meta            KAM_JUDGE       (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe        KAM_JUDGE       Email Contains Judicial Judgment Solicitation
score           KAM_JUDGE       2.5

#MEDS
body            __KAM_MED1      /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body            __KAM_MED2      /\d\d ?%/

describe        KAM_MED         Economizing your meds spam
meta            KAM_MED         (__KAM_MED1 + __KAM_MED2 >= 2)
score           KAM_MED         1.5

#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
header          __KAM_MED2_1    Subject =~ /Pharmacy order \#\d{5}/i      

describe        KAM_MED2        More Medical SPAM
meta            KAM_MED2        (__KAM_MED2_1 >= 1)
score           KAM_MED2        1.0

#TIME PIECE
header          __KAM_TIME1     Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i

#0.50 WEIGHTED TESTS
body            __KAM_TIME2     /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header          __KAM_TIME3     Subject =~ /time|watch/i
body            __KAM_TIME4     /time|watch/i
body            __KAM_TIME5     /(funny|low) price|treat.yourself/i
 #REMOVED WORD OMEGA FROM BRANDS.  TOO MANY FPs.
body            __KAM_TIME6     /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i


meta            KAM_TIME        ((__KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2)) >= 2)
describe        KAM_TIME        Pssss.  Hey Buddy, wanna buy a watch?
score           KAM_TIME        3.0

meta            KAM_TIMEGEO     (KAM_GEO_STRING2 && KAM_TIME)
describe        KAM_TIMEGEO     Email references geocities & wrist watch sales
score           KAM_TIMEGEO     3.5

#YOUR HOME
body            __KAM_HOME1     /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
body            __KAM_HOME2     /Build your equity faster|refund is not reversible|rent.to.own/i
body            __KAM_HOME3     /tax saving plans|\d+K Mortgage Credit|no.more.of/i
header          __KAM_HOME4     From =~ /rent.?and.?own|rent.own.list/i
header          __KAM_HOME5     Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i

meta            KAM_HOME        (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
describe        KAM_HOME        Mortage & Refinance Spam Rule
score           KAM_HOME        3.5

#UNIVERSITY RULE
body            __KAM_UNIV1     /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body            __KAM_UNIV2     /\d (week|month).{0,30}degree/is
body            __KAM_UNIV3     /(past work|based on your|earned from|life|life and work|present work) experience/is
body            __KAM_UNIV4     /not official degree|non[ -]?accredited/is
body            __KAM_UNIV5     /novelty (degree|use)/is
body            __KAM_UNIV6     /verifiable University Degree/is
body            __KAM_UNIV7     /(life|work) experience (diploma|degree|transcript)/is
body            __KAM_UNIV8     /Career Path/is
body            __KAM_UNIV9     /non[- ]?ac(creditee?d)?.{1,10}universit/is
body            __KAM_UNIV10    /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body            __KAM_UNIV11    /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
body            __KAM_UNIV12    /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body            __KAM_UNIV13    /(degree|field|diploma) of your (choice|expertise)/is
body            __KAM_UNIV14    /(earn a|full) transcript/is
body            __KAM_UNIV15    /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body            __KAM_UNIV16    /\d weeks.{0,30}graduated/is
header          __KAM_UNIV17    Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body            __KAM_UNIV18    /100% discrete/is

body            __KAM_UNIV1B    /\d (months|weeks)/i
body            __KAM_UNIV2B    /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body            __KAM_UNIV3B    /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
body            __KAM_UNIV4B    /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body            __KAM_UNIV5B    /F A S T[ ]{0,4}T R A C K/is
body            __KAM_UNIV6B    /DIP\sLOMA/

meta            KAM_UNIV        ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe        KAM_UNIV        Diploma Mill Rule
score           KAM_UNIV        4.5

#URUNIT
body            __KAM_URUNIT1   /\bur (unit|liveliness|energy level|endurance level)/is
body            __KAM_URUNIT2   /\bur (gf|girl|wife|size|thing|partner|significant other)/is
body            __KAM_URUNIT3A  /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body            __KAM_URUNIT3   /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body            __KAM_URUNIT4   /(bedroom|the bed|nighttime activit|male power|show your girl)/is
body            __KAM_URUNIT5   /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body            __KAM_URUNIT6   /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header          __KAM_URUNIT7   Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header          __KAM_URUNIT8   Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i

meta            KAM_URUNIT      ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)

describe        KAM_URUNIT      Recent penile and body enhancement spams
score           KAM_URUNIT      0.5

#UR ZEST
body            __KAM_URZEST1   /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body            __KAM_URZEST2   /or still (?:jaded|worn|drained|exasperated) all the time/i
body            __KAM_URZEST3   /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body            __KAM_URZEST4   /(wks it has been|been mos) since we('| ha)ve chatted/i
body            __KAM_URZEST5   /(back into shape|made me healthier after my disease)/i

meta            KAM_URZEST      (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe        KAM_URZEST      Recent penile and body enhancement spams
score           KAM_URZEST      3.0

#JOB LET GO
body            __KAM_JOB1      /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body            __KAM_JOB2      /twice as much/is

meta            KAM_JOB         (__KAM_JOB1 + __KAM_JOB2 >=2)
describe        KAM_JOB         People let go, work at home, earn billions!
score           KAM_JOB         4.3

#PERIMETERPARK
body            KAM_PERPARK     /P e r i m e t e r P a r k C e n t e r/i
describe        KAM_PERPARK     Obfuscated address appearing in SPAM Feb 06
score           KAM_PERPARK     2.5

#HOLLYWOOD WAY
body            KAM_HOLLY       /1 0 2 0 N H o l l y w o o d W a y /i
describe        KAM_HOLLY       Obfuscated address appearing in SPAM Jun 06
score           KAM_HOLLY       2.5

#PUMP & DUMP STOCK GRAPHICS
header          __KAM_STOCKG1   Subject =~ /^Fw: \d{6}$/i
header          __KAM_STOCKG2   Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta            KAM_STOCKG      ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
describe        KAM_STOCKG      Graphical Pump and Dump Scams
score           KAM_STOCKG      3.0

#CEP Diploma Mill
body            __KAM_CEP1      /Job Prospect Newsletter|training.workshop/i
body            __KAM_CEP2      /legitimate verifiable degree|build a better you|domain.knowledge/i
body            __KAM_CEP3      /Career Education program|customize a learning program|certified.instructor/i
body            __KAM_CEP4      /(MBA|CEP)/
body            __KAM_CEP5      /degree\/certificates|certification/i
body            __KAM_CEP6      /\d (week|month)/i
header          __KAM_CEP7      From =~ /certificate program/i

meta            KAM_CEP        ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
describe        KAM_CEP        CEP Diploma Mill Rule
score           KAM_CEP        3.5


#Commented since 3.2.0 is pretty old now
#if (version < 3.200000)
#  #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
#    #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
#  meta         KAM_BLANK01     (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
#  describe     KAM_BLANK01     Blank emails
#  score        KAM_BLANK01     1.0
#  
#    #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
#  meta         KAM_BLANK02     (KAM_BLANK01 && MSGID_FROM_MTA_ID)
#  describe     KAM_BLANK02     Blank emails with MTA Headers
#  score        KAM_BLANK02     1.0
#endif

#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
uri             KAM_GEO_STRING2         /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe        KAM_GEO_STRING2         Use of geocities/yahoo very likely spam as of Dec 2005
score           KAM_GEO_STRING2         4.7

#KAM GOOGLE SPAM
uri             KAM_GOOGLE_STRING       /^http:\/\/www.google.com\/url\?q=/i
describe        KAM_GOOGLE_STRING       Use of Google redir appearing in spam July 2006
score           KAM_GOOGLE_STRING       1.0

#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri             KAM_MSNBR_REDIR         /g.msn.com.br\/BR9\/1369.0/i
describe        KAM_MSNBR_REDIR         Use of MSN Brasil Redirector for Spam seen in 2011
score           KAM_MSNBR_REDIR         5.0

#KAM MSN SPAM
uri             __KAM_MSN_STRING1         /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri             __KAM_MSN_STRING2              /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta            KAM_MSN_STRING          (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe        KAM_MSN_STRING         spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score           KAM_MSN_STRING         2.5

#KAM LIVEJOURNAL SPAM
uri             __KAM_LIVE1              /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta            KAM_LIVE          (__KAM_LIVE1)
describe        KAM_LIVE         blogspot.com & livejournal.com likely spam (Apr 2010)
score           KAM_LIVE         1.0

#KAM PAGE.TL SPAM - idea from Benny Pedersen
uri             __KAM_PAGE1              /^http:\/\/.{0,20}\.(page\.tl)/i
meta            KAM_PAGE          (__KAM_PAGE1)
describe        KAM_PAGE         Page.TL likely spam (Nov 2011)
score           KAM_PAGE         2.0

# This rule is to mark emails using the exploit of the URI parsing
uri             KAM_URIPARSE       /(\%0[01]|\0).{1,100}\@/i
describe        KAM_URIPARSE    Attempted use of URI bug-high probability of fraud
score           KAM_URIPARSE     7.0

#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri             KAM_EBAYREDIR    /.*.ebay.com.*RedirectToDomain/i
#describe        KAM_EBAYREDIR    Attempted use of eBay redirect-likely fraud
#score           KAM_EBAYREDIR    7.0

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
#
#
#What is the correct syntax for AOL e-mail addresses?
#The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
#Valid AOL e-mail addresses can not:
#Be shorter than 3 or longer than 16 characters.
#Begin with numbers.
#Contain punctuation of any kind (such as periods, underscores, or dashes).
#
#

#Disabled 2017-10-24 upon evidence that AOL no longer follows their syntax.  
#Awaiting an updated version however KAM predicts that with the merger that this
#is likely to accommodate other systems like Verizon coming under the same infrastructure.

header          __KAM_AOL               From =~ /\@aol.com/i
describe        __KAM_AOL               Partial Rule: Marks AOL Addresses
header          __KAM_GOODAOL           From =~ /[a-z][a-z0-9]{2,15}\@aol.com/i
describe        __KAM_GOODAOL           Partial Rule: Marks Bad AOL Addresses
meta            KAM_COMBO_BADAOL        __KAM_AOL && !(__KAM_GOODAOL)
describe        KAM_COMBO_BADAOL        Invalid AOL Email Address-High probability of spam
score           KAM_COMBO_BADAOL        3.0

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header          KAM_ADV_EMAIL           From =~ /(^| |<)ADV\@/i
describe        KAM_ADV_EMAIL           Marks adv@<domain.com> Addresses as likely SPAM
score           KAM_ADV_EMAIL           16.0

#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header    __KAM_SEX_EXPLICIT1    Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header    __KAM_SEX_EXPLICIT2    Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
header    __KAM_SEX_EXPLICIT3    From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck)/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body      __KAM_SEX_EXPLICIT4    /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\#ck|F\*ck_|find milfs/i
header    __KAM_SEX_EXPLICIT5    Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i

meta      KAM_SEX_EXPLICIT      (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 >= 1)
describe  KAM_SEX_EXPLICIT      Subject or body indicates Sexually Explicit material
score     KAM_SEX_EXPLICIT      16.0

#SOLICITING AFFAIR SPAM
header    __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
header    __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
rawbody   __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
rawbody   __KAM_SEX_AFFAIR4 /looking.for.affair/i

meta      KAM_SEX_AFFAIR    (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
describe  KAM_SEX_AFFAIR    Subject or body soliciting an affair
score     KAM_SEX_AFFAIR    8.0

#KAM_TELEWORK
body            __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
body            __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body            __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
body            __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
body            __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
body            __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
header          __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
header          __KAM_TELEWORK8 From =~ /training|online/i

meta            KAM_TELEWORK    (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
describe        KAM_TELEWORK    Stupid telework and training scams
score           KAM_TELEWORK    3.0

#Changed to meta 2017-10-17
#2017-10-23 - Removed .link.  Uniregistry has committed to reviewing abuse concerns.
header          __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|bid|press|top)$/i
uri             __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|bid|press|top)($|\/)/i

meta            KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
describe        KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press, & .bid TLD Abuse
score           KAM_SOMETLD_ARE_BAD_TLD         5.0



#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  #TESTING RULE
  body            KAM_LOCAL_TEST1       /myspamtest12341234/
  describe        KAM_LOCAL_TEST1       This is a unique phrase to trigger a + score
  score           KAM_LOCAL_TEST1       50

  #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
  header          KAM_RPTR_FAILED         X-KAM-Reverse =~ /^Failed/
  describe        KAM_RPTR_FAILED         Failed Mail Relay Reverse DNS Test
  score           KAM_RPTR_FAILED         6.0
  
  header          KAM_RPTR_SUSPECT        X-KAM-Reverse =~ /^Suspect/
  describe        KAM_RPTR_SUSPECT        Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
  score           KAM_RPTR_SUSPECT        2.45
  
    #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE.  NOTED by David Goldsmith.
  header          __KAM_RPTR_PASSED       X-KAM-Reverse =~ /^Passed/
  meta            KAM_RPTR_PASSED         (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
  describe        KAM_RPTR_PASSED         Passed Mail Relay Reverse DNS Test
  score           KAM_RPTR_PASSED         -1.0
  
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0

  #DWDTECHSPAM /ETC
  header          KAM_RPTR_BADHOST        X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
  describe        KAM_RPTR_BADHOST        Very Spammy Hosting Company Identified
  score           KAM_RPTR_BADHOST        9.0

  #CUSTOM SCORES THAT KAM LIKES
  #score          SARE_GIF_ATTACH         3.0
  score           CHARSET_FARAWAY_HEADER  1.6
  score           MIME_CHARSET_FARAWAY    1.25
  score           FH_FROM_CASH            2.0
  score           EWG_BAD_40              1.5
  score           EWG_BAD_47              1.5
  score           EWG_BAD_54              1.5
  score           FREEMAIL_ENVFROM_END_DIGIT      1.0
  score           FREEMAIL_REPLYTO        1.0
  score           KHOP_BIG_TO_CC          1.5
  score           URIBL_DBL_SPAM          5.0
  score           AC_HTML_NONSENSE_TAGS   4.0


  #ENABLING DNSWL - BUG 6668
  score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
  score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
  score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
  score RCVD_IN_DNSWL_HI 0 -5 0 -5

  #COMPLETE WHOIS IS DOWN
  #score __RCVD_IN_WHOIS 0
  #score RCVD_IN_WHOIS_INVALID 0
  #score URIBL_COMPLETEWHOIS 0

  #Custom subject whitelist
  #header       FRANCHISE_JERRY         Subject =~ /: (Franchise Application|Request Franchise Information)$/i
  #score        FRANCHISE_JERRY         -99.0
  #describe      FRANCHISE_JERRY        Jerry's Franchise Application or Request

  header        KAM_INVALID_FROM        X-KAM-From =~ /From Header Missing Host/
  describe      KAM_INVALID_FROM        From header missing host portion
  score         KAM_INVALID_FROM        4.0

  #RAPTOR ALTERED EMAILS
  body          __KAM_RAPTOR1           /altered by our Raptor filters/i
  header        __KAM_RAPTOR2           X-KAM-Raptor-Alter =~ /True/

  meta          KAM_RAPTOR              (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
  describe      KAM_RAPTOR              PCCC Raptor altered the email
  score         KAM_RAPTOR              3.5

  #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
  score RCVD_IN_NJABL_CGI 0
  score RCVD_IN_NJABL_MULTI 0
  score RCVD_IN_NJABL_PROXY 0
  score RCVD_IN_NJABL_RELAY 0
  score RCVD_IN_NJABL_SPAM 0
  score __RCVD_IN_NJABL 0

  if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
    dns_query_restriction deny njabl.org 
  endif

  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_BADATTACH        X-KAM-BadAttach =~ /^True/
  describe        KAM_BADATTACH        Mail contains a bad attachment
  score           KAM_BADATTACH        15.0

  #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
  #score          URIBL_RHS_DOB         0.0

else
  # no KAMOnly, stub rules
  meta  KAM_RAPTOR 0
  score KAM_RAPTOR 0
  meta  CBJ_GiveMeABreak 0
  score CBJ_GiveMeABreak 0
  meta  KAM_RPTR_SUSPECT 0
  score KAM_RPTR_SUSPECT 0
  meta  KAM_RPTR_FAILED 0
  score KAM_RPTR_FAILED 0
  meta  KAM_RPTR_PASSED 0
  score KAM_RPTR_PASSED 0
endif

#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header          KAM_6C822ECF            Message-Id =~ /\$6c822ecf\@/i
describe        KAM_6C822ECF            $6c822ecf@ VERY prevalent message-ID header in SPAMs
score           KAM_6C822ECF            7.0

#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header          __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header          __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i

meta            KAM_MUSTREAD    (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe        KAM_MUSTREAD    Subject indicative of a SPAM message
score           KAM_MUSTREAD    1.25

body            __KAM_DRILL1    /drilling/i
body            __KAM_DRILL2    /oil (company|partnership|and gas rights)/i
body            __KAM_DRILL3    /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body            __KAM_DRILL4    /(buy today|Check this deal out)/i

meta            KAM_DRILL       (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe        KAM_DRILL       Oil Drilling SPAM
score           KAM_DRILL       1.5

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
  header        KAM_IFRAME      X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
  describe      KAM_IFRAME      Email contained Iframe, Object or Script tags
  score         KAM_IFRAME      1.0
  
  body          KAM_IFRAME2     /you need a browser with javascript/i
  describe      KAM_IFRAME2     Email contains phrase instructing javascript use
  score         KAM_IFRAME2     1.0
  
  meta          KAM_IFRAME3     (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
  score         KAM_IFRAME3     5.0
  describe      KAM_IFRAME3     Likely email exploit - Email shouldn't require javascript in an email attachment

  #XEROX SCANS
  header          __KAM_XEROX1    Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
  meta            KAM_XEROX       (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR >= 2)
  score           KAM_XEROX       5.0
  describe        KAM_XEROX       Likely Fake Xerox Attachment

else
  # no KAMOnly, stub rules
  meta  KAM_IFRAME 0
  score KAM_IFRAME 0
endif

#STUPID REMOVE "*" to make the link working.
body            __KAM_STAR1     /REMOVE ("\*"|space) (in the above|to make the) link/i

meta            KAM_STAR        (__KAM_STAR1 >= 1)
describe        KAM_STAR        Stupid Obfuscated Link SPAMs
score           KAM_STAR        2.0

#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME. 
body            __KAM_SPAMKING1 /This advertisement is presented by/is
body            __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body            __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body            __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body            __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body            __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is

meta            KAM_SPAMKING    (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe        KAM_SPAMKING    SPAM using throw-away domains and addresses.  SpamKing's Heir!
score           KAM_SPAMKING    1.0

#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header          KAM_SPAMJDR     X-Mailerinfo =~ /OTHR_JDR/
describe        KAM_SPAMJDR     Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771 
score           KAM_SPAMJDR     2.0

meta            KAM_COMBOJDR    (KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe        KAM_COMBOJDR    Spam Test for Rules Combined with KAM_SPAMJDR
score           KAM_COMBOJDR    5.0

#LOTTO CRUD
body            __KAM_LOTTO1    /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
body            __KAM_LOTTO2    /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
body            __KAM_LOTTO3    /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
body            __KAM_LOTTO4    /(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
body            __KAM_LOTTO5    /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10]gbp)/is
body            __KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email/is
header          __KAM_LOTTO7    Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number)/i
header          __KAM_LOTTO8    From =~ /Lottery|powerball|western.union/i
header          __KAM_LOTTO9    Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i

meta            KAM_LOTTO1      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
describe        KAM_LOTTO1      Likely to be an e-Lotto Scam Email
score           KAM_LOTTO1      0.5

meta            KAM_LOTTO2      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
describe        KAM_LOTTO2      Highly Likely to be an e-Lotto Scam Email
score           KAM_LOTTO2      1.0

meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
describe        KAM_LOTTO3      Almost certain to be an e-Lotto Scam Email
score           KAM_LOTTO3      2.0

#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header          __KAM_ABOUT1    Subject =~ /About your Internet (activities|activity)/i
body            __KAM_ABOUT2    /Spyware/i

meta            KAM_ABOUT       (__KAM_ABOUT1 + __KAM_ABOUT2 >=2) 
describe        KAM_ABOUT       Email Scam Hawking Anti-Spyware
score           KAM_ABOUT       1.0

#EMAIL ADVERTISING
body            __KAM_ADVERT1   /email advertising|\d{3}%.roi/is
body            __KAM_ADVERT2   /instant traffic (to your website|and sales)|demand.generation/is
body            __KAM_ADVERT3   /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
header          __KAM_ADVERT4   Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i

meta            KAM_ADVERT      (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe        KAM_ADVERT      Mailing List Scammers Hawking Their Lists / Services
score           KAM_ADVERT      2.5

#DOMAIN ADVERTISING
body            KAM_ADVERT3     /AllExpiringDomains.com/i
describe        KAM_ADVERT3     Traffic / Expiring Domain List Spam
score           KAM_ADVERT3     5.0

#ADVERTISEMENT
rawbody         KAM_ADVERT2     /(?:No longer interested in our offers|This (?: message| email)?is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a commercial message|This message brought to you|THIS EMAIL IS A COMMERCIAL SOLICITATION|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming)|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad-coresspondance/is
describe        KAM_ADVERT2     This is probably an unwanted commercial email...
score           KAM_ADVERT2     0.75

#ONE LINE ADVERTISEMENTS
body            __KAM_1LINE1    /(free score and report|Did you overpay\?)/is
header          __KAM_1LINE2    Subject =~ /(free online score & report|I need tax savings? tip)/i

meta            KAM_1LINE       (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe        KAM_1LINE       One liner SPAMs
score           KAM_1LINE       2.5

#CAN SPAM
body            KAM_CANSPAM     /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
describe        KAM_CANSPAM     SPAM = Lack of Consent (not a Legal Definition)
score           KAM_CANSPAM     1.0

#GIFTS / GIFT CARDS
body            __KAM_GIFT1     /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
body            __KAM_GIFT2     /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body            __KAM_GIFT3     /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
body            __KAM_GIFT4     /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
body            __KAM_GIFT5     /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
header          __KAM_GIFT6     From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i

meta            KAM_GIFT        ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
describe        KAM_GIFT        Gift Card Scams
score           KAM_GIFT        3.5

meta            KAM_GIFT2       ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
describe        KAM_GIFT2       Gift Card Scams
score           KAM_GIFT2       3.5

#MYSTERY SHOPPER
body            __KAM_SHOP1     /chosen to participate as a Mystery Shopper/is
body            __KAM_SHOP2     /Do you like to shop/is
body            __KAM_SHOP3     /make money while you shop/is
meta            KAM_SHOP        (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe        KAM_SHOP        Mystery Shopper Scams
score           KAM_SHOP        2.0

#FAST CASH
rawbody         __KAM_FAST1     /make fast cash in real estate/is
meta            KAM_FAST        (__KAM_FAST1 + KAM_ADVERT2 >=2)
describe        KAM_FAST        Get Rich Quick, Make Money Fast Schemes
score           KAM_FAST        1.8

#BIZ CARDS FREE!
body            __KAM_BIZ1      /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
header          __KAM_BIZ2      Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
header          __KAM_BIZ3      From =~ /Free Business Cards|Custom Printing|Premium Cards/i

meta            KAM_BIZ         (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe        KAM_BIZ         Free Business Card Emails
score           KAM_BIZ         2.5

#FDA
body            __KAM_FDA1      /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body            __KAM_FDA2      /not intended to diagnose,? treat,? cure,? or prevent/i
body            __KAM_FDA3      /FDA Recall/i

meta            KAM_FDA         (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe        KAM_FDA         Carries a not evaluated by the FDA warning or recall warning
score           KAM_FDA         0.5

#WEIGHT LOSS
body            __KAM_WEIGHT1   /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
body            __KAM_WEIGHT2   /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
header          __KAM_WEIGHT3   Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
rawbody         __KAM_WEIGHT4   /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
header          __KAM_WEIGHT5   From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i

#ANATRIM / GREEN TEA / CORTITHERM / ETC
body            __KAM_ANA1      /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
header          __KAM_ANA2      From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i

meta            KAM_ANA         (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT4 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
describe        KAM_ANA         Likely Weight-loss / Medical Spam
score           KAM_ANA         3.5

meta            KAM_ANA2        (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT4 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
describe        KAM_ANA2        Higher probability of Weight-loss / Medical Spam
score           KAM_ANA2        3.5

#REPLACE
body            __KAM_REP1      /Replace \[?[-!~\.]\]? with \./is
body            __KAM_REP2      /www\s+[-!~\.]/i

body            __KAM_REP2_1    /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body            __KAM_REP2_2    /in your (IE|internet|explorer|browser)/i

body            __KAM_REP3_1    /\*omit empty spaces/is
body            __KAM_REP3_2    /.\s+(COM|org|net|info)$/i

meta            KAM_REPLACE     (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe        KAM_REPLACE     Spams that use obfuscated URLs with instructions
score           KAM_REPLACE     2.0

#EVEN MORE NIGERIAN SCAMS AND VARIANTS
body            __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
body            __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
body            __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
body            __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
body            __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i

meta            KAM_NIGERIAN    (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe        KAM_NIGERIAN    Nigerian Scam and Variants
score           KAM_NIGERIAN    2.5

#I LIKE YOUR SPAM
body            __KAM_LIKE1     /been working (extremely|very) hard on my friend's website/is
body            __KAM_LIKE2     /a link from .{1,54} would be greatly appreciated/is
body            __KAM_LIKE3     /(link exchange|in return to me linking back)/is
body            __KAM_LIKE4     /HTML code for the link/is
body            __KAM_LIKE5     /I apologize if this message was sent, in error/is

meta            KAM_LIKE        (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe        KAM_LIKE        I like your website link exchange spam
score           KAM_LIKE        2.0

#PUBLICLY AVAILABLE LISTS?
body            KAM_PUBLIC      /obtained your email address from a publicly available list|find your mail in public forum/is
describe        KAM_PUBLIC      Obtained from Public List != to Consent == SPAM!
score           KAM_PUBLIC      9.0

#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body            __KAM_SEX1      /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body            __KAM_SEX2      /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
header          __KAM_SEX3      Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body            __KAM_SEX4      /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i

describe        KAM_SEX         Sexually Explicit SPAM / Penis Enlargement Scam
score           KAM_SEX         7.0
meta            KAM_SEX         (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)

#STUPID PICTURE SPAMS
body            __KAM_PIC1      /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
body            __KAM_PIC2      /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
body            __KAM_PIC3      /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
body            __KAM_PIC4      /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
body            __KAM_PIC5      /picture|photo|my pics|appended my pic/i

describe        KAM_PIC         Share Pictures and Chat SPAM
score           KAM_PIC         3.5
meta            KAM_PIC         (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)

#STUPID MAILING LIST SPAMS
body            __KAM_LIST1     /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
body            __KAM_LIST2     /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
body            __KAM_LIST3     /price\:|prices for our director/is
body            __KAM_LIST4     /(?:database|list|[\d,]+ (total records|e-?mails))/is
body            __KAM_LIST5     /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
header          __KAM_LIST6     Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i

describe        KAM_LIST        Mailing List Database SPAM
score           KAM_LIST        3.0
meta            KAM_LIST        (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)

#YET MORE DRUG SCAMS
body            __KAM_DRUG1     /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
body            __KAM_DRUG2     /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
rawbody         __KAM_DRUG3     /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body            __KAM_DRUG4     /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is

describe        KAM_DRUG        More Viagra, Medicine, et al Scams
score           KAM_DRUG        2.5
meta            KAM_DRUG        (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)

#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
# I'D LIKE TO TEST THIS WITH ONE RULE BUT HAVEN'T FIGURED OUT HOW.  RIGHT NOW, ONE URL THAT IS BAD 
# AND ONE THAT IS GOOD WILL PASS :-(  I'D LIKE TO FIX THAT
rawbody            __KAM_GOODIPHTTP        /https?:\/\/(192\.168|10\.)/i
rawbody            __KAM_IPHTTP            /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe        KAM_BADIPHTTP           Due to the Storm Bot Network, IPs in emails is bad
score           KAM_BADIPHTTP           2.0
meta            KAM_BADIPHTTP           (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)

body            __KAM_HIDDEN_URI1       /\[DOT\]com/is
body            __KAM_HIDDEN_URI2       /replace "?\[DOT\]/is
meta            KAM_HIDDEN_URI          (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe        KAM_HIDDEN_URI          URI obfuscation techniques
score           KAM_HIDDEN_URI          4.0

#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody         __KAM_INFOUSMEBIZ1      /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header          __KAM_INFOUSMEBIZ2      From:addr =~ /\.(info|us|me|me\.uk|biz)$/i
header          __KAM_INFOUSMEBIZ3      Return-Path =~ /\.(info|us|me|me\.uk|biz)>?$/i

meta            KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score           KAM_INFOUSMEBIZ 0.75
describe        KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware

# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|work|rocks|science|club)$/i
header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|work|rocks|science|club)>?$/i

meta            KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score           KAM_OTHER_BAD_TLD 0.75
describe        KAM_OTHER_BAD_TLD Other untrustworthy TLDs


#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body            __KAM_CARD1     /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body            __KAM_CARD2     /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
body            __KAM_CARD3     /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header          __KAM_CARD4     Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
rawbody         __KAM_CARD5     /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i

describe        KAM_CARD        Trojan or Virus Payload from fake ecard notice
score           KAM_CARD        3.5
meta            KAM_CARD        (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)

#INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
header          __KAM_INSURE1   Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
body            __KAM_INSURE2   /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
header          __KAM_INSURE3   From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
body            __KAM_INSURE4   /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i

describe        KAM_INSURE      Life, Health, Auto, etc. Insurance SPAMs
score           KAM_INSURE      2.5
meta            KAM_INSURE      (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)

describe        KAM_INSURE2     Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
score           KAM_INSURE2     2.5
meta            KAM_INSURE2     (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)

#HEALTH INSURANCE
body            __KAM_HEALTH1   /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body            __KAM_HEALTH2   /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
rawbody         __KAM_HEALTH3   /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
rawbody         __KAM_HEALTH4   /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
header          __KAM_HEALTH5   Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i

describe        KAM_HEALTH      Health/Life Insurance Spam Emails
score           KAM_HEALTH      3.0
meta            KAM_HEALTH      (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)

#HEALTH INSURANCE
body            __KAM_HEALTH2_1   /affordable health coverage/i
header          __KAM_HEALTH2_2   Subject =~ /health insurance quote/i

describe        KAM_HEALTH2     Health Insurance Spam Emails
score           KAM_HEALTH2     3.0
meta            KAM_HEALTH2     (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)

#HEALTH INSURANCE
header          __KAM_HEALTH3_1   Subject =~ /Term Life Coverage/i
header          __KAM_HEALTH3_2   Subject =~ /\d\d\/mo/i
header          __KAM_HEALTH3_3   From =~ /fidelity/i

describe        KAM_HEALTH3     Term Life Insurance Spam
score           KAM_HEALTH3     3.0
meta            KAM_HEALTH3     (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)

#REAL ESTATE INVESTMENT SCAMS
body            __KAM_REAL2_1   /(?:Property available|on the water|costa rica|mountain.top)/i
body            __KAM_REAL2_2   /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
body            __KAM_REAL2_3   /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body            __KAM_REAL2_4   /(?:home sites|raw land|vacation home|wooded.property)/i
body            __KAM_REAL2_5   /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i

describe        KAM_REAL2       Real-estate investment scams
score           KAM_REAL2       1.0
meta            KAM_REAL2       (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)

#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES

ifplugin Mail::SpamAssassin::Plugin::PDFInfo
  #Thanks to Ben Lentz for pointing out a lint error with this.

  describe      KAM_BADPDF      Prevalent Junk PDF SPAMs - BAD SUBJECT
  score         KAM_BADPDF      2.5
  header                KAM_BADPDF      Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
  
  describe      KAM_BADPDF1     Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
  score         KAM_BADPDF1     2.5
  meta            KAM_BADPDF1     (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
 
  #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule.  That was NOT the intent. 
  describe        KAM_BADPDF2     Prevalent Junk PDF SPAMs - 3 STRIKES
  score           KAM_BADPDF2     2.5
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    meta            KAM_BADPDF2     (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
  else
    meta            KAM_BADPDF2     (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
  endif

endif

#FAKE PDF READER/WRITE
body            __KAM_FAKEPDF1  /Download PDF Reader.Writer/is
body            __KAM_FAKEPDF2  /Reader 2010/is
header          __KAM_FAKEPDF3  From =~ /adobe/is
header          __KAM_FAKEPDF4  Subject =~ /reader.writer version 2010/is

meta            KAM_FAKEPDF     (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3) 
describe        KAM_FAKEPDF     Fake PDF Reader / Writer
score           KAM_FAKEPDF     4.0

#VACU AND VARIOUS PHISHING SCAMS
  #SUBJECTS
header          __KAM_PHISH2_1  Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
  #BANKS
body            __KAM_PHISH2_2  /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
  #BAD LINKS
rawbody         __KAM_PHISH2_3  /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
  #STUPID STATEMENTS
body            __KAM_PHISH2_4  /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
body            __KAM_PHISH2_5  /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
body            __KAM_PHISH2_6  /confirm your online banking details|payment.advice|online.fraud|billing.information/i
body            __KAM_PHISH2_7  /extra security check|security.tip/i

describe        KAM_PHISH2      Prevalent Phishing Scam emails
score           KAM_PHISH2      2.0
meta            KAM_PHISH2      (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))


#CRAZY HEX EMPTY MESSAGE
body            __KAM_HEX1      /^[a-f0-9]{8}(\b|$)/i
header          __KAM_HEX2      Subject =~ /^\d{5,6}$/

describe        KAM_HEX         Crazy Empty Hex Messages
score           KAM_HEX         5.5
meta            KAM_HEX         (__KAM_HEX1 + __KAM_HEX2 >= 2)

#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP. 
header          KAM_THEBAT      X-Mailer =~ /The Bat!/i
describe        KAM_THEBAT      Abused X-Mailer Header for The Bat! MUA
score           KAM_THEBAT      1.9

#MAILER BUGS
body            __KAM_MAILER1   /{!firstname_fix}/i

meta            KAM_MAILER      (__KAM_MAILER1 >= 1)
score           KAM_MAILER      2.0
describe        KAM_MAILER      Automated Mailer Tag Left in Email

#YET ANOTHER NIGERIAN SCAM VARIANT
body            __KAM_CHECK1    /delivery fee for your che(que|ck) draft/i
body            __KAM_CHECK2    /let me know when you recieve your money/i

describe        KAM_CHECK       Another Nigerian Bank Draft Scam
score           KAM_CHECK       3.0
meta            KAM_CHECK       (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)

#SEE OPRAH LIVE!
body            __KAM_OPRAH1    /airfare/i
body            __KAM_OPRAH2    /hotel/i
body            __KAM_OPRAH3    /oprah/i
header          __KAM_OPRAH4    Subject =~ /see\s+.*oprah\s+.*live/i

describe        KAM_OPRAH       SPAMs re: Oprah Winfrey Show
score           KAM_OPRAH       2.5
meta            KAM_OPRAH       (__KAM_OPRAH1 + __KAM_OPRAH2  + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)

#EBAY TIPS
body            __KAM_EBAY1     /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body            __KAM_EBAY2     /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header          __KAM_EBAY3     Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i

describe        KAM_EBAY        SPAMs re: eBay Auction Tips
score           KAM_EBAY        3.5
meta            KAM_EBAY        (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)

#GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
body            __KAM_GAS1      /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
body            __KAM_GAS2      /We have a solution|save \d+ cents per gallon|competitive rewards/i
header          __KAM_GAS3      Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
header          __KAM_GAS4      From =~ /gas/i

describe        KAM_GAS         SPAMs re: High Gas Prices
score           KAM_GAS         4.5
meta            KAM_GAS         (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)

#WEIRD BODY MESSAGES
body            KAM_BODY        /{_BODY_HTML}/i
score           KAM_BODY        1.0
describe        KAM_BODY        Odd Erectile Dysfunction Messages with Poor Formatting

#FREE TV, SATELLITE, CABLE INTERNET, ETC
body            __KAM_TV1       /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
body            __KAM_TV2       /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
header          __KAM_TV3       Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
header          __KAM_TV4       From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i

meta            KAM_TV          (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score           KAM_TV          3.0
describe        KAM_TV          Free TV/Cable/etc. Scams

meta            KAM_TV2         (KAM_TV + KAM_INFOUSMEBIZ >=2)
score           KAM_TV2         3.5
describe        KAM_TV2         Higher probability of Free TV/Cable/etc. Spams

#DEGREE SPAMS
body            __KAM_CAREER1   /Hospitals need you|Medical Billing and Coding|medical.coding/is
body            __KAM_CAREER2   /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
body            __KAM_CAREER3   /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is

meta            KAM_CAREER      (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
score           KAM_CAREER      5.0
describe        KAM_CAREER      Spam for Career/Diploma Mills

#NURSE SPAMS
header          __KAM_NURSE1   From =~ /nursing|nurses|health.?care/i
header          __KAM_NURSE2   Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
body            __KAM_NURSE3   /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i

meta            KAM_NURSE      (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
score           KAM_NURSE      3.0
describe        KAM_NURSE      Spam for Career/Diploma Mills

#PILLS
header          __KAM_PILLS1    Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body            __KAM_PILLS2    /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i

meta            KAM_PILLS       (__KAM_PILLS1 + __KAM_PILLS2 >=2)
score           KAM_PILLS       4.0
describe        KAM_PILLS       Spam for scam pharmacy

#PILLS 2.0
header          __KAM_PILLS2_1  From =~ /Enlarge|Men's Supplement/i
header          __KAM_PILLS2_2  From =~ /Free Sample/i

meta            KAM_PILLS2      (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
describe        KAM_PILLS2      Male enhancement spams
score           KAM_PILLS2      2.5

#ALTERNATE EMAIL
body            __KAM_ALT1      /reply to my alternative E-?mail/is

meta            KAM_ALT         (__KAM_ALT1 >= 1)
score           KAM_ALT         0.5
describe        KAM_ALT         Requests use of an alternate email which may indicate spam


#POLITICAL SPAMS
#AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS

#Right vs Left
header          __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
body            __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
header          __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
header          __KAM_POLITICS4 Subject =~ /alert:?.?election|^elect|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i

meta            KAM_POLITICS    (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
score           KAM_POLITICS    9.0
describe        KAM_POLITICS    Unsolicited Political E-Mails

#SPAMMING COMPANIES

#Wall Street Media
header          __KAM_COMPANY1  From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i

meta            KAM_COMPANY1    (__KAM_COMPANY1 >= 1)
score           KAM_COMPANY1    5.0
describe        KAM_COMPANY1    Egregious spammers that should also be on RBLs (and might be)

#MGM,LLC
body            __KAM_COMPANY2_1        /Member Services MGM, LLC/is

meta            KAM_COMPANY2            (__KAM_COMPANY2_1 >= 1)
score           KAM_COMPANY2            5.0
describe        KAM_COMPANY2            Egregious spammers that should also be on RBLs (and might be)

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

  #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
  #Thanks to AXB for his help with these!

  #2013-10-09 Note
  #
  #These RBL's below can contain domains that can cause collateral damage.  
  #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
  #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
  #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
  #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
  #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
  #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
  #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com

  if (version >= 3.003000)
    #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
    util_rb_2tld ning.com
    util_rb_2tld mygbiz.com
    util_rb_2tld web.com
    util_rb_2tld onmicrosoft.com
    util_rb_2tld online.de
    util_rb_2tld wix.com
    util_rb_2tld netdna-cdn.com
    util_rb_2tld dreamhost.com
    util_rb_2tld noip.us
    util_rb_2tld mmsend.com
    util_rb_2tld cu-portland.edu
    util_rb_2tld jimdo.com
    util_rb_2tld doesphotography.com
    util_rb_2tld isteaching.com
  endif

  # allow URI rules to look at DKIM headers if they exist and our SA version supports it
  if (version >= 3.0040001)
    parse_dkim_uris 1
  endif

  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    #body
    urirhssub  KAM_BODY_URIBL_PCCC    wild.pccc.com. A 127.0.0.4
    body       KAM_BODY_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL_PCCC')
    describe   KAM_BODY_URIBL_PCCC    Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    tflags     KAM_BODY_URIBL_PCCC    net
    score      KAM_BODY_URIBL_PCCC    9.0
  
    urirhssub  KAM_BODY_MARKETINGBL_PCCC    wild.pccc.com. A 127.0.0.32
    body       KAM_BODY_MARKETINGBL_PCCC    eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
    describe   KAM_BODY_MARKETINGBL_PCCC    Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
    tflags     KAM_BODY_MARKETINGBL_PCCC    net
    score      KAM_BODY_MARKETINGBL_PCCC    0.001
  endif


  if (version >= 3.004001) 
    ifplugin Mail::SpamAssassin::Plugin::KAMOnly
      #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
      header     KAM_FROM_URIBL_PCCC    eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.0.4')
      describe   KAM_FROM_URIBL_PCCC    From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
      tflags     KAM_FROM_URIBL_PCCC    net
      score      KAM_FROM_URIBL_PCCC    9.0
  
      header     KAM_FROM_MARKETINGBL_PCCC    eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.0.32')
      describe   KAM_FROM_MARKETINGBL_PCCC    From address associated with mass-marketing (https://raptor.pccc.com/RBL)
      tflags     KAM_FROM_MARKETINGBL_PCCC    net
  
      score      KAM_FROM_MARKETINGBL_PCCC    0.001
  
      meta       KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
      describe   KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
      score      KAM_MARKETINGBL_PCCC 1.0
    endif
  endif

  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    #Received
    #header     KAM_RCVD_URIBL_PCCC    eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
    #describe   KAM_RCVD_URIBL_PCCC    Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    #tflags     KAM_RCVD_URIBL_PCCC    net
    #score      KAM_RCVD_URIBL_PCCC    5.0
  
    #Reply-to
    #NO SOLUTION
  
    #Test for any hits
    meta             __KAM_URIBL_PCCC  (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1) 

  endif

  #Test for URIBL Blank and Spamhaus DBL per discussion ith Alex Broens
  meta     KAM_VERY_BLACK_DBL    (URIBL_BLACK && URIBL_DBL_SPAM)
  describe KAM_VERY_BLACK_DBL    Email that hits both URIBL Black and Spamhaus DBL
  score    KAM_VERY_BLACK_DBL    5.0 

endif

#EMAIL BLACKLIST CHECK FOR PCCC RBL
ifplugin Mail::SpamAssassin::Plugin::EmailBL
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    #uses emailbl -all which is the same as -headers and -bodysafe
    header   KAM_MESSAGE_EMAILBL_PCCC  eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
    describe KAM_MESSAGE_EMAILBL_PCCC  Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    tflags   KAM_MESSAGE_EMAILBL_PCCC  net
    score    KAM_MESSAGE_EMAILBL_PCCC  5.0
  endif
endif

#FAKERBL MX RELATED RULES
header          __KAM_MX1               Reply-To =~ /\@mx\d+\./i
header          __KAM_MX2               Return-Path =~ /\@mx\d+\./i
header          __KAM_MX3               Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
header          __KAM_MX4               Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
header          __KAM_MX5               Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\..{1,20}\.info/i

meta            __KAM_MX                (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
describe        __KAM_MX                Odd prevalence of mx records associated with the FAKERBL Spammers

#CHANGED KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  meta            KAM_MX2                 (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
  score           KAM_MX2                 4.0
  describe        KAM_MX2                 Spammers and MX Rule 

  #meta            KAM_MX3                 (__KAM_MX + URIBL_BLACK >= 2 && KAM_MX2 == 0)
  #score           KAM_MX3                 4.1
  #describe        KAM_MX3                 Odd prevalence of MX records for non-identified Spammers

endif

meta            KAM_MX4                 (__KAM_MX5)
score           KAM_MX4                 1.0
describe        KAM_MX4                 MX Record and dot info domains associated with FAKERBL Spammers


#BAD ADDRESS / COMPANY NAMES 
#FINISHED URL CLEANUP BUT MOST URLS MOVED TO PCCC URIBL
body            __KAM_ADDRESS1          /204 N. El Camino Real|CocoMedia|17 Patchogue Road|1128-274 Royal Palm Beach|(848|500) N. Rainbow Dr. Ste \#?(2511|300)|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|8001 Irvine Center Dr|American Arbitration Association, 1633 Broadway|\+962 79 668 2974|7025 County Rd. 46A|1001 E.Hillsdale Blvd|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|WhatsApp Inc|Streetdirectory Pte Ltd|4399 Church Street, Brooklyn|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|DLF Cyber City Gurgaon India|4447 N Central Expressway, Office \#110|5401 Hangar Court|Pimsleur Approach|1600 JFK Boulevard, 3rd|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|10620 Southern Highlands|Ashray Medical Center|Bethany Christian Services|Ashland.Avenue.{0,4}95761|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|320 S. Lemon Blvd \# 1803|1063 (suite.)?([\#\d]+.)?King St|8 White Ln. Mansfield|Momentum.Ads|PO Box 29502 \#24912 Las Vegas|2383.Mystic Dr..Sarasota.FL|1107 Valeria Dr, Marion|321 N Central Expressway Suite 341|PO Box 540488 Houston|Post Office Box 4668 NY|9100 Wilshire Blvd. East Tower Penthouse|Headquarters, 18 True Tower Building|111 Customer Way, Irving|B a y t o w n, TX|adilizer..?com Post.Office.Box 540488|353 Chadwick Pl Fairborn|PO.?Box.295[O0]2.Las.?Vegas|1103 St. Michel|Suite 115-243, San Diego|100 E. Campus View|(3.?2.?0.?5|three two zero five)..?L.?a.?k.?e.S.?a.?r.?a.?h|100 RITCHIE ROAD|M i n n e s o t a|3801 D..?o..?w..?n..?s..?W..?a..?y|515 Oaklane McPherson|74.Lancaster..?RD|202.Albion|One Kimeric Ln|302 Washington St|One.One.Eight.Jason.Ln|PO.Box.227.Moran|V a l e r i a|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC|Scott Walker Inc. Testing the Waters|CARLY for America|Scott Walker for America|Jeb 2016, Inc/i

header          __KAM_ADDRESS2          From =~ /CMI Free Stuff|Vista Del Mar Productions|SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i

meta            KAM_ADDRESS             (__KAM_ADDRESS1 + __KAM_ADDRESS2 >= 1)
score           KAM_ADDRESS             13.0
describe        KAM_ADDRESS             Addresses and Companies prevalent in spams

# END SPAMMING COMPANIES

#GRASS SEED
header          __KAM_GRASS1    From =~ /(Patch|Perfect|Lawn)/i
header          __KAM_GRASS2    Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
body            __KAM_GRASS3    /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i

meta            KAM_GRASS       (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
score           KAM_GRASS       2.5
describe        KAM_GRASS       Spammers hawking lawn products

#PED EGG / BELISI / SKIN PRODUCTS
header          __KAM_SKIN1     From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
header          __KAM_SKIN2     Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
rawbody         __KAM_SKIN3     /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
body            __KAM_SKIN4     /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i

meta            KAM_SKIN       (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 +  __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
score           KAM_SKIN       3.5
describe        KAM_SKIN       Spammers hawking skin/medical/foot products

meta            KAM_SKIN2      (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 +  __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
score           KAM_SKIN2      2.5
describe        KAM_SKIN2      Spammers hawking skin/medical/foot products

#NEW CAR / WARRANTY SCAMS
header          __KAM_CAR1      Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
body            __KAM_CAR2      /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
body            __KAM_CAR3      /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
header          __KAM_CAR4      From =~ /warranty|lender|clearance/i

meta            KAM_CAR       (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
score           KAM_CAR       2.0
describe        KAM_CAR       Spammers hawking new car, insurance or warranties

# MORE NEW CAR SPAMS
header          __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
header          __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
body            __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i

meta            KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
describe        KAM_AUTO Spam for new cars
score           KAM_AUTO 4.5

#HOME WARRANTY SPAMS
header          __KAM_WARRANTY1  Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i
body            __KAM_WARRANTY2  /Protect your home|choice home warranty|unexpected repair/i
body            __KAM_WARRANTY3  /home warrant|complimentary insurance quote/i
header          __KAM_WARRANTY4  From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i

meta            KAM_WARRANTY    (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
score           KAM_WARRANTY    1.5
describe        KAM_WARRANTY    Spammers hawking home warranties

meta            KAM_WARRANTY2   (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
score           KAM_WARRANTY2   3.5
describe        KAM_WARRANTY2   Spammers pushing home warranties

meta            KAM_WARRANTY3   (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
score           KAM_WARRANTY3   1.5
describe        KAM_WARRANTY3   Spammers hawking home warranties

#AWESOME AUGER
header          __KAM_AUGER1    Subject =~ /Dig Holes|plant Trees/i
body            __KAM_AUGER2    /Awesome Auger/i

meta            KAM_AUGER       (__KAM_AUGER1 + __KAM_AUGER2 >= 2) 
score           KAM_AUGER       4.0
describe        KAM_AUGER       Spammers hawking Awesome Augers?!?

#MOVIE EXTRA
header          __KAM_MOVIE1    Subject =~ /Movie Extra/i
body            __KAM_MOVIE2    /Movie Extra/i

meta            KAM_MOVIE       (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
score           KAM_MOVIE       3.0
describe        KAM_MOVIE       Spammers hawking Movie Extra positions

#DEBT COLLECTION
header          __KAM_COLLECT1  Subject =~ /You Pay Nothing/i
body            __KAM_COLLECT2  /No Fee/i
body            __KAM_COLLECT3  /collection professionals/i
body            __KAM_COLLECT4  /recovery rate/i

meta            KAM_COLLECT     (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
score           KAM_COLLECT     5.0
describe        KAM_COLLECT     Spammers hawking debt collection


#SEARCH ENGINE SPAM
header          __KAM_SEARCH1   Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.service|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health/i
body            __KAM_SEARCH2   /search engine|SEO|bring.traffic|business.development/i
body            __KAM_SEARCH3   /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on/i
body            __KAM_SEARCH4   /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry/i
rawbody         __KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution/i

meta            KAM_SEARCH      (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score           KAM_SEARCH      5.0
describe        KAM_SEARCH      Spammers hawking SEO

#SEO
header          __KAM_SEO1      Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service/i
body            __KAM_SEO2      /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
body            __KAM_SEO3      /never find your web site|major search engines|link.building|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website/i
body            __KAM_SEO4      /No upfront fees|SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking/i
body            __KAM_SEO5      /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top/i
body            __KAM_SEO6      /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion/i
uri             __KAM_SEO7      /./ # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...

meta            KAM_SEO         (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + __KAM_FREEMAIL + KAM_ADVERT2 >= 5)
score           KAM_SEO         7.0
describe        KAM_SEO         Spammers hawking SEO

#ABUSED FREEMAIL ACCOUNTS
header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
header          __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
meta            __KAM_FREEMAIL  (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)

#LINGERIE VIDEOS
header          __KAM_LINGERIE1 From =~ /lexi campbell/i
header          __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
header          __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
body            __KAM_LINGERIE4 /Exotic modelling videos/i

meta            KAM_LINGERIE    (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
score           KAM_LINGERIE    10.0
describe        KAM_LINGERIE    Sexually Explicity Lingerie Spam


#WEB DESIGN
header          __KAM_WEB1      Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i
body            __KAM_WEB2      /INDIA based IT|indian.based.website|certified.it.company/i
body            __KAM_WEB3      /Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i

meta            KAM_WEB         (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
score           KAM_WEB         4.0
describe        KAM_WEB         Web design spams

#DOMAIN NAME AND OTHER RELATED SPAMS
body            __KAM_DOMAIN1   /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
body            __KAM_DOMAIN2   /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
body            __KAM_DOMAIN3   /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
header          __KAM_DOMAIN4   From =~ /domain|submit.site/i
header          __KAM_DOMAIN5   Subject =~ /\.com$/i

meta            KAM_DOMAIN      (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3)
score           KAM_DOMAIN      8.5
describe        KAM_DOMAIN      Domain Selling Spams

#MEDICAL TOURISM SPAM
body            __KAM_MEDTOUR1  /medical.tourism/i
body            __KAM_MEDTOUR2  /lowest cost in India/i
header          __KAM_MEDTOUR3  Subject =~ /Medical.Tourism/i

meta            KAM_MEDTOUR     (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
score           KAM_MEDTOUR     3.0
describe        KAM_MEDTOUR     Medical Tourism Spam

#ACNE SPAM
header          __KAM_ACNE1     Subject =~ /Proactiv/i
header          __KAM_ACNE2     From =~ /Acne/i
body            __KAM_ACNE3     /proactiv/i
body            __KAM_ACNE4     /Online Gift Rewards/i

meta            KAM_ACNE      (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
score           KAM_ACNE      5.0
describe        KAM_ACNE      Spammers hawking Acne products

#SOFTWARE SPAM
header          __KAM_SOFTWARE1         Subject =~ /fix Windows File Errors/i
header          __KAM_SOFTWARE2         From =~ /registry/i
body            __KAM_SOFTWARE3         /Fix file errors/i
body            __KAM_SOFTWARE4         /download for no cost|FREE Software|Free Analysis|Free Report/i

meta            KAM_SOFTWARE    (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
score           KAM_SOFTWARE    5.0
describe        KAM_SOFTWARE    Spammers hawking Software products

#NIGERIAN SCAM SCAN
header          __KAM_NIGERIAN2_1       Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
body            __KAM_NIGERIAN2_2       /barrister|director of central bank|bank director|former.minister|gold.dealer/i
body            __KAM_NIGERIAN2_3       /high court|central bank|payment center|customs?.officer/i
body            __KAM_NIGERIAN2_4       /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
body            __KAM_NIGERIAN2_5       /fund code|cheque|bank draft|oil.and.gas/i
body            __KAM_NIGERIAN2_6       /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
body            __KAM_NIGERIAN2_7       /bank|smuggle/i
body            __KAM_NIGERIAN2_8       /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
body            __KAM_NIGERIAN2_9       /scam|don't let them know that it is money|bank transfer charges/i

meta            KAM_NIGERIAN2           (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
score           KAM_NIGERIAN2           5.0
describe        KAM_NIGERIAN2           Yet more Nigerian scams. Some even explaining the scam.

#MEDICAL
body            __KAM_MEDICAL1          /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
body            __KAM_MEDICAL2          /Safe - Natural - Effective/i
header          __KAM_MEDICAL3          From =~ /Medical/i
header          __KAM_MEDICAL4          Subject =~ /Medical Billing/i

meta            KAM_MEDICAL             (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
score           KAM_MEDICAL             4.0
describe        KAM_MEDICAL             Misc medical spam

#EAR RINGING
body            __KAM_TINNI1            /TinniFix/i
body            __KAM_TINNI2            /Stop the ringing in your ears/i
header          __KAM_TINNI3            Subject =~ /(ringing|buzz) in your ears/i

meta            KAM_TINNI               (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
score           KAM_TINNI               5.0
describe        KAM_TINNI               Another Medical Scam

#GIVEAWAY
body            __KAM_GIVE1             /receive your gift/i
body            __KAM_GIVE2             /laptop giveaway|deliver your dell.? laptop/i
body            __KAM_GIVE3             /answering a short survey/i
body            __KAM_GIVE4             /verify your shipping address/i

meta            KAM_GIVE                (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
score           KAM_GIVE                4.0
describe        KAM_GIVE                Free stuff "giveaway" scam

#GOVERNMENT MONEY
header          __KAM_GOVT1             Subject =~ /Government Funding/i
body            __KAM_GOVT2             /government funding/i
body            __KAM_GOVT3             /complimentary information kit/i
body            __KAM_GOVT4             /No.Money?.{0,4}No.Problem/i

meta            KAM_GOVT                (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
score           KAM_GOVT                4.0
describe        KAM_GOVT                Your tax dollars at work scam...

#RBL TRUST RULES
meta            KAM_RBL         (URIBL_BLACK + RCVD_IN_PBL >=2)
score           KAM_RBL         2.0
describe        KAM_RBL         Higher scores for hitting multiple trusted RBLs

#KAM CNN
header          __KAM_CNN1      Subject =~ /CNN.com Daily Top/i

meta            KAM_CNN         (__KAM_CNN1 == 1)
score           KAM_CNN         2.0
describe        KAM_CNN         CNN Daily Top 10 Link Obfuscation spams

#SNUGGIE BLANKETS / SHAM WOW
header          __KAM_SHAM1             Subject =~ /Hold 20 times|ShamWow/i
header          __KAM_SHAM2             From =~ /Sham ?Wow/i
body            __KAM_SHAM3             /ShamWow/i
body            __KAM_SHAM4             /20(X| times) its weight/i

meta            KAM_SHAM                (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
score           KAM_SHAM                2.0
describe        KAM_SHAM                More product scams...

#SANTA LETTERS
header          __KAM_SANTA1            Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
body            __KAM_SANTA2            /Santa Letter|Letter from Santa|sent by Santa/i
body            __KAM_SANTA3            /the .?perfect.? gift|personalized letter/i

meta            KAM_SANTA               (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
score           KAM_SANTA               3.5
describe        KAM_SANTA               Ho Ho Holy smokes Batman another Santa Letter spam...

#WORK FOR / LEARN GOOGLE
header          __KAM_GOOGLE1            Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
body            __KAM_GOOGLE2            /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
body            __KAM_GOOGLE3            /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
body            __KAM_GOOGLE4            /with Google|Google Pie|Google Cash/i
header          __KAM_GOOGLE5            From =~ /Google Money/i

meta            KAM_GOOGLE               (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
score           KAM_GOOGLE               3.5
describe        KAM_GOOGLE               Google Pyramid Scams

#SECURITY / ALARM 
header          __KAM_ALARM1            Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
body            __KAM_ALARM2            /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
rawbody         __KAM_ALARM3            /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
header          __KAM_ALARM4            From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i

meta            KAM_ALARM               (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
score           KAM_ALARM               4.5
describe        KAM_ALARM               Security and Alarm Company Spams

rawbody         __KAM_ALARM5            /gaylord/i

meta            KAM_ALARM2              (KAM_ALARM && __KAM_ALARM5)
score           KAM_ALARM2              2.5
describe        KAM_ALARM2              High Probability of Security and Alarm Company Spams

#SELL CARDS
header          __KAM_SELL1            Subject =~ /Market Credit Cards/i
body            __KAM_SELL2            /Easy Money/i
body            __KAM_SELL3            /Selling Credit Cards/i

meta            KAM_SELL               (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
score           KAM_SELL               3.5
describe        KAM_SELL               Selling Cards Marketing Scams

#WHITEN TEETH
header          __KAM_WHITEN1            Subject =~ /whiten your teeth/i
body            __KAM_WHITEN2            /whitener/i
body            __KAM_WHITEN3            /(Celebrity Smile|Carbamide Peroxide)/i

meta            KAM_WHITEN               (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
score           KAM_WHITEN               3.5
describe        KAM_WHITEN               Teeth Whitening Scams

#URONLINE
body            __KAM_URONLINE1         /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
body            __KAM_URONLINE2         /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
body            __KAM_URONLINE3         /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
header          __KAM_URONLINE4         Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i

meta            KAM_URONLINE            (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
score           KAM_URONLINE            4.5
describe        KAM_URONLINE            Chat Scams

#TIMESHARE
body            __KAM_TIMESHARE1        /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body            __KAM_TIMESHARE2        /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
header          __KAM_TIMESHARE3        Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
header          __KAM_TIMESHARE4        From =~ /Resort.*sales|timeshare/i

meta            KAM_TIMESHARE           (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
score           KAM_TIMESHARE           4.0
describe        KAM_TIMESHARE           Timeshare Scams

#AQUA GLOBE
body            __KAM_AQUA1             /Aqua Globe/is
body            __KAM_AQUA2             /watering your plants/is
body            __KAM_AQUA3             /while on vacation/is
header          __KAM_AQUA4             Subject =~ /Waters your Plants/i

meta            KAM_AQUA                (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score           KAM_AQUA                3.0
describe        KAM_AQUA                Spams of yet another product du jour

#GEVALIA
body            __KAM_GEVALIA1          /Gevalia Kaffe|premium coffee delivered/is
body            __KAM_GEVALIA2          /(Gevalia coffee lover's|I love coffee) kit/is
body            __KAM_GEVALIA3          /No Further Obligation/is
header          __KAM_GEVALIA4          Subject =~ /gevalia|cup of coffee/i

meta            KAM_GEVALIA             (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score           KAM_GEVALIA             3.0
describe        KAM_GEVALIA             Spams of yet another product du jour

#SIMPLYINK
body            __KAM_INK1          /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
header          __KAM_INK2          From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
header          __KAM_INK3          Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i

meta            KAM_INK             (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
score           KAM_INK             4.0
describe        KAM_INK             Spams of yet another product du jour

meta            KAM_INK2            (KAM_INK + KAM_INFOUSMEBIZ >= 2)
score           KAM_INK2            3.0
describe        KAM_INK2            Spams for Ink refills

#TITAN PEELER
body            __KAM_PEEL1          /Titan Peeler/is 
header          __KAM_PEEL2          From =~ /Titan Peeler/i
header          __KAM_PEEL3          Subject =~ /peeler|stainless|titan peeler/i

meta            KAM_PEEL             (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score           KAM_PEEL             3.0
describe        KAM_PEEL             Spams of yet another product du jour

#HTML EMAIL REQUIRING IMAGES?
rawbody         __KAM_HTML1     /Please enable image viewing in order to view this message/is

#RATWARE
header          __KAM_RAT1_1    From =~ /\@fromname\@/i
header          __KAM_RAT1_2    Subject =~ /(\[FName\]|\%\{AUTOVALS)/i

meta            KAM_RAT1        (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
score           KAM_RAT1        5.0
describe        KAM_RAT1        Variable Replacements Indicative of RatWare/Mass Mailing

body            __KAM_RAT2_1    /job description/i
body            __KAM_RAT2_2    /dear shopper/i
header          __KAM_RAT2_3    From =~ /mystery/i

meta            KAM_RAT2        (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
score           KAM_RAT2        5.0
describe        KAM_RAT2        Another ratware mistake, uninterpolated text

#TITAN EGGER
body            __KAM_EGG1          /Egg Genie/is
header          __KAM_EGG2          From =~ /Egg Genie/i
header          __KAM_EGG3          Subject =~ /medium eggs/i

meta            KAM_EGG             (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score           KAM_EGG             3.0
describe        KAM_EGG             Spams of yet another product du jour

#USBDRIVES
body            __KAM_USB1      /(debi|deborah brown|Melissa Sylvan)/i
body            __KAM_USB2      /person (that|who) handles the promotions/i
body            __KAM_USB3      /usbsmg.com/i

meta            KAM_USB         (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score           KAM_USB         4.0
describe        KAM_USB         USB Promotion Spammer

#GOVT GRANT
body            __KAM_GRANT1    /government grant/i
body            __KAM_GRANT2    /find out if you qualify/i
body            __KAM_GRANT3    /discontinue from this promotion/i

meta            KAM_GRANT       (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score           KAM_GRANT       5.0
describe        KAM_GRANT       Government Grant Scams

#SEX SCAMS
 #MEDICINE REFERENCES
body            __KAM_SEX04_1   /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
 #BED REFERENCES
body            __KAM_SEX04_2   /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
 #SUBJECT REFERENCES
header          __KAM_SEX04_3   Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
 #SEXUAL REFENCES
body            __KAM_SEX04_4   /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality/is

meta            KAM_SEX04       (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score           KAM_SEX04       10.0
describe        KAM_SEX04       Sexually Explicit SPAM


meta            KAM_SEX04_2       (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score           KAM_SEX04_2       2.0
describe        KAM_SEX04_2       Likely Sexually Explicit SPAM

#SEX SCAMS ROUND 5
header          __KAM_SEX05_1   Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body            __KAM_SEX05_2   /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i

meta            KAM_SEX05       (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score           KAM_SEX05       5.0
describe        KAM_SEX05       Sexually Explicit SPAM

#FOOTBALL CLUB SPAMS
header          __KAM_FOOTBALL1         Subject =~ /Amateur Club|Seeks? Player/i
header          __KAM_FOOTBALL2         From =~ /Football/i
body            __KAM_FOOTBALL3         /Mercato/i
body            __KAM_FOOTBALL4         /Football/i

meta            KAM_FOOTBALL    (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score           KAM_FOOTBALL    4.0
describe        KAM_FOOTBALL    Spammy Football Club

#DISH NETWORK SPAMS AND OTHER TV SPAM
header          __KAM_DISH1     From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
header          __KAM_DISH2     Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
rawbody         __KAM_DISH3     /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i

meta            KAM_DISH        (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score           KAM_DISH        4.0
describe        KAM_DISH        Dish Network Spams

meta            KAM_DISH2       (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
score           KAM_DISH2       4.0
describe        KAM_DISH2       Dish Network Spams

#IDENTITY NETWORK
header          __KAM_IDENTNET1         From =~ /\@identitynetwork.net/i
body            __KAM_IDENTNET2         /ADVERTISE WITH IDENTITY NETWORK/i

meta            KAM_IDENTNET    (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score           KAM_IDENTNET    8.0
describe        KAM_IDENTNET    Identity Network Spams

#HONEYPOT HITS
#body           __KAM_HONEY1    /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
#header         __KAM_HONEY2    From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i

#meta           KAM_HONEY       (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
#score          KAM_HONEY       12.0
#describe       KAM_HONEY       Spammer sending to a honeypot or known spammer through other means

#MEDIA DUCHESS
header          __KAM_DUCHESS1  Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
header          __KAM_DUCHESS2  From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i

body            __KAM_DUCHESS3  /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody         __KAM_DUCHESS4  /duchess/i
rawbody         __KAM_DUCHESS5  /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body            __KAM_DUCHESS6  /For account number:/i

meta            KAM_DUCHESS     ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score           KAM_DUCHESS     5.0
describe        KAM_DUCHESS     Spammer sending emails using a variety of domains and linked images

#UPS
header          __KAM_UPS1      Subject =~ /UPS Delivery problem/i
header          __KAM_UPS2      From !~ /\@ups\.com[ |>]/i
body            __KAM_UPS3      /invoice copy attached/i

meta            KAM_UPS         (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score           KAM_UPS         6.0
describe        KAM_UPS         UPS doesn't send invoices with delivery problem notes

#Free Calls
header          __KAM_SKYPE1    Subject =~ /Free Calls/i
header          __KAM_SKYPE2    Received =~ /releasesourcek.com/i
header          __KAM_SKYPE3    From =~ /VOIP News/i
body            __KAM_SKYPE4    /Promo Code: \d/i

meta            KAM_SKYPE       (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score           KAM_SKYPE       5.0
describe        KAM_SKYPE       Skype/Voip scams likely to spread malware

#OWA/EMAIL PHISH
rawbody         KAM_OWAPHISH1   /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i

score           KAM_OWAPHISH1   6.0
describe        KAM_OWAPHISH1   Rash of OWA setting change emails for phishing

#MORE DRUG SPAM - 2009-05-03
header          __KAM_DRUG2_1   Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i

header          __KAM_DRUG2_2   Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i

body            __KAM_DRUG2_3   /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i

body            __KAM_DRUG2_4   /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i

body            __KAM_DRUG2_5   /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i

body            __KAM_DRUG2_6   /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i

header          __KAM_DRUG2_7   Subject =~ / {4}[a-z0-9]{2,4}$/i

header          __KAM_DRUG2_8   From =~ /aquaflexin/i

meta            KAM_DRUG2       ( __KAM_DRUG2_1 +  __KAM_DRUG2_2 +  __KAM_DRUG2_3 +  __KAM_DRUG2_4 +  __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
score           KAM_DRUG2       3.5
describe        KAM_DRUG2       More online Drug Scams

meta            KAM_DRUG2_2     ( __KAM_DRUG2_1 +  __KAM_DRUG2_2 +  __KAM_DRUG2_3 +  __KAM_DRUG2_4 +  __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
score           KAM_DRUG2_2     3.0
describe        KAM_DRUG2_2     Higher Certainty of Drug Scam

meta            KAM_SEXSUBJECT  __KAM_DRUG2_1
score           KAM_SEXSUBJECT  2.0
describe        KAM_SEXSUBJECT  Sexually Explicit Subject

#RUSSIAN WIFE/BRIDE SCAMS
header          __KAM_WIFE1     Subject =~ /Remember me|(Russian|asian) ?(single|women|bride|lad(y|ies)|babe)/i
body            __KAM_WIFE2     /marry a Russian|sizzling photos|(russian|asian) (women|beauties)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl/i
header          __KAM_WIFE3     From =~ /Russian.?Dat|russian.?bride|Russian.?single|russian.?women|asian.?beauties/i

meta            KAM_WIFE       ( __KAM_WIFE1 +  __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score           KAM_WIFE       8.0
describe        KAM_WIFE       Mail order bride scams

#PRODUCT SCAMS
header          __KAM_PRODUCT1  Subject =~ /Beauty Phone/i
body            __KAM_PRODUCT2  /phones for discerning individuals/i

meta            KAM_PRODUCT    ( __KAM_PRODUCT1 +  __KAM_PRODUCT2 >= 2)
score           KAM_PRODUCT    3.0
describe        KAM_PRODUCT    Product scams often used with MSN/Live URIs

#SPACES / LIVE / MSN / ETC. SCAMS
meta            KAM_LIVEURI2     ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score           KAM_LIVEURI2     3.0
describe        KAM_LIVEURI2     More online Scams + Known URI

#WEBS.COM
uri             KAM_WEBS        /.{3,25}\.webs.com/i
score           KAM_WEBS        0.5
describe        KAM_WEBS        webs.com links used in Spams

#IMAGESHACK SWF Files
uri             KAM_BADSWF      /imageshack.us\/.{3,25}.swf$/i
score           KAM_BADSWF      3.0
describe        KAM_BADSWF      SWF embedded links in Email Scams

#EXE LINK
uri             KAM_EXEURI      /.exe$/i
score           KAM_EXEURI      0.5
describe        KAM_EXEURI      EXE embedded link

#SETTINGS FILE PHISH
header          __KAM_SETTING1  Subject =~ /settings file|maintenance!!/i
body            __KAM_SETTING2  /security upgrade|Maintenance Process on our email system /i
body            __KAM_SETTING3  /settings?.zip/i

meta            KAM_SETTING    ( __KAM_SETTING1 +  __KAM_SETTING2 >= 2)
score           KAM_SETTING    2.5
describe        KAM_SETTING    Phishing scams w/Setting Files or Webmail

 #Fixed small misspelling thanks to Jameel Akari
meta            KAM_SETTING2    ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score           KAM_SETTING2    4.0
describe        KAM_SETTING2    Phishing scams w/Setting Files or Webmail + Bad File link

#FARM SPAM
header          __KAM_FARM1     Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
header          __KAM_FARM2     From =~ /blueberr|tomato|DIY|garden/i
body            __KAM_FARM3     /(blueberry|Tomatoe?) giant/i

meta            KAM_FARM        (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score           KAM_FARM        4.0
describe        KAM_FARM        Farming related Spams

#MX URI - Scored lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
uri             KAM_MXURI       /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
score           KAM_MXURI       1.5
describe        KAM_MXURI       URI begins with a mail exchange prefix, i.e. mx.[...]

#FLASH PLAYER
body            __KAM_FLASH1    /Flash Player Code: \d\d/i
body            __KAM_FLASH2    /Flash Player Update/i
header          __KAM_FLASH3    Subject =~ /Flash Player/i
header          __KAM_FLASH4    Subject =~ /activation code/i
header          __KAM_FLASH5    From =~ /Flash Player/i

meta            KAM_FLASH       (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score           KAM_FLASH       4.0
describe        KAM_FLASH       Fake Flash Player Phishing Scam


#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
        #FAKE ADWORDS
        body            __KAM_ADWORD1   /(Advertisement|Adwords) Campaign/i
        header          __KAM_ADWORD2   From =~ /adwords.com|salesdirect.com/i
        header          __KAM_ADWORD3   Subject =~ /adwords campaign|ads in adwords/i
        body            __KAM_ADWORD4   /adwords\.php|index\.php\?isgoogle/i
        
        meta            KAM_ADWORD      (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3  + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
        score           KAM_ADWORD      10.0
        describe        KAM_ADWORD      Fake Adword Campaign notices
endif


#DON NOB & WORK FROM HOME SCAMS
header          __KAM_DON1      X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header          __KAM_DON2      Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body            __KAM_DON3      /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body            __KAM_DON4      /\$1,000 A Day ATM|J\.O\.B\./i

meta            KAM_DON         (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score           KAM_DON         6.0
describe        KAM_DON         Work at Home Scams

meta            KAM_DON2        (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score           KAM_DON2        4.0
describe        KAM_DON2        Egregious Work at Home Scams

#GINA SCAMS
header          __KAM_GINA1     From =~ /GINA deadline|GINA Update|compliance/i
header          __KAM_GINA2     Subject =~ /GINA deadline/i
body            __KAM_GINA3     /Genetic Information Nondiscrimination Act/i
body            __KAM_GINA4     /mandatory poster|remain in compliance|GINA regulations/i

meta            KAM_GINA        (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4  >= 4)
score           KAM_GINA        6.0
describe        KAM_GINA        Employment Poster Marketing Spams

#TAX SCAMS
header          __KAM_TAX1      Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header          __KAM_TAX2      From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body            __KAM_TAX3      /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
body            __KAM_TAX4      /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i

meta            KAM_TAX         (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score           KAM_TAX         2.5
describe        KAM_TAX         Tax Filing Scams

meta            KAM_TAX2        (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
score           KAM_TAX2        2.5
describe        KAM_TAX2        Higher Probability of Tax Filing Scams

#SEX SCAM
body            __KAM_SEX06_1   /more fire and passion/i

meta            KAM_SEX06       (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score           KAM_SEX06       5.0
describe        KAM_SEX06       Sexual Stimulant Spam

#DOG BARK AND OTHER DOG SPAM
body            __KAM_BARK1     /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
header          __KAM_BARK2     Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
header          __KAM_BARK3     From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i

meta            KAM_BARK        (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score           KAM_BARK        3.5
describe        KAM_BARK        Dog Product Scam

#CASINO SPAM
body            __KAM_CASINO1   /Elite World Casino/i
body            __KAM_CASINO2   /Online Casino/i
header          __KAM_CASINO3   Subject =~ /chances to win/i

meta            KAM_CASINO      (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
score           KAM_CASINO      3.5
describe        KAM_CASINO      Online Casino Spam

#TWITTER PHISHING
header          __KAM_TWIT1     From =~ /twitter/i
header          __KAM_TWIT2     Subject =~ /twitter \d{3}-\d{2}/i

meta            KAM_TWIT        (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
score           KAM_TWIT        10
describe        KAM_TWIT        Twitter bogus phishing emails


#FACEBOOK PHISHING
header          __KAM_FACE1     From =~ /password/i
header          __KAM_FACE2     Subject =~ /reset your facebook/i
header          __KAM_FACE3     X-Mailer =~ /Zuckmail/i

meta            KAM_FACE        (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
score           KAM_FACE        10
describe        KAM_FACE        Facebook bogus phishing emails

header          __KAM_PHISH3_1  Subject =~ /account notification/i
body            __KAM_PHISH3_2  /accessed by someone else./

meta            KAM_PHISH3      (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
score           KAM_PHISH3      4
describe        KAM_PHISH3      Phishing emails for account notification


#GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
body            __KAM_CLICK     /Please click on the link below|Copy and paste this link into your internet browser/i

#DIRECT BUY
header          __KAM_DIRECT1   From =~ /Direct ?Buy|Wholesale/i
header          __KAM_DIRECT2   Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
body            __KAM_DIRECT3   /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
body            __KAM_DIRECT4   /Direct.?Buy/i

meta            KAM_DIRECT      (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
score           KAM_DIRECT      3.0
describe        KAM_DIRECT      DirectBuy Spam

#SWIPE BIDS
header          __KAM_SWIPE1   From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
header          __KAM_SWIPE2   Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
body            __KAM_SWIPE3   /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
body            __KAM_SWIPE4   /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i

meta            KAM_SWIPE      (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
score           KAM_SWIPE      2.5
describe        KAM_SWIPE      SwipeBid Spam / Penny Auction Spams

meta            KAM_SWIPE2     (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
score           KAM_SWIPE2     1.5
describe        KAM_SWIPE2     SwipeBid Spam / Penny Auction Spams

#WE THE SPAMMERS
header          __KAM_WTA1      From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
body            __KAM_WTA2      /Alliance for Retirement Prosperity Association|Social Security Institute/is

meta            KAM_WTA         (__KAM_WTA1 + __KAM_WTA2 >= 2)
score           KAM_WTA         9.0
describe        KAM_WTA         Ridiculous campaign by unapologetic spammers purposefully using throwaway domains

#SMOKELESS
body            __KAM_SMOKE1    /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
header          __KAM_SMOKE2    Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
header          __KAM_SMOKE3    From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
body            __KAM_SMOKE4    /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
body            __KAM_SMOKE5    /you have qualified/i

meta            KAM_SMOKE       (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
score           KAM_SMOKE       4.5
describe        KAM_SMOKE       Smokeless cigarette and quitting spam

meta            KAM_SMOKE2       (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
score           KAM_SMOKE2       3.0
describe        KAM_SMOKE2       Higher probability of spam

#OBF URL
body            __KAM_OBFURL1   /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M/i

meta            KAM_OBFURL      (__KAM_OBFURL1 >= 1)
score           KAM_OBFURL      5.0
describe        KAM_OBFURL      Obfuscated URL

#SHARP FOR LIFE
body            __KAM_SHARP1    /sharp for life/i
body            __KAM_SHARP2    /yoshiblade/i
body            __KAM_SHARP3    /zirconium oxide/i
body            __KAM_SHARP4    /ceramic knife/i
header          __KAM_SHARP5    Subject =~ /ceramic knief|yoshiblade|sharp for life/i
header          __KAM_SHARP6    From =~ /yoshi/i

meta            KAM_SHARP       (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
score           KAM_SHARP       4.5
describe        KAM_SHARP       Ceramic Blade Spam

#HIP REPLACEMENT
body            __KAM_HIP1      /hip replacement|medical alert/i
body            __KAM_HIP2      /implant recall|recall list/i
header          __KAM_HIP3      Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
header          __KAM_HIP4      From =~ /recall/i

meta            KAM_HIP         (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
score           KAM_HIP         4.5
describe        KAM_HIP         Hip Replacement Recall Spam

#WORK AT HOME
body            __KAM_WORKHOME1      /online jobs|Full-time (and|&) Part-time|at home employment/i
body            __KAM_WORKHOME2      /\#1 site|view here|information here/i
header          __KAM_WORKHOME3      Subject =~ /work at home|work \@ home|home positions/i

meta            KAM_WORKHOME         (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
score           KAM_WORKHOME         4.5
describe        KAM_WORKHOME         Work at Home Spam

meta            KAM_WORKHOME2   (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
score           KAM_WORKHOME2   4.5
describe        KAM_WORKHOME2   Work at Home Spam

#HSR UPDATES
body            __KAM_HSR1      /hsrupdates.com|progressiverailroading.com/i
header          __KAM_HSR2      Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
header          __KAM_HSR3      From =~ /HSRUpdates.com|progressive ?railroading/i

meta            KAM_HSR         (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
score           KAM_HSR         4.5
describe        KAM_HSR         High Speed Rail Spam

#SELLPHONE
body            __KAM_SELLPHONE1        /Turn iphones into cash/i
body            __KAM_SELLPHONE2        /used or broken|pre-paid envelope/i
header          __KAM_SELLPHONE3        Subject =~ /sell your old iphone/i

meta            KAM_SELLPHONE   (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
score           KAM_SELLPHONE   4.5
describe        KAM_SELLPHONE   Used Equipment Spam

#STORAGE LIMIT
body            __KAM_MAILBOX1  /mailbox has exceeded the storage limit|storage.quota/i
body            __KAM_MAILBOX2  /re-validate your (mailbox|email)/i

meta            KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 >=2)
score           KAM_MAILBOX     4.0
describe        KAM_MAILBOX     Mailbox Quota Phishing Scams

meta            KAM_SHORT       (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
score           KAM_SHORT       0.001
describe        KAM_SHORT       Use of a URL Shortener for very short URL

#URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP
uri             __KAM_SHORT     /https?:\/\/(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/)/i
# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
uri             __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i

#POWER CHAIRS
body            __KAM_POWER1    /hoveround/i
header          __KAM_POWER2    Subject =~ /Get your freedom|power Chairs/i
header          __KAM_POWER3    From =~ /Get your freedom|power Chairs/i

meta            KAM_POWER       (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
score           KAM_POWER       3.0
describe        KAM_POWER       Motorized Chair Spams

#GUN ALERTS
body            __KAM_GUN1      /Keep and Bear Arms/i
header          __KAM_GUN2      From =~ /gunalerts.com/i
header          __KAM_GUN3      Subject =~ /gun/i

meta            KAM_GUN         (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
score           KAM_GUN         2.0
describe        KAM_GUN         Gun Alert Spams

#GET RICH QUICK SCHEME
body            __KAM_RICH1     /financial.success story/i
body            __KAM_RICH2     /see me on the channel \d news/i
body            __KAM_RICH3     /talking about my blog/i
body            __KAM_RICH4     /bec.me financially independent/i

meta            KAM_RICH        (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
score           KAM_RICH        3.5
describe        KAM_RICH        Get Rich Quick Schemes

#INVALID FROM HEADER
header          __KAM_INVFROM1  From =~ /<[^>]*$/
header          __KAM_INVFROM2  From =~ /^[^<]*>/

meta            KAM_INVFROM     (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
score           KAM_INVFROM     2.0
describe        KAM_INVFROM     Invalid From Header containing mismatched <>'s

#YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
header          __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta            KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
else
  meta            KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
endif
describe        KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
score           KAM_UAH_YAHOOGROUP_SENDER -20.0

#GALLERY
header          __KAM_GALLERY1  Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
body            __KAM_GALLERY2             /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i

header          __KAM_GALLERY3  Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
body            __KAM_GALLERY4             /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
rawbody         __KAM_GALLERY5  /wp-content|_vti_cnf|cache|wp-admin|wordpress/i

meta            KAM_GALLERY     (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
describe        KAM_GALLERY     Exploited Gallery with Porn
score           KAM_GALLERY     5.0

meta            KAM_GALLERY2    (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
describe        KAM_GALLERY2    Higher Likelihood of Exploited Gallery with Porn
score           KAM_GALLERY2    2.0

#CHANGELOG
header          __KAM_CHANGELOG1        Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
body            __KAM_CHANGELOG2        /as promised chnglog update/i

meta            KAM_CHANGELOG           (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
describe        KAM_CHANGELOG           Phishing Email
score           KAM_CHANGELOG           2.5

#NIGERIAN VARIANT
body            __KAM_BUS1      /business proposal/i
body            __KAM_BUS2      /sensitive by nature/i
body            __KAM_BUS3      /have not met/i
body            __KAM_BUS4      /view my attach/i

meta            KAM_BUS         (__KAM_BUS1 + __KAM_BUS2 +  __KAM_BUS3 + __KAM_BUS4 >= 4)
describe        KAM_BUS         Yet another Nigerian Scam/Phishing Variant
score           KAM_BUS         4.0

#PRIVATE MESSAGE
body            __KAM_PRIV1     /private message|horny|sweet ass/i
body            __KAM_PRIV2     /(personal|private) video/i
body            __KAM_PRIV3     /the attache?ment|attached file/i

meta            KAM_PRIV        (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
describe        KAM_PRIV        Private Messages using Exploits in attached HTML files
score           KAM_PRIV        5.0

#DIV
rawbody         __KAM_DIV1      /Viagr?|Cial?<div/i
rawbody         __KAM_DIV2      /<\/div>r?a\|l?is/i

meta            KAM_DIV         (__KAM_DIV1 + __KAM_DIV2 >= 2)
describe        KAM_DIV         Use of divs to hide Medical Spams
score           KAM_DIV         2.0

#CREDIT SCORE
header          __KAM_CREDIT1   Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body            __KAM_CREDIT2   /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body            __KAM_CREDIT3   /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body            __KAM_CREDIT4   /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header          __KAM_CREDIT5   From =~ /Credit|score|bureau|finance|report|advisory/i

#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 &  Set this in VI :set encoding=utf-8 :set fileencodings=utf-8

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

replace_tag     C       (?:[\xd0][\xa1]|c)
replace_tag     I       (?:[\xd1][\x96]|i)
replace_tag     S       (?:[\xd0][\x85]|s)

header          __KAM_CREDIT6   Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
header          __KAM_CREDIT7   From =~ /<S>core.?<S>ense/i

replace_rules   __KAM_CREDIT6 __KAM_CREDIT7

endif

meta            KAM_CREDIT      (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe        KAM_CREDIT      Credit Score Spams
score           KAM_CREDIT      4.5

meta            KAM_CREDIT2     (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe        KAM_CREDIT2     Credit Score Spams
score           KAM_CREDIT2     4.5

#OBFUSCATED URI
rawbody         KAM_OBFURI      /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe        KAM_OBFURI      Obfuscated URI trick
score           KAM_OBFURI      4.0

#ADVANCE
header          __KAM_ADVANCE1  Subject =~ /Advance for \d.\d\d\d/i
body            __KAM_ADVANCE2  /Advance Details/i
body            __KAM_ADVANCE3  /Pre-Approved/i
header          __KAM_ADVANCE4  From =~ /Advance|Approv|Financ/i

meta            KAM_ADVANCE     (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe        KAM_ADVANCE     Advance Spams
score           KAM_ADVANCE     3.5

#PAYPAL NON SPF - FP fixed by Piper Andreas
header          __KAM_PAYPAL1A  From =~ /\@[a-z\.]*paypal.com>?$/i

meta            KAM_PAYPAL1     (__KAM_PAYPAL1A + SPF_FAIL >=2)
describe        KAM_PAYPAL1     rampant paypal phishing scams
score           KAM_PAYPAL1     16.0

#PAYPAL IMPERSONATING MALWARE
body            __KAM_PAYPAL2A  /paypal/i
body            __KAM_PAYPAL2B  /protection services department|download(ing)?.the.attach/i

meta            KAM_PAYPAL2     (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR >= 3)
describe        KAM_PAYPAL2     Malware disguised as a paypal email
score           KAM_PAYPAL2     8.0

#PAYPAL PHISH
header          __KAM_PAYPAL3A  From =~ /paypal/i
header          __KAM_PAYPAL3B  From !~ /paypal.com>?$/i
header          __KAM_PAYPAL3C  Subject =~ /your.paypal.account/i
body            __KAM_PAYPAL3D  /security.process|more.information|has.limitation|verify.your.information/i

meta            KAM_PAYPAL3     ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score           KAM_PAYPAL3     8.0
describe        KAM_PAYPAL3     Phish disguised as a paypal email

#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header          __KAM_COMPROMISED1A     From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header          __KAM_COMPROMISED1B     X-Mailer =~ /Yahoo/i
header          __KAM_COMPROMISED2      Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body            __KAM_COMPROMISED3      /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body            __KAM_COMPROMISED4      /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i

meta            KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe        KAM_COMPROMISED Compromised Accounts Sending Spam
score           KAM_COMPROMISED 8.25

#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
header          __KAM_LIST2A    List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
header          __KAM_LIST2B    Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i

meta            KAM_LIST2       (__KAM_LIST2A + __KAM_LIST2B >= 1)
describe        KAM_LIST2       Known Bad Groups
score           KAM_LIST2       60.0

#LIMITED ACCESS/QUOTA SCAMS  - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE 
body            __KAM_QUOTA1    /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body            __KAM_QUOTA2    /Limited Access|termination of your email|restore.your.account|will.not.be.able/i

meta            KAM_QUOTA       (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe        KAM_QUOTA       Limited Access / Quota Phishing Scam
score           KAM_QUOTA       3.0

# BACKGROUND CHECK SPAM
body            __KAM_BACK1     /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|criminal|reputation/i
body            __KAM_BACK2     /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
body            __KAM_BACK3     /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header          __KAM_BACK4     Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
header          __KAM_BACK5     From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i

describe        KAM_BACK        Background Check SPAM
meta            KAM_BACK        (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
score           KAM_BACK        5.5

#ARREST RECORD SCAMS
header          __KAM_ARREST1   Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body            __KAM_ARREST2   /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header          __KAM_ARREST3   From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i

meta            KAM_ARREST      (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1  + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe        KAM_ARREST      Arrest Record Scams
score           KAM_ARREST      5.0

#MORE DIET SCAMS
header          __KAM_DIET2_1   From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
header          __KAM_DIET2_2   Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body            __KAM_DIET2_3   /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i

meta            KAM_DIET2       (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe        KAM_DIET2       Diet Scams
score           KAM_DIET2       5.0

#CIGAR SCAMS
header          __KAM_CIGAR1    Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header          __KAM_CIGAR2    From =~ /Cigar/i
body            __KAM_CIGAR3    /Thompson Cigar|Premium Cigar/i

meta            KAM_CIGAR       (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe        KAM_CIGAR       Cigar Scam Emails
score           KAM_CIGAR       6.0


#TK DOMAINS
rawbody         KAM_TK  /https?:\/\/.{5,30}\.tk\//i
describe        KAM_TK  Abuse of .tk domain registrar which offers free domains
score           KAM_TK  5.0

#THIRD PARTY / SENT BY XXXX
body            __KAM_THIRD     /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i

#LASIK
header          __KAM_LASIK1    From =~ /Lasik/i
header          __KAM_LASIK2    Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body            __KAM_LASIK3    /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri             __KAM_LASIK4    /lasik\.php/i

meta            KAM_LASIK       (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe        KAM_LASIK       Lasik Treatment Spams
score           KAM_LASIK       4.5

#FAKE NOTIFIES
header          __KAM_NOTIFY1   From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body            __KAM_NOTIFY2   /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header          __KAM_NOTIFY3   From =~ /\.br>/i

meta            KAM_NOTIFY      (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe        KAM_NOTIFY      Fake Notifications
score           KAM_NOTIFY      4.0

meta            KAM_NOTIFY2     (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe        KAM_NOTIFY2     Higher likelihood of fake notification
score           KAM_NOTIFY2     3.0

#LANGUAGE
header          __KAM_LANG1     From =~ /Pimsleur|learnalanguage/i
header          __KAM_LANG2     Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body            __KAM_LANG3     /pimsleur|Language in just \d+ Day/i

meta            KAM_LANG        (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_LANG        Language Method Spams
score           KAM_LANG        4.5

#FAKE TRACK
header          __KAM_TRACK1    From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i

meta            KAM_TRACK       (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe        KAM_TRACK       Fake Tracking Emails
score           KAM_TRACK       3.0

#BACK TO SCHOOL
header          __KAM_SCHOOL1   From =~ /Classes/i
header          __KAM_SCHOOL2   Subject =~ /(?:Return|Back) to School/i

meta            KAM_SCHOOL      (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_SCHOOL      School Spams
score           KAM_SCHOOL      5.0

#MEMBERS
header          __KAM_MEMBER1   From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header          __KAM_MEMBER2   Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body            __KAM_MEMBER3   /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody         __KAM_MEMBER4   /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta            __KAM_MEMBER5   (KAM_INFOUSMEBIZ || KAM_COUK)
#header         __KAM_MEMBER6   From =~ /Updat/i

meta            KAM_MEMBER      (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe        KAM_MEMBER      Dating Scams
score           KAM_MEMBER      4.5

#MEDICARE
header          __KAM_MEDICARE1   From =~ /Medicare|health.?options|enrollment/i
header          __KAM_MEDICARE2   Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
body            __KAM_MEDICARE3   /medicare.(plan|recipient)/i
body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium/i

meta            KAM_MEDICARE      (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe        KAM_MEDICARE      Medicare Scams
score           KAM_MEDICARE      4.0

#BILLS
header          __KAM_BILLS1   From =~ /LowerMyBills|mortgage/i
header          __KAM_BILLS2   Subject =~ /Save up to \$\d|refi requirement|refi.program/i

meta            KAM_BILLS      (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_BILLS      Bill Pay Spams
score           KAM_BILLS      4.0

#HOSE
header          __KAM_HOSE1   From =~ /Pocket Hose/i
header          __KAM_HOSE2   Subject =~ /garden hose|kinks/i
body            __KAM_HOSE3   /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i

meta            KAM_HOSE      (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_HOSE      Garden Hose Spams
score           KAM_HOSE      4.5

#AV
header          __KAM_AV1   From =~ /Norton/i
header          __KAM_AV2   Subject =~ /Update now|Are you protected/i

meta            KAM_AV      (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_AV      Anti-Virus Spams
score           KAM_AV      4.0

#MASCARA
header          __KAM_MASCARA1   From =~ /smartlash/i
header          __KAM_MASCARA2   Subject =~ /mascara/i
body            __KAM_MASCARA3   /smartlash/i

meta            KAM_MASCARA      (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_MASCARA      Make-up Spams
score           KAM_MASCARA      4.5

#COLLEGE
header          __KAM_COLLEGE1   From =~ /degree|doctorate|online/i
header          __KAM_COLLEGE2   Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody         __KAM_COLLEGE3   /online degree|ph\.?d online|online doctorate|advance your career with a degree/i

meta            KAM_COLLEGE      (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe        KAM_COLLEGE      Online Degree/Aid Spams
score           KAM_COLLEGE      4.0

#SURVEY
header          __KAM_SURVEY1   From =~ /Survey|safecount|privacy/i
header          __KAM_SURVEY2   Subject =~ /win an ipad/i
body            __KAM_SURVEY3   /Do You Use Instagram|Complete the survey|win a great prize/i

meta            KAM_SURVEY      (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_SURVEY      Online Survey Spams
score           KAM_SURVEY      4.5

#LAKE
#REMOVED 1/7/2014
#rawbody         KAM_LAKE       /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe       KAM_LAKE        Odd spamming engine LAKE signature on URLs
#score          KAM_LAKE        0.25

#SNORE
header          __KAM_SNORE1   From =~ /snoring|zquiet/i
header          __KAM_SNORE2   Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body            __KAM_SNORE3   /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i

meta            KAM_SNORE      (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_SNORE      Snoring Aid Spams
score           KAM_SNORE      4.0

#VACATION
header          __KAM_VACATION1   From =~ /Promotions|cruise|vacation/i
header          __KAM_VACATION2   Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body            __KAM_VACATION3   /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i

meta            KAM_VACATION      (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_VACATION      Vacation Spams
score           KAM_VACATION      4.0

#BLOOD PRESSURE
header          __KAM_BLOOD1    From =~ /Marine Essent|blood.pressure/i
header          __KAM_BLOOD2    Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body            __KAM_BLOOD3    /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body            __KAM_BLOOD4    /Marine Essentials|this mineral|drug.companies.hate/i
body            __KAM_BLOOD5    /Anti-Aging Expert|worst.food/i
body            __KAM_BLOOD6    /Blood pressure/i

meta            KAM_BLOOD       ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6  + KAM_INFOUSMEBIZ >= 4)
describe        KAM_BLOOD       Blood Pressure Spams
score           KAM_BLOOD       4.75

#SCOOTER
header          __KAM_SCOOTER1    From =~ /Scooter Store/i
header          __KAM_SCOOTER2    Subject =~ /lack of mobility/i
body            __KAM_SCOOTER3    /the scooter store/i

meta            KAM_SCOOTER       ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe        KAM_SCOOTER       Blood Pressure Spams
score           KAM_SCOOTER       4.75

#ANATABLOC
header          __KAM_ANATA1    From =~ /Anatabloc/i
header          __KAM_ANATA2    Subject =~ /(back|joint) pain|arthritis/i

meta            KAM_ANATA       (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe        KAM_ANATA       Drug Spam
score           KAM_ANATA       4.5

#BBB Phish
header          __KAM_BBB1      From =~ /bbb.org/i
body            __KAM_BBB2      /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body            __KAM_BBB3      /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
body            __KAM_BBB4      /about your *(?:glance|belief|judgment)/i
header          __KAM_BBB5      Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i

meta            KAM_BBB         (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
describe        KAM_BBB         Better Business Bureau Phishing
score           KAM_BBB         5.0

#PREV MARK
header          __KAM_MARK1     Subject =~ /[\[\<](?:ADV|SPAM)[\>\]]/i

meta            KAM_MARK        (__KAM_MARK1 >= 1)
describe        KAM_MARK        Email arrived marked as Spam
score           KAM_MARK        10.0

#H1QNUM ENGINE
rawbody         __KAM_H1QNUM1   /<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header          __KAM_H1QNUM2   Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri             __KAM_H1QNUM3   /\.co\.uk/i

meta            KAM_H1QNUM      (__KAM_H1QNUM1 >= 1)
describe        KAM_H1QNUM      H1 Qnum indicator
score           KAM_H1QNUM      4.0

meta            KAM_H1QNUM2     ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe        KAM_H1QNUM2     H1 Qnum higher spamminess indicators
score           KAM_H1QNUM2     5.0

#AP
header          __KAM_AP1       From =~ /AP/
header          __KAM_AP2       Subject =~ /Community & educational development/i
body            __KAM_AP3       /American Grants and Loans Catalog/i

meta            KAM_AP          (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe        KAM_AP          American Publishing Spam
score           KAM_AP          4.5

#CO.UK
header          KAM_COUK        From =~ /\@.{1,30}\.co\.uk/i
describe        KAM_COUK        Scoring .co.uk emails higher due to poor registry security.
score           KAM_COUK        0.85

#FAKE FACEBOOKMAIL
 #REAL FB DOMAIN 
header          __KAM_FACEBOOKMAIL1     From =~ /\@facebookmail.com/i
 #SPECIFIC PEOPLE
header          __KAM_FACEBOOKMAIL2     From =~ /Ramakanth Raavi/i

meta            KAM_FACEBOOKMAIL        ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe        KAM_FACEBOOKMAIL        Fake or Abused Facebook Mail
score           KAM_FACEBOOKMAIL        8.0

#FAKE DHL/FEDEX/ETC
body            __KAM_FAKEDELIVER1      /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached/i
header          __KAM_FAKEDELIVER2      Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel/i

 #DHL
body            __KAM_FAKEDELIVER3      /DHL/
header          __KAM_FAKEDELIVER4      From !~ /dhl.com/i

 #FEDEX
rawbody         __KAM_FAKEDELIVER5      /Fed ?ex/i
header          __KAM_FAKEDELIVER6      From !~ /fedex.com/i

 #USPS
body            __KAM_FAKEDELIVER7      /USPS/i
header          __KAM_FAKEDELIVER8      From !~ /usps.com/i

 #CARGO
body            __KAM_FAKEDELIVER9      /CARGO/
header          __KAM_FAKEDELIVER10     From =~ /shipping|economy|priority/i

 #USPS
body            __KAM_FAKEDELIVER11     /DPD/i
header          __KAM_FAKEDELIVER12     From !~ /dpd.com|dpd.co.uk/i


meta            KAM_FAKE_DELIVER        (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR >= 1) >= 3)
describe        KAM_FAKE_DELIVER        Fake delivery notifications
score           KAM_FAKE_DELIVER        5.0

meta            KAM_REALLY_FAKE_DELIVER   (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
score           KAM_REALLY_FAKE_DELIVER   2.5
describe        KAM_REALLY_FAKE_DELIVER   Definitely fake delivery notifications

#SOLAR POWER
header          __KAM_SOLAR1    From =~ /Solar|electric|regard|energy|.olar..etwork/i
header          __KAM_SOLAR2    Subject =~ /power bill|sells power|electrical bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body            __KAM_SOLAR3    /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies/i

meta            KAM_SOLAR       (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe        KAM_SOLAR       Solar Power Spams
score           KAM_SOLAR       2.0

meta            KAM_SOLAR2      (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe        KAM_SOLAR2      Definite Solar Power Spams
score           KAM_SOLAR2      2.0

#ASIAN BRIDE
header          __KAM_ASIAN1    Subject =~ /Asian Bride/i
body            __KAM_ASIAN2    /Adoring Asian/i
header          __KAM_ASIAN3    From =~ /asian/i

meta            KAM_ASIAN       (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe        KAM_ASIAN       Asian Bride Spams
score           KAM_ASIAN       3.5

#DR OZ SPAM
header          __KAM_OZ1       From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header          __KAM_OZ2       Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body            __KAM_OZ3       /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i

#meta           KAM_OZ          (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe       KAM_OZ          Fake Dr. Oz Spam's
#score          KAM_OZ          3.5

#STUDENT LOAN
header          __KAM_STUDENT1  From =~ /Student.?Loan|government/i
header          __KAM_STUDENT2  Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body            __KAM_STUDENT3  /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i

meta            KAM_STUDENT     (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
describe        KAM_STUDENT     Student Loan Forgiveness Spams
score           KAM_STUDENT     4.0

#TIP
header          __KAM_TIP1  From =~ /Beauty Tips/i
header          __KAM_TIP2  Subject =~ /Dark-Circles|undereye bags/i
body            __KAM_TIP3  /undereye bags/i
body            __KAM_TIP4  /Find Out This Quick New Trick/i

meta            KAM_TIP     (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe        KAM_TIP     Beauty Tip Spams
score           KAM_TIP     4.3

#WhatsApp
header          __KAM_WHATS1    From =~ /WhatsApp/i
header          __KAM_WHATS2    Subject =~ /Voice Message Notification/i
body            __KAM_WHATS3    /WhatsApp/

meta            KAM_WHATS       (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe        KAM_WHATS       WhatsApp Spams
score           KAM_WHATS       3.0


#QTJars
header          __KAM_QTJARS1    From =~ /qtjar/i
header          __KAM_QTJARS2    Subject =~ /qtjar|left you a message|new message/i
body            __KAM_QTJARS3    /qtjars/
body            __KAM_QTJARS4    /private message/

meta            KAM_QTJARS       (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe        KAM_QTJARS       QTJars Spams
score           KAM_QTJARS       3.0

#GOOGLE DOCS PHISH
# view the agreement.
body            __KAM_GOOGLEPHISH1      /copy of the signed agreement/i
rawbody         __KAM_GOOGLEPHISH2      /http:\/\/.{5,50}\/http\/docs.google.com\/login\//i

meta            KAM_GOOGLEPHISH         (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe        KAM_GOOGLEPHISH         Google Login Phishing Scam
score           KAM_GOOGLEPHISH         5.0

#POLITICAL SPAM
header          __KAM_POLY1     Subject =~ /Barack Obama/i
body            __KAM_POLY2     /The End of Barack Obama/i

meta            KAM_POLY        (__KAM_POLY1 + __KAM_POLY2 >= 2)
describe        KAM_POLY        Political Spams
score           KAM_POLY        3.0

#MAID
header          __KAM_MAID1     Subject =~ /Maid Services|housekeeping.service/i
header          __KAM_MAID2     From =~ /Maid|Housekeeper/i
body            __KAM_MAID3     /Pre-Screened Housekeepers|local.maid/i

meta            KAM_MAID        (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe        KAM_MAID        Maid Service Spams
score           KAM_MAID        3.0

#TUB
header          __KAM_TUB1     Subject =~ /Walk.?in.*tub|bath and massage/i
header          __KAM_TUB2     From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body            __KAM_TUB3     /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i

meta            KAM_TUB        (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe        KAM_TUB        Tub Spams
score           KAM_TUB        4.0

#OBFUSCATE PORN
header          __KAM_OBF1      Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header          __KAM_OBF2      Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header          __KAM_OBF3      Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header          __KAM_OBF4      Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header          __KAM_OBF5      Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header          __KAM_OBF6      Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header          __KAM_OBF7      Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header          __KAM_OBF8      Subject =~ /X.X.X/

meta            KAM_OBF         ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe        KAM_OBF         Obfuscated Porn Spams
score           KAM_OBF         4.0

meta            KAM_OBF         (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe        KAM_OBF         Obfuscated Porn Spams
score           KAM_OBF         2.0


#HAIR LOSS / GREYING / REMOVAL
header          __KAM_HAIR1     Subject =~ /(Regrow|restore your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair/i
header          __KAM_HAIR2     From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve/i
rawbody         __KAM_HAIR3     /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve/i
rawbody         __KAM_HAIR4     /Hair Regrowth|Hair Club for Men|Bosley/i

meta            KAM_HAIR        (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + KAM_WEIRDTRICK1 >=4)
describe        KAM_HAIR        Hair Loss / Removal Spams
score           KAM_HAIR        4.5

#TRIAL
body            __KAM_TRIAL     /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i

#UNSUB
body            __KAM_UNSUB1    /cancel 0ffers/i #note the zero
body            __KAM_UNSUB2    /u +n +s +u +b +s +c +r +i +b +e/i

meta            KAM_UNSUB       (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe        KAM_UNSUB       Completely ridiculous unsubscribe text found
score           KAM_UNSUB       5.0

#MAINTENANCE / Email Phish Scams
body            __KAM_EMAILPHISH1       /Please login to complete update process/i

meta            KAM_EMAILPHISH  (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
describe        KAM_EMAILPHISH  Email Phishing Scams
score           KAM_EMAILPHISH  3.5

#MASSMAILER ERRORS
header          __KAM_MASSERROR1  Reply-to =~ /\@domain\]\]/i

meta            KAM_MASSERROR   (__KAM_MASSERROR1 >= 1)
describe        KAM_MASSERROR   Error in usage of a mass mailing software
score           KAM_MASSERROR   2.0

#CAR DEAL SPAMS
header          __KAM_CARDEAL1  Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header          __KAM_CARDEAL2  From =~ /dealer|clearance|veh.cle/i
body            __KAM_CARDEAL3  /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i

meta            KAM_CARDEAL     (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe        KAM_CARDEAL     Car Deal Spams
score           KAM_CARDEAL     3.0

#Quick Sale Scams
header          __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
header          __KAM_HOMESALE2 From =~ /Fastcash/i
body            __KAM_HOMESALE3 /Cash Offer for Your Home/i

meta            KAM_HOMESALE    (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe        KAM_HOMESALE    Home Sale Spams
score           KAM_HOMESALE    3.5

#ADVERTISEMENTS FOR LOANS
header          __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$\d+ down loan|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer/i
header          __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer/i
body            __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems/i
body            __KAM_LOAN4 /development.project|just.been.approved|for.your.business|loan.solution/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_LOAN5A Content-Type =~ /loan offer/i
  mimeheader    __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif

meta            KAM_LOAN    (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + __KAM_LOAN4 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe        KAM_LOAN    Payday and other loan spams
score           KAM_LOAN    4.5

#HANGOVER SPAM
header          __KAM_HANGOVER1 Subject =~ /hangover patch/i
header          __KAM_HANGOVER2 From =~ /hangover/i
body            __KAM_HANGOVER3 /hangover patch/i

meta            KAM_HANGOVER    (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe        KAM_HANGOVER    Hangover Patch Spams
score           KAM_HANGOVER    3.5

#RX PLAN SPAM
header          __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header          __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body            __KAM_RXPLAN3 /gap coverage/i

meta            KAM_RXPLAN    (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe        KAM_RXPLAN    Rx Plan Spams
score           KAM_RXPLAN    3.5

#SIDE SOCKET
header          __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header          __KAM_SOCKET2 From =~ /side.?socket/i
body            __KAM_SOCKET3 /side socket/i

meta            KAM_SOCKET    (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe        KAM_SOCKET    Product Spam du Jour
score           KAM_SOCKET    3.5

#TESTOSTERONE
header          __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header          __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body            __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body            __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i

meta            KAM_TESTOSTERONE    (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe        KAM_TESTOSTERONE    Product Spam du Jour
score           KAM_TESTOSTERONE    4.5

#FLEXHOSE
header          __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
header          __KAM_FLEXHOSE2 From =~ /hose/i
body            __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i

meta            KAM_FLEXHOSE    (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
describe        KAM_FLEXHOSE    Product Spam du Jour
score           KAM_FLEXHOSE    3.5

#PET
header          __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header          __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body            __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i

meta            KAM_PET    (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe        KAM_PET    Insurance and other pet-related spam
score           KAM_PET    4.5

meta            KAM_PET2   (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe        KAM_PET2    Even more likely insurance and other pet-related spam
score           KAM_PET2    3.5

#COBRA
header          __KAM_COBRA1 Subject =~ /Cobra Health/i
header          __KAM_COBRA2 From =~ /Cobra|Health/i
body            __KAM_COBRA3 /find cobra health/i

meta            KAM_COBRA    (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe        KAM_COBRA    Cobra Insurance Spam
score           KAM_COBRA    3.5

#Discount Air
header          __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header          __KAM_DISCAIR2 From =~ /Discount Air/i
body            __KAM_DISCAIR3 /Fly Cheap in Business Class/i

meta            KAM_DISCAIR    (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe        KAM_DISCAIR    Discount Airfare Spam
score           KAM_DISCAIR    3.5

#PEST
header          __KAM_PEST1 Subject =~ /pes?t control system/i
header          __KAM_PEST2 From =~ /Riddex|pest/i
body            __KAM_PEST3 /revolutionary pes?t control system/i

meta            KAM_PEST    (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe        KAM_PEST    Spam for Pest Control
score           KAM_PEST    3.5


#PROPHET
header          __KAM_PROPHET1 Subject =~ /beezelbub|communique/i
header          __KAM_PROPHET2 From =~ /christian.*prophe/i
body            __KAM_PROPHET3 /Dear Christian Friend/i
body            __KAM_PROPHET4 /Christian Media Ministry/i
body            __KAM_PROPHET5 /prophecy article|rapture/i

meta            KAM_PROPHET    (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4) 
describe        KAM_PROPHET    Spam for Prophecy 
score           KAM_PROPHET    6.0

#HEART
header          __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header          __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body            __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i

meta            KAM_HEART    (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3  >= 3)
describe        KAM_HEART    Spam for Heart Attack prevention
score           KAM_HEART    4.5

#JOINT
header          __KAM_JOINT1 Subject =~ /joint relief/i
header          __KAM_JOINT2 From =~ /Tfx/i
body            __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body            __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body            __KAM_JOINT5 /free bottle/i

meta            KAM_JOINT    (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4  >= 4)
describe        KAM_JOINT    Joint relief Spam 
score           KAM_JOINT    4.0

#REHAB
header          __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header          __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body            __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i

meta            KAM_REHAB    (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD)  >= 2)
describe        KAM_REHAB    Rehab Spam
score           KAM_REHAB    3.0

#HAIRTRANS
header          __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header          __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body            __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i

meta            KAM_HAIRTRANS    (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe        KAM_HAIRTRANS    Spam for Hair Restoration
score           KAM_HAIRTRANS    3.5

meta            KAM_HAIRTRANS2   (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe        KAM_HAIRTRANS2   Higher probability of spam for Hair Restoration
score           KAM_HAIRTRANS2   2.0

#OUR GIFT
body            __KAM_GIFTCERT1 /Our gift to you/i
body            __KAM_GIFTCERT2 /\$\d+ gift certificate/i
header          __KAM_GIFTCERT3 Subject =~ /Our gift to you/i

meta            KAM_GIFTCERT    (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
score           KAM_GIFTCERT    1.5
describe        KAM_GIFTCERT    Gift Certificate Spams

#TIRES
header          __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
header          __KAM_TIRES2 From =~ /Tire/i
body            __KAM_TIRES3 /savings on tire|new tires/i

meta            KAM_TIRES    (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3  >= 3)
describe        KAM_TIRES    Spam for Tires
score           KAM_TIRES    3.0

#SLICEOMATIC
header          __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
header          __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
body            __KAM_SLICEOMATIC3 /Slice-o-matic/i

meta            KAM_SLICEOMATIC    (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3  >= 3)
describe        KAM_SLICEOMATIC    Spam for Kitchen Tools
score           KAM_SLICEOMATIC    3.0

#FINDYOURWINDOWS AND OTHER WINDOW SPAM
header          __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
header          __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
body            __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i

meta            KAM_WINDOWS    (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
describe        KAM_WINDOWS    Spam for House Windows
score           KAM_WINDOWS    4.5

#EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
#POISON PILL
uri             __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i

meta            KAM_EMMAPP_WEB_COM   (__KAM_EMMAP_WEB_COM1 >= 1)
describe        KAM_EMMAPP_WEB_COM   Spam from emmapp.web.com
score           KAM_EMMAPP_WEB_COM   20.0

#NEW CREDIT CARD
header          __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
header          __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
body            __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i

meta           KAM_NEW_CREDITCARD     (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
describe       KAM_NEW_CREDITCARD     Spam for new credit cards
score          KAM_NEW_CREDITCARD     4.0

#WEIRD GERMAN SPAM
header         __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
header         __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
body           __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
body           __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i

meta           KAM_GERMAN_BUSINESS_CONTACTS    (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
describe       KAM_GERMAN_BUSINESS_CONTACTS    Weird German business contact info spam
score          KAM_GERMAN_BUSINESS_CONTACTS    3.0

#WEIRD SENIOR DATING SPAM
header         __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i

meta           KAM_SENIOR_DATING    (__KAM_SENIOR_DATING1 >= 1)
describe       KAM_SENIOR_DATING    Senior dating spam
score          KAM_SENIOR_DATING    2.0

#NEWS!
header          __KAM_NEWS1     Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
body            __KAM_NEWS2     /(?:Hello|hey|hi)!/i

meta            KAM_NEWS        (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe        KAM_NEWS        Forged Emails with NEWS!
score           KAM_NEWS        9.0

#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
  uri      __KAM_COUNT_URIS /^./
  tflags   __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one

  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
  meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
  meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif

#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i

#FAKE AT&T
#header   __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header   __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri      __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta     KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score    KAM_FAKE_ATT 3.0

#YOU HAVE BEEN CHOSEN
header   __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header   __KAM_CHOSEN2 From =~ /marketing|invitation/i
body     __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i

meta     KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score    KAM_CHOSEN 2.0

#JURY DUTY AND OTHER FAKE COURT NOTICES
header   __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header   __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header   __KAM_JURY3 From !~ /\.gov/i
body     __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i

meta     KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score    KAM_JURY 8.0

#BITCOIN
header   __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body     __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header   __KAM_BITCOIN3 From =~ /bitcoin/i

meta     KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score    KAM_BITCOIN 4.5

#RELIGIOUS
header   __KAM_RELIGION1 Subject =~ /Christian Media/i
header   __KAM_RELIGION2 From =~ /Bible Prophecy/i
body     __KAM_RELIGION3 /Dear Christian|Christian Media/i

meta     KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score    KAM_RELIGION 2.5

#BUSINESS PHONE
header   __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header   __KAM_BUSINESSPHONE2 From =~ /business phone/i
body     __KAM_BUSINESSPHONE3 /business phone system/i

meta     KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score    KAM_BUSINESSPHONE 5.5

#NUMEROLOGY
header   __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header   __KAM_NUMEROLOGY2 From =~ /Numerology/i
body     __KAM_NUMEROLOGY3 /Control your destiny/i

meta     KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score    KAM_NUMEROLOGY 3.5

#VOICEMAIL SPAM
header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i

meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score    KAM_VOICEMAIL 5.0

#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header   __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header   __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody  __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i

meta     KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score    KAM_SPAMFORSPAM 5.5

#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header   __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header   __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body     __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i

meta     KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score    KAM_NEUROLOGICAL 3.5

#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body     __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags   __KAM_LOTSOFHASH multiple maxhits=10

meta     KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score    KAM_LOTSOFHASH 0.25

#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta     KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score    KAM_GRABBAG1 3.5

#TV DOCTOR TRASH
header   __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header   __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body     __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i

meta     KAM_TVDOCTOR    (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR    Spam for TV doctor stuff
score    KAM_TVDOCTOR    3.5

# 1-800-DENTIST
header   __KAM_DENTIST1   Subject =~ /dentist/i
header   __KAM_DENTIST2   From =~ /1-?800-?dentist/i
body     __KAM_DENTIST3   /Find a dentist/i

meta     KAM_DENTIST    (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST    Spam for 1-800-DENTIST
score    KAM_DENTIST    3.5

# GOLD AND DIAMOND JEWELRY
header   __KAM_JEWELRY1   Subject =~ /jewell?rey online|shop now/i
header   __KAM_JEWELRY2   From =~ /bluestone.com/i

meta     KAM_JEWELRY    (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY    Spam for Gold and Diamond Jewelry
score    KAM_JEWELRY    3.5

# PSSST, WANNA BUY SOME POT
body     __KAM_MARIJUANA1 /marijuana|cannabis/i
body     __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body     __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header   __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i

meta     KAM_MARIJUANA    (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA    Spam pertaining to marijuana
score    KAM_MARIJUANA    4.5

meta     KAM_MARIJUANA2   (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score    KAM_MARIJUANA2   8.0
describe KAM_MARIJUANA2   Definitely spam for marijuana

# EVICTION NOTICE
header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i

meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR >= 4)
describe KAM_EVICTION    Malware disguised as eviction notice
score    KAM_EVICTION    4.5

# WALK IN TUBS
header   __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header   __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body     __KAM_WALKINTUB3 /walk.?in.?tub/i

meta     KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score    KAM_WALKINTUB 3.5

# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header   __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header   __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i

meta     KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score    KAM_EMAILQUESTION 3.5

# BECOME BEYOND SUPERHUMAN / SUPERMAN
header   __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header   __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body     __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i

meta     KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score    KAM_SUPERHUMAN 8.0

# VALENTINES
header   __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header   __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody  __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i

meta     KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score    KAM_VALENTINE 4.5

header   __KAM_MOTHER1 From =~ /flower|seventeen/i
header   __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body     __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i

meta     KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score    KAM_MOTHER 4.5

# WHO'S WHO
header   __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header   __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body     __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri      __KAM_WHOSWHO4 /whoswho/i

meta     KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score    KAM_WHOSWHO 5.0

meta     KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score    KAM_WHOSWHO2 1.0

# GARAGE FLOOR COATING
header   __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header   __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body     __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i

meta     KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score    KAM_GARAGE 4.0

meta     KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score    KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam

#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header          __KAM_PAINT1   From =~ /Coating|Paint|Surface|Sealer/i
header          __KAM_PAINT2   Subject =~ /surface Paint/i

meta            KAM_PAINT      (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_PAINT      Paint Spams
score           KAM_PAINT      4.0

# HURRICANE MOP
header   __KAM_MOP1 From =~ /hurricane mop/i
header   __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body     __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i

meta     KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score    KAM_MOP 3.5

# DATING TIPS
header   __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header   __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body     __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i

meta     KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score    KAM_DATINGTIPS 4.5

# CANDY
header   __KAM_CANDY1 From =~ /candy/i
header   __KAM_CANDY2 Subject =~ /candy/i
body     __KAM_CANDY3 /you deserve a treat|sweet tooth/i

meta     KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score    KAM_CANDY 4.5

# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody  KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score    KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable

# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header   __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body     __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header   __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header   __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i

meta     KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score    KAM_WEIRDTRICK1 1.5

meta     KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score    KAM_WEIRDTRICK2 3.5

meta     KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score    KAM_WEIRDTRICK3 3.0

#MATCH MAKER SPAM
header  __KAM_MATCH1    From =~ /Match/i
header  __KAM_MATCH2    Subject =~ /Find love|available singles|free.to.look|meet.singles/i

meta            KAM_MATCH       (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe        KAM_MATCH       Match Maker Spams
score           KAM_MATCH       3.5

#CAR INSURANCE
header  __KAM_CARINSURE1        From =~ /insurance/i
header  __KAM_CARINSURE2        Subject =~ /save on car insurance|smarter.way/i

meta            KAM_CARINSURE   (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe        KAM_CARINSURE   Car Insurance Spams
score           KAM_CARINSURE   3.0

#DATA IMG
rawbody         __KAM_DATAIMG   /<img src="data:image/i

#FAKE MMS
rawbody         __KAM_MMS1      /base64,G011K60C12QKQ9790AIFQ5L/s

meta            KAM_MMS         (__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe        KAM_MMS         Fake MMS Spam
score           KAM_MMS         6.0

#LEARNMORE
rawbody         __KAM_LEARN1    /base64,R0lGODlh3gA9APcAAAFlmUK/

meta            KAM_LEARN       (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe        KAM_LEARN       Learn More Spam
score           KAM_LEARN       6.0

#UNSUB1
header          __KAM_UNSUB1_1  List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody         __KAM_UNSUB1_2  /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i

meta            KAM_UNSUB1      (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe        KAM_UNSUB1      Unsubscription Spams
score           KAM_UNSUB1      0.1

uri             __KAM_DOMAINDOTCOM /domain\.com/i

meta            KAM_UNSUB2      ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score           KAM_UNSUB2      3.5
describe        KAM_UNSUB2      Improperly configured spam engines that leave placeholder domains in the body

# DUTCH GLOW AND OTHER WOODWORKING SPAM
header   __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header   __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body     __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i

meta     KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 2)
describe KAM_DUTCHGLOW Woodworking spam
score    KAM_DUTCHGLOW 3.0

# FUNERAL HOME SPAM
header   __KAM_FUNERAL1 From =~ /Funeral/i
header   __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body     __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri      __KAM_FUNERAL4 /\/home\.php\?funeral/i

meta     KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score    KAM_FUNERAL 2.0

meta     KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score    KAM_FUNERAL2 3.0


# WEB VIEW OBFUSCATION
body     __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody  __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i

meta     KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score    KAM_WEB_OBFUSCATION 0.1

# TUPPERWARE
header   __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header   __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body     __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i

meta     KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score    KAM_TUPPERWARE 3.5

# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header   __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header   __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body     __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body     __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i

meta     KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score    KAM_PATRIOT 4.0

meta     KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score    KAM_PATRIOT2 1.5

# PAYMENT LOWERED
header   __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body     __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body     __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i

meta     KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score    KAM_PAYMENT_LOWERED 4.5

meta     KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
score    KAM_PAYMENT_LOWERED 2.0

#NEW NOTICE
body    __KAM_NEWNOTICE1        /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body    __KAM_NEWNOTICE2        /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header  __KAM_NEWNOTICE3        From =~ /Notice|Notification|Credit/i

meta            KAM_NEWNOTICE   (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe        KAM_NEWNOTICE   New Notice Spam
score           KAM_NEWNOTICE   4.25

meta            KAM_NEWNOTICE2  (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe        KAM_NEWNOTICE2  Higher Probability of New Notice Spam
score           KAM_NEWNOTICE2  2.0

#REFI NEW NOTICE
header          __KAM_REFINEW1  Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body            __KAM_REFINEW2  /(rate|payment).reduction|score-update/i

meta            KAM_REFINEW     (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe        KAM_REFINEW     New Refi/Credit Notice spam
score           KAM_REFINEW     2.0

meta            KAM_REFINEW2    (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe        KAM_REFINEW2    Higher Probability Refi Spam
score           KAM_REFINEW2    2.0

#AUTO INSURE / LOAN
header          __KAM_AUTONEW1  Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body            __KAM_AUTONEW2  /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body            __KAM_AUTONEW3  /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header          __KAM_AUTONEW4  From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i

meta            KAM_AUTONEW     (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe        KAM_AUTONEW     New Auto insurance spam
score           KAM_AUTONEW     3.0

meta            KAM_AUTONEW2    (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe        KAM_AUTONEW2    Higher Probability Insurance Spam
score           KAM_AUTONEW2    2.0

#STATLER
header          __KAM_STATLER1  Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header          __KAM_STATLER2  Subject =~ /quintuple/i
body            __KAM_STATLER3  /Mike Statler/i

meta            KAM_STATLER     (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe        KAM_STATLER     Mike Statler Spams
score           KAM_STATLER     6.0

#LEARNING TO WRITE
header   __KAM_WRITING1 From =~ /writing/i
header   __KAM_WRITING2 Subject =~ /writing resources|get published/i
body     __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i

meta     KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score    KAM_WRITING 3.5

#RASH OF .EU EXPLOITS
rawbody         KAM_EU /http:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score           KAM_EU 0.50
describe        KAM_EU Prevalent use of .eu in spam/malware

#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody         __KAM_12BITCOLOR /color: \#[\da-f]{12}/i

meta            KAM_GRABBAG2    KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score           KAM_GRABBAG2    5.0
describe        KAM_GRABBAG2    Grabbag of Spams hitting EU domains and other indicators

#END DIABETES SPAM
body            __KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
body            __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
header          __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i

meta            KAM_DIABETES    (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
score           KAM_DIABETES    4.5
describe        KAM_DIABETES    End Diabetes Spam

#SPY CAMERAS, ETC
header   __KAM_SPY1 From =~ /spy.?camera/i
header   __KAM_SPY2 Subject =~ /spy.?camera/i
body     __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i

meta     KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score    KAM_SPY 3.5

#HARP
header  __KAM_HARP1     From =~ /\bharp\b|obamacare|save|healthcare/i
header  __KAM_HARP2     Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header  __KAM_HARP3     From !~ /\.gov>?$/i

meta     KAM_HARP       (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP       HARP Refinance Spams
score    KAM_HARP       4.5

#LUNAR SLEEP AND OTHER SLEEPING AIDS
header   __KAM_LUNAR1   From =~ /lunar.?sleep|peak.life/i
header   __KAM_LUNAR2   Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri      __KAM_LUNAR3   /lunar.?sleep/i
body     __KAM_LUNAR4   /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i

meta     KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score    KAM_LUNAR 4.5

meta     KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score    KAM_LUNAR2 2.0

#OCEANS BOUNTY
header   __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header   __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body     __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i

meta     KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score    KAM_OCEANSBOUNTY 4.5

#ANDROGEL
header   __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header   __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body     __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i

meta     KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score    KAM_ANDROGEL 4.5

#CELL PHONES
header   __KAM_CELL1 From =~ /phone/i
header   __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body     __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i

meta     KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score    KAM_CELL 3.5

header   __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header   __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body     __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i

meta     KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score    KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad

#HERPES
header   __KAM_HERPES1 From =~ /herpes/i
header   __KAM_HERPES2 Subject =~ /your.herpes/i
body     __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i

meta     KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score    KAM_HERPES 5.0

#FAKE VOUCHER/REWARD EMAIL
header   __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body     __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
header   __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
body     __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i

meta     KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
describe KAM_FAKEVOUCHER Fake voucher/reward email
score    KAM_FAKEVOUCHER 4.5

#ATTORNEY SPAM
header   __KAM_ATTORNEY1 From =~ /attorney/i
header   __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
body     __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i

meta     KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
score    KAM_ATTORNEY 3.5
describe KAM_ATTORNEY Ads for legal services

#PRODUCT RECALL
header   __KAM_RECALL1 From =~ /dog.?food/i
header   __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
body     __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i

meta     KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
score    KAM_RECALL 3.5
describe KAM_RECALL Spam for product recall notices

#REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
rawbody  __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
tflags   __KAM_HUGEIMGSRC multiple maxhits=6

meta     KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
score    KAM_HUGEIMGSRC 0.2
describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls

describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
rawbody  KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
score    KAM_REALLYHUGEIMGSRC 1.1

rawbody  KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
score    KAM_TRACKIMAGE 0.2

#BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
meta     KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
score    KAM_GRABBAG3 3.0
describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients

#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody  __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i

meta     KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score    KAM_EMPTYLINK 3.5

header   __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde

# WORDS THAT "A R E  S P A C E D  O U T" LIKE SO
body     __KAM_SPACEY_WORDS /a +v +e +n +u +e/i

# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header   __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
body     __KAM_INVESTCOUNTRY2 /invest in your country/i

meta     KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
score    KAM_INVESTCOUNTRY 3.5
describe KAM_INVESTCOUNTRY Spam for investing in your country

# SPAM FOR FLAGS
header   __KAM_FLAG1 From =~ /flag/i
header   __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body     __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i

meta     KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score    KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags

rawbody  __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags

rawbody  __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text

rawbody  __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area

meta     KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score    KAM_GRABBAG4 3.5

header   __KAM_KORS1 From =~ /Michael Kors/i
header   __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body     __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i

meta     KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score    KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors

header   __KAM_HOLIDAY1 From =~ /holidays/i
header   __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body     __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i

meta     KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score    KAM_HOLIDAY 3.5

header   __KAM_MANYTO To =~ />,/i
tflags   __KAM_MANYTO multiple,maxhits=5

meta     KAM_MANYTO (__KAM_MANYTO >= 5)
score    KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header

meta     KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score    KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients

body     __KAM_MILLIONAIRE1 /internet millionai?re/i
body     __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header   __KAM_MILLIONAIRE3 Subject =~ /see this video/i

meta     KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score    KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money

header   __KAM_OILCHANGE1 From =~ /oil.?change|coupon/i
header   __KAM_OILCHANGE2 Subject =~ /oil change/i
body     __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i

meta     KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score    KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes

header   __KAM_ADHD1 From =~ /ADH?D/i
header   __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body     __KAM_ADHD3 /struggling with adh?d|treatment options/i

meta     KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score    KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment

# AUTO REPAIR
header   __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header   __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body     __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i

meta     KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score    KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services

# HOME REPAIR
header   __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header   __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body     __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i

meta     KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score    KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services

body __KAM_EPISODE /episode \d+/i

header   __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header   __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body     __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body     __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i

meta     KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score    KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services

header   __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header   __KAM_PAPERLESS2 Subject =~ /paperless|fax to email|send document|fax thru email|receive faxes|send faxes|fax.message|voice.message|new.fax|have.received/i
body     __KAM_PAPERLESS3 /fax service|service plan|view.this.fax|\d.page.fax|voice.message/i

meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score    KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office

rawbody  __KAM_LOTSOFNBSP /(&nbsp; ?){30}/i

header   __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i

# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header   __KAM_PASSWORD1 Subject =~ /password/i
body     __KAM_PASSWORD2 /validate.your.email/i

meta     KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score    KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password

# SEMINARS AND WORKSHOPS SPAM
header   __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header   __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header   __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body     __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i

meta     KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score    KAM_WEBINAR 3.5

meta     KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
describe KAM_WEBINAR2 Spam for webinars
score    KAM_WEBINAR2 3.5

header   __KAM_CONTACTME1 Subject =~ /^contact me$/i
body     __KAM_CONTACTME2 /read the attached letter/i

meta     KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score    KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply

header   __KAM_MESH1 From =~ /consumer|connect|claim/i
header   __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body     __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i

meta     KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score    KAM_MESH 3.5

header   __KAM_ALERT1 From =~ /medical.?alert/i
header   __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body     __KAM_ALERT3 /help button/i

meta     KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score    KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts

# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header   __KAM_SECURITY1 From =~ /Digital Defense/i
header   __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body     __KAM_SECURITY3 /information.security|cyber.?criminal/i

meta     KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score    KAM_SECURITY 6.0

body     __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body     __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body     __KAM_JESUS3 /nigeria|muslim.women/i

meta     KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score    KAM_JESUS 4.5

header   __KAM_CLAIMS1 From =~ /claims.payment/i
header   __KAM_CLAIMS2 Subject =~ /confirm/i
body     __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i

meta     KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score    KAM_CLAIMS 4.5

# VISION SPAM
header   __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header   __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body     __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i

meta     KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score    KAM_VISION 4.5

body     KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score    KAM_TRUTHINESS 1.5

header   __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header   __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body     __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i

meta     KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score    KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement

# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header   __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i

header   __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i

body     __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i

meta     KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score    KAM_GENERICHEALTH 5.0
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs

header   __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header   __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body     __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i

header   __KAM_SALEA_1 From =~ /touch.?fire/i
header   __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body     __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i

meta     KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score    KAM_SALE 4.0
describe KAM_SALE Spam for things on sale

meta     KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score    KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign

# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body     __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags   __KAM_ASCII_DIVIDERS multiple, maxhits=4

meta     KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score    KAM_ASCII_DIVIDERS 0.8

# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header   __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i

rawbody  __KAM_HTMLNOISE1 /<big><big>|<small><\/small>|<style><\/style>/i

meta     KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score    KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding

header   __KAM_CHICKEN1 From =~ /coop/i
header   __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body     __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i

meta     KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score    KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops

# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody  __KAM_LINEPADDING /(\n[^\n]){8}/

meta     KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score    KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters

# DRAPES SPAM
header   __KAM_DRAPES1 From =~ /drapes/i
header   __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body     __KAM_DRAPES3 /banner.stand|print.project/i

meta     KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score    KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes

header   __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header   __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body     __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i

meta     KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score    KAM_NUWAVE 3.5

rawbody  __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags   __KAM_MANYCOMMENTS multiple,maxhits=6

meta     KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score    KAM_MANYCOMMENTS 1.2

header   __KAM_HIRE1 From =~ /recruit/i
header   __KAM_HIRE2 Subject =~ /checking.in/i
body     __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i

meta     KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score    KAM_HIRE 4.5

header   __KAM_DEALS1 From =~ /deal.?hunter/i
header   __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body     __KAM_DEALS3 /exclusive.savings/i

meta     KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score    KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals

header   __KAM_CONTRACT1 From =~ /samanage/i
header   __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body     __KAM_CONTRACT3 /buy you out|service management|management solution/i

meta     KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score    KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract

#KAM_TOLL
header   __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header   __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body     __KAM_TOLL3 /have.not.paid|your.debt|invoice/i

meta     KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score    KAM_TOLL 8.0

#KAM_AMAZON
header   __KAM_AMAZON1 From =~ /amazon\.com/i

meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
score    KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware

# LANDSCAPING
header   __KAM_LANDSCAPE1 From =~ /landscaping/i
header   __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body     __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body     __KAM_LANDSCAPE4 /stone.carving/i

meta     KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score    KAM_LANDSCAPING 3.5

# SINGING LESSONS
header   __KAM_SINGING1 From =~ /singing/i
header   __KAM_SINGING2 Subject =~ /professional.singer/i
body     __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i

meta     KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score    KAM_SINGING 4.5

# SPAM FOR ADS
header   __KAM_ADVERTISE1 From =~ /gmail/i
header   __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body     __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i

meta     KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score    KAM_ADVERTISE 4.5

# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS
if (version >= 3.003002)
  # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
  header   __KAM_SPF_NONE    eval:check_for_spf_none()

  meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
  score    KAM_LAZY_DOMAIN_SECURITY 1.0
  describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif

# FORGED EMAILS WITH A VIRUS ATTACHED
meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR >= 2)
score    KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment

# LOTS OF PERIODS IN SUBJECT
header   __KAM_MANYDOTS1 Subject =~ /\.{20}/i

meta     KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score    KAM_MANYDOTS 3.5

# FINAL NOTICE SPAM
header   __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i

meta     KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score    KAM_SUBJECTNOTICE 1.0

# SPAM FOR BACKUP SERVICE
header   __KAM_BACKUP1 From =~ /backup/i
header   __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body     __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i

meta     KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score    KAM_BACKUP 4.5

# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header   KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score    KAM_FROMNUM 1.0

# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta     KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score    KAM_LINKBAIT 0.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place

uri      __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i

meta     KAM_LINKBAIT2  KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score    KAM_LINKBAIT2  1.5
describe KAM_LINKBAIT2  Linkbait that points to wordpress - usually means a compromised site

# FREEMAIL LINKBAIT
meta     KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score    KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener

# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR + LOTS_OF_MONEY >= 2)
score    KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts

# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header   __KAM_MULTIPLE_FROM From =~ /^./
tflags   __KAM_MULTIPLE_FROM multiple,maxhits=2

header   __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/

meta     KAM_GRABBAG6 (__KAM_MULTIPLE_FROM + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score    KAM_GRABBAG6 4.5

# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header   KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score    KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject

# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header   __KAM_GOOGLE2_1 From =~ /google\+/i
header   __KAM_GOOGLE2_2 From !~ /google.com/i

meta     KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score    KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam

# MORE NIGERIAN VARIANTS
body     __KAM_NIGERIAN2_1 /congo/i

meta     KAM_NIGERIAN2 (__KAM_NIGERIAN2_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score    KAM_NIGERIAN2 4.5
describe KAM_NIGERIAN2 Nigerian scam variant

# FINGERHUT SPAMS
header   __KAM_FINGERHUT1 From =~ /finger.?hut/i
header   __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body     __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i

meta     KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score    KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut

# FRIEND REQUEST SPAM
header   __KAM_FRIEND1 Subject =~ /new.notification/i
body     __KAM_FRIEND2 /wants.to.follow/i

meta     KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score    KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam

# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR)
score    KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted

#MERCHANT ACCOUNTS SPAM
header   __KAM_MERCHANT1 Subject =~ /finance.department/i
body     __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body     __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i

meta     KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score    KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing

# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
  header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i

  # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
  #meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
  #describe KAM_ZERODAY obviously a malware email that was not caught
  #score    KAM_ZERODAY 8.0

  # ANOTHER ONE
  header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i

  meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
  score    KAM_ZERODAY2 1.0
  describe KAM_ZERODAY2 Another obvious zero-day malware

  meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
  score    KAM_ZERODAY3 3.5
  describe KAM_ZERODAY3 Another obvious zero-day malware
endif

# FAMILY TREE SPAM
header   __KAM_ANCESTOR1 From =~ /ancestry/i
header   __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body     __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i

meta     KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score    KAM_ANCESTOR 3.5

# REMEMBER WHEN YOU GOT THAT SPAM
header   __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body     __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body     __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i

meta     KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score    KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened

# THE LATEST TRAILING NOISE FORMAT
body     __KAM_NOISE1 /([a-z0-9],){12}/i
body     __KAM_NOISE2 /([a-z]{1,10},){10}/i

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
  describe KAM_NOISE1 Pattern of noise words at the end of an email
  score    KAM_NOISE1 2.5
endif

# FREE PIZZA WOO!
header   __KAM_PIZZA1 From =~ /pizza/i
header   __KAM_PIZZA2 Subject =~ /^free pizza$/i
body     __KAM_PIZZA3 /free.pizza.coupon/i

meta     KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score    KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza

# ENGINEERING SPAM
header   __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body     __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body     __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i

meta     KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score    KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information

# SUNGLASSES
header   __KAM_SUNGLASSES1 Subject =~ /rayban/i
body     __KAM_SUNGLASSES2 /great ray|hot.deal/i
body     __KAM_SUNGLASSES3 /style rocks|today.only/i

meta     KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score    KAM_SUNGLASSES 3.5

# INVOICE SPAM OF THE DAY
header   __KAM_INVOICE1 From =~ /billing/i
header   __KAM_INVOICE2 Subject =~ /past.due|invoice/i

meta     KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score    KAM_INVOICE 4.5
describe KAM_INVOICE Spam for invoices

# GRIPEEZ
header   __KAM_GRIPPY1 From =~ /gripeez/i
header   __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body     __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i

meta     KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score    KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products

# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header   __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing/i
header   __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body     __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body     __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i

meta     KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score    KAM_ACCOUNTPHISH 3.20
describe KAM_ACCOUNTPHISH Spam that tries to get account information

# BUY PROPERTY
header   __KAM_PROPERTY1 From =~ /high.rise|condo/i
header   __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body     __KAM_PROPERTY3 /convenient.location/i

meta     KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score    KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property

# FAKE AMEX
header   __KAM_FAKEAMEX1 From =~ /aexp.com/i

meta     KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score    KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information

header   KAM_HUGESUBJECT Subject =~ /^.{500}/
score    KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter

#HOOKUP
header   __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri      __KAM_HOOKUP2 /justhookup/i
body     __KAM_HOOKUP3 /match.?me.?networks/i

meta     KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score    KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service

#PSYCHIC
header   __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
uri      __KAM_PSYCHIC2 /free.psychic/i
body     __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i

meta     KAM_PSYCHIC    (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score    KAM_PSYCHIC    4.5
describe KAM_PSYCHIC    Current Psychic Product Spam du Jour

#UNSUB BADDIES
body    __KAM_BADUNSUB  /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i

meta     KAM_BADUNSUB   (__KAM_BADUNSUB >= 1)
score    KAM_BADUNSUB   3.0
describe KAM_BADUNSUB   Bad Unsubscribe Messages

#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody  __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//

meta     KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score    KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message

#TINYURL OBFUSCATION
uri      __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i

meta     KAM_TINYURL (__KAM_TINYURL1)
score    KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener

# FAKE DROPBOX
header   __KAM_DROPBOX1 From =~ /dropbox/i
header   __KAM_DROPBOX2 From !~ /dropbox.com/i
body     __KAM_DROPBOX3 /shared.a.folder/i

meta     KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score    KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails

# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i

  meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
  describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
  score    KAM_YAHOO_MISTAKE -3.0
endif

# GARBAGE FREEMAIL
meta     KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score    KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account

# AQUA RUG
header   __KAM_AQUARUG1 From =~ /aqua.?rug/i
header   __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body     __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i

meta     KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score    KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product

# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header   __KAM_ITC1 From =~ /thetradecouncil.com/i
body     __KAM_ITC2 /International Trade Council/i
body     __KAM_ITC3 /enclosed/i

meta     KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score    KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council

# HAVE YOU SEEN THIS
body     __KAM_SEENTHIS1 /have.you.seen|seen.this/i

meta     KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score    KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?

# DETOX
header   __KAM_DETOX1 From =~ /detox/i
header   __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body     __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i

meta     KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score    KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff

# DEATH INSURANCE
header   __KAM_DEATHINSURE1 From =~ /live.sure/i
header   __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body     __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i

meta     KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score    KAM_DEATHINSURE 3.5

# REACHBASE
body     KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score    KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info

# DIGITAL WALLET SPAM
header   __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header   __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body     __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i

meta     KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score    KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services

# BAD PHP
header   __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header   __KAM_BADPHP2 X-Source-Args =~ /css.php/i

meta     KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score    KAM_BADPHP 2.5
describe KAM_BADPHP Questionable PHP mailer headers

# TINNITUS
header   __KAM_TINNITUS1 From =~ /tinnitus.breakthrough/i
header   __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week/i
body     __KAM_TINNITUS3 /scientifically.proven|end.tinnitus/i

meta     KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score    KAM_TINNITUS 3.5

# KIWIBANK
header   __KAM_KIWIBANK1 From =~ /kiwibank/i
header   __KAM_KIWIBANK2 Subject =~ /verification.required/i
body     __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i

meta     KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score    KAM_KIWIBANK 3.5

# HAPPY TALK
header   __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body     __KAM_HAPPYTALK2 /honest.and.nice/i
body     __KAM_HAPPYTALK3 /beautiful.mail/i

meta     KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score    KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam

# SETTLEMENT SPAM
header   __KAM_SETTLEMENT1 From =~ /xarelto/i
header   __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body     __KAM_SETTLEMENT3 /lawsuit.information/i

meta     KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score    KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement

# CAD SPAM
header   __KAM_CAD1 Subject =~ /cad.drawing/i
body     __KAM_CAD2 /we.specialize.in/i
body     __KAM_CAD3 /our.products/i

meta     KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score    KAM_CAD 3.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #SPAM WITH OFFICE MACROS
  header   KAM_VBMACRO X-KAM-VBMacro =~ /True/i
  describe KAM_VBMACRO Message contains attachment with VB macro
  score    KAM_VBMACRO 6.5
  
  #SPAM THAT INDICATES DYNAMIC IP
  header   KAM_DYNIP   X-KAM-DynamicIndicator =~ /True/i 
  describe KAM_DYNIP   Message contains Dynamic IP Address Indicator
  score    KAM_DYNIP   6.5
endif


# YELP AND OTHER REVIEW SITES
header   __KAM_REVIEW1 From =~ /contractor/i
header   __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body     __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i

meta     KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score    KAM_REVIEW 4.5

# TOURS AND EVENTS
header   __KAM_TOURS1 From =~ /festival/i
header   __KAM_TOURS2 Subject =~ /adventure.tour/i
body     __KAM_TOURS3 /your.adventure.tour|your.event/i

meta     KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score    KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events

# NO MORE SPAM ENGINES
body     __KAM_NOMORE1 /no.more.of.this/i
body     __KAM_NOMORE2 /no.more.at.all/i

meta     KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score    KAM_NOMORE 3.5

# NOT REALLY CONFIDENTIAL
body     __KAM_NOCONFIDENCE1 /confidential.information/i

meta     KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score    KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security

# YER GON GET SASSINATED
header   __KAM_ASSASSIN1 Subject =~ /want you dead/i
body     __KAM_ASSASSIN2 /my identity/i
body     __KAM_ASSASSIN3 /assassinate/i
body     __KAM_ASSASSIN4 /like.an.accident/i

meta     KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score    KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam

# GIMME FLASH DRIVES
header   __KAM_DRIVE1 From =~ /purchase|manager/i
header   __KAM_DRIVE2 Subject =~ /quotation/i
body     __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i

meta     KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score    KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment

#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
#  blacklist_uri_host link
#endif 

#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
meta     KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score    KAM_BAD_DNSWL  7.0
describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 

# HEARING LOSS
header   __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
header   __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
body     __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i

meta     JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score    JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions

# TRACKR
header   __JMQ_TRACKR1 From =~ /trackr/i
header   __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body     __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i

meta     JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score    JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR

# CONGRATULATION
header   __JMQ_CONGRAT1 From =~ /award|claim/i
header   __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i

meta     JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score    JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam

# PICKUP
header   __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body     __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header   __JMQ_PICKUP3 X-Mailer =~ /php/i
body     __JMQ_PICKUP4 /\d+.year.old|female/i

meta     JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score    JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number

# COMPROMISED DROPBOX
header   __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header   __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body     __JMQ_DROPBOX3 /ach.(payment|transfer)/i

meta     JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score    JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts

#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body   __KAM_BAD_REVIEW2 /Reputation Giant/i

meta    KAM_BAD_REVIEW  (__KAM_BAD_REVIEW1 +  __KAM_BAD_REVIEW2 >= 2)
score   KAM_BAD_REVIEW  4.0
describe KAM_BAD_REVIEW Online reputation spammers

#GOOGLE AWARD
header  __KAM_GOOGLE_AWARD1     From =~ /Google UK/i
body    __KAM_GOOGLE_AWARD2     /selected as a winner/i
body    __KAM_GOOGLE_AWARD3     /Dear Google/i
body    __KAM_GOOGLE_AWARD4     /Official Notification Letter/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_GOOGLE_AWARD5A    Content-Type =~ /Google Award/i
  mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
endif

meta    KAM_GOOGLE_AWARD        (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1)  >= 4)
score   KAM_GOOGLE_AWARD        5.0
describe        KAM_GOOGLE_AWARD        Fake Google Awards

#OBFUSCATED LOANS
body    KAM_OBFU_LOANS  /Stüdént Lóans/i
score   KAM_OBFU_LOANS  5.0
describe KAM_OBFU_LOANS Obfuscated Loan Verbiage

#WORK FROM HOME
body    __KAM_WORKFROMHOME1     /work from home/i

meta    KAM_WORKFROMHOME        (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score   KAM_WORKFROMHOME        2.5
describe KAM_WORKFROMHOME       Work from Home Spams

#STUDENT LOAN
body    __KAM_STUDENTLOAN1      /(National|Federal) Student Loan Status/i
body    __KAM_STUDENTLOAN2      /consolidate your loan/i
body    __KAM_STUDENTLOAN3      /doesn't injured/i
body    __KAM_STUDENTLOAN4      /866-351-4693/i
body    __KAM_STUDENTLOAN5      /(financial troubles|debt) is (understood|forgiven)/i

meta    KAM_STUDENTLOAN         (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score   KAM_STUDENTLOAN         4.5
describe        KAM_STUDENTLOAN Student Loan Scam

#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  header   __JMQ_RESUME1 Subject =~ /resume/i
  body     __JMQ_RESUME2 /hello my name|my name is/i
  body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
  mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
  mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i

  meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
  score    JMQ_RESUME 4.5
  describe JMQ_RESUME Spam for bad attached resumes
endif

#LED/SOLAR LIGHTS
header          __KAM_LED1  Reply-to =~ /huixinsoft\d*\@foxmail.com/i
body            __KAM_LED2      /solar (lighting|led)/i
body            __KAM_LED3      /China aier/i

meta            KAM_LED         (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 2)
describe        KAM_LED         Solar LED Lighting Spams
score           KAM_LED         5.5

# REAL ESTATE
header   __JMQ_REALESTATE1 From =~ /tom.brice/i
header   __JMQ_REALESTATE2 Subject =~ /real.estate/i
body     __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i

meta     JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score    JMQ_REALESTATE 4.5

# IP IN FROM
header   JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score    JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address

# IFFY PAYPAL OF THE DAY
header   __JMQ_PAYPAL2 From =~ /paypai/i

meta     JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score    JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day

# RESUME SPAM REDUX PART 2 (WOOHOO)
meta     JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score    JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam

# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns   JMQ_SPF_NEUTRAL_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\?all$/
  describe JMQ_SPF_NEUTRAL_ALL SPF set to ?all!
  score    JMQ_SPF_NEUTRAL_ALL 0.5
endif

# IMPORTANT MESSAGE
header   __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body     __JMQ_IMPORTANT2 /important message/i
body     __JMQ_IMPORTANT3 /please visit/i

meta     JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score    JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important

# IMAGE TRACKERS
uri      __JMQ_TRACKER1 /sidekickopen\d*\.com/i

meta     JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score    JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker

# WIRE TRANSFERS
header   __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body     __JMQ_WIRE2 /medical.support|payment.sent/i
body     __JMQ_WIRE3 /bank.wire|sent.out.asap/i

meta     JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score    JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer

#bindata code in RTF
#rawbody         __KAM_BADRTF1 /<w:binData/
#rawbody         __KAM_BADRTF2 /QWN0aXZlTWltZQ/

#meta     KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score    KAM_BADRTF 5.0

#Fake Order
body     __KAM_ORDER1   /Please find document attached/i
header   __KAM_ORDER2   Subject =~ /Order \d+ (\(Acknowledgement\))?/i

meta     KAM_ORDER      __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score    KAM_ORDER      3.0
describe KAM_ORDER      Fraudulent Order Emails

rawbody __RB_LE_200 /^.{2,200}$/s 
tflags  __RB_LE_200 multiple maxhits=2 
rawbody __RB_GT_200 /^.{201}/s 
meta    __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200 

#SHOCKING BEVERAGE
body    __KAM_SHOCK1    /shocking.beverage/i
header  __KAM_SHOCK2    Subject =~ /(Bill O.Reilly|Donald Trump)/i
body    __KAM_SHOCK3    /drinking this beverage/i

meta     KAM_SHOCK      __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score    KAM_SHOCK      4.0
describe KAM_SHOCK      Spams with energy drinks

#BEAUTY SCAM
body    __KAM_BEAUTY1   /she now looks \d+/i
body    __KAM_BEAUTY2   /reveals exactly/i
body    __KAM_BEAUTY3   /most amazing transformation/i
header  __KAM_BEAUTY4   Subject =~ /now looks \d+/i

meta     KAM_BEAUTY     __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score    KAM_BEAUTY     4.0
describe KAM_BEAUTY     Youth and Beauty Product Scams

#WEED
body    __KAM_WEED1     /legal.weed|jim kramer|kevin james/i
header  __KAM_WEED2     Subject =~ /Legal.Weed|pot.stock/i
body    __KAM_WEED3     /doubled? (there|their) money|Triple this afternoon/i
body    __KAM_WEED4     /(weed|pot).stock/i

meta     KAM_WEED       __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score    KAM_WEED       8.0
describe KAM_WEED       Legal Weed and related investment scams

#LOGOS
body    __KAM_LOGO1     /guru.level logo/i
header  __KAM_LOGO2     Subject =~ /guru.level logo/i
body    __KAM_LOGO3     /(guru.level|ready.made) logo/i

meta     KAM_LOGO       __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score    KAM_LOGO       5.25
describe KAM_LOGO       Logo Spam

#TRUMP COIN
body    __KAM_TRUMPCOIN1     /Donald Trump/i
header  __KAM_TRUMPCOIN2     Subject =~ /trump.coin/i
body    __KAM_TRUMPCOIN3     /special colored coin/i

meta     KAM_TRUMPCOIN       __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score    KAM_TRUMPCOIN       5.25
describe KAM_TRUMPCOIN       Trump Coin Spam

#WATER
body    __KAM_WATER1     /Never Drink Water/i
header  __KAM_WATER2     Subject =~ /bottled water/i
body    __KAM_WATER3     /filtered tap water/i

meta     KAM_WATER       __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score    KAM_WATER       5.25
describe KAM_WATER       Water Poison Scam

#BANK
body    __KAM_RUIN1     /do not deposit/i
header  __KAM_RUIN2     Subject =~ /money into your bank/i
body    __KAM_RUIN3     /banking institutions/i

meta     KAM_RUIN       __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score    KAM_RUIN       5.25
describe KAM_RUIN       Bank Phishing Scam

#BANK
body    __KAM_WEIGHT2_1     /goodbye to her waist|wild transformation/i
header  __KAM_WEIGHT2_2     Subject =~ /looks \d+ overnight|no gym/i
body    __KAM_WEIGHT2_3     /melissa mccarthy|now looks \d+/i

meta     KAM_WEIGHT2       __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 >= 3
score    KAM_WEIGHT2       5.25
describe KAM_WEIGHT2       Weight loss process du jour

#AMAZING LENS
body    __KAM_LENS1     /pro quality (pho|pic)|Bill gates|best camera/i
header  __KAM_LENS2     Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body    __KAM_LENS3     /amazing lens|hdx-lens|hdrx/i
header  __KAM_LENS4     From =~ /hdcam|lens|inhd/i

meta     KAM_LENS       __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score    KAM_LENS       5.25
describe KAM_LENS       Amazing Lens Scam

#HONOR           
body    __KAM_HONOR1     /greatest thing of your life/i 
header  __KAM_HONOR2     Subject =~ /Congrats, on the honor/i
body    __KAM_HONOR3     /profession women/i
body    __KAM_HONOR4     /invitation/i

meta     KAM_HONOR       __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score    KAM_HONOR       6.25
describe KAM_HONOR       Professional Network Scam

#Rule Dev
#Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output. 
#uri     __ALL_URI   /.*/
#tflags  __ALL_URI   multiple

#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
header   __KAM_BAD_UTF8_1               Content-Type =~ /text\/html; charset=\"utf-8\"/i
header   __KAM_BAD_UTF8_2               Content-Transfer-Encoding =~ /base64/i
full     __RW_BAD_UTF8_3                /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si

meta    KAM_BAD_UTF8    (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score   KAM_BAD_UTF8    14.0
describe KAM_BAD_UTF8   Bad Content Type and Transfer Encoding that attempts to evade SA scanning

#DEATH           
body    __KAM_DEATH1     /prevent early.death/i
header  __KAM_DEATH2     Subject =~ /(early|unexpected).death/i
body    __KAM_DEATH3     /Eating this|before it.?s too late/i
body    __KAM_DEATH4     /heart.(attack|stops)/i

meta     KAM_DEATH       __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score    KAM_DEATH       6.25
describe KAM_DEATH       Supplement Scam

#REWARD           
body    __KAM_REWARD1     /walgreens|ikea|sephora|sams.?club/i
header  __KAM_REWARD2     Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header  __KAM_REWARD3     Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
header  __KAM_REWARD4     From =~ /ikea|sephora|shopper|walgreen|sale/i

meta     KAM_REWARD       __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score    KAM_REWARD       5.25
describe KAM_REWARD       Coupon Scam

#PACKAGE           
body    __KAM_PACKAGE1     /dysfunction|\dx longer/i
body    __KAM_PACKAGE2     /sexual.performance|longer.in.bed/i
header  __KAM_PACKAGE3     Subject =~ /sex/i
header  __KAM_PACKAGE4     From =~ /function|fivex/i

meta     KAM_PACKAGE       __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score    KAM_PACKAGE       4.25
describe KAM_PACKAGE       Sexual Enhancement Scam

#NUM
header  KAM_NUMSUBJECT          Subject =~ /\d+$/
score   KAM_NUMSUBJECT          0.5
describe KAM_NUMSUBJECT         Subject ends in numbers

#BAD PDF
header          KAM_MGCS        Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+/i
score           KAM_MGCS        10.0
describe        KAM_MGCS        Boundary Content Indicative of Ratware

#NetWeaver
header          KAM_NW          X-Mailer =~ /SAP NetWeaver/i
score           KAM_NW          3.0
describe        KAM_NW          Spam Indicator

#STOCKTIP OBFU
body            __KAM_STOCKOBFU1        /make up the \d letter symbol/i
body            __KAM_STOCKOBFU2        /first letter/i
header          __KAM_STOCKOBFU3        Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i

meta            KAM_STOCKOBFU           (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe        KAM_STOCKOBFU           Stock Spam Tips that are being sneaky
score           KAM_STOCKOBFU           4.5

#FAKE BBB/FLSA NOTICES
header          __KAM_FAKEBBB1          Subject =~ /(incident:|case:)?[\d:;]{5}/i
body            __KAM_FAKEBBB2          /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|BBB)/i
body            __KAM_FAKEBBB3          /(complaint|compliant|Abuse) ID/i
body            __KAM_FAKEBBB4          /(incident:|case:)[\d:;]{6,}/i

meta            KAM_FAKEBBB             (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe        KAM_FAKEBBB             Fake Notices for Various Business Violations
score           KAM_FAKEBBB             12.0

#HOWRU
#header         __KAM_HOWRU1            Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body            __KAM_HOWRU2            /My name is|what's your name|ask your name|keep company with you/i
body            __KAM_HOWRU3            /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
body            __KAM_HOWRU4            /gmx.com|rambler.ru/i

meta            KAM_HOWRU               (__KB_WAM_SUBJECT_HELLO_ONLY +  __KAM_HOWRU2 +  __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe        KAM_HOWRU               Female Chat Scam
score           KAM_HOWRU               8.0

# 2017-11-01, note 56146

body __KAM_DOMAIN_SALE1  /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2  /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3  /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4  /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i

body __KAM_INTRUDE  /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i

meta KAM_DOMAIN_SALE_2  (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)

meta KAM_DOMAIN_SALE_3  (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)

score KAM_DOMAIN_SALE_2  3.0
score KAM_DOMAIN_SALE_3  1.0

meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)

score KAM_DOMAIN_SALE_INTRUDE  1.0

describe  KAM_DOMAIN_SALE_2        Domain Selling Spam
describe  KAM_DOMAIN_SALE_3        Domain Selling Spam
describe  KAM_DOMAIN_SALE_INTRUDE  Domain Selling Spam

# 2017-11-08, lonely russian women Whack-A-Mole

# Likely Overlap with HOWRU rules, similar target.  No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.

header   __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /[a-z]+$/i
header   __KB_WAM_SUBJECT_HELLO_ONLY   Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i

meta KB_WAM_LONELY_WOMEN    (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)

score KB_WAM_LONELY_WOMEN   5.0
describe KB_WAM_LONELY_WOMEN  Lonely Women Scam of the Day

body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you)\b/i

#meta KB_WAM_OVERLAP  ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP  -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset

#EOF