1 #KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
3 #Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
4 # Bill Cole & Giovanni Bechis
6 #Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
7 # at https://raptor.pccc.com/raptor.cgim?template=report_problem
9 #HomePage: http://www.mcgrail.com/downloads/KAM.cf
12 #Installation: There are multiple files that make up the KAM ruleset including
13 #heavyweight, deadweight, & nonKAMrules. The KAM ruleset is now a channel!
15 #Please see https://mcgrail.com/template/kam.cf_channel for more information
18 #The ruleset includes internal rules so not every rule will be useful but
19 #we encapsulate those in a KAMOnly defined loop.
21 #KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity. Donations
22 #are appreciated. See www.mcgrail.com for more information on donations and
25 #THANK YOU TO OUR SPONSORS (in Alphabetical Order):
26 #cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
29 #This is a collection of special rules that I have developed and use on my system.
31 #The exact date is lost to the sands of time but we have been publishing this
32 #ruleset since at least May 2004.
34 #They are intended as live research for committal to SpamAssassin's SVN sandbox but
35 #often rely on my corpora so they do not fair well in masschecks.
37 #You are welcome and encouraged to email me directly regarding suggestions.
39 #To avoid being caught by our filters, False positives and negatives should be
40 #submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
42 #I believe the rules are safe and they are in use on production systems so I will
43 #do my best to respond to FPs *especially* if you can send me an email sample.
45 #IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.
48 #It is best to save an email sample in mbox format and zip it to attach to get
49 #around my filters. It is sometimes best to send samples in a second email so I
50 #know to go looking for it in my spam folders.
52 #NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
54 # - I don't view many of my rules as single rules as I typically use meta rules.
55 # I view meta rules as multiple rules hence a larger score is acceptable.
57 # - Some content needs to be blocked either due to large number of complaints or
58 # for content. For example, the sexually explicit items and the stock tips.
59 # FPs in these rules will be quickly addressed.
61 #Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
63 # Licensed under the Apache License, Version 2.0 (the "License");
64 # you may not use this file except in compliance with the License.
65 # You may obtain a copy of the License at
67 # http://www.apache.org/licenses/LICENSE-2.0
69 # Unless required by applicable law or agreed to in writing, software
70 # distributed under the License is distributed on an "AS IS" BASIS,
71 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
72 # See the License for the specific language governing permissions and
73 # limitations under the License.
75 # COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
76 body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
78 rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
80 meta KAM_MM_FOREX __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
81 score KAM_MM_FOREX 2.5
82 describe KAM_MM_FOREX Polish-language spam from the Forex botnet
85 rawbody KAM_PHISH1 /u style="cursor: pointer"/
86 describe KAM_PHISH1 Test for PHISH that changes the cursor
89 header __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank|support/i
90 body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert|suspended/i
91 body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed|owner of this account/i
93 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
94 mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
97 meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
99 describe KAM_PHISH4 Another phishing attempt
101 #KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
102 body __KAM_REAL1 /(^|\b)RE market/is
103 body __KAM_REAL2 /(crashing|declining)/i
104 body __KAM_REAL3 /(vacation|second) (home|place)/is
105 meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
106 describe KAM_REAL Real Estate or Re-Finance Spam
109 #REFINANCE SCAM EMAILS
110 header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
111 body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
112 body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
113 body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
114 body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
115 body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
116 body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
117 header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
119 meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
120 describe KAM_REFI Real Estate / Re-Finance Spam
123 meta KAM_REFI2 (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
124 describe KAM_REFI2 Real Estate / Re-Finance Spam
128 body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
129 header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
130 body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is
132 meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
133 describe KAM_DEBT Debt eradication spams
136 meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
137 describe KAM_DEBT2 Likely Debt eradication spams
140 #XtraSize+ Penis Enlargement Scam
141 header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
142 body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i
144 meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
146 describe KAM_SILD Simple rule to block one more enhancement message
149 #if (version < 3.002000)
150 # #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
151 # #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
152 # header __KAM_NUMBER1 Subject =~ /^\d+$/
153 # body __KAM_NUMBER2 /\d{1,6}/
154 # header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
156 # meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
157 # describe KAM_NUMBER Silly Number Emails
158 # score KAM_NUMBER 1.0
161 #KAM MEDICATION KAM_OVERPAY
162 body KAM_OVERPAY /O . V . E . R . P . A . Y/i
163 describe KAM_OVERPAY Common Medicinal Ad Trick
164 score KAM_OVERPAY 3.5
166 #VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
167 replace_rules __KAM_VIAGRA2
169 body __KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
170 header __KAM_VIAGRA2 Subject =~ /<V1><I1><A1><G1><R1><A1>/i
172 meta KAM_VIAGRA1 (__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
173 describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
174 score KAM_VIAGRA1 3.0
177 body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
178 describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
179 score KAM_VIAGRA2 3.1
181 #VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
182 #body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
183 #describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
184 #score KAM_VIAGRA3 3.1
187 body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
188 body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
189 body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
191 # FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
192 # FP for Via Great thanks to Shane Williams
193 body __KAM_VIAGRA_FPS /via gre?a|i augur/i
195 meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
196 describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
197 score KAM_VIAGRA4 3.1
200 body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
201 describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
202 score KAM_VIAGRA5 3.1
205 #Switch to [-_\. ]? to avoid FP's reported by Robin Tan
206 #Also added a few more boundary checks thanks to Daniele Duca
207 body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
208 body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
209 body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
210 body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
211 header __KAM_VIAGRA6E From =~ /(Viagra|Cialis)(\b|$)/i
213 meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
214 describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
215 score KAM_VIAGRA6 3.1
217 #VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
218 body __KAM_VIAGRA7A /V[ij]+AGRA/i
219 body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
220 body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
221 body __KAM_VIAGRA7D /VAL[ij]+UM/i
223 meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
224 describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
225 score KAM_VIAGRA7 3.1
228 body __KAM_VIAGRA8A /VI...?AGRA/i
229 body __KAM_VIAGRA8B /AM...?BIEN/i
230 body __KAM_VIAGRA8C /VA...?LIUM/i
231 body __KAM_VIAGRA8D /CI...?ALIS/i
233 meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
234 describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
235 score KAM_VIAGRA8 5.1
238 body __KAM_VIAGRA9A /V[IL1]A..GRA/i
239 body __KAM_VIAGRA9B /AMB..IEN/i
240 body __KAM_VIAGRA9C /VAL..IUM/i
241 body __KAM_VIAGRA9D /C[IL1]A..LIS/i
243 meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
244 describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
245 score KAM_VIAGRA9 5.1
247 #VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
248 header __KAM_VIAGRA10A From =~ /male enhancement|mens.renewal/i
249 header __KAM_VIAGRA10B Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i
251 meta KAM_VIAGRA10 (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
252 describe KAM_VIAGRA10 Male enhancement spam with no content
253 score KAM_VIAGRA10 8.0
255 #NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
256 header __KAM_NITROXIN1A From =~ /nitroxin/i
258 meta KAM_NITROXIN1 (__KAM_NITROXIN1A >= 1)
259 describe KAM_NITROXIN1 Another variant of Viagra spam
260 score KAM_NITROXIN1 8.0
263 #NOTE: Thanks to Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
264 header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
265 describe KAM_RE Subject of Re[0]: etc prevalent in Spam
268 meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
269 describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
270 score KAM_RE_PLUS 4.0
273 #RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
274 #Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
275 #thansk to Michael Denney for the FP report
276 header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
277 rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
278 body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is
280 meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
281 describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
286 ##1 through 120 disabld 5-12-2014 due to age
287 ##body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
288 ##body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
289 ##body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
290 ##body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
291 ##body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
292 ##body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
293 ##body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
294 ##body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
295 ##body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
296 ###THANKS TO HOMER PARKER FOR THE FALSE POSSITIVE NOTE!
297 ##body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
298 ##body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
299 ##body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
300 ##body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
301 ##body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
302 ##body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
303 ##body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
304 ##body __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
305 ###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
306 ##body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
307 ##body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
308 ##body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
309 ##body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
310 ##body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
311 ##body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
312 ##body __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
313 ##body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
314 ##body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
315 ##body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
316 ##body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
317 ##body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
318 ##body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
319 ##body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
320 ##body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
321 ##body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
322 ##body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
323 ##body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
324 ##body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
325 ##body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
326 ##body __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
327 ##body __KAM_STOCKTIP39 /Premium Petroleum/is
328 ##body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
329 ##body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
330 ##body __KAM_STOCKTIP42 /DPEK/i
331 ###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
332 ##body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
333 ##body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
334 ##body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
335 ##body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
336 ##body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
337 ###DISABLED DUPLICATE OF 40
338 ###body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
339 ##body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
340 ##body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
341 ##body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
342 ##body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
343 ##body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
344 ##body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
345 ##body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
346 ###FP FIXED THANKS TO Homer Parker
347 ##body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
348 ###FP FIXED THANKS TO Homer Parker
349 ##body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
350 ##body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
351 ##body __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
352 ##body __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
353 ##body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
354 ##body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
355 ##body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
356 ##body __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
357 ##body __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
358 ###DISABLED FOR FALSE POSITIVES AND AGE
359 ###body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
360 ##body __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
361 ##body __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
362 ###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
363 ##body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
364 ##body __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
365 ##body __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
366 ##body __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
367 ##body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
368 ##body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
369 ###FP FIXED THANKS TO Christopher X. Candreva
370 ##body __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
371 ##body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
372 ##body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
373 ###FP FIXED THANKS TO Homer Parker
374 ##body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
375 ##body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
376 ##body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
377 ##body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
378 ##body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
379 ##body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
380 ##body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
381 ##body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
382 ##body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
383 ##body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
384 ##body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
385 ##body __KAM_STOCKTIP89 /UTEV/i
386 ##body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
387 ##body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
388 ##body __KAM_STOCKTIP92 /CBRJ/i
389 ##body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
390 ##body __KAM_STOCKTIP94 /GTAP/i
391 ##body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
392 ###FP FIXED THANKS TO BRETT GARRETT
393 ##body __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
394 ##body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
395 ##body __KAM_STOCKTIP98 /PLMA/i
396 ##body __KAM_STOCKTIP99 /CDYV/i
397 ##body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
398 ###Added boundary check thanks to Michael Denney
399 ##body __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
400 ##body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
401 ##body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
402 ##body __KAM_STOCKTIP104 /ASVP/is
403 ##body __KAM_STOCKTIP105 /CHVC/is
404 ##body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
405 ##body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
406 ##body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
407 ##body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
408 ###DUPLICATED STOCKTIP #51
409 ###body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
410 ##body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
411 ###FP Fixed thanks to Greg Troxel
412 ##body __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
413 ##body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
414 ###FP FIXED THANKS TO Antonio Falzarano
415 ##body __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
416 ##body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
417 ##body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
418 ##body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
419 ###FALSE POSITIVE ON DANSREALESTATE.
420 ##body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
421 ##body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
422 ##body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
424 body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
425 body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
426 body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
427 body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
428 body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
429 body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
430 body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
431 #FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
432 body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
433 body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
434 body __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
435 #Added boundary check thanks to Michael Denney
436 body __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
437 body __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
438 body __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
439 body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
440 body __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
441 body __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
442 body __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
443 body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
444 body __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
445 body __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
446 #FP IN French email on 3/2/2017
447 #body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
448 body __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
449 body __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
450 body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
451 body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
452 body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
453 #FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
454 body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
455 body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
456 body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
457 body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
458 body __KAM_STOCKTIP151 /Alanco Tech/i
459 body __KAM_STOCKTIP152 /Siga Resources/i
460 body __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
461 body __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
462 body __KAM_STOCKTIP155 /Alanco Technologies/is
463 body __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
464 #body __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
465 body __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
466 body __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
467 body __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
468 body __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
469 body __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
470 body __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
471 body __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
472 body __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
473 body __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
474 body __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
475 body __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
476 body __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
479 body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
480 body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
481 body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
482 body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
483 body __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
484 body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
485 header __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
486 body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
487 body __KAM_INSTOCK /in stock/i
489 # ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
490 meta KAM_STOCKTIP (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
492 describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
493 score KAM_STOCKTIP 7.1
495 #KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
496 body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
497 score __KAM_STOCK3 0.1
498 describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol
501 meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
502 describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
503 score KAM_STOCKGEN 1.5
506 body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
507 body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
508 body __KAM_STOCK2_3 /stock/i
509 body __KAM_STOCK2_4 /trader|investor|analyst|royalties/i
510 header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
511 header __KAM_STOCK2_6 From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i
513 meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
515 describe KAM_STOCK2 Another Round of Pump & Dump Stock Scams
518 body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
519 body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
521 body __KAM_JUDGE3 /collect your money/is
522 body __KAM_JUDGE4 /judgment/i
524 header __KAM_JUDGE5 Subject =~ /judgment/i
526 meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
527 describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
531 body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
532 body __KAM_MED2 /\d\d ?%/
534 describe KAM_MED Economizing your meds spam
535 meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
538 #MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
539 header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
541 describe KAM_MED2 More Medical SPAM
542 meta KAM_MED2 (__KAM_MED2_1 >= 1)
546 header __KAM_TIME1 Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
549 body __KAM_TIME2 /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
550 header __KAM_TIME3 Subject =~ /(\b|^)(time|watch)(\b|$)/i
551 body __KAM_TIME4 /(\b|^)(time|watch)(\b|$)/i
552 body __KAM_TIME5 /(funny|low) price|treat.yourself/i
553 #REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
554 body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
557 meta KAM_TIME __KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
558 describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
561 meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
562 describe KAM_TIMEGEO Email references geocities & wrist watch sales
563 score KAM_TIMEGEO 3.5
566 body __KAM_HOME1 /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
567 body __KAM_HOME2 /Build your equity faster|refund is not reversible|rent.to.own/i
568 body __KAM_HOME3 /tax saving plans|\d+K Mortgage Credit|no.more.of/i
569 header __KAM_HOME4 From =~ /rent.?and.?own|rent.own.list/i
570 header __KAM_HOME5 Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i
572 meta KAM_HOME (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
573 describe KAM_HOME Mortage & Refinance Spam Rule
577 body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
578 body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
579 body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
580 body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
581 body __KAM_UNIV5 /novelty (degree|use)/is
582 body __KAM_UNIV6 /verifiable University Degree/is
583 body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
584 body __KAM_UNIV8 /Career Path/is
585 body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
586 body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
587 body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
588 body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
589 body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
590 body __KAM_UNIV14 /(earn a|full) transcript/is
591 body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
592 body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
593 header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
594 body __KAM_UNIV18 /100% discrete/is
596 body __KAM_UNIV1B /\d (months|weeks)/i
597 body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
598 body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
599 body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
600 body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
601 body __KAM_UNIV6B /DIP\sLOMA/
603 meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
604 describe KAM_UNIV Diploma Mill Rule
608 body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
609 body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
610 body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
612 body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
613 body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
614 body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
615 body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
617 header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
618 header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
620 meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
622 describe KAM_URUNIT Recent penile and body enhancement spams
626 body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
627 body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
628 body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
629 body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
630 body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
632 meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
633 describe KAM_URZEST Recent penile and body enhancement spams
637 body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
638 body __KAM_JOB2 /twice as much/is
640 meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
641 describe KAM_JOB People let go, work at home, earn billions!
645 body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
646 describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
647 score KAM_PERPARK 2.5
650 body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
651 describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
654 #PUMP & DUMP STOCK GRAPHICS
655 header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
656 header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
657 meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
658 describe KAM_STOCKG Graphical Pump and Dump Scams
662 body __KAM_CEP1 /Job Prospect Newsletter|training.workshop/i
663 body __KAM_CEP2 /legitimate verifiable degree|build a better you|domain.knowledge/i
664 body __KAM_CEP3 /Career Education program|customize a learning program|certified.instructor/i
665 body __KAM_CEP4 /(MBA|CEP)/
666 body __KAM_CEP5 /degree\/certificates|certification/i
667 body __KAM_CEP6 /\d (week|month)/i
668 header __KAM_CEP7 From =~ /certificate program/i
670 meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
671 describe KAM_CEP CEP Diploma Mill Rule
675 #Commented since 3.2.0 is pretty old now
676 #if (version < 3.200000)
677 # #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
678 # #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
679 # meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
680 # describe KAM_BLANK01 Blank emails
681 # score KAM_BLANK01 1.0
683 # #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
684 # meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
685 # describe KAM_BLANK02 Blank emails with MTA Headers
686 # score KAM_BLANK02 1.0
690 # Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
691 uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
692 describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
693 score KAM_GEO_STRING2 4.7
696 uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
697 describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
698 score KAM_GOOGLE_STRING 1.0
700 #MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
701 uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
702 describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011
703 score KAM_MSNBR_REDIR 5.0
706 uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
707 uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
708 meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
709 describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
710 score KAM_MSN_STRING 2.5
712 #KAM LIVEJOURNAL SPAM
713 uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
714 meta KAM_LIVE (__KAM_LIVE1)
715 describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
718 #KAM PAGE.TL SPAM - idea from Benny Pedersen
719 uri __KAM_PAGE1 /^http:\/\/.{0,20}\.(page\.tl)/i
720 meta KAM_PAGE (__KAM_PAGE1)
721 describe KAM_PAGE Page.TL likely spam (Nov 2011)
724 # This rule is to mark emails using the exploit of the URI parsing
725 uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
726 describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
727 score KAM_URIPARSE 7.0
729 #Ebay Closed their Redirector - Disabled 4-9-05
730 # This rule is to mark emails using the exploit of the eBay redirector
731 #uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
732 #describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
733 #score KAM_EBAYREDIR 7.0
735 # Rule based on Kelson Vibber's MD code for bogus AOL Addresses
736 # Check for bogus AOL addresses as described at
737 # http://postmaster.aol.com/faq/mailerfaq.html#syntax
738 # - all alphanumeric, starting with a letter, from 3 to 16 characters long.
741 #What is the correct syntax for AOL e-mail addresses?
742 #The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
743 #Valid AOL e-mail addresses can not:
744 #Be shorter than 3 or longer than 16 characters.
746 #Contain punctuation of any kind (such as periods, underscores, or dashes).
750 #2017-10-24 upon evidence that AOL no longer follows their syntax.
751 #Awaiting an updated version however KAM predicts that with the merger that this
752 #is likely to accommodate other systems like Verizon coming under the same infrastructure.
755 #THANKS to Angel from 16bits for this research:
756 #Based on tests at https://i.aol.com/reg/signup shows:
760 #a) "Be shorter than 3"
761 # This is being enforced: «Please make sure that the username field is at
762 #least 3 characters long
764 #b) or longer than 16 characters.
765 #The userName field has a maxlength of 32
766 #(intriguingly, there's also a hidden usernameEmail of up to 97
769 #c) Begin with numbers.
770 #This is being enforced «Your username must begin with a letter.»
772 #d) Contain punctuation of any kind (such as periods, underscores, or
774 #Both periods and underscores are accepted (they are even offered in the
775 #dropbox), dashes are not.
776 #«Your username may not contain characters such as @, !, * or $.»
778 #Periods and underscores may not begin or end the username, or be
779 #consecutive (not between themselves), ie. these two characters may only
780 #appear when surrounded by alphanumeric ones.
782 #(this condition for periods actually comes from rfc5321, assuming you
783 #want to avoid quoting the local part)
786 #Basically, it seems they added . and _ to the allowed characters, and
787 #doubled the username size.
790 #The error messages at
791 #https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
793 #"Please make sure that the username field is at least 3 characters
796 #"Your username may not exceed "+regPageData.snMax+" characters."
797 #"Your username must begin with a letter."
798 #"Your username may not contain characters such as @, !, * or $.",
799 #"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
800 #"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
801 #"Usernames cannot end with a dot (.) or underscore (_)."
802 #"Usernames cannot have consecutive dots (..) or underscores (__)."
804 #"Please make sure that the email address is at least 3 characters long."
805 #"Your email address may not exceed 97 characters."
807 #Missed updating the length to 32. Fixed thanks to Ramon Medina
809 header __KAM_AOL From:addr =~ /\@aol\.(com|co\.uk)/i
811 # username portion must be between 3 & 32 chars, starting with a letter
812 header __KAM_GOODAOL1 From:addr =~ /^[a-z].{2,32}\@aol\.(com|co\.uk)/i
814 # certain punctuation not allowed - This is likely not exhaustive
815 header __KAM_BADAOL1 From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/
816 # no consectutive periods or underscores
817 header __KAM_BADAOL2 From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/
818 # cannot end with . or underscore
819 header __KAM_BADAOL3 From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i
821 meta KAM_BADAOL (__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
822 describe KAM_BADAOL Invalid AOL Address
825 meta KAM_GOODAOL __KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL) && SPF_PASS
826 describe KAM_GOODAOL Valid AOL Email Address
827 score KAM_GOODAOL -1.0
829 # Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
830 header KAM_ADV_EMAIL From:addr =~ /adv\@/i
831 describe KAM_ADV_EMAIL Marks adv@<domain.com> Addresses as likely SPAM
832 score KAM_ADV_EMAIL 5.0
834 #SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
835 header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
836 #EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
837 header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret/i
839 #TRYING TO GET RID OF FPs WITH LAST NAMES
840 header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school of squirt)|hookup.?alert|horny|bedroom.?partner|hookup.?online|lovely.?asian/i
842 #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
843 body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls in your city/i
844 #remove f\#ck for FPs
846 header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
848 body __KAM_SEX_EXPLICIT6 /virus on a porn web/i
850 meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
851 describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
852 score KAM_SEX_EXPLICIT 16.0
854 #SOLICITING AFFAIR SPAM
855 header __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
856 header __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
857 rawbody __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
858 rawbody __KAM_SEX_AFFAIR4 /looking.for.affair/i
860 meta KAM_SEX_AFFAIR (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
861 describe KAM_SEX_AFFAIR Subject or body soliciting an affair
862 score KAM_SEX_AFFAIR 8.0
865 body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
866 body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
867 body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
868 body __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
869 body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
870 body __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
871 header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
872 header __KAM_TELEWORK8 From =~ /training|online/i
874 meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
875 describe KAM_TELEWORK Stupid telework and training scams
876 score KAM_TELEWORK 3.0
878 #Changed to meta 2017-10-17
879 #2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
880 #2019-11-24 - Removed .bid for FPs
881 #2020-06-04 - Added FP check for td.date and div.top
882 #2020-08-23 - Added guru
883 #2021-08-14 - Thanks to Giovanni for the new regex and Kenneth Porter for the FP for things that ended in one of the TLDs but wasn't part of the domain
884 #2021-08-25 - Added a FP fix for date with { from programming discussions
885 header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar|sbs)$/i
886 uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar|sbs)($|\/|\:)/i
889 uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
890 body __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF /\.date ?\{/i
892 meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE))
893 describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa, .online, .cam, .shop, .bar, .club, .sbs & .date TLD Abuse
894 score KAM_SOMETLD_ARE_BAD_TLD 5.0
896 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
897 #ifplugin Mail::SpamAssassin::Plugin::WLBLEval
898 # enlist_addrlist (BADTLDS) *@*.pw
899 # enlist_addrlist (BADTLDS) *@*.stream
900 # enlist_addrlist (BADTLDS) *@*.trade
901 # enlist_addrlist (BADTLDS) *@*.bid
902 # enlist_addrlist (BADTLDS) *@*.press
903 # enlist_addrlist (BADTLDS) *@*.top
904 # enlist_addrlist (BADTLDS) *@*.date
906 # header __KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS')
907 # body __KAM_SOMETLD_ARE_BAD_TLD_URI eval:check_uri_host_listed('BADTLDS')
911 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
914 body KAM_LOCAL_TEST1 /myspamtest12341234/
915 describe KAM_LOCAL_TEST1 This is a unique phrase to trigger a + score
916 score KAM_LOCAL_TEST1 50
918 #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
919 header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
920 describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
921 score KAM_RPTR_FAILED 6.0
923 header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
924 meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
925 describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
926 score KAM_RPTR_SUSPECT 2.45
928 #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
929 header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
930 meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
931 describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
932 score KAM_RPTR_PASSED -1.0
934 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
935 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
936 score KAM_RPTR_MISSING 9.0
939 header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
940 describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
941 score KAM_RPTR_BADHOST 9.0
943 #CUSTOM SCORES THAT KAM LIKES
944 #score SARE_GIF_ATTACH 3.0
945 score CHARSET_FARAWAY_HEADER 1.6
946 score MIME_CHARSET_FARAWAY 1.25
947 score FH_FROM_CASH 2.0
951 score FREEMAIL_ENVFROM_END_DIGIT 1.0
952 score FREEMAIL_REPLYTO 1.0
953 score KHOP_BIG_TO_CC 1.5
954 score URIBL_DBL_SPAM 5.0
955 score AC_HTML_NONSENSE_TAGS 4.0
958 #ENABLING DNSWL - BUG 6668
959 score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
960 score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
961 score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
962 score RCVD_IN_DNSWL_HI 0 -5 0 -5
964 #COMPLETE WHOIS IS DOWN
965 #score __RCVD_IN_WHOIS 0
966 #score RCVD_IN_WHOIS_INVALID 0
967 #score URIBL_COMPLETEWHOIS 0
969 #Custom subject whitelist
970 #header FRANCHISE_JERRY Subject =~ /: (Franchise Application|Request Franchise Information)$/i
971 #score FRANCHISE_JERRY -99.0
972 #describe FRANCHISE_JERRY Jerry's Franchise Application or Request
974 header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
975 describe KAM_INVALID_FROM From header missing host portion
976 score KAM_INVALID_FROM 4.0
978 #RAPTOR ALTERED EMAILS
979 #body __KAM_RAPTOR1 /altered by our Raptor filters/i
980 #header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
982 #meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
983 #describe KAM_RAPTOR PCCC Raptor altered the email
984 #score KAM_RAPTOR 3.5
986 #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
987 score RCVD_IN_NJABL_CGI 0
988 score RCVD_IN_NJABL_MULTI 0
989 score RCVD_IN_NJABL_PROXY 0
990 score RCVD_IN_NJABL_RELAY 0
991 score RCVD_IN_NJABL_SPAM 0
992 score __RCVD_IN_NJABL 0
994 if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
995 dns_query_restriction deny njabl.org
999 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
1000 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
1001 score KAM_RPTR_MISSING 9.0
1005 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
1006 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
1007 score KAM_RPTR_MISSING 9.0
1011 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
1012 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
1013 score KAM_RPTR_MISSING 9.0
1017 header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
1018 describe KAM_BADATTACH Mail contains a bad attachment
1019 score KAM_BADATTACH 15.0
1021 #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
1022 #score URIBL_RHS_DOB 0.0
1025 # no KAMOnly, stub rules
1026 meta KAM_RAPTOR_ALTERED 0
1027 score KAM_RAPTOR_ALTERED 0
1028 meta CBJ_GiveMeABreak 0
1029 score CBJ_GiveMeABreak 0
1030 meta KAM_RPTR_SUSPECT 0
1031 score KAM_RPTR_SUSPECT 0
1032 meta KAM_RPTR_FAILED 0
1033 score KAM_RPTR_FAILED 0
1034 meta KAM_RPTR_PASSED 0
1035 score KAM_RPTR_PASSED 0
1038 #$6c822ecf@ - Idea from Jailer-Daemon on SARE
1039 header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
1040 describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
1041 score KAM_6C822ECF 7.0
1043 #DRILLING & MUST READ - With updates courtesy of Mark Damrose
1044 header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
1045 header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
1047 meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
1048 describe KAM_MUSTREAD Subject indicative of a SPAM message
1049 score KAM_MUSTREAD 1.25
1051 body __KAM_DRILL1 /drilling/i
1052 body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
1053 body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
1054 body __KAM_DRILL4 /(buy today|Check this deal out)/i
1056 meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
1057 describe KAM_DRILL Oil Drilling SPAM
1061 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1063 #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
1064 header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
1065 describe KAM_IFRAME Email contained Iframe, Object or Script tags
1066 score KAM_IFRAME 1.0
1068 body KAM_IFRAME2 /you need a browser with javascript/i
1069 describe KAM_IFRAME2 Email contains phrase instructing javascript use
1070 score KAM_IFRAME2 1.0
1072 meta KAM_IFRAME3 (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
1073 score KAM_IFRAME3 5.0
1074 describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
1077 header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
1078 meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
1080 describe KAM_XEROX Likely Fake Xerox Attachment
1083 # no KAMOnly, stub rules
1088 #STUPID REMOVE "*" to make the link working.
1089 body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
1091 meta KAM_STAR (__KAM_STAR1 >= 1)
1092 describe KAM_STAR Stupid Obfuscated Link SPAMs
1095 #IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME.
1096 body __KAM_SPAMKING1 /This advertisement is presented by/is
1097 body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
1098 body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
1099 body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
1100 body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
1101 body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
1103 meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
1104 describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
1105 score KAM_SPAMKING 1.0
1107 #THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
1108 header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
1109 describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
1110 score KAM_SPAMJDR 2.0
1112 meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
1113 describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
1114 score KAM_COMBOJDR 5.0
1117 body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
1119 body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is
1121 body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
1123 body __KAM_LOTTO4 /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
1125 body __KAM_LOTTO5 /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
1127 body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is
1129 header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
1131 header __KAM_LOTTO8 From =~ /Lottery|powerball|western.union/i
1133 header __KAM_LOTTO9 Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
1135 meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
1136 describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
1137 score KAM_LOTTO1 0.75
1139 meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
1140 describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
1141 score KAM_LOTTO2 1.25
1143 meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
1144 describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
1145 score KAM_LOTTO3 3.0
1147 #ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
1148 header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
1149 body __KAM_ABOUT2 /Spyware/i
1151 meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
1152 describe KAM_ABOUT Email Scam Hawking Anti-Spyware
1156 body __KAM_ADVERT1 /email advertising|\d{3}%.roi/is
1157 body __KAM_ADVERT2 /instant traffic (to your website|and sales)|demand.generation/is
1158 body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
1159 header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i
1161 meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
1162 describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
1163 score KAM_ADVERT 2.5
1166 body KAM_ADVERT3 /AllExpiringDomains.com/i
1167 describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
1168 score KAM_ADVERT3 5.0
1171 body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment|share your contact/is
1172 describe KAM_ADVERT2 This is probably an unwanted commercial email...
1173 score KAM_ADVERT2 0.75
1175 #ONE LINE ADVERTISEMENTS
1176 body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
1177 header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
1179 meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
1180 describe KAM_1LINE One liner SPAMs
1184 body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
1185 describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
1186 score KAM_CANSPAM 1.0
1189 body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
1190 body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
1191 body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
1192 body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
1193 body __KAM_GIFT5 /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
1194 header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i
1196 meta KAM_GIFT ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
1197 describe KAM_GIFT Gift Card Scams
1200 meta KAM_GIFT2 ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
1201 describe KAM_GIFT2 Gift Card Scams
1205 body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
1206 body __KAM_SHOP2 /Do you like to shop/is
1207 body __KAM_SHOP3 /make money while you shop/is
1208 meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
1209 describe KAM_SHOP Mystery Shopper Scams
1213 rawbody __KAM_FAST1 /make fast cash in real estate/is
1214 meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
1215 describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
1219 body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
1220 header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
1221 header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
1223 meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
1224 describe KAM_BIZ Free Business Card Emails
1228 body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
1229 body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
1230 body __KAM_FDA3 /FDA Recall/i
1232 meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
1233 describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
1237 body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
1238 body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
1239 header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
1240 #rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
1241 header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i
1243 #ANATRIM / GREEN TEA / CORTITHERM / ETC
1244 body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
1245 header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i
1247 meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
1248 describe KAM_ANA Likely Weight-loss / Medical Spam
1251 meta KAM_ANA2 (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
1252 describe KAM_ANA2 Higher probability of Weight-loss / Medical Spam
1256 body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
1257 body __KAM_REP2 /www\s+[-!~\.]/i
1259 body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
1260 body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
1262 body __KAM_REP3_1 /\*omit empty spaces/is
1263 body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
1265 meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
1266 describe KAM_REPLACE Spams that use obfuscated URLs with instructions
1267 score KAM_REPLACE 2.0
1269 #EVEN MORE NIGERIAN SCAMS AND VARIANTS
1270 body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
1271 body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
1272 body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
1273 body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
1274 body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i
1276 meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
1277 describe KAM_NIGERIAN Nigerian Scam and Variants
1278 score KAM_NIGERIAN 2.5
1281 body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
1282 body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
1283 body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
1284 body __KAM_LIKE4 /HTML code for the link/is
1285 body __KAM_LIKE5 /I apologize if this message was sent, in error/is
1287 meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
1288 describe KAM_LIKE I like your website link exchange spam
1291 #PUBLICLY AVAILABLE LISTS?
1292 body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
1293 describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
1294 score KAM_PUBLIC 9.0
1296 #SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
1297 body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
1298 body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
1299 header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
1300 body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
1302 describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
1304 meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)
1306 #STUPID PICTURE SPAMS
1307 body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
1308 body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
1309 body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
1310 body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
1311 body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
1313 describe KAM_PIC Share Pictures and Chat SPAM
1315 meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)
1317 #STUPID MAILING LIST SPAMS
1318 body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
1319 body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
1320 body __KAM_LIST3 /price\:|prices for our director/is
1321 body __KAM_LIST4 /(?:database|list|[\d,]+ (total records|e-?mails))/is
1322 body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
1323 header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i
1325 describe KAM_LIST Mailing List Database SPAM
1327 meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)
1329 #YET MORE DRUG SCAMS
1330 body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
1331 body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
1332 rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
1333 body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
1335 describe KAM_DRUG More Viagra, Medicine, et al Scams
1337 meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)
1339 #DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
1340 #Thanks to Jamie for pointing out I missed a 1918 range.
1341 rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)/i
1342 rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
1343 describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
1344 score KAM_BADIPHTTP 2.0
1345 meta KAM_BADIPHTTP (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)
1347 body __KAM_HIDDEN_URI1 /\[DOT\]com/is
1348 body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
1349 meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
1350 describe KAM_HIDDEN_URI URI obfuscation techniques
1351 score KAM_HIDDEN_URI 4.0
1353 #ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
1354 # Thanks to Lucas Rolff for the https idea
1355 rawbody __KAM_INFOUSMEBIZ1 /https?:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
1356 header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
1357 header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i
1359 meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
1360 score KAM_INFOUSMEBIZ 0.75
1361 describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
1363 # OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science, .casa
1364 rawbody __KAM_OTHER_BAD_TLD1 /http:\/\/(?:www.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
1365 header __KAM_OTHER_BAD_TLD2 From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
1366 header __KAM_OTHER_BAD_TLD3 Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i
1368 meta KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
1369 score KAM_OTHER_BAD_TLD 0.75
1370 describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs
1373 #RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
1374 body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
1375 body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
1376 body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
1377 header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
1378 rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i
1380 describe KAM_CARD Trojan or Virus Payload from fake ecard notice
1382 meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)
1384 #INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
1385 header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
1386 body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
1387 header __KAM_INSURE3 From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
1388 body __KAM_INSURE4 /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i
1390 describe KAM_INSURE Life, Health, Auto, etc. Insurance SPAMs
1391 score KAM_INSURE 2.5
1392 meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)
1394 describe KAM_INSURE2 Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
1395 score KAM_INSURE2 2.5
1396 meta KAM_INSURE2 (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)
1399 body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
1400 body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
1401 rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
1402 rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
1403 header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i
1405 describe KAM_HEALTH Health/Life Insurance Spam Emails
1406 score KAM_HEALTH 3.0
1407 meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)
1410 body __KAM_HEALTH2_1 /affordable health coverage/i
1411 header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
1413 describe KAM_HEALTH2 Health Insurance Spam Emails
1414 score KAM_HEALTH2 3.0
1415 meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)
1418 header __KAM_HEALTH3_1 Subject =~ /Term Life Coverage/i
1419 header __KAM_HEALTH3_2 Subject =~ /\d\d\/mo/i
1420 header __KAM_HEALTH3_3 From =~ /fidelity/i
1422 describe KAM_HEALTH3 Term Life Insurance Spam
1423 score KAM_HEALTH3 3.0
1424 meta KAM_HEALTH3 (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)
1426 #REAL ESTATE INVESTMENT SCAMS
1427 body __KAM_REAL2_1 /(?:Property available|on the water|costa rica|mountain.top)/i
1428 body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
1429 body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
1430 body __KAM_REAL2_4 /(?:home sites|raw land|vacation home|wooded.property)/i
1431 body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i
1433 describe KAM_REAL2 Real-estate investment scams
1435 meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)
1437 #BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
1439 ifplugin Mail::SpamAssassin::Plugin::PDFInfo
1440 #Thanks to Ben Lentz for pointing out a lint error with this.
1442 describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
1443 score KAM_BADPDF 2.5
1444 header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
1446 describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
1447 score KAM_BADPDF1 2.5
1448 meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
1450 #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
1451 describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
1452 score KAM_BADPDF2 2.5
1453 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1454 meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
1456 meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
1461 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1462 mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
1463 mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
1466 header __KAM_BADPO3 Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
1468 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1469 meta KAM_BADPO (KAM_RAPTOR_ALTERED + __KAM_BADPO3 >= 2)
1470 describe KAM_BADPO Bad Purchase Orders
1474 meta KAM_BADPO2 (__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)
1475 describe KAM_BADPO2 Bad Purchase Orders
1476 score KAM_BADPO2 5.0
1480 #FAKE PDF READER/WRITE
1481 body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
1482 body __KAM_FAKEPDF2 /Reader 2010/is
1483 header __KAM_FAKEPDF3 From =~ /adobe/is
1484 header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
1486 meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
1487 describe KAM_FAKEPDF Fake PDF Reader / Writer
1488 score KAM_FAKEPDF 4.0
1490 #VACU AND VARIOUS PHISHING SCAMS
1492 header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
1494 body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
1496 rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
1498 body __KAM_PHISH2_4 /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
1499 body __KAM_PHISH2_5 /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
1500 body __KAM_PHISH2_6 /confirm your online banking details|payment.advice|online.fraud|billing.information/i
1501 body __KAM_PHISH2_7 /extra security check|security.tip/i
1503 describe KAM_PHISH2 Prevalent Phishing Scam emails
1504 score KAM_PHISH2 2.0
1505 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1506 meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
1508 meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
1511 #CRAZY HEX EMPTY MESSAGE
1512 body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
1513 header __KAM_HEX2 Subject =~ /^\d{5,6}$/
1515 describe KAM_HEX Crazy Empty Hex Messages
1517 meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)
1519 #THE BAT! MAILER USED TOO MUCH FOR SPAM
1520 # I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
1521 header KAM_THEBAT X-Mailer =~ /The Bat!/i
1522 describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
1523 score KAM_THEBAT 1.9
1526 body __KAM_MAILER1 /{!firstname_fix}/i
1528 meta KAM_MAILER (__KAM_MAILER1 >= 1)
1529 score KAM_MAILER 2.0
1530 describe KAM_MAILER Automated Mailer Tag Left in Email
1532 #YET ANOTHER NIGERIAN SCAM VARIANT
1533 body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
1534 body __KAM_CHECK2 /let me know when you recieve your money/i
1536 describe KAM_CHECK Another Nigerian Bank Draft Scam
1538 meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)
1541 body __KAM_OPRAH1 /airfare/i
1542 body __KAM_OPRAH2 /hotel/i
1543 body __KAM_OPRAH3 /oprah/i
1544 header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
1546 describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
1548 meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)
1551 body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
1552 body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
1553 header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
1555 describe KAM_EBAY SPAMs re: eBay Auction Tips
1557 meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)
1559 #GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
1560 body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
1561 body __KAM_GAS2 /We have a solution|save \d+ cents per gallon|competitive rewards/i
1562 header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
1563 header __KAM_GAS4 From =~ /gas/i
1565 describe KAM_GAS SPAMs re: High Gas Prices
1567 meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)
1569 #WEIRD BODY MESSAGES
1570 body KAM_BODY /{_BODY_HTML}/i
1572 describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting
1574 #FREE TV, SATELLITE, CABLE INTERNET, ETC
1575 body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
1576 body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
1577 header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
1578 header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i
1580 meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
1582 describe KAM_TV Free TV/Cable/etc. Scams
1584 meta KAM_TV2 (KAM_TV + KAM_INFOUSMEBIZ >=2)
1586 describe KAM_TV2 Higher probability of Free TV/Cable/etc. Spams
1589 body __KAM_CAREER1 /Hospitals need you|Medical Billing and Coding|medical.coding/is
1590 body __KAM_CAREER2 /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
1591 body __KAM_CAREER3 /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is
1593 meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
1594 score KAM_CAREER 5.0
1595 describe KAM_CAREER Spam for Career/Diploma Mills
1598 header __KAM_NURSE1 From =~ /nursing|nurses|health.?care/i
1599 header __KAM_NURSE2 Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
1600 body __KAM_NURSE3 /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i
1602 meta KAM_NURSE (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
1604 describe KAM_NURSE Spam for Career/Diploma Mills
1607 header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
1608 body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
1610 meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
1612 describe KAM_PILLS Spam for scam pharmacy
1615 header __KAM_PILLS2_1 From =~ /Enlarge|Men's Supplement/i
1616 header __KAM_PILLS2_2 From =~ /Free Sample/i
1618 meta KAM_PILLS2 (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
1619 describe KAM_PILLS2 Male enhancement spams
1620 score KAM_PILLS2 2.5
1623 body __KAM_ALT1 /reply to my alternative E-?mail/is
1625 meta KAM_ALT (__KAM_ALT1 >= 1)
1627 describe KAM_ALT Requests use of an alternate email which may indicate spam
1631 #AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
1634 header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
1635 body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
1636 header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
1637 header __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i
1639 meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
1640 score KAM_POLITICS 4.5
1641 describe KAM_POLITICS Political E-Mails
1646 header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i
1648 meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1)
1649 score KAM_COMPANY1 5.0
1650 describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be)
1653 body __KAM_COMPANY2_1 /Member Services MGM, LLC/is
1655 meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1)
1656 score KAM_COMPANY2 5.0
1657 describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be)
1659 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
1661 #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
1662 #Thanks to AXB for his help with these!
1666 #These RBL's below can contain domains that can cause collateral damage.
1667 #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
1668 #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
1669 #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
1670 #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
1671 #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
1672 #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
1673 #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com
1675 if (version >= 3.003000)
1676 #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
1677 util_rb_2tld ning.com
1678 util_rb_2tld mygbiz.com
1679 util_rb_2tld web.com
1680 util_rb_2tld onmicrosoft.com
1681 util_rb_2tld online.de
1682 util_rb_2tld wix.com
1683 util_rb_2tld netdna-cdn.com
1684 util_rb_2tld dreamhost.com
1685 util_rb_2tld noip.us
1686 util_rb_2tld mmsend.com
1687 util_rb_2tld cu-portland.edu
1688 util_rb_2tld jimdo.com
1689 util_rb_2tld doesphotography.com
1690 util_rb_2tld isteaching.com
1691 util_rb_2tld googleapis.com
1692 util_rb_2tld a2hosted.com
1693 util_rb_2tld netlify.app
1696 # allow URI rules to look at DKIM headers if they exist and our SA version supports it
1697 if (version >= 3.0040001)
1701 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1703 urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. A 127.0.0.4
1704 body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC')
1705 describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1706 tflags KAM_BODY_URIBL_PCCC net
1707 score KAM_BODY_URIBL_PCCC 9.0
1709 if (version >= 3.004001)
1711 #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
1712 header KAM_FROM_URIBL_PCCC eval:check_rbl_from_domain('pccc-from-uribl', 'wild.pccc.com.', '127.0.0.4')
1713 describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1714 tflags KAM_FROM_URIBL_PCCC net
1715 score KAM_FROM_URIBL_PCCC 9.0
1718 #MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS
1719 urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32
1720 body KAM_BODY_MARKETINGBL_PCCC eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
1721 describe KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
1722 tflags KAM_BODY_MARKETINGBL_PCCC net
1723 score KAM_BODY_MARKETINGBL_PCCC 0.001
1725 if (version >= 3.004001)
1727 header KAM_FROM_MARKETINGBL_PCCC eval:check_rbl_from_domain('pccc-marketing', 'wild.pccc.com.', '127.0.0.32')
1728 describe KAM_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL)
1729 tflags KAM_FROM_MARKETINGBL_PCCC net
1731 score KAM_FROM_MARKETINGBL_PCCC 0.001
1733 meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
1734 describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
1735 score KAM_MARKETINGBL_PCCC 1.0
1739 if (version >= 3.004001)
1740 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1741 #Compromised URI - In Body
1742 urirhssub KAM_BODY_COMPROMISED_URIBL_PCCC wild.pccc.com. A 127.0.1.2
1743 body KAM_BODY_COMPROMISED_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
1744 describe KAM_BODY_COMPROMISED_URIBL_PCCC Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
1745 tflags KAM_BODY_COMPROMISED_URIBL_PCCC net
1746 score KAM_BODY_COMPROMISED_URIBL_PCCC 9.0
1748 #Contains a likely good URI but otherwise compromised by malware/hackers
1749 header KAM_FROM_COMPROMISED_URIBL_PCCC eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
1750 describe KAM_FROM_COMPROMISED_URIBL_PCCC From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
1751 tflags KAM_FROM_COMPROMISED_URIBL_PCCC net
1752 score KAM_FROM_COMPROMISED_URIBL_PCCC 9.0
1754 #Welcome List URI - In Body
1755 urirhssub KAM_BODY_WELCOMELIST_URIBL_PCCC wild.pccc.com. A 127.0.1.8
1756 body KAM_BODY_WELCOMELIST_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
1757 describe KAM_BODY_WELCOMELIST_URIBL_PCCC Body contains URI listed in PCCC Welcome List URIBL (https://raptor.pccc.com/RBL)
1758 tflags KAM_BODY_WELCOMELIST_URIBL_PCCC net
1759 score KAM_BODY_WELCOMELIST_URIBL_PCCC -7.0
1763 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1764 #Received - Currently disabled for more research on FPs
1765 #header KAM_RCVD_URIBL_PCCC eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
1766 #describe KAM_RCVD_URIBL_PCCC Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1767 #tflags KAM_RCVD_URIBL_PCCC net
1768 #score KAM_RCVD_URIBL_PCCC 5.0
1771 #NO SOLUTION - Would make a Good Bugzila for a FR
1773 #Test for any hits on PCCC URIBL Rules
1774 meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1)
1778 #Test for URIBL Black and Spamhaus DBL per discussion ith Alex Broens
1779 meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM)
1780 describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL
1781 score KAM_VERY_BLACK_DBL 5.0
1785 #EMAIL BLACKLIST CHECK FOR PCCC RBL
1786 if (version >= 3.004003)
1787 ifplugin Mail::SpamAssassin::Plugin::HashBL
1788 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1789 header KAM_MESSAGE_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5/max=10/shuffle', 'ALLFROM/Reply-To/body', '^127\.0\.0\.64', 'freemail')
1790 describe KAM_MESSAGE_HASHBL_FREEMAIL Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1791 tflags KAM_MESSAGE_HASHBL_FREEMAIL net
1792 score KAM_MESSAGE_HASHBL_FREEMAIL 6.0
1797 #FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES
1798 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1799 header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\d{3}\@(gmail|hotmail|yahoo)\.com/i
1800 header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\d{5,10}\@(gmail|hotmail|yahoo)\.com/i
1801 meta GB_FREEMAIL_NUM ( __GB_FREEMAIL_NUM0 || __GB_FREEMAIL_NUM1 )
1802 describe GB_FREEMAIL_NUM Freemail spammy address
1803 score GB_FREEMAIL_NUM 1.0
1804 meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY )
1805 describe GB_UNWANTED_FREE_NUM Freemail spammy address and unwanted language
1806 score GB_UNWANTED_FREE_NUM 3.0
1809 #FAKERBL MX RELATED RULES
1810 header __KAM_MX1 Reply-To =~ /\@mx\d+\./i
1811 header __KAM_MX2 Return-Path =~ /\@mx\d+\./i
1812 header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
1813 header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
1814 # Thanks to Markus Clardy for feedback!
1815 header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i
1817 meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
1818 describe __KAM_MX Odd prevalence of mx records associated with the FAKERBL Spammers
1821 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1823 meta KAM_MX (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
1825 describe KAM_MX Spammers and MX Rule
1829 meta KAM_MXINFO (__KAM_MX5)
1830 score KAM_MXINFO 1.0
1831 describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers
1834 body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i
1836 header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i
1839 header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i
1840 header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
1841 body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i
1843 meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
1845 describe KAM_GRASS Spammers hawking lawn products
1847 #PED EGG / BELISI / SKIN PRODUCTS
1848 header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
1849 header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
1850 rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
1851 body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i
1853 meta KAM_SKIN (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
1855 describe KAM_SKIN Spammers hawking skin/medical/foot products
1857 meta KAM_SKIN2 (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
1859 describe KAM_SKIN2 Spammers hawking skin/medical/foot products
1861 #NEW CAR / WARRANTY SCAMS
1862 header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
1863 body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
1864 body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
1865 header __KAM_CAR4 From =~ /warranty|lender|clearance/i
1867 meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
1869 describe KAM_CAR Spammers hawking new car, insurance or warranties
1871 # MORE NEW CAR SPAMS
1872 header __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
1873 header __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
1874 body __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i
1876 meta KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
1877 describe KAM_AUTO Spam for new cars
1880 #HOME WARRANTY SPAMS
1881 header __KAM_WARRANTY1 Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house|have you covered/i
1882 body __KAM_WARRANTY2 /Protect your home|choice home warranty|unexpected repair/i
1883 body __KAM_WARRANTY3 /home warrant|complimentary insurance quote/i
1884 header __KAM_WARRANTY4 From =~ /Choice.?Home.?Warrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i
1886 meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
1887 score KAM_WARRANTY 1.5
1888 describe KAM_WARRANTY Spammers hawking home warranties
1890 meta KAM_WARRANTY2 (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
1891 score KAM_WARRANTY2 3.5
1892 describe KAM_WARRANTY2 Spammers pushing home warranties
1894 meta KAM_WARRANTY3 (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
1895 score KAM_WARRANTY3 1.5
1896 describe KAM_WARRANTY3 Spammers hawking home warranties
1899 header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i
1900 body __KAM_AUGER2 /Awesome Auger/i
1902 meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2)
1904 describe KAM_AUGER Spammers hawking Awesome Augers?!?
1907 header __KAM_MOVIE1 Subject =~ /Movie Extra/i
1908 body __KAM_MOVIE2 /Movie Extra/i
1910 meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
1912 describe KAM_MOVIE Spammers hawking Movie Extra positions
1915 header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i
1916 body __KAM_COLLECT2 /No Fee/i
1917 body __KAM_COLLECT3 /collection professionals/i
1918 body __KAM_COLLECT4 /recovery rate/i
1920 meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
1921 score KAM_COLLECT 5.0
1922 describe KAM_COLLECT Spammers hawking debt collection
1927 header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO/i
1929 body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
1931 body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO/i
1932 tflags __KAM_SEARCH3 nosubject
1934 body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you quote/i
1936 rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|sales manager/i
1938 meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
1939 score KAM_SEARCH 6.0
1940 describe KAM_SEARCH Spammers hawking SEO
1943 header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website/i
1945 body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report/i
1946 tflags __KAM_SEO2 nosubject
1948 body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website/i
1950 body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
1952 body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|proposal for your website/i
1954 body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing/i
1955 # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
1958 meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
1960 describe KAM_SEO Spammers hawking SEO
1962 #ABUSED FREEMAIL ACCOUNTS
1963 #header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
1964 #header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
1965 #meta __KAM_FREEMAIL (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
1968 #header __KAM_LINGERIE1 From =~ /lexi campbell/i
1969 #header __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
1970 #header __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
1971 #body __KAM_LINGERIE4 /Exotic modelling videos/i
1973 #meta KAM_LINGERIE (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
1974 #score KAM_LINGERIE 10.0
1975 #describe KAM_LINGERIE Sexually Explicity Lingerie Spam
1979 header __KAM_WEB1 Subject =~ /Web.?(Design|programming|Development)/i
1981 body __KAM_WEB2 /indian?.based.(web|it)|certified.it.company|offering Website Design/i
1982 tflags __KAM_WEB2 nosubject
1984 body __KAM_WEB3 /Online Marketing (Executive|Consultant)|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i
1986 meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
1988 describe KAM_WEB Web design spams
1990 #DOMAIN NAME AND OTHER RELATED SPAMS
1991 body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
1992 body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
1993 body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
1994 header __KAM_DOMAIN4 From =~ /domain|submit.site/i
1995 #header __KAM_DOMAIN5 Subject =~ /\.com$/i
1997 meta KAM_DOMAIN (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + (__KAM_DOMAIN4 + FREEMAIL_FROM >= 1) >= 3)
1998 score KAM_DOMAIN 8.5
1999 describe KAM_DOMAIN Domain Selling Spams
2001 #MEDICAL TOURISM SPAM
2002 body __KAM_MEDTOUR1 /medical.tourism/i
2003 body __KAM_MEDTOUR2 /lowest cost in India/i
2004 header __KAM_MEDTOUR3 Subject =~ /Medical.Tourism/i
2006 meta KAM_MEDTOUR (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
2007 score KAM_MEDTOUR 3.0
2008 describe KAM_MEDTOUR Medical Tourism Spam
2011 header __KAM_ACNE1 Subject =~ /Proactiv/i
2012 header __KAM_ACNE2 From =~ /Acne/i
2013 body __KAM_ACNE3 /proactiv/i
2014 body __KAM_ACNE4 /Online Gift Rewards/i
2016 meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
2018 describe KAM_ACNE Spammers hawking Acne products
2021 header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i
2022 header __KAM_SOFTWARE2 From =~ /registry/i
2023 body __KAM_SOFTWARE3 /Fix file errors/i
2024 body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i
2026 meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
2027 score KAM_SOFTWARE 5.0
2028 describe KAM_SOFTWARE Spammers hawking Software products
2031 header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
2032 body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director|former.minister|gold.dealer/i
2033 body __KAM_NIGERIAN2_3 /high court|central bank|payment center|customs?.officer/i
2034 body __KAM_NIGERIAN2_4 /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
2035 body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft|oil.and.gas/i
2036 body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
2037 body __KAM_NIGERIAN2_7 /bank|smuggle/i
2038 body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
2039 body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i
2041 meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
2042 score KAM_NIGERIAN2 5.0
2043 describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam.
2046 body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
2047 body __KAM_MEDICAL2 /Safe - Natural - Effective/i
2048 header __KAM_MEDICAL3 From =~ /Medical/i
2049 header __KAM_MEDICAL4 Subject =~ /Medical Billing/i
2051 meta KAM_MEDICAL (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
2052 score KAM_MEDICAL 4.0
2053 describe KAM_MEDICAL Misc medical spam
2056 body __KAM_TINNI1 /TinniFix/i
2057 body __KAM_TINNI2 /Stop the ringing in your ears/i
2058 header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i
2060 meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
2062 describe KAM_TINNI Another Medical Scam
2065 body __KAM_GIVE1 /receive your gift/i
2066 body __KAM_GIVE2 /laptop giveaway|deliver your dell.? laptop/i
2067 body __KAM_GIVE3 /answering a short survey/i
2068 body __KAM_GIVE4 /verify your shipping address/i
2070 meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
2072 describe KAM_GIVE Free stuff "giveaway" scam
2075 header __KAM_GOVT1 Subject =~ /Government Funding/i
2076 body __KAM_GOVT2 /government funding/i
2077 body __KAM_GOVT3 /complimentary information kit/i
2078 body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i
2080 meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
2082 describe KAM_GOVT Your tax dollars at work scam...
2085 meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2)
2087 describe KAM_RBL Higher scores for hitting multiple trusted RBLs
2090 header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i
2092 meta KAM_CNN (__KAM_CNN1 == 1)
2094 describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams
2096 #SNUGGIE BLANKETS / SHAM WOW
2097 header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i
2098 header __KAM_SHAM2 From =~ /Sham ?Wow/i
2099 body __KAM_SHAM3 /ShamWow/i
2100 body __KAM_SHAM4 /20(X| times) its weight/i
2102 meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
2104 describe KAM_SHAM More product scams...
2107 header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
2108 body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i
2109 body __KAM_SANTA3 /the .?perfect.? gift|personalized letter/i
2111 meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
2113 describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam...
2115 #WORK FOR / LEARN GOOGLE
2116 header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
2117 body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
2118 body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
2119 body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i
2120 header __KAM_GOOGLE5 From =~ /Google Money/i
2122 meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
2123 score KAM_GOOGLE 3.5
2124 describe KAM_GOOGLE Google Pyramid Scams
2127 header __KAM_ALARM1 Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
2128 body __KAM_ALARM2 /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
2129 rawbody __KAM_ALARM3 /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
2130 header __KAM_ALARM4 From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i
2132 meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
2134 describe KAM_ALARM Security and Alarm Company Spams
2136 rawbody __KAM_ALARM5 /gaylord/i
2138 meta KAM_ALARM2 (KAM_ALARM && __KAM_ALARM5)
2139 score KAM_ALARM2 2.5
2140 describe KAM_ALARM2 High Probability of Security and Alarm Company Spams
2143 header __KAM_SELL1 Subject =~ /Market Credit Cards/i
2144 body __KAM_SELL2 /Easy Money/i
2145 body __KAM_SELL3 /Selling Credit Cards/i
2147 meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
2149 describe KAM_SELL Selling Cards Marketing Scams
2152 header __KAM_WHITEN1 Subject =~ /whiten your teeth/i
2153 body __KAM_WHITEN2 /whitener/i
2154 body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i
2156 meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
2157 score KAM_WHITEN 3.5
2158 describe KAM_WHITEN Teeth Whitening Scams
2161 body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
2162 body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
2163 body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
2164 header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i
2166 meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
2167 score KAM_URONLINE 4.5
2168 describe KAM_URONLINE Chat Scams
2171 body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
2172 body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
2173 header __KAM_TIMESHARE3 Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
2174 header __KAM_TIMESHARE4 From =~ /Resort.*sales|timeshare/i
2176 meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
2177 score KAM_TIMESHARE 4.0
2178 describe KAM_TIMESHARE Timeshare Scams
2181 body __KAM_AQUA1 /Aqua Globe/is
2182 body __KAM_AQUA2 /watering your plants/is
2183 body __KAM_AQUA3 /while on vacation/is
2184 header __KAM_AQUA4 Subject =~ /Waters your Plants/i
2186 meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
2188 describe KAM_AQUA Spams of yet another product du jour
2191 body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
2192 body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
2193 body __KAM_GEVALIA3 /No Further Obligation/is
2194 header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
2196 meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
2197 score KAM_GEVALIA 3.0
2198 describe KAM_GEVALIA Spams of yet another product du jour
2201 body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
2202 header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
2203 header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i
2205 meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
2207 describe KAM_INK Spams of yet another product du jour
2209 meta KAM_INK2 (KAM_INK + KAM_INFOUSMEBIZ >= 2)
2211 describe KAM_INK2 Spams for Ink refills
2214 body __KAM_PEEL1 /Titan Peeler/is
2215 header __KAM_PEEL2 From =~ /Titan Peeler/i
2216 header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
2218 meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
2220 describe KAM_PEEL Spams of yet another product du jour
2222 #HTML EMAIL REQUIRING IMAGES?
2223 rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is
2226 header __KAM_RAT1_1 From =~ /\@fromname\@/i
2227 header __KAM_RAT1_2 Subject =~ /(\[FName\]|\%\{AUTOVALS)/i
2229 meta KAM_RAT1 (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
2231 describe KAM_RAT1 Variable Replacements Indicative of RatWare/Mass Mailing
2233 body __KAM_RAT2_1 /job description/i
2234 body __KAM_RAT2_2 /dear shopper/i
2235 header __KAM_RAT2_3 From =~ /mystery/i
2237 meta KAM_RAT2 (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
2239 describe KAM_RAT2 Another ratware mistake, uninterpolated text
2242 body __KAM_EGG1 /Egg Genie/is
2243 header __KAM_EGG2 From =~ /Egg Genie/i
2244 header __KAM_EGG3 Subject =~ /medium eggs/i
2246 meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
2248 describe KAM_EGG Spams of yet another product du jour
2251 body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
2252 body __KAM_USB2 /person (that|who) handles the promotions/i
2253 body __KAM_USB3 /usbsmg.com/i
2255 meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
2257 describe KAM_USB USB Promotion Spammer
2260 body __KAM_GRANT1 /government grant/i
2261 body __KAM_GRANT2 /find out if you qualify/i
2262 body __KAM_GRANT3 /discontinue from this promotion/i
2264 meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
2266 describe KAM_GRANT Government Grant Scams
2269 #MEDICINE REFERENCES
2270 body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
2272 body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
2274 header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
2276 body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality|sex with new boys/is
2278 meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
2279 score KAM_SEX04 10.0
2280 describe KAM_SEX04 Sexually Explicit SPAM
2283 meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
2284 score KAM_SEX04_2 2.0
2285 describe KAM_SEX04_2 Likely Sexually Explicit SPAM
2287 #Another Sexually Explicit Email
2288 meta KAM_SEX07 (__KAM_SUBJECT_SINGLEWORD + __KAM_SEX04_4 >= 2)
2290 describe KAM_SEX07 Sexually Explicit SPAM
2293 header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
2294 body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
2296 meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
2298 describe KAM_SEX05 Sexually Explicit SPAM
2300 #FOOTBALL CLUB SPAMS
2301 header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
2302 header __KAM_FOOTBALL2 From =~ /Football/i
2303 body __KAM_FOOTBALL3 /Mercato/i
2304 body __KAM_FOOTBALL4 /Football/i
2306 meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
2307 score KAM_FOOTBALL 4.0
2308 describe KAM_FOOTBALL Spammy Football Club
2310 #DISH NETWORK SPAMS AND OTHER TV SPAM
2311 header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
2312 header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
2313 rawbody __KAM_DISH3 /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i
2315 meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
2317 describe KAM_DISH Dish Network Spams
2319 meta KAM_DISH2 (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
2321 describe KAM_DISH2 Dish Network Spams
2324 header __KAM_IDENTNET1 From =~ /\@identitynetwork.net/i
2325 body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
2327 meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
2328 score KAM_IDENTNET 8.0
2329 describe KAM_IDENTNET Identity Network Spams
2332 #body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
2333 #header __KAM_HONEY2 From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i
2335 #meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
2336 #score KAM_HONEY 12.0
2337 #describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means
2340 header __KAM_DUCHESS1 Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
2341 header __KAM_DUCHESS2 From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
2343 body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
2344 rawbody __KAM_DUCHESS4 /duchess/i
2345 rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
2346 body __KAM_DUCHESS6 /For account number:/i
2348 meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
2349 score KAM_DUCHESS 5.0
2350 describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images
2353 header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
2354 header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
2355 body __KAM_UPS3 /invoice copy attached/i
2357 meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
2359 describe KAM_UPS UPS doesn't send invoices with delivery problem notes
2362 header __KAM_SKYPE1 Subject =~ /Free Calls/i
2363 header __KAM_SKYPE2 Received =~ /releasesourcek.com/i
2364 header __KAM_SKYPE3 From =~ /VOIP News/i
2365 body __KAM_SKYPE4 /Promo Code: \d/i
2367 meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
2369 describe KAM_SKYPE Skype/Voip scams likely to spread malware
2372 rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i
2374 score KAM_OWAPHISH1 6.0
2375 describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing
2377 #MORE DRUG SPAM - 2009-05-03
2378 header __KAM_DRUG2_1 Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i
2380 header __KAM_DRUG2_2 Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i
2382 body __KAM_DRUG2_3 /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i
2384 body __KAM_DRUG2_4 /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i
2386 body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
2388 body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
2390 header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
2392 header __KAM_DRUG2_8 From =~ /aquaflexin/i
2394 meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
2396 describe KAM_DRUG2 More online Drug Scams
2398 meta KAM_DRUG2_2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
2399 score KAM_DRUG2_2 3.0
2400 describe KAM_DRUG2_2 Higher Certainty of Drug Scam
2402 meta KAM_SEXSUBJECT __KAM_DRUG2_1
2403 score KAM_SEXSUBJECT 2.0
2404 describe KAM_SEXSUBJECT Sexually Explicit Subject
2406 #RUSSIAN WIFE/BRIDE SCAMS
2407 header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe|girls)/i
2408 body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
2409 tflags __KAM_WIFE2 nosubject
2410 header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice|hot).?(russian|asian)/i
2412 meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
2414 describe KAM_WIFE Mail order bride scams
2417 header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
2418 body __KAM_PRODUCT2 /phones for discerning individuals/i
2420 meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
2421 score KAM_PRODUCT 3.0
2422 describe KAM_PRODUCT Product scams often used with MSN/Live URIs
2424 #SPACES / LIVE / MSN / ETC. SCAMS
2425 meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
2426 score KAM_LIVEURI2 3.0
2427 describe KAM_LIVEURI2 More online Scams + Known URI
2430 uri KAM_WEBS /.{3,25}\.webs.com/i
2432 describe KAM_WEBS webs.com links used in Spams
2434 #IMAGESHACK SWF Files
2435 uri KAM_BADSWF /imageshack.us\/.{3,25}.swf$/i
2436 score KAM_BADSWF 3.0
2437 describe KAM_BADSWF SWF embedded links in Email Scams
2440 uri KAM_EXEURI /.exe$/i
2441 score KAM_EXEURI 0.5
2442 describe KAM_EXEURI EXE embedded link
2444 #SETTINGS FILE PHISH
2445 header __KAM_SETTING1 Subject =~ /settings file|maintenance!!/i
2446 body __KAM_SETTING2 /security upgrade|Maintenance Process on our email system /i
2447 body __KAM_SETTING3 /settings?.zip/i
2449 meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
2450 score KAM_SETTING 2.5
2451 describe KAM_SETTING Phishing scams w/Setting Files or Webmail
2453 #Fixed small misspelling thanks to Jameel Akari
2454 meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
2455 score KAM_SETTING2 4.0
2456 describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link
2459 header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
2460 header __KAM_FARM2 From =~ /blueberr|tomato|DIY|garden/i
2461 body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
2463 meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
2465 describe KAM_FARM Farming related Spams
2467 #MX URI - Scored lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
2468 uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\.(?!microsoft).{1,40}\..{1,8}/i
2470 describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]
2473 body __KAM_FLASH1 /Flash Player Code: \d\d/i
2474 body __KAM_FLASH2 /Flash Player Update/i
2475 header __KAM_FLASH3 Subject =~ /Flash Player/i
2476 header __KAM_FLASH4 Subject =~ /activation code/i
2477 header __KAM_FLASH5 From =~ /Flash Player/i
2479 meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
2481 describe KAM_FLASH Fake Flash Player Phishing Scam
2485 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2487 body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
2488 header __KAM_ADWORD2 From =~ /adwords.com|salesdirect.com/i
2489 header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
2490 body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
2492 meta KAM_ADWORD (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
2493 score KAM_ADWORD 10.0
2494 describe KAM_ADWORD Fake Adword Campaign notices
2498 #DON NOB & WORK FROM HOME SCAMS
2499 header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
2500 header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
2501 body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
2502 body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
2504 meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
2506 describe KAM_DON Work at Home Scams
2508 meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
2510 describe KAM_DON2 Egregious Work at Home Scams
2513 header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
2514 header __KAM_GINA2 Subject =~ /GINA deadline/i
2515 body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
2516 body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
2518 meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
2520 describe KAM_GINA Employment Poster Marketing Spams
2523 header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
2524 header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
2525 body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
2526 body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i
2528 meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
2530 describe KAM_TAX Tax Filing Scams
2532 meta KAM_TAX2 (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
2534 describe KAM_TAX2 Higher Probability of Tax Filing Scams
2537 body __KAM_SEX06_1 /more fire and passion/i
2539 meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
2541 describe KAM_SEX06 Sexual Stimulant Spam
2543 #DOG BARK AND OTHER DOG SPAM
2544 body __KAM_BARK1 /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
2545 header __KAM_BARK2 Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
2546 header __KAM_BARK3 From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i
2548 meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
2550 describe KAM_BARK Dog Product Scam
2553 body __KAM_CASINO1 /Elite World Casino/i
2554 body __KAM_CASINO2 /Online Casino/i
2555 header __KAM_CASINO3 Subject =~ /chances to win/i
2557 meta KAM_CASINO (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
2558 score KAM_CASINO 3.5
2559 describe KAM_CASINO Online Casino Spam
2562 header __KAM_TWIT1 From =~ /twitter/i
2563 header __KAM_TWIT2 Subject =~ /twitter \d{3}-\d{2}/i
2565 meta KAM_TWIT (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
2567 describe KAM_TWIT Twitter bogus phishing emails
2571 header __KAM_FACE1 From =~ /password/i
2572 header __KAM_FACE2 Subject =~ /reset your facebook/i
2573 header __KAM_FACE3 X-Mailer =~ /Zuckmail/i
2575 meta KAM_FACE (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
2577 describe KAM_FACE Facebook bogus phishing emails
2579 header __KAM_PHISH3_1 Subject =~ /account notification/i
2580 body __KAM_PHISH3_2 /accessed by someone else./
2582 meta KAM_PHISH3 (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
2584 describe KAM_PHISH3 Phishing emails for account notification
2587 #GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
2588 body __KAM_CLICK /Please click on the link below|Copy and paste this link into your internet browser/i
2591 header __KAM_DIRECT1 From =~ /Direct ?Buy|Wholesale/i
2592 header __KAM_DIRECT2 Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
2593 body __KAM_DIRECT3 /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
2594 body __KAM_DIRECT4 /Direct.?Buy/i
2596 meta KAM_DIRECT (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
2597 score KAM_DIRECT 3.0
2598 describe KAM_DIRECT DirectBuy Spam
2601 header __KAM_SWIPE1 From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
2602 header __KAM_SWIPE2 Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
2603 body __KAM_SWIPE3 /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
2604 body __KAM_SWIPE4 /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i
2606 meta KAM_SWIPE (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
2608 describe KAM_SWIPE SwipeBid Spam / Penny Auction Spams
2610 meta KAM_SWIPE2 (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
2611 score KAM_SWIPE2 0.5
2612 describe KAM_SWIPE2 SwipeBid Spam / Penny Auction Spams
2615 header __KAM_WTA1 From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
2616 body __KAM_WTA2 /Alliance for Retirement Prosperity Association|Social Security Institute/is
2618 meta KAM_WTA (__KAM_WTA1 + __KAM_WTA2 >= 2)
2620 describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains
2623 body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
2624 header __KAM_SMOKE2 Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
2625 header __KAM_SMOKE3 From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
2626 body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
2627 body __KAM_SMOKE5 /you have qualified/i
2629 meta KAM_SMOKE (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
2631 describe KAM_SMOKE Smokeless cigarette and quitting spam
2633 meta KAM_SMOKE2 (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
2634 score KAM_SMOKE2 3.0
2635 describe KAM_SMOKE2 Higher probability of spam
2637 #OBF URL - need to make this more generic and perhaps something for RBL lookups when these techniques are used.
2638 body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M|insidesaleswiz\.\s+com/i
2640 meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
2641 score KAM_OBFURL 15.0
2642 describe KAM_OBFURL Obfuscated URL
2645 body __KAM_SHARP1 /sharp for life/i
2646 body __KAM_SHARP2 /yoshiblade/i
2647 body __KAM_SHARP3 /zirconium oxide/i
2648 body __KAM_SHARP4 /ceramic knife/i
2649 header __KAM_SHARP5 Subject =~ /ceramic knief|yoshiblade|sharp for life/i
2650 header __KAM_SHARP6 From =~ /yoshi/i
2652 meta KAM_SHARP (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
2654 describe KAM_SHARP Ceramic Blade Spam
2657 body __KAM_HIP1 /hip replacement|medical alert/i
2658 body __KAM_HIP2 /implant recall|recall list/i
2659 header __KAM_HIP3 Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
2660 header __KAM_HIP4 From =~ /recall/i
2662 meta KAM_HIP (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
2664 describe KAM_HIP Hip Replacement Recall Spam
2667 body __KAM_WORKHOME1 /online jobs|Full-time (and|&) Part-time|at home employment/i
2668 body __KAM_WORKHOME2 /\#1 site|view here|information here/i
2669 header __KAM_WORKHOME3 Subject =~ /work at home|work \@ home|home positions/i
2671 meta KAM_WORKHOME (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
2672 score KAM_WORKHOME 4.5
2673 describe KAM_WORKHOME Work at Home Spam
2675 meta KAM_WORKHOME2 (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
2676 score KAM_WORKHOME2 4.5
2677 describe KAM_WORKHOME2 Work at Home Spam
2680 body __KAM_HSR1 /hsrupdates.com|progressiverailroading.com/i
2681 header __KAM_HSR2 Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
2682 header __KAM_HSR3 From =~ /HSRUpdates.com|progressive ?railroading/i
2684 meta KAM_HSR (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
2686 describe KAM_HSR High Speed Rail Spam
2689 body __KAM_SELLPHONE1 /Turn iphones into cash/i
2690 body __KAM_SELLPHONE2 /used or broken|pre-paid envelope/i
2691 header __KAM_SELLPHONE3 Subject =~ /sell your old iphone/i
2693 meta KAM_SELLPHONE (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
2694 score KAM_SELLPHONE 4.5
2695 describe KAM_SELLPHONE Used Equipment Spam
2698 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2700 replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
2703 body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|suspicious activities|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive new e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid being barred|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox/i
2704 tflags __KAM_MAILBOX1 nosubject
2706 body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same) password|change password|stop (this action|account removal)|fix your email|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account/i
2707 tflags __KAM_MAILBOX2 nosubject
2709 header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|out of storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt/i
2711 meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH) >= 2
2712 score KAM_MAILBOX 7.75
2713 describe KAM_MAILBOX Mailbox Quota Phishing Scams
2715 meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
2716 score KAM_MAILBOX2 6.25
2717 describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
2719 meta KAM_MAILBOX3 (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
2720 describe KAM_MAILBOX3 Enhanced Scoring for Mailbox Quota Phishing
2721 score KAM_MAILBOX3 3.75
2724 meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
2725 score KAM_SHORT 0.001
2726 describe KAM_SHORT Use of a URL Shortener for very short URL
2728 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
2729 ifplugin Mail::SpamAssassin::Plugin::DecodeShortURLs
2730 if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url)
2731 # use DecodeShortURLs plugin and disable __KAM_TINYDOMAIN
2732 body __KAM_SHORT eval:short_url()
2734 #OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this.
2735 uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
2737 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
2738 uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm).{2,7}\//i
2742 #OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this.
2743 uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
2744 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
2745 uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm).{2,7}\//i
2749 body __KAM_POWER1 /hoveround/i
2750 header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i
2751 header __KAM_POWER3 From =~ /Get your freedom|power Chairs/i
2753 meta KAM_POWER (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
2755 describe KAM_POWER Motorized Chair Spams
2758 body __KAM_GUN1 /Keep and Bear Arms/i
2759 header __KAM_GUN2 From =~ /gunalerts.com/i
2760 header __KAM_GUN3 Subject =~ /gun/i
2762 meta KAM_GUN (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
2764 describe KAM_GUN Gun Alert Spams
2766 #GET RICH QUICK SCHEME
2767 body __KAM_RICH1 /financial.success story/i
2768 body __KAM_RICH2 /see me on the channel \d news/i
2769 body __KAM_RICH3 /talking about my blog/i
2770 body __KAM_RICH4 /bec.me financially independent/i
2772 meta KAM_RICH (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
2774 describe KAM_RICH Get Rich Quick Schemes
2776 #INVALID FROM HEADER
2777 header __KAM_INVFROM1 From =~ /<[^>]*$/
2778 header __KAM_INVFROM2 From =~ /^[^<]*>/
2780 meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
2781 score KAM_INVFROM 2.0
2782 describe KAM_INVFROM Invalid From Header containing mismatched <>'s
2784 #YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
2785 header __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
2786 ifplugin Mail::SpamAssassin::Plugin::DKIM
2787 meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
2789 meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
2791 describe KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
2792 score KAM_UAH_YAHOOGROUP_SENDER -20.0
2795 header __KAM_GALLERY1 Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
2796 body __KAM_GALLERY2 /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
2798 header __KAM_GALLERY3 Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
2799 body __KAM_GALLERY4 /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
2800 rawbody __KAM_GALLERY5 /wp-content|_vti_cnf|cache|wp-admin|wordpress/i
2802 meta KAM_GALLERY (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
2803 describe KAM_GALLERY Exploited Gallery with Porn
2804 score KAM_GALLERY 5.0
2806 meta KAM_GALLERY2 (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
2807 describe KAM_GALLERY2 Higher Likelihood of Exploited Gallery with Porn
2808 score KAM_GALLERY2 2.0
2811 header __KAM_CHANGELOG1 Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
2812 body __KAM_CHANGELOG2 /as promised chnglog update/i
2814 meta KAM_CHANGELOG (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
2815 describe KAM_CHANGELOG Phishing Email
2816 score KAM_CHANGELOG 2.5
2819 body __KAM_BUS1 /business proposal/i
2820 body __KAM_BUS2 /sensitive by nature/i
2821 body __KAM_BUS3 /have not met/i
2822 body __KAM_BUS4 /view my attach/i
2824 meta KAM_BUS (__KAM_BUS1 + __KAM_BUS2 + __KAM_BUS3 + __KAM_BUS4 >= 4)
2825 describe KAM_BUS Yet another Nigerian Scam/Phishing Variant
2829 body __KAM_PRIV1 /private message|horny|sweet ass/i
2830 body __KAM_PRIV2 /(personal|private) video/i
2831 body __KAM_PRIV3 /the attache?ment|attached file/i
2833 meta KAM_PRIV (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
2834 describe KAM_PRIV Private Messages using Exploits in attached HTML files
2838 rawbody __KAM_DIV1 /(Viagr?|Cial?)<div/i
2839 rawbody __KAM_DIV2 /<\/div>r?a\|l?is/i
2841 meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
2842 describe KAM_DIV Use of divs to hide Medical Spams
2846 header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
2847 body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
2848 body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
2849 body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
2850 header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
2853 # SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
2855 #Useful Resources for Tags
2856 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
2857 #https://www.branah.com/unicode-converter
2858 #look at the encoding type and the charset. For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'
2860 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2862 #renamed to A1, C1, etc. to avoid collissions with stock rules
2863 #Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
2864 #thanks as well to Henrik Krohns
2865 replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
2866 replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
2867 replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
2868 replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
2869 replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
2870 replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
2871 replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
2872 replace_tag L1 (?:l|i)
2873 replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
2874 replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
2875 replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e])
2876 replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
2877 replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
2878 replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
2879 replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
2880 replace_tag U1 (?:u|[\xf0\x9d\x98\x82])
2881 replace_tag V1 (?:v|[\xf0\x9d\x96\xb5]|[\xce][\xbd])
2882 replace_tag W1 (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0]|[\xd1\xa1])
2883 replace_tag Y1 (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
2884 replace_tag SPACE1 (?: |[\xc2\xa0])
2886 header __KAM_CREDIT6 Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
2887 header __KAM_CREDIT7 From =~ /<S1>core.?<S1>ense/i
2889 replace_rules __KAM_CREDIT6 __KAM_CREDIT7
2893 meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
2894 describe KAM_CREDIT Credit Score Spams
2895 score KAM_CREDIT 4.5
2897 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2898 meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
2899 describe KAM_CREDIT2 Credit Score Spams
2900 score KAM_CREDIT2 4.5
2904 rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
2905 describe KAM_OBFURI Obfuscated URI trick
2906 score KAM_OBFURI 4.0
2909 header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
2910 body __KAM_ADVANCE2 /Advance Details/i
2911 body __KAM_ADVANCE3 /Pre-Approved/i
2912 header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i
2914 meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
2915 describe KAM_ADVANCE Advance Spams
2916 score KAM_ADVANCE 3.5
2918 #PAYPAL NON SPF - FP fixed by Piper Andreas
2919 header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i
2921 meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
2922 describe KAM_PAYPAL1 rampant paypal phishing scams
2923 score KAM_PAYPAL1 16.0
2925 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2926 #PAYPAL IMPERSONATING MALWARE
2927 body __KAM_PAYPAL2A /paypal/i
2928 body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
2930 meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
2931 describe KAM_PAYPAL2 Malware disguised as a paypal email
2932 score KAM_PAYPAL2 8.0
2936 header __KAM_PAYPAL3A From =~ /paypal/i
2937 header __KAM_PAYPAL3B From !~ /paypal(\.com|\.com\.au|\.co\.uk)?>?$/i
2938 header __KAM_PAYPAL3C Subject =~ /your.paypal.account|Invoice PP|order Confirmation/i
2939 body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information|bitcoin|\d\d hours from today/i
2941 meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
2942 score KAM_PAYPAL3 8.0
2943 describe KAM_PAYPAL3 Phish disguised as a paypal email
2945 #COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
2946 header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
2947 header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
2948 header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
2949 body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
2950 body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i
2952 meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
2953 describe KAM_COMPROMISED Compromised Accounts Sending Spam
2954 score KAM_COMPROMISED 8.25
2956 #GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
2957 header __KAM_LIST2A List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
2958 header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i
2960 meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
2961 describe KAM_LIST2 Known Bad Groups
2962 score KAM_LIST2 60.0
2964 #LIMITED ACCESS/QUOTA SCAMS - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
2965 body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
2966 body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i
2968 meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
2969 describe KAM_QUOTA Limited Access / Quota Phishing Scam
2972 # BACKGROUND CHECK SPAM
2973 body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
2974 body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
2975 body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
2976 header __KAM_BACK4 Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
2977 header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i
2979 describe KAM_BACK Background Check SPAM
2980 meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
2983 #ARREST RECORD SCAMS
2984 header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
2985 body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
2986 header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i
2988 meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
2989 describe KAM_ARREST Arrest Record Scams
2990 score KAM_ARREST 5.0
2993 header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim|dieting/i
2994 header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
2995 body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby|burn stubborn fat|lose weight fast/i
2997 meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
2998 describe KAM_DIET2 Diet Scams
3002 header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
3003 header __KAM_CIGAR2 From =~ /Cigar/i
3004 body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i
3006 meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
3007 describe KAM_CIGAR Cigar Scam Emails
3012 rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
3013 describe KAM_TK Abuse of .tk domain registrar which offers free domains
3016 #THIRD PARTY / SENT BY XXXX
3017 body __KAM_THIRD /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i
3020 header __KAM_LASIK1 From =~ /Lasik/i
3021 header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
3022 body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
3023 uri __KAM_LASIK4 /lasik\.php/i
3025 meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
3026 describe KAM_LASIK Lasik Treatment Spams
3030 header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
3031 body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
3032 header __KAM_NOTIFY3 From =~ /\.br>/i
3034 meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
3035 describe KAM_NOTIFY Fake Notifications
3036 score KAM_NOTIFY 4.0
3038 meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
3039 describe KAM_NOTIFY2 Higher likelihood of fake notification
3040 score KAM_NOTIFY2 3.0
3043 header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
3044 header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
3045 body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i
3047 meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
3048 describe KAM_LANG Language Method Spams
3052 header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i
3054 meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
3055 describe KAM_TRACK Fake Tracking Emails
3059 header __KAM_SCHOOL1 From =~ /Classes/i
3060 header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i
3062 meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
3063 describe KAM_SCHOOL School Spams
3064 score KAM_SCHOOL 5.0
3067 header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
3068 header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
3069 body __KAM_MEMBER3 /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
3070 rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
3071 meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
3072 #header __KAM_MEMBER6 From =~ /Updat/i
3074 meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
3075 describe KAM_MEMBER Dating Scams
3076 score KAM_MEMBER 4.5
3079 header __KAM_MEDICARE1 From =~ /(Medicare|health.?options|enrollment)/i
3080 header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
3081 body __KAM_MEDICARE3 /medicare.(plan|recipient|annual election)/i
3082 tflags __KAM_MEDICARE3 nosubject
3083 body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
3085 meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
3086 describe KAM_MEDICARE Medicare Scams
3087 score KAM_MEDICARE 4.0
3090 header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
3091 header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i
3093 meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
3094 describe KAM_BILLS Bill Pay Spams
3098 header __KAM_HOSE1 From:name =~ /Pocket Hose|gardening|hydroeasy/i
3099 header __KAM_HOSE1A From:addr =~ /\.(house|co|store)$/i
3100 header __KAM_HOSE2 Subject =~ /(best|garden|expandable) hose|garden(ing)? and lawn|hose is ready|hose gets tangled/i
3101 body __KAM_HOSE3 /(pocket|garden|expandable).hose|(anti|never).kink|FLEX Technology|hydroeasy/i
3102 tflags __KAM_HOSE3 nosubject
3104 meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + (__KAM_HOSE1A + KAM_INFOUSMEBIZ + KAM_SOMETLD_ARE_BAD_TLD + DKIM_INVALID >=1) >= 3)
3105 describe KAM_HOSE Garden Hose Spams
3109 #header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
3110 #header __KAM_FLEXHOSE2 From =~ /hose/i
3111 #body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i
3113 #meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
3114 #describe KAM_FLEXHOSE Product Spam du Jour
3115 #score KAM_FLEXHOSE 3.5
3118 header __KAM_AV1 From =~ /Norton/i
3119 header __KAM_AV2 Subject =~ /Update now|Are you protected/i
3121 meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
3122 describe KAM_AV Anti-Virus Spams
3126 header __KAM_MASCARA1 From =~ /smartlash/i
3127 header __KAM_MASCARA2 Subject =~ /mascara/i
3128 body __KAM_MASCARA3 /smartlash/i
3130 meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
3131 describe KAM_MASCARA Make-up Spams
3132 score KAM_MASCARA 4.5
3135 header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
3136 header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
3137 rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
3139 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3140 meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
3141 describe KAM_COLLEGE Online Degree/Aid Spams
3142 score KAM_COLLEGE 4.0
3146 header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
3147 header __KAM_SURVEY2 Subject =~ /win an ipad/i
3148 body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i
3150 meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
3151 describe KAM_SURVEY Online Survey Spams
3152 score KAM_SURVEY 4.5
3156 #rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
3157 #describe KAM_LAKE Odd spamming engine LAKE signature on URLs
3158 #score KAM_LAKE 0.25
3161 header __KAM_SNORE1 From =~ /snoring|zquiet/i
3162 header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
3163 body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i
3165 meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
3166 describe KAM_SNORE Snoring Aid Spams
3170 header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
3171 header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
3172 body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i
3174 meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
3175 describe KAM_VACATION Vacation Spams
3176 score KAM_VACATION 4.0
3179 header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
3180 header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
3181 body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
3182 body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
3183 body __KAM_BLOOD5 /Anti-Aging Expert|worst.food/i
3184 body __KAM_BLOOD6 /Blood pressure/i
3186 meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
3187 describe KAM_BLOOD Blood Pressure Spams
3188 score KAM_BLOOD 4.75
3191 header __KAM_SCOOTER1 From =~ /Scooter Store/i
3192 header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
3193 body __KAM_SCOOTER3 /the scooter store/i
3195 meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
3196 describe KAM_SCOOTER Blood Pressure Spams
3197 score KAM_SCOOTER 4.75
3200 header __KAM_ANATA1 From:name =~ /Anatabloc|joint.?pain/i
3201 header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i
3202 body __KAM_ANATA3 /Doctor (expose|shock|fix)|conglomerates threatening/i
3203 tflags __KAM_ANATA3 nosubject
3205 meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 + __KAM_ANATA3 >= 3)
3206 describe KAM_ANATA Drug Spam
3209 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3211 header __KAM_BBB1 From =~ /bbb.org/i
3212 body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
3213 body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
3214 body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
3215 header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
3217 meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
3218 describe KAM_BBB Better Business Bureau Phishing
3223 header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
3224 header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]|\[\#+ ?SPAM\]/i
3225 header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
3227 meta KAM_MARKADV (__KAM_MARK1 >= 1)
3228 describe KAM_MARKADV Email arrived marked as an Advertisement
3229 score KAM_MARKADV 10.0
3231 meta KAM_MARKSPAM (__KAM_MARK2 >= 1)
3232 describe KAM_MARKSPAM Email arrived marked as Spam
3233 score KAM_MARKSPAM 4.0
3235 meta KAM_MARKVIRI (__KAM_MARK3 >= 1)
3236 describe KAM_MARKVIRI Email arrived marked as Virus
3237 score KAM_MARKVIRI 10.0
3240 rawbody __KAM_H1QNUM1 /<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
3241 header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
3242 uri __KAM_H1QNUM3 /\.co\.uk/i
3244 meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
3245 describe KAM_H1QNUM H1 Qnum indicator
3246 score KAM_H1QNUM 4.0
3248 meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
3249 describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
3250 score KAM_H1QNUM2 5.0
3253 header __KAM_AP1 From =~ /AP/
3254 header __KAM_AP2 Subject =~ /Community & educational development/i
3255 body __KAM_AP3 /American Grants and Loans Catalog/i
3257 meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
3258 describe KAM_AP American Publishing Spam
3262 header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
3263 describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
3268 header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
3270 header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i
3272 meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
3273 describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
3274 score KAM_FACEBOOKMAIL 8.0
3277 body __KAM_FAKE_DELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address|stored in our local depot|delivery failed/i
3279 header __KAM_FAKE_DELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|(pending|Package) Delivery|package is available for pickup|your.package.(has.)?arrived|attention.please|delivery.(attempt|problem)|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request|parcel is on hold/i
3282 header __KAM_FAKE_DELIVER3 From:name =~ /DHL/i
3283 header __KAM_FAKE_DELIVER4 From:addr !~ /dhl.com/i
3284 body __KAM_FAKE_DELIVER4A /dhl team/i
3287 rawbody __KAM_FAKE_DELIVER5 /Fed ?ex/i
3288 header __KAM_FAKE_DELIVER6 From !~ /fedex.com/i
3291 body __KAM_FAKE_DELIVER7 /USPS/i
3292 header __KAM_FAKE_DELIVER8 From !~ /usps.com/i
3295 body __KAM_FAKE_DELIVER9 /CARGO/
3296 header __KAM_FAKE_DELIVER10 From =~ /shipping|economy|priority/i
3299 body __KAM_FAKE_DELIVER11 /DPD/i
3300 header __KAM_FAKE_DELIVER12 From !~ /dpd.com|dpd.co.uk/i
3303 uri __KAM_FAKE_DELIVER13 /(cdn\.discordapp\.com|wp-conten|wp\d+\.server|onedrive\.live\.com)/i
3304 body __KAM_FAKE_DELIVER13A /open the enclosed receipt|print the receipt/i
3306 meta KAM_FAKE_DELIVER (__KAM_FAKE_DELIVER1 + __KAM_FAKE_DELIVER2 + ((__KAM_FAKE_DELIVER3 + __KAM_FAKE_DELIVER4 + __KAM_FAKE_DELIVER4A >= 2) + (__KAM_FAKE_DELIVER5 + __KAM_FAKE_DELIVER6 >= 2) + (__KAM_FAKE_DELIVER7 + __KAM_FAKE_DELIVER8 >= 2) + (__KAM_FAKE_DELIVER11 + __KAM_FAKE_DELIVER12 >= 2) + (__KAM_FAKE_DELIVER9 + __KAM_FAKE_DELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKE_DELIVER13 + __KAM_FAKE_DELIVER13A >= 1) >= 3)
3307 describe KAM_FAKE_DELIVER Fake delivery notifications
3308 score KAM_FAKE_DELIVER 6.25
3310 meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKE_DELIVER4 && __KAM_FAKE_DELIVER6 && __KAM_FAKE_DELIVER8) >= 3)
3311 score KAM_REALLY_FAKE_DELIVER 2.5
3312 describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications
3315 header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
3316 header __KAM_SOLAR2 Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
3317 body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
3319 meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
3320 describe KAM_SOLAR Solar Power Spams
3323 meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
3324 describe KAM_SOLAR2 Definite Solar Power Spams
3325 score KAM_SOLAR2 1.9
3328 header __KAM_ASIAN1 Subject =~ /(Chinese|Asian) (girl|Lad|Bride)|heart?beat when seeing her|such a beauty/i
3329 body __KAM_ASIAN2 /Adoring Asian|(\d\+|thousands of) Asian (women|Girls)|Asian Girlfriend|pics of hot|date an? asian|chat and cam/i
3330 header __KAM_ASIAN3 From =~ /asian/i
3332 meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
3333 describe KAM_ASIAN Asian Bride/Dating Spams
3337 header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
3338 header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
3339 body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i
3341 #meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
3342 #describe KAM_OZ Fake Dr. Oz Spam's
3346 header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
3347 header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
3348 body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i
3350 meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
3351 describe KAM_STUDENT Student Loan Forgiveness Spams
3352 score KAM_STUDENT 4.0
3355 header __KAM_TIP1 From =~ /Beauty Tips/i
3356 header __KAM_TIP2 Subject =~ /Dark-Circles|undereye bags/i
3357 body __KAM_TIP3 /undereye bags/i
3358 body __KAM_TIP4 /Find Out This Quick New Trick/i
3360 meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
3361 describe KAM_TIP Beauty Tip Spams
3365 header __KAM_WHATS1 From =~ /WhatsApp/i
3366 header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
3367 body __KAM_WHATS3 /WhatsApp/
3369 meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
3370 describe KAM_WHATS WhatsApp Spams
3375 header __KAM_QTJARS1 From =~ /qtjar/i
3376 header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
3377 body __KAM_QTJARS3 /qtjars/
3378 body __KAM_QTJARS4 /private message/
3380 meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
3381 describe KAM_QTJARS QTJars Spams
3382 score KAM_QTJARS 3.0
3385 # view the agreement.
3386 body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
3387 rawbody __KAM_GOOGLEPHISH2 /http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i
3389 meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
3390 describe KAM_GOOGLEPHISH Google Login Phishing Scam
3391 score KAM_GOOGLEPHISH 5.0
3394 header __KAM_POLY1 Subject =~ /Barack Obama/i
3395 body __KAM_POLY2 /The End of Barack Obama/i
3397 meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
3398 describe KAM_POLY Political Spams
3402 header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
3403 header __KAM_MAID2 From =~ /Maid|Housekeeper/i
3404 body __KAM_MAID3 /Pre-Screened Housekeepers|local.maid/i
3406 meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
3407 describe KAM_MAID Maid Service Spams
3411 header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
3412 header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
3413 body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i
3415 meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
3416 describe KAM_TUB Tub Spams
3420 header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
3421 header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
3422 header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
3423 header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
3424 header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
3425 header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
3426 header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
3427 header __KAM_OBF8 Subject =~ /X.X.X/
3429 meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
3430 describe KAM_OBF Obfuscated Porn Spams
3433 meta KAM_OBF (__KAM_OBF8 + __KAM_OBF2 >= 2)
3434 describe KAM_OBF Obfuscated Porn Spams
3438 header __KAM_SHARKTANK_SUBJ Subject =~ /shark tank/i
3439 body __KAM_SHARKTANK_BODY /shark tank/i
3441 meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
3442 score KAM_SHARKTANK 1.0
3443 describe KAM_SHARKTANK Mentions Shark Tank
3445 rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
3447 meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
3448 score KAM_SHARKPROD 5.0
3449 describe KAM_SHARKPROD Shark Tank Spam
3452 header __KAM_ICUTLD_FROM From:addr =~ /\.icu$/i
3453 uri __KAM_ICUTLD_URI /\.icu($|\/)/i
3455 meta KAM_ICU_BAD_TLD (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI) >= 1
3456 describe KAM_ICU_BAD_TLD .icu TLD Abuse
3457 score KAM_ICU_BAD_TLD 2.0
3459 #HAIR LOSS / GREYING / REMOVAL
3460 header __KAM_HAIR1 Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
3461 header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
3462 rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
3463 rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i
3465 rawbody __KAM_NEWSLETTER /<title>Newsletter<\/title>/i
3467 meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
3468 describe KAM_HAIR Hair Loss / Removal Spams
3472 body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i
3475 body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
3476 body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i
3478 meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
3479 describe KAM_UNSUB Completely ridiculous unsubscribe text found
3482 #MAINTENANCE / Email Phish Scams
3483 body __KAM_EMAILPHISH1 /Please login to complete update process/i
3485 meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
3486 describe KAM_EMAILPHISH Email Phishing Scams
3487 score KAM_EMAILPHISH 3.5
3490 header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i
3492 meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
3493 describe KAM_MASSERROR Error in usage of a mass mailing software
3494 score KAM_MASSERROR 2.0
3497 header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
3498 header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
3499 body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i
3501 meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
3502 describe KAM_CARDEAL Car Deal Spams
3503 score KAM_CARDEAL 3.0
3506 header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
3507 header __KAM_HOMESALE2 From =~ /Fastcash/i
3508 body __KAM_HOMESALE3 /Cash Offer for Your Home/i
3510 meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
3511 describe KAM_HOMESALE Home Sale Spams
3512 score KAM_HOMESALE 3.5
3514 #ADVERTISEMENTS FOR LOANS
3515 header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
3516 header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
3517 body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i
3519 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3520 mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
3521 mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
3524 meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
3525 describe KAM_LOAN Payday and other loan spams
3529 header __KAM_HANGOVER1 Subject =~ /hangover patch/i
3530 header __KAM_HANGOVER2 From =~ /hangover/i
3531 body __KAM_HANGOVER3 /hangover patch/i
3533 meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
3534 describe KAM_HANGOVER Hangover Patch Spams
3535 score KAM_HANGOVER 3.5
3538 header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
3539 header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
3540 body __KAM_RXPLAN3 /gap coverage/i
3542 meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
3543 describe KAM_RXPLAN Rx Plan Spams
3544 score KAM_RXPLAN 3.5
3547 header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
3548 header __KAM_SOCKET2 From =~ /side.?socket/i
3549 body __KAM_SOCKET3 /side socket/i
3551 meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
3552 describe KAM_SOCKET Product Spam du Jour
3553 score KAM_SOCKET 3.5
3556 header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
3557 header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
3558 body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
3559 body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i
3561 meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
3562 describe KAM_TESTOSTERONE Product Spam du Jour
3563 score KAM_TESTOSTERONE 4.5
3566 header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
3567 header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
3568 body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i
3570 meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
3571 describe KAM_PET Insurance and other pet-related spam
3574 meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
3575 describe KAM_PET2 Even more likely insurance and other pet-related spam
3579 header __KAM_COBRA1 Subject =~ /Cobra Health/i
3580 header __KAM_COBRA2 From =~ /Cobra|Health/i
3581 body __KAM_COBRA3 /find cobra health/i
3583 meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
3584 describe KAM_COBRA Cobra Insurance Spam
3588 header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
3589 header __KAM_DISCAIR2 From =~ /Discount Air/i
3590 body __KAM_DISCAIR3 /Fly Cheap in Business Class/i
3592 meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
3593 describe KAM_DISCAIR Discount Airfare Spam
3594 score KAM_DISCAIR 3.5
3597 header __KAM_PEST1 Subject =~ /pes?t control system/i
3598 header __KAM_PEST2 From =~ /Riddex|pest/i
3599 body __KAM_PEST3 /revolutionary pes?t control system/i
3601 meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
3602 describe KAM_PEST Spam for Pest Control
3607 header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
3608 header __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues|spiritualisraelnumber\d|TheLeastOfThese\d/i
3609 body __KAM_PROPHET3 /Dear Christian Friend|revelation \d+\:/i
3610 body __KAM_PROPHET4 /Christian ?Media\*? ?(Daily|Ministry|Prophecy)|spiritualisraelnumber\d/i
3611 body __KAM_PROPHET5 /prophecy|rapture/i
3613 meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
3614 describe KAM_PROPHET Spam for Prophecy
3615 score KAM_PROPHET 8.5
3618 header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
3619 header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
3620 body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i
3622 meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
3623 describe KAM_HEART Spam for Heart Attack prevention
3627 header __KAM_JOINT1 Subject =~ /joint relief/i
3628 header __KAM_JOINT2 From =~ /Tfx/i
3629 body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
3630 body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
3631 body __KAM_JOINT5 /free bottle/i
3633 meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
3634 describe KAM_JOINT Joint relief Spam
3638 header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
3639 header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
3640 body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i
3642 meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
3643 describe KAM_REHAB Rehab Spam
3647 header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
3648 header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
3649 body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i
3651 meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
3652 describe KAM_HAIRTRANS Spam for Hair Restoration
3653 score KAM_HAIRTRANS 3.5
3655 meta KAM_HAIRTRANS2 (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
3656 describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration
3657 score KAM_HAIRTRANS2 2.0
3660 body __KAM_GIFTCERT1 /Our gift to you/i
3661 body __KAM_GIFTCERT2 /\$\d+ gift certificate/i
3662 header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i
3664 meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
3665 score KAM_GIFTCERT 1.5
3666 describe KAM_GIFTCERT Gift Certificate Spams
3669 header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
3670 header __KAM_TIRES2 From =~ /Tire/i
3671 body __KAM_TIRES3 /savings on tire|new tires/i
3673 meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3)
3674 describe KAM_TIRES Spam for Tires
3678 header __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
3679 header __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
3680 body __KAM_SLICEOMATIC3 /Slice-o-matic/i
3682 meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3)
3683 describe KAM_SLICEOMATIC Spam for Kitchen Tools
3684 score KAM_SLICEOMATIC 3.0
3686 #FINDYOURWINDOWS AND OTHER WINDOW SPAM
3687 header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
3688 header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
3689 body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i
3691 meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
3692 describe KAM_WINDOWS Spam for House Windows
3693 score KAM_WINDOWS 4.5
3695 #EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
3697 uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i
3699 meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1)
3700 describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com
3701 score KAM_EMMAPP_WEB_COM 20.0
3704 header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
3705 header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
3706 body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i
3708 meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
3709 describe KAM_NEW_CREDITCARD Spam for new credit cards
3710 score KAM_NEW_CREDITCARD 4.0
3713 header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
3714 header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
3715 body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
3716 body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i
3718 meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
3719 describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam
3720 score KAM_GERMAN_BUSINESS_CONTACTS 3.0
3722 #WEIRD SENIOR DATING SPAM
3723 header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i
3725 meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1)
3726 describe KAM_SENIOR_DATING Senior dating spam
3727 score KAM_SENIOR_DATING 2.0
3730 header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
3731 body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
3733 meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
3734 describe KAM_NEWS Forged Emails with NEWS!
3737 #URI COUNT - REQUIRES 3.3 OR LATER
3738 if (version >= 3.003000)
3739 uri __KAM_COUNT_URIS /^./
3740 tflags __KAM_COUNT_URIS multiple maxhits=16
3741 describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
3743 meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
3744 meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
3745 meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
3746 meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
3747 meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
3748 meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
3749 meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
3750 meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
3753 #DISCLAIMER STUB FOR FUTURE RESOURCE
3754 body __KAM_DISCLAIMER1 /receives compensation/i
3757 #header __KAM_FAKE_ATT1 From =~ /AT.?T/i
3758 #header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
3759 #uri __KAM_FAKE_ATT3 /att-mail.com/i
3761 #meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
3762 #describe KAM_FAKE_ATT Fake AT&T newsletters
3763 #score KAM_FAKE_ATT 3.0
3765 #YOU HAVE BEEN CHOSEN
3766 header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
3767 header __KAM_CHOSEN2 From =~ /marketing|invitation/i
3768 body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
3770 meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
3771 describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
3772 score KAM_CHOSEN 2.0
3774 #JURY DUTY AND OTHER FAKE COURT NOTICES
3775 header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
3776 header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
3777 header __KAM_JURY3 From !~ /\.gov/i
3778 body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
3780 meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
3781 describe KAM_JURY Spam claiming the recipient must serve jury duty
3785 header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
3786 body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
3787 header __KAM_BITCOIN3 From =~ /bitcoin/i
3789 meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
3790 describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
3791 score KAM_BITCOIN 4.5
3794 header __KAM_RELIGION1 Subject =~ /Christian Media/i
3795 header __KAM_RELIGION2 From =~ /Bible Prophecy/i
3796 body __KAM_RELIGION3 /Dear Christian|Christian Media/i
3798 meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
3799 describe KAM_RELIGION Generic religious spam
3800 score KAM_RELIGION 2.5
3803 header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
3804 header __KAM_BUSINESSPHONE2 From =~ /business phone/i
3805 body __KAM_BUSINESSPHONE3 /business phone system/i
3807 meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
3808 describe KAM_BUSINESSPHONE Advertising for business phone systems
3809 score KAM_BUSINESSPHONE 5.5
3812 header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
3813 header __KAM_NUMEROLOGY2 From =~ /Numerology/i
3814 body __KAM_NUMEROLOGY3 /Control your destiny/i
3816 meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
3817 describe KAM_NUMEROLOGY Pseudo-scientific spam
3818 score KAM_NUMEROLOGY 3.5
3820 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3822 header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
3823 header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
3824 body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
3826 meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
3827 describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
3828 score KAM_VOICEMAIL 5.0
3831 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
3832 header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
3833 header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
3834 rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
3836 meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
3837 describe KAM_SPAMFORSPAM Spam advertising spam services
3838 score KAM_SPAMFORSPAM 5.5
3840 #ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
3841 header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
3842 header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
3843 body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
3845 meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
3846 describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
3847 score KAM_NEUROLOGICAL 3.5
3849 #EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
3850 body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
3851 tflags __KAM_LOTSOFHASH multiple maxhits=10
3853 meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
3854 describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
3855 score KAM_LOTSOFHASH 0.25
3857 #SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
3858 meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
3859 describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
3860 score KAM_GRABBAG1 3.5
3863 header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
3864 header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
3865 body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
3867 meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
3868 describe KAM_TVDOCTOR Spam for TV doctor stuff
3869 score KAM_TVDOCTOR 3.5
3872 header __KAM_DENTIST1 Subject =~ /dentist/i
3873 header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
3874 body __KAM_DENTIST3 /Find a dentist/i
3876 meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
3877 describe KAM_DENTIST Spam for 1-800-DENTIST
3878 score KAM_DENTIST 3.5
3880 # GOLD AND DIAMOND JEWELRY
3881 header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
3882 header __KAM_JEWELRY2 From =~ /bluestone.com/i
3884 meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
3885 describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
3886 score KAM_JEWELRY 3.5
3888 # PSSST, WANNA BUY SOME POT
3889 body __KAM_MARIJUANA1 /marijuana|cannabis/i
3890 body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
3891 body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
3892 header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i
3894 meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
3895 describe KAM_MARIJUANA Spam pertaining to marijuana
3896 score KAM_MARIJUANA 3.5
3898 meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
3899 score KAM_MARIJUANA2 8.0
3900 describe KAM_MARIJUANA2 Definitely spam for marijuana
3902 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3904 header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
3905 header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
3906 body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
3908 meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
3909 describe KAM_EVICTION Malware disguised as eviction notice
3910 score KAM_EVICTION 4.5
3914 header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
3915 header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
3916 body __KAM_WALKINTUB3 /walk.?in.?tub/i
3918 meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
3919 describe KAM_WALKINTUB Ads for walk-in tubs
3920 score KAM_WALKINTUB 3.5
3922 # SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
3923 header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
3924 header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i
3926 meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
3927 describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
3928 score KAM_EMAILQUESTION 3.5
3930 # BECOME BEYOND SUPERHUMAN / SUPERMAN
3931 header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
3932 header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
3933 body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i
3935 meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
3936 describe KAM_SUPERHUMAN Male enhancement of the day
3937 score KAM_SUPERHUMAN 8.0
3940 header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
3941 header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
3942 rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
3944 meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
3945 describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
3946 score KAM_VALENTINE 4.5
3948 header __KAM_MOTHER1 From =~ /flower|seventeen/i
3949 header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
3950 body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
3952 meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
3953 describe KAM_MOTHER Spam for mother's day
3954 score KAM_MOTHER 4.5
3957 header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
3958 header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
3959 body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
3960 uri __KAM_WHOSWHO4 /whoswho/i
3962 meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
3963 describe KAM_WHOSWHO Ads for network of important people
3964 score KAM_WHOSWHO 5.0
3966 meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
3967 describe KAM_WHOSWHO2 Definitely ads for network of important people
3968 score KAM_WHOSWHO2 1.0
3970 # GARAGE FLOOR COATING
3971 header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
3972 header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
3973 body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
3975 meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
3976 describe KAM_GARAGE Garage floor coating product of the day
3977 score KAM_GARAGE 4.0
3979 meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
3980 score KAM_GARAGE2 1.0
3981 describe KAM_GARAGE2 More likely garage floor coating spam
3983 #PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
3984 header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
3985 header __KAM_PAINT2 Subject =~ /surface Paint/i
3987 meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
3988 describe KAM_PAINT Paint Spams
3992 header __KAM_MOP1 From =~ /hurricane mop/i
3993 header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
3994 body __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i
3996 meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
3997 describe KAM_MOP Hurricane mop product of the day
4001 header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
4002 header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
4003 body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
4005 meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
4006 describe KAM_DATINGTIPS Tips for dating
4007 score KAM_DATINGTIPS 4.5
4010 header __KAM_CANDY1 From =~ /candy/i
4011 header __KAM_CANDY2 Subject =~ /candy/i
4012 body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
4014 meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
4015 describe KAM_CANDY Ads for candy
4018 # EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
4019 # MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
4020 # DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
4021 #rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
4022 #score KAM_EXCESSIVEQP 2.5
4023 #describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable
4025 # ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
4026 header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
4027 body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
4028 header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
4029 header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
4031 meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
4032 describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
4033 score KAM_WEIRDTRICK1 1.5
4035 meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
4036 describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
4037 score KAM_WEIRDTRICK2 3.5
4039 meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
4040 describe KAM_WEIRDTRICK3 Weird/Strange Trick
4041 score KAM_WEIRDTRICK3 3.0
4044 header __KAM_MATCH1 From =~ /Match/i
4045 header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
4047 meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
4048 describe KAM_MATCH Match Maker Spams
4052 header __KAM_CARINSURE1 From =~ /insurance/i
4053 header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
4055 meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
4056 describe KAM_CARINSURE Car Insurance Spams
4057 score KAM_CARINSURE 3.0
4060 rawbody __KAM_DATAIMG /<img src="data:image/i
4063 rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
4065 meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
4066 describe KAM_MMS Fake MMS Spam
4070 rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
4072 meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
4073 describe KAM_LEARN Learn More Spam
4077 header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
4078 rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
4080 meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
4081 describe KAM_UNSUB1 Unsubscription Spams
4082 score KAM_UNSUB1 0.1
4084 uri __KAM_DOMAINDOTCOM /domain\.com/i
4086 meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
4087 score KAM_UNSUB2 3.5
4088 describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body
4090 # DUTCH GLOW AND OTHER WOODWORKING SPAM
4091 header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
4092 header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
4093 body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
4095 meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
4096 describe KAM_DUTCHGLOW Woodworking spam
4097 score KAM_DUTCHGLOW 3.0
4100 header __KAM_FUNERAL1 From =~ /Funeral/i
4101 header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
4102 body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
4103 uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
4105 meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
4106 describe KAM_FUNERAL Likely Fake funeral notices
4107 score KAM_FUNERAL 2.0
4109 meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
4110 describe KAM_FUNERAL2 Fake funeral notices
4111 score KAM_FUNERAL2 3.0
4114 # WEB VIEW OBFUSCATION
4115 body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
4116 rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
4118 meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
4119 describe KAM_WEB_OBFUSCATION Obfuscated web view links
4120 score KAM_WEB_OBFUSCATION 0.1
4123 header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
4124 header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
4125 body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
4127 meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
4128 describe KAM_TUPPERWARE Ads for tupperware
4129 score KAM_TUPPERWARE 3.5
4131 # PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
4132 header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
4133 header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
4134 body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
4135 body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
4137 meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
4138 describe KAM_PATRIOT conspiracy spam
4139 score KAM_PATRIOT 4.0
4141 meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
4142 describe KAM_PATRIOT2 Likely conspiracy spam
4143 score KAM_PATRIOT2 1.5
4146 header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
4147 body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
4148 body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
4150 meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
4151 describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
4152 score KAM_PAYMENT_LOWERED 4.5
4154 meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
4155 describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
4156 score KAM_PAYMENT_LOWERED 2.0
4159 body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
4160 body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
4161 header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
4163 meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
4164 describe KAM_NEWNOTICE New Notice Spam
4165 score KAM_NEWNOTICE 4.25
4167 meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
4168 describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
4169 score KAM_NEWNOTICE2 2.0
4172 header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
4173 body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
4175 meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
4176 describe KAM_REFINEW New Refi/Credit Notice spam
4177 score KAM_REFINEW 2.0
4179 meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
4180 describe KAM_REFINEW2 Higher Probability Refi Spam
4181 score KAM_REFINEW2 2.0
4184 header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
4185 body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
4186 body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
4187 header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
4189 meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
4190 describe KAM_AUTONEW New Auto insurance spam
4191 score KAM_AUTONEW 3.0
4193 meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
4194 describe KAM_AUTONEW2 Higher Probability Insurance Spam
4195 score KAM_AUTONEW2 2.0
4198 header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
4199 header __KAM_STATLER2 Subject =~ /quintuple/i
4200 body __KAM_STATLER3 /Mike Statler/i
4202 meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
4203 describe KAM_STATLER Mike Statler Spams
4204 score KAM_STATLER 6.0
4207 header __KAM_WRITING1 From =~ /writing/i
4208 header __KAM_WRITING2 Subject =~ /writing resources|get published/i
4209 body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
4211 meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
4212 describe KAM_WRITING Spam for writing lessons
4213 score KAM_WRITING 3.5
4215 #RASH OF .EU EXPLOITS
4216 rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
4218 describe KAM_EU Prevalent use of .eu in spam/malware
4220 #CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
4221 rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
4223 meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
4224 score KAM_GRABBAG2 3.0
4225 describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators
4228 body __KAM_DIABETES1 /Diabetes News Today|diabetes.health|blood.sugar/i
4229 tflags __KAM_DIABETES1 nosubject
4230 body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical|doctors don't know|home solution|yellow spice|shocked doctors/i
4231 tflags __KAM_DIABETES2 nosubject
4232 header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic|blood sugar|yellow spice/i
4233 header __KAM_DIABETES4 From:name =~ /blood.?sugar|clean.?cell/
4235 meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 + __KAM_DIABETES4 >= 3)
4236 score KAM_DIABETES 4.5
4237 describe KAM_DIABETES End Diabetes Spam
4240 header __KAM_SPY1 From =~ /spy.?camera|smartcam/i
4241 header __KAM_SPY2 Subject =~ /spy.?camera|small size video/i
4242 body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children|smartcam pro/i
4244 meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
4245 describe KAM_SPY Spy cameras and similar products
4249 header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
4250 header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
4251 header __KAM_HARP3 From !~ /\.gov>?$/i
4253 meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
4254 describe KAM_HARP HARP Refinance Spams
4257 #LUNAR SLEEP AND OTHER SLEEPING AIDS
4258 header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
4259 header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
4260 uri __KAM_LUNAR3 /lunar.?sleep/i
4261 body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
4263 meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
4264 describe KAM_LUNAR Sleeping aid spam
4267 meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
4268 describe KAM_LUNAR2 Definitely sleeping aid spam
4269 score KAM_LUNAR2 2.0
4272 header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
4273 header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
4274 body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
4276 meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
4277 describe KAM_OCEANSBOUNTY More medical spam
4278 score KAM_OCEANSBOUNTY 4.5
4281 header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
4282 header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
4283 body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
4285 meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
4286 describe KAM_ANDROGEL More medical spam
4287 score KAM_ANDROGEL 4.5
4290 header __KAM_CELL1 From =~ /phone/i
4291 header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
4292 body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
4294 meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
4295 describe KAM_CELL Ads for cell phones
4298 header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
4299 header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
4300 body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
4302 meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
4303 score KAM_FOUNTAINOFYOUTH 5.0
4304 describe KAM_FOUNTAINOFYOUTH Anti-aging ad
4307 header __KAM_HERPES1 From =~ /herpes/i
4308 header __KAM_HERPES2 Subject =~ /your.herpes/i
4309 body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
4311 meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
4312 describe KAM_HERPES Ads for herpes medication
4313 score KAM_HERPES 5.0
4315 #FAKE VOUCHER/REWARD EMAIL
4316 header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
4317 body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
4318 header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
4319 body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i
4321 meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
4322 describe KAM_FAKEVOUCHER Fake voucher/reward email
4323 score KAM_FAKEVOUCHER 4.5
4326 header __KAM_ATTORNEY1 From =~ /attorney/i
4327 header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
4328 body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i
4330 meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
4331 score KAM_ATTORNEY 3.5
4332 describe KAM_ATTORNEY Ads for legal services
4335 header __KAM_RECALL1 From =~ /dog.?food/i
4336 header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
4337 body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i
4339 meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
4340 score KAM_RECALL 3.5
4341 describe KAM_RECALL Spam for product recall notices
4343 #REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
4344 rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
4345 tflags __KAM_HUGEIMGSRC multiple maxhits=6
4347 meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
4348 score KAM_HUGEIMGSRC 0.2
4349 describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
4351 describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
4352 rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
4353 score KAM_REALLYHUGEIMGSRC 0.5
4355 rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
4356 describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
4357 score KAM_TRACKIMAGE 0.2
4359 #BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
4360 meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
4361 score KAM_GRABBAG3 3.0
4362 describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients
4364 #MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
4365 #IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
4366 rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
4368 meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
4369 describe KAM_EMPTYLINK Many empty a tags with href all in a row
4370 score KAM_EMPTYLINK 3.5
4372 header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
4373 describe __KAM_TILDEFROM Spam with a from name that starts with tilde
4375 # WORDS THAT "A R E S P A C E D O U T" LIKE SO
4376 body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i
4378 # SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
4379 header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal|invest in your country/i
4380 body __KAM_INVESTCOUNTRY2 /invest in your country|investment purpose/i
4381 tflags __KAM_INVESTCOUNTRY2 nosubject
4383 meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 + FREEMAIL_FROM >= 3)
4384 score KAM_INVESTCOUNTRY 4.5
4385 describe KAM_INVESTCOUNTRY Spam for investing in your country
4388 header __KAM_FLAG1 From =~ /flag/i
4389 header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
4390 body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
4392 meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
4394 describe KAM_FLAG Spam that sells flags
4396 rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
4397 describe __KAM_BIGSMALL Spam engine that is using nested big and small tags
4399 rawbody __KAM_DIVTITLE /<div (title|alt)/i
4400 describe __KAM_DIVTITLE Div tag with custom alt text
4402 rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
4403 describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area
4405 meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
4406 describe KAM_GRABBAG4 Another spam engine that displays unique quirks
4407 score KAM_GRABBAG4 3.5
4409 header __KAM_KORS1 From =~ /Michael Kors/i
4410 header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
4411 body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
4413 meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
4415 describe KAM_KORS Spam for Michael Kors
4417 header __KAM_HOLIDAY1 From =~ /holidays/i
4418 header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
4419 body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
4421 meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
4422 describe KAM_HOLIDAY Generic holiday deals
4423 score KAM_HOLIDAY 3.5
4425 #Thanks to Dave Wreski for his idea on commas
4426 header __KAM_MANYTO To =~ />,/i
4427 tflags __KAM_MANYTO multiple maxhits=5
4429 header __KAM_MANYTO2 To =~ /, /
4430 tflags __KAM_MANYTO2 multiple maxhits=25
4432 meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
4433 score KAM_MANYTO 0.2
4434 describe KAM_MANYTO Email has more than one To Header or more than 25 recipients
4436 meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
4437 score KAM_GRABBAG5 5.0
4438 describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients
4440 body __KAM_MILLIONAIRE1 /internet millionai?re/i
4441 body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
4442 header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
4444 meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
4445 score KAM_MILLIONAIRE 4.5
4446 describe KAM_MILLIONAIRE Internet millionaire guarantees money
4448 header __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
4449 header __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
4450 body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
4452 meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
4453 score KAM_OILCHANGE 4.5
4454 describe KAM_OILCHANGE Spam for oil changes
4456 header __KAM_ADHD1 From =~ /ADH?D/i
4457 header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
4458 body __KAM_ADHD3 /struggling with adh?d|treatment options/i
4460 meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
4462 describe KAM_ADHD Spam for ADD and ADHD treatment
4465 header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
4466 header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
4467 body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
4469 meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
4470 score KAM_REPAIR1 3.5
4471 describe KAM_REPAIR1 Spam for auto repair services
4474 header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
4475 header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
4476 body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
4478 meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
4479 score KAM_REPAIR2 3.5
4480 describe KAM_REPAIR2 Spam for home repair services
4482 body __KAM_EPISODE /episode \d+/i
4484 header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
4485 header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
4486 body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
4487 body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
4489 meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
4491 describe KAM_CLOUD Spam for cloud services
4493 #FAX AND PAPERLESS SPAM
4494 header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
4495 header __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
4496 body __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
4497 body __KAM_PAPERLESS4 /link expires/i
4499 meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
4500 score KAM_PAPERLESS 4.5
4501 describe KAM_PAPERLESS Paperless spam for the paperless office
4503 rawbody __KAM_LOTSOFNBSP /( ?){30}/i
4505 header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i
4507 # PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
4508 header __KAM_PASSWORD1 Subject =~ /password/i
4509 body __KAM_PASSWORD2 /validate.your.email/i
4511 meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
4512 score KAM_PASSWORD 1.5
4513 describe KAM_PASSWORD Message tries to phish for password
4515 # SEMINARS AND WORKSHOPS SPAM
4516 header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
4517 header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
4518 header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
4519 body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
4521 meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
4522 describe KAM_WEBINAR Spam for webinars
4523 score KAM_WEBINAR 3.5
4525 meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
4526 describe KAM_WEBINAR2 Spam for webinars
4527 score KAM_WEBINAR2 3.5
4529 header __KAM_CONTACTME1 Subject =~ /^contact me$/i
4530 body __KAM_CONTACTME2 /read the attached letter/i
4532 meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
4533 score KAM_CONTACTME 3.5
4534 describe KAM_CONTACTME Spam that wants you to reply
4536 header __KAM_MESH1 From =~ /consumer|connect|claim/i
4537 header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
4538 body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
4540 meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
4541 describe KAM_MESH Spam for surgical mesh
4544 header __KAM_ALERT1 From =~ /medical.?alert/i
4545 header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
4546 body __KAM_ALERT3 /help button/i
4548 meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
4550 describe KAM_ALERT Spam for medical alerts
4552 # SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
4553 header __KAM_SECURITY1 From =~ /Digital Defense/i
4554 header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
4555 body __KAM_SECURITY3 /information.security|cyber.?criminal/i
4557 meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
4558 describe KAM_SECURITY Spam related to online security
4559 score KAM_SECURITY 6.0
4561 body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
4562 body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
4563 body __KAM_JESUS3 /nigeria|muslim.women/i
4565 meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
4566 describe KAM_JESUS Christian spam
4569 header __KAM_CLAIMS1 From =~ /claims.payment/i
4570 header __KAM_CLAIMS2 Subject =~ /confirm/i
4571 body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
4573 meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
4574 describe KAM_CLAIMS Spam for claims processing
4575 score KAM_CLAIMS 4.5
4578 header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
4579 header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
4580 body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
4582 meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
4583 describe KAM_VISION Spam for vision improvement
4584 score KAM_VISION 4.5
4586 body KAM_TRUTHINESS /[Tt]he TRUTH/
4587 describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
4588 score KAM_TRUTHINESS 1.5
4590 header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
4591 header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
4592 body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
4594 meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
4595 score KAM_KITCHEN 4.5
4596 describe KAM_KITCHEN Spam for kitchen improvement
4598 # ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
4599 header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
4601 header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
4603 body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
4605 meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
4606 score KAM_GENERICHEALTH 1.75
4607 describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
4609 header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
4610 header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
4611 body __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
4613 header __KAM_SALEA_1 From =~ /touch.?fire/i
4614 header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
4615 body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
4617 meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
4619 describe KAM_SALE Spam for things on sale
4621 meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
4623 describe KAM_SALEA A very persistent ipad spam campaign
4625 # SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
4626 body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
4627 tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
4629 meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
4630 describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
4631 score KAM_ASCII_DIVIDERS 0.8
4633 # RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
4634 header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
4636 rawbody __KAM_HTMLNOISE1 /<big><\/big>|<small><\/small>|<style><\/style>/i
4638 meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
4639 score KAM_HTMLNOISE 1.0
4640 describe KAM_HTMLNOISE Spam containing useless HTML padding
4642 header __KAM_CHICKEN1 From =~ /coop/i
4643 header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
4644 body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
4646 meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
4647 score KAM_CHICKEN 4.5
4648 describe KAM_CHICKEN Spam for chicken coops
4650 # SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
4651 rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
4653 meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
4654 score KAM_LINEPADDING 1.2
4655 describe KAM_LINEPADDING Spam that tries to get past blank line filters
4658 header __KAM_DRAPES1 From =~ /drapes/i
4659 header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
4660 body __KAM_DRAPES3 /banner.stand|print.project/i
4662 meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
4663 score KAM_DRAPES 3.5
4664 describe KAM_DRAPES Spam for drapes
4666 header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
4667 header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
4668 body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
4670 meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
4671 describe KAM_NUWAVE Spam for cooking tools
4672 score KAM_NUWAVE 3.5
4674 rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
4675 tflags __KAM_MANYCOMMENTS multiple maxhits=6
4677 meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
4678 describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
4679 score KAM_MANYCOMMENTS 1.2
4681 header __KAM_HIRE1 From =~ /recruit/i
4682 header __KAM_HIRE2 Subject =~ /checking.in/i
4683 body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
4685 meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
4686 describe KAM_HIRE Spam for hiring services
4689 header __KAM_DEALS1 From =~ /deal.?hunter/i
4690 header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
4691 body __KAM_DEALS3 /exclusive.savings/i
4693 meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
4695 describe KAM_DEALS Generic advertising for deals
4697 header __KAM_CONTRACT1 From =~ /samanage/i
4698 header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
4699 body __KAM_CONTRACT3 /buy you out|service management|management solution/i
4701 meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
4702 score KAM_CONTRACT 4.5
4703 describe KAM_CONTRACT Spam that will buy your service contract
4706 header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
4707 header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
4708 body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
4710 meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
4711 describe KAM_TOLL Spam for road tolls
4714 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4716 header __KAM_AMAZON1 From =~ /amazon\.com/i
4718 header __KAM_AMAZON2 From:addr !~ /amazon\.com/i
4719 header __KAM_AMAZON3 From:name =~ /amazon\.com/i
4721 meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2) || (__KAM_AMAZON2 + __KAM_AMAZON3 >= 2)
4722 score KAM_AMAZON 4.5
4723 describe KAM_AMAZON Fake Amazon email with malware
4727 header __KAM_LANDSCAPE1 From =~ /landscaping/i
4728 header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
4729 body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
4730 body __KAM_LANDSCAPE4 /stone.carving/i
4732 meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
4733 describe KAM_LANDSCAPING Spam for landscaping
4734 score KAM_LANDSCAPING 3.5
4737 header __KAM_SINGING1 From =~ /singing/i
4738 header __KAM_SINGING2 Subject =~ /professional.singer/i
4739 body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
4741 meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
4742 describe KAM_SINGING Spam for singing lessons
4743 score KAM_SINGING 4.5
4746 header __KAM_ADVERTISE1 From =~ /gmail/i
4747 header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
4748 body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
4750 meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
4751 describe KAM_ADVERTISE Spam that wants you to advertise for them
4752 score KAM_ADVERTISE 4.5
4754 # RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
4755 if (version >= 3.003002)
4756 ifplugin Mail::SpamAssassin::Plugin::DKIM
4757 ifplugin Mail::SpamAssassin::Plugin::SPF
4758 # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
4759 header __KAM_SPF_NONE eval:check_for_spf_none()
4761 meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
4762 score KAM_LAZY_DOMAIN_SECURITY 1.0
4763 describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
4768 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4769 # FORGED EMAILS WITH A VIRUS ATTACHED
4770 meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
4771 score KAM_FORGED_ATTACHED 4.5
4772 describe KAM_FORGED_ATTACHED Forged email with a malware attachment
4775 # LOTS OF PERIODS IN SUBJECT
4776 header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
4778 meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
4779 describe KAM_MANYDOTS Spam with lots of periods in subject
4780 score KAM_MANYDOTS 3.5
4783 header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
4785 meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
4786 describe KAM_SUBJECTNOTICE Spam notices
4787 score KAM_SUBJECTNOTICE 1.0
4789 # SPAM FOR BACKUP SERVICE
4790 header __KAM_BACKUP1 From =~ /backup/i
4791 header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
4792 body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
4794 meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
4795 describe KAM_BACKUP Spam for backup services
4796 score KAM_BACKUP 4.5
4798 # SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
4799 header KAM_FROMNUM From:name =~ /\.\d{7,}$/
4800 describe KAM_FROMNUM Spam with large numbers in the from header
4801 score KAM_FROMNUM 1.0
4803 # LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
4804 meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
4805 score KAM_LINKBAIT 2.5
4806 describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place
4808 uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
4810 meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
4811 score KAM_LINKBAIT2 1.5
4812 describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site
4815 meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
4816 score KAM_LINKBAIT3 1.5
4817 describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
4819 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4820 # MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
4821 meta KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
4822 score KAM_PHISHY_DOLLARS 3.5
4823 describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
4826 # RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
4827 header __KAM_MULTIPLE_FROM From =~ /^./
4828 tflags __KAM_MULTIPLE_FROM multiple maxhits=2
4830 header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
4832 meta KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
4833 describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
4834 score KAM_GRABBAG6 4.5
4836 # GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
4837 header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
4838 score KAM_GENERICHELLO 1.5
4839 describe KAM_GENERICHELLO Spam with generic greetings in the subject
4841 # FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
4842 header __KAM_GOOGLE2_1 From =~ /google\+/i
4843 header __KAM_GOOGLE2_2 From !~ /google.com/i
4845 meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
4846 score KAM_GOOGLE2 4.5
4847 describe KAM_GOOGLE2 Fake Google spam
4849 # MORE NIGERIAN VARIANTS
4850 body __KAM_NIGERIAN3_1 /congo/i
4852 meta KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
4853 score KAM_NIGERIAN3 4.5
4854 describe KAM_NIGERIAN3 Nigerian scam variant
4857 header __KAM_FINGERHUT1 From =~ /finger.?hut/i
4858 header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
4859 body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
4861 meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
4862 score KAM_FINGERHUT 4.5
4863 describe KAM_FINGERHUT Spam for fingerhut
4865 # FRIEND REQUEST SPAM
4866 header __KAM_FRIEND1 Subject =~ /new.notification/i
4867 body __KAM_FRIEND2 /wants.to.follow/i
4869 meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
4870 score KAM_FRIEND 1.5
4871 describe KAM_FRIEND Friend request spam
4873 # ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
4874 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4875 meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
4876 score KAM_VERY_MALWARE 3.5
4877 describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
4880 #MERCHANT ACCOUNTS SPAM
4881 header __KAM_MERCHANT1 Subject =~ /finance.department/i
4882 body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
4883 body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
4885 meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
4886 score KAM_MERCHANT 4.5
4887 describe KAM_MERCHANT Spam for merchant processing
4889 # ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
4890 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4891 mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
4892 header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
4894 # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
4895 #meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
4896 #describe KAM_ZERODAY obviously a malware email that was not caught
4897 #score KAM_ZERODAY 8.0
4900 header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
4902 meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
4903 score KAM_ZERODAY2 1.0
4904 describe KAM_ZERODAY2 Another obvious zero-day malware
4906 meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
4907 score KAM_ZERODAY3 3.5
4908 describe KAM_ZERODAY3 Another obvious zero-day malware
4911 #MORE ACCOUNTING DANGEROUS SPAMS
4912 meta KAM_DANGEROUSXLS (__KAM_ZERODAY3 + KAM_OLEMACRO_ENCRYPTED + KAM_OLEMACRO_RENAME >= 3)
4913 describe KAM_DANGEROUSXLS Dangerous accounting emails with zero day payloads
4914 score KAM_DANGEROUSXLS 6.0
4917 header __KAM_ANCESTOR1 From =~ /ancestry/i
4918 header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
4919 body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
4921 meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
4922 describe KAM_ANCESTOR Spam for family trees
4923 score KAM_ANCESTOR 3.5
4925 # REMEMBER WHEN YOU GOT THAT SPAM
4926 header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
4927 body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
4928 body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
4930 meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
4931 score KAM_REMEMBERWHEN 4.5
4932 describe KAM_REMEMBERWHEN Reminder of something that never happened
4934 # THE LATEST TRAILING NOISE FORMAT
4935 body __KAM_NOISE1 /([a-z0-9],){12}/i
4936 body __KAM_NOISE2 /([a-z]{1,10},){10}/i
4938 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4939 meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
4940 describe KAM_NOISE1 Pattern of noise words at the end of an email
4941 score KAM_NOISE1 2.5
4945 header __KAM_PIZZA1 From =~ /pizza/i
4946 header __KAM_PIZZA2 Subject =~ /^free pizza$/i
4947 body __KAM_PIZZA3 /free.pizza.coupon/i
4949 meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
4951 describe KAM_PIZZA Spam for free pizza
4954 header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
4955 body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
4956 body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
4958 meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
4959 score KAM_ENGINEER 3.5
4960 describe KAM_ENGINEER Spam for engineering contact information
4963 header __KAM_SUNGLASSES1 Subject =~ /rayban/i
4964 body __KAM_SUNGLASSES2 /great ray|hot.deal/i
4965 body __KAM_SUNGLASSES3 /style rocks|today.only/i
4967 meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
4968 describe KAM_SUNGLASSES Spam for sunglasses
4969 score KAM_SUNGLASSES 3.5
4971 # INVOICE SPAM OF THE DAY
4972 header __KAM_INVOICE1 From =~ /billing/i
4973 header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
4974 header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
4975 body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
4976 uri __KAM_INVOICE5 /overdue|final.account/i
4978 meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
4979 score KAM_INVOICE 4.5
4980 describe KAM_INVOICE Phishing invoice spam
4982 meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
4983 score KAM_INVOICE2 5.5
4984 describe KAM_INVOICE2 Phishing invoice spam
4987 header __KAM_GRIPPY1 From =~ /gripeez/i
4988 header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
4989 body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
4991 meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
4992 score KAM_GRIPPY 4.5
4993 describe KAM_GRIPPY Spam for sticky grip products
4995 # LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
4996 header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing|Bank of America/i
4997 header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
4998 body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
4999 body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
5001 meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
5002 score KAM_ACCOUNTPHISH 3.20
5003 describe KAM_ACCOUNTPHISH Spam that tries to get account information
5006 header __KAM_PROPERTY1 From =~ /high.rise|condo/i
5007 header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
5008 body __KAM_PROPERTY3 /convenient.location/i
5010 meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
5011 score KAM_PROPERTY 2.5
5012 describe KAM_PROPERTY Spam for buying property
5015 header __KAM_FAKEAMEX1 From =~ /aexp.com/i
5017 meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
5018 score KAM_FAKEAMEX 8.0
5019 describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
5021 header KAM_HUGESUBJECT Subject =~ /^.{500}/
5022 score KAM_HUGESUBJECT 2.5
5023 describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
5026 header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
5027 uri __KAM_HOOKUP2 /justhookup/i
5028 body __KAM_HOOKUP3 /match.?me.?networks/i
5030 meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
5031 score KAM_HOOKUP 10.5
5032 describe KAM_HOOKUP Spam for Local Hookup Service
5035 header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
5036 uri __KAM_PSYCHIC2 /free.psychic/i
5037 body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
5039 meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
5040 score KAM_PSYCHIC 4.5
5041 describe KAM_PSYCHIC Current Psychic Product Spam du Jour
5044 body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
5046 meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
5047 score KAM_BADUNSUB 3.0
5048 describe KAM_BADUNSUB Bad Unsubscribe Messages
5050 #GRABBAG FOR A ROUND OF WORDPRESS HACKS
5051 rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
5053 meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
5054 score KAM_GRABBAG7 3.0
5055 describe KAM_GRABBAG7 Spam pattern with bad HTML message
5057 #TINYURL OBFUSCATION
5058 uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
5060 meta KAM_TINYURL (__KAM_TINYURL1)
5061 score KAM_TINYURL 4.0
5062 describe KAM_TINYURL Spammy urls that hide behind a link shortener
5064 # FAKE DROPBOX - Adding _ to DROPBOX2 for badly configured ESS servers
5065 header __KAM_DROP_BOX1 From =~ /dropbox/i
5066 header __KAM_DROP_BOX2 From !~ /dropbox.com/i
5067 body __KAM_DROP_BOX3 /shared.a.folder/i
5069 meta KAM_DROPBOX (__KAM_DROP_BOX1 + __KAM_DROP_BOX2 + __KAM_DROP_BOX3 >= 3)
5070 score KAM_DROPBOX 4.5
5071 describe KAM_DROPBOX Fake Dropbox emails
5073 # BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
5074 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5075 header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
5077 meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
5078 describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
5079 score KAM_YAHOO_MISTAKE -3.0
5083 meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
5084 score KAM_GRABBAG9 4.5
5085 describe KAM_GRABBAG9 Garbage email from a garbage freemail account
5088 header __KAM_AQUARUG1 From =~ /aqua.?rug/i
5089 header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
5090 body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
5092 meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
5093 score KAM_AQUARUG 3.5
5094 describe KAM_AQUARUG Spam for aqua rug product
5097 # Fixed FP thanks to j.marshall
5098 header __KAM_ITC1 From =~ /thetradecouncil.com/i
5099 body __KAM_ITC2 /International Trade Council/i
5100 body __KAM_ITC3 /enclosed/i
5102 meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
5104 describe KAM_ITC Fake email from International Trade Council
5106 # HAVE YOU SEEN THIS
5107 body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
5109 meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
5110 score KAM_SEENTHIS 4.5
5111 describe KAM_SEENTHIS Have you seen this spam?
5114 header __KAM_DETOX1 From =~ /detox/i
5115 header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
5116 body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
5118 meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
5120 describe KAM_DETOX Spam for trendy detox stuff
5123 header __KAM_DEATHINSURE1 From =~ /live.sure/i
5124 header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
5125 body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
5127 meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
5128 describe KAM_DEATHINSURE Spam for death insurance
5129 score KAM_DEATHINSURE 3.5
5132 body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
5133 score KAM_REACHBASE 2.5
5134 describe KAM_REACHBASE Marketing email pretending to be business info
5136 # DIGITAL WALLET SPAM
5137 header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
5138 header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
5139 body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
5141 meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
5142 score KAM_DIGITALWALLET 3.5
5143 describe KAM_DIGITALWALLET Spam for digital wallet services
5146 header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
5147 header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
5149 meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
5150 score KAM_BADPHP 3.5
5151 describe KAM_BADPHP Questionable PHP mailer headers
5154 header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)/i
5155 header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring/i
5156 body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled/i
5158 meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
5159 describe KAM_TINNITUS Tinnitus spam
5160 score KAM_TINNITUS 4.5
5163 header __KAM_KIWIBANK1 From =~ /kiwibank/i
5164 header __KAM_KIWIBANK2 Subject =~ /verification.required/i
5165 body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
5167 meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
5168 describe KAM_KIWIBANK Account phish for Kiwibank
5169 score KAM_KIWIBANK 3.5
5172 header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
5173 body __KAM_HAPPYTALK2 /honest.and.nice/i
5174 body __KAM_HAPPYTALK3 /beautiful.mail/i
5176 meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
5177 score KAM_HAPPYTALK 3.5
5178 describe KAM_HAPPYTALK Weirdly happy spam
5181 header __KAM_SETTLEMENT1 From =~ /xarelto/i
5182 header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
5183 body __KAM_SETTLEMENT3 /lawsuit.information/i
5185 meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
5186 score KAM_SETTLEMENT 3.5
5187 describe KAM_SETTLEMENT Spam offering lawsuit settlement
5190 header __KAM_CAD1 Subject =~ /cad.drawing/i
5191 body __KAM_CAD2 /we.specialize.in/i
5192 body __KAM_CAD3 /our.products/i
5194 meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
5195 describe KAM_CAD Spam for CAD services
5198 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5199 #SPAM WITH OFFICE MACROS
5200 header __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
5202 meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
5203 describe KAM_VBMACRO Message contains attachment with VB macro
5204 score KAM_VBMACRO 6.5
5206 #SPAM THAT INDICATES DYNAMIC IP
5207 header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i
5208 describe KAM_DYNIP Message contains Dynamic IP Address Indicator
5213 # YELP AND OTHER REVIEW SITES
5214 header __KAM_REVIEW1 From =~ /contractor/i
5215 header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
5216 body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i
5218 meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
5219 describe KAM_REVIEW Spam for review sites
5220 score KAM_REVIEW 4.5
5223 header __KAM_TOURS1 From =~ /festival/i
5224 header __KAM_TOURS2 Subject =~ /adventure.tour/i
5225 body __KAM_TOURS3 /your.adventure.tour|your.event/i
5227 meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
5229 describe KAM_TOURS Spam for tours and events
5231 # NO MORE SPAM ENGINES
5232 body __KAM_NOMORE1 /no.more.of.this/i
5233 body __KAM_NOMORE2 /no.more.at.all/i
5235 meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
5236 describe KAM_NOMORE Another predictable spam engine
5237 score KAM_NOMORE 3.5
5239 # NOT REALLY CONFIDENTIAL
5240 body __KAM_NOCONFIDENCE1 /confidential.information/i
5242 meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
5243 score KAM_NOCONFIDENCE 0.5
5244 describe KAM_NOCONFIDENCE Confidential information sent with no security
5246 # YER GON GET SASSINATED
5247 header __KAM_ASSASSIN1 Subject =~ /want you dead/i
5248 body __KAM_ASSASSIN2 /my identity/i
5249 body __KAM_ASSASSIN3 /assassinate/i
5250 body __KAM_ASSASSIN4 /like.an.accident/i
5252 meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
5253 score KAM_ASSASSIN 4.5
5254 describe KAM_ASSASSIN Assassination spam
5256 # GIMME FLASH DRIVES
5257 header __KAM_DRIVE1 From =~ /purchase|manager/i
5258 header __KAM_DRIVE2 Subject =~ /quotation/i
5259 body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i
5261 meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
5263 describe KAM_DRIVE Spam for ordering office equipment
5265 #BAD TLD - TESTING NEW blacklist_uri_host feature
5266 #PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
5267 #if (version >= 3.004000)
5268 # blacklist_uri_host link
5271 #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
5272 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5273 meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
5274 score KAM_QUITE_BAD_DNSWL 3.25
5275 describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5277 meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
5278 score KAM_QUITE_BAD_DNSWL 3.25
5279 describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5282 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5283 meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
5284 score KAM_BAD_DNSWL 7.0
5285 describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5287 meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
5288 score KAM_BAD_DNSWL 7.0
5289 describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5293 header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry|sharpear/i
5294 header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids|restore your hearing/i
5295 body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid|mineral to restore/i
5297 meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
5298 score JMQ_HEARINGLOSS 3.5
5299 describe JMQ_HEARINGLOSS Spam for hearing loss solutions
5302 header __JMQ_TRACKR1 From =~ /trackr/i
5303 header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
5304 body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i
5306 meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
5307 score JMQ_TRACKR 4.5
5308 describe JMQ_TRACKR Spam for TrackR
5311 header __JMQ_CONGRAT1 From =~ /award|claim/i
5312 header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
5314 meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
5315 score JMQ_CONGRAT 3.5
5316 describe JMQ_CONGRAT Open attachment to claim your free spam
5319 header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
5320 body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
5321 header __JMQ_PICKUP3 X-Mailer =~ /php/i
5322 body __JMQ_PICKUP4 /\d+.year.old|female/i
5324 meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
5325 score JMQ_PICKUP 8.0
5326 describe JMQ_PICKUP spam that wants your number
5328 # COMPROMISED DROPBOX
5329 header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
5330 header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
5331 body __JMQ_DROPBOX3 /ach.(payment|transfer)/i
5333 meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
5334 score JMQ_DROPBOX 3.0
5335 describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts
5338 header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
5339 body __KAM_BAD_REVIEW2 /Reputation Giant/i
5341 meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
5342 score KAM_BAD_REVIEW 4.0
5343 describe KAM_BAD_REVIEW Online reputation spammers
5346 header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
5347 body __KAM_GOOGLE_AWARD2 /selected as a winner/i
5348 body __KAM_GOOGLE_AWARD3 /Dear Google/i
5349 body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i
5351 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5352 mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
5353 mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
5356 meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
5357 score KAM_GOOGLE_AWARD 5.0
5358 describe KAM_GOOGLE_AWARD Fake Google Awards
5361 body KAM_OBFU_LOANS /Stüdént Lóans/i
5362 score KAM_OBFU_LOANS 5.0
5363 describe KAM_OBFU_LOANS Obfuscated Loan Verbiage
5366 body __KAM_WORKFROMHOME1 /work from home/i
5368 meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
5369 score KAM_WORKFROMHOME 1.75
5370 describe KAM_WORKFROMHOME Work from Home Spams
5373 body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
5374 body __KAM_STUDENTLOAN2 /consolidate your loan/i
5375 body __KAM_STUDENTLOAN3 /doesn't injured/i
5376 body __KAM_STUDENTLOAN4 /866-351-4693/i
5377 body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i
5379 meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
5380 score KAM_STUDENTLOAN 4.5
5381 describe KAM_STUDENTLOAN Student Loan Scam
5384 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5385 header __JMQ_RESUME1 Subject =~ /resume/i
5386 body __JMQ_RESUME2 /hello my name|my name is/i
5387 body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
5388 mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
5389 mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
5391 meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
5392 score JMQ_RESUME 4.5
5393 describe JMQ_RESUME Spam for bad attached resumes
5397 header __KAM_LED1 From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun|flood ?light/i
5398 body __KAM_LED2 /(garage|LED Fan) Light|sun-?like|\dx the brightness|security "?must have/i
5399 tflags __KAM_LED2 nosubject
5400 header __KAM_LED3 Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED|security "?must have/i
5402 meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
5403 describe KAM_LED LED Lighting Spams
5407 header __JMQ_REALESTATE1 From =~ /tom.brice/i
5408 header __JMQ_REALESTATE2 Subject =~ /real.estate/i
5409 body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i
5411 meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
5412 describe JMQ_REALESTATE Real estate spam
5413 score JMQ_REALESTATE 4.5
5416 header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
5417 score JMQ_IPINFROM 2.5
5418 describe JMQ_IPINFROM Spam with IP in the from address
5420 # IFFY PAYPAL OF THE DAY
5421 header __JMQ_PAYPAL2 From =~ /paypai/i
5423 meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
5424 score JMQ_PAYPAL2 4.5
5425 describe JMQ_PAYPAL2 PayPal spam of the day
5427 # RESUME SPAM REDUX PART 2 (WOOHOO)
5428 meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
5429 score JMQ_RESUME3 3.5
5430 describe JMQ_RESUME3 Yet more resume spam
5432 # SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
5433 ifplugin Mail::SpamAssassin::Plugin::AskDNS
5434 askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
5435 describe JMQ_SPF_NEUTRAL SPF set to ?all
5436 score JMQ_SPF_NEUTRAL 0.5
5438 askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
5439 describe JMQ_SPF_ALL SPF set to +all!
5440 score JMQ_SPF_ALL 0.5
5444 header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
5445 body __JMQ_IMPORTANT2 /important message/i
5446 body __JMQ_IMPORTANT3 /please visit/i
5448 meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
5449 score JMQ_IMPORTANT 4.5
5450 describe JMQ_IMPORTANT Spam that thinks it is important
5453 uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i
5455 meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
5456 score JMQ_TRACKER 0.5
5457 describe JMQ_TRACKER Message uses image-based tracker
5460 header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
5461 body __JMQ_WIRE2 /medical.support|payment.sent/i
5462 body __JMQ_WIRE3 /bank.wire|sent.out.asap/i
5464 meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
5466 describe JMQ_WIRE Attempt to steal money via wire transfer
5468 #bindata code in RTF
5469 #rawbody __KAM_BADRTF1 /<w:binData/
5470 #rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/
5472 #meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
5473 #describe KAM_BADRTF Message contains binary data in RTF format
5474 #score KAM_BADRTF 5.0
5477 body __KAM_ORDER1 /Please find document attached/i
5478 header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i
5480 meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
5482 describe KAM_ORDER Fraudulent Order Emails
5484 rawbody __RB_LE_200 /^.{2,200}$/s
5485 tflags __RB_LE_200 multiple maxhits=2
5486 rawbody __RB_GT_200 /^.{201}/s
5487 meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
5490 body __KAM_SHOCK1 /shocking.beverage/i
5491 header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
5492 body __KAM_SHOCK3 /drinking this beverage/i
5494 meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
5496 describe KAM_SHOCK Spams with energy drinks
5499 body __KAM_BEAUTY1 /she now looks \d+/i
5500 body __KAM_BEAUTY2 /reveals exactly/i
5501 body __KAM_BEAUTY3 /most amazing transformation/i
5502 header __KAM_BEAUTY4 Subject =~ /now looks \d+/i
5504 meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
5505 score KAM_BEAUTY 4.0
5506 describe KAM_BEAUTY Youth and Beauty Product Scams
5509 body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
5510 header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
5511 body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
5512 body __KAM_WEED4 /(weed|pot).stock/i
5514 meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
5516 describe KAM_WEED Legal Weed and related investment scams
5519 body __KAM_LOGO1 /guru.level logo/i
5520 header __KAM_LOGO2 Subject =~ /guru.level logo/i
5521 body __KAM_LOGO3 /(guru.level|ready.made) logo/i
5523 meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
5525 describe KAM_LOGO Logo Spam
5528 body __KAM_TRUMPCOIN1 /Donald Trump/i
5529 header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
5530 body __KAM_TRUMPCOIN3 /special colored coin/i
5532 meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
5533 score KAM_TRUMPCOIN 5.25
5534 describe KAM_TRUMPCOIN Trump Coin Spam
5537 body __KAM_WATER1 /Never Drink Water/i
5538 header __KAM_WATER2 Subject =~ /bottled water/i
5539 body __KAM_WATER3 /filtered tap water/i
5541 meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
5542 score KAM_WATER 5.25
5543 describe KAM_WATER Water Poison Scam
5546 body __KAM_RUIN1 /do not deposit/i
5547 header __KAM_RUIN2 Subject =~ /money into your bank/i
5548 body __KAM_RUIN3 /banking institutions/i
5550 meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
5552 describe KAM_RUIN Bank Phishing Scam
5555 body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation|researcher has just discovered|weight loss is wrong/i
5556 tflags __KAM_WEIGHT2_1 nosubject
5557 header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym|fat hack|doctor shocked/i
5558 body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+|lbs every \d+ hour|(pound|lb)s in \d+ days|melts pounds/i
5559 header __KAM_WEIGHT2_4 From:name =~ /eat this seed|flat.?belly|big.?stomach/i
5561 meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 + __KAM_WEIGHT2_4 >= 3
5562 score KAM_WEIGHT2 5.25
5563 describe KAM_WEIGHT2 Weight loss process du jour
5566 body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
5567 header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
5568 body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
5569 header __KAM_LENS4 From =~ /hdcam|lens|inhd/i
5571 meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
5573 describe KAM_LENS Amazing Lens Scam
5576 body __KAM_HONOR1 /greatest thing of your life/i
5577 header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
5578 body __KAM_HONOR3 /profession women/i
5579 body __KAM_HONOR4 /invitation/i
5581 meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
5582 score KAM_HONOR 6.25
5583 describe KAM_HONOR Professional Network Scam
5586 #Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
5588 #tflags __ALL_URI multiple
5590 #Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
5591 header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
5592 header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
5593 full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si
5595 meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
5596 score KAM_BAD_UTF8 14.0
5597 describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
5600 body __KAM_DEATH1 /prevent early.death/i
5601 header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
5602 body __KAM_DEATH3 /Eating this|before it.?s too late/i
5603 body __KAM_DEATH4 /heart.(attack|stops)/i
5605 meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
5606 score KAM_DEATH 6.25
5607 describe KAM_DEATH Supplement Scam
5610 body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
5611 header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
5612 header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
5613 header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i
5615 meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
5616 score KAM_REWARD 5.25
5617 describe KAM_REWARD Coupon Scam
5620 body __KAM_PACKAGE1 /dysfunction|\dx longer/i
5621 body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
5622 header __KAM_PACKAGE3 Subject =~ /sex/i
5623 header __KAM_PACKAGE4 From =~ /function|fivex/i
5625 meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
5626 score KAM_PACKAGE 4.25
5627 describe KAM_PACKAGE Sexual Enhancement Scam
5630 header __KAM_NUMSUBJECT Subject =~ /\d+$/
5631 header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/
5633 meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
5634 score KAM_NUMSUBJECT 0.5
5635 describe KAM_NUMSUBJECT Subject ends in numbers excluding current years
5637 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5639 mimeheader KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
5641 describe KAM_MGCS Boundary Content Indicative of Ratware
5644 #NetWeaver - Disabled 7/24
5645 #header KAM_NW X-Mailer =~ /SAP NetWeaver/i
5647 #describe KAM_NW Spam Indicator
5650 body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
5651 body __KAM_STOCKOBFU2 /first letter/i
5652 header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i
5654 meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
5655 describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
5656 score KAM_STOCKOBFU 4.5
5658 #FAKE BBB/FLSA NOTICES
5659 header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
5660 body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
5661 body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
5662 body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i
5664 meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
5665 describe KAM_FAKEBBB Fake Notices for Various Business Violations
5666 score KAM_FAKEBBB 12.0
5669 #header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
5670 body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
5671 body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
5672 body __KAM_HOWRU4 /gmx.com|rambler.ru/i
5674 meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
5675 describe KAM_HOWRU Female Chat Scam
5678 # 2017-11-01, note 56146
5680 body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
5681 body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
5682 body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
5683 body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i
5685 body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i
5687 meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)
5689 meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)
5691 score KAM_DOMAIN_SALE_2 3.0
5692 score KAM_DOMAIN_SALE_3 1.0
5694 meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)
5696 score KAM_DOMAIN_SALE_INTRUDE 1.0
5698 describe KAM_DOMAIN_SALE_2 Domain Selling Spam
5699 describe KAM_DOMAIN_SALE_3 Domain Selling Spam
5700 describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam
5702 # 2017-11-08, lonely russian women Whack-A-Mole
5704 # Likely Overlap with HOWRU rules, similar target. No real-life
5705 # overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
5708 header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
5709 header __KAM_SUBJECT_SINGLEWORD Subject =~ /^[a-z]+$/i
5710 header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i
5712 meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)
5714 score KB_WAM_LONELY_WOMEN 5.0
5715 describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day
5717 body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i
5719 #meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
5720 #score KB_WAM_OVERLAP -0.01
5721 #describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
5723 #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
5724 #All Control chars like NUL except \n which should exist once legitimately
5725 #Investigating double-byte language FP. Reverting back to just \0
5726 #header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
5727 header __KAM_MAILSPLOIT1 From =~ /[\0]/
5728 describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
5730 #\n Multiple in the From Header
5731 header __KAM_MAILSPLOIT2 From =~ /[\n]/
5732 describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
5733 tflags __KAM_MAILSPLOIT2 multiple maxhits=2
5735 meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
5736 describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
5737 score KAM_MAILSPLOIT 10.0
5739 #cc in From - Thanks to Dave Jones for idea
5740 header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
5741 describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
5742 score KAM_CCFROM1 5.0
5744 #MailBox Verify Phish - Also See KAM_MAILBOX
5745 header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
5746 header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
5747 body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box|retrieve messages/i
5748 body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota|low email storage/i
5749 header __KAM_MAILBOXFROM From =~ /mailbox/i
5751 meta KAM_BOXPHISH ((__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT >= 1) + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA + __KAM_MAILBOX1 >= 4)
5752 describe KAM_BOXPHISH Mailbox verification phishing scams
5753 score KAM_BOXPHISH 6.5
5756 body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
5757 header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i
5759 meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
5760 describe KAM_CRYPTO Crypto Currency Spam Du Jour
5761 score KAM_CRYPTO 8.0
5763 #COMPROMISED CMS - Thanks to Jing Shan for the idea
5764 uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
5765 uri __KAM_CMS2 /\/erroreng\/erroreng\//i
5766 uri __KAM_CMS3 /twentythirteen\/Upgrade\/?email=/i
5768 meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
5769 describe KAM_CMS Indicators that a CMS has been exploited for Spammers
5772 #WESTERN UNION SCANS
5773 header __KAM_WU1 from:addr !~ /\@westernunion.com/i
5774 header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
5775 uri __KAM_WU3 /western.umt/i
5777 meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
5778 describe KAM_WU Western Union Scam
5782 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5784 replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
5786 body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i
5789 body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i
5792 body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i
5795 body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
5798 body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
5801 header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
5804 header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i
5807 meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
5808 describe KAM_CRIM Extortion Email
5813 body __KAM_CRIM2_1 /bit.{0,2}coin/i
5814 body __KAM_CRIM2_2 /address\:/i
5815 body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
5817 meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
5818 describe KAM_CRIM2 Extortion Email
5822 #ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
5823 # Also want to look at Unicode U+200C.
5824 # Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D. $a
5826 # Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
5827 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5828 mimeheader __KAM_ZWNJ1 Content-Type =~ /charset.+windows-1256/i
5830 body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
5831 tflags __KAM_ZWNJ2 multiple maxhits=16
5832 body __KAM_ZWNJ3 /\&\#x200B;/i
5834 describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
5836 meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
5837 describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
5840 describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
5841 meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
5842 score KAM_ZWNJBAD 2.0
5845 body __KAM_GIRLS1 /Lack of sex/i
5847 meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
5848 describe KAM_GIRLS Girl Chat Scam du Jour
5851 #SKINCELL PRO Spam Du Jour
5852 body __KAM_SKINCELL1 /Skincell.Pro/i
5853 header __KAM_SKINCELL2 Subject =~ /Skincell.Pro/i
5855 meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
5856 describe KAM_SKINCELL Skincare Scam du Jour
5857 score KAM_SKINCELL 7.0
5859 #UK INVOICE - Thanks to Andy Smith for his help on this
5860 uri __KAM_UKINV1 /\/(client|share|documentview)$/i
5861 body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i
5862 body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i
5863 body __KAM_UKINV4 /£/i
5864 header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i
5865 header __KAM_UKINV6 Subject =~ /invoice/i
5867 meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6)
5868 describe KAM_UKINV Fake Invoice/Scan Scams
5872 body __KAM_LISTSALE1 /interested in acquiring/i
5873 body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
5874 body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i
5876 header __KAM_LISTSALE4 Subject =~ /users|leads/i
5877 header __KAM_LISTSALE5 From =~ /leads/i
5879 meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
5880 describe KAM_LISTSALE List sellers
5881 score KAM_LISTSALE 5.0
5884 uri KAM_GOOGLESHORT /\/www.google.com\/url\?q=.{4,16}bit\.ly/i
5885 describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners
5886 score KAM_GOOGLESHORT 9.0
5889 body __KAM_HEARTPROD1 /heart ?attack/i
5890 body __KAM_HEARTPROD2 /enzyme/i
5891 header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
5892 header __KAM_HEARTPROD4 From =~ /clear 7/i
5894 meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
5895 describe KAM_HEARTPROD Snake Oil Heart Health du Jour
5896 score KAM_HEARTPROD 7.0
5898 # LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE
5899 # NOTE: Some languages and people using things like ZWNJ repeatedly will cause FPs for this rule.
5900 # This rule disabled in deadweight anyway!
5901 describe __SCC_SHORT_WORDS A line with lots of short words
5902 body __SCC_SHORT_WORDS /\W(\D\w{1,3}\W{1,3}){11}/
5903 tflags __SCC_SHORT_WORDS multiple maxhits=40
5905 describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
5906 meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5
5907 describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
5908 meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10
5909 describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
5910 meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
5911 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
5912 meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
5914 # A pattern seen in subscription-bombings
5915 describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
5916 header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
5917 score SCC_SUBBOMB_SUBJ_1 5
5920 header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
5921 describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
5922 meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
5923 score SCC_FAKE_CPANEL 6
5925 header KAM_PHISHCP From =~ /\@cpanel\d+\.com/i
5926 describe KAM_PHISHCP Fraudulent notices purporting to be from cPanel
5927 score KAM_PHISHCP 15.0
5929 uri KAM_PHISHCP2 /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
5930 describe KAM_PHISHCP2 Fraudulent notices purporting to be from cPanel
5931 score KAM_PHISHCP2 15.0
5933 body __KAM_PHISHCP3_1 /cPanel Cloud Service/
5935 meta KAM_PHISHCP3 (KAM_SHORT + __KAM_PHISHCP3_1 >=2)
5936 describe KAM_PHISHCP3 Fraudulent notices purporting to be from cPanel
5937 score KAM_PHISHCP3 15.0
5939 uri __KAM_PHISHCP4_1 /defender\.php/i
5941 meta KAM_PHISHCP4 ((KAM_MAILBOX + KAM_MAILBOX2 >= 1) + __KAM_PHISHCP4_1 >= 2)
5942 describe KAM_PHISHCP4 Fraudulent cPanel Notices
5943 score KAM_PHISHCP4 15.0
5945 #https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
5946 body KAM_FILE /file:\/\/\/\//i
5947 describe KAM_FILE Potential attempt for NTLM attack
5951 header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou|\.quest>?$/i
5952 header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater|Canvas?Print|LeptiSense|Hello.?Fresh/i
5954 body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsub|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
5955 body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t|unable to) see (the|this)? ?image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
5956 uri __KAM_FUN3A /imgstore.host/i
5959 header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refinance|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls|audiobooks|memories into art|losing weight|CBD Gum/i
5962 body __KAM_FUN5 /\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
5964 body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown|chronic pain/i
5966 body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends|audiobooks/i
5967 tflags __KAM_FUN7 nosubject
5969 meta KAM_FUN ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
5970 describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
5973 meta KAM_FUN2 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
5974 describe KAM_FUN2 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
5977 #GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
5978 uri KAM_DRIVENUM /\d+\.drive\.google.com/i
5979 describe KAM_DRIVENUM Drive Links Prevalent in Spam
5980 score KAM_DRIVENUM 5.0
5982 #SWIFT PAYMENT SCAMS
5983 header __KAM_SWIFT1 Subject =~ /Swift/i
5984 body __KAM_SWIFT2 /swift copy/i
5985 body __KAM_SWIFT3 /balance payment/i
5987 meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
5988 describe KAM_SWIFT SWIFT payment scam
5991 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
5993 score FROMNAME_SPOOFED_EMAIL 0.3
5995 meta GB_FROMNAME_SPOOF_EQUALS_TO (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
5996 describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
5997 score GB_FROMNAME_SPOOF_EQUALS_TO 0.3
5999 meta GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
6000 describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
6001 score GB_FROMNAME_SPOOF_FREEMAIL 0.4
6003 ifplugin Mail::SpamAssassin::Plugin::FreeMail
6004 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
6005 meta GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
6006 describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
6007 score GB_FREEM_FROM_NOT_REPLY 0.4
6011 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
6012 header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i
6013 describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
6014 score KAM_RAPTOR_ALTERED 2.0
6018 header __KAM_PROFORMA1 Subject =~ /Proforma/i
6019 body __KAM_PROFORMA2 /no responds/i
6020 body __KAM_PROFORMA3 /highly encrypted/i
6021 body __KAM_PROFORMA4 /Proforma Invoice/i
6022 uri __KAM_PROFORMA5 /\.php/i
6024 meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
6025 describe KAM_PROFORMA Invoice scam
6026 score KAM_PROFORMA 7.5
6029 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6030 header __KAM_INVOICEPO1 Subject =~ /Invoice copies|EFT +Process|signed +contract|inquiry|PO-\d+|payment receipt/i
6031 body __KAM_INVOICEPO2 /invoice copies|EFT PROCESS|contract signed|attached enquiry|see the attached|Company name\:/i
6032 tflags __KAM_INVOICEPO2 nosubject
6034 meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + (KAM_HTMLINVOICE + KAM_HTMLINVOICE2 + T_HTML_ATTACH >= 1) >= 3)
6035 describe KAM_INVOICEPO Invoice scam
6036 score KAM_INVOICEPO 4.5
6038 mimeheader KAM_HTMLINVOICE Content-Type =~ /(remittance|invoice|contract|order|scan).{0,100}\.(rar|html?)/i
6039 describe KAM_HTMLINVOICE Invoice scam
6040 score KAM_HTMLINVOICE 3.0
6042 mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
6043 describe KAM_HTMLINVOICE2 Invoice scam
6044 score KAM_HTMLINVOICE2 3.0
6047 # Spear phishing rules
6048 ifplugin Mail::SpamAssassin::Plugin::FreeMail
6049 header __GB_TO_ADDR_FREEMAIL eval:check_freemail_header('To:addr')
6050 header __GB_TO_NAME_FREEMAIL eval:check_freemail_header('To:name')
6051 meta GB_TO_NAME_FREEMAIL ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
6052 describe GB_TO_NAME_FREEMAIL Freemail spear phish with free mail
6053 score GB_TO_NAME_FREEMAIL 0.01
6055 header __GB_FROM_ADDR_FREEMAIL eval:check_freemail_header('From:addr')
6056 header __GB_FROM_NAME_FREEMAIL eval:check_freemail_header('From:name')
6057 header __GB_FROM_NAME_EMAIL From:name =~ /\@/
6058 meta GB_FROM_NAME_FREEMAIL ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
6059 describe GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
6060 score GB_FROM_NAME_FREEMAIL 0.01
6063 # Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
6064 # FIXED rule distributed via sa-update since 2019-05-31
6065 # meta __STYLE_GIBBERISH_1 0
6067 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
6068 # Allow googleapis.com to be blacklisted due to spam runs in June 2019 exploiting it
6069 clear_uridnsbl_skip_domain googleapis.com
6072 # Need a favor phishing
6073 header __KAM_FAVOR1 Subject =~ /Request|Quick Reply/i
6074 body __KAM_FAVOR2 /I need a favor from you|Are you available to work on a request for me today/i
6075 body __KAM_FAVOR3 /email me back as soon as possible|send me your personal cell phone number/i
6077 meta KAM_FAVOR (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
6078 describe KAM_FAVOR Phishing Attempt
6081 # WHITELIST PCCC/MCGRAIL
6082 whitelist_auth *@pccc.com *@mcgrail.com
6083 #trusted_networks 69.171.29.0/25
6084 #trusted_networks 38.124.232.0/24
6087 header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i
6090 body __KAM_LIST3_2 /list services|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence).(consultant|specialist)|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|global leads|data dep(t|artment)/i
6091 tflags __KAM_LIST3_2 nosubject
6094 body __KAM_LIST3_3 /(information|data) (count|field)|verified email|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B list|acquiring email|contacts? list|interested in acquiring/i
6095 tflags __KAM_LIST3_3 nosubject
6098 body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b contact/i
6099 tflags __KAM_LIST3_4 nosubject
6101 meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
6102 describe KAM_LIST3 Mailing List Purveyor Spam
6103 score KAM_LIST3 12.25
6106 meta KAM_LIST3_1 (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
6107 describe KAM_LIST3_1 Likely Mailing List Purveyor Spam
6108 score KAM_LIST3_1 6.75
6111 header __KAM_MONCLER1 Subject =~ /moncler/i
6112 header __KAM_MONCLER2 From =~ /moncler/i
6114 meta KAM_MONCLER (__KAM_MONCLER1 + __KAM_MONCLER2 + KAM_SOMETLD_ARE_BAD_TLD >= 3)
6115 describe KAM_MONCLER Fashionista Spammers
6116 score KAM_MONCLER 6.0
6119 header __KAM_ERP1 Subject =~ /ERP/
6120 body __KAM_ERP2 /K9ERP/i
6122 meta KAM_ERP (__KAM_ERP1 + __KAM_ERP2 >=2)
6123 describe KAM_ERP ERP Spammers
6126 #DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
6128 #https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
6130 #"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
6132 # We expect edge cases with DKIM where a parent (gateway) domain signing for a subdomain author (e.g., parent.gov signing for sub.parent.gov). This is a common and a sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU. The SPF || DKIM logic below will allow this scenario.
6134 # Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin.
6136 ifplugin Mail::SpamAssassin::Plugin::Dmarc
6137 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6138 ifplugin Mail::SpamAssassin::Plugin::DKIM
6139 ifplugin Mail::SpamAssassin::Plugin::SPF
6140 askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
6141 askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
6142 askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
6143 askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
6145 #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
6146 meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
6147 describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
6148 score KAM_DMARC_STATUS 0.01
6150 header KAM_DMARC_REJECT eval:check_dmarc_reject()
6151 priority KAM_DMARC_REJECT 500
6152 describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
6153 score KAM_DMARC_REJECT 3.0
6155 header KAM_DMARC_QUARANTINE eval:check_dmarc_quarantine()
6156 priority KAM_DMARC_QUARANTINE 500
6157 describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
6158 score KAM_DMARC_QUARANTINE 1.5
6160 header KAM_DMARC_NONE eval:check_dmarc_none()
6161 priority KAM_DMARC_NONE 500
6162 describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
6163 score KAM_DMARC_NONE 0.25
6168 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6169 ifplugin Mail::SpamAssassin::Plugin::DKIM
6170 ifplugin Mail::SpamAssassin::Plugin::SPF
6171 askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
6172 askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
6173 askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
6174 askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
6176 #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
6177 meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
6178 describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
6179 score KAM_DMARC_STATUS 0.01
6181 meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
6182 describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
6183 score KAM_DMARC_REJECT 3.0
6185 meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
6186 describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
6187 score KAM_DMARC_QUARANTINE 1.5
6189 meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
6190 describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
6191 score KAM_DMARC_NONE 0.25
6198 ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
6199 # increase number of mime parts checked
6200 olemacro_num_mime 10
6201 # skip psd and other files from macro checks
6202 olemacro_skip_exts (?:dotx|potx|ppsx|pptx|psd|sldx|xltx|oxps)$
6204 if (version >= 3.0040005)
6206 body KAM_OLEMACRO eval:check_olemacro()
6207 describe KAM_OLEMACRO Attachment has an Office Macro
6208 score KAM_OLEMACRO 7.5
6210 body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
6211 describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
6212 score KAM_OLEMACRO_MALICE 10.0
6214 body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
6215 describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
6216 score KAM_OLEMACRO_ENCRYPTED 3.0
6218 #This may cause more CPU usage
6219 olemacro_extended_scan 1
6220 body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
6221 describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
6222 score KAM_OLEMACRO_RENAME 0.5
6224 meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
6225 describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
6226 score GB_OLEMACRO_REN_VIR 10
6230 body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
6231 describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
6232 score KAM_OLEMACRO_ZIP_PW 1.0
6234 body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
6235 describe KAM_OLEMACRO_CSV Macro in csv file
6236 score KAM_OLEMACRO_CSV 5.0
6238 #meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
6239 #describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
6240 #score KAM_OLEMACRO_ZIP_PW_NOMID 5.0
6242 meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
6243 describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
6244 score KAM_OLEMACRO_ZIP_BOT 5.0
6246 if (version >= 4.000000)
6247 if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olemacro_redirect_uri)
6248 body OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
6249 describe OLEMACRO_URI_TARGET Malicious code inside the Office doc that tries to redirect to an uri
6250 score OLEMACRO_URI_TARGET 0.001
6256 #Testing Rule for Subject Prefixes - See note 58397
6257 #if can(Mail::SpamAssassin::Conf::feature_subjprefix)
6258 # enlist_addrlist (INTERNAL) *@pccc.com
6259 # header __FROM_INTERNAL eval:check_from_in_list('INTERNAL')
6261 # meta EXTERNAL (!__FROM_INTERNAL)
6262 # describe EXTERNAL External users to PCCC Test Rule
6263 # score EXTERNAL 0.001
6264 # subjprefix EXTERNAL [EXTERNAL]
6267 #Testing Rule for NoSubject Rules - See note 58246
6268 #if (version >= 3.004003)
6270 # body NOSUBJECT_TEST_HIT /example/i
6271 # describe NOSUBJECT_TEST_HIT This should hit on an email with example in the subject but not in the body because subjects are automatically prepending for testing.
6274 # body NOSUBJECT_TEST_FAIL /example/i
6275 # describe NOSUBJECT_TEST_FAIL This should NOT hit on an email with example in the subject not not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
6276 # tflags NOSUBJECT_TEST_FAIL nosubject
6279 if (version >= 3.004003)
6280 ifplugin Mail::SpamAssassin::Plugin::HashBL
6281 # BTC address present in BTC blacklist
6282 # thanks to Henrik Krohns for the regexp
6283 body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
6284 priority BTC_HASHBL_BLACK -100
6285 tflags BTC_HASHBL_BLACK net
6286 describe BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
6287 score BTC_HASHBL_BLACK 5.0
6291 #Testing of HASHBL Additions - Note 58246
6292 if (version >= 3.004003)
6293 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
6294 ifplugin Mail::SpamAssassin::Plugin::HashBL
6296 rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP
6298 # mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)
6299 header PCCC_HDR_MARKETINGBL eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32')
6300 describe PCCC_HDR_MARKETINGBL Address in email headers associated with mass-marketing (https://raptor.pccc.com/RBL)
6301 tflags PCCC_HDR_MARKETINGBL net
6302 score PCCC_HDR_MARKETINGBL 0.001
6303 priority PCCC_HDR_MARKETINGBL -100
6305 header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
6306 describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
6307 tflags PCCC_HDR_REPLYTO net
6308 score PCCC_HDR_REPLYTO 3.5
6309 priority PCCC_HDR_REPLYTO -100
6311 # compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
6312 header PCCC_SENDER_COMPROMISED eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
6313 describe PCCC_SENDER_COMPROMISED Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
6314 tflags PCCC_SENDER_COMPROMISED net
6315 score PCCC_SENDER_COMPROMISED 2.0
6316 priority PCCC_SENDER_COMPROMISED -100
6318 # compromised domain found in received headers
6319 header PCCC_RECEIVED_HDR_COMPROMISED eval:check_rbl_rcvd('pccc-rcvd', 'wild.pccc.com.', '127.0.1.2')
6320 describe PCCC_RECEIVED_HDR_COMPROMISED Compromised domain found in received headers found on PCCC RBL (https://raptor.pccc.com/RBL)
6321 tflags PCCC_RECEIVED_HDR_COMPROMISED net
6322 score PCCC_RECEIVED_HDR_COMPROMISED 2.0
6323 priority PCCC_RECEIVED_HDR_COMPROMISED -100
6325 # dns server of From address found on PCCC RBL
6326 header PCCC_FROM_BAD_NS eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
6327 describe PCCC_FROM_BAD_NS DNS server of From address found on PCCC RBL (https://raptor.pccc.com/RBL)
6328 tflags PCCC_FROM_BAD_NS net
6329 score PCCC_FROM_BAD_NS 2.0
6330 priority PCCC_FROM_BAD_NS -100
6332 # Freemail address in Reply-To header found on PCCC HashBL
6333 # this rule needs 99_hashbl.cf to work
6334 header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail')
6335 describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
6336 tflags PCCC_HASHBL_FREEMAIL net
6337 score PCCC_HASHBL_FREEMAIL 3.5
6338 priority PCCC_HASHBL_FREEMAIL -100
6340 # Email address in X-Sender header found on PCCC HashBL
6341 header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
6342 describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6343 tflags PCCC_HASHBL_EMAIL_SEND net
6344 score PCCC_HASHBL_EMAIL_SEND 1.5
6345 priority PCCC_HASHBL_EMAIL_SEND -100
6347 # Email address in X-SRS-Sender header found on PCCC HashBL
6348 header PCCC_HASHBL_EMAIL_SRS eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-SRS-Sender', '^127\.', 'all')
6349 describe PCCC_HASHBL_EMAIL_SRS Message contains srs email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6350 tflags PCCC_HASHBL_EMAIL_SRS net
6351 score PCCC_HASHBL_EMAIL_SRS 1.5
6352 priority PCCC_HASHBL_EMAIL_SRS -100
6354 # Email address in email headers found on PCCC HashBL
6355 header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5')
6356 describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6357 tflags PCCC_HASHBL_EMAIL net
6358 score PCCC_HASHBL_EMAIL 1.5
6359 priority PCCC_HASHBL_EMAIL -100
6361 # Email address in custom email headers found on PCCC HashBL
6362 header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
6363 describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6364 tflags PCCC_HASHBL_HDR_EMAIL net
6365 score PCCC_HASHBL_HDR_EMAIL 0.5
6366 priority PCCC_HASHBL_HDR_EMAIL -100
6368 # Short URL in PCCC HashBL found
6369 header PCCC_HASHBL_SHORT_URI eval:check_hashbl_uris('wild.pccc.com', 'md5', '^127\.0\.1\.4')
6370 describe PCCC_HASHBL_SHORT_URI Message contains short URI found on PCCC HashBL (https://raptor.pccc.com/RBL)
6371 tflags PCCC_HASHBL_SHORT_URI net
6372 score PCCC_HASHBL_SHORT_URI 9.5
6373 priority PCCC_HASHBL_SHORT_URI -100
6378 #END of TEST OF HASHBL ADDITIONS
6381 header __KAM_LABEL1 Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting|tailor)/i
6382 body __KAM_LABEL2 /meet at your office|quick lead time/i
6383 body __KAM_LABEL3a /make custom (shirts|sports|jackets|suits)/i
6384 # bug fix thanks to Moritz Friedrich
6385 body __KAM_LABEL3b /PPE/
6386 body __KAM_LABEL4 /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
6387 body __KAM_LABEL5 /(premier|top|luxury) (clothing|fabric)|fortune 500/i
6388 body __KAM_LABEL6 /\| Label|Label Health/i
6390 header __KAM_LABEL7 Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
6391 body __KAM_LABEL8 /face ?mask|(^|\b)PPE(\b|$)/i
6393 meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6)
6394 describe KAM_LABEL Tailored clothier spam
6397 meta KAM_LABEL2 ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
6398 describe KAM_LABEL2 PPE Spam
6399 score KAM_LABEL2 9.0
6402 body __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
6403 body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
6404 body __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i
6406 meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
6407 describe KAM_RBL_OBFU Spammers obfuscating their domain and abusing freemail
6408 score KAM_RBL_OBFU 12.0
6410 meta KAM_RBL_OBFU2 __KAM_RBL_OBFU3
6411 describe KAM_RBL_OBFU2 Spammers obfuscating their domain
6412 score KAM_RBL_OBFU2 9.0
6415 body __KAM_SHADYCC1 /(transactions?|purchases?) from your (online store|web-?shop)/i
6416 header __KAM_SHADYCC2 Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
6417 body __KAM_SHADYCC3 /(four|4) of (my|the) (master)?card/i
6418 body __KAM_SHADYCC4 /(detailed|full) statement/i
6420 meta KAM_SHADYCC (__KAM_SHADYCC1 + __KAM_SHADYCC2 + __KAM_SHADYCC3 + __KAM_SHADYCC4 >= 4)
6421 describe KAM_SHADYCC Scam predicated around reporting fraudulent purchase
6422 score KAM_SHADYCC 6.0
6425 header __KAM_EXPOPIRATE1 Subject =~ /Hotel Booking/i
6426 body __KAM_EXPOPIRATE2 /Business Traveller/i
6428 meta KAM_EXPOPIRATE (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2)
6429 describe KAM_EXPOPIRATE Scam Pirates trying to Hijack Event Hotel Bookings
6430 score KAM_EXPOPIRATE 4.5
6432 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6433 #Domain Expiry Scams
6434 header __KAM_DOMAINEXPIRY1 Subject =~ /Domain.*Expiration/i
6435 body __KAM_DOMAINEXPIRY2 /Attached letter/i
6437 meta KAM_DOMAINEXPIRY (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
6438 describe KAM_DOMAINEXPIRY Domain Expiration Scams
6439 score KAM_DOMAINEXPIRY 4.5
6442 header __KAM_PAYMENTSCAM1 Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
6443 body __KAM_PAYMENTSCAM2 /attached (payment|herewith)|ready for release/i
6444 mimeheader __KAM_PAYMENTSCAM3 Content-Type =~ /\.doc/i
6445 full __KAM_PAYMENTSCAM4 /\{\\rtf/
6447 meta KAM_PAYMENTSCAM (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
6448 describe KAM_PAYMENTSCAM Payment Scams with Malware Payloads
6449 score KAM_PAYMENTSCAM 6.5
6451 meta KAM_PAYMENTSCAM2 (DEAR_BENEFICIARY + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
6452 describe KAM_PAYMENTSCAM2 Payment scams
6453 score KAM_PAYMENTSCAM2 4.5
6457 body __KAM_PASSWORDSCAM1 /pass word/i
6459 meta KAM_PASSWORDSCAM (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
6460 describe KAM_PASSWORDSCAM Password extortion spams
6461 score KAM_PASSWORDSCAM 6.0
6465 header __KAM_TRAINING1 Subject =~ /mandatory.*training/i
6466 body __KAM_TRAINING2 /intranet|training calendar/i
6467 body __KAM_TRAINING3 /Human Resources/i
6469 meta KAM_TRAINING (__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
6470 describe KAM_TRAINING Training Phishing
6471 score KAM_TRAINING 4.5
6474 header __KAM_MEDICARE2_1 Subject =~ /Trump Medicare/i
6476 meta KAM_MEDICARE2 __KAM_MEDICARE2_1 >= 1
6477 describe KAM_MEDICARE2 Medicare Scams
6478 score KAM_MEDICARE2 2.0
6481 header __KAM_WATERHACK1 Subject =~ /Water Hack/i
6482 body __KAM_WATERHACK2 /water hack/i
6484 meta KAM_WATERHACK (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
6485 describe KAM_WATERHACK Diet Scams
6486 score KAM_WATERHACK 5.0
6488 #Web forms used to submit shortened urls
6489 header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
6490 header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
6491 meta GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && KAM_SHORT && FREEMAIL_FROM )
6492 describe GB_WEBFORM Webform with url shortener
6493 score GB_WEBFORM 2.0
6496 #thanks to Chip for another Spample on 2020-03-07
6497 header __KAM_SENDGRID1 EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
6498 header __KAM_SENDGRID1A Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
6499 header __KAM_SENDGRID2 Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i
6501 meta KAM_SENDGRID ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
6502 describe KAM_SENDGRID Sendgrid being exploited by scammers
6503 score KAM_SENDGRID 1.50
6505 header __KAM_EDU_FROM From:addr =~ /\.edu$/i
6507 header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
6508 header __KAM_SENDGRID4 From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
6510 meta KAM_SENDGRID2 ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
6511 describe KAM_SENDGRID2 Sendgrid being exploited by scammers
6512 score KAM_SENDGRID2 2.0
6514 #Political (and T-shirt Spam)
6515 header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing) (t|tee)( |-)?shirt|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon/i
6516 header __KAM_2020_1A From:name =~ /(T|Tee).?shirt|Tee4u/i
6517 body __KAM_2020_2 /(Tee|T)-?shirt|printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon/i
6518 tflags __KAM_2020_2 nosubject
6520 uri __KAM_GOOGLE_FORM /docs\.google\.com\/form/i
6522 meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + __KAM_GOOGLE_FORM + FREEMAIL_FROM >= 3)
6523 describe KAM_2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
6527 uri __KAM_WETRANSFER1 /wetransferfiledownload|\?email=|redirecturl/i
6528 header __KAM_WETRANSFER2 From:name =~ /WeTransfer/i
6529 header __KAM_WETRANSFER3 From:addr !~ /wetransfer\.com/i
6530 header __KAM_WETRANSFER4 Subject =~ /via WeTransfer/i
6532 meta KAM_WETRANSFER (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
6533 score KAM_WETRANSFER 6.0
6534 describe KAM_WETRANSFER WeTransfer Impersonators
6537 header __KAM_GREYEAGLE_1 From =~ /greyeagle|funding|capital|banking|lending/i
6538 body __KAM_GREYEAGLE_2 /grey eagle funding/i
6540 meta KAM_GREYEAGLE (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
6541 describe KAM_GREYEAGLE Spammy Funding Company w/lots of Domains
6542 score KAM_GREYEAGLE 10.0
6544 #Google Storage APIs
6545 uri KAM_STORAGE_GOOGLE /storage.googleapis.com|\.web.app\//i
6546 describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
6547 score KAM_STORAGE_GOOGLE 2.25
6550 header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
6552 body __KAM_DUJOUR2 /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
6553 tflags __KAM_DUJOUR2 nosubject
6555 header __KAM_DUJOUR3 From =~ /(Probio|Tinnitus|Reflux|CVS)/i
6557 meta KAM_DUJOUR (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
6558 describe KAM_DUJOUR Spam of the Day hocking various products
6559 score KAM_DUJOUR 4.5
6562 body __KAM_QUINFORCE1 /q.?u.?i.?n.?f.?o.?r.?c.?e/i
6564 meta KAM_QUINFORCE1 (__KAM_QUINFORCE1 >= 1)
6565 describe KAM_QUINFORCE1 Obfuscating spamming firm
6566 score KAM_QUINFORCE1 6.0
6569 body __KAM_CBD1 /(Prosper|Meridian) CBD/i
6570 header __KAM_CBD2 From:name =~ /CBD/i
6572 meta KAM_CBD (__KAM_CBD1 + __KAM_CBD2 + __KAM_OTHER_BAD_TLD2 >= 2)
6573 describe KAM_CBD Spam du jour for CBD
6577 body __KAM_COVID1 /International Monetary fund|world health organization|empowerment fund/i
6578 header __KAM_COVID2 Subject =~ /COVID?.{0,12}(payment|fund)/i
6579 body __KAM_COVID3 /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
6580 tflags __KAM_COVID3 nosubject
6581 header __KAM_COVID4 From =~ /COVID|world ?Health|WHO/i
6583 body __KAM_COVID5 /00 ?(EUR|USD|Dollar)/i
6585 meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
6586 describe KAM_COVID Scams revolving around the pandemic
6590 body __KAM_COVID2_1 /COVID-19 (CHARITY )?(fund|donated relief)/i
6591 tflags __KAM_COVID2_1 nosubject
6592 header __KAM_COVID2_2 Subject =~ /(little|COVID-19) (fund|donation)/i
6594 meta KAM_COVID2 (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
6595 describe KAM_COVID2 Scams revolving around the pandemic
6596 score KAM_COVID2 7.5
6599 body __KAM_COVID3_1 /Prince/i
6600 body __KAM_COVID3_2 /reliable source/i
6601 body __KAM_COVID3_3 /\$[\d\.,]+ mil/i
6602 body __KAM_COVID3_4 /assist me/i
6603 body __KAM_COVID3_5 /Saudi Arabia/i
6605 meta KAM_COVID3 (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
6606 describe KAM_COVID3 Scams revolving around the pandemic
6607 score KAM_COVID3 7.5
6610 replace_rules __KAM_VM3
6612 uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com|github\.io|netlify\.app|sendgrid\.net|dynamics\.com/i
6613 header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File|voice note duration|voice-audio|telephone vm/i
6614 header __KAM_VM2A From =~ /-xxxx|tele-mail/i
6615 body __KAM_VM3 /(Voice.?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail|Virtual <O1>ffice Extens<I1>on)|ca<L1><L1>er left you a message/i
6616 tflags __KAM_VM3 nosubject
6617 body __KAM_VM4 /recorded voice|audio message|Caller.?id|CID:|mailbox \d|sign document|new vm on/i
6618 tflags __KAM_VM4 nosubject
6619 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6620 mimeheader __KAM_VM5 Content-Type =~ /.html?\"?$/i
6623 meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 3)
6625 describe KAM_VM Voice Mail & Fax Scams
6628 header __KAM_ADMIN1 From =~ /admin/i
6629 header __KAM_ADMIN2 Subject =~ /For /i
6630 body __KAM_ADMIN3 /next tax return/i
6631 body __KAM_ADMIN4 /read this document/i
6633 meta KAM_ADMIN (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
6634 describe KAM_ADMIN Phishing attempt spoofing admins
6639 replace_rules __KAM_BENEFICIARY2
6641 header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i
6643 body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
6644 tflags __KAM_BENEFICIARY2 nosubject
6647 body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country|abandoned shipment/i
6649 body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
6651 body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy|\d million|investment in your country/i
6653 body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete|Diplomat from|seized all my/i
6655 meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
6656 describe KAM_BENEFICIARY Beneficiary scams
6657 score KAM_BENEFICIARY 10.5
6659 meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
6660 describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
6661 score KAM_BENEFICIARYLOW 6.0
6664 body __KAM_NPO1 /501\(?c\)?\(?3\)?|501 c 3/i
6668 meta KAM_BENEFICIARY2 (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
6669 describe KAM_BENEFICIARY2 Beneficiary scams
6670 score KAM_BENEFICIARY2 3.0
6673 body __KAM_BENEFICIARY3_1 /Mikhail Fridman/i
6674 header __KAM_BENEFICIARY3_2 From =~ /Mikhail Fridman/i
6675 uri __KAM_BENEFICIARY3_3 /www.rt.com/i
6677 meta KAM_BENEFICIARY3 (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3)
6678 describe KAM_BENEFICIARY3 Beneficiary scams
6679 score KAM_BENEFICIARY3 4.5
6682 #Did you get my message?
6683 header __KAM_DIDYOUSUBJ Subject =~ /Did you (receive it|get my message)/i
6684 body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
6685 tflags __KAM_DIDYOUBODY nosubject
6688 #body __KAM_SIGONLY1 /^.{0,10}--\b/im
6689 #tflags __KAM_SIGONLY1 nosubject
6691 #meta KAM_SIGONLY (__KAM_SIGONLY1 >= 2)
6692 #score KAM_SIGONLY 1.5
6693 #describe KAM_SIGONLY Messages is (mostly) just a signature
6696 #meta KAM_SIGONLY2 (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
6697 #score KAM_SIGONLY2 1.5
6698 #describe KAM_SIGONLY2 Junk Messages using (mostly) just a signature
6701 header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
6702 describe KAM_BLANKSUBJECT Message has a blank Subject
6703 score KAM_BLANKSUBJECT 0.25
6706 header __KAM_JOB2_1 Subject =~ /doing the job/i
6707 body __KAM_JOB2_2 /represent the company/i
6709 body __KAM_JOB2_3 /Singapore/i
6711 body __KAM_JOB2_4 /\d,?000 USD (monthly|weekly)/i
6713 meta KAM_JOB2 (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
6714 describe KAM_JOB2 Employment scams
6719 header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|work)|crazy offer|cRM solution/i
6721 #price - purposefully looks at subject too
6722 body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design/i
6725 body __KAM_WEB2_3 /web (design|develop)|(better|new|refreshed) website|website audit|fresh look/i
6726 tflags __KAM_WEB2_3 nosubject
6729 body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|your requirements/i
6730 tflags __KAM_WEB2_4 nosubject
6732 meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
6733 describe KAM_WEB2 Unsolicited web workers
6737 header __KAM_BANK_1 Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
6738 body __KAM_BANK_2 /beneficiary|agent|investment group|deceased/i
6739 body __KAM_BANK_3 /re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i
6741 meta KAM_BANK (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
6742 describe KAM_BANK Bank scams
6746 header __KAM_CERT1 Subject =~ /Medical Certificate/i
6747 body __KAM_CERT2 /review this certificate/i
6748 body __KAM_CERT3 /link below/i
6750 meta KAM_CERT (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
6751 describe KAM_CERT Fake Certificate Scams
6755 header __KAM_URGENT1 Subject =~ /^Hello$/i
6756 body __KAM_URGENT2 /urgent respond/i
6757 body __KAM_URGENT3 /private e?mail/i
6758 body __KAM_URGENT4 /god bless/i
6759 body __KAM_URGENT5 /address still valid/i
6761 meta KAM_URGENT ( __KAM_URGENT1 + __KAM_URGENT2 + __KAM_URGENT3 + __KAM_URGENT4 + __KAM_URGENT5 >= 5)
6762 describe KAM_URGENT Urgent Scams
6763 score KAM_URGENT 7.5
6766 header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
6768 body __KAM_INVEST2 /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance|investment officer/i
6770 body __KAM_INVEST3 /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|ROI|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
6772 body __KAM_INVEST4 /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country|outside UAE/i
6773 tflags __KAM_INVEST4 nosubject
6775 meta KAM_INVEST (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
6776 describe KAM_INVEST Investment Scams
6777 score KAM_INVEST 6.0
6780 header __KAM_SIGN1 Subject =~ /New Sign-?[io]n/i
6781 body __KAM_SIGN2 /review your account/i
6782 body __KAM_SIGN3 /verification is processed/i
6784 meta KAM_SIGN (KAM_STORAGE_GOOGLE + __KAM_SIGN1 + __KAM_SIGN2 + __KAM_SIGN3 >= 4)
6785 describe KAM_SIGN Sign-in Verification Scams
6789 header __KAM_WEIRDC19_1 Subject =~ /The virus that causes COVID-19/i
6790 header __KAM_WEIRDC19_2 From =~ /John Robert/i
6791 body __KAM_WEIRDC19_3 /The virus that causes COVID-19/i
6792 tflags __KAM_WEIRDC19_3 nosubject
6794 meta KAM_WEIRDC19 (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
6795 describe KAM_WEIRDC19 Odd Covid-19 spam with information
6796 score KAM_WEIRDC19 7.5
6799 header __KAM_CELEB1 Subject =~ /Celebrity Doc/i
6800 body __KAM_CELEB2 /resugar/i
6801 body __KAM_CELEB3 /fat.burning/i
6803 meta KAM_CELEB (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
6804 describe KAM_CELEB Celebrity Health Scams
6807 #additional Freemail domains
6808 freemail_domains my.com mediacombb.net tutanota.com
6810 #BEAL AND SIMILAR IMPERSONATOR
6811 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
6813 header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman|janet smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne/i
6814 #in addition to freemail
6815 header __KAM_BEAL2 From:addr =~ /\@.+\.rr\.com|\@mail\.ru|\@.*\.cz|\@cox\.net/i
6817 body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne/i
6819 body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(reply me with|confirm|drop) your cell|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|have a moment|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|got a moment/i
6820 # question / privacy
6821 body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|as soon as you can|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|personal (email|text phone|cell|number)|drop your number|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|confirm if you can get it done|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate/i
6823 meta KAM_BEAL (__KAM_BEAL1 + __KAM_BEAL3 >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
6824 describe KAM_BEAL IMPOSTER! Will the real Slim Shady, please stand up?
6826 subjprefix KAM_BEAL [Imposter]
6828 meta KAM_BEAL2 (__KAM_BEAL1 + __KAM_BEAL3 >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 >= 2) && (KAM_BEAL <= 0)
6829 describe KAM_BEAL2 IMPOSTER! Will the real Slim Shady, please stand up?
6830 score KAM_BEAL2 10.0
6831 subjprefix KAM_BEAL2 [Imposter]
6834 header KAM_RAPTOR_EXTERNAL X-Raptor-External =~ /Yes/i
6835 describe KAM_RAPTOR_EXTERNAL Raptor identified an External Sender
6836 score KAM_RAPTOR_EXTERNAL 0.1
6840 header __KAM_PROJECT1 Subject =~ /Project/i
6841 body __KAM_PROJECT2 /business project/i
6842 body __KAM_PROJECT3 /email is active/i
6843 body __KAM_PROJECT4 /please respond/i
6845 meta KAM_PROJECT (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
6846 describe KAM_PROJECT Scam inquiries about amorphous projects
6847 score KAM_PROJECT 6.0
6850 header __KAM_FAKEWEST1 Subject =~ /Attention/i
6851 body __KAM_FAKEWEST2 /Western Union/i
6852 body __KAM_FAKEWEST3 /United Nation/i
6853 body __KAM_FAKEWEST4 /Wrong Transfer/i
6854 body __KAM_FAKEWEST5 /0[\.,]?000[\.,]?00\s?USD/i
6856 meta KAM_FAKEWEST (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
6857 describe KAM_FAKEWEST Fake money Transfer Scam
6858 score KAM_FAKEWEST 6.0
6861 header __KAM_FAKEDROPBOX2_1 Subject =~ /on Dropbox/i
6863 meta KAM_FAKEDROPBOX2 (__KAM_FAKEDROPBOX2_1 + KAM_SHORT + FREEMAIL_FROM >= 3)
6864 describe KAM_FAKEDROPBOX2 Fake Dropbox Phish
6865 score KAM_FAKEDROPBOX2 4.5
6867 header __KAM_FAKEDROPBOX3_1 Subject =~ /new dropbox message/i
6868 uri __KAM_FAKEDROPBOX3_2 /wp\-includes/i
6870 meta KAM_FAKEDROPBOX3 (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
6871 describe KAM_FAKEDROPBOX3 Fake Dropbox Phish
6872 score KAM_FAKEDROPBOX3 6.0
6876 header __KAM_FAKEMONEYGRAM1 From =~ /Money.?Gram/i
6878 meta KAM_FAKEMONEYGRAM (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
6879 describe KAM_FAKEMONEYGRAM Fake Moneygram Phish
6880 score KAM_FAKEMONEYGRAM 5.5
6883 #FAKESHAREPOINT - SEE FAKESHAREPOINT2 for Sexually explicit
6884 header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you/i
6885 header __KAM_FAKE_SHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
6886 uri __KAM_FAKE_SHAREPOINT3 /my\.sharepoint\.com/i
6887 uri __KAM_FAKE_SHAREPOINT3A /appdomain\.cloud|discordapp\.com|netlify\.app/i
6888 body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap/i
6889 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6890 mimeheader __KAM_FAKE_SHAREPOINT5 Content-Type =~ /.html?\"?$/i
6894 meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3)
6895 describe KAM_FAKE_SHAREPOINT Fake Sharepoint Phish
6896 score KAM_FAKE_SHAREPOINT 6.0
6898 #MORE FAKE SHAREPOINT BAD LINKS IN A SHAREPOINT MESSAGE
6899 meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE) >= 3) && !KAM_FAKE_SHAREPOINT
6900 describe KAM_FAKE_SHAREPOINTLINK Fake Sharepoint Link Phish
6901 score KAM_FAKE_SHAREPOINTLINK 4.5
6904 body __KAM_BADZIP1 /attached (to email|document)|take a look/i
6905 body __KAM_BADZIP2 /Encrypted zip/i
6906 uri __KAM_BADZIP2A /drive.google.com.*export=download/i
6907 body __KAM_BADZIP3 /(order|urgent|report|dialogue)/i
6908 body __KAM_BADZIP4 /password:/i
6910 meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
6911 describe KAM_BADZIP Encrypted Zip File Indicating a Scam
6912 score KAM_BADZIP 6.0
6916 header __KAM_VERIZON1 Subject =~ /verizon wireless security message/i
6917 header __KAM_VERIZON2 From:name =~ /Verizon/i
6918 header __KAM_VERIZON3 From:addr !~ /verizon/i
6921 body __KAM_VERIZON4 /Update required immediately/i
6923 body __KAM_VERIZON5 /update your account information/i
6925 body __KAM_VERIZON6 /deactivated/i
6927 body __KAM_VERIZON7 /credit card|bank account/i
6929 meta KAM_VERIZON (__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
6930 describe KAM_VERIZON Fake Wireless account notices
6931 score KAM_VERIZON 9.5
6934 header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service|docusign document/i
6935 header __KAM_DOCUSIGN2 From:name =~ /docusign/i
6936 header __KAM_DOCUSIGN3 From:addr !~ /docusign/i
6938 uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com|onedrive\.live\.com/i
6940 meta KAM_DOCUSIGN ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
6941 describe KAM_DOCUSIGN Fake Document Signature account notices
6942 score KAM_DOCUSIGN 4.5
6944 meta KAM_DOCUSIGN_LOW (__KAM_DOCUSIGN1 + __KAM_DOCUSIGN4 >= 2)
6945 describe KAM_DOCUSIGN_LOW Lower score Fake Document Signature Account Notice
6946 score KAM_DOCUSIGN_LOW 3.0
6949 header __KAM_TWODOTS From:addr =~ /\@.*\.\./i
6951 meta KAM_INVALIDFROM (__KAM_TWODOTS >= 1)
6952 describe KAM_INVALIDFROM Invalid From Address
6953 score KAM_INVALIDFROM 5.0
6955 #Client Fake Invoice
6956 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6957 header __KAM_FAKEINV1 From =~ /headoffice/i
6958 header __KAM_FAKEINV1A Reply-to =~ /no.?reply\@/i
6960 body __KAM_FAKEINV2 /dearest client/i
6962 mimeheader __KAM_FAKEINV3 Content-Type =~ /.xls\"?$/i
6964 meta KAM_FAKEINV ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
6965 describe KAM_FAKEINV Fake Customer Invoices
6966 score KAM_FAKEINV 4.5
6970 meta KAM_IMAGEONLY (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
6971 describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image
6972 score KAM_IMAGEONLY 0.75
6975 header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
6976 body __KAM_HOLIDAY2020_2 /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
6977 tflags __KAM_HOLIDAY2020_2 nosubject
6978 header __KAM_HOLIDAY2020_3 From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i
6980 meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
6981 describe KAM_HOLIDAY2020 Holiday Gifts 2020 Spam
6982 score KAM_HOLIDAY2020 4.0
6985 uri __KAM_GOOGLEFORM_1 /docs\.google\.com\/forms\//i
6986 body __KAM_GOOGLEFORM_2 /Untitled|Formulaire sans titre/i
6987 body __KAM_GOOGLEFORM_3 /foundation is donating/i
6989 meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
6990 describe KAM_GOOGLEFORM Untitled or Spam Google Form
6991 score KAM_GOOGLEFORM 4.0
6993 header __GB_RETPATH_GOOG_TRIX Return-Path =~ /\@trix\.bounces\.google\.com/
6995 meta GB_RETPATH_GOOG_TRIX __GB_RETPATH_GOOG_TRIX
6996 describe GB_RETPATH_GOOG_TRIX Email from Google subdomain being abused by spammers
6997 score GB_RETPATH_GOOG_TRIX 2.00
6999 #BENEFICIARY FAKE FORM
7000 body __KAM_DISCLOSE1 /enable me disclose|indicate your? interest|something important/i
7002 meta KAM_FAKEFORM ((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
7003 describe KAM_FAKEFORM Fake Form for Scams
7004 score KAM_FAKEFORM 4.0
7007 body __KAM_2ND_1 /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
7008 body __KAM_2ND_2 /2nd am?mendment|concealed carry|right to carry/i
7009 header __KAM_2ND_3 From =~ /2nd amm?endment|Concealed/i
7011 meta KAM_2ND ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
7012 describe KAM_2ND Political / 2nd Ammendement Spam
7015 #SPAM DU JOUR - MASKS
7016 body __KAM_KN_1 /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
7017 tflags __KAM_KN_1 nosubject
7018 body __KAM_KN_2 /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
7019 tflags __KAM_KN_2 nosubject
7020 header __KAM_KN_3 Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
7021 header __KAM_KN_4 From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i
7023 meta KAM_KN (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
7024 describe KAM_KN Spam Du Jour for Masks
7027 #SPAM DU JOUR - BAD CREDIT
7028 body __KAM_BADCRED_1 /bad credit/i
7029 tflags __KAM_BADCRED_1 nosubject
7030 header __KAM_BADCRED_2 Subject =~ /bad credit.*off track/
7032 meta KAM_BADCRED (__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
7033 describe KAM_BADCRED Spam Du Jour for Bad Credit
7034 score KAM_BADCRED 3.0
7036 #SPAM DU JOUR - SPO2
7037 replace_rules __KAM_SPO2_2 __KAM_SPO2_3
7039 body __KAM_SPO2_1 /pulse oximeter|touchless thermometer/i
7040 body __KAM_SPO2_2 /C<O1>VID/i
7041 tflags __KAM_SPO2_2 nosubject
7042 header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
7043 header __KAM_SPO2_4 From =~ /health|infrared|oximeter|Painless/i
7045 meta KAM_SPO2 (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
7046 describe KAM_SPO2 COVID Spams
7049 #SPAM DU JOUR - HEATED VEST
7050 body __KAM_VEST1 /(heated|thermal) vest/i
7051 tflags __KAM_VEST1 nosubject
7052 header __KAM_VEST2 Subject =~ /stay toasty/i
7053 header __KAM_VEST3 From =~ /thermal vest/i
7055 meta KAM_VEST (__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
7056 describe KAM_VEST Spam Du Jour for Vests
7060 header __KAM_CVS1 From =~ /CVS Pharm/i
7061 header __KAM_CVS1A From:addr !~ /\@cvs.com/i
7062 body __KAM_CVS2 /CVS/
7063 tflags __KAM_CVS2 nosubject
7064 header __KAM_CVS3 Subject =~ /CVS Pharm/i
7066 meta KAM_CVS ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
7067 describe KAM_CVS Fake CVS Spams
7071 body __KAM_HACK1 /(phone|electronic|computer) have been hacked|suspected online scam/i
7072 body __KAM_HACK2 /read attached|click here for verification/i
7073 body __KAM_HACK3 /save yourself|lead to your arrest/i
7074 header __KAM_HACK4 From:name =~ /justice dep/i
7076 meta KAM_HACK (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
7077 describe KAM_HACK Hacker Exploitation Email
7081 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7083 header __KAM_FAKEINV2_1 Subject =~ /lnv (remittance|\& check)/i
7084 body __KAM_FAKEINV2_2 /(find|see) (the )?attach/i
7085 body __KAM_FAKEINV2_3 /not mail the check|typeform\.com/i
7086 mimeheader __KAM_FAKEINV2_4 Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i
7088 meta KAM_FAKEINV2 (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
7089 describe KAM_FAKEINV2 Fake Invoice Scams
7090 score KAM_FAKEINV2 6.0
7095 header __KAM_FAKEAD1 Subject =~ /brand medication|stubborn fat/i
7096 body __KAM_FAKEAD2 /click here to UNSUBSCRIBE|start shopping|here\'s how/i
7097 uri __KAM_FAKEAD3 /\/bit\.ly/i
7098 body __KAM_FAKEAD4 /Sweet passion|no plastic surgery/i
7100 meta KAM_FAKEAD (__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
7101 describe KAM_FAKEAD Fake Advertisements
7102 score KAM_FAKEAD 6.0
7104 #FAKE REGISTRY SCAMS
7105 body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
7106 uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i
7108 meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
7109 describe KAM_FAKE_REGISTRY Fake Domain Registry Scammers trying to get you to buy unneeded domains
7110 score KAM_FAKE_REGISTRY 5.0
7113 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7114 mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
7116 body __KAM_FAKE_FAX2 /incoming fax|fax received/i
7117 header __KAM_FAKE_FAX3 Subject =~ /Fax/i
7118 body __KAM_FAKE_FAX4 /invoice/i
7120 meta KAM_FAKE_FAX (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
7121 describe KAM_FAKE_FAX Fake Fax Scam
7122 score KAM_FAKE_FAX 8.0
7125 body __KAM_FAKE_TRUST1 /Message is from a .{0,40}trusted source/i
7127 meta KAM_FAKE_TRUST (__KAM_FAKE_TRUST1 >= 1 )
7128 describe KAM_FAKE_TRUST Scams about trusted sources
7129 score KAM_FAKE_TRUST 3.5
7132 header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) advice|past.?due|purchase order|EFT payment/i
7133 body __KAM_FAKE_INVOICE2 /(remittance|Payment) advice|past due invoice|new proforma/i
7134 tflags __KAM_FAKE_INVOICE2 nosubject
7136 meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
7137 describe KAM_FAKE_INVOICE Fake Invoice / Purchase Order Scam
7138 score KAM_FAKE_INVOICE 6.4
7141 header __KAM_BAD_PRODUCT1 Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
7142 body __KAM_BAD_PRODUCT2 /Dolphin sealer|hotstreak plug|Rapid thaw tray/i
7144 meta KAM_BAD_PRODUCT (__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
7145 describe KAM_BAD_PRODUCT Spammy Products
7146 score KAM_BAD_PRODUCT 3.0
7149 uri __KAM_BAD_LINK1 /\.pdf\.iso$/i
7151 meta KAM_BAD_LINK (__KAM_BAD_LINK1 >= 1)
7152 describe KAM_BAD_LINK Potentially dangerous link in email
7153 score KAM_BAD_LINK 10.0
7156 header __KAM_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
7157 body __KAM_CITIZEN2 /Important (message|Notice) From Citizens/i
7158 uri __KAM_CITIZEN3 /phpmailer|wp-admin|.well-known/i
7159 header __KAM_CITIZEN4 From:name =~ /Citizens ?Bank/i
7160 header __KAM_CITIZEN5 From:addr !~ /citizen/i
7162 meta KAM_CITIZEN (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
7163 describe KAM_CITIZEN Fake Bank Alert Scam
7164 score KAM_CITIZEN 7.5
7167 header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger|(explosive|increase) size|ACs|Wifi Booster|anti.?snore|visceral fat|solar ?bright|mini a\/?c|portable (cooler|air.?condition)|keep cool|wife.caught|banned technique/i
7169 body __KAM_PRODUCT2_2 /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen (device|gadget)|Better Butter|(elongation|growth) secret|savage.?grow|coolair|Wifi Booster|sleeplab|belly.flat|solar ?bright flood|space Cooler|coolair/i
7170 tflags __KAM_PRODUCT2_2 nosubject
7172 header __KAM_PRODUCT2_3 From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow|CoolMe|wifi repeater|sleep.?lab|lost.?\d+lbs|solar ?bright|(mini|portable) ?A\/?C|air cooler|savage.grow/i
7174 meta KAM_PRODUCT2 ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
7175 describe KAM_PRODUCT2 Scammy Products prevalent in spam
7176 score KAM_PRODUCT2 4.5
7179 #uri_detail KAM_PDF_FAKE text =~ /\.PDF/i cleaned =~ /\.github.io\//i
7180 #describe KAM_PDF_FAKE Links to Fake PDFs
7181 #score KAM_PDF_FAKE 5.0
7185 body __KAM_INQUIRY_1 /inquiry for purchase|product catalog|price list|reply with catalog/i
7187 header __KAM_INQUIRY_2 Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
7189 body __KAM_INQUIRY_3 /terms? (\&|and) conditions?|rightful dep/i
7191 body __KAM_INQUIRY_4 /certificate of origin|import\export|trading company/i
7193 meta KAM_INQUIRY (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
7194 describe KAM_INQUIRY Product Inquiry Scams
7195 score KAM_INQUIRY 7.0
7198 header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com/i
7200 meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1)
7201 describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
7202 score KAM_FROM_NAME_FAKERBL 6.0
7205 replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON4
7208 header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice) ?(\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated/i
7209 header __KAM_FAKE_NORTON1A To =~ /norton/i
7210 header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|renew|no.?reply/i
7212 body __KAM_FAKE_NORTON2 /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions/mi
7214 body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this) subscription|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line/i
7215 tflags __KAM_FAKE_NORTON3 nosubject
7217 body __KAM_FAKE_NORTON4 /Auto(matic)?-?.?-?(debit|renew)|Updated to premium|order is p<L1>aced|0rder|renewal|successfully (placed|renewed)|annual charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services/i
7218 tflags __KAM_FAKE_NORTON4 nosubject
7220 meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 4)
7221 describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad Renewal Notices
7222 score KAM_FAKE_NORTON 8.0
7224 meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 3) && !KAM_FAKE_NORTON
7225 describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad Renewal Notices (Lower Confidence)
7226 score KAM_FAKE_NORTONLOW 6.5
7229 header __KAM_FAKE_BANK1 Subject =~ /unusual activit|security/i
7230 body __KAM_FAKE_BANK2 /chase online/i
7231 body __KAM_FAKE_BANK3 /Fraud Protection|unusual activity/i
7232 header __KAM_FAKE_BANK4 From:name =~ /chase online/i
7233 header __KAM_FAKE_BANK5 From:addr !~ /chase/i
7235 meta KAM_FAKE_BANK (__KAM_FAKE_BANK1 + __KAM_FAKE_BANK2 + __KAM_FAKE_BANK3 + __KAM_FAKE_BANK4 + __KAM_FAKE_BANK5 >= 5)
7236 describe KAM_FAKE_BANK Fake Bank Notice
7237 score KAM_FAKE_BANK 4.5
7240 body __KAM_FAKE_CAN_POST1 /package is on hold/i
7241 body __KAM_FAKE_CAN_POST2 /CANADAPOST/i
7242 body __KAM_FAKE_CAN_POST3 /require additional details/i
7243 body __KAM_FAKE_CAN_POST4 /redelivery/i
7244 header __KAM_FAKE_CAN_POST5 From:addr !~ /\.ca$/i
7245 header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post/i
7247 meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + __KAM_FAKE_CAN_POST6 >= 6)
7248 describe KAM_FAKE_CAN_POST Fake Canada Post Scam
7249 score KAM_FAKE_CAN_POST 9.0
7252 header __KAM_CARING1 Subject =~ /Great in Bed|(looking|Searching) +for +a +(shag|(determined|caring|loving) +(man|guy|dude))/i
7253 body __KAM_CARING2 /shagged|lovemate|online dating|affair|hook.?up/i
7254 tflags __KAM_CARING2 nosubject
7255 body __KAM_CARING3 /(recent|my) (contact|picture|photo)/i
7256 body __KAM_CARING4 /unsub/i
7258 meta KAM_CARING (__KAM_CARING1 + __KAM_CARING2 + __KAM_CARING3 + __KAM_CARING4 >= 4)
7259 describe KAM_CARING Catfishing and related scams
7260 score KAM_CARING 6.0
7264 header __KAM_POLICY1 Subject =~ /PoIicy Update/i
7266 header __KAM_POLICY2 From:name =~ /HR/i
7268 body __KAM_POLICY3 /Attached policy|section can proceed/i
7270 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7271 mimeheader __KAM_POLICY4 Content-Type =~ /\.html?"?$/i
7274 meta KAM_POLICY ((__KAM_POLICY1 + __KAM_POLICY4 >= 1) + __KAM_POLICY2 + __KAM_POLICY3 >= 3)
7275 describe KAM_POLICY Fake policy email phish
7276 score KAM_POLICY 4.5
7279 body KAM_CBTSCRAP /CBT (website scraper|Email Extractor)/i
7280 describe KAM_CBTSCRAP Spamming tool
7281 score KAM_CBTSCRAP 5.0
7284 header __KAM_FOREX1 From =~ /pip ?builder/i
7285 body __KAM_FOREX2 /1000pipbuilder/i
7286 body __KAM_FOREX3 /Forex (trading|signals)/i
7287 header __KAM_FOREX4 Subject =~ /Forex (trading|signals)/i
7289 meta KAM_FOREX (__KAM_FOREX1 + __KAM_FOREX2 + __KAM_FOREX3 + __KAM_FOREX4 >= 4)
7290 describe KAM_FOREX Forex Trading spam
7294 header __KAM_SKYTECH1 From =~ /SkyTech Wifi Booster|ultraboost/i
7295 header __KAM_SKYTECH2 Subject =~ /Wifi Deadspots|buffering/i
7296 body __KAM_SKYTECH3 /skytech wifi|Wifi Booster/i
7298 meta KAM_SKYTECH (__KAM_SKYTECH1 + __KAM_SKYTECH2 + __KAM_SKYTECH3 >= 3)
7299 describe KAM_SKYTECH Wifi Booster Spam
7300 score KAM_SKYTECH 4.5
7303 header __KAM_FAKEPP1 From:name =~ /PayPal/i
7304 header __KAM_FAKEPP2 From:addr =~ /wordpress/i
7306 meta KAM_FAKEPP ( __KAM_FAKEPP1 + __KAM_FAKEPP2 + KAM_SHORT >= 3)
7307 describe KAM_FAKEPP Fake PayPal Notice
7308 score KAM_FAKEPP 4.5
7310 #SEXUALLY EXPLICITY PHOTO
7311 header __KAM_PHOTO1 Subject =~ /My name is/i
7312 body __KAM_PHOTO2 /I am very lonely/i
7313 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7314 mimeheader __KAM_PHOTO3 Content-Type =~ /\.jpe?g/i
7316 body __KAM_PHOTO4 /This is my photo/i
7317 body __KAM_PHOTO5 /get to know you/i
7319 meta KAM_PHOTO (__KAM_PHOTO1 + __KAM_PHOTO2 + __KAM_PHOTO3 + __KAM_PHOTO4 + __KAM_PHOTO5 >=5)
7320 describe KAM_PHOTO Sexually Explicit Photo Emails
7324 header __KAM_FOOTBALL2_1 Subject =~ /Foo[ts]ball Table/i
7325 body __KAM_FOOTBALL2_2 /look at (the thing I brought|this product|what I sent you)/i
7326 body __KAM_FOOTBALL2_3 /foo[st]ball table pric/i
7328 meta KAM_FOOTBALL2 (__KAM_FOOTBALL2_1 + __KAM_FOOTBALL2_2 + __KAM_FOOTBALL2_3 + __KAM_SHOP1 >= 3)
7329 describe KAM_FOOTBALL2 Football table spams
7330 score KAM_FOOTBALL2 4.5
7333 header __KAM_LAWSUIT1 From:name =~ /lawsuit/i
7334 header __KAM_LAWSUIT2 Subject =~ /lawsuit/i
7335 body __KAM_LAWSUIT3 /you or a loved one/i
7336 body __KAM_LAWSUIT4 /(roundup|diagnosed with cancer)/i
7337 tflags __KAM_LAWSUIT4 nosubject
7339 meta KAM_LAWSUIT (__KAM_LAWSUIT1 + __KAM_LAWSUIT2 + __KAM_LAWSUIT3 + __KAM_LAWSUIT4 >= 4)
7340 describe KAM_LAWSUIT Ambulance chaser scams
7341 score KAM_LAWSUIT 6.0
7344 header __KAM_CHEAT1 From:name =~ /Magnum/i
7345 header __KAM_CHEAT2 Subject =~ /women cheat/i
7346 body __KAM_CHEAT3 /(Erectile Dysfunction|erection)/i
7347 tflags __KAM_CHEAT3 nosubject
7349 meta KAM_CHEAT (__KAM_CHEAT1 + __KAM_CHEAT2 + __KAM_CHEAT3 >= 3)
7350 describe KAM_CHEAT ED Spams
7354 body __KAM_DOMAINBROKER1 /DomainBroker/i
7355 header __KAM_DOMAINBROKER2 Subject =~ /Domain on sale/i
7356 header __KAM_DOMAINBROKER3 From:name =~ /Domain.?Agent/i
7358 meta KAM_DOMAINBROKER (__KAM_DOMAINBROKER1 + __KAM_DOMAINBROKER2 + __KAM_DOMAINBROKER3 + KAM_BODY_MARKETINGBL_PCCC >= 3)
7359 describe KAM_DOMAINBROKER Domain seller spams
7360 score KAM_DOMAINBROKER 4.5
7362 #FAKE SHAREPOINT 2 - Sexually explicit
7363 header __KAM_FAKE_SHAREPOINT2_1 From:addr =~ /no\-reply\@sharepointonline\.com|sex|69/i
7364 header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y/i
7365 body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner/i
7366 tflags __KAM_FAKE_SHAREPOINT2_3 nosubject
7368 meta KAM_FAKE_SHAREPOINT2 (__KAM_FAKE_SHAREPOINT2_1 + __KAM_FAKE_SHAREPOINT2_2 + __KAM_FAKE_SHAREPOINT2_3 >= 3)
7369 describe KAM_FAKE_SHAREPOINT2 Sexually Explicit Sharepoint Spam
7370 score KAM_FAKE_SHAREPOINT2 8.5
7373 header __KAM_SHOP1 Reply-to =~ /\.shop|drone|\.xyz/i
7374 header __KAM_DRONE2 Subject =~ /follow up on last email|reminder again|drone|quick follow.?up/i
7376 body __KAM_DRONE3 /arrange the (shipment|dispatch)|contact the logistics|logistics to arrange|address for shipping|touch with logistics|location of your shipment/i
7378 body __KAM_DRONE4 /new drone (information|here)|information about the drone|for (two|three) drones|email about this drone/i
7380 body __KAM_DRONE5 /grasp our goods|take one or more|three or more|receiving one or two/i
7382 body __KAM_DRONE6 /GPS Brushless Drone|optical flow/i
7384 meta KAM_DRONE (__KAM_SHOP1 + __KAM_DRONE2 + __KAM_DRONE3 + __KAM_DRONE4 + __KAM_DRONE5 + __KAM_DRONE6 >= 5)
7385 describe KAM_DRONE Drone Spam Du Jour
7389 header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl/i
7390 header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification/i
7391 body __KAM_FAKE_PAYPAL3 /paypal/i
7392 tflags __KAM_FAKE_PAYPAL3 nosubject
7393 body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|not made this purchase|contact us immediately|trust & safety|not authorized/i
7394 body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited/i
7395 body __KAM_FAKE_PAYPAL6 /help by phone|call paypal team|paypal fraud dep/i
7397 meta KAM_FAKE_PAYPAL (__KAM_FAKE_PAYPAL1 + __KAM_FAKE_PAYPAL2 + __KAM_FAKE_PAYPAL3 + __KAM_FAKE_PAYPAL4 + __KAM_FAKE_PAYPAL5 + FREEMAIL_FROM + __KAM_FAKE_PAYPAL6 >= 5)
7398 describe KAM_FAKE_PAYPAL Fake PayPal Message
7399 score KAM_FAKE_PAYPAL 6.0
7401 body __KAM_FAKE_PAYPAL2_1 /PayPal (customer service|Support) Team/i
7402 body __KAM_FAKE_PAYPAL2_2 /void this (transaction|order) within/i
7404 meta KAM_FAKE_PAYPAL2 (__KAM_FAKE_PAYPAL2_1 + __KAM_FAKE_PAYPAL2_2 + FREEMAIL_FROM >=3)
7405 describe KAM_FAKE_PAYPAL2 Fake PayPal Message
7406 score KAM_FAKE_PAYPAL2 4.5
7409 uri GB_G_FEEDPROXY /https?\:\/\/feedproxy\.google\.com\/~r\//
7410 describe GB_G_FEEDPROXY Google Feed Proxy Abuse
7411 score GB_G_FEEDPROXY 2.5
7414 uri __KAM_DISCORDCDN1 /cdn\.discordapp\.com\/attachment/i
7415 header __KAM_DISCORDCDN2 From:addr !~ /\@discord\.com/i
7416 header __KAM_DISCORDCDN3 DKIM-Signature !~ / d=discord.com;/i
7418 meta KAM_DISCORDCDN (__KAM_DISCORDCDN1 + __KAM_DISCORDCDN2 + __KAM_DISCORDCDN3 >= 3)
7419 describe KAM_DISCORDCDN Abuse of Discord CDN in spams
7420 score KAM_DISCORDCDN 4.5
7422 uri __KAM_DISCORDCDN_BAD1 /cdn\.discordapp\.com\/attachment.*(docu.?sign|\.(iso|gz|exe|jar|zip|xlsm|docm|pptm))/i
7424 meta KAM_DISCORDCDN_BAD (KAM_DISCORDCDN + __KAM_DISCORDCDN_BAD1 >= 2)
7425 describe KAM_DISCORDCDN_BAD Extra Dangerous Discord CDN Content in spams
7426 score KAM_DISCORDCDN_BAD 6.0
7429 body __KAM_PAYROLL1 /(Leveragewages|Savingcredits)/i
7430 body __KAM_PAYROLL2 /(companies|businesses) in CA/i
7431 header __KAM_PAYROLL3 Subject =~ /payroll/i
7433 meta KAM_PAYROLL (__KAM_PAYROLL1 + __KAM_PAYROLL2 + __KAM_PAYROLL3 + FREEMAIL_FROM >= 4)
7434 describe KAM_PAYROLL Payroll spammers
7435 score KAM_PAYROLL 6.0
7438 header __KAM_FAKE_ZIX1 From:addr !~ /zixmessagecenter.com/i
7439 header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message/i
7440 body __KAM_FAKE_ZIX3 /security system/i
7441 uri __KAM_FAKE_ZIX4 /dynamics\.com/i
7443 meta KAM_FAKE_ZIX ( __KAM_FAKE_ZIX1 + __KAM_FAKE_ZIX2 + __KAM_FAKE_ZIX3 + __KAM_FAKE_ZIX4 >=4)
7444 describe KAM_FAKE_ZIX Fake Zix Email
7445 score KAM_FAKE_ZIX 6.0
7448 header __KAM_FAKE_AMAZON1 Subject =~ /Quick Request/i
7449 body __KAM_FAKE_AMAZON2 /have an (Amazon account|account with amazon)/i
7451 meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 4)
7452 describe KAM_FAKE_AMAZON Amazon Account Phishes
7453 score KAM_FAKE_AMAZON 4.5
7456 header __KAM_BINANCE1A Subject =~ /income/i
7457 header __KAM_BINANCE1B Subject =~ /crypto.?currenc/i
7459 body __KAM_BINANCE2 /affiliate link/i
7460 body __KAM_BINANCE3 /lifetime commission/i
7461 body __KAM_BINANCE4 /Friends and associates/i
7462 body __KAM_BINANCE5 /Binance/i
7464 meta KAM_BINANCE (( __KAM_BINANCE1A + __KAM_BINANCE1B >=2) + (__KAM_BINANCE2 + __KAM_BINANCE3 + __KAM_BINANCE4 >=2) + ( __KAM_BINANCE5 >= 1) >= 3)
7465 score KAM_BINANCE 6.0
7466 describe KAM_BINANCE Pyramid crypto scams
7469 header __KAM_FAKE_DMCA1 From:name =~ /DMCA.?Tech/i
7470 header __KAM_FAKE_DMCA2 From:addr =~ /DMCA/i
7471 body __KAM_FAKE_DMCA3 /text of the complaint/i
7472 body __KAM_FAKE_DMCA4 /your device violates/i
7473 body __KAM_FAKE_DMCA5 /cancel subscription/i
7475 meta KAM_FAKE_DMCA ( __KAM_FAKE_DMCA1 + __KAM_FAKE_DMCA2 + __KAM_FAKE_DMCA3 + __KAM_FAKE_DMCA4 + __KAM_FAKE_DMCA5 >=5 )
7476 describe KAM_FAKE_DMCA Fake DMCA Notice
7477 score KAM_FAKE_DMCA 7.5
7480 header __KAM_CLARITOX1 From:name =~ /claritox/i
7481 header __KAM_CLARITOX2 Subject =~ /Brain infection/i
7482 body __KAM_CLARITOX3 /claritox/i
7483 tflags __KAM_CLARITOX3 nosubject
7484 body __KAM_CLARITOX4 /brain infection/i
7485 tflags __KAM_CLARITOX4 nosubject
7487 meta KAM_CLARITOX ( __KAM_CLARITOX1 + __KAM_CLARITOX2 + __KAM_CLARITOX3 + __KAM_CLARITOX4 >= 3 )
7488 describe KAM_CLARITOX Product du Jour Spam
7489 score KAM_CLARITOX 4.5
7492 uri __KAM_BAD_CANVA1 /\.canva\.com/i
7493 body __KAM_BAD_CANVA2 /link will not work for only recipients/i
7495 meta KAM_BAD_CANVA ( __KAM_BAD_CANVA1 + __KAM_BAD_CANVA2 >= 2 )
7496 describe KAM_BAD_CANVA Fake link from Canva for phishing
7497 score KAM_BAD_CANVA 5.0
7500 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7501 body __KAM_FAKE_EXCEL1 /details is in Excel File/i
7502 mimeheader __KAM_FAKE_EXCEL2 Content-Type =~ /excel.html?/i
7504 meta KAM_FAKE_EXCEL ( __KAM_FAKE_EXCEL1 + __KAM_FAKE_EXCEL2 >= 2 )
7505 describe KAM_FAKE_EXCEL Excel Phishing Scam
7506 score KAM_FAKE_EXCEL 6.0
7510 uri __KAM_ZOHO1 /zfrmz\.com|zohoinsights\.com/i
7511 body __KAM_ZOHO2 /congrats on win|selected as the winner|expiration notice/i
7512 body __KAM_ZOHO3 /sweepstakes|password/i
7514 meta KAM_ZOHO ( __KAM_ZOHO1 + __KAM_ZOHO2 + __KAM_ZOHO3 >= 3 )
7515 describe KAM_ZOHO Zoho form or insights exploit
7519 header __KAM_FAKE_AFFIL1 From =~ /(eharmony|Get.?Gutter.?Protection|Hello.?Fresh).*(Affil|partner)|(American.?Home.?Warranty|Renewal.?by.?anders.n|TruGreen.?Lawn.?Service|Blissy|Energy.?Bill.?Cruncher|Amy.?Myers|1-ink|Tommy.?Chong|Burial.?Insurance|walk.?in.?tub)/i
7520 uri __KAM_FAKE_AFFIL2 /cdn\.mpp-stage\.com|cdn\.tedbvi\.com/i
7521 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7522 mimeheader __KAM_FAKE_AFFIL3 Content-Type =~ /ATT\d+\.htm/i
7525 meta KAM_FAKE_AFFIL ( __KAM_FAKE_AFFIL1 + __KAM_FAKE_AFFIL2 + __KAM_FAKE_AFFIL3 >= 3)
7526 describe KAM_FAKE_AFFIL Fake Affiliates Garbage
7527 score KAM_FAKE_AFFIL 4.5
7530 #header __KAM_SIREN1 From =~ /Portable Defense Siren/i
7533 #TELEGRA.PH being exploited
7534 uri KAM_TELEGRA /https?:\/\/telegra\.ph/i
7535 describe KAM_TELEGRA Service being exploited by spammers
7536 score KAM_TELEGRA 5.0
7539 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7540 replace_rules __KAM_PHARMA_1
7542 header __KAM_PHARMA_1 From =~ /Canad<I1>an Pharma/i
7543 body __KAM_PHARMA_2 /Online Pharmacy|No Prescription/i
7545 meta KAM_PHARMA ( __KAM_PHARMA_1 + __KAM_PHARMA_2 + KAM_TELEGRA >= 2)
7546 describe KAM_PHARMA Online Pharmacy Spam
7547 score KAM_PHARMA 3.0
7550 #TWO EMAILS OBFUSCATION
7551 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
7552 meta GB_2_EMAILS ( __PDS_FROM_2_EMAILS + KAM_IFRAME + MISSING_HEADERS >= 3)
7553 describe GB_2_EMAILS Phishing Emails using 2 Emails and Other Tricks for Obfuscation
7554 score GB_2_EMAILS 4.5
7558 header __KAM_DRONE2_1 From:name =~ /x.?pro|drone/i
7559 header __KAM_DRONE2_2 Subject =~ /(best|4k) drone|drone x.?pro/i
7560 body __KAM_DRONE2_3 /(best|x.?pro) drone|drone x.?pro/i
7561 tflags __KAM_DRONE2_3 nosubject
7563 meta KAM_DRONE2 ( __KAM_DRONE2_1 + __KAM_DRONE2_2 + __KAM_DRONE2_3 + __KAM_SUBSCRIPTION_INFO >= 4)
7564 describe KAM_DRONE2 Drone Spam
7565 score KAM_DRONE2 6.0
7568 header __KAM_SANDAL1 From:name =~ /quickdry sandal/i
7569 header __KAM_SANDAL2 Subject =~ /on your feet|uncomfortable shoes|comfiest sandal|with any outfit|with every step/i
7570 body __KAM_SANDAL3 /quickdry sandal/i
7571 tflags __KAM_SANDAL3 nosubject
7573 meta KAM_SANDAL ( __KAM_SANDAL1 + __KAM_SANDAL2 + __KAM_SANDAL3 + __KAM_SUBSCRIPTION_INFO >= 4)
7574 describe KAM_SANDAL Shoe Spam (don't bother me...)
7575 score KAM_SANDAL 6.0
7578 header __KAM_FAT1 From:name =~ /fat/i
7579 header __KAM_FAT2 Subject =~ /melt \d.?(lb|pound)/i
7580 body __KAM_FAT3 /island tonic|maverick doctor/i
7581 tflags __KAM_FAT3 nosubject
7583 meta KAM_FAT ( __KAM_FAT1 + __KAM_FAT2 + __KAM_FAT3 + __KAM_SUBSCRIPTION_INFO >= 4)
7584 describe KAM_FAT Weightloss Spam
7588 header __KAM_CAMERA1 From:name =~ /ultrazoom/i
7589 header __KAM_CAMERA2 Subject =~ /(HD|Super) telescope/i
7590 body __KAM_CAMERA3 /super telephoto zoom/i
7591 tflags __KAM_CAMERA3 nosubject
7593 meta KAM_CAMERA ( __KAM_CAMERA1 + __KAM_CAMERA2 + __KAM_CAMERA3 + __KAM_SUBSCRIPTION_INFO >= 4)
7594 describe KAM_CAMERA Camera Lens Spam
7595 score KAM_CAMERA 6.0
7598 body __KAM_UNSUBSCRIBE /can always unsubscribe|unsubscribe here|stop receiving e?mail|send post-?mail/i
7600 meta __KAM_SUBSCRIPTION_INFO ( __SUBSCRIPTION_INFO + __KAM_UNSUBSCRIBE >= 1)
7603 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7604 mimeheader __KAM_QUOTATION1 Content-Type =~ /quotation\.html?/i
7605 header __KAM_QUOTATION2 Subject =~ /Quotation/i
7606 header __KAM_QUOTATION3 From =~ /accounts/i
7608 meta KAM_QUOTATION ( __KAM_QUOTATION1 + __KAM_QUOTATION2 + __KAM_QUOTATION3 + (SPF_SOFTFAIL + SPF_FAIL >=1) >= 4)
7609 describe KAM_QUOTATION Quotation Phishes
7610 score KAM_QUOTATION 6.0
7613 #Sexually Explicit Spam
7614 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7615 header __KAM_SEX2_1 Subject =~ /ready for me|Hello|Wet Invitation|Hi I'm|have fun|ready for me|good evening|private hangout|sex chat/i
7616 body __KAM_SEX2_2 /dating site|bad girls|sexual community|discreet dating|pay for a chat|lover|horny|(adult|sex) chat|free women/i
7618 body __KAM_SEX2_3 /flirt for free|Fuck.?Free|sex.?club|naked glory|free.?sex|start writing me|canada.?sex|hot greetings|private hangout/i
7619 mimeheader __KAM_SEX2_4 Content-type =~ /\.(jpe?g|png)\"?$/i
7620 uri __KAM_SEX2_5 /https?:\/\/(au|en|cad?|canada)\./i
7622 meta KAM_SEX2 ( __KAM_SEX2_1 + __KAM_SEX2_2 + __KAM_SEX2_3 + __KAM_SEX2_4 + (KAM_SHORT + __KAM_SEX2_5 >=1) + FREEMAIL_FROM >= 5)
7623 describe KAM_SEX2 Sexually Explicit Sapm
7628 header __KAM_FAKE_ADOBE1 Subject =~ /(file|Document) Received/i
7629 uri __KAM_FAKE_ADOBE2 /zohoinsights\.com/i
7630 body __KAM_FAKE_ADOBE3 /sign in required|download to view/i
7631 body __KAM_FAKE_ADOBE4 /received a pdf|pdf document has been shared/i
7633 meta KAM_FAKE_ADOBE ( __KAM_FAKE_ADOBE1 + __KAM_FAKE_ADOBE2 + __KAM_FAKE_ADOBE3 + __KAM_FAKE_ADOBE4 >= 4)
7634 describe KAM_FAKE_ADOBE Fake Adobe Email
7635 score KAM_FAKE_ADOBE 6.0
7637 #PEAK BUSINESS FINANCE
7638 header KAM_PEAK From:addr =~ /peak.*business.*financ/i
7639 describe KAM_PEAK Finance Spammer
7643 header KAM_FROM_SPAM From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats/i
7645 describe KAM_FROM_SPAM From Indicates a Product Spam
7646 score KAM_FROM_SPAM 4.0
projects / proxmox-spamassassin.git / blob