1 #KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
3 #Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
4 # Bill Cole & Giovanni Bechis
6 #Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
7 # at https://raptor.pccc.com/raptor.cgim?template=report_problem
9 #HomePage: http://www.mcgrail.com/downloads/KAM.cf
12 #Installation: There are multiple files that make up the KAM ruleset including
13 #heavyweight, deadweight, & nonKAMrules. The KAM ruleset is now a channel!
15 #Please see https://mcgrail.com/template/kam.cf_channel for more information
18 #The ruleset includes internal rules so not every rule will be useful but
19 #we encapsulate those in a KAMOnly defined loop.
21 #KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity. Donations
22 #are appreciated. See www.mcgrail.com for more information on donations and
25 #THANK YOU TO OUR SPONSORS (in Alphabetical Order):
26 #cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
29 #This is a collection of special rules that I have developed and use on my system.
31 #The exact date is lost to the sands of time but we have been publishing this
32 #ruleset since at least May 2004.
34 #They are intended as live research for committal to SpamAssassin's SVN sandbox but
35 #often rely on my corpora so they do not fair well in masschecks.
37 #You are welcome and encouraged to email me directly regarding suggestions.
39 #To avoid being caught by our filters, False positives and negatives should be
40 #submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
42 #I believe the rules are safe and they are in use on production systems so I will
43 #do my best to respond to FPs *especially* if you can send me an email sample.
45 #IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.
48 #It is best to save an email sample in mbox format and zip it to attach to get
49 #around my filters. It is sometimes best to send samples in a second email so I
50 #know to go looking for it in my spam folders.
52 #NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
54 # - I don't view many of my rules as single rules as I typically use meta rules.
55 # I view meta rules as multiple rules hence a larger score is acceptable.
57 # - Some content needs to be blocked either due to large number of complaints or
58 # for content. For example, the sexually explicit items and the stock tips.
59 # FPs in these rules will be quickly addressed.
61 #Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
63 # Licensed under the Apache License, Version 2.0 (the "License");
64 # you may not use this file except in compliance with the License.
65 # You may obtain a copy of the License at
67 # http://www.apache.org/licenses/LICENSE-2.0
69 # Unless required by applicable law or agreed to in writing, software
70 # distributed under the License is distributed on an "AS IS" BASIS,
71 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
72 # See the License for the specific language governing permissions and
73 # limitations under the License.
75 # COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
76 body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
78 rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
80 meta KAM_MM_FOREX __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
81 score KAM_MM_FOREX 2.5
82 describe KAM_MM_FOREX Polish-language spam from the Forex botnet
85 rawbody KAM_PHISH1 /u style="cursor: pointer"/
86 describe KAM_PHISH1 Test for PHISH that changes the cursor
89 header __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank|support/i
90 body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert|suspended/i
91 body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed|owner of this account/i
93 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
94 mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
97 meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
99 describe KAM_PHISH4 Another phishing attempt
101 #KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
102 body __KAM_REAL1 /(^|\b)RE market/is
103 body __KAM_REAL2 /(crashing|declining)/i
104 body __KAM_REAL3 /(vacation|second) (home|place)/is
105 meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
106 describe KAM_REAL Real Estate or Re-Finance Spam
109 #REFINANCE SCAM EMAILS
110 header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
111 body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
112 body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
113 body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
114 body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
115 body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
116 body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
117 header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
119 meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
120 describe KAM_REFI Real Estate / Re-Finance Spam
123 meta KAM_REFI2 (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
124 describe KAM_REFI2 Real Estate / Re-Finance Spam
128 body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
129 header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
130 body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is
132 meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
133 describe KAM_DEBT Debt eradication spams
136 meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
137 describe KAM_DEBT2 Likely Debt eradication spams
140 #XtraSize+ Penis Enlargement Scam
141 header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
142 body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i
144 meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
146 describe KAM_SILD Simple rule to block one more enhancement message
149 #if (version < 3.002000)
150 # #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
151 # #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
152 # header __KAM_NUMBER1 Subject =~ /^\d+$/
153 # body __KAM_NUMBER2 /\d{1,6}/
154 # header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
156 # meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
157 # describe KAM_NUMBER Silly Number Emails
158 # score KAM_NUMBER 1.0
161 #KAM MEDICATION KAM_OVERPAY
162 body KAM_OVERPAY /O . V . E . R . P . A . Y/i
163 describe KAM_OVERPAY Common Medicinal Ad Trick
164 score KAM_OVERPAY 3.5
166 #VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
167 replace_rules __KAM_VIAGRA2
169 body __KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
170 header __KAM_VIAGRA2 Subject =~ /<V1><I1><A1><G1><R1><A1>/i
172 meta KAM_VIAGRA1 (__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
173 describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
174 score KAM_VIAGRA1 3.0
177 body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
178 describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
179 score KAM_VIAGRA2 3.1
181 #VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
182 #body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
183 #describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
184 #score KAM_VIAGRA3 3.1
187 body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
188 body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
189 body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
191 # FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
192 # FP for Via Great thanks to Shane Williams
193 body __KAM_VIAGRA_FPS /via gre?a|i augur/i
195 meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
196 describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
197 score KAM_VIAGRA4 3.1
200 body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
201 describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
202 score KAM_VIAGRA5 3.1
205 #Switch to [-_\. ]? to avoid FP's reported by Robin Tan
206 #Also added a few more boundary checks thanks to Daniele Duca
207 body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
208 body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
209 body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
210 body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
211 header __KAM_VIAGRA6E From =~ /Viagra|Cialis(\b|$)/i
213 meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
214 describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
215 score KAM_VIAGRA6 3.1
217 #VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
218 body __KAM_VIAGRA7A /V[ij]+AGRA/i
219 body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
220 body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
221 body __KAM_VIAGRA7D /VAL[ij]+UM/i
223 meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
224 describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
225 score KAM_VIAGRA7 3.1
228 body __KAM_VIAGRA8A /VI...?AGRA/i
229 body __KAM_VIAGRA8B /AM...?BIEN/i
230 body __KAM_VIAGRA8C /VA...?LIUM/i
231 body __KAM_VIAGRA8D /CI...?ALIS/i
233 meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
234 describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
235 score KAM_VIAGRA8 5.1
238 body __KAM_VIAGRA9A /V[IL1]A..GRA/i
239 body __KAM_VIAGRA9B /AMB..IEN/i
240 body __KAM_VIAGRA9C /VAL..IUM/i
241 body __KAM_VIAGRA9D /C[IL1]A..LIS/i
243 meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
244 describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
245 score KAM_VIAGRA9 5.1
247 #VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
248 header __KAM_VIAGRA10A From =~ /male enhancement|mens.renewal/i
249 header __KAM_VIAGRA10B Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i
251 meta KAM_VIAGRA10 (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
252 describe KAM_VIAGRA10 Male enhancement spam with no content
253 score KAM_VIAGRA10 8.0
255 #NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
256 header __KAM_NITROXIN1A From =~ /nitroxin/i
258 meta KAM_NITROXIN1 (__KAM_NITROXIN1A >= 1)
259 describe KAM_NITROXIN1 Another variant of Viagra spam
260 score KAM_NITROXIN1 8.0
263 #NOTE: Thanks to Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
264 header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
265 describe KAM_RE Subject of Re[0]: etc prevalent in Spam
268 meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
269 describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
270 score KAM_RE_PLUS 4.0
273 #RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
274 #Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
275 #thansk to Michael Denney for the FP report
276 header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
277 rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
278 body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is
280 meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
281 describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
286 ##1 through 120 disabld 5-12-2014 due to age
287 ##body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
288 ##body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
289 ##body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
290 ##body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
291 ##body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
292 ##body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
293 ##body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
294 ##body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
295 ##body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
296 ###THANKS TO HOMER PARKER FOR THE FALSE POSSITIVE NOTE!
297 ##body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
298 ##body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
299 ##body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
300 ##body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
301 ##body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
302 ##body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
303 ##body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
304 ##body __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
305 ###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
306 ##body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
307 ##body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
308 ##body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
309 ##body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
310 ##body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
311 ##body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
312 ##body __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
313 ##body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
314 ##body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
315 ##body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
316 ##body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
317 ##body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
318 ##body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
319 ##body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
320 ##body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
321 ##body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
322 ##body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
323 ##body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
324 ##body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
325 ##body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
326 ##body __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
327 ##body __KAM_STOCKTIP39 /Premium Petroleum/is
328 ##body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
329 ##body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
330 ##body __KAM_STOCKTIP42 /DPEK/i
331 ###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
332 ##body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
333 ##body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
334 ##body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
335 ##body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
336 ##body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
337 ###DISABLED DUPLICATE OF 40
338 ###body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
339 ##body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
340 ##body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
341 ##body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
342 ##body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
343 ##body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
344 ##body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
345 ##body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
346 ###FP FIXED THANKS TO Homer Parker
347 ##body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
348 ###FP FIXED THANKS TO Homer Parker
349 ##body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
350 ##body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
351 ##body __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
352 ##body __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
353 ##body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
354 ##body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
355 ##body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
356 ##body __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
357 ##body __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
358 ###DISABLED FOR FALSE POSITIVES AND AGE
359 ###body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
360 ##body __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
361 ##body __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
362 ###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
363 ##body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
364 ##body __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
365 ##body __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
366 ##body __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
367 ##body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
368 ##body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
369 ###FP FIXED THANKS TO Christopher X. Candreva
370 ##body __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
371 ##body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
372 ##body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
373 ###FP FIXED THANKS TO Homer Parker
374 ##body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
375 ##body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
376 ##body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
377 ##body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
378 ##body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
379 ##body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
380 ##body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
381 ##body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
382 ##body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
383 ##body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
384 ##body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
385 ##body __KAM_STOCKTIP89 /UTEV/i
386 ##body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
387 ##body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
388 ##body __KAM_STOCKTIP92 /CBRJ/i
389 ##body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
390 ##body __KAM_STOCKTIP94 /GTAP/i
391 ##body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
392 ###FP FIXED THANKS TO BRETT GARRETT
393 ##body __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
394 ##body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
395 ##body __KAM_STOCKTIP98 /PLMA/i
396 ##body __KAM_STOCKTIP99 /CDYV/i
397 ##body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
398 ###Added boundary check thanks to Michael Denney
399 ##body __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
400 ##body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
401 ##body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
402 ##body __KAM_STOCKTIP104 /ASVP/is
403 ##body __KAM_STOCKTIP105 /CHVC/is
404 ##body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
405 ##body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
406 ##body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
407 ##body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
408 ###DUPLICATED STOCKTIP #51
409 ###body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
410 ##body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
411 ###FP Fixed thanks to Greg Troxel
412 ##body __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
413 ##body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
414 ###FP FIXED THANKS TO Antonio Falzarano
415 ##body __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
416 ##body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
417 ##body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
418 ##body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
419 ###FALSE POSITIVE ON DANSREALESTATE.
420 ##body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
421 ##body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
422 ##body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
424 body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
425 body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
426 body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
427 body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
428 body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
429 body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
430 body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
431 #FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
432 body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
433 body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
434 body __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
435 #Added boundary check thanks to Michael Denney
436 body __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
437 body __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
438 body __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
439 body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
440 body __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
441 body __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
442 body __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
443 body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
444 body __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
445 body __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
446 #FP IN French email on 3/2/2017
447 #body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
448 body __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
449 body __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
450 body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
451 body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
452 body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
453 #FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
454 body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
455 body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
456 body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
457 body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
458 body __KAM_STOCKTIP151 /Alanco Tech/i
459 body __KAM_STOCKTIP152 /Siga Resources/i
460 body __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
461 body __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
462 body __KAM_STOCKTIP155 /Alanco Technologies/is
463 body __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
464 #body __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
465 body __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
466 body __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
467 body __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
468 body __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
469 body __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
470 body __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
471 body __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
472 body __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
473 body __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
474 body __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
475 body __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
476 body __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
479 body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
480 body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
481 body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
482 body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
483 body __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
484 body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
485 header __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
486 body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
487 body __KAM_INSTOCK /in stock/i
489 # ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
490 meta KAM_STOCKTIP (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
492 describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
493 score KAM_STOCKTIP 7.1
495 #KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
496 body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
497 score __KAM_STOCK3 0.1
498 describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol
501 meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
502 describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
503 score KAM_STOCKGEN 1.5
506 body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
507 body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
508 body __KAM_STOCK2_3 /stock/i
509 body __KAM_STOCK2_4 /trader|investor|analyst|royalties/i
510 header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
511 header __KAM_STOCK2_6 From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i
513 meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
515 describe KAM_STOCK2 Another Round of Pump & Dump Stock Scams
518 body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
519 body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
521 body __KAM_JUDGE3 /collect your money/is
522 body __KAM_JUDGE4 /judgment/i
524 header __KAM_JUDGE5 Subject =~ /judgment/i
526 meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
527 describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
531 body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
532 body __KAM_MED2 /\d\d ?%/
534 describe KAM_MED Economizing your meds spam
535 meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
538 #MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
539 header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
541 describe KAM_MED2 More Medical SPAM
542 meta KAM_MED2 (__KAM_MED2_1 >= 1)
546 header __KAM_TIME1 Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
549 body __KAM_TIME2 /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
550 header __KAM_TIME3 Subject =~ /(\b|^)(time|watch)(\b|$)/i
551 body __KAM_TIME4 /(\b|^)(time|watch)(\b|$)/i
552 body __KAM_TIME5 /(funny|low) price|treat.yourself/i
553 #REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
554 body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
557 meta KAM_TIME __KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
558 describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
561 meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
562 describe KAM_TIMEGEO Email references geocities & wrist watch sales
563 score KAM_TIMEGEO 3.5
566 body __KAM_HOME1 /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
567 body __KAM_HOME2 /Build your equity faster|refund is not reversible|rent.to.own/i
568 body __KAM_HOME3 /tax saving plans|\d+K Mortgage Credit|no.more.of/i
569 header __KAM_HOME4 From =~ /rent.?and.?own|rent.own.list/i
570 header __KAM_HOME5 Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i
572 meta KAM_HOME (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
573 describe KAM_HOME Mortage & Refinance Spam Rule
577 body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
578 body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
579 body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
580 body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
581 body __KAM_UNIV5 /novelty (degree|use)/is
582 body __KAM_UNIV6 /verifiable University Degree/is
583 body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
584 body __KAM_UNIV8 /Career Path/is
585 body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
586 body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
587 body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
588 body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
589 body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
590 body __KAM_UNIV14 /(earn a|full) transcript/is
591 body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
592 body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
593 header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
594 body __KAM_UNIV18 /100% discrete/is
596 body __KAM_UNIV1B /\d (months|weeks)/i
597 body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
598 body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
599 body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
600 body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
601 body __KAM_UNIV6B /DIP\sLOMA/
603 meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
604 describe KAM_UNIV Diploma Mill Rule
608 body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
609 body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
610 body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
612 body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
613 body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
614 body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
615 body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
617 header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
618 header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
620 meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
622 describe KAM_URUNIT Recent penile and body enhancement spams
626 body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
627 body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
628 body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
629 body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
630 body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
632 meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
633 describe KAM_URZEST Recent penile and body enhancement spams
637 body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
638 body __KAM_JOB2 /twice as much/is
640 meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
641 describe KAM_JOB People let go, work at home, earn billions!
645 body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
646 describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
647 score KAM_PERPARK 2.5
650 body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
651 describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
654 #PUMP & DUMP STOCK GRAPHICS
655 header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
656 header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
657 meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
658 describe KAM_STOCKG Graphical Pump and Dump Scams
662 body __KAM_CEP1 /Job Prospect Newsletter|training.workshop/i
663 body __KAM_CEP2 /legitimate verifiable degree|build a better you|domain.knowledge/i
664 body __KAM_CEP3 /Career Education program|customize a learning program|certified.instructor/i
665 body __KAM_CEP4 /(MBA|CEP)/
666 body __KAM_CEP5 /degree\/certificates|certification/i
667 body __KAM_CEP6 /\d (week|month)/i
668 header __KAM_CEP7 From =~ /certificate program/i
670 meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
671 describe KAM_CEP CEP Diploma Mill Rule
675 #Commented since 3.2.0 is pretty old now
676 #if (version < 3.200000)
677 # #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
678 # #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
679 # meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
680 # describe KAM_BLANK01 Blank emails
681 # score KAM_BLANK01 1.0
683 # #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
684 # meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
685 # describe KAM_BLANK02 Blank emails with MTA Headers
686 # score KAM_BLANK02 1.0
690 # Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
691 uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
692 describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
693 score KAM_GEO_STRING2 4.7
696 uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
697 describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
698 score KAM_GOOGLE_STRING 1.0
700 #MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
701 uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
702 describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011
703 score KAM_MSNBR_REDIR 5.0
706 uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
707 uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
708 meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
709 describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
710 score KAM_MSN_STRING 2.5
712 #KAM LIVEJOURNAL SPAM
713 uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
714 meta KAM_LIVE (__KAM_LIVE1)
715 describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
718 #KAM PAGE.TL SPAM - idea from Benny Pedersen
719 uri __KAM_PAGE1 /^http:\/\/.{0,20}\.(page\.tl)/i
720 meta KAM_PAGE (__KAM_PAGE1)
721 describe KAM_PAGE Page.TL likely spam (Nov 2011)
724 # This rule is to mark emails using the exploit of the URI parsing
725 uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
726 describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
727 score KAM_URIPARSE 7.0
729 #Ebay Closed their Redirector - Disabled 4-9-05
730 # This rule is to mark emails using the exploit of the eBay redirector
731 #uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
732 #describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
733 #score KAM_EBAYREDIR 7.0
735 # Rule based on Kelson Vibber's MD code for bogus AOL Addresses
736 # Check for bogus AOL addresses as described at
737 # http://postmaster.aol.com/faq/mailerfaq.html#syntax
738 # - all alphanumeric, starting with a letter, from 3 to 16 characters long.
741 #What is the correct syntax for AOL e-mail addresses?
742 #The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
743 #Valid AOL e-mail addresses can not:
744 #Be shorter than 3 or longer than 16 characters.
746 #Contain punctuation of any kind (such as periods, underscores, or dashes).
750 #2017-10-24 upon evidence that AOL no longer follows their syntax.
751 #Awaiting an updated version however KAM predicts that with the merger that this
752 #is likely to accommodate other systems like Verizon coming under the same infrastructure.
755 #THANKS to Angel from 16bits for this research:
756 #Based on tests at https://i.aol.com/reg/signup shows:
760 #a) "Be shorter than 3"
761 # This is being enforced: «Please make sure that the username field is at
762 #least 3 characters long
764 #b) or longer than 16 characters.
765 #The userName field has a maxlength of 32
766 #(intriguingly, there's also a hidden usernameEmail of up to 97
769 #c) Begin with numbers.
770 #This is being enforced «Your username must begin with a letter.»
772 #d) Contain punctuation of any kind (such as periods, underscores, or
774 #Both periods and underscores are accepted (they are even offered in the
775 #dropbox), dashes are not.
776 #«Your username may not contain characters such as @, !, * or $.»
778 #Periods and underscores may not begin or end the username, or be
779 #consecutive (not between themselves), ie. these two characters may only
780 #appear when surrounded by alphanumeric ones.
782 #(this condition for periods actually comes from rfc5321, assuming you
783 #want to avoid quoting the local part)
786 #Basically, it seems they added . and _ to the allowed characters, and
787 #doubled the username size.
790 #The error messages at
791 #https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
793 #"Please make sure that the username field is at least 3 characters
796 #"Your username may not exceed "+regPageData.snMax+" characters."
797 #"Your username must begin with a letter."
798 #"Your username may not contain characters such as @, !, * or $.",
799 #"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
800 #"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
801 #"Usernames cannot end with a dot (.) or underscore (_)."
802 #"Usernames cannot have consecutive dots (..) or underscores (__)."
804 #"Please make sure that the email address is at least 3 characters long."
805 #"Your email address may not exceed 97 characters."
807 #Missed updating the length to 32. Fixed thanks to Ramon Medina
809 header __KAM_AOL From:addr =~ /\@aol\.(com|co\.uk)/i
811 # username portion must be between 3 & 32 chars, starting with a letter
812 header __KAM_GOODAOL1 From:addr =~ /^[a-z].{2,32}\@aol\.(com|co\.uk)/i
814 # certain punctuation not allowed - This is likely not exhaustive
815 header __KAM_BADAOL1 From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/
816 # no consectutive periods or underscores
817 header __KAM_BADAOL2 From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/
818 # cannot end with . or underscore
819 header __KAM_BADAOL3 From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i
821 meta KAM_BADAOL (__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
822 describe KAM_BADAOL Invalid AOL Address
825 meta KAM_GOODAOL __KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL) && SPF_PASS
826 describe KAM_GOODAOL Valid AOL Email Address
827 score KAM_GOODAOL -1.0
829 # Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
830 header KAM_ADV_EMAIL From:addr =~ /adv\@/i
831 describe KAM_ADV_EMAIL Marks adv@<domain.com> Addresses as likely SPAM
832 score KAM_ADV_EMAIL 5.0
834 #SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
835 header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
836 #EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
837 header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
839 #TRYING TO GET RID OF FPs WITH LAST NAMES
840 header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^))/i
842 #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
843 body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs/i
844 #remove f\#ck for FPs
846 header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
847 body __KAM_SEX_EXPLICIT6 /virus on a porn web/i
849 meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
850 describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
851 score KAM_SEX_EXPLICIT 16.0
853 #SOLICITING AFFAIR SPAM
854 header __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
855 header __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
856 rawbody __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
857 rawbody __KAM_SEX_AFFAIR4 /looking.for.affair/i
859 meta KAM_SEX_AFFAIR (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
860 describe KAM_SEX_AFFAIR Subject or body soliciting an affair
861 score KAM_SEX_AFFAIR 8.0
864 body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
865 body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
866 body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
867 body __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
868 body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
869 body __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
870 header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
871 header __KAM_TELEWORK8 From =~ /training|online/i
873 meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
874 describe KAM_TELEWORK Stupid telework and training scams
875 score KAM_TELEWORK 3.0
877 #Changed to meta 2017-10-17
878 #2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
879 #2019-11-24 - Removed .bid for FPs
880 #2020-06-04 - Added FP check for td.date and div.top
881 #2020-08-23 - Added guru
882 header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa)$/i
883 uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|Casa)($|\/)/i
886 uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
888 meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
889 describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa & .date TLD Abuse
890 score KAM_SOMETLD_ARE_BAD_TLD 5.0
892 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
893 #ifplugin Mail::SpamAssassin::Plugin::WLBLEval
894 # enlist_addrlist (BADTLDS) *@*.pw
895 # enlist_addrlist (BADTLDS) *@*.stream
896 # enlist_addrlist (BADTLDS) *@*.trade
897 # enlist_addrlist (BADTLDS) *@*.bid
898 # enlist_addrlist (BADTLDS) *@*.press
899 # enlist_addrlist (BADTLDS) *@*.top
900 # enlist_addrlist (BADTLDS) *@*.date
902 # header __KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS')
903 # body __KAM_SOMETLD_ARE_BAD_TLD_URI eval:check_uri_host_listed('BADTLDS')
907 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
910 body KAM_LOCAL_TEST1 /myspamtest12341234/
911 describe KAM_LOCAL_TEST1 This is a unique phrase to trigger a + score
912 score KAM_LOCAL_TEST1 50
914 #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
915 header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
916 describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
917 score KAM_RPTR_FAILED 6.0
919 header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
920 meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
921 describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
922 score KAM_RPTR_SUSPECT 2.45
924 #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
925 header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
926 meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
927 describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
928 score KAM_RPTR_PASSED -1.0
930 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
931 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
932 score KAM_RPTR_MISSING 9.0
935 header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
936 describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
937 score KAM_RPTR_BADHOST 9.0
939 #CUSTOM SCORES THAT KAM LIKES
940 #score SARE_GIF_ATTACH 3.0
941 score CHARSET_FARAWAY_HEADER 1.6
942 score MIME_CHARSET_FARAWAY 1.25
943 score FH_FROM_CASH 2.0
947 score FREEMAIL_ENVFROM_END_DIGIT 1.0
948 score FREEMAIL_REPLYTO 1.0
949 score KHOP_BIG_TO_CC 1.5
950 score URIBL_DBL_SPAM 5.0
951 score AC_HTML_NONSENSE_TAGS 4.0
954 #ENABLING DNSWL - BUG 6668
955 score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
956 score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
957 score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
958 score RCVD_IN_DNSWL_HI 0 -5 0 -5
960 #COMPLETE WHOIS IS DOWN
961 #score __RCVD_IN_WHOIS 0
962 #score RCVD_IN_WHOIS_INVALID 0
963 #score URIBL_COMPLETEWHOIS 0
965 #Custom subject whitelist
966 #header FRANCHISE_JERRY Subject =~ /: (Franchise Application|Request Franchise Information)$/i
967 #score FRANCHISE_JERRY -99.0
968 #describe FRANCHISE_JERRY Jerry's Franchise Application or Request
970 header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
971 describe KAM_INVALID_FROM From header missing host portion
972 score KAM_INVALID_FROM 4.0
974 #RAPTOR ALTERED EMAILS
975 #body __KAM_RAPTOR1 /altered by our Raptor filters/i
976 #header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
978 #meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
979 #describe KAM_RAPTOR PCCC Raptor altered the email
980 #score KAM_RAPTOR 3.5
982 #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
983 score RCVD_IN_NJABL_CGI 0
984 score RCVD_IN_NJABL_MULTI 0
985 score RCVD_IN_NJABL_PROXY 0
986 score RCVD_IN_NJABL_RELAY 0
987 score RCVD_IN_NJABL_SPAM 0
988 score __RCVD_IN_NJABL 0
990 if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
991 dns_query_restriction deny njabl.org
995 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
996 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
997 score KAM_RPTR_MISSING 9.0
1001 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
1002 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
1003 score KAM_RPTR_MISSING 9.0
1007 header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
1008 describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
1009 score KAM_RPTR_MISSING 9.0
1013 header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
1014 describe KAM_BADATTACH Mail contains a bad attachment
1015 score KAM_BADATTACH 15.0
1017 #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
1018 #score URIBL_RHS_DOB 0.0
1021 # no KAMOnly, stub rules
1022 meta KAM_RAPTOR_ALTERED 0
1023 score KAM_RAPTOR_ALTERED 0
1024 meta CBJ_GiveMeABreak 0
1025 score CBJ_GiveMeABreak 0
1026 meta KAM_RPTR_SUSPECT 0
1027 score KAM_RPTR_SUSPECT 0
1028 meta KAM_RPTR_FAILED 0
1029 score KAM_RPTR_FAILED 0
1030 meta KAM_RPTR_PASSED 0
1031 score KAM_RPTR_PASSED 0
1034 #$6c822ecf@ - Idea from Jailer-Daemon on SARE
1035 header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
1036 describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
1037 score KAM_6C822ECF 7.0
1039 #DRILLING & MUST READ - With updates courtesy of Mark Damrose
1040 header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
1041 header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
1043 meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
1044 describe KAM_MUSTREAD Subject indicative of a SPAM message
1045 score KAM_MUSTREAD 1.25
1047 body __KAM_DRILL1 /drilling/i
1048 body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
1049 body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
1050 body __KAM_DRILL4 /(buy today|Check this deal out)/i
1052 meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
1053 describe KAM_DRILL Oil Drilling SPAM
1057 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1059 #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
1060 header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
1061 describe KAM_IFRAME Email contained Iframe, Object or Script tags
1062 score KAM_IFRAME 1.0
1064 body KAM_IFRAME2 /you need a browser with javascript/i
1065 describe KAM_IFRAME2 Email contains phrase instructing javascript use
1066 score KAM_IFRAME2 1.0
1068 meta KAM_IFRAME3 (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
1069 score KAM_IFRAME3 5.0
1070 describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
1073 header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
1074 meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
1076 describe KAM_XEROX Likely Fake Xerox Attachment
1079 # no KAMOnly, stub rules
1084 #STUPID REMOVE "*" to make the link working.
1085 body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
1087 meta KAM_STAR (__KAM_STAR1 >= 1)
1088 describe KAM_STAR Stupid Obfuscated Link SPAMs
1091 #IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME.
1092 body __KAM_SPAMKING1 /This advertisement is presented by/is
1093 body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
1094 body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
1095 body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
1096 body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
1097 body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
1099 meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
1100 describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
1101 score KAM_SPAMKING 1.0
1103 #THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
1104 header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
1105 describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
1106 score KAM_SPAMJDR 2.0
1108 meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
1109 describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
1110 score KAM_COMBOJDR 5.0
1113 body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
1115 body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is
1117 body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
1119 body __KAM_LOTTO4 /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
1121 body __KAM_LOTTO5 /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
1123 body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is
1125 header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
1127 header __KAM_LOTTO8 From =~ /Lottery|powerball|western.union/i
1129 header __KAM_LOTTO9 Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
1131 meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
1132 describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
1133 score KAM_LOTTO1 0.75
1135 meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
1136 describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
1137 score KAM_LOTTO2 1.25
1139 meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
1140 describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
1141 score KAM_LOTTO3 3.0
1143 #ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
1144 header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
1145 body __KAM_ABOUT2 /Spyware/i
1147 meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
1148 describe KAM_ABOUT Email Scam Hawking Anti-Spyware
1152 body __KAM_ADVERT1 /email advertising|\d{3}%.roi/is
1153 body __KAM_ADVERT2 /instant traffic (to your website|and sales)|demand.generation/is
1154 body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
1155 header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i
1157 meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
1158 describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
1159 score KAM_ADVERT 2.5
1162 body KAM_ADVERT3 /AllExpiringDomains.com/i
1163 describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
1164 score KAM_ADVERT3 5.0
1167 body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment/is
1168 describe KAM_ADVERT2 This is probably an unwanted commercial email...
1169 score KAM_ADVERT2 0.75
1171 #ONE LINE ADVERTISEMENTS
1172 body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
1173 header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
1175 meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
1176 describe KAM_1LINE One liner SPAMs
1180 body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
1181 describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
1182 score KAM_CANSPAM 1.0
1185 body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
1186 body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
1187 body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
1188 body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
1189 body __KAM_GIFT5 /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
1190 header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i
1192 meta KAM_GIFT ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
1193 describe KAM_GIFT Gift Card Scams
1196 meta KAM_GIFT2 ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
1197 describe KAM_GIFT2 Gift Card Scams
1201 body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
1202 body __KAM_SHOP2 /Do you like to shop/is
1203 body __KAM_SHOP3 /make money while you shop/is
1204 meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
1205 describe KAM_SHOP Mystery Shopper Scams
1209 rawbody __KAM_FAST1 /make fast cash in real estate/is
1210 meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
1211 describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
1215 body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
1216 header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
1217 header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
1219 meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
1220 describe KAM_BIZ Free Business Card Emails
1224 body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
1225 body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
1226 body __KAM_FDA3 /FDA Recall/i
1228 meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
1229 describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
1233 body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
1234 body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
1235 header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
1236 #rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
1237 header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i
1239 #ANATRIM / GREEN TEA / CORTITHERM / ETC
1240 body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
1241 header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i
1243 meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
1244 describe KAM_ANA Likely Weight-loss / Medical Spam
1247 meta KAM_ANA2 (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
1248 describe KAM_ANA2 Higher probability of Weight-loss / Medical Spam
1252 body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
1253 body __KAM_REP2 /www\s+[-!~\.]/i
1255 body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
1256 body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
1258 body __KAM_REP3_1 /\*omit empty spaces/is
1259 body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
1261 meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
1262 describe KAM_REPLACE Spams that use obfuscated URLs with instructions
1263 score KAM_REPLACE 2.0
1265 #EVEN MORE NIGERIAN SCAMS AND VARIANTS
1266 body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
1267 body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
1268 body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
1269 body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
1270 body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i
1272 meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
1273 describe KAM_NIGERIAN Nigerian Scam and Variants
1274 score KAM_NIGERIAN 2.5
1277 body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
1278 body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
1279 body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
1280 body __KAM_LIKE4 /HTML code for the link/is
1281 body __KAM_LIKE5 /I apologize if this message was sent, in error/is
1283 meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
1284 describe KAM_LIKE I like your website link exchange spam
1287 #PUBLICLY AVAILABLE LISTS?
1288 body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
1289 describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
1290 score KAM_PUBLIC 9.0
1292 #SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
1293 body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
1294 body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
1295 header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
1296 body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
1298 describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
1300 meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)
1302 #STUPID PICTURE SPAMS
1303 body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
1304 body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
1305 body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
1306 body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
1307 body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
1309 describe KAM_PIC Share Pictures and Chat SPAM
1311 meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)
1313 #STUPID MAILING LIST SPAMS
1314 body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
1315 body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
1316 body __KAM_LIST3 /price\:|prices for our director/is
1317 body __KAM_LIST4 /(?:database|list|[\d,]+ (total records|e-?mails))/is
1318 body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
1319 header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i
1321 describe KAM_LIST Mailing List Database SPAM
1323 meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)
1325 #YET MORE DRUG SCAMS
1326 body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
1327 body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
1328 rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
1329 body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
1331 describe KAM_DRUG More Viagra, Medicine, et al Scams
1333 meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)
1335 #DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
1336 #Thanks to Jamie for pointing out I missed a 1918 range.
1337 rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)/i
1338 rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
1339 describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
1340 score KAM_BADIPHTTP 2.0
1341 meta KAM_BADIPHTTP (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)
1343 body __KAM_HIDDEN_URI1 /\[DOT\]com/is
1344 body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
1345 meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
1346 describe KAM_HIDDEN_URI URI obfuscation techniques
1347 score KAM_HIDDEN_URI 4.0
1349 #ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
1350 rawbody __KAM_INFOUSMEBIZ1 /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
1351 header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
1352 header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i
1354 meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
1355 score KAM_INFOUSMEBIZ 0.75
1356 describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
1358 # OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science, .casa
1359 rawbody __KAM_OTHER_BAD_TLD1 /http:\/\/(?:www.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
1360 header __KAM_OTHER_BAD_TLD2 From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
1361 header __KAM_OTHER_BAD_TLD3 Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i
1363 meta KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
1364 score KAM_OTHER_BAD_TLD 0.75
1365 describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs
1368 #RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
1369 body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
1370 body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
1371 body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
1372 header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
1373 rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i
1375 describe KAM_CARD Trojan or Virus Payload from fake ecard notice
1377 meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)
1379 #INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
1380 header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
1381 body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
1382 header __KAM_INSURE3 From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
1383 body __KAM_INSURE4 /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i
1385 describe KAM_INSURE Life, Health, Auto, etc. Insurance SPAMs
1386 score KAM_INSURE 2.5
1387 meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)
1389 describe KAM_INSURE2 Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
1390 score KAM_INSURE2 2.5
1391 meta KAM_INSURE2 (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)
1394 body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
1395 body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
1396 rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
1397 rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
1398 header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i
1400 describe KAM_HEALTH Health/Life Insurance Spam Emails
1401 score KAM_HEALTH 3.0
1402 meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)
1405 body __KAM_HEALTH2_1 /affordable health coverage/i
1406 header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
1408 describe KAM_HEALTH2 Health Insurance Spam Emails
1409 score KAM_HEALTH2 3.0
1410 meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)
1413 header __KAM_HEALTH3_1 Subject =~ /Term Life Coverage/i
1414 header __KAM_HEALTH3_2 Subject =~ /\d\d\/mo/i
1415 header __KAM_HEALTH3_3 From =~ /fidelity/i
1417 describe KAM_HEALTH3 Term Life Insurance Spam
1418 score KAM_HEALTH3 3.0
1419 meta KAM_HEALTH3 (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)
1421 #REAL ESTATE INVESTMENT SCAMS
1422 body __KAM_REAL2_1 /(?:Property available|on the water|costa rica|mountain.top)/i
1423 body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
1424 body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
1425 body __KAM_REAL2_4 /(?:home sites|raw land|vacation home|wooded.property)/i
1426 body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i
1428 describe KAM_REAL2 Real-estate investment scams
1430 meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)
1432 #BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
1434 ifplugin Mail::SpamAssassin::Plugin::PDFInfo
1435 #Thanks to Ben Lentz for pointing out a lint error with this.
1437 describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
1438 score KAM_BADPDF 2.5
1439 header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
1441 describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
1442 score KAM_BADPDF1 2.5
1443 meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
1445 #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
1446 describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
1447 score KAM_BADPDF2 2.5
1448 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1449 meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
1451 meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
1456 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
1457 mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
1458 mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
1461 header __KAM_BADPO3 Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
1463 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1464 meta KAM_BADPO (KAM_RAPTOR_ALTERED + __KAM_BADPO3 >= 2)
1465 describe KAM_BADPO Bad Purchase Orders
1469 meta KAM_BADPO2 (__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)
1470 describe KAM_BADPO2 Bad Purchase Orders
1471 score KAM_BADPO2 5.0
1475 #FAKE PDF READER/WRITE
1476 body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
1477 body __KAM_FAKEPDF2 /Reader 2010/is
1478 header __KAM_FAKEPDF3 From =~ /adobe/is
1479 header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
1481 meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
1482 describe KAM_FAKEPDF Fake PDF Reader / Writer
1483 score KAM_FAKEPDF 4.0
1485 #VACU AND VARIOUS PHISHING SCAMS
1487 header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
1489 body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
1491 rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
1493 body __KAM_PHISH2_4 /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
1494 body __KAM_PHISH2_5 /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
1495 body __KAM_PHISH2_6 /confirm your online banking details|payment.advice|online.fraud|billing.information/i
1496 body __KAM_PHISH2_7 /extra security check|security.tip/i
1498 describe KAM_PHISH2 Prevalent Phishing Scam emails
1499 score KAM_PHISH2 2.0
1500 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1501 meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
1503 meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
1506 #CRAZY HEX EMPTY MESSAGE
1507 body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
1508 header __KAM_HEX2 Subject =~ /^\d{5,6}$/
1510 describe KAM_HEX Crazy Empty Hex Messages
1512 meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)
1514 #THE BAT! MAILER USED TOO MUCH FOR SPAM
1515 # I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
1516 header KAM_THEBAT X-Mailer =~ /The Bat!/i
1517 describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
1518 score KAM_THEBAT 1.9
1521 body __KAM_MAILER1 /{!firstname_fix}/i
1523 meta KAM_MAILER (__KAM_MAILER1 >= 1)
1524 score KAM_MAILER 2.0
1525 describe KAM_MAILER Automated Mailer Tag Left in Email
1527 #YET ANOTHER NIGERIAN SCAM VARIANT
1528 body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
1529 body __KAM_CHECK2 /let me know when you recieve your money/i
1531 describe KAM_CHECK Another Nigerian Bank Draft Scam
1533 meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)
1536 body __KAM_OPRAH1 /airfare/i
1537 body __KAM_OPRAH2 /hotel/i
1538 body __KAM_OPRAH3 /oprah/i
1539 header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
1541 describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
1543 meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)
1546 body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
1547 body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
1548 header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
1550 describe KAM_EBAY SPAMs re: eBay Auction Tips
1552 meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)
1554 #GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
1555 body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
1556 body __KAM_GAS2 /We have a solution|save \d+ cents per gallon|competitive rewards/i
1557 header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
1558 header __KAM_GAS4 From =~ /gas/i
1560 describe KAM_GAS SPAMs re: High Gas Prices
1562 meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)
1564 #WEIRD BODY MESSAGES
1565 body KAM_BODY /{_BODY_HTML}/i
1567 describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting
1569 #FREE TV, SATELLITE, CABLE INTERNET, ETC
1570 body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
1571 body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
1572 header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
1573 header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i
1575 meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
1577 describe KAM_TV Free TV/Cable/etc. Scams
1579 meta KAM_TV2 (KAM_TV + KAM_INFOUSMEBIZ >=2)
1581 describe KAM_TV2 Higher probability of Free TV/Cable/etc. Spams
1584 body __KAM_CAREER1 /Hospitals need you|Medical Billing and Coding|medical.coding/is
1585 body __KAM_CAREER2 /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
1586 body __KAM_CAREER3 /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is
1588 meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
1589 score KAM_CAREER 5.0
1590 describe KAM_CAREER Spam for Career/Diploma Mills
1593 header __KAM_NURSE1 From =~ /nursing|nurses|health.?care/i
1594 header __KAM_NURSE2 Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
1595 body __KAM_NURSE3 /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i
1597 meta KAM_NURSE (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
1599 describe KAM_NURSE Spam for Career/Diploma Mills
1602 header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
1603 body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
1605 meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
1607 describe KAM_PILLS Spam for scam pharmacy
1610 header __KAM_PILLS2_1 From =~ /Enlarge|Men's Supplement/i
1611 header __KAM_PILLS2_2 From =~ /Free Sample/i
1613 meta KAM_PILLS2 (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
1614 describe KAM_PILLS2 Male enhancement spams
1615 score KAM_PILLS2 2.5
1618 body __KAM_ALT1 /reply to my alternative E-?mail/is
1620 meta KAM_ALT (__KAM_ALT1 >= 1)
1622 describe KAM_ALT Requests use of an alternate email which may indicate spam
1626 #AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
1629 header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
1630 body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
1631 header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
1632 header __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i
1634 meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
1635 score KAM_POLITICS 4.5
1636 describe KAM_POLITICS Unsolicited Political E-Mails
1641 header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i
1643 meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1)
1644 score KAM_COMPANY1 5.0
1645 describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be)
1648 body __KAM_COMPANY2_1 /Member Services MGM, LLC/is
1650 meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1)
1651 score KAM_COMPANY2 5.0
1652 describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be)
1654 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
1656 #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
1657 #Thanks to AXB for his help with these!
1661 #These RBL's below can contain domains that can cause collateral damage.
1662 #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
1663 #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
1664 #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
1665 #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
1666 #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
1667 #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
1668 #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com
1670 if (version >= 3.003000)
1671 #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
1672 util_rb_2tld ning.com
1673 util_rb_2tld mygbiz.com
1674 util_rb_2tld web.com
1675 util_rb_2tld onmicrosoft.com
1676 util_rb_2tld online.de
1677 util_rb_2tld wix.com
1678 util_rb_2tld netdna-cdn.com
1679 util_rb_2tld dreamhost.com
1680 util_rb_2tld noip.us
1681 util_rb_2tld mmsend.com
1682 util_rb_2tld cu-portland.edu
1683 util_rb_2tld jimdo.com
1684 util_rb_2tld doesphotography.com
1685 util_rb_2tld isteaching.com
1686 util_rb_2tld googleapis.com
1687 util_rb_2tld a2hosted.com
1690 # allow URI rules to look at DKIM headers if they exist and our SA version supports it
1691 if (version >= 3.0040001)
1695 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1697 urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. A 127.0.0.4
1698 body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC')
1699 describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1700 tflags KAM_BODY_URIBL_PCCC net
1701 score KAM_BODY_URIBL_PCCC 9.0
1703 if (version >= 3.004001)
1705 #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
1706 header KAM_FROM_URIBL_PCCC eval:check_rbl_from_domain('pccc-from-uribl', 'wild.pccc.com.', '127.0.0.4')
1707 describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1708 tflags KAM_FROM_URIBL_PCCC net
1709 score KAM_FROM_URIBL_PCCC 9.0
1712 #MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS
1713 urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32
1714 body KAM_BODY_MARKETINGBL_PCCC eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
1715 describe KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
1716 tflags KAM_BODY_MARKETINGBL_PCCC net
1717 score KAM_BODY_MARKETINGBL_PCCC 0.001
1719 if (version >= 3.004001)
1721 header KAM_FROM_MARKETINGBL_PCCC eval:check_rbl_from_domain('pccc-marketing', 'wild.pccc.com.', '127.0.0.32')
1722 describe KAM_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL)
1723 tflags KAM_FROM_MARKETINGBL_PCCC net
1725 score KAM_FROM_MARKETINGBL_PCCC 0.001
1727 meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
1728 describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
1729 score KAM_MARKETINGBL_PCCC 1.0
1733 if (version >= 3.004001)
1734 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1735 #Compromised URI - In Body
1736 urirhssub KAM_BODY_COMPROMISED_URIBL_PCCC wild.pccc.com. A 127.0.1.2
1737 body KAM_BODY_COMPROMISED_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
1738 describe KAM_BODY_COMPROMISED_URIBL_PCCC Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
1739 tflags KAM_BODY_COMPROMISED_URIBL_PCCC net
1740 score KAM_BODY_COMPROMISED_URIBL_PCCC 9.0
1742 #Contains a likely good URI but otherwise compromised by malware/hackers
1743 header KAM_FROM_COMPROMISED_URIBL_PCCC eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
1744 describe KAM_FROM_COMPROMISED_URIBL_PCCC From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
1745 tflags KAM_FROM_COMPROMISED_URIBL_PCCC net
1746 score KAM_FROM_COMPROMISED_URIBL_PCCC 9.0
1750 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1751 #Received - Currently disabled for more research on FPs
1752 #header KAM_RCVD_URIBL_PCCC eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
1753 #describe KAM_RCVD_URIBL_PCCC Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1754 #tflags KAM_RCVD_URIBL_PCCC net
1755 #score KAM_RCVD_URIBL_PCCC 5.0
1758 #NO SOLUTION - Would make a Good Bugzila for a FR
1760 #Test for any hits on PCCC URIBL Rules
1761 meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1)
1765 #Test for URIBL Black and Spamhaus DBL per discussion ith Alex Broens
1766 meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM)
1767 describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL
1768 score KAM_VERY_BLACK_DBL 5.0
1772 #EMAIL BLACKLIST CHECK FOR PCCC RBL
1773 ifplugin Mail::SpamAssassin::Plugin::EmailBL
1774 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1775 #uses emailbl -all which is the same as -headers and -bodysafe
1776 header KAM_MESSAGE_EMAILBL_PCCC eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
1777 describe KAM_MESSAGE_EMAILBL_PCCC Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
1778 tflags KAM_MESSAGE_EMAILBL_PCCC net
1779 score KAM_MESSAGE_EMAILBL_PCCC 6.0
1783 #FAKERBL MX RELATED RULES
1784 header __KAM_MX1 Reply-To =~ /\@mx\d+\./i
1785 header __KAM_MX2 Return-Path =~ /\@mx\d+\./i
1786 header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
1787 header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
1788 # Thanks to Markus Clardy for feedback!
1789 header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i
1791 meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
1792 describe __KAM_MX Odd prevalence of mx records associated with the FAKERBL Spammers
1795 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
1797 meta KAM_MX (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
1799 describe KAM_MX Spammers and MX Rule
1803 meta KAM_MXINFO (__KAM_MX5)
1804 score KAM_MXINFO 1.0
1805 describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers
1808 body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i
1810 header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i
1813 header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i
1814 header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
1815 body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i
1817 meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
1819 describe KAM_GRASS Spammers hawking lawn products
1821 #PED EGG / BELISI / SKIN PRODUCTS
1822 header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
1823 header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
1824 rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
1825 body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i
1827 meta KAM_SKIN (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
1829 describe KAM_SKIN Spammers hawking skin/medical/foot products
1831 meta KAM_SKIN2 (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
1833 describe KAM_SKIN2 Spammers hawking skin/medical/foot products
1835 #NEW CAR / WARRANTY SCAMS
1836 header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
1837 body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
1838 body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
1839 header __KAM_CAR4 From =~ /warranty|lender|clearance/i
1841 meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
1843 describe KAM_CAR Spammers hawking new car, insurance or warranties
1845 # MORE NEW CAR SPAMS
1846 header __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
1847 header __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
1848 body __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i
1850 meta KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
1851 describe KAM_AUTO Spam for new cars
1854 #HOME WARRANTY SPAMS
1855 header __KAM_WARRANTY1 Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i
1856 body __KAM_WARRANTY2 /Protect your home|choice home warranty|unexpected repair/i
1857 body __KAM_WARRANTY3 /home warrant|complimentary insurance quote/i
1858 header __KAM_WARRANTY4 From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i
1860 meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
1861 score KAM_WARRANTY 1.5
1862 describe KAM_WARRANTY Spammers hawking home warranties
1864 meta KAM_WARRANTY2 (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
1865 score KAM_WARRANTY2 3.5
1866 describe KAM_WARRANTY2 Spammers pushing home warranties
1868 meta KAM_WARRANTY3 (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
1869 score KAM_WARRANTY3 1.5
1870 describe KAM_WARRANTY3 Spammers hawking home warranties
1873 header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i
1874 body __KAM_AUGER2 /Awesome Auger/i
1876 meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2)
1878 describe KAM_AUGER Spammers hawking Awesome Augers?!?
1881 header __KAM_MOVIE1 Subject =~ /Movie Extra/i
1882 body __KAM_MOVIE2 /Movie Extra/i
1884 meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
1886 describe KAM_MOVIE Spammers hawking Movie Extra positions
1889 header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i
1890 body __KAM_COLLECT2 /No Fee/i
1891 body __KAM_COLLECT3 /collection professionals/i
1892 body __KAM_COLLECT4 /recovery rate/i
1894 meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
1895 score KAM_COLLECT 5.0
1896 describe KAM_COLLECT Spammers hawking debt collection
1901 header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page/i
1903 body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
1905 body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search/i
1907 body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
1909 rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|(search engine|SEO) (consultant|expert|Service)|sales manager/i
1911 meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
1912 score KAM_SEARCH 5.0
1913 describe KAM_SEARCH Spammers hawking SEO
1916 header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report/i
1918 body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|ranking report/i
1919 tflags __KAM_SEO2 nosubject
1921 body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings/i
1923 body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
1925 body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial/i
1927 body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam/i
1928 # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
1931 meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
1933 describe KAM_SEO Spammers hawking SEO
1935 #ABUSED FREEMAIL ACCOUNTS
1936 #header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
1937 #header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
1938 #meta __KAM_FREEMAIL (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
1941 #header __KAM_LINGERIE1 From =~ /lexi campbell/i
1942 #header __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
1943 #header __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
1944 #body __KAM_LINGERIE4 /Exotic modelling videos/i
1946 #meta KAM_LINGERIE (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
1947 #score KAM_LINGERIE 10.0
1948 #describe KAM_LINGERIE Sexually Explicity Lingerie Spam
1952 header __KAM_WEB1 Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i
1953 body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
1954 body __KAM_WEB3 /Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i
1956 meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
1958 describe KAM_WEB Web design spams
1960 #DOMAIN NAME AND OTHER RELATED SPAMS
1961 body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
1962 body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
1963 body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
1964 header __KAM_DOMAIN4 From =~ /domain|submit.site/i
1965 header __KAM_DOMAIN5 Subject =~ /\.com$/i
1967 meta KAM_DOMAIN (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3)
1968 score KAM_DOMAIN 8.5
1969 describe KAM_DOMAIN Domain Selling Spams
1971 #MEDICAL TOURISM SPAM
1972 body __KAM_MEDTOUR1 /medical.tourism/i
1973 body __KAM_MEDTOUR2 /lowest cost in India/i
1974 header __KAM_MEDTOUR3 Subject =~ /Medical.Tourism/i
1976 meta KAM_MEDTOUR (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
1977 score KAM_MEDTOUR 3.0
1978 describe KAM_MEDTOUR Medical Tourism Spam
1981 header __KAM_ACNE1 Subject =~ /Proactiv/i
1982 header __KAM_ACNE2 From =~ /Acne/i
1983 body __KAM_ACNE3 /proactiv/i
1984 body __KAM_ACNE4 /Online Gift Rewards/i
1986 meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
1988 describe KAM_ACNE Spammers hawking Acne products
1991 header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i
1992 header __KAM_SOFTWARE2 From =~ /registry/i
1993 body __KAM_SOFTWARE3 /Fix file errors/i
1994 body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i
1996 meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
1997 score KAM_SOFTWARE 5.0
1998 describe KAM_SOFTWARE Spammers hawking Software products
2001 header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
2002 body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director|former.minister|gold.dealer/i
2003 body __KAM_NIGERIAN2_3 /high court|central bank|payment center|customs?.officer/i
2004 body __KAM_NIGERIAN2_4 /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
2005 body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft|oil.and.gas/i
2006 body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
2007 body __KAM_NIGERIAN2_7 /bank|smuggle/i
2008 body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
2009 body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i
2011 meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
2012 score KAM_NIGERIAN2 5.0
2013 describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam.
2016 body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
2017 body __KAM_MEDICAL2 /Safe - Natural - Effective/i
2018 header __KAM_MEDICAL3 From =~ /Medical/i
2019 header __KAM_MEDICAL4 Subject =~ /Medical Billing/i
2021 meta KAM_MEDICAL (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
2022 score KAM_MEDICAL 4.0
2023 describe KAM_MEDICAL Misc medical spam
2026 body __KAM_TINNI1 /TinniFix/i
2027 body __KAM_TINNI2 /Stop the ringing in your ears/i
2028 header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i
2030 meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
2032 describe KAM_TINNI Another Medical Scam
2035 body __KAM_GIVE1 /receive your gift/i
2036 body __KAM_GIVE2 /laptop giveaway|deliver your dell.? laptop/i
2037 body __KAM_GIVE3 /answering a short survey/i
2038 body __KAM_GIVE4 /verify your shipping address/i
2040 meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
2042 describe KAM_GIVE Free stuff "giveaway" scam
2045 header __KAM_GOVT1 Subject =~ /Government Funding/i
2046 body __KAM_GOVT2 /government funding/i
2047 body __KAM_GOVT3 /complimentary information kit/i
2048 body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i
2050 meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
2052 describe KAM_GOVT Your tax dollars at work scam...
2055 meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2)
2057 describe KAM_RBL Higher scores for hitting multiple trusted RBLs
2060 header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i
2062 meta KAM_CNN (__KAM_CNN1 == 1)
2064 describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams
2066 #SNUGGIE BLANKETS / SHAM WOW
2067 header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i
2068 header __KAM_SHAM2 From =~ /Sham ?Wow/i
2069 body __KAM_SHAM3 /ShamWow/i
2070 body __KAM_SHAM4 /20(X| times) its weight/i
2072 meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
2074 describe KAM_SHAM More product scams...
2077 header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
2078 body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i
2079 body __KAM_SANTA3 /the .?perfect.? gift|personalized letter/i
2081 meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
2083 describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam...
2085 #WORK FOR / LEARN GOOGLE
2086 header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
2087 body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
2088 body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
2089 body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i
2090 header __KAM_GOOGLE5 From =~ /Google Money/i
2092 meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
2093 score KAM_GOOGLE 3.5
2094 describe KAM_GOOGLE Google Pyramid Scams
2097 header __KAM_ALARM1 Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
2098 body __KAM_ALARM2 /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
2099 rawbody __KAM_ALARM3 /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
2100 header __KAM_ALARM4 From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i
2102 meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
2104 describe KAM_ALARM Security and Alarm Company Spams
2106 rawbody __KAM_ALARM5 /gaylord/i
2108 meta KAM_ALARM2 (KAM_ALARM && __KAM_ALARM5)
2109 score KAM_ALARM2 2.5
2110 describe KAM_ALARM2 High Probability of Security and Alarm Company Spams
2113 header __KAM_SELL1 Subject =~ /Market Credit Cards/i
2114 body __KAM_SELL2 /Easy Money/i
2115 body __KAM_SELL3 /Selling Credit Cards/i
2117 meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
2119 describe KAM_SELL Selling Cards Marketing Scams
2122 header __KAM_WHITEN1 Subject =~ /whiten your teeth/i
2123 body __KAM_WHITEN2 /whitener/i
2124 body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i
2126 meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
2127 score KAM_WHITEN 3.5
2128 describe KAM_WHITEN Teeth Whitening Scams
2131 body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
2132 body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
2133 body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
2134 header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i
2136 meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
2137 score KAM_URONLINE 4.5
2138 describe KAM_URONLINE Chat Scams
2141 body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
2142 body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
2143 header __KAM_TIMESHARE3 Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
2144 header __KAM_TIMESHARE4 From =~ /Resort.*sales|timeshare/i
2146 meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
2147 score KAM_TIMESHARE 4.0
2148 describe KAM_TIMESHARE Timeshare Scams
2151 body __KAM_AQUA1 /Aqua Globe/is
2152 body __KAM_AQUA2 /watering your plants/is
2153 body __KAM_AQUA3 /while on vacation/is
2154 header __KAM_AQUA4 Subject =~ /Waters your Plants/i
2156 meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
2158 describe KAM_AQUA Spams of yet another product du jour
2161 body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
2162 body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
2163 body __KAM_GEVALIA3 /No Further Obligation/is
2164 header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
2166 meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
2167 score KAM_GEVALIA 3.0
2168 describe KAM_GEVALIA Spams of yet another product du jour
2171 body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
2172 header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
2173 header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i
2175 meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
2177 describe KAM_INK Spams of yet another product du jour
2179 meta KAM_INK2 (KAM_INK + KAM_INFOUSMEBIZ >= 2)
2181 describe KAM_INK2 Spams for Ink refills
2184 body __KAM_PEEL1 /Titan Peeler/is
2185 header __KAM_PEEL2 From =~ /Titan Peeler/i
2186 header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
2188 meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
2190 describe KAM_PEEL Spams of yet another product du jour
2192 #HTML EMAIL REQUIRING IMAGES?
2193 rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is
2196 header __KAM_RAT1_1 From =~ /\@fromname\@/i
2197 header __KAM_RAT1_2 Subject =~ /(\[FName\]|\%\{AUTOVALS)/i
2199 meta KAM_RAT1 (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
2201 describe KAM_RAT1 Variable Replacements Indicative of RatWare/Mass Mailing
2203 body __KAM_RAT2_1 /job description/i
2204 body __KAM_RAT2_2 /dear shopper/i
2205 header __KAM_RAT2_3 From =~ /mystery/i
2207 meta KAM_RAT2 (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
2209 describe KAM_RAT2 Another ratware mistake, uninterpolated text
2212 body __KAM_EGG1 /Egg Genie/is
2213 header __KAM_EGG2 From =~ /Egg Genie/i
2214 header __KAM_EGG3 Subject =~ /medium eggs/i
2216 meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
2218 describe KAM_EGG Spams of yet another product du jour
2221 body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
2222 body __KAM_USB2 /person (that|who) handles the promotions/i
2223 body __KAM_USB3 /usbsmg.com/i
2225 meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
2227 describe KAM_USB USB Promotion Spammer
2230 body __KAM_GRANT1 /government grant/i
2231 body __KAM_GRANT2 /find out if you qualify/i
2232 body __KAM_GRANT3 /discontinue from this promotion/i
2234 meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
2236 describe KAM_GRANT Government Grant Scams
2239 #MEDICINE REFERENCES
2240 body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
2242 body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
2244 header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
2246 body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality|sex with new boys/is
2248 meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
2249 score KAM_SEX04 10.0
2250 describe KAM_SEX04 Sexually Explicit SPAM
2253 meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
2254 score KAM_SEX04_2 2.0
2255 describe KAM_SEX04_2 Likely Sexually Explicit SPAM
2257 #Another Sexually Explicit Email
2258 meta KAM_SEX07 (__KAM_SUBJECT_SINGLEWORD + __KAM_SEX04_4 >= 2)
2260 describe KAM_SEX07 Sexually Explicit SPAM
2263 header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
2264 body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
2266 meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
2268 describe KAM_SEX05 Sexually Explicit SPAM
2270 #FOOTBALL CLUB SPAMS
2271 header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
2272 header __KAM_FOOTBALL2 From =~ /Football/i
2273 body __KAM_FOOTBALL3 /Mercato/i
2274 body __KAM_FOOTBALL4 /Football/i
2276 meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
2277 score KAM_FOOTBALL 4.0
2278 describe KAM_FOOTBALL Spammy Football Club
2280 #DISH NETWORK SPAMS AND OTHER TV SPAM
2281 header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
2282 header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
2283 rawbody __KAM_DISH3 /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i
2285 meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
2287 describe KAM_DISH Dish Network Spams
2289 meta KAM_DISH2 (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
2291 describe KAM_DISH2 Dish Network Spams
2294 header __KAM_IDENTNET1 From =~ /\@identitynetwork.net/i
2295 body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
2297 meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
2298 score KAM_IDENTNET 8.0
2299 describe KAM_IDENTNET Identity Network Spams
2302 #body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
2303 #header __KAM_HONEY2 From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i
2305 #meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
2306 #score KAM_HONEY 12.0
2307 #describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means
2310 header __KAM_DUCHESS1 Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
2311 header __KAM_DUCHESS2 From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
2313 body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
2314 rawbody __KAM_DUCHESS4 /duchess/i
2315 rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
2316 body __KAM_DUCHESS6 /For account number:/i
2318 meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
2319 score KAM_DUCHESS 5.0
2320 describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images
2323 header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
2324 header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
2325 body __KAM_UPS3 /invoice copy attached/i
2327 meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
2329 describe KAM_UPS UPS doesn't send invoices with delivery problem notes
2332 header __KAM_SKYPE1 Subject =~ /Free Calls/i
2333 header __KAM_SKYPE2 Received =~ /releasesourcek.com/i
2334 header __KAM_SKYPE3 From =~ /VOIP News/i
2335 body __KAM_SKYPE4 /Promo Code: \d/i
2337 meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
2339 describe KAM_SKYPE Skype/Voip scams likely to spread malware
2342 rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i
2344 score KAM_OWAPHISH1 6.0
2345 describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing
2347 #MORE DRUG SPAM - 2009-05-03
2348 header __KAM_DRUG2_1 Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i
2350 header __KAM_DRUG2_2 Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i
2352 body __KAM_DRUG2_3 /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i
2354 body __KAM_DRUG2_4 /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i
2356 body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
2358 body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
2360 header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
2362 header __KAM_DRUG2_8 From =~ /aquaflexin/i
2364 meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
2366 describe KAM_DRUG2 More online Drug Scams
2368 meta KAM_DRUG2_2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
2369 score KAM_DRUG2_2 3.0
2370 describe KAM_DRUG2_2 Higher Certainty of Drug Scam
2372 meta KAM_SEXSUBJECT __KAM_DRUG2_1
2373 score KAM_SEXSUBJECT 2.0
2374 describe KAM_SEXSUBJECT Sexually Explicit Subject
2376 #RUSSIAN WIFE/BRIDE SCAMS
2377 header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe)/i
2378 body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
2379 tflags __KAM_WIFE2 nosubject
2380 header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice).?(russian|asian)/i
2382 meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
2384 describe KAM_WIFE Mail order bride scams
2387 header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
2388 body __KAM_PRODUCT2 /phones for discerning individuals/i
2390 meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
2391 score KAM_PRODUCT 3.0
2392 describe KAM_PRODUCT Product scams often used with MSN/Live URIs
2394 #SPACES / LIVE / MSN / ETC. SCAMS
2395 meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
2396 score KAM_LIVEURI2 3.0
2397 describe KAM_LIVEURI2 More online Scams + Known URI
2400 uri KAM_WEBS /.{3,25}\.webs.com/i
2402 describe KAM_WEBS webs.com links used in Spams
2404 #IMAGESHACK SWF Files
2405 uri KAM_BADSWF /imageshack.us\/.{3,25}.swf$/i
2406 score KAM_BADSWF 3.0
2407 describe KAM_BADSWF SWF embedded links in Email Scams
2410 uri KAM_EXEURI /.exe$/i
2411 score KAM_EXEURI 0.5
2412 describe KAM_EXEURI EXE embedded link
2414 #SETTINGS FILE PHISH
2415 header __KAM_SETTING1 Subject =~ /settings file|maintenance!!/i
2416 body __KAM_SETTING2 /security upgrade|Maintenance Process on our email system /i
2417 body __KAM_SETTING3 /settings?.zip/i
2419 meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
2420 score KAM_SETTING 2.5
2421 describe KAM_SETTING Phishing scams w/Setting Files or Webmail
2423 #Fixed small misspelling thanks to Jameel Akari
2424 meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
2425 score KAM_SETTING2 4.0
2426 describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link
2429 header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
2430 header __KAM_FARM2 From =~ /blueberr|tomato|DIY|garden/i
2431 body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
2433 meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
2435 describe KAM_FARM Farming related Spams
2437 #MX URI - Scored lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
2438 uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
2440 describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]
2443 body __KAM_FLASH1 /Flash Player Code: \d\d/i
2444 body __KAM_FLASH2 /Flash Player Update/i
2445 header __KAM_FLASH3 Subject =~ /Flash Player/i
2446 header __KAM_FLASH4 Subject =~ /activation code/i
2447 header __KAM_FLASH5 From =~ /Flash Player/i
2449 meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
2451 describe KAM_FLASH Fake Flash Player Phishing Scam
2455 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2457 body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
2458 header __KAM_ADWORD2 From =~ /adwords.com|salesdirect.com/i
2459 header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
2460 body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
2462 meta KAM_ADWORD (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
2463 score KAM_ADWORD 10.0
2464 describe KAM_ADWORD Fake Adword Campaign notices
2468 #DON NOB & WORK FROM HOME SCAMS
2469 header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
2470 header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
2471 body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
2472 body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
2474 meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
2476 describe KAM_DON Work at Home Scams
2478 meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
2480 describe KAM_DON2 Egregious Work at Home Scams
2483 header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
2484 header __KAM_GINA2 Subject =~ /GINA deadline/i
2485 body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
2486 body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
2488 meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
2490 describe KAM_GINA Employment Poster Marketing Spams
2493 header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
2494 header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
2495 body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
2496 body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i
2498 meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
2500 describe KAM_TAX Tax Filing Scams
2502 meta KAM_TAX2 (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
2504 describe KAM_TAX2 Higher Probability of Tax Filing Scams
2507 body __KAM_SEX06_1 /more fire and passion/i
2509 meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
2511 describe KAM_SEX06 Sexual Stimulant Spam
2513 #DOG BARK AND OTHER DOG SPAM
2514 body __KAM_BARK1 /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
2515 header __KAM_BARK2 Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
2516 header __KAM_BARK3 From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i
2518 meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
2520 describe KAM_BARK Dog Product Scam
2523 body __KAM_CASINO1 /Elite World Casino/i
2524 body __KAM_CASINO2 /Online Casino/i
2525 header __KAM_CASINO3 Subject =~ /chances to win/i
2527 meta KAM_CASINO (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
2528 score KAM_CASINO 3.5
2529 describe KAM_CASINO Online Casino Spam
2532 header __KAM_TWIT1 From =~ /twitter/i
2533 header __KAM_TWIT2 Subject =~ /twitter \d{3}-\d{2}/i
2535 meta KAM_TWIT (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
2537 describe KAM_TWIT Twitter bogus phishing emails
2541 header __KAM_FACE1 From =~ /password/i
2542 header __KAM_FACE2 Subject =~ /reset your facebook/i
2543 header __KAM_FACE3 X-Mailer =~ /Zuckmail/i
2545 meta KAM_FACE (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
2547 describe KAM_FACE Facebook bogus phishing emails
2549 header __KAM_PHISH3_1 Subject =~ /account notification/i
2550 body __KAM_PHISH3_2 /accessed by someone else./
2552 meta KAM_PHISH3 (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
2554 describe KAM_PHISH3 Phishing emails for account notification
2557 #GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
2558 body __KAM_CLICK /Please click on the link below|Copy and paste this link into your internet browser/i
2561 header __KAM_DIRECT1 From =~ /Direct ?Buy|Wholesale/i
2562 header __KAM_DIRECT2 Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
2563 body __KAM_DIRECT3 /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
2564 body __KAM_DIRECT4 /Direct.?Buy/i
2566 meta KAM_DIRECT (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
2567 score KAM_DIRECT 3.0
2568 describe KAM_DIRECT DirectBuy Spam
2571 header __KAM_SWIPE1 From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
2572 header __KAM_SWIPE2 Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
2573 body __KAM_SWIPE3 /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
2574 body __KAM_SWIPE4 /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i
2576 meta KAM_SWIPE (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
2578 describe KAM_SWIPE SwipeBid Spam / Penny Auction Spams
2580 meta KAM_SWIPE2 (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
2581 score KAM_SWIPE2 0.5
2582 describe KAM_SWIPE2 SwipeBid Spam / Penny Auction Spams
2585 header __KAM_WTA1 From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
2586 body __KAM_WTA2 /Alliance for Retirement Prosperity Association|Social Security Institute/is
2588 meta KAM_WTA (__KAM_WTA1 + __KAM_WTA2 >= 2)
2590 describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains
2593 body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
2594 header __KAM_SMOKE2 Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
2595 header __KAM_SMOKE3 From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
2596 body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
2597 body __KAM_SMOKE5 /you have qualified/i
2599 meta KAM_SMOKE (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
2601 describe KAM_SMOKE Smokeless cigarette and quitting spam
2603 meta KAM_SMOKE2 (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
2604 score KAM_SMOKE2 3.0
2605 describe KAM_SMOKE2 Higher probability of spam
2607 #OBF URL - need to make this more generic and perhaps something for RBL lookups when these techniques are used.
2608 body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M|insidesaleswiz\.\s+com/i
2610 meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
2611 score KAM_OBFURL 15.0
2612 describe KAM_OBFURL Obfuscated URL
2615 body __KAM_SHARP1 /sharp for life/i
2616 body __KAM_SHARP2 /yoshiblade/i
2617 body __KAM_SHARP3 /zirconium oxide/i
2618 body __KAM_SHARP4 /ceramic knife/i
2619 header __KAM_SHARP5 Subject =~ /ceramic knief|yoshiblade|sharp for life/i
2620 header __KAM_SHARP6 From =~ /yoshi/i
2622 meta KAM_SHARP (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
2624 describe KAM_SHARP Ceramic Blade Spam
2627 body __KAM_HIP1 /hip replacement|medical alert/i
2628 body __KAM_HIP2 /implant recall|recall list/i
2629 header __KAM_HIP3 Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
2630 header __KAM_HIP4 From =~ /recall/i
2632 meta KAM_HIP (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
2634 describe KAM_HIP Hip Replacement Recall Spam
2637 body __KAM_WORKHOME1 /online jobs|Full-time (and|&) Part-time|at home employment/i
2638 body __KAM_WORKHOME2 /\#1 site|view here|information here/i
2639 header __KAM_WORKHOME3 Subject =~ /work at home|work \@ home|home positions/i
2641 meta KAM_WORKHOME (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
2642 score KAM_WORKHOME 4.5
2643 describe KAM_WORKHOME Work at Home Spam
2645 meta KAM_WORKHOME2 (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
2646 score KAM_WORKHOME2 4.5
2647 describe KAM_WORKHOME2 Work at Home Spam
2650 body __KAM_HSR1 /hsrupdates.com|progressiverailroading.com/i
2651 header __KAM_HSR2 Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
2652 header __KAM_HSR3 From =~ /HSRUpdates.com|progressive ?railroading/i
2654 meta KAM_HSR (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
2656 describe KAM_HSR High Speed Rail Spam
2659 body __KAM_SELLPHONE1 /Turn iphones into cash/i
2660 body __KAM_SELLPHONE2 /used or broken|pre-paid envelope/i
2661 header __KAM_SELLPHONE3 Subject =~ /sell your old iphone/i
2663 meta KAM_SELLPHONE (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
2664 score KAM_SELLPHONE 4.5
2665 describe KAM_SELLPHONE Used Equipment Spam
2668 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2670 replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
2673 body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|email|mailbox).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?fu<L1><L1>|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended|will.{0,2}expire.{0,2}(today|soon)|IP below was used/i
2674 tflags __KAM_MAILBOX1 nosubject
2676 body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (withheld|recent) (incoming|messages|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|keep (current|same) password|change password|stop (this action|account removal)|fix your email|keep.{0,2}current.{0,2}password|verify login/i
2677 tflags __KAM_MAILBOX2 nosubject
2679 header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|security|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|\d emails? suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address/i
2681 meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG >= 2)
2682 score KAM_MAILBOX 7.75
2683 describe KAM_MAILBOX Mailbox Quota Phishing Scams
2685 meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
2686 score KAM_MAILBOX2 6.25
2687 describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
2689 meta KAM_MAILBOX3 (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
2690 describe KAM_MAILBOX3 Enhanced Scoring for Mailbox Quota Phishing
2691 score KAM_MAILBOX3 3.75
2695 meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
2696 score KAM_SHORT 0.001
2697 describe KAM_SHORT Use of a URL Shortener for very short URL
2699 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
2700 uri __KAM_SHORT /^http:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
2702 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
2703 uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
2706 body __KAM_POWER1 /hoveround/i
2707 header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i
2708 header __KAM_POWER3 From =~ /Get your freedom|power Chairs/i
2710 meta KAM_POWER (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
2712 describe KAM_POWER Motorized Chair Spams
2715 body __KAM_GUN1 /Keep and Bear Arms/i
2716 header __KAM_GUN2 From =~ /gunalerts.com/i
2717 header __KAM_GUN3 Subject =~ /gun/i
2719 meta KAM_GUN (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
2721 describe KAM_GUN Gun Alert Spams
2723 #GET RICH QUICK SCHEME
2724 body __KAM_RICH1 /financial.success story/i
2725 body __KAM_RICH2 /see me on the channel \d news/i
2726 body __KAM_RICH3 /talking about my blog/i
2727 body __KAM_RICH4 /bec.me financially independent/i
2729 meta KAM_RICH (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
2731 describe KAM_RICH Get Rich Quick Schemes
2733 #INVALID FROM HEADER
2734 header __KAM_INVFROM1 From =~ /<[^>]*$/
2735 header __KAM_INVFROM2 From =~ /^[^<]*>/
2737 meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
2738 score KAM_INVFROM 2.0
2739 describe KAM_INVFROM Invalid From Header containing mismatched <>'s
2741 #YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
2742 header __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
2743 ifplugin Mail::SpamAssassin::Plugin::DKIM
2744 meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
2746 meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
2748 describe KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
2749 score KAM_UAH_YAHOOGROUP_SENDER -20.0
2752 header __KAM_GALLERY1 Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
2753 body __KAM_GALLERY2 /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
2755 header __KAM_GALLERY3 Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
2756 body __KAM_GALLERY4 /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
2757 rawbody __KAM_GALLERY5 /wp-content|_vti_cnf|cache|wp-admin|wordpress/i
2759 meta KAM_GALLERY (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
2760 describe KAM_GALLERY Exploited Gallery with Porn
2761 score KAM_GALLERY 5.0
2763 meta KAM_GALLERY2 (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
2764 describe KAM_GALLERY2 Higher Likelihood of Exploited Gallery with Porn
2765 score KAM_GALLERY2 2.0
2768 header __KAM_CHANGELOG1 Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
2769 body __KAM_CHANGELOG2 /as promised chnglog update/i
2771 meta KAM_CHANGELOG (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
2772 describe KAM_CHANGELOG Phishing Email
2773 score KAM_CHANGELOG 2.5
2776 body __KAM_BUS1 /business proposal/i
2777 body __KAM_BUS2 /sensitive by nature/i
2778 body __KAM_BUS3 /have not met/i
2779 body __KAM_BUS4 /view my attach/i
2781 meta KAM_BUS (__KAM_BUS1 + __KAM_BUS2 + __KAM_BUS3 + __KAM_BUS4 >= 4)
2782 describe KAM_BUS Yet another Nigerian Scam/Phishing Variant
2786 body __KAM_PRIV1 /private message|horny|sweet ass/i
2787 body __KAM_PRIV2 /(personal|private) video/i
2788 body __KAM_PRIV3 /the attache?ment|attached file/i
2790 meta KAM_PRIV (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
2791 describe KAM_PRIV Private Messages using Exploits in attached HTML files
2795 rawbody __KAM_DIV1 /(Viagr?|Cial?)<div/i
2796 rawbody __KAM_DIV2 /<\/div>r?a\|l?is/i
2798 meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
2799 describe KAM_DIV Use of divs to hide Medical Spams
2803 header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
2804 body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
2805 body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
2806 body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
2807 header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
2810 # SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
2812 #Useful Resources for Tags
2813 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
2814 #https://www.branah.com/unicode-converter
2815 #look at the encoding type and the charset. For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'
2817 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2819 #renamed to A1, C1, etc. to avoid collissions with stock rules
2820 #Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
2821 #thanks as well to Henrik Krohns
2822 replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
2823 replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
2824 replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
2825 replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
2826 replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
2827 replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
2828 replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
2829 replace_tag L1 (?:l|i)
2830 replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
2831 replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
2832 replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98])
2833 replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
2834 replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
2835 replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
2836 replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
2837 replace_tag U1 (?:u|[\xf0\x9d\x98\x82])
2838 replace_tag V1 (?:v|[\xf0\x9d\x96\xb5])
2839 replace_tag W1 (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0])
2840 replace_tag Y1 (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
2841 replace_tag SPACE1 (?: |[\xc2\xa0])
2843 header __KAM_CREDIT6 Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
2844 header __KAM_CREDIT7 From =~ /<S1>core.?<S1>ense/i
2846 replace_rules __KAM_CREDIT6 __KAM_CREDIT7
2850 meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
2851 describe KAM_CREDIT Credit Score Spams
2852 score KAM_CREDIT 4.5
2854 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2855 meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
2856 describe KAM_CREDIT2 Credit Score Spams
2857 score KAM_CREDIT2 4.5
2861 rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
2862 describe KAM_OBFURI Obfuscated URI trick
2863 score KAM_OBFURI 4.0
2866 header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
2867 body __KAM_ADVANCE2 /Advance Details/i
2868 body __KAM_ADVANCE3 /Pre-Approved/i
2869 header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i
2871 meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
2872 describe KAM_ADVANCE Advance Spams
2873 score KAM_ADVANCE 3.5
2875 #PAYPAL NON SPF - FP fixed by Piper Andreas
2876 header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i
2878 meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
2879 describe KAM_PAYPAL1 rampant paypal phishing scams
2880 score KAM_PAYPAL1 16.0
2882 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
2883 #PAYPAL IMPERSONATING MALWARE
2884 body __KAM_PAYPAL2A /paypal/i
2885 body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
2887 meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
2888 describe KAM_PAYPAL2 Malware disguised as a paypal email
2889 score KAM_PAYPAL2 8.0
2893 header __KAM_PAYPAL3A From =~ /paypal/i
2894 header __KAM_PAYPAL3B From !~ /paypal.com(\.au)?>?$/i
2895 header __KAM_PAYPAL3C Subject =~ /your.paypal.account|Invoice PP/i
2896 body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information|bitcoin/i
2898 meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
2899 score KAM_PAYPAL3 8.0
2900 describe KAM_PAYPAL3 Phish disguised as a paypal email
2902 #COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
2903 header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
2904 header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
2905 header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
2906 body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
2907 body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i
2909 meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
2910 describe KAM_COMPROMISED Compromised Accounts Sending Spam
2911 score KAM_COMPROMISED 8.25
2913 #GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
2914 header __KAM_LIST2A List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
2915 header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i
2917 meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
2918 describe KAM_LIST2 Known Bad Groups
2919 score KAM_LIST2 60.0
2921 #LIMITED ACCESS/QUOTA SCAMS - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
2922 body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
2923 body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i
2925 meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
2926 describe KAM_QUOTA Limited Access / Quota Phishing Scam
2929 # BACKGROUND CHECK SPAM
2930 body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
2931 body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
2932 body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
2933 header __KAM_BACK4 Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
2934 header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i
2936 describe KAM_BACK Background Check SPAM
2937 meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
2940 #ARREST RECORD SCAMS
2941 header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
2942 body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
2943 header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i
2945 meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
2946 describe KAM_ARREST Arrest Record Scams
2947 score KAM_ARREST 5.0
2950 header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
2951 header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
2952 body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i
2954 meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
2955 describe KAM_DIET2 Diet Scams
2959 header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
2960 header __KAM_CIGAR2 From =~ /Cigar/i
2961 body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i
2963 meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
2964 describe KAM_CIGAR Cigar Scam Emails
2969 rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
2970 describe KAM_TK Abuse of .tk domain registrar which offers free domains
2973 #THIRD PARTY / SENT BY XXXX
2974 body __KAM_THIRD /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i
2977 header __KAM_LASIK1 From =~ /Lasik/i
2978 header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
2979 body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
2980 uri __KAM_LASIK4 /lasik\.php/i
2982 meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
2983 describe KAM_LASIK Lasik Treatment Spams
2987 header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
2988 body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
2989 header __KAM_NOTIFY3 From =~ /\.br>/i
2991 meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
2992 describe KAM_NOTIFY Fake Notifications
2993 score KAM_NOTIFY 4.0
2995 meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
2996 describe KAM_NOTIFY2 Higher likelihood of fake notification
2997 score KAM_NOTIFY2 3.0
3000 header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
3001 header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
3002 body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i
3004 meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
3005 describe KAM_LANG Language Method Spams
3009 header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i
3011 meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
3012 describe KAM_TRACK Fake Tracking Emails
3016 header __KAM_SCHOOL1 From =~ /Classes/i
3017 header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i
3019 meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
3020 describe KAM_SCHOOL School Spams
3021 score KAM_SCHOOL 5.0
3024 header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
3025 header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
3026 body __KAM_MEMBER3 /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
3027 rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
3028 meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
3029 #header __KAM_MEMBER6 From =~ /Updat/i
3031 meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
3032 describe KAM_MEMBER Dating Scams
3033 score KAM_MEMBER 4.5
3036 header __KAM_MEDICARE1 From =~ /(Medicare|health.?options|enrollment)/i
3037 header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
3038 body __KAM_MEDICARE3 /medicare.(plan|recipient|annual election)/i
3039 tflags __KAM_MEDICARE3 nosubject
3040 body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
3042 meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
3043 describe KAM_MEDICARE Medicare Scams
3044 score KAM_MEDICARE 4.0
3047 header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
3048 header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i
3050 meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
3051 describe KAM_BILLS Bill Pay Spams
3055 header __KAM_HOSE1 From =~ /Pocket Hose/i
3056 header __KAM_HOSE2 Subject =~ /garden hose|kinks/i
3057 body __KAM_HOSE3 /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i
3059 meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
3060 describe KAM_HOSE Garden Hose Spams
3064 header __KAM_AV1 From =~ /Norton/i
3065 header __KAM_AV2 Subject =~ /Update now|Are you protected/i
3067 meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
3068 describe KAM_AV Anti-Virus Spams
3072 header __KAM_MASCARA1 From =~ /smartlash/i
3073 header __KAM_MASCARA2 Subject =~ /mascara/i
3074 body __KAM_MASCARA3 /smartlash/i
3076 meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
3077 describe KAM_MASCARA Make-up Spams
3078 score KAM_MASCARA 4.5
3081 header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
3082 header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
3083 rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
3085 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3086 meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
3087 describe KAM_COLLEGE Online Degree/Aid Spams
3088 score KAM_COLLEGE 4.0
3092 header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
3093 header __KAM_SURVEY2 Subject =~ /win an ipad/i
3094 body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i
3096 meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
3097 describe KAM_SURVEY Online Survey Spams
3098 score KAM_SURVEY 4.5
3102 #rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
3103 #describe KAM_LAKE Odd spamming engine LAKE signature on URLs
3104 #score KAM_LAKE 0.25
3107 header __KAM_SNORE1 From =~ /snoring|zquiet/i
3108 header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
3109 body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i
3111 meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
3112 describe KAM_SNORE Snoring Aid Spams
3116 header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
3117 header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
3118 body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i
3120 meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
3121 describe KAM_VACATION Vacation Spams
3122 score KAM_VACATION 4.0
3125 header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
3126 header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
3127 body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
3128 body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
3129 body __KAM_BLOOD5 /Anti-Aging Expert|worst.food/i
3130 body __KAM_BLOOD6 /Blood pressure/i
3132 meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
3133 describe KAM_BLOOD Blood Pressure Spams
3134 score KAM_BLOOD 4.75
3137 header __KAM_SCOOTER1 From =~ /Scooter Store/i
3138 header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
3139 body __KAM_SCOOTER3 /the scooter store/i
3141 meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
3142 describe KAM_SCOOTER Blood Pressure Spams
3143 score KAM_SCOOTER 4.75
3146 header __KAM_ANATA1 From =~ /Anatabloc/i
3147 header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i
3149 meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
3150 describe KAM_ANATA Drug Spam
3153 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3155 header __KAM_BBB1 From =~ /bbb.org/i
3156 body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
3157 body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
3158 body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
3159 header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
3161 meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
3162 describe KAM_BBB Better Business Bureau Phishing
3167 header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
3168 header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]/i
3169 header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
3171 meta KAM_MARKADV (__KAM_MARK1 >= 1)
3172 describe KAM_MARKADV Email arrived marked as an Advertisement
3173 score KAM_MARKADV 10.0
3175 meta KAM_MARKSPAM (__KAM_MARK2 >= 1)
3176 describe KAM_MARKSPAM Email arrived marked as Spam
3177 score KAM_MARKSPAM 4.0
3179 meta KAM_MARKVIRI (__KAM_MARK3 >= 1)
3180 describe KAM_MARKVIRI Email arrived marked as Virus
3181 score KAM_MARKVIRI 10.0
3184 rawbody __KAM_H1QNUM1 /<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
3185 header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
3186 uri __KAM_H1QNUM3 /\.co\.uk/i
3188 meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
3189 describe KAM_H1QNUM H1 Qnum indicator
3190 score KAM_H1QNUM 4.0
3192 meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
3193 describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
3194 score KAM_H1QNUM2 5.0
3197 header __KAM_AP1 From =~ /AP/
3198 header __KAM_AP2 Subject =~ /Community & educational development/i
3199 body __KAM_AP3 /American Grants and Loans Catalog/i
3201 meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
3202 describe KAM_AP American Publishing Spam
3206 header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
3207 describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
3212 header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
3214 header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i
3216 meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
3217 describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
3218 score KAM_FACEBOOKMAIL 8.0
3221 body __KAM_FAKEDELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address/i
3223 header __KAM_FAKEDELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request/i
3226 header __KAM_FAKEDELIVER3 From:name =~ /DHL/i
3227 header __KAM_FAKEDELIVER4 From:addr !~ /dhl.com/i
3230 rawbody __KAM_FAKEDELIVER5 /Fed ?ex/i
3231 header __KAM_FAKEDELIVER6 From !~ /fedex.com/i
3234 body __KAM_FAKEDELIVER7 /USPS/i
3235 header __KAM_FAKEDELIVER8 From !~ /usps.com/i
3238 body __KAM_FAKEDELIVER9 /CARGO/
3239 header __KAM_FAKEDELIVER10 From =~ /shipping|economy|priority/i
3242 body __KAM_FAKEDELIVER11 /DPD/i
3243 header __KAM_FAKEDELIVER12 From !~ /dpd.com|dpd.co.uk/i
3245 uri __KAM_FAKEDELIVER13 /(cdn.discordapp.com|wp-conten)/i
3247 meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKEDELIVER13 >= 1) >= 3)
3248 describe KAM_FAKE_DELIVER Fake delivery notifications
3249 score KAM_FAKE_DELIVER 6.25
3251 meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
3252 score KAM_REALLY_FAKE_DELIVER 2.5
3253 describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications
3256 header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
3257 header __KAM_SOLAR2 Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
3258 body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
3260 meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
3261 describe KAM_SOLAR Solar Power Spams
3264 meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
3265 describe KAM_SOLAR2 Definite Solar Power Spams
3266 score KAM_SOLAR2 1.9
3269 header __KAM_ASIAN1 Subject =~ /Asian Bride/i
3270 body __KAM_ASIAN2 /Adoring Asian/i
3271 header __KAM_ASIAN3 From =~ /asian/i
3273 meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
3274 describe KAM_ASIAN Asian Bride Spams
3278 header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
3279 header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
3280 body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i
3282 #meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
3283 #describe KAM_OZ Fake Dr. Oz Spam's
3287 header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
3288 header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
3289 body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i
3291 meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
3292 describe KAM_STUDENT Student Loan Forgiveness Spams
3293 score KAM_STUDENT 4.0
3296 header __KAM_TIP1 From =~ /Beauty Tips/i
3297 header __KAM_TIP2 Subject =~ /Dark-Circles|undereye bags/i
3298 body __KAM_TIP3 /undereye bags/i
3299 body __KAM_TIP4 /Find Out This Quick New Trick/i
3301 meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
3302 describe KAM_TIP Beauty Tip Spams
3306 header __KAM_WHATS1 From =~ /WhatsApp/i
3307 header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
3308 body __KAM_WHATS3 /WhatsApp/
3310 meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
3311 describe KAM_WHATS WhatsApp Spams
3316 header __KAM_QTJARS1 From =~ /qtjar/i
3317 header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
3318 body __KAM_QTJARS3 /qtjars/
3319 body __KAM_QTJARS4 /private message/
3321 meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
3322 describe KAM_QTJARS QTJars Spams
3323 score KAM_QTJARS 3.0
3326 # view the agreement.
3327 body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
3328 rawbody __KAM_GOOGLEPHISH2 /http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i
3330 meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
3331 describe KAM_GOOGLEPHISH Google Login Phishing Scam
3332 score KAM_GOOGLEPHISH 5.0
3335 header __KAM_POLY1 Subject =~ /Barack Obama/i
3336 body __KAM_POLY2 /The End of Barack Obama/i
3338 meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
3339 describe KAM_POLY Political Spams
3343 header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
3344 header __KAM_MAID2 From =~ /Maid|Housekeeper/i
3345 body __KAM_MAID3 /Pre-Screened Housekeepers|local.maid/i
3347 meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
3348 describe KAM_MAID Maid Service Spams
3352 header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
3353 header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
3354 body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i
3356 meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
3357 describe KAM_TUB Tub Spams
3361 header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
3362 header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
3363 header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
3364 header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
3365 header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
3366 header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
3367 header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
3368 header __KAM_OBF8 Subject =~ /X.X.X/
3370 meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
3371 describe KAM_OBF Obfuscated Porn Spams
3374 meta KAM_OBF (__KAM_OBF8 + __KAM_OBF2 >= 2)
3375 describe KAM_OBF Obfuscated Porn Spams
3379 header __KAM_SHARKTANK_SUBJ Subject =~ /shark tank/i
3380 body __KAM_SHARKTANK_BODY /shark tank/i
3382 meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
3383 score KAM_SHARKTANK 1.0
3384 describe KAM_SHARKTANK Mentions Shark Tank
3386 rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
3388 meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
3389 score KAM_SHARKPROD 5.0
3390 describe KAM_SHARKPROD Shark Tank Spam
3393 header __KAM_ICUTLD_FROM From:addr =~ /\.icu$/i
3394 uri __KAM_ICUTLD_URI /\.icu($|\/)/i
3396 meta KAM_ICU_BAD_TLD (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI) >= 1
3397 describe KAM_ICU_BAD_TLD .icu TLD Abuse
3398 score KAM_ICU_BAD_TLD 2.0
3400 #HAIR LOSS / GREYING / REMOVAL
3401 header __KAM_HAIR1 Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
3402 header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
3403 rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
3404 rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i
3406 rawbody __KAM_NEWSLETTER /<title>Newsletter<\/title>/i
3408 meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
3409 describe KAM_HAIR Hair Loss / Removal Spams
3413 body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i
3416 body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
3417 body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i
3419 meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
3420 describe KAM_UNSUB Completely ridiculous unsubscribe text found
3423 #MAINTENANCE / Email Phish Scams
3424 body __KAM_EMAILPHISH1 /Please login to complete update process/i
3426 meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
3427 describe KAM_EMAILPHISH Email Phishing Scams
3428 score KAM_EMAILPHISH 3.5
3431 header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i
3433 meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
3434 describe KAM_MASSERROR Error in usage of a mass mailing software
3435 score KAM_MASSERROR 2.0
3438 header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
3439 header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
3440 body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i
3442 meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
3443 describe KAM_CARDEAL Car Deal Spams
3444 score KAM_CARDEAL 3.0
3447 header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
3448 header __KAM_HOMESALE2 From =~ /Fastcash/i
3449 body __KAM_HOMESALE3 /Cash Offer for Your Home/i
3451 meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
3452 describe KAM_HOMESALE Home Sale Spams
3453 score KAM_HOMESALE 3.5
3455 #ADVERTISEMENTS FOR LOANS
3456 header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
3457 header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
3458 body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i
3460 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3461 mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
3462 mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
3465 meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
3466 describe KAM_LOAN Payday and other loan spams
3470 header __KAM_HANGOVER1 Subject =~ /hangover patch/i
3471 header __KAM_HANGOVER2 From =~ /hangover/i
3472 body __KAM_HANGOVER3 /hangover patch/i
3474 meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
3475 describe KAM_HANGOVER Hangover Patch Spams
3476 score KAM_HANGOVER 3.5
3479 header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
3480 header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
3481 body __KAM_RXPLAN3 /gap coverage/i
3483 meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
3484 describe KAM_RXPLAN Rx Plan Spams
3485 score KAM_RXPLAN 3.5
3488 header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
3489 header __KAM_SOCKET2 From =~ /side.?socket/i
3490 body __KAM_SOCKET3 /side socket/i
3492 meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
3493 describe KAM_SOCKET Product Spam du Jour
3494 score KAM_SOCKET 3.5
3497 header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
3498 header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
3499 body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
3500 body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i
3502 meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
3503 describe KAM_TESTOSTERONE Product Spam du Jour
3504 score KAM_TESTOSTERONE 4.5
3507 header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
3508 header __KAM_FLEXHOSE2 From =~ /hose/i
3509 body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i
3511 meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
3512 describe KAM_FLEXHOSE Product Spam du Jour
3513 score KAM_FLEXHOSE 3.5
3516 header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
3517 header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
3518 body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i
3520 meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
3521 describe KAM_PET Insurance and other pet-related spam
3524 meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
3525 describe KAM_PET2 Even more likely insurance and other pet-related spam
3529 header __KAM_COBRA1 Subject =~ /Cobra Health/i
3530 header __KAM_COBRA2 From =~ /Cobra|Health/i
3531 body __KAM_COBRA3 /find cobra health/i
3533 meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
3534 describe KAM_COBRA Cobra Insurance Spam
3538 header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
3539 header __KAM_DISCAIR2 From =~ /Discount Air/i
3540 body __KAM_DISCAIR3 /Fly Cheap in Business Class/i
3542 meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
3543 describe KAM_DISCAIR Discount Airfare Spam
3544 score KAM_DISCAIR 3.5
3547 header __KAM_PEST1 Subject =~ /pes?t control system/i
3548 header __KAM_PEST2 From =~ /Riddex|pest/i
3549 body __KAM_PEST3 /revolutionary pes?t control system/i
3551 meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
3552 describe KAM_PEST Spam for Pest Control
3557 header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
3558 header __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues/i
3559 body __KAM_PROPHET3 /Dear Christian Friend/i
3560 body __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
3561 body __KAM_PROPHET5 /prophecy|rapture/i
3563 meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
3564 describe KAM_PROPHET Spam for Prophecy
3565 score KAM_PROPHET 6.0
3568 header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
3569 header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
3570 body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i
3572 meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
3573 describe KAM_HEART Spam for Heart Attack prevention
3577 header __KAM_JOINT1 Subject =~ /joint relief/i
3578 header __KAM_JOINT2 From =~ /Tfx/i
3579 body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
3580 body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
3581 body __KAM_JOINT5 /free bottle/i
3583 meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
3584 describe KAM_JOINT Joint relief Spam
3588 header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
3589 header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
3590 body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i
3592 meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
3593 describe KAM_REHAB Rehab Spam
3597 header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
3598 header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
3599 body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i
3601 meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
3602 describe KAM_HAIRTRANS Spam for Hair Restoration
3603 score KAM_HAIRTRANS 3.5
3605 meta KAM_HAIRTRANS2 (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
3606 describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration
3607 score KAM_HAIRTRANS2 2.0
3610 body __KAM_GIFTCERT1 /Our gift to you/i
3611 body __KAM_GIFTCERT2 /\$\d+ gift certificate/i
3612 header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i
3614 meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
3615 score KAM_GIFTCERT 1.5
3616 describe KAM_GIFTCERT Gift Certificate Spams
3619 header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
3620 header __KAM_TIRES2 From =~ /Tire/i
3621 body __KAM_TIRES3 /savings on tire|new tires/i
3623 meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3)
3624 describe KAM_TIRES Spam for Tires
3628 header __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
3629 header __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
3630 body __KAM_SLICEOMATIC3 /Slice-o-matic/i
3632 meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3)
3633 describe KAM_SLICEOMATIC Spam for Kitchen Tools
3634 score KAM_SLICEOMATIC 3.0
3636 #FINDYOURWINDOWS AND OTHER WINDOW SPAM
3637 header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
3638 header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
3639 body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i
3641 meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
3642 describe KAM_WINDOWS Spam for House Windows
3643 score KAM_WINDOWS 4.5
3645 #EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
3647 uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i
3649 meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1)
3650 describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com
3651 score KAM_EMMAPP_WEB_COM 20.0
3654 header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
3655 header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
3656 body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i
3658 meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
3659 describe KAM_NEW_CREDITCARD Spam for new credit cards
3660 score KAM_NEW_CREDITCARD 4.0
3663 header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
3664 header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
3665 body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
3666 body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i
3668 meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
3669 describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam
3670 score KAM_GERMAN_BUSINESS_CONTACTS 3.0
3672 #WEIRD SENIOR DATING SPAM
3673 header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i
3675 meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1)
3676 describe KAM_SENIOR_DATING Senior dating spam
3677 score KAM_SENIOR_DATING 2.0
3680 header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
3681 body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
3683 meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
3684 describe KAM_NEWS Forged Emails with NEWS!
3687 #URI COUNT - REQUIRES 3.3 OR LATER
3688 if (version >= 3.003000)
3689 uri __KAM_COUNT_URIS /^./
3690 tflags __KAM_COUNT_URIS multiple maxhits=16
3691 describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
3693 meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
3694 meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
3695 meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
3696 meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
3697 meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
3698 meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
3699 meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
3700 meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
3703 #DISCLAIMER STUB FOR FUTURE RESOURCE
3704 body __KAM_DISCLAIMER1 /receives compensation/i
3707 #header __KAM_FAKE_ATT1 From =~ /AT.?T/i
3708 #header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
3709 #uri __KAM_FAKE_ATT3 /att-mail.com/i
3711 #meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
3712 #describe KAM_FAKE_ATT Fake AT&T newsletters
3713 #score KAM_FAKE_ATT 3.0
3715 #YOU HAVE BEEN CHOSEN
3716 header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
3717 header __KAM_CHOSEN2 From =~ /marketing|invitation/i
3718 body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
3720 meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
3721 describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
3722 score KAM_CHOSEN 2.0
3724 #JURY DUTY AND OTHER FAKE COURT NOTICES
3725 header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
3726 header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
3727 header __KAM_JURY3 From !~ /\.gov/i
3728 body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
3730 meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
3731 describe KAM_JURY Spam claiming the recipient must serve jury duty
3735 header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
3736 body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
3737 header __KAM_BITCOIN3 From =~ /bitcoin/i
3739 meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
3740 describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
3741 score KAM_BITCOIN 4.5
3744 header __KAM_RELIGION1 Subject =~ /Christian Media/i
3745 header __KAM_RELIGION2 From =~ /Bible Prophecy/i
3746 body __KAM_RELIGION3 /Dear Christian|Christian Media/i
3748 meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
3749 describe KAM_RELIGION Generic religious spam
3750 score KAM_RELIGION 2.5
3753 header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
3754 header __KAM_BUSINESSPHONE2 From =~ /business phone/i
3755 body __KAM_BUSINESSPHONE3 /business phone system/i
3757 meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
3758 describe KAM_BUSINESSPHONE Advertising for business phone systems
3759 score KAM_BUSINESSPHONE 5.5
3762 header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
3763 header __KAM_NUMEROLOGY2 From =~ /Numerology/i
3764 body __KAM_NUMEROLOGY3 /Control your destiny/i
3766 meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
3767 describe KAM_NUMEROLOGY Pseudo-scientific spam
3768 score KAM_NUMEROLOGY 3.5
3770 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3772 header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
3773 header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
3774 body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
3776 meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
3777 describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
3778 score KAM_VOICEMAIL 5.0
3781 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
3782 header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
3783 header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
3784 rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
3786 meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
3787 describe KAM_SPAMFORSPAM Spam advertising spam services
3788 score KAM_SPAMFORSPAM 5.5
3790 #ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
3791 header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
3792 header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
3793 body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
3795 meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
3796 describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
3797 score KAM_NEUROLOGICAL 3.5
3799 #EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
3800 body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
3801 tflags __KAM_LOTSOFHASH multiple maxhits=10
3803 meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
3804 describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
3805 score KAM_LOTSOFHASH 0.25
3807 #SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
3808 meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
3809 describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
3810 score KAM_GRABBAG1 3.5
3813 header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
3814 header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
3815 body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
3817 meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
3818 describe KAM_TVDOCTOR Spam for TV doctor stuff
3819 score KAM_TVDOCTOR 3.5
3822 header __KAM_DENTIST1 Subject =~ /dentist/i
3823 header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
3824 body __KAM_DENTIST3 /Find a dentist/i
3826 meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
3827 describe KAM_DENTIST Spam for 1-800-DENTIST
3828 score KAM_DENTIST 3.5
3830 # GOLD AND DIAMOND JEWELRY
3831 header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
3832 header __KAM_JEWELRY2 From =~ /bluestone.com/i
3834 meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
3835 describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
3836 score KAM_JEWELRY 3.5
3838 # PSSST, WANNA BUY SOME POT
3839 body __KAM_MARIJUANA1 /marijuana|cannabis/i
3840 body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
3841 body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
3842 header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i
3844 meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
3845 describe KAM_MARIJUANA Spam pertaining to marijuana
3846 score KAM_MARIJUANA 3.5
3848 meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
3849 score KAM_MARIJUANA2 8.0
3850 describe KAM_MARIJUANA2 Definitely spam for marijuana
3852 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
3854 header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
3855 header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
3856 body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
3858 meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
3859 describe KAM_EVICTION Malware disguised as eviction notice
3860 score KAM_EVICTION 4.5
3864 header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
3865 header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
3866 body __KAM_WALKINTUB3 /walk.?in.?tub/i
3868 meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
3869 describe KAM_WALKINTUB Ads for walk-in tubs
3870 score KAM_WALKINTUB 3.5
3872 # SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
3873 header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
3874 header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i
3876 meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
3877 describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
3878 score KAM_EMAILQUESTION 3.5
3880 # BECOME BEYOND SUPERHUMAN / SUPERMAN
3881 header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
3882 header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
3883 body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i
3885 meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
3886 describe KAM_SUPERHUMAN Male enhancement of the day
3887 score KAM_SUPERHUMAN 8.0
3890 header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
3891 header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
3892 rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
3894 meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
3895 describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
3896 score KAM_VALENTINE 4.5
3898 header __KAM_MOTHER1 From =~ /flower|seventeen/i
3899 header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
3900 body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
3902 meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
3903 describe KAM_MOTHER Spam for mother's day
3904 score KAM_MOTHER 4.5
3907 header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
3908 header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
3909 body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
3910 uri __KAM_WHOSWHO4 /whoswho/i
3912 meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
3913 describe KAM_WHOSWHO Ads for network of important people
3914 score KAM_WHOSWHO 5.0
3916 meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
3917 describe KAM_WHOSWHO2 Definitely ads for network of important people
3918 score KAM_WHOSWHO2 1.0
3920 # GARAGE FLOOR COATING
3921 header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
3922 header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
3923 body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
3925 meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
3926 describe KAM_GARAGE Garage floor coating product of the day
3927 score KAM_GARAGE 4.0
3929 meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
3930 score KAM_GARAGE2 1.0
3931 describe KAM_GARAGE2 More likely garage floor coating spam
3933 #PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
3934 header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
3935 header __KAM_PAINT2 Subject =~ /surface Paint/i
3937 meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
3938 describe KAM_PAINT Paint Spams
3942 header __KAM_MOP1 From =~ /hurricane mop/i
3943 header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
3944 body __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i
3946 meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
3947 describe KAM_MOP Hurricane mop product of the day
3951 header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
3952 header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
3953 body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
3955 meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
3956 describe KAM_DATINGTIPS Tips for dating
3957 score KAM_DATINGTIPS 4.5
3960 header __KAM_CANDY1 From =~ /candy/i
3961 header __KAM_CANDY2 Subject =~ /candy/i
3962 body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
3964 meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
3965 describe KAM_CANDY Ads for candy
3968 # EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
3969 # MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
3970 # DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
3971 #rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
3972 #score KAM_EXCESSIVEQP 2.5
3973 #describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable
3975 # ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
3976 header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
3977 body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
3978 header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
3979 header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
3981 meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
3982 describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
3983 score KAM_WEIRDTRICK1 1.5
3985 meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
3986 describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
3987 score KAM_WEIRDTRICK2 3.5
3989 meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
3990 describe KAM_WEIRDTRICK3 Weird/Strange Trick
3991 score KAM_WEIRDTRICK3 3.0
3994 header __KAM_MATCH1 From =~ /Match/i
3995 header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
3997 meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
3998 describe KAM_MATCH Match Maker Spams
4002 header __KAM_CARINSURE1 From =~ /insurance/i
4003 header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
4005 meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
4006 describe KAM_CARINSURE Car Insurance Spams
4007 score KAM_CARINSURE 3.0
4010 rawbody __KAM_DATAIMG /<img src="data:image/i
4013 rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
4015 meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
4016 describe KAM_MMS Fake MMS Spam
4020 rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
4022 meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
4023 describe KAM_LEARN Learn More Spam
4027 header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
4028 rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
4030 meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
4031 describe KAM_UNSUB1 Unsubscription Spams
4032 score KAM_UNSUB1 0.1
4034 uri __KAM_DOMAINDOTCOM /domain\.com/i
4036 meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
4037 score KAM_UNSUB2 3.5
4038 describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body
4040 # DUTCH GLOW AND OTHER WOODWORKING SPAM
4041 header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
4042 header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
4043 body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
4045 meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
4046 describe KAM_DUTCHGLOW Woodworking spam
4047 score KAM_DUTCHGLOW 3.0
4050 header __KAM_FUNERAL1 From =~ /Funeral/i
4051 header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
4052 body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
4053 uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
4055 meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
4056 describe KAM_FUNERAL Likely Fake funeral notices
4057 score KAM_FUNERAL 2.0
4059 meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
4060 describe KAM_FUNERAL2 Fake funeral notices
4061 score KAM_FUNERAL2 3.0
4064 # WEB VIEW OBFUSCATION
4065 body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
4066 rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
4068 meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
4069 describe KAM_WEB_OBFUSCATION Obfuscated web view links
4070 score KAM_WEB_OBFUSCATION 0.1
4073 header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
4074 header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
4075 body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
4077 meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
4078 describe KAM_TUPPERWARE Ads for tupperware
4079 score KAM_TUPPERWARE 3.5
4081 # PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
4082 header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
4083 header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
4084 body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
4085 body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
4087 meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
4088 describe KAM_PATRIOT conspiracy spam
4089 score KAM_PATRIOT 4.0
4091 meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
4092 describe KAM_PATRIOT2 Likely conspiracy spam
4093 score KAM_PATRIOT2 1.5
4096 header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
4097 body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
4098 body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
4100 meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
4101 describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
4102 score KAM_PAYMENT_LOWERED 4.5
4104 meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
4105 describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
4106 score KAM_PAYMENT_LOWERED 2.0
4109 body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
4110 body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
4111 header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
4113 meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
4114 describe KAM_NEWNOTICE New Notice Spam
4115 score KAM_NEWNOTICE 4.25
4117 meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
4118 describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
4119 score KAM_NEWNOTICE2 2.0
4122 header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
4123 body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
4125 meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
4126 describe KAM_REFINEW New Refi/Credit Notice spam
4127 score KAM_REFINEW 2.0
4129 meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
4130 describe KAM_REFINEW2 Higher Probability Refi Spam
4131 score KAM_REFINEW2 2.0
4134 header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
4135 body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
4136 body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
4137 header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
4139 meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
4140 describe KAM_AUTONEW New Auto insurance spam
4141 score KAM_AUTONEW 3.0
4143 meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
4144 describe KAM_AUTONEW2 Higher Probability Insurance Spam
4145 score KAM_AUTONEW2 2.0
4148 header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
4149 header __KAM_STATLER2 Subject =~ /quintuple/i
4150 body __KAM_STATLER3 /Mike Statler/i
4152 meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
4153 describe KAM_STATLER Mike Statler Spams
4154 score KAM_STATLER 6.0
4157 header __KAM_WRITING1 From =~ /writing/i
4158 header __KAM_WRITING2 Subject =~ /writing resources|get published/i
4159 body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
4161 meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
4162 describe KAM_WRITING Spam for writing lessons
4163 score KAM_WRITING 3.5
4165 #RASH OF .EU EXPLOITS
4166 rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
4168 describe KAM_EU Prevalent use of .eu in spam/malware
4170 #CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
4171 rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
4173 meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
4174 score KAM_GRABBAG2 5.0
4175 describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators
4178 body __KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
4179 body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
4180 header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i
4182 meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
4183 score KAM_DIABETES 4.5
4184 describe KAM_DIABETES End Diabetes Spam
4187 header __KAM_SPY1 From =~ /spy.?camera/i
4188 header __KAM_SPY2 Subject =~ /spy.?camera/i
4189 body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i
4191 meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
4192 describe KAM_SPY Spy cameras and similar products
4196 header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
4197 header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
4198 header __KAM_HARP3 From !~ /\.gov>?$/i
4200 meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
4201 describe KAM_HARP HARP Refinance Spams
4204 #LUNAR SLEEP AND OTHER SLEEPING AIDS
4205 header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
4206 header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
4207 uri __KAM_LUNAR3 /lunar.?sleep/i
4208 body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
4210 meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
4211 describe KAM_LUNAR Sleeping aid spam
4214 meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
4215 describe KAM_LUNAR2 Definitely sleeping aid spam
4216 score KAM_LUNAR2 2.0
4219 header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
4220 header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
4221 body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
4223 meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
4224 describe KAM_OCEANSBOUNTY More medical spam
4225 score KAM_OCEANSBOUNTY 4.5
4228 header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
4229 header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
4230 body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
4232 meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
4233 describe KAM_ANDROGEL More medical spam
4234 score KAM_ANDROGEL 4.5
4237 header __KAM_CELL1 From =~ /phone/i
4238 header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
4239 body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
4241 meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
4242 describe KAM_CELL Ads for cell phones
4245 header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
4246 header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
4247 body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
4249 meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
4250 score KAM_FOUNTAINOFYOUTH 5.0
4251 describe KAM_FOUNTAINOFYOUTH Anti-aging ad
4254 header __KAM_HERPES1 From =~ /herpes/i
4255 header __KAM_HERPES2 Subject =~ /your.herpes/i
4256 body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
4258 meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
4259 describe KAM_HERPES Ads for herpes medication
4260 score KAM_HERPES 5.0
4262 #FAKE VOUCHER/REWARD EMAIL
4263 header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
4264 body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
4265 header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
4266 body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i
4268 meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
4269 describe KAM_FAKEVOUCHER Fake voucher/reward email
4270 score KAM_FAKEVOUCHER 4.5
4273 header __KAM_ATTORNEY1 From =~ /attorney/i
4274 header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
4275 body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i
4277 meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
4278 score KAM_ATTORNEY 3.5
4279 describe KAM_ATTORNEY Ads for legal services
4282 header __KAM_RECALL1 From =~ /dog.?food/i
4283 header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
4284 body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i
4286 meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
4287 score KAM_RECALL 3.5
4288 describe KAM_RECALL Spam for product recall notices
4290 #REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
4291 rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
4292 tflags __KAM_HUGEIMGSRC multiple maxhits=6
4294 meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
4295 score KAM_HUGEIMGSRC 0.2
4296 describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
4298 describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
4299 rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
4300 score KAM_REALLYHUGEIMGSRC 0.5
4302 rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
4303 describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
4304 score KAM_TRACKIMAGE 0.2
4306 #BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
4307 meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
4308 score KAM_GRABBAG3 3.0
4309 describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients
4311 #MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
4312 #IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
4313 rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
4315 meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
4316 describe KAM_EMPTYLINK Many empty a tags with href all in a row
4317 score KAM_EMPTYLINK 3.5
4319 header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
4320 describe __KAM_TILDEFROM Spam with a from name that starts with tilde
4322 # WORDS THAT "A R E S P A C E D O U T" LIKE SO
4323 body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i
4325 # SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
4326 header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
4327 body __KAM_INVESTCOUNTRY2 /invest in your country/i
4329 meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
4330 score KAM_INVESTCOUNTRY 3.5
4331 describe KAM_INVESTCOUNTRY Spam for investing in your country
4334 header __KAM_FLAG1 From =~ /flag/i
4335 header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
4336 body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
4338 meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
4340 describe KAM_FLAG Spam that sells flags
4342 rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
4343 describe __KAM_BIGSMALL Spam engine that is using nested big and small tags
4345 rawbody __KAM_DIVTITLE /<div (title|alt)/i
4346 describe __KAM_DIVTITLE Div tag with custom alt text
4348 rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
4349 describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area
4351 meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
4352 describe KAM_GRABBAG4 Another spam engine that displays unique quirks
4353 score KAM_GRABBAG4 3.5
4355 header __KAM_KORS1 From =~ /Michael Kors/i
4356 header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
4357 body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
4359 meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
4361 describe KAM_KORS Spam for Michael Kors
4363 header __KAM_HOLIDAY1 From =~ /holidays/i
4364 header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
4365 body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
4367 meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
4368 describe KAM_HOLIDAY Generic holiday deals
4369 score KAM_HOLIDAY 3.5
4371 #Thanks to Dave Wreski for his idea on commas
4372 header __KAM_MANYTO To =~ />,/i
4373 tflags __KAM_MANYTO multiple maxhits=5
4375 header __KAM_MANYTO2 To =~ /, /
4376 tflags __KAM_MANYTO2 multiple maxhits=25
4378 meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
4379 score KAM_MANYTO 0.2
4380 describe KAM_MANYTO Email has more than one To Header or more than 25 recipients
4382 meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
4383 score KAM_GRABBAG5 5.0
4384 describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients
4386 body __KAM_MILLIONAIRE1 /internet millionai?re/i
4387 body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
4388 header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
4390 meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
4391 score KAM_MILLIONAIRE 4.5
4392 describe KAM_MILLIONAIRE Internet millionaire guarantees money
4394 header __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
4395 header __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
4396 body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
4398 meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
4399 score KAM_OILCHANGE 4.5
4400 describe KAM_OILCHANGE Spam for oil changes
4402 header __KAM_ADHD1 From =~ /ADH?D/i
4403 header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
4404 body __KAM_ADHD3 /struggling with adh?d|treatment options/i
4406 meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
4408 describe KAM_ADHD Spam for ADD and ADHD treatment
4411 header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
4412 header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
4413 body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
4415 meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
4416 score KAM_REPAIR1 3.5
4417 describe KAM_REPAIR1 Spam for auto repair services
4420 header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
4421 header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
4422 body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
4424 meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
4425 score KAM_REPAIR2 3.5
4426 describe KAM_REPAIR2 Spam for home repair services
4428 body __KAM_EPISODE /episode \d+/i
4430 header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
4431 header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
4432 body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
4433 body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
4435 meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
4437 describe KAM_CLOUD Spam for cloud services
4439 #FAX AND PAPERLESS SPAM
4440 header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
4441 header __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
4442 body __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
4443 body __KAM_PAPERLESS4 /link expires/i
4445 meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
4446 score KAM_PAPERLESS 4.5
4447 describe KAM_PAPERLESS Paperless spam for the paperless office
4449 rawbody __KAM_LOTSOFNBSP /( ?){30}/i
4451 header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i
4453 # PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
4454 header __KAM_PASSWORD1 Subject =~ /password/i
4455 body __KAM_PASSWORD2 /validate.your.email/i
4457 meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
4458 score KAM_PASSWORD 1.5
4459 describe KAM_PASSWORD Message tries to phish for password
4461 # SEMINARS AND WORKSHOPS SPAM
4462 header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
4463 header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
4464 header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
4465 body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
4467 meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
4468 describe KAM_WEBINAR Spam for webinars
4469 score KAM_WEBINAR 3.5
4471 meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
4472 describe KAM_WEBINAR2 Spam for webinars
4473 score KAM_WEBINAR2 3.5
4475 header __KAM_CONTACTME1 Subject =~ /^contact me$/i
4476 body __KAM_CONTACTME2 /read the attached letter/i
4478 meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
4479 score KAM_CONTACTME 3.5
4480 describe KAM_CONTACTME Spam that wants you to reply
4482 header __KAM_MESH1 From =~ /consumer|connect|claim/i
4483 header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
4484 body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
4486 meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
4487 describe KAM_MESH Spam for surgical mesh
4490 header __KAM_ALERT1 From =~ /medical.?alert/i
4491 header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
4492 body __KAM_ALERT3 /help button/i
4494 meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
4496 describe KAM_ALERT Spam for medical alerts
4498 # SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
4499 header __KAM_SECURITY1 From =~ /Digital Defense/i
4500 header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
4501 body __KAM_SECURITY3 /information.security|cyber.?criminal/i
4503 meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
4504 describe KAM_SECURITY Spam related to online security
4505 score KAM_SECURITY 6.0
4507 body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
4508 body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
4509 body __KAM_JESUS3 /nigeria|muslim.women/i
4511 meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
4512 describe KAM_JESUS Christian spam
4515 header __KAM_CLAIMS1 From =~ /claims.payment/i
4516 header __KAM_CLAIMS2 Subject =~ /confirm/i
4517 body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
4519 meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
4520 describe KAM_CLAIMS Spam for claims processing
4521 score KAM_CLAIMS 4.5
4524 header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
4525 header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
4526 body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
4528 meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
4529 describe KAM_VISION Spam for vision improvement
4530 score KAM_VISION 4.5
4532 body KAM_TRUTHINESS /[Tt]he TRUTH/
4533 describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
4534 score KAM_TRUTHINESS 1.5
4536 header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
4537 header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
4538 body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
4540 meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
4541 score KAM_KITCHEN 4.5
4542 describe KAM_KITCHEN Spam for kitchen improvement
4544 # ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
4545 header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
4547 header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
4549 body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
4551 meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
4552 score KAM_GENERICHEALTH 1.75
4553 describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
4555 header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
4556 header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
4557 body __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
4559 header __KAM_SALEA_1 From =~ /touch.?fire/i
4560 header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
4561 body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
4563 meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
4565 describe KAM_SALE Spam for things on sale
4567 meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
4569 describe KAM_SALEA A very persistent ipad spam campaign
4571 # SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
4572 body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
4573 tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
4575 meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
4576 describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
4577 score KAM_ASCII_DIVIDERS 0.8
4579 # RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
4580 header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
4582 rawbody __KAM_HTMLNOISE1 /<big><\/big>|<small><\/small>|<style><\/style>/i
4584 meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
4585 score KAM_HTMLNOISE 1.0
4586 describe KAM_HTMLNOISE Spam containing useless HTML padding
4588 header __KAM_CHICKEN1 From =~ /coop/i
4589 header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
4590 body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
4592 meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
4593 score KAM_CHICKEN 4.5
4594 describe KAM_CHICKEN Spam for chicken coops
4596 # SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
4597 rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
4599 meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
4600 score KAM_LINEPADDING 1.2
4601 describe KAM_LINEPADDING Spam that tries to get past blank line filters
4604 header __KAM_DRAPES1 From =~ /drapes/i
4605 header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
4606 body __KAM_DRAPES3 /banner.stand|print.project/i
4608 meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
4609 score KAM_DRAPES 3.5
4610 describe KAM_DRAPES Spam for drapes
4612 header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
4613 header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
4614 body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
4616 meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
4617 describe KAM_NUWAVE Spam for cooking tools
4618 score KAM_NUWAVE 3.5
4620 rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
4621 tflags __KAM_MANYCOMMENTS multiple maxhits=6
4623 meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
4624 describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
4625 score KAM_MANYCOMMENTS 1.2
4627 header __KAM_HIRE1 From =~ /recruit/i
4628 header __KAM_HIRE2 Subject =~ /checking.in/i
4629 body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
4631 meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
4632 describe KAM_HIRE Spam for hiring services
4635 header __KAM_DEALS1 From =~ /deal.?hunter/i
4636 header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
4637 body __KAM_DEALS3 /exclusive.savings/i
4639 meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
4641 describe KAM_DEALS Generic advertising for deals
4643 header __KAM_CONTRACT1 From =~ /samanage/i
4644 header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
4645 body __KAM_CONTRACT3 /buy you out|service management|management solution/i
4647 meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
4648 score KAM_CONTRACT 4.5
4649 describe KAM_CONTRACT Spam that will buy your service contract
4652 header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
4653 header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
4654 body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
4656 meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
4657 describe KAM_TOLL Spam for road tolls
4660 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4662 header __KAM_AMAZON1 From =~ /amazon\.com/i
4664 meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
4665 score KAM_AMAZON 4.5
4666 describe KAM_AMAZON Fake Amazon email with malware
4670 header __KAM_LANDSCAPE1 From =~ /landscaping/i
4671 header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
4672 body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
4673 body __KAM_LANDSCAPE4 /stone.carving/i
4675 meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
4676 describe KAM_LANDSCAPING Spam for landscaping
4677 score KAM_LANDSCAPING 3.5
4680 header __KAM_SINGING1 From =~ /singing/i
4681 header __KAM_SINGING2 Subject =~ /professional.singer/i
4682 body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
4684 meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
4685 describe KAM_SINGING Spam for singing lessons
4686 score KAM_SINGING 4.5
4689 header __KAM_ADVERTISE1 From =~ /gmail/i
4690 header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
4691 body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
4693 meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
4694 describe KAM_ADVERTISE Spam that wants you to advertise for them
4695 score KAM_ADVERTISE 4.5
4697 # RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
4698 if (version >= 3.003002)
4699 ifplugin Mail::SpamAssassin::Plugin::DKIM
4700 ifplugin Mail::SpamAssassin::Plugin::SPF
4701 # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
4702 header __KAM_SPF_NONE eval:check_for_spf_none()
4704 meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
4705 score KAM_LAZY_DOMAIN_SECURITY 1.0
4706 describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
4711 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4712 # FORGED EMAILS WITH A VIRUS ATTACHED
4713 meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
4714 score KAM_FORGED_ATTACHED 4.5
4715 describe KAM_FORGED_ATTACHED Forged email with a malware attachment
4718 # LOTS OF PERIODS IN SUBJECT
4719 header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
4721 meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
4722 describe KAM_MANYDOTS Spam with lots of periods in subject
4723 score KAM_MANYDOTS 3.5
4726 header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
4728 meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
4729 describe KAM_SUBJECTNOTICE Spam notices
4730 score KAM_SUBJECTNOTICE 1.0
4732 # SPAM FOR BACKUP SERVICE
4733 header __KAM_BACKUP1 From =~ /backup/i
4734 header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
4735 body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
4737 meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
4738 describe KAM_BACKUP Spam for backup services
4739 score KAM_BACKUP 4.5
4741 # SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
4742 header KAM_FROMNUM From:name =~ /\.\d{7,}$/
4743 describe KAM_FROMNUM Spam with large numbers in the from header
4744 score KAM_FROMNUM 1.0
4746 # LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
4747 meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
4748 score KAM_LINKBAIT 2.5
4749 describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place
4751 uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
4753 meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
4754 score KAM_LINKBAIT2 1.5
4755 describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site
4758 meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
4759 score KAM_LINKBAIT3 1.5
4760 describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
4762 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4763 # MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
4764 meta KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
4765 score KAM_PHISHY_DOLLARS 3.5
4766 describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
4769 # RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
4770 header __KAM_MULTIPLE_FROM From =~ /^./
4771 tflags __KAM_MULTIPLE_FROM multiple maxhits=2
4773 header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
4775 meta KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
4776 describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
4777 score KAM_GRABBAG6 4.5
4779 # GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
4780 header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
4781 score KAM_GENERICHELLO 1.5
4782 describe KAM_GENERICHELLO Spam with generic greetings in the subject
4784 # FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
4785 header __KAM_GOOGLE2_1 From =~ /google\+/i
4786 header __KAM_GOOGLE2_2 From !~ /google.com/i
4788 meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
4789 score KAM_GOOGLE2 4.5
4790 describe KAM_GOOGLE2 Fake Google spam
4792 # MORE NIGERIAN VARIANTS
4793 body __KAM_NIGERIAN3_1 /congo/i
4795 meta KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
4796 score KAM_NIGERIAN3 4.5
4797 describe KAM_NIGERIAN3 Nigerian scam variant
4800 header __KAM_FINGERHUT1 From =~ /finger.?hut/i
4801 header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
4802 body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
4804 meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
4805 score KAM_FINGERHUT 4.5
4806 describe KAM_FINGERHUT Spam for fingerhut
4808 # FRIEND REQUEST SPAM
4809 header __KAM_FRIEND1 Subject =~ /new.notification/i
4810 body __KAM_FRIEND2 /wants.to.follow/i
4812 meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
4813 score KAM_FRIEND 1.5
4814 describe KAM_FRIEND Friend request spam
4816 # ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
4817 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4818 meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
4819 score KAM_VERY_MALWARE 3.5
4820 describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
4823 #MERCHANT ACCOUNTS SPAM
4824 header __KAM_MERCHANT1 Subject =~ /finance.department/i
4825 body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
4826 body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
4828 meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
4829 score KAM_MERCHANT 4.5
4830 describe KAM_MERCHANT Spam for merchant processing
4832 # ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
4833 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4834 mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
4835 header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
4837 # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
4838 #meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
4839 #describe KAM_ZERODAY obviously a malware email that was not caught
4840 #score KAM_ZERODAY 8.0
4843 header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
4845 meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
4846 score KAM_ZERODAY2 1.0
4847 describe KAM_ZERODAY2 Another obvious zero-day malware
4849 meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
4850 score KAM_ZERODAY3 3.5
4851 describe KAM_ZERODAY3 Another obvious zero-day malware
4855 header __KAM_ANCESTOR1 From =~ /ancestry/i
4856 header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
4857 body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
4859 meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
4860 describe KAM_ANCESTOR Spam for family trees
4861 score KAM_ANCESTOR 3.5
4863 # REMEMBER WHEN YOU GOT THAT SPAM
4864 header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
4865 body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
4866 body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
4868 meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
4869 score KAM_REMEMBERWHEN 4.5
4870 describe KAM_REMEMBERWHEN Reminder of something that never happened
4872 # THE LATEST TRAILING NOISE FORMAT
4873 body __KAM_NOISE1 /([a-z0-9],){12}/i
4874 body __KAM_NOISE2 /([a-z]{1,10},){10}/i
4876 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
4877 meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
4878 describe KAM_NOISE1 Pattern of noise words at the end of an email
4879 score KAM_NOISE1 2.5
4883 header __KAM_PIZZA1 From =~ /pizza/i
4884 header __KAM_PIZZA2 Subject =~ /^free pizza$/i
4885 body __KAM_PIZZA3 /free.pizza.coupon/i
4887 meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
4889 describe KAM_PIZZA Spam for free pizza
4892 header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
4893 body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
4894 body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
4896 meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
4897 score KAM_ENGINEER 3.5
4898 describe KAM_ENGINEER Spam for engineering contact information
4901 header __KAM_SUNGLASSES1 Subject =~ /rayban/i
4902 body __KAM_SUNGLASSES2 /great ray|hot.deal/i
4903 body __KAM_SUNGLASSES3 /style rocks|today.only/i
4905 meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
4906 describe KAM_SUNGLASSES Spam for sunglasses
4907 score KAM_SUNGLASSES 3.5
4909 # INVOICE SPAM OF THE DAY
4910 header __KAM_INVOICE1 From =~ /billing/i
4911 header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
4912 header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
4913 body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
4914 uri __KAM_INVOICE5 /overdue|final.account/i
4916 meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
4917 score KAM_INVOICE 4.5
4918 describe KAM_INVOICE Phishing invoice spam
4920 meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
4921 score KAM_INVOICE2 5.5
4922 describe KAM_INVOICE2 Phishing invoice spam
4925 header __KAM_GRIPPY1 From =~ /gripeez/i
4926 header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
4927 body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
4929 meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
4930 score KAM_GRIPPY 4.5
4931 describe KAM_GRIPPY Spam for sticky grip products
4933 # LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
4934 header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing|Bank of America/i
4935 header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
4936 body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
4937 body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
4939 meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
4940 score KAM_ACCOUNTPHISH 3.20
4941 describe KAM_ACCOUNTPHISH Spam that tries to get account information
4944 header __KAM_PROPERTY1 From =~ /high.rise|condo/i
4945 header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
4946 body __KAM_PROPERTY3 /convenient.location/i
4948 meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
4949 score KAM_PROPERTY 2.5
4950 describe KAM_PROPERTY Spam for buying property
4953 header __KAM_FAKEAMEX1 From =~ /aexp.com/i
4955 meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
4956 score KAM_FAKEAMEX 8.0
4957 describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
4959 header KAM_HUGESUBJECT Subject =~ /^.{500}/
4960 score KAM_HUGESUBJECT 2.5
4961 describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
4964 header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
4965 uri __KAM_HOOKUP2 /justhookup/i
4966 body __KAM_HOOKUP3 /match.?me.?networks/i
4968 meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
4969 score KAM_HOOKUP 10.5
4970 describe KAM_HOOKUP Spam for Local Hookup Service
4973 header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
4974 uri __KAM_PSYCHIC2 /free.psychic/i
4975 body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
4977 meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
4978 score KAM_PSYCHIC 4.5
4979 describe KAM_PSYCHIC Current Psychic Product Spam du Jour
4982 body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
4984 meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
4985 score KAM_BADUNSUB 3.0
4986 describe KAM_BADUNSUB Bad Unsubscribe Messages
4988 #GRABBAG FOR A ROUND OF WORDPRESS HACKS
4989 rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
4991 meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
4992 score KAM_GRABBAG7 3.0
4993 describe KAM_GRABBAG7 Spam pattern with bad HTML message
4995 #TINYURL OBFUSCATION
4996 uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
4998 meta KAM_TINYURL (__KAM_TINYURL1)
4999 score KAM_TINYURL 4.0
5000 describe KAM_TINYURL Spammy urls that hide behind a link shortener
5003 header __KAM_DROPBOX1 From =~ /dropbox/i
5004 header __KAM_DROPBOX2 From !~ /dropbox.com/i
5005 body __KAM_DROPBOX3 /shared.a.folder/i
5007 meta KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
5008 score KAM_DROPBOX 4.5
5009 describe KAM_DROPBOX Fake Dropbox emails
5011 # BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
5012 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5013 header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
5015 meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
5016 describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
5017 score KAM_YAHOO_MISTAKE -3.0
5021 meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
5022 score KAM_GRABBAG9 4.5
5023 describe KAM_GRABBAG9 Garbage email from a garbage freemail account
5026 header __KAM_AQUARUG1 From =~ /aqua.?rug/i
5027 header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
5028 body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
5030 meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
5031 score KAM_AQUARUG 3.5
5032 describe KAM_AQUARUG Spam for aqua rug product
5035 # Fixed FP thanks to j.marshall
5036 header __KAM_ITC1 From =~ /thetradecouncil.com/i
5037 body __KAM_ITC2 /International Trade Council/i
5038 body __KAM_ITC3 /enclosed/i
5040 meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
5042 describe KAM_ITC Fake email from International Trade Council
5044 # HAVE YOU SEEN THIS
5045 body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
5047 meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
5048 score KAM_SEENTHIS 4.5
5049 describe KAM_SEENTHIS Have you seen this spam?
5052 header __KAM_DETOX1 From =~ /detox/i
5053 header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
5054 body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
5056 meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
5058 describe KAM_DETOX Spam for trendy detox stuff
5061 header __KAM_DEATHINSURE1 From =~ /live.sure/i
5062 header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
5063 body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
5065 meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
5066 describe KAM_DEATHINSURE Spam for death insurance
5067 score KAM_DEATHINSURE 3.5
5070 body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
5071 score KAM_REACHBASE 2.5
5072 describe KAM_REACHBASE Marketing email pretending to be business info
5074 # DIGITAL WALLET SPAM
5075 header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
5076 header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
5077 body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
5079 meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
5080 score KAM_DIGITALWALLET 3.5
5081 describe KAM_DIGITALWALLET Spam for digital wallet services
5084 header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
5085 header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
5087 meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
5088 score KAM_BADPHP 3.5
5089 describe KAM_BADPHP Questionable PHP mailer headers
5092 header __KAM_TINNITUS1 From =~ /tinnitus.?(911|breakthrough)/i
5093 header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic/i
5094 body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing/i
5096 meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
5097 describe KAM_TINNITUS Tinnitus spam
5098 score KAM_TINNITUS 4.5
5101 header __KAM_KIWIBANK1 From =~ /kiwibank/i
5102 header __KAM_KIWIBANK2 Subject =~ /verification.required/i
5103 body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
5105 meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
5106 describe KAM_KIWIBANK Account phish for Kiwibank
5107 score KAM_KIWIBANK 3.5
5110 header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
5111 body __KAM_HAPPYTALK2 /honest.and.nice/i
5112 body __KAM_HAPPYTALK3 /beautiful.mail/i
5114 meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
5115 score KAM_HAPPYTALK 3.5
5116 describe KAM_HAPPYTALK Weirdly happy spam
5119 header __KAM_SETTLEMENT1 From =~ /xarelto/i
5120 header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
5121 body __KAM_SETTLEMENT3 /lawsuit.information/i
5123 meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
5124 score KAM_SETTLEMENT 3.5
5125 describe KAM_SETTLEMENT Spam offering lawsuit settlement
5128 header __KAM_CAD1 Subject =~ /cad.drawing/i
5129 body __KAM_CAD2 /we.specialize.in/i
5130 body __KAM_CAD3 /our.products/i
5132 meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
5133 describe KAM_CAD Spam for CAD services
5136 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5137 #SPAM WITH OFFICE MACROS
5138 header __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
5140 meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
5141 describe KAM_VBMACRO Message contains attachment with VB macro
5142 score KAM_VBMACRO 6.5
5144 #SPAM THAT INDICATES DYNAMIC IP
5145 header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i
5146 describe KAM_DYNIP Message contains Dynamic IP Address Indicator
5151 # YELP AND OTHER REVIEW SITES
5152 header __KAM_REVIEW1 From =~ /contractor/i
5153 header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
5154 body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i
5156 meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
5157 describe KAM_REVIEW Spam for review sites
5158 score KAM_REVIEW 4.5
5161 header __KAM_TOURS1 From =~ /festival/i
5162 header __KAM_TOURS2 Subject =~ /adventure.tour/i
5163 body __KAM_TOURS3 /your.adventure.tour|your.event/i
5165 meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
5167 describe KAM_TOURS Spam for tours and events
5169 # NO MORE SPAM ENGINES
5170 body __KAM_NOMORE1 /no.more.of.this/i
5171 body __KAM_NOMORE2 /no.more.at.all/i
5173 meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
5174 describe KAM_NOMORE Another predictable spam engine
5175 score KAM_NOMORE 3.5
5177 # NOT REALLY CONFIDENTIAL
5178 body __KAM_NOCONFIDENCE1 /confidential.information/i
5180 meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
5181 score KAM_NOCONFIDENCE 0.5
5182 describe KAM_NOCONFIDENCE Confidential information sent with no security
5184 # YER GON GET SASSINATED
5185 header __KAM_ASSASSIN1 Subject =~ /want you dead/i
5186 body __KAM_ASSASSIN2 /my identity/i
5187 body __KAM_ASSASSIN3 /assassinate/i
5188 body __KAM_ASSASSIN4 /like.an.accident/i
5190 meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
5191 score KAM_ASSASSIN 4.5
5192 describe KAM_ASSASSIN Assassination spam
5194 # GIMME FLASH DRIVES
5195 header __KAM_DRIVE1 From =~ /purchase|manager/i
5196 header __KAM_DRIVE2 Subject =~ /quotation/i
5197 body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i
5199 meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
5201 describe KAM_DRIVE Spam for ordering office equipment
5203 #BAD TLD - TESTING NEW blacklist_uri_host feature
5204 #PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
5205 #if (version >= 3.004000)
5206 # blacklist_uri_host link
5209 #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
5210 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5211 meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
5212 score KAM_QUITE_BAD_DNSWL 3.25
5213 describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5215 meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
5216 score KAM_QUITE_BAD_DNSWL 3.25
5217 describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5220 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5221 meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
5222 score KAM_BAD_DNSWL 7.0
5223 describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5225 meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
5226 score KAM_BAD_DNSWL 7.0
5227 describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
5231 header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
5232 header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
5233 body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i
5235 meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
5236 score JMQ_HEARINGLOSS 3.5
5237 describe JMQ_HEARINGLOSS Spam for hearing loss solutions
5240 header __JMQ_TRACKR1 From =~ /trackr/i
5241 header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
5242 body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i
5244 meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
5245 score JMQ_TRACKR 4.5
5246 describe JMQ_TRACKR Spam for TrackR
5249 header __JMQ_CONGRAT1 From =~ /award|claim/i
5250 header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
5252 meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
5253 score JMQ_CONGRAT 3.5
5254 describe JMQ_CONGRAT Open attachment to claim your free spam
5257 header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
5258 body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
5259 header __JMQ_PICKUP3 X-Mailer =~ /php/i
5260 body __JMQ_PICKUP4 /\d+.year.old|female/i
5262 meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
5263 score JMQ_PICKUP 8.0
5264 describe JMQ_PICKUP spam that wants your number
5266 # COMPROMISED DROPBOX
5267 header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
5268 header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
5269 body __JMQ_DROPBOX3 /ach.(payment|transfer)/i
5271 meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
5272 score JMQ_DROPBOX 3.0
5273 describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts
5276 header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
5277 body __KAM_BAD_REVIEW2 /Reputation Giant/i
5279 meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
5280 score KAM_BAD_REVIEW 4.0
5281 describe KAM_BAD_REVIEW Online reputation spammers
5284 header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
5285 body __KAM_GOOGLE_AWARD2 /selected as a winner/i
5286 body __KAM_GOOGLE_AWARD3 /Dear Google/i
5287 body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i
5289 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5290 mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
5291 mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
5294 meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
5295 score KAM_GOOGLE_AWARD 5.0
5296 describe KAM_GOOGLE_AWARD Fake Google Awards
5299 body KAM_OBFU_LOANS /Stüdént Lóans/i
5300 score KAM_OBFU_LOANS 5.0
5301 describe KAM_OBFU_LOANS Obfuscated Loan Verbiage
5304 body __KAM_WORKFROMHOME1 /work from home/i
5306 meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
5307 score KAM_WORKFROMHOME 1.75
5308 describe KAM_WORKFROMHOME Work from Home Spams
5311 body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
5312 body __KAM_STUDENTLOAN2 /consolidate your loan/i
5313 body __KAM_STUDENTLOAN3 /doesn't injured/i
5314 body __KAM_STUDENTLOAN4 /866-351-4693/i
5315 body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i
5317 meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
5318 score KAM_STUDENTLOAN 4.5
5319 describe KAM_STUDENTLOAN Student Loan Scam
5322 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5323 header __JMQ_RESUME1 Subject =~ /resume/i
5324 body __JMQ_RESUME2 /hello my name|my name is/i
5325 body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
5326 mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
5327 mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
5329 meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
5330 score JMQ_RESUME 4.5
5331 describe JMQ_RESUME Spam for bad attached resumes
5335 header __KAM_LED1 From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun/i
5336 body __KAM_LED2 /(garage|LED Fan) Light|sun-?like|\dx the brightness/i
5337 tflags __KAM_LED2 nosubject
5338 header __KAM_LED3 Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED/i
5340 meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
5341 describe KAM_LED LED Lighting Spams
5345 header __JMQ_REALESTATE1 From =~ /tom.brice/i
5346 header __JMQ_REALESTATE2 Subject =~ /real.estate/i
5347 body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i
5349 meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
5350 describe JMQ_REALESTATE Real estate spam
5351 score JMQ_REALESTATE 4.5
5354 header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
5355 score JMQ_IPINFROM 2.5
5356 describe JMQ_IPINFROM Spam with IP in the from address
5358 # IFFY PAYPAL OF THE DAY
5359 header __JMQ_PAYPAL2 From =~ /paypai/i
5361 meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
5362 score JMQ_PAYPAL2 4.5
5363 describe JMQ_PAYPAL2 PayPal spam of the day
5365 # RESUME SPAM REDUX PART 2 (WOOHOO)
5366 meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
5367 score JMQ_RESUME3 3.5
5368 describe JMQ_RESUME3 Yet more resume spam
5370 # SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
5371 ifplugin Mail::SpamAssassin::Plugin::AskDNS
5372 askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
5373 describe JMQ_SPF_NEUTRAL SPF set to ?all
5374 score JMQ_SPF_NEUTRAL 0.5
5376 askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
5377 describe JMQ_SPF_ALL SPF set to +all!
5378 score JMQ_SPF_ALL 0.5
5382 header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
5383 body __JMQ_IMPORTANT2 /important message/i
5384 body __JMQ_IMPORTANT3 /please visit/i
5386 meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
5387 score JMQ_IMPORTANT 4.5
5388 describe JMQ_IMPORTANT Spam that thinks it is important
5391 uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i
5393 meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
5394 score JMQ_TRACKER 0.5
5395 describe JMQ_TRACKER Message uses image-based tracker
5398 header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
5399 body __JMQ_WIRE2 /medical.support|payment.sent/i
5400 body __JMQ_WIRE3 /bank.wire|sent.out.asap/i
5402 meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
5404 describe JMQ_WIRE Attempt to steal money via wire transfer
5406 #bindata code in RTF
5407 #rawbody __KAM_BADRTF1 /<w:binData/
5408 #rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/
5410 #meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
5411 #describe KAM_BADRTF Message contains binary data in RTF format
5412 #score KAM_BADRTF 5.0
5415 body __KAM_ORDER1 /Please find document attached/i
5416 header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i
5418 meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
5420 describe KAM_ORDER Fraudulent Order Emails
5422 rawbody __RB_LE_200 /^.{2,200}$/s
5423 tflags __RB_LE_200 multiple maxhits=2
5424 rawbody __RB_GT_200 /^.{201}/s
5425 meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
5428 body __KAM_SHOCK1 /shocking.beverage/i
5429 header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
5430 body __KAM_SHOCK3 /drinking this beverage/i
5432 meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
5434 describe KAM_SHOCK Spams with energy drinks
5437 body __KAM_BEAUTY1 /she now looks \d+/i
5438 body __KAM_BEAUTY2 /reveals exactly/i
5439 body __KAM_BEAUTY3 /most amazing transformation/i
5440 header __KAM_BEAUTY4 Subject =~ /now looks \d+/i
5442 meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
5443 score KAM_BEAUTY 4.0
5444 describe KAM_BEAUTY Youth and Beauty Product Scams
5447 body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
5448 header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
5449 body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
5450 body __KAM_WEED4 /(weed|pot).stock/i
5452 meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
5454 describe KAM_WEED Legal Weed and related investment scams
5457 body __KAM_LOGO1 /guru.level logo/i
5458 header __KAM_LOGO2 Subject =~ /guru.level logo/i
5459 body __KAM_LOGO3 /(guru.level|ready.made) logo/i
5461 meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
5463 describe KAM_LOGO Logo Spam
5466 body __KAM_TRUMPCOIN1 /Donald Trump/i
5467 header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
5468 body __KAM_TRUMPCOIN3 /special colored coin/i
5470 meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
5471 score KAM_TRUMPCOIN 5.25
5472 describe KAM_TRUMPCOIN Trump Coin Spam
5475 body __KAM_WATER1 /Never Drink Water/i
5476 header __KAM_WATER2 Subject =~ /bottled water/i
5477 body __KAM_WATER3 /filtered tap water/i
5479 meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
5480 score KAM_WATER 5.25
5481 describe KAM_WATER Water Poison Scam
5484 body __KAM_RUIN1 /do not deposit/i
5485 header __KAM_RUIN2 Subject =~ /money into your bank/i
5486 body __KAM_RUIN3 /banking institutions/i
5488 meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
5490 describe KAM_RUIN Bank Phishing Scam
5493 body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation/i
5494 header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym/i
5495 body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+/i
5497 meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 >= 3
5498 score KAM_WEIGHT2 5.25
5499 describe KAM_WEIGHT2 Weight loss process du jour
5502 body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
5503 header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
5504 body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
5505 header __KAM_LENS4 From =~ /hdcam|lens|inhd/i
5507 meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
5509 describe KAM_LENS Amazing Lens Scam
5512 body __KAM_HONOR1 /greatest thing of your life/i
5513 header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
5514 body __KAM_HONOR3 /profession women/i
5515 body __KAM_HONOR4 /invitation/i
5517 meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
5518 score KAM_HONOR 6.25
5519 describe KAM_HONOR Professional Network Scam
5522 #Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
5524 #tflags __ALL_URI multiple
5526 #Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
5527 header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
5528 header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
5529 full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si
5531 meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
5532 score KAM_BAD_UTF8 14.0
5533 describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
5536 body __KAM_DEATH1 /prevent early.death/i
5537 header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
5538 body __KAM_DEATH3 /Eating this|before it.?s too late/i
5539 body __KAM_DEATH4 /heart.(attack|stops)/i
5541 meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
5542 score KAM_DEATH 6.25
5543 describe KAM_DEATH Supplement Scam
5546 body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
5547 header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
5548 header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
5549 header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i
5551 meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
5552 score KAM_REWARD 5.25
5553 describe KAM_REWARD Coupon Scam
5556 body __KAM_PACKAGE1 /dysfunction|\dx longer/i
5557 body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
5558 header __KAM_PACKAGE3 Subject =~ /sex/i
5559 header __KAM_PACKAGE4 From =~ /function|fivex/i
5561 meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
5562 score KAM_PACKAGE 4.25
5563 describe KAM_PACKAGE Sexual Enhancement Scam
5566 header __KAM_NUMSUBJECT Subject =~ /\d+$/
5567 header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/
5569 meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
5570 score KAM_NUMSUBJECT 0.5
5571 describe KAM_NUMSUBJECT Subject ends in numbers excluding current years
5574 mimeheader KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
5576 describe KAM_MGCS Boundary Content Indicative of Ratware
5578 #NetWeaver - Disabled 7/24
5579 #header KAM_NW X-Mailer =~ /SAP NetWeaver/i
5581 #describe KAM_NW Spam Indicator
5584 body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
5585 body __KAM_STOCKOBFU2 /first letter/i
5586 header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i
5588 meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
5589 describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
5590 score KAM_STOCKOBFU 4.5
5592 #FAKE BBB/FLSA NOTICES
5593 header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
5594 body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
5595 body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
5596 body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i
5598 meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
5599 describe KAM_FAKEBBB Fake Notices for Various Business Violations
5600 score KAM_FAKEBBB 12.0
5603 #header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
5604 body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
5605 body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
5606 body __KAM_HOWRU4 /gmx.com|rambler.ru/i
5608 meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
5609 describe KAM_HOWRU Female Chat Scam
5612 # 2017-11-01, note 56146
5614 body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
5615 body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
5616 body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
5617 body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i
5619 body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i
5621 meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)
5623 meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)
5625 score KAM_DOMAIN_SALE_2 3.0
5626 score KAM_DOMAIN_SALE_3 1.0
5628 meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)
5630 score KAM_DOMAIN_SALE_INTRUDE 1.0
5632 describe KAM_DOMAIN_SALE_2 Domain Selling Spam
5633 describe KAM_DOMAIN_SALE_3 Domain Selling Spam
5634 describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam
5636 # 2017-11-08, lonely russian women Whack-A-Mole
5638 # Likely Overlap with HOWRU rules, similar target. No real-life
5639 # overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
5642 header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
5643 header __KAM_SUBJECT_SINGLEWORD Subject =~ /^[a-z]+$/i
5644 header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i
5646 meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)
5648 score KB_WAM_LONELY_WOMEN 5.0
5649 describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day
5651 body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i
5653 #meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
5654 #score KB_WAM_OVERLAP -0.01
5655 #describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
5657 #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
5658 #All Control chars like NUL except \n which should exist once legitimately
5659 #Investigating double-byte language FP. Reverting back to just \0
5660 #header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
5661 header __KAM_MAILSPLOIT1 From =~ /[\0]/
5662 describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
5664 #\n Multiple in the From Header
5665 header __KAM_MAILSPLOIT2 From =~ /[\n]/
5666 describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
5667 tflags __KAM_MAILSPLOIT2 multiple maxhits=2
5669 meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
5670 describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
5671 score KAM_MAILSPLOIT 10.0
5673 #cc in From - Thanks to Dave Jones for idea
5674 header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
5675 describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
5676 score KAM_CCFROM1 5.0
5678 #MailBox Verify Phish - Also See KAM_MAILBOX
5679 header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
5680 header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
5681 body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box|retrieve messages/i
5682 body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota|low email storage/i
5683 header __KAM_MAILBOXFROM From =~ /mailbox/i
5685 meta KAM_BOXPHISH ((__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT >= 1) + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA + __KAM_MAILBOX1 >= 4)
5686 describe KAM_BOXPHISH Mailbox verification phishing scams
5687 score KAM_BOXPHISH 6.5
5690 body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
5691 header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i
5693 meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
5694 describe KAM_CRYPTO Crypto Currency Spam Du Jour
5695 score KAM_CRYPTO 8.0
5697 #COMPROMISED CMS - Thanks to Jing Shan for the idea
5698 uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
5699 uri __KAM_CMS2 /\/erroreng\/erroreng\//i
5700 uri __KAM_CMS3 /twentythirteen\/Upgrade\/?email=/i
5702 meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
5703 describe KAM_CMS Indicators that a CMS has been exploited for Spammers
5706 #WESTERN UNION SCANS
5707 header __KAM_WU1 from:addr !~ /\@westernunion.com/i
5708 header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
5709 uri __KAM_WU3 /western.umt/i
5711 meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
5712 describe KAM_WU Western Union Scam
5716 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5718 replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
5720 body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i
5723 body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i
5726 body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i
5729 body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
5732 body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
5735 header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
5738 header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i
5741 meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
5742 describe KAM_CRIM Extortion Email
5747 body __KAM_CRIM2_1 /bit.{0,2}coin/i
5748 body __KAM_CRIM2_2 /address\:/i
5749 body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
5751 meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
5752 describe KAM_CRIM2 Extortion Email
5756 #ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
5757 # Also want to look at Unicode U+200C.
5758 # Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D. $a
5760 # Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
5761 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5762 mimeheader __KAM_ZWNJ1 Content-Type =~ /charset.+windows-1256/i
5764 body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
5765 tflags __KAM_ZWNJ2 multiple maxhits=16
5766 body __KAM_ZWNJ3 /\&\#x200B;/i
5768 describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
5770 meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
5771 describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
5774 describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
5775 meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
5776 score KAM_ZWNJBAD 2.0
5779 body __KAM_GIRLS1 /Lack of sex/i
5781 meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
5782 describe KAM_GIRLS Girl Chat Scam du Jour
5785 #SKINCELL PRO Spam Du Jour
5786 body __KAM_SKINCELL1 /Skincell.Pro/i
5787 header __KAM_SKINCELL2 Subject =~ /Skincell.Pro/i
5789 meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
5790 describe KAM_SKINCELL Skincare Scam du Jour
5791 score KAM_SKINCELL 7.0
5793 #UK INVOICE - Thanks to Andy Smith for his help on this
5794 uri __KAM_UKINV1 /\/(client|share|documentview)$/i
5795 body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i
5796 body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i
5797 body __KAM_UKINV4 /£/i
5798 header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i
5799 header __KAM_UKINV6 Subject =~ /invoice/i
5801 meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6)
5802 describe KAM_UKINV Fake Invoice/Scan Scams
5806 body __KAM_LISTSALE1 /interested in acquiring/i
5807 body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
5808 body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i
5810 header __KAM_LISTSALE4 Subject =~ /users|leads/i
5811 header __KAM_LISTSALE5 From =~ /leads/i
5813 meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
5814 describe KAM_LISTSALE List sellers
5815 score KAM_LISTSALE 5.0
5818 uri KAM_GOOGLESHORT /\/www.google.com\/url\?q=.{4,16}bit\.ly/i
5819 describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners
5820 score KAM_GOOGLESHORT 9.0
5823 body __KAM_HEARTPROD1 /heart ?attack/i
5824 body __KAM_HEARTPROD2 /enzyme/i
5825 header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
5826 header __KAM_HEARTPROD4 From =~ /clear 7/i
5828 meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
5829 describe KAM_HEARTPROD Snake Oil Heart Health du Jour
5830 score KAM_HEARTPROD 7.0
5832 # LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE
5833 # NOTE: Some languages and people using things like ZWNJ repeatedly will cause FPs for this rule.
5834 # This rule disabled in deadweight anyway!
5835 describe __SCC_SHORT_WORDS A line with lots of short words
5836 body __SCC_SHORT_WORDS /\W(\D\w{1,3}\W{1,3}){11}/
5837 tflags __SCC_SHORT_WORDS multiple maxhits=40
5839 describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
5840 meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5
5841 describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
5842 meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10
5843 describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
5844 meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
5845 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
5846 meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
5848 # A pattern seen in subscription-bombings
5849 describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
5850 header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
5851 score SCC_SUBBOMB_SUBJ_1 5
5854 header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
5855 describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
5856 meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
5857 score SCC_FAKE_CPANEL 6
5859 header KAM_PHISHCP From =~ /\@cpanel\d+\.com/i
5860 describe KAM_PHISHCP Fraudulent notices purporting to be from cPanel
5861 score KAM_PHISHCP 15.0
5863 uri KAM_PHISHCP2 /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
5864 describe KAM_PHISHCP2 Fraudulent notices purporting to be from cPanel
5865 score KAM_PHISHCP2 15.0
5867 body __KAM_PHISHCP3_1 /cPanel Cloud Service/
5869 meta KAM_PHISHCP3 (__KAM_TINYDOMAIN + __KAM_PHISHCP3_1 >=2)
5870 describe KAM_PHISHCP3 Fraudulent notices purporting to be from cPanel
5871 score KAM_PHISHCP3 15.0
5874 #https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
5875 body KAM_FILE /file:\/\/\/\//i
5876 describe KAM_FILE Potential attempt for NTLM attack
5880 header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou>?$/i
5881 header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater/i
5883 body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
5884 body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
5885 uri __KAM_FUN3A /imgstore.host/i
5888 header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls/i
5891 body __KAM_FUN5 /\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
5893 body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown/i
5895 body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends/i
5896 tflags __KAM_FUN7 nosubject
5898 meta KAM_FUN ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
5899 describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
5902 meta KAM_FUN2 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
5903 describe KAM_FUN2 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
5906 #GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
5907 uri KAM_DRIVENUM /\d+\.drive\.google.com/i
5908 describe KAM_DRIVENUM Drive Links Prevalent in Spam
5909 score KAM_DRIVENUM 5.0
5911 #SWIFT PAYMENT SCAMS
5912 header __KAM_SWIFT1 Subject =~ /Swift/i
5913 body __KAM_SWIFT2 /swift copy/i
5914 body __KAM_SWIFT3 /balance payment/i
5916 meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
5917 describe KAM_SWIFT SWIFT payment scam
5920 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
5922 score FROMNAME_SPOOFED_EMAIL 0.3
5924 meta GB_FROMNAME_SPOOF_EQUALS_TO (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
5925 describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
5926 score GB_FROMNAME_SPOOF_EQUALS_TO 0.3
5928 meta GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
5929 describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
5930 score GB_FROMNAME_SPOOF_FREEMAIL 0.4
5932 ifplugin Mail::SpamAssassin::Plugin::FreeMail
5933 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
5934 meta GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
5935 describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
5936 score GB_FREEM_FROM_NOT_REPLY 0.4
5940 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
5941 header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i
5942 describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
5943 score KAM_RAPTOR_ALTERED 2.0
5947 header __KAM_PROFORMA1 Subject =~ /Proforma/i
5948 body __KAM_PROFORMA2 /no responds/i
5949 body __KAM_PROFORMA3 /highly encrypted/i
5950 body __KAM_PROFORMA4 /Proforma Invoice/i
5951 uri __KAM_PROFORMA5 /\.php/i
5953 meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
5954 describe KAM_PROFORMA Invoice scam
5955 score KAM_PROFORMA 7.5
5958 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5959 header __KAM_INVOICEPO1 Subject =~ /Invoice copies/i
5960 body __KAM_INVOICEPO2 /consignment/i
5961 body __KAM_INVOICEPO3 /invoice copies/i
5962 mimeheader __KAM_INVOICEPO4 Content-Type =~ /invoice copies.{0,100}\.html/i
5964 meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
5965 describe KAM_INVOICEPO Invoice scam
5966 score KAM_INVOICEPO 4.0
5968 mimeheader KAM_HTMLINVOICE Content-Type =~ /invoice.{0,100}\.html/i
5969 describe KAM_HTMLINVOICE Invoice scam
5970 score KAM_HTMLINVOICE 1.5
5972 mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
5973 describe KAM_HTMLINVOICE2 Invoice scam
5974 score KAM_HTMLINVOICE2 3.5
5977 # Spear phishing rules
5978 ifplugin Mail::SpamAssassin::Plugin::FreeMail
5979 header __GB_TO_ADDR_FREEMAIL eval:check_freemail_header('To:addr')
5980 header __GB_TO_NAME_FREEMAIL eval:check_freemail_header('To:name')
5981 meta GB_TO_NAME_FREEMAIL ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
5982 describe GB_TO_NAME_FREEMAIL Freemail spear phish with free mail
5983 score GB_TO_NAME_FREEMAIL 0.01
5985 header __GB_FROM_ADDR_FREEMAIL eval:check_freemail_header('From:addr')
5986 header __GB_FROM_NAME_FREEMAIL eval:check_freemail_header('From:name')
5987 header __GB_FROM_NAME_EMAIL From:name =~ /\@/
5988 meta GB_FROM_NAME_FREEMAIL ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
5989 describe GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
5990 score GB_FROM_NAME_FREEMAIL 0.01
5993 # Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
5994 # FIXED rule distributed via sa-update since 2019-05-31
5995 # meta __STYLE_GIBBERISH_1 0
5997 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5998 # Allow googleapis.com to be blacklisted due to spam runs in June 2019 exploiting it
5999 clear_uridnsbl_skip_domain googleapis.com
6002 # Need a favor phishing
6003 header __KAM_FAVOR1 Subject =~ /Request|Quick Reply/i
6004 body __KAM_FAVOR2 /I need a favor from you|Are you available to work on a request for me today/i
6005 body __KAM_FAVOR3 /email me back as soon as possible|send me your personal cell phone number/i
6007 meta KAM_FAVOR (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
6008 describe KAM_FAVOR Phishing Attempt
6011 # WHITELIST PCCC/MCGRAIL
6012 whitelist_auth *@pccc.com *@mcgrail.com
6013 #trusted_networks 69.171.29.0/25
6014 #trusted_networks 38.124.232.0/24
6016 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
6017 header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers/i
6020 body __KAM_LIST3_2 /list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?|data) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|(email|attendee)s? list|global leads/i
6022 body __KAM_LIST3_3 /(information|data) field|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign/i
6024 body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|list includes|recently compiled/i
6026 meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
6027 describe KAM_LIST3 Mailing List Purveyor Spam
6028 score KAM_LIST3 12.25
6031 meta KAM_LIST3_1 (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
6032 describe KAM_LIST3_1 Likely Mailing List Purveyor Spam
6033 score KAM_LIST3_1 5.75
6036 header __KAM_MONCLER1 Subject =~ /moncler/i
6037 header __KAM_MONCLER2 From =~ /moncler/i
6039 meta KAM_MONCLER (__KAM_MONCLER1 + __KAM_MONCLER2 + KAM_SOMETLD_ARE_BAD_TLD >= 3)
6040 describe KAM_MONCLER Fashionista Spammers
6041 score KAM_MONCLER 6.0
6044 header __KAM_ERP1 Subject =~ /ERP/
6045 body __KAM_ERP2 /K9ERP/i
6047 meta KAM_ERP (__KAM_ERP1 + __KAM_ERP2 >=2)
6048 describe KAM_ERP ERP Spammers
6051 #DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
6053 #https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
6055 #"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
6057 # We expect edge cases with DKIM where a parent (gateway) domain signing for a subdomain author (e.g., parent.gov signing for sub.parent.gov). This is a common and a sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU. The SPF || DKIM logic below will allow this scenario.
6059 # Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin.
6062 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6063 ifplugin Mail::SpamAssassin::Plugin::DKIM
6064 ifplugin Mail::SpamAssassin::Plugin::SPF
6065 askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
6066 askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
6067 askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
6068 askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
6070 #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
6071 meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
6072 describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
6073 score KAM_DMARC_STATUS 0.01
6075 meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
6076 describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
6077 score KAM_DMARC_REJECT 3.0
6079 meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
6080 describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
6081 score KAM_DMARC_QUARANTINE 1.5
6083 meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
6084 describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
6085 score KAM_DMARC_NONE 0.25
6091 ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
6092 # increase number of mime parts checked
6093 olemacro_num_mime 10
6095 if (version >= 3.0040005)
6097 body KAM_OLEMACRO eval:check_olemacro()
6098 describe KAM_OLEMACRO Attachment has an Office Macro
6099 score KAM_OLEMACRO 7.5
6101 body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
6102 describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
6103 score KAM_OLEMACRO_MALICE 10.0
6105 body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
6106 describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
6107 score KAM_OLEMACRO_ENCRYPTED 3.0
6109 #This may cause more CPU usage
6110 olemacro_extended_scan 1
6111 body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
6112 describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
6113 score KAM_OLEMACRO_RENAME 0.5
6115 meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
6116 describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
6117 score GB_OLEMACRO_REN_VIR 10
6121 body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
6122 describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
6123 score KAM_OLEMACRO_ZIP_PW 1.0
6125 body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
6126 describe KAM_OLEMACRO_CSV Macro in csv file
6127 score KAM_OLEMACRO_CSV 5.0
6129 #meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
6130 #describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
6131 #score KAM_OLEMACRO_ZIP_PW_NOMID 5.0
6133 meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
6134 describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
6135 score KAM_OLEMACRO_ZIP_BOT 5.0
6138 #Testing Rule for Subject Prefixes - See note 58397
6139 #if can(Mail::SpamAssassin::Conf::feature_subjprefix)
6140 # enlist_addrlist (INTERNAL) *@pccc.com
6141 # header __FROM_INTERNAL eval:check_from_in_list('INTERNAL')
6143 # meta EXTERNAL (!__FROM_INTERNAL)
6144 # describe EXTERNAL External users to PCCC Test Rule
6145 # score EXTERNAL 0.001
6146 # subjprefix EXTERNAL [EXTERNAL]
6149 #Testing Rule for NoSubject Rules - See note 58246
6150 #if (version >= 3.004003)
6152 # body NOSUBJECT_TEST_HIT /example/i
6153 # describe NOSUBJECT_TEST_HIT This should hit on an email with example in the subject but not in the body because subjects are automatically prepending for testing.
6156 # body NOSUBJECT_TEST_FAIL /example/i
6157 # describe NOSUBJECT_TEST_FAIL This should NOT hit on an email with example in the subject not not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
6158 # tflags NOSUBJECT_TEST_FAIL nosubject
6161 if (version >= 3.004003)
6162 ifplugin Mail::SpamAssassin::Plugin::HashBL
6163 # BTC address present in BTC blacklist
6164 # thanks to Henrik Krohns for the regexp
6165 body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
6166 priority BTC_HASHBL_BLACK -100
6167 tflags BTC_HASHBL_BLACK net
6168 describe BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
6169 score BTC_HASHBL_BLACK 5.0
6173 #Testing of HASHBL Additions - Note 58246
6174 if (version >= 3.004003)
6175 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
6176 ifplugin Mail::SpamAssassin::Plugin::HashBL
6178 rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP
6180 # mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)
6181 header PCCC_HDR_MARKETINGBL eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32')
6182 describe PCCC_HDR_MARKETINGBL Address in email headers associated with mass-marketing (https://raptor.pccc.com/RBL)
6183 tflags PCCC_HDR_MARKETINGBL net
6184 score PCCC_HDR_MARKETINGBL 0.001
6185 priority PCCC_HDR_MARKETINGBL -100
6187 header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
6188 describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
6189 tflags PCCC_HDR_REPLYTO net
6190 score PCCC_HDR_REPLYTO 3.5
6191 priority PCCC_HDR_REPLYTO -100
6193 # compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
6194 header PCCC_SENDER_COMPROMISED eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
6195 describe PCCC_SENDER_COMPROMISED Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
6196 tflags PCCC_SENDER_COMPROMISED net
6197 score PCCC_SENDER_COMPROMISED 2.0
6198 priority PCCC_SENDER_COMPROMISED -100
6200 # compromised domain found in received headers
6201 header PCCC_RECEIVED_HDR_COMPROMISED eval:check_rbl_rcvd('pccc-rcvd', 'wild.pccc.com.', '127.0.1.2')
6202 describe PCCC_RECEIVED_HDR_COMPROMISED Compromised domain found in received headers found on PCCC RBL (https://raptor.pccc.com/RBL)
6203 tflags PCCC_RECEIVED_HDR_COMPROMISED net
6204 score PCCC_RECEIVED_HDR_COMPROMISED 2.0
6205 priority PCCC_RECEIVED_HDR_COMPROMISED -100
6207 # dns server of From address found on PCCC RBL
6208 header PCCC_FROM_BAD_NS eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
6209 describe PCCC_FROM_BAD_NS DNS server of From address found on PCCC RBL (https://raptor.pccc.com/RBL)
6210 tflags PCCC_FROM_BAD_NS net
6211 score PCCC_FROM_BAD_NS 2.0
6212 priority PCCC_FROM_BAD_NS -100
6214 # Freemail address in Reply-To header found on PCCC HashBL
6215 # this rule needs 99_hashbl.cf to work
6216 header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail')
6217 describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
6218 tflags PCCC_HASHBL_FREEMAIL net
6219 score PCCC_HASHBL_FREEMAIL 3.5
6220 priority PCCC_HASHBL_FREEMAIL -100
6222 # Email address in X-Sender header found on PCCC HashBL
6223 header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
6224 describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6225 tflags PCCC_HASHBL_EMAIL_SEND net
6226 score PCCC_HASHBL_EMAIL_SEND 1.5
6227 priority PCCC_HASHBL_EMAIL_SEND -100
6229 # Email address in X-SRS-Sender header found on PCCC HashBL
6230 header PCCC_HASHBL_EMAIL_SRS eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-SRS-Sender', '^127\.', 'all')
6231 describe PCCC_HASHBL_EMAIL_SRS Message contains srs email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6232 tflags PCCC_HASHBL_EMAIL_SRS net
6233 score PCCC_HASHBL_EMAIL_SRS 1.5
6234 priority PCCC_HASHBL_EMAIL_SRS -100
6236 # Email address in email headers found on PCCC HashBL
6237 header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5')
6238 describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6239 tflags PCCC_HASHBL_EMAIL net
6240 score PCCC_HASHBL_EMAIL 1.5
6241 priority PCCC_HASHBL_EMAIL -100
6243 # Email address in custom email headers found on PCCC HashBL
6244 header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
6245 describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
6246 tflags PCCC_HASHBL_HDR_EMAIL net
6247 score PCCC_HASHBL_HDR_EMAIL 0.5
6248 priority PCCC_HASHBL_HDR_EMAIL -100
6250 #Move this to a file like 99_hashbl_settings.cf when KAM rules become a channel
6251 hashbl_acl_freemail 020.co.uk
6252 hashbl_acl_freemail 111mail.com
6253 hashbl_acl_freemail 123.com
6254 hashbl_acl_freemail 123box.net
6255 hashbl_acl_freemail 123india.com
6256 hashbl_acl_freemail 123iran.com
6257 hashbl_acl_freemail 123mail.cl
6258 hashbl_acl_freemail 123mail.org
6259 hashbl_acl_freemail 123qwe.co.uk
6260 hashbl_acl_freemail 126.com
6261 hashbl_acl_freemail 138mail.com
6262 hashbl_acl_freemail 139.com
6263 hashbl_acl_freemail 141.ro
6264 hashbl_acl_freemail 150mail.com
6265 hashbl_acl_freemail 150ml.com
6266 hashbl_acl_freemail 163.com
6267 hashbl_acl_freemail 16mail.com
6268 hashbl_acl_freemail 188.com
6269 hashbl_acl_freemail 189.cn
6270 hashbl_acl_freemail 1963chevrolet.com
6271 hashbl_acl_freemail 1963pontiac.com
6272 hashbl_acl_freemail 1netdrive.com
6273 hashbl_acl_freemail 1st-website.com
6274 hashbl_acl_freemail 1stpd.net
6275 hashbl_acl_freemail 2-mail.com
6276 hashbl_acl_freemail 20after4.com
6277 hashbl_acl_freemail 21cn.com
6278 hashbl_acl_freemail 24h.co.jp
6279 hashbl_acl_freemail 24horas.com
6280 hashbl_acl_freemail 263.net
6281 hashbl_acl_freemail 271soundview.com
6282 hashbl_acl_freemail 2die4.com
6283 hashbl_acl_freemail 2mydns.com
6284 hashbl_acl_freemail 2net.us
6285 hashbl_acl_freemail 3000.it
6286 hashbl_acl_freemail 37.com
6287 hashbl_acl_freemail 3ammagazine.com
6288 hashbl_acl_freemail 3email.com
6289 hashbl_acl_freemail 3xl.net
6290 hashbl_acl_freemail 4-music-today.com
6291 hashbl_acl_freemail 420email.com
6292 hashbl_acl_freemail 444.net
6293 hashbl_acl_freemail 4degreez.com
6294 hashbl_acl_freemail 4email.com
6295 hashbl_acl_freemail 4email.net
6296 hashbl_acl_freemail 4newyork.com
6297 hashbl_acl_freemail 4xn.de
6298 hashbl_acl_freemail 5005.lv
6299 hashbl_acl_freemail 50mail.com
6300 hashbl_acl_freemail 55mail.cc
6301 hashbl_acl_freemail 5fm.za.com
6302 hashbl_acl_freemail 5x2.de
6303 hashbl_acl_freemail 5x2.me
6304 hashbl_acl_freemail 6210.hu
6305 hashbl_acl_freemail 6sens.com
6306 hashbl_acl_freemail 702mail.co.za
6307 hashbl_acl_freemail 7110.hu
6308 hashbl_acl_freemail 8848.net
6309 hashbl_acl_freemail 8m.com
6310 hashbl_acl_freemail 8m.net
6311 hashbl_acl_freemail 8u8.com
6312 hashbl_acl_freemail 8u8.hk
6313 hashbl_acl_freemail 8u8.tw
6314 hashbl_acl_freemail 8x.com.br
6315 hashbl_acl_freemail 9.cn
6316 hashbl_acl_freemail a-teens.net
6317 hashbl_acl_freemail a-topmail.at
6318 hashbl_acl_freemail a.org.ua
6319 hashbl_acl_freemail abha.cc
6320 hashbl_acl_freemail about.com
6321 hashbl_acl_freemail abv.bg
6322 hashbl_acl_freemail acatperson.com
6323 hashbl_acl_freemail acceso.or.cr
6324 hashbl_acl_freemail access4less.net
6325 hashbl_acl_freemail accessgcc.com
6326 hashbl_acl_freemail accountant.com
6327 hashbl_acl_freemail acdcfan.com
6328 hashbl_acl_freemail acmemail.net
6329 hashbl_acl_freemail actingbiz.com
6330 hashbl_acl_freemail activist.com
6331 hashbl_acl_freemail adexec.com
6332 hashbl_acl_freemail adiga.com
6333 hashbl_acl_freemail adinet.com.uy
6334 hashbl_acl_freemail adogperson.com
6335 hashbl_acl_freemail adres.nl
6336 hashbl_acl_freemail advalvas.be
6337 hashbl_acl_freemail aeiou.pt
6338 hashbl_acl_freemail aeneasmail.com
6339 hashbl_acl_freemail africamail.com
6340 hashbl_acl_freemail afrik.com
6341 hashbl_acl_freemail afropoets.com
6342 hashbl_acl_freemail agadir.cc
6343 hashbl_acl_freemail aggies.com
6344 hashbl_acl_freemail ahaa.dk
6345 hashbl_acl_freemail ahsa.ws
6346 hashbl_acl_freemail aichi.com
6347 hashbl_acl_freemail aim.com
6348 hashbl_acl_freemail aircraftmail.com
6349 hashbl_acl_freemail airpost.net
6350 hashbl_acl_freemail aiutamici.com
6351 hashbl_acl_freemail ajman.cc
6352 hashbl_acl_freemail ajman.us
6353 hashbl_acl_freemail ajman.ws
6354 hashbl_acl_freemail aklan.com
6355 hashbl_acl_freemail aknet.kg
6356 hashbl_acl_freemail alabama.usa.com
6357 hashbl_acl_freemail alaska.usa.com
6358 hashbl_acl_freemail alavatotal.com
6359 hashbl_acl_freemail albafind.com
6360 hashbl_acl_freemail albaha.cc
6361 hashbl_acl_freemail albawaba.com
6362 hashbl_acl_freemail alburaq.net
6363 hashbl_acl_freemail aldeax.com
6364 hashbl_acl_freemail aldeax.com.ar
6365 hashbl_acl_freemail alex4all.com
6366 hashbl_acl_freemail alexandria.cc
6367 hashbl_acl_freemail algeria.com
6368 hashbl_acl_freemail algerie.cc
6369 hashbl_acl_freemail alice.it
6370 hashbl_acl_freemail alinto.com
6371 hashbl_acl_freemail aliyun.com
6372 hashbl_acl_freemail all4theskins.com
6373 hashbl_acl_freemail allergist.com
6374 hashbl_acl_freemail allhiphop.com
6375 hashbl_acl_freemail allmail.net
6376 hashbl_acl_freemail allsportsrock.com
6377 hashbl_acl_freemail alriyadh.cc
6378 hashbl_acl_freemail alskens.dk
6379 hashbl_acl_freemail altavista.se
6380 hashbl_acl_freemail altbox.org
6381 hashbl_acl_freemail alternativagratis.com
6382 hashbl_acl_freemail alum.com
6383 hashbl_acl_freemail alumni.com
6384 hashbl_acl_freemail alumnidirector.com
6385 hashbl_acl_freemail alunos.unipar.br
6386 hashbl_acl_freemail alvilag.hu
6387 hashbl_acl_freemail alwaysgrilling.com
6388 hashbl_acl_freemail alwaysinthekitchen.com
6389 hashbl_acl_freemail alwayswatchingmovies.com
6390 hashbl_acl_freemail alwayswatchingtv.com
6391 hashbl_acl_freemail amenworld.com
6392 hashbl_acl_freemail america.hm
6393 hashbl_acl_freemail americamail.com
6394 hashbl_acl_freemail amman.cc
6395 hashbl_acl_freemail amnetsal.com
6396 hashbl_acl_freemail amorous.com
6397 hashbl_acl_freemail ananzi.co.za
6398 hashbl_acl_freemail anatomicrock.com
6399 hashbl_acl_freemail anet.ne.jp
6400 hashbl_acl_freemail anfmail.com
6401 hashbl_acl_freemail angelfire.com
6402 hashbl_acl_freemail angelic.com
6403 hashbl_acl_freemail animail.net
6404 hashbl_acl_freemail animeone.com
6405 hashbl_acl_freemail aniverse.com
6406 hashbl_acl_freemail anjungcafe.com
6407 hashbl_acl_freemail another.com
6408 hashbl_acl_freemail antedoonsub.com
6409 hashbl_acl_freemail antwerpen.com
6410 hashbl_acl_freemail anunciador.net
6411 hashbl_acl_freemail anytimenow.com
6412 hashbl_acl_freemail aol.co.uk
6413 hashbl_acl_freemail aol.com
6414 hashbl_acl_freemail aon.at
6415 hashbl_acl_freemail apexmail.com
6416 hashbl_acl_freemail apollo.lv
6417 hashbl_acl_freemail appraiser.net
6418 hashbl_acl_freemail approvers.net
6419 hashbl_acl_freemail aprava.com
6420 hashbl_acl_freemail apropo.ro
6421 hashbl_acl_freemail aqaba.cc
6422 hashbl_acl_freemail arab.ir
6423 hashbl_acl_freemail arar.ws
6424 hashbl_acl_freemail archaeologist.com
6425 hashbl_acl_freemail arcor.de
6426 hashbl_acl_freemail arcticmail.com
6427 hashbl_acl_freemail argentina.com
6428 hashbl_acl_freemail arizona.usa.com
6429 hashbl_acl_freemail arkansas.usa.com
6430 hashbl_acl_freemail armmail.com
6431 hashbl_acl_freemail army.com
6432 hashbl_acl_freemail arnet.com.ar
6433 hashbl_acl_freemail aroma.com
6434 hashbl_acl_freemail arrl.net
6435 hashbl_acl_freemail artlover.com
6436 hashbl_acl_freemail aruba.it
6437 hashbl_acl_freemail asheville.com
6438 hashbl_acl_freemail asia-links.com
6439 hashbl_acl_freemail asia-mail.com
6440 hashbl_acl_freemail asia.com
6441 hashbl_acl_freemail asiamail.com
6442 hashbl_acl_freemail asiancutes.com
6443 hashbl_acl_freemail assala.com
6444 hashbl_acl_freemail assamesemail.com
6445 hashbl_acl_freemail asurfer.com
6446 hashbl_acl_freemail aswan.cc
6447 hashbl_acl_freemail asylum.com
6448 hashbl_acl_freemail atheist.com
6449 hashbl_acl_freemail atl.lv
6450 hashbl_acl_freemail atlas.cz
6451 hashbl_acl_freemail atlas.sk
6452 hashbl_acl_freemail atozasia.com
6453 hashbl_acl_freemail atreillou.com
6454 hashbl_acl_freemail att.ne.jp
6455 hashbl_acl_freemail att.net
6456 hashbl_acl_freemail au.ru
6457 hashbl_acl_freemail aubenin.com
6458 hashbl_acl_freemail auctioneer.net
6459 hashbl_acl_freemail auf-steroide.de
6460 hashbl_acl_freemail aufdrogen.de
6461 hashbl_acl_freemail aus-city.com
6462 hashbl_acl_freemail ausi.com
6463 hashbl_acl_freemail aussiemail.com.au
6464 hashbl_acl_freemail australiamail.com
6465 hashbl_acl_freemail autoindia.com
6466 hashbl_acl_freemail autopm.com
6467 hashbl_acl_freemail avasmail.com.mv
6468 hashbl_acl_freemail axarnet.com
6469 hashbl_acl_freemail ayna.com
6470 hashbl_acl_freemail azet.sk
6471 hashbl_acl_freemail b-boy.com
6472 hashbl_acl_freemail baalbeck.cc
6473 hashbl_acl_freemail babbalu.com
6474 hashbl_acl_freemail badgers.com
6475 hashbl_acl_freemail bahraini.cc
6476 hashbl_acl_freemail bakpaka.com
6477 hashbl_acl_freemail bakpaka.net
6478 hashbl_acl_freemail balochistan.org
6479 hashbl_acl_freemail baluch.com
6480 hashbl_acl_freemail bama-fan.com
6481 hashbl_acl_freemail bancora.net
6482 hashbl_acl_freemail banha.cc
6483 hashbl_acl_freemail bankersmail.com
6484 hashbl_acl_freemail barlick.net
6485 hashbl_acl_freemail barriolife.com
6486 hashbl_acl_freemail bartender.net
6487 hashbl_acl_freemail basketball-email.com
6488 hashbl_acl_freemail beabookworm.com
6489 hashbl_acl_freemail beagolfer.com
6490 hashbl_acl_freemail beahealthnut.com
6491 hashbl_acl_freemail beautifulboy.com
6492 hashbl_acl_freemail beeebank.com
6493 hashbl_acl_freemail beehive.org
6494 hashbl_acl_freemail been-there.com
6495 hashbl_acl_freemail beirut.com
6496 hashbl_acl_freemail believeinliberty.com
6497 hashbl_acl_freemail belizehome.com
6498 hashbl_acl_freemail belizemail.net
6499 hashbl_acl_freemail belizeweb.com
6500 hashbl_acl_freemail bellair.net
6501 hashbl_acl_freemail bellsouth.net
6502 hashbl_acl_freemail berlin.com
6503 hashbl_acl_freemail berlin.de
6504 hashbl_acl_freemail besser-als-du.de
6505 hashbl_acl_freemail bestcoolcars.com
6506 hashbl_acl_freemail bestjobcandidate.com
6507 hashbl_acl_freemail bestmail.us
6508 hashbl_acl_freemail besure2vote.com
6509 hashbl_acl_freemail bflomail.com
6510 hashbl_acl_freemail bgay.com
6511 hashbl_acl_freemail bgnmail.com
6512 hashbl_acl_freemail bharatmail.com
6513 hashbl_acl_freemail bicycledata.com
6514 hashbl_acl_freemail bicycling.com
6515 hashbl_acl_freemail big-orange.com
6516 hashbl_acl_freemail bigboss.cz
6517 hashbl_acl_freemail bigfoot.com
6518 hashbl_acl_freemail bigger.com
6519 hashbl_acl_freemail bigheavyworld.com
6520 hashbl_acl_freemail bigmailbox.com
6521 hashbl_acl_freemail bigmailbox.net
6522 hashbl_acl_freemail bigmir.net
6523 hashbl_acl_freemail bigpond.com
6524 hashbl_acl_freemail bigstring.com
6525 hashbl_acl_freemail bigtimecatperson.com
6526 hashbl_acl_freemail bigtimedogperson.com
6527 hashbl_acl_freemail bigtimereader.com
6528 hashbl_acl_freemail bigtimesportsfan.com
6529 hashbl_acl_freemail bikerheaven.net
6530 hashbl_acl_freemail bikerider.com
6531 hashbl_acl_freemail bikermail.com
6532 hashbl_acl_freemail billssite.com
6533 hashbl_acl_freemail bip.net
6534 hashbl_acl_freemail birdlover.com
6535 hashbl_acl_freemail bitwiser.com
6536 hashbl_acl_freemail biz.by
6537 hashbl_acl_freemail bizerte.cc
6538 hashbl_acl_freemail bizhosting.com
6539 hashbl_acl_freemail black-sea.ro
6540 hashbl_acl_freemail blackandchristian.com
6541 hashbl_acl_freemail blackburnmail.com
6542 hashbl_acl_freemail blackcity.net
6543 hashbl_acl_freemail blackglobalnetwork.net
6544 hashbl_acl_freemail blackvault.com
6545 hashbl_acl_freemail blackvoices.com
6546 hashbl_acl_freemail blader.com
6547 hashbl_acl_freemail blida.info
6548 hashbl_acl_freemail blink182.net
6549 hashbl_acl_freemail blue.devils.com
6550 hashbl_acl_freemail bluebottle.com
6551 hashbl_acl_freemail bluemail.ch
6552 hashbl_acl_freemail blumail.org
6553 hashbl_acl_freemail blvds.com
6554 hashbl_acl_freemail bmx.lv
6555 hashbl_acl_freemail bmxtrix.com
6556 hashbl_acl_freemail boardermail.com
6557 hashbl_acl_freemail boarderzone.com
6558 hashbl_acl_freemail boatnerd.com
6559 hashbl_acl_freemail bol.com.br
6560 hashbl_acl_freemail bolando.com
6561 hashbl_acl_freemail bolbox.com
6562 hashbl_acl_freemail bollywood2000.com
6563 hashbl_acl_freemail bollywoodz.com
6564 hashbl_acl_freemail bombka.dyn.pl
6565 hashbl_acl_freemail bonbon.net
6566 hashbl_acl_freemail bongmail.com
6567 hashbl_acl_freemail boom.com
6568 hashbl_acl_freemail bootmail.com
6569 hashbl_acl_freemail bostonoffice.com
6570 hashbl_acl_freemail bowl.com
6571 hashbl_acl_freemail box.az
6572 hashbl_acl_freemail boxbg.com
6573 hashbl_acl_freemail boxemail.com
6574 hashbl_acl_freemail brain.com.pk
6575 hashbl_acl_freemail brainsurfer.de
6576 hashbl_acl_freemail brasilia.net
6577 hashbl_acl_freemail bravanese.com
6578 hashbl_acl_freemail brazilmail.com
6579 hashbl_acl_freemail brazilmail.com.br
6580 hashbl_acl_freemail breathe.com
6581 hashbl_acl_freemail brestonline.com
6582 hashbl_acl_freemail brew-master.com
6583 hashbl_acl_freemail brew-meister.com
6584 hashbl_acl_freemail brfree.com.br
6585 hashbl_acl_freemail brujula.net
6586 hashbl_acl_freemail bsdmail.com
6587 hashbl_acl_freemail btcc.org
6588 hashbl_acl_freemail buffaloes.com
6589 hashbl_acl_freemail bulgaria.com
6590 hashbl_acl_freemail bulldogs.com
6591 hashbl_acl_freemail bumerang.ro
6592 hashbl_acl_freemail buraydah.cc
6593 hashbl_acl_freemail burntmail.com
6594 hashbl_acl_freemail butch-femme.net
6595 hashbl_acl_freemail butch-femme.org
6596 hashbl_acl_freemail buzy.com
6597 hashbl_acl_freemail buzzjakkerz.com
6598 hashbl_acl_freemail byke.com
6599 hashbl_acl_freemail c-box.cz
6600 hashbl_acl_freemail c3.hu
6601 hashbl_acl_freemail c4.com
6602 hashbl_acl_freemail cadinfo.net
6603 hashbl_acl_freemail calcfacil.com.br
6604 hashbl_acl_freemail calcware.org
6605 hashbl_acl_freemail california.usa.com
6606 hashbl_acl_freemail californiamail.com
6607 hashbl_acl_freemail calle22.com
6608 hashbl_acl_freemail callnetuk.com
6609 hashbl_acl_freemail camaroclubsweden.com
6610 hashbl_acl_freemail cameroon.cc
6611 hashbl_acl_freemail canada-11.com
6612 hashbl_acl_freemail canada.com
6613 hashbl_acl_freemail canal21.com
6614 hashbl_acl_freemail cannabismail.com
6615 hashbl_acl_freemail canoemail.com
6616 hashbl_acl_freemail capsfanatic.com
6617 hashbl_acl_freemail capshockeyfan.com
6618 hashbl_acl_freemail capsred.com
6619 hashbl_acl_freemail car-nut.net
6620 hashbl_acl_freemail caramail.com
6621 hashbl_acl_freemail cardblvd.com
6622 hashbl_acl_freemail care-mail.com
6623 hashbl_acl_freemail care2.com
6624 hashbl_acl_freemail caress.com
6625 hashbl_acl_freemail carioca.net
6626 hashbl_acl_freemail cash4u.com
6627 hashbl_acl_freemail cashette.com
6628 hashbl_acl_freemail casino.com
6629 hashbl_acl_freemail casinomail.com
6630 hashbl_acl_freemail cat-person.com
6631 hashbl_acl_freemail cataloniamail.com
6632 hashbl_acl_freemail catalunyamail.com
6633 hashbl_acl_freemail cataz.com
6634 hashbl_acl_freemail catcha.com
6635 hashbl_acl_freemail catholic.org
6636 hashbl_acl_freemail caths.co.uk
6637 hashbl_acl_freemail catlover.com
6638 hashbl_acl_freemail catlovers.com
6639 hashbl_acl_freemail catpeoplerule.com
6640 hashbl_acl_freemail caxess.net
6641 hashbl_acl_freemail cbrmail.com
6642 hashbl_acl_freemail cc.lv
6643 hashbl_acl_freemail cemelli.com
6644 hashbl_acl_freemail centoper.it
6645 hashbl_acl_freemail centralpets.com
6646 hashbl_acl_freemail centrum.cz
6647 hashbl_acl_freemail centrum.sk
6648 hashbl_acl_freemail centurylink.net
6649 hashbl_acl_freemail cercaziende.it
6650 hashbl_acl_freemail certifiedbitches.com
6651 hashbl_acl_freemail cgac.es
6652 hashbl_acl_freemail chaiyo.com
6653 hashbl_acl_freemail chaiyomail.com
6654 hashbl_acl_freemail championboxing.com
6655 hashbl_acl_freemail chance2mail.com
6656 hashbl_acl_freemail channelonetv.com
6657 hashbl_acl_freemail charter.net
6658 hashbl_acl_freemail chat-with-me.com
6659 hashbl_acl_freemail chattown.com
6660 hashbl_acl_freemail chatway.com
6661 hashbl_acl_freemail cheatasrule.com
6662 hashbl_acl_freemail checkitmail.at
6663 hashbl_acl_freemail cheerful.com
6664 hashbl_acl_freemail chef.net
6665 hashbl_acl_freemail chelny.com
6666 hashbl_acl_freemail chemist.com
6667 hashbl_acl_freemail cheshiremail.com
6668 hashbl_acl_freemail chewiemail.com
6669 hashbl_acl_freemail chil-e.com
6670 hashbl_acl_freemail chillaxer.de
6671 hashbl_acl_freemail chillimail.com
6672 hashbl_acl_freemail chillymail.com
6673 hashbl_acl_freemail china.com
6674 hashbl_acl_freemail chinamail.com
6675 hashbl_acl_freemail christianmail.org
6676 hashbl_acl_freemail ciaoweb.it
6677 hashbl_acl_freemail cine.com
6678 hashbl_acl_freemail ciphercom.net
6679 hashbl_acl_freemail circlemail.com
6680 hashbl_acl_freemail cititrustbank1.cjb.net
6681 hashbl_acl_freemail citromail.hu
6682 hashbl_acl_freemail citynetusa.com
6683 hashbl_acl_freemail ciudad.com.ar
6684 hashbl_acl_freemail claramail.com
6685 hashbl_acl_freemail classicmail.co.za
6686 hashbl_acl_freemail classprod.com
6687 hashbl_acl_freemail classycouples.com
6688 hashbl_acl_freemail clerk.com
6689 hashbl_acl_freemail cliffhanger.com
6690 hashbl_acl_freemail clix.pt
6691 hashbl_acl_freemail close2you.net
6692 hashbl_acl_freemail clovermail.net
6693 hashbl_acl_freemail clubmember.org
6694 hashbl_acl_freemail cluemail.com
6695 hashbl_acl_freemail clujnapoca.ro
6696 hashbl_acl_freemail collector.org
6697 hashbl_acl_freemail collegeclub.com
6698 hashbl_acl_freemail colombia.com
6699 hashbl_acl_freemail colorado.usa.com
6700 hashbl_acl_freemail columnist.com
6701 hashbl_acl_freemail comcast.net
6702 hashbl_acl_freemail comfortable.com
6703 hashbl_acl_freemail comic.com
6704 hashbl_acl_freemail company.org.ua
6705 hashbl_acl_freemail compaqnet.fr
6706 hashbl_acl_freemail compuserve.com
6707 hashbl_acl_freemail computer.net
6708 hashbl_acl_freemail computer4u.com
6709 hashbl_acl_freemail computermail.net
6710 hashbl_acl_freemail computhouse.com
6711 hashbl_acl_freemail conevyt.org.mx
6712 hashbl_acl_freemail congiu.net
6713 hashbl_acl_freemail connect4free.net
6714 hashbl_acl_freemail connecticut.usa.com
6715 hashbl_acl_freemail consultant.com
6716 hashbl_acl_freemail contractor.net
6717 hashbl_acl_freemail coolgoose.com
6718 hashbl_acl_freemail coolkiwi.com
6719 hashbl_acl_freemail coollist.com
6720 hashbl_acl_freemail coolmail.com
6721 hashbl_acl_freemail coolmail.net
6722 hashbl_acl_freemail coolmail.ru
6723 hashbl_acl_freemail coolsend.com
6724 hashbl_acl_freemail coolshit.com
6725 hashbl_acl_freemail coolsite.net
6726 hashbl_acl_freemail cooltoad.com
6727 hashbl_acl_freemail cooperation.net
6728 hashbl_acl_freemail copacabana.com
6729 hashbl_acl_freemail copticmail.com
6730 hashbl_acl_freemail corporateattorneys.com
6731 hashbl_acl_freemail corporation.net
6732 hashbl_acl_freemail corpusmail.com
6733 hashbl_acl_freemail correios.net.br
6734 hashbl_acl_freemail correomagico.com
6735 hashbl_acl_freemail cosmo.com
6736 hashbl_acl_freemail cosmosurf.net
6737 hashbl_acl_freemail cougars.com
6738 hashbl_acl_freemail counsellor.com
6739 hashbl_acl_freemail count.com
6740 hashbl_acl_freemail countrybass.com
6741 hashbl_acl_freemail couple.com
6742 hashbl_acl_freemail coxinet.net
6743 hashbl_acl_freemail crazy4baseball.com
6744 hashbl_acl_freemail crazy4homeimprovement.com
6745 hashbl_acl_freemail crazy4mail.com
6746 hashbl_acl_freemail crazyaboutfilms.net
6747 hashbl_acl_freemail crazycarfan.com
6748 hashbl_acl_freemail crazyforemail.com
6749 hashbl_acl_freemail crazymoviefan.com
6750 hashbl_acl_freemail criticalpath.net
6751 hashbl_acl_freemail critterpost.com
6752 hashbl_acl_freemail crosspaths.net
6753 hashbl_acl_freemail crosswinds.net
6754 hashbl_acl_freemail cryingmail.com
6755 hashbl_acl_freemail cs.com
6756 hashbl_acl_freemail csucsposta.hu
6757 hashbl_acl_freemail cumbriamail.com
6758 hashbl_acl_freemail curio-city.com
6759 hashbl_acl_freemail custmail.com
6760 hashbl_acl_freemail cutey.com
6761 hashbl_acl_freemail cwazy.co.uk
6762 hashbl_acl_freemail cwazy.net
6763 hashbl_acl_freemail cww.de
6764 hashbl_acl_freemail cyber-wizard.com
6765 hashbl_acl_freemail cyberaccess.com.pk
6766 hashbl_acl_freemail cyberdude.com
6767 hashbl_acl_freemail cybergal.com
6768 hashbl_acl_freemail cybergirls.dk
6769 hashbl_acl_freemail cyberguys.dk
6770 hashbl_acl_freemail cyberkriminell.de
6771 hashbl_acl_freemail cybernet.it
6772 hashbl_acl_freemail cyberservices.com
6773 hashbl_acl_freemail cyberunlimited.org
6774 hashbl_acl_freemail cycledata.com
6775 hashbl_acl_freemail cymail.net
6776 hashbl_acl_freemail dabsol.net
6777 hashbl_acl_freemail dada.net
6778 hashbl_acl_freemail dadanet.it
6779 hashbl_acl_freemail dailypioneer.com
6780 hashbl_acl_freemail dallasmail.com
6781 hashbl_acl_freemail damuc.org.br
6782 hashbl_acl_freemail danneben.so
6783 hashbl_acl_freemail dansegulvet.com
6784 hashbl_acl_freemail darkfear.com
6785 hashbl_acl_freemail darkforces.com
6786 hashbl_acl_freemail darkhorsefan.net
6787 hashbl_acl_freemail data54.com
6788 hashbl_acl_freemail daum.net
6789 hashbl_acl_freemail davegracey.com
6790 hashbl_acl_freemail dayzers.com
6791 hashbl_acl_freemail dbmail.com
6792 hashbl_acl_freemail dbzmail.com
6793 hashbl_acl_freemail dcemail.com
6794 hashbl_acl_freemail dcsi.net
6795 hashbl_acl_freemail deacons.com
6796 hashbl_acl_freemail deadlymob.org
6797 hashbl_acl_freemail deal-maker.com
6798 hashbl_acl_freemail dearriba.com
6799 hashbl_acl_freemail degoo.com
6800 hashbl_acl_freemail delajaonline.org
6801 hashbl_acl_freemail delaware.usa.com
6802 hashbl_acl_freemail delfi.lv
6803 hashbl_acl_freemail delhimail.com
6804 hashbl_acl_freemail deliveryman.com
6805 hashbl_acl_freemail demon.deacons.com
6806 hashbl_acl_freemail denmark.ir
6807 hashbl_acl_freemail descriptivemail.com
6808 hashbl_acl_freemail desertonline.com
6809 hashbl_acl_freemail desidrivers.com
6810 hashbl_acl_freemail deskpilot.com
6811 hashbl_acl_freemail despammed.com
6812 hashbl_acl_freemail detik.com
6813 hashbl_acl_freemail devils.com
6814 hashbl_acl_freemail dexara.net
6815 hashbl_acl_freemail dhahran.cc
6816 hashbl_acl_freemail dhmail.net
6817 hashbl_acl_freemail dhofar.cc
6818 hashbl_acl_freemail di-ve.com
6819 hashbl_acl_freemail didamail.com
6820 hashbl_acl_freemail differentmail.com
6821 hashbl_acl_freemail digitaltrue.com
6822 hashbl_acl_freemail dino.lv
6823 hashbl_acl_freemail diplomats.com
6824 hashbl_acl_freemail direccion.com
6825 hashbl_acl_freemail director-general.com
6826 hashbl_acl_freemail diri.com
6827 hashbl_acl_freemail dirtythird.com
6828 hashbl_acl_freemail discardmail.com
6829 hashbl_acl_freemail disciples.com
6830 hashbl_acl_freemail discofan.com
6831 hashbl_acl_freemail discoverymail.net
6832 hashbl_acl_freemail disinfo.net
6833 hashbl_acl_freemail disposable.com
6834 hashbl_acl_freemail djibouti.cc
6835 hashbl_acl_freemail djmillenium.com
6836 hashbl_acl_freemail dmailman.com
6837 hashbl_acl_freemail dnsmadeeasy.com
6838 hashbl_acl_freemail do.net.ar
6839 hashbl_acl_freemail doctor.com
6840 hashbl_acl_freemail dodgeit.com
6841 hashbl_acl_freemail dog-person.com
6842 hashbl_acl_freemail doglover.com
6843 hashbl_acl_freemail dogmail.co.uk
6844 hashbl_acl_freemail dogpeoplerule.com
6845 hashbl_acl_freemail doityourself.com
6846 hashbl_acl_freemail domaindiscover.com
6847 hashbl_acl_freemail domainmanager.com
6848 hashbl_acl_freemail dominican.cc
6849 hashbl_acl_freemail doneasy.com
6850 hashbl_acl_freemail dontexist.org
6851 hashbl_acl_freemail dopefiends.com
6852 hashbl_acl_freemail doramail.com
6853 hashbl_acl_freemail dores.com
6854 hashbl_acl_freemail dostmail.com
6855 hashbl_acl_freemail dot5hosting.com
6856 hashbl_acl_freemail dotcom.fr
6857 hashbl_acl_freemail dotnow.com
6858 hashbl_acl_freemail dott.it
6859 hashbl_acl_freemail doubt.com
6860 hashbl_acl_freemail dplanet.ch
6861 hashbl_acl_freemail dr-dre.com
6862 hashbl_acl_freemail dr.com
6863 hashbl_acl_freemail draac.com
6864 hashbl_acl_freemail dragoncon.net
6865 hashbl_acl_freemail dragonfans.com
6866 hashbl_acl_freemail drakmail.net
6867 hashbl_acl_freemail dreamstop.com
6868 hashbl_acl_freemail dropzone.com
6869 hashbl_acl_freemail dserver.org
6870 hashbl_acl_freemail dubaiwebcity.com
6871 hashbl_acl_freemail dublin.com
6872 hashbl_acl_freemail dublin.ie
6873 hashbl_acl_freemail dustdevil.com
6874 hashbl_acl_freemail dutchmail.com
6875 hashbl_acl_freemail dynamitemail.com
6876 hashbl_acl_freemail dyndns.org
6877 hashbl_acl_freemail e-apollo.lv
6878 hashbl_acl_freemail e-hkma.com
6879 hashbl_acl_freemail e-mail.am
6880 hashbl_acl_freemail e-mail.cz
6881 hashbl_acl_freemail e-mail.ph
6882 hashbl_acl_freemail e-mailanywhere.com
6883 hashbl_acl_freemail e-milio.com
6884 hashbl_acl_freemail e-tapaal.com
6885 hashbl_acl_freemail e-webtec.com
6886 hashbl_acl_freemail earthalliance.com
6887 hashbl_acl_freemail earthling.net
6888 hashbl_acl_freemail eastmail.com
6889 hashbl_acl_freemail eastrolog.com
6890 hashbl_acl_freemail easy-pages.com
6891 hashbl_acl_freemail easy.com
6892 hashbl_acl_freemail easydoesit.com
6893 hashbl_acl_freemail easyinfomail.co.za
6894 hashbl_acl_freemail easypeasy.com
6895 hashbl_acl_freemail echina.com
6896 hashbl_acl_freemail eclub.lv
6897 hashbl_acl_freemail ecn.org
6898 hashbl_acl_freemail ecplaza.net
6899 hashbl_acl_freemail edsamail.com.ph
6900 hashbl_acl_freemail educacao.te.pt
6901 hashbl_acl_freemail edumail.co.za
6902 hashbl_acl_freemail eeism.com
6903 hashbl_acl_freemail ego.co.th
6904 hashbl_acl_freemail egypt.ir
6905 hashbl_acl_freemail egypt.net
6906 hashbl_acl_freemail eircom.net
6907 hashbl_acl_freemail ekolay.net
6908 hashbl_acl_freemail elforotv.com.ar
6909 hashbl_acl_freemail elitemail.org
6910 hashbl_acl_freemail elsitio.com
6911 hashbl_acl_freemail eltimon.com
6912 hashbl_acl_freemail elvis.com
6913 hashbl_acl_freemail elvisfan.com
6914 hashbl_acl_freemail email.bg
6915 hashbl_acl_freemail email.com
6916 hashbl_acl_freemail email.com.br
6917 hashbl_acl_freemail email.cz
6918 hashbl_acl_freemail email.it
6919 hashbl_acl_freemail email.lu
6920 hashbl_acl_freemail email.lviv.ua
6921 hashbl_acl_freemail email.nu
6922 hashbl_acl_freemail email.ro
6923 hashbl_acl_freemail email.si
6924 hashbl_acl_freemail email2me.com
6925 hashbl_acl_freemail emailacc.com
6926 hashbl_acl_freemail emailaccount.com
6927 hashbl_acl_freemail emailaddresses.com
6928 hashbl_acl_freemail emailchoice.com
6929 hashbl_acl_freemail emailcorner.net
6930 hashbl_acl_freemail emailengine.net
6931 hashbl_acl_freemail emailengine.org
6932 hashbl_acl_freemail emailfast.com
6933 hashbl_acl_freemail emailgaul.com
6934 hashbl_acl_freemail emailgroups.net
6935 hashbl_acl_freemail emailhut.net
6936 hashbl_acl_freemail emailn.de
6937 hashbl_acl_freemail emailpinoy.com
6938 hashbl_acl_freemail emailplanet.com
6939 hashbl_acl_freemail emailplus.org
6940 hashbl_acl_freemail emailuser.net
6941 hashbl_acl_freemail ematic.com
6942 hashbl_acl_freemail embarqmail.com
6943 hashbl_acl_freemail embroideryforums.com
6944 hashbl_acl_freemail eml.cc
6945 hashbl_acl_freemail emoka.ro
6946 hashbl_acl_freemail emptymail.com
6947 hashbl_acl_freemail enel.net
6948 hashbl_acl_freemail enelpunto.net
6949 hashbl_acl_freemail engineer.com
6950 hashbl_acl_freemail england.com
6951 hashbl_acl_freemail englandmail.com
6952 hashbl_acl_freemail enterate.com.ar
6953 hashbl_acl_freemail entryweb.it
6954 hashbl_acl_freemail entusiastisk.com
6955 hashbl_acl_freemail enusmail.com
6956 hashbl_acl_freemail envirocitizen.com
6957 hashbl_acl_freemail epatra.com
6958 hashbl_acl_freemail epix.net
6959 hashbl_acl_freemail epomail.com
6960 hashbl_acl_freemail epost.de
6961 hashbl_acl_freemail eprompter.com
6962 hashbl_acl_freemail eqqu.com
6963 hashbl_acl_freemail eramail.co.za
6964 hashbl_acl_freemail eresmas.com
6965 hashbl_acl_freemail eriga.lv
6966 hashbl_acl_freemail eritrea.cc
6967 hashbl_acl_freemail ertelecom.ru
6968 hashbl_acl_freemail escapeartist.com
6969 hashbl_acl_freemail esde-s.org
6970 hashbl_acl_freemail esfera.cl
6971 hashbl_acl_freemail estadao.com.br
6972 hashbl_acl_freemail etllao.com
6973 hashbl_acl_freemail euromail.net
6974 hashbl_acl_freemail europe.com
6975 hashbl_acl_freemail europemail.com
6976 hashbl_acl_freemail euroseek.com
6977 hashbl_acl_freemail euskalmail.com
6978 hashbl_acl_freemail evafan.com
6979 hashbl_acl_freemail everyday.com.kh
6980 hashbl_acl_freemail everymail.net
6981 hashbl_acl_freemail everyone.net
6982 hashbl_acl_freemail excite.co.uk
6983 hashbl_acl_freemail excite.com
6984 hashbl_acl_freemail execs.com
6985 hashbl_acl_freemail execs2k.com
6986 hashbl_acl_freemail executivemail.co.za
6987 hashbl_acl_freemail expertrenovator.com
6988 hashbl_acl_freemail expn.com
6989 hashbl_acl_freemail expressivemail.com
6990 hashbl_acl_freemail expressmail.dk
6991 hashbl_acl_freemail ezilon.com
6992 hashbl_acl_freemail ezrs.com
6993 hashbl_acl_freemail ezsweeps.com
6994 hashbl_acl_freemail f-m.fm
6995 hashbl_acl_freemail facilmail.com
6996 hashbl_acl_freemail fadrasha.net
6997 hashbl_acl_freemail fadrasha.org
6998 hashbl_acl_freemail faithhighway.com
6999 hashbl_acl_freemail faithmail.com
7000 hashbl_acl_freemail falasteen.cc
7001 hashbl_acl_freemail familymailbox.com
7002 hashbl_acl_freemail familyroll.com
7003 hashbl_acl_freemail familysafeweb.net
7004 hashbl_acl_freemail famous.as
7005 hashbl_acl_freemail fan.com
7006 hashbl_acl_freemail fan.net
7007 hashbl_acl_freemail fanaticos.com
7008 hashbl_acl_freemail fanofbooks.com
7009 hashbl_acl_freemail fanofcomputers.com
7010 hashbl_acl_freemail fanofcooking.com
7011 hashbl_acl_freemail fanoftheweb.com
7012 hashbl_acl_freemail faroweb.com
7013 hashbl_acl_freemail farts.com
7014 hashbl_acl_freemail fast-email.com
7015 hashbl_acl_freemail fast-mail.org
7016 hashbl_acl_freemail fastem.com
7017 hashbl_acl_freemail fastemail.us
7018 hashbl_acl_freemail fastemailer.com
7019 hashbl_acl_freemail fastermail.com
7020 hashbl_acl_freemail fastest.cc
7021 hashbl_acl_freemail fastimap.com
7022 hashbl_acl_freemail fastmail.co.uk
7023 hashbl_acl_freemail fastmail.com
7024 hashbl_acl_freemail fastmailbox.net
7025 hashbl_acl_freemail fastmessaging.com
7026 hashbl_acl_freemail fastservice.com
7027 hashbl_acl_freemail fastwebmail.it
7028 hashbl_acl_freemail fawz.net
7029 hashbl_acl_freemail fea.st
7030 hashbl_acl_freemail federalcontractors.com
7031 hashbl_acl_freemail fedxmail.com
7032 hashbl_acl_freemail feelingnaughty.com
7033 hashbl_acl_freemail feelings.com
7034 hashbl_acl_freemail female.ru
7035 hashbl_acl_freemail fepg.net
7036 hashbl_acl_freemail ffanet.com
7037 hashbl_acl_freemail fiberia.com
7038 hashbl_acl_freemail fieldmail.com
7039 hashbl_acl_freemail filipinolinks.com
7040 hashbl_acl_freemail financesource.com
7041 hashbl_acl_freemail financier.com
7042 hashbl_acl_freemail findmail.com
7043 hashbl_acl_freemail fireman.net
7044 hashbl_acl_freemail firemyst.com
7045 hashbl_acl_freemail fiscal.net
7046 hashbl_acl_freemail fit.lv
7047 hashbl_acl_freemail flashmail.com
7048 hashbl_acl_freemail fleetmail.com
7049 hashbl_acl_freemail flipcode.com
7050 hashbl_acl_freemail florida.usa.com
7051 hashbl_acl_freemail floridagators.com
7052 hashbl_acl_freemail fmail.co.uk
7053 hashbl_acl_freemail fmailbox.com
7054 hashbl_acl_freemail fmgirl.com
7055 hashbl_acl_freemail fmguy.com
7056 hashbl_acl_freemail fnmail.com
7057 hashbl_acl_freemail focusedonprofits.com
7058 hashbl_acl_freemail focusedonreturns.com
7059 hashbl_acl_freemail footballer.com
7060 hashbl_acl_freemail forfree.at
7061 hashbl_acl_freemail forsythmissouri.org
7062 hashbl_acl_freemail fortuncity.com
7063 hashbl_acl_freemail forum.dk
7064 hashbl_acl_freemail foxmail.com
7065 hashbl_acl_freemail free.com.pe
7066 hashbl_acl_freemail free.fr
7067 hashbl_acl_freemail free.net.nz
7068 hashbl_acl_freemail freeaccess.nl
7069 hashbl_acl_freemail freegates.be
7070 hashbl_acl_freemail freeghana.com
7071 hashbl_acl_freemail freehosting.nl
7072 hashbl_acl_freemail freei.co.th
7073 hashbl_acl_freemail freeler.nl
7074 hashbl_acl_freemail freemail.com
7075 hashbl_acl_freemail freemail.globalsite.com.br
7076 hashbl_acl_freemail freemailen.de
7077 hashbl_acl_freemail freemailn.de
7078 hashbl_acl_freemail freemuslim.net
7079 hashbl_acl_freemail freenet.de
7080 hashbl_acl_freemail freenet.kg
7081 hashbl_acl_freemail freeola.net
7082 hashbl_acl_freemail freeonline.com
7083 hashbl_acl_freemail freepgs.com
7084 hashbl_acl_freemail freesbee.fr
7085 hashbl_acl_freemail freeservers.com
7086 hashbl_acl_freemail freestart.hu
7087 hashbl_acl_freemail freesurf.ch
7088 hashbl_acl_freemail freesurf.fr
7089 hashbl_acl_freemail freesurf.nl
7090 hashbl_acl_freemail freeuk.com
7091 hashbl_acl_freemail freeuk.net
7092 hashbl_acl_freemail freeweb.it
7093 hashbl_acl_freemail freewebemail.com
7094 hashbl_acl_freemail freeyellow.com
7095 hashbl_acl_freemail frisurf.no
7096 hashbl_acl_freemail frontiernet.net
7097 hashbl_acl_freemail fsmail.net
7098 hashbl_acl_freemail fsnet.co.uk
7099 hashbl_acl_freemail ftml.net
7100 hashbl_acl_freemail fudge.com
7101 hashbl_acl_freemail fuelie.org
7102 hashbl_acl_freemail fujairah.cc
7103 hashbl_acl_freemail fujairah.us
7104 hashbl_acl_freemail fujairah.ws
7105 hashbl_acl_freemail fun-greetings-jokes.com
7106 hashbl_acl_freemail fun.21cn.com
7107 hashbl_acl_freemail funkytimes.com
7108 hashbl_acl_freemail fusemail.com
7109 hashbl_acl_freemail fut.es
7110 hashbl_acl_freemail futboladdict.com
7111 hashbl_acl_freemail gabes.cc
7112 hashbl_acl_freemail gafsa.cc
7113 hashbl_acl_freemail gala.net
7114 hashbl_acl_freemail galaxyhit.com
7115 hashbl_acl_freemail galmail.co.za
7116 hashbl_acl_freemail gamebox.net
7117 hashbl_acl_freemail gamecocks.com
7118 hashbl_acl_freemail gamerssolution.com
7119 hashbl_acl_freemail games.com
7120 hashbl_acl_freemail gardener.com
7121 hashbl_acl_freemail gawab.com
7122 hashbl_acl_freemail gay.com
7123 hashbl_acl_freemail gaymailbox.com
7124 hashbl_acl_freemail gaza.net
7125 hashbl_acl_freemail gazabo.net
7126 hashbl_acl_freemail gazeta.pl
7127 hashbl_acl_freemail gci.net
7128 hashbl_acl_freemail gdi.net
7129 hashbl_acl_freemail geeklife.com
7130 hashbl_acl_freemail gemari.or.id
7131 hashbl_acl_freemail genxemail.com
7132 hashbl_acl_freemail geologist.com
7133 hashbl_acl_freemail geopia.com
7134 hashbl_acl_freemail georgia.usa.com
7135 hashbl_acl_freemail germanymail.com
7136 hashbl_acl_freemail getintobooks.com
7137 hashbl_acl_freemail getmail.no
7138 hashbl_acl_freemail ggaweb.ch
7139 hashbl_acl_freemail giga4u.de
7140 hashbl_acl_freemail giza.cc
7141 hashbl_acl_freemail gjk.dk
7142 hashbl_acl_freemail glay.org
7143 hashbl_acl_freemail glendale.net
7144 hashbl_acl_freemail glittergrrrls.com
7145 hashbl_acl_freemail globalfree.it
7146 hashbl_acl_freemail globalpinoy.com
7147 hashbl_acl_freemail globalsite.com.br
7148 hashbl_acl_freemail globalum.com
7149 hashbl_acl_freemail globetrotter.net
7150 hashbl_acl_freemail globomail.com
7151 hashbl_acl_freemail gmail.com
7152 hashbl_acl_freemail gmx.com
7153 hashbl_acl_freemail go-bama.com
7154 hashbl_acl_freemail go-cavs.com
7155 hashbl_acl_freemail go-chargers.com
7156 hashbl_acl_freemail go-dawgs.com
7157 hashbl_acl_freemail go-gators.com
7158 hashbl_acl_freemail go-hogs.com
7159 hashbl_acl_freemail go-irish.com
7160 hashbl_acl_freemail go-spartans.com
7161 hashbl_acl_freemail go-tigers.com
7162 hashbl_acl_freemail go.aggies.com
7163 hashbl_acl_freemail go.air-force.com
7164 hashbl_acl_freemail go.badgers.com
7165 hashbl_acl_freemail go.big-orange.com
7166 hashbl_acl_freemail go.blue.devils.com
7167 hashbl_acl_freemail go.buffaloes.com
7168 hashbl_acl_freemail go.bulldogs.com
7169 hashbl_acl_freemail go.com
7170 hashbl_acl_freemail go.cougars.com
7171 hashbl_acl_freemail go.dores.com
7172 hashbl_acl_freemail go.gamecocks.com
7173 hashbl_acl_freemail go.huskies.com
7174 hashbl_acl_freemail go.longhorns.com
7175 hashbl_acl_freemail go.mustangs.com
7176 hashbl_acl_freemail go.rebels.com
7177 hashbl_acl_freemail go.ro
7178 hashbl_acl_freemail go.ru
7179 hashbl_acl_freemail go.terrapins.com
7180 hashbl_acl_freemail go.wildcats.com
7181 hashbl_acl_freemail go.wolverines.com
7182 hashbl_acl_freemail go.yellow-jackets.com
7183 hashbl_acl_freemail go2net.com
7184 hashbl_acl_freemail go4.it
7185 hashbl_acl_freemail goatrance.com
7186 hashbl_acl_freemail goddess.com
7187 hashbl_acl_freemail gofree.co.uk
7188 hashbl_acl_freemail gohip.com
7189 hashbl_acl_freemail golfemail.com
7190 hashbl_acl_freemail goliadtexas.com
7191 hashbl_acl_freemail gomail.com.ua
7192 hashbl_acl_freemail gonowmail.com
7193 hashbl_acl_freemail gonuts4free.com
7194 hashbl_acl_freemail googlemail.com
7195 hashbl_acl_freemail goplay.com
7196 hashbl_acl_freemail gorontalo.net
7197 hashbl_acl_freemail gospelcity.com
7198 hashbl_acl_freemail gothicgirl.com
7199 hashbl_acl_freemail gotmail.com
7200 hashbl_acl_freemail gotomy.com
7201 hashbl_acl_freemail govzone.com
7202 hashbl_acl_freemail grad.com
7203 hashbl_acl_freemail graduate.org
7204 hashbl_acl_freemail graffiti.net
7205 hashbl_acl_freemail grapemail.net
7206 hashbl_acl_freemail graphic-designer.com
7207 hashbl_acl_freemail gratisweb.com
7208 hashbl_acl_freemail greatautos.org
7209 hashbl_acl_freemail greenmail.net
7210 hashbl_acl_freemail groupmail.com
7211 hashbl_acl_freemail gtechnics.com
7212 hashbl_acl_freemail guate.net
7213 hashbl_acl_freemail guessmail.com
7214 hashbl_acl_freemail guinea.cc
7215 hashbl_acl_freemail guy.com
7216 hashbl_acl_freemail gwalla.com
7217 hashbl_acl_freemail h-mail.us
7218 hashbl_acl_freemail haberx.com
7219 hashbl_acl_freemail hacker.am
7220 hashbl_acl_freemail hackermail.com
7221 hashbl_acl_freemail hail2theskins.com
7222 hashbl_acl_freemail hailmail.net
7223 hashbl_acl_freemail hairdresser.net
7224 hashbl_acl_freemail haitisurf.com
7225 hashbl_acl_freemail halejob.com
7226 hashbl_acl_freemail hamptonroads.com
7227 hashbl_acl_freemail hamra.cc
7228 hashbl_acl_freemail handbag.com
7229 hashbl_acl_freemail hanmail.net
7230 hashbl_acl_freemail happemail.com
7231 hashbl_acl_freemail happycounsel.com
7232 hashbl_acl_freemail happyhippo.com
7233 hashbl_acl_freemail hasakah.com
7234 hashbl_acl_freemail hateinthebox.com
7235 hashbl_acl_freemail hawaii.com
7236 hashbl_acl_freemail hawaii.usa.com
7237 hashbl_acl_freemail hayahaya.tg
7238 hashbl_acl_freemail hebron.tv
7239 hashbl_acl_freemail hedgeai.com
7240 hashbl_acl_freemail heesun.net
7241 hashbl_acl_freemail heremail.com
7242 hashbl_acl_freemail hetnet.nl
7243 hashbl_acl_freemail highveldmail.co.za
7244 hashbl_acl_freemail hilarious.com
7245 hashbl_acl_freemail hildebrands.de
7246 hashbl_acl_freemail hingis.org
7247 hashbl_acl_freemail hiphopfan.com
7248 hashbl_acl_freemail hispavista.com
7249 hashbl_acl_freemail hitmanrecords.com
7250 hashbl_acl_freemail hitthepuck.com
7251 hashbl_acl_freemail hockeyghiaccio.com
7252 hashbl_acl_freemail hockeymail.com
7253 hashbl_acl_freemail holapuravida.com
7254 hashbl_acl_freemail home.no.net
7255 hashbl_acl_freemail home.ro
7256 hashbl_acl_freemail home.se
7257 hashbl_acl_freemail homelocator.com
7258 hashbl_acl_freemail homemail.co.za
7259 hashbl_acl_freemail homemail.com
7260 hashbl_acl_freemail homenetmail.com
7261 hashbl_acl_freemail homestead.com
7262 hashbl_acl_freemail homosexual.net
7263 hashbl_acl_freemail homs.cc
7264 hashbl_acl_freemail hong-kong-1.com
7265 hashbl_acl_freemail hongkong.com
7266 hashbl_acl_freemail hopthu.com
7267 hashbl_acl_freemail hosanna.net
7268 hashbl_acl_freemail hot-shot.com
7269 hashbl_acl_freemail hot.ee
7270 hashbl_acl_freemail hotbot.com
7271 hashbl_acl_freemail hotbox.ru
7272 hashbl_acl_freemail hotcoolmail.com
7273 hashbl_acl_freemail hotdak.com
7274 hashbl_acl_freemail hotfire.net
7275 hashbl_acl_freemail hotinbox.com
7276 hashbl_acl_freemail hotmail.co.uk
7277 hashbl_acl_freemail hotmail.com
7278 hashbl_acl_freemail hotpop.com
7279 hashbl_acl_freemail hotvoice.com
7280 hashbl_acl_freemail hour.com
7281 hashbl_acl_freemail housemail.com
7282 hashbl_acl_freemail houseofhorrors.com
7283 hashbl_acl_freemail howling.com
7284 hashbl_acl_freemail hugkiss.com
7285 hashbl_acl_freemail huhmail.com
7286 hashbl_acl_freemail hullnumber.com
7287 hashbl_acl_freemail human.lv
7288 hashbl_acl_freemail humanoid.net
7289 hashbl_acl_freemail humour.com
7290 hashbl_acl_freemail hurra.de
7291 hashbl_acl_freemail hush.ai
7292 hashbl_acl_freemail hush.com
7293 hashbl_acl_freemail hushmail.com
7294 hashbl_acl_freemail huskies.com
7295 hashbl_acl_freemail hutchcity.com
7296 hashbl_acl_freemail i-dig-movies.com
7297 hashbl_acl_freemail i-france.com
7298 hashbl_acl_freemail i-love-restaurants.com
7299 hashbl_acl_freemail i-p.com
7300 hashbl_acl_freemail i12.com
7301 hashbl_acl_freemail i2828.com
7302 hashbl_acl_freemail ibatam.com
7303 hashbl_acl_freemail ibest.com.br
7304 hashbl_acl_freemail ibizdns.com
7305 hashbl_acl_freemail ibra.cc
7306 hashbl_acl_freemail icafe.com
7307 hashbl_acl_freemail ice.is
7308 hashbl_acl_freemail icestorm.com
7309 hashbl_acl_freemail icloud.com
7310 hashbl_acl_freemail icq.com
7311 hashbl_acl_freemail icq.ir
7312 hashbl_acl_freemail icqmail.com
7313 hashbl_acl_freemail icrazy.com
7314 hashbl_acl_freemail id.ru
7315 hashbl_acl_freemail idaho.usa.com
7316 hashbl_acl_freemail idigcomputers.com
7317 hashbl_acl_freemail idigelectronics.com
7318 hashbl_acl_freemail idigvideos.com
7319 hashbl_acl_freemail idirect.com
7320 hashbl_acl_freemail idncafe.com
7321 hashbl_acl_freemail idunno4recipes.com
7322 hashbl_acl_freemail ieg.com.br
7323 hashbl_acl_freemail iespalomeras.net
7324 hashbl_acl_freemail iespana.es
7325 hashbl_acl_freemail ifrance.com
7326 hashbl_acl_freemail ig.com.br
7327 hashbl_acl_freemail ignazio.it
7328 hashbl_acl_freemail ihatenetscape.com
7329 hashbl_acl_freemail ilike2helpothers.com
7330 hashbl_acl_freemail ilike2invest.com
7331 hashbl_acl_freemail ilike2workout.com
7332 hashbl_acl_freemail ilikeelectronics.com
7333 hashbl_acl_freemail ilikeworkingout.com
7334 hashbl_acl_freemail illinois.usa.com
7335 hashbl_acl_freemail ilovehomeprojects.com
7336 hashbl_acl_freemail iloveourteam.com
7337 hashbl_acl_freemail iloveworkingout.com
7338 hashbl_acl_freemail ilse.net
7339 hashbl_acl_freemail ilse.nl
7340 hashbl_acl_freemail imail.ru
7341 hashbl_acl_freemail imailbox.com
7342 hashbl_acl_freemail imap-mail.com
7343 hashbl_acl_freemail imap.cc
7344 hashbl_acl_freemail imapmail.org
7345 hashbl_acl_freemail imel.org
7346 hashbl_acl_freemail in-box.net
7347 hashbl_acl_freemail in.com
7348 hashbl_acl_freemail in2autos.net
7349 hashbl_acl_freemail iname.acom
7350 hashbl_acl_freemail iname.com
7351 hashbl_acl_freemail inbox.com
7352 hashbl_acl_freemail inbox.ge
7353 hashbl_acl_freemail inbox.lv
7354 hashbl_acl_freemail inbox.net
7355 hashbl_acl_freemail inbox.ru
7356 hashbl_acl_freemail incamail.com
7357 hashbl_acl_freemail indexa.fr
7358 hashbl_acl_freemail india.com
7359 hashbl_acl_freemail indiamail.com
7360 hashbl_acl_freemail indiana.usa.com
7361 hashbl_acl_freemail indiatimes.com
7362 hashbl_acl_freemail induquimica.org
7363 hashbl_acl_freemail inet.com.ua
7364 hashbl_acl_freemail infinito.it
7365 hashbl_acl_freemail infoapex.com
7366 hashbl_acl_freemail infohq.com
7367 hashbl_acl_freemail infomail.es
7368 hashbl_acl_freemail infomart.or.jp
7369 hashbl_acl_freemail infosat.net
7370 hashbl_acl_freemail infovia.com.ar
7371 hashbl_acl_freemail inicia.es
7372 hashbl_acl_freemail inmail.sk
7373 hashbl_acl_freemail inmail24.com
7374 hashbl_acl_freemail innocent.com
7375 hashbl_acl_freemail inorbit.com
7376 hashbl_acl_freemail inoutbox.com
7377 hashbl_acl_freemail instruction.com
7378 hashbl_acl_freemail instructor.net
7379 hashbl_acl_freemail insurer.com
7380 hashbl_acl_freemail intelnet.net.gt
7381 hashbl_acl_freemail intelnett.com
7382 hashbl_acl_freemail interblod.com
7383 hashbl_acl_freemail interestedinthejob.com
7384 hashbl_acl_freemail interfree.it
7385 hashbl_acl_freemail interia.pl
7386 hashbl_acl_freemail interlap.com.ar
7387 hashbl_acl_freemail intermail.hu
7388 hashbl_acl_freemail internet-e-mail.com
7389 hashbl_acl_freemail internet-mail.org
7390 hashbl_acl_freemail internet.lu
7391 hashbl_acl_freemail internetegypt.com
7392 hashbl_acl_freemail internetemails.net
7393 hashbl_acl_freemail internetmailing.net
7394 hashbl_acl_freemail intimatefire.com
7395 hashbl_acl_freemail intomotors.com
7396 hashbl_acl_freemail inwind.it
7397 hashbl_acl_freemail iobox.com
7398 hashbl_acl_freemail iobox.fi
7399 hashbl_acl_freemail iol.it
7400 hashbl_acl_freemail iol.pt
7401 hashbl_acl_freemail iowa.usa.com
7402 hashbl_acl_freemail ip3.com
7403 hashbl_acl_freemail ipermitmail.com
7404 hashbl_acl_freemail iphon.biz
7405 hashbl_acl_freemail iqemail.com
7406 hashbl_acl_freemail iquebec.com
7407 hashbl_acl_freemail ir.ae
7408 hashbl_acl_freemail iran.com
7409 hashbl_acl_freemail irangate.net
7410 hashbl_acl_freemail iraq.ir
7411 hashbl_acl_freemail irbid.ws
7412 hashbl_acl_freemail ire.ir
7413 hashbl_acl_freemail ireland.ir
7414 hashbl_acl_freemail irelandmail.com
7415 hashbl_acl_freemail irow.com
7416 hashbl_acl_freemail irr.ir
7417 hashbl_acl_freemail iscool.net
7418 hashbl_acl_freemail islandmama.com
7419 hashbl_acl_freemail ismailia.cc
7420 hashbl_acl_freemail ismart.net
7421 hashbl_acl_freemail isonews2.com
7422 hashbl_acl_freemail isonfire.com
7423 hashbl_acl_freemail isp9.net
7424 hashbl_acl_freemail ispey.com
7425 hashbl_acl_freemail israelmail.com
7426 hashbl_acl_freemail ist-der-mann.de
7427 hashbl_acl_freemail ist-der-wahnsinn.de
7428 hashbl_acl_freemail ist-echt.so
7429 hashbl_acl_freemail ist-genialer.de
7430 hashbl_acl_freemail ist-schlauer.de
7431 hashbl_acl_freemail ist-supersexy.de
7432 hashbl_acl_freemail istecht.so
7433 hashbl_acl_freemail italymail.com
7434 hashbl_acl_freemail itelgua.com
7435 hashbl_acl_freemail itloox.com
7436 hashbl_acl_freemail itmom.com
7437 hashbl_acl_freemail ivenus.com
7438 hashbl_acl_freemail iwan-fals.com
7439 hashbl_acl_freemail iwatchrealitytv.com
7440 hashbl_acl_freemail iwon.com
7441 hashbl_acl_freemail ixp.net
7442 hashbl_acl_freemail jadida.cc
7443 hashbl_acl_freemail jadida.org
7444 hashbl_acl_freemail japan.com
7445 hashbl_acl_freemail jaydemail.com
7446 hashbl_acl_freemail jazzemail.com
7447 hashbl_acl_freemail jedrzejow.pl
7448 hashbl_acl_freemail jerash.cc
7449 hashbl_acl_freemail jetemail.net
7450 hashbl_acl_freemail jingjo.net
7451 hashbl_acl_freemail jippii.fi
7452 hashbl_acl_freemail jizan.cc
7453 hashbl_acl_freemail jmail.co.za
7454 hashbl_acl_freemail job4u.com
7455 hashbl_acl_freemail jojomail.com
7456 hashbl_acl_freemail jouf.cc
7457 hashbl_acl_freemail journalist.com
7458 hashbl_acl_freemail jovem.te.pt
7459 hashbl_acl_freemail joymail.com
7460 hashbl_acl_freemail jpg.ir
7461 hashbl_acl_freemail juanitabynum.com
7462 hashbl_acl_freemail jubii.dk
7463 hashbl_acl_freemail jubiipost.dk
7464 hashbl_acl_freemail jumpy.it
7465 hashbl_acl_freemail juno.com
7466 hashbl_acl_freemail justemail.net
7467 hashbl_acl_freemail justmailz.com
7468 hashbl_acl_freemail k.ro
7469 hashbl_acl_freemail kaazoo.com
7470 hashbl_acl_freemail kabissa.org
7471 hashbl_acl_freemail kairouan.cc
7472 hashbl_acl_freemail kaixo.com
7473 hashbl_acl_freemail kalluritimes.com
7474 hashbl_acl_freemail kalpoint.com
7475 hashbl_acl_freemail kann.so
7476 hashbl_acl_freemail kanoodle.com
7477 hashbl_acl_freemail kansas.usa.com
7478 hashbl_acl_freemail karak.cc
7479 hashbl_acl_freemail katamail.com
7480 hashbl_acl_freemail kataweb.it
7481 hashbl_acl_freemail kayafmmail.co.za
7482 hashbl_acl_freemail keko.com.ar
7483 hashbl_acl_freemail kentucky.usa.com
7484 hashbl_acl_freemail keptprivate.com
7485 hashbl_acl_freemail keromail.com
7486 hashbl_acl_freemail khaimah.cc
7487 hashbl_acl_freemail khartoum.cc
7488 hashbl_acl_freemail khobar.cc
7489 hashbl_acl_freemail kickboxing.com
7490 hashbl_acl_freemail kidrock.com
7491 hashbl_acl_freemail kimo.com
7492 hashbl_acl_freemail kinkyemail.com
7493 hashbl_acl_freemail kissfans.com
7494 hashbl_acl_freemail kittymail.com
7495 hashbl_acl_freemail kiwitown.com
7496 hashbl_acl_freemail klik.it
7497 hashbl_acl_freemail klikni.cz
7498 hashbl_acl_freemail kmtn.ru
7499 hashbl_acl_freemail koko.com
7500 hashbl_acl_freemail kolozsvar.ro
7501 hashbl_acl_freemail kombud.com
7502 hashbl_acl_freemail kool-things.com
7503 hashbl_acl_freemail koreamail.com
7504 hashbl_acl_freemail koreanmail.com
7505 hashbl_acl_freemail kotaksuratku.info
7506 hashbl_acl_freemail krunis.com
7507 hashbl_acl_freemail ksa.ir
7508 hashbl_acl_freemail kukamail.com
7509 hashbl_acl_freemail kuronowish.com
7510 hashbl_acl_freemail kuwait.ir
7511 hashbl_acl_freemail kuwaiti.tv
7512 hashbl_acl_freemail kyokodate.com
7513 hashbl_acl_freemail kyokofukada.net
7514 hashbl_acl_freemail kyrgyzstan.cc
7515 hashbl_acl_freemail ladymail.cz
7516 hashbl_acl_freemail lagoon.nc
7517 hashbl_acl_freemail lahaonline.com
7518 hashbl_acl_freemail lamalla.net
7519 hashbl_acl_freemail lancsmail.com
7520 hashbl_acl_freemail land.ru
7521 hashbl_acl_freemail laposte.net
7522 hashbl_acl_freemail latakia.cc
7523 hashbl_acl_freemail latchess.com
7524 hashbl_acl_freemail latinabarbie.com
7525 hashbl_acl_freemail latinmail.com
7526 hashbl_acl_freemail latinogreeks.com
7527 hashbl_acl_freemail lawyer.com
7528 hashbl_acl_freemail lawyersmail.com
7529 hashbl_acl_freemail lawyerzone.com
7530 hashbl_acl_freemail lebanese.cc
7531 hashbl_acl_freemail lebanonatlas.com
7532 hashbl_acl_freemail leehom.net
7533 hashbl_acl_freemail leesville.com
7534 hashbl_acl_freemail legislator.com
7535 hashbl_acl_freemail lemondrop.com
7536 hashbl_acl_freemail leonardo.it
7537 hashbl_acl_freemail leonlai.net
7538 hashbl_acl_freemail letsjam.com
7539 hashbl_acl_freemail letterbox.org
7540 hashbl_acl_freemail letterboxes.org
7541 hashbl_acl_freemail levele.com
7542 hashbl_acl_freemail lexpress.net
7543 hashbl_acl_freemail libero.it
7544 hashbl_acl_freemail liberomail.com
7545 hashbl_acl_freemail libertysurf.net
7546 hashbl_acl_freemail libre.net
7547 hashbl_acl_freemail lightwines.org
7548 hashbl_acl_freemail linkmaster.com
7549 hashbl_acl_freemail linuxfreemail.com
7550 hashbl_acl_freemail linuxmail.org
7551 hashbl_acl_freemail lionsfan.com.au
7552 hashbl_acl_freemail live.com
7553 hashbl_acl_freemail livedoor.com
7554 hashbl_acl_freemail llandudno.com
7555 hashbl_acl_freemail llangollen.com
7556 hashbl_acl_freemail lmxmail.sk
7557 hashbl_acl_freemail lobbyist.com
7558 hashbl_acl_freemail loggain.net
7559 hashbl_acl_freemail loggain.nu
7560 hashbl_acl_freemail lolnetwork.net
7561 hashbl_acl_freemail london.com
7562 hashbl_acl_freemail london.ir
7563 hashbl_acl_freemail longhorns.com
7564 hashbl_acl_freemail look.com
7565 hashbl_acl_freemail looksmart.co.uk
7566 hashbl_acl_freemail looksmart.com
7567 hashbl_acl_freemail looksmart.com.au
7568 hashbl_acl_freemail loteria.net
7569 hashbl_acl_freemail lotonazo.com
7570 hashbl_acl_freemail louisiana.usa.com
7571 hashbl_acl_freemail louiskoo.com
7572 hashbl_acl_freemail love2exercise.com
7573 hashbl_acl_freemail love2workout.com
7574 hashbl_acl_freemail loveable.com
7575 hashbl_acl_freemail lovecat.com
7576 hashbl_acl_freemail loveemail.com
7577 hashbl_acl_freemail lovefantasysports.com
7578 hashbl_acl_freemail loveis.lv
7579 hashbl_acl_freemail lovemail.com
7580 hashbl_acl_freemail lovetoexercise.com
7581 hashbl_acl_freemail lovingjesus.com
7582 hashbl_acl_freemail lowrider.com
7583 hashbl_acl_freemail lpemail.com
7584 hashbl_acl_freemail lubnan.cc
7585 hashbl_acl_freemail lubnan.ws
7586 hashbl_acl_freemail lucky7lotto.net
7587 hashbl_acl_freemail luckymail.com
7588 hashbl_acl_freemail luso.pt
7589 hashbl_acl_freemail lusoweb.pt
7590 hashbl_acl_freemail luukku.com
7591 hashbl_acl_freemail luvfishing.com
7592 hashbl_acl_freemail luvgolfing.com
7593 hashbl_acl_freemail luvsoccer.com
7594 hashbl_acl_freemail lv-inter.net
7595 hashbl_acl_freemail lycos.co.uk
7596 hashbl_acl_freemail lycos.com
7597 hashbl_acl_freemail lycosmail.com
7598 hashbl_acl_freemail mac.com
7599 hashbl_acl_freemail machinecandy.com
7600 hashbl_acl_freemail macmail.com
7601 hashbl_acl_freemail mad.scientist.com
7602 hashbl_acl_freemail madcrazy.com
7603 hashbl_acl_freemail madeniggaz.net
7604 hashbl_acl_freemail madinah.cc
7605 hashbl_acl_freemail madonnafan.com
7606 hashbl_acl_freemail madonno.com
7607 hashbl_acl_freemail madrid.com
7608 hashbl_acl_freemail mag-spam.net
7609 hashbl_acl_freemail mag2.com
7610 hashbl_acl_freemail maghreb.cc
7611 hashbl_acl_freemail magicmail.co.za
7612 hashbl_acl_freemail magik-net.com
7613 hashbl_acl_freemail mail-atlas.net
7614 hashbl_acl_freemail mail-awu.de
7615 hashbl_acl_freemail mail-box.cz
7616 hashbl_acl_freemail mail-center.com
7617 hashbl_acl_freemail mail-central.com
7618 hashbl_acl_freemail mail-jp.org
7619 hashbl_acl_freemail mail-me.com
7620 hashbl_acl_freemail mail-on.us
7621 hashbl_acl_freemail mail-online.dk
7622 hashbl_acl_freemail mail-page.com
7623 hashbl_acl_freemail mail-x-change.com
7624 hashbl_acl_freemail mail.austria.com
7625 hashbl_acl_freemail mail.az
7626 hashbl_acl_freemail mail.be
7627 hashbl_acl_freemail mail.bg
7628 hashbl_acl_freemail mail.bulgaria.com
7629 hashbl_acl_freemail mail.by
7630 hashbl_acl_freemail mail.co.za
7631 hashbl_acl_freemail mail.com
7632 hashbl_acl_freemail mail.de
7633 hashbl_acl_freemail mail.dk
7634 hashbl_acl_freemail mail.ee
7635 hashbl_acl_freemail mail.goo.ne.jp
7636 hashbl_acl_freemail mail.gr
7637 hashbl_acl_freemail mail.lawguru.com
7638 hashbl_acl_freemail mail.md
7639 hashbl_acl_freemail mail.mn
7640 hashbl_acl_freemail mail.org
7641 hashbl_acl_freemail mail.pf
7642 hashbl_acl_freemail mail.pt
7643 hashbl_acl_freemail mail.ru
7644 hashbl_acl_freemail mail.yahoo.co.jp
7645 hashbl_acl_freemail mail15.com
7646 hashbl_acl_freemail mail3000.com
7647 hashbl_acl_freemail mail333.com
7648 hashbl_acl_freemail mail4me.com
7649 hashbl_acl_freemail mail8.com
7650 hashbl_acl_freemail mailandftp.com
7651 hashbl_acl_freemail mailandnews.com
7652 hashbl_acl_freemail mailas.com
7653 hashbl_acl_freemail mailasia.com
7654 hashbl_acl_freemail mailbg.com
7655 hashbl_acl_freemail mailblocks.com
7656 hashbl_acl_freemail mailbolt.com
7657 hashbl_acl_freemail mailbomb.com
7658 hashbl_acl_freemail mailbox.as
7659 hashbl_acl_freemail mailbox.co.za
7660 hashbl_acl_freemail mailbox.gr
7661 hashbl_acl_freemail mailbox.hu
7662 hashbl_acl_freemail mailbox.sk
7663 hashbl_acl_freemail mailc.net
7664 hashbl_acl_freemail mailcan.com
7665 hashbl_acl_freemail mailcircuit.com
7666 hashbl_acl_freemail mailclub.fr
7667 hashbl_acl_freemail mailclub.net
7668 hashbl_acl_freemail maildozy.com
7669 hashbl_acl_freemail mailfly.com
7670 hashbl_acl_freemail mailforce.net
7671 hashbl_acl_freemail mailftp.com
7672 hashbl_acl_freemail mailglobal.net
7673 hashbl_acl_freemail mailhaven.com
7674 hashbl_acl_freemail mailinator.com
7675 hashbl_acl_freemail mailingaddress.org
7676 hashbl_acl_freemail mailingweb.com
7677 hashbl_acl_freemail mailisent.com
7678 hashbl_acl_freemail mailite.com
7679 hashbl_acl_freemail mailme.dk
7680 hashbl_acl_freemail mailmight.com
7681 hashbl_acl_freemail mailmij.nl
7682 hashbl_acl_freemail mailnew.com
7683 hashbl_acl_freemail mailops.com
7684 hashbl_acl_freemail mailpanda.com
7685 hashbl_acl_freemail mailpersonal.com
7686 hashbl_acl_freemail mailroom.com
7687 hashbl_acl_freemail mailru.com
7688 hashbl_acl_freemail mails.de
7689 hashbl_acl_freemail mailsent.net
7690 hashbl_acl_freemail mailserver.dk
7691 hashbl_acl_freemail mailservice.ms
7692 hashbl_acl_freemail mailsnare.net
7693 hashbl_acl_freemail mailsurf.com
7694 hashbl_acl_freemail mailup.net
7695 hashbl_acl_freemail mailvault.com
7696 hashbl_acl_freemail mailworks.org
7697 hashbl_acl_freemail maine.usa.com
7698 hashbl_acl_freemail majorana.martina-franca.ta.it
7699 hashbl_acl_freemail majorgolfer.com
7700 hashbl_acl_freemail majorshopaholic.com
7701 hashbl_acl_freemail majortechie.com
7702 hashbl_acl_freemail maktoob.com
7703 hashbl_acl_freemail malayalamtelevision.net
7704 hashbl_acl_freemail malayalapathram.com
7705 hashbl_acl_freemail male.ru
7706 hashbl_acl_freemail manager.de
7707 hashbl_acl_freemail manama.cc
7708 hashbl_acl_freemail manlymail.net
7709 hashbl_acl_freemail mansoura.tv
7710 hashbl_acl_freemail mantrafreenet.com
7711 hashbl_acl_freemail mantramail.com
7712 hashbl_acl_freemail mantraonline.com
7713 hashbl_acl_freemail marchmail.com
7714 hashbl_acl_freemail marihuana.ro
7715 hashbl_acl_freemail marijuana.nl
7716 hashbl_acl_freemail marillion.net
7717 hashbl_acl_freemail marketweighton.com
7718 hashbl_acl_freemail marrakesh.cc
7719 hashbl_acl_freemail maryland.usa.com
7720 hashbl_acl_freemail mascara.ws
7721 hashbl_acl_freemail masrawy.com
7722 hashbl_acl_freemail massachusetts.usa.com
7723 hashbl_acl_freemail mauimail.com
7724 hashbl_acl_freemail mbox.com.au
7725 hashbl_acl_freemail mcom.com
7726 hashbl_acl_freemail mcrmail.com
7727 hashbl_acl_freemail me.by
7728 hashbl_acl_freemail me.com
7729 hashbl_acl_freemail medicinatv.com
7730 hashbl_acl_freemail meetingmall.com
7731 hashbl_acl_freemail mega-schlau.de
7732 hashbl_acl_freemail megamail.pt
7733 hashbl_acl_freemail megarave.com
7734 hashbl_acl_freemail meknes.cc
7735 hashbl_acl_freemail menara.ma
7736 hashbl_acl_freemail merseymail.com
7737 hashbl_acl_freemail mesra.net
7738 hashbl_acl_freemail messagez.com
7739 hashbl_acl_freemail metacrawler.com
7740 hashbl_acl_freemail metalfan.com
7741 hashbl_acl_freemail mexico.com
7742 hashbl_acl_freemail mexicomail.com
7743 hashbl_acl_freemail miaoweb.net
7744 hashbl_acl_freemail michigan.usa.com
7745 hashbl_acl_freemail micro2media.com
7746 hashbl_acl_freemail miesto.sk
7747 hashbl_acl_freemail mighty.co.za
7748 hashbl_acl_freemail milacamn.net
7749 hashbl_acl_freemail milmail.com
7750 hashbl_acl_freemail mindless.com
7751 hashbl_acl_freemail mindviz.com
7752 hashbl_acl_freemail minister.com
7753 hashbl_acl_freemail minnesota.usa.com
7754 hashbl_acl_freemail mississippi.usa.com
7755 hashbl_acl_freemail missouri.usa.com
7756 hashbl_acl_freemail mixmail.com
7757 hashbl_acl_freemail ml1.net
7758 hashbl_acl_freemail ml2clan.com
7759 hashbl_acl_freemail mlanime.com
7760 hashbl_acl_freemail mm.st
7761 hashbl_acl_freemail mmail.com
7762 hashbl_acl_freemail mobimail.mn
7763 hashbl_acl_freemail mobsters.com
7764 hashbl_acl_freemail mobstop.com
7765 hashbl_acl_freemail modemnet.net
7766 hashbl_acl_freemail modomail.com
7767 hashbl_acl_freemail mofa.com
7768 hashbl_acl_freemail moldova.com
7769 hashbl_acl_freemail moldovacc.com
7770 hashbl_acl_freemail monarchy.com
7771 hashbl_acl_freemail montana.usa.com
7772 hashbl_acl_freemail montevideo.com.uy
7773 hashbl_acl_freemail moomia.com
7774 hashbl_acl_freemail moose-mail.com
7775 hashbl_acl_freemail mosaicfx.com
7776 hashbl_acl_freemail moscowmail.com
7777 hashbl_acl_freemail motley.com
7778 hashbl_acl_freemail motor-nut.com
7779 hashbl_acl_freemail motormania.com
7780 hashbl_acl_freemail movemail.com
7781 hashbl_acl_freemail moviefan.com
7782 hashbl_acl_freemail mr.outblaze.com
7783 hashbl_acl_freemail mrspender.com
7784 hashbl_acl_freemail mscold.com
7785 hashbl_acl_freemail msn.co.uk
7786 hashbl_acl_freemail msn.com
7787 hashbl_acl_freemail msnzone.cn
7788 hashbl_acl_freemail mundo-r.com
7789 hashbl_acl_freemail munich.com
7790 hashbl_acl_freemail muscat.tv
7791 hashbl_acl_freemail muscat.ws
7792 hashbl_acl_freemail music.com
7793 hashbl_acl_freemail musician.net
7794 hashbl_acl_freemail musician.org
7795 hashbl_acl_freemail musicsites.com
7796 hashbl_acl_freemail muslim.com
7797 hashbl_acl_freemail muslimsonline.com
7798 hashbl_acl_freemail muss.so
7799 hashbl_acl_freemail mustangs.com
7800 hashbl_acl_freemail mxs.de
7801 hashbl_acl_freemail myblue.cc
7802 hashbl_acl_freemail mycabin.com
7803 hashbl_acl_freemail mycapitalsmail.com
7804 hashbl_acl_freemail mycatiscool.com
7805 hashbl_acl_freemail mycity.com
7806 hashbl_acl_freemail mycommail.com
7807 hashbl_acl_freemail mycool.com
7808 hashbl_acl_freemail mydomain.com
7809 hashbl_acl_freemail myeweb.com
7810 hashbl_acl_freemail myfantasyteamrules.com
7811 hashbl_acl_freemail myfastmail.com
7812 hashbl_acl_freemail myfunnymail.com
7813 hashbl_acl_freemail mygamingconsoles.com
7814 hashbl_acl_freemail mygrande.net
7815 hashbl_acl_freemail myiris.com
7816 hashbl_acl_freemail myjazzmail.com
7817 hashbl_acl_freemail mykolab.com
7818 hashbl_acl_freemail mymacmail.com
7819 hashbl_acl_freemail mymail.dk
7820 hashbl_acl_freemail mymail.ph.inter.net
7821 hashbl_acl_freemail mymail.ro
7822 hashbl_acl_freemail mynet.com
7823 hashbl_acl_freemail mynet.com.tr
7824 hashbl_acl_freemail myopera.com
7825 hashbl_acl_freemail myotw.net
7826 hashbl_acl_freemail myownemail.com
7827 hashbl_acl_freemail mypersonalemail.com
7828 hashbl_acl_freemail myplace.com
7829 hashbl_acl_freemail myrealbox.com
7830 hashbl_acl_freemail myself.com
7831 hashbl_acl_freemail myspace.com
7832 hashbl_acl_freemail myt.mu
7833 hashbl_acl_freemail myteamisbest.com
7834 hashbl_acl_freemail myway.com
7835 hashbl_acl_freemail mzgchaos.de
7836 hashbl_acl_freemail n2.com
7837 hashbl_acl_freemail n2business.com
7838 hashbl_acl_freemail n2mail.com
7839 hashbl_acl_freemail n2software.com
7840 hashbl_acl_freemail nabble.com
7841 hashbl_acl_freemail nabeul.cc
7842 hashbl_acl_freemail nabeul.info
7843 hashbl_acl_freemail nablus.cc
7844 hashbl_acl_freemail nador.cc
7845 hashbl_acl_freemail najaf.cc
7846 hashbl_acl_freemail name.com
7847 hashbl_acl_freemail nameplanet.com
7848 hashbl_acl_freemail nanamail.co.il
7849 hashbl_acl_freemail nanaseaikawa.com
7850 hashbl_acl_freemail nandomail.com
7851 hashbl_acl_freemail narod.ru
7852 hashbl_acl_freemail naseej.com
7853 hashbl_acl_freemail nastything.com
7854 hashbl_acl_freemail nate.com
7855 hashbl_acl_freemail national-champs.com
7856 hashbl_acl_freemail nativeweb.net
7857 hashbl_acl_freemail naveganas.com
7858 hashbl_acl_freemail naver.com
7859 hashbl_acl_freemail nebraska.usa.com
7860 hashbl_acl_freemail nemra1.com
7861 hashbl_acl_freemail nenter.com
7862 hashbl_acl_freemail nerd4life.de
7863 hashbl_acl_freemail nerdshack.com
7864 hashbl_acl_freemail nervhq.org
7865 hashbl_acl_freemail net-shopping.com
7866 hashbl_acl_freemail net-surf.com
7867 hashbl_acl_freemail net.hr
7868 hashbl_acl_freemail net4b.pt
7869 hashbl_acl_freemail net4jesus.com
7870 hashbl_acl_freemail net4you.at
7871 hashbl_acl_freemail netbounce.com
7872 hashbl_acl_freemail netbroadcaster.com
7873 hashbl_acl_freemail netbusiness.com
7874 hashbl_acl_freemail netcabo.pt
7875 hashbl_acl_freemail netcape.net
7876 hashbl_acl_freemail netcourrier.com
7877 hashbl_acl_freemail netexecutive.com
7878 hashbl_acl_freemail netfingers.com
7879 hashbl_acl_freemail netfirms.com
7880 hashbl_acl_freemail netkushi.com
7881 hashbl_acl_freemail netmongol.com
7882 hashbl_acl_freemail netpiper.com
7883 hashbl_acl_freemail netposta.net
7884 hashbl_acl_freemail netscape.com
7885 hashbl_acl_freemail netscape.net
7886 hashbl_acl_freemail netscapeonline.co.uk
7887 hashbl_acl_freemail netsquare.com
7888 hashbl_acl_freemail nettaxi.com
7889 hashbl_acl_freemail netti.fi
7890 hashbl_acl_freemail networld.com
7891 hashbl_acl_freemail netzero.com
7892 hashbl_acl_freemail netzero.net
7893 hashbl_acl_freemail neustreet.com
7894 hashbl_acl_freemail nevada.usa.com
7895 hashbl_acl_freemail newhampshire.usa.com
7896 hashbl_acl_freemail newjersey.usa.com
7897 hashbl_acl_freemail newmail.com
7898 hashbl_acl_freemail newmail.net
7899 hashbl_acl_freemail newmail.ok.com
7900 hashbl_acl_freemail newmail.ru
7901 hashbl_acl_freemail newmexico.usa.com
7902 hashbl_acl_freemail news-fanatic.com
7903 hashbl_acl_freemail newspaperemail.com
7904 hashbl_acl_freemail newspaperfan.com
7905 hashbl_acl_freemail newyork.com
7906 hashbl_acl_freemail newyork.usa.com
7907 hashbl_acl_freemail newyorkcity.com
7908 hashbl_acl_freemail nfmail.com
7909 hashbl_acl_freemail nicegal.com
7910 hashbl_acl_freemail nightimeuk.com
7911 hashbl_acl_freemail nightly.com
7912 hashbl_acl_freemail nightmail.com
7913 hashbl_acl_freemail nightmail.ru
7914 hashbl_acl_freemail ninfan.com
7915 hashbl_acl_freemail noavar.com
7916 hashbl_acl_freemail nocharge.com
7917 hashbl_acl_freemail noemail.com
7918 hashbl_acl_freemail nokiamail.com
7919 hashbl_acl_freemail nonomail.com
7920 hashbl_acl_freemail nonpartisan.com
7921 hashbl_acl_freemail noolhar.com
7922 hashbl_acl_freemail northcarolina.usa.com
7923 hashbl_acl_freemail northdakota.usa.com
7924 hashbl_acl_freemail nospammail.net
7925 hashbl_acl_freemail nowzer.com
7926 hashbl_acl_freemail null.net
7927 hashbl_acl_freemail ny.com
7928 hashbl_acl_freemail nyc.com
7929 hashbl_acl_freemail nycmail.com
7930 hashbl_acl_freemail nz11.com
7931 hashbl_acl_freemail nzoomail.com
7932 hashbl_acl_freemail o2.pl
7933 hashbl_acl_freemail oath.com
7934 hashbl_acl_freemail oceanfree.net
7935 hashbl_acl_freemail ocsnet.net
7936 hashbl_acl_freemail oddpost.com
7937 hashbl_acl_freemail odeon.pl
7938 hashbl_acl_freemail odmail.com
7939 hashbl_acl_freemail offcolormail.com
7940 hashbl_acl_freemail offshorewebmail.com
7941 hashbl_acl_freemail ofir.dk
7942 hashbl_acl_freemail ohio.usa.com
7943 hashbl_acl_freemail ohne-drogen-gehts.net
7944 hashbl_acl_freemail oicexchange.com
7945 hashbl_acl_freemail ok.ru
7946 hashbl_acl_freemail oklahoma.usa.com
7947 hashbl_acl_freemail ole.com
7948 hashbl_acl_freemail oleco.net
7949 hashbl_acl_freemail olympist.net
7950 hashbl_acl_freemail omani.ws
7951 hashbl_acl_freemail omaninfo.com
7952 hashbl_acl_freemail omdurman.cc
7953 hashbl_acl_freemail on-steroids.de
7954 hashbl_acl_freemail onatoo.com
7955 hashbl_acl_freemail ondikoi.com
7956 hashbl_acl_freemail onebox.com
7957 hashbl_acl_freemail onenet.com.ar
7958 hashbl_acl_freemail onet.pl
7959 hashbl_acl_freemail ongc.net
7960 hashbl_acl_freemail oninet.pt
7961 hashbl_acl_freemail online.ie
7962 hashbl_acl_freemail online.ru
7963 hashbl_acl_freemail onlinevideosrock.com
7964 hashbl_acl_freemail onlinewiz.com
7965 hashbl_acl_freemail onobox.com
7966 hashbl_acl_freemail open.by
7967 hashbl_acl_freemail openbg.com
7968 hashbl_acl_freemail openforyou.com
7969 hashbl_acl_freemail openmail.cc
7970 hashbl_acl_freemail opentransfer.com
7971 hashbl_acl_freemail operamail.com
7972 hashbl_acl_freemail operationivy.com
7973 hashbl_acl_freemail oplusnet.com
7974 hashbl_acl_freemail optician.com
7975 hashbl_acl_freemail oran.cc
7976 hashbl_acl_freemail orange.es
7977 hashbl_acl_freemail orange.fr
7978 hashbl_acl_freemail orange.jo
7979 hashbl_acl_freemail orange.pl
7980 hashbl_acl_freemail orangehome.co.uk
7981 hashbl_acl_freemail orbitel.bg
7982 hashbl_acl_freemail orcon.net.nz
7983 hashbl_acl_freemail oregon.usa.com
7984 hashbl_acl_freemail oreka.com
7985 hashbl_acl_freemail organizer.net
7986 hashbl_acl_freemail orgio.net
7987 hashbl_acl_freemail orthodontist.net
7988 hashbl_acl_freemail orthodox.com
7989 hashbl_acl_freemail osite.com.br
7990 hashbl_acl_freemail oso.com
7991 hashbl_acl_freemail oued.info
7992 hashbl_acl_freemail oued.org
7993 hashbl_acl_freemail oujda.biz
7994 hashbl_acl_freemail oujda.cc
7995 hashbl_acl_freemail ourbrisbane.com
7996 hashbl_acl_freemail ournet.md
7997 hashbl_acl_freemail ourprofile.net
7998 hashbl_acl_freemail ourwest.com
7999 hashbl_acl_freemail outgun.com
8000 hashbl_acl_freemail outlook.com
8001 hashbl_acl_freemail ownmail.net
8002 hashbl_acl_freemail oxfoot.com
8003 hashbl_acl_freemail ozu.es
8004 hashbl_acl_freemail pacer.com
8005 hashbl_acl_freemail pacific-ocean.com
8006 hashbl_acl_freemail pacificwest.com
8007 hashbl_acl_freemail paginasamarillas.com
8008 hashbl_acl_freemail paidoffers.net
8009 hashbl_acl_freemail pakistani.ws
8010 hashbl_acl_freemail pakistanmail.com
8011 hashbl_acl_freemail palmyra.cc
8012 hashbl_acl_freemail palmyra.ws
8013 hashbl_acl_freemail paltalk.ir
8014 hashbl_acl_freemail pandawa.com
8015 hashbl_acl_freemail pando.com
8016 hashbl_acl_freemail pandora.be
8017 hashbl_acl_freemail paris.com
8018 hashbl_acl_freemail parsimail.com
8019 hashbl_acl_freemail parspage.com
8020 hashbl_acl_freemail patmail.com
8021 hashbl_acl_freemail pattayacitythailand.com
8022 hashbl_acl_freemail pc4me.us
8023 hashbl_acl_freemail pcbee.com
8024 hashbl_acl_freemail pcpostal.com
8025 hashbl_acl_freemail pediatrician.com
8026 hashbl_acl_freemail penguinmaster.com
8027 hashbl_acl_freemail pennsylvania.usa.com
8028 hashbl_acl_freemail peoplepc.com
8029 hashbl_acl_freemail peopleweb.com
8030 hashbl_acl_freemail persian.com
8031 hashbl_acl_freemail personal.ro
8032 hashbl_acl_freemail personales.com
8033 hashbl_acl_freemail peru.com
8034 hashbl_acl_freemail petlover.com
8035 hashbl_acl_freemail petml.com
8036 hashbl_acl_freemail petrofind.com
8037 hashbl_acl_freemail photographer.net
8038 hashbl_acl_freemail phreaker.net
8039 hashbl_acl_freemail phunkybitches.com
8040 hashbl_acl_freemail physicist.net
8041 hashbl_acl_freemail pigeonportal.com
8042 hashbl_acl_freemail pikaguam.com
8043 hashbl_acl_freemail pilu.com
8044 hashbl_acl_freemail pimagop.com
8045 hashbl_acl_freemail pinkcity.net
8046 hashbl_acl_freemail pinoymail.com
8047 hashbl_acl_freemail pipni.cz
8048 hashbl_acl_freemail pisem.net
8049 hashbl_acl_freemail pitbullmail.com
8050 hashbl_acl_freemail planet-school.de
8051 hashbl_acl_freemail planetaccess.com
8052 hashbl_acl_freemail planetmail.com
8053 hashbl_acl_freemail planetmail.net
8054 hashbl_acl_freemail planetout.com
8055 hashbl_acl_freemail planetsmeg.com
8056 hashbl_acl_freemail plasa.com
8057 hashbl_acl_freemail playersodds.com
8058 hashbl_acl_freemail playful.com
8059 hashbl_acl_freemail pluno.com
8060 hashbl_acl_freemail plusmail.com.br
8061 hashbl_acl_freemail pmail.net
8062 hashbl_acl_freemail pnetmail.co.za
8063 hashbl_acl_freemail pobox.ru
8064 hashbl_acl_freemail pobox.sk
8065 hashbl_acl_freemail pochta.ru
8066 hashbl_acl_freemail pochtamt.ru
8067 hashbl_acl_freemail poczta.fm
8068 hashbl_acl_freemail poetic.com
8069 hashbl_acl_freemail pogowave.com
8070 hashbl_acl_freemail polandmail.com
8071 hashbl_acl_freemail polbox.com
8072 hashbl_acl_freemail politician.com
8073 hashbl_acl_freemail pookmail.com
8074 hashbl_acl_freemail poop.com
8075 hashbl_acl_freemail poormail.com
8076 hashbl_acl_freemail pop.co.th
8077 hashbl_acl_freemail pop3.ru
8078 hashbl_acl_freemail popmail.com
8079 hashbl_acl_freemail poppymail.com
8080 hashbl_acl_freemail popsmail.com
8081 hashbl_acl_freemail popstar.com
8082 hashbl_acl_freemail portafree.com
8083 hashbl_acl_freemail portaldosalunos.com
8084 hashbl_acl_freemail portsaid.cc
8085 hashbl_acl_freemail portugalmail.com
8086 hashbl_acl_freemail portugalmail.pt
8087 hashbl_acl_freemail post.com
8088 hashbl_acl_freemail post.cz
8089 hashbl_acl_freemail post.expart.ne.jp
8090 hashbl_acl_freemail post.pl
8091 hashbl_acl_freemail post.sk
8092 hashbl_acl_freemail posta.ge
8093 hashbl_acl_freemail postaccesslite.com
8094 hashbl_acl_freemail postiloota.net
8095 hashbl_acl_freemail postinbox.com
8096 hashbl_acl_freemail postino.ch
8097 hashbl_acl_freemail postino.it
8098 hashbl_acl_freemail postmaster.co.uk
8099 hashbl_acl_freemail postpro.net
8100 hashbl_acl_freemail potsmokersnet.com
8101 hashbl_acl_freemail powdermail.com
8102 hashbl_acl_freemail praize.com
8103 hashbl_acl_freemail presidency.com
8104 hashbl_acl_freemail press.co.jp
8105 hashbl_acl_freemail priest.com
8106 hashbl_acl_freemail primetap.com
8107 hashbl_acl_freemail primposta.com
8108 hashbl_acl_freemail printesamargareta.ro
8109 hashbl_acl_freemail private.21cn.com
8110 hashbl_acl_freemail probemail.com
8111 hashbl_acl_freemail profesional.com
8112 hashbl_acl_freemail profession.freemail.com.br
8113 hashbl_acl_freemail programmer.net
8114 hashbl_acl_freemail proinbox.com
8115 hashbl_acl_freemail project420.com
8116 hashbl_acl_freemail prolife.net
8117 hashbl_acl_freemail promessage.com
8118 hashbl_acl_freemail prontomail.com
8119 hashbl_acl_freemail protestant.com
8120 hashbl_acl_freemail protonmail.ch
8121 hashbl_acl_freemail protonmail.com
8122 hashbl_acl_freemail provincial.net
8123 hashbl_acl_freemail publicaccounting.com
8124 hashbl_acl_freemail publicist.com
8125 hashbl_acl_freemail puertoricowow.com
8126 hashbl_acl_freemail punkass.com
8127 hashbl_acl_freemail puppetweb.com
8128 hashbl_acl_freemail puppy.com.my
8129 hashbl_acl_freemail q.com
8130 hashbl_acl_freemail qassem.cc
8131 hashbl_acl_freemail qatar.io
8132 hashbl_acl_freemail qlmail.com
8133 hashbl_acl_freemail qq.com
8134 hashbl_acl_freemail qrio.com
8135 hashbl_acl_freemail qsl.net
8136 hashbl_acl_freemail qualityservice.com
8137 hashbl_acl_freemail quds.cc
8138 hashbl_acl_freemail qudsmail.com
8139 hashbl_acl_freemail queerplaces.com
8140 hashbl_acl_freemail quepasa.com
8141 hashbl_acl_freemail quick.cz
8142 hashbl_acl_freemail quickwebmail.com
8143 hashbl_acl_freemail r-o-o-t.com
8144 hashbl_acl_freemail r320.hu
8145 hashbl_acl_freemail raakim.com
8146 hashbl_acl_freemail rabat.cc
8147 hashbl_acl_freemail racingseat.com
8148 hashbl_acl_freemail radicalz.com
8149 hashbl_acl_freemail radiojobbank.com
8150 hashbl_acl_freemail radiologist.net
8151 hashbl_acl_freemail rafah.cc
8152 hashbl_acl_freemail ragingbull.com
8153 hashbl_acl_freemail raisingadaughter.com
8154 hashbl_acl_freemail rallye-webmail.com
8155 hashbl_acl_freemail ramallah.cc
8156 hashbl_acl_freemail rambler.ru
8157 hashbl_acl_freemail ranmamail.com
8158 hashbl_acl_freemail rapstar.com
8159 hashbl_acl_freemail rapworld.com
8160 hashbl_acl_freemail rastamall.com
8161 hashbl_acl_freemail ratedx.net
8162 hashbl_acl_freemail ravearena.com
8163 hashbl_acl_freemail ravemail.co.za
8164 hashbl_acl_freemail ravemail.com
8165 hashbl_acl_freemail ravermail.com
8166 hashbl_acl_freemail razormail.com
8167 hashbl_acl_freemail rbcmail.ru
8168 hashbl_acl_freemail rbox.co
8169 hashbl_acl_freemail rbox.me
8170 hashbl_acl_freemail real.ro
8171 hashbl_acl_freemail realbookfan.com
8172 hashbl_acl_freemail realemail.net
8173 hashbl_acl_freemail realhealthnut.com
8174 hashbl_acl_freemail realitytvaddict.net
8175 hashbl_acl_freemail realitytvnut.com
8176 hashbl_acl_freemail reallyfast.biz
8177 hashbl_acl_freemail reallyfast.info
8178 hashbl_acl_freemail reallyintomusic.com
8179 hashbl_acl_freemail realtravelfan.com
8180 hashbl_acl_freemail realtyagent.com
8181 hashbl_acl_freemail rebels.com
8182 hashbl_acl_freemail reborn.com
8183 hashbl_acl_freemail recife.net
8184 hashbl_acl_freemail recme.net
8185 hashbl_acl_freemail rediffmail.com
8186 hashbl_acl_freemail rediffmailpro.com
8187 hashbl_acl_freemail redseven.de
8188 hashbl_acl_freemail redskinscheer.com
8189 hashbl_acl_freemail redskinsfamily.com
8190 hashbl_acl_freemail redskinsfancentral.com
8191 hashbl_acl_freemail redskinshog.com
8192 hashbl_acl_freemail redskinsrule.com
8193 hashbl_acl_freemail redskinsspecialteams.com
8194 hashbl_acl_freemail redskinsultimatefan.com
8195 hashbl_acl_freemail redwhitearmy.com
8196 hashbl_acl_freemail reggaefan.com
8197 hashbl_acl_freemail registerednurses.com
8198 hashbl_acl_freemail reincarnate.com
8199 hashbl_acl_freemail relapsecult.com
8200 hashbl_acl_freemail relia.com
8201 hashbl_acl_freemail religious.com
8202 hashbl_acl_freemail remixer.com
8203 hashbl_acl_freemail repairman.com
8204 hashbl_acl_freemail representative.com
8205 hashbl_acl_freemail rescueteam.com
8206 hashbl_acl_freemail revenue.com
8207 hashbl_acl_freemail rexian.com
8208 hashbl_acl_freemail rhodeisland.usa.com
8209 hashbl_acl_freemail ritmes.net
8210 hashbl_acl_freemail rn.com
8211 hashbl_acl_freemail roanokemail.com
8212 hashbl_acl_freemail rochester-mail.com
8213 hashbl_acl_freemail rock.com
8214 hashbl_acl_freemail rockeros.com
8215 hashbl_acl_freemail rocketmail.com
8216 hashbl_acl_freemail rocketship.com
8217 hashbl_acl_freemail rockfan.com
8218 hashbl_acl_freemail rockinghamgateway.com
8219 hashbl_acl_freemail rojname.com
8220 hashbl_acl_freemail rol.ro
8221 hashbl_acl_freemail rollin.com
8222 hashbl_acl_freemail romance106fm.com
8223 hashbl_acl_freemail rome.com
8224 hashbl_acl_freemail romymichele.com
8225 hashbl_acl_freemail royal.net
8226 hashbl_acl_freemail rpharmacist.com
8227 hashbl_acl_freemail rt.nl
8228 hashbl_acl_freemail ru.ru
8229 hashbl_acl_freemail runbox.com
8230 hashbl_acl_freemail rushpost.com
8231 hashbl_acl_freemail russiamail.com
8232 hashbl_acl_freemail rxpost.net
8233 hashbl_acl_freemail s-mail.com
8234 hashbl_acl_freemail saabnet.com
8235 hashbl_acl_freemail sacbeemail.com
8236 hashbl_acl_freemail sacmail.com
8237 hashbl_acl_freemail safat.biz
8238 hashbl_acl_freemail safat.info
8239 hashbl_acl_freemail safat.us
8240 hashbl_acl_freemail safat.ws
8241 hashbl_acl_freemail safe-mail.net
8242 hashbl_acl_freemail safe-mailbox.com
8243 hashbl_acl_freemail safrica.com
8244 hashbl_acl_freemail saigonnet.vn
8245 hashbl_acl_freemail saint-mike.org
8246 hashbl_acl_freemail saintly.com
8247 hashbl_acl_freemail salalah.cc
8248 hashbl_acl_freemail salesperson.net
8249 hashbl_acl_freemail salmiya.biz
8250 hashbl_acl_freemail samerica.com
8251 hashbl_acl_freemail samilan.net
8252 hashbl_acl_freemail sanaa.cc
8253 hashbl_acl_freemail sandiego.com
8254 hashbl_acl_freemail sanfranmail.com
8255 hashbl_acl_freemail sanook.com
8256 hashbl_acl_freemail sanriotown.com
8257 hashbl_acl_freemail sapibon.com
8258 hashbl_acl_freemail sapo.pt
8259 hashbl_acl_freemail saturnfans.com
8260 hashbl_acl_freemail sayhi.net
8261 hashbl_acl_freemail sbcglobal.com
8262 hashbl_acl_freemail scfn.net
8263 hashbl_acl_freemail scheint.so
8264 hashbl_acl_freemail schweiz.org
8265 hashbl_acl_freemail sci.fi
8266 hashbl_acl_freemail sciaga.pl
8267 hashbl_acl_freemail scientist.com
8268 hashbl_acl_freemail scotlandmail.com
8269 hashbl_acl_freemail scoutmail.com
8270 hashbl_acl_freemail scrapbookscrapbook.com
8271 hashbl_acl_freemail seapole.com
8272 hashbl_acl_freemail search417.com
8273 hashbl_acl_freemail seark.com
8274 hashbl_acl_freemail sebil.com
8275 hashbl_acl_freemail secretary.net
8276 hashbl_acl_freemail secretservices.net
8277 hashbl_acl_freemail secure-jlnet.com
8278 hashbl_acl_freemail seductive.com
8279 hashbl_acl_freemail seeb.cc
8280 hashbl_acl_freemail sendmail.ru
8281 hashbl_acl_freemail sendme.cz
8282 hashbl_acl_freemail sent.as
8283 hashbl_acl_freemail sent.at
8284 hashbl_acl_freemail sent.com
8285 hashbl_acl_freemail serga.com.ar
8286 hashbl_acl_freemail sermix.com
8287 hashbl_acl_freemail server4free.de
8288 hashbl_acl_freemail serverwench.com
8289 hashbl_acl_freemail sesmail.com
8290 hashbl_acl_freemail sexmagnet.com
8291 hashbl_acl_freemail sexriga.lv
8292 hashbl_acl_freemail seznam.cz
8293 hashbl_acl_freemail sfax.ws
8294 hashbl_acl_freemail shadango.com
8295 hashbl_acl_freemail sharm.cc
8296 hashbl_acl_freemail she.com
8297 hashbl_acl_freemail shuf.com
8298 hashbl_acl_freemail siamlocalhost.com
8299 hashbl_acl_freemail siamnow.net
8300 hashbl_acl_freemail sify.com
8301 hashbl_acl_freemail sina.cn
8302 hashbl_acl_freemail sina.com
8303 hashbl_acl_freemail sinai.cc
8304 hashbl_acl_freemail sinamail.com
8305 hashbl_acl_freemail sinanail.com
8306 hashbl_acl_freemail singalongcenter.com
8307 hashbl_acl_freemail singapore.com
8308 hashbl_acl_freemail singmail.com
8309 hashbl_acl_freemail singnet.com.sg
8310 hashbl_acl_freemail siraj.org
8311 hashbl_acl_freemail siria.cc
8312 hashbl_acl_freemail sirindia.com
8313 hashbl_acl_freemail sirunet.com
8314 hashbl_acl_freemail sister.com
8315 hashbl_acl_freemail sistersbrothers.com
8316 hashbl_acl_freemail sizzling.com
8317 hashbl_acl_freemail sketchyfriends.com
8318 hashbl_acl_freemail skins4life.com
8319 hashbl_acl_freemail slamdunkfan.com
8320 hashbl_acl_freemail slayerized.com
8321 hashbl_acl_freemail slickriffs.co.uk
8322 hashbl_acl_freemail slingshot.com
8323 hashbl_acl_freemail slo.net
8324 hashbl_acl_freemail slomusic.net
8325 hashbl_acl_freemail smartemail.co.uk
8326 hashbl_acl_freemail smartstocks.com
8327 hashbl_acl_freemail smtp.ru
8328 hashbl_acl_freemail snail-mail.net
8329 hashbl_acl_freemail snakebite.com
8330 hashbl_acl_freemail sndt.net
8331 hashbl_acl_freemail sneakemail.com
8332 hashbl_acl_freemail snoopymail.com
8333 hashbl_acl_freemail snowboarding.com
8334 hashbl_acl_freemail so-simple.org
8335 hashbl_acl_freemail socamail.com
8336 hashbl_acl_freemail socialworker.net
8337 hashbl_acl_freemail sociologist.com
8338 hashbl_acl_freemail softhome.net
8339 hashbl_acl_freemail sohu.com
8340 hashbl_acl_freemail sol.dk
8341 hashbl_acl_freemail solidmail.com
8342 hashbl_acl_freemail solution4u.com
8343 hashbl_acl_freemail songwriter.net
8344 hashbl_acl_freemail soon.com
8345 hashbl_acl_freemail sos.lv
8346 hashbl_acl_freemail soulja-beatz.org
8347 hashbl_acl_freemail soundvillage.org
8348 hashbl_acl_freemail sousse.cc
8349 hashbl_acl_freemail southcarolina.usa.com
8350 hashbl_acl_freemail southdakota.usa.com
8351 hashbl_acl_freemail space.com
8352 hashbl_acl_freemail spacetowns.com
8353 hashbl_acl_freemail spain.ir
8354 hashbl_acl_freemail spainmail.com
8355 hashbl_acl_freemail spamex.com
8356 hashbl_acl_freemail spartapiet.com
8357 hashbl_acl_freemail specialoperations.com
8358 hashbl_acl_freemail speed-racer.com
8359 hashbl_acl_freemail speedpost.net
8360 hashbl_acl_freemail speedymail.net
8361 hashbl_acl_freemail speedymail.org
8362 hashbl_acl_freemail spells.com
8363 hashbl_acl_freemail spils.com
8364 hashbl_acl_freemail spinfinder.com
8365 hashbl_acl_freemail sportemail.com
8366 hashbl_acl_freemail spray.net
8367 hashbl_acl_freemail spray.no
8368 hashbl_acl_freemail spray.se
8369 hashbl_acl_freemail spymac.com
8370 hashbl_acl_freemail srbbs.com
8371 hashbl_acl_freemail srilankan.net
8372 hashbl_acl_freemail ssan.com
8373 hashbl_acl_freemail ssl-mail.com
8374 hashbl_acl_freemail staatsterrorist.de
8375 hashbl_acl_freemail stade.fr
8376 hashbl_acl_freemail stalag13.com
8377 hashbl_acl_freemail stampmail.com
8378 hashbl_acl_freemail starbuzz.com
8379 hashbl_acl_freemail stargate2.com
8380 hashbl_acl_freemail stargateatlantis.com
8381 hashbl_acl_freemail stargatefanclub.com
8382 hashbl_acl_freemail stargatesg1.com
8383 hashbl_acl_freemail stargateu.com
8384 hashbl_acl_freemail starline.ee
8385 hashbl_acl_freemail starmail.com
8386 hashbl_acl_freemail starmail.org
8387 hashbl_acl_freemail starmedia.com
8388 hashbl_acl_freemail starspath.com
8389 hashbl_acl_freemail start.com.au
8390 hashbl_acl_freemail start.no
8391 hashbl_acl_freemail streetracing.com
8392 hashbl_acl_freemail stribmail.com
8393 hashbl_acl_freemail strompost.com
8394 hashbl_acl_freemail student.com
8395 hashbl_acl_freemail student.ednet.ns.ca
8396 hashbl_acl_freemail studmail.com
8397 hashbl_acl_freemail subspacemail.com
8398 hashbl_acl_freemail sudanese.cc
8399 hashbl_acl_freemail sudanmail.net
8400 hashbl_acl_freemail suez.cc
8401 hashbl_acl_freemail sugarray.com
8402 hashbl_acl_freemail suisse.org
8403 hashbl_acl_freemail sunbella.net
8404 hashbl_acl_freemail sunmail1.com
8405 hashbl_acl_freemail sunpoint.net
8406 hashbl_acl_freemail sunrise.ch
8407 hashbl_acl_freemail sunumail.sn
8408 hashbl_acl_freemail sunuweb.net
8409 hashbl_acl_freemail suomi24.fi
8410 hashbl_acl_freemail super-gerissen.de
8411 hashbl_acl_freemail superbikeclub.com
8412 hashbl_acl_freemail superdada.it
8413 hashbl_acl_freemail supereva.com
8414 hashbl_acl_freemail supereva.it
8415 hashbl_acl_freemail superintendents.net
8416 hashbl_acl_freemail supermailbox.com
8417 hashbl_acl_freemail superposta.com
8418 hashbl_acl_freemail surf3.net
8419 hashbl_acl_freemail surfassistant.com
8420 hashbl_acl_freemail surfguiden.com
8421 hashbl_acl_freemail surfsupnet.net
8422 hashbl_acl_freemail surfy.net
8423 hashbl_acl_freemail surgical.net
8424 hashbl_acl_freemail surimail.com
8425 hashbl_acl_freemail surnet.cl
8426 hashbl_acl_freemail sverige.nu
8427 hashbl_acl_freemail svizzera.org
8428 hashbl_acl_freemail sweb.cz
8429 hashbl_acl_freemail sweden.ir
8430 hashbl_acl_freemail swedenmail.com
8431 hashbl_acl_freemail sweetwishes.com
8432 hashbl_acl_freemail swift-mail.com
8433 hashbl_acl_freemail swissinfo.org
8434 hashbl_acl_freemail swissmail.com
8435 hashbl_acl_freemail swissmail.net
8436 hashbl_acl_freemail switched.com
8437 hashbl_acl_freemail switzerland.org
8438 hashbl_acl_freemail syom.com
8439 hashbl_acl_freemail syriamail.com
8440 hashbl_acl_freemail t-mail.com
8441 hashbl_acl_freemail t-net.net.ve
8442 hashbl_acl_freemail t-online.de
8443 hashbl_acl_freemail t2mail.com
8444 hashbl_acl_freemail tabasheer.com
8445 hashbl_acl_freemail tabouk.cc
8446 hashbl_acl_freemail tajikistan.cc
8447 hashbl_acl_freemail talk21.com
8448 hashbl_acl_freemail talkcity.com
8449 hashbl_acl_freemail tangiers.cc
8450 hashbl_acl_freemail tangmonkey.com
8451 hashbl_acl_freemail tanta.cc
8452 hashbl_acl_freemail tatanova.com
8453 hashbl_acl_freemail tattoodesign.com
8454 hashbl_acl_freemail taxcutadvice.com
8455 hashbl_acl_freemail tayef.cc
8456 hashbl_acl_freemail teachers.org
8457 hashbl_acl_freemail teamster.net
8458 hashbl_acl_freemail tech-center.com
8459 hashbl_acl_freemail techemail.com
8460 hashbl_acl_freemail techie.com
8461 hashbl_acl_freemail technisamail.co.za
8462 hashbl_acl_freemail technologist.com
8463 hashbl_acl_freemail teenchatnow.com
8464 hashbl_acl_freemail teenmail.co.uk
8465 hashbl_acl_freemail teenmail.co.za
8466 hashbl_acl_freemail tejary.com
8467 hashbl_acl_freemail telebot.com
8468 hashbl_acl_freemail telefonica.net
8469 hashbl_acl_freemail telegraf.by
8470 hashbl_acl_freemail teleline.es
8471 hashbl_acl_freemail telenet.be
8472 hashbl_acl_freemail telinco.net
8473 hashbl_acl_freemail telkom.net
8474 hashbl_acl_freemail telpage.net
8475 hashbl_acl_freemail telstra.com
8476 hashbl_acl_freemail telusplanet.net
8477 hashbl_acl_freemail tempting.com
8478 hashbl_acl_freemail tenchiclub.com
8479 hashbl_acl_freemail tennessee.usa.com
8480 hashbl_acl_freemail terrapins.com
8481 hashbl_acl_freemail tetouan.cc
8482 hashbl_acl_freemail texas.usa.com
8483 hashbl_acl_freemail texascrossroads.com
8484 hashbl_acl_freemail tfz.net
8485 hashbl_acl_freemail thai.com
8486 hashbl_acl_freemail thaimail.com
8487 hashbl_acl_freemail thaimail.net
8488 hashbl_acl_freemail the-fastest.net
8489 hashbl_acl_freemail the-quickest.com
8490 hashbl_acl_freemail the5thquarter.com
8491 hashbl_acl_freemail theblackmarket.com
8492 hashbl_acl_freemail thegame.com
8493 hashbl_acl_freemail thegamefanatic.com
8494 hashbl_acl_freemail theinternetemail.com
8495 hashbl_acl_freemail theoffice.net
8496 hashbl_acl_freemail theplate.com
8497 hashbl_acl_freemail thepostmaster.net
8498 hashbl_acl_freemail theracetrack.com
8499 hashbl_acl_freemail therapist.net
8500 hashbl_acl_freemail theserverbiz.com
8501 hashbl_acl_freemail thewatercooler.com
8502 hashbl_acl_freemail thewebpros.co.uk
8503 hashbl_acl_freemail thinkpost.net
8504 hashbl_acl_freemail thirdage.com
8505 hashbl_acl_freemail thundermail.com
8506 hashbl_acl_freemail tightmail.com
8507 hashbl_acl_freemail tim.it
8508 hashbl_acl_freemail timemail.com
8509 hashbl_acl_freemail timor.cc
8510 hashbl_acl_freemail tin.it
8511 hashbl_acl_freemail tinati.net
8512 hashbl_acl_freemail tiscali.co.uk
8513 hashbl_acl_freemail tiscali.com
8514 hashbl_acl_freemail tiscali.it
8515 hashbl_acl_freemail tiscalinet.it
8516 hashbl_acl_freemail tjohoo.se
8517 hashbl_acl_freemail tkcity.com
8518 hashbl_acl_freemail tlcfan.com
8519 hashbl_acl_freemail tlen.pl
8520 hashbl_acl_freemail tmicha.net
8521 hashbl_acl_freemail todito.com
8522 hashbl_acl_freemail todoperros.com
8523 hashbl_acl_freemail toke.com
8524 hashbl_acl_freemail tokyo.com
8525 hashbl_acl_freemail tokyo.ir
8526 hashbl_acl_freemail tombstone.ws
8527 hashbl_acl_freemail toothandmail.com
8528 hashbl_acl_freemail toothfairy.com
8529 hashbl_acl_freemail topchat.com
8530 hashbl_acl_freemail topmail.co.ie
8531 hashbl_acl_freemail topmail.co.in
8532 hashbl_acl_freemail topmail.co.nz
8533 hashbl_acl_freemail topmail.co.uk
8534 hashbl_acl_freemail topmail.co.za
8535 hashbl_acl_freemail topmail.com.ar
8536 hashbl_acl_freemail topmail.dk
8537 hashbl_acl_freemail topsurf.com
8538 hashbl_acl_freemail toquedequeda.com
8539 hashbl_acl_freemail torba.com
8540 hashbl_acl_freemail torchmail.com
8541 hashbl_acl_freemail torontomail.com
8542 hashbl_acl_freemail total-techie.com
8543 hashbl_acl_freemail totalfoodnut.com
8544 hashbl_acl_freemail totally-into-cooking.com
8545 hashbl_acl_freemail totallyintobaseball.com
8546 hashbl_acl_freemail totallyintobasketball.com
8547 hashbl_acl_freemail totallyintocooking.com
8548 hashbl_acl_freemail totallyintofootball.com
8549 hashbl_acl_freemail totallyintogolf.com
8550 hashbl_acl_freemail totallyintohockey.com
8551 hashbl_acl_freemail totallyintomusic.com
8552 hashbl_acl_freemail totallyintoreading.com
8553 hashbl_acl_freemail totallyintosports.com
8554 hashbl_acl_freemail totallyintotravel.com
8555 hashbl_acl_freemail totalmail.com
8556 hashbl_acl_freemail totalmoviefan.com
8557 hashbl_acl_freemail totalsurf.com
8558 hashbl_acl_freemail totonline.net
8559 hashbl_acl_freemail tough.com
8560 hashbl_acl_freemail toughguy.net
8561 hashbl_acl_freemail trav.se
8562 hashbl_acl_freemail travel2newplaces.com
8563 hashbl_acl_freemail trevas.net
8564 hashbl_acl_freemail tripod-mail.com
8565 hashbl_acl_freemail triton.net
8566 hashbl_acl_freemail trmailbox.com
8567 hashbl_acl_freemail troamail.org
8568 hashbl_acl_freemail tsamail.co.za
8569 hashbl_acl_freemail tunisian.cc
8570 hashbl_acl_freemail tunome.com
8571 hashbl_acl_freemail turbonett.com
8572 hashbl_acl_freemail turkey.com
8573 hashbl_acl_freemail tushmail.com
8574 hashbl_acl_freemail tvchannelsurfer.com
8575 hashbl_acl_freemail tvnet.lv
8576 hashbl_acl_freemail tvstar.com
8577 hashbl_acl_freemail twc.com
8578 hashbl_acl_freemail typemail.com
8579 hashbl_acl_freemail u2club.com
8580 hashbl_acl_freemail u2tours.com
8581 hashbl_acl_freemail uae.ac
8582 hashbl_acl_freemail ubbi.com
8583 hashbl_acl_freemail ubbi.com.br
8584 hashbl_acl_freemail uboot.com
8585 hashbl_acl_freemail ugeek.com
8586 hashbl_acl_freemail uk2.net
8587 hashbl_acl_freemail uk2net.com
8588 hashbl_acl_freemail ukr.net
8589 hashbl_acl_freemail ukrpost.net
8590 hashbl_acl_freemail ukrpost.ua
8591 hashbl_acl_freemail uku.co.uk
8592 hashbl_acl_freemail ulimit.com
8593 hashbl_acl_freemail ultimateredskinsfan.com
8594 hashbl_acl_freemail ummah.org
8595 hashbl_acl_freemail umpire.com
8596 hashbl_acl_freemail unbounded.com
8597 hashbl_acl_freemail unendlich-schlau.de
8598 hashbl_acl_freemail unican.es
8599 hashbl_acl_freemail unicum.de
8600 hashbl_acl_freemail unimail.mn
8601 hashbl_acl_freemail unitedemailsystems.com
8602 hashbl_acl_freemail universal.pt
8603 hashbl_acl_freemail universia.cl
8604 hashbl_acl_freemail universia.edu.ve
8605 hashbl_acl_freemail universia.es
8606 hashbl_acl_freemail universia.net.co
8607 hashbl_acl_freemail universia.net.mx
8608 hashbl_acl_freemail universia.pr
8609 hashbl_acl_freemail universia.pt
8610 hashbl_acl_freemail universiabrasil.net
8611 hashbl_acl_freemail unofree.it
8612 hashbl_acl_freemail uol.com.ar
8613 hashbl_acl_freemail uol.com.br
8614 hashbl_acl_freemail uole.com
8615 hashbl_acl_freemail uolmail.com
8616 hashbl_acl_freemail uomail.com
8617 hashbl_acl_freemail uraniomail.com
8618 hashbl_acl_freemail urbi.com.br
8619 hashbl_acl_freemail urdun.cc
8620 hashbl_acl_freemail ureach.com
8621 hashbl_acl_freemail usa.com
8622 hashbl_acl_freemail usanetmail.com
8623 hashbl_acl_freemail userbeam.com
8624 hashbl_acl_freemail utah.usa.com
8625 hashbl_acl_freemail uymail.com
8626 hashbl_acl_freemail uyuyuy.com
8627 hashbl_acl_freemail v-sexi.com
8628 hashbl_acl_freemail v3mail.com
8629 hashbl_acl_freemail vegetarisme.be
8630 hashbl_acl_freemail velnet.com
8631 hashbl_acl_freemail velocall.com
8632 hashbl_acl_freemail vercorreo.com
8633 hashbl_acl_freemail verizonmail.com
8634 hashbl_acl_freemail vermont.usa.com
8635 hashbl_acl_freemail verticalheaven.com
8636 hashbl_acl_freemail veryfast.biz
8637 hashbl_acl_freemail veryspeedy.net
8638 hashbl_acl_freemail vfemail.net
8639 hashbl_acl_freemail videogamesrock.com
8640 hashbl_acl_freemail vietmedia.com
8641 hashbl_acl_freemail vip-client.de
8642 hashbl_acl_freemail vip.126.com
8643 hashbl_acl_freemail vip.163.com
8644 hashbl_acl_freemail vip.188.com
8645 hashbl_acl_freemail vip.gr
8646 hashbl_acl_freemail vip.qq.com
8647 hashbl_acl_freemail vip.sina.com
8648 hashbl_acl_freemail vip.sohu.com
8649 hashbl_acl_freemail vip.sohu.net
8650 hashbl_acl_freemail vip.tom.com
8651 hashbl_acl_freemail vipsohu.net
8652 hashbl_acl_freemail virgilio.it
8653 hashbl_acl_freemail virgin.net
8654 hashbl_acl_freemail virginia.usa.com
8655 hashbl_acl_freemail virtual-mail.com
8656 hashbl_acl_freemail visitmail.com
8657 hashbl_acl_freemail visto.com
8658 hashbl_acl_freemail vitalogy.org
8659 hashbl_acl_freemail vivelared.com
8660 hashbl_acl_freemail vjtimail.com
8661 hashbl_acl_freemail vnn.vn
8662 hashbl_acl_freemail vodafone.com
8663 hashbl_acl_freemail vodafone.it
8664 hashbl_acl_freemail vodamail.co.za
8665 hashbl_acl_freemail voila.fr
8666 hashbl_acl_freemail volkermord.com
8667 hashbl_acl_freemail volunteeringisawesome.com
8668 hashbl_acl_freemail vosforums.com
8669 hashbl_acl_freemail vsnl.com
8670 hashbl_acl_freemail vsnl.net
8671 hashbl_acl_freemail w.cn
8672 hashbl_acl_freemail walla.co.il
8673 hashbl_acl_freemail walla.com
8674 hashbl_acl_freemail wallet.com
8675 hashbl_acl_freemail wam.co.za
8676 hashbl_acl_freemail wanex.ge
8677 hashbl_acl_freemail wap.hu
8678 hashbl_acl_freemail wapda.com
8679 hashbl_acl_freemail wapicode.com
8680 hashbl_acl_freemail wappi.com
8681 hashbl_acl_freemail warpmail.net
8682 hashbl_acl_freemail washington.usa.com
8683 hashbl_acl_freemail wassup.com
8684 hashbl_acl_freemail waterloo.com
8685 hashbl_acl_freemail waumail.com
8686 hashbl_acl_freemail wayintocomputers.com
8687 hashbl_acl_freemail wazmail.com
8688 hashbl_acl_freemail wearab.net
8689 hashbl_acl_freemail web-mail.com.ar
8690 hashbl_acl_freemail web.de
8691 hashbl_acl_freemail web.nl
8692 hashbl_acl_freemail web2mail.com
8693 hashbl_acl_freemail webaddressbook.com
8694 hashbl_acl_freemail webbworks.com
8695 hashbl_acl_freemail webcity.ca
8696 hashbl_acl_freemail webdream.com
8697 hashbl_acl_freemail webemaillist.com
8698 hashbl_acl_freemail webindia123.com
8699 hashbl_acl_freemail webinfo.fi
8700 hashbl_acl_freemail webjump.com
8701 hashbl_acl_freemail webl-3.br.inter.net
8702 hashbl_acl_freemail webmail.co.yu
8703 hashbl_acl_freemail webmail.co.za
8704 hashbl_acl_freemail webmails.com
8705 hashbl_acl_freemail webmailv.com
8706 hashbl_acl_freemail webname.com
8707 hashbl_acl_freemail webpim.cc
8708 hashbl_acl_freemail webspawner.com
8709 hashbl_acl_freemail webstation.com
8710 hashbl_acl_freemail websurfer.co.za
8711 hashbl_acl_freemail webtopmail.com
8712 hashbl_acl_freemail webtribe.net
8713 hashbl_acl_freemail webtv.net
8714 hashbl_acl_freemail weedmail.com
8715 hashbl_acl_freemail weekonline.com
8716 hashbl_acl_freemail weirdness.com
8717 hashbl_acl_freemail westvirginia.usa.com
8718 hashbl_acl_freemail whale-mail.com
8719 hashbl_acl_freemail whatisthis.com
8720 hashbl_acl_freemail whatmail.com
8721 hashbl_acl_freemail when.com
8722 hashbl_acl_freemail whipmail.com
8723 hashbl_acl_freemail who.net
8724 hashbl_acl_freemail whoever.com
8725 hashbl_acl_freemail wild4music.com
8726 hashbl_acl_freemail wildaboutelectronics.com
8727 hashbl_acl_freemail wildcats.com
8728 hashbl_acl_freemail wildmail.com
8729 hashbl_acl_freemail will-keinen-spam.de
8730 hashbl_acl_freemail williams.net.ar
8731 hashbl_acl_freemail winning.com
8732 hashbl_acl_freemail winningteam.com
8733 hashbl_acl_freemail winwinhosting.com
8734 hashbl_acl_freemail wisconsin.usa.com
8735 hashbl_acl_freemail witelcom.com
8736 hashbl_acl_freemail witty.com
8737 hashbl_acl_freemail wolverines.com
8738 hashbl_acl_freemail wooow.it
8739 hashbl_acl_freemail worker.com
8740 hashbl_acl_freemail workingaroundthehouse.com
8741 hashbl_acl_freemail workingonthehouse.com
8742 hashbl_acl_freemail workmail.co.za
8743 hashbl_acl_freemail workmail.com
8744 hashbl_acl_freemail worldcrossing.com
8745 hashbl_acl_freemail worldemail.com
8746 hashbl_acl_freemail worldmedic.com
8747 hashbl_acl_freemail worldonline.de
8748 hashbl_acl_freemail wowmail.com
8749 hashbl_acl_freemail wp.pl
8750 hashbl_acl_freemail wprost.pl
8751 hashbl_acl_freemail wrestlezone.com
8752 hashbl_acl_freemail writeme.com
8753 hashbl_acl_freemail writesoon.com
8754 hashbl_acl_freemail wrongmail.com
8755 hashbl_acl_freemail wtonetwork.com
8756 hashbl_acl_freemail wurtele.net
8757 hashbl_acl_freemail www.com
8758 hashbl_acl_freemail www.consulcredit.it
8759 hashbl_acl_freemail wyoming.usa.com
8760 hashbl_acl_freemail x-mail.net
8761 hashbl_acl_freemail xasa.com
8762 hashbl_acl_freemail xemail.com
8763 hashbl_acl_freemail xfreehosting.com
8764 hashbl_acl_freemail xmail.net
8765 hashbl_acl_freemail xmasmail.com
8766 hashbl_acl_freemail xmsg.com
8767 hashbl_acl_freemail xnmsn.cn
8768 hashbl_acl_freemail xoom.com
8769 hashbl_acl_freemail xpectmore.com
8770 hashbl_acl_freemail xrea.com
8771 hashbl_acl_freemail xsmail.com
8772 hashbl_acl_freemail xtra.co.nz
8773 hashbl_acl_freemail xuite.net
8774 hashbl_acl_freemail xzapmail.com
8775 hashbl_acl_freemail y7mail.com
8776 hashbl_acl_freemail ya.com
8777 hashbl_acl_freemail ya.ru
8778 hashbl_acl_freemail yahala.co.il
8779 hashbl_acl_freemail yaho.com
8780 hashbl_acl_freemail yahoo.co.uk
8781 hashbl_acl_freemail yahoo.com
8782 hashbl_acl_freemail yahoomail.com
8783 hashbl_acl_freemail yalla.com.lb
8784 hashbl_acl_freemail yam.com
8785 hashbl_acl_freemail yamal.info
8786 hashbl_acl_freemail yanbo.cc
8787 hashbl_acl_freemail yandex.ru
8788 hashbl_acl_freemail yapost.com
8789 hashbl_acl_freemail yawmail.com
8790 hashbl_acl_freemail yeah.net
8791 hashbl_acl_freemail yebox.com
8792 hashbl_acl_freemail yehey.com
8793 hashbl_acl_freemail yellow-jackets.com
8794 hashbl_acl_freemail yellowstone.net
8795 hashbl_acl_freemail yemeni.cc
8796 hashbl_acl_freemail yenimail.com
8797 hashbl_acl_freemail yepmail.net
8798 hashbl_acl_freemail yifan.net
8799 hashbl_acl_freemail ymail.com
8800 hashbl_acl_freemail yopmail.com
8801 hashbl_acl_freemail your-mail.com
8802 hashbl_acl_freemail yours.com
8803 hashbl_acl_freemail yourwap.com
8804 hashbl_acl_freemail yunus.cc
8805 hashbl_acl_freemail yyhmail.com
8806 hashbl_acl_freemail z11.com
8807 hashbl_acl_freemail z6.com
8808 hashbl_acl_freemail zagazig.cc
8809 hashbl_acl_freemail zambia.cc
8810 hashbl_acl_freemail zednet.co.uk
8811 hashbl_acl_freemail zeeman.nl
8812 hashbl_acl_freemail ziplip.com
8813 hashbl_acl_freemail zipmail.com.br
8814 hashbl_acl_freemail zipmax.com
8815 hashbl_acl_freemail zmail.pt
8816 hashbl_acl_freemail zmail.ru
8817 hashbl_acl_freemail zoho.com
8818 hashbl_acl_freemail zona-andina.net
8819 hashbl_acl_freemail zonai.com
8820 hashbl_acl_freemail zoneview.net
8821 hashbl_acl_freemail zonnet.nl
8822 hashbl_acl_freemail zoomshare.com
8823 hashbl_acl_freemail zoznam.sk
8824 hashbl_acl_freemail zu-geil.de
8825 hashbl_acl_freemail zubee.com
8826 hashbl_acl_freemail zuvio.com
8827 hashbl_acl_freemail zwallet.com
8828 hashbl_acl_freemail zworg.com
8829 hashbl_acl_freemail zybermail.com
8830 hashbl_acl_freemail zzn.com
8832 hashbl_acl_freemail !notify@yahoogroups.com
8833 hashbl_acl_freemail !no-reply@yahoogroups.com
8834 hashbl_acl_freemail !groupsupdates@yahoogroups.com
8835 hashbl_acl_freemail !calendarnotification@outlook.com
8836 hashbl_acl_freemail !nsubscribe@googlegroups.com
8837 hashbl_acl_freemail !ubscribe@googlegroups.com
8838 hashbl_acl_freemail !unsubscribe@googlegroups.com
8842 #END of TEST OF HASHBL ADDITIONS
8845 header __KAM_LABEL1 Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting)/i
8846 body __KAM_LABEL2 /meet at your office|quick lead time/i
8847 body __KAM_LABEL3a /make custom (shirts|sports|jackets|suits)/i
8848 # bug fix thanks to Moritz Friedrich
8849 body __KAM_LABEL3b /PPE/
8850 body __KAM_LABEL4 /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
8851 body __KAM_LABEL5 /(premier|top|luxury) (clothing|fabric)|fortune 500/i
8852 body __KAM_LABEL6 /\| Label|Label Health/i
8854 header __KAM_LABEL7 Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
8855 body __KAM_LABEL8 /face ?mask|(^|\b)PPE(\b|$)/i
8857 meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6)
8858 describe KAM_LABEL Tailored clothier spam
8861 meta KAM_LABEL2 ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
8862 describe KAM_LABEL2 PPE Spam
8863 score KAM_LABEL2 9.0
8866 body __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
8867 body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
8868 body __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i
8870 meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
8871 describe KAM_RBL_OBFU Spammers obfuscating their domain and abusing freemail
8872 score KAM_RBL_OBFU 12.0
8874 meta KAM_RBL_OBFU2 __KAM_RBL_OBFU3
8875 describe KAM_RBL_OBFU2 Spammers obfuscating their domain
8876 score KAM_RBL_OBFU2 9.0
8879 body __KAM_SHADYCC1 /(transactions?|purchases?) from your (online store|web-?shop)/i
8880 header __KAM_SHADYCC2 Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
8881 body __KAM_SHADYCC3 /(four|4) of (my|the) (master)?card/i
8882 body __KAM_SHADYCC4 /(detailed|full) statement/i
8884 meta KAM_SHADYCC (__KAM_SHADYCC1 + __KAM_SHADYCC2 + __KAM_SHADYCC3 + __KAM_SHADYCC4 >= 4)
8885 describe KAM_SHADYCC Scam predicated around reporting fraudulent purchase
8886 score KAM_SHADYCC 6.0
8889 header __KAM_EXPOPIRATE1 Subject =~ /Hotel Booking/i
8890 body __KAM_EXPOPIRATE2 /Business Traveller/i
8892 meta KAM_EXPOPIRATE (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2)
8893 describe KAM_EXPOPIRATE Scam Pirates trying to Hijack Event Hotel Bookings
8894 score KAM_EXPOPIRATE 4.5
8896 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8897 #Domain Expiry Scams
8898 header __KAM_DOMAINEXPIRY1 Subject =~ /Domain.*Expiration/i
8899 body __KAM_DOMAINEXPIRY2 /Attached letter/i
8901 meta KAM_DOMAINEXPIRY (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
8902 describe KAM_DOMAINEXPIRY Domain Expiration Scams
8903 score KAM_DOMAINEXPIRY 4.5
8906 header __KAM_PAYMENTSCAM1 Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
8907 body __KAM_PAYMENTSCAM2 /attached (payment|herewith)|ready for release/i
8908 mimeheader __KAM_PAYMENTSCAM3 Content-Type =~ /\.doc/i
8909 full __KAM_PAYMENTSCAM4 /\{\\rtf/
8911 meta KAM_PAYMENTSCAM (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
8912 describe KAM_PAYMENTSCAM Payment Scams with Malware Payloads
8913 score KAM_PAYMENTSCAM 6.5
8915 meta KAM_PAYMENTSCAM2 (DEAR_BENEFICIARY + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
8916 describe KAM_PAYMENTSCAM2 Payment scams
8917 score KAM_PAYMENTSCAM2 4.5
8921 body __KAM_PASSWORDSCAM1 /pass word/i
8923 meta KAM_PASSWORDSCAM (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
8924 describe KAM_PASSWORDSCAM Password extortion spams
8925 score KAM_PASSWORDSCAM 6.0
8929 header __KAM_TRAINING1 Subject =~ /mandatory.*training/i
8930 body __KAM_TRAINING2 /intranet|training calendar/i
8931 body __KAM_TRAINING3 /Human Resources/i
8933 meta KAM_TRAINING (__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
8934 describe KAM_TRAINING Training Phishing
8935 score KAM_TRAINING 4.5
8938 header __KAM_MEDICARE2_1 Subject =~ /Trump Medicare/i
8940 meta KAM_MEDICARE2 __KAM_MEDICARE2_1 >= 1
8941 describe KAM_MEDICARE2 Medicare Scams
8942 score KAM_MEDICARE2 2.0
8945 header __KAM_WATERHACK1 Subject =~ /Water Hack/i
8946 body __KAM_WATERHACK2 /water hack/i
8948 meta KAM_WATERHACK (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
8949 describe KAM_WATERHACK Diet Scams
8950 score KAM_WATERHACK 5.0
8953 #thanks to Chip for another Spample on 2020-03-07
8954 header __KAM_SENDGRID1 EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
8955 header __KAM_SENDGRID1A Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
8956 header __KAM_SENDGRID2 Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i
8958 meta KAM_SENDGRID ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
8959 describe KAM_SENDGRID Sendgrid being exploited by scammers
8960 score KAM_SENDGRID 1.50
8962 header __KAM_EDU_FROM From:addr =~ /\.edu$/i
8964 header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
8965 header __KAM_SENDGRID4 From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
8967 meta KAM_SENDGRID2 ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
8968 describe KAM_SENDGRID2 Sendgrid being exploited by scammers
8969 score KAM_SENDGRID2 2.0
8972 header __KAM_2020_1 Subject =~ /Re-?elect Trump|(science|funny|election|christmas|personalized|mission) (t|tee)( |-)?shirt|ginsburg shirt|officially licensed/i
8973 body __KAM_2020_2 /T-?shirt|printed in the US|stink stank stunk|officially licensed|star wars/i
8974 tflags __KAM_2020_2 nosubject
8976 meta KAM_2020 (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
8977 describe KAM_2020 2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
8981 uri __KAM_WETRANSFER1 /wetransferfiledownload|\?email=|redirecturl/i
8982 header __KAM_WETRANSFER2 From:name =~ /WeTransfer/i
8983 header __KAM_WETRANSFER3 From:addr !~ /wetransfer\.com/i
8984 header __KAM_WETRANSFER4 Subject =~ /via WeTransfer/i
8986 meta KAM_WETRANSFER (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
8987 score KAM_WETRANSFER 6.0
8988 describe KAM_WETRANSFER WeTransfer Impersonators
8991 header __KAM_GREYEAGLE_1 From =~ /greyeagle|funding|capital|banking|lending/i
8992 body __KAM_GREYEAGLE_2 /grey eagle funding/i
8994 meta KAM_GREYEAGLE (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
8995 describe KAM_GREYEAGLE Spammy Funding Company w/lots of Domains
8996 score KAM_GREYEAGLE 10.0
8998 #Google Storage APIs
8999 uri KAM_STORAGE_GOOGLE /storage.googleapis.com|\.web.app\//i
9000 describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
9001 score KAM_STORAGE_GOOGLE 2.25
9004 header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
9006 body __KAM_DUJOUR2 /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
9007 tflags __KAM_DUJOUR2 nosubject
9009 header __KAM_DUJOUR3 From =~ /(Probio|Tinnitus|Reflux|CVS)/i
9011 meta KAM_DUJOUR (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
9012 describe KAM_DUJOUR Spam of the Day hocking various products
9013 score KAM_DUJOUR 4.5
9016 body __KAM_QUINFORCE1 /q.?u.?i.?n.?f.?o.?r.?c.?e/i
9018 meta KAM_QUINFORCE1 (__KAM_QUINFORCE1 >= 1)
9019 describe KAM_QUINFORCE1 Obfuscating spamming firm
9020 score KAM_QUINFORCE1 6.0
9023 body __KAM_CBD1 /Meridian CBD/i
9025 meta KAM_CBD (__KAM_CBD1 + __KAM_OTHER_BAD_TLD2 >= 2)
9026 describe KAM_CBD Spam du jour for CBD
9030 body __KAM_COVID1 /International Monetary fund|world health organization|empowerment fund/i
9031 header __KAM_COVID2 Subject =~ /COVID?.{0,12}(payment|fund)/i
9032 body __KAM_COVID3 /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
9033 tflags __KAM_COVID3 nosubject
9034 header __KAM_COVID4 From =~ /COVID|world ?Health|WHO/i
9036 body __KAM_COVID5 /00 ?(EUR|USD|Dollar)/i
9038 meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
9039 describe KAM_COVID Scams revolving around the pandemic
9043 body __KAM_COVID2_1 /COVID-19 (CHARITY )?(fund|donated relief)/i
9044 tflags __KAM_COVID2_1 nosubject
9045 header __KAM_COVID2_2 Subject =~ /(little|COVID-19) (fund|donation)/i
9047 meta KAM_COVID2 (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
9048 describe KAM_COVID2 Scams revolving around the pandemic
9049 score KAM_COVID2 7.5
9052 body __KAM_COVID3_1 /Prince/i
9053 body __KAM_COVID3_2 /reliable source/i
9054 body __KAM_COVID3_3 /\$[\d\.,]+ mil/i
9055 body __KAM_COVID3_4 /assist me/i
9056 body __KAM_COVID3_5 /Saudi Arabia/i
9058 meta KAM_COVID3 (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
9059 describe KAM_COVID3 Scams revolving around the pandemic
9060 score KAM_COVID3 7.5
9063 uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com/i
9064 header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File/i
9065 body __KAM_VM3 /(Voice ?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail)/i
9066 tflags __KAM_VM3 nosubject
9067 body __KAM_VM4 /recorded voice|audio message|Caller.id|CID:|mailbox \d|sign document/i
9068 tflags __KAM_VM4 nosubject
9070 meta KAM_VM (__KAM_VM1 + __KAM_VM2 + __KAM_VM3 + __KAM_VM4 >= 3)
9072 describe KAM_VM Voice Mail & Fax Scams
9075 header __KAM_ADMIN1 From =~ /admin/i
9076 header __KAM_ADMIN2 Subject =~ /For /i
9077 body __KAM_ADMIN3 /next tax return/i
9078 body __KAM_ADMIN4 /read this document/i
9080 meta KAM_ADMIN (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
9081 describe KAM_ADMIN Phishing attempt spoofing admins
9086 replace_rules __KAM_BENEFICIARY2
9088 header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment/i
9090 body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
9091 tflags __KAM_BENEFICIARY2 nosubject
9094 body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country/i
9096 body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
9098 body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy/i
9100 body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete/i
9102 meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
9103 describe KAM_BENEFICIARY Beneficiary scams
9104 score KAM_BENEFICIARY 10.5
9106 meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
9107 describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
9108 score KAM_BENEFICIARYLOW 6.0
9111 body __KAM_NPO1 /501\(?c\)?\(?3\)?|501 c 3/i
9115 meta KAM_BENEFICIARY2 (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
9116 describe KAM_BENEFICIARY2 Beneficiary scams
9117 score KAM_BENEFICIARY2 3.0
9120 body __KAM_BENEFICIARY3_1 /Mikhail Fridman/i
9121 header __KAM_BENEFICIARY3_2 From =~ /Mikhail Fridman/i
9122 uri __KAM_BENEFICIARY3_3 /www.rt.com/i
9124 meta KAM_BENEFICIARY3 (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3)
9125 describe KAM_BENEFICIARY3 Beneficiary scams
9126 score KAM_BENEFICIARY3 4.5
9129 #Did you get my message?
9130 header __KAM_DIDYOUSUBJ Subject =~ /Did you (receive it|get my message)/i
9131 body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
9132 tflags __KAM_DIDYOUBODY nosubject
9135 #body __KAM_SIGONLY1 /^.{0,10}--\b/im
9136 #tflags __KAM_SIGONLY1 nosubject
9138 #meta KAM_SIGONLY (__KAM_SIGONLY1 >= 2)
9139 #score KAM_SIGONLY 1.5
9140 #describe KAM_SIGONLY Messages is (mostly) just a signature
9143 #meta KAM_SIGONLY2 (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
9144 #score KAM_SIGONLY2 1.5
9145 #describe KAM_SIGONLY2 Junk Messages using (mostly) just a signature
9148 header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
9149 describe KAM_BLANKSUBJECT Message has a blank Subject
9150 score KAM_BLANKSUBJECT 0.25
9153 header __KAM_JOB2_1 Subject =~ /doing the job/i
9154 body __KAM_JOB2_2 /represent the company/i
9156 body __KAM_JOB2_3 /Singapore/i
9158 body __KAM_JOB2_4 /\d,?000 USD (monthly|weekly)/i
9160 meta KAM_JOB2 (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
9161 describe KAM_JOB2 Employment scams
9165 header __KAM_WEB2_1 Subject =~ /follow|next step|website work/i
9166 body __KAM_WEB2_2 /affordable (quot|price)|less than half/i
9167 body __KAM_WEB2_3 /web (designer|develop)|new website/i
9168 body __KAM_WEB2_4 /portfolio|sample|insights/i
9170 meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
9171 describe KAM_WEB2 Unsolicited web workers
9175 header __KAM_BANK_1 Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
9176 body __KAM_BANK_2 /beneficiary|agent|investment group|deceased/i
9177 body __KAM_BANK_3 /re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i
9179 meta KAM_BANK (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
9180 describe KAM_BANK Bank scams
9184 header __KAM_CERT1 Subject =~ /Medical Certificate/i
9185 body __KAM_CERT2 /review this certificate/i
9186 body __KAM_CERT3 /link below/i
9188 meta KAM_CERT (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
9189 describe KAM_CERT Fake Certificate Scams
9193 header __KAM_URGENT1 Subject =~ /^Hello$/i
9194 body __KAM_URGENT2 /urgent respond/i
9195 body __KAM_URGENT3 /private e?mail/i
9196 body __KAM_URGENT4 /god bless/i
9197 body __KAM_URGENT5 /address still valid/i
9199 meta KAM_URGENT ( __KAM_URGENT1 + __KAM_URGENT2 + __KAM_URGENT3 + __KAM_URGENT4 + __KAM_URGENT5 >= 5)
9200 describe KAM_URGENT Urgent Scams
9201 score KAM_URGENT 7.5
9204 header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest/i
9206 body __KAM_INVEST2 /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance/i
9208 body __KAM_INVEST3 /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
9210 body __KAM_INVEST4 /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country/i
9211 tflags __KAM_INVEST4 nosubject
9213 meta KAM_INVEST (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
9214 describe KAM_INVEST Investment Scams
9215 score KAM_INVEST 6.0
9218 header __KAM_SIGN1 Subject =~ /New Sign-?[io]n/i
9219 body __KAM_SIGN2 /review your account/i
9220 body __KAM_SIGN3 /verification is processed/i
9222 meta KAM_SIGN (KAM_STORAGE_GOOGLE + __KAM_SIGN1 + __KAM_SIGN2 + __KAM_SIGN3 >= 4)
9223 describe KAM_SIGN Sign-in Verification Scams
9227 header __KAM_WEIRDC19_1 Subject =~ /The virus that causes COVID-19/i
9228 header __KAM_WEIRDC19_2 From =~ /John Robert/i
9229 body __KAM_WEIRDC19_3 /The virus that causes COVID-19/i
9230 tflags __KAM_WEIRDC19_3 nosubject
9232 meta KAM_WEIRDC19 (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
9233 describe KAM_WEIRDC19 Odd Covid-19 spam with information
9234 score KAM_WEIRDC19 7.5
9237 header __KAM_CELEB1 Subject =~ /Celebrity Doc/i
9238 body __KAM_CELEB2 /resugar/i
9239 body __KAM_CELEB3 /fat.burning/i
9241 meta KAM_CELEB (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
9242 describe KAM_CELEB Celebrity Health Scams
9245 #BEAL AND SIMILAR IMPERSONATOR
9246 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
9247 header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman|janet smith|Jeff Gardner|Geoff(rey)? White|Jason Davis/i
9248 #header __KAM_BEAL2 From:addr =~ /\@gmail\.com|\@mail\.ru/i
9249 body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis/i
9250 body __KAM_BEAL4 /(reply with|forward|send me|let me have) your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|reconfirm your cell|important task for me/i
9251 body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you in the office/i
9253 meta KAM_BEAL ((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + (SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
9254 describe KAM_BEAL IMPOSTER! Will the real slim shady, please stand up?
9259 header __KAM_PROJECT1 Subject =~ /Project/i
9260 body __KAM_PROJECT2 /business project/i
9261 body __KAM_PROJECT3 /email is active/i
9262 body __KAM_PROJECT4 /please respond/i
9264 meta KAM_PROJECT (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
9265 describe KAM_PROJECT Scam inquiries about amorphous projects
9266 score KAM_PROJECT 6.0
9269 header __KAM_FAKEWEST1 Subject =~ /Attention/i
9270 body __KAM_FAKEWEST2 /Western Union/i
9271 body __KAM_FAKEWEST3 /United Nation/i
9272 body __KAM_FAKEWEST4 /Wrong Transfer/i
9273 body __KAM_FAKEWEST5 /0[\.,]?000[\.,]?00\s?USD/i
9275 meta KAM_FAKEWEST (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
9276 describe KAM_FAKEWEST Fake money Transfer Scam
9277 score KAM_FAKEWEST 6.0
9280 header __KAM_FAKEDROPBOX2_1 Subject =~ /on Dropbox/i
9282 meta KAM_FAKEDROPBOX2 (__KAM_FAKEDROPBOX2_1 + __KAM_TINYDOMAIN + FREEMAIL_FROM >= 3)
9283 describe KAM_FAKEDROPBOX2 Fake Dropbox Phish
9284 score KAM_FAKEDROPBOX2 4.5
9286 header __KAM_FAKEDROPBOX3_1 Subject =~ /new dropbox message/i
9287 uri __KAM_FAKEDROPBOX3_2 /wp\-includes/i
9289 meta KAM_FAKEDROPBOX3 (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
9290 describe KAM_FAKEDROPBOX3 Fake Dropbox Phish
9291 score KAM_FAKEDROPBOX3 6.0
9295 header __KAM_FAKEMONEYGRAM1 From =~ /Money.?Gram/i
9297 meta KAM_FAKEMONEYGRAM (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
9298 describe KAM_FAKEMONEYGRAM Fake Moneygram Phish
9299 score KAM_FAKEMONEYGRAM 5.5
9303 header __KAM_FAKESHAREPOINT1 Subject =~ /by Sharepoint|payment reminder|shared|Request for Quot/i
9304 header __KAM_FAKESHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
9305 uri __KAM_FAKESHAREPOINT3 /my\.sharepoint\.com|appdomain\.cloud/i
9306 body __KAM_FAKESHAREPOINT4 /Sharepoint Fileshare/i
9307 mimeheader __KAM_FAKESHAREPOINT5 Content-Type =~ /.html?\"?$/i
9310 meta KAM_FAKESHAREPOINT (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + (__KAM_FAKESHAREPOINT3 + KAM_STORAGE_GOOGLE + __KAM_FAKESHAREPOINT4 >= 1) + __KAM_FAKESHAREPOINT5 >= 3)
9311 describe KAM_FAKESHAREPOINT Fake Sharepoint Phish
9312 score KAM_FAKESHAREPOINT 4.0
9315 body __KAM_BADZIP1 /attached (to email|document)|take a look/i
9316 body __KAM_BADZIP2 /Encrypted zip/i
9317 uri __KAM_BADZIP2A /drive.google.com.*export=download/i
9318 body __KAM_BADZIP3 /(order|urgent|report|dialogue)/i
9319 body __KAM_BADZIP4 /password:/i
9321 meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
9322 describe KAM_BADZIP Encrypted Zip File Indicating a Scam
9323 score KAM_BADZIP 6.0
9327 header __KAM_VERIZON1 Subject =~ /verizon wireless security message/i
9328 header __KAM_VERIZON2 From:name =~ /Verizon/i
9329 header __KAM_VERIZON3 From:addr !~ /verizon/i
9332 body __KAM_VERIZON4 /Update required immediately/i
9334 body __KAM_VERIZON5 /update your account information/i
9336 body __KAM_VERIZON6 /deactivated/i
9338 body __KAM_VERIZON7 /credit card|bank account/i
9340 meta KAM_VERIZON (__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
9341 describe KAM_VERIZON Fake Wireless account notices
9342 score KAM_VERIZON 9.5
9345 header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service/i
9346 header __KAM_DOCUSIGN2 From:name =~ /docusign/i
9347 header __KAM_DOCUSIGN3 From:addr !~ /docusign/i
9349 uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com/i
9351 meta KAM_DOCUSIGN ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
9352 describe KAM_DOCUSIGN Fake Document Signature account notices
9353 score KAM_DOCUSIGN 4.5
9356 header __KAM_TWODOTS From:addr =~ /\@.*\.\./i
9358 meta KAM_INVALIDFROM (__KAM_TWODOTS >= 1)
9359 describe KAM_INVALIDFROM Invalid From Address
9360 score KAM_INVALIDFROM 5.0
9362 #Client Fake Invoice
9363 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9364 header __KAM_FAKEINV1 From =~ /headoffice/i
9365 header __KAM_FAKEINV1A Reply-to =~ /no.?reply\@/i
9367 body __KAM_FAKEINV2 /dearest client/i
9369 mimeheader __KAM_FAKEINV3 Content-Type =~ /.xls\"?$/i
9371 meta KAM_FAKEINV ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
9372 describe KAM_FAKEINV Fake Customer Invoices
9373 score KAM_FAKEINV 4.5
9377 meta KAM_IMAGEONLY (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
9378 describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image
9379 score KAM_IMAGEONLY 0.75
9382 header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
9383 body __KAM_HOLIDAY2020_2 /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
9384 tflags __KAM_HOLIDAY2020_2 nosubject
9385 header __KAM_HOLIDAY2020_3 From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i
9387 meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
9388 describe KAM_HOLIDAY2020 Holiday Gifts 2020 Spam
9389 score KAM_HOLIDAY2020 4.0
9392 uri __KAM_GOOGLEFORM_1 /docs\.google\.com\/forms\//i
9393 body __KAM_GOOGLEFORM_2 /Untitled|Formulaire sans titre/i
9394 body __KAM_GOOGLEFORM_3 /foundation is donating/i
9396 meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
9397 describe KAM_GOOGLEFORM Untitled or Spam Google Form
9398 score KAM_GOOGLEFORM 4.0
9400 header __GB_RETPATH_GOOG_TRIX Return-Path =~ /\@trix\.bounces\.google\.com/
9402 meta GB_RETPATH_GOOG_TRIX __GB_RETPATH_GOOG_TRIX
9403 describe GB_RETPATH_GOOG_TRIX Email from Google subdomain being abused by spammers
9404 score GB_RETPATH_GOOG_TRIX 2.00
9406 #BENEFICIARY FAKE FORM
9407 body __KAM_DISCLOSE1 /enable me disclose|indicate your? interest|something important/i
9409 meta KAM_FAKEFORM ((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
9410 describe KAM_FAKEFORM Fake Form for Scams
9411 score KAM_FAKEFORM 4.0
9414 body __KAM_2ND_1 /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
9415 body __KAM_2ND_2 /2nd am?mendment|concealed carry|right to carry/i
9416 header __KAM_2ND_3 From =~ /2nd amm?endment|Concealed/i
9418 meta KAM_2ND ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
9419 describe KAM_2ND Political / 2nd Ammendement Spam
9422 #SPAM DU JOUR - MASKS
9423 body __KAM_KN_1 /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
9424 tflags __KAM_KN_1 nosubject
9425 body __KAM_KN_2 /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
9426 tflags __KAM_KN_2 nosubject
9427 header __KAM_KN_3 Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
9428 header __KAM_KN_4 From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i
9430 meta KAM_KN (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
9431 describe KAM_KN Spam Du Jour for Masks
9434 #SPAM DU JOUR - BAD CREDIT
9435 body __KAM_BADCRED_1 /bad credit/i
9436 tflags __KAM_BADCRED_1 nosubject
9437 header __KAM_BADCRED_2 Subject =~ /bad credit.*off track/
9439 meta KAM_BADCRED (__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
9440 describe KAM_BADCRED Spam Du Jour for Bad Credit
9441 score KAM_BADCRED 3.0
9443 #SPAM DU JOUR - SPO2
9444 replace_rules __KAM_SPO2_2 __KAM_SPO2_3
9446 body __KAM_SPO2_1 /pulse oximeter|touchless thermometer/i
9447 body __KAM_SPO2_2 /C<O1>VID/i
9448 tflags __KAM_SPO2_2 nosubject
9449 header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
9450 header __KAM_SPO2_4 From =~ /health|infrared|oximeter|Painless/i
9452 meta KAM_SPO2 (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
9453 describe KAM_SPO2 COVID Spams
9456 #SPAM DU JOUR - HEATED VEST
9457 body __KAM_VEST1 /(heated|thermal) vest/i
9458 tflags __KAM_VEST1 nosubject
9459 header __KAM_VEST2 Subject =~ /stay toasty/i
9460 header __KAM_VEST3 From =~ /thermal vest/i
9462 meta KAM_VEST (__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
9463 describe KAM_VEST Spam Du Jour for Vests
9467 header __KAM_CVS1 From =~ /CVS Pharm/i
9468 header __KAM_CVS1A From:addr !~ /\@cvs.com/i
9469 body __KAM_CVS2 /CVS/
9470 tflags __KAM_CVS2 nosubject
9471 header __KAM_CVS3 Subject =~ /CVS Pharm/i
9473 meta KAM_CVS ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
9474 describe KAM_CVS Fake CVS Spams
9478 body __KAM_HACK1 /(phone|electronic|computer) have been hacked|suspected online scam/i
9479 body __KAM_HACK2 /read attached|click here for verification/i
9480 body __KAM_HACK3 /save yourself|lead to your arrest/i
9481 header __KAM_HACK4 From:name =~ /justice dep/i
9483 meta KAM_HACK (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
9484 describe KAM_HACK Hacker Exploitation Email
9488 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9490 header __KAM_FAKEINV2_1 Subject =~ /lnv (remittance|\& check)/i
9491 body __KAM_FAKEINV2_2 /(find|see) (the )?attach/i
9492 body __KAM_FAKEINV2_3 /not mail the check|typeform\.com/i
9493 mimeheader __KAM_FAKEINV2_4 Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i
9495 meta KAM_FAKEINV2 (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
9496 describe KAM_FAKEINV2 Fake Invoice Scams
9497 score KAM_FAKEINV2 6.0
9502 header __KAM_FAKEAD1 Subject =~ /brand medication|stubborn fat/i
9503 body __KAM_FAKEAD2 /click here to UNSUBSCRIBE|start shopping|here\'s how/i
9504 uri __KAM_FAKEAD3 /\/bit\.ly/i
9505 body __KAM_FAKEAD4 /Sweet passion|no plastic surgery/i
9507 meta KAM_FAKEAD (__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
9508 describe KAM_FAKEAD Fake Advertisements
9509 score KAM_FAKEAD 6.0
9511 #FAKE REGISTRY SCAMS
9512 body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
9513 uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i
9515 meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
9516 describe KAM_FAKE_REGISTRY Fake Domain Registry Scammers trying to get you to buy unneeded domains
9517 score KAM_FAKE_REGISTRY 5.0
9520 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9521 mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
9523 body __KAM_FAKE_FAX2 /incoming fax|fax received/i
9524 header __KAM_FAKE_FAX3 Subject =~ /Fax/i
9525 body __KAM_FAKE_FAX4 /invoice/i
9527 meta KAM_FAKE_FAX (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
9528 describe KAM_FAKE_FAX Fake Fax Scam
9529 score KAM_FAKE_FAX 8.0
9532 body __KAM_FAKE_TRUST1 /Message is from a .{0,40}trusted source/i
9534 meta KAM_FAKE_TRUST (__KAM_FAKE_TRUST1 >= 1 )
9535 describe KAM_FAKE_TRUST Scams about trusted sources
9536 score KAM_FAKE_TRUST 3.5
9539 header __KAM_FAKE_INVOICE1 Subject =~ /payment advice/i
9540 body __KAM_FAKE_INVOICE2 /Payment advice/i
9542 meta KAM_FAKE_INVOICE (T_HTML_ATTACH + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
9543 describe KAM_FAKE_INVOICE Fake Invoice Scam
9544 score KAM_FAKE_INVOICE 6.0
9547 header __KAM_BAD_PRODUCT1 Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
9548 body __KAM_BAD_PRODUCT2 /Dolphin sealer|hotstreak plug|Rapid thaw tray/i
9550 meta KAM_BAD_PRODUCT (__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
9551 describe KAM_BAD_PRODUCT Spammy Products
9552 score KAM_BAD_PRODUCT 3.0
9555 uri __KAM_BAD_LINK1 /\.pdf\.iso$/i
9557 meta KAM_BAD_LINK (__KAM_BAD_LINK1 >= 1)
9558 describe KAM_BAD_LINK Potentially dangerous link in email
9559 score KAM_BAD_LINK 10.0
9562 header __KAM_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
9563 body __KAM_CITIZEN2 /Important (message|Notice) From Citizens/i
9564 uri __KAM_CITIZEN3 /phpmailer|wp-admin|.well-known/i
9565 header __KAM_CITIZEN4 From:name =~ /Citizens ?Bank/i
9566 header __KAM_CITIZEN5 From:addr !~ /citizen/i
9568 meta KAM_CITIZEN (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
9569 describe KAM_CITIZEN Fake Bank Alert Scam
9570 score KAM_CITIZEN 7.5
9573 header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger|ACs|Wifi Booster|anti.?snore|visceral fat/i
9574 body __KAM_PRODUCT2_2 /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen (device|gadget)|Better Butter|savage.?grow|coolair|Wifi Booster|sleeplab|belly.flat/i
9575 header __KAM_PRODUCT2_3 From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow|CoolMe|wifi repeater|sleep.?lab|lost.?\d+lbs/i
9577 meta KAM_PRODUCT2 ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
9578 describe KAM_PRODUCT2 Scammy Products prevalent in spam
9579 score KAM_PRODUCT2 4.5
9582 #uri_detail KAM_PDF_FAKE text =~ /\.PDF/i cleaned =~ /\.github.io\//i
9583 #describe KAM_PDF_FAKE Links to Fake PDFs
9584 #score KAM_PDF_FAKE 5.0
9588 body __KAM_INQUIRY_1 /inquiry for purchase|product catalog|price list|reply with catalog/i
9590 header __KAM_INQUIRY_2 Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
9592 body __KAM_INQUIRY_3 /terms? (\&|and) conditions?|rightful dep/i
9594 body __KAM_INQUIRY_4 /certificate of origin|import\export|trading company/i
9596 meta KAM_INQUIRY (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
9597 describe KAM_INQUIRY Product Inquiry Scams
9598 score KAM_INQUIRY 7.0
9601 header __KAM_FROM_NAME_FAKERBL From:name =~ /Savagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady.com|Betterbutterspreader.com/i
9603 meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1)
9604 describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
9605 score KAM_FROM_NAME_FAKERBL 6.0
projects / proxmox-spamassassin.git / blob