#KAM.cf - SpamAssassin Rules
#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
#        & Bill Cole
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
#       at https://raptor.pccc.com/raptor.cgim?template=report_problem
#HomePage: http://www.mcgrail.com/downloads/KAM.cf

#2018-06-20: We will be moving KAM.cf over to a non-profit to allow for it to
#            continue being maintained. It will continue being ASLv2 licensed
#            but we are soliciting donations to help fund the development.
#
#            As a 501(c)(3), all donations are tax deductible to the extent
#            permissible by law.
#
#            Sponsors gifting $5,000USD or greater per year will be thanked
#            in this file and on our website.

#This is a collection of special rules that I have developed and use on my system.
#
#The exact date is lost to the sands of time but we have been publishing this
#ruleset since at least May 2004.
#
#They are intended as live research for committal to SpamAssassin's SVN sandbox but
#often rely on my corpora so they do not fare well in masschecks.
#
#You are welcome and encouraged to email me directly regarding suggestions.
#To avoid being caught by our filters, False positives and negatives should be
#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#I believe the rules are safe and they are in use on production systems so I will
#do my best to respond to FPs *especially* if you can send me an email sample.
#
#This cf file is designed for systems with a threshold of 5.0 or higher.

#It is best to save an email sample in mbox format and zip it to attach to get
#around my filters. It is sometimes best to send samples in a second email so I
#know to go looking for it in my spam folders.
#
#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
# - I don't view many of my rules as single rules as I typically use meta rules.
#   I view meta rules as multiple rules hence a larger score is acceptable.
#
# - Some content needs to be blocked either due to large number of complaints or
#   for content. For example, the sexually explicit items and the stock tips.
#   FPs in these rules will be quickly addressed.

#For a free anti-spam consultation, fill out the form at the following URL:
#https://raptor.pccc.com/free_spam_consultation.cgim
#
#Copyright (c) 2019 Kevin A. McGrail and the McGrail Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# NOTE: You should also grab a file we use of some various rules at
#       https://www.mcgrail.com/downloads/nonKAMrules.cf

# And realize that we have numerous internal rules so not every rule will be
# useful but we try and encapsulate those in a KAMOnly defined loop.

# COURTESY OF Marcin Mirosław
body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
meta KAM_MM_FOREX __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
score KAM_MM_FOREX 2.5
describe KAM_MM_FOREX Polish-language spam from the Forex botnet

#PHISHING TEST
rawbody KAM_PHISH1 /u style="cursor: pointer"/
describe KAM_PHISH1 Test for PHISH that changes the cursor
score KAM_PHISH1 0.01

header __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank/i
body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert/i
body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
endif
meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
score KAM_PHISH4 3.5
describe KAM_PHISH4 Another phishing attempt

#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
body __KAM_REAL1 /(^|\b)RE market/is
body __KAM_REAL2 /(crashing|declining)/i
body __KAM_REAL3 /(vacation|second) (home|place)/is
meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe KAM_REAL Real Estate or Re-Finance Spam
score KAM_REAL 0.5

#REFINANCE SCAM EMAILS
header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
describe KAM_REFI Real Estate / Re-Finance Spam
score KAM_REFI 3.0
meta KAM_REFI2 (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
describe KAM_REFI2 Real Estate / Re-Finance Spam
score KAM_REFI2 2.75

#KAM ERADICATE DEBTS
body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is
meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe KAM_DEBT Debt eradication spams
score KAM_DEBT 2.5
meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe KAM_DEBT2 Likely Debt eradication spams
score KAM_DEBT2 1.0

#XtraSize+ Penis Enlargement Scam
header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i
meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
describe KAM_SILD Simple rule to block one more enhancement message
score KAM_SILD 5.0

#if (version < 3.002000)
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
# #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
# header __KAM_NUMBER1 Subject =~ /^\d+$/
# body __KAM_NUMBER2 /\d{1,6}/
# header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
#
# meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
# describe KAM_NUMBER Silly Number Emails
# score KAM_NUMBER 1.0
#endif

#KAM MEDICATION KAM_OVERPAY
body KAM_OVERPAY /O . V . E . R . P . A . Y/i
describe KAM_OVERPAY Common Medicinal Ad Trick
score KAM_OVERPAY 3.5

#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
body KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA1 3.0

#VIAGRA AD 2
body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA2 3.1

#VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
#body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
#describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
#score KAM_VIAGRA3 3.1

#VIAGRA AD 4
body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
body __KAM_VIAGRA_FPS /via gra|i augur/i
meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA4 3.1

#VIAGRA AD 5
body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA5 3.1

#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
#Also added a few more boundary checks thanks to Daniele Duca
body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header __KAM_VIAGRA6E From =~ /Viagra|Cialis(\b|$)/i
meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA6 3.1

#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
body __KAM_VIAGRA7A /V[ij]+AGRA/i
body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
body __KAM_VIAGRA7D /VAL[ij]+UM/i
meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA7 3.1

#VIAGRA AD 8
body __KAM_VIAGRA8A /VI...?AGRA/i
body __KAM_VIAGRA8B /AM...?BIEN/i
body __KAM_VIAGRA8C /VA...?LIUM/i
body __KAM_VIAGRA8D /CI...?ALIS/i
meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA8 5.1

#VIAGRA AD 9
body __KAM_VIAGRA9A /V[IL1]A..GRA/i
body __KAM_VIAGRA9B /AMB..IEN/i
body __KAM_VIAGRA9C /VAL..IUM/i
body __KAM_VIAGRA9D /C[IL1]A..LIS/i
meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA9 5.1

#VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
header __KAM_VIAGRA10A From =~ /male enhancement|mens.renewal/i
header __KAM_VIAGRA10B Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i
meta KAM_VIAGRA10 (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
describe KAM_VIAGRA10 Male enhancement spam with no content
score KAM_VIAGRA10 8.0

#NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
header __KAM_NITROXIN1A From =~ /nitroxin/i
meta KAM_NITROXIN1 (__KAM_NITROXIN1A >= 1)
describe KAM_NITROXIN1 Another variant of Viagra spam
score KAM_NITROXIN1 8.0

#RE[#] SPAM
#NOTE: Thanks to Jason Haar for pointing out that I was only doing >=1!
header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe KAM_RE Subject of Re[0]: etc prevalent in Spam
score KAM_RE 2.0
meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
score KAM_RE_PLUS 4.0

#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#Thanks to Michael Denney for the FP report
header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is
meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
score KAM_HOODIA 3.0

#STOCK TIPS
##1 through 120 disabled 5-12-2014 due to age
##body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
##body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
##body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
##body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
##body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
##body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
##body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
##body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
##body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
###THANKS TO HOMER PARKER FOR THE FALSE POSITIVE NOTE!
##body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
##body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
##body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
##body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
##body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
##body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
##body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
##body __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
##body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
##body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
##body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
##body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
##body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
##body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
##body __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
##body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
##body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
##body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
##body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
##body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
##body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
##body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
##body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
##body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
##body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
##body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
##body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
##body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
##body __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
##body __KAM_STOCKTIP39 /Premium Petroleum/is
##body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
##body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
##body __KAM_STOCKTIP42 /DPEK/i
###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
##body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
##body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
##body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
##body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
##body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
###DISABLED DUPLICATE OF 40
###body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
##body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
##body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
##body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
##body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
##body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
##body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
##body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
##body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
##body __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
##body __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
##body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
##body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
##body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
##body __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
##body __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
###DISABLED FOR FALSE POSITIVES AND AGE
###body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
##body __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
##body __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
##body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
##body __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
##body __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
##body __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
##body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
##body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
###FP FIXED THANKS TO Christopher X. Candreva
##body __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
##body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
##body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
##body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
##body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
##body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
##body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
##body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
##body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
##body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
##body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
##body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
##body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
##body __KAM_STOCKTIP89 /UTEV/i
##body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
##body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
##body __KAM_STOCKTIP92 /CBRJ/i
##body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
##body __KAM_STOCKTIP94 /GTAP/i
##body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
###FP FIXED THANKS TO BRETT GARRETT
##body __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
##body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
##body __KAM_STOCKTIP98 /PLMA/i
##body __KAM_STOCKTIP99 /CDYV/i
##body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
###Added boundary check thanks to Michael Denney
##body __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
##body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
##body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
##body __KAM_STOCKTIP104 /ASVP/is
##body __KAM_STOCKTIP105 /CHVC/is
##body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
##body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
##body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
##body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
###DUPLICATED STOCKTIP #51
###body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
##body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
###FP Fixed thanks to Greg Troxel
##body __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
##body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
###FP FIXED THANKS TO Antonio Falzarano
##body __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
##body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
##body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
##body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
###FALSE POSITIVE ON DANSREALESTATE.
##body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
##body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
##body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
#FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
body __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
#Added boundary check thanks to Michael Denney
body __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
body __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
body __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
body __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
body __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
body __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
body __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
#FP IN French email on 3/2/2017
#body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
body __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
body __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)B.?Z.?I.?C(\b|$)/is
body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
body __KAM_STOCKTIP151 /Alanco Tech/i
body __KAM_STOCKTIP152 /Siga Resources/i
body __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
body __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
body __KAM_STOCKTIP155 /Alanco Technologies/is
body __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
body __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
body __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
body __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
body __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
body __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
body __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
body __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
body __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
body __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
body __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
body __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Management|Quest Science Management Gate)(\b|$)/is
body __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
body __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s

body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
header __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
body __KAM_INSTOCK /in stock/i

# ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
meta KAM_STOCKTIP (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP157 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
score KAM_STOCKTIP 7.1

#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score __KAM_STOCK3 0.1
describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol

#GENERIC STOCK RULE
meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
score KAM_STOCKGEN 1.5

#KAM STOCK RULE #2
body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
body __KAM_STOCK2_3 /stock/i
body __KAM_STOCK2_4 /trader|investor|analyst|royalties/i
header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
header __KAM_STOCK2_6 From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i
meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
score KAM_STOCK2 2.5
describe KAM_STOCK2 Another Round of Pump & Dump Stock Scams

#JUDGEMENTS
body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body __KAM_JUDGE3 /collect your money/is
body __KAM_JUDGE4 /judgment/i
#FULL-WEIGHT
header __KAM_JUDGE5 Subject =~ /judgment/i
meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
score KAM_JUDGE 2.5

#MEDS
body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body __KAM_MED2 /\d\d ?%/
describe KAM_MED Economizing your meds spam
meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
score KAM_MED 1.5

#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
describe KAM_MED2 More Medical SPAM
meta KAM_MED2 (__KAM_MED2_1 >= 1)
score KAM_MED2 1.0

#TIME PIECE
header __KAM_TIME1 Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
#0.50 WEIGHTED TESTS
body __KAM_TIME2 /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header __KAM_TIME3 Subject =~ /(\b|^)(time|watch)(\b|$)/i
body __KAM_TIME4 /(\b|^)(time|watch)(\b|$)/i
body __KAM_TIME5 /(funny|low) price|treat.yourself/i
#REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
meta KAM_TIME __KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
score KAM_TIME 3.0

meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
describe KAM_TIMEGEO Email references geocities & wrist watch sales
score KAM_TIMEGEO 3.5

#YOUR HOME
body __KAM_HOME1 /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
body __KAM_HOME2 /Build your equity faster|refund is not reversible|rent.to.own/i
body __KAM_HOME3 /tax saving plans|\d+K Mortgage Credit|no.more.of/i
header __KAM_HOME4 From =~ /rent.?and.?own|rent.own.list/i
header __KAM_HOME5 Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i
meta KAM_HOME (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
describe KAM_HOME Mortage & Refinance Spam Rule
score KAM_HOME 3.5

#UNIVERSITY RULE
body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
body __KAM_UNIV5 /novelty (degree|use)/is
body __KAM_UNIV6 /verifiable University Degree/is
body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
body __KAM_UNIV8 /Career Path/is
body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
body __KAM_UNIV14 /(earn a|full) transcript/is
body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body __KAM_UNIV18 /100% discrete/is
body __KAM_UNIV1B /\d (months|weeks)/i
body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
body __KAM_UNIV6B /DIP\sLOMA/
meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe KAM_UNIV Diploma Mill Rule
score KAM_UNIV 4.5

#URUNIT
body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
describe KAM_URUNIT Recent penile and body enhancement spams
score KAM_URUNIT 0.5

#UR ZEST
body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe KAM_URZEST Recent penile and body enhancement spams
score KAM_URZEST 3.0

#JOB LET GO
body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body __KAM_JOB2 /twice as much/is
meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
describe KAM_JOB People let go, work at home, earn billions!
score KAM_JOB 4.3

#PERIMETERPARK
body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
score KAM_PERPARK 2.5

#HOLLYWOOD WAY
body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
score KAM_HOLLY 2.5

#PUMP & DUMP STOCK GRAPHICS
header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
describe KAM_STOCKG Graphical Pump and Dump Scams
score KAM_STOCKG 3.0

#CEP Diploma Mill
body __KAM_CEP1 /Job Prospect Newsletter|training.workshop/i
body __KAM_CEP2 /legitimate verifiable degree|build a better you|domain.knowledge/i
body __KAM_CEP3 /Career Education program|customize a learning program|certified.instructor/i
body __KAM_CEP4 /(MBA|CEP)/
body __KAM_CEP5 /degree\/certificates|certification/i
body __KAM_CEP6 /\d (week|month)/i
header __KAM_CEP7 From =~ /certificate program/i
meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
describe KAM_CEP CEP Diploma Mill Rule
score KAM_CEP 3.5

#Commented since 3.2.0 is pretty old now
#if (version < 3.200000)
# #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
# meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
# describe KAM_BLANK01 Blank emails
# score KAM_BLANK01 1.0
#
# #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
# meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
# describe KAM_BLANK02 Blank emails with MTA Headers
# score KAM_BLANK02 1.0
#endif

#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken (T_GEO_QUERY_STRING)
uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
score KAM_GEO_STRING2 4.7

#KAM GOOGLE SPAM
uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
score KAM_GOOGLE_STRING 1.0

#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011
score KAM_MSNBR_REDIR 5.0

#KAM MSN SPAM
uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score KAM_MSN_STRING 2.5

#KAM LIVEJOURNAL SPAM
uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta KAM_LIVE (__KAM_LIVE1)
describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
score KAM_LIVE 1.0

#KAM PAGE.TL SPAM - idea from Benny Pedersen
uri __KAM_PAGE1 /^http:\/\/.{0,20}\.(page\.tl)/i
meta KAM_PAGE (__KAM_PAGE1)
describe KAM_PAGE Page.TL likely spam (Nov 2011)
score KAM_PAGE 2.0

# This rule is to mark emails using the exploit of the URI parsing
uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
score KAM_URIPARSE 7.0

#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
#describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
#score KAM_EBAYREDIR 7.0

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
#
#
#What is the correct syntax for AOL e-mail addresses?
#The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
#Valid AOL e-mail addresses can not:
#Be shorter than 3 or longer than 16 characters.
#Begin with numbers.
#Contain punctuation of any kind (such as periods, underscores, or dashes).
#
#
#2017-10-24 upon evidence that AOL no longer follows their syntax.
#Awaiting an updated version however KAM predicts that with the merger that this
#is likely to accommodate other systems like Verizon coming under the same infrastructure.

#UPDATED 2018-02-20
#THANKS to Angel from 16bits for this research:
#Based on tests at https://i.aol.com/reg/signup shows:
#
#Username cannot
#
#a) "Be shorter than 3"
# This is being enforced: «Please make sure that the username field is at
#least 3 characters long
#
#b) or longer than 16 characters.
#The userName field has a maxlength of 32
#(intriguingly, there's also a hidden usernameEmail of up to 97
#characters)
#
#c) Begin with numbers.
#This is being enforced «Your username must begin with a letter.»
#
#d) Contain punctuation of any kind (such as periods, underscores, or
#dashes).
#Both periods and underscores are accepted (they are even offered in the
#dropbox), dashes are not.
#«Your username may not contain characters such as @, !, * or $.»
#
#Periods and underscores may not begin or end the username, or be
#consecutive (not between themselves), ie. these two characters may only
#appear when surrounded by alphanumeric ones.
#
#(this condition for periods actually comes from rfc5321, assuming you
#want to avoid quoting the local part)
#
#
#Basically, it seems they added . and _ to the allowed characters, and
#doubled the username size.
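#
# Added example (not part of KAM.cf and not part of the research quoted above): the AOL From:addr
# patterns this ruleset defines, re-run in Python beside a validator built from the username rules
# listed in these notes, to show which addresses the two treat differently. The sample addresses are
# constructed, and the 32-character limit is the form-field maxlength the notes report.

```python
import re

# The five From:addr patterns from this ruleset's AOL check, flags as written.
# SpamAssassin header rules are unanchored Perl matches, so re.search is used.
KAM_AOL = re.compile(r"\@aol\.(com|co\.uk)", re.I)
KAM_GOODAOL1 = re.compile(r"^[a-z].{2,15}\@aol\.(com|co\.uk)", re.I)
KAM_BADAOL_PATTERNS = (
    re.compile(r"[-\!\*\$].*\@aol\.(com|co\.uk)"),      # __KAM_BADAOL1
    re.compile(r"(\.\.|__).*\@aol\.(com|co\.uk)"),      # __KAM_BADAOL2
    re.compile(r"(\.|_)\@aol\.(com|co\.uk)", re.I),     # __KAM_BADAOL3
)

# Username syntax as read from the notes (an interpretation, not AOL's code):
# begins with a letter, letters and digits otherwise, '.' and '_' only when
# surrounded by alphanumerics, between 3 and 32 characters.
RESEARCHED_LOCAL = re.compile(r"[a-z][a-z0-9]*(?:[._][a-z0-9]+)*", re.I)
MIN_LEN, MAX_LEN = 3, 32


def kam_verdict(addr, spf_pass=False):
    """Evaluate the KAM_BADAOL and KAM_GOODAOL meta expressions for one address."""
    aol = bool(KAM_AOL.search(addr))
    good1 = bool(KAM_GOODAOL1.search(addr))
    bad_hits = sum(bool(p.search(addr)) for p in KAM_BADAOL_PATTERNS)
    bad = (aol and not good1) or bad_hits >= 1
    good = aol and good1 and not bad and spf_pass
    return {"KAM_BADAOL": bad, "KAM_GOODAOL": good}


def researched_valid(local):
    """True if the local part satisfies the signup-form rules listed in the notes."""
    return (MIN_LEN <= len(local) <= MAX_LEN
            and RESEARCHED_LOCAL.fullmatch(local) is not None)


# Constructed sample addresses, not taken from real mail.
SAMPLES = [
    "jsmith@aol.com",
    "john.smith@aol.com",
    "1john@aol.com",                      # begins with a digit
    "ab@aol.com",                         # shorter than 3
    "john..smith@aol.com",                # consecutive periods
    "john_@aol.com",                      # ends with underscore
    "john-smith@aol.com",                 # dash
    "a.very.long.username.here@aol.com",  # 25 characters
    "john._smith@aol.com",                # '.' directly followed by '_'
    "john#smith@aol.com",                 # punctuation outside BADAOL1's class
    "someone@example.com",                # not AOL, skipped by the comparison
]


def disagreements(addrs):
    """Return AOL addresses where the rule verdict and the researched syntax differ.

    A disagreement is either a researched-valid address that KAM_BADAOL flags
    (false-positive risk at score 7.0) or a researched-invalid one it misses.
    """
    out = []
    for addr in addrs:
        if not KAM_AOL.search(addr):
            continue
        local = addr.rsplit("@", 1)[0]
        flagged = kam_verdict(addr)["KAM_BADAOL"]
        valid = researched_valid(local)
        if flagged == valid:
            out.append((addr, flagged, valid))
    return out


if __name__ == "__main__":
    for addr, flagged, valid in disagreements(SAMPLES):
        kind = "flagged but valid" if flagged else "invalid but not flagged"
        print(f"{addr}: {kind}")
```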
#
#
#The error messages at
#https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
#
#"Please make sure that the username field is at least 3 characters
#long."
#"Please make sure that the username field is at least 3 characters
#long."
#"Your username may not exceed "+regPageData.snMax+" characters."
#"Your username must begin with a letter."
#"Your username may not contain characters such as @, !, * or $.",
#"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
#"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
#"Usernames cannot end with a dot (.) or underscore (_)."
#"Usernames cannot have consecutive dots (..) or underscores (__)."
#
#"Please make sure that the email address is at least 3 characters long."
#"Your email address may not exceed 97 characters."

header __KAM_AOL From:addr =~ /\@aol\.(com|co\.uk)/i
# username portion must be between 3 & 16 chars, starting with a letter
header __KAM_GOODAOL1 From:addr =~ /^[a-z].{2,15}\@aol\.(com|co\.uk)/i
# certain punctuation not allowed - This is likely not exhaustive
header __KAM_BADAOL1 From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/
# no consecutive periods or underscores
header __KAM_BADAOL2 From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/
# cannot end with . or underscore
header __KAM_BADAOL3 From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i
meta KAM_BADAOL (__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
describe KAM_BADAOL Invalid AOL Address
score KAM_BADAOL 7.0

meta KAM_GOODAOL __KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL) && SPF_PASS
describe KAM_GOODAOL Valid AOL Email Address
score KAM_GOODAOL -1.0

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header KAM_ADV_EMAIL From:addr =~ /adv\@/i
describe KAM_ADV_EMAIL Marks adv@ Addresses as likely SPAM
score KAM_ADV_EMAIL 5.0

#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck)/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\#ck|F\*ck_|find milfs/i
header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
body __KAM_SEX_EXPLICIT6 /virus on a porn web/i
meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
score KAM_SEX_EXPLICIT 16.0

#SOLICITING AFFAIR SPAM
header __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
header __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
rawbody __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
rawbody __KAM_SEX_AFFAIR4 /looking.for.affair/i
meta KAM_SEX_AFFAIR (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
describe KAM_SEX_AFFAIR Subject or body soliciting an affair
score KAM_SEX_AFFAIR 8.0

#KAM_TELEWORK
body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
body __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
body __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
header __KAM_TELEWORK8 From =~ /training|online/i
meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
describe KAM_TELEWORK Stupid telework and training scams
score KAM_TELEWORK 3.0

#Changed to meta 2017-10-17
#2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|bid|press|top|date)$/i
uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|bid|press|top|date)($|\/)/i
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid & .date TLD Abuse
score KAM_SOMETLD_ARE_BAD_TLD 5.0

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #TESTING RULE
  body KAM_LOCAL_TEST1 /myspamtest12341234/
  describe KAM_LOCAL_TEST1 This is a unique phrase to trigger a + score
  score KAM_LOCAL_TEST1 50

  #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
  header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
  describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
  score KAM_RPTR_FAILED 6.0

  header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
  meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
  describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
  score KAM_RPTR_SUSPECT 2.45

  #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
  header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
  meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
  describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
  score KAM_RPTR_PASSED -1.0

  header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
  describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
  score KAM_RPTR_MISSING 9.0

  #DWDTECHSPAM /ETC
  header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
  describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
  score KAM_RPTR_BADHOST 9.0

  #CUSTOM SCORES THAT KAM LIKES
  #score SARE_GIF_ATTACH 3.0
  score CHARSET_FARAWAY_HEADER 1.6
  score MIME_CHARSET_FARAWAY 1.25
  score FH_FROM_CASH 2.0
  score EWG_BAD_40 1.5
  score EWG_BAD_47 1.5
  score EWG_BAD_54 1.5
  score FREEMAIL_ENVFROM_END_DIGIT 1.0
  score FREEMAIL_REPLYTO 1.0
  score KHOP_BIG_TO_CC 1.5
  score URIBL_DBL_SPAM 5.0
  score AC_HTML_NONSENSE_TAGS 4.0

  #ENABLING DNSWL - BUG 6668
  score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
  score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
  score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
  score RCVD_IN_DNSWL_HI 0 -5 0 -5

  #COMPLETE WHOIS IS DOWN
  #score __RCVD_IN_WHOIS 0
  #score RCVD_IN_WHOIS_INVALID 0
  #score URIBL_COMPLETEWHOIS 0

  #Custom subject whitelist
  #header FRANCHISE_JERRY Subject =~ /: (Franchise Application|Request Franchise Information)$/i
  #score FRANCHISE_JERRY -99.0
  #describe FRANCHISE_JERRY Jerry's Franchise Application or Request

  header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
  describe KAM_INVALID_FROM From header missing host portion
  score KAM_INVALID_FROM 4.0

  #RAPTOR ALTERED EMAILS
  body __KAM_RAPTOR1 /altered by our Raptor filters/i
  header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
  meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
  describe KAM_RAPTOR PCCC Raptor altered the email
  score KAM_RAPTOR 3.5

  #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
  score RCVD_IN_NJABL_CGI 0
  score RCVD_IN_NJABL_MULTI 0
  score RCVD_IN_NJABL_PROXY 0
  score RCVD_IN_NJABL_RELAY 0
  score RCVD_IN_NJABL_SPAM 0
  score __RCVD_IN_NJABL 0
  if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
    dns_query_restriction deny njabl.org
  endif

  #KAM Bad Attach
  header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
  describe KAM_BADATTACH Mail contains a bad attachment
  score KAM_BADATTACH 15.0

  #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
  #score URIBL_RHS_DOB 0.0
else
  # no KAMOnly, stub rules
  meta KAM_RAPTOR 0
  score KAM_RAPTOR 0
  meta CBJ_GiveMeABreak 0
  score CBJ_GiveMeABreak 0
  meta KAM_RPTR_SUSPECT 0
  score KAM_RPTR_SUSPECT 0
  meta KAM_RPTR_FAILED 0
  score KAM_RPTR_FAILED 0
  meta KAM_RPTR_PASSED 0
  score KAM_RPTR_PASSED 0
endif

#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
score KAM_6C822ECF 7.0

#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe KAM_MUSTREAD Subject indicative of a SPAM message
score KAM_MUSTREAD 1.25

body __KAM_DRILL1 /drilling/i
body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body __KAM_DRILL4 /(buy today|Check this deal out)/i
meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe KAM_DRILL Oil Drilling SPAM
score KAM_DRILL 1.5

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
  header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
  describe KAM_IFRAME Email contained Iframe, Object or Script tags
  score KAM_IFRAME 1.0

  body KAM_IFRAME2 /you need a browser with javascript/i
  describe KAM_IFRAME2 Email contains phrase instructing javascript use
  score KAM_IFRAME2 1.0

  meta KAM_IFRAME3 (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
  score KAM_IFRAME3 5.0
  describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment

  #XEROX SCANS
  header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
  meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR >= 2)
  score KAM_XEROX 5.0
  describe KAM_XEROX Likely Fake Xerox Attachment
else
  # no KAMOnly, stub rules
  meta KAM_IFRAME 0
  score KAM_IFRAME 0
endif

#STUPID REMOVE "*" to make the link working.
body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
meta KAM_STAR (__KAM_STAR1 >= 1)
describe KAM_STAR Stupid Obfuscated Link SPAMs
score KAM_STAR 2.0

#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATTED ALL THE SAME.
body __KAM_SPAMKING1 /This advertisement is presented by/is
body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
score KAM_SPAMKING 1.0

#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
score KAM_SPAMJDR 2.0

meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
score KAM_COMBOJDR 5.0

#LOTTO CRUD
body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
body __KAM_LOTTO4 /(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
body __KAM_LOTTO5 /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)/is
body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email/is
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number)/i
header __KAM_LOTTO8 From =~ /Lottery|powerball|western.union/i
header __KAM_LOTTO9 Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i

meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
score KAM_LOTTO1 0.5

meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
score KAM_LOTTO2 1.0

meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
score KAM_LOTTO3 2.0

#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
body __KAM_ABOUT2 /Spyware/i
meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
describe KAM_ABOUT Email Scam Hawking Anti-Spyware
score KAM_ABOUT 1.0

#EMAIL ADVERTISING
body __KAM_ADVERT1 /email advertising|\d{3}%.roi/is
body __KAM_ADVERT2 /instant traffic (to your website|and sales)|demand.generation/is
body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i
meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
score KAM_ADVERT 2.5

#DOMAIN ADVERTISING
body KAM_ADVERT3 /AllExpiringDomains.com/i
describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
score KAM_ADVERT3 5.0

#ADVERTISEMENT
body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment/is
describe KAM_ADVERT2 This is probably an unwanted commercial email...
score KAM_ADVERT2 0.75

#ONE LINE ADVERTISEMENTS
body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe KAM_1LINE One liner SPAMs
score KAM_1LINE 2.5

#CAN SPAM
body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
score KAM_CANSPAM 1.0

#GIFTS / GIFT CARDS
body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
body __KAM_GIFT5 /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i
meta KAM_GIFT ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
describe KAM_GIFT Gift Card Scams
score KAM_GIFT 3.5
meta KAM_GIFT2 ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
describe KAM_GIFT2 Gift Card Scams
score KAM_GIFT2 3.5

#MYSTERY SHOPPER
body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
body __KAM_SHOP2 /Do you like to shop/is
body __KAM_SHOP3 /make money while you shop/is
meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe KAM_SHOP Mystery Shopper Scams
score KAM_SHOP 2.0

#FAST CASH
rawbody __KAM_FAST1 /make fast cash in real estate/is
meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
score KAM_FAST 1.8

#BIZ CARDS FREE!
body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe KAM_BIZ Free Business Card Emails
score KAM_BIZ 2.5

#FDA
body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
body __KAM_FDA3 /FDA Recall/i
meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
score KAM_FDA 0.5

#WEIGHT LOSS
body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
#rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i

#ANATRIM / GREEN TEA / CORTITHERM / ETC
body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i
meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
describe KAM_ANA Likely Weight-loss / Medical Spam
score KAM_ANA 3.0
meta KAM_ANA2 (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
describe KAM_ANA2 Higher probability of Weight-loss / Medical Spam
score KAM_ANA2 3.5

#REPLACE
body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
body __KAM_REP2 /www\s+[-!~\.]/i
body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
body __KAM_REP3_1 /\*omit empty spaces/is
body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe KAM_REPLACE Spams that use obfuscated URLs with instructions
score KAM_REPLACE 2.0

#EVEN MORE NIGERIAN SCAMS AND VARIANTS
body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i
meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe KAM_NIGERIAN Nigerian Scam and Variants
score KAM_NIGERIAN 2.5

#I LIKE YOUR SPAM
body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
body __KAM_LIKE4 /HTML code for the link/is
body __KAM_LIKE5 /I apologize if this message was sent, in error/is
meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe KAM_LIKE I like your website link exchange spam
score KAM_LIKE 2.0

#PUBLICLY AVAILABLE LISTS?
body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
score KAM_PUBLIC 9.0

#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
score KAM_SEX 7.0
meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)

#STUPID PICTURE SPAMS
body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
describe KAM_PIC Share Pictures and Chat SPAM
score KAM_PIC 3.5
meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)

#STUPID MAILING LIST SPAMS
body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
body __KAM_LIST3 /price\:|prices for our director/is
body __KAM_LIST4 /(?:database|list|[\d,]+ (total records|e-?mails))/is
body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i
describe KAM_LIST Mailing List Database SPAM
score KAM_LIST 3.0
meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)

#YET MORE DRUG SCAMS
body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
describe KAM_DRUG More Viagra, Medicine, et al Scams
score KAM_DRUG 2.5
meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)

#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
# I'D LIKE TO TEST THIS WITH ONE RULE BUT HAVEN'T FIGURED OUT HOW.
# RIGHT NOW, ONE URL THAT IS BAD
# AND ONE THAT IS GOOD WILL PASS :-( I'D LIKE TO FIX THAT
rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168|10\.)/i
rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
score KAM_BADIPHTTP 2.0
meta KAM_BADIPHTTP (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)

body __KAM_HIDDEN_URI1 /\[DOT\]com/is
body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe KAM_HIDDEN_URI URI obfuscation techniques
score KAM_HIDDEN_URI 4.0

#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody __KAM_INFOUSMEBIZ1 /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz)$/i
header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz)>?$/i
meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score KAM_INFOUSMEBIZ 0.75
describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware

# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
rawbody __KAM_OTHER_BAD_TLD1 /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
header __KAM_OTHER_BAD_TLD2 From:addr =~ /\.(click|work|rocks|science|club)$/i
header __KAM_OTHER_BAD_TLD3 Return-Path =~ /\.(click|work|rocks|science|club)>?$/i
meta KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score KAM_OTHER_BAD_TLD 0.75
describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs

#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice
score KAM_CARD 3.5
meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)

#INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
header __KAM_INSURE3 From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
body __KAM_INSURE4 /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i
describe KAM_INSURE Life, Health, Auto, etc. Insurance SPAMs
score KAM_INSURE 2.5
meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)
describe KAM_INSURE2 Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
score KAM_INSURE2 2.5
meta KAM_INSURE2 (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)

#HEALTH INSURANCE
body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i
describe KAM_HEALTH Health/Life Insurance Spam Emails
score KAM_HEALTH 3.0
meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)

#HEALTH INSURANCE
body __KAM_HEALTH2_1 /affordable health coverage/i
header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
describe KAM_HEALTH2 Health Insurance Spam Emails
score KAM_HEALTH2 3.0
meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)

#HEALTH INSURANCE
header __KAM_HEALTH3_1 Subject =~ /Term Life Coverage/i
header __KAM_HEALTH3_2 Subject =~ /\d\d\/mo/i
header __KAM_HEALTH3_3 From =~ /fidelity/i
describe KAM_HEALTH3 Term Life Insurance Spam
score KAM_HEALTH3 3.0
meta KAM_HEALTH3 (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)
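
# Added example (not part of KAM.cf or the author's rules): a Python emulation of the KAM_BADIPHTTP meta defined earlier in this file, showing the case its comment describes, where one bad and one good URL in the same message pass, next to a single pattern with a negative lookahead that judges each URL on its own.
# The sample bodies, the function names and the rule name KAM_EXAMPLE_PUBLIC_IPHTTP are constructed for illustration.

```python
import re

# The page's two rawbody patterns, copied from __KAM_IPHTTP and __KAM_GOODIPHTTP.
IPHTTP = re.compile(r"https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", re.I)
GOODIPHTTP = re.compile(r"https?:\/\/(192\.168|10\.)", re.I)

# Single-pattern alternative (hypothetical, not in KAM.cf). The negative
# lookahead rejects a host that starts with one of the page's two "good"
# prefixes, so a private URL can no longer cancel out a public one.
# Written as a SpamAssassin rule it would read:
#   rawbody KAM_EXAMPLE_PUBLIC_IPHTTP /https?:\/\/(?!192\.168|10\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
PUBLIC_IPHTTP = re.compile(
    r"https?:\/\/(?!192\.168|10\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", re.I
)


def hit(pattern, message):
    """Without 'tflags multiple' a rule adds 1 to a meta once it has matched
    anywhere in the message, however many URLs it matches."""
    return 1 if pattern.search(message) else 0


def meta_as_written(message):
    """meta KAM_BADIPHTTP (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)"""
    return hit(IPHTTP, message) - hit(GOODIPHTTP, message) >= 1


def single_rule(message):
    """The lookahead pattern on its own, with no meta arithmetic."""
    return hit(PUBLIC_IPHTTP, message) >= 1


# Constructed sample bodies. The public addresses come from the RFC 5737
# documentation ranges; the private ones match the page's "good" prefixes.
SAMPLES = {
    "public_only": "Your card is waiting: http://203.0.113.7/index.html",
    "private_only": "Intranet wiki moved to http://192.168.1.10/wiki",
    "mixed": "Portal http://10.0.0.5/ and card http://198.51.100.20/index.html",
    "no_ip_url": "See https://www.example.com/offer for details",
}


def compare(samples=SAMPLES):
    """Return {name: (meta_as_written, single_rule)} for each sample body."""
    return {
        name: (meta_as_written(body), single_rule(body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (meta_fires, single_fires) in compare().items():
        print(f"{name:13} meta={meta_fires!s:5} single={single_fires}")
```
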
#REAL ESTATE INVESTMENT SCAMS
body __KAM_REAL2_1 /(?:Property available|on the water|costa rica|mountain.top)/i
body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body __KAM_REAL2_4 /(?:home sites|raw land|vacation home|wooded.property)/i
body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i
describe KAM_REAL2 Real-estate investment scams
score KAM_REAL2 1.0
meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)

#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
ifplugin Mail::SpamAssassin::Plugin::PDFInfo
  #Thanks to Ben Lentz for pointing out a lint error with this.
  describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
  score KAM_BADPDF 2.5
  header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
  describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
  score KAM_BADPDF1 2.5
  meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
  #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
  describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
  score KAM_BADPDF2 2.5
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
  else
    meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
  endif
endif

#FAKE PDF READER/WRITE
body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
body __KAM_FAKEPDF2 /Reader 2010/is
header __KAM_FAKEPDF3 From =~ /adobe/is
header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
describe KAM_FAKEPDF Fake PDF Reader / Writer
score KAM_FAKEPDF 4.0

#VACU AND VARIOUS PHISHING SCAMS
#SUBJECTS
header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
#BANKS
body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
#BAD LINKS
rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
#STUPID STATEMENTS
body __KAM_PHISH2_4 /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
body __KAM_PHISH2_5 /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
body __KAM_PHISH2_6 /confirm your online banking details|payment.advice|online.fraud|billing.information/i
body __KAM_PHISH2_7 /extra security check|security.tip/i
describe KAM_PHISH2 Prevalent Phishing Scam emails
score KAM_PHISH2 2.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
else
  meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
endif

#CRAZY HEX EMPTY MESSAGE
body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
header __KAM_HEX2 Subject =~ /^\d{5,6}$/
describe KAM_HEX Crazy Empty Hex Messages
score KAM_HEX 5.5
meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)

#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
header KAM_THEBAT X-Mailer =~ /The Bat!/i
describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
score KAM_THEBAT 1.9

#MAILER BUGS
body __KAM_MAILER1 /{!firstname_fix}/i
meta KAM_MAILER (__KAM_MAILER1 >= 1)
score KAM_MAILER 2.0
describe KAM_MAILER Automated Mailer Tag Left in Email

#YET ANOTHER NIGERIAN SCAM VARIANT
body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
body __KAM_CHECK2 /let me know when you recieve your money/i
describe KAM_CHECK Another Nigerian Bank Draft Scam
score KAM_CHECK 3.0
meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)

#SEE OPRAH LIVE!
body __KAM_OPRAH1 /airfare/i
body __KAM_OPRAH2 /hotel/i
body __KAM_OPRAH3 /oprah/i
header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
score KAM_OPRAH 2.5
meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)

#EBAY TIPS
body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
describe KAM_EBAY SPAMs re: eBay Auction Tips
score KAM_EBAY 3.5
meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)

#GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
body __KAM_GAS2 /We have a solution|save \d+ cents per gallon|competitive rewards/i
header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
header __KAM_GAS4 From =~ /gas/i
describe KAM_GAS SPAMs re: High Gas Prices
score KAM_GAS 4.5
meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)

#WEIRD BODY MESSAGES
body KAM_BODY /{_BODY_HTML}/i
score KAM_BODY 1.0
describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting

#FREE TV, SATELLITE, CABLE INTERNET, ETC
body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i
meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score KAM_TV 3.0
describe KAM_TV Free TV/Cable/etc. Scams
meta KAM_TV2 (KAM_TV + KAM_INFOUSMEBIZ >=2)
score KAM_TV2 3.5
describe KAM_TV2 Higher probability of Free TV/Cable/etc. Spams

#DEGREE SPAMS
body __KAM_CAREER1 /Hospitals need you|Medical Billing and Coding|medical.coding/is
body __KAM_CAREER2 /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
body __KAM_CAREER3 /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is
meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
score KAM_CAREER 5.0
describe KAM_CAREER Spam for Career/Diploma Mills

#NURSE SPAMS
header __KAM_NURSE1 From =~ /nursing|nurses|health.?care/i
header __KAM_NURSE2 Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
body __KAM_NURSE3 /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i
meta KAM_NURSE (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
score KAM_NURSE 3.0
describe KAM_NURSE Spam for Career/Diploma Mills

#PILLS
header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
score KAM_PILLS 4.0
describe KAM_PILLS Spam for scam pharmacy

#PILLS 2.0
header __KAM_PILLS2_1 From =~ /Enlarge|Men's Supplement/i
header __KAM_PILLS2_2 From =~ /Free Sample/i
meta KAM_PILLS2 (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
describe KAM_PILLS2 Male enhancement spams
score KAM_PILLS2 2.5

#ALTERNATE EMAIL
body __KAM_ALT1 /reply to my alternative E-?mail/is
meta KAM_ALT (__KAM_ALT1 >= 1)
score KAM_ALT 0.5
describe KAM_ALT Requests use of an alternate email which may indicate spam

#POLITICAL SPAMS
#AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
#Right vs Left
header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special 
election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i header __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2) score KAM_POLITICS 4.5 describe KAM_POLITICS Unsolicited Political E-Mails #SPAMMING COMPANIES #Wall Street Media header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1) score KAM_COMPANY1 5.0 describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be) #MGM,LLC body __KAM_COMPANY2_1 /Member Services MGM, LLC/is meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1) score KAM_COMPANY2 5.0 describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be) ifplugin Mail::SpamAssassin::Plugin::URIDNSBL #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to #Thanks to AXB for his help with these! #2013-10-09 Note # #These RBL's below can contain domains that can cause collateral damage. #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess. 
#And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures. #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists. #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright. #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails. #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com if (version >= 3.003000) #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY util_rb_2tld ning.com util_rb_2tld mygbiz.com util_rb_2tld web.com util_rb_2tld onmicrosoft.com util_rb_2tld online.de util_rb_2tld wix.com util_rb_2tld netdna-cdn.com util_rb_2tld dreamhost.com util_rb_2tld noip.us util_rb_2tld mmsend.com util_rb_2tld cu-portland.edu util_rb_2tld jimdo.com util_rb_2tld doesphotography.com util_rb_2tld isteaching.com endif # allow URI rules to look at DKIM headers if they exist and our SA version supports it if (version >= 3.0040001) parse_dkim_uris 1 endif ifplugin Mail::SpamAssassin::Plugin::KAMOnly #BAD URI IN BODY urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. 
A 127.0.0.4 body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC') describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL) tflags KAM_BODY_URIBL_PCCC net score KAM_BODY_URIBL_PCCC 9.0 if (version >= 3.004001) #BAD URI IN FROM #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests header KAM_FROM_URIBL_PCCC eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.0.4') describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL (https://raptor.pccc.com/RBL) tflags KAM_FROM_URIBL_PCCC net score KAM_FROM_URIBL_PCCC 9.0 endif #MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32 body KAM_BODY_MARKETINGBL_PCCC eval:check_uridnsbl('KAM_MARKETINGBL_PCCC') describe KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL) tflags KAM_BODY_MARKETINGBL_PCCC net score KAM_BODY_MARKETINGBL_PCCC 0.001 if (version >= 3.004001) #MARKETING IN FROM header KAM_FROM_MARKETINGBL_PCCC eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.0.32') describe KAM_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL) tflags KAM_FROM_MARKETINGBL_PCCC net score KAM_FROM_MARKETINGBL_PCCC 0.001 meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC) describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL) score KAM_MARKETINGBL_PCCC 1.0 endif endif if (version >= 3.004001) #Compromised URI - In Body urirhssub KAM_BODY_COMPROMISED_URIBL_PCCC wild.pccc.com. 
A 127.0.1.2 body KAM_BODY_COMPROMISED_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC') describe KAM_BODY_COMPROMISED_URIBL_PCCC Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL) tflags KAM_BODY_COMPROMISED_URIBL_PCCC net score KAM_BODY_COMPROMISED_URIBL_PCCC 9.0 ifplugin Mail::SpamAssassin::Plugin::KAMOnly #Contains a likely good URI but otherwise compromised by malware/hackers header KAM_FROM_COMPROMISED_URIBL_PCCC eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.1.2') describe KAM_FROM_COMPROMISED_URIBL_PCCC From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL) tflags KAM_FROM_COMPROMISED_URIBL_PCCC net score KAM_FROM_COMPROMISED_URIBL_PCCC 9.0 endif endif ifplugin Mail::SpamAssassin::Plugin::KAMOnly #Received - Currently disabled for more research on FPs #header KAM_RCVD_URIBL_PCCC eval:check_rbl_sub('pccc', '^127\.0\.0\.4$') #describe KAM_RCVD_URIBL_PCCC Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL) #tflags KAM_RCVD_URIBL_PCCC net #score KAM_RCVD_URIBL_PCCC 5.0 #Reply-to #NO SOLUTION - Would make a Good Bugzila for a FR #Test for any hits on PCCC URIBL Rules meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1) endif #Test for URIBL Black and Spamhaus DBL per discussion ith Alex Broens meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM) describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL score KAM_VERY_BLACK_DBL 5.0 endif #EMAIL BLACKLIST CHECK FOR PCCC RBL ifplugin Mail::SpamAssassin::Plugin::EmailBL ifplugin Mail::SpamAssassin::Plugin::KAMOnly #uses emailbl -all which is the same as -headers and -bodysafe header KAM_MESSAGE_EMAILBL_PCCC eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64') describe KAM_MESSAGE_EMAILBL_PCCC Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL) tflags KAM_MESSAGE_EMAILBL_PCCC net score KAM_MESSAGE_EMAILBL_PCCC 5.0 endif endif #FAKERBL MX 
RELATED RULES header __KAM_MX1 Reply-To =~ /\@mx\d+\./i header __KAM_MX2 Return-Path =~ /\@mx\d+\./i header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i # Thanks to Markus Clardy for feedback! header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1) describe __KAM_MX Odd prevalence of mx records associated with the FAKERBL Spammers #CHANGED KAMOnly ifplugin Mail::SpamAssassin::Plugin::KAMOnly meta KAM_MX (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2) score KAM_MX 4.0 describe KAM_MX Spammers and MX Rule endif meta KAM_MXINFO (__KAM_MX5) score KAM_MXINFO 1.0 describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers #BAD NAMES body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. 
Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i #GRASS SEED header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3) score KAM_GRASS 2.5 describe KAM_GRASS Spammers hawking lawn products #PED EGG / BELISI / SKIN PRODUCTS header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? 
Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i meta KAM_SKIN (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3) score KAM_SKIN 3.5 describe KAM_SKIN Spammers hawking skin/medical/foot products meta KAM_SKIN2 (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4) score KAM_SKIN2 2.5 describe KAM_SKIN2 Spammers hawking skin/medical/foot products #NEW CAR / WARRANTY SCAMS header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? 
auto insurance|warranty options|afford the car|blowout|auto repair bills)/i body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i header __KAM_CAR4 From =~ /warranty|lender|clearance/i meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2) score KAM_CAR 2.0 describe KAM_CAR Spammers hawking new car, insurance or warranties # MORE NEW CAR SPAMS header __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i header __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i body __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i meta KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3) describe KAM_AUTO Spam for new cars score KAM_AUTO 4.5 #HOME WARRANTY SPAMS header __KAM_WARRANTY1 Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i body __KAM_WARRANTY2 /Protect your home|choice home warranty|unexpected repair/i body 
__KAM_WARRANTY3 /home warrant|complimentary insurance quote/i header __KAM_WARRANTY4 From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3) score KAM_WARRANTY 1.5 describe KAM_WARRANTY Spammers hawking home warranties meta KAM_WARRANTY2 (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2) score KAM_WARRANTY2 3.5 describe KAM_WARRANTY2 Spammers pushing home warranties meta KAM_WARRANTY3 (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4) score KAM_WARRANTY3 1.5 describe KAM_WARRANTY3 Spammers hawking home warranties #AWESOME AUGER header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i body __KAM_AUGER2 /Awesome Auger/i meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2) score KAM_AUGER 4.0 describe KAM_AUGER Spammers hawking Awesome Augers?!? #MOVIE EXTRA header __KAM_MOVIE1 Subject =~ /Movie Extra/i body __KAM_MOVIE2 /Movie Extra/i meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2) score KAM_MOVIE 3.0 describe KAM_MOVIE Spammers hawking Movie Extra positions #DEBT COLLECTION header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i body __KAM_COLLECT2 /No Fee/i body __KAM_COLLECT3 /collection professionals/i body __KAM_COLLECT4 /recovery rate/i meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4) score KAM_COLLECT 5.0 describe KAM_COLLECT Spammers hawking debt collection #SEARCH ENGINE SPAM header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.service|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health/i body __KAM_SEARCH2 /search engine|SEO|bring.traffic|business.development/i body __KAM_SEARCH3 /(first on|all of) the major search|not ranked 
number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on/i body __KAM_SEARCH4 /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry/i rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution/i meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4) score KAM_SEARCH 5.0 describe KAM_SEARCH Spammers hawking SEO #SEO header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service/i body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i body __KAM_SEO3 /never find your web site|major search engines|link.building|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website/i body __KAM_SEO4 /No upfront fees|SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking/i body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top/i body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion/i uri __KAM_SEO7 /./ # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE... 
meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + __KAM_FREEMAIL + KAM_ADVERT2 >= 5) score KAM_SEO 7.0 describe KAM_SEO Spammers hawking SEO #ABUSED FREEMAIL ACCOUNTS header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i meta __KAM_FREEMAIL (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1) #LINGERIE VIDEOS header __KAM_LINGERIE1 From =~ /lexi campbell/i header __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i header __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i body __KAM_LINGERIE4 /Exotic modelling videos/i meta KAM_LINGERIE (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4) score KAM_LINGERIE 10.0 describe KAM_LINGERIE Sexually Explicity Lingerie Spam #WEB DESIGN header __KAM_WEB1 Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i body __KAM_WEB3 /Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3) score KAM_WEB 4.0 describe KAM_WEB Web design spams #DOMAIN NAME AND OTHER RELATED SPAMS body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i body __KAM_DOMAIN3 /(?:have|own) a domain (that is 
)?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i header __KAM_DOMAIN4 From =~ /domain|submit.site/i header __KAM_DOMAIN5 Subject =~ /\.com$/i meta KAM_DOMAIN (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3) score KAM_DOMAIN 8.5 describe KAM_DOMAIN Domain Selling Spams #MEDICAL TOURISM SPAM body __KAM_MEDTOUR1 /medical.tourism/i body __KAM_MEDTOUR2 /lowest cost in India/i header __KAM_MEDTOUR3 Subject =~ /Medical.Tourism/i meta KAM_MEDTOUR (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3) score KAM_MEDTOUR 3.0 describe KAM_MEDTOUR Medical Tourism Spam #ACNE SPAM header __KAM_ACNE1 Subject =~ /Proactiv/i header __KAM_ACNE2 From =~ /Acne/i body __KAM_ACNE3 /proactiv/i body __KAM_ACNE4 /Online Gift Rewards/i meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4) score KAM_ACNE 5.0 describe KAM_ACNE Spammers hawking Acne products #SOFTWARE SPAM header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i header __KAM_SOFTWARE2 From =~ /registry/i body __KAM_SOFTWARE3 /Fix file errors/i body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4) score KAM_SOFTWARE 5.0 describe KAM_SOFTWARE Spammers hawking Software products #NIGERIAN SCAM SCAN header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director|former.minister|gold.dealer/i body __KAM_NIGERIAN2_3 /high court|central bank|payment center|customs?.officer/i body __KAM_NIGERIAN2_4 /e-?mail id is found among those that 
have been scammed|paid the fee for your cheque draft|contact the bank director/i body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft|oil.and.gas/i body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i body __KAM_NIGERIAN2_7 /bank|smuggle/i body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6) score KAM_NIGERIAN2 5.0 describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam. #MEDICAL body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i body __KAM_MEDICAL2 /Safe - Natural - Effective/i header __KAM_MEDICAL3 From =~ /Medical/i header __KAM_MEDICAL4 Subject =~ /Medical Billing/i meta KAM_MEDICAL (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3) score KAM_MEDICAL 4.0 describe KAM_MEDICAL Misc medical spam #EAR RINGING body __KAM_TINNI1 /TinniFix/i body __KAM_TINNI2 /Stop the ringing in your ears/i header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5) score KAM_TINNI 5.0 describe KAM_TINNI Another Medical Scam #GIVEAWAY body __KAM_GIVE1 /receive your gift/i body __KAM_GIVE2 /laptop giveaway|deliver your dell.? 
laptop/i body __KAM_GIVE3 /answering a short survey/i body __KAM_GIVE4 /verify your shipping address/i meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4) score KAM_GIVE 4.0 describe KAM_GIVE Free stuff "giveaway" scam #GOVERNMENT MONEY header __KAM_GOVT1 Subject =~ /Government Funding/i body __KAM_GOVT2 /government funding/i body __KAM_GOVT3 /complimentary information kit/i body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4) score KAM_GOVT 4.0 describe KAM_GOVT Your tax dollars at work scam... #RBL TRUST RULES meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2) score KAM_RBL 2.0 describe KAM_RBL Higher scores for hitting multiple trusted RBLs #KAM CNN header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i meta KAM_CNN (__KAM_CNN1 == 1) score KAM_CNN 2.0 describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams #SNUGGIE BLANKETS / SHAM WOW header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i header __KAM_SHAM2 From =~ /Sham ?Wow/i body __KAM_SHAM3 /ShamWow/i body __KAM_SHAM4 /20(X| times) its weight/i meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3) score KAM_SHAM 2.0 describe KAM_SHAM More product scams... #SANTA LETTERS header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i body __KAM_SANTA3 /the .?perfect.? gift|personalized letter/i meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3) score KAM_SANTA 3.5 describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam... 
#WORK FOR / LEARN GOOGLE header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i header __KAM_GOOGLE5 From =~ /Google Money/i meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3) score KAM_GOOGLE 3.5 describe KAM_GOOGLE Google Pyramid Scams #SECURITY / ALARM header __KAM_ALARM1 Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i body __KAM_ALARM2 /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i rawbody __KAM_ALARM3 /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i header __KAM_ALARM4 From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3) score KAM_ALARM 4.5 describe KAM_ALARM Security and Alarm Company Spams rawbody __KAM_ALARM5 
/gaylord/i meta KAM_ALARM2 (KAM_ALARM && __KAM_ALARM5) score KAM_ALARM2 2.5 describe KAM_ALARM2 High Probability of Security and Alarm Company Spams #SELL CARDS header __KAM_SELL1 Subject =~ /Market Credit Cards/i body __KAM_SELL2 /Easy Money/i body __KAM_SELL3 /Selling Credit Cards/i meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3) score KAM_SELL 3.5 describe KAM_SELL Selling Cards Marketing Scams #WHITEN TEETH header __KAM_WHITEN1 Subject =~ /whiten your teeth/i body __KAM_WHITEN2 /whitener/i body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3) score KAM_WHITEN 3.5 describe KAM_WHITEN Teeth Whitening Scams #URONLINE body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3) score KAM_URONLINE 4.5 
describe KAM_URONLINE Chat Scams

#TIMESHARE
body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
header __KAM_TIMESHARE3 Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
header __KAM_TIMESHARE4 From =~ /Resort.*sales|timeshare/i
meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
score KAM_TIMESHARE 4.0
describe KAM_TIMESHARE Timeshare Scams

#AQUA GLOBE
body __KAM_AQUA1 /Aqua Globe/is
body __KAM_AQUA2 /watering your plants/is
body __KAM_AQUA3 /while on vacation/is
header __KAM_AQUA4 Subject =~ /Waters your Plants/i
meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score KAM_AQUA 3.0
describe KAM_AQUA Spams of yet another product du jour

#GEVALIA
body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
body __KAM_GEVALIA3 /No Further Obligation/is
header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score KAM_GEVALIA 3.0
describe KAM_GEVALIA Spams of yet another product du jour

#SIMPLYINK
body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i
meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
score KAM_INK 4.0
describe KAM_INK Spams of yet another product du jour

meta KAM_INK2 (KAM_INK + KAM_INFOUSMEBIZ >= 2)
score KAM_INK2 3.0
describe KAM_INK2 Spams for Ink refills

#TITAN PEELER
body __KAM_PEEL1 /Titan Peeler/is
header __KAM_PEEL2 From =~ /Titan Peeler/i
header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score KAM_PEEL 3.0
describe KAM_PEEL Spams of yet another product du jour

#HTML EMAIL REQUIRING IMAGES?
rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is

#RATWARE
header __KAM_RAT1_1 From =~ /\@fromname\@/i
header __KAM_RAT1_2 Subject =~ /(\[FName\]|\%\{AUTOVALS)/i
meta KAM_RAT1 (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
score KAM_RAT1 5.0
describe KAM_RAT1 Variable Replacements Indicative of RatWare/Mass Mailing

body __KAM_RAT2_1 /job description/i
body __KAM_RAT2_2 /dear shopper/i
header __KAM_RAT2_3 From =~ /mystery/i
meta KAM_RAT2 (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
score KAM_RAT2 5.0
describe KAM_RAT2 Another ratware mistake, uninterpolated text

#TITAN EGGER
body __KAM_EGG1 /Egg Genie/is
header __KAM_EGG2 From =~ /Egg Genie/i
header __KAM_EGG3 Subject =~ /medium eggs/i
meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score KAM_EGG 3.0
describe KAM_EGG Spams of yet another product du jour

#USBDRIVES
body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
body __KAM_USB2 /person (that|who) handles the promotions/i
body __KAM_USB3 /usbsmg.com/i
meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score KAM_USB 4.0
describe KAM_USB USB Promotion Spammer

#GOVT GRANT
body __KAM_GRANT1 /government grant/i
body __KAM_GRANT2 /find out if you qualify/i
body __KAM_GRANT3 /discontinue from this promotion/i
meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score KAM_GRANT 5.0
describe KAM_GRANT Government Grant Scams

#SEX SCAMS
#MEDICINE REFERENCES
body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
#BED REFERENCES
body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
#SUBJECT REFERENCES
header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
#SEXUAL REFERENCES
body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality|sex with new boys/is
meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score KAM_SEX04 10.0
describe KAM_SEX04 Sexually Explicit SPAM

meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score KAM_SEX04_2 2.0
describe KAM_SEX04_2 Likely Sexually Explicit SPAM

#Another Sexually Explicit Email
meta KAM_SEX07 (__KAM_SUBJECT_SINGLEWORD + __KAM_SEX04_4 >= 2)
score KAM_SEX07 5.0
describe KAM_SEX07 Sexually Explicit SPAM

#SEX SCAMS ROUND 5
header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score KAM_SEX05 5.0
describe KAM_SEX05 Sexually Explicit SPAM

#FOOTBALL CLUB SPAMS
header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
header __KAM_FOOTBALL2 From =~ /Football/i
body __KAM_FOOTBALL3 /Mercato/i
body __KAM_FOOTBALL4 /Football/i
meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score KAM_FOOTBALL 4.0
describe KAM_FOOTBALL Spammy Football Club

#DISH NETWORK SPAMS AND OTHER TV SPAM
header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
rawbody __KAM_DISH3 /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i
meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score KAM_DISH 4.0
describe KAM_DISH Dish Network Spams

meta KAM_DISH2 (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
score KAM_DISH2 4.0
describe KAM_DISH2 Dish Network Spams

#IDENTITY NETWORK
header __KAM_IDENTNET1 From =~ /\@identitynetwork.net/i
body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score KAM_IDENTNET 8.0
describe KAM_IDENTNET Identity Network Spams

#HONEYPOT HITS
#body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
#header __KAM_HONEY2 From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i
#meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
#score KAM_HONEY 12.0
#describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means

#MEDIA DUCHESS
header __KAM_DUCHESS1 Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
header __KAM_DUCHESS2 From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody __KAM_DUCHESS4 /duchess/i
rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body __KAM_DUCHESS6 /For account number:/i
meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score KAM_DUCHESS 5.0
describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images

#UPS
header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
body __KAM_UPS3 /invoice copy attached/i
meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score KAM_UPS 6.0
describe KAM_UPS UPS doesn't send invoices with delivery problem notes

#Free Calls
header __KAM_SKYPE1 Subject =~ /Free Calls/i
header __KAM_SKYPE2 Received =~ /releasesourcek.com/i
header __KAM_SKYPE3 From =~ /VOIP News/i
body __KAM_SKYPE4 /Promo Code: \d/i
meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score KAM_SKYPE 5.0
describe KAM_SKYPE Skype/Voip scams likely to spread malware

#OWA/EMAIL PHISH
rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i
score KAM_OWAPHISH1 6.0
describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing

#MORE DRUG SPAM - 2009-05-03
header __KAM_DRUG2_1 Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i
header __KAM_DRUG2_2 Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i
body __KAM_DRUG2_3 /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i
body __KAM_DRUG2_4 /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i
body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
header __KAM_DRUG2_8 From =~ /aquaflexin/i
meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
score KAM_DRUG2 3.5
describe KAM_DRUG2 More online Drug Scams

meta KAM_DRUG2_2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
score KAM_DRUG2_2 3.0
describe KAM_DRUG2_2 Higher Certainty of Drug Scam

meta KAM_SEXSUBJECT __KAM_DRUG2_1
score KAM_SEXSUBJECT 2.0
describe KAM_SEXSUBJECT Sexually Explicit Subject

#RUSSIAN WIFE/BRIDE SCAMS
header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian) ?(single|women|bride|lad(y|ies)|babe)/i
body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian) (women|beauties)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl/i
header __KAM_WIFE3 From =~ /Russian.?Dat|russian.?bride|Russian.?single|russian.?women|asian.?beauties/i
meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score KAM_WIFE 8.0
describe KAM_WIFE Mail order bride scams

#PRODUCT SCAMS
header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
body __KAM_PRODUCT2 /phones for discerning individuals/i
meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
score KAM_PRODUCT 3.0
describe KAM_PRODUCT Product scams often used with MSN/Live URIs

#SPACES / LIVE / MSN / ETC. SCAMS
meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score KAM_LIVEURI2 3.0
describe KAM_LIVEURI2 More online Scams + Known URI

#WEBS.COM
uri KAM_WEBS /.{3,25}\.webs.com/i
score KAM_WEBS 0.5
describe KAM_WEBS webs.com links used in Spams

#IMAGESHACK SWF Files
uri KAM_BADSWF /imageshack.us\/.{3,25}.swf$/i
score KAM_BADSWF 3.0
describe KAM_BADSWF SWF embedded links in Email Scams

#EXE LINK
uri KAM_EXEURI /.exe$/i
score KAM_EXEURI 0.5
describe KAM_EXEURI EXE embedded link

#SETTINGS FILE PHISH
header __KAM_SETTING1 Subject =~ /settings file|maintenance!!/i
body __KAM_SETTING2 /security upgrade|Maintenance Process on our email system /i
body __KAM_SETTING3 /settings?.zip/i
meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
score KAM_SETTING 2.5
describe KAM_SETTING Phishing scams w/Setting Files or Webmail

#Fixed small misspelling thanks to Jameel Akari
meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score KAM_SETTING2 4.0
describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link

#FARM SPAM
header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
header __KAM_FARM2 From =~ /blueberr|tomato|DIY|garden/i
body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score KAM_FARM 4.0
describe KAM_FARM Farming related Spams

#MX URI - Score lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
score KAM_MXURI 1.5
describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]
#FLASH PLAYER
body __KAM_FLASH1 /Flash Player Code: \d\d/i
body __KAM_FLASH2 /Flash Player Update/i
header __KAM_FLASH3 Subject =~ /Flash Player/i
header __KAM_FLASH4 Subject =~ /activation code/i
header __KAM_FLASH5 From =~ /Flash Player/i
meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score KAM_FLASH 4.0
describe KAM_FLASH Fake Flash Player Phishing Scam

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #FAKE ADWORDS
  body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
  header __KAM_ADWORD2 From =~ /adwords.com|salesdirect.com/i
  header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
  body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
  meta KAM_ADWORD (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
  score KAM_ADWORD 10.0
  describe KAM_ADWORD Fake Adword Campaign notices
endif

#DON NOB & WORK FROM HOME SCAMS
header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score KAM_DON 6.0
describe KAM_DON Work at Home Scams

meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score KAM_DON2 4.0
describe KAM_DON2 Egregious Work at Home Scams

#GINA SCAMS
header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
header __KAM_GINA2 Subject =~ /GINA deadline/i
body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
score KAM_GINA 6.0
describe KAM_GINA Employment Poster Marketing Spams

#TAX SCAMS
header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i
meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score KAM_TAX 2.5
describe KAM_TAX Tax Filing Scams

meta KAM_TAX2 (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
score KAM_TAX2 2.5
describe KAM_TAX2 Higher Probability of Tax Filing Scams

#SEX SCAM
body __KAM_SEX06_1 /more fire and passion/i
meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score KAM_SEX06 5.0
describe KAM_SEX06 Sexual Stimulant Spam

#DOG BARK AND OTHER DOG SPAM
body __KAM_BARK1 /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
header __KAM_BARK2 Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
header __KAM_BARK3 From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i
meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score KAM_BARK 3.5
describe KAM_BARK Dog Product Scam

#CASINO SPAM
body __KAM_CASINO1 /Elite World Casino/i
body __KAM_CASINO2 /Online Casino/i
header __KAM_CASINO3 Subject =~ /chances to win/i
meta KAM_CASINO (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
score KAM_CASINO 3.5
describe KAM_CASINO Online Casino Spam

#TWITTER PHISHING
header __KAM_TWIT1 From =~ /twitter/i
header __KAM_TWIT2 Subject =~ /twitter \d{3}-\d{2}/i
meta KAM_TWIT (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
score KAM_TWIT 10
describe KAM_TWIT Twitter bogus phishing emails

#FACEBOOK PHISHING
header __KAM_FACE1 From =~ /password/i
header __KAM_FACE2 Subject =~ /reset your facebook/i
header __KAM_FACE3 X-Mailer =~ /Zuckmail/i
meta KAM_FACE (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
score KAM_FACE 10
describe KAM_FACE Facebook bogus phishing emails

header __KAM_PHISH3_1 Subject =~ /account notification/i
body __KAM_PHISH3_2 /accessed by someone else./
meta KAM_PHISH3 (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
score KAM_PHISH3 4
describe KAM_PHISH3 Phishing emails for account notification

#GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
body __KAM_CLICK /Please click on the link below|Copy and paste this link into your internet browser/i

#DIRECT BUY
header __KAM_DIRECT1 From =~ /Direct ?Buy|Wholesale/i
header __KAM_DIRECT2 Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
body __KAM_DIRECT3 /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
body __KAM_DIRECT4 /Direct.?Buy/i
meta KAM_DIRECT (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
score KAM_DIRECT 3.0
describe KAM_DIRECT DirectBuy Spam

#SWIPE BIDS
header __KAM_SWIPE1 From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
header __KAM_SWIPE2 Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
body __KAM_SWIPE3 /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
body __KAM_SWIPE4 /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i
meta KAM_SWIPE (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
score KAM_SWIPE 2.0
describe KAM_SWIPE SwipeBid Spam / Penny Auction Spams

meta KAM_SWIPE2 (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
score KAM_SWIPE2 0.5
describe KAM_SWIPE2 SwipeBid Spam / Penny Auction Spams

#WE THE SPAMMERS
header __KAM_WTA1 From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
body __KAM_WTA2 /Alliance for Retirement Prosperity Association|Social Security Institute/is
meta KAM_WTA (__KAM_WTA1 + __KAM_WTA2 >= 2)
score KAM_WTA 9.0
describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains

#SMOKELESS
body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
header __KAM_SMOKE2 Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
header __KAM_SMOKE3 From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
body __KAM_SMOKE5 /you have qualified/i
meta KAM_SMOKE (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
score KAM_SMOKE 4.5
describe KAM_SMOKE Smokeless cigarette and quitting spam

meta KAM_SMOKE2 (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
score KAM_SMOKE2 3.0
describe KAM_SMOKE2 Higher probability of spam

#OBF URL
body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M/i
meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
score KAM_OBFURL 5.0
describe KAM_OBFURL Obfuscated URL

#SHARP FOR LIFE
body __KAM_SHARP1 /sharp for life/i
body __KAM_SHARP2 /yoshiblade/i
body __KAM_SHARP3 /zirconium oxide/i
body __KAM_SHARP4 /ceramic knife/i
header __KAM_SHARP5 Subject =~ /ceramic knief|yoshiblade|sharp for life/i
header __KAM_SHARP6 From =~ /yoshi/i
meta KAM_SHARP (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
score KAM_SHARP 4.5
describe KAM_SHARP Ceramic Blade Spam

#HIP REPLACEMENT
body __KAM_HIP1 /hip replacement|medical alert/i
body __KAM_HIP2 /implant recall|recall list/i
header __KAM_HIP3 Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
header __KAM_HIP4 From =~ /recall/i
meta KAM_HIP (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
score KAM_HIP 4.5
describe KAM_HIP Hip Replacement Recall Spam

#WORK AT HOME
body __KAM_WORKHOME1 /online jobs|Full-time (and|&) Part-time|at home employment/i
body __KAM_WORKHOME2 /\#1 site|view here|information here/i
header __KAM_WORKHOME3 Subject =~ /work at home|work \@ home|home positions/i
meta KAM_WORKHOME (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
score KAM_WORKHOME 4.5
describe KAM_WORKHOME Work at Home Spam

meta KAM_WORKHOME2 (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
score KAM_WORKHOME2 4.5
describe KAM_WORKHOME2 Work at Home Spam

#HSR UPDATES
body __KAM_HSR1 /hsrupdates.com|progressiverailroading.com/i
header __KAM_HSR2 Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i header __KAM_HSR3 From =~ /HSRUpdates.com|progressive ?railroading/i meta KAM_HSR (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3) score KAM_HSR 4.5 describe KAM_HSR High Speed Rail Spam #SELLPHONE body __KAM_SELLPHONE1 /Turn iphones into cash/i body __KAM_SELLPHONE2 /used or broken|pre-paid envelope/i header __KAM_SELLPHONE3 Subject =~ /sell your old iphone/i meta KAM_SELLPHONE (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3) score KAM_SELLPHONE 4.5 describe KAM_SELLPHONE Used Equipment Spam #STORAGE LIMIT body __KAM_MAILBOX1 /mailbox has exceeded the storage limit|storage.quota/i body __KAM_MAILBOX2 /re-validate your (mailbox|email)/i meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 >=2) score KAM_MAILBOX 4.0 describe KAM_MAILBOX Mailbox Quota Phishing Scams meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1) score KAM_SHORT 0.001 describe KAM_SHORT Use of a URL Shortener for very short URL #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis uri __KAM_SHORT /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it)\/[^\/]{3}\/?/ # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i #POWER CHAIRS body __KAM_POWER1 /hoveround/i header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i header __KAM_POWER3 From =~ /Get your freedom|power Chairs/i meta KAM_POWER (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 
3) score KAM_POWER 3.0 describe KAM_POWER Motorized Chair Spams #GUN ALERTS body __KAM_GUN1 /Keep and Bear Arms/i header __KAM_GUN2 From =~ /gunalerts.com/i header __KAM_GUN3 Subject =~ /gun/i meta KAM_GUN (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3) score KAM_GUN 2.0 describe KAM_GUN Gun Alert Spams #GET RICH QUICK SCHEME body __KAM_RICH1 /financial.success story/i body __KAM_RICH2 /see me on the channel \d news/i body __KAM_RICH3 /talking about my blog/i body __KAM_RICH4 /bec.me financially independent/i meta KAM_RICH (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4) score KAM_RICH 3.5 describe KAM_RICH Get Rich Quick Schemes #INVALID FROM HEADER header __KAM_INVFROM1 From =~ /<[^>]*$/ header __KAM_INVFROM2 From =~ /^[^<]*>/ meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1) score KAM_INVFROM 2.0 describe KAM_INVFROM Invalid From Header containing mismatched <>'s #YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville header __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/ ifplugin Mail::SpamAssassin::Plugin::DKIM meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID else meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD endif describe KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! 
Group Mail score KAM_UAH_YAHOOGROUP_SENDER -20.0 #GALLERY header __KAM_GALLERY1 Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i body __KAM_GALLERY2 /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i header __KAM_GALLERY3 Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i body __KAM_GALLERY4 /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i rawbody __KAM_GALLERY5 /wp-content|_vti_cnf|cache|wp-admin|wordpress/i meta KAM_GALLERY (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4) describe KAM_GALLERY Exploited Gallery with Porn score KAM_GALLERY 5.0 meta KAM_GALLERY2 (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5) describe KAM_GALLERY2 Higher Likelihood of 
Exploited Gallery with Porn score KAM_GALLERY2 2.0 #CHANGELOG header __KAM_CHANGELOG1 Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i body __KAM_CHANGELOG2 /as promised chnglog update/i meta KAM_CHANGELOG (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2) describe KAM_CHANGELOG Phishing Email score KAM_CHANGELOG 2.5 #NIGERIAN VARIANT body __KAM_BUS1 /business proposal/i body __KAM_BUS2 /sensitive by nature/i body __KAM_BUS3 /have not met/i body __KAM_BUS4 /view my attach/i meta KAM_BUS (__KAM_BUS1 + __KAM_BUS2 + __KAM_BUS3 + __KAM_BUS4 >= 4) describe KAM_BUS Yet another Nigerian Scam/Phishing Variant score KAM_BUS 4.0 #PRIVATE MESSAGE body __KAM_PRIV1 /private message|horny|sweet ass/i body __KAM_PRIV2 /(personal|private) video/i body __KAM_PRIV3 /the attache?ment|attached file/i meta KAM_PRIV (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH) describe KAM_PRIV Private Messages using Exploits in attached HTML files score KAM_PRIV 5.0 #DIV rawbody __KAM_DIV1 /(Viagr?|Cial?)
r?a\|l?is/i

meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
describe KAM_DIV Use of divs to hide Medical Spams
score KAM_DIV 2.0

#CREDIT SCORE
header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i

#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
#Useful Resources for Tags
#https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
#https://www.branah.com/unicode-converter
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  replace_tag A (?:[\xd0][\xb0]|a)
  replace_tag C (?:[\xd0][\xa1]|c|[\xd1][\x81])
  replace_tag E (?:[\xd0][\xb5]|e)
  replace_tag I (?:[\xd1][\x96]|i)
  replace_tag M (?:[\xca][\x8d]|m)
  replace_tag O (?:[\xd0][\xbe]|o)
  replace_tag P (?:[\xd1][\x80]|p|[\xc7][\xb7])
  replace_tag S (?:[\xd0][\x85]|s)

  header __KAM_CREDIT6 Subject =~ /omplmentary (redt|EXPERIAN|Transunion|Equifax)/i
  header __KAM_CREDIT7 From =~ /core.?ense/i

  replace_rules __KAM_CREDIT6 __KAM_CREDIT7
endif

meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe KAM_CREDIT Credit Score Spams
score KAM_CREDIT 4.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
  describe KAM_CREDIT2 Credit Score Spams
  score KAM_CREDIT2 4.5
endif

#OBFUSCATED URI
rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe KAM_OBFURI Obfuscated URI trick
score KAM_OBFURI 4.0

#ADVANCE
header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
body __KAM_ADVANCE2 /Advance Details/i
body __KAM_ADVANCE3 /Pre-Approved/i
header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i

meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe KAM_ADVANCE Advance Spams
score KAM_ADVANCE 3.5

#PAYPAL NON SPF - FP fixed by Piper Andreas
header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i

meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
describe KAM_PAYPAL1 rampant paypal phishing scams
score KAM_PAYPAL1 16.0

#PAYPAL IMPERSONATING MALWARE
body __KAM_PAYPAL2A /paypal/i
body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i

meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR >= 3)
describe KAM_PAYPAL2 Malware disguised as a paypal email
score KAM_PAYPAL2 8.0

#PAYPAL PHISH
header __KAM_PAYPAL3A From =~ /paypal/i
header __KAM_PAYPAL3B From !~ /paypal.com(\.au)?>?$/i
header __KAM_PAYPAL3C Subject =~ /your.paypal.account/i
body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information/i

meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_PAYPAL3 8.0
describe KAM_PAYPAL3 Phish disguised as a paypal email

#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i

meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe KAM_COMPROMISED Compromised Accounts Sending Spam
score KAM_COMPROMISED 8.25

#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISION - THANKS TO DAVID FUNK
header __KAM_LIST2A List-ID =~ /^?$/i
header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i

meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
describe KAM_LIST2 Known Bad Groups
score KAM_LIST2 60.0

#LIMITED ACCESS/QUOTA SCAMS - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i

meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe KAM_QUOTA Limited Access / Quota Phishing Scam
score KAM_QUOTA 3.0

# BACKGROUND CHECK SPAM
body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header __KAM_BACK4 Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i

describe KAM_BACK Background Check SPAM
meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
score KAM_BACK 5.5

#ARREST RECORD SCAMS
header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i

meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe KAM_ARREST Arrest Record Scams
score KAM_ARREST 5.0

#MORE DIET SCAMS
header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i

meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe KAM_DIET2 Diet Scams
score KAM_DIET2 5.0

#CIGAR SCAMS
header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header __KAM_CIGAR2 From =~ /Cigar/i
body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i

meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe KAM_CIGAR Cigar Scam Emails
score KAM_CIGAR 6.0

#TK DOMAINS
rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
describe KAM_TK Abuse of .tk domain registrar which offers free domains
score KAM_TK 5.0

#THIRD PARTY / SENT BY XXXX
body __KAM_THIRD /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i

#LASIK
header __KAM_LASIK1 From =~ /Lasik/i
header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri __KAM_LASIK4 /lasik\.php/i

meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe KAM_LASIK Lasik Treatment Spams
score KAM_LASIK 4.5

#FAKE NOTIFIES
header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header __KAM_NOTIFY3 From =~ /\.br>/i

meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe KAM_NOTIFY Fake Notifications
score KAM_NOTIFY 4.0

meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe KAM_NOTIFY2 Higher likelihood of fake notification
score KAM_NOTIFY2 3.0

#LANGUAGE
header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i

meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_LANG Language Method Spams
score KAM_LANG 4.5

#FAKE TRACK
header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i

meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe KAM_TRACK Fake Tracking Emails
score KAM_TRACK 3.0

#BACK TO SCHOOL
header __KAM_SCHOOL1 From =~ /Classes/i
header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i

meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SCHOOL School Spams
score KAM_SCHOOL 5.0

#MEMBERS
header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body __KAM_MEMBER3 /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
#header __KAM_MEMBER6 From =~ /Updat/i

meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe KAM_MEMBER Dating Scams
score KAM_MEMBER 4.5
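# Added example (not part of KAM.cf): a Python model of how the replace_tag
# definitions in the CREDIT SCORE section above expand <X> tags into homoglyph
# alternations, and which code points each tag covers. The tagged pattern and the
# sample subjects are constructed, and the Subject is assumed to reach the rule as raw UTF-8 bytes.

```python
import re
import unicodedata

# replace_tag bodies copied from the ReplaceTags block on this page.
# Each alternative is an ASCII letter or the UTF-8 bytes of a look-alike character.
REPLACE_TAGS = {
    "A": r"(?:[\xd0][\xb0]|a)",
    "C": r"(?:[\xd0][\xa1]|c|[\xd1][\x81])",
    "E": r"(?:[\xd0][\xb5]|e)",
    "I": r"(?:[\xd1][\x96]|i)",
    "M": r"(?:[\xca][\x8d]|m)",
    "O": r"(?:[\xd0][\xbe]|o)",
    "P": r"(?:[\xd1][\x80]|p|[\xc7][\xb7])",
    "S": r"(?:[\xd0][\x85]|s)",
}

TAG_REF = re.compile(r"<([A-Z])>")            # default ReplaceTags delimiters are < and >
HEX_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def expand_tags(pattern: str) -> str:
    """Substitute every <X> in a rule pattern with its replace_tag body."""
    # An undefined tag raises KeyError here; that is a choice of this sketch.
    return TAG_REF.sub(lambda m: REPLACE_TAGS[m.group(1)], pattern)


def rule_hits(pattern: str, subject: bytes) -> bool:
    """Expand the tags, compile as a bytes regex with /i, and test one subject."""
    compiled = re.compile(expand_tags(pattern).encode("ascii"), re.IGNORECASE)
    return compiled.search(subject) is not None


def tag_alternatives(tag: str):
    """Decode each alternative of a tag into (character, code point, Unicode name)."""
    body = REPLACE_TAGS[tag][3:-1]            # strip the "(?:" and ")" wrapper
    decoded = []
    for alt in body.split("|"):
        hex_bytes = HEX_BYTE.findall(alt)
        char = bytes(int(h, 16) for h in hex_bytes).decode("utf-8") if hex_bytes else alt
        decoded.append((char, f"U+{ord(char):04X}", unicodedata.name(char)))
    return decoded


# Constructed rule patterns (hypothetical, not the page's own rules).
TAGGED_PATTERN = "<C>ompl<I>mentary <S><C><O>re"
PLAIN_PATTERN = "complimentary score"

# Constructed subjects: one with Cyrillic look-alikes, one plain ASCII.
SUBJECT_HOMOGLYPH = "\u0421ompl\u0456mentary \u0405\u0441\u043ere".encode("utf-8")
SUBJECT_ASCII = b"Complimentary Score"

if __name__ == "__main__":
    print("expanded:", expand_tags(TAGGED_PATTERN))
    print("plain rule vs homoglyph subject :", rule_hits(PLAIN_PATTERN, SUBJECT_HOMOGLYPH))
    print("tagged rule vs homoglyph subject:", rule_hits(TAGGED_PATTERN, SUBJECT_HOMOGLYPH))
    print("tagged rule vs ASCII subject    :", rule_hits(TAGGED_PATTERN, SUBJECT_ASCII))
    for tag in sorted(REPLACE_TAGS):
        for char, codepoint, name in tag_alternatives(tag):
            print(f"{tag}: {codepoint} {name}")
```
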
#MEDICARE
header __KAM_MEDICARE1 From =~ /Medicare|health.?options|enrollment/i
header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
body __KAM_MEDICARE3 /medicare.(plan|recipient)/i
body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium/i

meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe KAM_MEDICARE Medicare Scams
score KAM_MEDICARE 4.0

#BILLS
header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i

meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_BILLS Bill Pay Spams
score KAM_BILLS 4.0

#HOSE
header __KAM_HOSE1 From =~ /Pocket Hose/i
header __KAM_HOSE2 Subject =~ /garden hose|kinks/i
body __KAM_HOSE3 /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i

meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_HOSE Garden Hose Spams
score KAM_HOSE 4.5

#AV
header __KAM_AV1 From =~ /Norton/i
header __KAM_AV2 Subject =~ /Update now|Are you protected/i

meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_AV Anti-Virus Spams
score KAM_AV 4.0

#MASCARA
header __KAM_MASCARA1 From =~ /smartlash/i
header __KAM_MASCARA2 Subject =~ /mascara/i
body __KAM_MASCARA3 /smartlash/i

meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_MASCARA Make-up Spams
score KAM_MASCARA 4.5

#COLLEGE
header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
  describe KAM_COLLEGE Online Degree/Aid Spams
  score KAM_COLLEGE 4.0
endif

#SURVEY
header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
header __KAM_SURVEY2 Subject =~ /win an ipad/i
body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i

meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SURVEY Online Survey Spams
score KAM_SURVEY 4.5

#LAKE
#REMOVED 1/7/2014
#rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe KAM_LAKE Odd spamming engine LAKE signature on URLs
#score KAM_LAKE 0.25

#SNORE
header __KAM_SNORE1 From =~ /snoring|zquiet/i
header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i

meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SNORE Snoring Aid Spams
score KAM_SNORE 4.0

#VACATION
header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i

meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VACATION Vacation Spams
score KAM_VACATION 4.0

#BLOOD PRESSURE
header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
body __KAM_BLOOD5 /Anti-Aging Expert|worst.food/i
body __KAM_BLOOD6 /Blood pressure/i

meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
describe KAM_BLOOD Blood Pressure Spams
score KAM_BLOOD 4.75

#SCOOTER
header __KAM_SCOOTER1 From =~ /Scooter Store/i
header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
body __KAM_SCOOTER3 /the scooter store/i

meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe KAM_SCOOTER Blood Pressure Spams
score KAM_SCOOTER 4.75

#ANATABLOC
header __KAM_ANATA1 From =~ /Anatabloc/i
header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i

meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe KAM_ANATA Drug Spam
score KAM_ANATA 4.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #BBB Phish
  header __KAM_BBB1 From =~ /bbb.org/i
  body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
  body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
  body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
  header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i

  meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
  describe KAM_BBB Better Business Bureau Phishing
  score KAM_BBB 5.0
endif

#PREV MARK
header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
header __KAM_MARK2 Subject =~ /[\[\<]SPAM[\>\]]/i
header __KAM_MARK3 Subject =~ /[\[\<]VIRUS[\>\]]/i

meta KAM_MARKADV (__KAM_MARK1 >= 1)
describe KAM_MARKADV Email arrived marked as an Advertisement
score KAM_MARKADV 10.0

meta KAM_MARKSPAM (__KAM_MARK2 >= 1)
describe KAM_MARKSPAM Email arrived marked as Spam
score KAM_MARKSPAM 4.0

meta KAM_MARKVIRI (__KAM_MARK3 >= 1)
describe KAM_MARKVIRI Email arrived marked as Virus
score KAM_MARKVIRI 10.0

#H1QNUM ENGINE
rawbody __KAM_H1QNUM1 /

(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri __KAM_H1QNUM3 /\.co\.uk/i

meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
describe KAM_H1QNUM H1 Qnum indicator
score KAM_H1QNUM 4.0

meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
score KAM_H1QNUM2 5.0

#AP
header __KAM_AP1 From =~ /AP/
header __KAM_AP2 Subject =~ /Community & educational development/i
body __KAM_AP3 /American Grants and Loans Catalog/i

meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe KAM_AP American Publishing Spam
score KAM_AP 4.5

#CO.UK
header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
score KAM_COUK 0.85

#FAKE FACEBOOKMAIL
#REAL FB DOMAIN
header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
#SPECIFIC PEOPLE
header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i

meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
score KAM_FACEBOOKMAIL 8.0

#FAKE DHL/FEDEX/ETC
body __KAM_FAKEDELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached/i
header __KAM_FAKEDELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel/i
#DHL
body __KAM_FAKEDELIVER3 /DHL/
header __KAM_FAKEDELIVER4 From !~ /dhl.com/i
#FEDEX
rawbody __KAM_FAKEDELIVER5 /Fed ?ex/i
header __KAM_FAKEDELIVER6 From !~ /fedex.com/i
#USPS
body __KAM_FAKEDELIVER7 /USPS/i
header __KAM_FAKEDELIVER8 From !~ /usps.com/i
#CARGO
body __KAM_FAKEDELIVER9 /CARGO/
header __KAM_FAKEDELIVER10 From =~ /shipping|economy|priority/i
#DPD
body __KAM_FAKEDELIVER11 /DPD/i
header __KAM_FAKEDELIVER12 From !~ /dpd.com|dpd.co.uk/i

meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR >= 1) >= 3)
describe KAM_FAKE_DELIVER Fake delivery notifications
score KAM_FAKE_DELIVER 5.0

meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
score KAM_REALLY_FAKE_DELIVER 2.5
describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications

#SOLAR POWER
header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
header __KAM_SOLAR2 Subject =~ /power bill|sells power|electrical bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies/i

meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe KAM_SOLAR Solar Power Spams
score KAM_SOLAR 1.9

meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe KAM_SOLAR2 Definite Solar Power Spams
score KAM_SOLAR2 1.9

#ASIAN BRIDE
header __KAM_ASIAN1 Subject =~ /Asian Bride/i
body __KAM_ASIAN2 /Adoring Asian/i
header __KAM_ASIAN3 From =~ /asian/i

meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe KAM_ASIAN Asian Bride Spams
score KAM_ASIAN 3.5

#DR OZ SPAM
header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i

#meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe KAM_OZ Fake Dr. Oz Spam's
#score KAM_OZ 3.5

#STUDENT LOAN
header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i

meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
describe KAM_STUDENT Student Loan Forgiveness Spams
score KAM_STUDENT 4.0

#TIP
header __KAM_TIP1 From =~ /Beauty Tips/i
header __KAM_TIP2 Subject =~ /Dark-Circles|undereye bags/i
body __KAM_TIP3 /undereye bags/i
body __KAM_TIP4 /Find Out This Quick New Trick/i

meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe KAM_TIP Beauty Tip Spams
score KAM_TIP 4.3

#WhatsApp
header __KAM_WHATS1 From =~ /WhatsApp/i
header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
body __KAM_WHATS3 /WhatsApp/

meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe KAM_WHATS WhatsApp Spams
score KAM_WHATS 3.0

#QTJars
header __KAM_QTJARS1 From =~ /qtjar/i
header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
body __KAM_QTJARS3 /qtjars/
body __KAM_QTJARS4 /private message/

meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe KAM_QTJARS QTJars Spams
score KAM_QTJARS 3.0

#GOOGLE DOCS PHISH
# view the agreement.
body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
rawbody __KAM_GOOGLEPHISH2 /http:\/\/.{5,50}\/http\/docs.google.com\/login\//i

meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe KAM_GOOGLEPHISH Google Login Phishing Scam
score KAM_GOOGLEPHISH 5.0

#POLITICAL SPAM
header __KAM_POLY1 Subject =~ /Barack Obama/i
body __KAM_POLY2 /The End of Barack Obama/i

meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
describe KAM_POLY Political Spams
score KAM_POLY 3.0

#MAID
header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
header __KAM_MAID2 From =~ /Maid|Housekeeper/i
body __KAM_MAID3 /Pre-Screened Housekeepers|local.maid/i

meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe KAM_MAID Maid Service Spams
score KAM_MAID 3.0

#TUB
header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i

meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe KAM_TUB Tub Spams
score KAM_TUB 4.0

#OBFUSCATE PORN
header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header __KAM_OBF8 Subject =~ /X.X.X/

meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 4.0

meta KAM_OBF (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 2.0

#SHARK TANK
header __KAM_SHARKTANK_SUBJ Subject =~ /shark tank/i
body __KAM_SHARKTANK_BODY /shark tank/i

meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
score KAM_SHARKTANK 1.0
describe KAM_SHARKTANK Mentions Shark Tank

body __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|IQ/is

meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
score KAM_SHARKPROD 5.0
describe KAM_SHARKPROD Shark Tank Spam

#ICU TLD PROBLEMS
header __KAM_ICUTLD_FROM From:addr =~ /\.icu$/i
uri __KAM_ICUTLD_URI /\.icu($|\/)/i

meta KAM_ICU_BAD_TLD (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI) >= 1
describe KAM_ICU_BAD_TLD .icu TLD Abuse
score KAM_ICU_BAD_TLD 2.0

#HAIR LOSS / GREYING / REMOVAL
header __KAM_HAIR1 Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i
rawbody __KAM_NEWSLETTER /Newsletter<\/title>/i

meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
describe KAM_HAIR Hair Loss / Removal Spams
score KAM_HAIR 4.5

#TRIAL
body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i

#UNSUB
body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i

meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe KAM_UNSUB Completely ridiculous unsubscribe text found
score KAM_UNSUB 5.0

#MAINTENANCE / Email Phish Scams
body __KAM_EMAILPHISH1 /Please login to complete update process/i

meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
describe KAM_EMAILPHISH Email Phishing Scams
score KAM_EMAILPHISH 3.5

#MASSMAILER ERRORS
header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i

meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
describe KAM_MASSERROR Error in usage of a mass mailing software
score KAM_MASSERROR 2.0

#CAR DEAL SPAMS
header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i

meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe KAM_CARDEAL Car Deal Spams
score KAM_CARDEAL 3.0

#Quick Sale Scams
header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
header __KAM_HOMESALE2 From =~ /Fastcash/i
body __KAM_HOMESALE3 /Cash Offer for Your Home/i

meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe KAM_HOMESALE Home Sale Spams
score KAM_HOMESALE 3.5

#ADVERTISEMENTS FOR LOANS
header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$\d+ down loan|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer/i
header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer/i
body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems/i
body __KAM_LOAN4 /development.project|just.been.approved|for.your.business|loan.solution/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
  mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif

meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + __KAM_LOAN4 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe KAM_LOAN Payday and other loan spams
score KAM_LOAN 4.5

#HANGOVER SPAM
header __KAM_HANGOVER1 Subject =~ /hangover patch/i
header __KAM_HANGOVER2 From =~ /hangover/i
body __KAM_HANGOVER3 /hangover patch/i

meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe KAM_HANGOVER Hangover Patch Spams
score KAM_HANGOVER 3.5

#RX PLAN SPAM
header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body __KAM_RXPLAN3 /gap coverage/i

meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe KAM_RXPLAN Rx Plan Spams
score KAM_RXPLAN 3.5

#SIDE SOCKET
header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header __KAM_SOCKET2 From =~ /side.?socket/i
body __KAM_SOCKET3 /side socket/i

meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe KAM_SOCKET Product Spam du Jour
score KAM_SOCKET 3.5

#TESTOSTERONE
header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i

meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe KAM_TESTOSTERONE Product Spam du Jour
score KAM_TESTOSTERONE 4.5

#FLEXHOSE
header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
header __KAM_FLEXHOSE2 From =~ /hose/i
body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i

meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
describe KAM_FLEXHOSE Product Spam du Jour
score KAM_FLEXHOSE 3.5

#PET
header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i

meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe KAM_PET Insurance and other pet-related spam
score KAM_PET 4.5

meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe KAM_PET2 Even more likely insurance and other pet-related spam
score KAM_PET2 3.5

#COBRA
header __KAM_COBRA1 Subject =~ /Cobra Health/i
header __KAM_COBRA2 From =~ /Cobra|Health/i
body __KAM_COBRA3 /find cobra health/i

meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe KAM_COBRA Cobra Insurance Spam
score KAM_COBRA 3.5

#Discount Air
header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header __KAM_DISCAIR2 From =~ /Discount Air/i
body __KAM_DISCAIR3 /Fly Cheap in Business Class/i

meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe KAM_DISCAIR Discount Airfare Spam
score KAM_DISCAIR 3.5

#PEST
header __KAM_PEST1 Subject =~ /pes?t control system/i
header __KAM_PEST2 From =~ /Riddex|pest/i
body __KAM_PEST3 /revolutionary pes?t control system/i

meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe KAM_PEST Spam for Pest Control
score KAM_PEST 3.5

#PROPHET
header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
header __KAM_PROPHET2 From =~ /christian.*prophe|twintongues/i
body __KAM_PROPHET3 /Dear Christian Friend/i
body __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
body __KAM_PROPHET5 /prophecy|rapture/i

meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
describe KAM_PROPHET Spam for Prophecy
score KAM_PROPHET 6.0

#HEART
header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i

meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
describe KAM_HEART Spam for Heart Attack prevention
score KAM_HEART 4.5

#JOINT
header __KAM_JOINT1 Subject =~ /joint relief/i
header __KAM_JOINT2 From =~ /Tfx/i
body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body __KAM_JOINT5 /free bottle/i

meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
describe KAM_JOINT Joint relief Spam
score KAM_JOINT 4.0

#REHAB
header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i

meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
describe KAM_REHAB Rehab Spam
score KAM_REHAB 3.0

#HAIRTRANS
header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i

meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe KAM_HAIRTRANS Spam for Hair Restoration
score KAM_HAIRTRANS 3.5

meta KAM_HAIRTRANS2
(__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3) describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration score KAM_HAIRTRANS2 2.0 #OUR GIFT body __KAM_GIFTCERT1 /Our gift to you/i body __KAM_GIFTCERT2 /\$\d+ gift certificate/i header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2) score KAM_GIFTCERT 1.5 describe KAM_GIFTCERT Gift Certificate Spams #TIRES header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i header __KAM_TIRES2 From =~ /Tire/i body __KAM_TIRES3 /savings on tire|new tires/i meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3) describe KAM_TIRES Spam for Tires score KAM_TIRES 3.0 #SLICEOMATIC header __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i header __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i body __KAM_SLICEOMATIC3 /Slice-o-matic/i meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3) describe KAM_SLICEOMATIC Spam for Kitchen Tools score KAM_SLICEOMATIC 3.0 #FINDYOURWINDOWS AND OTHER WINDOW SPAM header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3) describe KAM_WINDOWS Spam for House Windows score KAM_WINDOWS 4.5 #EMMAPP.WEB.COM - DUE TO SA SILLINESS 
WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM #POISON PILL uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1) describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com score KAM_EMMAPP_WEB_COM 20.0 #NEW CREDIT CARD header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3) describe KAM_NEW_CREDITCARD Spam for new credit cards score KAM_NEW_CREDITCARD 4.0 #WEIRD GERMAN SPAM header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3) describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam score KAM_GERMAN_BUSINESS_CONTACTS 3.0 #WEIRD SENIOR DATING SPAM header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1) describe KAM_SENIOR_DATING Senior dating spam score KAM_SENIOR_DATING 2.0 #NEWS! header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i body __KAM_NEWS2 /(?:Hello|hey|hi)!/i meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3) describe KAM_NEWS Forged Emails with NEWS! 
score KAM_NEWS 9.0

#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
  uri __KAM_COUNT_URIS /^./
  tflags __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
  meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
  meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif

#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i

#FAKE AT&T
#header __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score KAM_FAKE_ATT 3.0

#YOU HAVE BEEN CHOSEN
header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header __KAM_CHOSEN2 From =~ /marketing|invitation/i
body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score KAM_CHOSEN 2.0

#JURY DUTY AND OTHER FAKE COURT NOTICES
header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header __KAM_JURY3 From !~ /\.gov/i
body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score KAM_JURY 8.0

#BITCOIN
header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header __KAM_BITCOIN3 From =~ /bitcoin/i
meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score KAM_BITCOIN 4.5

#RELIGIOUS
header __KAM_RELIGION1 Subject =~ /Christian Media/i
header __KAM_RELIGION2 From =~ /Bible Prophecy/i
body __KAM_RELIGION3 /Dear Christian|Christian Media/i
meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score KAM_RELIGION 2.5

#BUSINESS PHONE
header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header __KAM_BUSINESSPHONE2 From =~ /business phone/i
body __KAM_BUSINESSPHONE3 /business phone system/i
meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score KAM_BUSINESSPHONE 5.5

#NUMEROLOGY
header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header __KAM_NUMEROLOGY2 From =~ /Numerology/i
body __KAM_NUMEROLOGY3 /Control your destiny/i
meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score KAM_NUMEROLOGY 3.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #VOICEMAIL SPAM
  header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
  header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
  body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
  meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
  describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
  score KAM_VOICEMAIL 5.0
endif

#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score KAM_SPAMFORSPAM 5.5

#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score KAM_NEUROLOGICAL 3.5

#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags __KAM_LOTSOFHASH multiple maxhits=10
meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score KAM_LOTSOFHASH 0.25

#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score KAM_GRABBAG1 3.5

#TV DOCTOR TRASH
header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR Spam for TV doctor stuff
score KAM_TVDOCTOR 3.5

# 1-800-DENTIST
header __KAM_DENTIST1 Subject =~ /dentist/i
header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
body __KAM_DENTIST3 /Find a dentist/i
meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST Spam for 1-800-DENTIST
score KAM_DENTIST 3.5

# GOLD AND DIAMOND JEWELRY
header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
header __KAM_JEWELRY2 From =~ /bluestone.com/i
meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
score KAM_JEWELRY 3.5

# PSSST, WANNA BUY SOME POT
body __KAM_MARIJUANA1 /marijuana|cannabis/i
body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i
meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA Spam pertaining to marijuana
score KAM_MARIJUANA 3.5
meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score KAM_MARIJUANA2 8.0
describe KAM_MARIJUANA2 Definitely spam for marijuana

# EVICTION NOTICE
header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR >= 4)
describe KAM_EVICTION Malware disguised as eviction notice
score KAM_EVICTION 4.5

# WALK IN TUBS
header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body __KAM_WALKINTUB3 /walk.?in.?tub/i
meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score KAM_WALKINTUB 3.5

# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i
meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score KAM_EMAILQUESTION 3.5

# BECOME BEYOND SUPERHUMAN / SUPERMAN
header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i
meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score KAM_SUPERHUMAN 8.0

# VALENTINES
header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score KAM_VALENTINE 4.5

header __KAM_MOTHER1 From =~ /flower|seventeen/i
header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score KAM_MOTHER 4.5

# WHO'S WHO
header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri __KAM_WHOSWHO4 /whoswho/i
meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score KAM_WHOSWHO 5.0
meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score KAM_WHOSWHO2 1.0

# GARAGE FLOOR COATING
header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score KAM_GARAGE 4.0
meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam

#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
header __KAM_PAINT2 Subject =~ /surface Paint/i
meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_PAINT Paint Spams
score KAM_PAINT 4.0

# HURRICANE MOP
header __KAM_MOP1 From =~ /hurricane mop/i
header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body __KAM_MOP3 /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score KAM_MOP 3.5

# DATING TIPS
header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score KAM_DATINGTIPS 4.5

# CANDY
header __KAM_CANDY1 From =~ /candy/i
header __KAM_CANDY2 Subject =~ /candy/i
body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score KAM_CANDY 4.5

# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable

# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK1 1.5
meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK2 3.5
meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score KAM_WEIRDTRICK3 3.0

#MATCH MAKER SPAM
header __KAM_MATCH1 From =~ /Match/i
header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe KAM_MATCH Match Maker Spams
score KAM_MATCH 3.5

#CAR INSURANCE
header __KAM_CARINSURE1 From =~ /insurance/i
header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe KAM_CARINSURE Car Insurance Spams
score KAM_CARINSURE 3.0

#DATA IMG
rawbody __KAM_DATAIMG /<img src="data:image/i

#FAKE MMS
rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe KAM_MMS Fake MMS Spam
score KAM_MMS 6.0

#LEARNMORE
rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe KAM_LEARN Learn More Spam
score KAM_LEARN 6.0

#UNSUB1
header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe KAM_UNSUB1 Unsubscription Spams
score KAM_UNSUB1 0.1

uri __KAM_DOMAINDOTCOM /domain\.com/i
meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score KAM_UNSUB2 3.5
describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body

# DUTCH GLOW AND OTHER WOODWORKING SPAM
header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
describe KAM_DUTCHGLOW Woodworking spam
score KAM_DUTCHGLOW 3.0

# FUNERAL HOME SPAM
header __KAM_FUNERAL1 From =~ /Funeral/i
header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score KAM_FUNERAL 2.0
meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score KAM_FUNERAL2 3.0

# WEB VIEW OBFUSCATION
body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score KAM_WEB_OBFUSCATION 0.1

# TUPPERWARE
header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score KAM_TUPPERWARE 3.5

# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score KAM_PATRIOT 4.0
meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score KAM_PATRIOT2 1.5

# PAYMENT LOWERED
header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score KAM_PAYMENT_LOWERED 4.5
meta KAM_PAYMENT_LOWERED2 (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED2 Higher probability of lowered payment spam
score KAM_PAYMENT_LOWERED2 2.0

#NEW NOTICE
body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe KAM_NEWNOTICE New Notice Spam
score KAM_NEWNOTICE 4.25
meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
score KAM_NEWNOTICE2 2.0

#REFI NEW NOTICE
header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe KAM_REFINEW New Refi/Credit Notice spam
score KAM_REFINEW 2.0
meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe KAM_REFINEW2 Higher Probability Refi Spam
score KAM_REFINEW2 2.0

#AUTO INSURE / LOAN
header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe KAM_AUTONEW New Auto insurance spam
score KAM_AUTONEW 3.0
meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe KAM_AUTONEW2 Higher Probability Insurance Spam
score KAM_AUTONEW2 2.0

#STATLER
header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header __KAM_STATLER2 Subject =~ /quintuple/i
body __KAM_STATLER3 /Mike Statler/i
meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe KAM_STATLER Mike Statler Spams
score KAM_STATLER 6.0

#LEARNING TO WRITE
header __KAM_WRITING1 From =~ /writing/i
header __KAM_WRITING2 Subject =~ /writing resources|get published/i
body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score KAM_WRITING 3.5

#RASH OF .EU EXPLOITS
rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score KAM_EU 0.50
describe KAM_EU Prevalent use of .eu in spam/malware

#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score KAM_GRABBAG2 5.0
describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators

#END DIABETES SPAM
body __KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i
meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
score KAM_DIABETES 4.5
describe KAM_DIABETES End Diabetes Spam

#SPY CAMERAS, ETC
header __KAM_SPY1 From =~ /spy.?camera/i
header __KAM_SPY2 Subject =~ /spy.?camera/i
body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i
meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score KAM_SPY 3.5

#HARP
header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header __KAM_HARP3 From !~ /\.gov>?$/i
meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP HARP Refinance Spams
score KAM_HARP 4.5

#LUNAR SLEEP AND OTHER SLEEPING AIDS
header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri __KAM_LUNAR3 /lunar.?sleep/i
body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score KAM_LUNAR 4.5
meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score KAM_LUNAR2 2.0

#OCEANS BOUNTY
header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score KAM_OCEANSBOUNTY 4.5

#ANDROGEL
header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score KAM_ANDROGEL 4.5

#CELL PHONES
header __KAM_CELL1 From =~ /phone/i
header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score KAM_CELL 3.5

header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad

#HERPES
header __KAM_HERPES1 From =~ /herpes/i
header __KAM_HERPES2 Subject =~ /your.herpes/i
body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score KAM_HERPES 5.0

#FAKE VOUCHER/REWARD EMAIL
header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)?
Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3) describe KAM_FAKEVOUCHER Fake voucher/reward email score KAM_FAKEVOUCHER 4.5 #ATTORNEY SPAM header __KAM_ATTORNEY1 From =~ /attorney/i header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3) score KAM_ATTORNEY 3.5 describe KAM_ATTORNEY Ads for legal services #PRODUCT RECALL header __KAM_RECALL1 From =~ /dog.?food/i header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3) score KAM_RECALL 3.5 describe KAM_RECALL Spam for product recall notices #REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i tflags __KAM_HUGEIMGSRC multiple maxhits=6 meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6) score KAM_HUGEIMGSRC 0.2 describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i score KAM_REALLYHUGEIMGSRC 1.1 rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking 
score KAM_TRACKIMAGE 0.2

#BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
score KAM_GRABBAG3 3.0
describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients

#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score KAM_EMPTYLINK 3.5

header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde

# WORDS THAT "A R E S P A C E D O U T" LIKE SO
body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i

# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
body __KAM_INVESTCOUNTRY2 /invest in your country/i
meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
score KAM_INVESTCOUNTRY 3.5
describe KAM_INVESTCOUNTRY Spam for investing in your country

# SPAM FOR FLAGS
header __KAM_FLAG1 From =~ /flag/i
header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags

rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags

rawbody __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text

rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area

meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score KAM_GRABBAG4 3.5

header __KAM_KORS1 From =~ /Michael Kors/i
header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors

header __KAM_HOLIDAY1 From =~ /holidays/i
header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score KAM_HOLIDAY 3.5

#Thanks to Dave Wreski for his idea on commas
header __KAM_MANYTO To =~ />,/i
tflags __KAM_MANYTO multiple,maxhits=5
header __KAM_MANYTO2 To =~ /, /
tflags __KAM_MANYTO2 multiple,maxhits=25
meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
score KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header or more than 25 recipients

meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients

body __KAM_MILLIONAIRE1 /internet millionai?re/i
body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money

header __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
header __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes

header __KAM_ADHD1 From =~ /ADH?D/i
header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body __KAM_ADHD3 /struggling with adh?d|treatment options/i
meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment

# AUTO REPAIR
header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services

# HOME REPAIR
header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services

body __KAM_EPISODE /episode \d+/i

header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services

header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header __KAM_PAPERLESS2 Subject =~ /paperless|fax to email|send document|fax thru email|receive faxes|send faxes|fax.message|voice.message|new.fax|have.received/i
body __KAM_PAPERLESS3 /fax service|service plan|view.this.fax|\d.page.fax|voice.message/i
meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office

rawbody __KAM_LOTSOFNBSP /(&nbsp; ?){30}/i

header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i

# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header __KAM_PASSWORD1 Subject =~ /password/i
body __KAM_PASSWORD2 /validate.your.email/i
meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password

# SEMINARS AND WORKSHOPS SPAM
header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score KAM_WEBINAR 3.5
meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
describe KAM_WEBINAR2 Spam for webinars
score KAM_WEBINAR2 3.5

header __KAM_CONTACTME1 Subject =~ /^contact me$/i
body __KAM_CONTACTME2 /read the attached letter/i
meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply

header __KAM_MESH1 From =~ /consumer|connect|claim/i
header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score KAM_MESH 3.5

header __KAM_ALERT1 From =~ /medical.?alert/i
header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body __KAM_ALERT3 /help button/i
meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts

# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header __KAM_SECURITY1 From =~ /Digital Defense/i
header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body __KAM_SECURITY3 /information.security|cyber.?criminal/i
meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score KAM_SECURITY 6.0

body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body __KAM_JESUS3 /nigeria|muslim.women/i
meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score KAM_JESUS 4.5

header __KAM_CLAIMS1 From =~ /claims.payment/i
header __KAM_CLAIMS2 Subject =~ /confirm/i
body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score KAM_CLAIMS 4.5

# VISION SPAM
header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score KAM_VISION 4.5

body KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score KAM_TRUTHINESS 1.5

header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement

# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score KAM_GENERICHEALTH 4.0
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs

header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
header __KAM_SALEA_1 From =~ /touch.?fire/i
header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score KAM_SALE 4.0
describe KAM_SALE Spam for things on sale
meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign

# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags __KAM_ASCII_DIVIDERS multiple, maxhits=4
meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score KAM_ASCII_DIVIDERS 0.8

# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i

rawbody __KAM_HTMLNOISE1 /<big><big>|<small><\/small>|<style><\/style>/i
meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding

header __KAM_CHICKEN1 From =~ /coop/i
header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops

# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters

# DRAPES SPAM
header __KAM_DRAPES1 From =~ /drapes/i
header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body __KAM_DRAPES3 /banner.stand|print.project/i
meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes

header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score KAM_NUWAVE 3.5

rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags __KAM_MANYCOMMENTS multiple,maxhits=6
meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score KAM_MANYCOMMENTS 1.2

header __KAM_HIRE1 From =~ /recruit/i
header __KAM_HIRE2 Subject =~ /checking.in/i
body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score KAM_HIRE 4.5

header __KAM_DEALS1 From =~ /deal.?hunter/i
header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body __KAM_DEALS3 /exclusive.savings/i
meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals

header __KAM_CONTRACT1 From =~ /samanage/i
header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body __KAM_CONTRACT3 /buy you out|service management|management solution/i
meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract

#KAM_TOLL
header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score KAM_TOLL 8.0

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #KAM_AMAZON
  header __KAM_AMAZON1 From =~ /amazon\.com/i
  meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
  score KAM_AMAZON 4.5
  describe KAM_AMAZON Fake Amazon email with malware
endif

# LANDSCAPING
header __KAM_LANDSCAPE1 From =~ /landscaping/i
header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body __KAM_LANDSCAPE4 /stone.carving/i
meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score KAM_LANDSCAPING 3.5

# SINGING LESSONS
header __KAM_SINGING1 From =~ /singing/i
header __KAM_SINGING2 Subject =~ /professional.singer/i
body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score KAM_SINGING 4.5

# SPAM FOR ADS
header __KAM_ADVERTISE1 From =~ /gmail/i
header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score KAM_ADVERTISE 4.5

# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS
if (version >= 3.003002)
  # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
  header __KAM_SPF_NONE eval:check_for_spf_none()
  meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
  score KAM_LAZY_DOMAIN_SECURITY 1.0
  describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif

# FORGED EMAILS WITH A VIRUS ATTACHED
meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR >= 2)
score KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment

# LOTS OF PERIODS IN SUBJECT
header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score KAM_MANYDOTS 3.5

# FINAL NOTICE SPAM
header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score KAM_SUBJECTNOTICE 1.0

# SPAM FOR BACKUP SERVICE
header __KAM_BACKUP1 From =~ /backup/i
header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score KAM_BACKUP 4.5

# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score KAM_FROMNUM 1.0

# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score KAM_LINKBAIT 2.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place

uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score KAM_LINKBAIT2 1.5
describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site

# FREEMAIL LINKBAIT
meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener

# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta KAM_PHISHY_DOLLARS (KAM_RAPTOR + LOTS_OF_MONEY >= 2)
score KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts

# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header __KAM_MULTIPLE_FROM From =~ /^./
tflags __KAM_MULTIPLE_FROM multiple,maxhits=2
header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
meta KAM_GRABBAG6 (__KAM_MULTIPLE_FROM + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score KAM_GRABBAG6 4.5

# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject

# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header __KAM_GOOGLE2_1 From =~ /google\+/i
header __KAM_GOOGLE2_2 From !~ /google.com/i
meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam

# MORE NIGERIAN VARIANTS
body __KAM_NIGERIAN2_1 /congo/i
meta KAM_NIGERIAN2 (__KAM_NIGERIAN2_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score KAM_NIGERIAN2 4.5
describe KAM_NIGERIAN2 Nigerian scam variant

# FINGERHUT SPAMS
header __KAM_FINGERHUT1 From =~ /finger.?hut/i
header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut

# FRIEND REQUEST SPAM
header __KAM_FRIEND1 Subject =~ /new.notification/i
body __KAM_FRIEND2 /wants.to.follow/i
meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam

# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR)
  score KAM_VERY_MALWARE 3.5
  describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
endif

#MERCHANT ACCOUNTS SPAM
header __KAM_MERCHANT1 Subject =~ /finance.department/i
body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing

# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
  header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
  # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
  #meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
  #describe KAM_ZERODAY obviously a malware email that was not caught
  #score KAM_ZERODAY 8.0

  # ANOTHER ONE
  header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
  meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
  score KAM_ZERODAY2 1.0
  describe KAM_ZERODAY2 Another obvious zero-day malware
  meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
  score KAM_ZERODAY3 3.5
  describe KAM_ZERODAY3 Another obvious zero-day malware
endif

# FAMILY TREE SPAM
header __KAM_ANCESTOR1 From =~ /ancestry/i
header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score KAM_ANCESTOR 3.5

# REMEMBER WHEN YOU GOT THAT SPAM
header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened

# THE LATEST TRAILING NOISE FORMAT
body __KAM_NOISE1 /([a-z0-9],){12}/i
body __KAM_NOISE2 /([a-z]{1,10},){10}/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
  describe KAM_NOISE1 Pattern of noise words at the end of an email
  score KAM_NOISE1 2.5
endif

# FREE PIZZA WOO!
header __KAM_PIZZA1 From =~ /pizza/i
header __KAM_PIZZA2 Subject =~ /^free pizza$/i
body __KAM_PIZZA3 /free.pizza.coupon/i
meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza

# ENGINEERING SPAM
header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information

# SUNGLASSES
header __KAM_SUNGLASSES1 Subject =~ /rayban/i
body __KAM_SUNGLASSES2 /great ray|hot.deal/i
body __KAM_SUNGLASSES3 /style rocks|today.only/i
meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score KAM_SUNGLASSES 3.5

# INVOICE SPAM OF THE DAY
header __KAM_INVOICE1 From =~ /billing/i
header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
uri __KAM_INVOICE5 /overdue|final.account/i
meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score KAM_INVOICE 4.5
describe KAM_INVOICE Phishing invoice spam
meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
score KAM_INVOICE2 5.5
describe KAM_INVOICE2 Phishing invoice spam

# GRIPEEZ
header __KAM_GRIPPY1 From =~ /gripeez/i
header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products

# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing/i
header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score KAM_ACCOUNTPHISH 3.20
describe KAM_ACCOUNTPHISH Spam that tries to get account information

# BUY PROPERTY
header __KAM_PROPERTY1 From =~ /high.rise|condo/i
header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body __KAM_PROPERTY3 /convenient.location/i
meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property

# FAKE AMEX
header __KAM_FAKEAMEX1 From =~ /aexp.com/i
meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information

header KAM_HUGESUBJECT Subject =~ /^.{500}/
score KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter

#HOOKUP
header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri __KAM_HOOKUP2 /justhookup/i
body __KAM_HOOKUP3 /match.?me.?networks/i
meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service

#PSYCHIC
header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
uri __KAM_PSYCHIC2 /free.psychic/i
body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score KAM_PSYCHIC 4.5
describe KAM_PSYCHIC Current Psychic Product Spam du Jour

#UNSUB BADDIES
body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
score KAM_BADUNSUB 3.0
describe KAM_BADUNSUB Bad Unsubscribe Messages

#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message

#TINYURL OBFUSCATION
uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
meta KAM_TINYURL (__KAM_TINYURL1)
score KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener

# FAKE DROPBOX
header __KAM_DROPBOX1 From =~ /dropbox/i
header __KAM_DROPBOX2 From !~ /dropbox.com/i
body __KAM_DROPBOX3 /shared.a.folder/i
meta KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails

# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
score KAM_YAHOO_MISTAKE -3.0
endif

# GARBAGE FREEMAIL
meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account

# AQUA RUG
header __KAM_AQUARUG1 From =~ /aqua.?rug/i
header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product

# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header __KAM_ITC1 From =~ /thetradecouncil.com/i
body __KAM_ITC2 /International Trade Council/i
body __KAM_ITC3 /enclosed/i
meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council

# HAVE YOU SEEN THIS
body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?

# DETOX
header __KAM_DETOX1 From =~ /detox/i
header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff

# DEATH INSURANCE
header __KAM_DEATHINSURE1 From =~ /live.sure/i
header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score KAM_DEATHINSURE 3.5

# REACHBASE
body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info

# DIGITAL WALLET SPAM
header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services

# BAD PHP
header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score KAM_BADPHP 2.5
describe KAM_BADPHP Questionable PHP mailer headers

# TINNITUS
header __KAM_TINNITUS1 From =~ /tinnitus.breakthrough/i
header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week/i
body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus/i
meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score KAM_TINNITUS 3.5

# KIWIBANK
header __KAM_KIWIBANK1 From =~ /kiwibank/i
header __KAM_KIWIBANK2 Subject =~ /verification.required/i
body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score KAM_KIWIBANK 3.5

# HAPPY TALK
header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body __KAM_HAPPYTALK2 /honest.and.nice/i
body __KAM_HAPPYTALK3 /beautiful.mail/i
meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam

# SETTLEMENT SPAM
header __KAM_SETTLEMENT1 From =~ /xarelto/i
header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body __KAM_SETTLEMENT3 /lawsuit.information/i
meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement

# CAD SPAM
header __KAM_CAD1 Subject =~ /cad.drawing/i
body __KAM_CAD2 /we.specialize.in/i
body __KAM_CAD3 /our.products/i
meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score KAM_CAD 3.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#SPAM WITH OFFICE MACROS
header KAM_VBMACRO X-KAM-VBMacro =~ /True/i
describe KAM_VBMACRO Message contains attachment with VB macro
score KAM_VBMACRO 6.5

#SPAM THAT INDICATES DYNAMIC IP
header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i
describe KAM_DYNIP Message contains Dynamic IP Address Indicator
score KAM_DYNIP 6.5
endif

# YELP AND OTHER REVIEW SITES
header __KAM_REVIEW1 From =~ /contractor/i
header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i
meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score KAM_REVIEW 4.5

# TOURS AND EVENTS
header __KAM_TOURS1 From =~ /festival/i
header __KAM_TOURS2 Subject =~ /adventure.tour/i
body __KAM_TOURS3 /your.adventure.tour|your.event/i
meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events

# NO MORE SPAM ENGINES
body __KAM_NOMORE1 /no.more.of.this/i
body __KAM_NOMORE2 /no.more.at.all/i
meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score KAM_NOMORE 3.5

# NOT REALLY CONFIDENTIAL
body __KAM_NOCONFIDENCE1 /confidential.information/i
meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security

# YER GON GET SASSINATED
header __KAM_ASSASSIN1 Subject =~ /want you dead/i
body __KAM_ASSASSIN2 /my identity/i
body __KAM_ASSASSIN3 /assassinate/i
body __KAM_ASSASSIN4 /like.an.accident/i
meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam

# GIMME FLASH DRIVES
header __KAM_DRIVE1 From =~ /purchase|manager/i
header __KAM_DRIVE2 Subject =~ /quotation/i
body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i
meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment

#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
# blacklist_uri_host link
#endif

#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif

# HEARING LOSS
header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i
meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions

# TRACKR
header __JMQ_TRACKR1 From =~ /trackr/i
header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i
meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR

# CONGRATULATION
header __JMQ_CONGRAT1 From =~ /award|claim/i
header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam

# PICKUP
header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header __JMQ_PICKUP3 X-Mailer =~ /php/i
body __JMQ_PICKUP4 /\d+.year.old|female/i
meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number

# COMPROMISED DROPBOX
header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body __JMQ_DROPBOX3 /ach.(payment|transfer)/i
meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts

#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body __KAM_BAD_REVIEW2 /Reputation Giant/i
meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
score KAM_BAD_REVIEW 4.0
describe KAM_BAD_REVIEW Online reputation spammers

#GOOGLE AWARD
header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
body __KAM_GOOGLE_AWARD2 /selected as a winner/i
body __KAM_GOOGLE_AWARD3 /Dear Google/i
body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
endif
meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
score KAM_GOOGLE_AWARD 5.0
describe KAM_GOOGLE_AWARD Fake Google Awards

#OBFUSCATED LOANS
body KAM_OBFU_LOANS /Stüdént Lóans/i
score KAM_OBFU_LOANS 5.0
describe KAM_OBFU_LOANS Obfuscated Loan Verbiage

#WORK FROM HOME
body __KAM_WORKFROMHOME1 /work from home/i
meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score KAM_WORKFROMHOME 1.75
describe KAM_WORKFROMHOME Work from Home Spams

#STUDENT LOAN
body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
body __KAM_STUDENTLOAN2 /consolidate your loan/i
body __KAM_STUDENTLOAN3 /doesn't injured/i
body __KAM_STUDENTLOAN4 /866-351-4693/i
body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i
meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score KAM_STUDENTLOAN 4.5
describe KAM_STUDENTLOAN Student Loan Scam

#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __JMQ_RESUME1 Subject =~ /resume/i
body __JMQ_RESUME2 /hello my name|my name is/i
body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
score JMQ_RESUME 4.5
describe JMQ_RESUME Spam for bad attached resumes
endif

#LED/SOLAR LIGHTS
header __KAM_LED1 Reply-to =~ /huixinsoft\d*\@foxmail.com/i
body __KAM_LED2 /solar (lighting|led)/i
body __KAM_LED3 /China aier/i
meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 2)
describe KAM_LED Solar LED Lighting Spams
score KAM_LED 5.5

# REAL ESTATE
header __JMQ_REALESTATE1 From =~ /tom.brice/i
header __JMQ_REALESTATE2 Subject =~ /real.estate/i
body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i
meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score JMQ_REALESTATE 4.5

# IP IN FROM
header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address

# IFFY PAYPAL OF THE DAY
header __JMQ_PAYPAL2 From =~ /paypai/i
meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day

# RESUME SPAM REDUX PART 2 (WOOHOO)
meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam

# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
describe JMQ_SPF_NEUTRAL SPF set to ?all
score JMQ_SPF_NEUTRAL 0.5
askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
describe JMQ_SPF_ALL SPF set to +all!
score JMQ_SPF_ALL 0.5
endif

# IMPORTANT MESSAGE
header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body __JMQ_IMPORTANT2 /important message/i
body __JMQ_IMPORTANT3 /please visit/i
meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important

# IMAGE TRACKERS
uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i
meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker

# WIRE TRANSFERS
header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body __JMQ_WIRE2 /medical.support|payment.sent/i
body __JMQ_WIRE3 /bank.wire|sent.out.asap/i
meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer

#bindata code in RTF
#rawbody __KAM_BADRTF1 /<w:binData/
#rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/
#meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score KAM_BADRTF 5.0

#Fake Order
body __KAM_ORDER1 /Please find document attached/i
header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i
meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score KAM_ORDER 3.0
describe KAM_ORDER Fraudulent Order Emails
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200

#SHOCKING BEVERAGE
body __KAM_SHOCK1 /shocking.beverage/i
header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
body __KAM_SHOCK3 /drinking this beverage/i
meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score KAM_SHOCK 4.0
describe KAM_SHOCK Spams with energy drinks

#BEAUTY SCAM
body __KAM_BEAUTY1 /she now looks \d+/i
body __KAM_BEAUTY2 /reveals exactly/i
body __KAM_BEAUTY3 /most amazing transformation/i
header __KAM_BEAUTY4 Subject =~ /now looks \d+/i
meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score KAM_BEAUTY 4.0
describe KAM_BEAUTY Youth and Beauty Product Scams

#WEED
body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
body __KAM_WEED4 /(weed|pot).stock/i
meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score KAM_WEED 8.0
describe KAM_WEED Legal Weed and related investment scams

#LOGOS
body __KAM_LOGO1 /guru.level logo/i
header __KAM_LOGO2 Subject =~ /guru.level logo/i
body __KAM_LOGO3 /(guru.level|ready.made) logo/i
meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score KAM_LOGO 5.25
describe KAM_LOGO Logo Spam

#TRUMP COIN
body __KAM_TRUMPCOIN1 /Donald Trump/i
header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
body __KAM_TRUMPCOIN3 /special colored coin/i
meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score KAM_TRUMPCOIN 5.25
describe KAM_TRUMPCOIN Trump Coin Spam

#WATER
body __KAM_WATER1 /Never Drink Water/i
header __KAM_WATER2 Subject =~ /bottled water/i
body __KAM_WATER3 /filtered tap water/i
meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score KAM_WATER 5.25
describe KAM_WATER Water Poison Scam

#BANK
body __KAM_RUIN1 /do not deposit/i
header __KAM_RUIN2 Subject =~ /money into your bank/i
body __KAM_RUIN3 /banking institutions/i
meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score KAM_RUIN 5.25
describe KAM_RUIN Bank Phishing Scam

#BANK
body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation/i
header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym/i
body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+/i
meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 >= 3
score KAM_WEIGHT2 5.25
describe KAM_WEIGHT2 Weight loss process du jour

#AMAZING LENS
body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
header __KAM_LENS4 From =~ /hdcam|lens|inhd/i
meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score KAM_LENS 5.25
describe KAM_LENS Amazing Lens Scam

#HONOR
body __KAM_HONOR1 /greatest thing of your life/i
header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
body __KAM_HONOR3 /profession women/i
body __KAM_HONOR4 /invitation/i
meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score KAM_HONOR 6.25
describe KAM_HONOR Professional Network Scam

#Rule Dev
#Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
#uri __ALL_URI /.*/
#tflags __ALL_URI multiple

#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si
meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score KAM_BAD_UTF8 14.0
describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning

#DEATH
body __KAM_DEATH1 /prevent early.death/i
header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
body __KAM_DEATH3 /Eating this|before it.?s too late/i
body __KAM_DEATH4 /heart.(attack|stops)/i
meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score KAM_DEATH 6.25
describe KAM_DEATH Supplement Scam

#REWARD
body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i
meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score KAM_REWARD 5.25
describe KAM_REWARD Coupon Scam

#PACKAGE
body __KAM_PACKAGE1 /dysfunction|\dx longer/i
body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
header __KAM_PACKAGE3 Subject =~ /sex/i
header __KAM_PACKAGE4 From =~ /function|fivex/i
meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score KAM_PACKAGE 4.25
describe KAM_PACKAGE Sexual Enhancement Scam

#NUM
header __KAM_NUMSUBJECT Subject =~ /\d+$/
header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/
meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
score KAM_NUMSUBJECT 0.5
describe KAM_NUMSUBJECT Subject ends in numbers excluding current years

#BAD PDF
header KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+/i
score KAM_MGCS 10.0
describe KAM_MGCS Boundary Content Indicative of Ratware

#NetWeaver - Disabled 7/24
#header KAM_NW X-Mailer =~ /SAP NetWeaver/i
#score KAM_NW 2.75
#describe KAM_NW Spam Indicator

#STOCKTIP OBFU
body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
body __KAM_STOCKOBFU2 /first letter/i
header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i
meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
score KAM_STOCKOBFU 4.5

#FAKE BBB/FLSA NOTICES
header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i
meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe KAM_FAKEBBB Fake Notices for Various Business Violations
score KAM_FAKEBBB 12.0

#HOWRU
#header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
body __KAM_HOWRU4 /gmx.com|rambler.ru/i
meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe KAM_HOWRU Female Chat Scam
score KAM_HOWRU 8.0

# 2017-11-01, note 56146
body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i
body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i
meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)
meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)
score KAM_DOMAIN_SALE_2 3.0
score KAM_DOMAIN_SALE_3 1.0
meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)
score KAM_DOMAIN_SALE_INTRUDE 1.0
describe KAM_DOMAIN_SALE_2 Domain Selling Spam
describe KAM_DOMAIN_SALE_3 Domain Selling Spam
describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam

# 2017-11-08, lonely russian women Whack-A-Mole
# Likely Overlap with HOWRU rules, similar target. No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.
header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
header __KAM_SUBJECT_SINGLEWORD Subject =~ /^[a-z]+$/i
header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i
meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)
score KB_WAM_LONELY_WOMEN 5.0
describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day
body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i
#meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#All Control chars like NUL except \n which should exist once legitimately
#Investigating double-byte language FP. Reverting back to just \0
#header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
header __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
#\n Multiple in the From Header
header __KAM_MAILSPLOIT2 From =~ /[\n]/
describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
tflags __KAM_MAILSPLOIT2 multiple maxhits=2
meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
score KAM_MAILSPLOIT 10.0

#cc in From - Thanks to Dave Jones for idea
header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
score KAM_CCFROM1 5.0

#MailBox Verify Phish
header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box/i
body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota/i
header __KAM_MAILBOXFROM From =~ /mailbox/i
meta KAM_BOXPHISH (__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA >= 5)
describe KAM_BOXPHISH Mailbox verification phishing scams
score KAM_BOXPHISH 4.0

#SWISSCOIN, ETC.
body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i
meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
describe KAM_CRYPTO Crypto Currency Spam Du Jour
score KAM_CRYPTO 8.0

#COMPROMISED CMS - Thanks to Jing Shan for the idea
uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
uri __KAM_CMS2 /\/erroreng\/erroreng\//i
uri __KAM_CMS3 /twentythirteen\/Upgrade\/?email=/i
meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
describe KAM_CMS Indicators that a CMS has been exploited for Spammers
score KAM_CMS 1.0

#WESTERN UNION SCANS
header __KAM_WU1 from:addr !~ /\@westernunion.com/i
header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
uri __KAM_WU3 /western.umt/i
meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
describe KAM_WU Western Union Scam
score KAM_WU 5.0

#WEB CRIMINALS
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|cameras? and a mic|I am a hacker/i
#Different encodings
body __KAM_CRIM2 /(bit<C><O><I>n|BTC)/i
body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network/i
body __KAM_CRIM4 /erotica|<P>orn|promising evidence|video|masturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana/i
endif
body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz|deadline|hours only to send the fund/i
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news|central intelligence|pervert/i
meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 7.5

#KAM_CRIM_V2
body __KAM_CRIM2_1 /bit.{0,2}coin/i
body __KAM_CRIM2_2 /address\:/i
body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
describe KAM_CRIM2 Extortion Email
score KAM_CRIM2 7.5

#ZWNJ
#ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
# Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D.
# Switch rawbody check to Mail::SpamAssassin::Plugin::MIMEHeader
# Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
rawbody __KAM_ZWNJ1 /Content\-Type.{1,1000}charset.{1,1000}windows\-1256/i
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
tflags __KAM_ZWNJ2 multiple maxhits=16
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners

meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
score KAM_ZWNJ 7.0

#GIRLS
body __KAM_GIRLS1 /Lack of sex/i

meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
describe KAM_GIRLS Girl Chat Scam du Jour
score KAM_GIRLS 7.0

#SKINCELL PRO Spam Du Jour
body __KAM_SKINCELL1 /Skincell.Pro/i
header __KAM_SKINCELL2 Subject =~ /Skincell.Pro/i

meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
describe KAM_SKINCELL Skincare Scam du Jour
score KAM_SKINCELL 7.0

#UK INVOICE - Thanks to Andy Smith for his help on this
uri __KAM_UKINV1 /\/(client|share|documentview)$/i
body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i
body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i
body __KAM_UKINV4 /£/i
header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i
header __KAM_UKINV6 Subject =~ /invoice/i

meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6)
describe KAM_UKINV Fake Invoice/Scan Scams
score KAM_UKINV 5.5

#LIST SELLERS
body __KAM_LISTSALE1 /interested in acquiring/i
body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i
header __KAM_LISTSALE4 Subject =~ /users|leads/i
header __KAM_LISTSALE5 From =~ /leads/i

meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
describe KAM_LISTSALE List sellers
score KAM_LISTSALE 5.0

#Google Short?
uri KAM_GOOGLESHORT /\/www.google.com\/url\?q=.{4,16}bit\.ly/i
describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners
score KAM_GOOGLESHORT 9.0

#HEART ATTACK SPAM
body __KAM_HEARTPROD1 /heart ?attack/i
body __KAM_HEARTPROD2 /enzyme/i
header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
header __KAM_HEARTPROD4 From =~ /clear 7/i

meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
describe KAM_HEARTPROD Snake Oil Heart Health du Jour
score KAM_HEARTPROD 7.0

# LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE
describe __SCC_SHORT_WORDS A line with lots of short words
body __SCC_SHORT_WORDS /\W(\D\w{1,3}\W{1,3}){11}/
tflags __SCC_SHORT_WORDS multiple maxhits=40

describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5

describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10

describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20

describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35

# A pattern seen in subscription-bombings
describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
score SCC_SUBBOMB_SUBJ_1 5

# cPanel Phishing
header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
score SCC_FAKE_CPANEL 6

#https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
body KAM_FILE /file:\/\/\/\//i
describe KAM_FILE Potential attempt for NTLM attack
score KAM_FILE 4.5

#FUN SPAM RUN
header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world>?$/i
body __KAM_FUN2 /Addify Link/i
body __KAM_FUN3 /This Offer is (only )?for (united states|USA)/i
header __KAM_FUN4 Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement/i

meta KAM_FUN (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN 4.5

#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
uri KAM_DRIVENUM /\d+\.drive\.google.com/i
describe KAM_DRIVENUM Drive Links Prevalent in Spam
score KAM_DRIVENUM 5.0

#SWIFT PAYMENT SCAMS
header __KAM_SWIFT1 Subject =~ /Swift/i
body __KAM_SWIFT2 /swift copy/i
body __KAM_SWIFT3 /balance payment/i

meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
describe KAM_SWIFT SWIFT payment scam
score KAM_SWIFT 3.0

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  # Custom score
  score FROMNAME_SPOOFED_EMAIL 0.3
endif

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/
  describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
  score KAM_RAPTOR_ALTERED 2.0
endif

#BAD INVOICE SCAMS
header __KAM_PROFORMA1 Subject =~ /Proforma/i
body __KAM_PROFORMA2 /no responds/i
body __KAM_PROFORMA3 /highly encrypted/i
body __KAM_PROFORMA4 /Proforma Invoice/i
uri __KAM_PROFORMA5 /\.php/i

meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
describe KAM_PROFORMA Invoice scam
score KAM_PROFORMA 7.5

#BAD INVOICE SCAMS
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  header __KAM_INVOICEPO1 Subject =~ /Invoice copies/i
  body __KAM_INVOICEPO2 /consignment/i
  body __KAM_INVOICEPO3 /invoice copies/i
  mimeheader __KAM_INVOICEPO4 Content-Type =~ /invoice copies.{0,100}\.html/i

  meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
  describe KAM_INVOICEPO Invoice scam
  score KAM_INVOICEPO 4.0

  mimeheader KAM_HTMLINVOICE Content-Type =~ /invoice.{0,100}\.html/i
  describe KAM_HTMLINVOICE Invoice scam
  score KAM_HTMLINVOICE 1.5

  mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
  describe KAM_HTMLINVOICE2 Invoice scam
  score KAM_HTMLINVOICE2 3.5
endif

# Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
# FIXED rule distributed via sa-update since 2019-05-31
# meta __STYLE_GIBBERISH_1 0

# EOF