update KAM ruleset
[proxmox-spamassassin.git] / kam-updates / kam_sa-channels_mcgrail_com / KAM.cf
index 2a62acad9fe28114f34d3378e61bcb0ad66307bc..3384ea0f6906881d4d827b4e67241a3f3b7f8f3e 100644 (file)
@@ -673,7 +673,7 @@ body                __KAM_CEP5      /degree\/certificates|certification/i
 body            __KAM_CEP6             /\d (week|month)/i
 header          __KAM_CEP7             From =~ /certificate program/i
 
-meta            KAM_CEP        ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
+meta            KAM_CEP        (((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3) && ! __PDF_ATTACH )
 describe        KAM_CEP        CEP Diploma Mill Rule
 score           KAM_CEP        3.5
 
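Review bot: The `! __PDF_ATTACH` term added to the `KAM_CEP` meta turns the rule off for every message that carries a PDF, so a diploma-mill message with any PDF attached no longer gets the 3.5 points. This goes further than excluding the legitimate mail that presumably prompted the change. `__PDF_ATTACH` is not defined in this hunk; if it only exists when a PDF plugin is loaded, the meta has an undefined dependency on other installs, which a lint run would confirm. A comment above the meta, for example `# __PDF_ATTACH exclusion added for FP on <describe the legitimate mail>`, would record the reason and let the exclusion be narrowed later.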
@@ -743,10 +743,14 @@ if can(Mail::SpamAssassin::Conf::feature_capture_rules)
   describe      GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
   score         GB_STORAGE_GOOGLE_EMAIL 2.000
 
+  uri           GB_YOUTUBE_EMAIL        m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i
+  describe      GB_YOUTUBE_EMAIL        Youtube attribution links abuse
+  score         GB_YOUTUBE_EMAIL        2.000
+
   # Links to malware
   uri           __GB_CUSTOM_HTM_URI0    m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i
   uri           __GB_CUSTOM_HTM_URI1    m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
-  uri           __GB_CUSTOM_HTM_URI2    m;^https?://.{10,256}(?:\/\?)?(?:email=|audit\#|wapp\#)%{GB_TO_ADDR};i
+  uri           __GB_CUSTOM_HTM_URI2    m;^https?://.{10,256}(?:\/\?)?(?:(?<!blocker)email=|audit\#|wapp\#)%{GB_TO_ADDR};i
   uri           __GB_DRUPAL_URI         m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
   meta          GB_CUSTOM_HTM_URI       ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
   describe      GB_CUSTOM_HTM_URI       Custom html uri
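Review bot: The `(?<!blocker)` lookbehind added to `__GB_CUSTOM_HTM_URI2` has no comment saying which false positive it addresses, and the exclusion is invisible to anyone reading the alternation later. A line above the rule such as `# (?<!blocker): skip ...blockeremail=<rcpt> links, FP on <sender/service>` would document it. The new `GB_YOUTUBE_EMAIL` rule likewise scores 2.000 on a single URI match with no note on the sample it was written from; a short comment with the date and reason would match how other rules in this file were annotated.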
@@ -910,24 +914,16 @@ meta              KAM_TELEWORK    (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_
 describe       KAM_TELEWORK    Stupid telework and training scams
 score          KAM_TELEWORK    3.0
 
-#Changed to meta 2017-10-17
-#Key removal/credits
-#2017-10-23 - Removed .link.  Uniregistry has committed to reviewing abuse concerns.
-#2019-11-24 - Removed .bid for FPs
-#2020-06-04 - Added FP check for td.date and div.top
-#2021-08-14 - Thanks to Giovanni for the new regex and Kenneth Porter for the FP for things that ended in one of the TLDs but wasn't part of the domain
-#2021-08-25 - Added a FP fix for date with { from programming discussions
-#2022-04-26 - Sort tlds and add .cfp domain
-#2022-09-21 - adding .link back due to prevalence
-header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)$/i
-uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)($|\/|\:)/i
+#SOME TLD ARE BAD
+header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|press|pw|quest|rest|sbs|shop|stream|top|trade|wiki|workxyz)$/i
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|press|pw|quest|rest|sbs|shop|stream|top|trade|wiki|work|xyz)($|\/|\:)/i
 
 #FPs
-uri            __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE  /(^|\b)td\.date|de[b|l]\.date|div\.top($|\/)/i
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE  /(^|\b)(input|td)\.date|de[b|l]\.date|div\.top($|\/)|\/smart\.link|\.emailprotection\.link\//i
 body           __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF   /\.date ?\{/i
 
 meta           KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE))
-describe       KAM_SOMETLD_ARE_BAD_TLD         .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .work, .xyz TLD abuse
+describe       KAM_SOMETLD_ARE_BAD_TLD         .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .monster, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .wiki, .work, .xyz TLD abuse
 score          KAM_SOMETLD_ARE_BAD_TLD         5.0
 
 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body 
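Review bot: In the new `__KAM_SOMETLD_ARE_BAD_TLD_FROM` line the alternation ends `wiki|workxyz`, with the `|` between `work` and `xyz` lost, so From addresses under `.work` and `.xyz` stop matching and only a literal `.workxyz` would. The URI rule and the `describe` text in the same hunk still list `.work` and `.xyz` separately, so this looks unintended; the tail should read `|trade|wiki|work|xyz)$/i`. The hunk also drops the dated change log above the rule, which recorded why individual TLDs were added or removed; keeping it, or a pointer to where that history now lives, would help the next reviewer.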
@@ -1806,7 +1802,11 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
     util_rb_2tld glitch.me
     util_rb_2tld gr8.com
     util_rb_2tld benchmarkurl.com
-
+    util_rb_2tld caspio.com
+    util_rb_3tld lt.acemlnc.com
+    util_rb_2tld wpenginepowered.com
+    util_rb_2tld tumblr.com
+    util_rb_2tld codesandbox.io
   endif
 
   # allow URI rules to look at DKIM headers if they exist and our SA version supports it
@@ -1908,10 +1908,10 @@ if (version >= 3.004003)
 endif
 
 #FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES 
-header          __GB_FREEMAIL_NUM0     From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|yahoo)\.com/i
-header          __GB_FREEMAIL_NUMN0    From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|yahoo)\.com/i
-header          __GB_FREEMAIL_NUM1     From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|yahoo)\.com/i
-header          __GB_FREEMAIL_NUM2     From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|yahoo)\.com/i
+header          __GB_FREEMAIL_NUM0     From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|icloud|yahoo)\.com/i
+header          __GB_FREEMAIL_NUMN0    From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|icloud|yahoo)\.com/i
+header          __GB_FREEMAIL_NUM1     From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|icloud|yahoo)\.com/i
+header          __GB_FREEMAIL_NUM2     From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|icloud|yahoo)\.com/i
 meta            GB_FREEMAIL_NUM        ( ( __GB_FREEMAIL_NUM0 && ! __GB_FREEMAIL_NUMN0 ) || __GB_FREEMAIL_NUM1 || __GB_FREEMAIL_NUM2 )
 describe        GB_FREEMAIL_NUM        Freemail spammy address
 score           GB_FREEMAIL_NUM        1.0
@@ -2829,13 +2829,13 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
   replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
 
  #ISSUE
-  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired/i
+  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving|your inbox)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired|deleted after \d+ hour|expires in less than \d+h|risk of being locked out/i
   tflags       __KAM_MAILBOX1  nosubject
  #ACTION
-         body          __KAM_MAILBOX2  /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up 
space|quick re-?validation|cancel the request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file/i
-         tflags        __KAM_MAILBOX2  nosubject
       #SUBJECT
-         header        __KAM_MAILBOX3  Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account/i 
+  body         __KAM_MAILBOX2  /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick 
re-?validation|cancel the request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file|view and accept messages|keep my access/i
+  tflags       __KAM_MAILBOX2  nosubject
+ #SUBJECT
+  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account|Alert\!\!|do not ignore this notification|trying to contact you/i 
 
        #NON OBFUSCATED VARIANT NOT A SPAM INDICATOR
        header  __KAM_MAILBOX3FP        Subject =~ /verification/i
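Review bot: The alternatives added to the `__KAM_MAILBOX3` Subject pattern (`Alert\!\!`, `do not ignore this notification`, `trying to contact you`) are generic phrases that also occur in ordinary transactional and support mail, so they widen the sub-rule noticeably. How `__KAM_MAILBOX1`–`3` are combined and scored is outside this hunk, so the false-positive impact cannot be judged from here and is worth checking against a ham corpus. Because each rule is one multi-kilobyte alternation on a single line, the diff does not show which alternatives changed; listing the added phrases in the commit message or in a dated comment above each rule would make future updates reviewable.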
@@ -3002,27 +3002,29 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
 #Write a very broad regex like g.*k.?squ.* and the debug outputs something like  G\x{CF}\x{B5}\x{CF}\x{B5}k Squ" Then you can Edit the tag for E1 to add |[\xcf][\xb5]
 # replace_tag     A1      (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
-replace_tag     A1      (?:a|[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
-replace_tag     B1      (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
-replace_tag     C1      (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c]|[xd0\xa1])
-replace_tag    D1      (?:d|[\xf0\x9d\x9a\x8d])
-replace_tag     E1      (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab]|[\xc3][\xa8])
-replace_tag    G1      (?:g|[\xf0\x9d\x97\x80])
-replace_tag     I1      (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
-replace_tag    K1      (?:k|[\xd0][\xba])
-replace_tag    L1      (?:l|i)
-replace_tag    M1      (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
-replace_tag     N1      (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
-replace_tag     O1      (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e]|[\xc3][\xb4])
-replace_tag    P1      (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99]|[\xd0\xa0])
-replace_tag    R1      (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
-replace_tag     S1      (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
-replace_tag    T1      (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
-replace_tag    U1      (?:u|[\xf0\x9d\x98\x82])
-replace_tag    V1      (?:v|[\xf0\x9d\x96\xb5]|[\xce][\xbd])
-replace_tag    W1      (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0]|[\xd1\xa1])
-replace_tag    Y1      (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
-replace_tag    SPACE1  (?: |[\xc2\xa0])
+
+#Thanks to Kent Oyer for his review of the replace tags
+replace_tag     A1      (?:a|\xf0\x9d\x97\xae|\xc3\xa3|\xf0\x9d\x9a\x8a|\xd0\xb0|\xc9\x91|\xce\xb1|\xc3\x81|\@)
+replace_tag     B1      (?:b|\xce\x92|\xce\xb2|\xf0\x9d\x97\xaf|\xf0\x9d\x9a\x8b)
+replace_tag     C1      (?:c|\xd0\xa1|\xd1\x81|\xf0\x9d\x97\xb0|\xf0\x9d\x9a\x8c)
+replace_tag     D1      (?:d|\xf0\x9d\x9a\x8d)
+replace_tag     E1      (?:e|\xd0\xb5|\xc4\x97|\xf0\x9d\x97\xb2|\xf0\x9d\x9a\x8e|\xc3\xaa|\xcf\xb5|\xc3\xab)
+replace_tag     G1      (?:g|\xf0\x9d\x97\x80)
+replace_tag     I1      (?:i|\xd1\x96|\xc4\xab|\xce\xb9|\xf0\x9d\x97\xb6|\xf0\x9d\x9a\x92|l|1)
+replace_tag     K1      (?:k|\xd0\xba)
+replace_tag     L1      (?:l|i)
+replace_tag     M1      (?:m|\xca\x8d|\xf0\x9d\x97\xba|\x9b\x96)
+replace_tag     N1      (?:n|\xf0\x9d\x9a\x97)
+replace_tag     O1      (?:o|0|\xd0\xbe|\xce\xbf|\xf0\x9d\x97\xbc|\xf0\x9d\x9a\x98|\xd0\x9e|\xc3\xb4)
+replace_tag     P1      (?:p|\xd1\x80|\xc7\xb7|\xcf\x81|\xf0\x9d\x97\xbd|\xf0\x9d\x9a\x99|\xd0\xa0)
+replace_tag     R1      (?:r|\xf0\x9d\x97\xbf|\xf0\x9d\x9a\x9b)
+replace_tag     S1      (?:s|\xd0\x85|\xf0\x9d\x98\x80|\xf0\x9d\x9a\x9c)
+replace_tag     T1      (?:t|\xcf\x84|\xf0\x9d\x98\x81|\xf0\x9d\x9a\x9d)
+replace_tag     U1      (?:u|\xf0\x9d\x98\x82)
+replace_tag     V1      (?:v|\xf0\x9d\x96\xb5|\xce\xbd)
+replace_tag     W1      (?:w|\xf0\x9d\x98\x84|\xf0\x9d\x9a\xa0|\xd1\xa1)
+replace_tag     Y1      (?:y|\xf0\x9d\x9a\xa2)
+replace_tag SPACE1      (?: |\xc2\xa0)
 
 #OBFU ONLY
 replace_tag     A2      (?:[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
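Review bot: The new `M1` tag ends with the alternative `\x9b\x96`, which is two UTF-8 continuation bytes with no lead byte. It is therefore not a complete character and will match the tail of any multi-byte character ending in those bytes. Every other multi-byte alternative added in this hunk starts with a lead byte, so this looks like a truncated sequence; the missing lead byte(s) should be restored or the alternative dropped. The `A2` context line under `#OBFU ONLY` still uses the bracketed form (`[\xf0\x9d\x97][\xae]`) that this commit removes from `A1`. Whether the remaining `*2` tags were converted is outside this hunk.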
@@ -3406,7 +3408,7 @@ score             KAM_AP          4.5
 #CO.UK
 header         KAM_COUK        From =~ /\@.{1,30}\.co\.uk/i
 describe       KAM_COUK        Scoring .co.uk emails higher due to poor registry security.
-score          KAM_COUK        0.6
+score          KAM_COUK        0.3
 
 #FAKE FACEBOOKMAIL
  #REAL FB DOMAIN 
@@ -5936,7 +5938,7 @@ describe  KAM_CMS         Indicators that a CMS has been exploited for Spammers
 score          KAM_CMS         1.0
 
 #WESTERN UNION SCANS
-header         __KAM_WU1       from:addr !~ /\@westernunion.com/i
+header         __KAM_WU1       from:addr !~ /\@westernunion\.com/i
 header         __KAM_WU2       Subject =~ /WUMT|Western.?Union/i
 uri            __KAM_WU3       /western.umt/i
 
@@ -5949,22 +5951,22 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
 
-  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system/i
+  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera/i
 
-  #Bitcoin
-  body         __KAM_CRIM2     /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin/i
+  #Bitcoin / Etc.
+  body         __KAM_CRIM2     /(<B1><I1><T1>\-?<C1><O1><I1><N1>|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin|shoprite|instant money/i
 
   #Payment
-  body         __KAM_CRIM3     /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins/i
+  body         __KAM_CRIM3     /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin/i
 
   #Sexually explicit
-  body         __KAM_CRIM4     /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off/i
+  body         __KAM_CRIM4     /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult/i
 
   #TIME
-  body         __KAM_CRIM5     /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)/i
+  body         __KAM_CRIM5     /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts/i
 
   #Subject
-  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
+  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know/i
 
   header               __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i
   
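Review bot: In `__KAM_CRIM2` the new ticker alternative `(\b|^)(BTC|DSH|LTC)(\b|$)` carries redundant anchors, because `\b` already matches at the start and end of the text next to a word character; `\b(?:BTC|DSH|LTC)\b` says the same thing without two extra capture groups. The same line adds `shoprite|instant money` under the `#Bitcoin / Etc.` heading, which are not currency terms, so a short comment such as `# also payout channels seen in extortion mail` (wording to be confirmed by the author) would record why they belong in this sub-rule. The meta that combines `__KAM_CRIM1` to `__KAM_CRIM6` is outside this hunk, so the false-positive impact of these broader phrases cannot be judged from here.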
@@ -5980,7 +5982,7 @@ endif
 #KAM_CRIM_V2
 body           __KAM_CRIM2_1   /bit.{0,2}coin/i
 body           __KAM_CRIM2_2   /address\:/i
-body           __KAM_CRIM2_3   /adult.{0,2}video|sex.{0,2}sites/is
+body           __KAM_CRIM2_3   /adult.{0,2}video|sex.{0,2}sites|site for adult/is
 
 meta           KAM_CRIM2       (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
 describe       KAM_CRIM2       Extortion Email
@@ -6079,6 +6081,9 @@ meta       SCC_20_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 20
 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words 
 meta    SCC_35_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 35
 
+# Redefine WORD_INVIS_MANY to get rid of FPs
+meta WORD_INVIS_MANY ( __WORD_INVIS_2 && ! T_SCC_BODY_TEXT_LINE )
+
 # A pattern seen in subscription-bombings
 describe SCC_SUBBOMB_SUBJ_1    An unusual string pattern seen in subscription bombing subjects
 header   SCC_SUBBOMB_SUBJ_1    Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
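Review bot: The redefined `WORD_INVIS_MANY` depends on `T_SCC_BODY_TEXT_LINE`, and the `T_` prefix normally marks a rule that is still in testing and may be renamed or withdrawn. If that name disappears, the meta most likely evaluates the missing term as false, so `! T_SCC_BODY_TEXT_LINE` becomes always true and the false-positive guard is lost without any visible failure; this is worth confirming with `spamassassin --lint`. The comment should also record that this replaces the stock definition and which false positives prompted it, for example `# Overrides stock WORD_INVIS_MANY: skip when T_SCC_BODY_TEXT_LINE hits (FP case: TODO); re-check if the T_ rule is renamed`.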
@@ -6263,22 +6268,18 @@ endif
 #trusted_networks 38.124.232.0/24
 
 # CONTACTS / LISTS
-#REPLACED WITH BELOW FOR SINGLE WORD HIT REMOVAL 
-#header                __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i
-
-# Modified 3/23/2022 to try and remove FPs in this rule
-header         __KAM_LIST3_1   Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|business professionals|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+/i
+header         __KAM_LIST3_1   Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details/i
 
 #title
-body           __KAM_LIST3_2   /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|business development manager/i
+body           __KAM_LIST3_2   /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) gen|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|(leads|business development|BD|Biz.?Dev) manager|cd services|data intelligence specialist/i
 tflags         __KAM_LIST3_2   nosubject
 
 #db for sale
-body           __KAM_LIST3_3   /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing/i
+body           __KAM_LIST3_3   /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list/i
 tflags          __KAM_LIST3_3   nosubject
 
 #db what
-body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees/i
+body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted (criteria|market)|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees|tester file|list of organi[sz]ation/i
 tflags          __KAM_LIST3_4   nosubject
 
 meta           KAM_LIST3       (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
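Review bot: Several alternatives added to `__KAM_LIST3_2` have no word boundary and match inside unrelated text under `/i`: `(lead|demand) gen` now also hits "lead generic" or "demand general", `BD manager` matches after any word ending in "bd", and `cd services` after any token ending in "cd". Anchoring them keeps the broader intent, e.g. `(lead|demand) gen(eration)?\b`, `\b(leads|business development|BD|Biz.?Dev) manager` and `\bcd services`. The hunk also deletes the dated `# Modified 3/23/2022 …` comment on `__KAM_LIST3_1`; a one-line comment on why `industries`, `(audience|geography)\?` and `contact details` were added would keep that history.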
@@ -6351,7 +6352,7 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc
         tflags   KAM_DMARC_QUARANTINE net
         reuse    KAM_DMARC_QUARANTINE
         describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
-        score    KAM_DMARC_QUARANTINE 1.5
+        score    KAM_DMARC_QUARANTINE 3.0
 
         header   KAM_DMARC_NONE eval:check_dmarc_none()
         priority KAM_DMARC_NONE 500
@@ -6383,6 +6384,14 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc
           score    KAM_DMARC_NONE_TRUNCATE    -0.25
           tflags   KAM_DMARC_NONE_TRUNCATE    net nice
           reuse    KAM_DMARC_NONE_TRUNCATE
+
+          header   __KAM_FROM_RAPTORSRV       From:addr =~ /\@server\d+\.raptoremailsecurity\.com$/i
+          meta     KAM_FROM_RAPTOR_DMARCFAIL  ( __KAM_FROM_RAPTORSRV && KAM_DMARC_QUARANTINE )
+          describe KAM_FROM_RAPTOR_DMARCFAIL  Email from Raptor servers with DMARC failure
+          score    KAM_FROM_RAPTOR_DMARCFAIL  5.0
+          priority KAM_FROM_RAPTOR_DMARCFAIL  500
+          tflags   KAM_FROM_RAPTOR_DMARCFAIL  net
+
         endif
       endif
     endif
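Review bot: `KAM_FROM_RAPTOR_DMARCFAIL` scores 5.0 on top of `KAM_DMARC_QUARANTINE`, which this same commit raises to 3.0 in the hunk above, so a matching message collects 8.0 from the two rules together; if 5.0 was meant as the total, the meta should be `score KAM_FROM_RAPTOR_DMARCFAIL 2.0`, and if the stacking is intended a comment should say so. The new meta is tagged `tflags net` but, unlike `KAM_DMARC_QUARANTINE` and `KAM_DMARC_NONE_TRUNCATE` beside it, has no `reuse KAM_FROM_RAPTOR_DMARCFAIL` line. The enclosing `ifplugin`/`if` blocks open outside this hunk.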
@@ -7012,7 +7021,7 @@ describe  KAM_URGENT              Urgent Scams
 score          KAM_URGENT              7.5
 
 #INVESTMENT    
-header         __KAM_INVEST1           Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
+header         __KAM_INVEST1           Subject =~ /Investment|(hello|congrats|dear) friend|urgent\b|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
 #looking/why
 body           __KAM_INVEST2           /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance|investment officer/i
 #money/deal
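Review bot: The `\b` added after `urgent` in `__KAM_INVEST1` stops "urgently", but the alternative still has no leading boundary, so a Subject containing "insurgent" still matches; `\burgent\b` closes both sides. The neighbouring `important` and `interest` alternatives have the same shape ("unimportant", "Pinterest") and could get the same treatment: `\bimportant\b|\binterest\b`. How much this matters depends on the meta that combines the `__KAM_INVEST*` sub-rules, which is outside this hunk.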
@@ -7054,12 +7063,12 @@ describe        KAM_CELEB               Celebrity Health Scams
 score          KAM_CELEB               4.5
 
 #additional Freemail domains
-freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com windstream.net list.ru
+freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com windstream.net list.ru docomo.ne.jp terra.com.br interia.pl
 
 #BEAL AND SIMILAR IMPERSONATOR
 ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
 
-  replace_tag   KAM_BEAL_NAMES  (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis)
+  replace_tag   KAM_BEAL_NAMES  (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee)
 
  replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3
 
@@ -7071,11 +7080,9 @@ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
   body          __KAM_BEAL3             /<KAM_BEAL_NAMES>/i
   body          __KAM_NOT_BEAL3         /((From|Cc|To)\:\s+)<KAM_BEAL_NAMES>/i
 # Task
-  # have a moment removed 4/4
-  body         __KAM_BEAL4             /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|drop) your (phone )?number|(reply me with|confirm|drop|need) your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor/i
+  body         __KAM_BEAL4             /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|drop) your (phone )?number|(reply me with|confirm|drop|need) your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|confirm your mobile/i
 # question / privacy
-  # as soon as you can removed 4/4
-  body         __KAM_BEAL5             /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt reply|laryngitis/i
+  body         __KAM_BEAL5             /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt reply|laryngitis|as soon as you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done/i
 
 # oddlang
   body         __KAM_BEAL6             /sent from my mail|depuis mon smartphone/i
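Review bot: The alternative `confirm your mobile` appended to `__KAM_BEAL4` can never be the deciding match, because the existing `(reply me with|confirm|drop|need) your (mobil|cell)` on the same line already matches that text as a prefix; likewise the new `drop` in the first group only adds `drop your text` and the multi-space variants. Both can be removed or reduced to the genuinely new case. The hunk also deletes the comments `# have a moment removed 4/4` and `# as soon as you can removed 4/4` while `(have|got) a moment` is still in the pattern and `as soon as you are available` is added to `__KAM_BEAL5`. A replacement comment stating which phrases were deliberately kept or restored would stop the next editor from removing them again for the same false positives.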
@@ -7411,15 +7418,15 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
 endif
 
 #HTML ATTACHMENTS WITH FUNCTIONS AND EVALS
-rawbody                __GB_JS_UNESCAPE        /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape)/
-rawbody                __GB_JS_FUNCTION        /(?:\=|\:)"?(?:function|eval)\(/
-rawbody         __GB_JS_OBFU            /script\s+src="?\&\#x|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=/
-meta           GB_BADJS                ( ( __GB_JS_UNESCAPE || __GB_JS_FUNCTION || __GB_JS_OBFU ) && ( T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) )
+rawbody         __GB_JS_UNESCAPE        /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape|decodeURIComponent)|\=unescape\(.{1,10}\;document\.write|\=\s+atob\(/
+rawbody         __GB_JS_FUNCTION        /(?:\=|\:)"?(?:function|eval)\(/
+rawbody         __GB_JS_OBFU            /(?:script\s+src|onload)="?\&\#x|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=|window\.(?:location|href)/
+meta            GB_BADJS                ( ( __GB_JS_UNESCAPE || __GB_JS_FUNCTION || __GB_JS_OBFU ) && ( __KAM_SHTML_ATTACH || T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) )
 describe       GB_BADJS                Bad html attachment
 score          GB_BADJS                4.0
 
 #HTML FORM ATTACHED
-rawbody         __GB_HTML_FORM          /form\s+(?:method\=.{1,10})?\s+action\=/i
+rawbody         __GB_HTML_FORM          /\<form\s+.{1,50}(?:method\=|action\=|id\=)/i
 meta            GB_HTML_FORM            ( __GB_HTML_FORM && ( T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) )
 describe        GB_HTML_FORM            Html form attached
 score           GB_HTML_FORM            4.0
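Review bot: The new `\=\s+atob\(` alternative in `__GB_JS_UNESCAPE` requires at least one whitespace character after `=`, whereas the rest of the pattern treats whitespace as optional with `(?:\s+)?`; `\=\s*atob\(` would be consistent and also cover the compact form. `GB_BADJS` gains `__KAM_SHTML_ATTACH` in its attachment condition, but `GB_HTML_FORM` a few lines below keeps the old three-way condition, so the two rules no longer cover the same attachment types; if that is deliberate, a comment should say why. The added `window\.(?:location|href)` is common in ordinary HTML, so it relies entirely on the attachment condition to limit false positives.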
@@ -7501,13 +7508,13 @@ score           KAM_FROM_NAME_FAKERBL   6.0
 replace_rules          __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON3 __KAM_FAKE_NORTON4
 
 #subj
-header         __KAM_FAKE_NORTON1      Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan activated|protection alert/i
+header         __KAM_FAKE_NORTON1      Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renew(al|ing) (id|service) \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan (upgraded|activated)|protection alert|order process|payment success|renewal complete/i
 header         __KAM_FAKE_NORTON1A     To =~ /norton|billing\@geeksquad/i
-header         __KAM_FAKE_NORTON1B     From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt/i
+header         __KAM_FAKE_NORTON1B     From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt|account.?team/i
 #Fuzzy Prod
-body           __KAM_FAKE_NORTON2      /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G<E1><E1><K1>.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|G<E1><E1>k\s+squ<A1>d|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection/mi
+body           __KAM_FAKE_NORTON2      /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G<E1><E1><K1>.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|G<E1><E1>k\s+squ<A1>d|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection|norton membership|ant<I1>v<I1>rus \(?ultimate|Subscription Plan|geek standard upfront|Select Powerful Protection|<M1>cA\&fnof\;ee|<M1><C1><A1>Fee Subscription|PC Guard Protection/mi
 #Oddlang
-body           __KAM_FAKE_NORTON3      /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|disc<O1>unt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order/i
+body           __KAM_FAKE_NORTON3      /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issues? with (your order|the transaction)|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|disc<O1>unt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order|within the next two hour|payment network regulation|open a dispute/i
 tflags         __KAM_FAKE_NORTON3      nosubject
 #Order
 body           __KAM_FAKE_NORTON4      /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is p<L1>aced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear|renewed your product/i
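Review bot: The new `<M1>cA\&fnof\;ee` alternative in `__KAM_FAKE_NORTON2` matches the literal entity text `&fnof;`, but this is a `body` rule, and body rules normally run on rendered text in which HTML entities have already been decoded to the character itself. If that holds here, the alternative only fires on plain-text or double-encoded mail; matching the decoded character as well, e.g. `<M1>cA(?:\&fnof\;|\xc6\x92)ee`, would cover both, and should be confirmed against a sample message. `Subscription Plan` on the same line is a very generic phrase and leans on the other `__KAM_FAKE_NORTON*` sub-rules, whose combining meta is outside this hunk.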
@@ -7986,7 +7993,14 @@ header           __KAM_FROM_SPAM_FEB23   From =~ /SEO Rose|Diabacore|Cholibrium|Brain.?Savi
 
 header         __KAM_FROM_SPAM_MAR23   From =~ /Ukranian.?girls|feel.?good.?knee|fiber.?warning|septi.?fix|elongation.?secret|liver.?warning|Health.?Teamz|Blisterol/i
 
-meta           KAM_FROM_SPAM   ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 >= 1)
+header         __KAM_FROM_SPAM_APR23   From =~ /Fat.?loss.?trick|paid.?clinical.?stud|reduce.?wrist.?pain|Compression.?Sock|mystery.?shopper|carshield|prostate.?911|sonovive|\@avogtal\.|homedepotpromotions|ukranian.?girls|liver.?health/i
+
+header         __KAM_FROM_SPAM_MAY23   From =~ /Get.?prostate|mr.?.?lean.?belly|pain.?trigger|homedepotpromo|lume.?deodorant|hemp.?gummies|ninja.?offers|obamacare.?rate|brain.?news|joint.?support|lepticell/i
+
+header         __KAM_FROM_SPAM_JUN23   From =~ /ukrainian.?(wom[ae]n|single)|brain.?fortify|attorney.?for.?cancer|enence.?translator|tac.?right.?mini.?saw|walk.?in.?bath|care.?soles|hip.?flexor|prodentim/i
+
+
+meta           KAM_FROM_SPAM   ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 >= 1)
 describe       KAM_FROM_SPAM   From Indicates a Product Spam
 score          KAM_FROM_SPAM   6.75
 
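Review bot: Several entries in the new `__KAM_FROM_SPAM_APR23`/`MAY23`/`JUN23` patterns are short generic phrases (`liver.?health`, `joint.?support`, `brain.?news`) matched anywhere in the whole From header, and one hit alone gives KAM_FROM_SPAM its 6.75. A legitimate sender whose display name or domain contains such a phrase would be scored as spam on that basis only. Matching the phrase entries against `From:name` rather than the full header, or pairing them with a second signal, would narrow this. Two entries are also redundant: `ukranian.?girls` in APR23 repeats the one in `__KAM_FROM_SPAM_MAR23`, and `homedepotpromotions` in APR23 is covered by `homedepotpromo` in MAY23.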
@@ -8024,7 +8038,7 @@ if (version >= 4.000000)
       # +1 (123) 123-4567
       # 441 (123) 123-4567 (44 is the hex of the + char, tesseract(1) could convert the '+' sign this way
       # spaces, + sign, parenthesis and spaces are optional
-      body          GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:\s|,|\^|!|_)?[(|{|\[]?[0-9]{3}[)|}|\]]?[-\s\.\*_~,:!_\xe2\x88\x92]?[0-9]{3}[-\s\.\*_~,"!_\xe2\x88\x92\(]{1,3}?[0-9]{4,6})\b', '127.0.1.16')
+      body          GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:(\s|,|\^|!|_|\.){1,2})?[(|{|\[]?[0-9]{3}[)|}|\]]?(?:(\-|\s|\.|\*|_|~|,|:|!|_|\xe2\x88\x92){1,2})?[0-9]{3}(?:(\-|\s|\.|\*|_|~|,|"|!|_|\xe2\x88\x92){1,3})?[0-9]{4,6})\b', '127.0.1.16')
       # slow regexp
       # body          GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '(?:\*+|\b)(?:\+|4{2})?(?:[\s\*]+)?(?:[0-9]{1,2})?((?:[\s,\^\*]+)?[(|{|\*+]?[0-9]{3}[)|}|\*+]?(?:[-\s\.\*_~,:\*]+)?[0-9]{3}(?:[-\s\.\*_~,"]+)?[0-9]{4,6})(?:\*+|\b)', '127.0.1.16')
   
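Review bot: The rewritten GB_PHONE_RBL pattern makes the separator before the final `[0-9]{4,6}` optional (`(?:(...){1,3})?`), where the old class `[...]{1,3}?` required at least one character. A bare run of ten or more digits such as an order or tracking number now matches and becomes a lookup. As I read the HashBL options, `raw` sends the value unhashed, so more non-phone numbers from message bodies would reach `wild.pccc.com`; if that is not intended, keep the last separator mandatory, e.g. `(?:(?:-|\s|\.|\*|_|~|,|"|!|\xe2\x88\x92){1,3})[0-9]{4,6}`. The inner separator groups should also be non-capturing so the outer group stays the only capture, and `_` is listed twice in each alternation. The enclosing `if (version >= 4.000000)` block starts outside this hunk.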
@@ -8272,23 +8286,23 @@ endif
 
 #FAKE PAYROLL UPDATE
  #subj
-header         __KAM_FAKE_PAY_UPDATE1  Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D-?D (pay|information|update)|change of account|^\s$/i
+header         __KAM_FAKE_PAY_UPDATE1  Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(pay|information|update|request)|change of account|Demand Change|^\s$|DD[\- ]*Authorization|Change|help needed|new account|account (change|update)|payroll adjustment|request? for (change|update)|have a request/i
  #urg
-body           __KAM_FAKE_PAY_UPDATE2  /before the next payroll|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay date|Inactive in a few day|right away|on-?time for any ongoing|what data is required/i
+body           __KAM_FAKE_PAY_UPDATE2  /before the (current|next) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay (run|date)|Inactive in a few day|right away|on-?time for any ongoing|what data is required|urgent help|next salary|forthcoming payroll|effective on payday|effect for next pay|made right now|closed in (a )?few day|for the current pay/i
 tflags          __KAM_FAKE_PAY_UPDATE2  nosubject
  #task
-body           __KAM_FAKE_PAY_UPDATE3  /(change|updat(e|ing)) my (ACH|bank(ing)?|paycheck) (info|account)|new bank(ing)? info|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank|account needs to be updated|change in my ACH/i
+body           __KAM_FAKE_PAY_UPDATE3  /(change|updat(e|ing)) my (ACH|bank(ing)?|DD|paycheck) (direct.?deposit|info|account)|new bank(ing)? (details|info)|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change my direct deposit/i
 tflags         __KAM_FAKE_PAY_UPDATE3  nosubject
 
 #sigonly/freemail
 
 meta           KAM_FAKE_PAY_UPDATE     ( FREEMAIL_FROM + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4)
 describe       KAM_FAKE_PAY_UPDATE     Likely a fake ACH/Payroll Scam
-score          KAM_FAKE_PAY_UPDATE     6.0
+score          KAM_FAKE_PAY_UPDATE     8.0
 
 meta            KAM_FAKE_PAY_UPDATE_LOW     FREEMAIL_FROM && ( __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 2) && ! KAM_FAKE_PAY_UPDATE
 describe        KAM_FAKE_PAY_UPDATE_LOW     Likely a fake ACH/Payroll Scam (Lower Confidence)
-score           KAM_FAKE_PAY_UPDATE_LOW     4.5
+score           KAM_FAKE_PAY_UPDATE_LOW     6.5
 
 #ENCRYPTED PAYLOAD
 uri            __KAM_ENCRYPTED_LIVE1   /onedrive\.live\.com/i
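Review bot: The new bare `Change` alternative in `__KAM_FAKE_PAY_UPDATE1` matches any Subject containing "change" under `/i` (including "exchange"), which makes `BANK (STATUS|CHANGE)`, `change of account`, `Demand Change` and `account (change|update)` redundant and turns the subject test into a very weak signal. That matters more now that KAM_FAKE_PAY_UPDATE_LOW is raised to 6.5 and needs only FREEMAIL_FROM plus two of the three sub-rules. If the intent was a one-word subject, anchor it like the existing `^\s$`, e.g. `^\s*change\s*$`. In the same line `request? for (change|update)` makes the `t` optional; `requests? for` was probably meant.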
@@ -8415,19 +8429,19 @@ score           KAM_TRADEBOT    9.0
 
 #BIDDING/ESTIMATING
   #NAMES
-body           __KAM_BIDEST1A  /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC/i
+body           __KAM_BIDEST1A  /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating/i
 header         __KAM_BIDEST1B  From =~ /bidding|estimat/i
-header         __KAM_BIDEST1C  Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|CSI(\b|$)/i
+header         __KAM_BIDEST1C  Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)/i
   #MORE INFO
-body           __KAM_BIDEST2   /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|sample (take.?off|estimate)|complimentary detail from|send us the drawing/i
+body           __KAM_BIDEST2   /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|sample (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples/i
   #TITLE
-body           __KAM_BIDEST3   /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation company/i
+body           __KAM_BIDEST3   /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation company|head of business devel|estimating service|estimator|project +manager/i
   #OBFU
 body           __KAM_BIDEST4   /(dot)/i
 
 meta           KAM_BIDEST      ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 )
 describe       KAM_BIDEST      Bidding and Estimating Spam
-score          KAM_BIDEST      6.5
+score          KAM_BIDEST      7.5
 
 #FAKE BILL
 header         __KAM_FAKE_BILL1        From:name =~ /alert/i
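Review bot: The additions to `__KAM_BIDEST3` (`estimator`, `estimating service`, `project +manager`) are ordinary signature text in construction mail, and bare `estimator` makes the existing `(senior|certified) estimator` redundant. With KAM_BIDEST needing three of four groups, a freemail sender with "estimate" in the From or "estimation" in the Subject and "Project Manager" in the signature now scores 7.5 without any solicitation phrase from `__KAM_BIDEST2`. Consider keeping only the specific titles, e.g. `...|estimation company|head of business devel|estimating service/i`, or requiring `__KAM_BIDEST2` in the meta. In `__KAM_BIDEST1A` the new `define estimating LLC` is already matched by the existing `define estimating`.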
@@ -8573,12 +8587,15 @@ describe        KAM_FAKE_COINBASE2      Fake Coinbase Email
 score           KAM_FAKE_COINBASE2      7.5
 
 #FAKE COINBASE VARIANT 2
-header          __KAM_FAKE_COINBASE3_1  From:name =~ /coinbase/i
-header          __KAM_FAKE_COINBASE3_2  From:addr !~ /(\@\.)coinbase\.com/i
+ #FP fixed on 4/11 with the From:addr rule thanks to RunBox
+replace_rules  __KAM_FAKE_COINBASE3_1
+
+header          __KAM_FAKE_COINBASE3_1  From:name =~ /c<O1><I1>nbase/i
+header          __KAM_FAKE_COINBASE3_2  From:addr !~ /\@(.*?\.)?coinbase\.com/i
 
 meta            KAM_FAKE_COINBASE3      (__KAM_FAKE_COINBASE3_1 + __KAM_FAKE_COINBASE3_2 >= 2)
 describe        KAM_FAKE_COINBASE3      Fake Coinbase Notice
-score           KAM_FAKE_COINBASE3      5.0
+score           KAM_FAKE_COINBASE3      8.5
 
 #FAKE COINBASE VARIANT 3
 body           __KAM_FAKE_COINBASE4_1  /Coinbase at risk/i
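Review bot: The corrected exemption in `__KAM_FAKE_COINBASE3_2` is not anchored at the end, so an address such as `user@coinbase.com.example.net` still matches `\@(.*?\.)?coinbase\.com` and escapes the rule, which now carries 8.5. Anchoring the domain closes that: `header __KAM_FAKE_COINBASE3_2 From:addr !~ /\@(?:[^@\s]+\.)?coinbase\.com$/i`. The same missing `$` applies to `__KAM_FAKE_TREZOR1` (`/\@trezor\.io/i`) and `__KAM_FAKE_SA_POST1` (`/\@postoffice\.co\.za/i`) added in the last hunk; those two also do not allow subdomains, which is the kind of false positive the comment here says was just fixed for Coinbase. The `<O1>` and `<I1>` tags used in `__KAM_FAKE_COINBASE3_1` are defined outside this hunk.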
@@ -8726,7 +8743,7 @@ score             KAM_PASSEXP             4.5
 #IPFS
 uri            KAM_IPFS                /(\.|\b|\/)ipfs\.io\/|\/ipfs\/|https?\:\/\/ipfs\./i
 describe       KAM_IPFS                Abused Protocol for Distributed Content
-score          KAM_IPFS                9.0
+score          KAM_IPFS                12.0
 
 #PHONESYSTEM
   #DEAL
@@ -8791,8 +8808,8 @@ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
 endif
 
 #ADVIDS
-header         __KAM_ADVIDS1           From:addr =~ /\@advid/i
-body           __KAM_ADVIDS2           /video (production|examples|ads)/i
+header         __KAM_ADVIDS1           From:addr =~ /\@advid|\@.*advids?\./i
+body           __KAM_ADVIDS2           /video (production|examples|ads)|design explainer/i
 uri            __KAM_ADVIDS3           /search\?q\=Advids|youtube/i
 
 meta           KAM_ADVIDS              ( __KAM_ADVIDS1 + __KAM_ADVIDS2 + __KAM_ADVIDS3 >= 3)
@@ -8815,7 +8832,7 @@ describe  KAM_CRYPTOFAKE          Fake Crypto Notice
 score          KAM_CRYPTOFAKE          6.5
 
 #EMOJISEX
-body           __KAM_SEXEMOJI1         /ready 4fun|lets fun|private cam|exciting experiences|very hot|taste me|freaky fantas|hookup|tight pus|tight boob|divorced mom|mature wom[ae]n/i
+body           __KAM_SEXEMOJI1         /ready 4fun|lets fun|private cam|exciting experiences|very hot|taste me|freaky fantas|hookup|tight pus|tight boob|divorced mom|mature wom[ae]n|bj mom|div0rced|f\*?u\*?c\*?k|sexy on your bed|good fuck/i
   #EMOJI
 body           __KAM_SEXEMOJI2         /\x{F0}\x{9F}\x{8D}\x{91}|\x{F0}\x{9F}\x{92}\x{8B}/i
   #URL
@@ -8835,7 +8852,7 @@ describe  KAM_COPOUT              Marketing Emails that copout on the verification
 score          KAM_COPOUT              4.5
 
 #DOMAIN/URI TEST CONCEPT
-replace_tag    BADCALENDLYURIS         (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc)
+replace_tag    BADCALENDLYURIS         (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan)
 replace_rules  __KAM_BADCALENDLY
 uri            __KAM_BADCALENDLY       /https?\:\/\/(www\.)?calendly\.com\/<BADCALENDLYURIS>(?:\/|\?|\b|$)/i
 
@@ -8847,11 +8864,19 @@ replace_tag     BADYTURIS               (?:\@muvisaku)
 replace_rules  __KAM_BADYT             
 uri            __KAM_BADYT             /https?\:\/\/(www\.)?youtube\.com\/<BADYTURIS>(?:\/|\?|\b|$)/i
 
-replace_tag    BADVIMEOURIS            (?:446834731|399916650|256117879|clumcreative)
+replace_tag    BADVIMEOURIS            (?:446834731|399916650|256117879|268399852|602066576|179069936|540337372|391568499|clumcreative)
 replace_rules   __KAM_BADVIMEO
 uri            __KAM_BADVIMEO          /https?\:\/\/(www\.)?vimeo\.com\/<BADVIMEOURIS>(?:\/|\?|\b|$)/i
 
-meta           KAM_BADDOMAINURI        (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO >= 1)
+replace_tag    BADMEDIUMURIS           (?:\@webmoneyrevolution)
+replace_rules  __KAM_BADMEDIUM         
+uri            __KAM_BADMEDIUM         /https?\:\/\/(www\.)?medium\.com\/<BADMEDIUMURIS>(?:\/|\?|\b|$)/i
+
+replace_tag    BADFIVERRURIS           (?:jamshednarayana)
+replace_rules  __KAM_BADFIVERR
+uri            __KAM_BADFIVERR         /https?\:\/\/(www\.)?fiverr\.com\/<BADFIVERRURIS>(?:\/|\?|\b|$)/i
+
+meta           KAM_BADDOMAINURI        (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR >= 1)
 describe       KAM_BADDOMAINURI        Blocked domain/uri combo
 score          KAM_BADDOMAINURI        9.0
 
@@ -8878,14 +8903,14 @@ score           PHP_SCRIPT              2.25
 #APPLINK EMAILS
 uri            __KAM_APPLINK1          /\.app\.link/i
 
-meta           KAM_APPLINK             ( __KAM_APPLINK1 + FREEMAIL_FROM + KAM_BODY_LENGTH_LT_512 >= 3)
+meta           KAM_APPLINK             ( __KAM_APPLINK1 + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
 describe       KAM_APPLINK             App Link Spams
 score          KAM_APPLINK             4.5
 
 #SEX EXPLICIT GROUPS
-header         __KAM_SEX_GROUPS1       From:addr =~ /(Anya|sexy)\-.*\@googlegroups\.com/i
+header         __KAM_SEX_GROUPS1       From:addr =~ /(Anya|sexy|\-x)\-.*\@googlegroups\.com/i
 uri            __KAM_SEX_GROUPS2       /sites\.google\.com/i
-body           __KAM_SEX_GROUPS3       /(escort (company|job)|sexual needs|sexy lady|sexual?ly fit|fucked hard)/i
+body           __KAM_SEX_GROUPS3       /(escort (company|job|section)|sexual needs|sexy lady|sexual?ly fit|fucked hard|local hotties|secret community|hq escorts|good fuck|naughty date|male escort)/i
 
 meta           KAM_SEX_GROUPS          ( __KAM_SEX_GROUPS1 + __KAM_SEX_GROUPS2 + __KAM_SEX_GROUPS3 >= 3)
 describe       KAM_SEX_GROUPS          Sexually Explicit Spam
@@ -8904,11 +8929,102 @@ endif
 #FAKE MCAFEE VARIANT
 header                 __KAM_FAKE_NORTON3_1    From:name =~ /Mcafee/i
 header                 __KAM_FAKE_NORTON3_2    Subject =~ /payment/i
-body                   __KAM_FAKE_NORTON3_3    /auto.?renew/i
-uri                    __KAM_FAKE_NORTON3_4    /drive\.google\.com\/file/i
+body                   __KAM_FAKE_NORTON3_3    /auto(matic)?.?renew/i
+uri                    __KAM_FAKE_NORTON3_4    /(docs|drive)\.google\.com\/(document|file)\//i
 
-meta                   KAM_FAKE_NORTON3        (__KAM_FAKE_NORTON3_1 + __KAM_FAKE_NORTON3_2 + __KAM_FAKE_NORTON3_3 + KAM_FAKE_NORTON3_4 + FREEMAIL_FROM >= 4)
+meta                   KAM_FAKE_NORTON3        (__KAM_FAKE_NORTON3_1 + __KAM_FAKE_NORTON3_2 + __KAM_FAKE_NORTON3_3 + __KAM_FAKE_NORTON3_4 + FREEMAIL_FROM >= 4)
 describe               KAM_FAKE_NORTON3        Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices
-score                  KAM_FAKE_NORTON3        6.0
+score                  KAM_FAKE_NORTON3        8.0
+
+#TRACKING REDIR
+uri            __KAM_TRACKING_REDIR1   /\/tracking\/clicks\?redirect\=/i
+
+meta           KAM_TRACKING_REDIR      ( __KAM_TRACKING_REDIR1 >= 1 )
+describe       KAM_TRACKING_REDIR      Tracking URI with a redirect that is a security risk
+score          KAM_TRACKING_REDIR      4.5
+
+#FAKE SAFE SENDERS LIST
+body           __KAM_FAKE_SAFESENDER1  /This sender has been verified from the.*safe senders? list/
+
+meta           KAM_FAKE_SAFESENDER     ( __KAM_FAKE_SAFESENDER1 >= 1 )
+describe       KAM_FAKE_SAFESENDER     Email shows up with a safe sender notice
+score          KAM_FAKE_SAFESENDER     1.0
+
+#CHECKFILE
+body           __KAM_CHECKFILE1        /(File|Document)\: https?\:\/\/.*\/.{2,5}\/\?/i
+
+meta           KAM_CHECKFILE           ( __KAM_CHECKFILE1 >= 1)
+describe       KAM_CHECKFILE           Likely File link abuse
+score          KAM_CHECKFILE           8.5
+
+body           __KAM_CHECKFILE2_1      /(See|View|check|check) attach(ment|ed) (document|file)/i
+
+meta           KAM_CHECKFILE2          ( T_OBFU_PDF_ATTACH + __KAM_CHECKFILE2_1 >= 2)
+score          KAM_CHECKFILE2          8.5
+describe       KAM_CHECKFILE2          Likely File Attachment scam
+
+#BAD MAILBOX RELEASE / FINANCIAL REQUEST
+uri            __KAM_CONSTANTCONTACT1  /https?\:\/\/\w\d{1,3}\.rs6\.net/i
+header         __KAM_BAD_RELEASE1      Subject =~ /held messages|financial statement.? has been shared/i
+
+meta           KAM_BAD_RELEASE         ( __KAM_EDU_FROM + __KAM_CONSTANTCONTACT1 + __KAM_BAD_RELEASE1 >= 3)
+describe       KAM_BAD_RELEASE         Likely bad link abuse
+score          KAM_BAD_RELEASE         4.5
+
+#FAKE TREZOR
+header          __KAM_FAKE_TREZOR1      from:addr !~ /\@trezor\.io/i 
+header         __KAM_FAKE_TREZOR2      from:name =~ /trezor/i  
+
+ #problem
+body           __KAM_FAKE_TREZOR3      /Ethereum merge|new device paired/i
+tflags         __KAM_FAKE_TREZOR3      nosubject
+ #urg
+body           __KAM_FAKE_TREZOR4      /as soon as possible|lost forever/i
+ #Trezor
+body           __KAM_FAKE_TREZOR5      /trezor|satoshi.?labs.?group/i
+tflags         __KAM_FAKE_TREZOR5      nosubject
+ #sub
+header         __KAM_FAKE_TREZOR6      Subject =~ /missing.?funds/i
+
+meta           KAM_FAKE_TREZOR         (__KAM_FAKE_TREZOR1 + __KAM_FAKE_TREZOR2 + __KAM_FAKE_TREZOR3 + __KAM_FAKE_TREZOR4 + __KAM_FAKE_TREZOR5 + (__KAM_FAKE_TREZOR8 + __KAM_FAKE_TREZOR6 >= 1) + __KAM_SHORT >= 7)
+describe       KAM_FAKE_TREZOR         Fake Trezor Message     
+score          KAM_FAKE_TREZOR         10.5
+
+ #confirm
+body           __KAM_FAKE_TREZOR7      /confirm it was you/i
+
+ #problem
+body            __KAM_FAKE_TREZOR8      /new (paired )?application|new device paired/i
+
+ #Trezor
+header         __KAM_FAKE_TREZOR9      Subject =~ /Trezor|Linked\!/i 
+
+meta           KAM_FAKE_TREZOR2        (__KAM_FAKE_TREZOR1 + __KAM_FAKE_TREZOR7 + __KAM_FAKE_TREZOR8 + __KAM_FAKE_TREZOR9 + KAM_SHORT >= 5)
+describe       KAM_FAKE_TREZOR2        Fake Trezor Message
+score          KAM_FAKE_TREZOR2        7.5
+
+#CRYPTODRIVE
+header         __KAM_CRYPTODRIVE1      Subject =~ /\d hours to withdraw|quickly withdraw|balance has been replenished|withdraw your \+\d|cancell?ed in \d+ hour/i
+body           __KAM_CRYPTODRIVE2      /bitcoin (earn|min)|automatic bitcoin/i
+
+meta           KAM_CRYPTODRIVE         ( __KAM_CRYPTODRIVE1 + __KAM_CRYPTODRIVE2 + FREEMAIL_FROM + __URI_GOOGLE_DRV >= 4 )
+describe       KAM_CRYPTODRIVE         Likely CryptoCurrency Scam
+score          KAM_CRYPTODRIVE         6.0
+
+#SA_POSTAL
+header         __KAM_FAKE_SA_POST1     From:addr !~ /\@postoffice\.co\.za/i
+header         __KAM_FAKE_SA_POST2     From:name =~ /South African Post Office/i
+
+meta           KAM_FAKE_SA_POST        ( __KAM_FAKE_SA_POST1 + __KAM_FAKE_SA_POST2 >= 2 )
+describe       KAM_FAKE_SA_POST        Fake Postal Notice
+score          KAM_FAKE_SA_POST        4.0
+
+#FAKE BENEFITS
+body           __KAM_FAKE_BENEFIT1     /attached/i
+body           __KAM_FAKE_BENEFIT2     /benefits? enrollment/i
+
+meta           KAM_FAKE_BENEFIT        ( __KAM_FAKE_BENEFIT1 + __KAM_FAKE_BENEFIT2 + T_HTML_ATTACH >= 3 )
+describe       KAM_FAKE_BENEFIT        Likely fake benefit email
+score          KAM_FAKE_BENEFIT        4.5
 
 #EOF
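Review bot: `KAM_FAKE_TREZOR2` sums `KAM_SHORT`, while `KAM_FAKE_TREZOR` a few lines above it sums `__KAM_SHORT`; neither is defined in this hunk, so one of the two names is probably wrong. Because the meta requires all five terms (`>= 5`), a name that does not resolve to a rule means it can never fire, which is the same class of typo this commit corrects for `__KAM_FAKE_NORTON3_4`. If the sub-rule is `__KAM_SHORT`, the expression should end `+ __KAM_FAKE_TREZOR9 + __KAM_SHORT >= 5)`. Separately, `(See|View|check|check)` in `__KAM_CHECKFILE2_1` lists `check` twice. `KAM_CHECKFILE2` and `KAM_FAKE_BENEFIT` depend on `T_`-prefixed rules, which I would expect to be renamed if they leave testing, so a short comment recording that dependency would help.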