score KAM_REAL 0.5
#REFINANCE SCAM EMAILS
+ #subj
header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
+
body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
+
body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
+
body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
-body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
+tflags __KAM_REFI4 nosubject
+
+body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements/is
+
body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
+
body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
#Also added a few more boundary checks thanks to Daniele Duca
-body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
-body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
-body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
-body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
-header __KAM_VIAGRA6E From =~ /(Viagra|Cialis)(\b|$)/i
+body __KAM_VIAGRA6A /(^|\b)V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A($|\b)/i
+body __KAM_VIAGRA6B /(^|\b)A.?M.?B.?[il1].?E.?N($|\b)/i
+body __KAM_VIAGRA6C /(^|\b)V.?A.?L.?[il1].?U.?M($|\b)/i
+body __KAM_VIAGRA6D /(^|\b)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
+header __KAM_VIAGRA6E From =~ /(Viagra|Cialis)($|\b)/i
meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA6 3.1
#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
-body __KAM_VIAGRA7A /V[ij]+AGRA/i
+body __KAM_VIAGRA7A /(^|\b)V[ij]+AGRA($|\b)/i
body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
-body __KAM_VIAGRA7D /VAL[ij]+UM/i
+body __KAM_VIAGRA7D /(^|\b)VAL[ij]+UM($|\b)/i
meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
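Review bot: The `(^|\b)` and `($|\b)` wrappers added on L28–L32, L38 and L42 are redundant: when the adjacent pattern character is a word character (`V`, `A`, `C`, `S`, `M`, `N`), `\b` already matches at the start and end of the string, so `/\bV[ij]+AGRA\b/i` behaves identically to the new `__KAM_VIAGRA7A` and reads more plainly. Worth a glance while you are here: the `.?` gaps in `__KAM_VIAGRA6A`–`6D` are bare wildcards, so `\b` before `V` will not match an obfuscation that begins with an underscore (`_V_I_A_G_R_A`), since `_` is a word character; if that variant matters, `(?<![a-z0-9])` is the boundary that still allows it. `__KAM_VIAGRA6E` gained only a trailing boundary, so a leading one (`\b(Viagra|Cialis)\b`) would make it symmetric with the body rules.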
score KAM_GEO_STRING2 4.7
#KAM GOOGLE SPAM
-uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.{0,5}\/url\?q=/i
+uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\..{2,6}\/(?:url\?q=|amp\/s\/)/i
-meta KAM_GOOGLE_REDIR __KAM_GOOGLE_REDIR
+header __GB_FROM_GCAL0 From:addr =~ /calendar\-notification\@google\.com/
+uri __GB_FROM_GCAL1 /mailto\:calendar\-notification\@google\.com/
+meta KAM_GOOGLE_REDIR ( __KAM_GOOGLE_REDIR && !__GB_FROM_GCAL0 && !__GB_FROM_GCAL1 )
+# meta KAM_GOOGLE_REDIR __KAM_GOOGLE_REDIR
describe KAM_GOOGLE_REDIR Use of Google redir
score KAM_GOOGLE_REDIR 1.5
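Review bot: The calendar exemption on L50–L52 is satisfiable by the sender: `__GB_FROM_GCAL0` matches the unauthenticated From header (and is unanchored, so `calendar-notification@google.com.attacker.example` also passes), and `__GB_FROM_GCAL1` is a body `mailto:` link that anyone can paste in, so either one suppresses `KAM_GOOGLE_REDIR` on a spam using the `google.*/url?q=` or `amp/s/` redirect. Anchor the address with `From:addr =~ /calendar\-notification\@google\.com$/` and, if the DKIM plugin is enabled in this deployment, require alignment for the exemption, e.g. `meta KAM_GOOGLE_REDIR ( __KAM_GOOGLE_REDIR && !(__GB_FROM_GCAL0 && DKIM_VALID_AU) )`, dropping the mailto-based bypass entirely. The score is only 1.5, so the exposure is small, but the allowlist should at least state in a comment that it is spoofable if it is kept as-is.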
describe KAM_PAGE Page.TL likely spam (Nov 2011)
score KAM_PAGE 2.0
-# .html link stored on S3
-uri GB_S3_HTM /^https?:\/\/s3\.amazonaws\.com\/.{3,128}\.html?/i
-describe GB_S3_HTM .html link stored on AWS S3
-score GB_S3_HTM 4.5
-
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/
uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i
uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:(?<!blocker)email=|audit\#|wapp\#)%{GB_TO_ADDR};i
+ uri __GB_ASWTRACK_URI m;^https?://.{10,20}\.awstrack\.me/L\d+/\=https?://.{4,64}\#%{GB_TO_ADDR};i
uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
- meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
+ meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI || __GB_ASWTRACK_URI )
describe GB_CUSTOM_HTM_URI Custom html uri
score GB_CUSTOM_HTM_URI 1.500
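Review bot: The new rule on L69 is named `__GB_ASWTRACK_URI` while the host it matches is `awstrack.me`; rename it `__GB_AWSTRACK_URI` (and in the meta on L72) before the typo spreads to other files. Separately, every one of these capture rules interpolates `%{GB_TO_ADDR}` — the raw To address from L65 — into a regex; unless this SpamAssassin version quotemeta's captured tags (check the capture-rule section of Conf.pm), a plus-addressed recipient such as `user+tag@example.com` turns `r+` into a quantifier and silently stops the rule from matching, and a `.` in the local part becomes a wildcard. If the engine does not escape, capture with a class that excludes metacharacters, e.g. `header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>[a-z0-9._=@-]+)/i`, or document the limitation next to L65.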
uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|press|pw|quest|rest|sbs|shop|stream|top|trade|wiki|work|xyz)($|\/|\:)/i
#FPs
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)(input|td)\.date|de[b|l]\.date|div\.top($|\/)|\/smart\.link|\.emailprotection\.link\//i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)(input|td|lev)\.date|de[b|l]\.date|div\.top($|\/)|\/smart\.link|\.emailprotection\.link\/|\.goat\.com\/|\/square\.link\//i
body __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF /\.date ?\{/i
-meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE))
+meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE >= 1))
describe KAM_SOMETLD_ARE_BAD_TLD .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .monster, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .wiki, .work, .xyz TLD abuse
score KAM_SOMETLD_ARE_BAD_TLD 5.0
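Review bot: `__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE` on L78 is a message-level exemption: per the meta on L81, a single URI anywhere in the message that matches any alternative (now including `\.goat\.com\/` and `\/square\.link\/`) switches off this 5.0-point rule for every other link in the message, so a spammer only has to add one harmless `https://x.goat.com/` link next to their `.top` or `.xyz` URL. Keep the negative list narrow and host-anchored (`^https?://[^/]*\.goat\.com/`) and consider whether the real fix is a per-URI negative lookahead inside `__KAM_SOMETLD_ARE_BAD_TLD_URI` instead. Also, `de[b|l]\.date` has a literal pipe inside the character class and so also matches `de|.date`; it should read `de[bl]\.date`.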
header KAM_NOTLS X-Raptor-TLS =~ /False/
describe KAM_NOTLS Mail has been sent using an unsecure connection
score KAM_NOTLS 0.001
+ subjprefix KAM_NOTLS [NoTLS]
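Review bot: `KAM_NOTLS` on L84 trusts any `X-Raptor-TLS` header present in the message, and with the new `[NoTLS]` subject prefix that trust now has a user-visible effect: unless the receiving MTA strips inbound copies of this header before filtering, a remote sender can force the tag onto a TLS-delivered message (or carry a stale value through forwarding). Tighten the match to `header KAM_NOTLS X-Raptor-TLS =~ /^False$/` and add a comment above it such as `# X-Raptor-TLS must be set by the local filter only; strip it from inbound mail at the MTA`. It is inferred from the name that the header is locally generated, so confirm against the Raptor side.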
#CUSTOM SCORES THAT KAM LIKES
#score SARE_GIF_ATTACH 3.0
describe KAM_INVALID_FROM From header missing host portion
score KAM_INVALID_FROM 6.0
+ score FROM_IN_TO_AND_SUBJ 0
+
#RAPTOR ALTERED EMAILS
#body __KAM_RAPTOR1 /altered by our Raptor filters/i
#header __KAM_RAPTOR2 X-Raptor-Alter =~ /True/
body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
body __KAM_FDA3 /FDA Recall/i
-meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
+meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3 >= 3)
describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
score KAM_FDA 0.5
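Review bot: Changing the meta on L100 to `>= 3` now requires all three subrules to hit, including both the supplement disclaimer (`__KAM_FDA2`) and the `FDA Recall` phrase (`__KAM_FDA3`), which rarely appear in the same message, so the rule will effectively stop firing; the description on L101 still says "warning or recall warning". The old form `(__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)` was true on any hit. If the goal was to cut false positives at 0.5 points, `>= 2` is the intermediate step; `__KAM_FDA1` is defined outside this hunk, so check what it matches before choosing the threshold.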
#STUPID PICTURE SPAMS
body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
-body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
-body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
-body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
+body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady|(female|girl born) in Russia)/is
+body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP|corking male|uncomparable mister/is
+body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|(reply to|will send) you my picture|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics|e.?mail to me at/is
body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
+body __KAM_PIC6 /where (are|r) (you|u) live/i
describe KAM_PIC Share Pictures and Chat SPAM
-score KAM_PIC 3.5
-meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)
+score KAM_PIC 6.0
+meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PIC6 + __KAM_PRIV3 >= 4)
#STUPID MAILING LIST SPAMS
body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
score KAM_BADPDF 2.5
- header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
+ header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
score KAM_BADPDF1 2.5
- meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
+ meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
#2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
describe KAM_BADPO2 Bad Purchase Orders
score KAM_BADPO2 5.0
-meta KAM_BADPDF (__KAM_BADPO2 >= 1)
-describe KAM_BADPDF Likely Fake PDF
-score KAM_BADPDF 3.0
+meta KAM_BADPDF3 (__KAM_BADPO2 >= 1)
+describe KAM_BADPDF3 Likely Fake PDF
+score KAM_BADPDF3 3.0
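Review bot: The rename fixes the clash between `header KAM_BADPDF` on L123 and the old `meta KAM_BADPDF`, but `KAM_BADPDF3` on L135 is defined purely as `(__KAM_BADPO2 >= 1)`, and L130–L131 show a separately scored `KAM_BADPO2` at 5.0. If `KAM_BADPO2` is itself built on `__KAM_BADPO2` (its definition is not in this hunk), the same detection is worth 8.0 across the two rules; if it is not, confirm that `__KAM_BADPO2` actually exists, since a meta referencing an undefined subrule is a lint warning. Either way the describe "Likely Fake PDF" does not say what distinguishes this rule from `KAM_BADPO2`, so a one-line comment above L135 stating the relationship would help the next editor.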
#PDFCOUNT
score KAM_THEBAT 1.9
#MAILER BUGS
-body __KAM_MAILER1 /{!firstname_fix}/i
+body __KAM_MAILER1 /\{\!firstname_fix\}/i
+body __KAM_MAILER2 /Dear \[Recipient\]/i
-meta KAM_MAILER (__KAM_MAILER1 >= 1)
+meta KAM_MAILER ( __KAM_MAILER1 + __KAM_MAILER2 >= 1 )
score KAM_MAILER 2.0
describe KAM_MAILER Automated Mailer Tag Left in Email
#Right vs Left
header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
-header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
+header __KAM_POLITICS3 Received =~ /\.politicalsystems\.net|republican\.com|democrat\.com|inboxfirst\.com/i
header __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i
meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
-score KAM_POLITICS 4.5
+score KAM_POLITICS 3.75
describe KAM_POLITICS Political E-Mails
#SPAMMING COMPANIES
body SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')
describe SEM_FRESHZERO Contains a domain never seen before
tflags SEM_FRESHZERO net
- score SEM_FRESHZERO 2.5
+ score SEM_FRESHZERO 1.25
# SEM-FRESH
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
- score SEM_FRESH 2.0
+ score SEM_FRESH 1.0
# SEM-FRESH10
urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2
body SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')
describe SEM_FRESH10 Contains a domain registered less than 10 days ago
tflags SEM_FRESH10 net
- score SEM_FRESH10 1.5
+ score SEM_FRESH10 0.75
meta KAM_SEMFRESH (SEM_FRESHZERO || SEM_FRESH || SEM_FRESH10 )
describe KAM_SEMFRESH Contains a domain recently registered
if (version >= 3.003000)
#HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
- util_rb_2tld ning.com
- util_rb_2tld mygbiz.com
- util_rb_2tld web.com
- util_rb_2tld onmicrosoft.com
- util_rb_2tld online.de
- util_rb_2tld wix.com
- util_rb_2tld netdna-cdn.com
- util_rb_2tld dreamhost.com
- util_rb_2tld noip.us
- util_rb_2tld mmsend.com
+ util_rb_2tld a2hosted.com
+ util_rb_2tld amplifyapp.com
+ util_rb_2tld app.link
+ util_rb_2tld armenia.su
+ util_rb_2tld ashgabad.su
+ util_rb_2tld awsapps.com
+ util_rb_2tld azurewebsites.net
+ util_rb_2tld benchmarkurl.com
+ util_rb_2tld benchurl.com
+ util_rb_2tld bmecurl.co
+ util_rb_2tld boxmode.io
+ util_rb_2tld campaign-view.com
+ util_rb_2tld caspio.com
+ util_rb_2tld cfolks.pl
+ util_rb_2tld codeanyapp.com
+ util_rb_2tld codesandbox.io
+ util_rb_2tld co.in
util_rb_2tld cu-portland.edu
- util_rb_2tld jimdo.com
util_rb_2tld doesphotography.com
- util_rb_2tld isteaching.com
+ util_rb_2tld dreamhost.com
+ util_rb_2tld dreamhosters.com
+ util_rb_2tld east-kazakhstan.su
+ util_rb_2tld exnet.su
+ util_rb_2tld fameup.net
+ util_rb_2tld fere.top
+ util_rb_2tld firebaseapp.com
+ util_rb_2tld free.hr
+ util_rb_2tld georgia.su
+ util_rb_2tld glitch.me
+ util_rb_2tld glueup.com
util_rb_2tld googleapis.com
- util_rb_2tld a2hosted.com
- util_rb_2tld netlify.app
+ util_rb_2tld gr8.com
+ util_rb_2tld great-site.net
+ util_rb_2tld herokuapp.com
+ util_rb_2tld hubspot-inbox.com
+ util_rb_2tld in.net
+ util_rb_2tld isteaching.com
+ util_rb_2tld jimdo.com
+ util_rb_2tld kalmykia.su
util_rb_2tld kriya.ai
- util_rb_2tld usekalendarai.com
- util_rb_2tld trykalendarai.com
- util_rb_2tld outrch.com
- util_rb_2tld campaign-view.com
- util_rb_2tld fameup.net
+ util_rb_2tld lovestoblog.com
+ util_rb_2tld mangyshlak.su
+ util_rb_2tld mjt.lu
+ util_rb_2tld mmsend.com
util_rb_2tld msgfocus.com
- util_rb_2tld herokuapp.com
- util_rb_2tld boxmode.io
- util_rb_2tld amplifyapp.com
- util_rb_2tld azurewebsites.net
+ util_rb_2tld myclickfunnels.com
+ util_rb_2tld mygbiz.com
+ util_rb_2tld myshopify.com
+ util_rb_2tld netdna-cdn.com
+ util_rb_2tld netlify.app
+ util_rb_2tld ning.com
+ util_rb_2tld noip.us
+ util_rb_2tld north-kazakhstan.su
+ util_rb_2tld nov.su
+ util_rb_2tld onelink.me
+ util_rb_2tld online.de
+ util_rb_2tld onmicrosoft.com
+ util_rb_2tld outrch.com
+ util_rb_2tld pages.dev
+ util_rb_2tld plan-net.technology
+ util_rb_2tld qualtrics.com
+ util_rb_2tld radio.am
+ util_rb_2tld ru.com
+ util_rb_2tld sa.com
+ util_rb_2tld sendpul.se
+ util_rb_2tld sentieo.com
+ util_rb_2tld tashkent.su
+ util_rb_2tld tempurl.host
+ util_rb_2tld trykalendarai.com
+ util_rb_2tld tumblr.com
+ util_rb_2tld usekalendarai.com
+ util_rb_2tld vercel.app
+ util_rb_2tld web.com
+ util_rb_2tld webflow.io
+ util_rb_2tld wix.com
util_rb_2tld wixsite.com
util_rb_2tld workers.dev
- util_rb_2tld in.net
- util_rb_2tld ru.com
+ util_rb_2tld wpenginepowered.com
+ util_rb_2tld wufoo.com
util_rb_2tld za.com
- util_rb_2tld sa.com
- util_rb_2tld hubspot-inbox.com
+ util_rb_2tld zendesk.com
util_rb_3tld en.alibaba.com
- util_rb_2tld co.in
- util_rb_2tld firebaseapp.com
- util_rb_2tld awsapps.com
- util_rb_2tld app.link
- util_rb_2tld glueup.com
- util_rb_2tld radio.am
- util_rb_2tld wufoo.com
- util_rb_2tld webflow.io
- util_rb_2tld plan-net.technology
- util_rb_2tld glitch.me
- util_rb_2tld gr8.com
- util_rb_2tld benchmarkurl.com
- util_rb_2tld caspio.com
+ util_rb_3tld fr-par-1.linodeobjects.com
+ util_rb_3tld hosted.phplist.com
util_rb_3tld lt.acemlnc.com
- util_rb_2tld wpenginepowered.com
- util_rb_2tld tumblr.com
- util_rb_2tld codesandbox.io
+ util_rb_3tld mkt.dynamics.co
+ util_rb_3tld on.fleek.co
+ util_rb_3tld qiye.163.com
+ util_rb_3tld us-east-1.linodeobjects.com
+ util_rb_3tld us-iad-1.linodeobjects.com
endif
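Review bot: Several of the added `util_rb_2tld` entries (`app.link` on L194, `onelink.me` on L259, `mjt.lu` on L243) are redirect or deep-link services rather than hosting platforms, and treating them as registrar boundaries means URIBL queries are sent for `tenant.app.link` instead of `app.link`, so a listing of the service itself will no longer hit. That may be intended, but it is worth a comment next to those lines, and if the DecodeShortURLs plugin is loaded here they are candidates for `url_shortener` so the final destination gets looked up. The sort order makes the list easier to maintain, but `cu-portland.edu` (L209) and `doesphotography.com` (L211) are now out of alphabetical position among the additions.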
# allow URI rules to look at DKIM headers if they exist and our SA version supports it
parse_dkim_uris 1
endif
+ # Check mailto links on rbl
+ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
+ if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_uridnsbl_skip_mailto)
+ uridnsbl_skip_mailto 0
+ endif
+ endif
#LAUNCH PCCC WILD RBL
+
+ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
+ # match on any Wild rbl rule excluding Marketing rbl
+ meta __KAM_WILD_PCCC ( KAM_BODY_URIBL_PCCC || KAM_FROM_URIBL_PCCC || KAM_BODY_COMPROMISED_URIBL_PCCC || KAM_FROM_COMPROMISED_URIBL_PCCC || KAM_MESSAGE_HASHBL_FREEMAIL || PCCC_HDR_REPLYTO || PCCC_SENDER_COMPROMISED || PCCC_RECEIVED_HDR_COMPROMISED || PCCC_FROM_BAD_NS || PCCC_HASHBL_FREEMAIL || PCCC_HASHBL_EMAIL || PCCC_HASHBL_SHORT_URI || GB_PHONE_RBL || GB_PHONE_RBL_RAW )
+ endif
+
#BAD URI IN BODY
urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. A 127.0.0.4
body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC')
endif
#FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES
-header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|icloud|yahoo)\.com/i
-header __GB_FREEMAIL_NUMN0 From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|icloud|yahoo)\.com/i
-header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|icloud|yahoo)\.com/i
-header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|icloud|yahoo)\.com/i
-meta GB_FREEMAIL_NUM ( ( __GB_FREEMAIL_NUM0 && ! __GB_FREEMAIL_NUMN0 ) || __GB_FREEMAIL_NUM1 || __GB_FREEMAIL_NUM2 )
-describe GB_FREEMAIL_NUM Freemail spammy address
-score GB_FREEMAIL_NUM 1.0
-
-header __GB_FREEMAIL_GMAIL From:addr =~ /\@gmail\.com/i
-meta GB_GMAIL_NUM ( GB_FREEMAIL_NUM && __GB_FREEMAIL_GMAIL && ( KAM_DMARC_NONE || KAM_DMARC_QUARANTINE ) )
-describe GB_GMAIL_NUM Spam from random Gmail address
-score GB_GMAIL_NUM 2.0
-
-rawbody __GB_COLORTEXT /font\-family\:.{1,40};color\:/
-meta GB_FREEMAIL_TEXTCOLOR ( GB_FREEMAIL_NUM && __GB_COLORTEXT )
-describe GB_FREEMAIL_TEXTCOLOR Colored text spam from Freemail addresses
-score GB_FREEMAIL_TEXTCOLOR 1.5
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|icloud|yahoo)\.com/i
+ header __GB_FREEMAIL_NUMN0 From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|icloud|yahoo)\.com/i
+ header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|icloud|yahoo)\.com/i
+ header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|icloud|yahoo)\.com/i
+ meta GB_FREEMAIL_NUM ( ( __GB_FREEMAIL_NUM0 && ! __GB_FREEMAIL_NUMN0 ) || __GB_FREEMAIL_NUM1 || __GB_FREEMAIL_NUM2 )
+ describe GB_FREEMAIL_NUM Freemail spammy address
+ score GB_FREEMAIL_NUM 1.0
+
+ header __GB_FREEMAIL_GMAIL From:addr =~ /\@gmail\.com/i
+ meta GB_GMAIL_NUM ( GB_FREEMAIL_NUM && __GB_FREEMAIL_GMAIL && ( KAM_DMARC_NONE || KAM_DMARC_QUARANTINE ) )
+ describe GB_GMAIL_NUM Spam from random Gmail address
+ score GB_GMAIL_NUM 2.0
+
+ header __GB_FROM_CONSONANTS From =~ /^[^aeiou0-9]{8,24}@/i
+ meta GB_FROM_CONSONANTS ( __GB_FROM_CONSONANTS && FREEMAIL_FROM )
+ describe GB_FROM_CONSONANTS From: localpart with only consonants and freemail domain
+ score GB_FROM_CONSONANTS 1.0
+
+ rawbody __GB_COLORTEXT /font\-family\:.{1,64};color\:/
+ meta GB_FREEMAIL_TEXTCOLOR ( GB_FREEMAIL_NUM && __GB_COLORTEXT && __KAM_BODY_LENGTH_LT_1024 )
+ describe GB_FREEMAIL_TEXTCOLOR Colored text spam from Freemail addresses
+ score GB_FREEMAIL_TEXTCOLOR 1.5
+endif
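Review bot: `__GB_FROM_CONSONANTS` on L368 tests the full `From` header rather than the address, so `^[^aeiou0-9]{8,24}@` runs over the display name, quotes, spaces and `<` before the local part: `"Bn Smth" <x@gmail.com>` matches (twelve non-vowel characters then `@`) even though the local part is one letter, while `Bob <xqxqxqxqxq@gmail.com>` fails at the `o`. Use the address component, `header __GB_FROM_CONSONANTS From:addr =~ /^[^aeiou0-9]{8,24}@/i`, so the check applies to the local part the description on L370 promises. Wrapping the block in `ifplugin Mail::SpamAssassin::Plugin::FreeMail` is the right guard for the `FREEMAIL_FROM` reference on L369.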
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
describe KAM_GRASS Spammers hawking lawn products
#PED EGG / BELISI / SKIN PRODUCTS
-header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
+header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth/i
header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i
#SEARCH ENGINE SPAM
#Subj
-header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO|web design|on page 1|top rank|info & cost/i
+header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO|web design|on page 1|top rank|info & cost|seo$|\(SEO\)/i
#what specific
body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing (manager|strateg)/i
tflags __KAM_SEARCH2 nosubject
#ranking
-body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|\(India\)|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO|rank on page (1|one)|top page ranking|white.?hat SEO/i
+body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|\(India\)|surfing|not.ranking.on|(?:top in|page \d\-\d of) Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO|rank on page (1|one)|top page ranking|white.?hat SEO/i
tflags __KAM_SEARCH3 nosubject
#how
-body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you (our past work|quote)|website audit|seo (package|campaign)|package for \d+ keyword/i
+body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you (our past work|quote)|website audit|seo (package|campaign)|package for \d+ keyword|website\'s high rank/i
#who
rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|(marketing|sales) manager/i
describe KAM_SEARCH Spammers hawking SEO
#SEO
-header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|rank|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website|getting online sales/i
+header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (solution|rank|portfolio|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website|getting online sales|send you quot|1st page on google/i
#what we give you
-body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report|higher search rank|top \d+ search engine rank/i
+body __KAM_SEO2 /(?:top|(1st|first) page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report|higher search rank|top \d+ search engine rank|top rank(ings?)? (on|in) Google|free audit report|new clients every day/i
tflags __KAM_SEO2 nosubject
#what we do/fix
-body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website|increase your organic traffic/i
+body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website|increase your organic traffic|targeted keywords on page|your website rank/i
#SEO
body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
#costs
-body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|(plan of action|proposal) for your website/i
+body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|price.?list|completely free|No upfront fees|free trial|(plan of action|proposal) for your website/i
#SEO Indicators
body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing|panda.?safe|digital marketing/i
# LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
score KAM_SEO 7.0
describe KAM_SEO Spammers hawking SEO
+meta KAM_SEO2 ( __KAM_SEO2 + !__KAM_SEO7 + FREEMAIL_FROM >= 3 )
+describe KAM_SEO2 Spammers hawking SEO
+score KAM_SEO2 4.5
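Review bot: The meta on L423 adds three terms and requires `>= 3`, so all of them must be true; writing it as `meta KAM_SEO2 ( __KAM_SEO2 && !__KAM_SEO7 && FREEMAIL_FROM )` says that directly and avoids relying on `!` yielding a number in an arithmetic expression. `__KAM_SEO7` is not defined in this hunk; from the comment on L420 it appears to be the "has a URL" subrule, so a comment naming that intent would help. `KAM_SEO2` also reuses the `KAM_SEO` description verbatim and, if `KAM_SEO` (7.0) already incorporates `__KAM_SEO2`, the two can stack to 11.5 on one message; consider `&& !KAM_SEO` or a distinct describe.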
+
#ABUSED FREEMAIL ACCOUNTS
#header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
#header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images
#UPS
-header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
+header __KAM_UPS1 Subject =~ /UPS Delivery problem|UPS Rewards/i
header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
-body __KAM_UPS3 /invoice copy attached/i
+body __KAM_UPS3 /invoice copy attached|\d in UPS Rewards/i
meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score KAM_UPS 6.0
-describe KAM_UPS UPS doesn't send invoices with delivery problem notes
+describe KAM_UPS Fake UPS Notice, e.g. UPS doesn't send invoices with delivery problem notes
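Review bot: The new `UPS Rewards` branch on L433 and L436 still depends on `__KAM_UPS2` on L434, which tests the full `From` header with `!~ /\@ups\.com[ |>]/i`: a display name such as `"x@ups.com " <evil@attacker.example>` contains `@ups.com ` and so defeats the negation, letting a forged notice skip the rule. Check the address component instead, `header __KAM_UPS2 From:addr !~ /\@ups\.com$/i`. The `|` inside `[ |>]` is a literal pipe, not alternation, which is a further reason to drop that class.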
#Free Calls
header __KAM_SKYPE1 Subject =~ /Free Calls/i
body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
-body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
+body __KAM_DRUG2_6 /\b(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
#ISSUE
- body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving|your inbox)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired|deleted after \d+ hour|expires in less than \d+h|risk of being locked out/i
+ body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving|your inbox)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (some|e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired|deleted after \d+ hour|expires in less than \d+h|risk of being locked out|e\-?mail service deletion request|password for .{10,60} expire|password is set to expire/i
tflags __KAM_MAILBOX1 nosubject
#ACTION
- body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick 
re-?validation|cancel the request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file|view and accept messages|keep my access/i
+ body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick 
re-?validation|cancel the request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate.{1,35} account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file|view and accept messages|keep my access|re-?active current pass|call support helpline|attend to our notice|clear up space setting/i
tflags __KAM_MAILBOX2 nosubject
#SUBJECT
- header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account|Alert\!\!|do not ignore this notification|trying to contact you/i
+ header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account|Alert\!\!|do not ignore this notification|trying to contact you|validation notic|pass(word|wrod) expire|email configuration|e\-?mail service deletion|cpanel notification|password for .{10,60} expire/i
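Review bot: `email configuration` and `cpanel notification` are subject phrases that plausibly occur in routine hosting and IT mail, which makes them the loosest of the new alternatives here; dropping the bare `validat` in favour of `validation notic` shows the same over-breadth is already being pruned. They only score through the KAM_MAILBOX metas, which need further indicators, but with KAM_MAILBOX2 moving to 5.5 at the score lines below, a hit now clears the stock 5.0 threshold by itself, so the sub-rules' precision matters more than it did at 4.5. Consider tightening both to the wording actually seen in the phish, or excluding the legitimate forms the way `__KAM_MAILBOX3FP` already exempts plain `verification`. The `pass(word|wrod)` alternative deliberately keeps a misspelling; a comment such as `# 'wrod' is a recurring spammer typo, keep` would stop a later cleanup from correcting it.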
#NON OBFUSCATED VARIANT NOT A SPAM INDICATOR
header __KAM_MAILBOX3FP Subject =~ /verification/i
uri __KAM_WPADMIN /\/wp-admin\//i
meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH + __KAM_WPADMIN) >= 2
- score KAM_MAILBOX 7.75
+ score KAM_MAILBOX 8.75
describe KAM_MAILBOX Mailbox Quota Phishing Scams
meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) + KAM_SHORT >= 3) && !KAM_MAILBOX
- score KAM_MAILBOX2 4.5
+ score KAM_MAILBOX2 5.5
describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
meta KAM_MAILBOX3 (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
describe KAM_MAILBOX3 Enhanced Scoring for Mailbox Quota Phishing
- score KAM_MAILBOX3 3.75
+ score KAM_MAILBOX3 4.75
endif
meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
#CO.UK
header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
-score KAM_COUK 0.3
+score KAM_COUK 0.15
#FAKE FACEBOOKMAIL
#REAL FB DOMAIN
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
ifplugin Mail::SpamAssassin::Plugin::DKIM
- header __KAM_TRUNCATE exists:X-Raptor-Truncate
- meta DKIM_FAILED_TRUNCATE ( DKIM_INVALID && __KAM_TRUNCATE )
- describe DKIM_FAILED_TRUNCATE DKIM invalid but message truncated by Raptor
- score DKIM_FAILED_TRUNCATE -0.1
- tflags DKIM_FAILED_TRUNCATE nice
+ header __KAM_TRUNCATE exists:X-Raptor-Truncate
+ meta DKIM_FAILED_TRUNCATE ( DKIM_INVALID && __KAM_TRUNCATE )
+ describe DKIM_FAILED_TRUNCATE DKIM invalid but message truncated by Raptor
+ score DKIM_FAILED_TRUNCATE -0.1
+ tflags DKIM_FAILED_TRUNCATE nice
+
+ meta EMPTY_FAILED_TRUNCATE ( DKIM_FAILED_TRUNCATE && EMPTY_MESSAGE )
+ describe EMPTY_FAILED_TRUNCATE Empty message FP
+ score EMPTY_FAILED_TRUNCATE -2.3
+ tflags EMPTY_FAILED_TRUNCATE nice
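Review bot: `describe EMPTY_FAILED_TRUNCATE Empty message FP` does not say what the -2.3 is compensating for; presumably it is meant to cancel EMPTY_MESSAGE's stock score when Raptor truncation, not the sender, emptied the body, and writing that down keeps the two scores in step, e.g. `describe EMPTY_FAILED_TRUNCATE Body emptied by Raptor truncation; offsets EMPTY_MESSAGE`. A `# keep equal and opposite to EMPTY_MESSAGE's score` comment beside the score line would serve the same purpose. The rest of the hunk only re-indents the existing DKIM_FAILED_TRUNCATE lines.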
endif
endif
score KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
+# HUGE SUBJECT
header KAM_HUGESUBJECT Subject =~ /^.{500}/
score KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
- body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera/i
+ body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera|device was infected|i recorded you/i
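Review bot: `(videotape|evidence|evidence)` in the second alternative lists `evidence` twice, which is harmless to matching but reads like a paste slip and costs a little on every body scan; `(videotape|evidence)` is equivalent. The two additions at the end, `device was infected|i recorded you`, fit the existing sextortion vocabulary.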
#Bitcoin / Etc.
- body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin|shoprite|instant money/i
+ body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b)|(remove|manually) all spaces|contains spaces|Litecoin|shoprite|instant money/i
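Review bot: The new address patterns reproduce the Base58 and bech32 alphabets carefully — `[a-km-zA-HJ-NP-Z1-9]` leaves out `0`, `O`, `I` and `l`, and `bc1[acdefghjklmnpqrstuvwxyz234567890]` leaves out `b`, `i`, `o` and `1` — but the rule's trailing `/i` makes every class match both cases, so `l` matches via `L`, `I` via `i` and `O` via `o`, and the exclusions are silently lost. Any 26–35 character alphanumeric token beginning with `1` or `3` that avoids `0` then matches. Perl allows switching the flag off for one group, so wrapping the address alternatives as `(?-i:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})` keeps the strict alphabets while the rest of the rule stays case-insensitive. The `(?<!=)` lookbehind presumably guards against quoted-printable and URL-parameter runs; a one-line comment saying so would help the next reader.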
#Payment
- body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin/i
+ body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin|buy bitcoin \(BTC\) here/i
#Sexually explicit
- body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult/i
+ body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult|spy on you over your cam|pleasuring yourself/i
#TIME
- body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts/i
+ body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts|not more than \d+ days?|\d hours to make a pay/i
#Subject
- header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know/i
+ header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know|check the information/i
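Review bot: `check the information` is a phrase that appears in ordinary business subjects, which makes it the loosest alternative in `__KAM_CRIM6` by some margin; the other additions in this commit (`device was infected`, `i recorded you`, `spy on you over your cam`) carry the extortion context in themselves. __KAM_CRIM6 only scores through a meta outside this view, so the real impact depends on how many __KAM_CRIM sub-rules that meta requires; if the bar is low, tying the phrase to the rest of the sextortion wording rather than matching it alone would be safer. At minimum a comment recording the campaign it was added for would let a later reviewer judge when to retire it.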
header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i
#trusted_networks 38.124.232.0/24
# CONTACTS / LISTS
-header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details/i
+header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details|professional industry clients/i
#title
body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) gen|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|(leads|business development|BD|Biz.?Dev) manager|cd services|data intelligence specialist/i
tflags __KAM_LIST3_2 nosubject
#db for sale
-body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list/i
+body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list|verified direct contact numbers/i
tflags __KAM_LIST3_3 nosubject
#db what
header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_HDR_EMAIL net
- score PCCC_HASHBL_HDR_EMAIL 0.5
+ score PCCC_HASHBL_HDR_EMAIL 3.5
priority PCCC_HASHBL_HDR_EMAIL -100
# Short URL in PCCC HashBL found
#Google Storage APIs
uri KAM_STORAGE_GOOGLE /storage.googleapis.com|\.web.app\//i
describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
-score KAM_STORAGE_GOOGLE 2.25
+score KAM_STORAGE_GOOGLE 1.70
uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i
describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud
replace_rules __KAM_BENEFICIARY2
header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|\bcc\b|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i
-#what
-body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
+#what
+ #removed fund(\b|$) on 1/12
+body __KAM_BENEFICIARY2 /consignment|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
tflags __KAM_BENEFICIARY2 nosubject
#bus
body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country|abandoned shipment/i
#bus fp
-body __KAM_BENEFICIARY3A /ELECTRONIC TICKET RECeipt/i
+body __KAM_BENEFICIARY3A /(e\-|ELECTRONIC )TICKET RECeipt/i
#where
body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
#WEB
#subject
-header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress/i
+header __KAM_WEB2_1 Subject =~ /follow|next step|web(site)? (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress|inquiry web.?site|prices|developing mobile innovation|new web/i
- #price - purposefully looks at subject too
-body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)/i
+ #price or person - purposefully looks at subject too
+body __KAM_WEB2_2 /(inexpensive|affordable) (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)|i am a professional|team of experts/i
#product
-body __KAM_WEB2_3 /web (design|develop)|(better|new|refreshed) website|website audit|fresh look/i
+body __KAM_WEB2_3 /web(site)? (design|develop)|(better|new|refreshed) website|website audit|fresh look|redesign your website|mobile application devel|redesign your existing web/i
tflags __KAM_WEB2_3 nosubject
#sample/offer
-body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements/i
+body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements|anything you can imagine|send you a quote|share a few example|you'?re? requirement/i
tflags __KAM_WEB2_4 nosubject
meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
body __KAM_INVEST4 /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|non.?european|your country|outside UAE/i
tflags __KAM_INVEST4 nosubject
-meta KAM_INVEST (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
+meta KAM_INVEST ( (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4) && !EXTRACTTEXT )
describe KAM_INVEST Investment Scams
score KAM_INVEST 6.0
score KAM_CELEB 4.5
#additional Freemail domains
-freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com windstream.net list.ru docomo.ne.jp terra.com.br interia.pl
+freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com windstream.net list.ru docomo.ne.jp terra.com.br interia.pl currently.com
#BEAL AND SIMILAR IMPERSONATOR
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
- replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee)
+ replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee|Janet Smith|Christian Gardner|Calvin Johnson|rick cole)
replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3
body __KAM_BEAL3 /<KAM_BEAL_NAMES>/i
body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+)<KAM_BEAL_NAMES>/i
# Task
- body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|drop) your (phone )?number|(reply me with|confirm|drop|need) your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|confirm your mobile/i
+ body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|have|drop) your (phone )?number|(reply me with|confirm|drop|need|attach) your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|can you get (?:this\s)?paid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|(include|confirm) your mobile|Task\!|CONFERENCE MEETING|cartes\-cadeaux|talk a little via email|surprise gift|account balances|in the office today|just respond to my email|send a cell number|aging report|complete an outstanding request/i
# question / privacy
- body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt reply|laryngitis|as soon as you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done/i
+ body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt reply|laryngitis|(let me know when|as soon as) you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done|give me a number|comme une surprise|no call, just write|ruin this surprise|currently in session|assistance with an assignment|where we stand with cash|help is needed with an assignment|secretly handle|calls are off.?limit|number I can contact you|it\'s now overdue|can you handle|(send|give) me your personal (cell|num)|email back regarding|executive meeting currently|engaged in a virtual meeting/i
# oddlang
- body __KAM_BEAL6 /sent from my mail|depuis mon smartphone/i
+ body __KAM_BEAL6 /sent from my ?mail|depuis mon smartphone|\- Forwarded Message \-/i
meta KAM_BEAL (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 3) && !EXTRACTTEXT
describe KAM_BEAL IMPOSTER! Will the real Slim Shady, please stand up?
subjprefix KAM_BEAL [Imposter]
endif
- meta KAM_BEAL2 (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 2) && (KAM_BEAL <= 0) && !EXTRACTTEXT
+ meta KAM_BEAL2 (__KAM_BEAL1 >= 1) && (__KAM_BEAL3 >= 1 && ! __KAM_NOT_BEAL3) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 2) && (KAM_BEAL <= 0) && !EXTRACTTEXT
describe KAM_BEAL2 IMPOSTER! Will the real Slim Shady, please stand up?
score KAM_BEAL2 12.0
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
score KAM_VERIZON 9.5
#Docusign SCAM
-header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service|docusign document/i
+header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service|docusign document|please_complete_document/i
header __KAM_DOCUSIGN2 From:name =~ /docusign/i
header __KAM_DOCUSIGN3 From:addr !~ /docusign/i
-uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com|onedrive\.live\.com/i
+uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com|onedrive\.live\.com|\.linodeobjects\.com/i
+
+body __KAM_DOCUSIGN5A /scan the QR Code/i
+body __KAM_DOCUSIGN5B /secure link to docusign/i
meta KAM_DOCUSIGN ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
describe KAM_DOCUSIGN Fake Document Signature account notices
describe KAM_DOCUSIGN_LOW Lower score Fake Document Signature Account Notice
score KAM_DOCUSIGN_LOW 3.0
+meta KAM_DOCUSIGN_QR ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (__KAM_DOCUSIGN5A + __KAM_DOCUSIGN5B >= 2) >= 3)
+describe KAM_DOCUSIGN_QR Qishing scam with Docusign
+score KAM_DOCUSIGN_QR 4.5
+
#Invalid From
header __KAM_TWODOTS From:addr =~ /\@.*\.\./i
endif
#HTML ATTACHMENTS WITH FUNCTIONS AND EVALS
-rawbody __GB_JS_UNESCAPE /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape|decodeURIComponent)|\=unescape\(.{1,10}\;document\.write|\=\s+atob\(/
+rawbody __GB_JS_UNESCAPE /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape|decodeURIComponent)|\=unescape\(.{1,10}\;document\.write|\=\s+atob\(|document\.createElement\(\"script\"/
rawbody __GB_JS_FUNCTION /(?:\=|\:)"?(?:function|eval)\(/
-rawbody __GB_JS_OBFU /(?:script\s+src|onload)="?\&\#x|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=|window\.(?:location|href)/
+rawbody __GB_JS_OBFU /(?:script\s+src|onload)="?(?:\&\#x|data\:text\/javascript)|\<svg\s+onload\=|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=|window\.(?:atob|location|href)/
meta GB_BADJS ( ( __GB_JS_UNESCAPE || __GB_JS_FUNCTION || __GB_JS_OBFU ) && ( __KAM_SHTML_ATTACH || T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) )
describe GB_BADJS Bad html attachment
score GB_BADJS 4.0
header __KAM_FROM_SPAM_JUL22 From =~ /Horrific.?Back|fat.?reducer|smart.?watch|chill.?well|blurred.?vision|Family.?savings|Revifol\.com|Fluxactive|eye.?herb|eco.?chip|Lumbar.?Correct|Air.?Flops|Getinstahard\.com|neurodrine|air.?cooly|Bladder.?relief|Doctor.?Inflammation|Shrink.?your.?prostate|RetailMarketingPro|back.?to.?life/i
-header __KAM_FROM_SPAM_AUG22 From =~ /a1c.?fix|LeafProtect\.com|ServicePlus\.Home|Golden.?fx|Arcti.?FREEZE|RensaClub\.com|\@advid\-|nail.?infection|pain.?relief.?sock|leaf.?filter|toxic.?foot|nails.?fungus|cat.?spraying|big.?pharma|vision.?enhancing|battery.?recondition|injecting.?fat|mosquito.?light|black.?surge|tinnitus.?911|sugar.?balance|cardio.?clear|compression.?sock|balanced.?blood|Sqribble|ukraine.?(beauty|bride)|instahard|shop.?icehouse|vital.?flow|Discount.?is.?ready|cinch.?home.?protection|home.?protection.?plan|zander.?term|easy.?canvas.?(deals|prints)|home.?warranty.?offer|toxic.?water|keto.?202\d|wifi.?booster|restore.?gummies|-advids\.|lost.?superfoods|vantis.?life|roofing.?quote|maasalong|flux.?active|hot.?russian|serious.?daters|anderson.?affiliate|instant.?translator|clipper.?pro|scientific.?nail|6.?secrets|singles.?offer|lower.?my.?bill|SplashWines\.com|leafprotect\.com|columbian.?girl|wifi.?ultraboost|\@clum-?(video|creat)|deadly.?sex|Vita.?Firm/i
+header __KAM_FROM_SPAM_AUG22 From =~ /a1c.?fix|LeafProtect\.com|ServicePlus\.Home|Golden.?fx|Arcti.?FREEZE|RensaClub\.com|\@advids?\-|nail.?infection|pain.?relief.?sock|leaf.?filter|toxic.?foot|nails.?fungus|cat.?spraying|big.?pharma|vision.?enhancing|battery.?recondition|injecting.?fat|mosquito.?light|black.?surge|tinnitus.?911|sugar.?balance|cardio.?clear|compression.?sock|balanced.?blood|Sqribble|ukraine.?(beauty|bride)|instahard|shop.?icehouse|vital.?flow|Discount.?is.?ready|cinch.?home.?protection|home.?protection.?plan|zander.?term|easy.?canvas.?(deals|prints)|home.?warranty.?offer|toxic.?water|keto.?202\d|wifi.?booster|restore.?gummies|-advids\.|lost.?superfoods|vantis.?life|roofing.?quote|maasalong|flux.?active|hot.?russian|serious.?daters|anderson.?affiliate|instant.?translator|clipper.?pro|scientific.?nail|6.?secrets|singles.?offer|lower.?my.?bill|SplashWines\.com|leafprotect\.com|columbian.?girl|wifi.?ultraboost|\@clum-?(video|creat)|deadly.?sex|Vita.?Firm/i
header __KAM_FROM_SPAM_SEP22 From =~ /Select.?Quote.?(offer|affiliate|insurance)|light.?bulb.?camera|pitney.?bowes.?presort|carshield.?quote|neckcool|zinc7|term.?life.?insurance|detox.?shower|protection.?from.?pests|Pest.?defense|Life.?Omic|pipelinersales|\.kalendar/i
header __KAM_FROM_SPAM_JUN23 From =~ /ukrainian.?(wom[ae]n|single)|brain.?fortify|attorney.?for.?cancer|enence.?translator|tac.?right.?mini.?saw|walk.?in.?bath|care.?soles|hip.?flexor|prodentim/i
+header __KAM_FROM_SPAM_JUL23 From =~ /Memory.?foam.?pillow|flow.?it.?hardware|payroll.?advance|elon.?Power.?bank|dementia.?trigger/i
+
+header __KAM_FROM_SPAM_AUG23 From =~ /menopause.?pooch|icloud.?online.?shopper|(airlines?|UPS).?shopper.?gift|surge.?card|1st.?premier.?lending|fast.?lean.?pro|Dementia.?Trigger|(epson|delta|stanley|Lowes).?(rewards|giveaway)|\@\d\.socialteers\-|\@\d\..*-carmine\.com/i
+
+header __KAM_FROM_SPAM_SEP23 From =~ /\@\d\.petra\-.*\.com|ups.?evaluation.?center|kohls.?perspective.?team|gift.?opportunities.?by.?oreilly|netflixmember|home.?depot.?(store|reward|express)|hexclad.?(kitchen|cook)ware|costco.?store.?card|\@dealclosers-.*\.com|Walgreens(points)|powerknot|unitedmiieage/i
+
+header __KAM_FROM_SPAM_OCT23 From =~ /bye.?herpes|compass.?coffee|Kobalt.?giveaway|pain.?relief.?protein|\@(tr\.)?\d\.digiteers\-.*\.com|stanleyToolSet/i
+
+header __KAM_FROM_SPAM_NOV23 From =~ /Amblebrook.?at.?Gettysburg|mcafee.?warning|tiktok.?shop|\@reloadl?ux\.|metamask.?airdrop|legostar.?nft/i
+
+header __KAM_FROM_SPAM_DEC23 From =~ /SBAlley|home.?foreclosures?.?list|Ad0be.?Acr0bat|real.?social.?mart|nail.?fungus|cardiologists.?shocked/i
+
+header __KAM_FROM_SPAM_JAN24 From =~ /Nail.?Fungus|water.?filtration|safe.?drinking.?water|Portable.?Heater|scrub.?daddy|stop.?ear.?ring|kohl.?s.?surprise|Solar.?Generator|vault.?scanner|b2b.?worlds|chimp\'s.?custom.?graphics|cold.?sore.*nuker|neuropathy.?cure|BackPain|\@.*\.(cannoschoolnighqua|usanoschoolnighqua)\d+\.org|Apple_Mystery|N\.e\.t\.f\.l\.i\.x|Nano.?Security.?scan|Temu Pallet|QBKS.?renew|american.?airlines.?winner|food.?shortage|Airwheel|benign.?vertigo|ozempic.?scandal|Harbor.?Freight.?Dep/i
+
+header __KAM_FROM_SPAM_FEB24 From =~ /MTS.?Transitional.?Life|\@avogtal\-|carshield.?auto.?protection|harbor.?freight.?thanks|anti.?aging.?cream|my.?senior.?perks|siriusxm.?loyalty.?program|0nlyfans|gutter.?guard.?affiliate|Federal.?Tax.?Debt.?Help|Activate.?your.?superbrain/i
+
+meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 + __KAM_FROM_SPAM_JUL23 + __KAM_FROM_SPAM_AUG23 + __KAM_FROM_SPAM_SEP23 + __KAM_FROM_SPAM_OCT23 + __KAM_FROM_SPAM_NOV23 + __KAM_FROM_SPAM_DEC23 + __KAM_FROM_SPAM_JAN24 + __KAM_FROM_SPAM_FEB24 >= 1)
-meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 >= 1)
describe KAM_FROM_SPAM From Indicates a Product Spam
-score KAM_FROM_SPAM 6.75
+score KAM_FROM_SPAM 9.0
meta KAM_FROM_SPAM_TLD ( __KAM_FROM_SPAM_FEB22_TLD + KAM_SOMETLD_ARE_BAD_TLD >= 2)
describe KAM_FROM_SPAM_TLD From and TLD Indicates a Product Spam
# +1 (123) 123-4567
# 441 (123) 123-4567 (44 is the hex of the + char, tesseract(1) could convert the '+' sign this way
# spaces, + sign, parenthesis and spaces are optional
- body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:(\s|,|\^|!|_|\.){1,2})?[(|{|\[]?[0-9]{3}[)|}|\]]?(?:(\-|\s|\.|\*|_|~|,|:|!|_|\xe2\x88\x92){1,2})?[0-9]{3}(?:(\-|\s|\.|\*|_|~|,|"|!|_|\xe2\x88\x92){1,3})?[0-9]{4,6})\b', '127.0.1.16')
+ body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:(\s|,|\^|!|_|\.){1,2})?[(|{|\[]?[0-9]{3}[)|}|\]]?(?:(\-|\s|\.|\*|_|~|,|:|!|_|\xe2\x88\x92){1,2})?[0-9]{3}(?:(\-|\s|\.|\*|_|~|,|"|!|_|\xe2\x88\x92){1,3})?[0-9]{4,6})\b', '127.0.1.16')
# slow regexp
# body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '(?:\*+|\b)(?:\+|4{2})?(?:[\s\*]+)?(?:[0-9]{1,2})?((?:[\s,\^\*]+)?[(|{|\*+]?[0-9]{3}[)|}|\*+]?(?:[-\s\.\*_~,:\*]+)?[0-9]{3}(?:[-\s\.\*_~,"]+)?[0-9]{4,6})(?:\*+|\b)', '127.0.1.16')
-
- priority GB_PHONE_RBL -100
- tflags GB_PHONE_RBL net
- describe GB_PHONE_RBL Message contains phone number found on blocklist
- score GB_PHONE_RBL 6.0
+ priority GB_PHONE_RBL -100
+ tflags GB_PHONE_RBL net
+ describe GB_PHONE_RBL Message contains phone number found on blocklist (https://raptor.pccc.com/RBL)
+ score GB_PHONE_RBL 6.0
+
+ rawbody GB_PHONE_RBL_RAW eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', 'tel:\+([0-9]{11})', '127.0.1.16')
+ priority GB_PHONE_RBL_RAW -100
+ tflags GB_PHONE_RBL_RAW net
+ describe GB_PHONE_RBL_RAW Message contains phone number found on blocklist (https://raptor.pccc.com/RBL)
+ score GB_PHONE_RBL_RAW 6.0
endif
endif
endif
score KAM_PAYROLL_SCANNER 7.5
#KAM_REFRESH
- #LIKELY NEED MORE EFFICIENT RAPTOR TAG
+# LIKELY NEED MORE EFFICIENT RAPTOR TAG
rawbody KAM_HTTP_REFRESH /http-equiv=("|')?refresh("|')?/i
describe KAM_HTTP_REFRESH Contains an http refresh
score KAM_HTTP_REFRESH 0.5
#FAKE PAYROLL UPDATE
#subj
-header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(pay|information|update|request)|change of account|Demand Change|^\s$|DD[\- ]*Authorization|Change|help needed|new account|account (change|update)|payroll adjustment|request? for (change|update)|have a request/i
+header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) ((re\-)?update|review)|update (DD|info)|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(stub|pay|information|update|request)|change (in|of) (DD|direct.?deposit|account)|Demand Change|^\s$|DD[\- ]*(Authorization|Modify)|help needed|new account|account (change|replace|update)|pay.?roll (update|adjustment)|request? for (change|update)|have a request|RENSEIGNEMENTS\s+.{1,16}\s+BANCAIRES|URGENT(\b|$)|adjustment of bank|ASSIST\!|correction of ACH|paycheck|pay D\-D|payroll \(?info|modifications? to (electronic fund transfer|ACH|EFT)|replac(e|ing) bank info|have a moment|update my account|^Changes$|emolument/i
#urg
-body __KAM_FAKE_PAY_UPDATE2 /before the (current|next) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay (run|date)|Inactive in a few day|right away|on-?time for any ongoing|what data is required|urgent help|next salary|forthcoming payroll|effective on payday|effect for next pay|made right now|closed in (a )?few day|for the current pay/i
+body __KAM_FAKE_PAY_UPDATE2 /(for|before|against) (my|the) (subsequent|current|next|upcoming) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|prochaine date de paiement|current pay cycle|next pay (run|date)|Inactive in a few day|right away|on-?time for any ongoing|what data is required|urgent help|next salary|(upcoming|forthcoming) payroll|effective (for this|this|on) pay.?da|effect for next pay|made right now|closed in (a )?few day|for the current pay|next pay period|prompt attention|subsequent payroll|finish the update|can ?not afford any more delay|before the pay.?(roll|date)|straight away|against the upcoming pay|before payroll is run|timely payment|for my current pay|prochain ch.que de paie|quick assistance|account will not be difficult|next pay cycle|immediate effect|before next pay|for the next (check|pay)|this coming payroll/i
tflags __KAM_FAKE_PAY_UPDATE2 nosubject
#task
-body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) my (ACH|bank(ing)?|DD|paycheck) (direct.?deposit|info|account)|new bank(ing)? (details|info)|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change my direct deposit/i
+body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) (of my|my) (ACH|bank(ing)?|DD|paycheck|payment|pay) (direct.?deposit|info|account)|new bank(ing)? (details|info)|change the account on my pay|direct.?deposit\s+information|(move|change) (in )?(my|the) (bank|payroll)|account information be change|update my (Pay|bank|account)|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change (on )?my (old account|direct deposit)|updating for my salary|just changed banks|changed my financial institut|DD details changed|new account for my direct deposit|new bank account|informations bancaires|replace my bank(ing)? info|updat(e|ing) my deposit|update my information on pay|passer\s+.\s+un nouveau compte|replace my (previous|current) (bank|direct deposit)|direct.?deposit update|move my paycheck/i
tflags __KAM_FAKE_PAY_UPDATE3 nosubject
#sigonly/freemail
meta KAM_FAKE_PAY_UPDATE ( FREEMAIL_FROM + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4)
describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam
-score KAM_FAKE_PAY_UPDATE 8.0
+score KAM_FAKE_PAY_UPDATE 9.0
meta KAM_FAKE_PAY_UPDATE_LOW FREEMAIL_FROM && ( __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 2) && ! KAM_FAKE_PAY_UPDATE
describe KAM_FAKE_PAY_UPDATE_LOW Likely a fake ACH/Payroll Scam (Lower Confidence)
-score KAM_FAKE_PAY_UPDATE_LOW 6.5
+score KAM_FAKE_PAY_UPDATE_LOW 7.5
#ENCRYPTED PAYLOAD
uri __KAM_ENCRYPTED_LIVE1 /onedrive\.live\.com/i
describe KAM_FAKE_INVOICEMS Fake Invoice Scam
score KAM_FAKE_INVOICEMS 4.5
-#FAKE ACE/COSTCO/ETC
-replace_rules __KAM_FAKE_COSTCO2 __KAM_FAKE_COSTCO3
+#FAKE ACE/LOWES/ETC
+replace_rules __KAM_FAKE_LOWES2 __KAM_FAKE_LOWES3
- #VOUCHER/COUPON
-header __KAM_FAKE_COSTCO1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target).*(christmas|e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club|gift for you|costco gift.?cert/i
- #FUZZ
-body __KAM_FAKE_COSTCO2 /C<O1>stc<O1> (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS St<O1>re|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|em<O1>ney|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from C<O1>stc<O1>|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper|gift-voucher|has a prize|home depot\-|home\-depot|kohls(\s|\b|$)/i
-tflags __KAM_FAKE_COSTCO2 nosubject
- #ODDLANG
-body __KAM_FAKE_COSTCO3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|epoint|em<O1>ney|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|[\d\.] coupon|\%Subscriber|as an important customer|glft|here is a thanks|202\d has been difficult|how we celebrate|available for download/i
- #URGENT
-body __KAM_FAKE_COSTCO4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? \d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today|this week|\d is available since|before christmas/i
+#VOUCHER/COUPON
+header __KAM_FAKE_LOWES1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target|burgerking).*(christmas|e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club|gift for you|costco gift.?cert|walgreens bonus points/i
+#FUZZ
+body __KAM_FAKE_LOWES2 /C<O1>stc<O1> (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS St<O1>re|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|em<O1>ney|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from C<O1>stc<O1>|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper|gift-voucher|has a prize|home depot\-|home\-depot|kohls(\s|\b|$)|BK Card/i
+tflags __KAM_FAKE_LOWES2 nosubject
+#ODDLANG
+body __KAM_FAKE_LOWES3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|\bepoint|em<O1>ney|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|\d+ coupon|\%Subscriber|as an important customer|glft|here is a thanks|202\d has been difficult|how we celebrate|available for download|points-can be used/i
+#URGENT
+body __KAM_FAKE_LOWES4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? \d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today|this week|\d is available since|before christmas|act fast|will go quickly/i
-meta KAM_FAKE_COSTCO ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 4)
-describe KAM_FAKE_COSTCO Fake Costco/Ace Hardware/etc. coupons
-score KAM_FAKE_COSTCO 6.0
+meta KAM_FAKE_LOWES ( __KAM_FAKE_LOWES1 + __KAM_FAKE_LOWES2 + __KAM_FAKE_LOWES3 + __KAM_FAKE_LOWES4 >= 4)
+describe KAM_FAKE_LOWES Fake Costco/Ace Hardware/etc. coupons
+score KAM_FAKE_LOWES 6.0
-meta KAM_FAKE_COSTCO_LOW !KAM_FAKE_COSTCO && ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 3)
-describe KAM_FAKE_COSTCO_LOW Fake Costco/Ace Hardware/etc. coupons (Lower Confidence)
-score KAM_FAKE_COSTCO_LOW 4.5
+meta KAM_FAKE_LOWES_LOW !KAM_FAKE_LOWES && ( __KAM_FAKE_LOWES1 + __KAM_FAKE_LOWES2 + __KAM_FAKE_LOWES3 + __KAM_FAKE_LOWES4 >= 3)
+describe KAM_FAKE_LOWES_LOW Fake Costco/Ace Hardware/etc. coupons (Lower Confidence)
+score KAM_FAKE_LOWES_LOW 4.5
#FAKE ACE
header __KAM_FAKE_ACE1 From:addr =~ /\@.*ace.*/i
header __KAM_FAKE_ACE2 From:addr !~ /acehardware\.com/i
-meta KAM_FAKE_ACE ( (__KAM_FAKE_ACE1 + __KAM_FAKE_ACE2 >=2 ) + (__KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 >= 1) >= 2)
+meta KAM_FAKE_ACE ( (__KAM_FAKE_ACE1 + __KAM_FAKE_ACE2 >=2 ) + (__KAM_FAKE_LOWES1 + __KAM_FAKE_LOWES2 >= 1) >= 2)
describe KAM_FAKE_ACE Possible Ace Hardware Forgery
score KAM_FAKE_ACE 2.0
#BIDDING/ESTIMATING
#NAMES
-body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating/i
-header __KAM_BIDEST1B From =~ /bidding|estimat/i
-header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)/i
+body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating|maple professionals|international estimating, llc|international estimates, llc|Estemanians, LLC|Dream Estimations|universal estimating llc/i
+header __KAM_BIDEST1B From =~ /bidding|estimat|globalbid/i
+header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)|constructions? project/i
#MORE INFO
-body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|sample (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples/i
+body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|(fair|sample) (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples|detailed quote|provide detailed quantity take.?off|professional services in Quantity take.?off|provide material take.?off|estimates \& take.?off|20\% discount on your first estimate|cost estimating|architectural projects for us|need of expert construction estimating|handle your construction (take.?offs|estimat)|any job for us regarding estimat|benefit from our estimat|construction estimation service|estimation services are tailored|offer the most precise estimat|detailed commercial estimate/i
#TITLE
-body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation company|head of business devel|estimating service|estimator|project +manager/i
+body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation (department|dept|company)|head of business devel|estimating service|estimator|project +manager|Civil, MEP, Architectural|manager of business dev|Sales team/i
#OBFU
-body __KAM_BIDEST4 /(dot)/i
+body __KAM_BIDEST4 /\(dot\)/i
meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 )
describe KAM_BIDEST Bidding and Estimating Spam
describe KAM_FAKE_REIMB Fake Reimbursement Request
score KAM_FAKE_REIMB 9.0
-#FAKE_AMAZON
-header __KAM_FAKE_AMAZON1 From:name =~ /\#A.?m.?a.?z.?o.?n/i
-header __KAM_FAKE_AMAZON2 Subject =~ /A\-M\-A\-Z\-O\-N|payment confirmation|amazon.?e.?billing/i
-#body __KAM_FAKE_AMAZON3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/
-body __KAM_FAKE_AMAZON3 /Receipt Id|Bill no/i
-uri __KAM_FAKE_AMAZON4 /googleusercontent\.com/i
+#FAKE_AMAZON #2
+header __KAM_FAKE_AMAZON2_1 From:name =~ /\#A.?m.?a.?z.?o.?n/i
+header __KAM_FAKE_AMAZON2_2 Subject =~ /A\-M\-A\-Z\-O\-N|payment confirmation|amazon.?e.?billing/i
+#body __KAM_FAKE_AMAZON2_3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/
+body __KAM_FAKE_AMAZON2_3 /Receipt Id|Bill no/i
+uri __KAM_FAKE_AMAZON2_4 /googleusercontent\.com/i
-meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + __KAM_FAKE_AMAZON3 + __KAM_FAKE_AMAZON4 + FREEMAIL_FROM >= 5 )
+meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON2_1 + __KAM_FAKE_AMAZON2_2 + __KAM_FAKE_AMAZON2_3 + __KAM_FAKE_AMAZON2_4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_AMAZON Fake Amazon Order
score KAM_FAKE_AMAZON 7.5
body __KAM_FAKE_COINBASE2_2 /sent a payment/i
body __KAM_FAKE_COINBASE2_3 /BTC|paypal/i
-meta KAM_FAKE_COINBASE2 (__KAM_FAKE_COINBASE2_1 + __KAM_FAKE_COINBASE2_2 + __KAM_FAKE_COINBASE2_3 + FREEMAIL_FROM + __KAM_FAKE_AMAZON3 >= 5)
+meta KAM_FAKE_COINBASE2 (__KAM_FAKE_COINBASE2_1 + __KAM_FAKE_COINBASE2_2 + __KAM_FAKE_COINBASE2_3 + FREEMAIL_FROM + __KAM_FAKE_AMAZON2_3 >= 5)
describe KAM_FAKE_COINBASE2 Fake Coinbase Email
score KAM_FAKE_COINBASE2 7.5
score KAM_PASSEXP 4.5
#IPFS
-uri KAM_IPFS /(\.|\b|\/)ipfs\.io\/|\/ipfs\/|https?\:\/\/ipfs\./i
+uri KAM_IPFS /(\.|\b|\/)ipfs\.io\/|\/ipfs\/|https?\:\/\/ipfs\.|https?\:\/\/.*\.ipfs\./i
describe KAM_IPFS Abused Protocol for Distributed Content
score KAM_IPFS 12.0
endif
#ADVIDS
-header __KAM_ADVIDS1 From:addr =~ /\@advid|\@.*advids?\./i
-body __KAM_ADVIDS2 /video (production|examples|ads)|design explainer/i
+header __KAM_ADVIDS1 From:addr =~ /\@advid|\@.*advids?\.|\@advi\-/i
+body __KAM_ADVIDS2 /video (production|examples|ads|design|ideas)|design explainer|design capabilit|(business|demo) video/i
uri __KAM_ADVIDS3 /search\?q\=Advids|youtube/i
+body __KAM_ADVIDS4 /(video|content) (director|producer)/i
-meta KAM_ADVIDS ( __KAM_ADVIDS1 + __KAM_ADVIDS2 + __KAM_ADVIDS3 >= 3)
+meta KAM_ADVIDS ( __KAM_ADVIDS1 + __KAM_ADVIDS2 + (__KAM_ADVIDS3 + __KAM_ADVIDS4 >= 1) >= 3)
describe KAM_ADVIDS Video Production Spam
score KAM_ADVIDS 10.0
score KAM_COPOUT 4.5
#DOMAIN/URI TEST CONCEPT
-replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan)
+replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan|byte\-bridge\-team|flipcausedemo|techerp|leadoverload\-team|twiz|vissia\-ac|eventgives|sephacquisition|mattia\-100|doug\-376|byron\-lewis|selo\-ai|elevatemkt|business-gps-tetsch|nandreaatos|stephanie\-alic)
replace_rules __KAM_BADCALENDLY
uri __KAM_BADCALENDLY /https?\:\/\/(www\.)?calendly\.com\/<BADCALENDLYURIS>(?:\/|\?|\b|$)/i
replace_rules __KAM_BADIG
uri __KAM_BADIG /https?\:\/\/(www\.)?instagram\.com\/<BADIGURIS>(?:\/|\?|\b|$)/i
-replace_tag BADYTURIS (?:\@muvisaku)
+replace_tag BADYTURIS (?:\@muvisaku|mzVih1bMPVE|PXcdLbnO9I4)
replace_rules __KAM_BADYT
-uri __KAM_BADYT /https?\:\/\/(www\.)?youtube\.com\/<BADYTURIS>(?:\/|\?|\b|$)/i
+uri __KAM_BADYT /https?\:\/\/(www\.)?(youtube\.com|youtu\.be)\/<BADYTURIS>(?:\/|\?|\b|$)/i
replace_tag BADVIMEOURIS (?:446834731|399916650|256117879|268399852|602066576|179069936|540337372|391568499|clumcreative)
replace_rules __KAM_BADVIMEO
replace_rules __KAM_BADFIVERR
uri __KAM_BADFIVERR /https?\:\/\/(www\.)?fiverr\.com\/<BADFIVERRURIS>(?:\/|\?|\b|$)/i
-meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR >= 1)
+replace_tag BADGSITESURIS (?:33344455666)
+replace_rules __KAM_BADGSITES
+uri __KAM_BADGSITES /https?\:\/\/sites\.google\.com\/view\/<BADGSITESURIS>(?:\/|\?|\b|$)/i
+
+replace_tag BADDYNAMICSURIS (?:9F7f0SFS2Z|Koi3RYh33D)
+replace_rules __KAM_BADDYNAMICS
+uri __KAM_BADDYNAMICS /https?\:\/\/ncv\.microsoft\.com\/<BADDYNAMICSURIS>(?:\/|\?|\b|$)/i
+
+replace_tag BADTELEGRAMURIS (?:leadgenmarket1)
+replace_rules __KAM_BADTELEGRAMURIS
+uri __KAM_BADTELEGRAMURIS /t.me\/<BADTELEGRAMURIS>(?:\/|\?|\b|$)/i
+
+replace_tag BADSKYPEURIS (?:32a8cfbcf097b10d|2bc4ed65aa40fb3b)
+replace_rules __KAM_BADSKYPEURIS
+body __KAM_BADSKYPEURIS /live\:\.cid\.<BADSKYPEURIS>(?:\/|\?|\b|$)/i
+
+replace_tag BADWHATSAPPURIS (?:40753537389)
+replace_rules __KAM_BADWHATSAPPURIS
+uri __KAM_BADWHATSAPPURIS /https?\:\/\/wa.me\/<BADWHATSAPPURIS>(?:\/|\?|\b|$)/i
+
+replace_tag BADFLOWCODEURIS (?:signalsdefense)
+replace_rules __KAM_BADFLOWCODEURIS
+uri __KAM_BADFLOWCODEURIS /https?\:\/\/flow\.page\/<BADFLOWCODEURIS>(?:\/|\?|\b|$)/i
+
+meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR + __KAM_BADGSITES + __KAM_BADDYNAMICS + __KAM_BADTELEGRAMURIS + __KAM_BADSKYPEURIS + __KAM_BADWHATSAPPURIS + __KAM_BADFLOWCODEURIS >= 1)
describe KAM_BADDOMAINURI Blocked domain/uri combo
score KAM_BADDOMAINURI 9.0
#TRACKING REDIR
uri __KAM_TRACKING_REDIR1 /\/tracking\/clicks\?redirect\=/i
+uri __KAM_TRACKING_REDIR2 /https?:\/\/adclick\.\w\.doubleclick\.net\/\/?pcs\/click\?.{10,64}\&?\&adurl\=(?:https?\:)?\/\//i
+uri __KAM_TRACKING_REDIR3 /https?:\/\/ad\.doubleclick\.net\/clk;.{8,64}\?(?:https?:)?\/\//i
-meta KAM_TRACKING_REDIR ( __KAM_TRACKING_REDIR1 >= 1 )
+meta KAM_TRACKING_REDIR ( __KAM_TRACKING_REDIR1 + __KAM_TRACKING_REDIR2 + __KAM_TRACKING_REDIR3 >= 1 )
describe KAM_TRACKING_REDIR Tracking URI with a redirect that is a security risk
score KAM_TRACKING_REDIR 4.5
describe KAM_FAKE_BENEFIT Likely fake benefit email
score KAM_FAKE_BENEFIT 4.5
+#CNOBFU
+body __KAM_URI_OBFU1 /w ?w ?w\[?.\]?asiane ?twork\[?.\]?org\[?.\]?cn/i
+body __KAM_URI_OBFU2 /w ?w ?w\[?.\]?netchin ?a\[?.\]?org/i
+
+meta KAM_URI_OBFU ( __KAM_URI_OBFU1 + __KAM_URI_OBFU2 >= 1 )
+describe KAM_URI_OBFU Obfuscation of URLs
+score KAM_URI_OBFU 10.0
+
+#FAKE_GOOGLEGROUP
+replace_rules __KAM_FAKE_GOOGLEGROUP2
+
+header __KAM_FAKE_GOOGLEGROUP1 From:addr =~ /\@googlegroups\.com/i
+header __KAM_FAKE_GOOGLEGROUP2 From:name =~ /Support Team|(Mcafee|Best.?Buy) (support|Team)|Help Desk|client support|customer care team|Geek Squad (help.?(line|desk)|Call Center|support|customer support)|Team (McAfee|Best.?buy)|chase bank (protect|zero)|paypal (team|support)|(support|Service|Billing|team) PayPal|Helping (group|Hand|community)|help each other|W<E1>llsf<A1>rgo B<A1>nk r<e>gain|Bank of America Business/i
+
+meta KAM_FAKE_GOOGLEGROUP ( __KAM_FAKE_GOOGLEGROUP1 + __KAM_FAKE_GOOGLEGROUP2 >= 2 )
+describe KAM_FAKE_GOOGLEGROUP Google Group posing as a legitimate firm
+score KAM_FAKE_GOOGLEGROUP 9.0
+
+#LEAD FORENSICS
+body __KAM_LEAD_FORENSICS1 /leadforensics.*com|Lead Forensics/i
+
+meta KAM_LEAD_FORENSICS ( __KAM_LEAD_FORENSICS1 >= 1 )
+describe KAM_LEAD_FORENSICS Domain hopping spamming engine
+score KAM_LEAD_FORENSICS 10.0
+
+#FAKE_NETFLIX
+ #domain mismatch
+header __KAM_FAKE_NETFLIX1A From:name =~ /Netflix/i
+header __KAM_FAKE_NETFLIX1B From:addr !~ /netflix\.com/i
+ #fuzz
+header __KAM_FAKE_NETFLIX2A From:addr =~ /NetfIix/i
+header __KAM_FAKE_NETFLIX2B Subject =~ /NetfIix/i
+
+meta KAM_FAKE_NETFLIX ( __KAM_FAKE_NETFLIX1A + __KAM_FAKE_NETFLIX1B >= 2 ) || ( __KAM_FAKE_NETFLIX2A + __KAM_FAKE_NETFLIX2B >= 1 )
+describe KAM_FAKE_NETFLIX Fake Netflix message
+score KAM_FAKE_NETFLIX 7.0
+
+#FAKE_STARBUCKS
+ #domain
+header __KAM_FAKE_STARBUCKS1A From:name =~ /starbucks/i
+header __KAM_FAKE_STARBUCKS1B From:addr !~ /starbucks\.com/i
+
+meta KAM_FAKE_STARBUCKS ( __KAM_FAKE_STARBUCKS1A + __KAM_FAKE_STARBUCKS1B >= 2 )
+describe KAM_FAKE_STARBUCKS Fake Starbucks message
+score KAM_FAKE_STARBUCKS 4.0
+
+#FAKE_SAMSCLUB
+ #domain mismatch
+header __KAM_FAKE_SAMSCLUB1A From:name =~ /Sam'?s?.?c(1|l|I)ub/i
+header __KAM_FAKE_SAMSCLUB1B From:addr !~ /samsclub\.com/i
+ #fuzz
+header __KAM_FAKE_SAMSCLUB2A From:addr =~ /Sam'?s?.?CIub/i
+header __KAM_FAKE_SAMSCLUB2B Subject =~ /Sam'?s.?CIub/i
+
+meta KAM_FAKE_SAMSCLUB ( __KAM_FAKE_SAMSCLUB1A + __KAM_FAKE_SAMSCLUB1B >= 2 ) || ( __KAM_FAKE_SAMSCLUB2A + __KAM_FAKE_SAMSCLUB2B >= 1 )
+describe KAM_FAKE_SAMSCLUB Fake Sam's Club message
+score KAM_FAKE_SAMSCLUB 4.0
+
+#FAKE_WALGREENS
+ #domain
+header __KAM_FAKE_WALGREENS1A From:name =~ /wa(l|1|i)greens/i
+header __KAM_FAKE_WALGREENS1B From:addr !~ /wa(l|1|i)greens\.com/i
+ #fuzz
+header __KAM_FAKE_WALGREENS2A From:addr =~ /wa(1|i)greens/i
+header __KAM_FAKE_WALGREENS2B Subject =~ /wa(1|i)greens/i
+
+meta KAM_FAKE_WALGREENS ( __KAM_FAKE_WALGREENS1A + __KAM_FAKE_WALGREENS1B >= 2 ) || ( __KAM_FAKE_WALGREENS2A + __KAM_FAKE_WALGREENS2B >= 1 )
+describe KAM_FAKE_WALGREENS Fake Walgreens message
+score KAM_FAKE_WALGREENS 4.0
+
+#FAKE_ACEHARDWARE2
+ #domain
+header __KAM_FAKE_ACEHARDWARE2_1A From:name =~ /Ace.?(reward|Hardware)|AceOctoberReward/i
+header __KAM_FAKE_ACEHARDWARE2_1B From:addr !~ /acehardware\.com/i
+#header __KAM_FAKE_ACEHARDWARE2_1C Subject =~ /Ace.?hardware.?rewards/i
+
+meta KAM_FAKE_ACEHARDWARE2 ( __KAM_FAKE_ACEHARDWARE2_1A + __KAM_FAKE_ACEHARDWARE2_1B >= 2 )
+describe KAM_FAKE_ACEHARDWARE2 Fake Ace Hardware message
+score KAM_FAKE_ACEHARDWARE2 8.0
+
+#FAKE_CVS
+ #domain - Fixed FP on 2023-10-06 from Joel Risberg
+header __KAM_FAKE_CVS_1A From:name =~ /CVS(care|extra|octoberreward|reward|bonus|stores|savr|save)|CVS(\b|\$)|CVS.*dea[1|i|l]s/i
+header __KAM_FAKE_CVS_1B From:addr !~ /cvs(health)?\.com/i
+
+meta KAM_FAKE_CVS ( __KAM_FAKE_CVS_1A + __KAM_FAKE_CVS_1B >= 2 )
+describe KAM_FAKE_CVS Fake CVS message
+score KAM_FAKE_CVS 6.0
+
+#MEDALLIA
+header __KAM_MEDALLIA From:addr =~ /medallia\.com/i
+meta KAM_MEDALLIA (KAM_FAKE_CVS + KAM_FAKE_SAMSCLUB >= 1) && __KAM_MEDALLIA
+describe KAM_MEDALLIA False Positive Handling for Medallia Surveys
+score KAM_MEDALLIA -6.0
+
+#FAKE HOME DEPOT
+ #domain
+header __KAM_FAKE_HOMEDEPOT_1A From:name =~ /home.?depot/i
+header __KAM_FAKE_HOMEDEPOT_1B From:addr !~ /homedepot\.com/i
+
+meta KAM_FAKE_HOMEDEPOT ( __KAM_FAKE_HOMEDEPOT_1A + __KAM_FAKE_HOMEDEPOT_1B >= 2 )
+describe KAM_FAKE_HOMEDEPOT Fake Home Depot message
+score KAM_FAKE_HOMEDEPOT 5.0
+
+#FAKE COSTCO
+ #domain
+header __KAM_FAKE_COSTCO_1A From:name =~ /costco/i
+header __KAM_FAKE_COSTCO_1B From:addr !~ /costco\.(com|ca)|costcotravel\.com/i
+
+meta KAM_FAKE_COSTCO2 ( __KAM_FAKE_COSTCO_1A + __KAM_FAKE_COSTCO_1B >= 2 )
+describe KAM_FAKE_COSTCO2 Fake Costco message
+score KAM_FAKE_COSTCO2 7.0
+
+#EMPTY MESSAGE FP FOR CALENDARS
+mimeheader __GB_CALENDAR_ATTACH Content-Type =~ /\b(text\/calendar)\b/i
+meta GB_EMPTY_CALENDAR ( ( EMPTY_MESSAGE || SCC_BODY_URI_ONLY ) && __GB_CALENDAR_ATTACH )
+describe GB_EMPTY_CALENDAR Empty message with a calendar attachment
+score GB_EMPTY_CALENDAR -2.0
+
+#FAKE LOWES
+ #domain
+header __KAM_FAKE_LOWES_1A From:name =~ /lowes.?home.?improvement|Lowes.?(shopper|Store)|LowesHome/i
+header __KAM_FAKE_LOWES_1B From:addr !~ /lowes\.com/i
+
+meta KAM_FAKE_LOWES ( __KAM_FAKE_LOWES_1A + __KAM_FAKE_LOWES_1B >= 2 )
+describe KAM_FAKE_LOWES Fake Lowes message
+score KAM_FAKE_LOWES 4.0
+
+#UNSOLICITED
+body __KAM_UNSOLICITED1 /Sorry for the unsolicited email/i
+
+meta KAM_UNSOLICITED ( __KAM_UNSOLICITED1 >= 1 )
+describe KAM_UNSOLICITED Email that is unsolicited
+score KAM_UNSOLICITED 5.0
+
+#FAKE PRIME/AMAZON
+ #domain
+header __KAM_FAKE_PRIME_1A From:name =~ /Prime.*Member|PrimeAccount(a(1|i|l)ert|Service)|Prime.?Dea(1|i)|prime.?day.?saving/i
+header __KAM_FAKE_PRIME_1B From:addr !~ /amazon\.com/i
+
+header __KAM_FAKE_PRIME_2 Subject =~ /Amaz0n prime|prime membership (is renewing|statement was ended)/i
+
+meta KAM_FAKE_PRIME ( ( __KAM_FAKE_PRIME_1A + __KAM_FAKE_PRIME_2 >= 1 ) + __KAM_FAKE_PRIME_1B >= 2 )
+describe KAM_FAKE_PRIME Fake Amazon Prime message
+score KAM_FAKE_PRIME 7.0
+
+#FAKE MILWAUKEE
+ #fuzz
+header __KAM_FAKE_MILWAUKEE2A From:addr =~ /mi(1|i)waukeetoo(i|1)s/i
+header __KAM_FAKE_MILWAUKEE2B Subject =~ /Milwaukee (Drill|tool)/i
+
+meta KAM_FAKE_MILWAUKEE ( __KAM_FAKE_MILWAUKEE2A + __KAM_FAKE_MILWAUKEE2B >= 1 )
+describe KAM_FAKE_MILWAUKEE Fake Lowes / Milwaukee Tools message
+score KAM_FAKE_MILWAUKEE 4.0
+
+#FAKE HULU
+ #fuzz
+header __KAM_FAKE_HULU2A From:addr =~ /hu(1|i)u.?(acct|account|member)/i
+header __KAM_FAKE_HULU2B Subject =~ /hu(1|i)u.?member/i
+
+meta KAM_FAKE_HULU ( __KAM_FAKE_HULU2A + __KAM_FAKE_HULU2B >= 1 )
+describe KAM_FAKE_HULU Fake Hulu message
+score KAM_FAKE_HULU 6.0
+
+#FAKE WEBROOT
+header __KAM_FAKE_WEBROOT1 Subject =~ /got your order|Payment receipt|Order Confirm|your e.?statement|renewal confirm|itemized invoice|renewal success/i
+body __KAM_FAKE_WEBROOT2 /Webroot/i
+body __KAM_FAKE_WEBROOT3 /Total Securities|Webroot (security|premium)/i
+body __KAM_FAKE_WEBROOT4 /not authorized|should there be any concern|terminate your service|discontinuing this transaction/i
+
+meta KAM_FAKE_WEBROOT ( __KAM_FAKE_WEBROOT1 + __KAM_FAKE_WEBROOT2 + __KAM_FAKE_WEBROOT3 + __KAM_FAKE_WEBROOT4 + FREEMAIL_FROM >= 5)
+describe KAM_FAKE_WEBROOT Fake Webroot Scam
+score KAM_FAKE_WEBROOT 7.5
+
+ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
+# Received document
+ body __GB_DID_RECEIVE /did you receive .{1,10} document/i
+ meta GB_DID_RECEIVE ( __GB_DID_RECEIVE && KAM_RAPTOR_EXTERNAL )
+ describe GB_DID_RECEIVE Document received scam
+ score GB_DID_RECEIVE 1.5
+endif
+
+# ExtractText Rules
+ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
+ ifplugin Mail::SpamAssassin::Plugin::ExtractText
+ header GB_QR_CODE X-ExtractText-Flags =~ /\bQR\-Code\b/
+ describe GB_QR_CODE QR-Code in attached image
+ score GB_QR_CODE 2.0
+
+ header __GB_OCR_URI_BAD_TLD X-ExtractText-URIs =~ /https?:\/\/.*\.ru\//i
+ meta GB_QR_CODE_BAD_TLD ( __GB_OCR_URI_BAD_TLD && GB_QR_CODE )
+ describe GB_QR_CODE_BAD_TLD Qr code uri with a bad tld domain
+ score GB_QR_CODE_BAD_TLD 4.5
+ endif
+endif
+
+# Adobe redirector
+uri GB_ADOBE_REDIR m|^https?://\w+\-rt\-prod\d+\-t.campaign.adobe.com/r/\?id=.{8,24}&p1=|i
+describe GB_ADOBE_REDIR Adobe redirector
+score GB_ADOBE_REDIR 1.5
+
+# Bing redirector
+uri GB_BING_REDIR m|^https?://(?:www.)?bing.com/ck/a\?!&&p=.{32,128}&ptn=\d+&|i
+describe GB_BING_REDIR Microsoft Bing redirector
+score GB_BING_REDIR 1.5
+
+# Bizzabo redirector
+uri GB_BIZZABO_REDIR m|^https?://events.bizzabo.com/auth/emailAssociatedLogin/verifyTokenAndRedirect\?token=.{10,128}&redirectUrl=|i
+describe GB_BIZZABO_REDIR Bizzabo redirector
+score GB_BIZZABO_REDIR 1.5
+
+# Windows redirector
+uri GB_WINDOWS_REDIR m|^https?://\w+.blob.core.windows.net/\w+/\w+.html\#\w{2}/\d{5}_md/\d+/|i
+describe GB_WINDOWS_REDIR Windows redirector
+score GB_WINDOWS_REDIR 4.5
+
+# Disq.us redirector
+uri GB_DISQUS_REDIR m|^https?://(?:www\.)?disq.us/?\?url=https?:|i
+describe GB_DISQUS_REDIR Disq.us redirector
+score GB_DISQUS_REDIR 1.5
+
+# Yandex redirector
+uri GB_YANDEX_REDIR m;^https?://[^/]*sba\.yandex\.net/redirect\?;i
+describe GB_YANDEX_REDIR Yandex redirect used to obscure spamvertised website
+score GB_YANDEX_REDIR 1.5
+
+# Flashtalking redirector
+uri GB_FLASHTALK_REDIR m;^https?://servedby\.flashtalking\.com/click/.{16,256}&url=https?://;i
+describe GB_FLASHTALK_REDIR Flashtalking redirector
+score GB_FLASHTALK_REDIR 1.5
+
+# RetailRocket redirector
+uri GB_RETAILROCKET_REDIR m;^https?://clickproxy\.retailrocket\.net/\?url\.aspx.{1,32}url=http;i
+describe GB_RETAILROCKET_REDIR RetailRocket redirector
+score GB_RETAILROCKET_REDIR 1.5
+
+# ShopMyExchange redirector
+uri GB_SHOPMYEXC_REDIR m;^https?://links\.e\.shopmyexchange\.com/.{4,128}&kd=;i
+describe GB_SHOPMYEXC_REDIR ShopMyExchange redirector
+score GB_SHOPMYEXC_REDIR 1.5
+
+# Allaincemh redirector
+uri GB_ALLAINCEMH_REDIR m;^https?://url\d+\.allaincemh\.com/ls/click\?;i
+describe GB_ALLAINCEMH_REDIR Allaincemh redirector
+score GB_ALLAINCEMH_REDIR 1.5
+
+# Bloom.io redirector
+uri GB_BLOOMIO_REDIR m;^https?://email\.mail\.bloom\.io/c/.{256,512};i
+describe GB_BLOOMIO_REDIR bloom.io redirector
+score GB_BLOOMIO_REDIR 1.5
+
+# Dell redirector
+uri GB_DELL_REDIR m;^https?://\w\.\w{2}\.home\.dell\.com/r/\?.{8,128}\&p1=;i
+describe GB_DELL_REDIR Dell redirector
+score GB_DELL_REDIR 1.5
+
+# Oneclick redirector
+uri GB_ONECLICK_REDIR m;^https?://go\.onelink\.me/\d+\?pid=InProduct.{16,128}&af_web_dp=https?://;i
+describe GB_ONECLICK_REDIR Oneclick redirector
+score GB_ONECLICK_REDIR 1.5
+
+# Powerobjects redirector
+uri GB_POWEROBJECTS_REDIR m;^https?://go\.onelink\.me/\d+\?pid=InProduct.{16,128}&af_web_dp=https?://;i
+describe GB_POWEROBJECTS_REDIR Powerobjects redirector
+score GB_POWEROBJECTS_REDIR 1.5
+
+# Generic Php redirector
+uri GB_PHP_REDIR /\.php\?url=https?\:\/\//
+describe GB_PHP_REDIR Php redirector
+score GB_PHP_REDIR 1.0
+
+#TLDSCHINA
+body __KAM_TLDSCHINA1 /t ?l ?d ?s ?c ?h ?i ?n ?a\[\.\]com|0086\-21\-619\-18\-696/i
+
+meta KAM_TLDSCHINA ( __KAM_TLDSCHINA1 >= 1 )
+describe KAM_TLDSCHINA Chinese Domain Scams
+score KAM_TLDSCHINA 5.0
+
+# .html link stored on S3
+uri __GB_S3_HTM1 /^https?:\/\/.{3,64}\.s3\..{3,16}\.amazonaws\.com\/.{3,128}\.s?htm/i
+uri __GB_S3_HTM2 /^https?:\/\/s3\.amazonaws\.com\/.{3,16}\/.{3,16}\/.{3,128}\.s?html?\#/i
+
+meta GB_S3_HTM ( __GB_S3_HTM1 + __GB_S3_HTM2 >= 1 )
+describe GB_S3_HTM .html link stored on AWS S3
+score GB_S3_HTM 4.5
+
+#FAKE STIMULUS
+header __KAM_FAKE_STIM1 From =~ /state.?reiief|stim.?state.?check|stim.?check.?reiief|reiief2023|statestimcheck|statebenefits/i
+header __KAM_FAKE_STIM2 Subject =~ /stimu[1i]us/i
+body __KAM_FAKE_STIM3 /stimu[1i]us|stimulus (benefit|fund|check)/i
+tflags __KAM_FAKE_STIM3 nosubject
+
+meta KAM_FAKE_STIM ( __KAM_FAKE_STIM1 + __KAM_FAKE_STIM2 + __KAM_FAKE_STIM3 >= 3)
+describe KAM_FAKE_STIM Fake Stimulus Scam
+score KAM_FAKE_STIM 6.0
+
+#FAKE QUOTES
+header __KAM_FAKE_QUOTE1 Subject =~ /signing up for Quotes\.daily/i
+
+meta KAM_FAKE_QUOTE ( __KAM_FAKE_QUOTE1 + FREEMAIL_FROM >= 2 )
+describe KAM_FAKE_QUOTE Fake Quotes Signup Notice
+score KAM_FAKE_QUOTE 3.0
+
+#FAKE HOTEL ROOM
+replace_rules __GB_FAKE_HOTEL
+body __GB_FAKE_HOTEL /(?:book(?:ing)? a|(?:need|reserving) a|standard|cost of a)(?:\s)?(?:single|double|twin)?(?:\sstandard)? room|check into your hotel|book a hotel room|have such a room|left it in (?:a|my|the) room|mak(?:e|ing) a reservation|reservar una habitaci<O>n|room availability/i
+header __GB_FAKE_HOTEL_S Subject =~ /To the Hotel|Booking confirmation/i
+meta GB_FAKE_HOTEL ( FREEMAIL_FROM && ( KAM_BLANKSUBJECT || __GB_FAKE_HOTEL_S ) && __GB_FAKE_HOTEL )
+describe GB_FAKE_HOTEL Fake hotel room reservation
+score GB_FAKE_HOTEL 4.0
+
+#FAKE SPOTIFY
+ #domain
+header __KAM_FAKE_SPOTIFY_1A From:name =~ /spotify premium|Spotify(?:\s|_)Inc\./i
+header __KAM_FAKE_SPOTIFY_1B From:addr !~ /spotify\.com/i
+
+meta KAM_FAKE_SPOTIFY ( __KAM_FAKE_SPOTIFY_1A + __KAM_FAKE_SPOTIFY_1B >= 2 )
+describe KAM_FAKE_SPOTIFY Fake Spotify message
+score KAM_FAKE_SPOTIFY 7.0
+
+#FAKE TRUST WALLET
+ #domain
+header __KAM_FAKE_TRUSTWALLET_1A From:name =~ /trust.?wallet/i
+header __KAM_FAKE_TRUSTWALLET_1B From:addr !~ /trustwallet\.com/i
+
+meta KAM_FAKE_TRUSTWALLET ( __KAM_FAKE_TRUSTWALLET_1A + __KAM_FAKE_TRUSTWALLET_1B >= 2 )
+describe KAM_FAKE_TRUSTWALLET Fake Trust Wallet message
+score KAM_FAKE_TRUSTWALLET 7.0
+
+#APP SPAM
+ #subject
+header __KAM_APP1 Subject =~ /App Idea/i
+ #who
+body __KAM_APP2 /IT Based company/i
+ #what
+body __KAM_APP3 /App devel/i
+ #pricing
+body __KAM_APP4 /pocket.?friendly/i
+ #LMK
+body __KAM_APP5 /requirements in detail/i
+
+meta KAM_APP ( __KAM_APP1 + __KAM_APP2 + __KAM_APP3 + __KAM_APP4 + __KAM_APP5 + FREEMAIL_FROM >= 6 )
+describe KAM_APP Spammers hawking App Development
+score KAM_APP 9.0
+
+#PENPAL
+ #subject
+header __KAM_PENPAL1 Subject =~ /^(GREETINGS|HI)$/i
+ #intro
+body __KAM_PENPAL2 /my name is|I\'m from Sweden/i
+ #penpal
+body __KAM_PENPAL3 /pen.?pal/i
+ #topic
+body __KAM_PENPAL4 /talk *anything|talk about (everything|anything)|look forward to hear/i
+
+meta KAM_PENPAL ( __KAM_PENPAL1 + __KAM_PENPAL2 + __KAM_PENPAL3 + __KAM_PENPAL4 >= 4 )
+describe KAM_PENPAL Pen Pal Scams
+score KAM_PENPAL 8.0
+
+#FAKE GOOGLE DRIVE NOTICE
+replace_rules __KAM_FAKE_DRIVE1
+
+ #from:name
+header __KAM_FAKE_DRIVE1 From:name =~ /(Ch<A1>s<E1>|W<E1>(1|l|I)(1|l|I)s.?F<A1>rg<O1>).?(B<A1>nk|S<E1>c|R<E1>g<A1>|R<E1>v<I1>|H<E1>lp)/i
+ #from:addr
+header __KAM_FAKE_DRIVE2 From:addr =~ /drive-shares-dm-noreply\@google\.com/i
+ #subj
+header __KAM_FAKE_DRIVE3 Subject =~ /Scam Sign.?in Detected|Bank ID Locked|Account Frozen|Fraud Sign.?in/i
+
+meta KAM_FAKE_DRIVE ( __KAM_FAKE_DRIVE1 + __KAM_FAKE_DRIVE2 >= 2 ) || ( __KAM_FAKE_DRIVE2 + __KAM_FAKE_DRIVE3 >= 2 )
+describe KAM_FAKE_DRIVE Fake Google Drive Notice
+score KAM_FAKE_DRIVE 12.0
+
+#FAKE SCORE NOTES
+ #subj
+header __KAM_FAKE_SCORE1 Subject =~ /Score released\:.*\+\$\d+/i
+ #Form
+header __KAM_FAKE_SCORE2 X-GoogleForms-IsConsumerForm =~ /true/i
+ #Result
+body __KAM_FAKE_SCORE3 /account deactivation|balance will be (reset|cleared|zeroed)|block inactive account/i
+ #Action
+body __KAM_FAKE_SCORE4 /(sign in.?to|log.?in.?to|enter|access) your account/i
+
+meta KAM_FAKE_SCORE ( __KAM_FAKE_SCORE1 + __KAM_FAKE_SCORE2 + __KAM_FAKE_SCORE3 + __KAM_FAKE_SCORE4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_SCORE Fake Score Emails
+score KAM_FAKE_SCORE 7.5
+
+#blob
+uri __KAM_BLOBHTML1 /.*\.blob\.core\.windows\.net\/.*html?/i
+
+meta KAM_BLOBHTML ( __KAM_BLOBHTML1 + FREEMAIL_FROM >= 2 )
+describe KAM_BLOBHTML Windows Blob Likely Spam
+score KAM_BLOBHTML 7.0
+
+meta KAM_BLOBHTMLLOW ( __KAM_BLOBHTML1 >= 1 ) && !KAM_BLOBHTML
+describe KAM_BLOBHTMLLOW Windows Blob Lower Confidence of Spam
+score KAM_BLOBHTMLLOW 3.0
+
+# Cloudflare r2.dev public cloud
+uri __GB_R2DEVHTML1 /https?:\/\/pub\-\w+\.r2\.dev\/.{1,32}\.html?/
+
+meta GB_R2DEVHTML ( __GB_R2DEVHTML1 + FREEMAIL_FROM >= 2 )
+describe GB_R2DEVHTML Cloudflare r2.dev Likely Spam
+score GB_R2DEVHTML 5.0
+
+meta GB_R2DEVHTMLLOW ( __GB_R2DEVHTML1 >= 1 )
+describe GB_R2DEVHTMLLOW Cloudflare r2.dev Lower Confidence of Spam
+score GB_R2DEVHTMLLOW 2.0
+
+# Fake invoice links to Google Cloud
+ifplugin Mail::SpamAssassin::Plugin::URIDetail
+ uri_detail GB_GOOGLE_INVOICE cleaned =~ /\d+\.\d+\.\d+\.\d+\.bc\.googleusercontent\.com/ text =~ /invoice|fattura/i
+ describe GB_GOOGLE_INVOICE Fake Invoice stored on Google cloud
+ score GB_GOOGLE_INVOICE 4.0
+endif
+
+# Dispatch targeted postcompromise spam
+body __KAM_DISPATCH1 /dis+patch(ed)? a (material|file)|Document\:/i
+uri __KAM_DISPATCH2 /https?\:\/\/.*?\/\w*\/\?\d+/i
+
+meta KAM_DISPATCH ( __KAM_DISPATCH1 + __KAM_DISPATCH2 >= 2)
+describe KAM_DISPATCH Phishing File Scam Email
+score KAM_DISPATCH 4.0
+
+# DEAD PIANO
+ #DAYED
+body __KAM_PIANO1 /(dead|late) (spouse|husband)/i
+ #PIANO
+body __KAM_PIANO2 /(Yamaha|grand) piano|baby grand/i
+ #COST
+body __KAM_PIANO3 /free|gifting|offering|give away/i
+ #SUBJ
+header __KAM_PIANO4 Subject =~ /want this|beautiful piano|instrument/i
+
+meta KAM_PIANO ( __KAM_PIANO1 + __KAM_PIANO2 + __KAM_PIANO3 + __KAM_PIANO4 + (__KAM_EDU_FROM + FREEMAIL_FROM >= 1) >= 5 )
+describe KAM_PIANO Likely Piano Scam (yes, Piano Scams are a real thing apparently)
+score KAM_PIANO 7.5
+
+ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
+ # AP/AR SCAM
+ body __KAM_APARSCAM /email me our most recent AP and AR Aging report|what is the bank cut off line for WIRE TRANSFER/i
+
+ meta KAM_APARSCAM ( __KAM_APARSCAM + __KAM_BEAL1 + KAM_RAPTOR_EXTERNAL >= 3 )
+ describe KAM_APARSCAM Accounting Phishing Scams
+ score KAM_APARSCAM 6.0
+endif
+
+#FAKE WELLS FARGO
+replace_rules __KAM_FAKE_WELLSFARGO_1A
+
+ #domain
+header __KAM_FAKE_WELLSFARGO_1A From:name =~ /W<E1>lls.?f<A1>rgo 0nline/i
+header __KAM_FAKE_WELLSFARGO_1B From:addr !~ /wellsfargo\.com/i
+
+meta KAM_FAKE_WELLSFARGO ( __KAM_FAKE_WELLSFARGO_1A + __KAM_FAKE_WELLSFARGO_1B >= 2 )
+describe KAM_FAKE_WELLSFARGO Fake Wells Fargo message
+score KAM_FAKE_WELLSFARGO 7.0
+
+#FIT LLC
+replace_rules __KAM_FIT1
+
+body __KAM_FIT1 /Email sent by F<I1>T, LLC|newsletter on behalf of (prestige publishing|Event Horizon) LLC/im
+
+meta KAM_FIT ( __KAM_FIT1 >= 1 )
+describe KAM_FIT Spamming spammers who spam
+score KAM_FIT 5.0
+
+#Lowering for FPs
+score HTML_IMAGE_ONLY_08 1.0
+score SUSPICIOUS_RECIPS 2.0
+
+#FAKE FIDELITY
+body __KAM_FAKE_FIDELITY1 /we are brokers/i
+header __KAM_FAKE_FIDELITY2 Subject =~ /Fidelity Investments/i
+
+meta KAM_FAKE_FIDELITY ( __KAM_FAKE_FIDELITY1 + __KAM_FAKE_FIDELITY2 + FREEMAIL_FROM >= 3 )
+describe KAM_FAKE_FIDELITY Likely Fake Brokerage Emails
+score KAM_FAKE_FIDELITY 4.5
+
#EOF