update KAM.cf

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/KAM.cf b/KAM.cf
index b028eb9416082a2348a7180f0d6c327789ea52ba..21201c293af317a7086af7aae10af4366b60bdac 100644 (file)
--- a/KAM.cf
+++ b/KAM.cf
@@ -863,14 +863,27 @@ score             KAM_TELEWORK    3.0
 
 #Changed to meta 2017-10-17
 #2017-10-23 - Removed .link.  Uniregistry has committed to reviewing abuse concerns.
-header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|bid|press|top|date)$/i
-uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|bid|press|top|date)($|\/)/i
+#2019-11-24 - Removed .bid for FPs
+header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|press|top|date)$/i
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|press|top|date)($|\/)/i
 
 meta           KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
-describe       KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press, .bid & .date TLD Abuse
+describe       KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press & .date TLD Abuse
 score          KAM_SOMETLD_ARE_BAD_TLD         5.0
 
-
+#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body 
+#ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+#  enlist_addrlist (BADTLDS) *@*.pw
+#  enlist_addrlist (BADTLDS) *@*.stream
+#  enlist_addrlist (BADTLDS) *@*.trade
+#  enlist_addrlist (BADTLDS) *@*.bid
+#  enlist_addrlist (BADTLDS) *@*.press
+#  enlist_addrlist (BADTLDS) *@*.top
+#  enlist_addrlist (BADTLDS) *@*.date
+#  
+#  header      __KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS') 
+#  body                __KAM_SOMETLD_ARE_BAD_TLD_URI  eval:check_uri_host_listed('BADTLDS')
+#endif
 
 #CHANGED TO KAMOnly
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
@@ -1645,6 +1658,7 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
     util_rb_2tld doesphotography.com
     util_rb_2tld isteaching.com
     util_rb_2tld googleapis.com
+    util_rb_2tld a2hosted.com  
   endif
 
   # allow URI rules to look at DKIM headers if they exist and our SA version supports it
@@ -2612,9 +2626,9 @@ score             KAM_SELLPHONE   4.5
 describe       KAM_SELLPHONE   Used Equipment Spam
 
 #STORAGE LIMIT
-body           __KAM_MAILBOX1  /mailbox has exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low/i
-body           __KAM_MAILBOX2  /validate your (account|mailbox|email)|(increase|upgrade) (my|your?) (inbox |email )?quota|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account/i
-header         __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|important notice|needs to be upgraded|incoming mails|delivery failure|storage is full/i
+body           __KAM_MAILBOX1  /mailbox has exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account/i
+body           __KAM_MAILBOX2  /(verify|validate) your (account|mailbox|email)|(increase|upgrade) (my|your?) (inbox |email )?quota|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account/i
+header         __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important) noti|needs to be upgraded|incoming mails|delivery failure|storage (is )?full|inbox full|upgrade email|delayed email|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|account upgrade/i
 
 meta           KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >= 3)
 score          KAM_MAILBOX     6.0
@@ -4603,14 +4617,18 @@ meta     KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >
 describe KAM_ADVERTISE Spam that wants you to advertise for them
 score    KAM_ADVERTISE 4.5
 
-# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS
+# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
 if (version >= 3.003002)
-  # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
-  header   __KAM_SPF_NONE    eval:check_for_spf_none()
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+    ifplugin Mail::SpamAssassin::Plugin::SPF
+      # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
+      header   __KAM_SPF_NONE    eval:check_for_spf_none()
 
-  meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
-  score    KAM_LAZY_DOMAIN_SECURITY 1.0
-  describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
+      meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
+      score    KAM_LAZY_DOMAIN_SECURITY 1.0
+      describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
+    endif
+  endif
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
@@ -5040,7 +5058,9 @@ score    KAM_CAD 3.5
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
   #SPAM WITH OFFICE MACROS
-  header   KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+  header   __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+
+  meta    KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
   describe KAM_VBMACRO Message contains attachment with VB macro
   score    KAM_VBMACRO 6.5
   
@@ -5619,15 +5639,15 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
 
-  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect/i
+  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code/i
   #Different encodings
-  body         __KAM_CRIM2     /(bit<C><O><I>n|BTC|DSH|cryptocurrency)/i
-  body         __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n|\d\d\d usd|DSH\)? address/i
+  body         __KAM_CRIM2     /(bit-?<C><O><I>n|BTC|DSH|cryptocurrency)/i
+  body         __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n|\d\d\d usd|DSH\)? address|Address part/i
   body         __KAM_CRIM4     /erotica|<P>orn|promising evidence|video|<M>asturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana|perversion/i
 
-  body         __KAM_CRIM5     /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours only to send the fund|address immediately|tr\@nsfer the amount/i
+  body         __KAM_CRIM5     /(twenty.?four|24).?hours|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours only to send the fund|address immediately|tr\@nsfer the amount/i
 
-  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you/i
+  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|porn/i
 
   header               __KAM_CRIM7     From =~ /h<A>ck<E>r|know/i
 
@@ -5754,10 +5774,10 @@ describe        KAM_FILE                Potential attempt for NTLM attack
 score          KAM_FILE                4.5
 
 #FUN SPAM RUN
-header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best>?$/i
+header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store>?$/i
 body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters/i
 body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|can't see this image/i
-header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty/i
+header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet/i
 
 meta           KAM_FUN                 (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
 describe       KAM_FUN                 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
@@ -5859,19 +5879,23 @@ score           KAM_FAVOR       7.5
 #trusted_networks 38.124.232.0/24
 
 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
-header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer/i
-body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead) specialist|Business Co-?ordinator|marketing and comm|inside sales/i
-body           __KAM_LIST3_3   /data fields|verified email|complete (contact|details)|with email address|target geography|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (Contains?|includes?)\:|visitors and price|pricing, counts|information about the list/i
-body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing campaigns|complete list/i
+header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign/i
+
+#title
+body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|Business Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|attendees list/i
+#db for sale
+body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list/i
+#db what
+body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|available titles\:|business profiles|database of/i
 
 meta           KAM_LIST3       (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
 describe       KAM_LIST3       Mailing List Purveyor Spam
-score          KAM_LIST3       8.0
+score          KAM_LIST3       9.0
 
  #NO SUBJ MATCH
 meta            KAM_LIST3_1     (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
 describe        KAM_LIST3_1     Likely Mailing List Purveyor Spam
-score           KAM_LIST3_1     4.0
+score           KAM_LIST3_1     7.5
 
 #MONCLER
 header         __KAM_MONCLER1  Subject =~ /moncler/i
@@ -5881,6 +5905,7 @@ meta              KAM_MONCLER     (__KAM_MONCLER1 + __KAM_MONCLER2 +  KAM_SOMETLD_ARE_BAD_TLD >=
 describe       KAM_MONCLER     Fashionista Spammers
 score          KAM_MONCLER     6.0
 
+#ERP
 header         __KAM_ERP1      Subject =~ /ERP/
 body           __KAM_ERP2      /K9ERP/i
 
@@ -5888,57 +5913,72 @@ meta            KAM_ERP         (__KAM_ERP1 + __KAM_ERP2 >=2)
 describe       KAM_ERP         ERP Spammers
 score          KAM_ERP         4.0
 
-#DMARC POLICY RULES
+#DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
+#
+#https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
+#
+#"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
+#
+# We expect edge cases with DKIM where a parent (gateway) domain signing for a subdomain author (e.g., parent.gov signing for sub.parent.gov).  This is a common and a sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU.  The SPF || DKIM logic below will allow this scenario.
+#
+# Note: Certain glues like MailScanner will modify an email before testing.  That will cause many DKIM failures.  If you have a known broken system for DKIM like this, you should likely disable the plugin.
+
+
 ifplugin Mail::SpamAssassin::Plugin::AskDNS
   ifplugin Mail::SpamAssassin::Plugin::DKIM
     ifplugin Mail::SpamAssassin::Plugin::SPF
-      askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
-      askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
-      askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
-
-      meta DMARC_REJECT (DKIM_INVALID || SPF_FAIL) && __DMARC_POLICY_REJECT
-      describe DMARC_REJECT    DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
-
-      meta DMARC_QUAR (DKIM_INVALID || SPF_FAIL) && __DMARC_POLICY_QUAR
-      describe DMARC_QUAR DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
-
-      meta DMARC_NONE (DKIM_INVALID || SPF_FAIL) && __DMARC_POLICY_NONE
-      describe DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy 
-
-      score DMARC_REJECT 10.0
-      score DMARC_QUAR 1.5
-      score DMARC_NONE 0.25
+      askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
+      askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
+      askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
+      askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
+
+      #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
+      meta     KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
+      describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
+      score    KAM_DMARC_STATUS 0.01 
+     
+      meta     KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
+      describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
+      score    KAM_DMARC_REJECT 3.0
+
+      meta     KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
+      describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
+      score    KAM_DMARC_QUARANTINE 1.5
+
+      meta     KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
+      describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy 
+      score    KAM_DMARC_NONE 0.25
     endif
   endif
 endif
 
 #OLE/VB MACROs
 ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
-  body     OLEMACRO eval:check_olemacro()
-  describe OLEMACRO Attachment has an Office Macro
-  score    OLEMACRO 3.0 
+  body     KAM_OLEMACRO eval:check_olemacro()
+  describe KAM_OLEMACRO Attachment has an Office Macro
+  score    KAM_OLEMACRO 6.5
 
-  body     OLEMACRO_MALICE eval:check_olemacro_malice()
-  describe OLEMACRO_MALICE Potentially malicious Office Macro
-  score    OLEMACRO_MALICE 10.0
+  body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
+  describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
+  score    KAM_OLEMACRO_MALICE 10.0
 
-  body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
-  describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
-  score    OLEMACRO_ENCRYPTED 2.0
+  body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
+  describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
+  score    KAM_OLEMACRO_ENCRYPTED 2.0
 
   #This may cause more CPU usage
   olemacro_extended_scan 1 
-  body     OLEMACRO_RENAME eval:check_olemacro_renamed()
-  describe OLEMACRO_RENAME Has an Office doc that has been renamed
-  score    OLEMACRO_RENAME 0.1
+  body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
+  describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
+  score    KAM_OLEMACRO_RENAME 0.1
 
-  body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
-  describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
-  score    OLEMACRO_ZIP_PW 1.0
+  body     KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
+  describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
+  score    KAM_OLEMACRO_ZIP_PW 1.0
 
-  body     OLEMACRO_CSV eval:check_olemacro_csv()
-  describe OLEMACRO_CSV Macro in csv file
-  score    OLEMACRO_CSV 4.0
+  body     KAM_OLEMACRO_CSV eval:check_olemacro_csv()
+  describe KAM_OLEMACRO_CSV Macro in csv file
+  score    KAM_OLEMACRO_CSV 4.0
 endif
 
 #Testing Rule for Subject Prefixes - See note 58397
@@ -5978,6 +6018,12 @@ if (version >= 3.004003)
       score      PCCC_HDR_MARKETINGBL    0.001
       priority   PCCC_HDR_MARKETINGBL    -100  
     
+      header     PCCC_HDR_REPLYTO          eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
+      describe   PCCC_HDR_REPLYTO          Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
+      tflags     PCCC_HDR_REPLYTO          net
+      score      PCCC_HDR_REPLYTO          3.5
+      priority   PCCC_HDR_REPLYTO          -100  
+    
       # compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
       header     PCCC_SENDER_COMPROMISED        eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
       describe   PCCC_SENDER_COMPROMISED        Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
@@ -6006,7 +6052,7 @@ if (version >= 3.004003)
       tflags     PCCC_HASHBL_FREEMAIL    net
       score      PCCC_HASHBL_FREEMAIL    3.5
       priority   PCCC_HASHBL_FREEMAIL    -100
-    
+
       # Email address in X-Sender header found on PCCC HashBL
       header   PCCC_HASHBL_EMAIL_SEND    eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
       describe PCCC_HASHBL_EMAIL_SEND    Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
@@ -8631,7 +8677,7 @@ endif
 #END of TEST OF HASHBL ADDITIONS
 
 #LABEL
-header         __KAM_LABEL1    Subject =~/(Checking in|this week)/i
+header         __KAM_LABEL1    Subject =~/(Checking in|(this|next) week)/i
 body   __KAM_LABEL2    /meet at your office/i
 body   __KAM_LABEL3    /make custom (shirts|sports|jackets|suits)/i
 body   __KAM_LABEL4    /(suits start at \$|shirts at \$)/i
@@ -8644,10 +8690,11 @@ score           KAM_LABEL       9.0
 
 #RBLOBFU
 body   __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
+body   __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
 
-meta           KAM_RBL_OBFU    (__KAM_RBL_OBFU1 + __FREEMAIL_FROM)
+meta           KAM_RBL_OBFU    ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
 describe       KAM_RBL_OBFU    Spammers obfuscating their domain and abusing freemail
-score          KAM_RBL_OBFU    7.0
+score          KAM_RBL_OBFU    12.0
 
 #Shady CC's
 body           __KAM_SHADYCC1  /(transactions?|purchases?) from your (online store|web-?shop)/i
@@ -8667,4 +8714,51 @@ meta             KAM_EXPOPIRATE  (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2
 describe       KAM_EXPOPIRATE  Scam Pirates trying to Hijack Event Hotel Bookings
 score          KAM_EXPOPIRATE  4.5
 
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+  #Domain Expiry Scams
+  header       __KAM_DOMAINEXPIRY1     Subject =~ /Domain.*Expiration/i
+  body         __KAM_DOMAINEXPIRY2     /Attached letter/i
+  
+  meta         KAM_DOMAINEXPIRY        (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
+  describe     KAM_DOMAINEXPIRY        Domain Expiration Scams
+  score                KAM_DOMAINEXPIRY        4.5
+  
+  #Payment Scams
+  header       __KAM_PAYMENTSCAM1      Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
+  body         __KAM_PAYMENTSCAM2      /attached (payment|herewith)|ready for release/i
+  mimeheader   __KAM_PAYMENTSCAM3      Content-Type =~ /\.doc/i
+  full         __KAM_PAYMENTSCAM4      /\{\\rtf/
+  
+  meta         KAM_PAYMENTSCAM         (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
+  describe     KAM_PAYMENTSCAM         Payment Scams with Malware Payloads
+  score                KAM_PAYMENTSCAM         6.5
+
+  meta         KAM_PAYMENTSCAM2        (DEAR_BENEFICIARY +  __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
+  describe     KAM_PAYMENTSCAM2        Payment scams
+  score                KAM_PAYMENTSCAM2        4.5
+
+
+  #Password Scams
+  body                 __KAM_PASSWORDSCAM1     /pass word/i
+  
+  meta         KAM_PASSWORDSCAM        (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
+  describe     KAM_PASSWORDSCAM        Password extortion spams
+  score                KAM_PASSWORDSCAM        6.0
+endif
+
+#Training Scams
+header         __KAM_TRAINING1         Subject =~ /mandatory.*training/i
+body           __KAM_TRAINING2         /intranet|training calendar/i
+body           __KAM_TRAINING3         /Human Resources/i
+
+meta           KAM_TRAINING            (__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
+describe       KAM_TRAINING            Training Phishing
+score          KAM_TRAINING            4.5
+
+#Trump Medicare
+header         __KAM_MEDICARE1         Subject =~ /Trump Medicare/i
+
+meta           KAM_MEDICARE            __KAM_MEDICARE1 >= 1
+describe       KAM_MEDICARE            Medicare Scams
+score          KAM_MEDICARE            2.0
 # EOF