update KAM.cf
authorStoiko Ivanov <s.ivanov@proxmox.com>
Mon, 3 Feb 2020 13:52:37 +0000 (14:52 +0100)
committerFabian Grünbichler <f.gruenbichler@proxmox.com>
Tue, 4 Feb 2020 10:45:27 +0000 (11:45 +0100)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
KAM.cf

diff --git a/KAM.cf b/KAM.cf
index 21201c293af317a7086af7aae10af4366b60bdac..76bd968bd23bca350b1fa6b30e30a41921d6d826 100644 (file)
--- a/KAM.cf
+++ b/KAM.cf
@@ -2626,13 +2626,21 @@ score           KAM_SELLPHONE   4.5
 describe       KAM_SELLPHONE   Used Equipment Spam
 
 #STORAGE LIMIT
-body           __KAM_MAILBOX1  /mailbox has exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account/i
-body           __KAM_MAILBOX2  /(verify|validate) your (account|mailbox|email)|(increase|upgrade) (my|your?) (inbox |email )?quota|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account/i
-header         __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important) noti|needs to be upgraded|incoming mails|delivery failure|storage (is )?full|inbox full|upgrade email|delayed email|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|account upgrade/i
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+  replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2
+
+  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account|\d failed message|communication failure|de<A>ctiv<A>ted if no <A>ction|invalid users|request .{0,13}shutdown/i
+  tflags       __KAM_MAILBOX1  nosubject
+
+  body         __KAM_MAILBOX2  /(verify|update|validate|r<E>confirm) (your )?(<A>ccount|mailbox|email|web ?mail)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota upgrade|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account|choose what happens|blacklisting inactive|continue the usage|untrusted activity/i
 
-meta           KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >= 3)
-score          KAM_MAILBOX     6.0
-describe       KAM_MAILBOX     Mailbox Quota Phishing Scams
+  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important) noti|needs to be upgraded|incoming mails|delivery failure|storage (is )?full|inbox full|upgrade email|delayed email|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|account (update|upgrade)|quarantined|undelivered|limit .{0,5}exceeded|confirmation required|mailbox account|held messages/i
+
+  meta         KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >= 3)
+  score                KAM_MAILBOX     6.75
+  describe     KAM_MAILBOX     Mailbox Quota Phishing Scams
+endif
 
 #SHORTERNERS
 meta           KAM_SHORT       (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
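Review bot: `tflags __KAM_MAILBOX1 nosubject`, directly under the rewritten __KAM_MAILBOX1 body rule, is guarded only by `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags`, yet this file's own comment in the CONTACTS / LISTS section says the nosubject tflag requires the 3.4.3 release. On older installs the flag is presumably ignored (worth confirming with `spamassassin --lint`), which would silently widen __KAM_MAILBOX1 back to matching the Subject line while the score is raised to 6.75. The file already uses `if (version >= 3.004003)` in the HASHBL section; wrapping the tflags line as `if (version >= 3.004003)` / `tflags __KAM_MAILBOX1 nosubject` / `endif` makes the dependency explicit.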
@@ -2758,9 +2766,9 @@ header            __KAM_CREDIT5   From =~ /Credit|score|bureau|finance|report|advisory/i
 
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
-replace_tag     A       (?:[\xd0][\xb0]|[\xc9][\x91]|a)
+replace_tag     A       (?:[\xd0][\xb0]|[\xc9][\x91]|a|α|\@)
 replace_tag     C       (?:[\xd0][\xa1]|c|[\xd1][\x81])
-replace_tag     E       (?:[\xd0][\xb5]|[\xc4][\x97]|e)
+replace_tag     E       (?:[\xd0][\xb5]|[\xc4][\x97]|e)
 replace_tag     I       (?:[\xd1][\x96]|[\xc4][\xab]|i)
 replace_tag    M       (?:[\xca][\x8d]|m)
 replace_tag     O       (?:[\xd0][\xbe]|o)
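Review bot: The new `\@` alternative in the A tag changes every rule that expands `<A>`, not only the CRIM5 rule this commit converts from `tr\@nsfer`; `<A>ccount`, `c<A>mera` and the like now also match the `@` spelling, which looks intended but deserves a short comment on the replace_tag line, e.g. `# \@ covers a -> @ substitution in all <A> rules`. Also, `α` is written as a raw UTF-8 character while the other homoglyphs use byte escapes such as `[\xd0][\xb0]`; writing it as `[\xce][\xb1]` keeps the tag consistent with the rest of the line and robust against an editor re-encoding the file. The E tag line appears in the hunk with no visible difference, presumably a whitespace-only change.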
@@ -5639,22 +5647,22 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
 
-  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code/i
+  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code|google translator|placed (a )?malware/i
   #Different encodings
   body         __KAM_CRIM2     /(bit-?<C><O><I>n|BTC|DSH|cryptocurrency)/i
-  body         __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n|\d\d\d usd|DSH\)? address|Address part/i
+  body         __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n|\d\d\d usd|DSH\)? address|Address part/i
   body         __KAM_CRIM4     /erotica|<P>orn|promising evidence|video|<M>asturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana|perversion/i
 
-  body         __KAM_CRIM5     /(twenty.?four|24).?hours|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours only to send the fund|address immediately|tr\@nsfer the amount/i
+  body         __KAM_CRIM5     /(twenty.?four|24).?hours|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A>nsfer the (amount|funds)/i
 
-  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|porn/i
+  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|porn|(share|forward) the video/i
 
   header               __KAM_CRIM7     From =~ /h<A>ck<E>r|know/i
 
 
   meta         KAM_CRIM        (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
   describe     KAM_CRIM        Extortion Email
-  score                KAM_CRIM        7.5
+  score                KAM_CRIM        8.5
 endif
 
 #KAM_CRIM_V2
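Review bot: `__KAM_CRIM7` is listed in `replace_rules` and defined on the From header, but the `KAM_CRIM` meta still sums only __KAM_CRIM1 through __KAM_CRIM6, so the From rule never contributes unless it is referenced elsewhere in the file; either add it to the meta (`+ __KAM_CRIM7`, with the threshold of 4 reconsidered) or drop it from replace_rules. A smaller point in the extended __KAM_CRIM1 regex: the alternation `(videotape|evidence|evidence)` repeats `evidence`. The meta line itself is unchanged by this hunk, so the score bump to 8.5 applies to the same 4-of-6 condition.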
@@ -5665,6 +5673,7 @@ body              __KAM_CRIM2_3   /adult.{0,2}video|sex.{0,2}sites/is
 meta           KAM_CRIM2       (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
 describe       KAM_CRIM2       Extortion Email
 score          KAM_CRIM2       7.5
+
 #ZWNJ
 #ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
 # Also want to look at Unicode U+200C. 
@@ -5774,10 +5783,10 @@ describe        KAM_FILE                Potential attempt for NTLM attack
 score          KAM_FILE                4.5
 
 #FUN SPAM RUN
-header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store>?$/i
-body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters/i
+header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar>?$/i
+body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|purehealth/i
 body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|can't see this image/i
-header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet/i
+header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare/i
 
 meta           KAM_FUN                 (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
 describe       KAM_FUN                 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
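Review bot: In the extended `__KAM_FUN1` From rule the `>?$` anchor binds only to the last alternative `\.bar`, so the newly added `\.surf` and `\.rest` (like the earlier `\.pro` and `\.best`) match anywhere in the header, for example `.restaurant` or `.professional` in a display name or local part. Grouping the TLDs makes the anchor apply to all of them: `header __KAM_FUN1 From =~ /\.(fun|icu|pro|stream|world|monster|best|store|surf|rest|bar)>?$/i`. The `sound` and `keto` Subject terms added to __KAM_FUN4 are broad, but the meta still requires 3 of 4 subrules, which bounds the effect.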
@@ -5879,18 +5888,18 @@ score           KAM_FAVOR       7.5
 #trusted_networks 38.124.232.0/24
 
 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
-header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign/i
+header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data/i
 
 #title
-body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|Business Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|attendees list/i
+body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (coordinator|campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|Business Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|attendees list/i
 #db for sale
-body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list/i
+body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing/i
 #db what
-body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|available titles\:|business profiles|database of/i
+body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|titles\:|business profiles|database of|list from USA|contact details|geography/i
 
 meta           KAM_LIST3       (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
 describe       KAM_LIST3       Mailing List Purveyor Spam
-score          KAM_LIST3       9.0
+score          KAM_LIST3       11.0
 
  #NO SUBJ MATCH
 meta            KAM_LIST3_1     (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
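Review bot: `show` and `data` added as bare alternatives to the `__KAM_LIST3_1` Subject rule match as substrings (`data` in `database` or `metadata`, `show` in `showcase`, and `show` is already covered by `trade ?show`), and the same hunk raises `KAM_LIST3` to 11.0, so the false-positive cost of the broader subrule rises with it. If standalone words are intended, `\bshow\b|\bdata\b` is the narrower form; otherwise a comment on why a substring match is wanted would help the next editor. The `KAM_LIST3_1` fallback meta below reuses the same subrules, so it is widened by the same terms.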
@@ -6075,7 +6084,8 @@ if (version >= 3.004003)
       priority PCCC_HASHBL_EMAIL         -100   
 
       # BTC address present in BTC blacklist
-      body          __HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')
+      # thanks to Henrik Krohns for the regexp
+      body          __HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '(?:\s|^)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\s|$)')
       priority      __HASHBL_BTC -100
       tflags        __HASHBL_BTC net
       meta          BTC_HASHBL_BLACK ( __HASHBL_BTC  && __BITCOIN_ID && !__URL_BTC_ID )
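Review bot: Replacing `\b...\b` with `(?:\s|^)...(?:\s|$)` in `__HASHBL_BTC` means an address directly followed by a period, comma, quote or closing bracket no longer matches, which `\b` accepted and which is a common layout in the extortion text this rule targets. If the goal was to stop matching inside longer alphanumeric tokens, lookarounds keep that while tolerating punctuation: `'(?<![A-Za-z0-9])([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?![A-Za-z0-9])'`. Whether `^` and `$` here see line or whole-body boundaries depends on the flags check_hashbl_bodyre applies, which is not visible in this hunk; a comment stating the intent next to the credit line would help.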
@@ -8677,11 +8687,11 @@ endif
 #END of TEST OF HASHBL ADDITIONS
 
 #LABEL
-header         __KAM_LABEL1    Subject =~/(Checking in|(this|next) week)/i
+header         __KAM_LABEL1    Subject =~/(Checking in|Appointment|(this|next) week|thoughts)/i
 body   __KAM_LABEL2    /meet at your office/i
 body   __KAM_LABEL3    /make custom (shirts|sports|jackets|suits)/i
 body   __KAM_LABEL4    /(suits start at \$|shirts at \$)/i
-body   __KAM_LABEL5    /top fabrics/i
+body   __KAM_LABEL5    /(premier|top) fabrics/i
 body   __KAM_LABEL6    /\| Label/i
 
 meta           KAM_LABEL       (__KAM_LABEL1 + __KAM_LABEL2 + __KAM_LABEL3 + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 >= 6)
@@ -8761,4 +8771,33 @@ header           __KAM_MEDICARE1         Subject =~ /Trump Medicare/i
 meta           KAM_MEDICARE            __KAM_MEDICARE1 >= 1
 describe       KAM_MEDICARE            Medicare Scams
 score          KAM_MEDICARE            2.0
+
+#Water hack
+header         __KAM_WATERHACK1        Subject =~ /Water Hack/i
+body           __KAM_WATERHACK2        /water hack/i
+
+meta           KAM_WATERHACK           (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
+describe       KAM_WATERHACK           Diet Scams
+score          KAM_WATERHACK           5.0
+
+#Sendgrid Exploits 
+header         __KAM_SENDGRID1         EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
+header         __KAM_SENDGRID2         Received =~ /outbound\-mail\.sendgrid\.net \[/i
+
+meta           KAM_SENDGRID            (HEADER_FROM_DIFFERENT_DOMAINS + (__KAM_SENDGRID1 + __KAM_SENDGRID2 >= 1) >= 2)
+describe       KAM_SENDGRID            Sendgrid being exploited by scammers
+score          KAM_SENDGRID            2.0
+
+meta            KAM_SENDGRID2           (KAM_SENDGRID + TO_IN_SUBJ >= 2)
+describe        KAM_SENDGRID2           Sendgrid being exploited by scammers
+score           KAM_SENDGRID2           2.0
+
+#Political Spam
+header         __KAM_2020_1            Subject =~ /Re-?elect Trump/i
+body           __KAM_2020_2            /T-?shirt/i
+
+meta           KAM_2020                (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
+describe       KAM_2020                2020 Political Spams
+score          KAM_2020                5.0
+
 # EOF
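Review bot: The new `KAM_2020` meta depends on `FREEMAIL_FROM`, which comes from the FreeMail plugin, but unlike the ReplaceTags and HASHBL sections of this file the rule is not wrapped in a guard; on an install without that plugin the meta refers to an undefined rule (presumably a lint warning with the term treated as 0, to be confirmed). Wrapping the Political Spam block in `ifplugin Mail::SpamAssassin::Plugin::FreeMail` ... `endif` follows the file's existing convention. `KAM_SENDGRID2` carries the same describe text as `KAM_SENDGRID`; a distinct description such as `describe KAM_SENDGRID2 Sendgrid abuse with recipient address in Subject` makes reports easier to read. The `#Sendgrid Exploits ` comment line also has trailing whitespace.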