]> git.proxmox.com Git - proxmox-spamassassin.git/commitdiff
update KAM.cf
authorStoiko Ivanov <s.ivanov@proxmox.com>
Tue, 21 Apr 2020 18:06:39 +0000 (20:06 +0200)
committerStoiko Ivanov <s.ivanov@proxmox.com>
Tue, 21 Apr 2020 18:06:39 +0000 (20:06 +0200)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
KAM.cf

diff --git a/KAM.cf b/KAM.cf
index 76bd968bd23bca350b1fa6b30e30a41921d6d826..e32524001b9bb10d310d813dff6ab73835206927 100644 (file)
--- a/KAM.cf
+++ b/KAM.cf
@@ -55,7 +55,7 @@
 #https://raptor.pccc.com/free_spam_consultation.cgim
 
 #
-#Copyright (c) 2019 Kevin A. McGrail and the McGrail Foundation
+#Copyright (c) 2020 Kevin A. McGrail and the McGrail Foundation
 #
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.
@@ -454,7 +454,7 @@ body                __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
 body           __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
 body           __KAM_STOCKTIP155 /Alanco Technologies/is
 body           __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
-body           __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
+#body          __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
 body            __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
 body            __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
 body            __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
@@ -480,7 +480,7 @@ body                __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
 body           __KAM_INSTOCK   /in stock/i
 
 # ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
-meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP157 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
+meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
 
 describe        KAM_STOCKTIP    Email Contains Pump & Dump Stock Tip
 score           KAM_STOCKTIP    7.1
@@ -1871,11 +1871,16 @@ describe        KAM_COLLECT     Spammers hawking debt collection
 
 
 #SEARCH ENGINE SPAM
-header         __KAM_SEARCH1   Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.service|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health/i
-body           __KAM_SEARCH2   /search engine|SEO|bring.traffic|business.development/i
-body           __KAM_SEARCH3   /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on/i
-body           __KAM_SEARCH4   /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry/i
-rawbody                __KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution/i
+ #Subj
+header         __KAM_SEARCH1   Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|1st page/i
+ #what specific
+body           __KAM_SEARCH2   /search engine|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
+ #ranging
+body           __KAM_SEARCH3   /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search/i
+ #how
+body   __KAM_SEARCH4   /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
+ #who
+rawbody                __KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|SEO expert|sales manager/i
 
 meta           KAM_SEARCH      (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
 score          KAM_SEARCH      5.0
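Review bot: The bare `keyword` alternative added to `__KAM_SEARCH4` matches any body that contains that word, and it makes the existing `popular.keyword` alternative in the same pattern redundant. Together with `more (clients|customers)` in `__KAM_SEARCH3` and `sales manager` in the rawbody test `__KAM_SEARCH5`, ordinary business mail gets noticeably closer to the `>= 4` threshold of `KAM_SEARCH`. I would drop the bare `keyword` and keep `popular.keyword`, or tie it to a phrase seen in the samples. The new section comments (`#what specific`, `#ranging`, `#how`, `#who`) are hard to read on their own; something like `# SEARCH3: ranking claims` would say what each test is for.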
@@ -2630,14 +2635,16 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2
 
-  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account|\d failed message|communication failure|de<A>ctiv<A>ted if no <A>ction|invalid users|request .{0,13}shutdown/i
+ #ISSUE
+  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account|communication failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|delivery of \d|messages.{0,6}returned|\d.{0,2}(failed|undelivered|incoming) (message|mail)|synchronize \d email|messages.{1,10}suspend|report your account|configuration error|updating stage|blacklisted|quota notification|mailbox agreement|(system|security|server) upgrade|system malfunction|mail notice|due for an update|mailbox managment|automatically renew/i
   tflags       __KAM_MAILBOX1  nosubject
+ #ACTION
+  body         __KAM_MAILBOX2  /(verify|update|upgrade|validate|r<E1>confirm) (their|your)? {0,5}(<A1>ccount|mail|info|email|web ?mail)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota upgrade|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account|choose what happens|blacklisting inactive|continue the usage|untrusted activity|review (message|e?mail)|(verify|validate) (here|now)|reset below|verification process|email disk usage|auto extend your disk|confirm your details|mandetory file|retrieve here|expected to reactivate|keep your webmail/i
+  tflags       __KAM_MAILBOX2  nosubject
+ #SUBJECT
+  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important|admin) noti|needs to be upgraded|(incoming|pending) (mails|document|message)|delivery (problem|is blocked|failure)|storage (is )?full|inbox full|(unread|upgrade|delayed) e?mail|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|(security|account) (update|upgrade)|quarantine|rejected|undelivered|limit .{0,5}exceeded|confirmation required|mailbox account|(blocked|held) messages|technology services|(server|mail).{1,8}error|validat|messages.{1,10}suspend|account limited|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|re-?activation/i 
 
-  body         __KAM_MAILBOX2  /(verify|update|validate|r<E>confirm) (your )?(<A>ccount|mailbox|email|web ?mail)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota upgrade|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account|choose what happens|blacklisting inactive|continue the usage|untrusted activity/i
-
-  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important) noti|needs to be upgraded|incoming mails|delivery failure|storage (is )?full|inbox full|upgrade email|delayed email|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|account (update|upgrade)|quarantined|undelivered|limit .{0,5}exceeded|confirmation required|mailbox account|held messages/i
-
-  meta         KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >= 3)
+  meta         KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 + T_FREEMAIL_DOC_PDF >= 3)
   score                KAM_MAILBOX     6.75
   describe     KAM_MAILBOX     Mailbox Quota Phishing Scams
 endif
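Review bot: `KAM_MAILBOX` now depends on `T_FREEMAIL_DOC_PDF`, which is not defined anywhere in this diff and whose `T_` prefix suggests a test rule that can be renamed or dropped between rule updates (inferred from the naming convention). If it is absent the term presumably contributes nothing and the rule behaves as before, but that should be confirmed and recorded next to the meta, for example `# T_FREEMAIL_DOC_PDF is defined outside KAM.cf; without it only the three KAM tests count`. In `__KAM_MAILBOX3` the bare `validat`, `rejected` and `quarantine` alternatives match many legitimate Subject lines, which matters more now that a fourth term can supply one of the three required hits. The `ifplugin` block starts outside the hunk.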
@@ -2766,17 +2773,22 @@ header          __KAM_CREDIT5   From =~ /Credit|score|bureau|finance|report|advisory/i
 
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
-replace_tag     A       (?:[\xd0][\xb0]|[\xc9][\x91]|a|α|\@)
-replace_tag     C       (?:[\xd0][\xa1]|c|[\xd1][\x81])
-replace_tag     E       (?:[\xd0][\xb5]|[\xc4][\x97]|e|ε)
-replace_tag     I       (?:[\xd1][\x96]|[\xc4][\xab]|i)
-replace_tag    M       (?:[\xca][\x8d]|m)
-replace_tag     O       (?:[\xd0][\xbe]|o)
-replace_tag    P       (?:[\xd1][\x80]|p|[\xc7][\xb7])
-replace_tag     S       (?:[\xd0][\x85]|s)
-
-header          __KAM_CREDIT6   Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
-header          __KAM_CREDIT7   From =~ /<S>core.?<S>ense/i
+#renamed to A1, C1, etc. to avoid collissions with stock rules
+#Thanks to John Hardin for his help!
+replace_tag     A1      (?:a|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
+replace_tag     B1      (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2])
+replace_tag     C1      (?:c|[\xd0][\xa1]|[\xd1][\x81])
+replace_tag     E1      (?:e|[\xd0][\xb5]|[\xc4][\x97])
+replace_tag     I1      (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9])
+replace_tag    M1      (?:m|[\xca][\x8d])
+replace_tag     O1      (?:o|[\xd0][\xbe]|[\xce][\xbf]|[\xef])
+replace_tag    P1      (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1])
+replace_tag     S1      (?:s|[\xd0][\x85])
+replace_tag    T1      (?:t|[\xcf][\x84]|[\xf4])
+replace_tag    N1      (?:n|[\xe7])
+
+header          __KAM_CREDIT6   Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
+header          __KAM_CREDIT7   From =~ /<S1>core.?<S1>ense/i
 
 replace_rules   __KAM_CREDIT6 __KAM_CREDIT7
 
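Review bot: The new single-byte alternatives, `[\xc2]` and `[\xe2]` in `B1`, `[\xe9]` in `I1`, `[\xef]` in `O1`, `[\xf1]` in `P1`, `[\xf4]` in `T1` and `[\xe7]` in `N1`, are also lead bytes of multi-byte UTF-8 sequences. When a rule is matched against raw UTF-8 bytes, `<B1>` would therefore accept the first byte of any character encoded as `E2 xx xx`, not only a look-alike of "b". They appear to be code points from an 8-bit Greek charset (inferred, the hunk does not say), so a comment above the tags such as `# single-byte entries are 8-bit charset look-alikes and overlap UTF-8 lead bytes` would record the intent and the known overlap. The `ifplugin` block continues outside the hunk.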
@@ -3099,7 +3111,7 @@ endif
 
 #PREV MARK
 header         __KAM_MARK1     Subject =~ /[\[\<]ADV[\>\]]/i
-header         __KAM_MARK2     Subject =~ /[\[\<]SPAM[\>\]]/i
+header         __KAM_MARK2     Subject =~ /[\(\[\<\{](BULK|SPAM)\??[\>\]\)\}]/i
 header         __KAM_MARK3     Subject =~ /[\[\<]VIRUS[\>\]]/i
 
 meta           KAM_MARKADV     (__KAM_MARK1 >= 1)
@@ -4721,11 +4733,11 @@ score    KAM_GOOGLE2 4.5
 describe KAM_GOOGLE2 Fake Google spam
 
 # MORE NIGERIAN VARIANTS
-body     __KAM_NIGERIAN2_1 /congo/i
+body     __KAM_NIGERIAN3_1 /congo/i
 
-meta     KAM_NIGERIAN2 (__KAM_NIGERIAN2_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
-score    KAM_NIGERIAN2 4.5
-describe KAM_NIGERIAN2 Nigerian scam variant
+meta     KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
+score    KAM_NIGERIAN3 4.5
+describe KAM_NIGERIAN3 Nigerian scam variant
 
 # FINGERHUT SPAMS
 header   __KAM_FINGERHUT1 From =~ /finger.?hut/i
@@ -5647,20 +5659,20 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
 
-  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code|google translator|placed (a )?malware/i
+  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>/i
   #Different encodings
-  body         __KAM_CRIM2     /(bit-?<C><O><I>n|BTC|DSH|cryptocurrency)/i
-  body         __KAM_CRIM3     /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n|\d\d\d usd|DSH\)? address|Address part/i
-  body         __KAM_CRIM4     /erotica|<P>orn|promising evidence|video|<M>asturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana|perversion/i
+  body         __KAM_CRIM2     /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})/i
+  body         __KAM_CRIM3     /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part/i
+  body         __KAM_CRIM4     /erotica|<P1>orn|promising evidence|video|<M1>asturbat|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion/i
 
-  body         __KAM_CRIM5     /(twenty.?four|24).?hours|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A>nsfer the (amount|funds)/i
+  body         __KAM_CRIM5     /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)/i
 
-  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|porn|(share|forward) the video/i
+  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward) the video/i
 
-  header               __KAM_CRIM7     From =~ /h<A>ck<E>r|know/i
+  header               __KAM_CRIM7     From =~ /h<A1>ck<E1>r|know/i
 
 
-  meta         KAM_CRIM        (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
+  meta         KAM_CRIM        (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
   describe     KAM_CRIM        Extortion Email
   score                KAM_CRIM        8.5
 endif
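Review bot: `KAM_CRIM` now sums eight sub-tests but still fires at `>= 4`, and one of the two additions, `__KAM_CRIM7`, matches the substring `know` anywhere in the From header. Since the rule scores 8.5, I would either raise the threshold or tighten that test, e.g. `From =~ /h<A1>ck<E1>r|\bknow\b/i`. Separately, the new `bc[13][a-km-zA-HJ-NP-Z0-9]{26,39}` alternative in `__KAM_CRIM2` is unanchored and, under `/i`, its class accepts every letter and digit, so any long alphanumeric token containing `bc1` or `bc3` counts as a cryptocurrency mention. The `\b…\b` form with the restricted `bc1[…]` class used for `BTC_HASHBL_BLACK` later in this diff would be more consistent. `<U>` in `__KAM_CRIM5` and `__KAM_CRIM6` keeps the un-suffixed tag while every other tag was renamed; a comment saying whether that is deliberate would help.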
@@ -5783,10 +5795,10 @@ describe        KAM_FILE                Potential attempt for NTLM attack
 score          KAM_FILE                4.5
 
 #FUN SPAM RUN
-header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar>?$/i
-body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|purehealth/i
+header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london>?$/i
+body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|prefer not to receive future emails|purehealth|leave any time/i
 body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|can't see this image/i
-header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare/i
+header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus/i
 
 meta           KAM_FUN                 (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
 describe       KAM_FUN                 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
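Review bot: In `__KAM_FUN1` the trailing `>?$` binds only to the last alternative, so the newly added `\.asia`, `\.casa` and `\.uno` (like the older entries) match anywhere in the From header, for example inside a display name or a longer hostname label, rather than only as the final TLD. Grouping the list fixes that: `From =~ /\.(?:fun|icu|pro|stream|world|monster|best|store|surf|rest|bar|asia|casa|uno|london)>?$/i`. In `__KAM_FUN4` the new `heal` already covers `healthcare`, and `heal` and `virus` are bare substrings of common Subject words, so that sub-test adds little discrimination to the `>=3` meta.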
@@ -5882,20 +5894,20 @@ meta            KAM_FAVOR       (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4
 describe       KAM_FAVOR       Phishing Attempt
 score          KAM_FAVOR       7.5
 
-# WHITELIST
-#whitelist_auth_from *@pccc.com *@mcgrail.com
+# WHITELIST PCCC/MCGRAIL
+whitelist_auth *@pccc.com *@mcgrail.com
 #trusted_networks 69.171.29.0/25
 #trusted_networks 38.124.232.0/24
 
 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
-header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data/i
+header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|leads/i
 
 #title
-body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (coordinator|campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|Business Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|attendees list/i
+body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (coordinator|campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|(email|attendee)s? list/i
 #db for sale
-body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing/i
+body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples/i
 #db what
-body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|titles\:|business profiles|database of|list from USA|contact details|geography/i
+body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|titles\:|business profiles|database of|list from USA|contact (information|details)|geography|target audience|list.database|data include/i
 
 meta           KAM_LIST3       (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
 describe       KAM_LIST3       Mailing List Purveyor Spam
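Review bot: The previously commented-out whitelist line is now active as `whitelist_auth *@pccc.com *@mcgrail.com`, so every site that loads this file gives authenticated mail from those two third-party domains the whitelist score. That is a trust decision made by the rule author rather than by the local administrator, and an abused or compromised account on either domain would pass most content rules. If this file is redistributed to other sites, I would keep the line commented out, `#whitelist_auth *@pccc.com *@mcgrail.com`, or add a comment telling operators they can undo it locally with `unwhitelist_auth`.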
@@ -6085,10 +6097,9 @@ if (version >= 3.004003)
 
       # BTC address present in BTC blacklist
       # thanks to Henrik Krohns for the regexp
-      body          __HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '(?:\s|^)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\s|$)')
-      priority      __HASHBL_BTC -100
-      tflags        __HASHBL_BTC net
-      meta          BTC_HASHBL_BLACK ( __HASHBL_BTC  && __BITCOIN_ID && !__URL_BTC_ID )
+      body          BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
+      priority      BTC_HASHBL_BLACK -100
+      tflags        BTC_HASHBL_BLACK net
       describe      BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
       score         BTC_HASHBL_BLACK 5.0
 
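Review bot: `BTC_HASHBL_BLACK` is now the eval rule itself, so the earlier gating by `__BITCOIN_ID && !__URL_BTC_ID` is gone and the 5.0 score depends only on the regex capture and the blocklist answer. The `(?<!=)` lookbehind covers an address that follows `=` in a query string, but not one that appears in a URL path, so it may not fully replace `!__URL_BTC_ID` (that rule is defined outside this page). It also means every body string of that shape, up to `max=10`, is looked up at `bl.btcblack.it`. Keeping the sub-rule with `meta BTC_HASHBL_BLACK (__HASHBL_BTC && !__URL_BTC_ID)`, or adding a comment on why the guard was dropped, would make the intent reviewable. The enclosing `if (version >= 3.004003)` block starts and ends outside the hunk.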
@@ -8687,11 +8698,11 @@ endif
 #END of TEST OF HASHBL ADDITIONS
 
 #LABEL
-header         __KAM_LABEL1    Subject =~/(Checking in|Appointment|(this|next) week|thoughts)/i
+header         __KAM_LABEL1    Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation)/i
 body   __KAM_LABEL2    /meet at your office/i
 body   __KAM_LABEL3    /make custom (shirts|sports|jackets|suits)/i
 body   __KAM_LABEL4    /(suits start at \$|shirts at \$)/i
-body   __KAM_LABEL5    /(premier|top) fabrics/i
+body   __KAM_LABEL5    /(premier|top|luxury) fabric/i
 body   __KAM_LABEL6    /\| Label/i
 
 meta           KAM_LABEL       (__KAM_LABEL1 + __KAM_LABEL2 + __KAM_LABEL3 + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 >= 6)
@@ -8781,16 +8792,22 @@ describe        KAM_WATERHACK           Diet Scams
 score          KAM_WATERHACK           5.0
 
 #Sendgrid Exploits 
-header         __KAM_SENDGRID1         EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
-header         __KAM_SENDGRID2         Received =~ /outbound\-mail\.sendgrid\.net \[/i
+  #thanks to Chip for another Spample on 2020-03-07
+header         __KAM_SENDGRID1         EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
+header         __KAM_SENDGRID2         Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i
 
 meta           KAM_SENDGRID            (HEADER_FROM_DIFFERENT_DOMAINS + (__KAM_SENDGRID1 + __KAM_SENDGRID2 >= 1) >= 2)
 describe       KAM_SENDGRID            Sendgrid being exploited by scammers
-score          KAM_SENDGRID            2.0
+score          KAM_SENDGRID            3.0
+
+header         __KAM_EDU_FROM          From:addr =~ /\.edu$/i
 
-meta            KAM_SENDGRID2           (KAM_SENDGRID + TO_IN_SUBJ >= 2)
+header         __KAM_SENDGRID3         Subject =~ /Amex|Wells ?Fargo|American Express|Security Message|Quickbooks/i
+header         __KAM_SENDGRID4         From =~ /Amex|Wells ?Fargo|American Express/i
+
+meta            KAM_SENDGRID2           ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
 describe        KAM_SENDGRID2           Sendgrid being exploited by scammers
-score           KAM_SENDGRID2           2.0
+score           KAM_SENDGRID2           3.0
 
 #Political Spam
 header         __KAM_2020_1            Subject =~ /Re-?elect Trump/i
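Review bot: `KAM_SENDGRID2` no longer requires any SendGrid indicator, because `(__KAM_EDU_FROM + KAM_SENDGRID >= 1)` is satisfied by a `.edu` From address alone. A `.edu` sender whose Subject contains `Security Message`, or hits `TO_IN_SUBJ`, then scores 3.0 under the description "Sendgrid being exploited by scammers". If the `.edu` case is meant to cover mail relayed through SendGrid, require the relay tests as well: `meta KAM_SENDGRID2 ((__KAM_SENDGRID1 + __KAM_SENDGRID2 >= 1) && (__KAM_EDU_FROM + KAM_SENDGRID >= 1) && (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >= 1))`. In `__KAM_SENDGRID2` the dots in `ismtp.*?.sendgrid.net` are unescaped; `ismtp\S*\.sendgrid\.net` would be stricter.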
@@ -8800,4 +8817,19 @@ meta             KAM_2020                (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
 describe       KAM_2020                2020 Political Spams
 score          KAM_2020                5.0
 
+#WeTransfer Spam - Also in Sandbox so we'll see how long it takes to promote it
+header     __FROM_NAME_WETRANSFER        From:name =~ /WeTransfer/i
+header     __SUBJ_WETRANSFER             Subject =~ /WeTransfer Files/i
+meta       GB_WETRANSFER_HTM             ( HTML_ATTACH && (__SUBJ_WETRANSFER + __FROM_NAME_WETRANSFER >= 1) )
+describe   GB_WETRANSFER_HTM             WeTransfer html attachment
+score      GB_WETRANSFER_HTM             3.0 
+
+#Grey Eagle
+header __KAM_GREYEAGLE_1               From =~ /greyeagle|funding|capital|banking|lending/i
+body   __KAM_GREYEAGLE_2               /grey eagle funding/i
+
+meta           KAM_GREYEAGLE           (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
+describe       KAM_GREYEAGLE           Spammy Funding Company w/lots of Domains
+score          KAM_GREYEAGLE           10.0
+
 # EOF
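Review bot: The WeTransfer rules use un-prefixed names (`__FROM_NAME_WETRANSFER`, `__SUBJ_WETRANSFER`, `GB_WETRANSFER_HTM`) and the comment says the same rule is also in the sandbox, so once it is promoted two files would define the same rule and the later-parsed definition and score would win. A `KAM_` prefix, or a comment stating which copy is meant to take precedence, would avoid a silent override. `KAM_GREYEAGLE` scores 10.0 on two matches, well above every other score in this diff; a short comment recording why the full 10.0 is warranted would help whoever tunes it later.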