update KAM.cf
authorStoiko Ivanov <s.ivanov@proxmox.com>
Mon, 16 Nov 2020 18:05:03 +0000 (19:05 +0100)
committerStoiko Ivanov <s.ivanov@proxmox.com>
Mon, 16 Nov 2020 18:05:03 +0000 (19:05 +0100)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
KAM.cf

diff --git a/KAM.cf b/KAM.cf
index e32524001b9bb10d310d813dff6ab73835206927..21c50578c48cc14bb100e6a168ffdfffed4a8281 100644 (file)
--- a/KAM.cf
+++ b/KAM.cf
@@ -1,4 +1,4 @@
-#KAM.cf - SpamAssassin Rules
+#KAM.cf - Apache SpamAssassin Rules
 
 #Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
 #        Bill Cole & Giovanni Bechis
@@ -8,15 +8,21 @@
 
 #HomePage: http://www.mcgrail.com/downloads/KAM.cf
 
-#2018-06-20: We will be moving KAM.cf over to a non-profit to allow for it to
-#            continue being maintained.  It will continue being ASLv2 licensed
-#            but we are soliciting donations to help fund the development.
-#            
-#            As a 501(c)(3), all donations are tax deductible to the extent
-#            permissible by law.
-#
-#            Sponsors gifting $5,000USD or greater per year will be thanked 
-#            in this file and on our website.
+
+#Installation: There are multiple files that make up the KAM ruleset including 
+#heavyweight, deadweight, & nonKAMrules.  KAM.cf is changing to a channel-based 
+#distribution.  Watch the users@spamassassin.apache.org mailing list for an 
+#announcement in early November 2020.
+
+#The ruleset includes internal rules so not every rule will be useful but 
+#we encapsulate those in a KAMOnly defined loop.
+
+#KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity.  Donations
+#are appreciated. See www.mcgrail.com for more information on donations and 
+#sponsorships.
+
+#THANK YOU TO OUR SPONSORS (in Alphabetical Order):
+#cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
 
 
 #This is a collection of special rules that I have developed and use on my system.
@@ -35,7 +41,7 @@
 #I believe the rules are safe and they are in use on production systems so I will
 #do my best to respond to FPs *especially* if you can send me an email sample.
 #
-#This cf file is designed for systems with a threshold of 5.0 or higher.  
+#IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.
 
 
 #It is best to save an email sample in mbox format and zip it to attach to get 
 #    for content.  For example, the sexually explicit items and the stock tips.  
 #    FPs in these rules will be quickly addressed.
 
-#For a free anti-spam consultation, fill out the form at the following URL:
-#https://raptor.pccc.com/free_spam_consultation.cgim
-
-#
 #Copyright (c) 2020 Kevin A. McGrail and the McGrail Foundation
 #
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 
-# NOTE: You should also grab a file we use of some various rules at
-# https://www.mcgrail.com/downloads/nonKAMrules.cf
-# And realize that we have numerous internal rules so not every rule will be 
-# useful but we try and encapsulate those in a KAMOnly defined loop.
-
 # COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
 body     __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
+
 rawbody  __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
+
 meta            KAM_MM_FOREX    __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
 score    KAM_MM_FOREX 2.5
 describe KAM_MM_FOREX Polish-language spam from the Forex botnet
@@ -164,7 +163,12 @@ describe   KAM_OVERPAY     Common Medicinal Ad Trick
 score          KAM_OVERPAY     3.5
 
 #VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
-body            KAM_VIAGRA1     /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
+replace_rules  __KAM_VIAGRA2
+
+body            __KAM_VIAGRA1   /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
+header         __KAM_VIAGRA2   Subject =~ /<V1><I1><A1><G1><R1><A1>/i
+
+meta           KAM_VIAGRA1     (__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
 describe        KAM_VIAGRA1     Common Viagra and Medicinal Table Trick
 score           KAM_VIAGRA1     3.0
 
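Review bot: The added `replace_rules __KAM_VIAGRA2` line and the `<V1><I1><A1><G1><R1><A1>` Subject rule are not wrapped in `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags`, unlike the STORAGE LIMIT block later in this file, which guards its `replace_rules` that way. Without the plugin, `replace_rules` is likely to be rejected as an unknown setting by `spamassassin --lint`, and the header pattern would only ever match the literal tag text. I would put both lines inside `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags` … `endif` and make sure `meta KAM_VIAGRA1` still has a definition when the plugin is absent. The `replace_tag` definitions for `V1`, `G1` and `R1` are not visible in this hunk, so confirm they exist before relying on the rule.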
@@ -464,7 +468,7 @@ body                __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
 body           __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
 body           __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
 body           __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
-body           __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Management|Quest Science Management Gate)(\b|$)/is
+body           __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
 body           __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
 body           __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
 
@@ -829,7 +833,9 @@ header    __KAM_SEX_EXPLICIT1    Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1
 header    __KAM_SEX_EXPLICIT2    Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
 header   __KAM_SEX_EXPLICIT3    From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck)/i
 #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
-body     __KAM_SEX_EXPLICIT4    /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\#ck|F\*ck_|find milfs/i
+body     __KAM_SEX_EXPLICIT4    /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs/i
+#remove f\#ck for FPs
+
 header   __KAM_SEX_EXPLICIT5    Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
 body     __KAM_SEX_EXPLICIT6   /virus on a porn web/i
 
@@ -864,11 +870,16 @@ score             KAM_TELEWORK    3.0
 #Changed to meta 2017-10-17
 #2017-10-23 - Removed .link.  Uniregistry has committed to reviewing abuse concerns.
 #2019-11-24 - Removed .bid for FPs
-header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|press|top|date)$/i
-uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|press|top|date)($|\/)/i
+#2020-06-04 - Added FP check for td.date and div.top
+#2020-08-23 - Added guru 
+header                 __KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|press|top|date|guru)$/i
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI           /\.(pw|stream|trade|press|top|date|guru)($|\/)/i
+
+#FPs
+uri            __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE  /(^|\b)td\.date|div\.top($|\/)/i
 
-meta           KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
-describe       KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press & .date TLD Abuse
+meta           KAM_SOMETLD_ARE_BAD_TLD         (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
+describe       KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press, .guru & .date TLD Abuse
 score          KAM_SOMETLD_ARE_BAD_TLD         5.0
 
 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body 
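Review bot: The alternation in `__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE` is not grouped, so `/(^|\b)td\.date|div\.top($|\/)/i` parses as `(^|\b)td\.date` OR `div\.top($|\/)`. The first branch has no end anchor and the second has no start anchor, so the exception matches more than the two false-positive strings named in the 2020-06-04 comment. Because the meta applies `&& !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE` to the whole message, one such match turns off the 5.0-point URI check for every other URI in the same mail. Grouping both sides narrows it: `uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(?:^|\b)(?:td\.date|div\.top)(?:$|\/)/i`. A one-line comment on the meta saying the exclusion is per message, not per URI, would also help.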
@@ -1092,27 +1103,35 @@ describe        KAM_COMBOJDR    Spam Test for Rules Combined with KAM_SPAMJDR
 score          KAM_COMBOJDR    5.0
 
 #LOTTO CRUD
-body           __KAM_LOTTO1    /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
+body           __KAM_LOTTO1    /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
+
 body           __KAM_LOTTO2    /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
+
 body           __KAM_LOTTO3    /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
-body           __KAM_LOTTO4    /(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
-body           __KAM_LOTTO5    /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)/is
-body           __KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email/is
-header         __KAM_LOTTO7    Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number)/i
+
+body           __KAM_LOTTO4    /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
+
+body           __KAM_LOTTO5    /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
+
+body           __KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address/is
+
+header         __KAM_LOTTO7    Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
+
 header         __KAM_LOTTO8    From =~ /Lottery|powerball|western.union/i
+
 header         __KAM_LOTTO9    Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
 
 meta           KAM_LOTTO1      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
 describe       KAM_LOTTO1      Likely to be an e-Lotto Scam Email
-score          KAM_LOTTO1      0.5
+score          KAM_LOTTO1      0.75
 
 meta            KAM_LOTTO2      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
 describe        KAM_LOTTO2      Highly Likely to be an e-Lotto Scam Email
-score           KAM_LOTTO2      1.0
+score           KAM_LOTTO2      1.25
 
 meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
 describe        KAM_LOTTO3      Almost certain to be an e-Lotto Scam Email
-score           KAM_LOTTO3      2.0
+score           KAM_LOTTO3      3.0
 
 #ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
 header         __KAM_ABOUT1    Subject =~ /About your Internet (activities|activity)/i
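Review bot: `claims requirement` is now matched by both `__KAM_LOTTO4` (through the added `requirement` alternative) and `__KAM_LOTTO6`, which already listed it, so that one phrase adds two to the sum behind `KAM_LOTTO1`, `KAM_LOTTO2` and `KAM_LOTTO3`. The same hunk raises the three scores to 0.75, 1.25 and 3.0, which total 5.0 when all three metas fire, the threshold this file says it is designed for (previously 3.5). I would keep the phrase in only one sub-rule, for example leaving `__KAM_LOTTO4` as `claims (office|agent|manager)`. A dated comment on the score change, in the style used elsewhere in the file, would record why the stacked total now reaches the threshold on its own.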
@@ -1329,10 +1348,10 @@ meta            KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEB
 score          KAM_INFOUSMEBIZ 0.75
 describe       KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
 
-# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
-rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
-header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|work|rocks|science|club)$/i
-header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|work|rocks|science|club)>?$/i
+# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science, .casa
+rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
+header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
+header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i
 
 meta            KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
 score           KAM_OTHER_BAD_TLD 0.75
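Review bot: `__KAM_OTHER_BAD_TLD1` still matches `http:\/\/` only, so this rawbody rule does not see HTTPS links to the newly added `farm` and `casa` TLDs (or to the existing ones); `https?:\/\/` would cover both schemes. In the same pattern the dot in `(?:www.)?` is unescaped and should read `(?:www\.)?`. The section comment now mentions `.casa` but not `.farm` or `.club`, so I would update it to list exactly the TLDs in the three regexes.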
@@ -1705,14 +1724,14 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
   endif
 
   if (version >= 3.004001) 
-    #Compromised URI - In Body
-    urirhssub  KAM_BODY_COMPROMISED_URIBL_PCCC    wild.pccc.com. A 127.0.1.2
-    body       KAM_BODY_COMPROMISED_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL2_PCCC')
-    describe   KAM_BODY_COMPROMISED_URIBL_PCCC    Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
-    tflags     KAM_BODY_COMPROMISED_URIBL_PCCC    net
-    score      KAM_BODY_COMPROMISED_URIBL_PCCC    9.0
-
     ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+      #Compromised URI - In Body
+      urirhssub  KAM_BODY_COMPROMISED_URIBL_PCCC    wild.pccc.com. A 127.0.1.2
+      body       KAM_BODY_COMPROMISED_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL2_PCCC')
+      describe   KAM_BODY_COMPROMISED_URIBL_PCCC    Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
+      tflags     KAM_BODY_COMPROMISED_URIBL_PCCC    net
+      score      KAM_BODY_COMPROMISED_URIBL_PCCC    9.0
+
       #Contains a likely good URI but otherwise compromised by malware/hackers
       header     KAM_FROM_COMPROMISED_URIBL_PCCC    eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
       describe   KAM_FROM_COMPROMISED_URIBL_PCCC    From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
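Review bot: The moved `KAM_BODY_COMPROMISED_URIBL_PCCC` body rule passes `'KAM_URIBL2_PCCC'` to `check_uridnsbl`, while the `urirhssub` line above it registers the lookup under `KAM_BODY_COMPROMISED_URIBL_PCCC`; by convention the two names are the same. As far as I can tell the eval argument does not drive the hit, so this is probably harmless, but `eval:check_uridnsbl('KAM_BODY_COMPROMISED_URIBL_PCCC')` would remove the doubt. The move also restricts this 9.0-point rule to installs with the KAMOnly plugin, so a dated comment in the file's usual style explaining why would be useful. The `ifplugin Mail::SpamAssassin::Plugin::KAMOnly` block continues past the end of this hunk.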
@@ -1750,7 +1769,7 @@ ifplugin Mail::SpamAssassin::Plugin::EmailBL
     header   KAM_MESSAGE_EMAILBL_PCCC  eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
     describe KAM_MESSAGE_EMAILBL_PCCC  Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
     tflags   KAM_MESSAGE_EMAILBL_PCCC  net
-    score    KAM_MESSAGE_EMAILBL_PCCC  5.0
+    score    KAM_MESSAGE_EMAILBL_PCCC  6.0
   endif
 endif
 
@@ -1887,32 +1906,39 @@ score           KAM_SEARCH      5.0
 describe       KAM_SEARCH      Spammers hawking SEO
 
 #SEO
-header         __KAM_SEO1      Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service/i
-body           __KAM_SEO2      /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
-body           __KAM_SEO3      /never find your web site|major search engines|link.building|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website/i
-body           __KAM_SEO4      /No upfront fees|SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking/i
-body           __KAM_SEO5      /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top/i
-body           __KAM_SEO6      /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion/i
-uri             __KAM_SEO7      /./ # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
-
-meta           KAM_SEO         (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + __KAM_FREEMAIL + KAM_ADVERT2 >= 5)
+header         __KAM_SEO1      Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report/i
+#what we give you
+body           __KAM_SEO2      /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|ranking report/i
+tflags         __KAM_SEO2      nosubject
+#what we do/fix
+body           __KAM_SEO3      /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings/i
+#SEO
+body           __KAM_SEO4      /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
+#costs
+body           __KAM_SEO5      /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial/i
+#SEO Indicators
+body           __KAM_SEO6      /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam/i
+# LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
+uri             __KAM_SEO7      /./ 
+
+meta           KAM_SEO         (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
 score          KAM_SEO         7.0
 describe       KAM_SEO         Spammers hawking SEO
 
 #ABUSED FREEMAIL ACCOUNTS
-header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
-header         __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
-meta           __KAM_FREEMAIL  (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
+#header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
+#header                __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
+#meta          __KAM_FREEMAIL  (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
 
 #LINGERIE VIDEOS
-header         __KAM_LINGERIE1 From =~ /lexi campbell/i
-header         __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
-header         __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
-body           __KAM_LINGERIE4 /Exotic modelling videos/i
+#header                __KAM_LINGERIE1 From =~ /lexi campbell/i
+#header                __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
+#header                __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
+#body          __KAM_LINGERIE4 /Exotic modelling videos/i
 
-meta           KAM_LINGERIE    (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
-score          KAM_LINGERIE    10.0
-describe       KAM_LINGERIE    Sexually Explicity Lingerie Spam
+#meta          KAM_LINGERIE    (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
+#score         KAM_LINGERIE    10.0
+#describe      KAM_LINGERIE    Sexually Explicity Lingerie Spam
 
 
 #WEB DESIGN
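Review bot: `__KAM_FREEMAIL` is commented out and dropped from `KAM_SEO` here, but only the rules visible in this hunk are adjusted. If any meta elsewhere in KAM.cf still references `__KAM_FREEMAIL`, it would now depend on an undefined rule, which SpamAssassin would most likely treat as never matching, so it is worth searching the file before merging. `KAM_SEO` keeps `>= 5` although it now sums eight terms instead of nine; please confirm that the tighter effective threshold is intended. The disabled FREEMAIL and LINGERIE rules have no explanation, so I would add a dated one-line comment like the `#2019-11-24 - Removed .bid for FPs` entries, or delete the lines outright.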
@@ -2341,9 +2367,9 @@ score             KAM_SEXSUBJECT  2.0
 describe       KAM_SEXSUBJECT  Sexually Explicit Subject
 
 #RUSSIAN WIFE/BRIDE SCAMS
-header         __KAM_WIFE1     Subject =~ /Remember me|(Russian|asian) ?(single|women|bride|lad(y|ies)|babe)/i
-body           __KAM_WIFE2     /marry a Russian|sizzling photos|(russian|asian) (women|beauties)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl/i
-header         __KAM_WIFE3     From =~ /Russian.?Dat|russian.?bride|Russian.?single|russian.?women|asian.?beauties/i
+header         __KAM_WIFE1     Subject =~ /Remember me|(Russian|asian) ?(beaut|single|women|bride|lad(y|ies)|babe)/i
+body           __KAM_WIFE2     /marry a Russian|sizzling photos|(russian|asian) (women|beaut)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl|sexy photos/i
+header         __KAM_WIFE3     From =~ /(asian|russian).?(dat|bride|single|women|beaut)|(date|nice).?(russian|asian)/i
 
 meta            KAM_WIFE       ( __KAM_WIFE1 +  __KAM_WIFE2 + __KAM_WIFE3 >= 2)
 score           KAM_WIFE       8.0
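Review bot: The rewritten `__KAM_WIFE3` has no word boundaries, so `(asian|russian).?(dat|bride|single|women|beaut)` also matches From display names or domains such as "Asian Data" or "Caucasian Dating" (constructed examples). `(date|nice).?(russian|asian)` matches inside longer words in the same way. `KAM_WIFE` scores 8.0 on any two of its three sub-rules, and `__KAM_WIFE1` already fires on the ordinary subject `Remember me`, so a loose From match is an expensive false positive. I would anchor both branches: `header __KAM_WIFE3 From =~ /\b(asian|russian).?(dat|bride|single|women|beaut)|\b(date|nice).?(russian|asian)\b/i`.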
@@ -2633,20 +2659,28 @@ describe        KAM_SELLPHONE   Used Equipment Spam
 #STORAGE LIMIT
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
-  replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2
+  replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
 
  #ISSUE
-  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account|communication failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|delivery of \d|messages.{0,6}returned|\d.{0,2}(failed|undelivered|incoming) (message|mail)|synchronize \d email|messages.{1,10}suspend|report your account|configuration error|updating stage|blacklisted|quota notification|mailbox agreement|(system|security|server) upgrade|system malfunction|mail notice|due for an update|mailbox managment|automatically renew/i
+  body         __KAM_MAILBOX1  /mailbox .{0,12}exceeded|(storage|email).(limit|quota|size|capacity)|(box|quota) is (almost )?full|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming) (message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) noti|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred/i
   tflags       __KAM_MAILBOX1  nosubject
  #ACTION
-  body         __KAM_MAILBOX2  /(verify|update|upgrade|validate|r<E1>confirm) (their|your)? {0,5}(<A1>ccount|mail|info|email|web ?mail)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota upgrade|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account|choose what happens|blacklisting inactive|continue the usage|untrusted activity|review (message|e?mail)|(verify|validate) (here|now)|reset below|verification process|email disk usage|auto extend your disk|confirm your details|mandetory file|retrieve here|expected to reactivate|keep your webmail/i
+  body         __KAM_MAILBOX2  /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(<A1>ccount|(web-?)?mail|info|email|web ?mail)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) upgrade|create some additional storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) them|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|same password|mail verification|same password|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?pending|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)/i
   tflags       __KAM_MAILBOX2  nosubject
  #SUBJECT
-  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important|admin) noti|needs to be upgraded|(incoming|pending) (mails|document|message)|delivery (problem|is blocked|failure)|storage (is )?full|inbox full|(unread|upgrade|delayed) e?mail|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|(security|account) (update|upgrade)|quarantine|rejected|undelivered|limit .{0,5}exceeded|confirmation required|mailbox account|(blocked|held) messages|technology services|(server|mail).{1,8}error|validat|messages.{1,10}suspend|account limited|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|re-?activation/i 
+  header       __KAM_MAILBOX3  Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system) (attention|warning|noti)|needs to be upgraded|(incoming|pending) ((e-?)?mails|document|message)|(del<I1>v<E1>ry|synchronization) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) e?mail|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(Final|security|account|password) (update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}suspend|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate/i 
 
-  meta         KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 + T_FREEMAIL_DOC_PDF >= 3)
+  meta         KAM_MAILBOX     (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG >= 2)
   score                KAM_MAILBOX     6.75
   describe     KAM_MAILBOX     Mailbox Quota Phishing Scams
+
+  meta          KAM_MAILBOX2    (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
+  score         KAM_MAILBOX2    4.5
+  describe      KAM_MAILBOX2    Mailbox Quota Phishing Scams
+
+  meta         KAM_MAILBOX3    (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
+  describe     KAM_MAILBOX3    Enhanced Scoring for Mailbox Quota Phishing
+  score                KAM_MAILBOX3    2.5
 endif
 
 #SHORTERNERS
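Review bot: The new `KAM_MAILBOX2` meta scores 4.5 on the three text subrules alone, while `__KAM_MAILBOX1` gains very loose alternatives such as bare `virus` and `.\d. pending`. A genuine quota or security notice from a mail administrator can therefore reach the threshold with no sender-side signal. Bounding the loosest tokens (for example `\bvirus\b`) would narrow this, as would requiring one non-text signal in `KAM_MAILBOX2`. Separately, `same password` is listed twice in `__KAM_MAILBOX2` and `confirmation required` twice in `__KAM_MAILBOX3`, so the duplicates can be dropped. `KAM_SENDGRID` and `KAM_SENDGRID2` are not defined in this hunk; if they are declared under a different `ifplugin` guard elsewhere in the file, these metas should sit under the same guard.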
@@ -2655,7 +2689,7 @@ score             KAM_SHORT       0.001
 describe       KAM_SHORT       Use of a URL Shortener for very short URL
 
 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
-uri            __KAM_SHORT     /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it)\/[^\/]{3}\/?/
+uri            __KAM_SHORT     /^http:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
 
 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
 uri             __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
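Review bot: `__KAM_SHORT` is still anchored to `^http:\/\/`, so an https link to any listed host, including the newly added `bit.do` and `l.linklyhq.com`, is not matched. Using `^https?:\/\/` would cover both schemes, as `__KAM_TINYDOMAIN` just below already does; if the http-only anchor is deliberate, a comment saying so would help. The new `bit\.(do|ly)` group can be written `bit\.(?:do|ly)` to stay consistent with the enclosing `(?:...)`.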
@@ -2770,22 +2804,32 @@ header          __KAM_CREDIT5   From =~ /Credit|score|bureau|finance|report|advisory/i
 #Useful Resources for Tags
 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
 #https://www.branah.com/unicode-converter
+#look at the encoding type and the charset.  For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'
 
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
 #renamed to A1, C1, etc. to avoid collissions with stock rules
-#Thanks to John Hardin for his help!
-replace_tag     A1      (?:a|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
-replace_tag     B1      (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2])
-replace_tag     C1      (?:c|[\xd0][\xa1]|[\xd1][\x81])
-replace_tag     E1      (?:e|[\xd0][\xb5]|[\xc4][\x97])
-replace_tag     I1      (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9])
-replace_tag    M1      (?:m|[\xca][\x8d])
-replace_tag     O1      (?:o|[\xd0][\xbe]|[\xce][\xbf]|[\xef])
-replace_tag    P1      (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1])
-replace_tag     S1      (?:s|[\xd0][\x85])
-replace_tag    T1      (?:t|[\xcf][\x84]|[\xf4])
-replace_tag    N1      (?:n|[\xe7])
+#Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
+#thanks as well to Henrik Krohns
+replace_tag     A1      (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
+replace_tag     B1      (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
+replace_tag     C1      (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
+replace_tag    D1      (?:d|[\xf0\x9d\x9a\x8d])
+replace_tag     E1      (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
+replace_tag    G1      (?:g|[\xf0\x9d\x97\x80])
+replace_tag     I1      (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l)
+replace_tag    M1      (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
+replace_tag     N1      (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
+replace_tag     O1      (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98])
+replace_tag    P1      (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
+replace_tag    R1      (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
+replace_tag     S1      (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
+replace_tag    T1      (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
+replace_tag    U1      (?:u|[\xf0\x9d\x98\x82])
+replace_tag    V1      (?:v|[\xf0\x9d\x96\xb5])
+replace_tag    W1      (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0])
+replace_tag    Y1      (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
+replace_tag    SPACE1  (?: |[\xc2\xa0])
 
 header          __KAM_CREDIT6   Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
 header          __KAM_CREDIT7   From =~ /<S1>core.?<S1>ense/i
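Review bot: The new four-byte entries are each written as a single bracket expression, e.g. `[\xf0\x9d\x97\xae]`, which is a character class matching any one of those bytes rather than the four-byte sequence. Every tag that has such an entry therefore also matches a lone `\xf0`, `\x9d` and so on, whereas the older entries use one class per byte (`[\xd0][\xb0]`). Write the sequences without brackets, e.g. `replace_tag A1 (?:a|\xf0\x9d\x97\xae|\xf0\x9d\x9a\x8a|[\xd0][\xb0]|[\xc9][\x91]|α|\@)`, and likewise `replace_tag SPACE1 (?: |\xc2\xa0)`. In `B1` the last entry `[xf0\x9d\x9a\x8b]` is missing the backslash before `xf0`, so `<B1>` also matches the literal characters `x`, `f` and `0`. `N1` and `O1` both list `\xf0\x9d\x97\xbc`, and `Y1` and `S1` both list `\xf0\x9d\x98\x80`; one of each pair looks like a copy error and should be checked against the code chart.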
@@ -2980,10 +3024,11 @@ describe        KAM_MEMBER      Dating Scams
 score           KAM_MEMBER      4.5
 
 #MEDICARE
-header          __KAM_MEDICARE1   From =~ /Medicare|health.?options|enrollment/i
+header          __KAM_MEDICARE1   From =~ /(Medicare|health.?options|enrollment)/i
 header          __KAM_MEDICARE2   Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
-body            __KAM_MEDICARE3   /medicare.(plan|recipient)/i
-body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium/i
+body            __KAM_MEDICARE3   /medicare.(plan|recipient|annual election)/i
+tflags         __KAM_MEDICARE3   nosubject
+body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
 
 meta            KAM_MEDICARE      (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
 describe        KAM_MEDICARE      Medicare Scams
@@ -3164,8 +3209,8 @@ describe  KAM_FACEBOOKMAIL        Fake or Abused Facebook Mail
 score          KAM_FACEBOOKMAIL        8.0
 
 #FAKE DHL/FEDEX/ETC
-body           __KAM_FAKEDELIVER1      /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached/i
-header         __KAM_FAKEDELIVER2      Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel/i
+body           __KAM_FAKEDELIVER1      /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping/i
+header         __KAM_FAKEDELIVER2      Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation/i
 
  #DHL
 body           __KAM_FAKEDELIVER3      /DHL/
@@ -3187,10 +3232,11 @@ header          __KAM_FAKEDELIVER10     From =~ /shipping|economy|priority/i
 body           __KAM_FAKEDELIVER11     /DPD/i
 header         __KAM_FAKEDELIVER12     From !~ /dpd.com|dpd.co.uk/i
 
+uri            __KAM_FAKEDELIVER13     /cdn.discordapp.com/i
 
-meta           KAM_FAKE_DELIVER        (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED >= 1) >= 3)
+meta           KAM_FAKE_DELIVER        (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKEDELIVER13 >= 1) >= 3)
 describe       KAM_FAKE_DELIVER        Fake delivery notifications
-score          KAM_FAKE_DELIVER        5.0
+score          KAM_FAKE_DELIVER        6.25
 
 meta            KAM_REALLY_FAKE_DELIVER   (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
 score           KAM_REALLY_FAKE_DELIVER   2.5
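Review bot: `uri __KAM_FAKEDELIVER13 /cdn.discordapp.com/i` leaves the dots unescaped and the pattern unanchored, so it matches that string anywhere in a URI (path, query or a look-alike host), although this same commit escapes the dots in `__KAM_GOOGLEPHISH2`. Restricting it to the host keeps the signal precise: `uri __KAM_FAKEDELIVER13 /^https?:\/\/cdn\.discordapp\.com\//i`. The subrule is also added to the group that otherwise holds sender-forgery signals (`HEADER_FROM_DIFFERENT_DOMAINS`, `SPF_SOFTFAIL`, `KAM_RAPTOR_ALTERED`). Since the score rises to 6.25 in the same hunk, a one-line comment on why a hosting-location match counts there would help the next maintainer.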
@@ -3269,7 +3315,7 @@ score           KAM_QTJARS       3.0
 #GOOGLE DOCS PHISH
 # view the agreement.
 body           __KAM_GOOGLEPHISH1      /copy of the signed agreement/i
-rawbody                __KAM_GOOGLEPHISH2      /http:\/\/.{5,50}\/http\/docs.google.com\/login\//i
+rawbody                __KAM_GOOGLEPHISH2      /http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i
 
 meta           KAM_GOOGLEPHISH         (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
 describe       KAM_GOOGLEPHISH         Google Login Phishing Scam
@@ -3327,7 +3373,7 @@ meta              KAM_SHARKTANK           (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
 score          KAM_SHARKTANK           1.0
 describe       KAM_SHARKTANK           Mentions Shark Tank
 
-body           __KAM_SHARKPROD         /high blood pressure|moles|Dermabellix|follicles|drop 20|IQ/is
+rawbody                __KAM_SHARKPROD         /high blood pressure|moles|Dermabellix|follicles|drop 20|IQ|keto SS/is
 
 meta           KAM_SHARKPROD           (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
 score          KAM_SHARKPROD           5.0
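Review bot: Switching `__KAM_SHARKPROD` from `body` to `rawbody` makes the short case-insensitive tokens `IQ` and `moles` match inside HTML markup and URLs as well as visible text (any `iq` substring, e.g. in `unique`). The subrule is then likely to hit on a large share of HTML mail, and `KAM_SHARKPROD` adds its 5.0 points on little more than `KAM_SHARKTANK`. Word boundaries keep the intent: `rawbody __KAM_SHARKPROD /high blood pressure|\bmoles\b|Dermabellix|follicles|drop 20|\bIQ\b|keto SS/i`. The `s` modifier can go, since the pattern contains no `.`.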
@@ -3500,7 +3546,7 @@ score           KAM_PEST    3.5
 
 #PROPHET
 header          __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
-header          __KAM_PROPHET2 From =~ /christian.*prophe|twintongues/i
+header          __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues/i
 body            __KAM_PROPHET3 /Dear Christian Friend/i
 body           __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
 body           __KAM_PROPHET5 /prophecy|rapture/i
@@ -3713,14 +3759,14 @@ describe KAM_NUMEROLOGY Pseudo-scientific spam
 score    KAM_NUMEROLOGY 3.5
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  #VOICEMAIL SPAM
-  header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
-  header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
-  body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
-
-  meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
-  describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
-  score    KAM_VOICEMAIL 5.0
+#VOICEMAIL SPAM
+header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
+header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
+body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
+
+meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
+describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
+score    KAM_VOICEMAIL 5.0
 endif
 
 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
@@ -3795,14 +3841,14 @@ score    KAM_MARIJUANA2   8.0
 describe KAM_MARIJUANA2   Definitely spam for marijuana
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  # EVICTION NOTICE
-  header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
-  header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
-  body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
-
-  meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
-  describe KAM_EVICTION    Malware disguised as eviction notice
-  score    KAM_EVICTION    4.5
+# EVICTION NOTICE
+header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
+header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
+body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
+
+meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
+describe KAM_EVICTION    Malware disguised as eviction notice
+score    KAM_EVICTION    4.5
 endif
 
 # WALK IN TUBS
@@ -4242,7 +4288,7 @@ describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
 
 describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
 rawbody  KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
-score    KAM_REALLYHUGEIMGSRC 1.1
+score    KAM_REALLYHUGEIMGSRC 0.5
 
 rawbody  KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
 describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
@@ -4381,11 +4427,13 @@ meta     KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >=
 score    KAM_CLOUD 3.5
 describe KAM_CLOUD Spam for cloud services
 
+#FAX AND PAPERLESS SPAM
 header   __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
-header   __KAM_PAPERLESS2 Subject =~ /paperless|fax to email|send document|fax thru email|receive faxes|send faxes|fax.message|voice.message|new.fax|have.received/i
-body     __KAM_PAPERLESS3 /fax service|service plan|view.this.fax|\d.page.fax|voice.message/i
+header   __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
+body     __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
+body    __KAM_PAPERLESS4 /link expires/i
 
-meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
+meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
 score    KAM_PAPERLESS 4.5
 describe KAM_PAPERLESS Paperless spam for the paperless office
 
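Review bot: Adding `__KAM_PAPERLESS4` to the sum while keeping `>= 4` changes `KAM_PAPERLESS` from requiring all four terms to requiring any four of five, so it can now fire without `HEADER_FROM_DIFFERENT_DOMAINS`. That leaves only text matches, including the broad `admin` in `__KAM_PAPERLESS1` and `have.received` in `__KAM_PAPERLESS2`. If the domain mismatch is meant to stay mandatory, take it out of the count: `meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 >= 3) && HEADER_FROM_DIFFERENT_DOMAINS`. If the loosening is intended, a comment above the meta stating so would make that clear.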
@@ -4601,12 +4649,12 @@ describe KAM_TOLL Spam for road tolls
 score    KAM_TOLL 8.0
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  #KAM_AMAZON
-  header   __KAM_AMAZON1 From =~ /amazon\.com/i
+#KAM_AMAZON
+header   __KAM_AMAZON1 From =~ /amazon\.com/i
 
-  meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
-  score    KAM_AMAZON 4.5
-  describe KAM_AMAZON Fake Amazon email with malware
+meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
+score    KAM_AMAZON 4.5
+describe KAM_AMAZON Fake Amazon email with malware
 endif
 
 # LANDSCAPING
@@ -4639,23 +4687,23 @@ score    KAM_ADVERTISE 4.5
 
 # RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
 if (version >= 3.003002)
- ifplugin Mail::SpamAssassin::Plugin::DKIM
-    ifplugin Mail::SpamAssassin::Plugin::SPF
-      # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
-      header   __KAM_SPF_NONE    eval:check_for_spf_none()
+ifplugin Mail::SpamAssassin::Plugin::DKIM
+ifplugin Mail::SpamAssassin::Plugin::SPF
+# We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
+header   __KAM_SPF_NONE    eval:check_for_spf_none()
 
-      meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
-      score    KAM_LAZY_DOMAIN_SECURITY 1.0
-      describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
-    endif
-  endif
+meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
+score    KAM_LAZY_DOMAIN_SECURITY 1.0
+describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
+endif
+endif
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  # FORGED EMAILS WITH A VIRUS ATTACHED
-  meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
-  score    KAM_FORGED_ATTACHED 4.5
-  describe KAM_FORGED_ATTACHED Forged email with a malware attachment
+# FORGED EMAILS WITH A VIRUS ATTACHED
+meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
+score    KAM_FORGED_ATTACHED 4.5
+describe KAM_FORGED_ATTACHED Forged email with a malware attachment
 endif
 
 # LOTS OF PERIODS IN SUBJECT
@@ -4703,10 +4751,10 @@ score    KAM_LINKBAIT3 1.5
 describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  # MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
-  meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
-  score    KAM_PHISHY_DOLLARS 3.5
-  describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
+# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
+meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
+score    KAM_PHISHY_DOLLARS 3.5
+describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
 endif
 
 # RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
@@ -4758,9 +4806,9 @@ describe KAM_FRIEND Friend request spam
 
 # ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
-  score    KAM_VERY_MALWARE 3.5
-  describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
+meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
+score    KAM_VERY_MALWARE 3.5
+describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
 endif
 
 #MERCHANT ACCOUNTS SPAM
@@ -4774,24 +4822,24 @@ describe KAM_MERCHANT Spam for merchant processing
 
 # ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
-  header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
+mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
+header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
 
-  # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
-  #meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
-  #describe KAM_ZERODAY obviously a malware email that was not caught
-  #score    KAM_ZERODAY 8.0
+# DISABLED 7/16 FOR NO LONGER BEING RELEVANT
+#meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
+#describe KAM_ZERODAY obviously a malware email that was not caught
+#score    KAM_ZERODAY 8.0
 
-  # ANOTHER ONE
-  header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
+# ANOTHER ONE
+header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
 
-  meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
-  score    KAM_ZERODAY2 1.0
-  describe KAM_ZERODAY2 Another obvious zero-day malware
+meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
+score    KAM_ZERODAY2 1.0
+describe KAM_ZERODAY2 Another obvious zero-day malware
 
-  meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
-  score    KAM_ZERODAY3 3.5
-  describe KAM_ZERODAY3 Another obvious zero-day malware
+meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
+score    KAM_ZERODAY3 3.5
+describe KAM_ZERODAY3 Another obvious zero-day malware
 endif
 
 # FAMILY TREE SPAM
@@ -4817,9 +4865,9 @@ body     __KAM_NOISE1 /([a-z0-9],){12}/i
 body     __KAM_NOISE2 /([a-z]{1,10},){10}/i
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
-  describe KAM_NOISE1 Pattern of noise words at the end of an email
-  score    KAM_NOISE1 2.5
+meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
+describe KAM_NOISE1 Pattern of noise words at the end of an email
+score    KAM_NOISE1 2.5
 endif
 
 # FREE PIZZA WOO!
@@ -4953,11 +5001,11 @@ describe KAM_DROPBOX Fake Dropbox emails
 
 # BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
+header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
 
-  meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
-  describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
-  score    KAM_YAHOO_MISTAKE -3.0
+meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
+describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
+score    KAM_YAHOO_MISTAKE -3.0
 endif
 
 # GARBAGE FREEMAIL
@@ -5028,7 +5076,7 @@ header   __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
 header   __KAM_BADPHP2 X-Source-Args =~ /css.php/i
 
 meta     KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
-score    KAM_BADPHP 2.5
+score    KAM_BADPHP 3.5
 describe KAM_BADPHP Questionable PHP mailer headers
 
 # TINNITUS
@@ -5077,17 +5125,17 @@ describe KAM_CAD Spam for CAD services
 score    KAM_CAD 3.5
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  #SPAM WITH OFFICE MACROS
-  header   __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+#SPAM WITH OFFICE MACROS
+header   __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
 
-  meta    KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
-  describe KAM_VBMACRO Message contains attachment with VB macro
-  score    KAM_VBMACRO 6.5
-  
-  #SPAM THAT INDICATES DYNAMIC IP
-  header   KAM_DYNIP   X-KAM-DynamicIndicator =~ /True/i 
-  describe KAM_DYNIP   Message contains Dynamic IP Address Indicator
-  score    KAM_DYNIP   6.5
+meta      KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
+describe KAM_VBMACRO Message contains attachment with VB macro
+score    KAM_VBMACRO 6.5
+
+#SPAM THAT INDICATES DYNAMIC IP
+header   KAM_DYNIP   X-KAM-DynamicIndicator =~ /True/i 
+describe KAM_DYNIP   Message contains Dynamic IP Address Indicator
+score    KAM_DYNIP   6.5
 endif
 
 
@@ -5151,23 +5199,23 @@ describe KAM_DRIVE Spam for ordering office equipment
 
 #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta          KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
-  score         KAM_QUITE_BAD_DNSWL    3.25
-  describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+score   KAM_QUITE_BAD_DNSWL    3.25
+describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 else
-  meta          KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
-  score         KAM_QUITE_BAD_DNSWL    3.25
-  describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_QUITE_BAD_DNSWL    (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+score   KAM_QUITE_BAD_DNSWL    3.25
+describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
-  meta          KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
-  score         KAM_BAD_DNSWL  7.0
-  describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+score   KAM_BAD_DNSWL  7.0
+describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 else
-  meta          KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
-  score         KAM_BAD_DNSWL  7.0
-  describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
+meta    KAM_BAD_DNSWL  (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+score   KAM_BAD_DNSWL  7.0
+describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 
 endif
 
 # HEARING LOSS
@@ -5230,8 +5278,8 @@ body      __KAM_GOOGLE_AWARD3     /Dear Google/i
 body   __KAM_GOOGLE_AWARD4     /Official Notification Letter/i
 
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  mimeheader   __KAM_GOOGLE_AWARD5A    Content-Type =~ /Google Award/i
-  mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
+mimeheader     __KAM_GOOGLE_AWARD5A    Content-Type =~ /Google Award/i
+mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
 endif
 
 meta   KAM_GOOGLE_AWARD        (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1)  >= 4)
@@ -5263,15 +5311,15 @@ describe        KAM_STUDENTLOAN Student Loan Scam
 
 #RESUME
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-  header   __JMQ_RESUME1 Subject =~ /resume/i
-  body     __JMQ_RESUME2 /hello my name|my name is/i
-  body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
-  mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
-  mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
-
-  meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
-  score    JMQ_RESUME 4.5
-  describe JMQ_RESUME Spam for bad attached resumes
+header   __JMQ_RESUME1 Subject =~ /resume/i
+body     __JMQ_RESUME2 /hello my name|my name is/i
+body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
+mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
+mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
+
+meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
+score    JMQ_RESUME 4.5
+describe JMQ_RESUME Spam for bad attached resumes
 endif
 
 #LED/SOLAR LIGHTS
@@ -5311,13 +5359,13 @@ describe JMQ_RESUME3 Yet more resume spam
 
 # SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY - 
 ifplugin Mail::SpamAssassin::Plugin::AskDNS
-  askdns   JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
-  describe JMQ_SPF_NEUTRAL SPF set to ?all 
-  score    JMQ_SPF_NEUTRAL 0.5
+askdns   JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
+describe JMQ_SPF_NEUTRAL SPF set to ?all 
+score    JMQ_SPF_NEUTRAL 0.5
 
-  askdns   JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
-  describe JMQ_SPF_ALL SPF set to +all!
-  score    JMQ_SPF_ALL 0.5
+askdns   JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
+describe JMQ_SPF_ALL SPF set to +all!
+score    JMQ_SPF_ALL 0.5
 endif
 
 # IMPORTANT MESSAGE
@@ -5513,7 +5561,7 @@ score     KAM_NUMSUBJECT        0.5
 describe  KAM_NUMSUBJECT        Subject ends in numbers excluding current years
 
 #BAD PDF
-header         KAM_MGCS        Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+/i
+mimeheader      KAM_MGCS        Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
 score          KAM_MGCS        10.0
 describe       KAM_MGCS        Boundary Content Indicative of Ratware
 
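Review bot: KAM_MGCS is now a `mimeheader` rule but sits outside any `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` guard, unlike the other `mimeheader` rules in this file, so a setup without that plugin would presumably reject the line at lint time. Wrapping the three KAM_MGCS lines in `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` / `endif` keeps it consistent. In the added alternative, `[\xC2\xB7]` is a character class that matches either byte on its own rather than the two-byte sequence, and `(?=)?` is an empty optional lookahead that changes nothing. If the intent is a UTF-8 middle dot before `pdf`, `\xC2\xB7pdf"$` says that directly, which matters for a single pattern scored at 10.0.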
@@ -5597,13 +5645,13 @@ body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am wait
 #describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
 
 #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
- #All Control chars like NUL except \n which should exist once legitimately
- #Investigating double-byte language FP. Reverting back to just \0
+#All Control chars like NUL except \n which should exist once legitimately
+#Investigating double-byte language FP. Reverting back to just \0
 #header   __KAM_MAILSPLOIT1   From =~ /[\x00-\x09\x0b-\x1f]/
 header   __KAM_MAILSPLOIT1   From =~ /[\0]/
 describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index
 
- #\n Multiple in the From Header
+#\n Multiple in the From Header
 header  __KAM_MAILSPLOIT2    From =~ /[\n]/ 
 describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
 tflags  __KAM_MAILSPLOIT2    multiple maxhits=2
@@ -5659,16 +5707,24 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 
   replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
 
-  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>/i
-  #Different encodings
-  body         __KAM_CRIM2     /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})/i
-  body         __KAM_CRIM3     /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part/i
-  body         __KAM_CRIM4     /erotica|<P1>orn|promising evidence|video|<M1>asturbat|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion/i
+  body         __KAM_CRIM1     /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app/i
 
-  body         __KAM_CRIM5     /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)/i
+  #Bitcoin
+  body         __KAM_CRIM2     /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|remove manually all spaces|contains spaces/i
 
-  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward) the video/i
+  #Payment
+  body         __KAM_CRIM3     /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation/i
 
+  #Sexually explicit
+  body         __KAM_CRIM4     /erotica|<P1><O1><R1><N1>|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
+
+  #TIME
+  body         __KAM_CRIM5     /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
+
+  #Subject
+  header               __KAM_CRIM6     Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward) the video|Read me now|want to read this/i
+  
+  #From
   header               __KAM_CRIM7     From =~ /h<A1>ck<E1>r|know/i
 
 
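Review bot: The new alternatives in `__KAM_CRIM1`, `__KAM_CRIM3` and `__KAM_CRIM4` rely on replace tags such as `<S1>`, `<Y1>`, `<W1>`, `<R1>`, `<D1>` and `<U1>`, whose `replace_tag` definitions are not in this hunk. A tag without a definition would not expand, so that alternative would quietly stop matching the obfuscated spellings. Related to that, `y<O1><U>` in `__KAM_CRIM5` and `Y<O1><U>` in `__KAM_CRIM6` use `<U>` where every other tag is numbered, which looks like a typo for `<U1>` (to be confirmed against the tag list). A one-line comment above `replace_rules` naming where the tags are defined would help the next editor. The enclosing `ifplugin` block starts and ends outside the hunk.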
@@ -5784,10 +5840,25 @@ header   SCC_SUBBOMB_SUBJ_1     Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
 score    SCC_SUBBOMB_SUBJ_1    5
 
 # cPanel Phishing
-header         __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
-describe       __SCC_HELO_CPANELNET HELO is bare cpanel.net
-meta         SCC_FAKE_CPANEL  __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS) 
-score        SCC_FAKE_CPANEL  6
+header       __SCC_HELO_CPANELNET      X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
+describe     __SCC_HELO_CPANELNET      HELO is bare cpanel.net
+meta         SCC_FAKE_CPANEL   __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS) 
+score        SCC_FAKE_CPANEL   6
+
+header         KAM_PHISHCP     From =~ /\@cpanel\d+\.com/i
+describe       KAM_PHISHCP     Fraudulent notices purporting to be from cPanel
+score          KAM_PHISHCP     15.0
+
+uri            KAM_PHISHCP2    /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
+describe       KAM_PHISHCP2    Fraudulent notices purporting to be from cPanel
+score          KAM_PHISHCP2    15.0
+
+body           __KAM_PHISHCP3_1        /cPanel Cloud Service/
+
+meta           KAM_PHISHCP3    (__KAM_TINYDOMAIN + __KAM_PHISHCP3_1 >=2)
+describe       KAM_PHISHCP3    Fraudulent notices purporting to be from cPanel
+score          KAM_PHISHCP3    15.0
+
 
 #https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
 body           KAM_FILE                /file:\/\/\/\//i
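Review bot: KAM_PHISHCP matches the whole From header with an unanchored pattern, so `\@cpanel\d+\.com` also hits when that text is only the start of a longer domain or sits in the display name, and at 15.0 a single false hit decides the message. Matching the address part and anchoring the end would narrow it: `header KAM_PHISHCP From:addr =~ /\@cpanel\d+\.com$/i`. KAM_PHISHCP and KAM_PHISHCP2 can both fire on one message, so their 15.0 scores add up; if that is intended, a short comment saying so would help. KAM_PHISHCP3 depends on `__KAM_TINYDOMAIN`, which is defined outside this hunk.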
@@ -5795,15 +5866,32 @@ describe        KAM_FILE                Potential attempt for NTLM attack
 score          KAM_FILE                4.5
 
 #FUN SPAM RUN
-header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london>?$/i
-body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|prefer not to receive future emails|purehealth|leave any time/i
-body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|can't see this image/i
-header         __KAM_FUN4              Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus/i
+header         __KAM_FUN1              From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou>?$/i
+header         __KAM_FUN1A             From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share/i
+
+body           __KAM_FUN2              /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to/i
+body           __KAM_FUN3              /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now/i
+uri            __KAM_FUN3A             /imgstore.host/i
+
+#Subject
+header         __KAM_FUN4              Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|cooling costs|time ?share/i
+
+#How many/How Soon
+body           __KAM_FUN5              /\d million americans|less than \d+ (weeks|days|hours)/i
+#miracle!
+body           __KAM_FUN6              /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked/i
+#what
+body           __KAM_FUN7              /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost/i
+tflags         __KAM_FUN7              nosubject
 
-meta           KAM_FUN                 (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
+meta           KAM_FUN                 ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
 describe       KAM_FUN                 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
 score          KAM_FUN                 7.5
 
+meta           KAM_FUN2                ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
+describe       KAM_FUN2                Spam Engine Hawking Various Goods and Abusing a Lot of Domains
+score          KAM_FUN2                7.5
+
 #GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
 uri            KAM_DRIVENUM            /\d+\.drive\.google.com/i
 describe       KAM_DRIVENUM            Drive Links Prevalent in Spam
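Review bot: In `__KAM_FUN1` the trailing `>?$` binds only to the last alternative, `\.cyou`, so every other TLD in the list matches anywhere in the From header. With the additions here, `\.info`, `\.cam` and `\.work` will hit ordinary addresses, such as a local part ending in `.info` or a domain label that merely begins with those letters. Grouping the alternation anchors all of them, i.e. `/(?:\.fun|\.icu| ... |\.cyou)>?$/i` with the list itself unchanged. `uri __KAM_FUN3A /imgstore.host/i` also leaves the dot unescaped; `/imgstore\.host/i` matches the literal host. Both KAM_FUN and KAM_FUN2 count the From test towards a 7.5 score, so the loose match matters.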
@@ -5821,6 +5909,21 @@ score            KAM_SWIFT               3.0
 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
   # Custom score
   score         FROMNAME_SPOOFED_EMAIL 0.3
+
+  meta     GB_FROMNAME_SPOOF_EQUALS_TO  (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
+  describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
+  score    GB_FROMNAME_SPOOF_EQUALS_TO 0.3
+
+  meta     GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
+  describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
+  score    GB_FROMNAME_SPOOF_FREEMAIL 0.4
+
+  ifplugin Mail::SpamAssassin::Plugin::FreeMail
+    header   __FROM_EQ_REPLY            eval:check_fromname_equals_replyto()
+    meta     GB_FREEM_FROM_NOT_REPLY    ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
+    describe GB_FREEM_FROM_NOT_REPLY    From: and Reply-To: have different freemail domains
+    score    GB_FREEM_FROM_NOT_REPLY    0.4
+  endif
 endif
 
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
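Review bot: The describe text of GB_FREEM_FROM_NOT_REPLY says the two headers have different freemail domains, but the meta tests nothing about domains: it needs FREEMAIL_FROM, FREEMAIL_REPLYTO and a false `__FROM_EQ_REPLY`. Two different addresses at the same provider therefore satisfy it too, assuming the eval compares names or addresses as its name suggests. A text that matches the test would be `describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: are both freemail and do not match`. The two metas above it depend on `PDS_FROMNAME_SPOOFED_EMAIL` and `__PLUGIN_FROMNAME_EQUALS_TO`, which this hunk does not define; a comment naming the ruleset that provides them would make a silent non-match easier to diagnose.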
@@ -5900,23 +6003,23 @@ whitelist_auth *@pccc.com *@mcgrail.com
 #trusted_networks 38.124.232.0/24
 
 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
-header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|leads/i
+header         __KAM_LIST3_1   Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?) (list|information)|install base/i
 
 #title
-body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event) manager|marketing (coordinator|campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|(email|attendee)s? list/i
+body           __KAM_LIST3_2   /list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|(email|attendee)s? list/i
 #db for sale
-body           __KAM_LIST3_3   /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples/i
+body           __KAM_LIST3_3   /(information|data) fields|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|count and cost|multichannel marketing|count of email/i
 #db what
-body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|titles\:|business profiles|database of|list from USA|contact (information|details)|geography|target audience|list.database|data include/i
+body           __KAM_LIST3_4   /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list/i
 
 meta           KAM_LIST3       (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
 describe       KAM_LIST3       Mailing List Purveyor Spam
-score          KAM_LIST3       11.0
+score          KAM_LIST3       12.25
 
  #NO SUBJ MATCH
 meta            KAM_LIST3_1     (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
 describe        KAM_LIST3_1     Likely Mailing List Purveyor Spam
-score           KAM_LIST3_1     7.5
+score           KAM_LIST3_1     5.75
 
 #MONCLER
 header         __KAM_MONCLER1  Subject =~ /moncler/i
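Review bot: Replacing `leads` with a bare `lead` in `__KAM_LIST3_1` makes the Subject test match any word containing those letters ("leader", "misleading"), and the `leaders` alternative just before it is now redundant. Since KAM_LIST3 rises to 12.25 in the same hunk, a word boundary keeps the sub-rule meaningful: `\bleads?\b`. The same concern applies to `(\d{4,8}|complete) (contact|details)` in `__KAM_LIST3_3`, where a four-digit year followed by "details" now counts as a list-for-sale indicator.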
@@ -5975,9 +6078,11 @@ endif
 
 #OLE/VB MACROs
 ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
+  # increase number of mime parts checked
+  olemacro_num_mime 10
   body     KAM_OLEMACRO eval:check_olemacro()
   describe KAM_OLEMACRO Attachment has an Office Macro
-  score    KAM_OLEMACRO 6.5
+  score    KAM_OLEMACRO 7.5
 
   body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
   describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
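Review bot: The comment on `olemacro_num_mime 10` says only that the number is increased; it should record what the limit means for coverage. As I understand the option, parts beyond the limit are not scanned for macros, so the value trades CPU for detection. Something like `# scan up to 10 MIME parts per message for macros (raised from the plugin default); parts past this limit are not checked` states that. The `ifplugin` block continues past the end of this hunk.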
@@ -5985,13 +6090,17 @@ ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
 
   body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
   describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
-  score    KAM_OLEMACRO_ENCRYPTED 2.0
+  score    KAM_OLEMACRO_ENCRYPTED 3.0
 
   #This may cause more CPU usage
   olemacro_extended_scan 1 
   body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
   describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
-  score    KAM_OLEMACRO_RENAME 0.1
+  score    KAM_OLEMACRO_RENAME 0.5
+
+  meta     GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
+  describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
+  score    GB_OLEMACRO_REN_VIR 10
 
   body     KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
   describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
@@ -5999,7 +6108,7 @@ ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
 
   body     KAM_OLEMACRO_CSV eval:check_olemacro_csv()
   describe KAM_OLEMACRO_CSV Macro in csv file
-  score    KAM_OLEMACRO_CSV 4.0
+  score    KAM_OLEMACRO_CSV 5.0
 endif
 
 #Testing Rule for Subject Prefixes - See note 58397
@@ -6021,10 +6130,22 @@ endif
 #
 #        #SHOULD NOT HIT
 #      body            NOSUBJECT_TEST_FAIL     /example/i
-#      describe        NOSUBJECT_TEST_FAIL     This should NOT hit on an email with example in the subject not not in the body because the tflag nosubject will stop the automatic prepending of subjects for testing.
+#      describe        NOSUBJECT_TEST_FAIL     This should NOT hit on an email with example in the subject not not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
 #      tflags          NOSUBJECT_TEST_FAIL     nosubject
 #endif
 
+if (version >= 3.004003)
+  ifplugin Mail::SpamAssassin::Plugin::HashBL
+      # BTC address present in BTC blacklist
+      # thanks to Henrik Krohns for the regexp
+      body          BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
+      priority      BTC_HASHBL_BLACK -100
+      tflags        BTC_HASHBL_BLACK net
+      describe      BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
+      score         BTC_HASHBL_BLACK 5.0
+  endif
+endif
+
 #Testing of HASHBL Additions - Note 58246
 if (version >= 3.004003)
   ifplugin Mail::SpamAssassin::Plugin::KAMOnly
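Review bot: BTC_HASHBL_BLACK is now guarded only by the HashBL plugin check, and the copy removed later in this commit appears to have sat in a KAMOnly section. Every site with HashBL loaded will therefore send DNS queries to `bl.btcblack.it` for strings found in message bodies, and with the `raw` option those strings go out unhashed. The comment above the rule should say so, for example `# NOTE: queries bl.btcblack.it with raw BTC addresses from the body; set "score BTC_HASHBL_BLACK 0" to opt out`. The rule also passes no answer filter, whereas PCCC_HASHBL_HDR_EMAIL later in this commit restricts answers with `'^127\.'`. Adding the same filter as a fourth argument, if the installed plugin version supports it, would keep a parked or wildcarded zone from scoring 5.0 on every matching message.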
@@ -6092,16 +6213,15 @@ if (version >= 3.004003)
       header   PCCC_HASHBL_EMAIL         eval:check_hashbl_emails('wild.pccc.com', 'md5')
       describe PCCC_HASHBL_EMAIL         Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
       tflags   PCCC_HASHBL_EMAIL         net
-      score    PCCC_HASHBL_EMAIL         0.5
+      score    PCCC_HASHBL_EMAIL         1.5
       priority PCCC_HASHBL_EMAIL         -100   
 
-      # BTC address present in BTC blacklist
-      # thanks to Henrik Krohns for the regexp
-      body          BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
-      priority      BTC_HASHBL_BLACK -100
-      tflags        BTC_HASHBL_BLACK net
-      describe      BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
-      score         BTC_HASHBL_BLACK 5.0
+      # Email address in custom email headers found on PCCC HashBL
+      header   PCCC_HASHBL_HDR_EMAIL         eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
+      describe PCCC_HASHBL_HDR_EMAIL         Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
+      tflags   PCCC_HASHBL_HDR_EMAIL         net
+      score    PCCC_HASHBL_HDR_EMAIL         0.5
+      priority PCCC_HASHBL_HDR_EMAIL         -100   
 
       #Move this to a file like 99_hashbl_settings.cf when KAM rules become a channel
       hashbl_acl_freemail 020.co.uk
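Review bot: PCCC_HASHBL_HDR_EMAIL reuses the describe text of PCCC_HASHBL_EMAIL word for word, so a report cannot tell which of the two hit. A distinct text such as `describe PCCC_HASHBL_HDR_EMAIL Reply-To or sender header contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)` fixes that. If the default header set of `check_hashbl_emails` already includes Reply-To (to be confirmed for the plugin version in use), a listed Reply-To address will hit both rules and score 1.5 + 0.5; a comment noting whether that stacking is intended would help. The enclosing `if`/`ifplugin` blocks start and end outside the hunk.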
@@ -8698,25 +8818,39 @@ endif
 #END of TEST OF HASHBL ADDITIONS
 
 #LABEL
-header         __KAM_LABEL1    Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation)/i
-body   __KAM_LABEL2    /meet at your office/i
-body   __KAM_LABEL3    /make custom (shirts|sports|jackets|suits)/i
-body   __KAM_LABEL4    /(suits start at \$|shirts at \$)/i
-body   __KAM_LABEL5    /(premier|top|luxury) fabric/i
-body   __KAM_LABEL6    /\| Label/i
-
-meta           KAM_LABEL       (__KAM_LABEL1 + __KAM_LABEL2 + __KAM_LABEL3 + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 >= 6)
+header         __KAM_LABEL1    Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting)/i
+body   __KAM_LABEL2    /meet at your office|quick lead time/i
+body   __KAM_LABEL3a   /make custom (shirts|sports|jackets|suits)/i
+# bug fix thanks to Moritz Friedrich
+body   __KAM_LABEL3b   /PPE/
+body   __KAM_LABEL4    /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
+body   __KAM_LABEL5    /(premier|top|luxury) (clothing|fabric)|fortune 500/i
+body   __KAM_LABEL6    /\| Label|Label Health/i
+
+header __KAM_LABEL7    Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
+body   __KAM_LABEL8    /face ?mask|(^|\b)PPE(\b|$)/i
+
+meta           KAM_LABEL       (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6)
 describe       KAM_LABEL       Tailored clothier spam
 score          KAM_LABEL       9.0
 
+meta           KAM_LABEL2      ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
+describe       KAM_LABEL2      PPE Spam
+score          KAM_LABEL2      9.0
+
 #RBLOBFU
 body   __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
 body   __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
+body   __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i
 
 meta           KAM_RBL_OBFU    ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
 describe       KAM_RBL_OBFU    Spammers obfuscating their domain and abusing freemail
 score          KAM_RBL_OBFU    12.0
 
+meta           KAM_RBL_OBFU2   __KAM_RBL_OBFU3
+describe       KAM_RBL_OBFU2   Spammers obfuscating their domain
+score          KAM_RBL_OBFU2   9.0
+
 #Shady CC's
 body           __KAM_SHADYCC1  /(transactions?|purchases?) from your (online store|web-?shop)/i
 header         __KAM_SHADYCC2  Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
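Review bot: `body __KAM_LABEL3b /PPE/` is case-sensitive but has no word boundaries, so it matches those three letters inside any upper-case word, while `__KAM_LABEL7` and `__KAM_LABEL8` a few lines below already use `(^|\b)PPE(\b|$)`. `body __KAM_LABEL3b /\bPPE\b/` would be consistent with them. Because body rules also see the Subject unless `tflags nosubject` is set (as done for `__KAM_FUN7` in this commit), a Subject containing "PPE" satisfies both `__KAM_LABEL7` and `__KAM_LABEL8`, which is two of the three points KAM_LABEL2 needs for 9.0. `tflags __KAM_LABEL8 nosubject` would make the two tests independent. In the KAM_LABEL meta, `__KAM_LABEL8>= 6` is missing the space used elsewhere.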
@@ -8777,11 +8911,11 @@ describe        KAM_TRAINING            Training Phishing
 score          KAM_TRAINING            4.5
 
 #Trump Medicare
-header         __KAM_MEDICARE1         Subject =~ /Trump Medicare/i
+header         __KAM_MEDICARE2_1       Subject =~ /Trump Medicare/i
 
-meta           KAM_MEDICARE            __KAM_MEDICARE1 >= 1
-describe       KAM_MEDICARE            Medicare Scams
-score          KAM_MEDICARE            2.0
+meta           KAM_MEDICARE2           __KAM_MEDICARE2_1 >= 1
+describe       KAM_MEDICARE2           Medicare Scams
+score          KAM_MEDICARE2           2.0
 
 #Water hack
 header         __KAM_WATERHACK1        Subject =~ /Water Hack/i
@@ -8794,35 +8928,37 @@ score           KAM_WATERHACK           5.0
 #Sendgrid Exploits 
   #thanks to Chip for another Spample on 2020-03-07
 header         __KAM_SENDGRID1         EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
+header         __KAM_SENDGRID1A        Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
 header         __KAM_SENDGRID2         Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i
 
-meta           KAM_SENDGRID            (HEADER_FROM_DIFFERENT_DOMAINS + (__KAM_SENDGRID1 + __KAM_SENDGRID2 >= 1) >= 2)
+meta           KAM_SENDGRID            ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
 describe       KAM_SENDGRID            Sendgrid being exploited by scammers
-score          KAM_SENDGRID            3.0
+score          KAM_SENDGRID            1.50
 
 header         __KAM_EDU_FROM          From:addr =~ /\.edu$/i
 
-header         __KAM_SENDGRID3         Subject =~ /Amex|Wells ?Fargo|American Express|Security Message|Quickbooks/i
-header         __KAM_SENDGRID4         From =~ /Amex|Wells ?Fargo|American Express/i
+header         __KAM_SENDGRID3         Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card/i
+header         __KAM_SENDGRID4         From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
 
 meta            KAM_SENDGRID2           ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
 describe        KAM_SENDGRID2           Sendgrid being exploited by scammers
-score           KAM_SENDGRID2           3.0
+score           KAM_SENDGRID2           2.0
 
 #Political Spam
-header         __KAM_2020_1            Subject =~ /Re-?elect Trump/i
-body           __KAM_2020_2            /T-?shirt/i
+header         __KAM_2020_1            Subject =~ /Re-?elect Trump|election t-?shirt|ginsburg shirt/i
+body           __KAM_2020_2            /T-?shirt|printed in the US/i
+tflags         __KAM_2020_2            nosubject
 
 meta           KAM_2020                (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
-describe       KAM_2020                2020 Political Spams
-score          KAM_2020                5.0
+describe       KAM_2020                2020 Political Spams - Vote KAM for 2020 - donate today at www.mcgrail.com
+score          KAM_2020                7.0
 
-#WeTransfer Spam - Also in Sandbox so we'll see how long it takes to promote it
-header     __FROM_NAME_WETRANSFER        From:name =~ /WeTransfer/i
-header     __SUBJ_WETRANSFER             Subject =~ /WeTransfer Files/i
-meta       GB_WETRANSFER_HTM             ( HTML_ATTACH && (__SUBJ_WETRANSFER + __FROM_NAME_WETRANSFER >= 1) )
-describe   GB_WETRANSFER_HTM             WeTransfer html attachment
-score      GB_WETRANSFER_HTM             3.0 
+#WeTransfer Spam 
+#header     __FROM_NAME_WETRANSFER        From:name =~ /WeTransfer/i
+#header     __SUBJ_WETRANSFER             Subject =~ /WeTransfer Files/i
+#meta       GB_WETRANSFER_HTM             ( T_HTML_ATTACH && (__SUBJ_WETRANSFER + __FROM_NAME_WETRANSFER >= 1) )
+#describe   GB_WETRANSFER_HTM             WeTransfer html attachment
+#score      GB_WETRANSFER_HTM             3.0 
 
 #Grey Eagle
 header __KAM_GREYEAGLE_1               From =~ /greyeagle|funding|capital|banking|lending/i
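Review bot: The widened `__KAM_SENDGRID4` pattern adds `bank`, `chase` and `stripe` without word boundaries, and it is tested against the whole From header, so it also matches inside unrelated names and addresses such as "purchase" or "Eubanks". In the unchanged `KAM_SENDGRID2` meta the first term is satisfied by `__KAM_EDU_FROM` alone, so a .edu sender with such a substring scores 2.0 under a rule described as Sendgrid abuse even when no Sendgrid header matched. Anchoring the short tokens, e.g. `\bbank|\bchase\b|\bstripe\b`, keeps the brand matches and drops most of the accidental ones. A one-line comment above `KAM_SENDGRID2` saying whether the `.edu` branch is meant to fire without `KAM_SENDGRID` would help whoever tunes the score next.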
@@ -8832,4 +8968,465 @@ meta            KAM_GREYEAGLE           (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
 describe       KAM_GREYEAGLE           Spammy Funding Company w/lots of Domains
 score          KAM_GREYEAGLE           10.0
 
+#Google Storage APIs
+uri            KAM_STORAGE_GOOGLE      /storage.googleapis.com|\.web.app\//i
+describe       KAM_STORAGE_GOOGLE      Google Storage API being abused by spammers
+score          KAM_STORAGE_GOOGLE      2.25
+
+#Spam Du Jour
+header         __KAM_DUJOUR1           Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
+
+body           __KAM_DUJOUR2           /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
+tflags         __KAM_DUJOUR2           nosubject
+
+header         __KAM_DUJOUR3           From =~ /(Probio|Tinnitus|Reflux|CVS)/i
+
+meta           KAM_DUJOUR              (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
+describe       KAM_DUJOUR              Spam of the Day hocking various products
+score          KAM_DUJOUR              4.5
+
+#QUINFORCE
+body           __KAM_QUINFORCE1        /q.?u.?i.?n.?f.?o.?r.?c.?e/i
+
+meta           KAM_QUINFORCE1          (__KAM_QUINFORCE1 >= 1)
+describe       KAM_QUINFORCE1          Obfuscating spamming firm
+score          KAM_QUINFORCE1          6.0
+
+#SPAMDUJOUR
+body           __KAM_CBD1              /Meridian CBD/i
+
+meta           KAM_CBD                 (__KAM_CBD1 + __KAM_OTHER_BAD_TLD2 >= 2)
+describe       KAM_CBD                 Spam du jour for CBD
+score          KAM_CBD                 4.5
+
+#COVID SCAMS
+body           __KAM_COVID1            /International Monetary fund|world health organization/i
+header         __KAM_COVID2            Subject =~ /COVID.{0,12}payment|support/i
+body           __KAM_COVID3            /COVID.{0,12}payment|W\.?H\.?O\.? trust.?fund/i
+tflags         __KAM_COVID3            nosubject
+header         __KAM_COVID4            From =~ /COVID|world ?Health|WHO/i
+
+body           __KAM_COVID5            /00 ?(EUR|USD|Dollar)/i
+
+meta           KAM_COVID               ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 5)
+describe       KAM_COVID               Scams revolving around the pandemic
+score          KAM_COVID               7.5
+
+#COVID SCAMS
+body           __KAM_COVID2_1          /COVID-19 (CHARITY )?(fund|donated relief)/i
+tflags         __KAM_COVID2_1          nosubject
+header         __KAM_COVID2_2          Subject =~ /(little|COVID-19) (fund|donation)/i
+
+meta           KAM_COVID2              (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
+describe       KAM_COVID2              Scams revolving around the pandemic
+score          KAM_COVID2              7.5
+
+#COVID SCAMS
+body           __KAM_COVID3_1          /Prince/i
+body           __KAM_COVID3_2          /reliable source/i
+body           __KAM_COVID3_3          /\$[\d\.,]+ mil/i
+body           __KAM_COVID3_4          /assist me/i
+body           __KAM_COVID3_5          /Saudi Arabia/i
+
+meta           KAM_COVID3              (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
+describe       KAM_COVID3              Scams revolving around the pandemic
+score          KAM_COVID3              7.5
+
+#VOICEMAIL SCAM
+uri            __KAM_VM1               /storage.googleapis.com\/.*?htm|appspot\.com|\/api\/v1\/click\|\.sharepoint\.com\/personal\//i
+header         __KAM_VM2               Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File/i
+body           __KAM_VM3               /(Voice ?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail)/i
+tflags         __KAM_VM3               nosubject
+body           __KAM_VM4               /recorded voice|audio message|Caller.id|CID:|mailbox \d|sign document/i
+tflags         __KAM_VM4               nosubject
+
+meta           KAM_VM                  (__KAM_VM1 +  __KAM_VM2 +  __KAM_VM3 +  __KAM_VM4 >= 3)
+score          KAM_VM                  4.5
+describe       KAM_VM                  Voice Mail & Fax Scams
+
+#Admin Notice Fraud
+header         __KAM_ADMIN1            From =~ /admin/i
+header         __KAM_ADMIN2            Subject =~ /For /i
+body           __KAM_ADMIN3            /next tax return/i
+body           __KAM_ADMIN4            /read this document/i
+
+meta           KAM_ADMIN               (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
+describe       KAM_ADMIN               Phishing attempt spoofing admins
+score          KAM_ADMIN               9.0
+
+
+#BENEFICIARY
+replace_rules  __KAM_BENEFICIARY2
+
+header         __KAM_BENEFICIARY1      Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$/i
+#what
+body           __KAM_BENEFICIARY2      /(consignment|fund|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|similar surname|investment manager)|level of maturity|important project/i
+tflags         __KAM_BENEFICIARY2      nosubject
+
+#bus
+body           __KAM_BENEFICIARY3      /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money/i
+#where
+body           __KAM_BENEFICIARY4      /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan)/i
+#how much
+body           __KAM_BENEFICIARY5      /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business/i
+#sob
+body           __KAM_BENEFICIARY6      /(deceased|late) (husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile/i
+
+meta           KAM_BENEFICIARY         ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
+describe       KAM_BENEFICIARY         Beneficiary scams
+score          KAM_BENEFICIARY         10.5
+
+meta            KAM_BENEFICIARYLOW       ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY
+describe        KAM_BENEFICIARYLOW      Beneficiary scams (Lower Confidence)
+score           KAM_BENEFICIARYLOW      6.0
+
+
+#BENEFICIARY
+meta            KAM_BENEFICIARY2        (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
+describe        KAM_BENEFICIARY2        Beneficiary scams
+score           KAM_BENEFICIARY2        3.0
+
+#Person Beneficiary
+body           __KAM_BENEFICIARY3_1    /Mikhail Fridman/i
+header         __KAM_BENEFICIARY3_2    From =~ /Mikhail Fridman/i
+uri            __KAM_BENEFICIARY3_3    /www.rt.com/i
+
+meta           KAM_BENEFICIARY3        (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3) 
+describe        KAM_BENEFICIARY3        Beneficiary scams
+score          KAM_BENEFICIARY3        4.5
+
+
+#Did you get my message?
+header         __KAM_DIDYOUSUBJ        Subject =~ /Did you (receive it|get my message)/i
+body           __KAM_DIDYOUBODY        /Did you (receive it|get my message)/i
+tflags         __KAM_DIDYOUBODY        nosubject
+
+#Nothing but sig
+#body          __KAM_SIGONLY1          /^.{0,10}--\b/im
+#tflags                __KAM_SIGONLY1          nosubject
+#
+#meta          KAM_SIGONLY             (__KAM_SIGONLY1 >= 2)
+#score         KAM_SIGONLY             1.5
+#describe      KAM_SIGONLY             Messages is (mostly) just a signature
+#
+##SigOnly spam
+#meta          KAM_SIGONLY2            (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
+#score         KAM_SIGONLY2            1.5
+#describe      KAM_SIGONLY2            Junk Messages using (mostly) just a signature
+
+#Blank Subject
+header         KAM_BLANKSUBJECT        Subject =~ /^\s*$/i
+describe       KAM_BLANKSUBJECT        Message has a blank Subject
+score          KAM_BLANKSUBJECT        0.25
+#Job
+#what
+header         __KAM_JOB2_1            Subject =~ /doing the job/i
+body           __KAM_JOB2_2            /represent the company/i
+#Where
+body           __KAM_JOB2_3            /Singapore/i
+#how much      
+body           __KAM_JOB2_4            /\d,?000 USD (monthly|weekly)/i
+
+meta            KAM_JOB2               (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
+describe       KAM_JOB2                Employment scams
+score          KAM_JOB2                7.5
+
+#WEB
+header         __KAM_WEB2_1            Subject =~ /follow|next step|website work/i
+body           __KAM_WEB2_2            /affordable (quot|price)|less than half/i
+body           __KAM_WEB2_3            /web (designer|develop)|new website/i
+body           __KAM_WEB2_4            /portfolio|sample|insights/i
+
+meta           KAM_WEB2                (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
+describe       KAM_WEB2                Unsolicited web workers
+score          KAM_WEB2                7.5
+
+#BANK
+header         __KAM_BANK_1            Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
+body           __KAM_BANK_2            /beneficiary|agent|investment group|deceased/i
+body           __KAM_BANK_3            /re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i
+
+meta           KAM_BANK                (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
+describe       KAM_BANK                Bank scams
+score          KAM_BANK                7.5
+
+#FAKE CERTIFICATES
+header         __KAM_CERT1             Subject =~ /Medical Certificate/i
+body           __KAM_CERT2             /review this certificate/i
+body           __KAM_CERT3             /link below/i
+
+meta           KAM_CERT                (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
+describe       KAM_CERT                Fake Certificate Scams
+score          KAM_CERT                4.5
+
+#URGENT
+header         __KAM_URGENT1           Subject =~ /^Hello$/i
+body           __KAM_URGENT2           /urgent respond/i
+body           __KAM_URGENT3           /private e?mail/i
+body           __KAM_URGENT4           /god bless/i
+body           __KAM_URGENT5           /address still valid/i
+
+meta           KAM_URGENT              ( __KAM_URGENT1 +  __KAM_URGENT2 +  __KAM_URGENT3 +  __KAM_URGENT4 +  __KAM_URGENT5 >= 5)
+describe       KAM_URGENT              Urgent Scams
+score          KAM_URGENT              7.5
+
+#INVESTMENT    
+header         __KAM_INVEST1           Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest/i
+#looking/why
+body           __KAM_INVEST2           /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance/i
+#money/deal
+body           __KAM_INVEST3           /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
+#what/where
+body           __KAM_INVEST4           /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country/i
+tflags         __KAM_INVEST4           nosubject
+
+meta           KAM_INVEST              (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
+describe       KAM_INVEST              Investment Scams
+score          KAM_INVEST              6.0
+
+#SIGNON
+header         __KAM_SIGN1             Subject =~ /New Sign-?[io]n/i
+body           __KAM_SIGN2             /review your account/i
+body           __KAM_SIGN3             /verification is processed/i
+
+meta           KAM_SIGN                (KAM_STORAGE_GOOGLE +  __KAM_SIGN1 +  __KAM_SIGN2 +  __KAM_SIGN3 >= 4)
+describe       KAM_SIGN                Sign-in Verification Scams
+score          KAM_SIGN                6.0
+
+#COVID SPAM
+header         __KAM_WEIRDC19_1        Subject =~ /The virus that causes COVID-19/i
+header         __KAM_WEIRDC19_2        From =~ /John Robert/i
+body           __KAM_WEIRDC19_3        /The virus that causes COVID-19/i
+tflags         __KAM_WEIRDC19_3        nosubject
+
+meta           KAM_WEIRDC19            (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
+describe       KAM_WEIRDC19            Odd Covid-19 spam with information
+score          KAM_WEIRDC19            7.5
+
+#PRODUCT DUJOUR
+header         __KAM_CELEB1            Subject =~ /Celebrity Doc/i
+body           __KAM_CELEB2            /resugar/i
+body           __KAM_CELEB3            /fat.burning/i
+
+meta           KAM_CELEB               (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
+describe       KAM_CELEB               Celebrity Health Scams
+score          KAM_CELEB               4.5
+
+#BEAL AND SIMILAR IMPERSONATOR
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+  header       __KAM_BEAL1             From:name =~ /Geoff White|(Robert|Bob) Beal|(James|Jim) Hoffman|Kevin (A\.)? Mc ?Grail|Chad Coney|Frederic Beuter/i
+  #header      __KAM_BEAL2             From:addr =~ /\@gmail\.com|\@mail\.ru/i
+  body         __KAM_BEAL3             /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\.)? Mc ?Grail|Frederic Beuter/i
+  body         __KAM_BEAL4             /(reply with|forward) your (Cell|Mobile)|task quickly|urgent task|quick errand|make (some|a) purchase|reimburse you/i
+
+  meta         KAM_BEAL                ((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + FREEMAIL_FROM + __KAM_BEAL4 >= 3)
+  describe     KAM_BEAL                IMPOSTER! Will the real slim shady, please stand up?
+  score                KAM_BEAL                9.0
+endif
+
+#PROJECT
+header         __KAM_PROJECT1          Subject =~ /Project/i
+body           __KAM_PROJECT2          /business project/i
+body           __KAM_PROJECT3          /email is active/i
+body           __KAM_PROJECT4          /please respond/i
+
+meta           KAM_PROJECT             (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
+describe       KAM_PROJECT             Scam inquiries about amorphous projects
+score          KAM_PROJECT             6.0
+
+#FAKEWESTERN
+header         __KAM_FAKEWEST1         Subject =~ /Attention/i
+body           __KAM_FAKEWEST2         /Western Union/i
+body           __KAM_FAKEWEST3         /United Nation/i
+body           __KAM_FAKEWEST4         /Wrong Transfer/i
+body           __KAM_FAKEWEST5         /0[\.,]?000[\.,]?00\s?USD/i
+
+meta           KAM_FAKEWEST            (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
+describe       KAM_FAKEWEST            Fake money Transfer Scam
+score          KAM_FAKEWEST            6.0
+
+#FAKEDROPBOX
+header         __KAM_FAKEDROPBOX2_1    Subject =~ /on Dropbox/i
+
+meta           KAM_FAKEDROPBOX2        (__KAM_FAKEDROPBOX2_1 + __KAM_TINYDOMAIN + FREEMAIL_FROM >= 3)
+describe       KAM_FAKEDROPBOX2        Fake Dropbox Phish
+score          KAM_FAKEDROPBOX2        4.5
+
+header          __KAM_FAKEDROPBOX3_1    Subject =~ /new dropbox message/i
+uri            __KAM_FAKEDROPBOX3_2    /wp\-includes/i
+
+meta            KAM_FAKEDROPBOX3        (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
+describe        KAM_FAKEDROPBOX3        Fake Dropbox Phish
+score           KAM_FAKEDROPBOX3        6.0
+
+
+#FAKEMONEYGRAM
+header         __KAM_FAKEMONEYGRAM1    From =~ /Money.?Gram/i
+
+meta            KAM_FAKEMONEYGRAM       (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
+describe        KAM_FAKEMONEYGRAM       Fake Moneygram Phish
+score           KAM_FAKEMONEYGRAM       5.5     
+
+
+#FAKESHAREPOINT
+header         __KAM_FAKESHAREPOINT1   Subject =~ /by Sharepoint/i
+header         __KAM_FAKESHAREPOINT2   From =~ /sharepoint/i
+
+meta           KAM_FAKESHAREPOINT              (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + KAM_STORAGE_GOOGLE >= 3)
+describe       KAM_FAKESHAREPOINT              Fake Sharepoint Phish
+score          KAM_FAKESHAREPOINT              3.0
+
+#ENCRYPTED ZIP
+body           __KAM_BADZIP1           /attached (to email|document)|take a look/i
+body           __KAM_BADZIP2           /Encrypted zip/i
+uri            __KAM_BADZIP2A          /drive.google.com.*export=download/i
+body           __KAM_BADZIP3           /(order|urgent|report|dialogue)/i
+body           __KAM_BADZIP4           /password:/i
+
+meta           KAM_BADZIP              (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
+describe       KAM_BADZIP              Encrypted Zip File Indicating a Scam
+score          KAM_BADZIP              6.0
+
+#VERIZON SCAM
+
+header         __KAM_VERIZON1          Subject =~ /verizon wireless security message/i
+header         __KAM_VERIZON2          From:name =~ /Verizon/i
+header         __KAM_VERIZON3          From:addr !~ /verizon/i
+
+#What
+body           __KAM_VERIZON4          /Update required immediately/i
+#how
+body           __KAM_VERIZON5          /update your account information/i
+#Problem
+body           __KAM_VERIZON6          /deactivated/i
+#Money
+body           __KAM_VERIZON7          /credit card|bank account/i
+
+meta           KAM_VERIZON             (__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
+describe       KAM_VERIZON             Fake Wireless account notices
+score          KAM_VERIZON             9.5
+
+#Docusign SCAM
+header         __KAM_DOCUSIGN1         Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign signature service/i
+header         __KAM_DOCUSIGN2         From:name =~ /docusign/i
+header         __KAM_DOCUSIGN3         From:addr !~ /docusign/i
+
+uri            __KAM_DOCUSIGN4         /\.weebly\.com|docs\.google\.com/i
+
+meta           KAM_DOCUSIGN            ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
+describe       KAM_DOCUSIGN            Fake Document Signature account notices
+score          KAM_DOCUSIGN            4.5
+
+#Invalid From
+header         __KAM_TWODOTS           From:addr =~ /\@.*\.\./i
+
+meta           KAM_INVALIDFROM         (__KAM_TWODOTS >= 1)
+describe       KAM_INVALIDFROM         Invalid From Address
+score          KAM_INVALIDFROM         5.0
+
+#Client Fake Invoice
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+  header       __KAM_FAKEINV1          From =~ /headoffice/i
+  header       __KAM_FAKEINV1A         Reply-to =~ /no.?reply\@/i
+
+  body         __KAM_FAKEINV2          /dearest client/i
+
+  mimeheader    __KAM_FAKEINV3          Content-Type =~ /.xls\"?$/i
+
+  meta         KAM_FAKEINV             ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
+  describe     KAM_FAKEINV             Fake Customer Invoices
+  score                KAM_FAKEINV             4.5
+endif
+
+#IMAGE ONLY
+meta           KAM_IMAGEONLY           (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
+describe       KAM_IMAGEONLY           Email from a questionable TLD that contains primarily just an image
+score          KAM_IMAGEONLY           0.75
+
+#HOLIDAY 2020 GIFTS
+header         __KAM_HOLIDAY2020_1     Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this) rug|canvas print|get your ornament/i
+body           __KAM_HOLIDAY2020_2     /(illusional|Vortex) Rug|wireless earbuds|canvas print|get your ornament|holiday novelty/i
+tflags         __KAM_HOLIDAY2020_2     nosubject
+
+meta           KAM_HOLIDAY2020         (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 >= 2)
+describe       KAM_HOLIDAY2020         Holiday Gifts 2020 Spam
+score          KAM_HOLIDAY2020         4.0
+
+#GOOGLE FORM
+uri            __KAM_GOOGLEFORM_1      /docs\.google\.com\/forms\//i
+body           __KAM_GOOGLEFORM_2      /Untitled Form|Formulaire sans titre/i
+
+meta           KAM_GOOGLEFORM          (__KAM_GOOGLEFORM_1 + __KAM_GOOGLEFORM_2 >= 2)
+describe       KAM_GOOGLEFORM          Untitled Google Form
+score          KAM_GOOGLEFORM          2.0     
+
+#BENEFICIARY FAKE FORM
+meta           KAM_FAKEFORM            (LOTS_OF_MONEY + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + __KAM_GOOGLEFORM_1 >= 2)
+describe       KAM_FAKEFORM            Fake Form for Scams
+score          KAM_FAKEFORM            4.0
+
+#2ND AMMENDMENT
+body           __KAM_2ND_1             /police can no longer be trusted/i
+body           __KAM_2ND_2             /2nd am?mendment/i
+header         __KAM_2ND_3             From =~ /2nd amm?endment/i
+
+meta           KAM_2ND                 (__KAM_FUN1 + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 4)
+describe       KAM_2ND                 Political Spam
+score          KAM_2ND                 6.0
+
+#SPAM DU JOUR - MASKS
+body           __KAM_KN_1              /KN95 (Face )?Mask/i
+tflags         __KAM_KN_1              nosubject
+body           __KAM_KN_2              /get your|for the public/i
+tflags         __KAM_KN_2              nosubject
+header         __KAM_KN_3              Subject =~ /KN95 (Official |Face )?Mask/i
+header         __KAM_KN_4              From =~ /KN95|Mask Special/i
+
+meta           KAM_KN                  (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
+describe       KAM_KN                  Spam Du Jour for Masks
+score          KAM_KN                  3.0
+
+#SPAM DU JOUR - BAD CREDIT
+body           __KAM_BADCRED_1         /bad credit/i
+tflags         __KAM_BADCRED_1         nosubject
+header         __KAM_BADCRED_2         Subject =~ /bad credit.*off track/
+
+meta           KAM_BADCRED             (__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
+describe       KAM_BADCRED             Spam Du Jour for Bad Credit
+score          KAM_BADCRED             3.0
+
+#SPAM DU JOUR - SPO2
+replace_rules  __KAM_SPO2_2 __KAM_SPO2_3
+
+body           __KAM_SPO2_1            /pulse oximeter/i
+body           __KAM_SPO2_2            /C<O1>VID/i
+tflags         __KAM_SPO2_2            nosubject
+header         __KAM_SPO2_3            Subject =~ /C<O1>VID.*(screening|oximeter)/i
+header         __KAM_SPO2_4            From =~ /health/i
+
+meta           KAM_SPO2                (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
+describe       KAM_SPO2                COVID Spams
+score          KAM_SPO2                4.5
+
+#SPAM DU JOUR - HEATED VEST
+body           __KAM_VEST1             /(heated|thermal) vest/i
+tflags         __KAM_VEST1             nosubject
+header         __KAM_VEST2             Subject =~ /stay toasty/i
+header         __KAM_VEST3             From =~ /thermal vest/i
+
+meta           KAM_VEST                (__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
+describe       KAM_VEST                Spam Du Jour for Vests
+score          KAM_VEST                4.5
+
+
+#FAKE CVS
+header         __KAM_CVS1              From =~ /CVS Pharm/i
+header         __KAM_CVS1A             From:addr !~ /\@cvs.com/i
+body           __KAM_CVS2              /CVS/
+tflags         __KAM_CVS2              nosubject
+header         __KAM_CVS3              Subject =~ /CVS Pharm/i
+
+meta           KAM_CVS                 ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
+describe       KAM_CVS                 Fake CVS Spams
+score          KAM_CVS                 6.0
 # EOF
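Review bot: In `__KAM_VM1` the separator before `\.sharepoint\.com` is written `\|`, which matches a literal pipe character, so the last alternative is the single string `/api/v1/click|.sharepoint.com/personal/` and neither the click-tracking path nor the SharePoint personal-site URL is matched on its own; presumably `click|\.sharepoint\.com\/personal\/` was intended. A related grouping slip is in `__KAM_COVID2`, where `/COVID.{0,12}payment|support/i` fires on any Subject containing "support"; if the prefix was meant to apply to both words it should read `/COVID.{0,12}(?:payment|support)/i`. In `__KAM_BEAL1` and `__KAM_BEAL3`, `Kevin (A\.)? Mc ?Grail` requires two spaces when the initial is absent, so "Kevin McGrail" is missed; `Kevin (?:A\. )?Mc ?Grail` covers both forms. `spamassassin --lint` will not flag any of these because all three are valid regexes, so a few sample messages per rule are the practical check.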