#KAM.cf - SpamAssassin Rules
#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
-# & Bill Cole
+# Bill Cole & Giovanni Bechis
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
# at https://raptor.pccc.com/raptor.cgim?template=report_problem
score KAM_INVALID_FROM 4.0
#RAPTOR ALTERED EMAILS
- body __KAM_RAPTOR1 /altered by our Raptor filters/i
- header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
+ #body __KAM_RAPTOR1 /altered by our Raptor filters/i
+ #header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
- meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
- describe KAM_RAPTOR PCCC Raptor altered the email
- score KAM_RAPTOR 3.5
+ #meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
+ #describe KAM_RAPTOR PCCC Raptor altered the email
+ #score KAM_RAPTOR 3.5
#NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
score RCVD_IN_NJABL_CGI 0
else
# no KAMOnly, stub rules
- meta KAM_RAPTOR 0
- score KAM_RAPTOR 0
+ meta KAM_RAPTOR_ALTERED 0
+ score KAM_RAPTOR_ALTERED 0
meta CBJ_GiveMeABreak 0
score CBJ_GiveMeABreak 0
meta KAM_RPTR_SUSPECT 0
#XEROX SCANS
header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
- meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR >= 2)
+ meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
score KAM_XEROX 5.0
describe KAM_XEROX Likely Fake Xerox Attachment
#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody __KAM_INFOUSMEBIZ1 /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
-header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz)$/i
-header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz)>?$/i
+header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
+header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i
meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score KAM_INFOUSMEBIZ 0.75
-describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware
+describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
rawbody __KAM_OTHER_BAD_TLD1 /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
else
meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
endif
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order/i
+ mimeheader __KAM_BADPO2 Content-type =~ /PDF.html/i
+endif
+
+header __KAM_BADPO3 Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
+
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ meta KAM_BADPO (KAM_RAPTOR_ALTERED + __KAM_BADPO3 >= 2)
+ describe KAM_BADPO Bad Purchase Orders
+ score KAM_BADPO 5.0
endif
+meta KAM_BADPO2 (__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)
+describe KAM_BADPO2 Bad Purchase Orders
+score KAM_BADPO2 5.0
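Review bot: `meta KAM_BADPO2 (__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)` is placed outside the `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` block that defines __KAM_BADPO1 and __KAM_BADPO2, so on an install without that plugin the meta references rules that do not exist; SpamAssassin reports that as an undefined dependency when linting and the terms contribute nothing. The same pattern appears further down where `mimeheader __KAM_ZWNJ1` moves into a MIMEHeader block while `meta KAM_ZWNJ` stays outside it. The file already handles this case for KAMOnly with an `else` branch of stub rules (`meta KAM_RAPTOR_ALTERED 0`), so the consistent fix is either to move the metas inside the plugin block or to add `else` stubs such as `meta __KAM_BADPO1 0` and `meta __KAM_BADPO2 0` (and `meta __KAM_ZWNJ1 0`) so the rule set lints cleanly without the plugin.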
+
+ #PDFCOUNT
+
#FAKE PDF READER/WRITE
body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
body __KAM_FAKEPDF2 /Reader 2010/is
util_rb_2tld jimdo.com
util_rb_2tld doesphotography.com
util_rb_2tld isteaching.com
+ util_rb_2tld googleapis.com
endif
# allow URI rules to look at DKIM headers if they exist and our SA version supports it
score KAM_SMOKE2 3.0
describe KAM_SMOKE2 Higher probability of spam
-#OBF URL
-body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M/i
+#OBF URL - need to make this more generic and perhaps something for RBL lookups when these techniques are used.
+body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M|insidesaleswiz\.\s+com/i
meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
-score KAM_OBFURL 5.0
+score KAM_OBFURL 15.0
describe KAM_OBFURL Obfuscated URL
#SHARP FOR LIFE
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-replace_tag A (?:[\xd0][\xb0]|a)
+replace_tag A (?:[\xd0][\xb0]|[\xc9][\x91]|a)
replace_tag C (?:[\xd0][\xa1]|c|[\xd1][\x81])
-replace_tag E (?:[\xd0][\xb5]|e)
-replace_tag I (?:[\xd1][\x96]|i)
+replace_tag E (?:[\xd0][\xb5]|[\xc4][\x97]|e)
+replace_tag I (?:[\xd1][\x96]|[\xc4][\xab]|i)
replace_tag M (?:[\xca][\x8d]|m)
replace_tag O (?:[\xd0][\xbe]|o)
replace_tag P (?:[\xd1][\x80]|p|[\xc7][\xb7])
describe KAM_PAYPAL1 rampant paypal phishing scams
score KAM_PAYPAL1 16.0
-#PAYPAL IMPERSONATING MALWARE
-body __KAM_PAYPAL2A /paypal/i
-body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ #PAYPAL IMPERSONATING MALWARE
+ body __KAM_PAYPAL2A /paypal/i
+ body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
-meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR >= 3)
-describe KAM_PAYPAL2 Malware disguised as a paypal email
-score KAM_PAYPAL2 8.0
+ meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
+ describe KAM_PAYPAL2 Malware disguised as a paypal email
+ score KAM_PAYPAL2 8.0
+endif
#PAYPAL PHISH
header __KAM_PAYPAL3A From =~ /paypal/i
body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
- meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
+ meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_BBB Better Business Bureau Phishing
score KAM_BBB 5.0
endif
header __KAM_FAKEDELIVER12 From !~ /dpd.com|dpd.co.uk/i
-meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR >= 1) >= 3)
+meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED >= 1) >= 3)
describe KAM_FAKE_DELIVER Fake delivery notifications
score KAM_FAKE_DELIVER 5.0
header __KAM_JURY3 From !~ /\.gov/i
body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
-meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR >= 4)
+meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score KAM_JURY 8.0
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
- meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
+ meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
endif
score KAM_MARIJUANA2 8.0
describe KAM_MARIJUANA2 Definitely spam for marijuana
-# EVICTION NOTICE
-header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
-header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
-body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
-
-meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR >= 4)
-describe KAM_EVICTION Malware disguised as eviction notice
-score KAM_EVICTION 4.5
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ # EVICTION NOTICE
+ header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
+ header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
+ body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
+
+ meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
+ describe KAM_EVICTION Malware disguised as eviction notice
+ score KAM_EVICTION 4.5
+endif
# WALK IN TUBS
header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
#Thanks to Dave Wreski for his idea on commas
header __KAM_MANYTO To =~ />,/i
-tflags __KAM_MANYTO multiple,maxhits=5
+tflags __KAM_MANYTO multiple maxhits=5
header __KAM_MANYTO2 To =~ /, /
-tflags __KAM_MANYTO2 multiple,maxhits=25
+tflags __KAM_MANYTO2 multiple maxhits=25
meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
score KAM_MANYTO 0.2
body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
-score KAM_GENERICHEALTH 4.0
+score KAM_GENERICHEALTH 1.75
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
-tflags __KAM_ASCII_DIVIDERS multiple, maxhits=4
+tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score KAM_NUWAVE 3.5
rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
-tflags __KAM_MANYCOMMENTS multiple,maxhits=6
+tflags __KAM_MANYCOMMENTS multiple maxhits=6
meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
#KAM_AMAZON
header __KAM_AMAZON1 From =~ /amazon\.com/i
- meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
+ meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
score KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
endif
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif
-# FORGED EMAILS WITH A VIRUS ATTACHED
-meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR >= 2)
-score KAM_FORGED_ATTACHED 4.5
-describe KAM_FORGED_ATTACHED Forged email with a malware attachment
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ # FORGED EMAILS WITH A VIRUS ATTACHED
+ meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
+ score KAM_FORGED_ATTACHED 4.5
+ describe KAM_FORGED_ATTACHED Forged email with a malware attachment
+endif
# LOTS OF PERIODS IN SUBJECT
header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
score KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
-# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
-meta KAM_PHISHY_DOLLARS (KAM_RAPTOR + LOTS_OF_MONEY >= 2)
-score KAM_PHISHY_DOLLARS 3.5
-describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ # MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
+ meta KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
+ score KAM_PHISHY_DOLLARS 3.5
+ describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
+endif
# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header __KAM_MULTIPLE_FROM From =~ /^./
-tflags __KAM_MULTIPLE_FROM multiple,maxhits=2
+tflags __KAM_MULTIPLE_FROM multiple maxhits=2
header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
-meta KAM_GRABBAG6 (__KAM_MULTIPLE_FROM + __KAM_SUBJECT_WHITESPACE_START >= 2)
+meta KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score KAM_GRABBAG6 4.5
# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
- meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR)
+ meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
score KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
endif
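Review bot: `meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)` cannot fire as written: `>=` binds tighter than `&&`, and KAM_RAPTOR_ALTERED is a plain header rule (its definition further down, `header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i`, carries no `tflags multiple`), so its value is 0 or 1 and `KAM_RAPTOR_ALTERED >= 2` is always false. The pre-patch rule only required both inputs to hit, so this change silently disables the rule rather than tightening it. If the intent is "both hit", keep the boolean form, `meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED)`; if the intent is a sum, `meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY + KAM_RAPTOR_ALTERED >= 2)`. Unless KAM_RAPTOR_ALTERED is given `tflags multiple` somewhere outside this diff, which I cannot see, the rule is dead.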
header __JMQ_CONGRAT1 From =~ /award|claim/i
header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
-meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
+meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam
#WEB CRIMINALS
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6
+ replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
-body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|cameras? and a mic|I am a hacker/i
+ body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A>mera|cameras? and a mic|I am a hacker/i
#Different encodings
-body __KAM_CRIM2 /(bit<C><O><I>n|BTC)/i
-body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network/i
-body __KAM_CRIM4 /erotica|<P>orn|promising evidence|video|masturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana/i
-endif
+ body __KAM_CRIM2 /(bit<C><O><I>n|BTC)/i
+ body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E>nt by b<I>tco<I>n/i
+ body __KAM_CRIM4 /erotica|<P>orn|promising evidence|video|<M>asturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana/i
-body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz|deadline|hours only to send the fund/i
-header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news|central intelligence|pervert/i
+ body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz|deadline|hours only to send the fund|address immediately/i
+ header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account/i
-meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
-describe KAM_CRIM Extortion Email
-score KAM_CRIM 7.5
+ header __KAM_CRIM7 From =~ /h<A>ck<E>r/i
+
+
+ meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
+ describe KAM_CRIM Extortion Email
+ score KAM_CRIM 7.5
+endif
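Review bot: `__KAM_CRIM7` is defined by the new `header __KAM_CRIM7 From =~ /h<A>ck<E>r/i` and added to the `replace_rules` list, but the `meta KAM_CRIM` line that follows still sums only __KAM_CRIM1 through __KAM_CRIM6, so the new From check never contributes to the score. Either add it to the meta, `meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 >= 4)`, or drop the unused sub-rule; lint will not complain about an unreferenced `__` rule, so the omission is easy to miss. If it is added, check whether the threshold of 4 still fits with seven inputs, since the extra term makes the rule easier to trip.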
#KAM_CRIM_V2
body __KAM_CRIM2_1 /bit.{0,2}coin/i
#ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
# Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D. $a
-# Switch rawbody check to Mail::SpamAssassin::Plugin::MIMEHeader
# Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
-rawbody __KAM_ZWNJ1 /Content\-Type.{1,1000}charset.{1,1000}windows\-1256/i
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_ZWNJ1 Content-Type =~ /charset.+windows-1256/i
+endif
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
tflags __KAM_ZWNJ2 multiple maxhits=16
+body __KAM_ZWNJ3 /\&\#x200B;/i
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
-meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
+meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
score KAM_ZWNJ 7.0
+describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
+meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
+score KAM_ZWNJBAD 2.0
+
#GIRLS
body __KAM_GIRLS1 /Lack of sex/i
#FUN SPAM RUN
header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world>?$/i
body __KAM_FUN2 /Addify Link/i
-body __KAM_FUN3 /This Offer is (only )?for (united states|USA)/i
-header __KAM_FUN4 Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement/i
+body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|can't see this image/i
+header __KAM_FUN4 Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus/i
meta KAM_FUN (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
-score KAM_FUN 4.5
+score KAM_FUN 6.5
#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
uri KAM_DRIVENUM /\d+\.drive\.google.com/i
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
- header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/
+ header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i
describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
score KAM_RAPTOR_ALTERED 2.0
endif
score KAM_HTMLINVOICE2 3.5
endif
+# Spear phishing rules
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ header __GB_TO_ADDR_FREEMAIL eval:check_freemail_header('To:addr')
+ header __GB_TO_NAME_FREEMAIL eval:check_freemail_header('To:name')
+ meta GB_TO_NAME_FREEMAIL ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
+ describe GB_TO_NAME_FREEMAIL Freemail spear phish with free mail
+ score GB_TO_NAME_FREEMAIL 0.01
+
+ header __GB_FROM_ADDR_FREEMAIL eval:check_freemail_header('From:addr')
+ header __GB_FROM_NAME_FREEMAIL eval:check_freemail_header('From:name')
+ header __GB_FROM_NAME_EMAIL From:name =~ /\@/
+ meta GB_FROM_NAME_FREEMAIL ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
+ describe GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
+ score GB_FROM_NAME_FREEMAIL 0.01
+endif
+
# Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
# FIXED rule distributed via sa-update since 2019-05-31
# meta __STYLE_GIBBERISH_1 0
+ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
+ # Allow googleapis.com to be blacklisted due to spam runs in June 2019 exploiting it
+ clear_uridnsbl_skip_domain googleapis.com
+endif
+
+# Need a favor phishing
+header __KAM_FAVOR1 Subject =~ /Request|Quick Reply/i
+body __KAM_FAVOR2 /I need a favor from you|Are you available to work on a request for me today/i
+body __KAM_FAVOR3 /email me back as soon as possible|send me your personal cell phone number/i
+
+meta KAM_FAVOR (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
+describe KAM_FAVOR Phishing Attempt
+score KAM_FAVOR 7.5
+
+#if (version >= 3.004003)
+#
+#ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+#
+#ifplugin Mail::SpamAssassin::Plugin::HashBL
+#
+#rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP
+#
+# #MARKETING IN FROM
+# header PCCC_FROM_MARKETINGBL_PCCC eval:check_rbl_headers('pccc', 'wild.pccc.com.', '127.0.0.32')
+# describe PCCC_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL)
+# tflags PCCC_FROM_MARKETINGBL_PCCC net
+# score PCCC_FROM_MARKETINGBL_PCCC 0.001
+# priority PCCC_FROM_MARKETINGBL_PCCC -100
+#
+# header PCCC_FROM_MARKETINGBL_PCCC2 eval:check_rbl_headers('pccc', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
+# describe PCCC_FROM_MARKETINGBL_PCCC2 From address associated with mass-marketing (https://raptor.pccc.com/RBL)
+# tflags PCCC_FROM_MARKETINGBL_PCCC2 net
+# score PCCC_FROM_MARKETINGBL_PCCC2 0.001
+# priority PCCC_FROM_MARKETINGBL_PCCC2 -100
+#
+# header PCCC_RDNS eval:check_rbl_rcvd('pccc', 'wild.pccc.com.', '127.0.1.2')
+# describe PCCC_RDNS Rdns check
+# tflags PCCC_RDNS net
+# score PCCC_RDNS 0.001
+# priority PCCC_RDNS -100
+#
+# header PCCC_FROM_NS eval:check_rbl_ns_from('pccc', 'wild.pccc.com.', '127.0.1.1')
+# describe PCCC_FROM_NS dns server of From address in RBL
+# tflags PCCC_FROM_NS net
+# score PCCC_FROM_NS 0.001
+# priority PCCC_FROM_NS -100
+#
+# header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'freemail', 'Reply-To')
+# describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL
+# tflags PCCC_HASHBL_EMAIL net
+# score PCCC_HASHBL_EMAIL 0.001
+# priority PCCC_HASHBL_EMAIL -100
+#
+# header PCCC_HASHBL_EMAIL2 eval:check_hashbl_emails('wild.pccc.com', 'md5', 'all', 'X-Sender')
+# describe PCCC_HASHBL_EMAIL2 Message contains email address found on PCCC HashBL
+# tflags PCCC_HASHBL_EMAIL2 net
+# score PCCC_HASHBL_EMAIL2 0.001
+# priority PCCC_HASHBL_EMAIL2 -100
+#
+# header PCCC_HASHBL_EMAIL3 eval:check_hashbl_emails('wild.pccc.com', 'md5', 'all', 'X-SRS-Sender')
+# describe PCCC_HASHBL_EMAIL3 Message contains email address found on PCCC HashBL
+# tflags PCCC_HASHBL_EMAIL3 net
+# score PCCC_HASHBL_EMAIL3 0.001
+# priority PCCC_HASHBL_EMAIL3 -100
+#
+# header PCCC_HASHBL_EMAIL4 eval:check_hashbl_emails('wild.pccc.com', 'md5')
+# describe PCCC_HASHBL_EMAIL4 Message contains email address found on PCCC HashBL
+# tflags PCCC_HASHBL_EMAIL4 net
+# score PCCC_HASHBL_EMAIL4 0.001
+# priority PCCC_HASHBL_EMAIL4 -100
+#
+#endif
+#
+#endif
+#
+#endif
# EOF