#KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
-#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
+#Authors: Kevin A. McGrail with key contributions from Joe Quinn, Karsten Bräckelmann,
# Bill Cole & Giovanni Bechis
-#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
-# at https://raptor.pccc.com/raptor.cgim?template=report_problem
+#Email: Kevin.McGrail@McGrail.com
-#HomePage: http://www.mcgrail.com/downloads/KAM.cf
+#Questions: Questions about the KAM Ruleset are best submitted at:
+# https://raptor.pccc.com/raptor.cgim?template=report_problem
+
+#HomePage: https://mcgrail.com/template/projects#KAM1
#Installation: There are multiple files that make up the KAM ruleset including
#cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
-#This is a collection of special rules that I have developed and use on my system.
+#This is a collection of special rules that KAM developed and uses for
+#https://raptoremailsecurity.com/.
#
#The exact date is lost to the sands of time but we have been publishing this
-#ruleset since at least May 2004.
-#
-#They are intended as live research for committal to SpamAssassin's SVN sandbox but
-#often rely on my corpora so they do not fair well in masschecks.
+#ruleset since at least May 2004 at no charge for the benefit of all.
#
-#You are welcome and encouraged to email me directly regarding suggestions.
+#They were intended as live research for committal to SpamAssassin's SVN sandbox but
+#often rely on our corpora so they do not fair well in masschecks.
-#To avoid being caught by our filters, False positives and negatives should be
-#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
-#
-#I believe the rules are safe and they are in use on production systems so I will
-#do my best to respond to FPs *especially* if you can send me an email sample.
-#
-#IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.
+
+#Problems and suggestions are best sent by this form to avoid being caught by our
+#filters: #https://raptor.pccc.com/raptor.cgim?template=report_problem
+#We do respond to most problem reports *especially* if you send an email sample.
+#Samples in mbox format are preferred.
-#It is best to save an email sample in mbox format and zip it to attach to get
-#around my filters. It is sometimes best to send samples in a second email so I
-#know to go looking for it in my spam folders.
+#The KAM Ruleset is production ready and in use on production systems protecting
+#many millions of mailboxes every day.
#
-#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
+#IMPORTANT: This ruleset cf file is designed for systems at a threshold of 5.0+.
+
+
+#NOTE: We do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
-# - I don't view many of my rules as single rules as I typically use meta rules.
-# I view meta rules as multiple rules hence a larger score is acceptable.
+# - Because we use meta rules, false positives are minimized and a larger score
+# is acceptable.
#
-# - Some content needs to be blocked either due to large number of complaints or
-# for content. For example, the sexually explicit items and the stock tips.
-# FPs in these rules will be quickly addressed.
+# - In developing these rules and the associated RBL, we use a consent litmus
+# test. We do not block solely based on content except for the sexually
+# explicit rules. You can, of course, locally disable these rules.
-#Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
+
+#Copyright (c) 2022 Kevin A. McGrail and The McGrail Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# See the License for the specific language governing permissions and
# limitations under the License.
-# COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
+# Thanks to Wolfgang Breyha for his help fixing a few rules
+
+# COURTESY OF Marcin Miros
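Review bot: The problem-report URL on L38 has a stray `#` fused to it (`#filters: #https://raptor.pccc.com/...`), so the address cannot be copied cleanly out of the header; the intended line is `#filters: https://raptor.pccc.com/raptor.cgim?template=report_problem`. Two smaller wording points in the same header: `do not fair well` on L28 should read `do not fare well`, and the contributor credit on L75 is now truncated at `Marcin Miros` where the old L72 carried a mis-encoded but complete form — it looks like the encoding repair dropped the rest of the name rather than fixing it.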
body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
-body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
+body __KAM_STOCKTIP124 /((\b|^)VGPM(\b|$)|Vega Promotional Sys)/is
body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
score KAM_HOME 3.5
#UNIVERSITY RULE
+replace_rules __KAM_UNIV11 __KAM_UNIV15 __KAM_UNIV3B
+
body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
body __KAM_UNIV8 /Career Path/is
body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
-body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
+body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch<O1>/is
body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
body __KAM_UNIV14 /(earn a|full) transcript/is
-body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
+body __KAM_UNIV15 /(No Study Required|Without Exams|No ex<A1>ms|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body __KAM_UNIV18 /100% discrete/is
body __KAM_UNIV1B /\d (months|weeks)/i
body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
-body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
+body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec<O1>me a do<C1>|get your diploma today)/is
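Review bot: The `<O1>`, `<A1>` and `<C1>` tags introduced on L97, L102 and L109, and the `replace_rules` line on L88, only take effect when the ReplaceTags plugin is loaded and those tags are defined; otherwise the literal text `<O1>` stays in the regex and `Field of yourr? ch<O1>` never matches, so the rule silently loses the `choice`/`chòìce` coverage the old L96 pattern had. No `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags` guard is visible around these lines (it may sit above this view); if there is none, wrap the block, and add a comment naming where the tags are defined, e.g. `# <O1>/<A1>/<C1> are replace_tag definitions in <TAGS_FILE_PLACEHOLDER>`. Separately, unless `<C1>` expands to more than a single obfuscated character, L109 also dropped the `tor` of `doctor`: the old L108 had `do[cç]tor` and the new line has only `do<C1>`, so the intended phrase would no longer be matched as a whole word.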
body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
body __KAM_UNIV6B /DIP\sLOMA/
score KAM_GEO_STRING2 4.7
#KAM GOOGLE SPAM
-uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
-describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
-score KAM_GOOGLE_STRING 1.0
+uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.{0,5}\/url\?q=/i
+
+meta KAM_GOOGLE_REDIR __KAM_GOOGLE_REDIR
+describe KAM_GOOGLE_REDIR Use of Google redir
+score KAM_GOOGLE_REDIR 1.5
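Review bot: The new pattern on L118 cannot match the real redirector: `google\.{0,5}` quantifies the escaped dot, so the regex accepts `www.google/url?q=` or `www.google...../url?q=` but rejects `www.google.com/url?q=` and `www.google.co.uk/url?q=`, because the TLD characters are never consumed before the required `\/url`. The old rule on L115 at least matched google.com, so as committed this is a detection regression rather than the broadening the rename suggests. Suggested replacement, which keeps the country-code coverage the change appears to aim at: `uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.[a-z.]{2,10}\/url\?q=/i`.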
#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
describe KAM_PAGE Page.TL likely spam (Nov 2011)
score KAM_PAGE 2.0
+# .html link stored on S3
+uri GB_S3_HTM /^https?:\/\/s3\.amazonaws\.com\/.{3,128}\.html?/i
+describe GB_S3_HTM .html link stored on AWS S3
+score GB_S3_HTM 4.5
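Review bot: GB_S3_HTM is scored 4.5, just under the 5.0 threshold this file states it targets, and it fires on any `.htm`/`.html` object under the path-style S3 endpoint with no other indicator; static sites, documentation and newsletter assets are served from the same host, so this is a score that would normally want corpus confirmation or a meta combining it with a second signal. Coverage is also uneven: only `s3.amazonaws.com/<bucket>/...` is matched, while the virtual-hosted (`<bucket>.s3.amazonaws.com`) and regional (`s3.<region>.amazonaws.com`) forms of the very same object are not. If the broader host coverage is wanted, a sketch is `uri GB_S3_HTM /^https?:\/\/(?:[a-z0-9.-]+\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\/.{3,128}\.html?/i` (constructed, to be tested against the corpus).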
+
+if (version >= 4.000000)
+if can(Mail::SpamAssassin::Conf::feature_capture_rules)
+ header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/
+
+ # Links to malware stored on Google storage
+ uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
+ describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
+ score GB_STORAGE_GOOGLE_EMAIL 2.000
+
+ # Links to malware
+ uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)(?:\#|\?&e=)?%{GB_TO_ADDR};i
+ uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
+ uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:email=|wapp\#)%{GB_TO_ADDR};i
+ uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
+ meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
+ describe GB_CUSTOM_HTM_URI Custom html uri
+ score GB_CUSTOM_HTM_URI 1.500
+
+endif
+endif
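Review bot: The captured To:addr is interpolated verbatim into the uri patterns on L137 and L142–L145 via `%{GB_TO_ADDR}`; if the engine does not quotemeta the capture for the installed version (check the feature_capture_rules documentation before relying on it), a dotted or plus-addressed recipient changes the meaning of the pattern, and an unset or empty capture turns `__GB_CUSTOM_HTM_URI0` into a match on almost any URL with a path. The capture pattern `(?<GB_TO_ADDR>.*)` on L134 also matches the empty string, so the header rule succeeds even when To:addr is blank. Consider tightening it to `header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>[^\s,]+\@[^\s,]+)/` so only a well-formed address is captured, and confirm how an undefined capture is treated when the dependent uri rules run. A one-line comment above L134 stating that the capture feeds the uri rules below would also help the next reader, since nothing in the rule name says so.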
+
# This rule is to mark emails using the exploit of the URI parsing
uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
-header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret/i
+header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret|small member|g-spot|XXX life|cart.?bloom.?jigsaw|clogged.?colon|Peppy.?Pet.?ball|derma.?correct|secret to squirting|monstrous cock|adult film star extension secret|inches to your manhood|lack of sex|harrys.?affiliate|numerologist|your prostate|stiffening tonic|need sex partner/i
#TRYING TO GET RID OF FPs WITH LAST NAMES
-header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school of squirt)|hookup.?alert|horny|bedroom.?partner|hookup.?online|lovely.?asian/i
+header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school.?of.?squirt)|hookup.?alert|bedroom.?partner|hookup.?online|lovely.?asian|squirting.?school|sex.?portal|sex.?club|liberator.?x2|instahard|eat me with your dick/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
-body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls in your city/i
+body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|(naughty|horny).milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls (from|in) your city|rock.?hard boner|reclaiming your manhood|sexy and horny|bad girls from your city|awesome in bed|turbo\-charge your bed|shocking erection|stiffening tonic|anal fun|fingering videos/i
#remove f\#ck for FPs
+tflags __KAM_SEX_EXPLICIT4 nosubject
header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
score KAM_TELEWORK 3.0
#Changed to meta 2017-10-17
+#Key removal/credits
#2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
#2019-11-24 - Removed .bid for FPs
#2020-06-04 - Added FP check for td.date and div.top
-#2020-08-23 - Added guru
#2021-08-14 - Thanks to Giovanni for the new regex and Kenneth Porter for the FP for things that ended in one of the TLDs but wasn't part of the domain
#2021-08-25 - Added a FP fix for date with { from programming discussions
-header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar|sbs)$/i
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar|sbs)($|\/|\:)/i
+#2022-04-26 - Sort tlds and add .cfp domain
+#2022-09-21 - adding .link back due to prevalence
+header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)$/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)($|\/|\:)/i
#FPs
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|de[b|l]\.date|div\.top($|\/)/i
body __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF /\.date ?\{/i
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE))
-describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa, .online, .cam, .shop, .bar, .club, .sbs & .date TLD Abuse
+describe KAM_SOMETLD_ARE_BAD_TLD .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .work, .xyz TLD abuse
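Review bot: `de[b|l]\.date` on L187 is a character class, not an alternation — `[b|l]` matches `b`, `|` or `l`, so the FP exception also silently matches `de|.date`; write it as `de[bl]\.date` (or `de(?:b|l)\.date`). Separately, KAM_SOMETLD_ARE_BAD_TLD is scored 5.0 and the From:addr branch on L183 carries none of the negative guards the URI branch has, so with .link, .live, .xyz, .work and .quest now in the list a single sender address on one of those TLDs reaches the 5.0 threshold the header says this file targets. L173 records .link being removed in 2017 after the registry committed to abuse handling and L182 adds it back; a short comment on what changed, or corpus numbers for the new TLDs, would make that reversal easier to defend.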
score KAM_SOMETLD_ARE_BAD_TLD 5.0
#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
score KAM_LOCAL_TEST1 50
#REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
- header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
+ header KAM_RPTR_FAILED X-Raptor-Reverse =~ /^Failed/
describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
score KAM_RPTR_FAILED 6.0
- header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
+ header __KAM_RPTR_SUSPECT X-Raptor-Reverse =~ /^Suspect/
meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
score KAM_RPTR_SUSPECT 2.45
#REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
- header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
+ header __KAM_RPTR_PASSED X-Raptor-Reverse =~ /^Passed/
meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
score KAM_RPTR_PASSED -1.0
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
- score KAM_RPTR_MISSING 9.0
+ score KAM_RPTR_MISSING 6.0 #Lowered to 6.0 temporarily
#DWDTECHSPAM /ETC
- header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
+ header KAM_RPTR_BADHOST X-Raptor-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
score KAM_RPTR_BADHOST 9.0
+ header KAM_NOTLS X-Raptor-TLS =~ /False/
+ describe KAM_NOTLS Mail has been sent using an unsecure connection
+ score KAM_NOTLS 0.001
+
#CUSTOM SCORES THAT KAM LIKES
#score SARE_GIF_ATTACH 3.0
score CHARSET_FARAWAY_HEADER 1.6
#score FRANCHISE_JERRY -99.0
#describe FRANCHISE_JERRY Jerry's Franchise Application or Request
- header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
+ header KAM_INVALID_FROM X-Raptor-From =~ /From Header Missing Host/
describe KAM_INVALID_FROM From header missing host portion
- score KAM_INVALID_FROM 4.0
+ score KAM_INVALID_FROM 6.0
#RAPTOR ALTERED EMAILS
#body __KAM_RAPTOR1 /altered by our Raptor filters/i
- #header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
+ #header __KAM_RAPTOR2 X-Raptor-Alter =~ /True/
#meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
#describe KAM_RAPTOR PCCC Raptor altered the email
endif
#KAM Bad Attach
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#KAM Bad Attach
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#KAM Bad Attach
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
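Review bot: `KAM_RPTR_MISSING` is defined three more times on L244, L249 and L254, each under a `#KAM Bad Attach` comment that describes KAM_BADATTACH rather than this rule, and each re-sets the score to 9.0. SpamAssassin takes the last definition of a rule and score, so unless these blocks sit in a different ifplugin scope than L212–L215 — which this view cannot confirm — the temporary lowering to 6.0 on L215 is overridden and the effective score stays 9.0. The three copies look like copy-paste residue; dropping them and keeping one definition next to L215 would make the intended score unambiguous.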
#KAM Bad Attach
- header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
+ header KAM_BADATTACH X-Raptor-BadAttach =~ /^True/
describe KAM_BADATTACH Mail contains a bad attachment
score KAM_BADATTACH 15.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
- header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
+ header KAM_IFRAME X-Raptor-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
describe KAM_IFRAME Email contained Iframe, Object or Script tags
- score KAM_IFRAME 1.0
+ if can(Mail::SpamAssassin::Conf::feature_subjprefix)
+ subjprefix KAM_IFRAME [Javascript]
+ endif
+ score KAM_IFRAME 2.0
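Review bot: The raise to `score KAM_IFRAME 2.0` on L271 appears to be overridden by `score KAM_IFRAME 0` on L281 inside the same `ifplugin Mail::SpamAssassin::Plugin::KAMOnly` block (L262–L282, assuming no lines are elided between them in this view), since the last score directive wins. If the zero is intentional because KAM_IFRAME is only consumed as a component of the KAM_XEROX meta on L278, then the 2.0 and the new subjprefix are dead; if not, L281 should go. Either way a one-line comment stating which is intended would stop the next edit from repeating this, e.g. `# KAM_IFRAME is scored 0 below: used only as a KAM_XEROX component`.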
body KAM_IFRAME2 /you need a browser with javascript/i
describe KAM_IFRAME2 Email contains phrase instructing javascript use
describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
#XEROX SCANS
- header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
+ header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device|document from xerox scanner/i
meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
score KAM_XEROX 5.0
describe KAM_XEROX Likely Fake Xerox Attachment
score KAM_IFRAME 0
endif
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ #WE USE MIMEDEFANG TO DISABLE TRACKING IMG TAGS
+ header KAM_IMG_TRACKING X-Raptor-TrackingWarning =~ /remote tracking image\(s\) deactivated by MIMEDefang/
+ describe KAM_IMG_TRACKING Email contained a tracking img tag
+ score KAM_IMG_TRACKING 0.001
+endif
+
#STUPID REMOVE "*" to make the link working.
body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
score KAM_ADVERT3 5.0
#ADVERTISEMENT
-body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment|share your contact/is
+body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This (message|entire message|communication) is an ad|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment|share your contact/is
describe KAM_ADVERT2 This is probably an unwanted commercial email...
score KAM_ADVERT2 0.75
meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe KAM_NIGERIAN Nigerian Scam and Variants
-score KAM_NIGERIAN 2.5
+score KAM_NIGERIAN 2.25
#I LIKE YOUR SPAM
body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
-header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
+header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)|have an affair/i
body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
endif
endif
-
+#BAD PURCHASE ORDER
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
util_rb_2tld googleapis.com
util_rb_2tld a2hosted.com
util_rb_2tld netlify.app
+ util_rb_2tld kriya.ai
+ util_rb_2tld usekalendarai.com
+ util_rb_2tld trykalendarai.com
+ util_rb_2tld outrch.com
+ util_rb_2tld campaign-view.com
+ util_rb_2tld fameup.net
+ util_rb_2tld msgfocus.com
+ util_rb_2tld herokuapp.com
+ util_rb_2tld boxmode.io
+ util_rb_2tld amplifyapp.com
+ util_rb_2tld azurewebsites.net
+ util_rb_2tld wixsite.com
+ util_rb_2tld workers.dev
+ util_rb_2tld in.net
+ util_rb_2tld ru.com
+ util_rb_2tld za.com
+ util_rb_2tld sa.com
+ util_rb_2tld hubspot-inbox.com
+ util_rb_3tld en.alibaba.com
+ util_rb_2tld co.in
+ util_rb_2tld firebaseapp.com
+ util_rb_2tld glitch.me
+ util_rb_2tld awsapps.com
+ util_rb_2tld app.link
+ util_rb_2tld glueup.com
+ util_rb_2tld radio.am
+ util_rb_2tld wufoo.com
endif
# allow URI rules to look at DKIM headers if they exist and our SA version supports it
- if (version >= 3.0040001)
+ if (version >= 3.004001)
parse_dkim_uris 1
endif
meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
score KAM_MARKETINGBL_PCCC 1.0
+ tflags KAM_MARKETINGBL_PCCC net
endif
+
+ # SEM-FRESHZERO
+ urirhssub SEM_FRESHZERO freshzero.spameatingmonkey.net. A 2
+ body SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')
+ describe SEM_FRESHZERO Contains a domain never seen before
+ tflags SEM_FRESHZERO net
+ score SEM_FRESHZERO 2.5
+ # SEM-FRESH
+ urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
+ body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
+ describe SEM_FRESH Contains a domain registered less than 5 days ago
+ tflags SEM_FRESH net
+ score SEM_FRESH 2.0
+ # SEM-FRESH10
+ urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2
+ body SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')
+ describe SEM_FRESH10 Contains a domain registered less than 10 days ago
+ tflags SEM_FRESH10 net
+ score SEM_FRESH10 1.5
+
+ meta KAM_SEMFRESH (SEM_FRESHZERO || SEM_FRESH || SEM_FRESH10 )
+ describe KAM_SEMFRESH Contains a domain recently registered
+ tflags KAM_SEMFRESH net
+ score KAM_SEMFRESH 0.001
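Review bot: The three SEM lookups are scored independently (2.5, 2.0, 1.5) while the KAM_SEMFRESH meta that groups them gets 0.001; if the lists nest as the describe lines say (a domain under 5 days old is also under 10 days), one fresh domain hits SEM_FRESH and SEM_FRESH10 together for 3.5, and with SEM_FRESHZERO 6.0 — above the 5.0 threshold from a single external DNSBL signal. The usual shape is to make the lookups `__SEM_*` non-scoring subrules and put the score on the meta, or to score only the tightest list. Since every installation loading this file will now query the spameatingmonkey service, a comment next to the block noting that dependency and its terms of use would also be worth adding.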
endif
if (version >= 3.004001)
urirhssub KAM_BODY_WELCOMELIST_URIBL_PCCC wild.pccc.com. A 127.0.1.8
body KAM_BODY_WELCOMELIST_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
describe KAM_BODY_WELCOMELIST_URIBL_PCCC Body contains URI listed in PCCC Welcome List URIBL (https://raptor.pccc.com/RBL)
- tflags KAM_BODY_WELCOMELIST_URIBL_PCCC net
+ tflags KAM_BODY_WELCOMELIST_URIBL_PCCC net nice
score KAM_BODY_WELCOMELIST_URIBL_PCCC -7.0
endif
endif
meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM)
describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL
score KAM_VERY_BLACK_DBL 5.0
+ tflags KAM_VERY_BLACK_DBL net
endif
endif
#FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES
+header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{3}\@(gmail|hotmail|yahoo)\.com/i
+header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?\d{5,10}\@(gmail|hotmail|yahoo)\.com/i
+meta GB_FREEMAIL_NUM ( __GB_FREEMAIL_NUM0 || __GB_FREEMAIL_NUM1 )
+describe GB_FREEMAIL_NUM Freemail spammy address
+score GB_FREEMAIL_NUM 1.0
+
+header __GB_FREEMAIL_GMAIL From:addr =~ /\@gmail\.com/i
+meta GB_GMAIL_NUM ( GB_FREEMAIL_NUM && __GB_FREEMAIL_GMAIL && ( KAM_DMARC_NONE || KAM_DMARC_QUARANTINE ) )
+describe GB_GMAIL_NUM Spam from random Gmail address
+score GB_GMAIL_NUM 2.0
+
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
- header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\d{3}\@(gmail|hotmail|yahoo)\.com/i
- header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\d{5,10}\@(gmail|hotmail|yahoo)\.com/i
- meta GB_FREEMAIL_NUM ( __GB_FREEMAIL_NUM0 || __GB_FREEMAIL_NUM1 )
- describe GB_FREEMAIL_NUM Freemail spammy address
- score GB_FREEMAIL_NUM 1.0
- meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY )
+ meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY )
describe GB_UNWANTED_FREE_NUM Freemail spammy address and unwanted language
score GB_UNWANTED_FREE_NUM 3.0
endif
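Review bot: GB_GMAIL_NUM adds 2.0 on top of GB_FREEMAIL_NUM's 1.0 whenever the gmail.com sender has a none/quarantine DMARC result; if KAM_DMARC_NONE reflects the sender domain's published policy and gmail.com still publishes `p=none`, that condition holds for essentially every Gmail sender, making this a flat 3.0 hit on any Gmail address with a digit suffix — and these rules have just moved out of the KAMOnly gate to all users of the file. Worth a ham check before it ships broadly. The gap between `\d{3}` and `\d{5,10}` looks deliberate (4-digit suffixes, presumably birth years) but is undocumented; a comment such as `# 4-digit suffixes (e.g. jane1985@) are skipped on purpose: common in legitimate addresses` would stop someone "fixing" it later.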
#SEARCH ENGINE SPAM
#Subj
-header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO/i
+header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO|web design|on page 1|top rank|info & cost/i
#what specific
-body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
- #ranging
-body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO/i
+body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing (manager|strateg)/i
+tflags __KAM_SEARCH2 nosubject
+ #ranking
+body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|\(India\)|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO|rank on page (1|one)|top page ranking|white.?hat SEO/i
tflags __KAM_SEARCH3 nosubject
#how
-body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you quote/i
+body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you (our past work|quote)|website audit|seo (package|campaign)|package for \d+ keyword/i
#who
-rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|sales manager/i
+rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|(marketing|sales) manager/i
-meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
-score KAM_SEARCH 6.0
+meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 + FREEMAIL_FROM >= 5)
+score KAM_SEARCH 7.5
describe KAM_SEARCH Spammers hawking SEO
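Review bot: Raising the KAM_SEARCH threshold to 5 while adding FREEMAIL_FROM as a sixth term means a sender that is not on a freemail domain now has to hit all five `__KAM_SEARCH` subrules, where previously four sufficed; together with the 6.0→7.5 score this is a real tightening for the non-freemail case that the hunk does not explain. If that is intended, a one-line comment above the meta (`# 5 of 6: non-freemail SEO spam must hit every subrule`) would record it; if not, keeping `>= 4` with FREEMAIL_FROM as an extra vote is closer to the old behaviour. FREEMAIL_FROM also comes from the FreeMail plugin, so unless this part of the file sits inside an `ifplugin Mail::SpamAssassin::Plugin::FreeMail` guard (not visible here) the meta gains an undefined dependency on installs without it.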
#SEO
-header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website/i
+header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|rank|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website|getting online sales/i
#what we give you
-body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report/i
+body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report|higher search rank|top \d+ search engine rank/i
tflags __KAM_SEO2 nosubject
#what we do/fix
-body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website/i
+body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website|increase your organic traffic/i
#SEO
body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
#costs
-body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|proposal for your website/i
+body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|(plan of action|proposal) for your website/i
#SEO Indicators
-body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing/i
+body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing|panda.?safe|digital marketing/i
# LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
uri __KAM_SEO7 /./
#WEB DESIGN
-header __KAM_WEB1 Subject =~ /Web.?(Design|programming|Development)/i
+header __KAM_WEB1 Subject =~ /(app|Web|software).?(proposal|Design|programming|Development)/i
-body __KAM_WEB2 /indian?.based.(web|it)|certified.it.company|offering Website Design/i
+ #service
+body __KAM_WEB2 /indian?.based.(web|it)|certified.it.company|offering Website Design|(expert|based) in india|software development.{0,2}firm|develop your web/i
tflags __KAM_WEB2 nosubject
-
+ #title
body __KAM_WEB3 /Online Marketing (Executive|Consultant)|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i
meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
describe KAM_WEB Web design spams
#DOMAIN NAME AND OTHER RELATED SPAMS
-body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
+body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
header __KAM_DOMAIN4 From =~ /domain|submit.site/i
score KAM_SEXSUBJECT 2.0
describe KAM_SEXSUBJECT Sexually Explicit Subject
-#RUSSIAN WIFE/BRIDE SCAMS
+#RUSSIAN WIFE/BRIDE SCAMS - Raising to >= 3 for FPs due to Russian Invasion of Ukraine 2/25/2023
header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe|girls)/i
body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
tflags __KAM_WIFE2 nosubject
header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice|hot).?(russian|asian)/i
-meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
+meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 3)
score KAM_WIFE 8.0
describe KAM_WIFE Mail order bride scams
#DON NOB & WORK FROM HOME SCAMS
-header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
+header __KAM_DON1 X-Raptor-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
-body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i
+body __KAM_TAX4 /MSNBC|fox news|\bCNN\b|please.confirm|you.qualify|obtain.now|must.see.tax/i
meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score KAM_TAX 2.5
replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
#ISSUE
- body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|suspicious activities|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive new e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid being barred|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox/i
+ body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?(exhausted|fu<L1><L1>)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be pre<V1>ented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire/i
tflags __KAM_MAILBOX1 nosubject
#ACTION
- body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same) password|change password|stop (this action|account removal)|fix your email|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the request|prevent lock of 
account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account/i
- tflags __KAM_MAILBOX2 nosubject
- #SUBJECT
- header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|out of storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt/i
-
- meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH) >= 2
+ body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the 
request|prevent lock of account|back under the limit|update no<W1>|re<A1>ctiv<A1>te <A1>ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail/i
+ tflags __KAM_MAILBOX2 nosubject
+ #SUBJECT
+ header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? 
notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice/i
+
+ #NON OBFUSCATED VARIANT NOT A SPAM INDICATOR
+ header __KAM_MAILBOX3FP Subject =~ /verification/i
+
+ #COMPROMISED SYSTEMS
+ uri __KAM_WPADMIN /\/wp-admin\//i
+
+ meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH + __KAM_WPADMIN) >= 2
score KAM_MAILBOX 7.75
describe KAM_MAILBOX Mailbox Quota Phishing Scams
- meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
+ meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) + KAM_SHORT >=3) && !KAM_MAILBOX
score KAM_MAILBOX2 6.25
describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
endif
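Review bot: The `!__KAM_MAILBOX3FP` guard zeroes the whole subject arm rather than just the plain-word hit: any subject containing "verification" makes `(__KAM_MAILBOX3 && !__KAM_MAILBOX3FP)` false even when the subject also matches unrelated `__KAM_MAILBOX3` alternatives such as `(password|mail) (has|will) expire` or `account (is )?(blocked|limited)`, and this applies to both KAM_MAILBOX and KAM_MAILBOX2. The intent appears to be that only the obfuscated spelling should count, but `__KAM_MAILBOX3` still matches the plain word twice — via the literal `verification` inside `(mail|mailbox|account|password) (...)` and via `ver<I1>f<I1>cat<I1>on`, since `<I1>` includes a literal `i`. Excluding the plain spelling inside the regex itself, e.g. `ver(?!ification)<I1>f<I1>cat<I1>on` plus dropping the literal `verification` alternative, would make the guard unnecessary and keep the other subject patterns effective. The `ifplugin` that this `endif` closes opens outside the hunk.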
meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
+tflags KAM_SHORT net
score KAM_SHORT 0.001
describe KAM_SHORT Use of a URL Shortener for very short URL
if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url)
# use DecodeShortURLs plugin and disable __KAM_TINYDOMAIN
body __KAM_SHORT eval:short_url()
+ tflags __KAM_SHORT net
else
#OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this.
uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
- uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm).{2,7}\//i
+ uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i
endif
else
#OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this.
uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
- uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm).{2,7}\//i
+ uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i
endif
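Review bot: The fallback `__KAM_SHORT`/`__KAM_TINYDOMAIN` pair is duplicated verbatim in the two `else` branches, which is why the `gov` exclusion had to be patched twice; the next tweak will drift unless both copies are remembered. If the outer condition (its opener is outside the hunk) exists only so that `can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url)` is never evaluated with the plugin absent, a single `if can(...)`/`else`/`endif` with one copy of the fallback may suffice, since `can()` simply fails for a missing plugin — worth confirming against the SA versions you support. Note also that `(?!avg|ibm|gov)` is a plain prefix exclusion: it skips `gov.uk` but equally any label starting with those letters; a short comment on the exclusion criteria (`# known-good short second-level labels; prefix match, so also skips e.g. governance.*`) would help the next editor.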
#POWER CHAIRS
#renamed to A1, C1, etc. to avoid collissions with stock rules
#Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
#thanks as well to Henrik Krohns
-replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
+
+#Write a very broad regex like g.*k.?squ.* and the debug outputs something like G\x{CF}\x{B5}\x{CF}\x{B5}k Squ" Then you can Edit the tag for E1 to add |[\xcf][\xb5]
+# replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
+replace_tag A1 (?:a|[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
-replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
+replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c]|[xd0\xa1])
replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
-replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
+replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab])
replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
+replace_tag K1 (?:k|[\xd0][\xba])
replace_tag L1 (?:l|i)
replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
-replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e])
-replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
+replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e]|[\xc3][\xb4])
+replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99]|[\xd0\xa0])
replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
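Review bot: The alternative `[xd0\xa1]` added to the C1 line is missing the backslash before `xd0`, so that bracket class matches a literal `x`, `d` or `0` (plus the single byte `\xa1`) rather than the Cyrillic byte pair, and the same line already carries `[\xd0][\xa1]`, so the addition can be dropped: `replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])`. On the P1 line `[\xd0\xa0]` is a class matching either byte on its own, whereas the other two-byte entries on that line are written as a sequence of two classes, so `[\xd0][\xa0]` is the consistent form. The A1 rewrite `[\xf0\x9d\x97][\xae]` likewise matches one byte from the class followed by `\xae` rather than the four-byte UTF-8 sequence; if the four-byte form is the intent, it presumably has to be written without brackets as `\xf0\x9d\x97\xae`, which is worth checking against the debug output the new comment describes (the pre-existing `[xf0...]` entry in B1 has the same missing-backslash slip).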
#CO.UK
header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
-score KAM_COUK 0.85
+score KAM_COUK 0.6
#FAKE FACEBOOKMAIL
#REAL FB DOMAIN
#DHL
header __KAM_FAKE_DELIVER3 From:name =~ /DHL/i
-header __KAM_FAKE_DELIVER4 From:addr !~ /dhl.com/i
+header __KAM_FAKE_DELIVER4 From:addr !~ /dhl\.com/i
body __KAM_FAKE_DELIVER4A /dhl team/i
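Review bot: `From:addr !~ /dhl\.com/i` is still unanchored after the dot fix, so any address that merely contains `dhl.com` turns the negation off and suppresses __KAM_FAKE_DELIVER4 even though the sender is not the real domain. Anchoring on the end of the address, `header __KAM_FAKE_DELIVER4 From:addr !~ /[.@]dhl\.com$/i`, keeps `@dhl.com` and its subdomains excluded while closing the look-alike gap. The meta that consumes these subrules is outside this hunk.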
#FEDEX
score KAM_SHARKTANK 1.0
describe KAM_SHARKTANK Mentions Shark Tank
-rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
+rawbody __KAM_SHARKPROD /high blood pressure|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
score KAM_SHARKPROD 5.0
tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
-describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
+describe KAM_ASCII_DIVIDERS Email that uses ascii formatting dividers and possible spam tricks
score KAM_ASCII_DIVIDERS 0.8
# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
ifplugin Mail::SpamAssassin::Plugin::SPF
# We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
header __KAM_SPF_NONE eval:check_for_spf_none()
+tflags __KAM_SPF_NONE net
meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
+tflags KAM_LAZY_DOMAIN_SECURITY net
score KAM_LAZY_DOMAIN_SECURITY 1.0
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif
endif
endif
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+ header __KAM_TRUNCATE exists:X-Raptor-Truncate
+ meta DKIM_FAILED_TRUNCATE ( DKIM_INVALID && __KAM_TRUNCATE )
+ describe DKIM_FAILED_TRUNCATE DKIM invalid but message truncated by Raptor
+ score DKIM_FAILED_TRUNCATE -0.1
+ tflags DKIM_FAILED_TRUNCATE nice
+ endif
+endif
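Review bot: `header __KAM_TRUNCATE exists:X-Raptor-Truncate` treats the mere presence of an X-Raptor-* header as proof that the Raptor stage truncated the message, and the KAM_DMARC_REJECT_TRUNCATE, KAM_DMARC_QUARANTINE_TRUNCATE and KAM_DMARC_NONE_TRUNCATE rules later in this diff turn that into up to -6.0, enough to cancel KAM_DMARC_REJECT outright. That is only sound if inbound mail has any pre-existing X-Raptor-* headers stripped before the truncation step adds its own; the same assumption underlies the renamed X-Raptor-VBMacro, X-Raptor-DynamicIndicator and X-Raptor-Alter rules elsewhere in this diff, though those only add positive score. A comment recording the dependency would help the next maintainer, e.g. `# X-Raptor-Truncate is set by Raptor after inbound X-Raptor-* headers are stripped; the nice DMARC_*_TRUNCATE scores rely on that`. If the KAMOnly plugin already guarantees the stripping, a pointer to where is enough.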
+
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# FORGED EMAILS WITH A VIRUS ATTACHED
meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
describe KAM_BADPHP Questionable PHP mailer headers
# TINNITUS
-header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)/i
-header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring/i
-body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled/i
+header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)|silencil|tinnitus/i
+header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring|removes? tinnitus/i
+body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled|restores your hearing|no more buzzing/i
+tflags __KAM_TINNITUS3 nosubject
meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
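Review bot: In the rewritten __KAM_TINNITUS1 the new bare `tinnitus` alternative subsumes the original `tinnitus.?(solution|911|breakthrough|ringing)` branch, so that first branch can no longer change the outcome; `header __KAM_TINNITUS1 From =~ /silencil|tinnitus/i` is equivalent and states what the rule now does. If the intent was instead that a From: merely mentioning tinnitus should not count toward the `>= 3` meta, the bare word is the part to drop.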
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#SPAM WITH OFFICE MACROS
-header __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+header __KAM_VBMACRO X-Raptor-VBMacro =~ /True/i
meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
describe KAM_VBMACRO Message contains attachment with VB macro
score KAM_VBMACRO 6.5
#SPAM THAT INDICATES DYNAMIC IP
-header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i
+header KAM_DYNIP X-Raptor-DynamicIndicator =~ /True/i
describe KAM_DYNIP Message contains Dynamic IP Address Indicator
score KAM_DYNIP 6.5
endif
askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
describe JMQ_SPF_NEUTRAL SPF set to ?all
score JMQ_SPF_NEUTRAL 0.5
+tflags JMQ_SPF_NEUTRAL net
askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
describe JMQ_SPF_ALL SPF set to +all!
score JMQ_SPF_ALL 0.5
+tflags JMQ_SPF_ALL net
endif
# IMPORTANT MESSAGE
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
- body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i
+ body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system/i
#Bitcoin
- body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i
+ body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin/i
#Payment
- body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i
+ body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins/i
#Sexually explicit
- body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
+ body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off/i
#TIME
- body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
+ body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day/i
#Subject
- header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
+ header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(website|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
+
+ header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i
#From
header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i
- meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
+ meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + (__KAM_CRIM6 && ! __KAM_NOT_CRIM6) + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 8.5
endif
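Review bot: The new `__KAM_NOT_CRIM6` rule exists only because the single word `bomb` in __KAM_CRIM6 hits weather subjects; a negative lookahead inside the existing alternation, `bomb(?!.?cyclone)`, would remove the false positive without a second rule or the `(__KAM_CRIM6 && ! __KAM_NOT_CRIM6)` term in the meta, and it keeps the other CRIM6 alternatives counting when a subject contains both. The rewritten __KAM_CRIM1 and __KAM_CRIM5 patterns also still reference `<Y1>`, `<W1>` and `<U>`, none of which appear among the replace_tag definitions in this diff; if they are not defined elsewhere in the file, those alternatives cannot match as intended.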
meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
-score KAM_ZWNJ 7.0
+score KAM_ZWNJ 6.0
describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
score GB_FREEM_FROM_NOT_REPLY 0.4
endif
+
+ rawbody __GB_REGEX_BR /{\:REGEX\:\((<br>){1,3}\|(<br>){1,3}/
+ meta GB_REGEX_BR_SPOOF ( __GB_REGEX_BR && PDS_FROMNAME_SPOOFED_EMAIL && __ANY_TEXT_ATTACH_DOC )
+ describe GB_REGEX_BR_SPOOF Office document from spoofed email
+ score GB_REGEX_BR_SPOOF 2.0
+
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
- header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i
- describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
+ header KAM_RAPTOR_ALTERED X-Raptor-Alter =~ /True/i
+ describe KAM_RAPTOR_ALTERED Raptor identified a dangerous, possible zero day attachment risk
score KAM_RAPTOR_ALTERED 2.0
endif
score KAM_FAVOR 7.5
# WHITELIST PCCC/MCGRAIL
+if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
+welcomelist_auth *@pccc.com *@mcgrail.com
+endif
+if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
whitelist_auth *@pccc.com *@mcgrail.com
+endif
#trusted_networks 69.171.29.0/25
#trusted_networks 38.124.232.0/24
# CONTACTS / LISTS
-header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i
+#REPLACED WITH BELOW FOR SINGLE WORD HIT REMOVAL
+#header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i
+
+# Modified 3/23/2022 to try and remove FPs in this rule
+header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing) (data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|business professionals|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+/i
#title
-body __KAM_LIST3_2 /list services|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence).(consultant|specialist)|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|global leads|data dep(t|artment)/i
+body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|business development manager/i
tflags __KAM_LIST3_2 nosubject
#db for sale
-body __KAM_LIST3_3 /(information|data) (count|field)|verified email|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B list|acquiring email|contacts? list|interested in acquiring/i
+body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested in acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing/i
tflags __KAM_LIST3_3 nosubject
#db what
-body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b contact/i
+body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees/i
tflags __KAM_LIST3_4 nosubject
meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
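Review bot: The comment above the new __KAM_LIST3_1 says the rewrite removed single-word hits, yet the bare `prospects` alternative remains and matches ordinary sales or newsletter subjects on its own; it also overlaps `potential prospects` and `sales prospect`, so dropping it loses nothing for those cases. With that removed the comment could read `# Modified 3/23/2022 to remove FPs: no single-word alternatives`, which documents the rule the next edit should follow.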
#
# Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin.
+#Newer Systems with DMARC Plugin
ifplugin Mail::SpamAssassin::Plugin::Dmarc
+ #Override the default scores
+ score DMARC_MISSING 0.1
+ score DMARC_PASS -0.1
+ score DMARC_REJECT 0.1
+ score DMARC_QUAR 0.1
+ score DMARC_NONE 0.1
+
+
ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
header KAM_DMARC_REJECT eval:check_dmarc_reject()
priority KAM_DMARC_REJECT 500
+ tflags KAM_DMARC_REJECT net
+ reuse KAM_DMARC_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
- score KAM_DMARC_REJECT 3.0
+ score KAM_DMARC_REJECT 6.0
header KAM_DMARC_QUARANTINE eval:check_dmarc_quarantine()
priority KAM_DMARC_QUARANTINE 500
+ tflags KAM_DMARC_QUARANTINE net
+ reuse KAM_DMARC_QUARANTINE
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 1.5
header KAM_DMARC_NONE eval:check_dmarc_none()
priority KAM_DMARC_NONE 500
+ tflags KAM_DMARC_NONE net
+ reuse KAM_DMARC_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
+
+ ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ # Add a negative score if email hits Dmarc rules but is truncated
+ # scores must be kept in sync with Dmarc rules
+ meta KAM_DMARC_REJECT_TRUNCATE ( KAM_DMARC_REJECT && DKIM_FAILED_TRUNCATE )
+ describe KAM_DMARC_REJECT_TRUNCATE Dmarc reject on truncated email
+ priority KAM_DMARC_REJECT_TRUNCATE 500
+ score KAM_DMARC_REJECT_TRUNCATE -6.0
+ tflags KAM_DMARC_REJECT_TRUNCATE net nice
+ reuse KAM_DMARC_REJECT_TRUNCATE
+
+ meta KAM_DMARC_QUARANTINE_TRUNCATE ( KAM_DMARC_QUARANTINE && DKIM_FAILED_TRUNCATE )
+ describe KAM_DMARC_QUARANTINE_TRUNCATE Dmarc quarantine on truncated email
+ priority KAM_DMARC_QUARANTINE_TRUNCATE 500
+ score KAM_DMARC_QUARANTINE_TRUNCATE -1.5
+ tflags KAM_DMARC_QUARANTINE_TRUNCATE net nice
+ reuse KAM_DMARC_QUARANTINE_TRUNCATE
+
+ meta KAM_DMARC_NONE_TRUNCATE ( KAM_DMARC_NONE && DKIM_FAILED_TRUNCATE )
+ describe KAM_DMARC_NONE_TRUNCATE Dmarc none on trucated email
+ priority KAM_DMARC_NONE_TRUNCATE 500
+ score KAM_DMARC_NONE_TRUNCATE -0.25
+ tflags KAM_DMARC_NONE_TRUNCATE net nice
+ reuse KAM_DMARC_NONE_TRUNCATE
+ endif
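Review bot: The describe for KAM_DMARC_NONE_TRUNCATE has a typo, `trucated`; it should read `describe KAM_DMARC_NONE_TRUNCATE Dmarc none on truncated email`. The `scores must be kept in sync` comment would also be more useful if it named what it mirrors, e.g. `# scores must be kept in sync with KAM_DMARC_REJECT (6.0), KAM_DMARC_QUARANTINE (1.5) and KAM_DMARC_NONE (0.25) above`, since a change to any of those three silently breaks the cancellation these negative scores are meant to provide.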
endif
endif
endif
else
+#Older systems without the DMARC Plugin - Less accurate
ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
+ tflags __KAM_DMARC_POLICY_NONE net
askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
+ tflags __KAM_DMARC_POLICY_QUAR net
askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
+ tflags __KAM_DMARC_POLICY_REJECT net
askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
+ tflags __KAM_DMARC_POLICY_DKIM_STRICT net
#Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
- score KAM_DMARC_STATUS 0.01
+ score KAM_DMARC_STATUS 0.01
+ tflags KAM_DMARC_STATUS net
meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 3.0
+ tflags KAM_DMARC_REJECT net
meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 1.5
+ tflags KAM_DMARC_QUARANTINE net
meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
+ tflags KAM_DMARC_NONE net
endif
endif
endif
# skip psd and other files from macro checks
olemacro_skip_exts (?:dotx|potx|ppsx|pptx|psd|sldx|xltx|oxps)$
- if (version >= 3.0040005)
+ if (version >= 3.004005)
body KAM_OLEMACRO eval:check_olemacro()
describe KAM_OLEMACRO Attachment has an Office Macro
olemacro_extended_scan 1
body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
- score KAM_OLEMACRO_RENAME 0.5
+ score KAM_OLEMACRO_RENAME 2.5
meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
score GB_OLEMACRO_REN_VIR 10
+ if (version >= 3.004006)
+ if (version >= 4.000000)
+ olemacro_download_marker ((?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)|SysWow.{1,15}\s.{1,5}RETURN|RET.{1,4}URN.{1,25}\.exe)
+ endif
+ #NO good reason to add a "cmd.exe" invocation inside an Excel file.
+ body GB_OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
+ describe GB_OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
+ score GB_OLEMACRO_DOWNLOAD_EXE 10
+ endif
+
endif
body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
- score KAM_OLEMACRO_ZIP_PW 1.0
+ score KAM_OLEMACRO_ZIP_PW 2.0
body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
describe KAM_OLEMACRO_CSV Macro in csv file
if (version >= 4.000000)
if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olemacro_redirect_uri)
body OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
- describe OLEMACRO_URI_TARGET Malicious code inside the Office doc that tries to redirect to an uri
+ describe OLEMACRO_URI_TARGET Code inside the Office doc that tries to redirect to an uri
score OLEMACRO_URI_TARGET 0.001
endif
+ if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olertfobject)
+ body OLEMACRO_RTF eval:check_olertfobject()
+ describe OLEMACRO_RTF Rtf file embedded in an Office document
+ score OLEMACRO_RTF 0.01
+ endif
endif
endif
ifplugin Mail::SpamAssassin::Plugin::HashBL
# BTC address present in BTC blacklist
# thanks to Henrik Krohns for the regexp
- body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
+ body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
priority BTC_HASHBL_BLACK -100
tflags BTC_HASHBL_BLACK net
describe BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
- score BTC_HASHBL_BLACK 5.0
+ score BTC_HASHBL_BLACK 8.0
endif
endif
header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_REPLYTO net
- score PCCC_HDR_REPLYTO 3.5
+ score PCCC_HDR_REPLYTO 7.5
priority PCCC_HDR_REPLYTO -100
# compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail')
describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_FREEMAIL net
- score PCCC_HASHBL_FREEMAIL 3.5
+ score PCCC_HASHBL_FREEMAIL 4.5
priority PCCC_HASHBL_FREEMAIL -100
# Email address in X-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SEND net
- score PCCC_HASHBL_EMAIL_SEND 1.5
+ score PCCC_HASHBL_EMAIL_SEND 3.5
priority PCCC_HASHBL_EMAIL_SEND -100
# Email address in X-SRS-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5')
describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL net
- score PCCC_HASHBL_EMAIL 1.5
+ score PCCC_HASHBL_EMAIL 2.5
priority PCCC_HASHBL_EMAIL -100
# Email address in custom email headers found on PCCC HashBL
score KAM_SENDGRID2 2.0
#Political (and T-shirt Spam)
-header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing) (t|tee)( |-)?shirt|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon/i
+header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing|jesus|202\d) (tee|(t|tee)( |-)?shirt)|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon|support truckers|freedom convoy/i
header __KAM_2020_1A From:name =~ /(T|Tee).?shirt|Tee4u/i
-body __KAM_2020_2 /(Tee|T)-?shirt|printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon/i
+ #removing (Tee|T)-?shirt for FPs
+body __KAM_2020_2 /printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon|blood of jesus|support truckers|freedom convoy/i
tflags __KAM_2020_2 nosubject
uri __KAM_GOOGLE_FORM /docs\.google\.com\/form/i
-meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + __KAM_GOOGLE_FORM + FREEMAIL_FROM >= 3)
+meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + (__KAM_GOOGLE_FORM + KAM_SHORT >= 1) + FREEMAIL_FROM >= 3)
describe KAM_2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
score KAM_2020 7.0
describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
score KAM_STORAGE_GOOGLE 2.25
+uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i
+describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud
+score GB_URI_FLEEK_STO_HTM 4.25
+tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5
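Review bot: In `m,^https?://storageapi\.fleek\.co/.*\.html?,i` the extension test is not anchored to the end of the URI, so `.htm` appearing anywhere later in the path satisfies it and `.*` lets the match stretch across the whole URI. Ending the pattern with an end-or-query anchor, `uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?(?:[?#]|$),i`, restricts the hit to URIs whose path actually ends in an HTML file, which is what the describe claims; with `multiple maxhits=5` at 4.25 each, tightening this is worth doing.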
+
#Spam Du Jour
header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
body __KAM_VM4 /recorded voice|audio message|Caller.?id|CID:|mailbox \d|sign document|new vm on/i
tflags __KAM_VM4 nosubject
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-mimeheader __KAM_VM5 Content-Type =~ /.html?\"?$/i
+mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?$/i
endif
meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 3)
score KAM_VM 5.5
describe KAM_VM Voice Mail & Fax Scams
+meta KAM_VM_HTML (KAM_VM + __KAM_VM5 >= 2)
+describe KAM_VM_HTML Likely Phish for VM
+score KAM_VM_HTML 3.0
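Review bot: The rewritten __KAM_VM5 pattern `/.s?html?\.?\"?$/i` still has an unescaped leading `.`, so a MIME part whose Content-Type header is a bare `text/html` with no parameters satisfies it (the `/` matches the `.`), not only a `name="...html"` attachment, and the new KAM_VM_HTML meta now adds 3.0 on top of KAM_VM whenever that happens. Escaping the dot, `mimeheader __KAM_VM5 Content-Type =~ /\.s?html?\.?\"?$/i`, limits the hit to filename extensions as the rule is described; the trailing `\.?` looks intended to tolerate a name ending in `html.` and deserves a short comment if so. The __KAM_VM1 to __KAM_VM3 subrules that KAM_VM also sums are outside this hunk.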
+
#Admin Notice Fraud
header __KAM_ADMIN1 From =~ /admin/i
header __KAM_ADMIN2 Subject =~ /For /i
#BENEFICIARY
replace_rules __KAM_BENEFICIARY2
-header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i
+header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|\bcc\b|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i
#what
body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
tflags __KAM_BENEFICIARY2 nosubject
#bus
body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country|abandoned shipment/i
+#bus fp
+body __KAM_BENEFICIARY3A /ELECTRONIC TICKET RECeipt/i
+
#where
body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i
#how much
#sob
body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete|Diplomat from|seized all my/i
-meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
+meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6) && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)
describe KAM_BENEFICIARY Beneficiary scams
score KAM_BENEFICIARY 10.5
-meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
+meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1 && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)
describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
score KAM_BENEFICIARYLOW 6.0
body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
tflags __KAM_DIDYOUBODY nosubject
-#Nothing but sig
-#body __KAM_SIGONLY1 /^.{0,10}--\b/im
-#tflags __KAM_SIGONLY1 nosubject
-#
-#meta KAM_SIGONLY (__KAM_SIGONLY1 >= 2)
-#score KAM_SIGONLY 1.5
-#describe KAM_SIGONLY Messages is (mostly) just a signature
-#
-##SigOnly spam
-#meta KAM_SIGONLY2 (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
-#score KAM_SIGONLY2 1.5
-#describe KAM_SIGONLY2 Junk Messages using (mostly) just a signature
-
#Blank Subject
header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
describe KAM_BLANKSUBJECT Message has a blank Subject
#WEB
#subject
-header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|work)|crazy offer|cRM solution/i
+header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress/i
#price - purposefully looks at subject too
-body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design/i
+body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)/i
#product
body __KAM_WEB2_3 /web (design|develop)|(better|new|refreshed) website|website audit|fresh look/i
tflags __KAM_WEB2_3 nosubject
#sample/offer
-body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|your requirements/i
+body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements/i
tflags __KAM_WEB2_4 nosubject
meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
score KAM_CELEB 4.5
#additional Freemail domains
-freemail_domains my.com mediacombb.net tutanota.com
+freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com
#BEAL AND SIMILAR IMPERSONATOR
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+
+ replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9}))
+
+ replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3
+
#from
- header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman|janet smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne/i
+ header __KAM_BEAL1 From:name =~ /<KAM_BEAL_NAMES>/i
#in addition to freemail
header __KAM_BEAL2 From:addr =~ /\@.+\.rr\.com|\@mail\.ru|\@.*\.cz|\@cox\.net/i
#Name
- body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne/i
+ body __KAM_BEAL3 /<KAM_BEAL_NAMES>/i
+ body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+)<KAM_BEAL_NAMES>/i
# Task
- body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(reply me with|confirm|drop) your cell|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|have a moment|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|got a moment/i
+ # have a moment removed 4/4
+ body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|got a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|drop your number|(reply me with|confirm|drop) your cell|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|drop me your personal (cell|phone)|free time for you|you available today/i
# question / privacy
- body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|as soon as you can|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|personal (email|text phone|cell|number)|drop your number|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|confirm if you can get it done|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate/i
+ # as soon as you can removed 4/4
+ body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at/i
- meta KAM_BEAL (__KAM_BEAL1 + __KAM_BEAL3 >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
+# oddlang
+ body __KAM_BEAL6 /sent from my mail/i
+
+ meta KAM_BEAL (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 3) && !EXTRACTTEXT
describe KAM_BEAL IMPOSTER! Will the real Slim Shady, please stand up?
- score KAM_BEAL 14.0
- subjprefix KAM_BEAL [Imposter]
+ score KAM_BEAL 16.0
+ if can(Mail::SpamAssassin::Conf::feature_subjprefix)
+ subjprefix KAM_BEAL [Imposter]
+ endif
- meta KAM_BEAL2 (__KAM_BEAL1 + __KAM_BEAL3 >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 >= 2) && (KAM_BEAL <= 0)
+ meta KAM_BEAL2 (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 2) && (KAM_BEAL <= 0) && !EXTRACTTEXT
describe KAM_BEAL2 IMPOSTER! Will the real Slim Shady, please stand up?
- score KAM_BEAL2 10.0
- subjprefix KAM_BEAL2 [Imposter]
+ score KAM_BEAL2 12.0
+ if can(Mail::SpamAssassin::Conf::feature_subjprefix)
+ subjprefix KAM_BEAL2 [Imposter]
+ endif
+
+meta KAM_BEAL3 (__KAM_BEAL1 + __KAM_BEAL3 + FREEMAIL_FROM + KAM_RAPTOR_EXTERNAL >= 4) && ! KAM_BEAL && ! KAM_BEAL2
+describe KAM_BEAL3 Likely Imposter email
+score KAM_BEAL3 6.0
#EXTERNAL SENDER
header KAM_RAPTOR_EXTERNAL X-Raptor-External =~ /Yes/i
score KAM_FAKEMONEYGRAM 5.5
-#FAKESHAREPOINT - SEE FAKESHAREPOINT2 for Sexually explicit
+#FAKESHAREPOINT - SEE FAKE_SHAREPOINT2 for Sexually explicit
header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you/i
header __KAM_FAKE_SHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
uri __KAM_FAKE_SHAREPOINT3 /my\.sharepoint\.com/i
uri __KAM_FAKE_SHAREPOINT3A /appdomain\.cloud|discordapp\.com|netlify\.app/i
-body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap/i
+body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap|link will only work/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_SHAREPOINT5 Content-Type =~ /.html?\"?$/i
endif
-meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3)
+# meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 + KAM_SHORT >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3)
+meta KAM_FAKE_SHAREPOINT ( ( __KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + __KAM_FAKE_SHAREPOINT5 >= 2 ) && (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + __KAM_FAKE_SHAREPOINT4 + KAM_STORAGE_GOOGLE + KAM_SHORT >= 2 ) )
describe KAM_FAKE_SHAREPOINT Fake Sharepoint Phish
score KAM_FAKE_SHAREPOINT 6.0
#MORE FAKE SHAREPOINT BAD LINKS IN A SHAREPOINT MESSAGE
-meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE) >= 3) && !KAM_FAKE_SHAREPOINT
+meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + KAM_SHORT) >= 3) && !KAM_FAKE_SHAREPOINT
describe KAM_FAKE_SHAREPOINTLINK Fake Sharepoint Link Phish
score KAM_FAKE_SHAREPOINTLINK 4.5
#ENCRYPTED ZIP
-body __KAM_BADZIP1 /attached (to email|document)|take a look/i
-body __KAM_BADZIP2 /Encrypted zip/i
+body __KAM_BADZIP1 /attached (to email|document)|take a look|send this fax/i
+body __KAM_BADZIP2 /Encrypted zip|File password/i
uri __KAM_BADZIP2A /drive.google.com.*export=download/i
-body __KAM_BADZIP3 /(order|urgent|report|dialogue)/i
+body __KAM_BADZIP3 /(order|urgent|report|dialogue|reminder)/i
body __KAM_BADZIP4 /password:/i
meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
endif
#IMAGE ONLY
-meta KAM_IMAGEONLY (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
+meta KAM_IMAGEONLY ((T_PDS_OTHER_BAD_TLD + PDS_OTHER_BAD_TLD >= 1) + HTML_IMAGE_ONLY_08 >= 2)
describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image
score KAM_IMAGEONLY 0.75
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
endif
-body __KAM_FAKE_FAX2 /incoming fax|fax received/i
-header __KAM_FAKE_FAX3 Subject =~ /Fax/i
-body __KAM_FAKE_FAX4 /invoice/i
+body __KAM_FAKE_FAX2 /(new|incoming) fax|fax received/i
+header __KAM_FAKE_FAX3 Subject =~ /Fax|new (message|document)/i
+body __KAM_FAKE_FAX4 /invoice|xerox scanner|recipient view only|click below to view your fax|refer to attachment/i
+tflags __KAM_FAKE_FAX4 nosubject
+uri __KAM_FAKE_FAX5 /\/s3\.|quarantine|myqcloud/i
-meta KAM_FAKE_FAX (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
+meta KAM_FAKE_FAX ((T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX5 >= 1) + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
describe KAM_FAKE_FAX Fake Fax Scam
score KAM_FAKE_FAX 8.0
describe KAM_FAKE_TRUST Scams about trusted sources
score KAM_FAKE_TRUST 3.5
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ #SHTML ATTACHMENT ADD TO T_HTML_ATTACH! - 2022-01-14
+ mimeheader __KAM_SHTML_ATTACH Content-Type =~ /\b(application\/octet-string|text\/html)\b.+\.shtml?\b/i
+endif
+
+
#FAKE INVOICE
-header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) advice|past.?due|purchase order|EFT payment/i
-body __KAM_FAKE_INVOICE2 /(remittance|Payment) advice|past due invoice|new proforma/i
+header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) (receipt|advice)|past.?due|purchase order|(ACH|EFT) (remittance|payment)|invoice copy|swift confirmation|overdue invoice|attached receipt|payment confirmation/i
+body __KAM_FAKE_INVOICE2 /(remittance|Payment) (advice|confirmation|breakdown)|past due invoice|new pro.?forma|attached|balance paid|proforma invoice/i
tflags __KAM_FAKE_INVOICE2 nosubject
-meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
+meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + __KAM_SHTML_ATTACH + KAM_RAPTOR_ALTERED + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
describe KAM_FAKE_INVOICE Fake Invoice / Purchase Order Scam
score KAM_FAKE_INVOICE 6.4
score KAM_BAD_LINK 10.0
#BAD CITIZENS
-header __KAM_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
-body __KAM_CITIZEN2 /Important (message|Notice) From Citizens/i
-uri __KAM_CITIZEN3 /phpmailer|wp-admin|.well-known/i
-header __KAM_CITIZEN4 From:name =~ /Citizens ?Bank/i
-header __KAM_CITIZEN5 From:addr !~ /citizen/i
+header __KAM_FAKE_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
+body __KAM_FAKE_CITIZEN2 /Important (message|Notice) From Citizens/i
+uri __KAM_FAKE_CITIZEN3 /phpmailer|wp-admin|.well-known/i
+header __KAM_FAKE_CITIZEN4 From:name =~ /Citizens ?Bank/i
+header __KAM_FAKE_CITIZEN5 From:addr !~ /citizen/i
-meta KAM_CITIZEN (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
-describe KAM_CITIZEN Fake Bank Alert Scam
-score KAM_CITIZEN 7.5
+meta KAM_FAKE_CITIZEN (__KAM_FAKE_CITIZEN1 + __KAM_FAKE_CITIZEN2 + (KAM_SHORT + __KAM_FAKE_CITIZEN3 >= 1) + __KAM_FAKE_CITIZEN4 + (__KAM_FAKE_CITIZEN5 + SPF_FAIL >= 1) >= 5)
+describe KAM_FAKE_CITIZEN Fake Bank Alert Scam
+score KAM_FAKE_CITIZEN 7.5
#BAD PRODUCTS
header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger|(explosive|increase) size|ACs|Wifi Booster|anti.?snore|visceral fat|solar ?bright|mini a\/?c|portable (cooler|air.?condition)|keep cool|wife.caught|banned technique/i
score KAM_INQUIRY 7.0
#FROM NAME SPAM
-header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com/i
+header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com|professionalwhosiswho\.com/i
meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1)
describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
score KAM_FROM_NAME_FAKERBL 6.0
#FAKE NORTON
-replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON4
+replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON3 __KAM_FAKE_NORTON4
#subj
-header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice) ?(\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated/i
-header __KAM_FAKE_NORTON1A To =~ /norton/i
-header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|renew|no.?reply/i
-#Fuzz
-body __KAM_FAKE_NORTON2 /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions/mi
+header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan activated|protection alert/i
+header __KAM_FAKE_NORTON1A To =~ /norton|billing\@geeksquad/i
+header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt/i
+#Fuzzy Prod
+body __KAM_FAKE_NORTON2 /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G<E1><E1><K1>.?squad security|(symantec|mcafee|norton|geek).{0,3}total protection|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|G<E1><E1>k\s+squ<A1>d|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)/mi
#Oddlang
-body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this) subscription|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line/i
+body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|disc<O1>unt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk/i
tflags __KAM_FAKE_NORTON3 nosubject
#Order
-body __KAM_FAKE_NORTON4 /Auto(matic)?-?.?-?(debit|renew)|Updated to premium|order is p<L1>aced|0rder|renewal|successfully (placed|renewed)|annual charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services/i
+body __KAM_FAKE_NORTON4 /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is p<L1>aced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear/i
tflags __KAM_FAKE_NORTON4 nosubject
-meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 4)
-describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad Renewal Notices
+meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 4) && __KAM_FAKE_NORTON2
+describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices
score KAM_FAKE_NORTON 8.0
-meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 3) && !KAM_FAKE_NORTON
-describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad Renewal Notices (Lower Confidence)
+meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 3) && !KAM_FAKE_NORTON && __KAM_FAKE_NORTON2
+describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices (Lower Confidence)
score KAM_FAKE_NORTONLOW 6.5
-#FAKE BANK
-header __KAM_FAKE_BANK1 Subject =~ /unusual activit|security/i
-body __KAM_FAKE_BANK2 /chase online/i
-body __KAM_FAKE_BANK3 /Fraud Protection|unusual activity/i
-header __KAM_FAKE_BANK4 From:name =~ /chase online/i
-header __KAM_FAKE_BANK5 From:addr !~ /chase/i
+#FAKE CHASE BANK
+header __KAM_FAKE_CHASE1 Subject =~ /unusual activit|security/i
+body __KAM_FAKE_CHASE2 /chase online/i
+body __KAM_FAKE_CHASE3 /Fraud Protection|unusual activity/i
+header __KAM_FAKE_CHASE4 From:name =~ /chase online/i
+header __KAM_FAKE_CHASE5 From:addr !~ /chase/i
-meta KAM_FAKE_BANK (__KAM_FAKE_BANK1 + __KAM_FAKE_BANK2 + __KAM_FAKE_BANK3 + __KAM_FAKE_BANK4 + __KAM_FAKE_BANK5 >= 5)
-describe KAM_FAKE_BANK Fake Bank Notice
-score KAM_FAKE_BANK 4.5
+meta KAM_FAKE_CHASE (__KAM_FAKE_CHASE1 + __KAM_FAKE_CHASE2 + __KAM_FAKE_CHASE3 + __KAM_FAKE_CHASE4 + __KAM_FAKE_CHASE5 >= 5)
+describe KAM_FAKE_CHASE Fake Bank Notice
+score KAM_FAKE_CHASE 4.5
#FAKE CANADA POST
-body __KAM_FAKE_CAN_POST1 /package is on hold/i
-body __KAM_FAKE_CAN_POST2 /CANADAPOST/i
-body __KAM_FAKE_CAN_POST3 /require additional details/i
-body __KAM_FAKE_CAN_POST4 /redelivery/i
+replace_rules __KAM_FAKE_CAN_POST2
+
+body __KAM_FAKE_CAN_POST1 /package is (waiting|on hold)/i
+body __KAM_FAKE_CAN_POST2 /<C1><A1>n<A1>d<A1>.{0,2}<P1><O1>st/i
+body __KAM_FAKE_CAN_POST3 /require additional details|online verification/i
+body __KAM_FAKE_CAN_POST4 /redelivery|confirm the payment/i
header __KAM_FAKE_CAN_POST5 From:addr !~ /\.ca$/i
-header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post/i
+header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post|Postes.?Canada/i
+header __KAM_FAKE_CAN_POST6B From:addr =~ /shipping/i
-meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + __KAM_FAKE_CAN_POST6 >= 6)
+meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + (__KAM_FAKE_CAN_POST6 + __KAM_FAKE_CAN_POST6B >= 1) >= 6)
describe KAM_FAKE_CAN_POST Fake Canada Post Scam
score KAM_FAKE_CAN_POST 9.0
#FAKE SHAREPOINT 2 - Sexually explicit
header __KAM_FAKE_SHAREPOINT2_1 From:addr =~ /no\-reply\@sharepointonline\.com|sex|69/i
-header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y/i
-body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner/i
+header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y|see my nu(t|d)e|Video.M(a|e)ssage|bang.?meetup|private massage|confirm your e.?mail|tiktok for sex/i
+body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner|lonely mom|adults? classified|screw many girls|bang.?meetup|(chat|meet) for sex/i
tflags __KAM_FAKE_SHAREPOINT2_3 nosubject
meta KAM_FAKE_SHAREPOINT2 (__KAM_FAKE_SHAREPOINT2_1 + __KAM_FAKE_SHAREPOINT2_2 + __KAM_FAKE_SHAREPOINT2_3 >= 3)
score KAM_DRONE 7.5
#FAKE PAYPAL
-header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl/i
-header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification/i
+header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl|receipt|reciept|help.?desk/i
+header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification|0rder|\$\d\d\d\.\d\d charged|payment info|subscription|paid the invoice/i
body __KAM_FAKE_PAYPAL3 /paypal/i
tflags __KAM_FAKE_PAYPAL3 nosubject
-body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|not made this purchase|contact us immediately|trust & safety|not authorized/i
-body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited/i
-body __KAM_FAKE_PAYPAL6 /help by phone|call paypal team|paypal fraud dep/i
+body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|(haven'?t|not) made this purchase|contact us immediately|trust & safety|not authorized|file an issue|cancellation|to cancel/i
+body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited|paid instantly|credit wallet balance/i
+body __KAM_FAKE_PAYPAL6 /help by phone|call paypal ?(usa|team)|paypal fraud dep|paypal support immediately|before dispatch|paypal consumer credit/i
meta KAM_FAKE_PAYPAL (__KAM_FAKE_PAYPAL1 + __KAM_FAKE_PAYPAL2 + __KAM_FAKE_PAYPAL3 + __KAM_FAKE_PAYPAL4 + __KAM_FAKE_PAYPAL5 + FREEMAIL_FROM + __KAM_FAKE_PAYPAL6 >= 5)
describe KAM_FAKE_PAYPAL Fake PayPal Message
describe GB_G_FEEDPROXY Google Feed Proxy Abuse
score GB_G_FEEDPROXY 2.5
+#b-cdn abuse
+uri GB_PULLZONE_B_CDN /https?\:\/\/pullzone-v[0-9]\.b\-cdn\.net/
+describe GB_PULLZONE_B_CDN B-Cdn abuse
+score GB_PULLZONE_B_CDN 3.0
+
#DISCORD ABUSE
uri __KAM_DISCORDCDN1 /cdn\.discordapp\.com\/attachment/i
header __KAM_DISCORDCDN2 From:addr !~ /\@discord\.com/i
#FAKE ZIX
header __KAM_FAKE_ZIX1 From:addr !~ /zixmessagecenter.com/i
-header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message/i
-body __KAM_FAKE_ZIX3 /security system/i
-uri __KAM_FAKE_ZIX4 /dynamics\.com/i
+header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message|remittance advice/i
+body __KAM_FAKE_ZIX3 /security system|view document/i
+uri __KAM_FAKE_ZIX4 /dynamics\.com|\.html?/i
meta KAM_FAKE_ZIX ( __KAM_FAKE_ZIX1 + __KAM_FAKE_ZIX2 + __KAM_FAKE_ZIX3 + __KAM_FAKE_ZIX4 >=4)
describe KAM_FAKE_ZIX Fake Zix Email
score KAM_PEAK 7.0
#FROM PRODUCT SPAMs
-header KAM_FROM_SPAM From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats/i
+header __KAM_FROM_SPAM_NOV21 From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats|Grease.?Your.?Knee|late.?night.?peeing|Landscaping.?Ideas|hot.?new.?gadget|Tetrus.?LED.?Lighting|Weedkiller.?Injury|Compressa.?Relief|Shed.?Building.?Guide|plans?.?for.?shed|increase.?size|herpes.?cure|Human.?reproductive.?system|body.?shaper|ear.?wax.?remover|vital.?flow|curious.?finds|get.?skinny.?chocolate|Home.?Depot.?Shopper.?Feedback|modern.?woman|EU.?Business.?Register|comfy.?shoes/i
+header __KAM_FROM_SPAM_DEC21 From =~ /Heater.?Pro.?X|Neck.?Massager|Cinna.?Chroma|Sibgazinvest|Striction.?Blood|blood.?pressure.?warning|stamina.?pro|Smart.?Holder.?Pro|Smart.?phone.?Gloves|WiFi.?Ultraboost|HD.?telescope|Doctor.?Holmes\'s.?co.?op|variety.?store.?kerry|Suzi\'s.?potion|Antiseptic.?cathy|flat.?tummy.?recipe|bye.?big.?tummy|Skincell.?2|nail.?dry.?pro|muscle.?relax.?pro|easy.?slippers/i
+
+header __KAM_FROM_SPAM_JAN22 From =~ /Puppy.?Pet.?Ball|ultimate.?keto.?meal|steel.?bite.?pro|he?rpa.?greens|HAIR.?REVITAL|peak.?biome|energy.?cube.?system|perfect.?flush|make.?money.?online|Stops?.?Herpes|blood.?pressure.?911|Fat.?Burning|Personal.?power.?plant|sqribblee.?book.?creator|special.?launch.?price|ringing.?ears|fading.?memory|big.?stomach|apple.?cider.?vinegar|glucofort|do.?this.?at.?breakfast|immune.?defense|sonus.?complete.?basic|introducing.?exi.?pure|blood.?sugar.?defense|shed.?plan|obsession.?method|5g.?male|cold.?war.?generator|tinnitus.?(terminator|guard)|keto.?advantage|senior.?saving.?club|exipure|gold.?plated.?coin|trump.?coin|Prostate.?relief|acida.?burn|back.?pain|fungus.?treat|herpa.?green|neck.?massage|Silencil|\@advid|kishor.?exports|fatty.?liver|gluca.?fix|reservation.?diet|high.?blood.?pressure|energy.?bill.?crunch|muscle.?care|fast charger pro|Tv.?Share.?Max|bar.?x.?health|canad(a|ian).?drug.?store|Duramax.?Fence|vid.?toon|online.?pharmacy|viagra.?shop|circa.?knee|Shoppers.?Drug.?Mart|royal.?numerology/i
+
+header __KAM_FROM_SPAM_FEB22 From =~ /Swag.?Envy|Turn.?Text.?to.?speech|cart.?bloom|Pierre.?Omidyar|copper.?zen.?socks|Muama.?Ryoko|Mindinsole|clipper.?pro|nerve.?control|arthritis.?relief|sleep.?connection|lose.?it.?now|Pioneer.?Travels|bathroom.?remodel/i
+
+header __KAM_FROM_SPAM_FEB22_TLD From =~ /solar.?panels/i
+
+header __KAM_FROM_SPAM_MAR22 From =~ /Whos.?who|ray.?ban|simple.?home.?quotes|laundry.?masher|embarr?ass?ing.?toe|miracle.?sheets|nail.?fungus|Smartcam|tactical.?drone|owl.?vision|hulk.?heater|wifi.?repeater|gluco.?flow.?supplement|blood.?sugar.?blaster|dr\..?phil.?news|Muama.?Ryok|usmile.?pro|power.?pod|never.?snore|snore.?stop|(^|\")usmile|bye.?bye.?fat|chemist.?s.?shop|married.?women|potent.?CBD|diabetes.?gone|US.?concealed.?online|gift.?card.?chance|cardio.?clear|one.?monthly.?fee|online.?learn.?piano|coffee.?secret|shark.?tank.?keto|rots.?your.?teeth|stronger.?vision|Norton.?Lifelock|instant.?translator/i
+
+header __KAM_FROM_SPAM_APR22 From =~ /snoring.?fix|automix|circa.?knee|zoomshot.?pro|Instant.?translator|prostate.?health|stay.?dry.?202|battery.?vault|goodbye.?diabetes|bad eyes|createxdigital|\@.{0,8}advids\.|\@deszy|\@devacc\./i
+
+header __KAM_FROM_SPAM_MAY22 From =~ /butter.?on.?toast|exobone|sharp.?ear|news.?reward.?exclusive|AirBuds|earbuds|Massage.?gun|directaxis|sanlamfinance|grants.?for.?homeowner|manchester.?collection|Power.?drill.?(confirmation|surprise)|gift.?card.?shipment|fast.?keto.?diet|(energy|bill).?cruncher|fun.?drops.?cbd|easy.?warm.?floor|home.?loan.?analyst.?offer/i
+
+header __KAM_FROM_SPAM_JUN22 From =~ /Finance.?the.?big.?lie|cbd.?gumm|vet.?savings|Keto.?maxx|unbreakable.?brain|brain.?blueprint|just.?gi[zs]mo|ice.?house.?portable|portable.?ac|single.?flirt|painful.?knees|russian?.?(babe|bride)|eyesight.?max|blood.?sugar.?formula|brain.?fix|FOLIFORT|PROCompression.?special|por?table.?oxygen|Special.?Oil|Syno.?gut|blissy.?offer|WarHawk.?Binoculars|keto.?diet|match.?seniors|no.?more.?pin.?pricks|Doctors?.?shock|20.?20.?Vision|Windows.?Defender.?Order|fat.?burner/i
+
+header __KAM_FROM_SPAM_JUL22 From =~ /Horrific.?Back|fat.?reducer|smart.?watch|chill.?well|blurred.?vision|Family.?savings|Revifol\.com|Fluxactive|eye.?herb|eco.?chip|Lumbar.?Correct|Air.?Flops|Getinstahard\.com|neurodrine|air.?cooly|Bladder.?relief|Doctor.?Inflammation|Shrink.?your.?prostate|RetailMarketingPro|back.?to.?life/i
+
+header __KAM_FROM_SPAM_AUG22 From =~ /a1c.?fix|LeafProtect\.com|ServicePlus\.Home|Golden.?fx|Arcti.?FREEZE|RensaClub\.com|\@advid\-|nail.?infection|pain.?relief.?sock|leaf.?filter|toxic.?foot|nails.?fungus|cat.?spraying|big.?pharma|vision.?enhancing|battery.?recondition|injecting.?fat|mosquito.?light|black.?surge|tinnitus.?911|sugar.?balance|cardio.?clear|compression.?sock|balanced.?blood|Sqribble|ukraine.?(beauty|bride)|instahard|shop.?icehouse|vital.?flow|Discount.?is.?ready|cinch.?home.?protection|home.?protection.?plan|zander.?term|easy.?canvas.?prints|home.?warranty.?offer|toxic.?water|keto.?202\d|wifi.?booster|restore.?gummies|-advids\.|lost.?superfoods|vantis.?life|roofing.?quote|maasalong|flux.?active|hot.?russian|serious.?daters|anderson.?affiliate|instant.?translator|clipper.?pro|scientific.?nail|6.?secrets|singles.?offer|lower.?my.?bill|SplashWines\.com|leafprotect\.com|columbian.?girl|wifi.?ultraboost|\@clum-?(video|creat)|deadly.?sex|Vita.?Firm/i
+
+header __KAM_FROM_SPAM_SEP22 From =~ /Select.?Quote.?(offer|affiliate|insurance)|light.?bulb.?camera|pitney.?bowes.?presort|carshield.?quote|neckcool|zinc7|term.?life.?insurance|detox.?shower|protection.?from.?pests|Pest.?defense|Life.?Omic|pipelinersales|\.kalendar/i
+
+header __KAM_FROM_SPAM_OCT22 From =~ /Barx.?Busy.?Ball|Nationwide.?Home.?protection|Social Diger|Splash Wine|Holiday.?Wallet.?Guru|no.?more.?joint.?pain|poop.?out.?fat/i
+
+header __KAM_FROM_SPAM_NOV22 From =~ /liveto.?accelerator|tupi.?tea|lT Service Desk|free.?spins?.?Canada|eye.?bag.?cream|amylase.?benefit|bladder.?leak|\@.{0,8}saasee\.|\@saasee|japanese.?delicacy|insure.?my.?car|businesspronews|CFOtrends|COOupdate|\@whizzbridge|phototrakk/i
+
+meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 >= 1)
describe KAM_FROM_SPAM From Indicates a Product Spam
-score KAM_FROM_SPAM 4.0
+score KAM_FROM_SPAM 6.75
+
+meta KAM_FROM_SPAM_TLD ( __KAM_FROM_SPAM_FEB22_TLD + KAM_SOMETLD_ARE_BAD_TLD >= 2)
+describe KAM_FROM_SPAM_TLD From and TLD Indicates a Product Spam
+score KAM_FROM_SPAM_TLD 7.75
+
+#EVIL NUMBERS
+
+ #1.?\(?213\)?[-\. ]+?260[-\. ]+?3712
+body __KAM_EVIL_NUMBERS1 /(1.?\(?833\)?[-\. ]?900[-\. ]?0864|1.?\(?818\)?[-\. ]?275[-\. ]?7971|1.?\(?855\)?[-\. ]?357[-\. ]?8754|1.?\(?888\)?[-\. ]?683[-\. ]?2877|1.?\(?800\)?[-\. ]?363[-\. ]?9576|1.?\(?888\)?[-\. ]?501[-\. ]?3532|1.?\(?770\)?[-\. ]?406[-\. ]?6871|1.?\(?213\)?[-\. ]?260[-\. ]?3712|1.?\(?844\)?[-\. ]?984[-\. ]?0636|1.?\(?877\)?[-\. ]?483[-\. ]?0915|1.?\(?845\)?[-\. ]?393[-\. ]?0745|1.?\(?888\)?[-\. ]?505[-\. ]?1735|1.?\(?888\)?[-\. ]+?987[-\. ]+?6497|1.?\(?855\)?[-\. ]+?459[-\. ]+?2056|1.?\(?804\)?[-\. ]+?889[-\. ]+?0912|1.?\(?888\)?[-\. ]+?246[-\. ]+?8525|1.?\(?888\)?[-\. ]+?366[-\. ]+?2749|1.?\(?816\)?[-\. ]+?376[-\. ]+?8830|1.?\(?877\)?[-\. ]+?509[-\. ]+?8177|1.?\(?888\)?[-\. ]+?385[-\. ]+?8394|1.?\(?805\)?[-\. ]+?429[-\. ]+?2880|1.?\(?888\)?[-\. ]+?260[-\. ]+?7583|1.?\(?808\)?[-\. ]+?444[-\. ]+?7474|1.?\(?888\)?[-\. ]+?225[-\. ]+?0087|1.?\(?818\)?[-\. ]+?447[-\. ]+?4686|1.?\(?845\)?[-\. ]+?481[-\. ]+?2002|1.?\(?888\)?[-\. ]+?337[-\. ]+?3512|1.?\(?888\)?[-\. ]+?865[-\. ]+?0443|1.?\(?801\)?[-\. ]+?326[-\. ]+?4945|1.?\(?888\)?[-\. ]+?457[-\. ]+?7953|1.?\(?888\)?[-\. ]+?712[-\. ]+?0714|1.?\(?805\)?[-\. ]+?220[-\. ]+?9060|1.?\(?888\)?[-\. ]+?216[-\. ]+?7674|1.?\(?888\)?[-\. ]+?219[-\. ]+?8757|1.?\(?888\)?[-\. ]+?376[-\. ]+?0079|1.?\(?888\)?[-\. ]+?806[-\. ]+?2548|1.?\(?808\)?[-\. ]+?736[-\. ]+?6567|1.?\(?805\)?[-\. ]+?250[-\. ]+?1682|1.?\(?808\)?[-\. ]+?649[-\. ]+?5251|1.?\(?888\)?[-\. ]+?884[-\. ]+?3596|1.?\(?888\)?[-\. ]+?850[-\. ]+?1879|1.?\(?888\)?[-\. ]+?672[-\. ]+?7156|1.?\(?801\)?[-\. ]+?833[-\. ]+?0315|1.?\(?808\)?[-\. ]+?755[-\. ]+?6084|1.?\(?859\)?[-\. ]+?888[-\. ]+?2341|1.?\(?833\)?[-\. ]+?685[-\. ]+?4054|1.?\(?888\)?[-\. ]+?394[-\. ]+?0278|1.?\(?888\)?[-\. ]+?992[-\. ]+?1779|1.?\(?888\)?[-\. ]+?399[-\. ]+?0394|1.?\(?888\)?[-\. ]+?982[-\. ]+?7639|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?877\)?[-\. ]+?232[-\. ]+?6467|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?855\)?[-\. ]+?630[-\. ]+?3663|1.?\(?808\)?[-\. ]+?470[-\. 
]+?7449|1.?\(?888\)?[-\. ]+?803[-\. ]+?6039|1.?\(?920\)?[-\. ]+?354[-\. ]+?6236|1.?\(?888\)?[-\. ]+?803[-\. ]+?3130|1.?\(?888\)?[-\. ]+?436[-\. ]+?-0785|1.?\(?855\)?[-\. ]+?948[-\. ]+?3820|1.?\(?888\)?[-\. ]+?662[-\. ]+?7908|1.?\(?888\)?[-\. ]+?350[-\. ]+?3529|1.?\(?808\)?[-\. ]+?501[-\. ]+?0625|1.?\(?833\)?[-\. ]+?216[-\. ]+?0511|1.?\(?833\)?[-\. ]+?552[-\. ]+?7144|1.?\(?800\)?[-\. ]+?526[-\. ]+?5742|1.?\(?806\)?[-\. ]+?839[-\. ]+?6096|1.?\(?727\)?[-\. ]+?498[-\. ]+?4899|1.?\(?808\)?[-\. ]+?318[-\. ]+?2838|1.?\(?877\)?[-\. ]+?409[-\. ]+?1087)(\b|$)/i
+ #WEIRD FORMAT
+body __KAM_EVIL_NUMBERS2 /(845)-458-6\.4\.9\.1|850 3285 455|229 5154 934|585 3660 399/i
+ #WEIRD CHARS
+body __KAM_EVIL_NUMBERS3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/i
+
+meta KAM_EVIL_NUMBERS (__KAM_EVIL_NUMBERS1 + __KAM_EVIL_NUMBERS2 + __KAM_EVIL_NUMBERS3 >= 1)
+describe KAM_EVIL_NUMBERS Phone Numbers used by scammers
+score KAM_EVIL_NUMBERS 7.0
+
+#FAKE PRODUCTS USING SHAREPOINT
+body __KAM_FAKE_SHAREPOINT_PRODUCTS1 /bitdefender security cloud/i
+body __KAM_FAKE_SHAREPOINT_PRODUCTS2 /renewed/i
+
+meta KAM_FAKE_SHAREPOINT_PRODUCTS (KAM_FAKE_SHAREPOINT + __KAM_FAKE_SHAREPOINT_PRODUCTS1 + __KAM_FAKE_SHAREPOINT_PRODUCTS2 >= 3)
+describe KAM_FAKE_SHAREPOINT_PRODUCTS Spams abusing Sharepoint
+score KAM_FAKE_SHAREPOINT_PRODUCTS 3.0
+
+#ODDNAME ENGINE
+ #SIG
+body __KAM_ODDNAME_1 /(Respond|Message back|reply).{0,4}(OPT.?OUT|NOT INTERESTED)/i
+ #HAWK
+body __KAM_ODDNAME_2 /we offer|how about a quote|connect for a quote|good time in mind|number to quickly connect|best time to contact|direct line to connect/i
+ #SUBJ
+header __KAM_ODDNAME_3 Subject =~ /best line to reach|payroll|leads|call answering|quick minute|talk tomorrow|available today/i
+ #WHAT
+body __KAM_ODDNAME_4 /high.?speed internet|payroll solution|x more visit|inbound call|marketing (division|arm)|reduce its phone/i
+
+meta KAM_ODDNAME ( __KAM_ODDNAME_1 + __KAM_ODDNAME_2 + __KAM_ODDNAME_3 + __KAM_ODDNAME_4 + FREEMAIL_FROM >= 5 )
+describe KAM_ODDNAME Engine Hawking Products with Odd rotating business names
+score KAM_ODDNAME 7.5
+
+#FAKE HOLD
+ #from
+header __KAM_FAKE_HOLD1 From:name =~ /TD.?Ameritrade/i
+ #subj
+header __KAM_FAKE_HOLD2 Subject =~ /account is on hold/i
+ #prob
+body __KAM_FAKE_HOLD3 /account has been put on hold/i
+ #action
+body __KAM_FAKE_HOLD4 /verify your identity/i
+
+meta KAM_FAKE_HOLD ( __KAM_FAKE_HOLD1 + __KAM_FAKE_HOLD2 + __KAM_FAKE_HOLD3 + __KAM_FAKE_HOLD4 + KAM_SHORT >= 5)
+describe KAM_FAKE_HOLD Fake Account Hold Scams
+score KAM_FAKE_HOLD 7.5
+
+#PAYROLL SCANNER
+header __KAM_PAYROLL_SCANNER1 From =~ /account/i
+header __KAM_PAYROLL_SCANNER2 Subject =~ /payroll/i
+body __KAM_PAYROLL_SCANNER3 /e-?mail was sent from \"/i
+
+meta KAM_PAYROLL_SCANNER ( __KAM_PAYROLL_SCANNER1 + __KAM_PAYROLL_SCANNER2 + __KAM_PAYROLL_SCANNER3 + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_IFRAME >= 5)
+describe KAM_PAYROLL_SCANNER Payroll Scam Emails
+score KAM_PAYROLL_SCANNER 7.5
+
+#KAM_REFRESH
+ #LIKELY NEED MORE EFFICIENT RAPTOR TAG
+rawbody KAM_HTTP_REFRESH /http-equiv=("|')?refresh("|')?/i
+describe KAM_HTTP_REFRESH Contains an http refresh
+score KAM_HTTP_REFRESH 0.5
+
+#BAD HTML MESSAGES
+meta KAM_BAD_HTML (KAM_SHORT + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_HTTP_REFRESH + UNWANTED_LANGUAGE_BODY >= 3)
+describe KAM_BAD_HTML Email With a likely bad or dangerous html attachment
+score KAM_BAD_HTML 6.5
+
+#BAD CONTENT-TYPE
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader KAM_BAD_CONTENT Content-Type =~ /image\/png.*\.s?html?"?$/i
+ describe KAM_BAD_CONTENT Content likely using evasion techniques
+ score KAM_BAD_CONTENT 6.0
+endif
+
+#FAKE MT BANK
+header __KAM_FAKE_MT1 Subject =~ /Important Notice from M&T/i
+body __KAM_FAKE_MT2 /Important (message|Notice) From /i
+tflags __KAM_FAKE_MT2 nosubject
+#3 removed - looking at X-PHP-Originating-Script: or something similar - header __X_PHP_EXISTS ALL =~ /^X-PHP-/m
+header __KAM_FAKE_MT4 From:name =~ /M&T Bank/i
+header __KAM_FAKE_MT5 From:addr !~ /mtb\.com/i
+
+meta KAM_FAKE_MT (__KAM_FAKE_MT1 + __KAM_FAKE_MT2 + KAM_SHORT + __HAS_PHP_ORIG_SCRIPT + __KAM_FAKE_MT4 + (__KAM_FAKE_MT5 + SPF_FAIL >= 1) >= 5)
+describe KAM_FAKE_MT Fake Bank Alert Scam
+score KAM_FAKE_MT 7.5
+
+#FAKE SHARED DOCUMENT
+header __KAM_FAKE_SHARE1 Subject =~ /document shared with you/i
+body __KAM_FAKE_SHARE2 /sent you the following/i
+
+meta KAM_FAKE_SHARE ( __KAM_FAKE_SHARE1 + __KAM_FAKE_SHARE2 + KAM_GOOGLE_REDIR >= 3)
+describe KAM_FAKE_SHARE Fake sharing email scam
+score KAM_FAKE_SHARE 4.5
+
+#BTC SCAM
+header __KAM_BTC1 Subject =~ /btc|bitcoin/i
+body __KAM_BTC2 /passive income/i
+tflags __KAM_BTC2 nosubject
+
+meta KAM_BTC ( __KAM_BTC2 + __KAM_BTC2 + KAM_GOOGLE_REDIR >= 3)
+describe KAM_BTC BTC Investment Scam
+score KAM_BTC 8.5
+
+#PHOTO PHISH
+body __KAM_PHOTOPHISH1 /here are the(se)? (pics|pictures|images|photo)|(here is|forwarded|sent) (this|that) (photo|pic)|have a look|send these pics before|photos from last week/i
+body __KAM_PHOTOPHISH2 /(guess|not sure if|hope|presume) (it\'s|they\'re|they are) still (appropriate|related|needed|relevant)|still the right time for them|send them to you way sooner|just occurred to me/i
+body __KAM_PHOTOPHISH3 /remember the (m[ae]n|wom[ea]n|girls) (in|on) (the|this) (pic|image|photo)|recall the (guys|girls) on the last \d+\s+pictures|assume you know most of these (guys|girls)/i
+
+meta KAM_PHOTOPHISH (( __KAM_PHOTOPHISH1 + __KAM_PHOTOPHISH2 >= 2) + (__HAS_ANY_URI >= 1) >= 2 )
+describe KAM_PHOTOPHISH Photograph phishing scam
+score KAM_PHOTOPHISH 7.0
+
+meta KAM_PHOTOPHISHLOW __KAM_PHOTOPHISH3 + __HAS_ANY_URI >= 2
+describe KAM_PHOTOPHISHLOW Photograph phishing scam [lower confidence]
+score KAM_PHOTOPHISHLOW 5.0
+
+#DIRECT DEPOSIT
+body __KAM_DIRECTDEPOSIT1 /payroll|pay account/i
+body __KAM_DIRECTDEPOSIT2 /(update|Change) my (pay account|Direct deposit)/i
+tflags __KAM_DIRECTDEPOSIT2 nosubject
+header __KAM_DIRECTDEPOSIT3 Subject =~/direct deposit change/i
+
+meta KAM_DIRECTDEPOSIT ( __KAM_DIRECTDEPOSIT1 + __KAM_DIRECTDEPOSIT2 + __KAM_DIRECTDEPOSIT3 + ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1) >= 3)
+describe KAM_DIRECTDEPOSIT Direct Deposit Phish
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+if can(Mail::SpamAssassin::Conf::feature_subjprefix)
+ subjprefix KAM_DIRECTDEPOSIT [Phish]
+endif
+endif
+score KAM_DIRECTDEPOSIT 4.5
+
+ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
+ #MAL INVOICE
+ header __KAM_MALINVOICE1 Subject =~ /Tax Invoice/i
+ body __KAM_MALINVOICE2 /tax invoice/i
+ tflags __KAM_MALINVOICE2 nosubject
+ mimeheader __KAM_MALINVOICE3 Content-type =~ /Name=\"?Form.*\.xls\"?$/i
+
+ meta KAM_MALINVOICE ( KAM_OLEMACRO_RENAME + __KAM_MALINVOICE1 + __KAM_MALINVOICE2 + __KAM_MALINVOICE3 >= 4)
+ describe KAM_MALINVOICE Malicious Invoice with Dangerous Attachment
+ ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ if can(Mail::SpamAssassin::Conf::feature_subjprefix)
+ subjprefix KAM_MALINVOICE [Malware]
+ endif
+ endif
+ score KAM_MALINVOICE 10.0
+endif
+
+#LEAD SUPPLY
+body KAM_LEAD_SUPPLY /The Lead Supply via marketing services from The Email Bureau|The Email Bureau Limited/i
+describe KAM_LEAD_SUPPLY Spam from Lead Supply
+score KAM_LEAD_SUPPLY 10.0
+
+#FAKE LINKEDIN
+header __KAM_FAKE_LINKEDIN1 From:name =~ /Linkedin/i
+header __KAM_FAKE_LINKEDIN2 From:addr !~ /linkedin\.com$/i
+header __KAM_FAKE_LINKEDIN2A From:addr =~ /googleusercontent/i
+header __KAM_FAKE_LINKEDIN3 Subject =~ /\d+ searches this week|looking at your profile|found by people|matches this job|have \d+ new message|searching for you/i
+
+meta KAM_FAKE_LINKEDIN (__KAM_FAKE_LINKEDIN1 + __KAM_FAKE_LINKEDIN2 + __KAM_FAKE_LINKEDIN2A + __KAM_FAKE_LINKEDIN3 >= 3)
+describe KAM_FAKE_LINKEDIN Fake LinkedIn messages
+score KAM_FAKE_LINKEDIN 4.5
+
+#INVALID FROM RULE
+header __KAM_GB_INVALID_FROM_NO_DOTS From:addr !~ /\./
+header __KAM_GB_INVALID_FROM_NO_AT From:addr !~ /\@/
+
+meta KAM_GB_INVALID_FROM (__KAM_GB_INVALID_FROM_NO_DOTS + __KAM_GB_INVALID_FROM_NO_AT >= 1) && ! ( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE )
+describe KAM_GB_INVALID_FROM From Address is invalid
+score KAM_GB_INVALID_FROM 3.0
+
+#FAKE PAYROLL
+header __KAM_FAKE_PAYROLL1 Subject =~ /payroll verification/i
+ #change
+body __KAM_FAKE_PAYROLL2 /new payroll directory/i
+ #oddlang
+body __KAM_FAKE_PAYROLL3 /required directive/i
+ #oddlink
+uri __KAM_FAKE_PAYROLL4 /\.boxmode\.io/i
+
+meta KAM_FAKE_PAYROLL ( __KAM_FAKE_PAYROLL1 + __KAM_FAKE_PAYROLL2 + __KAM_FAKE_PAYROLL3 + __KAM_FAKE_PAYROLL4 >= 4)
+describe KAM_FAKE_PAYROLL Payroll Scam
+score KAM_FAKE_PAYROLL 6.0
+
+#DATING ADD THAT IS EXPLICIT
+body __KAM_DATING1 /women seeking happiness/i
+body __KAM_DATING2 /18\+ platform/i
+mimeheader __KAM_DATING3 Content-type =~ /\.(png|jpe?g)\"?$/i
+
+meta KAM_DATING ( __KAM_DATING1 + __KAM_DATING2 + __KAM_DATING3 + (FREEMAIL_FORGED_REPLYTO + FREEMAIL_FROM >= 1) >= 4)
+describe KAM_DATING Explicit Content Dating Advert
+score KAM_DATING 4.5
+
+#FAKE EFAX
+header __KAM_FAKE_EFAX1 From:addr !~ /efax.com/i
+header __KAM_FAKE_EFAX2 Subject =~ /new fax document/i
+body __KAM_FAKE_EFAX3 /efax/i
+uri __KAM_FAKE_EFAX4 /\.html?/i
+
+meta KAM_FAKE_EFAX ( __KAM_FAKE_EFAX1 + __KAM_FAKE_EFAX2 + __KAM_FAKE_EFAX3 + __KAM_FAKE_EFAX4 >=4)
+describe KAM_FAKE_EFAX Fake Zix Email
+score KAM_FAKE_EFAX 7.0
+
+#PIPEDRIVE HTML
+uri KAM_PIPEDRIVE_HTML /\.pipedrive\.email\/.*\.s?html?/i
+describe KAM_PIPEDRIVE_HTML Suspicious HTML Link in an email
+score KAM_PIPEDRIVE_HTML 4.0
+
+#GEEKSERVICES
+uri __KAM_GEEKSERVICES1 /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i
+header __KAM_GEEKSERVICES1A From:addr =~ /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i
+header __KAM_GEEKSERVICES2 Subject =~ /receipt|renewal|renewing|subscription/i
+body __KAM_GEEKSERVICES2A /bitcoin|coinbase/i
+
+meta KAM_GEEKSERVICES ( (__KAM_GEEKSERVICES1 + __KAM_GEEKSERVICES1A >= 1) + (__KAM_GEEKSERVICES2 + __KAM_GEEKSERVICES2A >= 1) >= 2)
+describe KAM_GEEKSERVICES Fake Geek Squad Services
+score KAM_GEEKSERVICES 9.0
+
+#FAKE SECURITY ALERT
+body __KAM_FAKE_SECURITY1 /Security Alert/i
+header __KAM_FAKE_SECURITY2 Subject =~ /(Failed login|Account must be updated)/i
+
+meta KAM_FAKE_SECURITY (__KAM_FAKE_SECURITY1 + __KAM_FAKE_SECURITY2 + KAM_GOOGLE_REDIR >= 3)
+describe KAM_FAKE_SECURITY Likely a fake security alert
+score KAM_FAKE_SECURITY 5.5
+
+#FAKE GEEKSQUAD
+header KAM_FAKE_GEEKSQUAD From:addr =~ /\@geek-?(squad)?\-?services\d+\.|productshipping-?hub\d+\./i
+describe KAM_FAKE_GEEKSQUAD Fake Geek Squad Notice
+score KAM_FAKE_GEEKSQUAD 7.0
+
+#FAKE GEEKSQUAD VARIANT 2
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_FAKE_GEEKSQUAD2_1 Content-Type =~ /geeksquad.*\.jpe?g/i
+ header __KAM_FAKE_GEEKSQUAD2_2 Subject =~ /antivirus receipt/i
+
+ meta KAM_FAKE_GEEKSQUAD2 ( __KAM_FAKE_GEEKSQUAD2_1 + __KAM_FAKE_GEEKSQUAD2_2 + FREEMAIL_FROM >= 3)
+ describe KAM_FAKE_GEEKSQUAD2 Fake Geek Squad Notice
+ score KAM_FAKE_GEEKSQUAD2 4.5
+endif
+
+#FAKE PAYROLL UPDATE
+ #subj
+header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll information update|account information|payroll (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D-?D (pay|information|update)/i
+ #urg
+body __KAM_FAKE_PAY_UPDATE2 /before the next payroll|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay date|Inactive in a few day|right away/i
+tflags __KAM_FAKE_PAY_UPDATE2 nosubject
+ #task
+body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) my (bank(ing)?|paycheck|paycheck account) info|new bank(ing)? info|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank/i
+tflags __KAM_FAKE_PAY_UPDATE3 nosubject
+
+#sigonly/freemail
+
+meta KAM_FAKE_PAY_UPDATE ( FREEMAIL_FROM + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4)
+describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam
+score KAM_FAKE_PAY_UPDATE 6.0
+
+#ENCRYPTED PAYLOAD
+uri __KAM_ENCRYPTED_LIVE1 /onedrive\.live\.com/i
+body __KAM_ENCRYPTED_LIVE2 /password:/i
+
+meta KAM_ENCRYPTED_LIVE ( __KAM_ENCRYPTED_LIVE1 + __KAM_ENCRYPTED_LIVE2 >= 2)
+describe KAM_ENCRYPTED_LIVE Likely malware payload
+score KAM_ENCRYPTED_LIVE 7.0
+
+#HOMEDEPOT SURVEY
+header __KAM_HOMEDEPOTE1 From:addr =~ /\@homedepote\.com/i
+
+meta KAM_HOMEDEPOTE ( __KAM_HOMEDEPOTE1 >= 1)
+describe KAM_HOMEDEPOTE Fake Home Depot Messages
+score KAM_HOMEDEPOTE 10.0
+
+#SIGNATURE ONLY VERSION 2.0
+if (version >= 4.000000)
+ if can(Mail::SpamAssassin::Plugin::BodyEval::has_plaintext_body_sig_ratio)
+ body __KAM_SIGONLY_BODY_NONE eval:plaintext_body_length('0','0')
+ body __KAM_SIGONLY_SIG_100 eval:plaintext_sig_length('100')
+ meta KAM_SIGONLY __KAM_SIGONLY_BODY_NONE && __KAM_SIGONLY_SIG_100
+ score KAM_SIGONLY 3.5
+ else
+ meta KAM_SIGONLY 0
+ endif
+endif
+
+#GAMBLING SPAM
+meta KAM_GAMBLING (KAM_MANYTO + KAM_SHORT + FORGED_GMAIL_RCVD + __FREEMAIL_DOC_PDF >= 4)
+describe KAM_GAMBLING Emails hawking gambling and similar spams
+score KAM_GAMBLING 2.0
+
+#JUNK_INVOICE
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_JUNK_INVOICE1 Content-Type =~ /invoice\.jpe?g/i
+ body __KAM_JUNK_INVOICE2 /\[image\:\s+invoice/i
+ header __KAM_JUNK_INVOICE3 Subject =~ /Invoice/i
+
+ meta KAM_JUNK_INVOICE (FREEMAIL_FROM + __KAM_JUNK_INVOICE1 + __KAM_JUNK_INVOICE2 + __KAM_JUNK_INVOICE3 >= 4)
+
+ score KAM_JUNK_INVOICE 6.0
+endif
+
+#ONMICROSOFT
+header __KAM_ONMICROSOFT1 From =~ /[-\.]onmicrosoft\.com/i
+header __KAM_ONMICROSOFT2 Reply-To =~ /[-\.]onmicrosoft\.com/i
+
+meta KAM_ONMICROSOFT (( __KAM_ONMICROSOFT1 + __KAM_ONMICROSOFT2 >= 1) && !__AUTOREPLY_ASU )
+describe KAM_ONMICROSOFT Mail from or reply-to an unprovisioned domain on Microsoft 365
+score KAM_ONMICROSOFT 4.0
+
+#FAKE INVOICE
+header __KAM_FAKE_INVOICEMS1 Subject =~ /invoice/i
+body __KAM_FAKE_INVOICEMS2 /process ACH/i
+
+meta KAM_FAKE_INVOICEMS KAM_ONMICROSOFT + ( __KAM_FAKE_INVOICEMS1 + __KAM_FAKE_INVOICEMS2 >= 2) >=2
+describe KAM_FAKE_INVOICEMS Fake Invoice Scam
+score KAM_FAKE_INVOICEMS 4.5
+
+#FAKE ACE/COSTCO/ETC
+replace_rules __KAM_FAKE_COSTCO2 __KAM_FAKE_COSTCO3
+
+ #VOUCHER/COUPON
+header __KAM_FAKE_COSTCO1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target).*(e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club/i
+ #FUZZ
+body __KAM_FAKE_COSTCO2 /C<O1>stc<O1> (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS St<O1>re|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|em<O1>ney|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from C<O1>stc<O1>|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper/i
+tflags __KAM_FAKE_COSTCO2 nosubject
+ #ODDLANG
+body __KAM_FAKE_COSTCO3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|epoint|em<O1>ney|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|[\d\.] coupon|\%Subscriber|as an important customer/i
+ #URGENT
+body __KAM_FAKE_COSTCO4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? \d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today/i
+
+meta KAM_FAKE_COSTCO ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 4)
+describe KAM_FAKE_COSTCO Fake Costco/Ace Hardware/etc. coupons
+score KAM_FAKE_COSTCO 6.0
+
+meta KAM_FAKE_COSTCO_LOW !KAM_FAKE_COSTCO && ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 3)
+describe KAM_FAKE_COSTCO_LOW Fake Costco/Ace Hardware/etc. coupons (Lower Confidence)
+score KAM_FAKE_COSTCO_LOW 4.5
+
+#FAKE ACE
+header __KAM_FAKE_ACE1 From:addr =~ /\@.*ace.*/i
+header __KAM_FAKE_ACE2 From:addr !~ /acehardware\.com/i
+
+meta KAM_FAKE_ACE ( (__KAM_FAKE_ACE1 + __KAM_FAKE_ACE2 >=2 ) + (__KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 >= 1) >= 2)
+describe KAM_FAKE_ACE Possible Ace Hardware Forgery
+score KAM_FAKE_ACE 2.0
+
+#BAD SCAN
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ body __KAM_BAD_SCAN1 /scanned from MFP|\(\d+\) scanned/i
+ header __KAM_BAD_SCAN2 Subject =~ /scan(ned)? image from MFP/i
+
+ meta KAM_BAD_SCAN ( __KAM_BAD_SCAN1 + __KAM_BAD_SCAN2 + (T_HTML_ATTACH + __KAM_VM5 >= 1) >= 3)
+ describe KAM_BAD_SCAN Likely a fake scan
+ score KAM_BAD_SCAN 6.5
+endif
+
+#TRADERBOT
+ #BOT / DEPOSIT
+header __KAM_TRADEBOT1 Subject =~ /(auto|crypto|new|unique|trader?).?bot|(minimum|initial) deposit|without invest|automatic machine/i
+ #EARN
+header __KAM_TRADEBOT2 Subject =~ /(raise|earn) from \d+ (\$+|USD|Eur|dollar|a (month|day))|earnings on crypto|\d+ (\$+|euro?|USD|dollars?) (every|per) (month|day)/i
+ #BOT BODY
+body __KAM_TRADEBOT3 /(auto|crypto|new|trader?|unique).?bot|automatic machine|pro tariff|free monthly tariff|fully automatic/i
+tflags __KAM_TRADEBOT3 nosubject
+ #TRADING BODY
+body __KAM_TRADEBOT4 /initial deposit|crytpocurrency trading|(field|world) of (trading|crypto)|make money on trading|solution for the trader|without investing|no investment|(find|news) for trader|traders can relax|lazy trader|currency trading/i
+tflags __KAM_TRADEBOT4 nosubject
+ #EARN BODY
+body __KAM_TRADEBOT5 /(make|earn) from \d+ (\$+|USD|Eur|dollar)|(earn|make) \d+ (\$+|USD|Eur|dollar)|(over|more than) [\d,]+ (dollar|USD|Eur)/i
+tflags __KAM_TRADEBOT5 nosubject
+
+ #LINK / ATTACH
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_TRADEBOT6A Content-Type =~ /(earn.?from.?\d+.?(USD|Eur|dollar)|novice.?trader|(auto|crypto|trader?).?bot).*\.pdf"?$/i
+endif
+body __KAM_TRADEBOT6B /(personal|private|your) (secure )?link|link (below )?from PDF/i
+
+meta KAM_TRADEBOT ( __KAM_TRADEBOT1 + __KAM_TRADEBOT2 + __KAM_TRADEBOT3 + __KAM_TRADEBOT4 + __KAM_TRADEBOT5 + (__KAM_TRADEBOT6A + __KAM_TRADEBOT6B >= 1) + FREEMAIL_FROM >= 6 )
+describe KAM_TRADEBOT Crypto Currency Trading Spams
+score KAM_TRADEBOT 9.0
+
+#BIDDING/ESTIMATING
+ #NAMES
+body __KAM_BIDEST1A /CSI Estimation|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC/i
+header __KAM_BIDEST1B From =~ /bidding|estimat/i
+header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|takeoffs|take-?off service|(quote|quotation) (to|for) (bid|project|take.?off)/i
+ #MORE INFO
+body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate/i
+ #TITLE
+body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|marketing manager|estimation company/i
+ #OBFU
+body __KAM_BIDEST4 /(dot)/i
+
+meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 )
+describe KAM_BIDEST Bidding and Estimating Spam
+score KAM_BIDEST 5.5
+
+#FAKE BILL
+header __KAM_FAKE_BILL1 From:name =~ /alert/i
+header __KAM_FAKE_BILL2 Subject =~ /e\-bill copy/i
+body __KAM_FAKE_BILL3 /Payment mode: Paypal pro\-credits|paypal billing team/i
+body __KAM_FAKE_BILL4 /issues with the transaction/i
+
+meta KAM_FAKE_BILL ( __KAM_FAKE_BILL1 + __KAM_FAKE_BILL2 + __KAM_FAKE_BILL3 + __KAM_FAKE_BILL4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_BILL Fake Invoice Scams
+score KAM_FAKE_BILL 6.0
+
+#FAKE PO
+body __KAM_FAKE_PO1 /status on our purchase order/i
+header __KAM_FAKE_PO2 Subject =~ /PO \d+/i
+body __KAM_FAKE_PO3 /attached/i
+
+meta KAM_FAKE_PO (__KAM_FAKE_PO1 + __KAM_FAKE_PO2 + __KAM_FAKE_PO3 + T_HTML_ATTACH >= 4)
+describe KAM_FAKE_PO Fake Purchase Orders
+score KAM_FAKE_PO 6.0
+
+#FAKE AGING REPORT
+header __KAM_FAKE_AGING1 Subject =~ /Aging Report/i
+body __KAM_FAKE_AGING2 /current aging report/i
+tflags __KAM_FAKE_AGING2 nosubject
+body __KAM_FAKE_AGING3 /treat it as urgent/i
+body __KAM_FAKE_AGING4 /email addresses in an excel/i
+
+meta KAM_FAKE_AGING ( __KAM_FAKE_AGING1 + __KAM_FAKE_AGING2 + __KAM_FAKE_AGING3 + __KAM_FAKE_AGING4 + KAM_RAPTOR_EXTERNAL >= 5)
+describe KAM_FAKE_AGING Phishes for Financial Information
+score KAM_FAKE_AGING 7.5
+
+#PAYPAL FREEMAIL
+header __KAM_PAYPAL_FREEMAIL1 From:name =~ /paypal/i
+#body __KAM_PAYPAL_FREEMAIL2 /crypto.?currency/i
+
+meta KAM_PAYPAL_FREEMAIL ( FREEMAIL_FROM + __KAM_PAYPAL_FREEMAIL1 >= 2)
+describe KAM_PAYPAL_FREEMAIL PayPal spoofs from Freemail Addresses
+score KAM_PAYPAL_FREEMAIL 4.5
+
+#FAKE DOCUSIGN
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_FAKE_DOCUSIGN1 Content-Type =~ /docusign\.png/i
+
+ meta KAM_FAKE_DOCUSIGN (__KAM_FAKE_DOCUSIGN1 + T_HTML_ATTACH >= 2)
+ describe KAM_FAKE_DOCUSIGN Fake Docusign Document
+ score KAM_FAKE_DOCUSIGN 3.0
+endif
+
+#FAKE REIMB
+header __KAM_FAKE_REIMB1 Subject =~ /assistance/i
+ #HOW
+body __KAM_FAKE_REIMB2 /mobile transfer/i
+ #MONEY
+body __KAM_FAKE_REIMB3 /\$[\d,]+/i
+ #ODDLANG & REIMBURSEMENT REQUEST
+body __KAM_FAKE_REIMB4 /reimbursement cheque/i
+ #TRANSFER
+body __KAM_FAKE_REIMB5 /details for the transfer/i
+
+meta KAM_FAKE_REIMB ( __KAM_FAKE_REIMB1 + __KAM_FAKE_REIMB2 + __KAM_FAKE_REIMB3 + __KAM_FAKE_REIMB4 + __KAM_FAKE_REIMB5 + FREEMAIL_FROM >= 6)
+describe KAM_FAKE_REIMB Fake Reimbursement Request
+score KAM_FAKE_REIMB 9.0
+
+#FAKE_AMAZON
+header __KAM_FAKE_AMAZON1 From:name =~ /\#A.?m.?a.?z.?o.?n/i
+header __KAM_FAKE_AMAZON2 Subject =~ /A\-M\-A\-Z\-O\-N|payment confirmation|amazon.?e.?billing/i
+#body __KAM_FAKE_AMAZON3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/
+body __KAM_FAKE_AMAZON3 /Receipt Id|Bill no/i
+uri __KAM_FAKE_AMAZON4 /googleusercontent\.com/i
+
+meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + __KAM_FAKE_AMAZON3 + __KAM_FAKE_AMAZON4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_AMAZON Fake Amazon Order
+score KAM_FAKE_AMAZON 7.5
+
+#FAKE_APPLE
+header __KAM_FAKE_APPLE1 From:name =~ /\#.?A.?p.?p.?l.?e|statement/i
+header __KAM_FAKE_APPLE2 Subject =~ /i\.t\.u\.n\.e|membership confirmation|invoice|billing/i
+body __KAM_FAKE_APPLE3 /a\.p\.p\.l\.e|i\.c\.l\.o\.u\.d|app store team/i
+tflags __KAM_FAKE_APPLE3 nosubject
+uri __KAM_FAKE_APPLE4 /googleusercontent\.com/i
+
+meta KAM_FAKE_APPLE ( __KAM_FAKE_APPLE1 + __KAM_FAKE_APPLE2 + __KAM_FAKE_APPLE3 + __KAM_FAKE_APPLE4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_APPLE Fake Apple Order
+score KAM_FAKE_APPLE 7.5
+
+#FREEMAIL_ORD
+header __KAM_FREEMAIL_ORDER1 Subject =~ /thank you for your order/i
+
+meta KAM_FREEMAIL_ORDER ( __KAM_FREEMAIL_ORDER1 + FREEMAIL_FROM >= 2 )
+describe KAM_FREEMAIL_ORDER Questionable message about an order but using freemail
+score KAM_FREEMAIL_ORDER 3.0
+
+#RESCORE
+score URI_DOTEDU 0.5
+score ADVANCE_FEE_3_NEW 1.5
+
+#PROBLEMATIC 2TLD PROVIDERS
+uri KAM_2TLD_PROBLEMS /(\.sa\.com|\.ru\.com|\.plesk\.page)/i
+describe KAM_2TLD_PROBLEMS Problematic 2TLD handlers being abused
+score KAM_2TLD_PROBLEMS 2.0
+
+#CALLING ASSOCIATE
+ #SUBJ
+header __KAM_CALLING_1 Subject =~ /answering solution/i
+ #NAME
+body __KAM_CALLING_2 /Itotogit/i
+ #TITLE
+body __KAM_CALLING_3 /answering associate/i
+tflags __KAM_CALLING_3 nosubject
+
+meta KAM_CALLING ( __KAM_CALLING_1 + __KAM_CALLING_2 + __KAM_CALLING_3 + FREEMAIL_FROM >= 4)
+describe KAM_CALLING Spamming Phone and Answering Solutions
+score KAM_CALLING 6.0
+
+#SA and ZA ABUSE
+
+replace_tag ABUSE_DOMAINS (?:\.(sa\.com|za\.com|co\.in))(\b|\/|$|\@)
+
+replace_rules __KAM_SA_ZA_ABUSE1 __KAM_SA_ZA_ABUSE2
+
+uri __KAM_SA_ZA_ABUSE1 /<ABUSE_DOMAINS>/i
+header __KAM_SA_ZA_ABUSE2 From:addr =~ /<ABUSE_DOMAINS>/i
+
+meta KAM_SA_ZA_ABUSE (__KAM_SA_ZA_ABUSE1 + __KAM_SA_ZA_ABUSE2 >= 1)
+describe KAM_SA_ZA_ABUSE 2TLD Providers prevalent in spam abuse
+
+score KAM_SA_ZA_ABUSE 4.5
+
+#FAKE COINBASE
+body __KAM_FAKE_COINBASE1 /C\.O\.I\.N\.B\.A\.S\.E/
+
+meta KAM_FAKE_COINBASE (__KAM_FAKE_COINBASE1 >= 1)
+describe KAM_FAKE_COINBASE Fake Coinbase Email
+score KAM_FAKE_COINBASE 3.0
+
+#FAKE COINBASE VARIANT
+header __KAM_FAKE_COINBASE2_1 Subject =~ /billing/i
+body __KAM_FAKE_COINBASE2_2 /sent a payment/i
+body __KAM_FAKE_COINBASE2_3 /BTC|paypal/i
+
+meta KAM_FAKE_COINBASE2 (__KAM_FAKE_COINBASE2_1 + __KAM_FAKE_COINBASE2_2 + __KAM_FAKE_COINBASE2_3 + FREEMAIL_FROM + __KAM_FAKE_AMAZON3 >= 5)
+describe KAM_FAKE_COINBASE2 Fake Coinbase Email
+score KAM_FAKE_COINBASE2 7.5
+
+
+#FAKE SURVEY
+header __KAM_FAKE_SURVEY1 From:addr =~ /Shopper.?Gift.?Card|survey/i
+body __KAM_FAKE_SURVEY2 /gift card (opp|promo)/i
+tflags __KAM_FAKE_SURVEY2 nosubject
+body __KAM_FAKE_SURVEY3 /\d second survey/i
+tflags __KAM_FAKE_SURVEY3 nosubject
+header __KAM_FAKE_SURVEY4 Subject =~ /gift card/i
+
+meta KAM_FAKE_SURVEY ( __KAM_FAKE_SURVEY1 + __KAM_FAKE_SURVEY2 + __KAM_FAKE_SURVEY3 + __KAM_FAKE_SURVEY4 + KAM_SA_ZA_ABUSE >= 5)
+describe KAM_FAKE_SURVEY Fake gift card surveys
+score KAM_FAKE_SURVEY 7.5
+
+#REWARDS
+header __KAM_FAKE_REWARDS1 Subject =~ /(dollar general|t-mobile|ace hardware) (gift|reward)/i
+
+meta KAM_FAKE_REWARDS ( KAM_STORAGE_GOOGLE + __KAM_FAKE_REWARDS1 >= 2)
+describe KAM_FAKE_REWARDS Fake Reward emails
+score KAM_FAKE_REWARDS 3.0
+
+#FAKE_AHS
+header __KAM_FAKE_AHS1 From =~ /AHS Warranty/i
+
+meta KAM_FAKE_AHS ( __KAM_FAKE_AHS1 + KAM_SOMETLD_ARE_BAD_TLD >= 2)
+describe KAM_FAKE_AHS Home Warranty Spam
+score KAM_FAKE_AHS 3.0
+
+#FAKE_FICO
+ #FUZZ
+body __KAM_FAKE_FICO1 /F[1l]co/i
+
+ #ODD LANG
+body __KAM_FAKE_FICO1A /complimentary\-review/i
+ #SUBJ
+header __KAM_FAKE_FICO2 Subject =~ /(cred[1il]t.?(points|score)|score heal?th|202\d score|3 bureaus|Equifax score)/i
+
+meta KAM_FAKE_FICO ((__KAM_FAKE_FICO1 + __KAM_FAKE_FICO1A >= 1) + __KAM_FAKE_FICO2 >= 2 )
+describe KAM_FAKE_FICO Credit Score Spam
+score KAM_FAKE_FICO 6.0
+
+#CAM DOMAIN ISSUES
+header __KAM_CAM_DOMAIN From:addr =~ /\.cam$/i
+
+meta KAM_CAM_DOMAIN ( KAM_SEMFRESH + __KAM_CAM_DOMAIN >= 2 )
+describe KAM_CAM_DOMAIN Abusive TLD with a new domain
+score KAM_CAM_DOMAIN 3.0
+
+#UNREAD MESSAGES
+header __KAM_UNREAD1 Subject =~ /unread message/i
+body __KAM_UNREAD2 /relationship status/i
+body __KAM_UNREAD3 /(see more of me here|photo album)/i
+
+meta KAM_UNREAD ( __KAM_UNREAD1 + __KAM_UNREAD2 + __KAM_UNREAD3 >= 3)
+describe KAM_UNREAD Singles Message Scams
+score KAM_UNREAD 4.5
+
+#NOT INTERESTED
+body KAM_NOT_INTERESTED /reply \"Not Interested\"/i
+describe KAM_NOT_INTERESTED Contains Opt-Out Language
+score KAM_NOT_INTERESTED 1.5
+
+#OCTET STREAM ISSUE - Updated 2022-11-26 thanks to Judah for the FP
+mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream.*.s?html?\.?\"?$/i
+
+meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 >= 1 )
+describe KAM_OCTET_PHISH HTML File attached with the wrong MIME Type
+score KAM_OCTET_PHISH 3.0
+
+#FAKE WALMART
+header __KAM_FAKE_WALMART1 Subject =~ /transaction code/i
+body __KAM_FAKE_WALMART2 /Your order/i
+tflags __KAM_FAKE_WALMART2 nosubject
+body __KAM_FAKE_WALMART3 /WALMART INC/i
+tflags __KAM_FAKE_WALMART3 nosubject
+
+meta KAM_FAKE_WALMART ( __KAM_FAKE_NORTON3 + FREEMAIL_FROM + __KAM_FAKE_WALMART1 + __KAM_FAKE_WALMART2 + __KAM_FAKE_WALMART3 >= 5)
+describe KAM_FAKE_WALMART Fake Walmart Scam
+score KAM_FAKE_WALMART 7.5
+
+#ANALYTICO
+header __KAM_ANALYTICO1 Subject =~ /online course|promotion/i
+body __KAM_ANALYTICO2 /Training Manager/i
+body __KAM_ANALYTICO3 /Analytico Academy/i
+
+meta KAM_ANALYTICO ( __KAM_ANALYTICO1 + __KAM_ANALYTICO2 + __KAM_ANALYTICO3 >= 3)
+describe KAM_ANALYTICO Domain Hopping Spammers
+score KAM_ANALYTICO 4.5
+
+#DESZY
+header __KAM_DESZY1 From =~ /deszy/i
+body __KAM_DESZY2 /Deszy/i
+uri __KAM_DESZY3 /search\?q=Deszy/i
+header __KAM_DESZY4 Subject =~ /content creation/i
+
+meta KAM_DESZY ( __KAM_DESZY1 + __KAM_DESZY2 + __KAM_DESZY3 + __KAM_DESZY4 >= 4)
+describe KAM_DESZY Domain Hopping Spammers
+score KAM_DESZY 6.0
+
+#HEROKU ETC APP EXPLOITS WITH FREEMAIL
+uri __KAM_APPS1 /\.herokuapp\.com|app\.connect365\.io|\.appspot\.com|salesforce\.com\/servlet/i
+header __KAM_APPS2A Subject =~ /onedrive/i
+header __KAM_APPS2B From:name =~ /onedrive/i
+header __KAM_APPS3 From:addr =~ /\.awsapps.com>?$/i
+
+meta KAM_APPS ( FREEMAIL_FROM + __KAM_APPS1 >= 2 )
+describe KAM_APPS Apps being exploited by Spammers
+score KAM_APPS 4.0
+
+meta KAM_APPS2 (__KAM_APPS1 + (__KAM_APPS2A + __KAM_APPS2B >= 1) >= 2)
+describe KAM_APPS2 Fake OneDrive Notification
+score KAM_APPS2 4.0
+
+meta KAM_APPS3 (__KAM_APPS3)
+describe KAM_APPS3 AWS Apps Emailing Directly
+score KAM_APPS3 9.0
+
+#PHONE
+body __KAM_PHONE1 /reduce your company phone expense/i
+body __KAM_PHONE2 /changes? that takes? less than \d+ min/i
+
+meta KAM_PHONE ( __KAM_PHONE1 + __KAM_PHONE2 + FREEMAIL_FROM >= 3 )
+describe KAM_PHONE Phone Service Spam
+score KAM_PHONE 4.5
+
+#PASSWORD EXPIRATIOn
+ #URG
+body __KAM_PASSEXP1 /expires today|about to expire/i
+ #ACTION
+body __KAM_PASSEXP2 /(continue with|Keep my) same password/i
+ #URI
+uri __KAM_PASSEXP3 /s3\.amazonaws\.com\/.{1,10}\.html/i
+
+meta KAM_PASSEXP ( __KAM_PASSEXP1 + __KAM_PASSEXP2 + ( KAM_IPFS + __KAM_PASSEXP3 >= 1 ) >= 3 )
+describe KAM_PASSEXP Credential Scam
+score KAM_PASSEXP 4.5
+
+#IPFS
+uri KAM_IPFS /(\.|\b|\/)ipfs\.io\//i
+describe KAM_IPFS Abused Protocol for Distributed Content
+score KAM_IPFS 3.0
+
+#PHONESYSTEM
+ #DEAL
+body __KAM_PHONESYS1 /(reduced|lower your) rate|\d+% lower|lower (your|its) telecom/i
+ #TITLE
+body __KAM_PHONESYS2 /Business Dev|tech associate|tele.?specialist|growth dev/i
+ #PHONE
+body __KAM_PHONESYS3 /Top-regarded carriers|(T1|Cloud) (lines|phone)|cloud.?based phone|voip service/i
+ #MEETING REQ/OPT
+body __KAM_PHONESYS4 /(worth|Have) \d+ minute|reply with rule.?out|open to this/i
+ #INFO REQ
+body __KAM_PHONESYS5 /best number to quickly get in touch|quick number to reach you|may i send some info|best direct line to reach/i
+
+meta KAM_PHONESYS ( __KAM_PHONESYS1 + __KAM_PHONESYS2 + __KAM_PHONESYS3 + __KAM_PHONESYS4 + __KAM_PHONESYS5 + FREEMAIL_FROM >= 6 )
+describe KAM_PHONESYS New Phone System Spam
+score KAM_PHONESYS 9.0
+
+#CONTRACT HTML
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_CONTRACT2_1 Content-Type =~ /(statement\d+|contract\#?\d+|final.?hud.?\d+|Kyc\d+|check)\.htm/i
+
+ meta KAM_CONTRACT2 ( __KAM_CONTRACT2_1 >= 1)
+ describe KAM_CONTRACT2 Suspect HTML file
+ score KAM_CONTRACT2 7.0
+endif
+
+#FAKE ALLSCRIPTS
+header __KAM_ALLSCRIPTS1 From:addr !~ /\@allscripts.com/i
+header __KAM_ALLSCRIPTS2 From:name =~ /allscripts/i
+header __KAM_ALLSCRIPTS3 Subject =~ /invoice|receipt/i
+body __KAM_ALLSCRIPTS4 /membership|recurring monthly/i
+
+meta KAM_ALLSCRIPTS ( __KAM_ALLSCRIPTS1 + __KAM_ALLSCRIPTS2 + __KAM_ALLSCRIPTS3 + __KAM_ALLSCRIPTS4 >= 4 )
+describe KAM_ALLSCRIPTS Fake Invoice Scam
+score KAM_ALLSCRIPTS 6.0
+
+#EXPLOIT SCAM
+body __KAM_EXPLOIT1 /wallet:/i
+body __KAM_EXPLOIT2 /you have three days/i
+body __KAM_EXPLOIT3 /countdown will begin/i
+body __KAM_EXPLOIT4 /\$\d00/i
+
+meta KAM_EXPLOIT (__KAM_EXPLOIT1 + __KAM_EXPLOIT2 + __KAM_EXPLOIT3 + __KAM_EXPLOIT4 + KAM_SENDGRID >= 5)
+describe KAM_EXPLOIT Exploitation Scam
+score KAM_EXPLOIT 7.5
-#
#EOF