From 1b8feee9a65502e4c0655f8a40173827efdf499a Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov
Date: Fri, 13 Dec 2019 11:21:41 +0100
Subject: [PATCH] update KAM.cf

Signed-off-by: Stoiko Ivanov
---
 KAM.cf | 220 ++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 157 insertions(+), 63 deletions(-)

diff --git a/KAM.cf b/KAM.cf
index b028eb9..21201c2 100644
--- a/KAM.cf
+++ b/KAM.cf
@@ -863,14 +863,27 @@ score KAM_TELEWORK 3.0
 #Changed to meta 2017-10-17
 #2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
-header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|bid|press|top|date)$/i
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|bid|press|top|date)($|\/)/i
+#2019-11-24 - Removed .bid for FPs
+header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date)$/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date)($|\/)/i
 meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
-describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid & .date TLD Abuse
+describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press & .date TLD Abuse
 score KAM_SOMETLD_ARE_BAD_TLD 5.0
-
+#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
+#ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+# enlist_addrlist (BADTLDS) *@*.pw
+# enlist_addrlist (BADTLDS) *@*.stream
+# enlist_addrlist (BADTLDS) *@*.trade
+# enlist_addrlist (BADTLDS) *@*.bid
+# enlist_addrlist (BADTLDS) *@*.press
+# enlist_addrlist (BADTLDS) *@*.top
+# enlist_addrlist (BADTLDS) *@*.date
+#
+# header __KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS')
+# body __KAM_SOMETLD_ARE_BAD_TLD_URI eval:check_uri_host_listed('BADTLDS')
+#endif
 #CHANGED TO KAMOnly
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
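Review bot: The commented-out WLBLEval block added below `score KAM_SOMETLD_ARE_BAD_TLD 5.0` still lists `# enlist_addrlist (BADTLDS) *@*.bid`, while the active `__KAM_SOMETLD_ARE_BAD_TLD_FROM` and `_URI` regexes in the same hunk drop `bid` because of false positives. Whoever later enables that block will reintroduce the .bid FPs the hunk just removed. Drop that one line, or extend the note to `#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body (.bid left in here only for the experiment; it is excluded from the live rule above)`. The `describe` text was updated consistently with the regex change.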
@@ -1645,6 +1658,7 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
 util_rb_2tld doesphotography.com
 util_rb_2tld isteaching.com
 util_rb_2tld googleapis.com
+ util_rb_2tld a2hosted.com
 endif
 # allow URI rules to look at DKIM headers if they exist and our SA version supports it
@@ -2612,9 +2626,9 @@ score KAM_SELLPHONE 4.5
 describe KAM_SELLPHONE Used Equipment Spam
 #STORAGE LIMIT
-body __KAM_MAILBOX1 /mailbox has exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low/i
-body __KAM_MAILBOX2 /validate your (account|mailbox|email)|(increase|upgrade) (my|your?) (inbox |email )?quota|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account/i
-header __KAM_MAILBOX3 Subject =~ /(mail|exceeded) quota|Inbox almost full|important notice|needs to be upgraded|incoming mails|delivery failure|storage is full/i
+body __KAM_MAILBOX1 /mailbox has exceeded|(storage|email).(limit|quota|size)|quota is full|have been rejected|new version|pending messages|quota is low|annual upgrade|important message|messages pending|messages placed on hold|upgrade to our service|recent attack|deactivating all mailbox|close down.{0,10}account/i
+body __KAM_MAILBOX2 /(verify|validate) your (account|mailbox|email)|(increase|upgrade) (my|your?) (inbox |email )?quota|create some additional storage|upgrade your mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted automatically|release .{0,40}message|account to be close|termination of your account/i
+header __KAM_MAILBOX3 Subject =~ /(mail|exceeded) quota|Inbox almost full|(urgent|important) noti|needs to be upgraded|incoming mails|delivery failure|storage (is )?full|inbox full|upgrade email|delayed email|release your message|pending (new )?message|365 .{0,10} Update|new privacy policy|mandatory up|account upgrade/i
 meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >= 3)
 score KAM_MAILBOX 6.0
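Review bot: The widened `__KAM_MAILBOX1` and `__KAM_MAILBOX3` patterns add phrases that appear in ordinary mail — `important message`, `recent attack`, `(urgent|important) noti`, `new privacy policy`, `mandatory up` — while `meta KAM_MAILBOX` keeps `>= 3` at score 6.0, so one generic hit from each of the three subrules is now enough to classify a message as spam on its own. Without a ham-corpus result in the commit it is not possible to tell whether 6.0 still holds; trimming the most generic alternatives or noting the corpus check in a comment would make the change reviewable. The carried-over `(storage|email).(limit|quota|size)` uses an unescaped `.`, which matches any character; if a separator was meant, `(storage|email)[\s-](limit|quota|size)` is the narrower form. The `util_rb_2tld a2hosted.com` addition in the first hunk is fine.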
@@ -4603,14 +4617,18 @@ meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >
 describe KAM_ADVERTISE Spam that wants you to advertise for them
 score KAM_ADVERTISE 4.5
-# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS
+# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
 if (version >= 3.003002)
- # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
- header __KAM_SPF_NONE eval:check_for_spf_none()
+ ifplugin Mail::SpamAssassin::Plugin::DKIM
+ ifplugin Mail::SpamAssassin::Plugin::SPF
+ # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
+ header __KAM_SPF_NONE eval:check_for_spf_none()
- meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
- score KAM_LAZY_DOMAIN_SECURITY 1.0
- describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
+ meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
+ score KAM_LAZY_DOMAIN_SECURITY 1.0
+ describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
+ endif
+ endif
 endif
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
@@ -5040,7 +5058,9 @@ score KAM_CAD 3.5
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
 #SPAM WITH OFFICE MACROS
- header KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+ header __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
+
+ meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
 describe KAM_VBMACRO Message contains attachment with VB macro
 score KAM_VBMACRO 6.5
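Review bot: `meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)` depends on `KAM_OLEMACRO`, which this patch defines only inside `ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro` (later hunk), whereas this meta lives under `ifplugin Mail::SpamAssassin::Plugin::KAMOnly`. On a site that loads KAMOnly but not OLEVBMacro the meta has an undefined dependency — lint reports it and, as far as I know, the missing term evaluates as 0 — so the rule still fires and the intended "not already caught by OLEMACRO" exclusion silently never applies. Either nest the meta in an OLEVBMacro `ifplugin` block with a fallback definition outside it, or at least document it: `# KAM_OLEMACRO is defined under Plugin::OLEVBMacro; without that plugin the !KAM_OLEMACRO term is always true`. The new DKIM/SPF `ifplugin` wrapping in the KAM_LAZY_DOMAIN_SECURITY hunk is the right shape and avoids exactly this problem for `__DKIM_EXISTS`.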
@@ -5619,15 +5639,15 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7 - body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect/i + body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|browser history|trojan virus|automatically infect|inject some code/i #Different encodings - body __KAM_CRIM2 /(bitn|BTC|DSH|cryptocurrency)/i - body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address/i + body __KAM_CRIM2 /(bit-?n|BTC|DSH|cryptocurrency)/i + body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|euros in bitcoin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? 
address|Address part/i body __KAM_CRIM4 /erotica|

orn|promising evidence|video|asturbat|playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion/i - body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days? to (perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours only to send the fund|address immediately|tr\@nsfer the amount/i + body __KAM_CRIM5 /(twenty.?four|24).?hours|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? to (send|perform|make|transfer) the (payment|dash)|short-term support|48h plz|deadline|hours only to send the fund|address immediately|tr\@nsfer the amount/i - header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you/i + header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|porn/i header __KAM_CRIM7 From =~ /hckr|know/i 
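Review bot: The rewritten `__KAM_CRIM1` line still carries `(videotape|evidence|evidence)`, a duplicated alternative; `(videotape|evidence)` is equivalent and shorter. The bare `porn` added to the `__KAM_CRIM6` Subject match is the broadest term in that list and will hit as a substring, so its contribution should stay gated by the `KAM_CRIM` meta threshold, which together with the enclosing `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags` block sits outside this hunk. As rendered here the `__KAM_CRIM4` context line appears split mid-regex (`/erotica|` … `orn|…`); worth confirming the committed file has that line intact.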
@@ -5754,10 +5774,10 @@ describe KAM_FILE Potential attempt for NTLM attack
 score KAM_FILE 4.5
 #FUN SPAM RUN
-header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best>?$/i
+header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store>?$/i
 body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters/i
 body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|can't see this image/i
-header __KAM_FUN4 Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty/i
+header __KAM_FUN4 Subject =~ /Gutters|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet/i
 meta KAM_FUN (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
 describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
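Review bot: In the new `__KAM_FUN1` the `>?$` anchor binds only to the last alternative, so `\.fun`, `\.icu`, `\.pro`, `\.stream`, `\.world`, `\.monster` and now also `\.best` match anywhere in the From header (a display name or local part containing `.pro` or `.best` is enough), and this change quietly moves `.best` from the anchored position to the unanchored ones. Group the TLDs the way `__KAM_SOMETLD_ARE_BAD_TLD_FROM` does earlier in this patch: `header __KAM_FUN1 From =~ /\.(fun|icu|pro|stream|world|monster|best|store)>?$/i`. The `reflexology|accufeet` additions to `__KAM_FUN4` are fine; note that the existing `rate|tax|pain|gold|hair` alternatives are unanchored substrings and rely on the `>=3` meta.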
@@ -5859,19 +5879,23 @@ score KAM_FAVOR 7.5 #trusted_networks 38.124.232.0/24 # CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release -header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer/i -body __KAM_LIST3_2 /list services|email campaign|global marketing|(sales|event) manager|marketing (campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead) specialist|Business Co-?ordinator|marketing and comm|inside sales/i -body __KAM_LIST3_3 /data fields|verified email|complete (contact|details)|with email address|target geography|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (Contains?|includes?)\:|visitors and price|pricing, counts|information about the list/i -body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing campaigns|complete list/i +header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign/i + +#title +body __KAM_LIST3_2 /list services|email campaign|global marketing|(sales|event) manager|marketing (campaign|manager|exec|project)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|qualified leads|(marketing|lead|attendees?) 
specialist|Business Co-?ordinator|marketing and comm|inside sales|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|pre-?sales|attendees list/i +#db for sale +body __KAM_LIST3_3 /(information|data) fields|verified email|complete (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|selling list|pricing and further|buy a dataset|counts, pricing|procure the list/i +#db what +body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|database organization|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|job title|unique account|available titles\:|business profiles|database of/i meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4) describe KAM_LIST3 Mailing List Purveyor Spam -score KAM_LIST3 8.0 +score KAM_LIST3 9.0 #NO SUBJ MATCH meta KAM_LIST3_1 (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3) describe KAM_LIST3_1 Likely Mailing List Purveyor Spam -score KAM_LIST3_1 4.0 +score KAM_LIST3_1 7.5 #MONCLER header __KAM_MONCLER1 Subject =~ /moncler/i @@ -5881,6 +5905,7 @@ meta KAM_MONCLER (__KAM_MONCLER1 + __KAM_MONCLER2 + KAM_SOMETLD_ARE_BAD_TLD >= describe KAM_MONCLER Fashionista Spammers score KAM_MONCLER 6.0 +#ERP header __KAM_ERP1 Subject =~ /ERP/ body __KAM_ERP2 /K9ERP/i 
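Review bot: `score KAM_LIST3_1 7.5` now exceeds the default 5.0 required score, so three of the four subrules alone mark a message as spam, at the same time as `__KAM_LIST3_1` gains the unanchored, case-insensitive `list|outreach|customers|campaign` (hitting `listing`, `playlist`, any vendor newsletter). Bound the new Subject terms, e.g. `\blist\b|outreach|\bcustomers\b|\bcampaign\b`, or keep the previous 4.0 until a ham-corpus check backs the jump; the commit gives no such evidence. The new section labels `#title`, `#db for sale` and `#db what` are too terse to tell a reader which subrule does what — `#Subject terms`, `#Body: database/list for sale phrases`, `#Body: what the list contains` would do. `100\%` in `__KAM_LIST3_3` is an unneeded escape but harmless.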
@@ -5888,57 +5913,72 @@ meta KAM_ERP (__KAM_ERP1 + __KAM_ERP2 >=2) describe KAM_ERP ERP Spammers score KAM_ERP 4.0 -#DMARC POLICY RULES +#DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing! +# +#https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ +# +#"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment." +# +# We expect edge cases with DKIM where a parent (gateway) domain signing for a subdomain author (e.g., parent.gov signing for sub.parent.gov). This is a common and a sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU. The SPF || DKIM logic below will allow this scenario. +# +# Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin. 
+ + ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF - askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/ - askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/ - askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/ + askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/ + askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/ + askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/ + askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/ - meta DMARC_REJECT (DKIM_INVALID || SPF_FAIL) && __DMARC_POLICY_REJECT - describe DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy + #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass + meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT)) + describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment + score KAM_DMARC_STATUS 0.01 + + meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT + describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy + score KAM_DMARC_REJECT 3.0 - meta DMARC_QUAR (DKIM_INVALID || SPF_FAIL) && __DMARC_POLICY_QUAR - describe DMARC_QUAR DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy + meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR + describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy + score KAM_DMARC_QUARANTINE 1.5 - meta DMARC_NONE (DKIM_INVALID || SPF_FAIL) && __DMARC_POLICY_NONE - describe 
DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy - - score DMARC_REJECT 10.0 - score DMARC_QUAR 1.5 - score DMARC_NONE 0.25 + meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE + describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy + score KAM_DMARC_NONE 0.25 endif endif endif #OLE/VB MACROs ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro - body OLEMACRO eval:check_olemacro() - describe OLEMACRO Attachment has an Office Macro - score OLEMACRO 3.0 + body KAM_OLEMACRO eval:check_olemacro() + describe KAM_OLEMACRO Attachment has an Office Macro + score KAM_OLEMACRO 6.5 - body OLEMACRO_MALICE eval:check_olemacro_malice() - describe OLEMACRO_MALICE Potentially malicious Office Macro - score OLEMACRO_MALICE 10.0 + body KAM_OLEMACRO_MALICE eval:check_olemacro_malice() + describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro + score KAM_OLEMACRO_MALICE 10.0 - body OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted() - describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted - score OLEMACRO_ENCRYPTED 2.0 + body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted() + describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted + score KAM_OLEMACRO_ENCRYPTED 2.0 #This may cause more CPU usage olemacro_extended_scan 1 - body OLEMACRO_RENAME eval:check_olemacro_renamed() - describe OLEMACRO_RENAME Has an Office doc that has been renamed - score OLEMACRO_RENAME 0.1 + body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed() + describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed + score KAM_OLEMACRO_RENAME 0.1 - body OLEMACRO_ZIP_PW eval:check_olemacro_zip_password() - describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip - score OLEMACRO_ZIP_PW 1.0 + body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password() + describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip + 
score KAM_OLEMACRO_ZIP_PW 1.0 - body OLEMACRO_CSV eval:check_olemacro_csv() - describe OLEMACRO_CSV Macro in csv file - score OLEMACRO_CSV 4.0 + body KAM_OLEMACRO_CSV eval:check_olemacro_csv() + describe KAM_OLEMACRO_CSV Macro in csv file + score KAM_OLEMACRO_CSV 4.0 endif #Testing Rule for Subject Prefixes - See note 58397 @@ -5978,6 +6018,12 @@ if (version >= 3.004003) score PCCC_HDR_MARKETINGBL 0.001 priority PCCC_HDR_MARKETINGBL -100 + header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To') + describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL) + tflags PCCC_HDR_REPLYTO net + score PCCC_HDR_REPLYTO 3.5 + priority PCCC_HDR_REPLYTO -100 + # compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender) header PCCC_SENDER_COMPROMISED eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender') describe PCCC_SENDER_COMPROMISED Sender address associated with compromised uris (https://raptor.pccc.com/RBL) @@ -6006,7 +6052,7 @@ if (version >= 3.004003) tflags PCCC_HASHBL_FREEMAIL net score PCCC_HASHBL_FREEMAIL 3.5 priority PCCC_HASHBL_FREEMAIL -100 - + # Email address in X-Sender header found on PCCC HashBL header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all') describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL) @@ -8631,7 +8677,7 @@ endif #END of TEST OF HASHBL ADDITIONS #LABEL -header __KAM_LABEL1 Subject =~/(Checking in|this week)/i +header __KAM_LABEL1 Subject =~/(Checking in|(this|next) week)/i body __KAM_LABEL2 /meet at your office/i body __KAM_LABEL3 /make custom (shirts|sports|jackets|suits)/i body __KAM_LABEL4 /(suits start at \$|shirts at \$)/i 
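Review bot: `meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT` (and the QUARANTINE/NONE twins) lets `SPF_PASS` satisfy DMARC, but SpamAssassin's `SPF_PASS` is evaluated against the envelope MAIL FROM and carries no alignment check with the From: domain, whereas the DKIM side correctly uses `DKIM_VALID_AU`; a message that passes SPF for an unrelated bounce domain under a `p=reject` author domain escapes all three rules even though the header comment quotes RFC 7489 requiring SPF alignment. At minimum say so next to the metas: `# SPF_PASS is not alignment-checked; an SPF pass on an unaligned MAIL FROM is accepted here`. The new `askdns __KAM_DMARC_POLICY_DKIM_STRICT ... /^v=DMARC1;.*\badkim=s;/` (like the pre-existing `p=` lookups) requires a literal `;` directly after the value, while RFC 7489 allows whitespace around `;` and no separator after the last tag, so a record ending in `adkim=s` never matches; `/^v=DMARC1\s*;.*\badkim=s\s*(;|$)/` is closer. `describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment` mentions SPF although the meta only tests `DKIM_VALID_AU`/`DKIM_VALID`. The OLEMACRO → KAM_OLEMACRO renames in the same hunk are internally consistent.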
@@ -8644,10 +8690,11 @@ score KAM_LABEL 9.0
 #RBLOBFU
 body __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
+body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
-meta KAM_RBL_OBFU (__KAM_RBL_OBFU1 + __FREEMAIL_FROM)
+meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
 describe KAM_RBL_OBFU Spammers obfuscating their domain and abusing freemail
-score KAM_RBL_OBFU 7.0
+score KAM_RBL_OBFU 12.0
 #Shady CC's
 body __KAM_SHADYCC1 /(transactions?|purchases?) from your (online store|web-?shop)/i
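Review bot: The new `meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)` is not inside an `ifplugin Mail::SpamAssassin::Plugin::FreeMail` guard, yet `FREEMAIL_FROM` comes from that plugin's rules; without it the dependency is undefined, so the rule can never reach 2 and lint complains. Wrap the three lines in `ifplugin Mail::SpamAssassin::Plugin::FreeMail` … `endif`. Note also that the old `(__KAM_RBL_OBFU1 + __FREEMAIL_FROM)` had no comparison and so fired on the obfuscated domain alone, whereas the new `>= 2` requires both signals — a real tightening that, together with the 7.0 → 12.0 jump, deserves a one-line comment such as `# both an obfuscated domain and a freemail From are required`.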
@@ -8667,4 +8714,51 @@ meta KAM_EXPOPIRATE (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2
 describe KAM_EXPOPIRATE Scam Pirates trying to Hijack Event Hotel Bookings
 score KAM_EXPOPIRATE 4.5
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ #Domain Expiry Scams
+ header __KAM_DOMAINEXPIRY1 Subject =~ /Domain.*Expiration/i
+ body __KAM_DOMAINEXPIRY2 /Attached letter/i
+
+ meta KAM_DOMAINEXPIRY (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
+ describe KAM_DOMAINEXPIRY Domain Expiration Scams
+ score KAM_DOMAINEXPIRY 4.5
+
+ #Payment Scams
+ header __KAM_PAYMENTSCAM1 Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
+ body __KAM_PAYMENTSCAM2 /attached (payment|herewith)|ready for release/i
+ mimeheader __KAM_PAYMENTSCAM3 Content-Type =~ /\.doc/i
+ full __KAM_PAYMENTSCAM4 /\{\\rtf/
+
+ meta KAM_PAYMENTSCAM (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
+ describe KAM_PAYMENTSCAM Payment Scams with Malware Payloads
+ score KAM_PAYMENTSCAM 6.5
+
+ meta KAM_PAYMENTSCAM2 (DEAR_BENEFICIARY + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
+ describe KAM_PAYMENTSCAM2 Payment scams
+ score KAM_PAYMENTSCAM2 4.5
+
+
+ #Password Scams
+ body __KAM_PASSWORDSCAM1 /pass word/i
+
+ meta KAM_PASSWORDSCAM (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
+ describe KAM_PASSWORDSCAM Password extortion spams
+ score KAM_PASSWORDSCAM 6.0
+endif
+
+#Training Scams
+header __KAM_TRAINING1 Subject =~ /mandatory.*training/i
+body __KAM_TRAINING2 /intranet|training calendar/i
+body __KAM_TRAINING3 /Human Resources/i
+
+meta KAM_TRAINING (__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
+describe KAM_TRAINING Training Phishing
+score KAM_TRAINING 4.5
+
+#Trump Medicare
+header __KAM_MEDICARE1 Subject =~ /Trump Medicare/i
+
+meta KAM_MEDICARE __KAM_MEDICARE1 >= 1
+describe KAM_MEDICARE Medicare Scams
+score KAM_MEDICARE 2.0
 # EOF
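Review bot: Only `mimeheader __KAM_PAYMENTSCAM3` needs `Mail::SpamAssassin::Plugin::MIMEHeader`, yet the whole Domain Expiry, Payment Scam and Password Scam set is placed inside that `ifplugin`, so KAM_DOMAINEXPIRY and KAM_PASSWORDSCAM silently vanish on an install without the plugin; move those two groups outside the guard, or guard only the `mimeheader` line with a fallback `__KAM_PAYMENTSCAM3` definition. `full __KAM_PAYMENTSCAM4 /\{\\rtf/` runs on the raw message, so a base64-encoded RTF attachment does not expose `{\rtf` to it — presumably the target is 7bit/uuencoded bodies, and a comment should say so. `KAM_TRAINING` (Subject `mandatory.*training`, body `intranet|training calendar` plus `Human Resources`) describes a legitimate internal HR notice as readily as a phish, so shipping it at 4.5 needs a ham check against corporate mail, or an additional subrule that captures the phishing element. `__KAM_TRAINING2+ __KAM_TRAINING3` breaks the file's `A + B` spacing. `__KAM_ZERODAY1`, used by KAM_DOMAINEXPIRY and KAM_PAYMENTSCAM, is defined outside this hunk.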