update KAM.cf

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2019-06-04 18:13:17 +02:00
parent 4e63c279a1
commit 5c391e88fb

215
KAM.cf

@ -1,6 +1,6 @@
#KAM.cf - SpamAssassin Rules
#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmnn,
#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
# & Bill Cole
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
@ -55,7 +55,7 @@
#https://raptor.pccc.com/free_spam_consultation.cgim
#
#Copyright (c) 2018 Kevin A. McGrail and the McGrail Foundation
#Copyright (c) 2019 Kevin A. McGrail and the McGrail Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -91,7 +91,7 @@ body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activ
body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form).htm/i
mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
endif
meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
@ -1440,8 +1440,11 @@ body __KAM_PHISH2_7 /extra security check|security.tip/i
describe KAM_PHISH2 Prevalent Phishing Scam emails
score KAM_PHISH2 2.0
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
else
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
endif
#CRAZY HEX EMPTY MESSAGE
body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
@ -2602,7 +2605,7 @@ score KAM_SHORT 0.001
describe KAM_SHORT Use of a URL Shortener for very short URL
#URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
uri __KAM_SHORT /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly)\/[^\/]{3}\/?/
uri __KAM_SHORT /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it)\/[^\/]{3}\/?/
# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
@ -2697,7 +2700,7 @@ describe KAM_PRIV Private Messages using Exploits in attached HTML files
score KAM_PRIV 5.0
#DIV
rawbody __KAM_DIV1 /Viagr?|Cial?<div/i
rawbody __KAM_DIV1 /(Viagr?|Cial?)<div/i
rawbody __KAM_DIV2 /<\/div>r?a\|l?is/i
meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
@ -2714,15 +2717,19 @@ header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
#Useful Resources for Tags
#https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
#https://www.branah.com/unicode-converter
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_tag A (?:[\xd0][\xb0]|a)
replace_tag C (?:[\xd0][\xa1]|c|[\xd1][\x81])
replace_tag E (?:[\xd0][\xb5]|e)
replace_tag I (?:[\xd1][\x96]|i)
replace_tag M (?:[\xca][\x8d]|m)
replace_tag O (?:[\xd0][\xbe]|o)
replace_tag P (?:[\xd1][\x80]|p)
replace_tag P (?:[\xd1][\x80]|p|[\xc7][\xb7])
replace_tag S (?:[\xd0][\x85]|s)
header __KAM_CREDIT6 Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
@ -2736,9 +2743,11 @@ meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 +
describe KAM_CREDIT Credit Score Spams
score KAM_CREDIT 4.5
meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe KAM_CREDIT2 Credit Score Spams
score KAM_CREDIT2 4.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe KAM_CREDIT2 Credit Score Spams
score KAM_CREDIT2 4.5
endif
#OBFUSCATED URI
rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
@ -2962,9 +2971,11 @@ header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe KAM_COLLEGE Online Degree/Aid Spams
score KAM_COLLEGE 4.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe KAM_COLLEGE Online Degree/Aid Spams
score KAM_COLLEGE 4.0
endif
#SURVEY
header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
@ -3028,16 +3039,18 @@ meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe KAM_ANATA Drug Spam
score KAM_ANATA 4.5
#BBB Phish
header __KAM_BBB1 From =~ /bbb.org/i
body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#BBB Phish
header __KAM_BBB1 From =~ /bbb.org/i
body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
describe KAM_BBB Better Business Bureau Phishing
score KAM_BBB 5.0
meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
describe KAM_BBB Better Business Bureau Phishing
score KAM_BBB 5.0
endif
#PREV MARK
header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
@ -3429,13 +3442,13 @@ score KAM_PEST 3.5
#PROPHET
header __KAM_PROPHET1 Subject =~ /beezelbub|communique/i
header __KAM_PROPHET2 From =~ /christian.*prophe/i
header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
header __KAM_PROPHET2 From =~ /christian.*prophe|twintongues/i
body __KAM_PROPHET3 /Dear Christian Friend/i
body __KAM_PROPHET4 /Christian Media Ministry/i
body __KAM_PROPHET5 /prophecy article|rapture/i
body __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
body __KAM_PROPHET5 /prophecy|rapture/i
meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
describe KAM_PROPHET Spam for Prophecy
score KAM_PROPHET 6.0
@ -3642,14 +3655,16 @@ meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOG
describe KAM_NUMEROLOGY Pseudo-scientific spam
score KAM_NUMEROLOGY 3.5
#VOICEMAIL SPAM
header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#VOICEMAIL SPAM
header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
endif
#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
@ -4034,7 +4049,7 @@ describe KAM_WRITING Spam for writing lessons
score KAM_WRITING 3.5
#RASH OF .EU EXPLOITS
rawbody KAM_EU /http:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score KAM_EU 0.50
describe KAM_EU Prevalent use of .eu in spam/malware
@ -4526,12 +4541,14 @@ meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score KAM_TOLL 8.0
#KAM_AMAZON
header __KAM_AMAZON1 From =~ /amazon\.com/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#KAM_AMAZON
header __KAM_AMAZON1 From =~ /amazon\.com/i
meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
score KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
score KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
endif
# LANDSCAPING
header __KAM_LANDSCAPE1 From =~ /landscaping/i
@ -5064,9 +5081,25 @@ describe KAM_DRIVE Spam for ordering office equipment
#endif
#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
# HEARING LOSS
header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
@ -5557,21 +5590,29 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life/i
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A>lw<A>r<E> <O>n th<E> w<E>b|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|cameras? and a mic|I am a hacker/i
#Different encodings
body __KAM_CRIM2 /(bit<C><O><I>n|BTC)/
body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number/i
body __KAM_CRIM4 /erotica|<P>orn|promising evidence|video|masturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen/i
body __KAM_CRIM2 /(bit<C><O><I>n|BTC)/i
body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C><O><I>n w<A>ll|(m<A>k<I>ng|<C><O>mpl<E>et<E>) th<E> tr<A>ns<A><C>t<I><O>n|send me \d+ dollars|send [\d\.]+ USD|addr<E>ss f<O>r p<A>ym<E>nt|euros in bitcoin|wallet number|bitcoin network/i
body __KAM_CRIM4 /erotica|<P>orn|promising evidence|video|masturbat|playing with yourself|wanking|l<I>f<E> <C><A>n b<E> ru<I>n<E>d|explosi|lead azide|hexogen|banana/i
endif
body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz/i
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|masturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news/i
body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O>urs)? <A>ft<E>r y<O><U> <O>p<E>n|hours for payment|days? to (perform|make) the payment|short-term support|48h plz|deadline|hours only to send the fund/i
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O><U> <A>r<E> my v<I><C>t<I>m|visit the police|hi. vi<C>tim|bomb|rescue|your building|<M>asturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news|central intelligence|pervert/i
meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 7.5
#KAM_CRIM_V2
body __KAM_CRIM2_1 /bit.{0,2}coin/i
body __KAM_CRIM2_2 /address\:/i
body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
describe KAM_CRIM2 Extortion Email
score KAM_CRIM2 7.5
#ZWNJ
#ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
@ -5579,7 +5620,7 @@ score KAM_CRIM 7.5
# Switch rawbody check to Mail::SpamAssassin::Plugin::MIMEHeader
# Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
rawbody __KAM_ZWNJ1 /Content\-Type.*charset.*windows\-1256/i
rawbody __KAM_ZWNJ1 /Content\-Type.{1,1000}charset.{1,1000}windows\-1256/i
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
tflags __KAM_ZWNJ2 multiple maxhits=16
@ -5658,6 +5699,17 @@ meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
# A pattern seen in subscription-bombings
describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
score SCC_SUBBOMB_SUBJ_1 5
# cPanel Phishing
header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
score SCC_FAKE_CPANEL 6
#https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
body KAM_FILE /file:\/\/\/\//i
describe KAM_FILE Potential attempt for NTLM attack
@ -5673,4 +5725,65 @@ meta KAM_FUN (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN 4.5
#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
uri KAM_DRIVENUM /\d+\.drive\.google.com/i
describe KAM_DRIVENUM Drive Links Prevalent in Spam
score KAM_DRIVENUM 5.0
#SWIFT PAYMENT SCAMS
header __KAM_SWIFT1 Subject =~ /Swift/i
body __KAM_SWIFT2 /swift copy/i
body __KAM_SWIFT3 /balance payment/i
meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
describe KAM_SWIFT SWIFT payment scam
score KAM_SWIFT 3.0
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Custom score
score FROMNAME_SPOOFED_EMAIL 0.3
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/
describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
score KAM_RAPTOR_ALTERED 2.0
endif
#BAD INVOICE SCAMS
header __KAM_PROFORMA1 Subject =~ /Proforma/i
body __KAM_PROFORMA2 /no responds/i
body __KAM_PROFORMA3 /highly encrypted/i
body __KAM_PROFORMA4 /Proforma Invoice/i
uri __KAM_PROFORMA5 /\.php/i
meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
describe KAM_PROFORMA Invoice scam
score KAM_PROFORMA 7.5
#BAD INVOICE SCAMS
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_INVOICEPO1 Subject =~ /Invoice copies/i
body __KAM_INVOICEPO2 /consignment/i
body __KAM_INVOICEPO3 /invoice copies/i
mimeheader __KAM_INVOICEPO4 Content-Type =~ /invoice copies.{0,100}\.html/i
meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
describe KAM_INVOICEPO Invoice scam
score KAM_INVOICEPO 4.0
mimeheader KAM_HTMLINVOICE Content-Type =~ /invoice.{0,100}\.html/i
describe KAM_HTMLINVOICE Invoice scam
score KAM_HTMLINVOICE 1.5
mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
describe KAM_HTMLINVOICE2 Invoice scam
score KAM_HTMLINVOICE2 3.5
endif
# Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
# FIXED rule distributed via sa-update since 2019-05-31
# meta __STYLE_GIBBERISH_1 0
# EOF
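Review bot: The new `meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)` in the `@ -5658,6 +5699,17 @@` hunk (the "# cPanel Phishing" lines) is not guarded by an `ifplugin`, unlike every other plugin-dependent rule this file adds (MIMEHeader, FromNameSpoof, KAMOnly). SPF_PASS and SPF_HELO_PASS are only defined when the SPF plugin is loaded; as far as I know SpamAssassin evaluates an undefined rule name inside a meta as 0, so on an installation without SPF the negated clause is always true and every message relayed with a bare `helo=cpanel.net` — including legitimate ones — would collect the 6-point score. Wrapping the four cPanel lines in `ifplugin Mail::SpamAssassin::Plugin::SPF` … `endif` keeps the rule inert where it cannot verify SPF. Separately, the scored rule SCC_FAKE_CPANEL has no `describe` line while its sub-rule does; a `describe SCC_FAKE_CPANEL Bare cpanel.net HELO without SPF pass` would make the hit readable in reports.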