diff --git a/KAM.cf b/KAM.cf
index a67541c..fae0d89 100644
--- a/KAM.cf
+++ b/KAM.cf
@@ -1,6 +1,6 @@
 #KAM.cf - SpamAssassin Rules
-#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmnn,
+#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
 # & Bill Cole
 #Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
@@ -55,7 +55,7 @@
 #https://raptor.pccc.com/free_spam_consultation.cgim
 #
-#Copyright (c) 2018 Kevin A. McGrail and the McGrail Foundation
+#Copyright (c) 2019 Kevin A. McGrail and the McGrail Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -91,7 +91,7 @@ body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activ
 body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form).htm/i
+ mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
 endif
 meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
@@ -1440,8 +1440,11 @@ body __KAM_PHISH2_7 /extra security check|security.tip/i
 describe KAM_PHISH2 Prevalent Phishing Scam emails
 score KAM_PHISH2 2.0
-meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
-
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
+else
+ meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
+endif
 #CRAZY HEX EMPTY MESSAGE
 body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
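Review bot: The KAMOnly and else branches of KAM_PHISH2 repeat the entire meta expression and differ only in the `__KAM_URIBL_PCCC` term, so the two copies can drift silently on the next edit; the same pattern appears for KAM_QUITE_BAD_DNSWL and KAM_BAD_DNSWL in the hunk at @@ -5064. If the split exists only because `__KAM_URIBL_PCCC` is undefined outside KAMOnly (its definition is not visible here), a smaller change is a stub on the plugin-free side where that sub-rule is defined, `else` / `meta __KAM_URIBL_PCCC 0` / `endif`, so each scoring rule keeps a single definition. The file already uses the `meta NAME 0` form, as the commented `__STYLE_GIBBERISH_1` line at the end of this diff shows.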
@@ -2602,7 +2605,7 @@ score KAM_SHORT 0.001
 describe KAM_SHORT Use of a URL Shortener for very short URL
 #URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
-uri __KAM_SHORT /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly)\/[^\/]{3}\/?/
+uri __KAM_SHORT /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it)\/[^\/]{3}\/?/
 # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
 uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
@@ -2697,7 +2700,7 @@ describe KAM_PRIV Private Messages using Exploits in attached HTML files
 score KAM_PRIV 5.0
 #DIV
-rawbody __KAM_DIV1 /Viagr?|Cial?
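Review bot: justpaste\.it is added to __KAM_SHORT but the pattern is still anchored on `^http:\/\/`, so an https link to that (or any listed) shortener never matches, whereas __KAM_TINYDOMAIN two lines below already accepts `https?`. Unless the http-only anchor is deliberate, `uri __KAM_SHORT /^https?:\/\/(?:bit\.ly|…|justpaste\.it)\/[^\/]{3}\/?/` brings the two rules in line. The hunk at @@ -2697 below appears mangled in this rendering (the added rawbody line is not visible), so I have not reviewed it.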
r?a\|l?is/i
 meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
@@ -2714,15 +2717,19 @@ header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
 #EXPERIMENTAL UTF-8
 # SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
+#Useful Resources for Tags
 #https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
+#https://www.branah.com/unicode-converter
+
 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 replace_tag A (?:[\xd0][\xb0]|a)
 replace_tag C (?:[\xd0][\xa1]|c|[\xd1][\x81])
 replace_tag E (?:[\xd0][\xb5]|e)
 replace_tag I (?:[\xd1][\x96]|i)
+replace_tag M (?:[\xca][\x8d]|m)
 replace_tag O (?:[\xd0][\xbe]|o)
-replace_tag P (?:[\xd1][\x80]|p)
+replace_tag P (?:[\xd1][\x80]|p|[\xc7][\xb7])
 replace_tag S (?:[\xd0][\x85]|s)
 header __KAM_CREDIT6 Subject =~ /omplmentary (redt|EXPERIAN|Transunion|Equifax)/i
@@ -2736,9 +2743,11 @@ meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 +
 describe KAM_CREDIT Credit Score Spams
 score KAM_CREDIT 4.5
-meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
-describe KAM_CREDIT2 Credit Score Spams
-score KAM_CREDIT2 4.5
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
+ describe KAM_CREDIT2 Credit Score Spams
+ score KAM_CREDIT2 4.5
+endif
 #OBFUSCATED URI
 rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
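Review bot: The new `replace_tag M` and the extra alternative in `replace_tag P` are raw UTF-8 byte pairs with nothing saying which characters they stand for, unlike the existing tags, which the utf8-chartable link above (start=1024, the Cyrillic block) at least lets a reader place. A comment such as `# M: U+028D LATIN SMALL LETTER TURNED W; P also matches U+01F7 LATIN CAPITAL LETTER WYNN` above those two lines lets a maintainer verify the bytes without decoding them by hand. Presumably these byte-level forms also depend on the charset normalization setting that the ZWNJ comment further down in this diff discusses; stating that here would save the next reader the same search.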
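Review bot: Wrapping KAM_CREDIT2 in ifplugin KAMOnly removes the rule from every non-KAMOnly installation without saying why; presumably it is because the meta depends on KAM_INFOUSMEBIZ and __KAM_URIBL_PCCC, which I take to be defined only under that plugin, but that is not visible in the hunk. A one-line comment above the ifplugin, e.g. `# KAMOnly: depends on KAM_INFOUSMEBIZ / __KAM_URIBL_PCCC`, lets a reader tell a dependency guard apart from a deliberate opt-out. The same applies to KAM_COLLEGE (@@ -2962), KAM_BBB (@@ -3028), KAM_VOICEMAIL (@@ -3642) and KAM_AMAZON (@@ -4526), where the dependency is KAM_RAPTOR or __KAM_GALLERY5 in some cases and unstated in others.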
@@ -2962,9 +2971,11 @@ header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
 header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
 rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
-meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
-describe KAM_COLLEGE Online Degree/Aid Spams
-score KAM_COLLEGE 4.0
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
+ describe KAM_COLLEGE Online Degree/Aid Spams
+ score KAM_COLLEGE 4.0
+endif
 #SURVEY
 header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
@@ -3028,16 +3039,18 @@ meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
 describe KAM_ANATA Drug Spam
 score KAM_ANATA 4.5
-#BBB Phish
-header __KAM_BBB1 From =~ /bbb.org/i
-body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
-body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
-body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
-header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ #BBB Phish
+ header __KAM_BBB1 From =~ /bbb.org/i
+ body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
+ body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
+ body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
+ header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
-meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
-describe KAM_BBB Better Business Bureau Phishing
-score KAM_BBB 5.0
+ meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
+ describe KAM_BBB Better Business Bureau Phishing
+ score KAM_BBB 5.0
+endif
 #PREV MARK
 header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
@@ -3429,13 +3442,13 @@ score KAM_PEST 3.5
 #PROPHET
-header __KAM_PROPHET1 Subject =~ /beezelbub|communique/i
-header __KAM_PROPHET2 From =~ /christian.*prophe/i
+header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
+header __KAM_PROPHET2 From =~ /christian.*prophe|twintongues/i
 body __KAM_PROPHET3 /Dear Christian Friend/i
-body __KAM_PROPHET4 /Christian Media Ministry/i
-body __KAM_PROPHET5 /prophecy article|rapture/i
+body __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
+body __KAM_PROPHET5 /prophecy|rapture/i
-meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
+meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
 describe KAM_PROPHET Spam for Prophecy
 score KAM_PROPHET 6.0
@@ -3642,14 +3655,16 @@ meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOG
 describe KAM_NUMEROLOGY Pseudo-scientific spam
 score KAM_NUMEROLOGY 3.5
-#VOICEMAIL SPAM
-header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
-header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
-body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ #VOICEMAIL SPAM
+ header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
+ header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
+ body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
-meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
-describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
-score KAM_VOICEMAIL 5.0
+ meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
+ describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
+ score KAM_VOICEMAIL 5.0
+endif
 #SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
 header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
@@ -4034,7 +4049,7 @@ describe KAM_WRITING Spam for writing lessons
 score KAM_WRITING 3.5
 #RASH OF .EU EXPLOITS
-rawbody KAM_EU /http:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
+rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
 score KAM_EU 0.50
 describe KAM_EU Prevalent use of .eu in spam/malware
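Review bot: KAM_EU gains `https?` but keeps the unescaped dot in `(?:www.)?`, so `www` followed by any single character is accepted; since the line is being rewritten anyway, `rawbody KAM_EU /https?:\/\/(?:www\.)?.{4,30}\.(eu)(\b|\/)/i` closes that without changing what the rule is meant to catch. The `.{4,30}` gap is unanchored and can also span a `/`, which is pre-existing and may be intended for paths, so I only flag it.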
@@ -4526,12 +4541,14 @@ meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
 describe KAM_TOLL Spam for road tolls
 score KAM_TOLL 8.0
-#KAM_AMAZON
-header __KAM_AMAZON1 From =~ /amazon\.com/i
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ #KAM_AMAZON
+ header __KAM_AMAZON1 From =~ /amazon\.com/i
-meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
-score KAM_AMAZON 4.5
-describe KAM_AMAZON Fake Amazon email with malware
+ meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
+ score KAM_AMAZON 4.5
+ describe KAM_AMAZON Fake Amazon email with malware
+endif
 # LANDSCAPING
 header __KAM_LANDSCAPE1 From =~ /landscaping/i
@@ -5064,9 +5081,25 @@ describe KAM_DRIVE Spam for ordering office equipment
 #endif
 #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
-meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
-score KAM_BAD_DNSWL 7.0
-describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+ score KAM_QUITE_BAD_DNSWL 3.25
+ describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
+else
+ meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
+ score KAM_QUITE_BAD_DNSWL 3.25
+ describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + RCVD_IN_LASHBACK + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+ score KAM_BAD_DNSWL 7.0
+ describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
+else
+ meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + RCVD_IN_LASHBACK + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
+ 
score KAM_BAD_DNSWL 7.0
+ describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
+endif
 # HEARING LOSS
 header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
@@ -5557,21 +5590,29 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6
-body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life/i
+body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|infected your device|double.screen video|keylogger|ruin your life|collection officer|cameras? and a mic|I am a hacker/i
 #Different encodings
-body __KAM_CRIM2 /(bitn|BTC)/
-body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|euros in bitcoin|wallet number/i
-body __KAM_CRIM4 /erotica|
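Review bot: KAM_BAD_DNSWL (`>= 2` whitelist hits) is a strict subset of KAM_QUITE_BAD_DNSWL (`>= 1`) because both share the same RBL clause, so any message that reaches the 7.0 rule also collects the 3.25 one for a combined 10.25, and both carry the identical `describe` text, so the report shows two rules with one description. If tiering rather than stacking is intended, add `&& !KAM_BAD_DNSWL` to the QUITE_BAD meta in both branches; either way give it its own text, e.g. `describe KAM_QUITE_BAD_DNSWL One whitelist hit on a message also listed in an RBL`. The non-KAMOnly branches also drop IN_BRBL and RCVD_IN_BRBL_RELAY, presumably because those rules are local to the KAMOnly setup, but the comment above the block does not say so.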

orn|promising evidence|video|masturbat|playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen/i
+body __KAM_CRIM2 /(bitn|BTC)/i
+body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|euros in bitcoin|wallet number|bitcoin network/i
+body __KAM_CRIM4 /erotica|

orn|promising evidence|video|masturbat|playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana/i
 endif
-body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days? to (perform|make) the payment|short-term support|48h plz/i
-header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|masturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news/i
+body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days? to (perform|make) the payment|short-term support|48h plz|deadline|hours only to send the fund/i
+header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|account has been hacked|last warning|dirty little secret|bad news|central intelligence|pervert/i
 meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
 describe KAM_CRIM Extortion Email
 score KAM_CRIM 7.5
+#KAM_CRIM_V2
+body __KAM_CRIM2_1 /bit.{0,2}coin/i
+body __KAM_CRIM2_2 /address\:/i
+body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
+
+meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
+describe KAM_CRIM2 Extortion Email
+score KAM_CRIM2 7.5
 #ZWNJ
 #ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
 # Also want to look at Unicode U+200C.
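Review bot: The new sub-rules `__KAM_CRIM2_1`…`__KAM_CRIM2_3` read as children of the existing `__KAM_CRIM2` (the `(bitn|BTC)` rule a few lines up) rather than of the new scoring rule `KAM_CRIM2`, and `KAM_CRIM2` reuses the exact `describe` text of KAM_CRIM, so the two are indistinguishable in a report. Renaming the trio after the `#KAM_CRIM_V2` comment, e.g. `body __KAM_CRIMV2_1 /bit.{0,2}coin/i` with the meta adjusted to match, and `describe KAM_CRIM2 Extortion Email (bitcoin address / adult site variant)` removes both ambiguities. Minor: `\:` in `__KAM_CRIM2_2` is a needless escape, `/address:/i` is equivalent.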
@@ -5579,7 +5620,7 @@ score KAM_CRIM 7.5
 # Switch rawbody check to Mail::SpamAssassin::Plugin::MIMEHeader
 # Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
-rawbody __KAM_ZWNJ1 /Content\-Type.*charset.*windows\-1256/i
+rawbody __KAM_ZWNJ1 /Content\-Type.{1,1000}charset.{1,1000}windows\-1256/i
 body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
 tflags __KAM_ZWNJ2 multiple maxhits=16
@@ -5658,6 +5699,17 @@ meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
 meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
+# A pattern seen in subscription-bombings
+describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
+header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
+score SCC_SUBBOMB_SUBJ_1 5
+
+# cPanel Phishing
+header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
+describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
+meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
+score SCC_FAKE_CPANEL 6
+
 #https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
 body KAM_FILE /file:\/\/\/\//i
 describe KAM_FILE Potential attempt for NTLM attack
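Review bot: The change from `.*` to `.{1,1000}` in __KAM_ZWNJ1 has no comment saying why the bound was chosen; the comment block above it only explains the \x9d substitution, and I assume the aim is to cap backtracking on large raw bodies. Suggest `# bounded gaps instead of .* so a long rawbody cannot make this pattern backtrack excessively` above the rule. Note also that `{1,1000}` requires at least one character between the tokens where `.*` did not; in the usual `Content-Type: …; charset=…` form that is harmless, but it is a behaviour difference worth a word.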
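Review bot: SCC_FAKE_CPANEL depends on SPF_PASS and SPF_HELO_PASS but is not guarded by `ifplugin Mail::SpamAssassin::Plugin::SPF`, unlike the other plugin-dependent rules in this file; on an install without that plugin the negated clause can no longer protect legitimate cpanel.net mail and, if undefined dependencies evaluate as false, the 6-point rule fires on the HELO alone. Wrapping the header/describe/meta/score lines in `ifplugin Mail::SpamAssassin::Plugin::SPF` … `endif` keeps the behaviour consistent with the rest of the file. Also, the `describe` for SCC_SUBBOMB_SUBJ_1 precedes its definition whereas every other rule here defines first and describes after; harmless, but worth aligning.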
@@ -5673,4 +5725,65 @@ meta KAM_FUN (__KAM_FUN1 + __KAM_FUN2 + __KAM_FUN3 + __KAM_FUN4 >=3)
 describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
 score KAM_FUN 4.5
+#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
+uri KAM_DRIVENUM /\d+\.drive\.google.com/i
+describe KAM_DRIVENUM Drive Links Prevalent in Spam
+score KAM_DRIVENUM 5.0
+
+#SWIFT PAYMENT SCAMS
+header __KAM_SWIFT1 Subject =~ /Swift/i
+body __KAM_SWIFT2 /swift copy/i
+body __KAM_SWIFT3 /balance payment/i
+
+meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
+describe KAM_SWIFT SWIFT payment scam
+score KAM_SWIFT 3.0
+
+ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
+ # Custom score
+ score FROMNAME_SPOOFED_EMAIL 0.3
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/
+ describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
+ score KAM_RAPTOR_ALTERED 2.0
+endif
+
+#BAD INVOICE SCAMS
+header __KAM_PROFORMA1 Subject =~ /Proforma/i
+body __KAM_PROFORMA2 /no responds/i
+body __KAM_PROFORMA3 /highly encrypted/i
+body __KAM_PROFORMA4 /Proforma Invoice/i
+uri __KAM_PROFORMA5 /\.php/i
+
+meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
+describe KAM_PROFORMA Invoice scam
+score KAM_PROFORMA 7.5
+
+#BAD INVOICE SCAMS
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ header __KAM_INVOICEPO1 Subject =~ /Invoice copies/i
+ body __KAM_INVOICEPO2 /consignment/i
+ body __KAM_INVOICEPO3 /invoice copies/i
+ mimeheader __KAM_INVOICEPO4 Content-Type =~ /invoice copies.{0,100}\.html/i
+
+ meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
+ describe KAM_INVOICEPO Invoice scam
+ score KAM_INVOICEPO 4.0
+
+ mimeheader KAM_HTMLINVOICE Content-Type =~ /invoice.{0,100}\.html/i
+ describe KAM_HTMLINVOICE Invoice scam
+ score KAM_HTMLINVOICE 1.5
+
+ mimeheader KAM_HTMLINVOICE2 Content-Type =~ 
/(order confirmation|po attachments.{0,100})\.xls\.html/i
+ describe KAM_HTMLINVOICE2 Invoice scam
+ score KAM_HTMLINVOICE2 3.5
+endif
+
+# Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
+# FIXED rule distributed via sa-update since 2019-05-31
+# meta __STYLE_GIBBERISH_1 0
+
+
 # EOF
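Review bot: `uri KAM_DRIVENUM /\d+\.drive\.google.com/i` escapes the first two dots but not the last, so `google.com` is `google` plus any character; `uri KAM_DRIVENUM /\d+\.drive\.google\.com/i` is presumably what was meant. Separately, the `#BAD INVOICE SCAMS` heading is used for two different blocks and KAM_PROFORMA, KAM_INVOICEPO, KAM_HTMLINVOICE and KAM_HTMLINVOICE2 all carry `describe … Invoice scam`, so reports cannot tell them apart; give each its own text, for example `describe KAM_HTMLINVOICE HTML attachment named as an invoice`. KAM_HTMLINVOICE (`invoice.{0,100}\.html`) also matches almost any attachment that satisfies `__KAM_INVOICEPO4`, so a KAM_INVOICEPO hit normally scores 5.5 in total; if that stacking is deliberate a comment saying so would help. The ifplugin MIMEHeader block closes at `+endif` inside this hunk.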