kam-update: add complete KAM ruleset

generated by `make update-kam`

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

kam-updates/kam_sa-channels_mcgrail_com.cf

@@ -0,0 +1,9 @@
+# UPDATE version 1679601668
+include kam_sa-channels_mcgrail_com/KAM.cf
+include kam_sa-channels_mcgrail_com/KAM_deadweight3.cf
+include kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf
+include kam_sa-channels_mcgrail_com/KAM_deadweight3_sub.cf
+include kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf
+include kam_sa-channels_mcgrail_com/KAM_heavyweight.cf
+include kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf
+include kam_sa-channels_mcgrail_com/nonKAMrules.cf

kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3.cf

@@ -0,0 +1,199 @@
+#Copyright (c) 2022 Kevin A. McGrail and the McGrail Foundation
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+score EMAIL_ROT13 0
+score BLANK_LINES_80_90 0
+score MULTIPART_ALT_NON_TEXT 0
+score CHARSET_FARAWAY 0
+score MIME_BAD_ISO_CHARSET 0
+score MIMEPART_LIMIT_EXCEEDED 0
+score SUBJECT_DRUG_GAP_S 0
+score SUBJECT_DRUG_GAP_X 0
+score DRUG_DOSAGE 0
+score DRUG_ED_SILD 0
+score DRUG_ED_GENERIC 0
+score DRUG_ED_ONLINE 0
+score NO_PRESCRIPTION 0
+score VIA_GAP_GRA 0
+score DRUGS_SMEAR1 0
+score HELO_DYNAMIC_ROGERS 0
+score HELO_DYNAMIC_DIALIN 0
+score HELO_DYNAMIC_HOME_NL 0
+score FRAGMENTED_MESSAGE 0
+score MSGID_SPAM_LETTERS 0
+score MSGID_YAHOO_CAPS 0
+score DATE_SPAMWARE_Y2K 0
+score INVALID_TZ_CST 0
+score INVALID_TZ_EST 0
+score ENGLISH_UCE_SUBJECT 0
+score JAPANESE_UCE_SUBJECT 0
+score KOREAN_UCE_SUBJECT 0
+score FORGED_TELESP_RCVD 0
+score NONEXISTENT_CHARSET 0
+score PREVENT_NONDELIVERY 0
+score SUBJ_AS_SEEN 0
+score MIME_BOUND_MANY_HEX 0
+score WITH_LC_SMTP 0
+score RCVD_AM_PM 0
+score FAKE_OUTBLAZE_RCVD 0
+score UNCLOSED_BRACKET 0
+score FROM_LOCAL_HEX 0
+score X_PRIORITY_CC 0
+score MSGID_OUTLOOK_INVALID 0
+score HEADER_COUNT_CTYPE 0
+score HEAD_LONG 0
+score MISSING_HB_SEP 0
+score HIDE_WIN_STATUS 0
+score HTML_COMMENT_SHORT 0
+score HTML_EMBEDS 0
+score HTML_FORMACTION_MAILTO 0
+score HTML_OBFUSCATE_30_40 0
+score HTML_OBFUSCATE_50_60 0
+score HTML_OBFUSCATE_70_80 0
+score HTML_OBFUSCATE_90_100 0
+score HTML_TAG_EXIST_BGSOUND 0
+score HTML_BADTAG_40_50 0
+score HTML_BADTAG_50_60 0
+score HTML_BADTAG_60_70 0
+score HTML_BADTAG_90_100 0
+score HTML_NONELEMENT_30_40 0
+score HTML_NONELEMENT_40_50 0
+score HTML_NONELEMENT_60_70 0
+score HTML_NONELEMENT_80_90 0
+score HTML_IFRAME_SRC 0
+score NO_DNS_FOR_FROM 0
+score GMD_PDF_HORIZ 0
+score GMD_PDF_SQUARE 0
+score GMD_PDF_VERT 0
+score GMD_PRODUCER_GPL 0
+score GMD_PRODUCER_POWERPDF 0
+score GMD_PRODUCER_EASYPDF 0
+score GMD_PDF_ENCRYPTED 0
+score GMD_PDF_EMPTY_BODY 0
+score EXCUSE_REMOVE 0
+score STRONG_BUY 0
+score STOCK_ALERT 0
+score NOT_ADVISOR 0
+score PREST_NON_ACCREDITED 0
+score FREE_QUOTE_INSTANT 0
+score REFINANCE_YOUR_HOME 0
+score REFINANCE_NOW 0
+score FORWARD_LOOKING 0
+score OBSCURED_EMAIL 0
+score BANG_OPRAH 0
+score REPLICA_WATCH 0
+score EM_ROLEX 0
+score FREE_PORN 0
+score CUM_SHOT 0
+score LIVE_PORN 0
+score SUBJECT_SEXUAL 0
+score RATWARE_OE_MALFORMED 0
+score RATWARE_MOZ_MALFORMED 0
+score RATWARE_MPOP_WEBMAIL 0
+score RATWARE_HASH_DASH 0
+score X_MESSAGE_INFO 0
+score RATWARE_RCVD_PF 0
+score RATWARE_RCVD_AT 0
+score RATWARE_EFROM 0
+score ACCESSDB 0
+score MIME_SUSPECT_NAME 0
+score SUBJECT_FUZZY_MEDS 0
+score SUBJECT_FUZZY_CHEAP 0
+score SUBJECT_FUZZY_PENIS 0
+score SUBJECT_FUZZY_TION 0
+score FUZZY_AFFORDABLE 0
+score FUZZY_BILLION 0
+score FUZZY_GUARANTEE 0
+score FUZZY_MEDICATION 0
+score FUZZY_MILLION 0
+score FUZZY_MONEY 0
+score FUZZY_MORTGAGE 0
+score FUZZY_OBLIGATION 0
+score FUZZY_OFFERS 0
+score FUZZY_PHARMACY 0
+score FUZZY_PHENT 0
+score FUZZY_PRESCRIPT 0
+score FUZZY_PRICES 0
+score FUZZY_REFINANCE 0
+score FUZZY_REMOVE 0
+score FUZZY_SOFTWARE 0
+score FUZZY_THOUSANDS 0
+score FUZZY_VLIUM 0
+score FUZZY_VIOXX 0
+score BODY_8BITS 0
+score BANKING_LAWS 0
+score CURR_PRICE 0
+score DOS_ANAL_SPAM_MAILER 0
+score DOS_RCVD_IP_TWICE_C 0
+score DRUGS_HDIA 0
+score DX_TEXT_02 0
+score EMRCP 0
+score EXCUSE_24 0
+score FSL_HELO_DEVICE 0
+score FSL_HELO_SETUP 0
+score FUZZY_MERIDIA 0
+score HEADER_COUNT_SUBJECT 0
+score HELO_FRIEND 0
+score HELO_LH_LD 0
+score HELO_OEM 0
+score JH_SPAMMY_PATTERN01 0
+score JH_SPAMMY_PATTERN02 0
+score JM_RCVD_QMAILV1 0
+score KB_RATWARE_OUTLOOK_08 0
+score KB_RATWARE_OUTLOOK_12 0
+score KB_RATWARE_OUTLOOK_16 0
+score KB_RATWARE_OUTLOOK_MID 0
+score LONG_TERM_PRICE 0
+score LOOPHOLE_1 0
+score MID_DEGREES 0
+score MIME_BOUND_EQ_REL 0
+score RCVD_BAD_ID 0
+score RCVD_DBL_DQ 0
+score RCVD_FORGED_WROTE 0
+score RCVD_FORGED_WROTE2 0
+score RCVD_MAIL_COM 0
+score SCC_SPECIAL_GUID 0
+score SHORT_TERM_PRICE 0
+score THEBAT_UNREG 0
+score TT_MSGID_TRUNC 0
+score TVD_ACT_193 0
+score TVD_DEAR_HOMEOWNER 0
+score TVD_ENVFROM_APOST 0
+score TVD_FINGER_02 0
+score TVD_FLOAT_GENERAL 0
+score TVD_FUZZY_DEGREE 0
+score TVD_FUZZY_FINANCE 0
+score TVD_FUZZY_FIXED_RATE 0
+score TVD_FUZZY_MICROCAP 0
+score TVD_FUZZY_PHARMACEUTICAL 0
+score TVD_FUZZY_SYMBOL 0
+score TVD_INCREASE_SIZE 0
+score TVD_LINK_SAVE 0
+score TVD_RATWARE_CB 0
+score TVD_RATWARE_CB_2 0
+score TVD_RATWARE_MSGID_02 0
+score TVD_RCVD_IP4 0
+score TVD_SECTION 0
+score TVD_SILLY_URI_OBFU 0
+score TVD_SPACED_SUBJECT_WORD3 0
+score TVD_STOCK1 0
+score TVD_SUBJ_FINGER_03 0
+score TVD_SUBJ_OWE 0
+score TVD_SUBJ_WIPE_DEBT 0
+score TVD_VIS_HIDDEN 0
+score T_LFUZ_PWRMALE 0
+score T_LOTTO_AGENT_FM 0
+score T_TVD_FUZZY_SECURITIES 0
+score X_MAILER_CME_6543_MSN 0

kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf

@@ -0,0 +1,164 @@
+#Copyright (c) 2022 Kevin A. McGrail and the McGrail Foundation
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+score MIME_HTML_ONLY_MULTI 0 # (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY)
+score MIME_CHARSET_FARAWAY 0 # (__MIME_CHARSET_FARAWAY && __HIGHBITS)
+score DRUGS_DIET 0 # (__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 )
+score DRUGS_DIET_OBFU 0 # (__DRUGS_DIET1 && !__DRUGS_DIET_PHEN)
+score DRUGS_MUSCLE 0 # (__DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 )
+score DRUGS_ANXIETY_OBFU 0 # ( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) || (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL))
+score DRUGS_ANXIETY_EREC 0 # (DRUGS_ERECTILE && DRUGS_ANXIETY)
+score DRUGS_SLEEP_EREC 0 # (DRUGS_ERECTILE && __DRUGS_SLEEP)
+score DRUGS_MANYKINDS 0 # (DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3)
+score MSGID_DOLLARS_RANDOM 0 # __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK
+score FORGED_MSGID_AOL 0 # (__AT_AOL_MSGID && !__FROM_AOL_COM)
+score FORGED_MSGID_EXCITE 0 # (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
+score FORGED_MSGID_HOTMAIL 0 # (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
+score FORGED_MSGID_MSN 0 # (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
+score FORGED_MSGID_YAHOO 0 # (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
+score JAPANESE_UCE_BODY 0 # (__ISO_2022_JP_DELIM && __JAPANESE_UCE_BODY)
+score CONFIRMED_FORGED 0 # (__FORGED_RCVD_TRAIL && (__FORGED_AOL_RCVD || __FORGED_HOTMAIL_RCVD || __FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || __FORGED_JUNO_RCVD || FORGED_GMAIL_RCVD))
+score MULTI_FORGED 0 # ((__FORGED_AOL_RCVD + __FORGED_HOTMAIL_RCVD + __FORGED_EUDORAMAIL_RCVD + FORGED_YAHOO_RCVD + __FORGED_JUNO_RCVD + FORGED_GMAIL_RCVD) > 1)
+score HTML_CHARSET_FARAWAY 0 # (__HTML_CHARSET_FARAWAY && __HIGHBITS)
+score HTML_MISSING_CTYPE 0 # (!__MIME_HTML && HTML_MESSAGE)
+score OBFUSCATING_COMMENT 0 # ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM
+score JS_FROMCHARCODE 0 # (__JS_FROMCHARCODE && __JS_DOCWRITE)
+score PERCENT_RANDOM 0 # (__PC_RND_HEADER || __PC_RND_RAWBODY)
+score NO_HEADERS_MESSAGE 0 # (MISSING_DATE && MISSING_HEADERS && NO_RECEIVED && NO_RELAYS && MISSING_MID)
+score DIGEST_MULTIPLE 0 # RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1
+score RUDE_HTML 0 # __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4
+score FORGED_MUA_THEBAT_CS 0 # (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED && !__MAILMAN_21)
+score FORGED_IMS_HTML 0 # (!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))
+score FORGED_THEBAT_HTML 0 # (__THEBAT_MUA_V1 && MIME_HTML_ONLY)
+score REPTO_QUOTE_AOL 0 # __REPTO_QUOTE && __AOL_MUA
+score REPTO_QUOTE_IMS 0 # __REPTO_QUOTE && __IMS_MUA
+score REPTO_QUOTE_MSN 0 # __REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID)
+score REPTO_QUOTE_QUALCOMM 0 # __REPTO_QUOTE && __ANY_QUALCOMM_MUA
+score FORGED_QUALCOMM_TAGS 0 # (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
+score FORGED_IMS_TAGS 0 # (!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
+score RATWARE_ZERO_TZ 0 # (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7))
+score RATWARE_OUTLOOK_NONAME 0 # __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
+score RATWARE_NAME_ID 0 # __RATWARE_0_TZ_DATE && __RATWARE_NAME_ID
+score NML_ADSP_CUSTOM_LOW 0 # DKIM_ADSP_CUSTOM_LOW  && !__VIA_ML && !__VIA_RESIGNER
+score NML_ADSP_CUSTOM_MED 0 # DKIM_ADSP_CUSTOM_MED  && !__VIA_ML && !__VIA_RESIGNER
+score NML_ADSP_CUSTOM_HIGH 0 # DKIM_ADSP_CUSTOM_HIGH && !__VIA_ML && !__VIA_RESIGNER
+score SUBJECT_FUZZY_VPILL 0 # __SUBJECT_FUZZY_VPILL && !FUZZY_VPILL
+score ENV_AND_HDR_SPF_MATCH 0 # (USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH)
+score AC_SPAMMY_URI_PATTERNS1 0 # (__AC_OUTL_URI && __AC_OUTI_URI)
+score AC_SPAMMY_URI_PATTERNS10 0 # __AC_PUNCTNUMS_URI
+score AC_SPAMMY_URI_PATTERNS11 0 # __AC_NDOMLONGNASPX_URI
+score AC_SPAMMY_URI_PATTERNS12 0 # (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
+score AC_SPAMMY_URI_PATTERNS2 0 # (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
+score AC_SPAMMY_URI_PATTERNS3 0 # (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
+score AC_SPAMMY_URI_PATTERNS9 0 # (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
+score ADMAIL 0 # __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS 
+score ADULT_DATING_COMPANY 0 # __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
+score BEBEE_IMG_NOT_RCVD_BB 0 # __BEBEE_IMG_NOT_RCVD_BB
+score BULK_RE_SUSP_NTLD 0 # __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
+score CANT_SEE_AD 0 # (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
+score COMMENT_GIBBERISH 0 # __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
+score CORRUPT_FROM_LINE_IN_HDRS 0 # (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
+score CTYPE_001C_A 0 # (0)      # obsolete
+score DOS_DEREK_AUG08 0 # __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
+score DOS_FIX_MY_URI 0 # __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
+score DOS_HIGH_BAT_TO_MX 0 # __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
+score DOS_LET_GO_JOB 0 # __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
+score DOS_STOCK_BAT 0 # __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
+score DOS_STOCK_BAT2 0 # DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
+score DOS_YOUR_PLACE 0 # (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
+score FORM_FRAUD 0 # (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
+score FORM_FRAUD_3 0 # (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
+score FREEMAIL_WFH_01 0 # __FREEMAIL_WFH_01
+score FREEM_FRNUM_UNICD_EMPTY 0 # __FREEM_FRNUM_UNICD_EMPTY
+score FRNAME_IN_MSG_XPRIO_NO_SUB 0 # (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS  && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
+score FROM_BANK_NOAUTH 0 # __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
+score FUZZY_MONERO 0 # __FUZZY_MONERO
+score GB_FORGED_MUA_POSTFIX 0 # ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
+score GOOGLE_DOCS_PHISH_MANY 0 # __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
+score GOOGLE_DRIVE_REPLY_BAD_NTLD 0 # __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
+score GOOG_REDIR_SHORT 0 # __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 
+score GOOG_STO_HTML_PHISH_MANY 0 # __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
+score GOOG_STO_IMG_HTML 0 # __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
+score HDR_ORDER_FTSDMCXX_001C 0 # (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
+score HDR_ORDER_FTSDMCXX_BAT 0 # (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
+score HOSTED_IMG_DQ_UNSUB 0 # __HOSTED_IMG_DQ_UNSUB
+score HTML_SINGLET_MANY 0 # __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP 
+score JM_TORA_XM 0 # (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
+score KB_DATE_CONTAINS_TAB 0 # __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB 
+score KB_FAKED_THE_BAT 0 # (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
+score KB_RATWARE_BOUNDARY 0 # __RATWARE_BOUND_A || __RATWARE_BOUND_B
+score KB_RATWARE_MSGID 0 # (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
+score KHOP_FAKE_EBAY 0 # __EBAY_ADDRESS && !__NOT_SPOOFED
+score KHOP_HELO_FCRDNS 0 # __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
+score LIST_PRTL_PUMPDUMP 0 # __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS 
+score LIST_PRTL_SAME_USER 0 # __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO 
+score LOTTERY_PH_004470 0 # (__AFF_004470_NUMBER && __AFF_LOTTERY)
+score LUCRATIVE 0 # ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
+score MALF_HTML_B64 0 # MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG 
+score MIXED_AREA_CASE 0 # __MIXED_AREA_CASE
+score MIXED_FONT_CASE 0 # __MIXED_FONT_CASE
+score MONERO_DEADLINE 0 # __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
+score MONERO_EXTORT_01 0 # __MONERO && __EXTORT_MANY
+score MONERO_MALWARE 0 # __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
+score MONERO_PAY_ME 0 # __MONERO && __PAY_ME && !MONERO_EXTORT_01
+score MSGID_DOLLARS_URI_IMG 0 # __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW 
+score NEWEGG_IMG_NOT_RCVD_NEGG 0 # __NEWEGG_IMG_NOT_RCVD_NEGG
+score PART_CID_STOCK 0 # (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
+score PART_CID_STOCK_LESS 0 # (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
+score PDS_HELO_SPF_FAIL 0 # SPF_HELO_FAIL && __HELO_HIGHPROFILE
+score PHISH_FBASEAPP 0 # __PHISH_FBASE_01
+score PHP_SCRIPT_MUA 0 # __HAS_PHP_SCRIPT && __PHP_NOVER_MUA 
+score POSSIBLE_APPLE_PHISH_02 0 # (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
+score POSSIBLE_EBAY_PHISH_02 0 # (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
+score POSSIBLE_PAYPAL_PHISH_01 0 # (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
+score POSSIBLE_PAYPAL_PHISH_02 0 # (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
+score PUMPDUMP_MULTI 0 # (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
+score PUMPDUMP_TIP 0 # __PD_CNT_1 && __STOCK_TIP
+score RAND_HEADER_MANY 0 # __RAND_HEADER_2
+score RCVD_DOTEDU_SUSP_URI 0 # __RCVD_DOTEDU_SUSP_URI
+score RDNS_NUM_TLD_ATCHNX 0 # __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
+score REPTO_419_FRAUD_AOL_LOOSE 0 # __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
+score REPTO_419_FRAUD_YH_LOOSE 0 # __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
+score SENDGRID_REDIR_PHISH 0 # __SENDGRID_REDIR_PHISH
+score SHORT_IMG_SUSP_NTLD 0 # __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
+score STOCK_IMG_HDR_FROM 0 # (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
+score STOCK_IMG_HTML 0 # (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
+score STOCK_PRICES 0 # (SHORT_TERM_PRICE && LONG_TERM_PRICE)
+score STOCK_TIP 0 # __STOCK_TIP && !__DKIM_EXISTS 
+score STOX_AND_PRICE 0 # CURR_PRICE && STOX_REPLY_TYPE
+score SYSADMIN 0 # __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS 
+score TBIRD_SUSP_MIME_BDRY 0 # __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
+score TEQF_USR_IMAGE 0 # __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH 
+score TEQF_USR_MSGID_HEX 0 # __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
+score TEQF_USR_MSGID_MALF 0 # __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 
+score TONLINE_FAKE_DKIM 0 # __HDR_RCVD_TONLINEDE && __DKIM_EXISTS 
+score TO_TOO_MANY_WFH_01 0 # __TO_TOO_MANY_WFH_01
+score TT_OBSCURED_VALIUM 0 # ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
+score TT_OBSCURED_VIAGRA 0 # ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
+score TVD_EB_PHISH 0 # __FROM_EBAY && NORMAL_HTTP_TO_IP
+score TVD_PP_PHISH 0 # __FROM_PAYPAL && NORMAL_HTTP_TO_IP
+score TVD_SPACE_RATIO_MINFP 0 # __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL 
+score TW_GIBBERISH_MANY 0 # __TENWORD_GIBBERISH > 20
+score T_DRUGS_ERECTILE_SHORT_SHORTNER 0 # __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE
+score T_FROMNAME_SPOOFED_EMAIL 0 # (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
+score T_OFFER_ONLY_AMERICA 0 # __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
+score T_PDS_FROM_2_EMAILS_SHRTNER 0 # __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
+score T_PDS_URISHRT_LOCALPART_SUBJ 0 # LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024
+score T_SENT_TO_EMAIL_ADDR 0 # __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
+score T_SUSPNTLD_EXPIRATION_EXTORT 0 # LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
+score T_XPRIO_URL_SHORTNER 0 # __XPRIO_MINFP && __URL_SHORTENER
+score USB_DRIVES 0 # __SUBJ_USB_DRIVES
+score VPS_NO_NTLD 0 # __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
+score XM_DIGITS_ONLY 0 # __XM_DIGITS_ONLY

kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3_sub.cf

@@ -0,0 +1,180 @@
+#Copyright (c) 2022 Kevin A. McGrail and the McGrail Foundation
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+meta __HAS_ORIGINALLY 0
+meta __AOL_IP 0
+meta __FRAUD_EZY 0
+meta __FRAUD_ZFJ 0
+meta __FRAUD_WDR 0
+meta __FRAUD_GBW 0
+meta __DRUGS_ERECTILE5 0
+meta __DRUGS_ERECTILE8 0
+meta __DRUGS_ERECTILE11 0
+meta __DRUGS_PAIN_VICO 0
+meta __DRUGS_PAIN_FIO 0
+meta __DRUGS_PAIN1 0
+meta __DRUGS_PAIN2 0
+meta __DRUGS_PAIN3 0
+meta __DRUGS_PAIN4 0
+meta __DRUGS_PAIN6 0
+meta __DRUGS_PAIN7 0
+meta __DRUGS_PAIN8 0
+meta __DRUGS_PAIN9 0
+meta __DRUGS_PAIN10 0
+meta __DRUGS_PAIN11 0
+meta __DRUGS_PAIN12 0
+meta __DRUGS_PAIN13 0
+meta __DRUGS_SLEEP3 0
+meta __DRUGS_SLEEP4 0
+meta __DRUGS_ANXIETY2 0
+meta __DRUGS_ANXIETY4 0
+meta __DRUGS_ANXIETY5 0
+meta __DRUGS_ANXIETY6 0
+meta __DRUGS_ANXIETY7 0
+meta __DRUGS_ANXIETY8 0
+meta __DRUGS_ANXIETY9 0
+meta __freemail_safe_rls 0
+meta __HAS_CGP_MAPI_IN_MAILER 0
+meta __USER_AGENT_MSN 0
+meta __GMD_PDF_DIMS 0
+meta __GMD_PDF_PRODUCERS 0
+meta __GMD_PDF_NO_TXT 0
+meta __HOTMAIL_BAYDAV_MSGID 0
+meta __IPLANET_MESSAGING_SERVER 0
+meta __SYMPATICO_MSGID 0
+meta __WACKY_SENDMAIL_VERSION 0
+meta __GROUPSIO_MSGID 0
+meta __HAS_XORIGMSGID 0
+meta __GROUPSIO_GATED 0
+meta __OE_MSGID_1 0
+meta __OUTLOOK_DOLLARS_OTHER 0
+meta __FMO_EXCL_O3416 0
+meta __FMO_EXCL_OE3790 0
+meta __EUDORA_MSGID 0
+meta __MIME_VERSION_APPLEMAIL 0
+meta __0_TZ_3 0
+meta __0_TZ_4 0
+meta __0_TZ_5 0
+meta __0_TZ_6 0
+meta __0_TZ_7 0
+meta __MAJORDOMO_SUBJ 0
+meta __MAJORDOMO_HELP_BODY 0
+meta __MAJORDOMO_HELP_BODY2 0
+meta __VBOUNCE_RAPPORT 0
+meta __ACCESS_REVOKE 0
+meta __ACCOUNT_SECURE 0
+meta __ACCOUNT_UPGRADE 0
+meta __ACH_CANCELLED_01 0
+meta __ACH_CANCELLED_02 0
+meta __ACH_CANCELLED_03 0
+meta __ACH_CANCELLED_04 0
+meta __AMADEUSMS_MUA 0
+meta __ATTN_MAIL_USER 0
+meta __BONUS_LAST_DAY 0
+meta __CR_IN_SUBJ 0
+meta __FAILED_LOGINS 0
+meta __FBI_FM_DOM 0
+meta __FBI_RCVD_DOM 0
+meta __FLASHMAIL_MUA 0
+meta __FORGED_TBIRD_IMG 0
+meta __FROM_DOM_ADMIN 0
+meta __HAS_LOGID 0
+meta __HAS_TRACKING_CODE 0
+meta __HAS_WON_01 0
+meta __HAS_X_EBSERVER 0
+meta __HDR_RCVD_ALIBABA 0
+meta __HDR_RCVD_AMAZON_HELO 0
+meta __HDR_RCVD_BEBEE 0
+meta __HDR_RCVD_KEEPA 0
+meta __HDR_RCVD_LINKEDIN 0
+meta __HDR_RCVD_NEWEGG 0
+meta __HDR_RCVD_TAGSTAT 0
+meta __HDR_RCVD_TARINGANET 0
+meta __HDR_RCVD_WALMART 0
+meta __HK_LOTTO_STAATS 0
+meta __HK_SCAM_N16 0
+meta __HK_SCAM_S25 0
+meta __LONG_INVIS_DIV 0
+meta __LOTTO_AGENT_02 0
+meta __LOTTO_VERIFY 0
+meta __LUNSUB_BEFORE_SUBJDT 0
+meta __MAILBOX_FULL_SE 0
+meta __MAIL_ACCT_ACCESS1 0
+meta __MAKE_XTRA_DOLLAR 0
+meta __MONERO_CURNCY 0
+meta __MONERO_ID 0
+meta __MSGID_HEX_UID 0
+meta __MTLANDROID_MUA 0
+meta __NOT_SCAM 0
+meta __PAXFUL 0
+meta __PDS_SEO2 0
+meta __PERFECT_BINARY 0
+meta __RCVD_ZIXMAIL 0
+meta __RECEIVE_BONUS 0
+meta __SMIME_MESSAGE 0
+meta __SUBJ_DOM_ADMIN 0
+meta __SUM_OF_FUND 0
+meta __TRAVEL_MANY 0
+meta __TRAVEL_PROFILE 0
+meta __TRAVEL_RESERV 0
+meta __TVD_PH_BODY_01 0
+meta __TVD_PH_BODY_02 0
+meta __TVD_PH_BODY_06 0
+meta __TVD_PH_BODY_07 0
+meta __TVD_PH_BODY_08 0
+meta __TVD_PH_SUBJ_00 0
+meta __TVD_PH_SUBJ_02 0
+meta __TVD_PH_SUBJ_04 0
+meta __TVD_PH_SUBJ_15 0
+meta __TVD_PH_SUBJ_17 0
+meta __TVD_PH_SUBJ_18 0
+meta __TVD_PH_SUBJ_31 0
+meta __TVD_PH_SUBJ_36 0
+meta __TVD_PH_SUBJ_39 0
+meta __TVD_PH_SUBJ_52 0
+meta __TVD_PH_SUBJ_54 0
+meta __TVD_PH_SUBJ_56 0
+meta __TVD_PH_SUBJ_58 0
+meta __TVD_PH_SUBJ_59 0
+meta __TVD_PH_SUBJ_ACCESS_POST 0
+meta __UA_GNUS 0
+meta __UA_KMAIL 0
+meta __UA_KNODE 0
+meta __UA_MSOEMAC 0
+meta __UA_MUTT 0
+meta __UA_OPERA7 0
+meta __UA_PAN 0
+meta __UA_XNEWS 0
+meta __VALIDATE_MBOX_SE 0
+meta __WE_PAID 0
+meta __WFH_01 0
+meta __XEROXWORKCTR_MUA 0
+meta __XM_ASPQMAIL 0
+meta __XM_BALSA 0
+meta __XM_CALYPSO 0
+meta __XM_FORTE 0
+meta __XM_GNUS 0
+meta __XM_MHE 0
+meta __XM_MOZ4 0
+meta __XM_OL_10_0_4115 0
+meta __XM_OL_28001441 0
+meta __XM_OL_48072300 0
+meta __XM_OL_4_72_2106_4 0
+meta __XM_SKYRI 0
+meta __XM_SYLPHEED 0
+meta __XM_VM 0
+meta __XM_WWWMAIL 0
+meta __XM_XIMEVOL 0
+meta __YOU_WON_04 0

kam-updates/kam_sa-channels_mcgrail_com/KAM_heavyweight.cf

@@ -0,0 +1,33 @@
+#https://raptor.pccc.com/free_spam_consultation.cgim
+
+#
+#Copyright (c) 2020 Kevin A. McGrail and the McGrail Foundation
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+
+# These use ~15% of scanning time for almost no yield
+meta    __FILL_THIS_FORM_SHORT2         0
+meta    __FILL_THIS_FORM_LONG2          0
+#score   KAM_ADVERT2                     0
+#meta   __KAM_ADDRESS1                  0
+#need to check KAM_BADNAME for impact as weell
+meta    __KAM_WEIGHT4                   0
+meta    __FILL_THIS_FORM_FRAUD_PHISH1   0
+meta    __KAM_SKIN3                     0
+meta    __KAM_DISH3                     0
+meta    __KAM_ALARM3                    0
+meta    __FILL_THIS_FORM_LOAN1          0
+
+#2019-05-01 Note 57981 - This rule can take 11-13 minutes to scan a 1MB js file
+#score	HIDE_WIN_STATUS			0

kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf

@@ -0,0 +1,747 @@
+ifplugin Mail::SpamAssassin::Plugin::DecodeShortURLs
+
+# Url shorteners list, shorteners included in KAM.cf
+# ruleset with lot of addictions
+
+url_shortener .app.link
+url_shortener .crezla.click
+url_shortener .dweb.link
+url_shortener .page.link
+url_shortener .short.gy
+url_shortener 0rz.tw
+url_shortener 1l2.us
+url_shortener 1link.in
+url_shortener 1u.ro
+url_shortener 1url.com
+url_shortener 2.gp
+url_shortener 2.ly
+url_shortener 2big.at
+url_shortener 2chap.it
+url_shortener 2pl.us
+url_shortener 2su.de
+url_shortener 2tu.us
+url_shortener 2ze.us
+url_shortener 3.ly
+url_shortener 301.to
+url_shortener 301url.com
+url_shortener 307.to
+url_shortener 4ms.me
+url_shortener 4sq.com
+url_shortener 4url.cc
+url_shortener 6url.com
+url_shortener 7.ly
+url_shortener 9mp.com
+url_shortener a.gd
+url_shortener a.gg
+url_shortener a.nf
+url_shortener a2a.me
+url_shortener a2n.eu
+url_shortener aa.cx
+url_shortener abbr.com
+url_shortener abcurl.net
+url_shortener abe5.com
+url_shortener access.im
+url_shortener ad.vu
+url_shortener adf.ly
+url_shortener adjix.com
+url_shortener afly.co
+url_shortener afx.cc
+url_shortener ai6.net
+url_shortener all.fuseurl.com
+url_shortener alturl.com
+url_shortener amzn.com
+url_shortener amzn.to
+url_shortener ar.gy
+url_shortener arm.in
+url_shortener arst.ch
+url_shortener asso.in
+url_shortener atu.ca
+url_shortener aurls.info
+url_shortener awe.sm
+url_shortener ayl.lv
+url_shortener azc.cc
+url_shortener azqq.com
+url_shortener b.link
+url_shortener b23.ru
+url_shortener b2l.me
+url_shortener b65.com
+url_shortener b65.us
+url_shortener bacn.me
+url_shortener bcool.bz
+url_shortener beam.to
+url_shortener bgl.me
+url_shortener binged.it
+url_shortener bit.do
+if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_get)
+  url_shortener_get bit.ly
+  url_shortener_get bitly.com
+endif
+url_shortener bizj.us
+url_shortener bkite.com
+url_shortener blippr.com
+url_shortener bloat.me
+url_shortener blu.cc
+url_shortener bon.no
+url_shortener bravo.ly
+url_shortener bsa.ly
+url_shortener bt.io
+url_shortener budurl.com
+url_shortener buff.ly
+url_shortener buk.me
+url_shortener burnurl.com
+url_shortener c-o.in
+url_shortener c.shamekh.ws
+url_shortener canurl.com
+url_shortener cd4.me
+url_shortener chilp.it
+url_shortener chopd.it
+url_shortener chpt.me
+url_shortener chs.mx
+url_shortener chzb.gr
+url_shortener cl.lk
+url_shortener cl.ly
+url_shortener clck.ru
+url_shortener cli.gs
+url_shortener cliccami.info
+url_shortener clickthru.ca
+url_shortener clipurl.us
+url_shortener clk.my
+url_shortener cloaky.de
+url_shortener clop.in
+url_shortener clp.ly
+url_shortener coge.la
+url_shortener cokeurl.com
+url_shortener conta.cc
+url_shortener cort.as
+url_shortener cot.ag
+url_shortener crks.me
+url_shortener crum.pl
+url_shortener ctvr.us
+url_shortener curio.us
+url_shortener cuthut.com
+url_shortener cutt.us
+url_shortener cutt.ly
+url_shortener cuturl.com
+url_shortener cuturls.com
+url_shortener dai.ly
+url_shortener db.tt
+url_shortener dealspl.us
+url_shortener decenturl.com
+url_shortener df9.net
+url_shortener dfl8.me
+url_shortener digbig.com
+url_shortener digg.com
+url_shortener digipills.com
+url_shortener digs.by
+url_shortener disq.us
+url_shortener dld.bz
+url_shortener dlvr.it
+url_shortener dn.vc
+url_shortener do.my
+url_shortener doi.org
+url_shortener doiop.com
+url_shortener dopen.us
+url_shortener dr.tl
+url_shortener drudge.tw
+url_shortener durl.me
+url_shortener durl.us
+url_shortener dvlr.it
+url_shortener dwarfurl.com
+url_shortener easyuri.com
+url_shortener easyurl.net
+url_shortener eca.sh
+url_shortener eclurl.com
+url_shortener eepurl.com
+url_shortener eezurl.com
+url_shortener emlnk.com
+url_shortener eweri.com
+url_shortener ewerl.com
+url_shortener ezurl.eu
+url_shortener fa.by
+url_shortener faceto.us
+url_shortener fastredirected.ru
+url_shortener fav.me
+url_shortener fb.me
+url_shortener fbshare.me
+url_shortener ff.im
+url_shortener fff.to
+url_shortener fhurl.com
+url_shortener fire.to
+url_shortener firsturl.de
+url_shortener firsturl.net
+url_shortener flic.kr
+url_shortener flingk.com
+url_shortener flq.us
+url_shortener fly2.ws
+url_shortener fon.gs
+url_shortener foxyurl.com
+url_shortener freak.to
+url_shortener fur.ly
+url_shortener fuseurl.com
+url_shortener fuzzy.to
+url_shortener fwd4.me
+url_shortener fwdurl.net
+url_shortener fwib.net
+url_shortener g.ro.lt
+url_shortener g8l.us
+url_shortener get-shorty.com
+url_shortener get-url.com
+url_shortener get.sh
+url_shortener geturl.us
+url_shortener gg.gg
+url_shortener gi.vc
+url_shortener gizmo.do
+url_shortener gkurl.us
+url_shortener gl.am
+url_shortener go.9nl.com
+url_shortener go.ign.com
+url_shortener go.to
+url_shortener go.usa.gov
+url_shortener go2.me
+url_shortener gog.li
+url_shortener golmao.com
+url_shortener goo.gl
+url_shortener good.ly
+url_shortener goolnk.com
+url_shortener goshrink.com
+url_shortener gplus.to
+url_shortener gri.ms
+url_shortener gurl.es
+url_shortener hao.jp
+url_shortener hellotxt.com
+url_shortener hex.io
+url_shortener hiderefer.com
+url_shortener hmm.ph
+url_shortener hop.im
+url_shortener hopclicks.com
+url_shortener hotredirect.com
+url_shortener hotshorturl.com
+url_shortener href.in
+url_shortener hsblinks.com
+url_shortener ht.ly
+url_shortener htxt.it
+url_shortener hub.am
+url_shortener huff.to
+url_shortener hugeurl.com
+url_shortener hulu.com
+url_shortener hurl.it
+url_shortener hurl.me
+url_shortener hurl.no
+url_shortener hurl.ws
+url_shortener icanhaz.com
+url_shortener icio.us
+url_shortener idek.net
+url_shortener ikr.me
+url_shortener ilix.in
+url_shortener inx.lv
+url_shortener ir.pe
+url_shortener irt.me
+url_shortener is.gd
+url_shortener iscool.net
+url_shortener it2.in
+url_shortener ito.mx
+url_shortener its.my
+url_shortener itsy.it
+url_shortener ix.lt
+url_shortener j.mp
+url_shortener j2j.de
+url_shortener jdem.cz
+url_shortener jijr.com
+url_shortener just.as
+url_shortener k.vu
+url_shortener k6.kz
+url_shortener ketkp.in
+url_shortener kisa.ch
+url_shortener kissa.be
+url_shortener kl.am
+url_shortener klck.me
+url_shortener kore.us
+url_shortener korta.nu
+url_shortener kots.nu
+url_shortener krunchd.com
+url_shortener krz.ch
+url_shortener ktzr.us
+url_shortener kxk.me
+url_shortener l.bestsellers.to
+url_shortener l.hh.de
+url_shortener l.pr
+url_shortener l9k.net
+url_shortener lat.ms
+url_shortener liip.to
+url_shortener liltext.com
+url_shortener lin.cr
+url_shortener lin.io
+url_shortener linkbee.com
+url_shortener linkbun.ch
+url_shortener linkee.com
+url_shortener linkgap.com
+url_shortener linkslice.com
+url_shortener linktr.ee
+url_shortener linxfix.de
+url_shortener liteurl.net
+url_shortener liurl.cn
+url_shortener livesi.de
+url_shortener lix.in
+url_shortener lk.ht
+url_shortener ln-s.net
+url_shortener ln-s.ru
+url_shortener lnk.by
+url_shortener lnk.gd
+url_shortener lnk.in
+url_shortener lnk.ly
+url_shortener lnk.ms
+url_shortener lnk.sk
+url_shortener lnkd.in
+url_shortener lnkurl.com
+url_shortener loopt.us
+url_shortener lost.in
+url_shortener lru.jp
+url_shortener lt.tl
+url_shortener lu.to
+url_shortener lukora.cz
+url_shortener lurl.no
+url_shortener macte.ch
+url_shortener mash.to
+url_shortener mavrev.com
+url_shortener mcaf.ee
+url_shortener memurl.com
+url_shortener merky.de
+url_shortener metamark.net
+url_shortener migre.me
+url_shortener min2.me
+url_shortener minilien.com
+url_shortener minilink.org
+url_shortener miniurl.com
+url_shortener minurl.fr
+url_shortener mke.me
+url_shortener moby.to
+url_shortener moourl.com
+url_shortener mrte.ch
+url_shortener msg.sg
+url_shortener murl.kz
+url_shortener mv2.me
+url_shortener myloc.me
+url_shortener mysp.in
+url_shortener myurl.in
+url_shortener myurl.si
+url_shortener n.pr
+url_shortener nanoref.com
+url_shortener nanourl.se
+url_shortener nbc.co
+url_shortener nblo.gs
+url_shortener nbx.ch
+url_shortener ncane.com
+url_shortener ndurl.com
+url_shortener ne1.net
+url_shortener netnet.me
+url_shortener netshortcut.com
+url_shortener ni.to
+url_shortener nig.gr
+url_shortener nm.ly
+url_shortener nn.nf
+url_shortener not.my
+url_shortener notlong.com
+url_shortener nsfw.in
+url_shortener nutshellurl.com
+url_shortener nxy.in
+url_shortener nyti.ms
+url_shortener o-x.fr
+url_shortener o.ly
+url_shortener oboeyasui.com
+url_shortener oc1.us
+url_shortener offur.com
+url_shortener ofl.me
+url_shortener om.ly
+url_shortener omf.gd
+url_shortener omoikane.net
+url_shortener on.cnn.com
+url_shortener on.mktw.net
+url_shortener onecent.us
+url_shortener onforb.es
+url_shortener onion.com
+url_shortener onsaas.info
+url_shortener ooqx.com
+url_shortener oreil.ly
+url_shortener orz.se
+url_shortener ow.ly
+url_shortener oxyz.info
+url_shortener p.ly
+url_shortener p8g.tw
+url_shortener parv.us
+url_shortener paulding.net
+url_shortener pduda.mobi
+url_shortener peaurl.com
+url_shortener pendek.in
+url_shortener pep.si
+url_shortener pic.gd
+url_shortener piko.me
+url_shortener ping.fm
+url_shortener piurl.com
+url_shortener pli.gs
+url_shortener plumurl.com
+url_shortener plurl.me
+url_shortener pnt.me
+url_shortener politi.co
+url_shortener poll.fm
+url_shortener pop.ly
+url_shortener poprl.com
+url_shortener post.ly
+url_shortener posted.at
+url_shortener pp.gg
+url_shortener profile.to
+url_shortener pt2.me
+url_shortener ptiturl.com
+url_shortener pub.vitrue.com
+url_shortener puke.it
+url_shortener pysper.com
+url_shortener qik.li
+url_shortener qlnk.net
+url_shortener qoiob.com
+url_shortener qr.cx
+url_shortener qte.me
+url_shortener qu.tc
+url_shortener quickurl.co.uk
+url_shortener qurl.com
+url_shortener qurlyq.com
+url_shortener quu.nu
+url_shortener qux.in
+url_shortener qy.fi
+url_shortener r.im
+url_shortener rb.gy
+url_shortener rb6.me
+url_shortener rde.me
+url_shortener read.bi
+url_shortener readthis.ca
+url_shortener reallytinyurl.com
+url_shortener rebrand.ly
+url_shortener redir.ec
+url_shortener redirects.ca
+url_shortener redirx.com
+url_shortener relyt.us
+url_shortener retwt.me
+url_shortener ri.ms
+url_shortener rickroll.it
+url_shortener rivva.de
+url_shortener riz.gd
+url_shortener rly.cc
+url_shortener rnk.me
+url_shortener rsmonkey.com
+url_shortener rt.nu
+url_shortener ru.ly
+url_shortener rubyurl.com
+url_shortener rurl.org
+url_shortener rww.tw
+url_shortener s.free.fr
+url_shortener s.gnoss.us
+url_shortener s.id
+url_shortener s3nt.com
+url_shortener s4c.in
+url_shortener s7y.us
+url_shortener safe.mn
+url_shortener safelinks.ru
+url_shortener sai.ly
+url_shortener sameurl.com
+url_shortener sdut.us
+url_shortener sed.cx
+url_shortener sfu.ca
+url_shortener shadyurl.com
+url_shortener shar.es
+url_shortener shim.net
+url_shortener shink.de
+url_shortener shorl.com
+url_shortener short.ie
+url_shortener short.to
+url_shortener shorten.ws
+url_shortener shortenurl.com
+url_shortener shorterlink.com
+url_shortener shortio.com
+url_shortener shortlinks.co.uk
+url_shortener shortly.nl
+url_shortener shortn.me
+url_shortener shortna.me
+url_shortener shortr.me
+url_shortener shorturl.com
+url_shortener shortz.me
+url_shortener shoturl.us
+url_shortener shout.to
+url_shortener show.my
+url_shortener shredu
+url_shortener shredurl.com
+url_shortener shrinkify.com
+url_shortener shrinkr.com
+url_shortener shrinkster.com
+url_shortener shrinkurl.us
+url_shortener shrt.fr
+url_shortener shrt.st
+url_shortener shrt.ws
+url_shortener shrten.com
+url_shortener shrtl.com
+url_shortener shrtn.com
+url_shortener shrtnd.com
+url_shortener shrunkin.com
+url_shortener shurl.net
+url_shortener shw.me
+url_shortener simurl.com
+url_shortener simurl.net
+url_shortener simurl.org
+url_shortener simurl.us
+url_shortener sitelutions.com
+url_shortener siteo.us
+url_shortener sl.ly
+url_shortener slate.me
+url_shortener slidesha.re
+url_shortener slki.ru
+url_shortener smallr.com
+url_shortener smallr.net
+url_shortener smarturl.it
+url_shortener smfu.in
+url_shortener smsh.me
+url_shortener smurl.com
+url_shortener smurl.name
+url_shortener sn.im
+url_shortener sn.vc
+url_shortener snadr.it
+url_shortener snip.ly
+url_shortener snipie.com
+url_shortener snipr.com
+url_shortener snipurl.com
+url_shortener snkr.me
+url_shortener snurl.com
+url_shortener soo.gd
+url_shortener song.ly
+url_shortener sp2.ro
+url_shortener spedr.com
+url_shortener sqze.it
+url_shortener srnk.net
+url_shortener srs.li
+url_shortener starturl.com
+url_shortener stickurl.com
+url_shortener stpmvt.com
+url_shortener sturly.com
+url_shortener swiy.io
+url_shortener su.pr
+url_shortener surl.co.uk
+url_shortener surl.hu
+url_shortener surl.it
+url_shortener t.cn
+url_shortener t.co
+url_shortener t.lh.com
+url_shortener ta.gd
+url_shortener takemyfile.com
+url_shortener tbd.ly
+url_shortener tcrn.ch
+url_shortener tgr.me
+url_shortener tgr.ph
+url_shortener th8.us
+url_shortener thecow.me
+url_shortener thrdl.es
+url_shortener tighturl.com
+url_shortener timesurl.at
+url_shortener tini.us
+url_shortener tiniuri.com
+url_shortener tiny.cc
+url_shortener tiny.ly
+url_shortener tiny.pl
+url_shortener tinyarro.ws
+url_shortener tinylink.com
+url_shortener tinylink.in
+url_shortener tinypl.us
+url_shortener tinysong.com
+url_shortener tinytw.it
+url_shortener tinyuri.ca
+url_shortener tinyurl.com
+url_shortener tk.
+url_shortener tl.gd
+url_shortener tllg.net
+url_shortener tmi.me
+url_shortener tncr.ws
+url_shortener tnij.org
+url_shortener tnw.to
+url_shortener tny.com
+url_shortener to.
+url_shortener to.je
+url_shortener to.ly
+url_shortener to.vg
+url_shortener togoto.us
+url_shortener totc.us
+url_shortener toysr.us
+url_shortener tpm.ly
+url_shortener tr.im
+url_shortener tr.my
+url_shortener tra.kz
+url_shortener traceurl.com
+url_shortener trackurl.it
+url_shortener trcb.me
+url_shortener trg.li
+url_shortener trib.al
+url_shortener trick.ly
+url_shortener trii.us
+url_shortener trim.li
+url_shortener trumpink.lt
+url_shortener trunc.it
+url_shortener truncurl.com
+url_shortener tsort.us
+url_shortener tubeurl.com
+url_shortener turo.us
+url_shortener tw0.us
+url_shortener tw1.us
+url_shortener tw2.us
+url_shortener tw5.us
+url_shortener tw6.us
+url_shortener tw8.us
+url_shortener tw9.us
+url_shortener twa.lk
+url_shortener tweet.me
+url_shortener tweetburner.com
+url_shortener tweetl.com
+url_shortener twhub.com
+url_shortener twi.gy
+url_shortener twip.us
+url_shortener twirl.at
+url_shortener twit.ac
+url_shortener twitclicks.com
+url_shortener twitterurl.net
+url_shortener twitterurl.org
+url_shortener twitthis.com
+url_shortener twittu.ms
+url_shortener twiturl.de
+url_shortener twitzap.com
+url_shortener twlv.net
+url_shortener twtr.us
+url_shortener twurl.cc
+url_shortener twurl.nl
+url_shortener u.mavrev.com
+url_shortener u.nu
+url_shortener u76.org
+url_shortener ub0.cc
+url_shortener uiop.me
+url_shortener ulimit.com
+url_shortener ulu.lu
+url_shortener unfaker.it
+url_shortener updating.me
+url_shortener ur.ly
+url_shortener ur1.ca
+url_shortener urizy.com
+url_shortener url.ag
+url_shortener url.az
+url_shortener url.co.uk
+url_shortener url.go.it
+url_shortener url.ie
+url_shortener url.inc-x.eu
+url_shortener url.lotpatrol.com
+url_shortener url360.me
+url_shortener url4.eu
+url_shortener urlao.com
+url_shortener urlbee.com
+url_shortener urlborg.com
+url_shortener urlbrief.com
+url_shortener urlcorta.es
+url_shortener urlcover.com
+url_shortener urlcut.com
+url_shortener urlcutter.com
+url_shortener urlday.cc
+url_shortener urlenco.de
+url_shortener urlg.info
+url_shortener urlhawk.com
+url_shortener urli.nl
+url_shortener urlin.it
+url_shortener urlkiss.com
+url_shortener urloo.com
+url_shortener urlpire.com
+url_shortener urls.im
+url_shortener urlshorteningservicefortwitter.com
+url_shortener urltea.com
+url_shortener urlu.ms
+url_shortener urlvi.b
+url_shortener urlvi.be
+url_shortener urlx.ie
+url_shortener urlz.at
+url_shortener urlzen.com
+url_shortener usat.ly
+url_shortener use.my
+url_shortener uservoice.com
+url_shortener ustre.am
+url_shortener vado.it
+url_shortener vb.ly
+url_shortener vdirect.com
+url_shortener vgn.am
+url_shortener vi.ly
+url_shortener viigo.im
+url_shortener virl.com
+url_shortener vl.am
+url_shortener vm.lc
+url_shortener voizle.com
+url_shortener vtc.es
+url_shortener w0r.me
+url_shortener w33.us
+url_shortener w34.us
+url_shortener w3t.org
+url_shortener w55.de
+url_shortener wa9.la
+url_shortener wapo.st
+url_shortener wapurl.co.uk
+url_shortener webalias.com
+url_shortener welcome.to
+url_shortener wh.gov
+url_shortener widg.me
+url_shortener wipi.es
+url_shortener wkrg.com
+url_shortener woo.ly
+url_shortener wp.me
+url_shortener x.co
+url_shortener x.hypem.com
+url_shortener x.se
+url_shortener x.vu
+url_shortener xeeurl.com
+url_shortener xil.in
+url_shortener xlurl.de
+url_shortener xn--1ci.ws
+url_shortener xn--3fi.ws
+url_shortener xn--5gi.ws
+url_shortener xn--9gi.ws
+url_shortener xn--bih.ws
+url_shortener xn--cwg.ws
+url_shortener xn--egi.ws
+url_shortener xn--fwg.ws
+url_shortener xn--hgi.ws
+url_shortener xn--l3h.ws
+url_shortener xn--odi.ws
+url_shortener xn--ogi.ws
+url_shortener xn--rei.ws
+url_shortener xn--vgi.ws
+url_shortener xoxourl.com
+url_shortener xr.com
+url_shortener xrl.in
+url_shortener xrl.us
+url_shortener xrt.me
+url_shortener xurl.es
+url_shortener xurl.jp
+url_shortener xxsurl.de
+url_shortener xzb.cc
+url_shortener y.ahoo.it
+url_shortener yatuc.com
+url_shortener ye-s.com
+url_shortener ye.pe
+url_shortener yep.it
+url_shortener yfrog.com
+url_shortener yhoo.it
+url_shortener yiyd.com
+url_shortener youtu.be
+url_shortener yuarel.com
+url_shortener z.pe
+url_shortener z0p.de
+url_shortener zapt.in
+url_shortener zi.ma
+url_shortener zi.me
+url_shortener zi.mu
+url_shortener zi.pe
+url_shortener zip.li
+url_shortener zipmyurl.com
+url_shortener zite.to
+url_shortener zootit.com
+url_shortener zud.me
+url_shortener zurl.ws
+url_shortener zz.gd
+url_shortener zzang.kr
+
+endif

kam-updates/kam_sa-channels_mcgrail_com/nonKAMrules.cf

@@ -0,0 +1,408 @@
+#FROM SA/MD/SARE LISTS - All consider public domain or fair use.
+
+#BY Warren Sallade" <warren.sallade@ewgateway.org> for Drug Spams
+
+#DISABLING DUE TO FALSE POSITIVES 2021-09-14
+rawbody   __EWG_BAD34 />\s{0,3}V\s{0,3}</i
+rawbody   __EWG_BAD35 />\s{0,3}I\s{0,3}</i
+rawbody   __EWG_BAD36 />\s{0,3}A\s{0,3}</i
+rawbody   __EWG_BAD37 />\s{0,3}G\s{0,3}</i
+rawbody   __EWG_BAD38 />\s{0,3}R\s{0,3}</i
+rawbody   __EWG_BAD39 />\s{0,3}A\s{0,3}</i
+meta  	 EWG_VIAGRA ((__EWG_BAD34 + __EWG_BAD35 + __EWG_BAD36 + __EWG_BAD37 + __EWG_BAD38 + __EWG_BAD39) > 5) 
+describe EWG_VIAGRA Viagra Obfuscation SPAM
+score  	 EWG_VIAGRA 1.0
+
+rawbody   __EWG_BAD41 />\s{0,3}C\s{0,3}</i
+rawbody   __EWG_BAD42 />\s{0,3}I\s{0,3}</i
+rawbody   __EWG_BAD43 />\s{0,3}A\s{0,3}</i
+rawbody   __EWG_BAD44 />\s{0,3}L\s{0,3}</i
+rawbody   __EWG_BAD45 />\s{0,3}I\s{0,3}</i
+rawbody   __EWG_BAD46 />\s{0,3}S\s{0,3}</i
+meta   	EWG_CIALIS ((__EWG_BAD41 + __EWG_BAD42 + __EWG_BAD43 + __EWG_BAD44 + __EWG_BAD45 + __EWG_BAD46) > 5)
+describe EWG_CIALIS Cialis Obfuscation spam
+score   EWG_CIALIS 1.0
+
+rawbody   __EWG_BAD48 />\s{0,3}V\s{0,3}</i
+rawbody   __EWG_BAD49 />\s{0,3}A\s{0,3}</i
+rawbody   __EWG_BAD50 />\s{0,3}L\s{0,3}</i
+rawbody   __EWG_BAD51 />\s{0,3}I\s{0,3}</i
+rawbody   __EWG_BAD52 />\s{0,3}U\s{0,3}</i
+rawbody   __EWG_BAD53 />\s{0,3}M\s{0,3}</i
+meta   	EWG_VALIUM ((__EWG_BAD48 + __EWG_BAD49 + __EWG_BAD50 + __EWG_BAD51 + __EWG_BAD52 + __EWG_BAD53) > 5)
+describe EWG_VALIUM Valium Obfuscation Spam
+score   EWG_VALIUM 1.000
+
+#FOR CURRENT RND_UC_CHAR SPAMS
+header SUBJ_RND_UC_CHAR_L       Subject =~ /\%RND_UC_CHAR/
+describe SUBJ_RND_UC_CHAR_L     Subject contains literal RND_UC_CHAR tag
+score SUBJ_RND_UC_CHAR_L        5.0
+
+header SUBJ_RND_UC_CHAR         Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
+describe SUBJ_RND_UC_CHAR       Subject fits RND_UC_CHAR pattern
+score SUBJ_RND_UC_CHAR          1.0
+
+uri         PHARMACOURT_BIZ 	/\b(?:pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i
+describe    PHARMACOURT_BIZ 	Includes a link to spammer www.pharmacourt.biz
+score       PHARMACOURT_BIZ 	3.0
+
+#meta        HABEAS_VIOLATOR_LOCAL   (!HABEAS_VIOLATOR && PHARMACOURT_BIZ && HABEAS_SWE)
+#describe    HABEAS_VIOLATOR_LOCAL   Spammer known to abuse Habeas mark
+#score       HABEAS_VIOLATOR_LOCAL   16.0
+
+rawbody     UAH_VIAGRA_IMAGE 	/^<center><\!--[a-zA-Z0-9]{10,20}--><a href=.+><img src=.+\/[a-z][1-9]\.gif\" border=0><\/a><\/center>$/i
+describe    UAH_VIAGRA_IMAGE	Viagra Image
+score	    UAH_VIAGRA_IMAGE    3.0
+
+
+#INVALID QMAIL 
+header  	GERMANSPAM MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
+describe        GERMANSPAM Contains German Spam / Invalid Qmail Message ID
+score           GERMANSPAM 3.0
+
+#GOOGLE Who really uses the "I'm Feeling Lucky" button anyway? by John Wilcock
+uri      local_GOOGLE_LUCKY /(?:\bgoogle\b).+(?:&btnI=)/i
+describe local_GOOGLE_LUCKY Redirect through Google Feeling Lucky
+score    local_GOOGLE_LUCKY 2.0
+
+#ZD.NET's OPEN REDIR by Raymond Dijkxhoorn
+uri PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
+score PROLO_REDIR_ZDNET_CHECK_1  8.0
+describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
+
+#TINYTEXT by Jonathan Maliepaard <jon@enetworks.co.za>
+#describe TINY_TEXT_1              Body includes very small html text 
+#rawbody TINY_TEXT_1              /FONT-SIZE: (?:1|1.5|2|2.5|3)px/i
+#score TINY_TEXT_1                  1.5
+
+#describe TINY_TEXT_2              Body includes very small html text 
+#rawbody TINY_TEXT_2              /FONT-SIZE: (?:1|1.5|2|2.5|3)\;/i
+#score TINY_TEXT_2                  1.5
+
+
+#HABEAS MARK TOO OFTEN FORGED
+#REMOVED FOR 3.0SA #score HABEAS_SWE 0.0
+
+#patch to MS Outlook 2003 has changed the headers
+#REMOVED FOR 3.0SA #score   FORGED_MUA_OUTLOOK 0.00
+
+#SCORE ADJUSTMENTS
+#REMOVED FOR 3.0SA #score   RCVD_IN_NJABL_DIALUP    1.5
+#REMOVED FOR 3.0SA #score   RCVD_IN_DYNABLOCK       1.0
+#REMOVED FROM RULES score DNS_FROM_OPENWHOIS		2.0
+
+#
+# Abusive public hosting Raymond Dijkxhoorn
+#
+
+uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/.*uk\.geocities\.com\//
+score PROLO_PUBWEB_UKGEO_CHECK1  5.0
+describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body
+
+uri PROLO_PUBWEB_ITGEO_CHECK1 /^http:\/\/.*it\.geocities\.com\//
+score PROLO_PUBWEB_ITGEO_CHECK1  5.0
+describe PROLO_PUBWEB_ITGEO_CHECK1 PROLO_PUBWEB_ITGEO_CHECK1, Body
+
+uri PROLO_PUBWEB_WWWGEO_CHECK1 /^http:\/\/.*www\.geocities\.com\//
+score PROLO_PUBWEB_WWWGEO_CHECK1  5.0
+describe PROLO_PUBWEB_WWWGEO_CHECK1 PROLO_PUBWEB_WWWGEO_CHECK1, Body
+
+uri PROLO_HOSTING_PROHOSTING_CHK1 /^http:\/\/.*prohosting\.com\//
+score PROLO_HOSTING_PROHOSTING_CHK1  5.0
+describe PROLO_HOSTING_PROHOSTING_CHK1 PROLO_HOSTING_PROHOSTING_CHK1, Body
+
+uri PROLO_HOSTING_XTHOST_CHK1 /^http:\/\/.*xthost\.info\//
+score PROLO_HOSTING_XTHOST_CHK1  5.0
+describe PROLO_HOSTING_XTHOST_CHK1 PROLO_HOSTING_XTHOST_CHK1, Body
+
+uri PROLO_HOSTING_NET4FREE_CHK1 /^http:\/\/.*net4free\.org\//
+score PROLO_HOSTING_NET4FREE_CHK1  5.0
+describe PROLO_HOSTING_NET4FREE_CHK1 PROLO_HOSTING_NET4FREE_CHK1, Body
+
+#Raymond's SA Rules for Tripod Spams from Leo
+body            PROLO_LEO1              /85\,45|1\,21/
+body            PROLO_LEO2              /69\,95|3\,33/
+body            PROLO_LEO3              /99\,95|3\,75/
+uri             PROLO_LEO4              /http:\/\/.*\.tripod\.com/
+meta            PROLO_LEO_M1           (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)
+
+score           PROLO_LEO1             0.1
+score           PROLO_LEO2             0.1
+score           PROLO_LEO3             0.1
+score           PROLO_LEO4             0.1
+score           PROLO_LEO_M1           8
+
+describe        PROLO_LEO1             Meta Catches all Leo drug variations so far
+describe        PROLO_LEO2             Meta Catches all Leo drug variations so far
+describe        PROLO_LEO3             Meta Catches all Leo drug variations so far
+describe        PROLO_LEO4             Meta to catch Leo now using Tripod
+describe        PROLO_LEO_M1           Catches all Leo drug variations so far
+
+#JUNK SCORES TO RECREATE ROUNDING BUG
+#score		RDNS_NONE		0.0
+#header		TEMP			Received =~ /64.18.1.27/
+#score		TEMP			-0.5
+#score           KAM_LIVE         0.0
+
+#DFS Rule for Warning: Malformed MIME virus in the wild 10-10-2013
+full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
+full     __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
+meta	 RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
+describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header
+score	 RP_ZIP_ECTYP 15
+
+#AXB TEXTAREA
+rawbody 	__AXB_RAW_TXTRO1	/\<textarea name\=\"textmain\" readonly\=\"readonly\" style\=\"width\:/
+rawbody         __AXB_RAW_TXTRO2   	/\<textarea readonly\=\"readonly\" name\=\"textmain\" style\=\"width\:/
+meta		AXB_RAW_TXTRO		(__AXB_RAW_TXTRO1 + __AXB_RAW_TXTRO2 >= 2)
+describe	AXB_RAW_TXTRO		R/O Textarea
+score		AXB_RAW_TXTRO		5.0
+
+##########################################################################
+# - Find messages with eight or more html break characters in it.
+# - From: Kevin Miller <Kevin_Miller@ci.juneau.ak.us>
+##########################################################################
+
+# HTML <BR>
+rawbody   __CBJ_GiveMeABreak1      /(?:<\/?br ?\/?>[\s\r\n]{0,4}){8}/mi
+
+# NEWLINES - DISABLED
+rawbody   __CBJ_GiveMeABreak2      /(?:[\r\n]){8}/mi
+
+# EMPTY TABLE ROWS
+rawbody   __CBJ_GiveMeABreak3      /(?:<tr><td><\/td><\/tr>[\r\n]{0,4}){4}/mi
+
+# EMPTY PARAGRAPHS
+rawbody   __CBJ_GiveMeABreak4      /(?:<p[^>]*>&nbsp;<\/p>\s*){4}|(?:<div[^>]*>&nbsp;<\/div>\s*){4}/mi
+
+meta      CBJ_GiveMeABreak      (__CBJ_GiveMeABreak1 + __CBJ_GiveMeABreak3 + __CBJ_GiveMeABreak4 >= 1)
+describe  CBJ_GiveMeABreak      Messages with consecutive break characters
+score     CBJ_GiveMeABreak      1.75
+
+# FIX FOR THE FAILURE THAT IS OUTLOOK
+meta  MSGID_MULTIPLE_AT_OUTLOOK  (MSGID_MULTIPLE_AT && __ANY_OUTLOOK_MUA && !MSGID_OUTLOOK_INVALID)
+score MSGID_MULTIPLE_AT_OUTLOOK  -1.00
+describe MSGID_MULTIPLE_AT_OUTLOOK Undo MSGID_MULTIPLE_AT for Outlook MUAs that fail at standards
+
+# SPAM THAT SAYS IT IS SPAM
+header   AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
+describe AXB_X_FF_SEZ_S Forefront says this is spam
+score    AXB_X_FF_SEZ_S 1.5
+
+# HACKED WORDPRESS SITES
+uri        __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is
+uri        __RP_D_00069_2 /\/wp-includes\/.*\.php/is
+meta       RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2
+describe   RP_D_00069 Contains URL that may point to hacked WordPress site
+score      RP_D_00069 1.2
+
+#lowering score on this rule from 1.5 to 1.2 and the stock URI_WP_HACKED_2 to 2.1
+score	   URI_WP_HACKED_2   2.1
+
+# from John Hardin <jhardin@impsec.org>
+# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
+header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{5,}):\s+(?:\d{3,}[-\.][0-9a-f]{6,}|\d{6,}(?:[-\.]\d{2,5})?|[0-9a-f]{30,})$/ism
+tflags    __RAND_HEADER                multiple maxhits=5
+meta      RAND_HEADER_MANY             __RAND_HEADER > 4
+describe  RAND_HEADER_MANY             Many random gibberish message headers
+score     RAND_HEADER_MANY             1.500   # limit
+
+
+uri    AXB_URI_MLW_DROPBOX    /\/(dropbox|googlebox)\/(document|doc|invoice)\.php$/
+score  AXB_URI_MLW_DROPBOX    100
+
+# from axb - the .link tld is completely useless and spam-ridden
+# FP from 2017-09-12 removed
+if (version >= 3.004000)
+  #blacklist_uri_host link
+endif
+
+# COSTCO SPAM RULE FROM DIANNE F SKOLL
+uri        __RP_D_00081_1 /\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}/
+header     __RP_D_00081_2 Subject =~ /\b(?:order|buying)\b/i
+meta       RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2
+describe   RP_D_00081 Link to malware
+score      RP_D_00081 3.5
+
+# MORE AXB - PENDING BUG 4691
+#rawbody  MINIMAL_PAGE_128 	/\<HTML\>\<BODY\>\<\/BODY\>\<\/HTML\>/
+#range    MINIMAL_PAGE_128        byte 0:128
+#score    MINIMAL_PAGE_128        5.0
+
+#fast_body       PILLS_VIAGRA     /Blue pill and all popular Meds/
+#score           PILLS_VIAGRA     5.0
+
+#NOTE 53548 - TESTING JUNKEMAIL FILTER CHECK - TESTING WITH RULES 1/2 OF DOCUMENTED
+header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
+describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
+tflags __RCVD_IN_HOSTKARMA net
+ 
+header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
+describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
+tflags RCVD_IN_HOSTKARMA_W net nice
+score RCVD_IN_HOSTKARMA_W -2.5
+ 
+header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
+describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
+tflags RCVD_IN_HOSTKARMA_BL net
+score RCVD_IN_HOSTKARMA_BL 1.5
+ 
+header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
+describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
+tflags RCVD_IN_HOSTKARMA_BR net
+score RCVD_IN_HOSTKARMA_BR 0.5
+
+#Steadramon's bogus SPF rules  - https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7099 
+ifplugin Mail::SpamAssassin::Plugin::AskDNS
+  askdns PDS_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\+all$/
+  describe PDS_SPF_ALL SPF set to +all!
+  score PDS_SPF_ALL 4.5
+
+  askdns PDS_SPF_NONE _SENDERDOMAIN_ TXT /^v=spf1 \-all$/
+  describe PDS_SPF_NONE No IP is supposed to send email for this domain!
+  score PDS_SPF_NONE 3.5
+
+  askdns PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
+  describe PDS_SPF_ONLYALL SPF only +all - very lazy
+  score PDS_SPF_ONLYALL 4.5
+endif
+
+# FROM DFS
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+mimeheader RP_D_00086 Content-Disposition =~ /SecureMessage\.chm/
+score      RP_D_00086 50
+describe   RP_D_00086 SecureMessage.chm malware
+endif
+
+# FROM BENNY PEDERSEN
+# sig of fill space to possible drop scanning if clients have very low
+# size on how much thay send to spamassassin in size
+
+rawbody POISEN_SPAM_PILL_1 /\ \/[a-zA-Z0-9]{5}/i
+tflags POISEN_SPAM_PILL_1 multiple maxhits=1
+describe POISEN_SPAM_PILL_1 random spam to be learned in bayes
+score POISEN_SPAM_PILL_1 0.1 0.1 0.1 0.1
+
+rawbody POISEN_SPAM_PILL_2 /\ \/\/[a-zA-Z0-9]{5}/i
+tflags POISEN_SPAM_PILL_2 multiple maxhits=1
+describe POISEN_SPAM_PILL_2 random spam to be learned in bayes
+score POISEN_SPAM_PILL_2 0.1 0.1 0.1 0.1
+
+# lets check above is in body :=)
+
+body POISEN_SPAM_PILL_3 /\ \/[a-zA-Z0-9]{5}/i
+tflags POISEN_SPAM_PILL_3 multiple maxhits=1
+describe POISEN_SPAM_PILL_3 random spam to be learned in bayes
+score POISEN_SPAM_PILL_3 0.1 0.1 0.1 0.1
+
+body POISEN_SPAM_PILL_4 /\ \/\/[a-zA-Z0-9]{5}/i
+tflags POISEN_SPAM_PILL_4 multiple maxhits=1
+describe POISEN_SPAM_PILL_4 random spam to be learned in bayes
+score POISEN_SPAM_PILL_4 0.1 0.1 0.1 0.1
+
+# meta is now
+
+meta POISEN_SPAM_PILL ((POISEN_SPAM_PILL_1 || POISEN_SPAM_PILL_2) && (!POISEN_SPAM_PILL_3 || !POISEN_SPAM_PILL_4))
+describe POISEN_SPAM_PILL Meta: its spam
+score POISEN_SPAM_PILL 0.1 0.1 0.1 0.1
+
+#HENRIK KROHNS DEPENDENCY ISSUES FROM OLD SANDBOX
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+  mimeheader      __HK_SPAMMY_CTFN        Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
+  mimeheader      __HK_SPAMMY_CDFN        Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
+  meta            HK_SPAMMY_FILENAME      __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
+  score           HK_SPAMMY_FILENAME      0.5
+  describe        HK_SPAMMY_FILENAME      Content Type or Disposition is Spammy
+endif
+
+#KHOPESH DEPENDENCY ISSUES FROM OLD SANDBOX
+meta     MALFORMED_FREEMAIL     (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
+describe MALFORMED_FREEMAIL     Bad headers on message from free email service
+score   MALFORMED_FREEMAIL     0.1
+
+#DAVE JONES / ENA OK TO ADD TO SA DEFAULT IF PROVEN WORTHY
+header          ENA_SUBJ_IS_SPACE       Subject =~ /^ $/
+describe        ENA_SUBJ_IS_SPACE       Subject is a space
+score           ENA_SUBJ_IS_SPACE       1.2
+#Lowered score from 3.2 for testing 9/19
+
+header          ENA_SUBJ_ONLY_SPACES    Subject =~ /^\s\s+$/
+describe        ENA_SUBJ_ONLY_SPACES    Subject is only spaces commonly used by spammers to get around subject checks
+score           ENA_SUBJ_ONLY_SPACES    0.2
+#Lowered score from 2.2 for testing 9/19
+
+header          ENA_SUBJ_ONLY_FWD       Subject =~ /(^Fw:\s+$|^Fw\s+$|^Fwd:\s+$|^Fwd\s+$|^Fwd: \(\d\)$|^Fwd: \[\d\]$)/i
+describe        ENA_SUBJ_ONLY_FWD       Subject is only "Fwd:"
+score           ENA_SUBJ_ONLY_FWD       2.2
+
+header          ENA_SUBJ_ONLY_RE        Subject =~ /(^Re:\s+$|^Re\s+$|^Re: \(\d\)$|^Re: \[\d\]$)/i
+describe        ENA_SUBJ_ONLY_RE        Subject is only "Re:"
+score           ENA_SUBJ_ONLY_RE        2.2
+
+header          ENA_SUBJ_LONG_WORD      Subject =~ /\b[^[:space:][:punct:]]{30}/
+describe        ENA_SUBJ_LONG_WORD      Subject has a very long word
+score           ENA_SUBJ_LONG_WORD      2.2
+
+header          ENA_SUBJ_ODD_CASE       Subject =~ /(?:[[:lower:]][[:upper:]].{0,15}){3}/
+describe        ENA_SUBJ_ODD_CASE       Subject has odd case
+score           ENA_SUBJ_ODD_CASE       2.6
+
+
+# David Jones <djones@ena.com>, SA users list, 2 Oct 2017
+
+#header   USERS_FROM_SPOOF_EMAIL_DISPLAY  From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
+#score    USERS_FROM_SPOOF_EMAIL_DISPLAY  0.1
+
+#describe USERS_FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an email address in the display name
+
+# RW <rwmaillists@googlemail.com>, SA users list, 5 Oct 2017
+
+#header   USERS_FROM_ADDR_SPACE  From:addr =~ /\s/
+#score    USERS_FROM_ADDR_SPACE  0.1
+
+
+# Note 56133, SA bug 5561
+#score FORGED_YAHOO_RCVD 0
+
+
+# RW <rwmaillists@googlemail.com>, SA users list, 26 Apr 2019
+header    BOGUS_MIME_VERSION  MIME-Version =~ /^(?!.*\b1\.0\b).+/
+score     BOGUS_MIME_VERSION  0.5
+describe  BOGUS_MIME_VERSION  bogus MIME-Version header
+
+# by Paul Stead <paul.stead@zeninternet.co.uk>
+if (version >= 3.004000)
+ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
+  # skip message signed by these DKIM senders
+  fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
+
+  # skip messages with one or more of these headers
+  fns_ignore_headers List-Id List-Post Mailing-List X-Forwarded-For
+
+  # group similar domains to one name
+  fns_add_addrlist   (GMAIL)  *@gmail.com *@googlemail.com
+
+  # From:name and From:address don't match and owners differ
+  header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
+
+  # From:name address matches To:address
+  header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
+
+  meta     PDS_FROMNAME_SPOOFED_EMAIL  (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
+  describe PDS_FROMNAME_SPOOFED_EMAIL From:name doesn't match From:address
+  score    PDS_FROMNAME_SPOOFED_EMAIL 0.2
+
+endif
+endif
+
+# by Pedro David Marcos
+ifplugin Mail::SpamAssassin::Plugin::AskDNS
+  uri_detail      PDM_URI_GOOGLEAPIS          text =~ /check|click|update|renew|preview/i         cleaned =~ /\.googleapis\./i
+  describe        PDM_URI_GOOGLEAPIS          Rule to look for spammy Google API usage
+  score           PDM_URI_GOOGLEAPIS          3.0
+endif
+
+#RECOMMENDED BY Raymond Dijkxhoorn for SURBL to block abuses on these pages
+util_rb_3tld    ct.sendgrid.net
+util_rb_2tld    page.link
+