diff --git a/kam-updates/kam_sa-channels_mcgrail_com.cf b/kam-updates/kam_sa-channels_mcgrail_com.cf
index 72bf0dc..7ff074c 100644
--- a/kam-updates/kam_sa-channels_mcgrail_com.cf
+++ b/kam-updates/kam_sa-channels_mcgrail_com.cf
@@ -1,4 +1,4 @@
-# UPDATE version 1717981545
+# UPDATE version 1740457405
 include kam_sa-channels_mcgrail_com/KAM.cf
 include kam_sa-channels_mcgrail_com/KAM_deadweight3.cf
 include kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf
@@ -6,5 +6,7 @@ include kam_sa-channels_mcgrail_com/KAM_deadweight3_sub.cf
 include kam_sa-channels_mcgrail_com/KAM_freemail.cf
 include kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf
 include kam_sa-channels_mcgrail_com/KAM_heavyweight.cf
+include kam_sa-channels_mcgrail_com/KAM_redirectors.cf
+include kam_sa-channels_mcgrail_com/KAM_tlds.cf
 include kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf
 include kam_sa-channels_mcgrail_com/nonKAMrules.cf
diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf
index 9085592..8028f8f 100644
--- a/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf
+++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf
@@ -76,8 +76,21 @@
 # Thanks to Wolfgang Breyha for his help fixing a few rules
+# The KAM Ruleset is composed by the following files:
+# KAM.cf
+# KAM_deadweight3.cf
+# KAM_deadweight3_meta.cf
+# KAM_deadweight3_sub.cf
+# KAM_freemail.cf
+# KAM_hashbl_settings.cf
+# KAM_heavyweight.cf
+# KAM_redirectors.cf
+# KAM_tlds.cf
+# KAM_urlshorteners.cf
+# nonKAMrules.cf
 #RESCORE - Lowering for FPs
+score AMAZON_IMG_NOT_RCVD_AMZN 1.5
 score HTML_IMAGE_ONLY_08 1.0
 score SUSPICIOUS_RECIPS 2.0
 score FSL_HAS_TINYURL 0.5
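Review bot: The two new `include` lines pull in KAM_redirectors.cf and KAM_tlds.cf, but neither file appears anywhere in this diff; if they are new files they have to be part of the same commit, since a missing include is a lint error that can keep the whole channel from loading. Presumably they receive the KAM_GOOGLE_REDIR/KAM_MSNBR_REDIR rules and the util_rb_2tld list that later hunks delete from KAM.cf, so the deletions and the new files should ship in one update rather than across two.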
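Review bot: The new `# The KAM Ruleset is composed by the following files:` list is a second, hand-maintained copy of the include list in kam_sa-channels_mcgrail_com.cf and will drift the next time a file is added or renamed; if it stays, point at the authoritative list, e.g. `# (keep in sync with the include list in kam_sa-channels_mcgrail_com.cf)`. `score AMAZON_IMG_NOT_RCVD_AMZN 1.5` is filed under `#RESCORE - Lowering for FPs`, so a short note of the stock score it lowers from would let a reader check that it really is a reduction.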
@@ -87,8 +100,26 @@ score ENA_SUBJ_ONLY_FWD 1.5
 score URI_DOTEDU 0.5
 score ADVANCE_FEE_3_NEW 1.5
 score URI_DOTEDU_ENTITY 0.25
+score THREAD_INDEX_BAD 0.1
 score TVD_APPROVED 2.5
 score WIKI_IMG 2.25
+score URIBL_CT_SURBL 0.1
+score FREEMAIL_FORGED_REPLYTO 1.75
+score RCVD_IN_IADB_COURT -10.0
+score RCVD_IN_IADB_LEG_MAND -10.0
+if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
+ score USER_IN_WELCOMELIST_TO -18
+
+ if !can(Mail::SpamAssassin::Conf::compat_welcomelist_blocklist)
+ score USER_IN_WHITELIST_TO -18
+ score USER_IN_WELCOMELIST_TO -0.01
+ endif
+endif
+if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
+ score USER_IN_WELCOMELIST_TO -0.01
+ score USER_IN_WHITELIST_TO -18
+endif
+score URI_TRY_3LD 1.0
 # COURTESY OF Marcin Miros
 body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
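Review bot: In the added welcomelist block, the inner `if !can(...compat_welcomelist_blocklist)` resets `USER_IN_WELCOMELIST_TO` to -0.01 two lines after the outer block set it to -18, so on that SA build the -18 ends up on `USER_IN_WHITELIST_TO` only; that is presumably deliberate (whichever rule name the build actually fires carries the weight), but a one-line comment per branch naming the SA version it targets would stop the next editor from "fixing" the apparent contradiction. Separately, `score RCVD_IN_IADB_COURT -10.0` and `score RCVD_IN_IADB_LEG_MAND -10.0` exceed the default required_score of 5.0 in magnitude, so one hit on these DNS-derived accreditation rules outweighs every positive rule in this file; if that is intended, say so next to them, otherwise a smaller negative in line with the other rescored rules is the safer default.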
@@ -130,7 +161,7 @@ header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is -body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low\-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is +body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low\-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|home.loan|gov.program|official.harp|currently.overpaying/is body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i tflags __KAM_REFI4 nosubject 
@@ -618,7 +649,7 @@ body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is body __KAM_UNIV14 /(earn a|full) transcript/is body __KAM_UNIV15 /(No Study Required|Without Exams|No exms|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is body __KAM_UNIV16 /\d weeks.{0,30}graduated/is -header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i +header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i body __KAM_UNIV18 /100% discrete/is body __KAM_UNIV1B /\d (months|weeks)/i @@ -695,7 +726,7 @@ body __KAM_CEP5 /degree\/certificates|certification/i body __KAM_CEP6 /\d (week|month)/i header __KAM_CEP7 From =~ /certificate program/i -meta KAM_CEP (((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3) && ! __PDF_ATTACH ) +meta KAM_CEP (((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3) && ! __PDF_ATTACH && __KAM_BODY_LENGTH_LT_1024) describe KAM_CEP CEP Diploma Mill Rule score KAM_CEP 3.5 
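Review bot: `__KAM_BODY_LENGTH_LT_1024`, newly added to the KAM_CEP meta, is not defined anywhere in this diff; meta dependencies resolve across files, so this is fine if it lives in one of the other included KAM files, but it should be confirmed with `spamassassin --lint` on a channel built from this include list, because an undefined dependency is a lint failure rather than a silent no-op. The new term also restricts KAM_CEP to short bodies, which the unchanged `describe KAM_CEP CEP Diploma Mill Rule` does not mention; consider `describe KAM_CEP CEP Diploma Mill Rule (short body, no PDF attachment)`.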
@@ -720,21 +751,6 @@ uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\ describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005 score KAM_GEO_STRING2 4.7 -#KAM GOOGLE SPAM -uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\..{2,6}\/(?:url\?q=|amp\/s\/)/i - -header __GB_FROM_GCAL0 From:addr =~ /calendar\-notification\@google\.com/ -uri __GB_FROM_GCAL1 /mailto\:calendar\-notification\@google\.com/ -meta KAM_GOOGLE_REDIR ( __KAM_GOOGLE_REDIR && !__GB_FROM_GCAL0 && !__GB_FROM_GCAL1 ) -# meta KAM_GOOGLE_REDIR __KAM_GOOGLE_REDIR -describe KAM_GOOGLE_REDIR Use of Google redir -score KAM_GOOGLE_REDIR 1.5 - -#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/ -uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i -describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011 -score KAM_MSNBR_REDIR 5.0 - #KAM MSN SPAM uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i @@ -778,6 +794,11 @@ if can(Mail::SpamAssassin::Conf::feature_capture_rules) describe GB_CUSTOM_HTM_URI Custom html uri score GB_CUSTOM_HTM_URI 1.500 + uri __GB_ROUNDCUBE /\/roundcube/i + meta GB_ROUNDCUBE_HTM ( GB_CUSTOM_HTM_URI && __GB_ROUNDCUBE ) + describe GB_ROUNDCUBE_HTM Roundcube .html uri + score GB_ROUNDCUBE_HTM 1.0 + endif endif 
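Review bot: `uri __GB_ROUNDCUBE /\/roundcube/i` matches any URI whose path contains `/roundcube`, so a legitimate webmail link in a signature combined with GB_CUSTOM_HTM_URI fires GB_ROUNDCUBE_HTM; the 1.0 score keeps that tolerable, but the describe text `Roundcube .html uri` does not say what is being targeted (presumably .html landing pages placed under a Roundcube install path on compromised hosts). A comment above the `uri` line recording the observed pattern, plus a describe such as `describe GB_ROUNDCUBE_HTM Custom .html uri under a Roundcube path`, would make later FP triage easier. The enclosing `if can(...feature_capture_rules)` block starts outside the hunk.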
@@ -894,13 +915,13 @@ score KAM_ADV_EMAIL 5.0 #SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i #EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007 -header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret|small member|g\-spot|XXX life|cart.?bloom.?jigsaw|clogged.?colon|Peppy.?Pet.?ball|derma.?correct|secret to squirting|monstrous cock|adult film star extension secret|inches to your manhood|lack of sex|harrys.?affiliate|numerologist|your prostate|stiffening tonic|need sex partner|manhood bigger|TPE sex.?doll/i +header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to 
get|S*?exy granny|shagmate|her squirt|elongation secret|small member|g\-spot|XXX life|cart.?bloom.?jigsaw|clogged.?colon|Peppy.?Pet.?ball|derma.?correct|secret to squirting|monstrous cock|adult film star extension secret|inches to your manhood|lack of sex|harrys.?affiliate|numerologist|your prostate|stiffening tonic|need sex partner|manhood bigger|TPE sex.?doll|sex position|Penis Growth|partners who can't get it up|Penis Ritual|eating puss\*y|lemon\-sized prostate|touches your anus|shrink your prostrate|testicles removed|penis chopped/i #TRYING TO GET RID OF FPs WITH LAST NAMES -header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school.?of.?squirt)|hookup.?alert|bedroom.?partner|hookup.?online|lovely.?asian|squirting.?school|sex.?portal|sex.?club|liberator.?x2|instahard|eat me with your dick|(live|naughty).?.?sex/i +header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school.?of.?squirt)|hookup.?alert|bedroom.?partner|hookup.?online|lovely.?asian|squirting.?school|sex.?portal|sex.?club|liberator.?x2|instahard|eat me with your dick|(live|naughty).?.?sex|Erectile.?Dysfunction|penis.?(growth|enlargement)|Virility Amplifier|harderandlonger|dead penis|Ejaculation|dead penis|lifeless.{0,4}manhood/i #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15 -body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? 
cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c\-o\-c\-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|(naughty|horny).milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls (from|in) your city|rock.?hard boner|reclaiming your manhood|sexy and horny|bad girls from your city|awesome in bed|turbo\-charge your bed|shocking erection|stiffening tonic|anal fun|fingering videos|willing to pay for sex/i +body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? 
cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c\-o\-c\-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|(naughty|horny).milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls (from|in) your city|rock.?hard boner|reclaiming your manhood|sexy and horny|bad girls from your city|awesome in bed|turbo\-charge your bed|shocking erection|stiffening tonic|anal fun|fingering videos|willing to pay for sex|c\*ck size|penis pump/i #remove f\#ck for FPs tflags __KAM_SEX_EXPLICIT4 nosubject 
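Review bot: `dead penis` appears twice in the new __KAM_SEX_EXPLICIT3 alternation (`...|harderandlonger|dead penis|Ejaculation|dead penis|lifeless.{0,4}manhood/i`); the duplicate is harmless at match time but should be dropped. The added bare `Ejaculation` is unanchored and case-insensitive against the From header, so any display name containing the word matches; that is probably acceptable for From, but since `#TRYING TO GET RID OF FPs WITH LAST NAMES` sits right above the rule, a short note on why it is safe there would help the next FP report.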
@@ -937,16 +958,35 @@ describe KAM_TELEWORK Stupid telework and training scams
 score KAM_TELEWORK 3.0
 #SOME TLD ARE BAD
-header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|press|pw|quest|rest|sbs|shop|stream|top|trade|wiki|work|xyz)$/i
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|press|pw|quest|rest|sbs|shop|stream|top|trade|wiki|work|xyz)($|\/|\:)/i
+header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|pw|quest|rest|sbs|shop|stream|top|trade|wiki|work|xyz)$/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|monster|online|pw|quest|rest|sbs|shop|stream|top|trade|wiki|work|xyz)($|\/|\:)/i
+
+header __KAM_SOMETLD_ARE_BAD_TLD_FROM_PRESS From:addr =~ /\.press$/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI_PRESS /:\/{2}([a-z0-9-\.]+)\.press($|\/|\:)/i
 #FPs
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)(input|td|lev)\.date|de[b|l]\.date|div\.top($|\/)|enable\.work|\/smart\.link|\.emailprotection\.link\/|\.goat\.com\/|\/square\.link\//i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)(input|td|lev)\.date|de[b|l]\.date|div\.top($|\/)|enable\.work|\/smart\.link|\.emailprotection\.link\/|\.goat\.com\/|\/square\.link\/|\.sng\.link\/|\.page\.link\/|\.app\.link($|\/)/i
 body __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF /\.date ?\{/i
-meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE >= 1))
+ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
+ header __RAPTOR_NOT_NEW X-Raptor-New =~ /no/i
+ header KAM_RAPTOR_NEW X-Raptor-New =~ /yes/i
+ describe KAM_RAPTOR_NEW Email from a new domain
+ score KAM_RAPTOR_NEW 0.1
+
+ meta KAM_SOMETLD_ARE_BAD_NNEW (((__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_FROM_PRESS >= 1) || (__KAM_SOMETLD_ARE_BAD_TLD_URI + __KAM_SOMETLD_ARE_BAD_TLD_URI_PRESS >= 1) && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE >= 1)) && __RAPTOR_NOT_NEW)
+ score KAM_SOMETLD_ARE_BAD_NNEW 4.0
+ describe KAM_SOMETLD_ARE_BAD_NNEW not new emails from commonly abused domains
+ meta KAM_SOMETLD_ARE_BAD_NEW (((__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_FROM_PRESS >= 1) || (__KAM_SOMETLD_ARE_BAD_TLD_URI + __KAM_SOMETLD_ARE_BAD_TLD_URI_PRESS >= 1) && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE >= 1)) && !__RAPTOR_NOT_NEW)
+ score KAM_SOMETLD_ARE_BAD_NEW 5.0
+ describe KAM_SOMETLD_ARE_BAD_NEW new emails from commonly abused domains
+ meta KAM_SOMETLD_ARE_BAD_TLD ( KAM_SOMETLD_ARE_BAD_NNEW || KAM_SOMETLD_ARE_BAD_NEW )
+ score KAM_SOMETLD_ARE_BAD_TLD 0.001
+else
+ meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_FROM_PRESS >= 1) || ((__KAM_SOMETLD_ARE_BAD_TLD_URI + __KAM_SOMETLD_ARE_BAD_TLD_URI_PRESS >= 1) && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE >= 1))
+ score KAM_SOMETLD_ARE_BAD_TLD 5.0
+endif
 describe KAM_SOMETLD_ARE_BAD_TLD .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .monster, .online, .press, .pw, .quest, .rest, .sbs, .shop, .stream, .top, .trade, .wiki, .work, .xyz TLD abuse
-score KAM_SOMETLD_ARE_BAD_TLD 5.0
 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
 #ifplugin Mail::SpamAssassin::Plugin::WLBLEval
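Review bot: The two new metas inside `ifplugin Mail::SpamAssassin::Plugin::RaptorOnly` rely on `&&` binding tighter than `||`: in `meta KAM_SOMETLD_ARE_BAD_NNEW (((...FROM + ...FROM_PRESS >= 1) || (...URI + ...URI_PRESS >= 1) && !(...PROGRAM_REF + ...URI_NEGATIVE >= 1)) && __RAPTOR_NOT_NEW)` the FP exclusion applies to the URI branch only, which matches the old rule, but the `else` branch writes the same expression with explicit parentheses, `|| ((...URI + ...URI_PRESS >= 1) && !(...))`; write KAM_SOMETLD_ARE_BAD_NNEW and KAM_SOMETLD_ARE_BAD_NEW the same way so the intent is visible without knowing the precedence rules. When the plugin is loaded but no X-Raptor-New header is present, `__RAPTOR_NOT_NEW` is false and the message gets the 5.0 "new domain" score instead of 4.0, so a missing header is silently treated as "new"; a comment stating that this is intended, or a third branch for the no-header case, would make the behaviour explicit. Splitting `.press` into the `_PRESS` sub-rules has no scoring effect yet, since every use is `... + ..._PRESS >= 1`; presumably groundwork for scoring it separately, which a comment on the `_PRESS` rules should say.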
@@ -982,7 +1022,7 @@ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
 #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
 header __KAM_RPTR_PASSED X-Raptor-Reverse =~ /^Passed/
- meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
+ meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
 describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
 score KAM_RPTR_PASSED -1.0
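Review bot: `RCVD_IN_SORBS_DUL` is dropped from the KAM_RPTR_PASSED sum without a note, while the comment two lines above records the earlier __URIBL_ANY removal; presumably the stock rule no longer exists, so add the same kind of marker, e.g. `#REMOVED RCVD_IN_SORBS_DUL DEPENDENCY AS THE RULE IS GONE`, so the next reader knows the change was deliberate and not a lost term. The enclosing `ifplugin Mail::SpamAssassin::Plugin::RaptorOnly` block starts outside the hunk.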
@@ -1311,7 +1351,7 @@ score KAM_FDA 0.5 #WEIGHT LOSS body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is -body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest \-?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f\-a\-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is +body __KAM_WEIGHT2 /\b(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest \-?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f\-a\-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) 
\d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t\-r\-i\-a\-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i #rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f\-a\-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i 
@@ -1380,9 +1420,9 @@ score KAM_SEX 7.0 meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2) #STUPID PICTURE SPAMS -body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is -body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady|(female|girl born) in Russia)/is -body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP|corking male|uncomparable mister/is +body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you|(wish|hope) (you're|you are) (free|able) to talk/is +body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. 
girl|pretty russian|I russian girl|(\b|^)age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|(solitary|cute) lady|(female|girl born) in Russia)/is +body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP|corking male|(find a good|uncomparable|waiting for a good) (man|mister)/is body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|(reply to|will send) you my picture|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics|e.?mail to me at/is body __KAM_PIC5 /picture|photo|my pics|appended my pic/i body __KAM_PIC6 /where (are|r) (you|u) live/i @@ -1604,8 +1644,8 @@ describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA score KAM_THEBAT 1.9 #MAILER BUGS -body __KAM_MAILER1 /\{\!firstname_fix\}/i -body __KAM_MAILER2 /Dear \[Recipient\]/i +body __KAM_MAILER1 /\{\!firstname_fix\}|\{\{email\}\}|\{\{name\}\}|\{id1?\}/i +body __KAM_MAILER2 /(Hi|Dear) \[Recipient('s name)?\]/i meta KAM_MAILER ( __KAM_MAILER1 + __KAM_MAILER2 >= 1 ) score KAM_MAILER 2.0 @@ -1760,7 +1800,12 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL tflags SEM_FRESH10 net score SEM_FRESH10 0.75 - meta KAM_SEMFRESH (SEM_FRESHZERO || SEM_FRESH || SEM_FRESH10 ) + # Use same score for SEMFRESH and FMBLA rbls + score FROM_FMBLA_NEWDOM 1.25 + score FROM_FMBLA_NEWDOM14 1.0 + score FROM_FMBLA_NEWDOM28 0.75 + + meta KAM_SEMFRESH (SEM_FRESHZERO || SEM_FRESH || SEM_FRESH10 || FROM_FMBLA_NEWDOM || FROM_FMBLA_NEWDOM14 || FROM_FMBLA_NEWDOM28 ) describe KAM_SEMFRESH Contains a domain recently registered tflags KAM_SEMFRESH net score KAM_SEMFRESH 0.001 
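Review bot: `\{id1?\}` in the new __KAM_MAILER1 alternation matches the literal strings `{id}` and `{id1}`, which also occur in ordinary technical mail (URL templates, code snippets, API docs) and then score 2.0 through KAM_MAILER; `{{email}}` and `{{name}}` are far less ambiguous. If `{id}` was seen in real spam, a comment above the rule recording that would make the next FP report easier to judge; otherwise `\{id1\}` alone is the safer addition.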
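Review bot: KAM_SEMFRESH now depends on FROM_FMBLA_NEWDOM, FROM_FMBLA_NEWDOM14 and FROM_FMBLA_NEWDOM28, which this file scores but does not define; if the stock rules that define them are gated by their own plugin or version test upstream, an installation without them gets an undefined-dependency lint warning from this meta. Wrapping the new terms in the same guard, or documenting the minimum rules version next to `# Use same score for SEMFRESH and FMBLA rbls`, would make the requirement explicit. That comment is also only checkable against SEM_FRESH10 (0.75) from here; listing the SEM_* scores that 1.25 and 1.0 mirror would let a reader verify the parity. The enclosing `ifplugin Mail::SpamAssassin::Plugin::URIDNSBL` block starts and ends outside the hunk.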
@@ -1772,123 +1817,6 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL #PCCC WILD RBL, URIBL Check for bad URIs in body, Received, From and Reply-to #Thanks to AXB for his help with these! - #2013-10-09 Note - # - #These RBL's below can contain domains that can cause collateral damage. - #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess. - #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures. - #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists. - #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright. - #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails. - #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem - #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com - - if (version >= 3.003000) - #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY - util_rb_2tld 42web.io - util_rb_2tld a2hosted.com - util_rb_2tld amplifyapp.com - util_rb_2tld app.link - util_rb_2tld armenia.su - util_rb_2tld ashgabad.su - util_rb_2tld awsapps.com - util_rb_2tld azurewebsites.net - util_rb_2tld benchmarkurl.com - util_rb_2tld benchurl.com - util_rb_2tld bmecurl.co - util_rb_2tld boxmode.io - util_rb_2tld campaign-view.com - util_rb_2tld caspio.com - util_rb_2tld cfolks.pl - util_rb_2tld cn.com - util_rb_2tld codeanyapp.com - util_rb_2tld codesandbox.io - util_rb_2tld co.in - util_rb_2tld cu-portland.edu - util_rb_2tld doesphotography.com - util_rb_2tld dreamhost.com - util_rb_2tld dreamhosters.com - 
util_rb_2tld fanlink.tv - util_rb_2tld east-kazakhstan.su - util_rb_2tld exnet.su - util_rb_2tld fameup.net - util_rb_2tld fere.top - util_rb_2tld firebaseapp.com - util_rb_2tld fly.dev - util_rb_2tld free.hr - util_rb_2tld georgia.su - util_rb_2tld glitch.me - util_rb_2tld glueup.com - util_rb_2tld googleapis.com - util_rb_2tld gr8.com - util_rb_2tld great-site.net - util_rb_2tld herokuapp.com - util_rb_2tld hubspot-inbox.com - util_rb_2tld in.net - util_rb_2tld infinityfreeapp.com - util_rb_2tld isteaching.com - util_rb_2tld jimdo.com - util_rb_2tld kalmykia.su - util_rb_2tld kriya.ai - util_rb_2tld lovestoblog.com - util_rb_2tld mangyshlak.su - util_rb_2tld mjt.lu - util_rb_2tld mmsend.com - util_rb_2tld msgfocus.com - util_rb_2tld myclickfunnels.com - util_rb_2tld mygbiz.com - util_rb_2tld myshopify.com - util_rb_2tld netart.com - util_rb_2tld netdna-cdn.com - util_rb_2tld netlify.app - util_rb_2tld ning.com - util_rb_2tld noip.us - util_rb_2tld north-kazakhstan.su - util_rb_2tld nov.su - util_rb_2tld onelink.me - util_rb_2tld online.de - util_rb_2tld onmicrosoft.com - util_rb_2tld outrch.com - util_rb_2tld pages.dev - util_rb_2tld psee.io - util_rb_2tld plan-net.technology - util_rb_2tld qualtrics.com - util_rb_2tld r2.dev - util_rb_2tld radio.am - util_rb_2tld replit.dev - util_rb_2tld ru.com - util_rb_2tld sa.com - util_rb_2tld sendpul.se - util_rb_2tld sentieo.com - util_rb_2tld sharepoint.com - util_rb_2tld tashkent.su - util_rb_2tld tempurl.host - util_rb_2tld thrivecart.com - util_rb_2tld trykalendarai.com - util_rb_2tld tumblr.com - util_rb_2tld usekalendarai.com - util_rb_2tld vercel.app - util_rb_2tld web.com - util_rb_2tld webflow.io - util_rb_2tld wix.com - util_rb_2tld wixsite.com - util_rb_2tld workers.dev - util_rb_2tld wpenginepowered.com - util_rb_2tld wufoo.com - util_rb_2tld za.com - util_rb_2tld zendesk.com - util_rb_3tld en.alibaba.com - util_rb_3tld fr-par-1.linodeobjects.com - util_rb_3tld hosted.phplist.com - util_rb_3tld lt.acemlnc.com 
- util_rb_3tld mkt.dynamics.co - util_rb_3tld on.fleek.co - util_rb_3tld qiye.163.com - util_rb_3tld trk.elasticemail.com - util_rb_3tld us-east-1.linodeobjects.com - util_rb_3tld us-iad-1.linodeobjects.com - endif - # allow URI rules to look at DKIM headers if they exist and our SA version supports it if (version >= 3.004001) parse_dkim_uris 1 
@@ -1902,9 +1830,20 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL endif #LAUNCH PCCC WILD RBL + #2013-10-09 Note + # + #These RBL's below can contain domains that can cause collateral damage. + #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess. + #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures. + #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists. + #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright. + #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails. + #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem + #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com + ifplugin Mail::SpamAssassin::Plugin::RaptorOnly # match on any Wild rbl rule excluding Marketing rbl - meta __KAM_WILD_PCCC ( KAM_BODY_URIBL_PCCC || KAM_FROM_URIBL_PCCC || KAM_BODY_COMPROMISED_URIBL_PCCC || KAM_FROM_COMPROMISED_URIBL_PCCC || KAM_MESSAGE_HASHBL_FREEMAIL || PCCC_HDR_REPLYTO || PCCC_SENDER_COMPROMISED || PCCC_RECEIVED_HDR_COMPROMISED || PCCC_FROM_BAD_NS || PCCC_HASHBL_FREEMAIL || PCCC_HASHBL_EMAIL || PCCC_HASHBL_SHORT_URI || GB_PHONE_RBL || GB_PHONE_RBL_RAW ) + meta __KAM_WILD_PCCC ( KAM_BODY_URIBL_PCCC || PCCC_BAD_FREE_URI || KAM_FROM_URIBL_PCCC || KAM_BODY_COMPROMISED_URIBL_PCCC || KAM_FROM_COMPROMISED_URIBL_PCCC || KAM_MESSAGE_HASHBL_FREEMAIL || PCCC_HDR_REPLYTO || PCCC_SENDER_COMPROMISED || PCCC_RECEIVED_HDR_COMPROMISED || PCCC_FROM_BAD_NS || PCCC_HASHBL_FREEMAIL || PCCC_HASHBL_EMAIL || PCCC_HASHBL_SHORT_URI || PCCC_HASHBL_LISTID || GB_PHONE_RBL || 
GB_PHONE_RBL_RAW ) endif #BAD URI IN BODY @@ -1922,6 +1861,12 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL tflags KAM_FROM_URIBL_PCCC net score KAM_FROM_URIBL_PCCC 9.0 endif + + urirhssub PCCC_BAD_FREE_URI wild.pccc.com. A 127.0.0.6 + body PCCC_BAD_FREE_URI eval:check_uridnsbl('PCCC_BAD_FREE_URI') + describe PCCC_BAD_FREE_URI Body contains URI listed in PCCC WILD RBL (https://raptor.pccc.com/RBL) + tflags PCCC_BAD_FREE_URI net + score PCCC_BAD_FREE_URI 0.5 #MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32 @@ -1992,7 +1937,7 @@ endif #EMAIL BLACKLIST CHECK FOR PCCC WILD RBL if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL - header KAM_MESSAGE_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5/max=10/shuffle', 'ALLFROM/Reply-To/body', '^127\.0\.0\.64', 'freemail') + header KAM_MESSAGE_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5/max=10/shuffle', 'ALLFROM/Reply-To/Resent-from/body', '^127\.0\.0\.64', 'freemail') describe KAM_MESSAGE_HASHBL_FREEMAIL Message contains freemail address listed in PCCC WILD RBL (https://raptor.pccc.com/RBL) tflags KAM_MESSAGE_HASHBL_FREEMAIL net score KAM_MESSAGE_HASHBL_FREEMAIL 10.0 
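Review bot: Adding PCCC_BAD_FREE_URI to __KAM_WILD_PCCC lets a rule the next hunk scores at only 0.5 satisfy a sub-rule whose comment promises "any Wild rbl rule", so any meta that treats __KAM_WILD_PCCC as a high-confidence signal will now fire on a 127.0.0.6 free-host hit; those metas are outside this hunk, so the effect cannot be confirmed here. Either leave PCCC_BAD_FREE_URI out of the alternation or say so in the comment, e.g. `# match on any Wild rbl rule excluding Marketing rbl (includes the low-scoring PCCC_BAD_FREE_URI free-host hit)`. PCCC_HASHBL_LISTID is also referenced but not defined anywhere in this diff; if it exists only under some plugin configurations, lint may warn about an undefined dependency in the meta.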
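Review bot: The describe text for PCCC_BAD_FREE_URI reads like a generic wild-RBL hit and does not tell a user that this is the 127.0.0.6 sub-list with its own much lower score, so a score report cannot distinguish it from the 9.0-point rules above it. Suggest `describe PCCC_BAD_FREE_URI Body contains URI in the 127.0.0.6 (bad free) sub-list of PCCC WILD RBL (https://raptor.pccc.com/RBL)`. The new block is placed after an endif, and whether it still sits inside the URIDNSBL ifplugin named in the hunk header cannot be confirmed from the visible lines; if it does not, the urirhssub line needs its own plugin guard.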
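Review bot: The header list for KAM_MESSAGE_HASHBL_FREEMAIL now includes Resent-from, but the SNB_HASHBL_FREEMAIL rule added later in this diff (the +1970 hunk) keeps `'ALLFROM/Reply-To/body'`; if catching resent freemail addresses is the intent, both rules should use `'ALLFROM/Reply-To/Resent-from/body'`. Otherwise a one-line comment on this rule saying why Resent-from matters here and not there would save the next reader the question.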
@@ -2004,10 +1949,10 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail header __GB_FREEMAIL_NUMN0 From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|icloud|yahoo)\.com/i header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|icloud|yahoo)\.com/i header __GB_FREEMAIL_NUMN1 From:addr =~ /[a-z]\.?(?:123|321|456)\@(gmail|hotmail|icloud|yahoo)\.com/i - header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|icloud|yahoo)\.com/i + header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d{3,10})\@(gmail|hotmail|icloud|yahoo)\.com/i meta GB_FREEMAIL_NUM ( ( __GB_FREEMAIL_NUM0 && ! __GB_FREEMAIL_NUMN0 ) || ( __GB_FREEMAIL_NUM1 && ! __GB_FREEMAIL_NUMN1 ) || __GB_FREEMAIL_NUM2 ) describe GB_FREEMAIL_NUM Freemail spammy address - score GB_FREEMAIL_NUM 1.0 + score GB_FREEMAIL_NUM 0.75 header __GB_FREEMAIL_GMAIL From:addr =~ /\@gmail\.com/i meta GB_GMAIL_NUM ( GB_FREEMAIL_NUM && __GB_FREEMAIL_GMAIL && ( KAM_DMARC_NONE || KAM_DMARC_QUARANTINE ) ) 
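Review bot: The rewritten __GB_FREEMAIL_NUM2 regex wraps single atoms in non-capturing groups that add nothing — `(?:\d+)`, `(?:[a-z])+`, `(?:\d{3,10})` — while the provider alternation is a capturing group nothing uses. The equivalent `header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?\d+[a-z]+\d{3,10}\@(?:gmail|hotmail|icloud|yahoo)\.com/i` matches the same addresses and is easier to audit. Because the pattern is unanchored and /i, `[a-z]` also accepts uppercase letters anywhere in the local part, which is presumably intended.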
@@ -2025,6 +1970,24 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail score GB_FREEMAIL_TEXTCOLOR 1.5 endif +ifplugin Mail::SpamAssassin::Plugin::RaptorOnly + # SNB Hashbl freemail rbl not handled in KAM.cf +else + ifplugin Mail::SpamAssassin::Plugin::HashBL + if can(Mail::SpamAssassin::Plugin::HashBL::has_hashbl_alldomains) + header SNB_HASHBL_FREEMAIL eval:check_hashbl_emails('freemailbl-s.snb.it', 'md5/max=10/shuffle/alldomains', 'ALLFROM/Reply-To/body', '^127\.0\.0\.1', 'freemail') + else + if (version >= 3.004003) + header SNB_HASHBL_FREEMAIL eval:check_hashbl_emails('freemailbl-s.snb.it', 'md5/max=10/shuffle', 'ALLFROM/Reply-To/body', '^127\.0\.0\.1', 'freemail') + describe SNB_HASHBL_FREEMAIL Message contains email address found on SNB Freemail HashBL + tflags SNB_HASHBL_FREEMAIL net + score SNB_HASHBL_FREEMAIL 7.5 + priority SNB_HASHBL_FREEMAIL -100 + endif + endif + endif +endif + #FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES ifplugin Mail::SpamAssassin::Plugin::RaptorOnly meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY ) 
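Review bot: The describe, `tflags net`, `score 7.5` and `priority -100` lines for SNB_HASHBL_FREEMAIL sit inside the inner else branch, so on a SpamAssassin that has has_hashbl_alldomains the first header line defines the rule but it gets no description, no net tflag and the default score of 1.0 instead of 7.5. Move the four lines so they apply in both branches, or repeat them under the alldomains branch as shown below. This rule also keeps `'ALLFROM/Reply-To/body'` while KAM_MESSAGE_HASHBL_FREEMAIL earlier in this diff gained Resent-from; if that extension was deliberate it presumably applies here as well.
```spamassassin
  ifplugin Mail::SpamAssassin::Plugin::HashBL
    if can(Mail::SpamAssassin::Plugin::HashBL::has_hashbl_alldomains)
      header SNB_HASHBL_FREEMAIL eval:check_hashbl_emails('freemailbl-s.snb.it', 'md5/max=10/shuffle/alldomains', 'ALLFROM/Reply-To/body', '^127\.0\.0\.1', 'freemail')
      describe SNB_HASHBL_FREEMAIL Message contains email address found on SNB Freemail HashBL
      tflags SNB_HASHBL_FREEMAIL net
      score SNB_HASHBL_FREEMAIL 7.5
      priority SNB_HASHBL_FREEMAIL -100
    else
      # ... unchanged: version >= 3.004003 branch with its own describe/tflags/score/priority ...
```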
@@ -2061,9 +2024,10 @@ score KAM_MXINFO 1.0 describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers #BAD NAMES -body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i +#Disabled 2024-11-12 as they are not used in any metas +#body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i -header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. 
Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i +#header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i #GRASS SEED header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i @@ -2166,7 +2130,10 @@ body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|se #who rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|(marketing|sales) manager/i -meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 + FREEMAIL_FROM >= 5) + #Obfu - AUTOMATIC SPAM +header __KAM_SEARCH6 Subject =~ /Ist page of google/i + +meta KAM_SEARCH ( __KAM_SEARCH6 ) || ( __KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 + FREEMAIL_FROM >= 5 ) score KAM_SEARCH 7.5 describe KAM_SEARCH Spammers hawking SEO 
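Review bot: __KAM_SEARCH6 exists to catch the capital-I-for-1 obfuscation in "Ist page of google", but the /i flag folds that signal away and turns the rule into a case-insensitive `ist page of google`; `header __KAM_SEARCH6 Subject =~ /\bIst page of google/` keeps the obfuscation as the trigger. That matters because the new meta lets this single Subject sub-rule satisfy KAM_SEARCH (7.5 points) on its own, bypassing the `>= 5` sum the other sub-rules still need. The `#Obfu - AUTOMATIC SPAM` comment also carries a leading space that the neighbouring comments in this section do not.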
@@ -2640,12 +2607,12 @@ score KAM_SEXSUBJECT 2.0 describe KAM_SEXSUBJECT Sexually Explicit Subject #RUSSIAN WIFE/BRIDE SCAMS - Raising to >= 3 for FPs due to Russian Invasion of Ukraine 2/25/2023 -header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe|girls)/i -body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i +header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe|girls)|(Ukrainian|russian|asian) wom[ae]n (are )?near you/i +body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos|actively seeking men/i tflags __KAM_WIFE2 nosubject header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice|hot).?(russian|asian)/i -meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 3) +meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + ( FREEMAIL_FROM + __KAM_WIFE3 >= 1) >= 3) score KAM_WIFE 8.0 describe KAM_WIFE Mail order bride scams 
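Review bot: The new KAM_WIFE meta lets FREEMAIL_FROM stand in for __KAM_WIFE3, so a freemail sender whose Subject and body both match now scores 8.0 with no From-name signal; that loosens a rule whose section comment says it was tightened to >= 3 for FPs, so the comment above the rule (a context line here) should be updated to say that FREEMAIL_FROM is now accepted in place of the From check. The inner `( FREEMAIL_FROM + __KAM_WIFE3 >= 1)` is a boolean written as arithmetic; `( FREEMAIL_FROM || __KAM_WIFE3 )` yields the same 0/1 and reads as intended.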
@@ -2856,9 +2823,9 @@ score KAM_WTA 9.0 describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains #SMOKELESS -body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?\-?cig|wanting to quit/i -header __KAM_SMOKE2 Subject =~ /smoke|e\-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?\-?cig/i -header __KAM_SMOKE3 From =~ /smoke|smoking|e.?\-?cig|electronic cig|vapex|vapor|starter.kit/i +body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|\be.?\-?cig|wanting to quit/i +header __KAM_SMOKE2 Subject =~ /smoke|\be\-cig|perfect.?.gift|no cancer|electronic cig|never smoke|\be.?\-?cig/i +header __KAM_SMOKE3 From =~ /smoke|smoking|\be.?\-?cig|electronic cig|vapex|vapor|starter.kit/i body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i body __KAM_SMOKE5 /you have qualified/i 
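Review bot: In __KAM_SMOKE2 the new `\be\-cig` alternative is fully covered by the later `\be.?\-?cig` in the same pattern (`.?` empty, `\-?` taken), so one of the two is dead weight. The `\b` additions otherwise do the right thing: the old `e.?\-?cig` matched the tail of phrases such as "the cig". Note that `.?` still permits any single byte between the e and the optional hyphen, so `\be\s?\-?cig` would be the narrower form if only whitespace was meant.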
@@ -2936,16 +2903,16 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3 #ISSUE - body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e\-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (amost )?(exhausted|fu)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de\-?activat|de\-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|dectivted if no ction|invalid users|request .{0,13}shutdown|migrating all email|delvry f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about|set) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving|your inbox)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be preented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?\-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web\-?mail support|change your password|pending (some|e\-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired|deleted after \d+ hour|expires in less than \d+h|risk of being locked out|e\-?mail service deletion request|password for .{10,60} expire|password is set to expire|discontinue support on your account|generate a new password|word for .{1,30} is set expire|confirm your own|upgraded our security|p*ssword*is*s*t to *xpir/i + body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e\-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (amost )?(exhausted|fu)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? 
to|account) de\-?activat|de\-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|dectivted if no ction|invalid users|request .{0,13}shutdown|migrating all email|delvry f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about|set) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving|your inbox)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? 
today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be preented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?\-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web\-?mail support|change your password|pending (some|e\-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired|deleted after \d+ hour|expires in less than \d+h|risk of being locked out|e\-?mail service deletion request|password for .{10,60} expire|password is set to expire|discontinue support on your account|generate a new password|word for .{1,30} is set expire|confirm your own|upgraded our security|p*ssword*is*s*t to *xpir|address verification is required|credentials? is due to update|placed a temporary suspension|notification of pending \d+ message|all users to update their email/i tflags __KAM_MAILBOX1 nosubject #ACTION - body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|ccount|(web\-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) 
(inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365\-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re\-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re\-?validation|cancel the request|prevent lock of account|back under the limit|update no|rectivte ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email 
message|secure your account|authenticate.{1,35} account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?\-?mail|pending e?\-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file|view and accept messages|keep my access|re\-?active current pass|call support helpline|attend to our notice|clear up space setting|retain your existing password|avoid mailbox disconnection|confirm active account|keep using the existing pass|maintain current credential/i + body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|ccount|(web\-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) 
(inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update (email )?account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365\-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re\-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) (the )?(current|same) password|free up space|quick re\-?validation|cancel the request|prevent lock of account|back under the limit|update no|rectivte ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload 
Email message|secure your account|authenticate.{1,35} account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?\-?mail|pending e?\-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file|view and accept messages|keep my access|re\-?active current pass|call support helpline|attend to our notice|clear up space setting|retain your existing password|avoid mailbox disconnection|confirm active account|keep using the existing pass|maintain current credential|unblock message|verification portal|refresh (your account|e?.?mail server)|Keep your details|resolve errors now/i tflags __KAM_MAILBOX2 nosubject #SUBJECT - header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e\-?)?mail|document|message)|(delvry|synchronization|processing) (problem|is blocked|failure|errr)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e\-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) 
(closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}errr|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited|closing)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e\-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|verfcaton|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign\-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re\-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e\-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail\-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?\-?mail pass|mail protection update|e\-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires? 
today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account|Alert\!\!|do not ignore this notification|trying to contact you|validation notic|pass(word|wrod) expire|email configuration|e\-?mail service deletion|cpanel notification|password for .{10,60} expire|message expiry error|message failure delivery notice|e-?mail account validat|^Your .{1,30} notification$|Final Notice\!/i + header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e\-?)?mail|document|m[ae]ssage)|(delvry|synchronization|processing) (problem|is blocked|failure|errr)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e\-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) 
(closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}errr|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited|closing)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e\-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|verfcaton|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign\-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re\-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e\-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail\-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?\-?mail pass|mail protection update|e\-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires? 
today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account|Alert\!\!|do not ignore this notification|trying to contact you|validation notic|pass(word|wrod) expire|email configuration|e\-?mail service deletion|cpanel notification|password for .{10,60} expire|message expiry error|message failure delivery notice|e-?mail account validat|^Your .{1,30} notification$|Final Notice\!|email expiration|^\s*update required\s*$|^\s*IT Support\s*$|Please validate|Review Required|verify email address|Confirm if this user is active|password is set for cancellation|cancel your registered email|refresh e?.?mail server|account disabled due to recent activity|your .*\@.* rectification|Password expiry alert|Update your.*account to ensure security/i #NON OBFUSCATED VARIANT NOT A SPAM INDICATOR - header __KAM_MAILBOX3FP Subject =~ /verification/i + header __KAM_MAILBOX3FP Subject =~ /verification|Approaching pooled storage/i #COMPROMISED SYSTEMS uri __KAM_WPADMIN /\/wp\-admin\//i 
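Review bot: The new __KAM_MAILBOX3 alternatives `Please validate`, `Review Required` and `verify email address` are ordinary subjects in approval workflows and sign-up confirmations, and the __KAM_MAILBOX3FP exemption that follows is only widened to `verification|Approaching pooled storage`, so none of them is covered by it. If the meta that consumes these sub-rules (outside this hunk) still requires a MAILBOX1 or MAILBOX2 hit the exposure is bounded; otherwise consider `verify (your )?email address` in __KAM_MAILBOX3FP or dropping `Review Required`. The hunk also quietly removes `confirmation` from the `(action|confirmation|\..{2,6} update).?required` alternation, which deserves a comment if it was an FP fix. The enclosing ReplaceTags ifplugin block starts outside the hunk.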
@@ -2977,18 +2944,15 @@ ifplugin Mail::SpamAssassin::Plugin::DecodeShortURLs else #OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this. uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/ - - # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS - uri __KAM_TINYDOMAIN /https?:\/\/(?!aka\.ms)(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i - endif else #OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this. 
uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/ - # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS - uri __KAM_TINYDOMAIN /https?:\/\/(?!aka\.ms)(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i endif +# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS +uri __KAM_TINYDOMAIN /https?:\/\/(?!aka\.ms)(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i + #POWER CHAIRS body __KAM_POWER1 /hoveround/i header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i @@ -3111,8 +3075,8 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags # replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@) #Thanks to Kent Oyer for his review of the replace tags -replace_tag A1 (?:a|\xf0\x9d\x97\xae|\xc3\xa3|\xf0\x9d\x9a\x8a|\xd0\xb0|\xc9\x91|\xce\xb1|\xc3\x81|\@) -replace_tag B1 (?:b|\xce\x92|\xce\xb2|\xf0\x9d\x97\xaf|\xf0\x9d\x9a\x8b) +replace_tag A1 (?:a|\xf0\x9d\x97\xae|\xc3\xa3|\xf0\x9d\x9a\x8a|\xd0\xb0|\xc9\x91|\xce\xb1|\xc3\x81|\@|\xc8\xa6) +replace_tag B1 (?:b|\xce\x92|\xce\xb2|\xf0\x9d\x97\xaf|\xf0\x9d\x9a\x8b|\xd0\x92) replace_tag C1 (?:c|\xd0\xa1|\xd1\x81|\xf0\x9d\x97\xb0|\xf0\x9d\x9a\x8c) replace_tag D1 (?:d|\xf0\x9d\x9a\x8d) replace_tag E1 (?:e|\xd0\xb5|\xc4\x97|\xf0\x9d\x97\xb2|\xf0\x9d\x9a\x8e|\xc3\xaa|\xcf\xb5|\xc3\xab) 
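Review bot: Moving __KAM_TINYDOMAIN out of both else branches means it is now also defined when DecodeShortURLs is loaded, so any meta that references it (outside this hunk) starts firing in configurations where the reference previously resolved to an undefined rule; that may be the intent, but the "OLDER RULE, SHOULD USE DecodeShortURLs" comment no longer explains its status and a line such as `# Always defined: a 1-4 character host label is a shortener signal regardless of DecodeShortURLs` would. The pattern's `[^\/]{1,4}` accepts any short label and the only exclusions are `aka.ms`, `avg`, `ibm` and `gov`, so hosts like x.com match; if that is unwanted, extend the first lookahead, e.g. `(?!aka\.ms|x\.com)`.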
@@ -3120,24 +3084,29 @@ replace_tag G1 (?:g|\xf0\x9d\x97\x80) replace_tag I1 (?:i|\xd1\x96|\xc4\xab|\xce\xb9|\xf0\x9d\x97\xb6|\xf0\x9d\x9a\x92|l|1) replace_tag K1 (?:k|\xd0\xba) replace_tag L1 (?:l|i) -replace_tag M1 (?:m|\xca\x8d|\xf0\x9d\x97\xba|\x9b\x96) -replace_tag N1 (?:n|\xf0\x9d\x9a\x97) +replace_tag M1 (?:m|\xca\x8d|\xf0\x9d\x97\xba|\x9b\x96|\xd0\xbc) +replace_tag N1 (?:n|\xf0\x9d\x9a\x97|\xd5\xb8) replace_tag O1 (?:o|0|\xd0\xbe|\xce\xbf|\xf0\x9d\x97\xbc|\xf0\x9d\x9a\x98|\xd0\x9e|\xc3\xb4) replace_tag P1 (?:p|\xd1\x80|\xc7\xb7|\xcf\x81|\xf0\x9d\x97\xbd|\xf0\x9d\x9a\x99|\xd0\xa0) replace_tag R1 (?:r|\xf0\x9d\x97\xbf|\xf0\x9d\x9a\x9b) -replace_tag S1 (?:s|\xd0\x85|\xf0\x9d\x98\x80|\xf0\x9d\x9a\x9c) +replace_tag S1 (?:s|\xd0\x85|\xf0\x9d\x98\x80|\xf0\x9d\x9a\x9c|\xd1\x95) replace_tag T1 (?:t|\xcf\x84|\xf0\x9d\x98\x81|\xf0\x9d\x9a\x9d) replace_tag U1 (?:u|\xf0\x9d\x98\x82) -replace_tag V1 (?:v|\xf0\x9d\x96\xb5|\xce\xbd) +replace_tag V1 (?:v|\xf0\x9d\x96\xb5|\xce\xbd|\xd1\xb5) replace_tag W1 (?:w|\xf0\x9d\x98\x84|\xf0\x9d\x9a\xa0|\xd1\xa1) -replace_tag Y1 (?:y|\xf0\x9d\x9a\xa2) +replace_tag Y1 (?:y|\xf0\x9d\x9a\xa2|\&\#7823\;|\xd1\x83) replace_tag SPACE1 (?: |\xc2\xa0|\xef\xbb\xbf) #OBFU ONLY replace_tag A2 (?:[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@) -replace_tag E2 (?:[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab]|[\xc3][\xa8]) +replace_tag D2 (?:\xf0\x9d\x9a\x8d|\xf0\x9d\x90\x9d) +replace_tag E2 (?:[\xd0][\xb5]|[\xc4][\x97]|\xf0\x9d\x97\xb2|\xf0\x9d\x9a\x8e|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab]|[\xc3][\xa8]|\xf0\x9d\x90\x9e) replace_tag K2 (?:[\xd0][\xba]) -replace_tag U2 (?:[\xf0\x9d\x98\x82]) +replace_tag O2 (?:O|\xd0\xbe|\xce\xbf|\xf0\x9d\x97\xbc|\xf0\x9d\x9a\x98|\xd0\x9e|\xc3\xb4|\xf0\x9d\x90\xa8) +replace_tag R2 (?:\xf0\x9d\x97\xbf|\xf0\x9d\x9a\x9b|\xf0\x9d\x90\xab) +replace_tag U2 (?:\xf0\x9d\x98\x82) +replace_tag NUM1 
(?:\xf0\x9d\x9f\x8f|\xf0\x9d\x9f\xad) +replace_tag NUM8 (?:\xf0\x9d\x9f\x96) header __KAM_CREDIT6 Subject =~ /omplmentary (redt|EXPERIAN|Transunion|Equifax)/i header __KAM_CREDIT7 From =~ /core.?ense/i 
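Review bot: The new `Y1` alternative `\&\#7823\;` is written as an HTML numeric entity, whereas every other confusable in these tags is a raw UTF-8 byte sequence; body rules run against rendered text, where numeric entities have normally already been decoded, so the literal entity is unlikely to match anything. The UTF-8 encoding of U+1E8F (decimal 7823) is `\xe1\xba\x8f`, so the consistent form is `replace_tag Y1 (?:y|\xf0\x9d\x9a\xa2|\xe1\xba\x8f|\xd1\x83)`; keep the entity only if this tag is also applied to rules that see raw, pre-render data. The hunk correctly replaces the bracketed `[\xf0\x9d\x97\xb2]` form in `E2` and `U2` (a character class matches one byte, not the four-byte code point), but the context line `A2` still carries `[\xf0\x9d\x97][\xae]`, which looks like the same mistake and would benefit from the same rewrite.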
@@ -3197,6 +3166,81 @@ meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYP score KAM_PAYPAL3 8.0 describe KAM_PAYPAL3 Phish disguised as a paypal email +replace_rules __GB_OBFU_PHONE +body __GB_OBFU_PHONE /(?:\b|\s)(?:\+(?:\s|\-)?\(|\+?(?:)?(?:\(|\-)?(?:)|\d\d|Call-I\(|I\(888\))/ +meta GB_PAYPAL_OBFU_PHONE ( __GB_OBFU_PHONE && ( FUZZY_PAYPAL || FROM_PAYPAL_SPOOF ) ) +describe GB_PAYPAL_OBFU_PHONE Paypal email with obfuscated content +score GB_PAYPAL_OBFU_PHONE 3.5 + +# Thanks to Jim Brandt for the regexp fix +replace_rules __GB_FRAUD_PAYPAL +header __GB_TO_ONMICROSOFT To:addr =~ /.{3,16}\.onmicrosoft\.com/ +header __GB_TO_TEST_GOOGLE To:addr =~ /\.test\-google\-a\.com/ +header __GB_TO_NOREPLY To:addr =~ /norepla?y.{0,16}\@/ +header __GB_TO_PURCHASE To:addr =~ /(?:(?:purchase|confirmed).{0,16}\d+|order.?status(?:\d+)?|company)\@/ +header __GB_TO_LOCAL_NOVOWEL To:addr =~ /[bcdfgjklmnpqrstvwxz]{6}\S*\@/i +header __GB_FROM_PAYPAL From:addr =~ /\@(?:intl\.)?paypal.com(?:\.au|\.mx)?/ +header __GB_FROM_DOCUSIGN From:addr =~ /\@docusign\.net/ +header __GB_FROM_ZELLEPAY From:addr =~ /\@zellepay\.com/ +header __GB_FROM_BESTBUY From:addr =~ /\@emailinfo\.bestbuy\.com/ +header __GB_FROM_ADOBESIGN From:addr =~ /\@adobesign\.com/ +body __GB_PHONE /(?:\+[0-9])?\s?(?:\()?(?:[0-9]{3})(?:\))?\s?(?:[0-9\-]{8,9})/ +body __GB_FRAUD_PAYPAL /Fraud\s+Alert||recognize\s+the\s+seller|Quickly\s+inform\s+us|(?:PayPal)(?:Support)?(?:Team)?\s+Immediately|we do\s?n.{1,3}t (?:hear|receive any communication) from you|unauthorized charge|made in error|BTC order|do.{1,3}t hesitate to contact us immediately|did\s?n.{1,3}t made this order|seconds? 
for your account to reflect this transaction/i +ifplugin Mail::SpamAssassin::Plugin::RaptorOnly + meta GB_FAKE_INVOICE ( ( __GB_FROM_PAYPAL || __GB_FROM_DOCUSIGN || __GB_FROM_ZELLEPAY || __GB_FROM_BESTBUY || __GB_FROM_ADOBESIGN ) + ( __GB_TO_ONMICROSOFT || __GB_TO_TEST_GOOGLE || __GB_TO_NOREPLY || __GB_TO_PURCHASE || __GB_TO_LOCAL_NOVOWEL ) + ( __GB_PHONE || __GB_OBFU_PHONE ) >= 3 ) + score GB_FAKE_INVOICE 5.5 +else + meta GB_FAKE_INVOICE ( ( __GB_FROM_PAYPAL || __GB_FROM_DOCUSIGN || __GB_FROM_ZELLEPAY || __GB_FROM_BESTBUY || __GB_FROM_ADOBESIGN ) + ( __GB_TO_ONMICROSOFT || __GB_TO_TEST_GOOGLE || __GB_TO_NOREPLY || __GB_TO_PURCHASE || __GB_TO_LOCAL_NOVOWEL ) + ( __GB_PHONE || __GB_OBFU_PHONE ) + __GB_FRAUD_PAYPAL >= 4 ) + score GB_FAKE_INVOICE 7.0 +endif +describe GB_FAKE_INVOICE Fake Docusign or Paypal invoice + +body __GB_BTC1 /\b(?:BTC|Bitcoin)\b/i +meta GB_FAKE_INVOICE_BTC ( GB_FAKE_INVOICE && __GB_BTC1 ) +describe GB_FAKE_INVOICE_BTC Fake Docusign or Paypal invoice mentioning Bitcoins +score GB_FAKE_INVOICE_BTC 1.5 + +header __GB_FROM_ZOHOINVOICE From:addr =~ /\@(?:sender\.zohoinvoice\.com|zohosign\.com)/ +meta GB_FAKE_ZOHOINVOICE ( __GB_FROM_ZOHOINVOICE + FREEMAIL_REPLYTO_END_DIGIT + ( __GB_PHONE || __GB_OBFU_PHONE ) >= 3 ) +describe GB_FAKE_ZOHOINVOICE Fake Zoho invoice +score GB_FAKE_ZOHOINVOICE 3.0 + +header __GB_FROM_VENMO From:addr =~ /\@venmo\.com/ +header __GB_ORG_ONMICROSOFT X-OriginatorOrg =~ /\.onmicrosoft\.com/ +meta GB_FAKE_VENMO ( __GB_FROM_VENMO + ( __GB_ORG_ONMICROSOFT || __GB_TO_PURCHASE ) + __GB_OBFU_PHONE >= 3 ) +describe GB_FAKE_VENMO Fake Venmo invoice +score GB_FAKE_VENMO 3.0 + +header __GB_FROM_PAYPAL From:name =~ /Paypal/i +header __GB_ENVFROM_PAYPAL From:addr =~ /\@paypal\.com/ +meta GB_PAYPAL_BTC_PHONE ( ( __GB_FROM_PAYPAL && !__GB_ENVFROM_PAYPAL ) && __GB_BTC1 && ( __GB_PHONE || __GB_OBFU_PHONE ) && MONEY_NOHTML ) +describe GB_PAYPAL_BTC_PHONE Paypal scam +score GB_PAYPAL_BTC_PHONE 3.0 + +ifplugin 
Mail::SpamAssassin::Plugin::RaptorOnly + meta GB_PAYPAL_SHORT ( ( __GB_FROM_PAYPAL && !__GB_ENVFROM_PAYPAL ) && ( KAM_IFRAME || __KAM_SHORT ) && KAM_RAPTOR_NEW ) + describe GB_PAYPAL_SHORT Fake Paypal email with an url shortener + score GB_PAYPAL_SHORT 2.0 +endif + +ifplugin Mail::SpamAssassin::Plugin::URIDetail + uri_detail GB_INVOICE_GDRIVE cleaned =~ /drive\.google\.com\/uc\?export\=download/ text =~ /pay\s+invoice/i + describe GB_INVOICE_GDRIVE Invoice link to GDrive + score GB_INVOICE_GDRIVE 2.0 + + uri_detail GB_INVOICE_DROPBOX cleaned =~ /dropbox\.com\/.{3,128}\.html/ text =~ /invoice|receipt/i + describe GB_INVOICE_DROPBOX Invoice link to Dropbox + score GB_INVOICE_DROPBOX 2.0 + + uri_detail GB_PASS_GTRANSLATE cleaned =~ /\.translate\.goog\// text =~ /same password/i + describe GB_PASS_GTRANSLATE Google Translate service abuse + score GB_PASS_GTRANSLATE 1.5 + + uri_detail GB_WEBCORE_PASS cleaned =~ /\.web\.core\.windows\.net\// text =~ /same password/i + describe GB_WEBCORE_PASS Windows web core service abuse + score GB_WEBCORE_PASS 1.5 +endif + #COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i 
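Review bot: `__GB_FROM_PAYPAL` is defined twice in this hunk with different meanings — first `From:addr =~ /\@(?:intl\.)?paypal.com(?:\.au|\.mx)?/`, then further down `From:name =~ /Paypal/i`; as far as I know SpamAssassin keeps the last definition for a rule name, so `GB_FAKE_INVOICE` ends up testing the display name, while the `__GB_FROM_PAYPAL && !__GB_ENVFROM_PAYPAL` pairing in `GB_PAYPAL_BTC_PHONE` and `GB_PAYPAL_SHORT` is the only place the name form was presumably wanted. Rename the second one, e.g. `header __GB_FROMNAME_PAYPAL From:name =~ /Paypal/i`, and point those two metas at it. The address pattern also has an unescaped dot and no end anchor; `\@(?:intl\.)?paypal\.com(?:\.au|\.mx)?$` pins it to the real domains. `__GB_OBFU_PHONE` and `__GB_FRAUD_PAYPAL` are `replace_rules` targets whose `<TAG>` tokens appear stripped in this rendering (the `(?:)` and `||` fragments), so I am not judging those patterns from here.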
@@ -3204,12 +3248,12 @@ header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|am body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/ body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i -meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3) +meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 4) describe KAM_COMPROMISED Compromised Accounts Sending Spam score KAM_COMPROMISED 8.25 #GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK -header __KAM_LIST2A List-ID =~ /^?$/i +header __KAM_LIST2A List-ID =~ /^?$/i header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1) @@ -3477,6 +3521,7 @@ endif header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]|\[\#+ ?SPAM\]/i header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i +header __GB_M365_SPAM x-forefront-antispam-report =~ /SFV:SPM\;/ meta KAM_MARKADV (__KAM_MARK1 >= 1) describe KAM_MARKADV Email arrived marked as an Advertisement @@ -3486,6 +3531,10 @@ meta KAM_MARKSPAM (__KAM_MARK2 >= 1) describe KAM_MARKSPAM Email arrived marked as Spam score KAM_MARKSPAM 4.0 +meta GB_M365_SPAM ( __GB_M365_SPAM >= 1 ) +describe GB_M365_SPAM Email arrived marked as Spam by M365 +score GB_M365_SPAM 4.0 + meta KAM_MARKVIRI (__KAM_MARK3 >= 1) describe KAM_MARKVIRI Email arrived marked as Virus score KAM_MARKVIRI 10.0 
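Review bot: `GB_M365_SPAM` honours `x-forefront-antispam-report` wherever it appears, so it inherits whatever trust the site places in that header: it is only a genuine verdict when Microsoft 365 is an upstream hop of this SpamAssassin instance, and a copy surviving a forward or resend of a legitimate message is worth 4.0 points against it. That is the same trade-off the existing `KAM_MARKSPAM` makes with subject tags, so it may well be accepted, but it should be written down next to the meta: `# GB_M365_SPAM: trusts the M365 verdict header as-is (no trusted-hop check); SFV:SPM = filtered as spam`. The header definition sits in the second hunk on this line and the meta in the third; the note applies to both.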
@@ -3572,11 +3621,11 @@ body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2) describe KAM_SOLAR Solar Power Spams -score KAM_SOLAR 1.9 +score KAM_SOLAR 1.0 -meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3) -describe KAM_SOLAR2 Definite Solar Power Spams -score KAM_SOLAR2 1.9 +meta KAM_SOLAR_HIGH (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3) +describe KAM_SOLAR_HIGH Definite Solar Power Spams +score KAM_SOLAR_HIGH 2.5 #ASIAN BRIDE header __KAM_ASIAN1 Subject =~ /(Chinese|Asian) (girl|Lad|Bride)|heart?beat when seeing her|such a beauty/i @@ -5260,6 +5309,15 @@ meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INV score KAM_INVOICE2 5.5 describe KAM_INVOICE2 Phishing invoice spam +meta GB_INVOICE3 ( __WORD_INVIS_2 && __KAM_INVOICE2 ) +describe GB_INVOICE3 Phishing invoice spam +score GB_INVOICE3 0.5 + +header __GB_INV_SHIP Subject =~ /invoice|shipment/ +meta GB_INVOICE4 ( PCCC_BAD_FREE_URI && ( __GB_INV_SHIP || __KAM_INVOICE2 || __KAM_INVOICE3 ) >= 2 ) +describe GB_INVOICE4 Invoice spam with free hosting links +score GB_INVOICE4 0.25 + # GRIPEEZ header __KAM_GRIPPY1 From =~ /gripeez/i header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i 
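Review bot: Renaming `KAM_SOLAR2` to `KAM_SOLAR_HIGH` removes a rule name that sites may reference in local `score` or `meta` overrides; those now point at an undefined rule and are ignored or flagged by `--lint`. A one-line note beside the new meta, `# KAM_SOLAR2 renamed KAM_SOLAR_HIGH`, would help anyone diffing their local.cf. `KAM_SOLAR` and `KAM_SOLAR_HIGH` both fire on a three-hit message (1.0 + 2.5), which looks intentional but is worth stating in the describe text.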
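Review bot: `GB_INVOICE4` can never fire as written: in `( PCCC_BAD_FREE_URI && ( __GB_INV_SHIP || __KAM_INVOICE2 || __KAM_INVOICE3 ) >= 2 )` the `>=` binds tighter than `&&`, so the comparison applies only to the `||` group, which evaluates to 0 or 1 and is never `>= 2`. The sibling metas in this commit (`GB_FAKE_INVOICE`, `GB_FAKE_ZOHOINVOICE`) use `+` for counting; if the intent is "free-hosting URI plus at least one invoice cue", write `meta GB_INVOICE4 ( PCCC_BAD_FREE_URI + ( __GB_INV_SHIP || __KAM_INVOICE2 || __KAM_INVOICE3 ) >= 2 )`, and if it is simply "both", drop the `>= 2`. Separately, `__KAM_INVOICE2` is not among the subrules summed in the visible `KAM_INVOICE2` meta (it goes from `__KAM_INVOICE1` straight to `__KAM_INVOICE3`), so confirm it is actually defined — `GB_INVOICE3` depends on it as well.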
@@ -5549,21 +5607,21 @@ describe KAM_DRIVE Spam for ordering office equipment #LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA ifplugin Mail::SpamAssassin::Plugin::RaptorOnly - meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1) + meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1) score KAM_QUITE_BAD_DNSWL 3.25 describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL else - meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1) + meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1) score KAM_QUITE_BAD_DNSWL 3.25 describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL endif ifplugin Mail::SpamAssassin::Plugin::RaptorOnly - meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2) + meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2) score KAM_BAD_DNSWL 7.0 describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL else - meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + 
RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2) + meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2) score KAM_BAD_DNSWL 7.0 describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL endif 
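Review bot: Both branches of `KAM_QUITE_BAD_DNSWL` and `KAM_BAD_DNSWL` drop `RCVD_IN_SORBS_DUL` and `KAM_MESSAGE_EMAILBL_PCCC` from the blacklist tally without any record of why, and the describe text ("various RBL") does not name the lists counted, so the reason is lost to the next reader. A comment above the first `ifplugin` such as `# SORBS_DUL / KAM_MESSAGE_EMAILBL_PCCC dropped from the RBL tally: <reason, e.g. list retired>` (reason to be filled in by the author) would preserve it. Since the two metas are otherwise identical apart from the Raptor-only lists, a note that they must be edited in step would also not hurt.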
@@ -6064,22 +6122,22 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7 - body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|ld (a )?mlwr||hacked yur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera|device was infected|i recorded you|gained access to your device/i + body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|ld (a )?mlwr||hacked yur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera|device was infected|i recorded you|gained access to your device|I know a\s?lot about you|installed it on all your devices|our sstem was breached|ntlled a troj/i #Bitcoin / Etc. 
- body __KAM_CRIM2 /(\-?|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|\b(?\-?|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|\b(?he|a) paymen|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address|Address part||negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin|buy bitcoin \(BTC\) here/i + body __KAM_CRIM3 /make (he|a) paymen|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address|Address part||negotiation|USD.? 
in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin|buy bitcoin \(BTC\) here|your Bitcoin QR code|Transfer \$\d+ in Bitcoin|\$\d+ trfr to wllet/i #Sexually explicit - body __KAM_CRIM4 /erotica||p(ro|or)nographic movie|promising evidence||playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult|spy on you over your cam|pleasuring yourself/i + body __KAM_CRIM4 /erotica||p(ro|or)nographic movie|promising evidence||playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult|spy on you over your cam|pleasuring yourself|adult site|jerking off|mature content|explicit material|intimate footage|highly controversial video/i #TIME - body __KAM_CRIM5 /(twenty.?four|24).?hurs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|trnsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts|not more than \d+ days?|\d hours to make a pay|you have \d+ hour/i + body __KAM_CRIM5 /(twenty.?four|24).?hurs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? 
to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|trnsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts|not more than \d+ days?|\d hours to make a pay|you have \d+ hour|give you \d+ hours.{0,20} to pay|have one day to sort this out|crucial you respond swiftly|time is almost up|within \d+ hours|Second option is to pay|one day to sort this out/i #Subject - header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know|check the information|Regarding you /i + header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know|check the information|Regarding you |suspected harmful activit|account is hacked|data is stolen/i header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i 
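Review bot: The `__KAM_CRIM5` tail adds `one day to sort this out` after `have one day to sort this out`, which it already subsumes, so the second alternative is redundant and can be dropped. `within \d+ hours` is also a very common phrase in legitimate shipping and support mail; as the subrule is only one term of a meta that lives outside this hunk the exposure is bounded, but it is the broadest addition here and a little more context (for example requiring the payment wording that the neighbouring alternatives carry) would keep it in character with the rest of the pattern. The `__KAM_CRIM6` additions (`account is hacked`, `data is stolen`) are subject-only and look fine.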
@@ -6118,11 +6176,11 @@ describe KAM_ZWNJ Use of zero width null characters indicates a goal to elude sc meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2) describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners -score KAM_ZWNJ 5.25 +score KAM_ZWNJ 2.5 #LOWERED FROM 5.25 describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1) -score KAM_ZWNJBAD 2.0 +score KAM_ZWNJBAD 1.25 #LOWERED FROM 2.0 #ZWNS - Zero Width Non-Breaking Space body __KAM_ZWNS1 /\xef\xbb\xbf/ @@ -6130,7 +6188,7 @@ tflags __KAM_ZWNS1 multiple maxhits=16 meta KAM_ZWNS ( __KAM_ZWNS1 >= 16 ) describe KAM_ZWNS Use of zero width space characters indicates a goal to elude scanners -score KAM_ZWNS 2.5 +score KAM_ZWNS 1.25 #LOWERED FROM 2.5 #GIRLS body __KAM_GIRLS1 /Lack of sex/i @@ -6203,7 +6261,7 @@ describe SCC_35_SHORT_WORD_LINES 35 lines with many short words meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35 # Redefine WORD_INVIS_MANY to get rid of FPs -meta WORD_INVIS_MANY ( __WORD_INVIS_2 && ! T_SCC_BODY_TEXT_LINE ) +meta WORD_INVIS_MANY ( __WORD_INVIS_2 && ! __BODY_TEXT_LINE ) # A pattern seen in subscription-bombings describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects 
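Review bot: `WORD_INVIS_MANY` is redefined against `__BODY_TEXT_LINE` instead of `T_SCC_BODY_TEXT_LINE`; because this overrides a stock rule name, the replacement subrule has to exist in every SpamAssassin release the channel targets, otherwise the meta becomes unsatisfiable (lint reports the undefined dependency). This file guards version-specific rules elsewhere with `if (version >= ...)`, but this block has no guard, so either wrap it or extend the existing comment: `# Redefine WORD_INVIS_MANY to get rid of FPs (__BODY_TEXT_LINE is provided by stock rules in <version>)`. The `#LOWERED FROM` trailing comments on the rescored lines in the two earlier hunks are a good habit and consistent with the file's use of `\#` escapes inside regexes.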
@@ -6245,8 +6303,8 @@ score KAM_FILE 4.5 header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou|\.quest>?$/i header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater|Canvas?Print|LeptiSense|Hello.?Fresh/i -body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsub|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i -body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t|unable to) see (the|this)? ?image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i +body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsub|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive/i +body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t|unable to) see (the|this)? ?image|visit the page below|Continue Reading|watch now|this is an ad|click here now/i uri __KAM_FUN3A /imgstore.host/i #Subject 
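Review bot: `__KAM_FUN2` loses `this is an advertisement` and `__KAM_FUN3` loses `update preferences` with no record of why; both read like false-positive trims on legitimate opt-in newsletters, which is exactly the kind of decision that gets reverted later if it is not written down. A comment above the two body lines, e.g. `# 'this is an advertisement' / 'update preferences' dropped: <reason, author to confirm>`, would keep the rationale with the rule. The `KAM_FUN` meta that combines these subrules lives outside the hunk.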
@@ -6391,14 +6449,14 @@ endif #trusted_networks 38.124.232.0/24 # CONTACTS / LISTS -header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details|professional industry clients|easy contacts of/i +header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details|professional industry clients|easy contacts of|school districts? 
contacts|list\-2025|Visitor Profiles|contacts 20\d\d/i #title body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) gen|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|(leads|business development|BD|Biz.?Dev) manager|cd services|data intelligence specialist/i tflags __KAM_LIST3_2 nosubject #db for sale -body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? 
list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list|verified direct contact numbers|our list comes with/i +body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list|verified direct contact numbers|our list comes with|(industry|comprehensive) email list|purchasing the vistor\'?s list/i tflags __KAM_LIST3_3 nosubject #db what 
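Review bot: The `__KAM_LIST3_1` addition `list\-2025` hard-codes the year and goes stale in January, whereas `contacts 20\d\d` on the same line already uses the generic form; `list\-20\d\d` keeps the two consistent and avoids a yearly edit. In `__KAM_LIST3_3`, `vistor\'?s` presumably targets the spammer's misspelling on purpose, and a short marker such as `# 'vistor' sic` would stop the next editor from "fixing" it. The meta that combines these subrules is outside the hunk.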
@@ -6468,14 +6526,14 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc tflags KAM_DMARC_REJECT net reuse KAM_DMARC_REJECT describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy - score KAM_DMARC_REJECT 6.0 + score KAM_DMARC_REJECT 7.0 header KAM_DMARC_QUARANTINE eval:check_dmarc_quarantine() priority KAM_DMARC_QUARANTINE 500 tflags KAM_DMARC_QUARANTINE net reuse KAM_DMARC_QUARANTINE describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy - score KAM_DMARC_QUARANTINE 3.0 + score KAM_DMARC_QUARANTINE 4.0 header KAM_DMARC_NONE eval:check_dmarc_none() priority KAM_DMARC_NONE 500 @@ -6490,14 +6548,14 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc meta KAM_DMARC_REJECT_TRUNCATE ( KAM_DMARC_REJECT && DKIM_FAILED_TRUNCATE ) describe KAM_DMARC_REJECT_TRUNCATE Dmarc reject on truncated email priority KAM_DMARC_REJECT_TRUNCATE 500 - score KAM_DMARC_REJECT_TRUNCATE -6.0 + score KAM_DMARC_REJECT_TRUNCATE -7.0 tflags KAM_DMARC_REJECT_TRUNCATE net nice reuse KAM_DMARC_REJECT_TRUNCATE meta KAM_DMARC_QUARANTINE_TRUNCATE ( KAM_DMARC_QUARANTINE && DKIM_FAILED_TRUNCATE ) describe KAM_DMARC_QUARANTINE_TRUNCATE Dmarc quarantine on truncated email priority KAM_DMARC_QUARANTINE_TRUNCATE 500 - score KAM_DMARC_QUARANTINE_TRUNCATE -1.5 + score KAM_DMARC_QUARANTINE_TRUNCATE -4.0 tflags KAM_DMARC_QUARANTINE_TRUNCATE net nice reuse KAM_DMARC_QUARANTINE_TRUNCATE @@ -6675,7 +6733,7 @@ if (version >= 3.004003) #LAUNCH PCCC WILD RBL ifplugin Mail::SpamAssassin::Plugin::HashBL - rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP + rbl_headers EnvelopeFrom,Reply-To,Resent-from,X-Sender,X-Source-IP # mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP) header PCCC_HDR_MARKETINGBL eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32') 
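Review bot: After adding `Resent-from` to `rbl_headers`, the comment on the following line, `# mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)`, is stale and should read `(EnvelopeFrom,Reply-To,Resent-from,X-Sender,X-Source-IP)`. `Resent-from` is also the only entry not in the canonical RFC 5322 capitalisation (`Resent-From`); header matching is case-insensitive so this is style only, but it is worth aligning with `Reply-To`. The DMARC rescoring in the two preceding hunks makes each `*_TRUNCATE` offset cancel its base score exactly (7.0/-7.0, 4.0/-4.0), which reads as intended; a comment on the first of them, `# TRUNCATE offsets mirror the base scores - keep in sync`, would stop the next rescore from drifting.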
@@ -6684,7 +6742,7 @@ if (version >= 3.004003) score PCCC_HDR_MARKETINGBL 0.001 priority PCCC_HDR_MARKETINGBL -100 - header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To') + header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To,Resent-from') describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL) tflags PCCC_HDR_REPLYTO net score PCCC_HDR_REPLYTO 7.5 @@ -6713,7 +6771,7 @@ if (version >= 3.004003) # Freemail address in Reply-To header found on PCCC HashBL # this rule needs 99_hashbl.cf to work - header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail') + header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To,Resent-from', '^127\.', 'freemail') describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL) tflags PCCC_HASHBL_FREEMAIL net score PCCC_HASHBL_FREEMAIL 4.5 @@ -6741,7 +6799,7 @@ if (version >= 3.004003) priority PCCC_HASHBL_EMAIL -100 # Email address in custom email headers found on PCCC HashBL - header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all') + header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Resent-from/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all') describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL) tflags PCCC_HASHBL_HDR_EMAIL net score PCCC_HASHBL_HDR_EMAIL 3.5 
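Review bot: `PCCC_HASHBL_FREEMAIL` passes `'Reply-To,Resent-from'` to `check_hashbl_emails`, while `PCCC_HASHBL_HDR_EMAIL` in the same commit separates its header list with `/` (`'Reply-To/Resent-from/Disposition-Notification-To/...'`); as far as I can tell the HashBL header argument is slash-separated, so the comma form is read as a single header named `Reply-To,Resent-from`, which no message carries, and the rule would quietly stop matching. Change it to `'Reply-To/Resent-from'` and verify with a test message that both headers still trigger it. The comma form is correct for `rbl_headers`/`check_rbl_headers` in the hunk above, which is probably where it was copied from. The `describe` for `PCCC_HASHBL_FREEMAIL` still says "in reply-to" and should mention Resent-From as well.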
@@ -6754,31 +6812,37 @@ if (version >= 3.004003) score PCCC_HASHBL_SHORT_URI 9.5 priority PCCC_HASHBL_SHORT_URI -100 + if (version >= 4.000000) + header __GB_LISTID List-ID =~ /^(?.{1,32})$/ + header PCCC_HASHBL_LISTID eval:check_hashbl_tag('wild.pccc.com', 'md5', 'LISTID', '^127\.0\.0\.5') + tflags PCCC_HASHBL_LISTID net + score PCCC_HASHBL_LISTID 9.0 + priority PCCC_HASHBL_LISTID -100 + endif + endif endif #END of TEST OF HASHBL ADDITIONS #LABEL +# SUBJ header __KAM_LABEL1 Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting|tailor)/i -body __KAM_LABEL2 /meet at your office|quick lead time/i -body __KAM_LABEL3a /make custom (shirts|sports|jackets|suits)/i -# bug fix thanks to Moritz Friedrich -body __KAM_LABEL3b /PPE/ -body __KAM_LABEL4 /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i +# MEET +body __KAM_LABEL2 /meet (you )?at your (home|office)|quick lead time/i +# CUSTOM +body __KAM_LABEL3 /(custom.?tailored|make custom) (shirts|sports|jackets|suits)/i +# SHIRTS /WARDROBE +body __KAM_LABEL4 /(suits start at \$|shirts at \$|upgrad(e|ing) your wardrobe)|refreshing your work wardrobe/i +# FABRIC body __KAM_LABEL5 /(premier|top|luxury) (clothing|fabric)|fortune 500/i -body __KAM_LABEL6 /\| Label|Label Health/i +# LABEL +body __KAM_LABEL6 /\| Label|Company, Label,/i -header __KAM_LABEL7 Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i -body __KAM_LABEL8 /face ?mask|(^|\b)PPE(\b|$)/i -meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6) +meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + __KAM_LABEL3 + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 >= 6) describe KAM_LABEL Tailored clothier spam score KAM_LABEL 9.0 -meta KAM_LABEL2 ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3) -describe KAM_LABEL2 PPE Spam -score KAM_LABEL2 9.0 - #RBLOBFU body 
__KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i @@ -6877,7 +6941,7 @@ score GB_WEBFORM 2.0 #thanks to Chip for another Spample on 2020-03-07 header __KAM_SENDGRID1 EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i header __KAM_SENDGRID1A Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i -header __KAM_SENDGRID2 Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i +header __KAM_SENDGRID2 Received =~ /ismtp.*?.sendgrid\.net|outbound\-mail\.sendgrid\.net \[/i meta KAM_SENDGRID ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2) describe KAM_SENDGRID Sendgrid being exploited by scammers 
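Review bot: As shown, the new `__GB_LISTID` pattern `/^(?.{1,32})$/` is not a valid regex — `(?` must be followed by a group modifier — and `check_hashbl_tag(..., 'LISTID', ...)` on the next line expects a named capture to populate the `LISTID` tag, so the intended line is presumably `header __GB_LISTID List-ID =~ /^(?<LISTID>.{1,32})$/`; if the angle-bracketed name was dropped by the page rendering this is moot, otherwise the rule fails to compile. `PCCC_HASHBL_LISTID` is also the only scoring rule in this block without a `describe` line; `describe PCCC_HASHBL_LISTID List-ID value found on PCCC HashBL (https://raptor.pccc.com/RBL)` would match its neighbours. The enclosing `if (version >= 3.004003)` block starts outside the hunk.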
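Review bot: The fix escapes the dot before `net` but leaves the one before `sendgrid` in `ismtp.*?.sendgrid\.net` unescaped, so that position still matches any character; `/ismtp.*?\.sendgrid\.net|outbound\-mail\.sendgrid\.net \[/i` finishes the escape the commit started. Since `.*?` already absorbs whatever precedes the dot, the change only tightens the pattern and cannot lose matches on real hostnames.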
@@ -6997,18 +7061,25 @@ score KAM_COVID3 7.5 #VOICEMAIL SCAM replace_rules __KAM_VM3 +#URI uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com|github\.io|netlify\.app|sendgrid\.net|dynamics\.com/i + +#Subject or FROM header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File|voice note duration|voice-audio|telephone vm|portal/i header __KAM_VM2A From =~ /-xxxx|tele-mail/i + +#Body body __KAM_VM3 /(Voice.?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail|Virtual ffice Extenson)|caer left you a message|play voice/i tflags __KAM_VM3 nosubject body __KAM_VM4 /recorded voice|audio message|Caller.?id|CID:|mailbox \d|sign document|new vm on/i tflags __KAM_VM4 nosubject + +#Content Type ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?$/i endif -meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 3) +meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 4) score KAM_VM 5.5 describe KAM_VM Voice Mail & Fax Scams 
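Review bot: In `__KAM_VM1`, `\/api\/v1\/click\|\.sharepoint\.com\/personal\/` escapes the pipe, so `/api/v1/click` and `.sharepoint.com/personal/` form one alternative that matches only the literal string `/api/v1/click|.sharepoint.com/personal/`, which no URI contains; both indicators are dead, and the threshold raised to `>= 4` makes every lost sub-rule matter more. `\/api\/v1\/click|\.sharepoint\.com\/personal\/` (no backslash before the pipe) restores them. The commit labels this line `#URI` but leaves the pattern itself untouched.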
@@ -7042,7 +7113,7 @@ body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|les body __KAM_BENEFICIARY3A /(e\-|ELECTRONIC )TICKET RECeipt/i #where -body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i +body __KAM_BENEFICIARY4 /(Ghana|\b(?:South\s)?Africa\b|China|Greece|Estonia|United kingdom|foreign|(your|my) country\b|\bBenin\b|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|\bSyria\b|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general/i #how much body __KAM_BENEFICIARY5 /\d{1,32} ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy|\d million|investment in your country/i #sob 
@@ -7099,17 +7170,17 @@ score KAM_JOB2 7.5 #WEB #subject -header __KAM_WEB2_1 Subject =~ /follow|next step|web(site)? (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress|inquiry web.?site|prices|developing mobile innovation|new web|develoment/i +header __KAM_WEB2_1 Subject =~ /follow|next step|web(site)? (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress|inquiry web.?site|prices|developing mobile innovation|new web|develoment|web development offer/i #price or person - purposefully looks at subject too -body __KAM_WEB2_2 /(inexpensive|affordable) (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)|i am a professional|team of experts|i am from india/i +body __KAM_WEB2_2 /(inexpensive|affordable) (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)|i am a professional|team of experts|i am from india|development company/i #product body __KAM_WEB2_3 /web(site)? (design|develop)|(better|new|refreshed) website|website audit|fresh look|redesign your website|mobile application devel|redesign your existing web|apps solution/i tflags __KAM_WEB2_3 nosubject #sample/offer -body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements|anything you can imagine|send you a quote|share a few example|you'?re? requirement/i +body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements|anything you can imagine|send you a quote|share a few example|you'?re? requirement|share your requirement/i tflags __KAM_WEB2_4 nosubject meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5) 
@@ -7194,21 +7265,23 @@ score KAM_CELEB 4.5 #BEAL AND SIMILAR IMPERSONATOR ifplugin Mail::SpamAssassin::Plugin::RaptorOnly - replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9}|C\x{C3}\x{83}\x{C2}\x{B4}t\x{C3}\x{83}\x{C2}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee|Janet Smith|Christian Gardner|Calvin Johnson|rick cole|(James A.|Andy) Sheppard) +# remove Daram Van Oers temporarily + replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. 
Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9}|C\x{C3}\x{83}\x{C2}\x{B4}t\x{C3}\x{83}\x{C2}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee|Janet Smith|Christian Gardner|Calvin Johnson|rick cole|(James A.|Andy) Sheppard|Mathieu Fournier|Aaron Rash|William Schoor|Morris Adler|Paul Lefebvre|Bobby Boursiquot) replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3 #from - header __KAM_BEAL1 From:name =~ //i + header __KAM_BEAL1 From:name =~ /|TIME.?SENSITIVE|HASTE.?FEEDBACK|one.?moment|Urgent.?(message|task)|QUICK RESPONSE|REQUEST|TIMELY RESPONSE/i #in addition to freemail header __KAM_BEAL2 From:addr =~ /\@.+\.rr\.com|\@mail\.ru|\@.*\.cz|\@cox\.net/i #Name body __KAM_BEAL3 //i body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+).*/i # Task - body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? 
for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|have|drop) your (phone )?number|(reply me with|confirm|drop|need|attach|email)( (me|with))? your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|can you get (?:this\s)?paid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|(include|confirm) your mobile|Task\!|CONFERENCE MEETING|cartes\-cadeaux|talk a little via email|surprise gift|account balances|in the office today|just respond to my email|send a cell number|aging report|complete an outstanding request|Visa, Apple or Amazon card|purchas(e|ing) these gifts on my behalf|souhaite modifier (?:le|mon\s+)?compte|(set up ACH for|take care of) the attached invoice/i + #removed personal (email|text phone|cell|number) on 7/31/2024 for FP + body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request|assistance)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|organiser le paiement|gifts for their hard|assist me with a task|quick favor|gift cards? 
for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|(leave|have|drop) your (phone )?number|(reply me with|confirm|drop|need|attach|email)( (me|with))? your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|can you get (?:this\s)?paid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|(include|confirm) your mobile|Task\!|CONFERENCE MEETING|cartes\-cadeaux|talk a little via email|surprise gift|account balances|in the office today|just respond to my email|send a cell number|aging report|complete an outstanding request|Visa, Apple or Amazon card|purchas(e|ing) these gifts on my behalf|souhaite modifier (?:le|mon\s+)?compte|(set up ACH for|take care of) the attached invoice|need you to take care of right now|in need of gift cards|what knowledge do you have of gift card|re-?confirm your personal cell|forward(ing)? 
your personal contact|provide your cell(phone) (no|number)|treasurer is unfamiliar with (Zelle|Paypal)|take care of this now|get your help today|delight some staff with gift.?card|Merci pour votre attention rapide|proceed with the payment via (wire|ACH)|aging report|do something for me right away|provide an alternate personal contact/i # question / privacy - body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt (response|reply)|laryngitis|(let me know when|as soon as) you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done|give me a number|comme une surprise|no call, just write|ruin this surprise|currently in session|assistance with an assignment|where we stand with cash|help is needed with an assignment|secretly handle|calls are off.?limit|number I can contact you|it\'s now overdue|can you handle|(send|give) me your personal (cell|num)|email back regarding|executive meeting currently|engaged in a virtual meeting|limited to call|Puis(?:\-|\s)je envoyer .{8,32} maintenant|handle the payment today/i + 
body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt (response|reply)|laryngitis|(let me know when|as soon as) you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done|give me a number|comme une surprise|no call, just write|ruin this surprise|currently in session|assistance with an assignment|where we stand with cash|help is needed with an assignment|secretly handle|calls are off.?limit|number I can contact you|it\'s now overdue|can you handle|(send me|give me|re\-?affirm|share)( with me)? 
your (personal )?(e.?mail|cell|num)|email back regarding|executive meeting currently|engaged in a virtual meeting|limited to call|Puis(?:\-|\s)je envoyer .{8,32} maintenant|handle the payment today|(provide|include) your whatsapp number|middle of a conference|d\x{C3}\x{BB}\s+aupr\x{C3}\x{A8}s|I\'m currently unavailable to handle this myself|assistance in purchasing these gift|(watch|look|eye) ?out for my text|have any of these payment platform|please set up the vendor and make payment|handled confidentially|confidential until|in a virtual meeting|traiter pour paiement|before my next appointment|find the attached invoice|prompt attention to this request|in a long zoom|just for emergency purpose/i # oddlang body __KAM_BEAL6 /sent from my ?mail|depuis mon smartphone|\- Forwarded Message \-|I\'ll need you run/i 
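Review bot: The new `__KAM_BEAL1` appears as `/|TIME.?SENSITIVE|…/i`; presumably the leading alternative is the `<KAM_BEAL_NAMES>` replace tag (the removed line shows as `//i` for the same reason and `replace_rules __KAM_BEAL1` is declared) and was dropped by rendering, but if the file really starts the pattern with `|` the empty alternative matches every From:name and the sub-rule fires on all mail. In `__KAM_BEAL4`, `aging report` now appears twice (before `complete an outstanding request` and again before `do something for me right away`); the second copy can go. Also in `__KAM_BEAL4`, `provide your cell(phone) (no|number)` requires "cellphone" because the group has no `?`; if "provide your cell number" is meant as well, `provide your cell(phone)? (no|number)`. The `# remove Daram Van Oers temporarily` note would be more useful with a date, as the FP note on `__KAM_BEAL4` has.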
@@ -7284,18 +7357,18 @@ score KAM_FAKEMONEYGRAM 5.5 #FAKESHAREPOINT - SEE FAKE_SHAREPOINT2 for Sexually explicit -header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you/i +header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you|unopened invoice/i header __KAM_FAKE_SHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i uri __KAM_FAKE_SHAREPOINT3 /my\.sharepoint\.com/i uri __KAM_FAKE_SHAREPOINT3A /appdomain\.cloud|discordapp\.com|netlify\.app/i -body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap|link will only work/i +body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap|link will only work|our automated system noticed/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_FAKE_SHAREPOINT5 Content-Type =~ /.html?\"?$/i endif # meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 + KAM_SHORT >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3) -meta KAM_FAKE_SHAREPOINT ( ( __KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + __KAM_FAKE_SHAREPOINT5 >= 2 ) && (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + __KAM_FAKE_SHAREPOINT4 + KAM_STORAGE_GOOGLE + KAM_SHORT >= 2 ) ) +meta KAM_FAKE_SHAREPOINT ( ( __KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + __KAM_FAKE_SHAREPOINT5 >= 2 ) && (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + __KAM_FAKE_SHAREPOINT4 + KAM_STORAGE_GOOGLE + KAM_SHORT + GOOG_REDIR_NOTRDNS >= 2 ) ) describe KAM_FAKE_SHAREPOINT Fake Sharepoint Phish score KAM_FAKE_SHAREPOINT 6.0 
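Review bot: `KAM_FAKE_SHAREPOINT` now sums `GOOG_REDIR_NOTRDNS`, which is not defined in this hunk or, as far as shown, in this file and presumably lives in a separate redirector rule file; if that file is not loaded the meta gets an undefined-dependency warning and the term counts as zero, which quietly lowers this rule's hit rate rather than failing loudly. A comment on the meta, `# GOOG_REDIR_NOTRDNS is defined in the redirectors rule file`, would document the cross-file dependency for anyone trimming the include list.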
@@ -7304,6 +7377,14 @@ meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + describe KAM_FAKE_SHAREPOINTLINK Fake Sharepoint Link Phish score KAM_FAKE_SHAREPOINTLINK 4.5 +#Fake document share +ifplugin Mail::SpamAssassin::Plugin::RaptorOnly + header __GB_SUBJ_DOC_FROM Subject =~ /^Document from/i + body __GB_SECURE_DOC /SECURED DOCUMENT/ + meta GB_FAKE_SECURE_DOC ( KAM_RAPTOR_NEW && __GB_SECURE_DOC && __GB_SUBJ_DOC_FROM ) + score GB_FAKE_SECURE_DOC 3.5 +endif + #ENCRYPTED ZIP body __KAM_BADZIP1 /attached (to email|document)|take a look|send this fax/i body __KAM_BADZIP2 /Encrypted zip|File password/i @@ -7337,6 +7418,7 @@ score KAM_VERIZON 9.5 #Docusign SCAM header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service|docusign document|please_complete_document/i header __KAM_DOCUSIGN2 From:name =~ /docusign/i +header __KAM_DOCUSIGN2A From:name =~ /docusign|docshare/i header __KAM_DOCUSIGN3 From:addr !~ /docusign/i uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com|onedrive\.live\.com|\.linodeobjects\.com/i 
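Review bot: `GB_FAKE_SECURE_DOC` is a scoring rule with no `describe` line, unlike `KAM_FAKE_SHAREPOINTLINK` directly above it; add `describe GB_FAKE_SECURE_DOC Fake secured document share` inside the `ifplugin` block so the hit is explained in reports. `__GB_SECURE_DOC /SECURED DOCUMENT/` is case-sensitive while the Subject sub-rule beside it uses `/i`; if the all-caps form is the intended signal, a short comment saying so would stop the next editor from "fixing" it.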
@@ -7356,6 +7438,24 @@ meta KAM_DOCUSIGN_QR ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSI describe KAM_DOCUSIGN_QR Qishing scam with Docusign score KAM_DOCUSIGN_QR 4.5 +ifplugin Mail::SpamAssassin::Plugin::URIDetail + body __GB_FAKE_DOCUSIGNB /review(?:\s+|\_)document|view (completed\s+)?document/i + uri_detail __GB_FAKE_DOCUSIGNU cleaned =~ /\.google\.(?:com|es|it|hu)|demo\.docusign\.net|\.pages\.dev|\.html/ text =~ /(?:review|view completed) document|review and sign|review document/i + meta GB_FAKE_DOCUSIGN ( __KAM_DOCUSIGN2A && ( __KAM_DOCUSIGN3 || __GB_M365_SPAM ) && __GB_FAKE_DOCUSIGNB && ( __KAM_FAKE_EFAX4 || __GB_FAKE_DOCUSIGNU || GOOG_REDIR_DOCUSIGN ) ) + describe GB_FAKE_DOCUSIGN Fake Docusign email + score GB_FAKE_DOCUSIGN 6.0 +endif + +uri __GB_SHAREPOINT /\.sharepoint\.com\//i +meta GB_DOCUSIGN_G_SHARE ( GOOG_REDIR_DOCUSIGN && __GB_SHAREPOINT ) +describe GB_DOCUSIGN_G_SHARE Google redirector to Docusign and a Sharepoint link +score GB_DOCUSIGN_G_SHARE 1.0 + +header __GB_FROM_MICROSOFT From:addr =~ /\@microsoft\.com/ +meta GB_FAKE_SIGNED_MICROSOFT ( __GB_FROM_MICROSOFT && KAM_ONMICROSOFT_RF && DKIM_VALID_AU ) +describe GB_FAKE_SIGNED_MICROSOFT Fake Microsoft signed emails +score GB_FAKE_SIGNED_MICROSOFT 3.0 + #Invalid From header __KAM_TWODOTS From:addr =~ /\@.*\.\./i @@ -7378,7 +7478,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif #IMAGE ONLY -meta KAM_IMAGEONLY ((T_PDS_OTHER_BAD_TLD + PDS_OTHER_BAD_TLD >= 1) + HTML_IMAGE_ONLY_08 >= 2) +meta KAM_IMAGEONLY ( PDS_OTHER_BAD_TLD && HTML_IMAGE_ONLY_08 ) describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image score KAM_IMAGEONLY 0.75 
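Review bot: `__GB_FROM_MICROSOFT From:addr =~ /\@microsoft\.com/` has no end anchor, so any address whose domain merely begins with `microsoft.com` (a constructed example: `microsoft.com.example`) also counts as the impersonated sender; since `From:addr` is the bare address, `/\@microsoft\.com$/` pins it to the real domain, which is what `GB_FAKE_SIGNED_MICROSOFT` ("Fake Microsoft signed emails") seems to assume. Separately, `GB_FAKE_DOCUSIGN` references `GOOG_REDIR_DOCUSIGN`, `__GB_M365_SPAM` and `__KAM_FAKE_EFAX4`, none of which is defined in this hunk; the Google-redirector rule in particular looks like a cross-file dependency worth a comment. The `\.html` alternative in `__GB_FAKE_DOCUSIGNU cleaned =~` matches any URI containing `.html`, which is broad even under the `text =~` conjunct; `\.html$` or a comment on why the loose form is wanted would help.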
@@ -7513,7 +7613,7 @@ describe KAM_FAKEAD Fake Advertisements score KAM_FAKEAD 6.0 #FAKE REGISTRY SCAMS -body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i +body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))(chinanameregistry|china\-registry|domainregistryasia)(\.|\(dot\))(net|com)|www\(dot\)domainregistry\(dot\)org\(dot\)cn/i uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1) 
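Review bot: The body pattern now covers `chinanameregistry`, `china-registry` and `domainregistry.org.cn`, but the companion `uri __KAM_FAKE_REGISTRY2` on the next line still lists only `domainregistryasia\.net|domainregistryasia\.cn`, so a message that carries the new names only inside a link, without the `www.`/`(dot)` text form the body rule looks for, is not caught. Extending it to `/domainregistryasia\.(?:net|cn)|chinanameregistry\.(?:net|com)|china\-registry\.(?:net|com)|domainregistry\.org\.cn/i` keeps the two sub-rules in step.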
@@ -7648,13 +7748,13 @@ score KAM_FROM_NAME_FAKERBL 6.0 replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON3 __KAM_FAKE_NORTON4 #subj -header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renew(al|ing) (id|service) \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|rder d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan (upgraded|activated)|protection alert|order process|payment success|renewal complete/i +header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renew(al|ing) (id|service) \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|rder d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan (upgraded|activated)|protection alert|order process|payment success|renewal complete|Purchase order for \$\d|payment is processed|confirmation of your product/i header 
__KAM_FAKE_NORTON1A To =~ /norton|billing\@geeksquad/i header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt|account.?team/i #Fuzzy Prod -body __KAM_FAKE_NORTON2 /NRTN(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|NrtN.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|Gk\s+squd|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection|norton membership|antvrus \(?ultimate|Subscription Plan|geek standard upfront|Select Powerful Protection|cA\&fnof\;ee|Fee Subscription|PC Guard Protection|mcafee as your security software/mi +body __KAM_FAKE_NORTON2 /NRTN(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|NrtN.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 
360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|Gk\s+squd|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection|norton membership|antvrus \(?ultimate|Subscription Plan|geek standard upfront|Select Powerful Protection|cA\&fnof\;ee|Fee Subscription|PC Guard Protection|mcafee as your security software|Your security.{0,2} now safeguarded|InsightSecure Scanners/mi #Oddlang -body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issues? 
with (your order|the transaction)|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|discunt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order|within the next two hour|payment network regulation|open a dispute|cancellation, call us/i +body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issues? 
with (your order|the transaction)|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|discunt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order|within the next two hour|payment network regulation|open a dispute|cancellation, call us|think this is not authorized/i tflags __KAM_FAKE_NORTON3 nosubject #Order body __KAM_FAKE_NORTON4 /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is paced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear|renewed your product/i 
@@ -7672,6 +7772,19 @@ meta KAM_FAKE_NORTON2 (__KAM_FAKE_NORTON3 + KAM_EVIL_NUMBERS4 + FREEMAIL_FROM > describe KAM_FAKE_NORTON2 Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices score KAM_FAKE_NORTON2 5.0 +#FAKE NORTON WITH OBFU + #SUPPORT +body __KAM_FAKE_NORTON_OBFU1 /contact Norton Support at/i + #OBFU # +body __KAM_FAKE_NORTON_OBFU2 /\+[I1].?\((\d|I){3}\).?(\d|I){3}.?(\d|I){4}/i + #Pay +body __KAM_FAKE_NORTON_OBFU3 /Requesting Payment/i +#__KAM_FAKE_NORTON_OBFU4 TBD: Capture OBFU2 and see if I is in it as a condition + +meta KAM_FAKE_NORTON_OBFU ( __KAM_FAKE_NORTON_OBFU1 + __KAM_FAKE_NORTON_OBFU2 + __KAM_FAKE_NORTON_OBFU3 >= 3) +describe KAM_FAKE_NORTON_OBFU Fake Norton Renewal Notices +score KAM_FAKE_NORTON_OBFU 4.5 + #FAKE CHASE BANK header __KAM_FAKE_CHASE1 Subject =~ /unusual activit|security/i body __KAM_FAKE_CHASE2 /chase online/i 
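Review bot: `__KAM_FAKE_NORTON_OBFU2` matches any `+1 (nnn) nnn nnnn`-shaped number, not only ones with `I` standing in for `1`, so the meta fires on a normally formatted phone number whenever the other two sub-rules hit; the `TBD` comment on `__KAM_FAKE_NORTON_OBFU4` acknowledges this, and until that lands a note on the meta saying the obfuscation is not actually required would keep the rule's name honest. Stylistically, `(\d|I){3}` is a capturing alternation where a character class does the same job; `/\+[I1].?\([\dI]{3}\).?[\dI]{3}.?[\dI]{4}/i` matches identically, and `>= 3` over exactly three terms reads more clearly as `( __KAM_FAKE_NORTON_OBFU1 && __KAM_FAKE_NORTON_OBFU2 && __KAM_FAKE_NORTON_OBFU3 )`. The indented `#SUPPORT` / `#OBFU #` / `#Pay` labels sit at a different column from the rules they describe, unlike the other comment blocks in the file.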
@@ -7840,7 +7953,7 @@ header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl|rece header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification|0rder|\$\d\d\d\.\d\d charged|payment info|subscription|paid the invoice/i body __KAM_FAKE_PAYPAL3 /paypal/i tflags __KAM_FAKE_PAYPAL3 nosubject -body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|(haven'?t|not) made this purchase|contact us immediately|trust & safety|not authorized|file an issue|cancellation|to cancel/i +body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|(haven'?t|not) made this purchase|contact us immediately|trust & safety|not authorized|file an issue|cancellation|to cancel|did\s?n.{1,3}t made this order/i body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited|paid instantly|credit wallet balance/i body __KAM_FAKE_PAYPAL6 /help by phone|call paypal ?(usa|team)|paypal fraud dep|paypal support immediately|before dispatch|paypal consumer credit/i @@ -7981,6 +8094,13 @@ meta KAM_FAKE_AFFIL ( __KAM_FAKE_AFFIL1 + __KAM_FAKE_AFFIL2 + __KAM_FAKE_AFFIL describe KAM_FAKE_AFFIL Fake Affiliates Garbage score KAM_FAKE_AFFIL 4.5 +ifplugin Mail::SpamAssassin::Plugin::RaptorOnly + ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + mimeheader GB_BAD_SVG Content-Type =~ /Employee\sHandbook.{0,16}\.svg/i + describe GB_BAD_SVG Dangerous svg file attached + score GB_BAD_SVG 10.0 + endif +endif #header __KAM_SIREN1 From =~ /Portable Defense Siren/i 
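Review bot: `GB_BAD_SVG` only matches a Content-Type whose parameters contain `Employee Handbook…svg`, but its `describe` says "Dangerous svg file attached" and it scores 10.0, so anyone reading a report will assume every SVG attachment is covered; `describe GB_BAD_SVG SVG attachment using an "Employee Handbook" lure filename` states what is actually tested. Since an attachment's filename is often carried only in `Content-Disposition: ... filename=` rather than in the Content-Type `name=` parameter, a second `mimeheader` sub-rule on Content-Disposition combined with this one would close the gap the name-only match leaves.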
@@ -8147,7 +8267,8 @@ header __KAM_FROM_SPAM_SEP23 From =~ /\@\d\.petra\-.*\.com|ups.?evalu
 header __KAM_FROM_SPAM_OCT23 From =~ /bye.?herpes|compass.?coffee|Kobalt.?giveaway|pain.?relief.?protein|\@(tr\.)?\d\.digiteers\-.*\.com|stanleyToolSet/i
-header __KAM_FROM_SPAM_NOV23 From =~ /Amblebrook.?at.?Gettysburg|mcafee.?warning|tiktok.?shop|\@reloadl?ux\.|metamask.?airdrop|legostar.?nft/i
+#removed tiktok shop as a FP 2025-02-06
+header __KAM_FROM_SPAM_NOV23 From =~ /Amblebrook.?at.?Gettysburg|mcafee.?warning|\@reloadl?ux\.|metamask.?airdrop|legostar.?nft/i
 header __KAM_FROM_SPAM_DEC23 From =~ /SBAlley|home.?foreclosures?.?list|Ad0be.?Acr0bat|real.?social.?mart|nail.?fungus|cardiologists.?shocked/i
@@ -8161,9 +8282,25 @@ header __KAM_FROM_SPAM_APR24 From =~ /ugly.?plant|Mysterious.?Liquid|empiretaxp header __KAM_FROM_SPAM_MAY24 From =~ /Michael Page Recruitment|Page Group Recruiting|MFA\-Enrollments\-Desk|Nina.?video.?(display|etindge)/i -header __KAM_FROM_SPAM_JUN24 From =~ /Purave.?Water.?filter/i +header __KAM_FROM_SPAM_JUN24 From =~ /Purave.?Water.?filter|vagabondtemple\.com|\@qwiklabs.*\.firebaseapp\.com/i -meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 + __KAM_FROM_SPAM_JUL23 + __KAM_FROM_SPAM_AUG23 + __KAM_FROM_SPAM_SEP23 + __KAM_FROM_SPAM_OCT23 + __KAM_FROM_SPAM_NOV23 + __KAM_FROM_SPAM_DEC23 + __KAM_FROM_SPAM_JAN24 + __KAM_FROM_SPAM_FEB24 + __KAM_FROM_SPAM_MAR24 + __KAM_FROM_SPAM_APR24 + __KAM_FROM_SPAM_MAY24 + __KAM_FROM_SPAM_JUN24 >= 1) +header __KAM_FROM_SPAM_JUL24 From =~ /Diabetes.?(defender|solution.?kit)|Black.?Tea.?vs\..?Green.?Tea|Lume.?Deoderant|Chocolate\?vs.?Butter|Fue[il].?Re[il]ief.?Program|loca[il].?food.?he[il]p|Your.?Local.?McDona[il]ds|Trump.?Hat|Power.?Saver.?Pro/i + +header __KAM_FROM_SPAM_AUG24 From =~ 
/10\-seconds|diabetes.?supplement|healthy.?nails|alerts?yourpackage\@|MarriottComfortSquad|cloudphonealert|Unlimited.?TV|destroy.?fat|Anti.?Snoring.?Solution|Hero.?Blanket|repair.?nerves|Senior.?savings|Knee.?pain|10\-seconds|ageless.?dog|Your.?Teeth|Neck.?Cool.?Pro|Ergonomic.?Chairs|Stanley.?Tool.?Set.?Winner|Wrist.?Pain.?Relief|Cordless.?Drill.?driver.?kit.?reward|Ninja.?Air.?Fryer.?Department|Eye.?Nutrient.?Risk|Tool.?Set.?Rewards|Antibacterial.?Sheets|tractor.?supply.?winner|CostcoExclusiveDeals|Enence.?translat|Portable.?wifi|Walmart.?tech.?team|Harbor.?freight.?surprise/i + +header __KAM_FROM_SPAM_SEP24 From =~ /imanuel.?bible.?app|pancake.?swap|Klaudena.?Ergonomic.?Design|CVS.?Shopper.?Gift|Tactic.?Air.?Drone|Zoominfo.?Accounting.?Dept|ninja.?doublestack|keto.?gumm|omaha.?steaks.?exclusive|yeti.?hopper.?flip|SpyRec.?Pro|Prime.?CBD|penis.?(growth|enlargement)|Home.?Depot.?Opinion.?Requested|[\@=]losbuzos\.com|SouthwestAirlines(Online)?Survey/i + +header __KAM_FROM_SPAM_OCT24 From =~ /Huusk\@|Ace.?Unlocked|Skincare.?by.?Marilee|Patriot.?Solar.?Generator|HuluMembership|FreeTrumpShirt|Tractor.?Supply.?Surprise|WalmartDailyFinds\@|radon.?eraser|DunkinDonutsRewardsBoxDepartment|sniperrifle|TheUltimatePrepStore|NewKneesAndHips|Dr\. 
Merritt\'s Health Insights|EnenceTranslator|Collagen.?Booster|Virtual.?Shield.?Alerts|hollywood.?skin.?boost|Overnight.?Pain.?Relief/i + +header __KAM_FROM_SPAM_NOV24 From =~ /exclusive.?offers.?tesco|electric.?ear.?vacuum|Excelsior.?Trading.?Plus.?LLC|Enence.?Translator|Klaudena.?Ergonomic.?Design|Sidewinder.?sling|Night.?Vision.?4.?driving|Enence.?translat|Hardware.?store.?Reward|Tractor.?Supply.?Surprise|predator.?generator|official.?santa.?package|peeting.?at.?night|lowering.?blood.?pressure|ebay.?shopper.?feedback/i + +header __KAM_FROM_SPAM_DEC24 From =~ /\(label\)|medicinal.?garden.?kit|eZScrubpro|FreeTaxUSA.?(Customer|Tool)|Personalized.?Santa.?Letters|Vision.?Boosting.?Secret|Winter.?Secret.?Pro|Ryoko.?WiFi|Painful.?Surgery|ukranian girls|DriveBright.?offer/i + +header __KAM_FROM_SPAM_JAN25 From =~ /Free.?Trump.?Merch|southwest.?airlines.?shopper|Prostate.?Wellness|[a-z]*\.biddingestimatings?\@gmail.com|drop.?lbs.?with.?this|Stuck.?poop.?fast|[a-z]*\.smartleadlist\@gmail\.com|heated.?scarf|restore.?prostate|\@accufin\.|Joint.?pain.?remedy|Anti.?glucose.?mineral|vanishes.?wrinkles|activate.?brain.?power|fast.?constipation.?relief/i + +header __KAM_FROM_SPAM_FEB25 From =~ /perfect.?A1C|pooping.?secret|Neuropathy.?Warning|Total\-T|Urgent.?Wealth.?Warning|hearing.?loss|Statefarm.?safety|Trump.?Collector|Trump.?Gold.?Coin|Sudanese.?sugar.?trick|ancient.?secret.?unveiled|no.?more.?metformin|numb.?hands.?and.?feet|do.?this.?in.?bed/i + +meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 + __KAM_FROM_SPAM_JUL23 + 
__KAM_FROM_SPAM_AUG23 + __KAM_FROM_SPAM_SEP23 + __KAM_FROM_SPAM_OCT23 + __KAM_FROM_SPAM_NOV23 + __KAM_FROM_SPAM_DEC23 + __KAM_FROM_SPAM_JAN24 + __KAM_FROM_SPAM_FEB24 + __KAM_FROM_SPAM_MAR24 + __KAM_FROM_SPAM_APR24 + __KAM_FROM_SPAM_MAY24 + __KAM_FROM_SPAM_JUN24 + __KAM_FROM_SPAM_JUL24 + __KAM_FROM_SPAM_AUG24 + __KAM_FROM_SPAM_SEP24 + __KAM_FROM_SPAM_OCT24 + __KAM_FROM_SPAM_NOV24 + __KAM_FROM_SPAM_DEC24 + __KAM_FROM_SPAM_JAN25 + __KAM_FROM_SPAM_FEB25 >= 1) describe KAM_FROM_SPAM From Indicates a Product Spam score KAM_FROM_SPAM 9.0 @@ -8202,7 +8339,7 @@ if (version >= 4.000000) # +1 (123) 123-4567 # 441 (123) 123-4567 (44 is the hex of the + char, tesseract(1) could convert the '+' sign this way # spaces, + sign, parenthesis and spaces are optional - body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:(\s|,|\^|!|_|\.){1,2})?[(|{|\[]?[0-9]{3}[)|}|\]]?(?:(\-|\s|\.|\*|_|~|,|:|!|_|\xe2\x88\x92){1,2})?[0-9]{3}(?:(\-|\s|\.|\*|_|~|,|"|!|_|\xe2\x88\x92){1,3})?[0-9]{4,6})\b', '127.0.1.16') + body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:(\s|,|\^|!|_|\.|"){1,2})?[(|{|\[]?[0-9]{3}[)|}|\]]?(?:(\-|\s|\.|\*|_|~|,|:|!|_|"|\xe2\x88\x92){1,2})?[0-9]{3}(?:(\-|\s|\.|\*|_|~|,|"|!|_|\xe2\x88\x92){1,3})?[0-9]{4,6})\b', '127.0.1.16') # slow regexp # body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '(?:\*+|\b)(?:\+|4{2})?(?:[\s\*]+)?(?:[0-9]{1,2})?((?:[\s,\^\*]+)?[(|{|\*+]?[0-9]{3}[)|}|\*+]?(?:[-\s\.\*_~,:\*]+)?[0-9]{3}(?:[-\s\.\*_~,"]+)?[0-9]{4,6})(?:\*+|\b)', '127.0.1.16') priority GB_PHONE_RBL -100 
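Review bot: In `__KAM_FROM_SPAM_JUL24`, `Chocolate\?vs.?Butter` escapes the question mark and therefore requires a literal `?` between the words; every neighbouring alternative uses `.?`, so this reads as a typo for `Chocolate.?vs.?Butter` and the intended sender name never matches. Two smaller things in the same hunk: `10\-seconds` is listed twice in `__KAM_FROM_SPAM_AUG24`, and `biddingestimatings?\@gmail.com` in `__KAM_FROM_SPAM_JAN25` leaves the dot unescaped while the sibling `smartleadlist\@gmail\.com` escapes it. The meta at the end of the hunk does list every month through FEB25, so the new sub-rules are wired in.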
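Review bot: `[(|{|\[]?` and `[)|}|\]]?` in `GB_PHONE_RBL` are character classes, so the `|` inside them is a literal pipe, not an alternation; the pattern also accepts `|123|` as bracketing, which is harmless but almost certainly unintended and worth either `[({\[]?` / `[)}\]]?` or a comment saying the pipe is deliberate. The `"` added to the first two separator groups is consistent with the third group, which already allowed it, and `_` remains listed twice in the second group. The `\xe2\x88\x92` byte sequence must stay as an alternation branch rather than be folded into a class, since inside `[...]` it would become three separate bytes.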
@@ -8210,7 +8347,7 @@ if (version >= 4.000000) describe GB_PHONE_RBL Message contains phone number found on blocklist (https://raptor.pccc.com/RBL) score GB_PHONE_RBL 6.0 - rawbody GB_PHONE_RBL_RAW eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', 'tel:\+([0-9]{11})', '127.0.1.16') + rawbody GB_PHONE_RBL_RAW eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', 'tel:(?:\+[0-9])?([0-9]{10,11})', '127.0.1.16') priority GB_PHONE_RBL_RAW -100 tflags GB_PHONE_RBL_RAW net describe GB_PHONE_RBL_RAW Message contains phone number found on blocklist (https://raptor.pccc.com/RBL) @@ -8298,7 +8435,7 @@ score KAM_FAKE_MT 7.5 header __KAM_FAKE_SHARE1 Subject =~ /document shared with you/i body __KAM_FAKE_SHARE2 /sent you the following/i -meta KAM_FAKE_SHARE ( __KAM_FAKE_SHARE1 + __KAM_FAKE_SHARE2 + KAM_GOOGLE_REDIR >= 3) +meta KAM_FAKE_SHARE ( __KAM_FAKE_SHARE1 + __KAM_FAKE_SHARE2 + __GB_ANY_REDIR >= 3) describe KAM_FAKE_SHARE Fake sharing email scam score KAM_FAKE_SHARE 4.5 @@ -8307,7 +8444,7 @@ header __KAM_BTC1 Subject =~ /btc|bitcoin/i body __KAM_BTC2 /passive income/i tflags __KAM_BTC2 nosubject -meta KAM_BTC ( __KAM_BTC2 + __KAM_BTC2 + KAM_GOOGLE_REDIR >= 3) +meta KAM_BTC ( __KAM_BTC2 + __KAM_BTC2 + __GB_ANY_REDIR >= 3) describe KAM_BTC BTC Investment Scam score KAM_BTC 8.5 
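Review bot: The new `tel:(?:\+[0-9])?([0-9]{10,11})` changes what `GB_PHONE_RBL_RAW` sends to the blocklist: for `tel:+15551234567` the optional `\+[0-9]` consumes `+1` and the capture becomes the 10-digit `5551234567`, whereas the old pattern captured all 11 digits after the plus. If wild.pccc.com is keyed on the full number including the country digit those lookups now miss, while a `tel:` URI without `+` is still captured with its leading digit, so the two forms of the same number are looked up differently. A one-line comment stating which form the list expects, e.g. `# capture drops a leading +<country digit>; list is keyed on the national number`, would make the intent checkable.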
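Review bot: `__GB_ANY_REDIR` is not defined anywhere in this file's hunks; it replaces `KAM_GOOGLE_REDIR` in `KAM_FAKE_SHARE` here and in `KAM_BTC` and `KAM_FAKE_SECURITY` below, and presumably comes from a companion redirector rules file. A meta whose dependency is undefined lints with a warning and evaluates that term as 0, which with `>= 3` over three terms means these rules can never fire, so a comment at the first use naming the provider would help: `# __GB_ANY_REDIR: defined in <redirector rules file>`.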
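Review bot: `KAM_BTC` still counts `__KAM_BTC2` twice and never references `__KAM_BTC1`, so with the redirector term it fires at 8.5 points on any message containing "passive income" plus a redirector link, with no bitcoin/BTC signal required. The line is touched by this commit, so it is the moment to make it `meta KAM_BTC ( __KAM_BTC1 + __KAM_BTC2 + __GB_ANY_REDIR >= 3)`, or, if the duplication is deliberate, to say so in a comment and drop the unused `__KAM_BTC1`.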
@@ -8365,7 +8502,7 @@ score KAM_LEAD_SUPPLY 10.0
 header __KAM_FAKE_LINKEDIN1 From:name =~ /Linkedin/i
 header __KAM_FAKE_LINKEDIN2 From:addr !~ /linkedin\.com$/i
 header __KAM_FAKE_LINKEDIN2A From:addr =~ /googleusercontent/i
-header __KAM_FAKE_LINKEDIN3 Subject =~ /\d+ searches this week|looking at your profile|found by people|matches this job|have \d+ new message|searching for you/i
+header __KAM_FAKE_LINKEDIN3 Subject =~ /\d+ searches this week|looking at your profile|found by people|matches this job|have (?:a|\d+) new message|searching for you/i
 meta KAM_FAKE_LINKEDIN (__KAM_FAKE_LINKEDIN1 + __KAM_FAKE_LINKEDIN2 + __KAM_FAKE_LINKEDIN2A + __KAM_FAKE_LINKEDIN3 >= 3)
 describe KAM_FAKE_LINKEDIN Fake LinkedIn messages
@@ -8434,7 +8571,7 @@ score KAM_GEEKSERVICES 9.0
 body __KAM_FAKE_SECURITY1 /Security Alert/i
 header __KAM_FAKE_SECURITY2 Subject =~ /(Failed login|Account must be updated)/i
-meta KAM_FAKE_SECURITY (__KAM_FAKE_SECURITY1 + __KAM_FAKE_SECURITY2 + KAM_GOOGLE_REDIR >= 3)
+meta KAM_FAKE_SECURITY (__KAM_FAKE_SECURITY1 + __KAM_FAKE_SECURITY2 + __GB_ANY_REDIR >= 3)
 describe KAM_FAKE_SECURITY Likely a fake security alert
 score KAM_FAKE_SECURITY 5.5
@@ -8455,13 +8592,13 @@ endif #FAKE PAYROLL UPDATE #subj -header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) ((re\-)?update|review)|(change|update) (DD|info)|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(stub|pay|information|update|request)|(modification|change) (in|of) (DD|direct.?deposit|account)|Demand Change|^\s$|DD[\- ]*(Authorization|Modify)|help needed|new account|account (change|replace|update)|pay.?roll (update|adjustment)|request? for (change|update)|have a request|RENSEIGNEMENTS\s+.{1,16}\s+BANCAIRES|URGENT(\b|$)|adjustment of bank|ASSIST\!|correction of ACH|paycheck|pay D\-D|payroll \(?info|modifications? to (electronic fund transfer|ACH|EFT)|replac(e|ing) bank info|have a moment|update (of|my) (bank )?account|^Changes$|emolument|D D Pay.?Stub|changement de compte|new deposit|DD SWITCH|Immediate Details Change/i +header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) ((re\-)?update|review)|(change|update) (DD|info|request)|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(stub|pay|information|update|request)|(modification|change) (in|of) (DD|direct.?deposit|account)|Demand Change|^\s$|DD[\- ]*(Authorization|Modify)|help needed|new account|account (change|replace|update)|pay.?roll (update|adjustment)|request? for (change|update)|have a request|RENSEIGNEMENTS\s+.{1,16}\s+BANCAIRES|URGENT(\b|$)|adjustment of bank|ASSIST\!|correction of ACH|paycheck|pay D\-D|payroll \(?info|modifications? 
to (electronic fund transfer|ACH|EFT)|replac(e|ing) bank info|have a moment|update (of|my) (bank )?account|^Changes$|emolument|D D Pay.?Stub|changement de compte|new deposit|DD SWITCH|Immediate Details Change|banking info update|Employee Pay|payroll modification|claim for change|pay request|request for Payroll|updat(e|ing) bank(ing)? info|change in payroll|update pay info|Paystub.?dd|Update on Account|DD Auth/i #urg -body __KAM_FAKE_PAY_UPDATE2 /(for|before|against) (my|the) (subsequent|current|next|upcoming) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|prochaine date de paiement|current pay cycle|next pay (run|date)|Inactive in a few day|on-?time for any ongoing|what data is required|urgent help|next salary|(upcoming|forthcoming) payroll|effective (for this|this|on) pay.?da|effect for next pay|made right now|closed in (a )?few day|for the current pay|next pay period|prompt attention|subsequent payroll|finish the update|can ?not afford any more delay|before the pay.?(roll|date)|straight away|against the upcoming pay|before payroll is run|timely payment|for my current pay|prochain ch.que de paie|quick assistance|account will not be difficult|next pay cycle|immediate effect|before next pay|for the next (check|pay)|(the|this) coming payroll|before the current check|issues with the bank/i +body __KAM_FAKE_PAY_UPDATE2 /(for|before|against) (my|the) (subsequent|current|next|upcoming) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|prochaine date de paiement|current pay cycle|next pay (run|date)|Inactive in a few day|on-?time for any ongoing|what data is required|urgent help|next salary|(upcoming|forthcoming) payroll|effective (for this|this|on) pay.?(day|period)|effect for next pay|made right now|closed in (a )?few day|for the current pay|next pay period|prompt attention|subsequent payroll|finish the update|can ?not afford any more delay|before the pay.?(roll|date)|straight away|against the upcoming 
pay|before payroll is run|timely payment|for my current pay|prochain ch.que de paie|quick assistance|account will not be difficult|next pay cycle|immediate effect|before next pay|for the next (check|pay)|(the|this) coming payroll|before the current check|issues with the bank|submit the new banking details to you|before processing the next pay|prochaine paie|let me know how to proceed|recently changed (account|bank)|ahead of payroll|before.{5,10}the next pay|before the pay cycle/i tflags __KAM_FAKE_PAY_UPDATE2 nosubject #task -body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) (of my|my) (ACH|bank(ing)?|DD|paycheck|payment|pay|new pay) (direct.?deposit|info|account)|new bank(ing)? (details|info)|change the account on my pay|direct.?deposit\s+information|(move|change) (in )?(my|the) (bank|payroll)|account information be change|update my (Pay|bank|account)|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change (on )?my (old account|direct deposit)|updating for my salary|just changed banks|changed my financial institut|DD details changed|new account for my direct deposit|new bank account|informations bancaires|replace my bank(ing)? info|updat(e|ing) my deposit|update my information on pay|passer\s+.\s+un nouveau compte|replace my (previous|current) (bank|direct deposit)|direct.?deposit update|move my paycheck|(change|amend) the direct deposit|Confirmez .{1,16}quand le changement|direct deposit details? has change|new information on file for direct deposit|amending the text about my pay/i -tflags __KAM_FAKE_PAY_UPDATE3 nosubject +body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) (of my|my) (ACH|bank(ing)?|DD|paycheck|Payroll|payment|pay|new pay) (direct.?deposit|deposit account|info|account)|new bank(ing)? 
(details|info)|change the account on my pay|direct.?deposit\s+information|(move|change) (in )?(my|the) (bank|payroll)|account information be change|update my (Pay|bank|account|new checking)|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change (on )?my (old account|direct deposit)|updating for my salary|just changed banks|changed my financial institut|DD details changed|new account for my direct deposit|new bank account|(?:coordonn\x{C3}\x{A9}es|informations) bancaires|replace my bank(ing)? info|updat(e|ing) my deposit|update my information on pay|passer\s+.\s+un nouveau compte|replace my (previous|current) (bank|direct deposit)|direct.?deposit update|d\x{C3}\x{A9}p\x{C3}\x{B4}ts direct|move my paycheck|(change|amend) the direct deposit|Confirmez .{1,16}quand le changement|direct deposit details? has change|new information on file for direct deposit|amending the text about my pay|change my personal paycheck|issue with the DD|replace my pay.?roll info/i +tflags __KAM_FAKE_PAY_UPDATE3 nosubject #sigonly/freemail @@ -8469,7 +8606,7 @@ meta KAM_FAKE_PAY_UPDATE ( ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1 ) + __KAM describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam score KAM_FAKE_PAY_UPDATE 9.0 -meta KAM_FAKE_PAY_UPDATE_LOW ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1 ) && ( __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 2) && ! KAM_FAKE_PAY_UPDATE +meta KAM_FAKE_PAY_UPDATE_LOW ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1 ) && ( __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 2) && ! KAM_FAKE_PAY_UPDATE && !EXTRACTTEXT describe KAM_FAKE_PAY_UPDATE_LOW Likely a fake ACH/Payroll Scam (Lower Confidence) score KAM_FAKE_PAY_UPDATE_LOW 7.5 
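Review bot: `__KAM_FAKE_PAY_UPDATE3` now matches the accented French words with `\x{C3}\x{A9}` / `\x{C3}\x{B4}`, i.e. the UTF-8 byte pairs of `é` and `ô` written as code points; whether that hits depends on whether the body is matched as raw bytes or as decoded characters (`normalize_charset`), since in the decoded case `é` is the single character `\x{E9}`. A form that works in both modes, such as `coordonn(?:\x{E9}|\x{C3}\x{A9})es`, or a comment recording which mode the rule was tested under, would make this robust. The Subject rule also gains `(change|update) (DD|info|request)`, which is broad on its own but still gated by the meta that follows.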
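Review bot: `KAM_FAKE_PAY_UPDATE_LOW` now requires `!EXTRACTTEXT`, a rule that presumably exists only when the ExtractText plugin is loaded; where it is not, the term is undefined and treated as 0, so the guard silently does nothing rather than failing. Wrapping the term in `ifplugin Mail::SpamAssassin::Plugin::ExtractText`, or at least noting the intent with `# !EXTRACTTEXT: skip when the matched text came from attachment extraction`, makes the dependency explicit. The higher-confidence `KAM_FAKE_PAY_UPDATE` meta begins outside the hunk and is unchanged.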
@@ -8491,12 +8628,13 @@ score KAM_HOMEDEPOTE 10.0 #SIGNATURE ONLY VERSION 2.0 if (version >= 4.000000) if can(Mail::SpamAssassin::Plugin::BodyEval::has_plaintext_body_sig_ratio) - body __KAM_SIGONLY_BODY_NONE eval:plaintext_body_length('0','0') - body __KAM_SIGONLY_SIG_100 eval:plaintext_sig_length('100') - meta KAM_SIGONLY __KAM_SIGONLY_BODY_NONE && __KAM_SIGONLY_SIG_100 - score KAM_SIGONLY 3.5 + body __GB_BODY_ONLY_SPACE eval:check_blank_line_ratio('100', '100') + body __KAM_SIGONLY_BODY_NONE eval:plaintext_body_length('0','0') + body __KAM_SIGONLY_SIG_100 eval:plaintext_sig_length('100') + meta KAM_SIGONLY ( __KAM_SIGONLY_BODY_NONE || __GB_BODY_ONLY_SPACE ) && __KAM_SIGONLY_SIG_100 && !__GB_CALENDAR_ATTACH && !__MIME_ATTACHMENT && !__ANY_IMAGE_ATTACH && !__PDF_ATTACH + score KAM_SIGONLY 3.5 else - meta KAM_SIGONLY 0 + meta KAM_SIGONLY 0 endif endif @@ -8519,11 +8657,16 @@ endif #ONMICROSOFT header __KAM_ONMICROSOFT1 From =~ /[-\.]onmicrosoft\.com/i header __KAM_ONMICROSOFT2 Reply-To =~ /[-\.]onmicrosoft\.com/i +header __KAM_ONMICROSOFT3 Resent-from =~ /[-\.]onmicrosoft\.com/i meta KAM_ONMICROSOFT (( __KAM_ONMICROSOFT1 + __KAM_ONMICROSOFT2 >= 1) && !__AUTOREPLY_ASU ) -describe KAM_ONMICROSOFT Mail from or reply-to an unprovisioned domain on Microsoft 365 +describe KAM_ONMICROSOFT Mail From or Reply-to an unprovisioned domain on Microsoft 365 score KAM_ONMICROSOFT 5.0 +meta KAM_ONMICROSOFT_RF ( __KAM_ONMICROSOFT3 && !__AUTOREPLY_ASU ) +describe KAM_ONMICROSOFT_RF Mail Resent-from an unprovisioned domain on Microsoft 365 +score KAM_ONMICROSOFT_RF 0.001 + #FAKE INVOICE header __KAM_FAKE_INVOICEMS1 Subject =~ /invoice/i body __KAM_FAKE_INVOICEMS2 /process ACH/i 
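Review bot: Re-indenting the unchanged `__KAM_SIGONLY_BODY_NONE`, `__KAM_SIGONLY_SIG_100`, `score` and `meta KAM_SIGONLY 0` lines from six to four spaces turns a one-line logic change into an eight-line hunk and hides the real diff; keeping the original indent, or re-indenting in a separate whitespace-only commit, would let the `( … || __GB_BODY_ONLY_SPACE )` and attachment-guard change be reviewed on its own. The new meta also depends on `__GB_CALENDAR_ATTACH`, `__MIME_ATTACHMENT`, `__ANY_IMAGE_ATTACH` and `__PDF_ATTACH`, none defined in this hunk; a comment naming where they live would help, e.g. `# attachment guards are defined in <attachment rules file>`.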
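Review bot: The edited describe text `Mail From or Reply-to an unprovisioned domain` reads as the SMTP `MAIL FROM` (envelope sender), but `__KAM_ONMICROSOFT1` tests the `From:` header; `Mail whose From: or Reply-To: header is an unprovisioned domain on Microsoft 365` avoids that misreading. `KAM_ONMICROSOFT_RF` at 0.001 looks like a data-gathering rule; a comment such as `# observation rule: score to be raised once Resent-From hits are reviewed` would say so to the next maintainer.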
@@ -8533,7 +8676,7 @@ describe KAM_FAKE_INVOICEMS Fake Invoice Scam score KAM_FAKE_INVOICEMS 4.5 #FAKE ACE/LOWES/ETC -replace_rules __KAM_FAKE_LOWES2 __KAM_FAKE_LOWES3 +replace_rules __KAM_FAKE_LOWES2 #VOUCHER/COUPON header __KAM_FAKE_LOWES1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target|burgerking).*(christmas|e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club|gift for you|costco gift.?cert|walgreens bonus points/i 
@@ -8541,7 +8684,7 @@ header __KAM_FAKE_LOWES1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t- body __KAM_FAKE_LOWES2 /Cstc (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS Stre|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from Cstc|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper|gift-voucher|has a prize|home depot\-|home\-depot|kohls(\s|\b|$)|BK Card/i tflags __KAM_FAKE_LOWES2 nosubject #ODDLANG -body __KAM_FAKE_LOWES3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|\bepoint|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|\d+ coupon|\%Subscriber|as an important customer|glft|here is a thanks|202\d has been difficult|how we celebrate|available for download|points-can be used/i +body __KAM_FAKE_LOWES3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you 
\$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|\bepoint|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|\d+ coupon|\%Subscriber|as an important customer|glft|here is a thanks|202\d has been difficult|how we celebrate|available for download|points\-can be used/i #URGENT body __KAM_FAKE_LOWES4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? \d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today|this week|\d is available since|before christmas|act fast|will go quickly/i 
@@ -8598,17 +8741,17 @@ score KAM_TRADEBOT 9.0 #BIDDING/ESTIMATING #NAMES -body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating|maple professionals|international estimating, llc|international estimates, llc|Estemanians, LLC|Dream Estimations|universal estimating llc|unity estimating|Cannon Estimation, LLC/i -header __KAM_BIDEST1B From =~ /bidding|estimat|globalbid/i -header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)|constructions? project|project bid proposal/i - #MORE INFO -body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? 
service|forward us the bid|quote on your project|(fair|sample) (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples|detailed quote|provide detailed quantity take.?off|professional services in Quantity take.?off|provide material take.?off|estimates \& take.?off|20\% discount on your first estimate|cost estimating|architectural projects for us|need of expert construction estimating|handle your construction (take.?offs|estimat)|any job for us regarding estimat|benefit from our estimat|construction estimation service|estimation services are tailored|offer the most precise estimat|detailed commercial estimate|costing \& take\-?off|too much time on construction take-?off|send us plans for proposal/i +body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating|maple professionals|international estimating, llc|international estimates, llc|Estemanians, LLC|Dream Estimations|universal estimating llc|unity estimating|Cannon Estimation, LLC|Estimen LLC|The Global Estimation LLC|USA ESTIMATION LLC|Estimate Builders LLC|Quantify Bids, LLC|Grace Arch & Estimating, LLC|Unity Estimating, LLC|MultiTrade Estimating, LLC/i +header __KAM_BIDEST1B From =~ /bidding|estimat|globalbid|define the scope of work/i +header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)|constructions? 
project|project bid proposal|bid more/i + #MORE INFO (removed detailed quote for FP) +body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|(fair|sample) (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples|provide detailed quantity take.?off|professional services in Quantity take.?off|provide material take.?off|estimates \& take.?off|20\% discount on your first estimate|cost estimating|architectural projects for us|need of expert construction estimating|handle your construction (take.?offs|estimat)|any job for us regarding estimat|benefit from our estimat|construction estimation service|estimation services are tailored|offer the most precise estimat|detailed commercial estimate|costing \& take\-?off|too much time on construction take-?off|send us plans for proposal|construction estimates and takeoffs|share your project drawings|require samples or a quotation|services like quantity takeoff|provide accurate estimates|remind you of our construction estimating|pending projects for architecture or estimation|looking for top\-notch estimation service|send plans \& scope|need estimating support|send over the set of plans/i #TITLE -body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation (department|dept|company)|head of business devel|estimating 
service|estimator|project +manager|Civil, MEP, Architectural|manager of business dev|Sales team|estimation department/i +body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation (department|dept|company)|head of business devel|estimating (manager|service)|estimator|project +manager|Civil, MEP, Architectural|manager of business dev|Sales team|estimation department|bidding estimating|BD Manager/i #OBFU body __KAM_BIDEST4 /\(dot\)/i -meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 ) +meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM + KAM_FROM_URIBL_PCCC >= 1 ) >= 3 ) describe KAM_BIDEST Bidding and Estimating Spam score KAM_BIDEST 7.5 @@ -8737,11 +8880,12 @@ describe KAM_SA_ZA_ABUSE 2TLD Providers prevalent in spam abuse score KAM_SA_ZA_ABUSE 3.0 #FAKE COINBASE -body __KAM_FAKE_COINBASE1 /C\.O\.I\.N\.B\.A\.S\.E/ +body __KAM_OBFU_COINBASE1 /C[\. ]O[\. ]I[\. ]N[\. ]B[\. ]A[\. ]S[\. ]E/i +header __KAM_OBFU_COINBASE2 From:name =~ /C[\. ]O[\. ]I[\. ]N[\. ]B[\. ]A[\. ]S[\. ]E/i -meta KAM_FAKE_COINBASE (__KAM_FAKE_COINBASE1 >= 1) -describe KAM_FAKE_COINBASE Fake Coinbase Email -score KAM_FAKE_COINBASE 3.0 +meta KAM_OBFU_COINBASE ( __KAM_OBFU_COINBASE1 + __KAM_OBFU_COINBASE2 >= 1 ) +describe KAM_OBFU_COINBASE Likely Fake Coinbase Email using Obfuscation +score KAM_OBFU_COINBASE 3.0 #FAKE COINBASE VARIANT header __KAM_FAKE_COINBASE2_1 Subject =~ /billing/i @@ -8914,7 +9058,7 @@ uri __KAM_IPFS /(\.|\b|\/)ipfs\.io\/|\/ipfs\/|https?\:\/\/ipfs\.|https?\:\/\/. uri __KAM_FALSE_IPFS /(\@|\/|^)ipfs\.com/i meta KAM_IPFS ( __KAM_IPFS && !__KAM_FALSE_IPFS) describe KAM_IPFS Abused Protocol for Distributed Content -score KAM_IPFS 12.0 +score KAM_IPFS 18.0 #PHONESYSTEM #DEAL 
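Review bot: `define the scope of work` has been added to `__KAM_BIDEST1B`, which is a `From` header rule, so it only fires if that phrase appears in the sender's display name or address; if it was taken from a body sample it belongs in `__KAM_BIDEST2`, which is the rule the hunk otherwise extends. The `(removed detailed quote for FP)` note on `#MORE INFO` is good practice; the same dated style on the `__KAM_BIDEST1B` addition would make it auditable later.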
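Review bot: Renaming `KAM_FAKE_COINBASE` to `KAM_OBFU_COINBASE` silently orphans any site-local `score KAM_FAKE_COINBASE …` override or meta that referenced the old name; those now point at an undefined rule and a lint warning is the only signal. A short note at the rename site, `# renamed from KAM_FAKE_COINBASE <date>; update local score overrides`, would catch that. The added `/i` flag together with `[\. ]` also makes the rule match a spaced lower-case `c o i n b a s e`, which is presumably intended but worth stating in the describe text.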
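Review bot: `score KAM_IPFS 18.0` is well over three times the usual 5.0 threshold, and the meta has a single exclusion (`!__KAM_FALSE_IPFS`), so one legitimate `ipfs.io` or `/ipfs/` link in an otherwise clean message is now an outright reject that no negative rule can counterbalance. If the intent is for the rule to be decisive on its own, a comment recording that decision (`# deliberately above threshold: IPFS links seen only in phishing`) helps; otherwise a score nearer the threshold keeps ham with incidental IPFS references from being lost.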
@@ -8980,9 +9124,9 @@ endif
 #ADVIDS
 header __KAM_ADVIDS1 From:addr =~ /\@advid|\@.*advids?\.|\@advi\-/i
-body __KAM_ADVIDS2 /video (production|examples|ads|design|ideas)|design explainer|design capabilit|(business|demo) video/i
-uri __KAM_ADVIDS3 /search\?q\=Advids|youtube/i
-body __KAM_ADVIDS4 /(video|content) (director|producer)/i
+body __KAM_ADVIDS2 /video (production|examples|ads|design|ideas|content)|design explainer|design capabilit|(business|demo) video/i
+uri __KAM_ADVIDS3 /search\?q\=Advids|youtube|video samples/i
+body __KAM_ADVIDS4 /(video|content) (director|producer|marketer|creation)/i
 meta KAM_ADVIDS ( __KAM_ADVIDS1 + __KAM_ADVIDS2 + (__KAM_ADVIDS3 + __KAM_ADVIDS4 >= 1) >= 3)
 describe KAM_ADVIDS Video Production Spam
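Review bot: `video samples` in `__KAM_ADVIDS3` is a `uri` rule alternative containing a space, and URIs carry spaces only encoded (`%20`, `+`) or not at all, so this alternative will almost never match; either it belongs in a body rule or the pattern should allow the encoded forms, e.g. `video(?:%20|\+|[-_])?samples`. The `youtube` alternative is unchanged and already matches any YouTube link, so it carries most of `__KAM_ADVIDS3`'s weight in the meta.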
@@ -9024,15 +9168,15 @@ describe KAM_COPOUT Marketing Emails that copout on the verification score KAM_COPOUT 4.5 #DOMAIN/URI TEST CONCEPT -replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan|byte\-bridge\-team|flipcausedemo|techerp|leadoverload\-team|twiz|vissia\-ac|eventgives|sephacquisition|mattia\-100|doug\-376|byron\-lewis|selo\-ai|elevatemkt|business-gps-tetsch|nandreaatos|stephanie\-alic|.*praxis\-business\-brokers\-introduction|tony\-tarkowski|jvrtechllc|fractionl\/sonia-rosa|\-spv|2jm\-9wc\-m84|adrianaidid|bilal\-saeed\-) +replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan|byte\-bridge\-team|flipcausedemo|techerp|leadoverload\-team|twiz|vissia\-ac|eventgives|sephacquisition|mattia\-100|doug\-376|byron\-lewis|selo\-ai|elevatemkt|business-gps-tetsch|nandreaatos|stephanie\-alic|.*praxis\-business\-brokers\-introduction|tony\-tarkowski|jvrtechllc|fractionl\/sonia-rosa|\-spv|2jm\-9wc\-m84|adrianaidid|bilal\-saeed\-|adobosolutions\-calendar\-4tof|verticalsols12|cyrusrsandoval77|fbfb|ikefontaine|ryan\-gonyo|gunaatita|mhoan867|paulam\-leadsignite|mktg\-sales\-leads|marketingteam\-cbox|leadstouchmarketingcal|appventurez\-mobi\-tech) replace_rules __KAM_BADCALENDLY uri __KAM_BADCALENDLY /https?\:\/\/(www\.)?calendly\.com\/(d\/)?(?:\/|\?|\b|$)/i -replace_tag BADIGURIS (?:vakninliorcom) +replace_tag BADIGURIS (?:vakninliorcom|wehackhealth) replace_rules __KAM_BADIG uri __KAM_BADIG /https?\:\/\/(www\.)?instagram\.com\/(?:\/|\?|\b|$)/i -replace_tag BADYTURIS (?:\@muvisaku|mzVih1bMPVE|PXcdLbnO9I4|\-lkrTRz5Ei8) +replace_tag BADYTURIS (?:\@muvisaku|mzVih1bMPVE|PXcdLbnO9I4|\-lkrTRz5Ei8|j87M2BS4Ii8|LnQC_6XdH\-I|nT8luUsO4SU) replace_rules __KAM_BADYT uri 
__KAM_BADYT /https?\:\/\/(www\.)?(youtube\.com|youtu\.be)\/(watch\?v\=)?(?:\/|\?|\b|$)/i @@ -9072,7 +9216,7 @@ replace_tag BADFLOWCODEURIS (?:signalsdefense|rAcrHS8hy) replace_rules __KAM_BADFLOWCODEURIS uri __KAM_BADFLOWCODEURIS /https?\:\/\/(flow\.page|flowcode\.com\/p)\/(?:\/|\?|\b|$)/i -replace_tag BADBOXURIS (?:x6ddn2vwirubrnh5|3nrerkb3hstmpqx9|x6ddn2vwirubrnh5|q3629y3ewqvpmzb3|ic47i4xh8ms6pdd2|wr55diqj4rs785v3|bk5bdzzqbg2f9r7r) +replace_tag BADBOXURIS (?:x6ddn2vwirubrnh5|3nrerkb3hstmpqx9|x6ddn2vwirubrnh5|q3629y3ewqvpmzb3|ic47i4xh8ms6pdd2|wr55diqj4rs785v3|bk5bdzzqbg2f9r7r|i8zkd3af27jznkzm|8hcqbxug96jcdkju|ukv7ra8ka6hi6tqb) replace_rules __KAM_BADBOXURIS uri __KAM_BADBOXURIS /https?\:\/\/docsend\.com\/view\/(?:\/|\?|\b|\#|$)/i 
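Review bot: `x6ddn2vwirubrnh5` appears twice in BADBOXURIS on the new side (first and third entries); it changes nothing for matching but shows tokens are appended without a duplicate check, so drop the second copy. A smaller naming point: the tag and rule say BOX while the URI pattern is `docsend\.com\/view\/`, which sends the next maintainer looking for a box.com rule — BADDOCSENDURIS would follow the convention the sibling tags use (BADCALENDLY, BADHUBSPOT, …).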
@@ -9080,7 +9224,23 @@ replace_tag BADHUBSPOTURIS (?:timote\-chanut|keaton\-flanigan) replace_rules __KAM_BADHUBSPOTURIS uri __KAM_BADHUBSPOTURIS /https?\:\/\/meetings\.hubspot\.com\/(?:\/|\?|\b|$)/i -meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR + __KAM_BADGSITES + __KAM_BADDYNAMICS + __KAM_BADTELEGRAMURIS + __KAM_BADSKYPEURIS + __KAM_BADWHATSAPPURIS + __KAM_BADFLOWCODEURIS + __KAM_BADBOXURIS + __KAM_BADHUBSPOTURIS >= 1) +replace_tag BADLOOKERURIS (?:s74PQVx32qg|vcqPQCIEiwo) +replace_rules __KAM_BADLOOKERURIS +uri __KAM_BADLOOKERURIS /https?\:\/\/lookerstudio\.google\.com\/s\/(?:\/|\?|\b|$)/i + +replace_tag BADYESWAREURIS (?:siniyahs) +replace_rules __KAM_BADYESWAREURIS +uri __KAM_BADYESWAREURIS /https?\:\/\/meet\.yesware\.com\/me\/(?:\/|\?|\b|$)/i + +replace_tag BADXURIS (?:omarmohdomain|I4NZO7DEGe|329FQ5xXLY|wywBeF5oSy|WVg3MrDcuT|jeJ6QmURIo|nlBSAQ8vYx|9eyWNqeGvr|vqw4wHc7JF|Oer3A39I6x|jeeva_ai) +replace_rules __KAM_BADXURIS +uri __KAM_BADXURIS /https?\:\/\/((twitter|x)\.com|t\.co)\/(?:\/|\?|\b|$)/i + +replace_tag BADLINKEDINURIS (?:thomaspropen) +replace_rules __KAM_BADLINKEDINURIS +uri __KAM_BADLINKEDINURIS /https?\:\/\/(www.)?linkedin\.com\/in\/(?:\/|\?|\b|$)/i + +meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR + __KAM_BADGSITES + __KAM_BADDYNAMICS + __KAM_BADTELEGRAMURIS + __KAM_BADSKYPEURIS + __KAM_BADWHATSAPPURIS + __KAM_BADFLOWCODEURIS + __KAM_BADBOXURIS + __KAM_BADHUBSPOTURIS + __KAM_BADLOOKERURIS + __KAM_BADYESWAREURIS + __KAM_BADXURIS + __KAM_BADLINKEDINURIS >= 1) describe KAM_BADDOMAINURI Blocked domain/uri combo score KAM_BADDOMAINURI 9.0 
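Review bot: `(www.)?` in the new `__KAM_BADLINKEDINURIS` has an unescaped dot, unlike the `(www\.)?` used by the calendly/instagram/youtube siblings; it still matches `www.` but also `www` plus any character, and the inconsistency is the kind of thing that gets copied into the next rule. Suggested line: `uri __KAM_BADLINKEDINURIS /https?\:\/\/(www\.)?linkedin\.com\/in\/<BADLINKEDINURIS>(?:\/|\?|\b|$)/i` — none of the `<BADxURIS>` placeholders survive in this rendering of the uri rules, so I am assuming it sits between `in\/` and `(?:` as replace_rules needs. `__KAM_BADXURIS` also matches `t\.co\/` IDs under `/i` although, as far as I know, those short-link IDs are case-sensitive; harmless since it only widens a blocklist, but worth knowing when a token is copied from a t.co sample.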
@@ -9166,7 +9326,7 @@ score KAM_CHECKFILE 8.5 body __KAM_CHECKFILE2_1 /(See|View|check|check) attach(ment|ed) (document|file)/i meta KAM_CHECKFILE2 ( T_OBFU_PDF_ATTACH + __KAM_CHECKFILE2_1 >= 2) -score KAM_CHECKFILE2 8.5 +score KAM_CHECKFILE2 4.0 #lowered from 8.5 on 2025-02-11 describe KAM_CHECKFILE2 Likely File Attachment scam #BAD MAILBOX RELEASE / FINANCIAL REQUEST @@ -9251,6 +9411,13 @@ meta KAM_FAKE_GOOGLEGROUP ( __KAM_FAKE_GOOGLEGROUP1 + __KAM_FAKE_GOOGLEGROUP2 > describe KAM_FAKE_GOOGLEGROUP Google Group posing as a legitimate firm score KAM_FAKE_GOOGLEGROUP 9.0 +replace_rules __GB_OBFU_BANK +header __GB_FROM_GOOGLEDRIVE1 X-Original-Sender =~ /drive\-shares\-noreply\@google\.com/ +header __GB_OBFU_BANK X-Original-From =~ /\s?\s?/i +meta GB_OBFU_BANK_GDRIVE ( __GB_FROM_GOOGLEDRIVE1 && __GB_OBFU_BANK ) +describe GB_OBFU_BANK_GDRIVE Google drive link from obfuscated Bank address +score GB_OBFU_BANK_GDRIVE 2.0 + #LEAD FORENSICS body __KAM_LEAD_FORENSICS1 /leadforensics.{1,32}com|Lead Forensics/i @@ -9273,7 +9440,7 @@ score KAM_FAKE_NETFLIX 7.0 #FAKE_STARBUCKS #domain header __KAM_FAKE_STARBUCKS1A From:name =~ /starbucks/i -header __KAM_FAKE_STARBUCKS1B From:addr !~ /starbucks\.com/i +header __KAM_FAKE_STARBUCKS1B From:addr !~ /starbucks\.com|order\.online/i meta KAM_FAKE_STARBUCKS ( __KAM_FAKE_STARBUCKS1A + __KAM_FAKE_STARBUCKS1B >= 2 ) describe KAM_FAKE_STARBUCKS Fake Starbucks message @@ -9282,7 +9449,7 @@ score KAM_FAKE_STARBUCKS 4.0 #FAKE_SAMSCLUB #domain mismatch header __KAM_FAKE_SAMSCLUB1A From:name =~ /Sam'?s?.?c(1|l|I)ub/i -header __KAM_FAKE_SAMSCLUB1B From:addr !~ /samsclub\.com/i +header __KAM_FAKE_SAMSCLUB1B From:addr !~ /samsclub\.com|synchrony\.com/i #fuzz header __KAM_FAKE_SAMSCLUB2A From:addr =~ /Sam'?s?.?CIub/i header __KAM_FAKE_SAMSCLUB2B Subject =~ /Sam'?s.?CIub/i 
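Review bot: As rendered, `header __GB_OBFU_BANK X-Original-From =~ /\s?\s?/i` matches the empty string, i.e. every message, which would make GB_OBFU_BANK_GDRIVE fire on every `drive-shares-noreply@google.com` share. The `replace_rules __GB_OBFU_BANK` line above it says the letters were written as ReplaceTags placeholders (presumably `<B>\s?<A>\s?<N>\s?<K>`) that this page's renderer has stripped, so this is most likely a display artefact — but please confirm the committed line still carries the tags, and since the rule is meaningless without them add a comment such as `# letters are ReplaceTags placeholders; requires Mail::SpamAssassin::Plugin::ReplaceTags`. `X-Original-Sender =~ /drive\-shares\-noreply\@google\.com/` is also an unanchored substring; `\@google\.com\s*$` would keep a longer domain from qualifying.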
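Review bot: The new exemption `order\.online` in `__KAM_FAKE_STARBUCKS1B` is an unanchored substring, so any From address that merely contains it skips the check — `starbucks@order.online.evil.example` or `promo@starbucksorder.online` both qualify — and the pre-existing `starbucks\.com` has the same hole (`starbucks.com.evil.example`). Since this sub-rule is the whole of the domain test for a 4.0 brand rule, anchor it to the end of the address: `header __KAM_FAKE_STARBUCKS1B From:addr !~ /\@(?:[\w-]+\.)*(?:starbucks\.com|order\.online)$/i`.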
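Review bot: `synchrony\.com` joins `samsclub\.com` as an unanchored substring exemption in `__KAM_FAKE_SAMSCLUB1B`, so `x@synchrony.com.evil.example` is also exempted from the fake Sam's Club check. Anchor the exemption to the end of the address: `header __KAM_FAKE_SAMSCLUB1B From:addr !~ /\@(?:[\w-]+\.)*(?:samsclub\.com|synchrony\.com)$/i`.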
@@ -9340,7 +9507,7 @@ score KAM_FAKE_HOMEDEPOT 5.0 #FAKE COSTCO #domain header __KAM_FAKE_COSTCO_1A From:name =~ /costco/i -header __KAM_FAKE_COSTCO_1B From:addr !~ /costco\.(com|ca)|costcotravel\.com/i +header __KAM_FAKE_COSTCO_1B From:addr !~ /costco\.(com|ca|uk)|costcotravel\.com/i meta KAM_FAKE_COSTCO2 ( __KAM_FAKE_COSTCO_1A + __KAM_FAKE_COSTCO_1B >= 2 ) describe KAM_FAKE_COSTCO2 Fake Costco message @@ -9348,7 +9515,7 @@ score KAM_FAKE_COSTCO2 7.0 #EMPTY MESSAGE FP FOR CALENDARS mimeheader __GB_CALENDAR_ATTACH Content-Type =~ /\b(text\/calendar)\b/i -meta GB_EMPTY_CALENDAR ( ( EMPTY_MESSAGE || SCC_BODY_URI_ONLY ) && __GB_CALENDAR_ATTACH ) +meta GB_EMPTY_CALENDAR ( ( EMPTY_MESSAGE || BODY_URI_ONLY ) && __GB_CALENDAR_ATTACH ) describe GB_EMPTY_CALENDAR Empty message with a calendar attachment score GB_EMPTY_CALENDAR -2.0 @@ -9359,12 +9526,12 @@ score GB_EMPTY_IMAGES -2.0 #FAKE LOWES #domain -header __KAM_FAKE_LOWES_1A From:name =~ /lowes.?home.?improvement|Lowes.?(shopper|Store)|LowesHome/i -header __KAM_FAKE_LOWES_1B From:addr !~ /lowes\.com/i +header __KAM_FAKE_LOWES2_1A From:name =~ /lowes.?home.?improvement|Lowes.?(shopper|Store)|LowesHome|Lowes.?customer.?support|Lowe's.?Shopper/i +header __KAM_FAKE_LOWES2_1B From:addr !~ /lowes\.com/i -meta KAM_FAKE_LOWES ( __KAM_FAKE_LOWES_1A + __KAM_FAKE_LOWES_1B >= 2 ) -describe KAM_FAKE_LOWES Fake Lowes message -score KAM_FAKE_LOWES 4.0 +meta KAM_FAKE_LOWES2 ( __KAM_FAKE_LOWES2_1A + __KAM_FAKE_LOWES2_1B >= 2 ) +describe KAM_FAKE_LOWES2 Fake Lowes message +score KAM_FAKE_LOWES2 4.0 #UNSOLICITED body __KAM_UNSOLICITED1 /Sorry for the unsolicited email/i 
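Review bot: `costco\.(com|ca|uk)` only exempts a literal `costco.uk`; if the FP that prompted it came from Costco's UK site, that address would be under `costco.co.uk`, which this alternation does not match (`co` is neither `com`, `ca` nor `uk`). I can't see the sample, so check which form it was and use `costco\.(?:com|ca|co\.uk)` if it is the latter. While touching it, anchor the exemption as for the other brand rules, `header __KAM_FAKE_COSTCO_1B From:addr !~ /\@(?:[\w-]+\.)*(?:costco\.(?:com|ca|co\.uk)|costcotravel\.com)$/i`, so `costco.com.evil.example` is not also exempted.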
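Review bot: `Lowe's.?Shopper` in `__KAM_FAKE_LOWES2_1A` matches only the ASCII apostrophe; display names in HTML-sourced mail often carry the typographic ’ (U+2019), which this misses, and the other alternatives (`lowes.?home`, `Lowes.?(shopper|Store)`) accept no apostrophe at all. `Lowe.?s.?(?:Shopper|Store|customer.?support)` covers the ASCII forms in one alternative; whether ’ counts as a single character here depends on whether From:name has been decoded before the match, so test it against a sample. The rename to KAM_FAKE_LOWES2 also drops the old KAM_FAKE_LOWES name without an alias, so any local score override for it silently stops applying — a `meta KAM_FAKE_LOWES KAM_FAKE_LOWES2` with `score KAM_FAKE_LOWES 0.001` bridges that for a release.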
@@ -9434,137 +9601,6 @@ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly endif endif -# Adobe redirector -uri GB_ADOBE_REDIR m|^https?://\w+\-rt\-prod\d+\-t.campaign.adobe.com/r/\?id=.{8,24}&p1=|i -describe GB_ADOBE_REDIR Adobe redirector -score GB_ADOBE_REDIR 1.5 - -# Bing redirector -uri GB_BING_REDIR m|^https?://(?:www.)?bing.com/ck/a\?!&&p=.{32,128}&ptn=\d+&|i -describe GB_BING_REDIR Microsoft Bing redirector -score GB_BING_REDIR 1.5 - -# Bizzabo redirector -uri GB_BIZZABO_REDIR m|^https?://events.bizzabo.com/auth/emailAssociatedLogin/verifyTokenAndRedirect\?token=.{10,128}&redirectUrl=|i -describe GB_BIZZABO_REDIR Bizzabo redirector -score GB_BIZZABO_REDIR 1.5 - -# Windows redirector -uri GB_WINDOWS_REDIR m|^https?://\w+.blob.core.windows.net/\w+/\w+.html?\#\w{2}/\d{5}_md/\d+/|i -describe GB_WINDOWS_REDIR Windows redirector -score GB_WINDOWS_REDIR 4.5 - -# Disq.us redirector -uri GB_DISQUS_REDIR m|^https?://(?:www\.)?disq.us/?\?url=https?:|i -describe GB_DISQUS_REDIR Disq.us redirector -score GB_DISQUS_REDIR 1.5 - -# Yandex redirector -uri GB_YANDEX_REDIR m;^https?://[^/]*sba\.yandex\.net/redirect\?;i -describe GB_YANDEX_REDIR Yandex redirect used to obscure spamvertised website -score GB_YANDEX_REDIR 1.5 - -# Flashtalking redirector -uri GB_FLASHTALK_REDIR m;^https?://servedby\.flashtalking\.com/click/.{16,256}&url=https?://;i -describe GB_FLASHTALK_REDIR Flashtalking redirector -score GB_FLASHTALK_REDIR 1.5 - -# RetailRocket redirector -uri GB_RETAILROCKET_REDIR m;^https?://clickproxy\.retailrocket\.net/\?url\.aspx.{1,32}url=http;i -describe GB_RETAILROCKET_REDIR RetailRocket redirector -score GB_RETAILROCKET_REDIR 1.5 - -# ShopMyExchange redirector -uri GB_SHOPMYEXC_REDIR m;^https?://links\.e\.shopmyexchange\.com/.{4,128}&kd=;i -describe GB_SHOPMYEXC_REDIR ShopMyExchange redirector -score GB_SHOPMYEXC_REDIR 1.5 - -# Allaincemh redirector -uri GB_ALLAINCEMH_REDIR m;^https?://url\d+\.allaincemh\.com/ls/click\?;i -describe GB_ALLAINCEMH_REDIR Allaincemh 
redirector -score GB_ALLAINCEMH_REDIR 1.5 - -# Bloom.io redirector -uri GB_BLOOMIO_REDIR m;^https?://email\.mail\.bloom\.io/c/.{256,512};i -describe GB_BLOOMIO_REDIR bloom.io redirector -score GB_BLOOMIO_REDIR 1.5 - -# Dell redirector -uri GB_DELL_REDIR m;^https?://\w\.\w{2}\.home\.dell\.com/r/\?.{8,128}\&p1=;i -describe GB_DELL_REDIR Dell redirector -score GB_DELL_REDIR 1.5 - -# Oneclick redirector -uri GB_ONECLICK_REDIR m;^https?://go\.onelink\.me/\d+\?pid=InProduct.{16,128}&af_web_dp=https?://;i -describe GB_ONECLICK_REDIR Oneclick redirector -score GB_ONECLICK_REDIR 1.5 - -# Powerobjects redirector -uri GB_POWEROBJECTS_REDIR m;^https?://pocloudcentral\.crm\.powerobjects\.net/PowerEmailWebsite/GetUrl\d+\.aspx\?.{16,128}\&pval=https?://;i -describe GB_POWEROBJECTS_REDIR Powerobjects redirector -score GB_POWEROBJECTS_REDIR 1.5 - -# Kmail-lists redirector -uri GB_KMAIL_LISTS_REDIR m;^https?://manage\.kmail\-lists\.com/subscriptions/subscribe/update\?.{16,128}&r=https?;i -describe GB_KMAIL_LISTS_REDIR Kmail-lists redirector -score GB_KMAIL_LISTS_REDIR 1.5 - -# Emlnk redirector -uri GB_EMLNK_REDIR m;^https?://\w+\.\w+\.emlnk\.com/Prod/link\-tracker\?.{4,64}&redirectUrl=;i -describe GB_EMLNK_REDIR Emlnk redirector -score GB_EMLNK_REDIR 1.5 - -# Benchurl redirector -uri GB_BENCH_REDIR m;^https?://clt\d{4,16}\.benchurl\.com/c/l\?.{8,64}&email\=;i -describe GB_BENCH_REDIR Benchurl redirector -score GB_BENCH_REDIR 1.5 - -# Originsmarket redirector -uri GB_ORIGINSMARKET_REDIR m;https?://sp\-track\.originsmarket\.com\.au/api/v1/track/click/\d+/\d+/.{32,64}\?redirecturl=https?://;i -describe GB_ORIGINSMARKET_REDIR Originsmarket redirector -score GB_ORIGINSMARKET_REDIR 1.5 - -# Contactmonkey redirector -uri GB_CONTACTMONKEY_REDIR m;^https?://contactmonkey\.com/api/v1/tracker.{32,256}\&cm_destination=https?://;i -describe GB_CONTACTMONKEY_REDIR Contactmonkey redirector -score GB_CONTACTMONKEY_REDIR 1.5 - -# Turkmenportal redirector -uri GB_TURKMEN_REDIR 
m;^https?://turkmenportal\.com/\w{2}/banner/\w/leave\?url=(?:https?:)?//;i -describe GB_TURKMEN_REDIR Turkmenportal redirector -score GB_TURKMEN_REDIR 1.5 - -# Zafos redirector -uri GB_ZAFOS_REDIR m;^https?://zafos\.com/app/newsletter/tracklink\?.{8,32}\&tid=https?://;i -describe GB_ZAFOS_REDIR Zafos redirector -score GB_ZAFOS_REDIR 1.5 - -# Generic Php redirector -uri GB_PHP_REDIR /\.php\?url=https?\:\/\// -describe GB_PHP_REDIR Php redirector -score GB_PHP_REDIR 1.0 - -# href.li abused redirector -uri GB_HREF_LI_REDIR m;https?://href\.li/\??https?://;i -describe GB_HREF_LI_REDIR Href.li abused redirector -score GB_HREF_LI_REDIR 2.5 - -if (version >= 4.000000) - if can(Mail::SpamAssassin::Conf::feature_capture_rules) - ifplugin Mail::SpamAssassin::Plugin::AskDNS - uri __GAD_REDIR_URL m;(?:adclick\.\w\.doubleclick\.net/pcs/click|(?:www)?\.googleadservices\.com/pagead/aclk)\?.{64,1024}\&adurl=https?//(?.*)/; - askdns GB_GAD_REDIR _GAD_REDIR_URL_.wild.pccc.com A 127.0.0.4 - describe GB_GAD_REDIR Abused Google Ads redirector - score GB_GAD_REDIR 9.0 - - uri __G_REDIR_URL m;https?://(?:www\.)?google\.\w+/amp/s/(?.*)/?; - askdns GB_G_REDIR _G_REDIR_URL_.wild.pccc.com A 127.0.0.4 - describe GB_G_REDIR Abused Google search redirector - score GB_G_REDIR 9.0 - endif - endif -endif - #TLDSCHINA body __KAM_TLDSCHINA1 /t ?l ?d ?s ?c ?h ?i ?n ?a\[\.\]com|0086\-21\-619\-18\-696/i 
@@ -9573,12 +9609,13 @@ describe KAM_TLDSCHINA Chinese Domain Scams score KAM_TLDSCHINA 5.0 # .html link stored on S3 -uri __GB_S3_HTM1 /^https?:\/\/.{3,64}\.s3\..{3,16}\.amazonaws\.com\/.{3,128}\.s?htm/i -uri __GB_S3_HTM2 /^https?:\/\/s3\.amazonaws\.com\/.{3,16}\/.{3,16}\/.{3,128}\.s?html?\#/i +uri __GB_S3_HTM1 /^https?:\/\/.{3,64}\.s3\..{3,16}\.amazonaws\.com\/.{3,128}\.s?html?/i +uri __GB_S3_HTM2 /^https?:\/\/(?:\w+\.)?s3\.amazonaws\.com\/(?:.{3,16}\/.{3,16}\/)?.{3,128}\.s?html?/i +uri __GB_S3_HTM3 /^https?:\/\/s3\.(?:[a-z0-9-]+)\.amazonaws\.com\/(?:[a-z0-9-\.]+)\/.{1,16}\.s?html?/i -meta GB_S3_HTM ( __GB_S3_HTM1 + __GB_S3_HTM2 >= 1 ) +meta GB_S3_HTM ( __GB_S3_HTM1 + __GB_S3_HTM2 + __GB_S3_HTM3 >= 1 ) describe GB_S3_HTM .html link stored on AWS S3 -score GB_S3_HTM 4.5 +score GB_S3_HTM 5.5 #FAKE STIMULUS header __KAM_FAKE_STIM1 From =~ /state.?reiief|stim.?state.?check|stim.?check.?reiief|reiief2023|statestimcheck|statebenefits/i @@ -9605,6 +9642,13 @@ meta GB_FAKE_HOTEL ( FREEMAIL_FROM && ( KAM_BLANKSUBJECT || describe GB_FAKE_HOTEL Fake hotel room reservation score GB_FAKE_HOTEL 4.0 +body __GB_FAKE_BOOKING /Booking\.com/ +body __GB_BOOKING_DEAR /Dear Hotel Manage(?:ment|r)/i +uri __GB_BOOKING_URI /booking\.com/ +meta GB_FAKE_BOOKING ( __GB_FAKE_BOOKING && __GB_BOOKING_DEAR && !__GB_BOOKING_URI ) +describe GB_FAKE_BOOKING Booking.com scam +score GB_FAKE_BOOKING 0.001 + #FAKE SPOTIFY #domain header __KAM_FAKE_SPOTIFY_1A From:name =~ /spotify premium|Spotify(?:\s|_)Inc\./i 
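Review bot: None of the three S3 patterns terminates the extension, so `\.s?html?` also matches inside a longer name (`report.html.zip`, `index.htmlx`) or a query string, and the new `__GB_S3_HTM3` bounds the file name to `.{1,16}` while its siblings allow `.{3,128}`, which looks unintentional. Ending each pattern with `\.s?html?(?:[?#\/]|$)` pins the extension; if the 16-character bound is deliberate (short random names in the samples, say), a one-line comment would stop someone "fixing" it to match the others.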
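Review bot: The negated `__GB_BOOKING_URI /booking\.com/` exempts any URI containing that substring anywhere, so a lookalike such as `https://booking.com.example-login.tld/` or `https://mybooking.com/…` counts as a genuine link and suppresses the very rule meant to catch mail that mentions Booking.com without linking to it. Anchor it to the host: `uri __GB_BOOKING_URI /^https?:\/\/(?:[\w-]+\.)*booking\.com(?:[\/?#]|$)/i`. `__GB_FAKE_BOOKING /Booking\.com/` is case-sensitive while the other two terms are `/i`; that may be intentional to require the branded spelling, but a short comment would say so.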
@@ -9641,15 +9685,16 @@ score KAM_APP 9.0 #PENPAL #subject -header __KAM_PENPAL1 Subject =~ /^(GREETINGS|HI)$|GET WRITING/i +header __KAM_PENPAL1 Subject =~ /^(GREETINGS|HI)\.?$|GET WRITING|pen.?pal|GOOD MORNING|GOOD DAY|MORNING/i #intro -body __KAM_PENPAL2 /my name is|I\'m from Sweden/i +body __KAM_PENPAL2 /my name is| from Sweden/i #penpal -body __KAM_PENPAL3 /pen.?pal/i +body __KAM_PENPAL3 /pen.?pal|virtual friendship|learn about life in your country/i +tflags __KAM_PENPAL3 nosubject #topic -body __KAM_PENPAL4 /talk *anything|talk about (everything|anything)|look forward to hear|contact details online/i +body __KAM_PENPAL4 /talk *anything|talk about (everything|anything)|look forward to hear|contact details online|begin a worthwhile relationship|share anything|establishing a meaningful connection/i -meta KAM_PENPAL ( __KAM_PENPAL1 + __KAM_PENPAL2 + __KAM_PENPAL3 + __KAM_PENPAL4 >= 4 ) +meta KAM_PENPAL ( __KAM_PENPAL1 + __KAM_PENPAL2 + __KAM_PENPAL3 + __KAM_PENPAL4 + FREEMAIL_FROM >= 5 ) describe KAM_PENPAL Pen Pal Scams score KAM_PENPAL 8.0 @@ -9686,11 +9731,11 @@ uri __KAM_BLOBHTML1 /.*\.blob\.core\.windows\.net\/.*html?/i meta KAM_BLOBHTML ( __KAM_BLOBHTML1 + FREEMAIL_FROM >= 2 ) describe KAM_BLOBHTML Windows Blob Likely Spam -score KAM_BLOBHTML 7.0 +score KAM_BLOBHTML 9.0 meta KAM_BLOBHTMLLOW ( __KAM_BLOBHTML1 >= 1 ) && !KAM_BLOBHTML describe KAM_BLOBHTMLLOW Windows Blob Lower Confidence of Spam -score KAM_BLOBHTMLLOW 3.0 +score KAM_BLOBHTMLLOW 4.5 # Cloudflare r2.dev public cloud uri __GB_R2DEVHTML1 /https?:\/\/pub\-\w+\.r2\.dev\/.{1,32}\.html?/ 
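Review bot: `MORNING` in `__KAM_PENPAL1` already subsumes `GOOD MORNING`, and under `/i` with no anchor it (like `GOOD DAY`) hits any subject that mentions a morning; this is only safe because the meta now demands all five of its terms (`… + FREEMAIL_FROM >= 5`), which also means the sum is just an `&&`. Make that intent explicit so a later edit does not lower the threshold: `# all five components are required; the PENPAL1 tokens are deliberately broad` above the meta, and drop the redundant `GOOD MORNING` (or drop `MORNING` if the bare word was not in the samples).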
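Review bot: Raising KAM_BLOBHTMLLOW to 4.5 makes the single pattern shown in the hunk header, `__KAM_BLOBHTML1 /.*\.blob\.core\.windows\.net\/.*html?/i`, nearly decisive on its own, and that pattern matches `htm` anywhere after the host — `/docs/html-guide.pdf` or a query parameter qualifies — while its leading `.*` does nothing. If the bump stays, tighten the match to `uri __KAM_BLOBHTML1 /\.blob\.core\.windows\.net\/[^?#]*\.s?html?(?:[?#]|$)/i` and record the reason as KAM_CHECKFILE2 does in this change (`score KAM_BLOBHTMLLOW 4.5 #raised from 3.0 on <date>`).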
@@ -9703,9 +9748,22 @@ meta GB_R2DEVHTMLLOW ( __GB_R2DEVHTML1 >= 1 ) describe GB_R2DEVHTMLLOW Cloudflare r2.dev Lower Confidence of Spam score GB_R2DEVHTMLLOW 2.0 +if (version >= 4.000000) + if can(Mail::SpamAssassin::Conf::feature_capture_rules) + uri __GB_CUSTOM_SURGESH /https?:\/\/(?:[a-z0-9_\-]+)\.surge\.sh\/.{0,16}\#%{GB_TO_ADDR}/i + meta GB_CUSTOM_SURGESH __GB_CUSTOM_SURGESH + describe GB_CUSTOM_SURGESH Surge.sh abuse + score GB_CUSTOM_SURGESH 2.0 + + meta GB_CUSTOM_FREESURGESH ( GB_CUSTOM_SURGESH && FREEMAIL_FROM ) + describe GB_CUSTOM_FREESURGESH Surge.sh abuse from freemail address + score GB_CUSTOM_FREESURGESH 3.0 + endif +endif + # Fake invoice links to Google Cloud ifplugin Mail::SpamAssassin::Plugin::URIDetail - uri_detail __GB_GOOGLE_INVOICE0 cleaned =~ /(?:\d+\.\d+\.\d+\.\d+\.bc\.googleusercontent\.com|(?:adclick|googleads)\.\w\.doubleclick\.net\/(?:aclk|pcs\/click))/ text =~ /document|invoice|fattura/i + uri_detail __GB_GOOGLE_INVOICE0 cleaned =~ /(?:\d+\.\d+\.\d+\.\d+\.bc\.googleusercontent\.com|(?:adclick|googleads)\.\w\.doubleclick\.net\/(?:aclk|pcs\/click)|googleadservices\.com\/pagead)/ text =~ /document|invoice|fattura/i uri __GB_GOOGLE_INVOICE1 /(?:\d+\.\d+\.\d+\.\d+\.bc\.googleusercontent\.com|adclick\.\w\.doubleclick\.net\/pcs\/click).{1,8}Payment.Invoice/i meta GB_GOOGLE_INVOICE ( __GB_GOOGLE_INVOICE0 + __GB_GOOGLE_INVOICE1 >= 1 ) describe GB_GOOGLE_INVOICE Fake Invoice stored on Google cloud/ads 
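Review bot: `__GB_CUSTOM_SURGESH` interpolates the captured `%{GB_TO_ADDR}` straight into a regex, and an address contains `.` and may contain `+`; whether capture values are regex-quoted on interpolation is not something I can verify from here, and the capture itself is defined outside this hunk, so please confirm — unquoted, `a.b+c@example.com` becomes a different pattern, and a stray metacharacter could make the rule fail to compile. There is also no guard for the capture being empty, in which case `\#` followed by nothing turns the rule into "any surge.sh link with a fragment". A comment recording both dependencies would help the next reader: `# GB_TO_ADDR is captured elsewhere (SA 4 capture rules); an empty or unquoted capture widens this match`.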
@@ -9728,7 +9786,7 @@ body __KAM_PIANO2 /(Yamaha|grand) piano|baby grand/i #COST body __KAM_PIANO3 /free|gifting|offering|give away/i #SUBJ -header __KAM_PIANO4 Subject =~ /want this|beautiful piano|instrument|piano donation|baby grand|['`] +piano|yamaha piano/i +header __KAM_PIANO4 Subject =~ /want this|(beautiful|grand) piano|instrument|piano donation|baby grand|['`] +piano|yamaha piano/i meta KAM_PIANO ( __KAM_PIANO1 + __KAM_PIANO2 + __KAM_PIANO3 + __KAM_PIANO4 + (__KAM_EDU_FROM + FREEMAIL_FROM >= 1) >= 5 ) describe KAM_PIANO Likely Piano Scam (yes, Piano Scams are a real thing apparently. "Sing us a song, you're the piano scam...") @@ -9757,7 +9815,7 @@ score KAM_FAKE_WELLSFARGO 7.0 #FIT LLC replace_rules __KAM_FIT1 -body __KAM_FIT1 /Email (was |is )?sent by:? (Event Horizon LLC|FT, LLC)|(email was sent|newsletter).{0,35} (operator of|on behalf of) (prestige publishing|Event Horizon) LLC|Polaris Advertising is the operator and proprietor/im +body __KAM_FIT1 /Email (was |is )?sent by:? (Event Horizon LLC|FT, LLC)|(email was sent|newsletter).{0,35} (operator of|on behalf of) (prestige publishing|Event Horizon) LLC|Polaris Advertising is the operator and proprietor|brought to you by Event Horizon LLC|(valued member of the|possessed by) Stark Media LLC/im meta KAM_FIT ( __KAM_FIT1 >= 1 ) describe KAM_FIT Spamming spammers who spam 
@@ -9823,12 +9881,12 @@ score KAM_FAKE_DOCUSIGN2 4.5 #VIRTUAL BOOKKEEPER #SUBJ -header __KAM_BOOKKEEP1 Subject =~ /(Accounting|Bookkeeping) ?(\/|\&) ?(Bookkeeping|Accounting)|Help with bookkeeping|bookkeeping for|bookkeeping a hassle|outsourced Bookkeeping|ease your bookkeeping|(accounting|bookkeeping)\/tax prep service|virtual (accounting|bookkeeping|bookkeeper|accountant)|affordable (accounting|bookkeeping) solution|be your in.?house (accounting|bookkeeping)/i +header __KAM_BOOKKEEP1 Subject =~ /(Accounting|Bookkeeping) ?(\/|\&) ?(Bookkeeping|Accounting)|Help with bookkeeping|bookkeeping for|bookkeeping a hassle|outsourced Bookkeeping|ease your bookkeeping|(accounting|bookkeeping)\/tax prep service|virtual (accounting|bookkeeping|bookkeeper|accountant)|affordable (accounting|bookkeeping) solution|be your in.?house (accounting|bookkeeping)|senior bookkeep|master your finance/i #FOLLOW/COLD -body __KAM_BOOKKEEP2 /sent you a message|my name is|reply with an optimal number for me to reach|helped a business in your state|reply with a good time\/number to reach|respond a time for us to talk|helping businesses outsource all their bookkeeping|give you a quick call|assisted a company (organize|manage) two years of books|follow back on my message|reply back with a good line|give you a brief line|convenient time to connect|brief minute to discuss|follow up on my last email|received my note from a couple of days|what time works best|set up a time to chat|reached out a couple of days ago|schedule a time to connect/i +body __KAM_BOOKKEEP2 /sent you a message|my name is|reply with an optimal number for me to reach|helped a business in your state|reply with a good time\/number to reach|respond a time for us to talk|helping businesses outsource all their bookkeeping|give you a quick call|assisted a company (organize|manage) two years of books|follow back on my message|reply back with a good line|give you a brief line|convenient time to connect|brief minute to discuss|follow up on 
my last email|received my note from a couple of days|what time works best|set up a time to chat|reached out a couple of days ago|schedule a time to connect|interested in seeing our work/i tflags __KAM_BOOKKEEP2 nosubject #SALE -body __KAM_BOOKKEEP3 /(explore|see|check) if (we\'?re|we are) a (match|fit)|paying huge amounts of money for bookkeeping|open to a quick call|streamline bookkeeping needs|fed up with keeping your own books|transform your bookkeeping|accounting for (tons|thousands) of companies just like|no\-stress bookkeeping solution|wasting a lot of time doing bookkeeping|benefit from help keeping books|manag(e|ing) bookkeeping \& accounting requirements for lots of (companies|customers)|interested to hire a dedicated remote (tax|accountant|bookkeeper)|assist businesses handle their books|extra hand with bookkeeping|client in your state|we saved \d+ hours a month/im +body __KAM_BOOKKEEP3 /(explore|see|check) if (we\'?re|we are) a (match|fit)|paying huge amounts of money for bookkeeping|open to a quick call|streamline bookkeeping needs|fed up with keeping your own books|transform your bookkeeping|accounting for (tons|thousands) of companies just like|no\-stress bookkeeping solution|wasting a lot of time doing bookkeeping|benefit from help keeping books|manag(e|ing) bookkeeping \& accounting requirements for lots of (companies|customers)|interested to hire a dedicated remote (tax|accountant|bookkeeper)|assist businesses handle their books|extra hand with bookkeeping|client in your state|we saved \d+ hours a month|already serving \d+ plus business|we specialize in:? bookkeeping/im tflags __KAM_BOOKKEEP3 nosubject meta KAM_BOOKKEEP ( __KAM_BOOKKEEP1 + __KAM_BOOKKEEP2 + __KAM_BOOKKEEP3 + FREEMAIL_FROM >= 4 ) 
@@ -9837,18 +9895,18 @@ score KAM_BOOKKEEP 6.0 #LATEST APP DEV SPAMS #subj -header __KAM_APPDEV1 Subject =~ /App Prices|healthcare app|app offer|new app|follow up|mobile app(lication|s)? company|Mobile App$|improve your app/i +header __KAM_APPDEV1 Subject =~ /App Prices|healthcare app|app offer|new app|follow up|mobile app(lication|s)? company|Mobile App$|improve your app|Any app|creating an app|\@gmail\.com|Price|perfect app|your requirement|apps? development|app platform|developer|Electric Bike Apps|applications? for your business|Ios Apps|Web apps|app proposal|Custom app|create an app/i #location or type of app -body __KAM_APPDEV2 /(companies|based) in India|Indian.?Based|Rani$|(handyman|fitness|Entertainment|Shopping|hospital|real.?estate|Taxi|custom business|store|booking) App/i +body __KAM_APPDEV2 /(companies|company|based) in India|Indian.?Based|Rani$|(handyman|fitness|Entertainment|Shopping|hospital|real.?estate|Taxi|custom business|store|booking|lifestyle|ecommerce|ios|game|gaming|Web) App|App and Website Devel|are you looking for responsive mobile app/i tflags __KAM_APPDEV2 nosubject #COLD -body __KAM_APPDEV3 /My name is|chance to review my email|I work with \d+\+ experienced IT|if you are interested|chance to peruse through it/i +body __KAM_APPDEV3 /My name is|chance to review my (previous )?email|I work with \d+\+ experienced IT|if you are interested|chance to peruse through it|interested in developing a mobile app|are you trying to find apps|wondering if you wanted an app|connect you with the right person|company with over \d+ years of experience|We specialize in high\-quality android|looking for creating an app/i tflags __KAM_APPDEV3 nosubject #AppDev -body __KAM_APPDEV4 /app developer|app for your domain|best mobile app devel|app development manager|app development service/i +body __KAM_APPDEV4 /app develop(ment|er)|app for your domain|best mobile app devel|app development manager|app development service|develop your web project|apps for your 
company|experts in app.?dev|build a mobile? app|apps we have successfully developed|mobile apps and game devel|apps development manager/i tflags __KAM_APPDEV4 nosubject - #PRICE -body __KAM_APPDEV5 /mobile app price list|cost efficient|price list \& sample|catalog price|meeting to discuss details}|share ballpark estimat/i + #PRICE / REQS +body __KAM_APPDEV5 /mobile app price list|cost efficient|price list \& sample|catalog price|meeting to discuss details|share ballpark estimat|share your requirement|discuss the further steps|see our portfolio|portfolio and pricing|send you our price|price list|requirement, please do share|(let me know|discuss) your requirements|send you more details on (sample|package|portfolio)|offer a detailed pric|hear more about project req|forward you our price \& latest work|app prices? list|we can discuss pricing/i tflags __KAM_APPDEV5 nosubject meta KAM_APPDEV ( __KAM_APPDEV1 + __KAM_APPDEV2 + __KAM_APPDEV3 + __KAM_APPDEV4 + __KAM_APPDEV5 + FREEMAIL_FROM >= 6) 
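Review bot: In `__KAM_APPDEV4`, `build a mobile? app` applies the `?` to the letter `e` only, so it matches "build a mobile app" and "build a mobil app" but not "build an app", which the `?` was presumably meant to allow; `build an? (?:mobile )?app` says that. The new subject tokens `Price`, `developer`, `follow up` and `\@gmail\.com` are individually very broad and are only safe because the meta requires every one of its six terms (`>= 6`), so a comment to that effect above `meta KAM_APPDEV` would keep a later threshold change from turning them into false positives.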
@@ -9859,14 +9917,159 @@ score KAM_APPDEV 9.0 #FROM header __KAM_FAKE_METAMASK1 From:name =~ /metamask/i #CRYPTO -header __KAM_FAKE_METAMASK2 Subject =~ /wallet has been (suspended|limited)/i +header __KAM_FAKE_METAMASK2 Subject =~ /wallet has been (suspended|limited|locked|disabled)/i #NOT META header __KAM_FAKE_METAMASK3 From:addr !~ /\@metamask\.com/i #TASK -body __KAM_FAKE_METAMASK4 /Up(grade|date) (here|Now)|activate and verify/i +body __KAM_FAKE_METAMASK4 /Up(grade|date) (here|Now)|activate and verify|complete the migration/i meta KAM_FAKE_METAMASK ( __KAM_FAKE_METAMASK1 + __KAM_FAKE_METAMASK2 + __KAM_FAKE_METAMASK3 + __KAM_FAKE_METAMASK4 >= 4 ) describe KAM_FAKE_METAMASK Fake MetaMask Crypto Notification score KAM_FAKE_METAMASK 6.0 +#FAKE SAISON WALLET +body __KAM_FAKE_SAISON1 /Saison Gold Premium|saison card/i +uri __KAM_FAKE_SAISON2 /\.cn(\/|$|\b)/i + +meta KAM_FAKE_SAISON ( __KAM_FAKE_SAISON1 + __KAM_FAKE_SAISON2 + RDNS_NONE + SPF_SOFTFAIL >= 4) +describe KAM_FAKE_SAISON Fake Saison Notices +score KAM_FAKE_SAISON 6.0 + +#Google APPSHEET ABUSE +header __KAM_APPSHEET1 From:addr =~ /noreply\@appsheet\.com/i + +meta KAM_APPSHEET ( __KAM_APPSHEET1 >= 1 ) +describe KAM_APPSHEET Google AppSheet being abused by spammers +score KAM_APPSHEET 4.0 + +#FAKE_META + #from +header __KAM_FAKE_META1 From:name =~ /Meta for Business/i + #subj +header __KAM_FAKE_META2 Subject =~ /(account|page) will be restricted/i + #messenger +uri __KAM_FAKE_META3 /messenger.com\/t\/\d+/i + +meta KAM_FAKE_META ( __KAM_FAKE_META1 + __KAM_FAKE_META2 + __KAM_FAKE_META3 + FREEMAIL_FROM >= 4) +describe KAM_FAKE_META Fake Message from Meta for Business +score KAM_FAKE_META 6.0 + +#GITHUB +uri __KAM_GITHUB_USER_ATTACHMENT /github\.com\/user\-attachments\/assets\//i + +meta KAM_GITHUB_USER_ATTACHMENT ( __KAM_GITHUB_USER_ATTACHMENT >= 1 ) +describe KAM_GITHUB_USER_ATTACHMENT Email contains a github user attachment +score KAM_GITHUB_USER_ATTACHMENT 1.5 + +ifplugin 
Mail::SpamAssassin::Plugin::URIDetail + uri_detail GB_GITEXE_SOCIAL cleaned =~ /(?:bitbucket|github|gitlab)\.com\/.{8,128}\.exe$/i text =~ /Social Security/i + describe GB_GITEXE_SOCIAL "Social Security" link to a .exe file stored on a git public link + score GB_GITEXE_SOCIAL 3.0 +endif + +replace_tag SUBSTACK_IDS (?:10xresearch|paulgassee|joinaidaily) +replace_rules GB_SUBSTACK_IDS +header GB_SUBSTACK_IDS List-id =~ /^\<\.substack\.com\>$/i +describe GB_SUBSTACK_IDS Substack spam +score GB_SUBSTACK_IDS 10.0 + +#SENDGRID +uri __KAM_SENDGRID_LINK /sendgrid\.net\/ls\/click/i + +#FAKE CRYPTO + #CRYPTO +body __KAM_FAKE_CRYPTO1 /join our platform and start stak|tokens are waiting|Steth rewards|stake now/i + #SUBJ +header __KAM_FAKE_CRYPTO2 Subject =~ /claim your tokens|announcing OP \#\d|steth earnings/i + #FROM +header __KAM_FAKE_CRYPTO3 From =~ /lido finance|optimism newsletter/i + +meta KAM_FAKE_CRYPTO ( __KAM_FAKE_CRYPTO1 + __KAM_FAKE_CRYPTO2 + __KAM_FAKE_CRYPTO3 + ( __KAM_SENDGRID_LINK + __KAM_GITHUB_USER_ATTACHMENT >= 1 ) >= 4) +describe KAM_FAKE_CRYPTO Fake Crypto Scam Email +score KAM_FAKE_CRYPTO 6.0 + +#KALENDAR +body __KAM_KALENDAR1 /introduce KalendarAI|sales at .?talkingheads/i +body __KAM_KALENDAR2 /(director|VP) of (strategic|growth|sales)|head of AI sales|Director of Regional AI Sales/i +body __KAM_KALENDAR3 /(reply \'stop\'|opt\-out of our campaigns)/i + +meta KAM_KALENDAR ( __KAM_KALENDAR1 + __KAM_KALENDAR2 + __KAM_KALENDAR3 >= 3 ) +describe KAM_KALENDAR Spams from KalendarAI +score KAM_KALENDAR 8.5 + +#AI AGENTS +body __KAM_AI_SOCIAL_AGENTS1 /Written by AI Social Agents/i + +meta KAM_AI_SOCIAL_AGENTS ( __KAM_AI_SOCIAL_AGENTS1 >= 1 ) +describe KAM_AI_SOCIAL_AGENTS AI Driven Spam Campaigns +score KAM_AI_SOCIAL_AGENTS 10.0 + +#PAYPAL FRAUD +header __KAM_PAYPAL_FRAUD1 From:addr =~ /\@paypal\.com/i +body __KAM_PAYPAL_FRAUD2 /Note from Seller.?.?Didn\'t make this order? Call|Note from.{5,110}Didn\'t make this order\? Call|don\'t recognize the seller\? 
quickly/i +header __KAM_PAYPAL_FRAUD3 Subject =~ /money request|invoice from/i + +meta KAM_PAYPAL_FRAUD ( __KAM_PAYPAL_FRAUD1 + __KAM_PAYPAL_FRAUD2 + __KAM_PAYPAL_FRAUD3 >= 3) +describe KAM_PAYPAL_FRAUD Fraudulent Payment Scam +score KAM_PAYPAL_FRAUD 6.0 + +#E-BIKE +body __GB_EBIKE /\b(?:electric (?:bicycle|bike)s?|e\-bike)\b/i +meta GB_EBIKE ( ( NEW_PRODUCTS || CBJ_GiveMeABreak || __DOS_DIRECT_TO_MX_UNTRUSTED ) && __TAG_EXISTS_HEAD && __GB_EBIKE ) +describe GB_EBIKE E-Bike spam +score GB_EBIKE 2.5 +meta GB_EBIKE_ADDR ( GB_EBIKE && YOUR_DELIVERY_ADDRESS ) +describe GB_EBIKE_ADDR E-Bike shipping spam +score GB_EBIKE_ADDR 1.0 + +#TALKINGHEADS +body __KAM_TALKINGHEADS1 /WebsiteTalkingHeads/i +body __KAM_TALKINGHEADS2 /AI Sales/i + +meta KAM_TALKINGHEADS ( __KAM_TALKINGHEADS1 + __KAM_TALKINGHEADS2 ) +describe KAM_TALKINGHEADS TalkingHeads Spam +score KAM_TALKINGHEADS 3.0 + +#KALENDARAI +body __KAM_KALENDARAI1 /Sent from Kalendar.?AI/i +header __KAM_KALENDARAI2 List-Unsubscribe =~ /\/kriya\.ai\// + +meta KAM_KALENDARAI ( __KAM_KALENDARAI1 + __KAM_KALENDARAI2 >= 1 ) +describe KAM_KALENDARAI Sent from a known spammy source of KalendarAI +score KAM_KALENDARAI 7.0 + +#GOLD + #GOLD +body __KAM_GOLD1 /gold merchant/i + #HELPING SOMEONE +body __KAM_GOLD2 /sick (mother|father|uncle)/i + #ASK +body __KAM_GOLD3 /Assistance in transferring|investing the(se)? 
fund/i + #PLACE +body __KAM_GOLD4 /departure from ghana|fleeing Ukraine/i + +meta KAM_GOLD ( __KAM_GOLD1 + __KAM_GOLD2 + __KAM_GOLD3 + __KAM_GOLD4 >= 4) +describe KAM_GOLD Funds to release treasure scam du jour +score KAM_GOLD 6.0 + +#SURLLIDATE +uri __KAM_SURLLI1 /https?:\/\/surl\.li\//i + #RELATIONSHIP +body __KAM_SURLLI2 /local relationship|looking for a man|dating platform|short distance relationship/i + +meta KAM_SURLLI ( __KAM_SURLLI1 + __KAM_SURLLI2 + FREEMAIL_FROM >= 2 ) +describe KAM_SURLLI Surli Dating Spam +score KAM_SURLLI 4.5 + +#FP_URI_TRY_3LD +#uri KAM_FP_URI_TRY_3LD /\/join\.slack\.com\//i +#describe KAM_FP_URI_TRY_3LD Offsetting a FP with Slack Join Links +#score KAM_FP_URI_TRY_3LD -2.0 + +#SOME 2TLD SERVICES ARE BAD +uri __KAM_SOME_2TLD_ARE_BAD1 /https?:\/\/.{3,32}\.(za|ru)\.com/i + +meta KAM_SOME_2TLD_ARE_BAD ( __KAM_SOME_2TLD_ARE_BAD1 >= 1 ) +describe KAM_SOME_2TLD_ARE_BAD Some 2TLD and hosting sites are bad +score KAM_SOME_2TLD_ARE_BAD 3.0 #EOF diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3.cf index f8a9900..8d3055b 100644 --- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3.cf +++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3.cf @@ -80,8 +80,8 @@ score GMD_PDF_VERT 0 score GMD_PRODUCER_GPL 0 score GMD_PRODUCER_POWERPDF 0 score GMD_PRODUCER_EASYPDF 0 -score GMD_PDF_ENCRYPTED 0 -score GMD_PDF_EMPTY_BODY 0 +# score GMD_PDF_ENCRYPTED 0 +# score GMD_PDF_EMPTY_BODY 0 score EXCUSE_REMOVE 0 score STRONG_BUY 0 score STOCK_ALERT 0 @@ -132,7 +132,7 @@ score FUZZY_SOFTWARE 0 score FUZZY_THOUSANDS 0 score FUZZY_VLIUM 0 score FUZZY_VIOXX 0 -score BODY_8BITS 0 +# score BODY_8BITS 0 score BANKING_LAWS 0 score CURR_PRICE 0 score DOS_ANAL_SPAM_MAILER 0 diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf index 6696786..1fb25b3 100644 
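Review bot: `meta KAM_TALKINGHEADS ( __KAM_TALKINGHEADS1 + __KAM_TALKINGHEADS2 )` has no comparison, so the meta is true whenever the sum is non-zero — that is, when either sub-rule hits — and `__KAM_TALKINGHEADS2 /AI Sales/i` alone puts 3.0 on any message that mentions AI sales. Every other meta in this hunk spells out its threshold; this one should read `meta KAM_TALKINGHEADS ( __KAM_TALKINGHEADS1 + __KAM_TALKINGHEADS2 >= 2 )`. A second, smaller point: `__KAM_SOME_2TLD_ARE_BAD1 /https?:\/\/.{3,32}\.(za|ru)\.com/i` lets `.{3,32}` run across `/` and never terminates the host, so `https://example.com/x.ru.com` and `https://foo.ru.community.org/` both score 3.0; `[^\/]{3,32}\.(?:za|ru)\.com(?:[\/?#]|$)` confines it to the hostname.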
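Review bot: Commenting out `score GMD_PDF_ENCRYPTED 0` and `score GMD_PDF_EMPTY_BODY 0` silently restores whatever score the rules' own channel assigns, in a file whose stated job is to zero them, and nothing records why. Keep the history on the line, as KAM_CHECKFILE2 does elsewhere in this change: `# score GMD_PDF_ENCRYPTED 0  # re-enabled <date>: <reason>`, so the next reader can tell a deliberate re-enable from a stray edit.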
--- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf +++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf @@ -14,7 +14,7 @@ # score MIME_HTML_ONLY_MULTI 0 # (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY) -score MIME_CHARSET_FARAWAY 0 # (__MIME_CHARSET_FARAWAY && __HIGHBITS) +# score MIME_CHARSET_FARAWAY 0 # (__MIME_CHARSET_FARAWAY && __HIGHBITS) score DRUGS_DIET 0 # (__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 ) score DRUGS_DIET_OBFU 0 # (__DRUGS_DIET1 && !__DRUGS_DIET_PHEN) score DRUGS_MUSCLE 0 # (__DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 ) diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_freemail.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_freemail.cf index b404eb9..a3f5e60 100644 --- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_freemail.cf +++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_freemail.cf @@ -1,6 +1,7 @@ # NOTE: freemail_domains in KAM.cf also needs to be updated for FREEMAIL_FROM -# update freemail domain list by running: +# Instructions: to add a new freemail address, add it to KAM_hashbl_settings.cf +# then update freemail domain list by running: # make freemail if (version >= 3.004003) @@ -1358,6 +1359,7 @@ if (version >= 3.004003) freemail_domains lycos.co.uk freemail_domains lycos.com freemail_domains lycosmail.com + freemail_domains korea.com freemail_domains mac.com freemail_domains machinecandy.com freemail_domains macmail.com @@ -1729,6 +1731,7 @@ if (version >= 3.004003) freemail_domains onionmail.org freemail_domains online.ie freemail_domains online.ru + freemail_domains online-emails.net freemail_domains onlinevideosrock.com freemail_domains onlinewiz.com freemail_domains onobox.com 
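Review bot: The new instruction says "add a new freemail address" but the list holds domains, and the NOTE line kept above it still says freemail_domains must also be updated "in KAM.cf" while, as far as this diff shows, the list lives here in KAM_freemail.cf and is regenerated from KAM_hashbl_settings.cf by `make freemail` — so the two comments now read as contradicting each other. Suggested wording: `# Instructions: to add a freemail DOMAIN, add it to KAM_hashbl_settings.cf, then regenerate this file with: make freemail`, and either drop the KAM.cf reference or say which list is authoritative if KAM.cf really carries a separate one. If this file is wholly generated, a `# generated by 'make freemail' - do not edit by hand` line would prevent hand edits being overwritten.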
@@ -1742,6 +1745,7 @@ if (version >= 3.004003)
 freemail_domains oplusnet.com
 freemail_domains optician.com
 freemail_domains optimum.net
+ freemail_domains optonline.net
 freemail_domains oran.cc
 freemail_domains orange.es
 freemail_domains orange.fr
@@ -1799,6 +1803,8 @@ if (version >= 3.004003)
 freemail_domains peopleweb.com
 freemail_domains persian.com
 freemail_domains personal.ro
+ freemail_domains personal-emails.eu
+ freemail_domains personal-emails.me
 freemail_domains personales.com
 freemail_domains peru.com
 freemail_domains petlover.com
@@ -1997,6 +2003,7 @@ if (version >= 3.004003)
 freemail_domains romymichele.com
 freemail_domains royal.net
 freemail_domains rpharmacist.com
+ freemail_domains *.rr.com
 freemail_domains rt.nl
 freemail_domains ru.ru
 freemail_domains runbox.com
@@ -2254,6 +2261,7 @@ if (version >= 3.004003)
 freemail_domains tennessee.usa.com
 freemail_domains terra.com.br
 freemail_domains terrapins.com
+ freemail_domains test-google-a.com
 freemail_domains tetouan.cc
 freemail_domains texas.usa.com
 freemail_domains texascrossroads.com
@@ -2447,6 +2455,7 @@ if (version >= 3.004003)
 freemail_domains vsnl.com
 freemail_domains vsnl.net
 freemail_domains w.cn
+ freemail_domains cc.wakwak.com
 freemail_domains walla.co.il
 freemail_domains walla.com
 freemail_domains wallet.com
@@ -2564,6 +2573,7 @@ if (version >= 3.004003)
 freemail_domains yamal.info
 freemail_domains yanbo.cc
 freemail_domains yandex.ru
+ freemail_domains yandex.com
 freemail_domains yapost.com
 freemail_domains yawmail.com
 freemail_domains yeah.net
diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf
index 814398e..6ff51bf 100644
--- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf
+++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf
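Review bot: `freemail_domains test-google-a.com` in the `@@ -2254,6 +2261,7 @@` hunk reads like a test fixture rather than a freemail provider, and the hunk gives no reason for listing it; every domain on this list makes mail from that domain eligible for the FREEMAIL_* rules, so an entry that is not actually a freemail service is a scoring error waiting to be found. A trailing comment in the form the meta file already uses, `freemail_domains test-google-a.com # <reason placeholder>`, would record the intent and keep it from being dropped as noise on the next cleanup. The entry is mirrored as `hashbl_acl_freemail test-google-a.com` in the KAM_hashbl_settings.cf hunk and the same note applies there.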
@@ -1,7 +1,8 @@
 # HashBL freemail definition
 # NOTE: freemail_domains in KAM.cf also needs to be updated for FREEMAIL_FROM
-# update freemail domain list by running:
+# Instructions: to add a new freemail address, add it to KAM_hashbl_settings.cf
+# then update freemail domain list by running:
 # make freemail
 if (version >= 3.004003)
@@ -1359,6 +1360,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail lycos.co.uk
 hashbl_acl_freemail lycos.com
 hashbl_acl_freemail lycosmail.com
+ hashbl_acl_freemail korea.com
 hashbl_acl_freemail mac.com
 hashbl_acl_freemail machinecandy.com
 hashbl_acl_freemail macmail.com
@@ -1730,6 +1732,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail onionmail.org
 hashbl_acl_freemail online.ie
 hashbl_acl_freemail online.ru
+ hashbl_acl_freemail online-emails.net
 hashbl_acl_freemail onlinevideosrock.com
 hashbl_acl_freemail onlinewiz.com
 hashbl_acl_freemail onobox.com
@@ -1743,6 +1746,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail oplusnet.com
 hashbl_acl_freemail optician.com
 hashbl_acl_freemail optimum.net
+ hashbl_acl_freemail optonline.net
 hashbl_acl_freemail oran.cc
 hashbl_acl_freemail orange.es
 hashbl_acl_freemail orange.fr
@@ -1800,6 +1804,8 @@ if (version >= 3.004003)
 hashbl_acl_freemail peopleweb.com
 hashbl_acl_freemail persian.com
 hashbl_acl_freemail personal.ro
+ hashbl_acl_freemail personal-emails.eu
+ hashbl_acl_freemail personal-emails.me
 hashbl_acl_freemail personales.com
 hashbl_acl_freemail peru.com
 hashbl_acl_freemail petlover.com
@@ -1998,6 +2004,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail romymichele.com
 hashbl_acl_freemail royal.net
 hashbl_acl_freemail rpharmacist.com
+ hashbl_acl_freemail *.rr.com
 hashbl_acl_freemail rt.nl
 hashbl_acl_freemail ru.ru
 hashbl_acl_freemail runbox.com
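Review bot: `hashbl_acl_freemail *.rr.com` in the `@@ -1998,6 +2004,7 @@` hunk is the only wildcard among the additions, and I could not confirm from this page that the HashBL plugin expands a `*.` prefix the way the FreeMail plugin documents it for `freemail_domains`; if HashBL stores the entry as a literal key, `*.rr.com` matches nothing and the rr.com subdomains are silently absent from the freemail ACL while the mirrored `freemail_domains *.rr.com` entry does work. Worth checking the plugin's `hashbl_acl_freemail` handling before relying on it, and recording the answer beside the entry, e.g. `hashbl_acl_freemail *.rr.com # wildcard: <confirmed/not supported placeholder>`. If wildcards are not supported, the specific rr.com subdomains would need to be listed instead.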
@@ -2255,6 +2262,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail tennessee.usa.com
 hashbl_acl_freemail terra.com.br
 hashbl_acl_freemail terrapins.com
+ hashbl_acl_freemail test-google-a.com
 hashbl_acl_freemail tetouan.cc
 hashbl_acl_freemail texas.usa.com
 hashbl_acl_freemail texascrossroads.com
@@ -2448,6 +2456,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail vsnl.com
 hashbl_acl_freemail vsnl.net
 hashbl_acl_freemail w.cn
+ hashbl_acl_freemail cc.wakwak.com
 hashbl_acl_freemail walla.co.il
 hashbl_acl_freemail walla.com
 hashbl_acl_freemail wallet.com
@@ -2565,6 +2574,7 @@ if (version >= 3.004003)
 hashbl_acl_freemail yamal.info
 hashbl_acl_freemail yanbo.cc
 hashbl_acl_freemail yandex.ru
+ hashbl_acl_freemail yandex.com
 hashbl_acl_freemail yapost.com
 hashbl_acl_freemail yawmail.com
 hashbl_acl_freemail yeah.net
diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf
index e112b4d..eb1a184 100644
--- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf
+++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf
@@ -110,6 +110,7 @@ url_shortener cli.gs
 url_shortener cliccami.info
 url_shortener clickthru.ca
 url_shortener clipurl.us
+url_shortener cli.re
 url_shortener clck.ru
 url_shortener clk.my
 url_shortener cloaky.de
@@ -212,6 +213,7 @@ url_shortener good.ly
 url_shortener goolnk.com
 url_shortener goshrink.com
 url_shortener gplus.to
+url_shortener .graphic.com.gh
 url_shortener gri.ms
 url_shortener gurl.es
 url_shortener han.gl
@@ -401,6 +403,7 @@ url_shortener poprl.com
 url_shortener post.ly
 url_shortener posted.at
 url_shortener pp.gg
+url_shortener ppt.cc
 url_shortener profile.to
 url_shortener pt2.me
 url_shortener ptiturl.com
@@ -478,6 +481,7 @@ url_shortener shortn.me
 url_shortener shortna.me
 url_shortener shortr.me
 url_shortener shorturl.asia
+url_shortener shorturl.at
 url_shortener shorturl.com
 url_shortener www.shorturl.at
 url_shortener shortz.me
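Review bot: `url_shortener .graphic.com.gh` in the `@@ -212,6 +213,7 @@` hunk uses a leading-dot form that no other entry in the visible KAM_urlshorteners.cf hunks uses; if the installed DecodeShortURLs build treats a leading dot as "match any subdomain" the entry works, but a build that stores entries as literal hostnames would never match it, and nothing on the page says which is intended. A short comment beside it, `url_shortener .graphic.com.gh # leading dot: match subdomains`, or the bare `graphic.com.gh` form if subdomain matching is not needed, would make the intent explicit. The `shorturl.at` addition in the `@@ -478` hunk now sits next to the existing `www.shorturl.at`, so the same question of whether bare entries also cover their subdomains decides whether one of the two is redundant.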
@@ -542,10 +546,12 @@ url_shortener su.pr
 url_shortener surl.co.uk
 url_shortener surl.hu
 url_shortener surl.it
+url_shortener surl.li
 url_shortener t.cn
 url_shortener t.co
 url_shortener t.lh.com
 url_shortener t.ly
+url_shortener t2m.io
 url_shortener ta.gd
 url_shortener takemyfile.com
 url_shortener tbd.ly
@@ -570,7 +576,7 @@ url_shortener tinysong.com
 url_shortener tinytw.it
 url_shortener tinyuri.ca
 url_shortener tinyurl.com
-url_shortener tk.
+# url_shortener tk.
 url_shortener tl.gd
 url_shortener tllg.net
 url_shortener tmi.me
@@ -578,7 +584,7 @@ url_shortener tncr.ws
 url_shortener tnij.org
 url_shortener tnw.to
 url_shortener tny.com
-url_shortener to.
+# url_shortener to.
 url_shortener to.je
 url_shortener to.ly
 url_shortener to.vg
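Review bot: The `@@ -570` and `@@ -578` hunks disable `url_shortener tk.` and `url_shortener to.` by commenting them out but leave no reason, so a later maintainer cannot tell whether the trailing-dot form was a typo, matched too broadly, or pointed at a dead service, and may restore it. A one-line note such as `# url_shortener tk. # disabled: <reason placeholder>` (or deleting the two lines outright, since the history keeps them) would settle it. Separately, `url_shortener surl.li` in the `@@ -542` hunk pairs with the new `__KAM_SURLLI1` uri rule in KAM.cf; that pairing is worth a cross-reference comment on one side so the two are retired together.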