diff --git a/KAM.cf b/KAM.cf index 462cf1a..11b625e 100644 --- a/KAM.cf +++ b/KAM.cf @@ -1,12 +1,23 @@ #KAM.cf - SpamAssassin Rules -# + #Author: Kevin A. McGrail with contributions from Joe Quinn & Karsten Bräckelmann -# + #Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted # at https://raptor.pccc.com/raptor.cgim?template=report_problem + +#HomePage: http://www.mcgrail.com/downloads/KAM.cf + +#2018-06-20: We will be moving KAM.cf over to a non-profit to allow for it to +# continue being maintained. It will continue being ASLv2 licensed +# but we are soliciting donations to help fund the development. +# +# As a 501(c)(3), all donations are tax deductible to the extent +# permissible by law. # -#HomePage: http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf -# +# Sponsors gifting $5,000USD or greater per year will be thanked +# in this file and on our website. + + #This is a collection of special rules that I have developed and use on my system. # #The exact date is lost to the sands of time but we have been publishing this @@ -16,7 +27,7 @@ #often rely on my corpora so they do not fair well in masschecks. # #You are welcome and encouraged to email me directly regarding suggestions. -# + #To avoid being caught by our filters, False positives and negatives should be #submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem # @@ -24,8 +35,8 @@ #do my best to respond to FPs *especially* if you can send me an email sample. # #This cf file is designed for systems with a threshold of 5.0 or higher. -# -# + + #It is best to save an email sample in mbox format and zip it to attach to get #around my filters. It is sometimes best to send samples in a second email so I #know to go looking for it in my spam folders. 
@@ -38,12 +49,12 @@ # - Some content needs to be blocked either due to large number of complaints or # for content. For example, the sexually explicit items and the stock tips. # FPs in these rules will be quickly addressed. -# + #For a free anti-spam consultation, fill out the form at the following URL: #https://raptor.pccc.com/free_spam_consultation.cgim # -#Copyright (c) 2018 Kevin A. McGrail +#Copyright (c) 2018 Kevin A. McGrail and the McGrail Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -1730,19 +1741,15 @@ meta KAM_MXINFO (__KAM_MX5) score KAM_MXINFO 1.0 describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers +#BAD NAMES +body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i -#BAD ADDRESS / COMPANY NAMES -#FINISHED URL CLEANUP BUT MOST URLS MOVED TO PCCC URIBL -body __KAM_ADDRESS1 /204 N. El Camino Real|CocoMedia|17 Patchogue Road|1128-274 Royal Palm Beach|(848|500) N. Rainbow Dr. Ste \#?(2511|300)|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|8001 Irvine Center Dr|American Arbitration Association, 1633 Broadway|\+962 79 668 2974|7025 County Rd. 
46A|1001 E.Hillsdale Blvd|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|WhatsApp Inc|Streetdirectory Pte Ltd|4399 Church Street, Brooklyn|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|DLF Cyber City Gurgaon India|4447 N Central Expressway, Office \#110|5401 Hangar Court|Pimsleur Approach|1600 JFK Boulevard, 3rd|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|10620 Southern Highlands|Ashray Medical Center|Bethany Christian Services|Ashland.Avenue.{0,4}95761|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|320 S. Lemon Blvd \# 1803|1063 (suite.)?([\#\d]+.)?King St|8 White Ln. Mansfield|Momentum.Ads|PO Box 29502 \#24912 Las Vegas|2383.Mystic Dr..Sarasota.FL|1107 Valeria Dr, Marion|321 N Central Expressway Suite 341|PO Box 540488 Houston|Post Office Box 4668 NY|9100 Wilshire Blvd. East Tower Penthouse|Headquarters, 18 True Tower Building|111 Customer Way, Irving|B a y t o w n, TX|adilizer..?com Post.Office.Box 540488|353 Chadwick Pl Fairborn|PO.?Box.295[O0]2.Las.?Vegas|1103 St. Michel|Suite 115-243, San Diego|100 E. Campus View|(3.?2.?0.?5|three two zero five)..?L.?a.?k.?e.S.?a.?r.?a.?h|100 RITCHIE ROAD|M i n n e s o t a|3801 D..?o..?w..?n..?s..?W..?a..?y|515 Oaklane McPherson|74.Lancaster..?RD|202.Albion|One Kimeric Ln|302 Washington St|One.One.Eight.Jason.Ln|PO.Box.227.Moran|V a l e r i a|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC|Scott Walker Inc. Testing the Waters|CARLY for America|Scott Walker for America|Jeb 2016, Inc/i - -header __KAM_ADDRESS2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. 
Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i +header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i meta KAM_ADDRESS (__KAM_ADDRESS1 + __KAM_ADDRESS2 >= 1) -score KAM_ADDRESS 13.0 +score KAM_ADDRESS 6.0 describe KAM_ADDRESS Addresses and Companies prevalent in spams -# END SPAMMING COMPANIES - #GRASS SEED header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i @@ -2762,7 +2769,7 @@ score KAM_PAYPAL2 8.0 #PAYPAL PHISH header __KAM_PAYPAL3A From =~ /paypal/i -header __KAM_PAYPAL3B From !~ /paypal.com>?$/i +header __KAM_PAYPAL3B From !~ /paypal.com(\.au)?>?$/i header __KAM_PAYPAL3C Subject =~ /your.paypal.account/i body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information/i @@ -5102,7 +5109,7 @@ describe KAM_OBFU_LOANS Obfuscated Loan Verbiage body __KAM_WORKFROMHOME1 /work from home/i meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2) -score KAM_WORKFROMHOME 2.5 +score KAM_WORKFROMHOME 1.75 describe KAM_WORKFROMHOME Work from Home Spams #STUDENT LOAN 
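Review bot: The rename in the `-1730` hunk leaves the unchanged line `meta KAM_ADDRESS (__KAM_ADDRESS1 + __KAM_ADDRESS2 >= 1)` referring to sub-rules this hunk no longer defines. The body and header tests are now `__KAM_BADNAME1` and `__KAM_BADNAME2`, and no meta that consumes them is visible here. Unless `__KAM_ADDRESS1` and `__KAM_ADDRESS2` are defined elsewhere in the file, the meta presumably never reaches 1, so both lists stop contributing to any score. Either keep the old sub-rule names or change the meta to `meta KAM_ADDRESS (__KAM_BADNAME1 + __KAM_BADNAME2 >= 1)`, then confirm with `spamassassin --lint`.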
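Review bot: `__KAM_PAYPAL3B` in the `-2762` hunk exempts any From value that merely ends in text resembling `paypal.com`, because the dot is unescaped and nothing anchors the start of the domain. A sender domain that only carries `paypal.com` as a suffix therefore escapes the phish rule just as the real domain does, and the added `(\.au)?` widens that exemption. Anchor on the address separator and escape the dots, e.g. `header __KAM_PAYPAL3B From !~ /[@.]paypal\.com(?:\.au)?>?$/i`. The meta that combines the 3A–3D sub-rules lies outside the hunk, so the scoring effect cannot be checked from here.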
@@ -5368,10 +5375,10 @@ header KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+/i score KAM_MGCS 10.0 describe KAM_MGCS Boundary Content Indicative of Ratware -#NetWeaver -header KAM_NW X-Mailer =~ /SAP NetWeaver/i -score KAM_NW 2.75 -describe KAM_NW Spam Indicator +#NetWeaver - Disabled 7/24 +#header KAM_NW X-Mailer =~ /SAP NetWeaver/i +#score KAM_NW 2.75 +#describe KAM_NW Spam Indicator #STOCKTIP OBFU body __KAM_STOCKOBFU1 /make up the \d letter symbol/i @@ -5441,7 +5448,7 @@ meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HE score KB_WAM_LONELY_WOMEN 5.0 describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day -body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you)\b/i +body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i #meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN ) #score KB_WAM_OVERLAP -0.01 
@@ -5506,13 +5513,13 @@ describe KAM_WU Western Union Scam score KAM_WU 5.0 #WEB CRIMINALS -body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy) (the|this) (videotape|evidence|promising evidence)|complain to (the )?(cops|police)/i +body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|complain to (the )?(cops|police)|malware on the web/i #Different encodngs body __KAM_CRIM2 /(bitсoin|bitcoin|BTC|bitcоi)/ -body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency)|bitсoin wаllеt/i +body __KAM_CRIM3 /make a payment|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency)|bitсoin wаllе|complete the transaction/i body __KAM_CRIM4 /erotica|porn|promising evidence|video|masturb|playing with yourself|wanking/i -body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) h\. (since|from) (now|this moment)|one day after opening|tracking pixel/i -header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera/i +body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h after you open this letter/i +header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|you are my vic.im|visit the police/i meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4) describe KAM_CRIM Extortion Email 
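Review bot: The new `__KAM_CRIM1` pattern contains the group `(videotape|evidence|evidence)`, where the second `evidence` is redundant or stands in for a word that was meant to be different. If no other word was intended, `(videotape|evidence)` is equivalent. In `__KAM_CRIM2` and `__KAM_CRIM3` the look-alike alternatives, such as the literal now shortened to `bitсoin wаllе`, mix non-Latin characters with ASCII, so the edit cannot be checked by eye. A comment naming the substituted characters would help, for example `# 'с', 'а', 'е' below are Cyrillic look-alikes; file must stay UTF-8`. The nearby context comment `#Different encodngs` has a typo that could be fixed at the same time.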
@@ -5533,4 +5540,43 @@ meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1) describe KAM_SKINCELL Skincare Scam du Jour score KAM_SKINCELL 7.0 +#UK INVOICE - Thanks to Andy Smith for his help on this +uri __KAM_UKINV1 /\/(client|share|documentview)$/i +body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i +body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i +body __KAM_UKINV4 /£/i +header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i +header __KAM_UKINV6 Subject =~ /invoice/i + +meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6) +describe KAM_UKINV Fake Invoice/Scan Scams +score KAM_UKINV 5.5 + +#LIST SELLERS +body __KAM_LISTSALE1 /interested in acquiring/i +body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i +body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i + +header __KAM_LISTSALE4 Subject =~ /users|leads/i +header __KAM_LISTSALE5 From =~ /leads/i + +meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1) +describe KAM_LISTSALE List sellers +score KAM_LISTSALE 5.0 + +#Google Short? +uri KAM_GOOGLESHORT /\/www.google.com\/url\?q=.{4,16}bit\.ly/i +describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners +score KAM_GOOGLESHORT 9.0 + +#HEART ATTACK SPAM +body __KAM_HEARTPROD1 /heart ?attack/i +body __KAM_HEARTPROD2 /enzyme/i +header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i +header __KAM_HEARTPROD4 From =~ /clear 7/i + +meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4) +describe KAM_HEARTPROD Snake Oil Heart Health du Jour +score KAM_HEARTPROD 7.0 + #EOF diff --git a/Makefile b/Makefile index b465b9a..f99dbcd 100644 
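Review bot: The second branch of the new `KAM_UKINV` meta can never be true as written. In `... + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6` the `>=` binds tighter than `&&`, so the comparison applies to `HTML_OBFUSCATE_10_20` alone, and a single rule hit should not reach 6. The rule therefore fires only through the first branch. If the intent was to count both HTML rules in the sum, write `(__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF + HTML_OBFUSCATE_10_20 >= 6)`. Otherwise parenthesise the sum and test `HTML_OBFUSCATE_10_20` separately. Separately, `KAM_GOOGLESHORT` scores 9.0 on a single `uri` match with unescaped dots in `www.google.com`; escaping them (`www\.google\.com`) keeps the match from being broader than intended.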
--- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # edit paths ($srcdir) in changes.pl # update changes.diff - verify changes! -# dig -t any 1.4.3.updates.spamassassin.org +# dig -t any 2.4.3.updates.spamassassin.org # wget http://spamassassin.kluge.net/updates/501214.tar.gz # wget http://spamassassin.kluge.net/updates/501214.tar.gz.asc # gpg --verify 501214.tar.gz.asc 501214.tar.gz @@ -16,8 +16,8 @@ # # edit debin/rules to apply updates -PKGREL=55 -SAVER=3.4.1 +PKGREL=1 +SAVER=3.4.2 OPKGNAME = Mail-SpamAssassin-${SAVER} NPKGNAME = proxmox-spamassassin_${SAVER} DEB = proxmox-spamassassin_${SAVER}-${PKGREL}_amd64.deb diff --git a/debian/changelog b/debian/changelog index b7b9e34..c2a3a43 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +proxmox-spamassassin (3.4.2-1) unstable; urgency=medium + + * update to version 3.4.2 + + * update ruleset + + * update KAM.cf + + -- Proxmox Support Team Mon, 17 Sep 2018 06:35:23 +0200 + proxmox-spamassassin (3.4.1-55) unstable; urgency=medium * update ruleset diff --git a/debian/patches/series b/debian/patches/series index 66651c5..78f208c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,6 +1 @@ disable-dkim.patch -bug_835494_perl_INC -bug_760277_net_dns_URIDNSBL -bug_821385_dnsresolver -dkim_subdomains -fix-uninitialized-concat diff --git a/sa-updates.tgz b/sa-updates.tgz index 8ab231c..39d41fa 100644 Binary files a/sa-updates.tgz and b/sa-updates.tgz differ