diff --git a/KAM.cf b/KAM.cf
index 4b1c0e8..a1c3141 100644
--- a/KAM.cf
+++ b/KAM.cf
@@ -1,12 +1,14 @@
 #KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
-#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
+#Authors: Kevin A. McGrail with key contributions from Joe Quinn, Karsten Bräckelmann,
 # Bill Cole & Giovanni Bechis
-#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
-# at https://raptor.pccc.com/raptor.cgim?template=report_problem
+#Email: Kevin.McGrail@McGrail.com
-#HomePage: http://www.mcgrail.com/downloads/KAM.cf
+#Questions: Questions about the KAM Ruleset are best submitted at:
+# https://raptor.pccc.com/raptor.cgim?template=report_problem
+
+#HomePage: https://mcgrail.com/template/projects#KAM1
 #Installation: There are multiple files that make up the KAM ruleset including
@@ -26,39 +28,39 @@ #cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver -#This is a collection of special rules that I have developed and use on my system. +#This is a collection of special rules that KAM developed and uses for +#https://raptoremailsecurity.com/. # #The exact date is lost to the sands of time but we have been publishing this -#ruleset since at least May 2004. +#ruleset since at least May 2004 at no charge for the benefit of all. # -#They are intended as live research for committal to SpamAssassin's SVN sandbox but -#often rely on my corpora so they do not fair well in masschecks. -# -#You are welcome and encouraged to email me directly regarding suggestions. - -#To avoid being caught by our filters, False positives and negatives should be -#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem -# -#I believe the rules are safe and they are in use on production systems so I will -#do my best to respond to FPs *especially* if you can send me an email sample. -# -#IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher. +#They were intended as live research for committal to SpamAssassin's SVN sandbox but +#often rely on our corpora so they do not fair well in masschecks. -#It is best to save an email sample in mbox format and zip it to attach to get -#around my filters. It is sometimes best to send samples in a second email so I -#know to go looking for it in my spam folders. -# -#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules). -# -# - I don't view many of my rules as single rules as I typically use meta rules. -# I view meta rules as multiple rules hence a larger score is acceptable. -# -# - Some content needs to be blocked either due to large number of complaints or -# for content. For example, the sexually explicit items and the stock tips. -# FPs in these rules will be quickly addressed. 
+#Problems and suggestions are best sent by this form to avoid being caught by our +#filters: #https://raptor.pccc.com/raptor.cgim?template=report_problem +#We do respond to most problem reports *especially* if you send an email sample. +#Samples in mbox format are preferred. -#Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation + +#The KAM Ruleset is production ready and in use on production systems protecting +#many millions of mailboxes every day. +# +#IMPORTANT: This ruleset cf file is designed for systems at a threshold of 5.0+. + + +#NOTE: We do use some poison pill (i.e. Automatic HAM/SPAM rules). +# +# - Because we use meta rules, false positives are minimized and a larger score +# is acceptable. +# +# - In developing these rules and the associated RBL, we use a consent litmus +# test. We do not block solely based on content except for the sexually +# explicit rules. You can, of course, locally disable these rules. + + +#Copyright (c) 2022 Kevin A. McGrail and The McGrail Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -72,7 +74,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# COURTESY OF Marcin Miros.aw
+# Thanks to Wolfgang Breyha for his help fixing a few rules
+
+# COURTESY OF Marcin Miros
 body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
 rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
@@ -424,7 +428,7 @@ score KAM_HOODIA 3.0
 body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
 body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
 body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
-body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
+body __KAM_STOCKTIP124 /((\b|^)VGPM(\b|$)|Vega Promotional Sys)/is
 body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
 body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
 body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
@@ -574,6 +578,8 @@ describe KAM_HOME Mortage & Refinance Spam Rule
 score KAM_HOME 3.5
 #UNIVERSITY RULE
+replace_rules __KAM_UNIV11 __KAM_UNIV15 __KAM_UNIV3B
+
 body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
 body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
 body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
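Review bot: `replace_rules __KAM_UNIV11 __KAM_UNIV15 __KAM_UNIV3B` is a ReplaceTags directive, yet neither it nor the three rules it names (rewritten in the -584 hunk below) is wrapped in `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags`, so on an installation where that plugin is not loaded the line is reported as an unparseable option and the tag markup in those regexes matches nothing, silently disabling the rules. The rewritten patterns in the -584 hunk also read `No exms`, `becme a do` and `Field of yourr? ch` here, which looks like the angle-bracket tags were stripped by whatever rendered this diff rather than being absent from the file; worth confirming against the raw commit. Suggested guard: `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags` / `replace_rules __KAM_UNIV11 __KAM_UNIV15 __KAM_UNIV3B` / `endif`, with the same guard around the three tagged rules.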
@@ -584,18 +590,18 @@ body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
 body __KAM_UNIV8 /Career Path/is
 body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
 body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
-body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
+body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch/is
 body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
 body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
 body __KAM_UNIV14 /(earn a|full) transcript/is
-body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
+body __KAM_UNIV15 /(No Study Required|Without Exams|No exms|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
 body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
 header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
 body __KAM_UNIV18 /100% discrete/is
 body __KAM_UNIV1B /\d (months|weeks)/i
 body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
-body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
+body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|becme a do|get your diploma today)/is
 body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
 body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
 body __KAM_UNIV6B /DIP\sLOMA/
@@ -693,9 +699,11 @@ describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
 score KAM_GEO_STRING2 4.7
 #KAM GOOGLE SPAM
-uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
-describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
-score KAM_GOOGLE_STRING 1.0
+uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.{0,5}\/url\?q=/i
+
+meta KAM_GOOGLE_REDIR __KAM_GOOGLE_REDIR
+describe KAM_GOOGLE_REDIR Use of Google redir
+score KAM_GOOGLE_REDIR 1.5
 #MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
 uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
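Review bot: `\.{0,5}` in `uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.{0,5}\/url\?q=/i` quantifies the escaped dot, so it matches zero to five literal dots rather than a TLD; `https://www.google.com/url?q=` can never match because after `google.` the pattern requires `/url` but finds `com`. The rule it replaces did match `www.google.com`, so this rewrite effectively disables the check while raising its score to 1.5. A character class is needed for the TLD, e.g. `uri __KAM_GOOGLE_REDIR /^https?:\/\/www\.google\.[a-z.]{2,6}\/url\?q=/i`, and since the intent appears to be covering country-code Google domains the describe line could say so.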
@@ -721,6 +729,32 @@ meta KAM_PAGE (__KAM_PAGE1)
 describe KAM_PAGE Page.TL likely spam (Nov 2011)
 score KAM_PAGE 2.0
+# .html link stored on S3
+uri GB_S3_HTM /^https?:\/\/s3\.amazonaws\.com\/.{3,128}\.html?/i
+describe GB_S3_HTM .html link stored on AWS S3
+score GB_S3_HTM 4.5
+
+if (version >= 4.000000)
+if can(Mail::SpamAssassin::Conf::feature_capture_rules)
+ header __GB_TO_ADDR To:addr =~ /(?.*)/
+
+ # Links to malware stored on Google storage
+ uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
+ describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
+ score GB_STORAGE_GOOGLE_EMAIL 2.000
+
+ # Links to malware
+ uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)(?:\#|\?&e=)?%{GB_TO_ADDR};i
+ uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
+ uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:email=|wapp\#)%{GB_TO_ADDR};i
+ uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
+ meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
+ describe GB_CUSTOM_HTM_URI Custom html uri
+ score GB_CUSTOM_HTM_URI 1.500
+
+endif
+endif
+
 # This rule is to mark emails using the exploit of the URI parsing
 uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
 describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
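Review bot: `header __GB_TO_ADDR To:addr =~ /(?.*)/` is not a valid pattern as shown; a capture rule needs a named group, presumably `(?<GB_TO_ADDR>.*)`, and the name looks to have been stripped by the rendering of this diff, so confirm the raw file. Separately, `%{GB_TO_ADDR}` is interpolated into five `uri` patterns, so it matters whether the captured recipient address is regex-quoted before substitution: an address containing `+`, `.` or `?` would otherwise change the meaning of those patterns and make the rules match unrelated URIs or miss the intended one. If the capture feature does not quote values, wrapping the reference as `\Q%{GB_TO_ADDR}\E` is the usual fix; in either case a comment above the header line stating the assumption would help, e.g. `# %{GB_TO_ADDR} is interpolated into the uri rules below; relies on captured values being regex-safe`. `GB_S3_HTM` scores 4.5 from a single unconditional pattern on any `.htm`/`.html` object under `s3.amazonaws.com`, which departs from the file's habit of low-scored `__` subrules combined in a meta; a brief comment on the corpus evidence behind that weight would help operators judge the FP risk for legitimately hosted content.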
@@ -834,14 +868,15 @@ score KAM_ADV_EMAIL 5.0 #SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i #EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007 -header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret/i +header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blow ?job|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get|S*?exy granny|shagmate|her squirt|elongation secret|small member|g-spot|XXX life|cart.?bloom.?jigsaw|clogged.?colon|Peppy.?Pet.?ball|derma.?correct|secret to squirting|monstrous cock|adult film star extension secret|inches to your manhood|lack of sex|harrys.?affiliate|numerologist|your 
prostate|stiffening tonic|need sex partner/i #TRYING TO GET RID OF FPs WITH LAST NAMES -header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school of squirt)|hookup.?alert|horny|bedroom.?partner|hookup.?online|lovely.?asian/i +header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^)|Dating Granny|school.?of.?squirt)|hookup.?alert|bedroom.?partner|hookup.?online|lovely.?asian|squirting.?school|sex.?portal|sex.?club|liberator.?x2|instahard|eat me with your dick/i #MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15 -body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? 
cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls in your city/i +body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? 
cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blow ?job (comm?unity|porn)|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|(naughty|horny).milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs|girls (from|in) your city|rock.?hard boner|reclaiming your manhood|sexy and horny|bad girls from your city|awesome in bed|turbo\-charge your bed|shocking erection|stiffening tonic|anal fun|fingering videos/i #remove f\#ck for FPs +tflags __KAM_SEX_EXPLICIT4 nosubject header __KAM_SEX_EXPLICIT5 Subject =~ 
/(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i 
@@ -876,21 +911,23 @@ describe KAM_TELEWORK Stupid telework and training scams
 score KAM_TELEWORK 3.0
 #Changed to meta 2017-10-17
+#Key removal/credits
 #2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
 #2019-11-24 - Removed .bid for FPs
 #2020-06-04 - Added FP check for td.date and div.top
-#2020-08-23 - Added guru
 #2021-08-14 - Thanks to Giovanni for the new regex and Kenneth Porter for the FP for things that ended in one of the TLDs but wasn't part of the domain
 #2021-08-25 - Added a FP fix for date with { from programming discussions
-header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar|sbs)$/i
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar|sbs)($|\/|\:)/i
+#2022-04-26 - Sort tlds and add .cfp domain
+#2022-09-21 - adding .link back due to prevalence
+header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)$/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(bar|beauty|buzz|cam|casa|cfd|club|date|guru|link|live|online|press|pw|quest|rest|sbs|shop|stream|top|trade|work|xyz)($|\/|\:)/i
 #FPs
-uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
+uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|de[b|l]\.date|div\.top($|\/)/i
 body __KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF /\.date ?\{/i
 meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !(__KAM_SOMETLD_ARE_BAD_TLD_PROGRAM_REF + __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE))
-describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa, .online, .cam, .shop, .bar, .club, .sbs & .date TLD Abuse
+describe KAM_SOMETLD_ARE_BAD_TLD .bar, .beauty, .buzz, .cam, .casa, .cfd, .club, .date, .guru, .link, .live, .online, .press, .pw, .quest, 
.rest, .sbs, .shop, .stream, .top, .trade, .work, .xyz TLD abuse
 score KAM_SOMETLD_ARE_BAD_TLD 5.0
 #2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
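Review bot: The new changelog line `#2022-04-26 - Sort tlds and add .cfp domain` does not match the rules it documents: both regexes and the describe line add `cfd`, not `cfp`, so either the comment or the TLD is wrong, and as `.cfd` is the TLD that exists the comment presumably should read `add .cfd domain`. In the FP exception `de[b|l]\.date` the `|` inside a character class is a literal pipe rather than alternation; `de[bl]\.date` is what is meant (harmless here, but misleading to the next editor). Re-adding `.link` and adding `.xyz`, `.live` and `.work` widens the From-address test considerably, and the meta scores 5.0 on a From match alone; since the 2017-10-23 entry records why `.link` was removed, a sentence on why the FP risk is now acceptable would help whoever revisits this list.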
@@ -916,30 +953,34 @@ ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  score KAM_LOCAL_TEST1 50
  #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
- header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
+ header KAM_RPTR_FAILED X-Raptor-Reverse =~ /^Failed/
  describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
  score KAM_RPTR_FAILED 6.0
- header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
+ header __KAM_RPTR_SUSPECT X-Raptor-Reverse =~ /^Suspect/
  meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
  describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
  score KAM_RPTR_SUSPECT 2.45
  #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
- header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
+ header __KAM_RPTR_PASSED X-Raptor-Reverse =~ /^Passed/
  meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
  describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
  score KAM_RPTR_PASSED -1.0
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
  describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
- score KAM_RPTR_MISSING 9.0
+ score KAM_RPTR_MISSING 6.0 #Lowered to 6.0 temporarily
  #DWDTECHSPAM /ETC
- header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
+ header KAM_RPTR_BADHOST X-Raptor-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
  describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
  score KAM_RPTR_BADHOST 9.0
+ header KAM_NOTLS X-Raptor-TLS =~ /False/
+ describe KAM_NOTLS Mail has been sent using an unsecure connection
+ score KAM_NOTLS 0.001
+
  #CUSTOM SCORES THAT KAM LIKES
  #score SARE_GIF_ATTACH 3.0
  score CHARSET_FARAWAY_HEADER 1.6
@@ -971,13 +1012,13 @@ ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #score FRANCHISE_JERRY -99.0
  #describe FRANCHISE_JERRY Jerry's Franchise Application or Request
- header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
+ header KAM_INVALID_FROM X-Raptor-From =~ /From Header Missing Host/
  describe KAM_INVALID_FROM From header missing host portion
- score KAM_INVALID_FROM 4.0
+ score KAM_INVALID_FROM 6.0
  #RAPTOR ALTERED EMAILS
  #body __KAM_RAPTOR1 /altered by our Raptor filters/i
- #header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
+ #header __KAM_RAPTOR2 X-Raptor-Alter =~ /True/
  #meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
  #describe KAM_RAPTOR PCCC Raptor altered the email
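Review bot: Every `X-Raptor-*` header rule renamed in this hunk and in the -971 hunk (`KAM_RPTR_FAILED`, `__KAM_RPTR_SUSPECT`, `__KAM_RPTR_PASSED`, `KAM_RPTR_MISSING`, `KAM_RPTR_BADHOST`, `KAM_NOTLS`, `KAM_INVALID_FROM`) trusts a header that the local MIMEDefang stage adds, and `KAM_RPTR_PASSED` subtracts 1.0 on `X-Raptor-Reverse: Passed`; unless that stage strips any inbound `X-Raptor-*` headers before adding its own, a message arriving with that header pre-set gets the negative score, and the rename is the moment to record that dependency. Suggest a comment above the first rule: `# X-Raptor-* headers are set by our MIMEDefang stage, which must remove any inbound copies first; these tests are only as trustworthy as that filter`. Also, `score KAM_RPTR_MISSING 6.0 #Lowered to 6.0 temporarily` is re-declared at 9.0 three times later in the -996 hunk (the `#KAM Bad Attach` blocks, which appear to be stale copies); if both blocks load under the same `ifplugin KAMOnly` guard the last `score` wins and the lowering has no effect, so those duplicate definitions should be dropped rather than renamed. `KAM_NOTLS`'s describe text would read better as `insecure connection`.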
@@ -996,25 +1037,25 @@ ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  endif
  #KAM Bad Attach
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
  describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
  score KAM_RPTR_MISSING 9.0
  #KAM Bad Attach
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
  describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
  score KAM_RPTR_MISSING 9.0
  #KAM Bad Attach
- header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
+ header KAM_RPTR_MISSING X-Raptor-Reverse =~ /^Missing/
  describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
  score KAM_RPTR_MISSING 9.0
  #KAM Bad Attach
- header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
+ header KAM_BADATTACH X-Raptor-BadAttach =~ /^True/
  describe KAM_BADATTACH Mail contains a bad attachment
  score KAM_BADATTACH 15.0
@@ -1061,9 +1102,12 @@ score KAM_DRILL 1.5
 ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
- header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
+ header KAM_IFRAME X-Raptor-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
  describe KAM_IFRAME Email contained Iframe, Object or Script tags
- score KAM_IFRAME 1.0
+ if can(Mail::SpamAssassin::Conf::feature_subjprefix)
+ subjprefix KAM_IFRAME [Javascript]
+ endif
+ score KAM_IFRAME 2.0
  body KAM_IFRAME2 /you need a browser with javascript/i
  describe KAM_IFRAME2 Email contains phrase instructing javascript use
@@ -1074,7 +1118,7 @@ ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
  #XEROX SCANS
- header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
+ header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device|document from xerox scanner/i
  meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
  score KAM_XEROX 5.0
  describe KAM_XEROX Likely Fake Xerox Attachment
@@ -1085,6 +1129,13 @@ else
 score KAM_IFRAME 0
 endif
+ifplugin Mail::SpamAssassin::Plugin::KAMOnly
+ #WE USE MIMEDEFANG TO DISABLE TRACKING IMG TAGS
+ header KAM_IMG_TRACKING X-Raptor-TrackingWarning =~ /remote tracking image\(s\) deactivated by MIMEDefang/
+ describe KAM_IMG_TRACKING Email contained a tracking img tag
+ score KAM_IMG_TRACKING 0.001
+endif
+
 #STUPID REMOVE "*" to make the link working.
 body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
@@ -1168,7 +1219,7 @@ describe KAM_ADVERT3 Traffic / Expiring Domain List Spam score KAM_ADVERT3 5.0 #ADVERTISEMENT -body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment|share your contact/is +body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? 
Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This (message|entire message|communication) is an ad|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment|share your contact/is describe KAM_ADVERT2 This is probably an unwanted commercial email... score KAM_ADVERT2 0.75 @@ -1275,7 +1326,7 @@ body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Ord meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4) describe KAM_NIGERIAN Nigerian Scam and Variants -score KAM_NIGERIAN 2.5 +score KAM_NIGERIAN 2.25 #I LIKE YOUR SPAM body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is 
@@ -1296,7 +1347,7 @@ score KAM_PUBLIC 9.0 #SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i -header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i +header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)|have an affair/i body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i describe KAM_SEX Sexually 
Explicit SPAM / Penis Enlargement Scam
@@ -1457,7 +1508,7 @@ ifplugin Mail::SpamAssassin::Plugin::PDFInfo
 endif
 endif
-
+#BAD PURCHASE ORDER
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
 mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
 mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
@@ -1691,10 +1742,37 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
  util_rb_2tld googleapis.com
  util_rb_2tld a2hosted.com
  util_rb_2tld netlify.app
+ util_rb_2tld kriya.ai
+ util_rb_2tld usekalendarai.com
+ util_rb_2tld trykalendarai.com
+ util_rb_2tld outrch.com
+ util_rb_2tld campaign-view.com
+ util_rb_2tld fameup.net
+ util_rb_2tld msgfocus.com
+ util_rb_2tld herokuapp.com
+ util_rb_2tld boxmode.io
+ util_rb_2tld amplifyapp.com
+ util_rb_2tld azurewebsites.net
+ util_rb_2tld wixsite.com
+ util_rb_2tld workers.dev
+ util_rb_2tld in.net
+ util_rb_2tld ru.com
+ util_rb_2tld za.com
+ util_rb_2tld sa.com
+ util_rb_2tld hubspot-inbox.com
+ util_rb_3tld en.alibaba.com
+ util_rb_2tld co.in
+ util_rb_2tld firebaseapp.com
+ util_rb_2tld glitch.me
+ util_rb_2tld awsapps.com
+ util_rb_2tld app.link
+ util_rb_2tld glueup.com
+ util_rb_2tld radio.am
+ util_rb_2tld wufoo.com
 endif
 # allow URI rules to look at DKIM headers if they exist and our SA version supports it
- if (version >= 3.0040001)
+ if (version >= 3.004001)
  parse_dkim_uris 1
  endif
@@ -1733,7 +1811,32 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC) describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL) score KAM_MARKETINGBL_PCCC 1.0 + tflags KAM_MARKETINGBL_PCCC net endif + + # SEM-FRESHZERO + urirhssub SEM_FRESHZERO freshzero.spameatingmonkey.net. A 2 + body SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO') + describe SEM_FRESHZERO Contains a domain never seen before + tflags SEM_FRESHZERO net + score SEM_FRESHZERO 2.5 + # SEM-FRESH + urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2 + body SEM_FRESH eval:check_uridnsbl('SEM_FRESH') + describe SEM_FRESH Contains a domain registered less than 5 days ago + tflags SEM_FRESH net + score SEM_FRESH 2.0 + # SEM-FRESH10 + urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2 + body SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10') + describe SEM_FRESH10 Contains a domain registered less than 10 days ago + tflags SEM_FRESH10 net + score SEM_FRESH10 1.5 + + meta KAM_SEMFRESH (SEM_FRESHZERO || SEM_FRESH || SEM_FRESH10 ) + describe KAM_SEMFRESH Contains a domain recently registered + tflags KAM_SEMFRESH net + score KAM_SEMFRESH 0.001 endif if (version >= 3.004001) @@ -1755,7 +1858,7 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL urirhssub KAM_BODY_WELCOMELIST_URIBL_PCCC wild.pccc.com. A 127.0.1.8 body KAM_BODY_WELCOMELIST_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC') describe KAM_BODY_WELCOMELIST_URIBL_PCCC Body contains URI listed in PCCC Welcome List URIBL (https://raptor.pccc.com/RBL) - tflags KAM_BODY_WELCOMELIST_URIBL_PCCC net + tflags KAM_BODY_WELCOMELIST_URIBL_PCCC net nice score KAM_BODY_WELCOMELIST_URIBL_PCCC -7.0 endif endif 
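Review bot: The three SEM sub-rules stack: their describe lines say the zones are "never seen before", "less than 5 days" and "less than 10 days", so if those sets nest as described a single freshly registered domain hits SEM_FRESHZERO, SEM_FRESH and SEM_FRESH10 together for 2.5 + 2.0 + 1.5 = 6.0, above the default 5.0 required_score, while the KAM_SEMFRESH meta at 0.001 only records the aggregate. If stacking is intended, a comment on the block should say so; otherwise the graded scores would be incremental, e.g. `score SEM_FRESH10 1.5`, `score SEM_FRESH 0.5`, `score SEM_FRESHZERO 0.5`, so the newest domains still total 2.5 and a ten-day-old one 1.5. A short comment naming the zone provider and pointing at wherever its query policy is documented would also help operators who enable this section.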
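Review bot: The rule this hunk touches passes a different name to its eval than the one declared on the `urirhssub` line: the sub is declared as `KAM_BODY_WELCOMELIST_URIBL_PCCC`, but the body line reads `eval:check_uridnsbl('KAM_URIBL2_PCCC')`. Unless `KAM_URIBL2_PCCC` is still declared as a urirhssub elsewhere in the file, on versions where check_uridnsbl resolves the zone from its argument the `wild.pccc.com.` / 127.0.1.8 lookup would never be consulted and the -7.0 welcome-list credit would not apply; `body KAM_BODY_WELCOMELIST_URIBL_PCCC eval:check_uridnsbl('KAM_BODY_WELCOMELIST_URIBL_PCCC')` keeps the names aligned. The added `nice` tflag is correct for a negative-scoring rule.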
@@ -1779,6 +1882,7 @@ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM) describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL score KAM_VERY_BLACK_DBL 5.0 + tflags KAM_VERY_BLACK_DBL net endif @@ -1795,13 +1899,19 @@ if (version >= 3.004003) endif #FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES +header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{3}\@(gmail|hotmail|yahoo)\.com/i +header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?\d{5,10}\@(gmail|hotmail|yahoo)\.com/i +meta GB_FREEMAIL_NUM ( __GB_FREEMAIL_NUM0 || __GB_FREEMAIL_NUM1 ) +describe GB_FREEMAIL_NUM Freemail spammy address +score GB_FREEMAIL_NUM 1.0 + +header __GB_FREEMAIL_GMAIL From:addr =~ /\@gmail\.com/i +meta GB_GMAIL_NUM ( GB_FREEMAIL_NUM && __GB_FREEMAIL_GMAIL && ( KAM_DMARC_NONE || KAM_DMARC_QUARANTINE ) ) +describe GB_GMAIL_NUM Spam from random Gmail address +score GB_GMAIL_NUM 2.0 + ifplugin Mail::SpamAssassin::Plugin::KAMOnly - header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\d{3}\@(gmail|hotmail|yahoo)\.com/i - header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\d{5,10}\@(gmail|hotmail|yahoo)\.com/i - meta GB_FREEMAIL_NUM ( __GB_FREEMAIL_NUM0 || __GB_FREEMAIL_NUM1 ) - describe GB_FREEMAIL_NUM Freemail spammy address - score GB_FREEMAIL_NUM 1.0 - meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY ) + meta GB_UNWANTED_FREE_NUM ( GB_FREEMAIL_NUM && UNWANTED_LANGUAGE_BODY ) describe GB_UNWANTED_FREE_NUM Freemail spammy address and unwanted language score GB_UNWANTED_FREE_NUM 3.0 endif 
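Review bot: `__GB_FREEMAIL_GMAIL` (`From:addr =~ /\@gmail\.com/i`) is not anchored to the end of the address, so any sender domain that merely starts with `gmail.com` also counts as Gmail; `/\@gmail\.com$/i` matches the intent, and the same `$` would tighten the two `__GB_FREEMAIL_NUM*` patterns, which likewise stop at `\.com` without an anchor. Moving GB_FREEMAIL_NUM out of the KAMOnly block changes who is affected: its 1.0 now applies to every installation, and GB_GMAIL_NUM adds 2.0 whenever KAM_DMARC_NONE or KAM_DMARC_QUARANTINE also fires, so a bare `name123@gmail.com` sender can collect 3.0 before any content rule; a comment recording the corpus evidence for the 2.0 would help, since that rule appears to be new. KAM_DMARC_NONE and KAM_DMARC_QUARANTINE are defined outside this hunk; if they live inside a plugin conditional, GB_GMAIL_NUM should sit inside the same one so the meta never references undefined sub-rules.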
@@ -1924,34 +2034,35 @@ describe KAM_COLLECT Spammers hawking debt collection #SEARCH ENGINE SPAM #Subj -header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO/i +header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(optimiz|package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page|^proposal$|marketing proposal|top (o|i)n google|looking for an SEO|web design|on page 1|top rank|info & cost/i #what specific -body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i - #ranging -body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO/i +body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing (manager|strateg)/i +tflags __KAM_SEARCH2 nosubject + #ranking +body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|company in india|india.based|\(India\)|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search|generate leads|specialization includes SEO|rank on page (1|one)|top page ranking|white.?hat SEO/i tflags __KAM_SEARCH3 nosubject #how 
-body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you quote/i +body __KAM_SEARCH4 /guaranteed type of exposure|free website (analysis|report|search engine optimiz)|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)|competitive quote|send you (our past work|quote)|website audit|seo (package|campaign)|package for \d+ keyword/i #who -rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|sales manager/i +rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing|business) (executive|consultant)|(search engine|SEO) (company|consultant|expert|Service)|(marketing|sales) manager/i -meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4) -score KAM_SEARCH 6.0 +meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 + FREEMAIL_FROM >= 5) +score KAM_SEARCH 7.5 describe KAM_SEARCH Spammers hawking SEO #SEO -header __KAM_SEO1 
Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website/i +header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|rank|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report|why your website|getting online sales/i #what we give you -body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report/i +body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|(audit|ranking) report|higher search rank|top \d+ search engine rank/i tflags __KAM_SEO2 nosubject #what we do/fix -body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website/i +body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings|issues bugging your website|increase your organic traffic/i #SEO body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? 
Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i #costs -body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|proposal for your website/i +body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial|(plan of action|proposal) for your website/i #SEO Indicators -body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing/i +body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam|promotional online marketing|panda.?safe|digital marketing/i # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE... uri __KAM_SEO7 /./ @@ -1976,11 +2087,12 @@ describe KAM_SEO Spammers hawking SEO #WEB DESIGN -header __KAM_WEB1 Subject =~ /Web.?(Design|programming|Development)/i +header __KAM_WEB1 Subject =~ /(app|Web|software).?(proposal|Design|programming|Development)/i -body __KAM_WEB2 /indian?.based.(web|it)|certified.it.company|offering Website Design/i + #service +body __KAM_WEB2 /indian?.based.(web|it)|certified.it.company|offering Website Design|(expert|based) in india|software development.{0,2}firm|develop your web/i tflags __KAM_WEB2 nosubject - + #title body __KAM_WEB3 /Online Marketing (Executive|Consultant)|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3) 
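Review bot: `marketing manager` is now counted twice in KAM_SEARCH: the new `marketing (manager|strateg)` alternation in `__KAM_SEARCH2` (body) and the new `(marketing|sales) manager` in `__KAM_SEARCH5` (rawbody) both fire on a single signature line such as "Marketing Manager", so an otherwise ordinary newsletter contributes 2 of the 5 points the meta now needs. Keeping the phrase in one sub-rule — for instance leaving `__KAM_SEARCH5` at the original `sales manager` — avoids the double count. The meta change also treats the two sender classes differently: with `FREEMAIL_FROM` added and the threshold raised from 4 to 5, freemail senders still need four of the five content sub-rules while other senders now need all five; that is presumably intended, but a comment on the `meta KAM_SEARCH` line stating it would stop the next editor from "fixing" it.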
@@ -1988,7 +2100,7 @@ score KAM_WEB 4.0 describe KAM_WEB Web design spams #DOMAIN NAME AND OTHER RELATED SPAMS -body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i +body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i header __KAM_DOMAIN4 From =~ /domain|submit.site/i 
@@ -2403,13 +2515,13 @@ meta KAM_SEXSUBJECT __KAM_DRUG2_1 score KAM_SEXSUBJECT 2.0 describe KAM_SEXSUBJECT Sexually Explicit Subject -#RUSSIAN WIFE/BRIDE SCAMS +#RUSSIAN WIFE/BRIDE SCAMS - Raising to >= 3 for FPs due to Russian Invasion of Ukraine 2/25/2023 header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(dating|beaut|single|women|bride|lad|babe|girls)/i body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i tflags __KAM_WIFE2 nosubject header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut|lad)|(date|nice|hot).?(russian|asian)/i -meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2) +meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 3) score KAM_WIFE 8.0 describe KAM_WIFE Mail order bride scams @@ -2496,7 +2608,7 @@ endif #DON NOB & WORK FROM HOME SCAMS -header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i +header __KAM_DON1 X-Raptor-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./ body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i 
@@ -2523,7 +2635,7 @@ describe KAM_GINA Employment Poster Marketing Spams header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i -body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i +body __KAM_TAX4 /MSNBC|fox news|\bCNN\b|please.confirm|you.qualify|obtain.now|must.see.tax/i meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3) score KAM_TAX 2.5 
@@ -2700,19 +2812,25 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3 #ISSUE - body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (amost )?(exhausted|fu)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|dectivted if no ction|invalid users|request .{0,13}shutdown|migrating all email|delvry f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|suspicious activities|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive new e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be preented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid being barred|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox/i + body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (amost )?(exhausted|fu)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|dectivted if no ction|invalid users|request .{0,13}shutdown|migrating all email|delvry f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. 
pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be preented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire/i tflags __KAM_MAILBOX1 nosubject #ACTION - body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? 
{0,5}(address|password|ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai|deliver recent mail|(use|using|keep) (current|same) password|change password|stop (this action|account removal)|fix your email|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the request|prevent lock of account|back under the limit|update no|rectivte ccess|consider keeping your password|account will work 
effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account/i - tflags __KAM_MAILBOX2 nosubject - #SUBJECT - header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(delvry|synchronization|processing) (problem|is blocked|failure|errr)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}errr|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|verfcaton|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown 
request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? update (required|needed)|out of storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt/i + body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually 
fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the request|prevent lock of account|back under the limit|update no|rectivte ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail/i + tflags __KAM_MAILBOX2 nosubject + #SUBJECT + header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(delvry|synchronization|processing) (problem|is blocked|failure|errr)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) 
(closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}errr|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|verfcaton|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? 
update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice/i - meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH) >= 2 + #NON OBFUSCATED VARIANT NOT A SPAM INDICATOR + header __KAM_MAILBOX3FP Subject =~ /verification/i + + #COMPROMISED SYSTEMS + uri __KAM_WPADMIN /\/wp-admin\//i + + meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG + T_HTML_ATTACH + __KAM_WPADMIN) >= 2 score KAM_MAILBOX 7.75 describe KAM_MAILBOX Mailbox Quota Phishing Scams - meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX + meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + (__KAM_MAILBOX3 && !__KAM_MAILBOX3FP) + KAM_SHORT >=3) && !KAM_MAILBOX score KAM_MAILBOX2 6.25 describe KAM_MAILBOX2 Mailbox Quota Phishing Scams @@ -2722,6 +2840,7 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1) +tflags KAM_SHORT net score KAM_SHORT 0.001 describe KAM_SHORT Use of a URL Shortener for very short URL 
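Review bot: The new `__KAM_MAILBOX3FP` exclusion is all-or-nothing: `(__KAM_MAILBOX3 && !__KAM_MAILBOX3FP)` discards the whole Subject signal whenever the subject contains the correctly spelled word "verification", including subjects that `__KAM_MAILBOX3` itself lists as phishing markers (`(mail|mailbox|account|password) (… verification …)`), so "Account verification required" now contributes nothing from the subject even when the body sub-rules fire. If the goal is to stop counting legitimate signup/2FA mail, a narrower FP pattern (for example an anchored `^(email|account) verification$`) or removing the `verification` alternative from `__KAM_MAILBOX3` so only the obfuscated `Veirification|Verfication|verfcaton` spellings count would keep the signal for everything else. The comment `#NON OBFUSCATED VARIANT NOT A SPAM INDICATOR` should also be spelled out, e.g. `# correctly spelled "verification" is common in legitimate signup/2FA subjects; only the obfuscated spellings above are a phishing signal`. `__KAM_WPADMIN` (`/\/wp-admin\//i`) is a reasonable compromised-site indicator for the secondary clause, but WordPress's own notification mail to site owners links to `/wp-admin/` too, so its comment should say it is a supporting signal only. The enclosing `ifplugin Mail::SpamAssassin::Plugin::ReplaceTags` block starts before this hunk.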
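Review bot: `tflags KAM_SHORT net` is applied unconditionally, but KAM_SHORT is only a network rule on the DecodeShortURLs path; in both `else` branches `__KAM_SHORT` and `__KAM_TINYDOMAIN` are plain `uri` regexes. If SpamAssassin skips `net`-flagged rules in local-only mode (`-L`), the regex fallback would be disabled along with it and KAM_MAILBOX2, which now adds KAM_SHORT to its sum, would lose that term for no network-related reason. The next hunk places `tflags __KAM_SHORT net` inside the `if can(...has_short_url)` branch, which is the right scope; moving this `tflags KAM_SHORT net` line into that same branch keeps the meta consistent with its sub-rules. The `meta KAM_SHORT` definition itself is a context line, not part of the change.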
@@ -2730,19 +2849,20 @@ ifplugin Mail::SpamAssassin::Plugin::DecodeShortURLs if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url) # use DecodeShortURLs plugin and disable __KAM_TINYDOMAIN body __KAM_SHORT eval:short_url() + tflags __KAM_SHORT net else #OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this. uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/ # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS - uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm).{2,7}\//i + uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i endif else #OLDER RULE, SHOULD USE DecodeShortURLS and the kam_urlshorterners.cf which is more comprehensive than this. 
uri __KAM_SHORT /^https?:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|urlshortener\.teams\.microsoft\.com|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/ # GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS - uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm).{2,7}\//i + uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!avg|ibm|gov).{2,7}\//i endif #POWER CHAIRS 
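Review bot: The new `gov` exemption in `__KAM_TINYDOMAIN` only tests the first three characters of the label after the dot, so it also exempts any host whose second label merely starts with "gov" (`ab.govsecure.tld/`), while a label boundary is what the exemption actually wants. Anchoring the lookahead keeps `nih.gov/` and `x.gov.uk/` excluded without widening the hole: `uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\.(?!(?:avg|ibm|gov)\b).{2,7}\//i`. The same regex is maintained in both the inner and outer `else` branches of this hunk, so whichever form is chosen should be applied to both lines to keep them in sync.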
@@ -2862,18 +2982,22 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags #renamed to A1, C1, etc. to avoid collissions with stock rules #Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars #thanks as well to Henrik Krohns -replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@) + +#Write a very broad regex like g.*k.?squ.* and the debug outputs something like G\x{CF}\x{B5}\x{CF}\x{B5}k Squ" Then you can Edit the tag for E1 to add |[\xcf][\xb5] +# replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@) +replace_tag A1 (?:a|[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@) replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b]) -replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c]) +replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c]|[xd0\xa1]) replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d]) -replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]) +replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab]) replace_tag G1 (?:g|[\xf0\x9d\x97\x80]) replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1) +replace_tag K1 (?:k|[\xd0][\xba]) replace_tag L1 (?:l|i) replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba]) replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97]) -replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e]) -replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99]) +replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e]|[\xc3][\xb4]) +replace_tag P1 
(?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99]|[\xd0\xa0]) replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b]) replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c]) replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d]) @@ -3261,7 +3385,7 @@ score KAM_AP 4.5 #CO.UK header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i describe KAM_COUK Scoring .co.uk emails higher due to poor registry security. -score KAM_COUK 0.85 +score KAM_COUK 0.6 #FAKE FACEBOOKMAIL #REAL FB DOMAIN @@ -3280,7 +3404,7 @@ header __KAM_FAKE_DELIVER2 Subject =~ /Invalid Address|shipping service|(ship|p #DHL header __KAM_FAKE_DELIVER3 From:name =~ /DHL/i -header __KAM_FAKE_DELIVER4 From:addr !~ /dhl.com/i +header __KAM_FAKE_DELIVER4 From:addr !~ /dhl\.com/i body __KAM_FAKE_DELIVER4A /dhl team/i #FEDEX @@ -3442,7 +3566,7 @@ meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1) score KAM_SHARKTANK 1.0 describe KAM_SHARKTANK Mentions Shark Tank -rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is +rawbody __KAM_SHARKPROD /high blood pressure|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2) score KAM_SHARKPROD 5.0 @@ -4627,7 +4751,7 @@ body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i tflags __KAM_ASCII_DIVIDERS multiple maxhits=4 meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE) -describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks +describe KAM_ASCII_DIVIDERS Email that uses ascii formatting dividers and possible spam tricks score KAM_ASCII_DIVIDERS 0.8 # RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED 
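Review bot: Two of the newly added replace_tag alternatives are byte classes rather than byte sequences: the P1 entry `[\xd0\xa0]` matches a single byte that is either \xd0 or \xa0, and the C1 entry `[xd0\xa1]` is missing its backslash, so it matches the ASCII letters `x`, `d` and `0` — any rule built on `<C1>` will now also hit plain "d", "x" and "0", which is a false-positive hazard. Following the file's own two-byte convention these should read `[\xd0][\xa0]` for P1 and `[\xd0][\xa1]` for C1, and since C1 already contains `[\xd0][\xa1]` the new C1 entry can simply be dropped. The rewritten A1 entry `[\xf0\x9d\x97][\xae]` still consumes only two bytes of what looks like a four-byte UTF-8 sequence; if the full code point is intended, `\xf0\x9d\x97\xae` (four explicit bytes) would be the consistent form, which the debug method described in the new comment can confirm. The pre-existing B1 entry `[xf0\x9d\x9a\x8b]` in context appears to have the same missing backslash and is worth fixing in the same pass.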
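Review bot: Escaping the dot in `__KAM_FAKE_DELIVER4` is right, but the test is still an unanchored substring match on the From address, so `noreply@dhl.com-tracking.example` or `dhl.com@attacker.example` is treated as genuine DHL and the fake-delivery meta (defined outside this hunk) is suppressed exactly for the lookalike senders it should catch. Assuming `From:addr` yields the bare address, anchor it to the domain: `header __KAM_FAKE_DELIVER4 From:addr !~ /\@(?:[\w-]+\.)*dhl\.com$/i`. The FedEx block that follows is outside this hunk but likely has the same shape and deserves the same treatment.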
@@ -4757,14 +4881,26 @@ ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF. header __KAM_SPF_NONE eval:check_for_spf_none() +tflags __KAM_SPF_NONE net meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE) +tflags KAM_LAZY_DOMAIN_SECURITY net score KAM_LAZY_DOMAIN_SECURITY 1.0 describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods endif endif endif +ifplugin Mail::SpamAssassin::Plugin::KAMOnly + ifplugin Mail::SpamAssassin::Plugin::DKIM + header __KAM_TRUNCATE exists:X-Raptor-Truncate + meta DKIM_FAILED_TRUNCATE ( DKIM_INVALID && __KAM_TRUNCATE ) + describe DKIM_FAILED_TRUNCATE DKIM invalid but message truncated by Raptor + score DKIM_FAILED_TRUNCATE -0.1 + tflags DKIM_FAILED_TRUNCATE nice + endif +endif + ifplugin Mail::SpamAssassin::Plugin::KAMOnly # FORGED EMAILS WITH A VIRUS ATTACHED meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2) 
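Review bot: `header __KAM_TRUNCATE exists:X-Raptor-Truncate` keys on the mere presence of a header, and a later hunk uses `DKIM_FAILED_TRUNCATE` to apply negative scores that fully cancel a DMARC reject, so the security of that cancellation rests entirely on the gateway stripping any sender-supplied `X-Raptor-*` headers before adding its own. If it does not, a sender can include `X-Raptor-Truncate: True` and neutralise a DKIM/DMARC failure; this is presumably handled in the Raptor glue, but it is not stated here. Suggest recording the assumption next to the rule: `# Assumes the gateway removes inbound X-Raptor-* headers before adding its own; otherwise this header is sender-controlled`, and matching a value as the sibling X-Raptor rules do (`=~ /^True$/i`) for consistency, even though that alone does not make it unforgeable.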
@@ -5151,9 +5287,10 @@ score KAM_BADPHP 3.5 describe KAM_BADPHP Questionable PHP mailer headers # TINNITUS -header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)/i -header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring/i -body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled/i +header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)|silencil|tinnitus/i +header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring|removes? tinnitus/i +body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled|restores your hearing|no more buzzing/i +tflags __KAM_TINNITUS3 nosubject meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3) describe KAM_TINNITUS Tinnitus spam @@ -5197,14 +5334,14 @@ score KAM_CAD 3.5 ifplugin Mail::SpamAssassin::Plugin::KAMOnly #SPAM WITH OFFICE MACROS -header __KAM_VBMACRO X-KAM-VBMacro =~ /True/i +header __KAM_VBMACRO X-Raptor-VBMacro =~ /True/i meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO) describe KAM_VBMACRO Message contains attachment with VB macro score KAM_VBMACRO 6.5 #SPAM THAT INDICATES DYNAMIC IP -header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i +header KAM_DYNIP X-Raptor-DynamicIndicator =~ /True/i describe KAM_DYNIP Message contains Dynamic IP Address Indicator score KAM_DYNIP 6.5 endif @@ -5434,10 +5571,12 @@ ifplugin Mail::SpamAssassin::Plugin::AskDNS askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/ describe JMQ_SPF_NEUTRAL SPF set to ?all score JMQ_SPF_NEUTRAL 0.5 +tflags JMQ_SPF_NEUTRAL net askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/ describe JMQ_SPF_ALL SPF set to +all! score JMQ_SPF_ALL 0.5 +tflags JMQ_SPF_ALL net endif # IMPORTANT MESSAGE 
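Review bot: In `__KAM_TINNITUS1` the newly appended bare `tinnitus` alternative subsumes the existing `tinnitus.?(solution|911|breakthrough|ringing)` branch, which is now dead weight that still costs backtracking on every From header. The line reduces to `header __KAM_TINNITUS1 From =~ /tinnitus|silencil/i` with identical matches, and the widened From test is worth a one-line comment noting that the meta still requires all three sub-rules so a legitimate tinnitus-related sender is not scored on the From alone.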
@@ -5783,28 +5922,30 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7 - body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|ld (a )?mlwr||hacked your (OS|operating)|got hacked|hidden app|managed to hack/i + body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? 
and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|ld (a )?mlwr||hacked yur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system/i #Bitcoin - body __KAM_CRIM2 /(\-?|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i + body __KAM_CRIM2 /(\-?|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin/i #Payment - body __KAM_CRIM3 /make (he|a) paymen|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address|Address part||negotiation|USD.? in bitcoin/i + body __KAM_CRIM3 /make (he|a) paymen|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address|Address part||negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins/i #Sexually explicit - body __KAM_CRIM4 /erotica||p(ro|or)nographic movie|promising evidence||playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i + body __KAM_CRIM4 /erotica||p(ro|or)nographic movie|promising evidence||playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off/i #TIME - body __KAM_CRIM5 /(twenty.?four|24).?hurs|(72|24|32|30|12) ?h\. 
(since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|trnsfer the (amount|funds)|get back to me now/i + body __KAM_CRIM5 /(twenty.?four|24).?hurs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|trnsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day/i #Subject - header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i + header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. 
vitim|bomb|rescue|your building|asturbat|hi perv|(website|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i + + header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i #From header __KAM_CRIM7 From =~ /hckr|know/i - meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4) + meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + (__KAM_CRIM6 && ! __KAM_NOT_CRIM6) + __KAM_CRIM7 + FUZZY_BITCOIN >= 4) describe KAM_CRIM Extortion Email score KAM_CRIM 8.5 endif @@ -5835,7 +5976,7 @@ describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2) describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners -score KAM_ZWNJ 7.0 +score KAM_ZWNJ 6.0 describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1) @@ -6006,11 +6147,17 @@ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains score GB_FREEM_FROM_NOT_REPLY 0.4 endif + + rawbody __GB_REGEX_BR /{\:REGEX\:\((
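Review bot: As rendered, the new `__KAM_CRIM1`, `__KAM_CRIM3` and `__KAM_CRIM4` lines each carry an empty alternative (`ld (a )?mlwr||hacked`, `Address part||negotiation`, `erotica||p(ro|or)`, `promising evidence||playing`), and `(\-?|BTC|…)` in `__KAM_CRIM2` can also match the empty string via `\-?`; an empty alternative matches every body, so if this is the on-disk text rather than a non-ASCII word lost in rendering, those sub-rules fire unconditionally and `KAM_CRIM` (8.5 points) needs only a subject like "bad news" or a From containing "know" to trigger. The `__KAM_NOT_CRIM6` "Bomb cyclone" exception added here is consistent with that failure mode and treats a symptom rather than the cause. Each `||` should become `|` (or the intended alternative restored), and the optional `\-?` should be made mandatory or replaced by the symbol it stands for; `spamassassin --lint` does not catch empty alternatives, so a quick `grep -n '||' KAM.cf` is the cheapest check.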
){1,3}\|(
){1,3}/ + meta GB_REGEX_BR_SPOOF ( __GB_REGEX_BR && PDS_FROMNAME_SPOOFED_EMAIL && __ANY_TEXT_ATTACH_DOC ) + describe GB_REGEX_BR_SPOOF Office document from spoofed email + score GB_REGEX_BR_SPOOF 2.0 + endif ifplugin Mail::SpamAssassin::Plugin::KAMOnly - header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i - describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment + header KAM_RAPTOR_ALTERED X-Raptor-Alter =~ /True/i + describe KAM_RAPTOR_ALTERED Raptor identified a dangerous, possible zero day attachment risk score KAM_RAPTOR_ALTERED 2.0 endif 
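Review bot: The new `rawbody __GB_REGEX_BR` pattern spans three physical lines as rendered, and SpamAssassin configuration is line-oriented, so a literal newline inside the regex will not parse (the rule would be dropped or fail lint). If the intent is to match one to three line breaks on each side of the `|`, the pattern belongs on one line with escapes: `rawbody __GB_REGEX_BR /\{:REGEX:\((?:\r?\n){1,3}\|(?:\r?\n){1,3}/`. If this is only a rendering artifact of the corpus, disregard, but `GB_REGEX_BR_SPOOF` (score 2.0) silently never fires if the sub-rule fails to load.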
@@ -6079,23 +6226,32 @@ describe KAM_FAVOR Phishing Attempt score KAM_FAVOR 7.5 # WHITELIST PCCC/MCGRAIL +if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) +welcomelist_auth *@pccc.com *@mcgrail.com +endif +if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) whitelist_auth *@pccc.com *@mcgrail.com +endif #trusted_networks 69.171.29.0/25 #trusted_networks 38.124.232.0/24 # CONTACTS / LISTS -header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i +#REPLACED WITH BELOW FOR SINGLE WORD HIT REMOVAL +#header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) 
(list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i + +# Modified 3/23/2022 to try and remove FPs in this rule +header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing) (data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|business professionals|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+/i #title -body __KAM_LIST3_2 /list services|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence).(consultant|specialist)|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|global leads|data dep(t|artment)/i +body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list 
provider|business development manager/i tflags __KAM_LIST3_2 nosubject #db for sale -body __KAM_LIST3_3 /(information|data) (count|field)|verified email|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B list|acquiring email|contacts? list|interested in acquiring/i +body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? 
list|acquiring email|interested in acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing/i tflags __KAM_LIST3_3 nosubject #db what -body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b contact/i +body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) 
(contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees/i tflags __KAM_LIST3_4 nosubject meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4) @@ -6133,7 +6289,16 @@ score KAM_ERP 4.0 # # Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin. +#Newer Systems with DMARC Plugin ifplugin Mail::SpamAssassin::Plugin::Dmarc + #Override the default scores + score DMARC_MISSING 0.1 + score DMARC_PASS -0.1 + score DMARC_REJECT 0.1 + score DMARC_QUAR 0.1 + score DMARC_NONE 0.1 + + ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF 
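Review bot: The rewritten `__KAM_LIST3_1` is introduced by a comment saying single-word hits were removed, yet it still contains bare `prospects` and `decision.?makers`, which are exactly the kind of single-token subject hits the comment claims are gone; either drop them or amend the comment so the next FP investigation is not misled. The old regex is retained as a commented-out line above it, which the commit history already preserves, so it can be removed to keep the file readable. The `welcomelist_auth`/`whitelist_auth` pair could also be one `if can(...)`/`else`/`endif` instead of two mirrored conditionals, assuming the SpamAssassin versions targeted support `else` (the file already uses `else` in the DecodeShortURLs block).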
@@ -6149,46 +6314,86 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc header KAM_DMARC_REJECT eval:check_dmarc_reject() priority KAM_DMARC_REJECT 500 + tflags KAM_DMARC_REJECT net + reuse KAM_DMARC_REJECT describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy - score KAM_DMARC_REJECT 3.0 + score KAM_DMARC_REJECT 6.0 header KAM_DMARC_QUARANTINE eval:check_dmarc_quarantine() priority KAM_DMARC_QUARANTINE 500 + tflags KAM_DMARC_QUARANTINE net + reuse KAM_DMARC_QUARANTINE describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy score KAM_DMARC_QUARANTINE 1.5 header KAM_DMARC_NONE eval:check_dmarc_none() priority KAM_DMARC_NONE 500 + tflags KAM_DMARC_NONE net + reuse KAM_DMARC_NONE describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy score KAM_DMARC_NONE 0.25 + + ifplugin Mail::SpamAssassin::Plugin::KAMOnly + # Add a negative score if email hits Dmarc rules but is truncated + # scores must be kept in sync with Dmarc rules + meta KAM_DMARC_REJECT_TRUNCATE ( KAM_DMARC_REJECT && DKIM_FAILED_TRUNCATE ) + describe KAM_DMARC_REJECT_TRUNCATE Dmarc reject on truncated email + priority KAM_DMARC_REJECT_TRUNCATE 500 + score KAM_DMARC_REJECT_TRUNCATE -6.0 + tflags KAM_DMARC_REJECT_TRUNCATE net nice + reuse KAM_DMARC_REJECT_TRUNCATE + + meta KAM_DMARC_QUARANTINE_TRUNCATE ( KAM_DMARC_QUARANTINE && DKIM_FAILED_TRUNCATE ) + describe KAM_DMARC_QUARANTINE_TRUNCATE Dmarc quarantine on truncated email + priority KAM_DMARC_QUARANTINE_TRUNCATE 500 + score KAM_DMARC_QUARANTINE_TRUNCATE -1.5 + tflags KAM_DMARC_QUARANTINE_TRUNCATE net nice + reuse KAM_DMARC_QUARANTINE_TRUNCATE + + meta KAM_DMARC_NONE_TRUNCATE ( KAM_DMARC_NONE && DKIM_FAILED_TRUNCATE ) + describe KAM_DMARC_NONE_TRUNCATE Dmarc none on trucated email + priority KAM_DMARC_NONE_TRUNCATE 500 + score KAM_DMARC_NONE_TRUNCATE -0.25 + tflags 
KAM_DMARC_NONE_TRUNCATE net nice + reuse KAM_DMARC_NONE_TRUNCATE + endif endif endif endif else +#Older systems without the DMARC Plugin - Less accurate ifplugin Mail::SpamAssassin::Plugin::AskDNS ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/ + tflags __KAM_DMARC_POLICY_NONE net askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/ + tflags __KAM_DMARC_POLICY_QUAR net askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/ + tflags __KAM_DMARC_POLICY_REJECT net askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/ + tflags __KAM_DMARC_POLICY_DKIM_STRICT net #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT)) describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment - score KAM_DMARC_STATUS 0.01 + score KAM_DMARC_STATUS 0.01 + tflags KAM_DMARC_STATUS net meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy score KAM_DMARC_REJECT 3.0 + tflags KAM_DMARC_REJECT net meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy score KAM_DMARC_QUARANTINE 1.5 + tflags KAM_DMARC_QUARANTINE net meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy score KAM_DMARC_NONE 0.25 + tflags KAM_DMARC_NONE net endif endif endif 
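Review bot: `KAM_DMARC_REJECT` is raised to 6.0 in the Dmarc-plugin branch but the fallback branch in the same hunk keeps the identically named and described rule at 3.0, so the same message scores differently depending on plugin availability with nothing in the describe text to say so. The fallback branch also has no `*_TRUNCATE` counterpart, so a KAMOnly host without the Dmarc plugin would score a Raptor-truncated message at full DMARC weight; if the divergence is deliberate ("Less accurate"), a comment such as `# Fallback scores intentionally lower: no DMARC plugin, no truncation compensation` would make that explicit. The describe for `KAM_DMARC_NONE_TRUNCATE` also misspells "truncated" as "trucated".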
@@ -6201,7 +6406,7 @@ ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro # skip psd and other files from macro checks olemacro_skip_exts (?:dotx|potx|ppsx|pptx|psd|sldx|xltx|oxps)$ - if (version >= 3.0040005) + if (version >= 3.004005) body KAM_OLEMACRO eval:check_olemacro() describe KAM_OLEMACRO Attachment has an Office Macro @@ -6219,17 +6424,27 @@ ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro olemacro_extended_scan 1 body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed() describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed - score KAM_OLEMACRO_RENAME 0.5 + score KAM_OLEMACRO_RENAME 2.5 meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML ) describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook score GB_OLEMACRO_REN_VIR 10 + if (version >= 3.004006) + if (version >= 4.000000) + olemacro_download_marker ((?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)|SysWow.{1,15}\s.{1,5}RETURN|RET.{1,4}URN.{1,25}\.exe) + endif + #NO good reason to add a "cmd.exe" invocation inside an Excel file. + body GB_OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe() + describe GB_OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected + score GB_OLEMACRO_DOWNLOAD_EXE 10 + endif + endif body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password() describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip - score KAM_OLEMACRO_ZIP_PW 1.0 + score KAM_OLEMACRO_ZIP_PW 2.0 body KAM_OLEMACRO_CSV eval:check_olemacro_csv() describe KAM_OLEMACRO_CSV Macro in csv file 
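Review bot: The new `olemacro_download_marker` hard-codes one exact caret placement (`ms\^h\^ta ht\^tps?`), so a macro that writes `m^s^hta` or `h^t^tps` — trivial variations of the same cmd.exe caret-escaping trick — is not matched, and `GB_OLEMACRO_DOWNLOAD_EXE` (score 10) is easy to sidestep. Making each caret optional between letters costs nothing: `olemacro_download_marker ((?:cmd(?:\.exe)?\s*\/c\s*m\^?s\^?h\^?t\^?a\s+h\^?t\^?t\^?p\^?s?:\/\^?\/)|SysWow.{1,15}\s.{1,5}RETURN|RET.{1,4}URN.{1,25}\.exe)`. If this directive replaces rather than extends the plugin's built-in marker list, it is also worth confirming that the default patterns are not being dropped on 4.0 hosts.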
@@ -6246,9 +6461,14 @@ ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro if (version >= 4.000000) if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olemacro_redirect_uri) body OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri() - describe OLEMACRO_URI_TARGET Malicious code inside the Office doc that tries to redirect to an uri + describe OLEMACRO_URI_TARGET Code inside the Office doc that tries to redirect to an uri score OLEMACRO_URI_TARGET 0.001 endif + if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olertfobject) + body OLEMACRO_RTF eval:check_olertfobject() + describe OLEMACRO_RTF Rtf file embedded in an Office document + score OLEMACRO_RTF 0.01 + endif endif endif @@ -6280,11 +6500,11 @@ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL # BTC address present in BTC blacklist # thanks to Henrik Krohns for the regexp - body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?= 3.004003) header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To') describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL) tflags PCCC_HDR_REPLYTO net - score PCCC_HDR_REPLYTO 3.5 + score PCCC_HDR_REPLYTO 7.5 priority PCCC_HDR_REPLYTO -100 # compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender) 
@@ -6334,14 +6554,14 @@ if (version >= 3.004003) header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail') describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL) tflags PCCC_HASHBL_FREEMAIL net - score PCCC_HASHBL_FREEMAIL 3.5 + score PCCC_HASHBL_FREEMAIL 4.5 priority PCCC_HASHBL_FREEMAIL -100 # Email address in X-Sender header found on PCCC HashBL header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all') describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL) tflags PCCC_HASHBL_EMAIL_SEND net - score PCCC_HASHBL_EMAIL_SEND 1.5 + score PCCC_HASHBL_EMAIL_SEND 3.5 priority PCCC_HASHBL_EMAIL_SEND -100 # Email address in X-SRS-Sender header found on PCCC HashBL @@ -6355,7 +6575,7 @@ if (version >= 3.004003) header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5') describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL) tflags PCCC_HASHBL_EMAIL net - score PCCC_HASHBL_EMAIL 1.5 + score PCCC_HASHBL_EMAIL 2.5 priority PCCC_HASHBL_EMAIL -100 # Email address in custom email headers found on PCCC HashBL 
@@ -6512,14 +6732,15 @@ describe KAM_SENDGRID2 Sendgrid being exploited by scammers score KAM_SENDGRID2 2.0 #Political (and T-shirt Spam) -header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing) (t|tee)( |-)?shirt|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon/i +header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing|jesus|202\d) (tee|(t|tee)( |-)?shirt)|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon|support truckers|freedom convoy/i header __KAM_2020_1A From:name =~ /(T|Tee).?shirt|Tee4u/i -body __KAM_2020_2 /(Tee|T)-?shirt|printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon/i + #removing (Tee|T)-?shirt for FPs +body __KAM_2020_2 /printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon|blood of jesus|support truckers|freedom convoy/i tflags __KAM_2020_2 nosubject uri __KAM_GOOGLE_FORM /docs\.google\.com\/form/i -meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + __KAM_GOOGLE_FORM + FREEMAIL_FROM >= 3) +meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + (__KAM_GOOGLE_FORM + KAM_SHORT >= 1) + FREEMAIL_FROM >= 3) describe KAM_2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com score KAM_2020 7.0 
@@ -6546,6 +6767,11 @@ uri KAM_STORAGE_GOOGLE /storage.googleapis.com|\.web.app\//i
 describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
 score KAM_STORAGE_GOOGLE 2.25
+uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i
+describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud
+score GB_URI_FLEEK_STO_HTM 4.25
+tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5
+
 #Spam Du Jour
 header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
@@ -6617,13 +6843,17 @@ tflags __KAM_VM3 nosubject
 body __KAM_VM4 /recorded voice|audio message|Caller.?id|CID:|mailbox \d|sign document|new vm on/i
 tflags __KAM_VM4 nosubject
 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-mimeheader __KAM_VM5 Content-Type =~ /.html?\"?$/i
+mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?$/i
 endif
 meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 3)
 score KAM_VM 5.5
 describe KAM_VM Voice Mail & Fax Scams
+meta KAM_VM_HTML (KAM_VM + __KAM_VM5 >= 2)
+describe KAM_VM_HTML Likely Phish for VM
+score KAM_VM_HTML 3.0
+
 #Admin Notice Fraud
 header __KAM_ADMIN1 From =~ /admin/i
 header __KAM_ADMIN2 Subject =~ /For /i
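Review bot: `tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5` together with `score GB_URI_FLEEK_STO_HTM 4.25` lets one message accumulate up to 21.25 points from this URI rule alone; if that is intended, say so in a comment, otherwise drop `multiple` or lower the per-hit score. The pattern `m,^https?://storageapi\.fleek\.co/.*\.html?,i` has no end anchor, so `.htm` matched anywhere mid-path counts; `\.html?(\?|#|$)` would tie it to the end of the path. In the second hunk, `KAM_VM_HTML` adds 3.0 on top of `KAM_VM` (5.5) whenever `__KAM_VM5` also hit, so the two always stack; noting that in its `describe` would make score reports easier to read.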
@@ -6638,13 +6868,16 @@ score KAM_ADMIN 9.0 #BENEFICIARY replace_rules __KAM_BENEFICIARY2 -header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i +header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|\bcc\b|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i #what body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i tflags __KAM_BENEFICIARY2 nosubject #bus body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your 
check|invest(ment)? in your country|abandoned shipment/i +#bus fp +body __KAM_BENEFICIARY3A /ELECTRONIC TICKET RECeipt/i + #where body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general|your country/i #how much 
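Review bot: `body __KAM_BENEFICIARY3A /ELECTRONIC TICKET RECeipt/i` is an FP suppressor keyed on body text alone, and it is used as a negative term in the `KAM_BENEFICIARY` metas in the next hunk, so a single occurrence of that phrase switches the whole rule family off for the message. Anchoring the exclusion to something structural (a ticketing sender domain in `From:addr`, or the itinerary's Content-Type) would make it harder to satisfy by accident. The mixed case in `RECeipt` is inert under `/i` but reads like a typo, so `ELECTRONIC TICKET RECEIPT` is clearer, and the bare `#bus fp` label would benefit from a one-line note on which false positive it addresses.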
@@ -6652,11 +6885,11 @@ body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity or #sob body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete|Diplomat from|seized all my/i -meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6) +meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6) && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0) describe KAM_BENEFICIARY Beneficiary scams score KAM_BENEFICIARY 10.5 -meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1 +meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1 && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0) describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence) score KAM_BENEFICIARYLOW 6.0 
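Review bot: The new exclusion `&& (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)` is pasted into both `KAM_BENEFICIARY` and `KAM_BENEFICIARYLOW`; a shared `meta __KAM_BENEFICIARY_FP (__KAM_BENEFICIARY3A + EXTRACTTEXT >= 1)` referenced as `&& !__KAM_BENEFICIARY_FP` in both keeps the two from drifting apart. `EXTRACTTEXT` is not defined in this hunk; if it comes from an `ifplugin Mail::SpamAssassin::Plugin::ExtractText` block elsewhere, its absence leaves an undefined dependency in two high-scoring metas (10.5 and 6.0), which is worth a comment at the definition. If `EXTRACTTEXT` fires whenever text was pulled from an attachment, this term also exempts every message with an extracted attachment from the beneficiary rules, which is the opposite of the usual treatment of attached documents and deserves an explicit comment if intended.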
@@ -6684,19 +6917,6 @@ header __KAM_DIDYOUSUBJ Subject =~ /Did you (receive it|get my message)/i
 body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
 tflags __KAM_DIDYOUBODY nosubject
-#Nothing but sig
-#body __KAM_SIGONLY1 /^.{0,10}--\b/im
-#tflags __KAM_SIGONLY1 nosubject
-#
-#meta KAM_SIGONLY (__KAM_SIGONLY1 >= 2)
-#score KAM_SIGONLY 1.5
-#describe KAM_SIGONLY Messages is (mostly) just a signature
-#
-##SigOnly spam
-#meta KAM_SIGONLY2 (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
-#score KAM_SIGONLY2 1.5
-#describe KAM_SIGONLY2 Junk Messages using (mostly) just a signature
-
 #Blank Subject
 header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
 describe KAM_BLANKSUBJECT Message has a blank Subject
@@ -6716,17 +6936,17 @@ score KAM_JOB2 7.5
 #WEB
 #subject
-header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|work)|crazy offer|cRM solution/i
+header __KAM_WEB2_1 Subject =~ /follow|next step|website (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress/i
 #price - purposefully looks at subject too
-body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design/i
+body __KAM_WEB2_2 /affordable (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)/i
 #product
 body __KAM_WEB2_3 /web (design|develop)|(better|new|refreshed) website|website audit|fresh look/i
 tflags __KAM_WEB2_3 nosubject
 #sample/offer
-body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|your requirements/i
+body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements/i
 tflags __KAM_WEB2_4 nosubject
 meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
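Review bot: `CMS` in the new `__KAM_WEB2_1` Subject pattern has no word boundary, so under `/i` it also fires on that letter run inside longer words; `\bCMS\b` keeps the intent. `worrdpress` on the same line is presumably a deliberate misspelling matching a spam template rather than a typo, and a short `# sic` next to it would stop the next reader from "fixing" it. The first hunk only removes commented-out `KAM_SIGONLY` rules, which is fine since git retains them.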
@@ -6805,30 +7025,49 @@ describe KAM_CELEB Celebrity Health Scams score KAM_CELEB 4.5 #additional Freemail domains -freemail_domains my.com mediacombb.net tutanota.com +freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com #BEAL AND SIMILAR IMPERSONATOR ifplugin Mail::SpamAssassin::Plugin::KAMOnly + + replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})) + + replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3 + #from - header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman|janet smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne/i + header __KAM_BEAL1 From:name =~ //i #in addition to freemail header __KAM_BEAL2 From:addr =~ /\@.+\.rr\.com|\@mail\.ru|\@.*\.cz|\@cox\.net/i #Name - body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. 
)?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne/i + body __KAM_BEAL3 //i + body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+)/i # Task - body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(reply me with|confirm|drop) your cell|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|have a moment|assist me with a task|quick favor|gift cards? 
for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|got a moment/i + # have a moment removed 4/4 + body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|got a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|drop your number|(reply me with|confirm|drop) your cell|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|drop me your personal (cell|phone)|free time for you|you available today/i # question / privacy - body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|as soon as you can|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|personal (email|text phone|cell|number)|drop your number|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby 
store|confirm if you can get it done|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate/i + # as soon as you can removed 4/4 + body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at/i - meta KAM_BEAL (__KAM_BEAL1 + __KAM_BEAL3 >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3) +# oddlang + body __KAM_BEAL6 /sent from my mail/i + + meta KAM_BEAL (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 3) && !EXTRACTTEXT describe KAM_BEAL IMPOSTER! Will the real Slim Shady, please stand up? - score KAM_BEAL 14.0 - subjprefix KAM_BEAL [Imposter] + score KAM_BEAL 16.0 + if can(Mail::SpamAssassin::Conf::feature_subjprefix) + subjprefix KAM_BEAL [Imposter] + endif - meta KAM_BEAL2 (__KAM_BEAL1 + __KAM_BEAL3 >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 >= 2) && (KAM_BEAL <= 0) + meta KAM_BEAL2 (__KAM_BEAL1 + (__KAM_BEAL3 && ! 
__KAM_NOT_BEAL3) >= 1) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 2) && (KAM_BEAL <= 0) && !EXTRACTTEXT describe KAM_BEAL2 IMPOSTER! Will the real Slim Shady, please stand up? - score KAM_BEAL2 10.0 - subjprefix KAM_BEAL2 [Imposter] + score KAM_BEAL2 12.0 + if can(Mail::SpamAssassin::Conf::feature_subjprefix) + subjprefix KAM_BEAL2 [Imposter] + endif + +meta KAM_BEAL3 (__KAM_BEAL1 + __KAM_BEAL3 + FREEMAIL_FROM + KAM_RAPTOR_EXTERNAL >= 4) && ! KAM_BEAL && ! KAM_BEAL2 +describe KAM_BEAL3 Likely Imposter email +score KAM_BEAL3 6.0 #EXTERNAL SENDER header KAM_RAPTOR_EXTERNAL X-Raptor-External =~ /Yes/i 
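Review bot: `meta KAM_BEAL3 (__KAM_BEAL1 + __KAM_BEAL3 + FREEMAIL_FROM + KAM_RAPTOR_EXTERNAL >= 4) && ! KAM_BEAL && ! KAM_BEAL2` lacks the two guards its siblings in this hunk gained — `! __KAM_NOT_BEAL3` around `__KAM_BEAL3` (apparently meant to ignore quoted `From:`/`To:` header blocks) and the trailing `&& !EXTRACTTEXT` — so a message that `KAM_BEAL` and `KAM_BEAL2` now correctly skip can still score 6.0 here; `(__KAM_BEAL3 && ! __KAM_NOT_BEAL3)` and `&& !EXTRACTTEXT` should be applied to it as well, and it is the only rule in the `ifplugin` block written at column 0. As rendered, `header __KAM_BEAL1 From:name =~ //i` and `body __KAM_BEAL3 //i` are empty patterns that would match every message; if the `<KAM_BEAL_NAMES>` replace tag was merely stripped by the page rendering this is a non-issue, but it merits a `spamassassin --lint` check before deployment, and `__KAM_NOT_BEAL3` is listed in `replace_rules` although its pattern contains no tag. `Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})` in the replace tag spells the accented name as raw UTF-8 byte escapes, which may not match once the body has been decoded to characters (e.g. under `normalize_charset 1`); `C\x{F4}t\x{E9}` or the literal characters would cover both cases.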
@@ -6880,31 +7119,32 @@ describe KAM_FAKEMONEYGRAM Fake Moneygram Phish score KAM_FAKEMONEYGRAM 5.5 -#FAKESHAREPOINT - SEE FAKESHAREPOINT2 for Sexually explicit +#FAKESHAREPOINT - SEE FAKE_SHAREPOINT2 for Sexually explicit header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you/i header __KAM_FAKE_SHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i uri __KAM_FAKE_SHAREPOINT3 /my\.sharepoint\.com/i uri __KAM_FAKE_SHAREPOINT3A /appdomain\.cloud|discordapp\.com|netlify\.app/i -body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap/i +body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap|link will only work/i ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_FAKE_SHAREPOINT5 Content-Type =~ /.html?\"?$/i endif -meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3) +# meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 + KAM_SHORT >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3) +meta KAM_FAKE_SHAREPOINT ( ( __KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + __KAM_FAKE_SHAREPOINT5 >= 2 ) && (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + __KAM_FAKE_SHAREPOINT4 + KAM_STORAGE_GOOGLE + KAM_SHORT >= 2 ) ) describe KAM_FAKE_SHAREPOINT Fake Sharepoint Phish score KAM_FAKE_SHAREPOINT 6.0 #MORE FAKE SHAREPOINT BAD LINKS IN A SHAREPOINT MESSAGE -meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE) >= 3) && !KAM_FAKE_SHAREPOINT +meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + KAM_SHORT) >= 3) && !KAM_FAKE_SHAREPOINT describe KAM_FAKE_SHAREPOINTLINK Fake 
Sharepoint Link Phish score KAM_FAKE_SHAREPOINTLINK 4.5 #ENCRYPTED ZIP -body __KAM_BADZIP1 /attached (to email|document)|take a look/i -body __KAM_BADZIP2 /Encrypted zip/i +body __KAM_BADZIP1 /attached (to email|document)|take a look|send this fax/i +body __KAM_BADZIP2 /Encrypted zip|File password/i uri __KAM_BADZIP2A /drive.google.com.*export=download/i -body __KAM_BADZIP3 /(order|urgent|report|dialogue)/i +body __KAM_BADZIP3 /(order|urgent|report|dialogue|reminder)/i body __KAM_BADZIP4 /password:/i meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4) @@ -6967,7 +7207,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif #IMAGE ONLY -meta KAM_IMAGEONLY (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2) +meta KAM_IMAGEONLY ((T_PDS_OTHER_BAD_TLD + PDS_OTHER_BAD_TLD >= 1) + HTML_IMAGE_ONLY_08 >= 2) describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image score KAM_IMAGEONLY 0.75 @@ -7113,11 +7353,13 @@ score KAM_FAKE_REGISTRY 5.0 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i endif -body __KAM_FAKE_FAX2 /incoming fax|fax received/i -header __KAM_FAKE_FAX3 Subject =~ /Fax/i -body __KAM_FAKE_FAX4 /invoice/i +body __KAM_FAKE_FAX2 /(new|incoming) fax|fax received/i +header __KAM_FAKE_FAX3 Subject =~ /Fax|new (message|document)/i +body __KAM_FAKE_FAX4 /invoice|xerox scanner|recipient view only|click below to view your fax|refer to attachment/i +tflags __KAM_FAKE_FAX4 nosubject +uri __KAM_FAKE_FAX5 /\/s3\.|quarantine|myqcloud/i -meta KAM_FAKE_FAX (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4) +meta KAM_FAKE_FAX ((T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX5 >= 1) + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4) describe KAM_FAKE_FAX Fake Fax Scam score KAM_FAKE_FAX 8.0 
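Review bot: The rewritten `meta KAM_FAKE_SHAREPOINT` is preceded by a commented-out variant of the previous expression (`# meta KAM_FAKE_SHAREPOINT (...)`); since the old form is in history, either remove that line or turn it into the reason for the new 2-of-3 sender / 2-of-5 link structure, e.g. `# <reason for the 2-of-3 && 2-of-5 split, date>`. `__KAM_FAKE_SHAREPOINT5` is still referenced outside its `ifplugin Mail::SpamAssassin::Plugin::MIMEHeader` guard, so without that plugin the sender group can only reach 2 through `__KAM_FAKE_SHAREPOINT1` and `__KAM_FAKE_SHAREPOINT2`, which is worth stating next to the meta. This hunk begins on the previous physical line.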
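Review bot: `uri __KAM_FAKE_FAX5 /\/s3\.|quarantine|myqcloud/i` is placed in the same `>= 1` group as `T_HTML_ATTACH` and `__KAM_FAKE_FAX1`, so a message with no HTML attachment at all can now reach `KAM_FAKE_FAX` (score 8.0) on the strength of one link whose URI contains `quarantine` (mail-filter digest and release links commonly do) or any `s3.` object-store host; narrowing to the hosts actually observed, or requiring the term in the hostname rather than anywhere in the URI (`^https?://[^/]*quarantine`), would keep the intent. `__KAM_FAKE_FAX3 Subject =~ /Fax|new (message|document)/i` now also treats `new message` as a fax signal, overlapping the voice-mail family above; fine if intended, but a comment would help. In the `KAM_IMAGEONLY` hunk, `(T_PDS_OTHER_BAD_TLD + PDS_OTHER_BAD_TLD >= 1)` correctly covers both spellings, though the `T_` name marks a test rule that may vanish from the stock ruleset.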
@@ -7128,12 +7370,18 @@ meta KAM_FAKE_TRUST (__KAM_FAKE_TRUST1 >= 1 )
 describe KAM_FAKE_TRUST Scams about trusted sources
 score KAM_FAKE_TRUST 3.5
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ #SHTML ATTACHMENT ADD TO T_HTML_ATTACH! - 2022-01-14
+ mimeheader __KAM_SHTML_ATTACH Content-Type =~ /\b(application\/octet-string|text\/html)\b.+\.shtml?\b/i
+endif
+
+
 #FAKE INVOICE
-header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) advice|past.?due|purchase order|EFT payment/i
-body __KAM_FAKE_INVOICE2 /(remittance|Payment) advice|past due invoice|new proforma/i
+header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) (receipt|advice)|past.?due|purchase order|(ACH|EFT) (remittance|payment)|invoice copy|swift confirmation|overdue invoice|attached receipt|payment confirmation/i
+body __KAM_FAKE_INVOICE2 /(remittance|Payment) (advice|confirmation|breakdown)|past due invoice|new pro.?forma|attached|balance paid|proforma invoice/i
 tflags __KAM_FAKE_INVOICE2 nosubject
-meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
+meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + __KAM_SHTML_ATTACH + KAM_RAPTOR_ALTERED + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
 describe KAM_FAKE_INVOICE Fake Invoice / Purchase Order Scam
 score KAM_FAKE_INVOICE 6.4
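Review bot: `mimeheader __KAM_SHTML_ATTACH Content-Type =~ /\b(application\/octet-string|text\/html)\b.+\.shtml?\b/i` spells the MIME type `application/octet-string`; the registered type is `application/octet-stream`, so unless the misspelling is a deliberate fingerprint of a spam kit, the first alternative never matches a normally-labelled attachment and `application\/octet-stream` is what is meant. In `__KAM_FAKE_INVOICE2` the bare alternative `attached` is present in nearly every mail that carries an attachment, so for that population the three-part `KAM_FAKE_INVOICE` meta collapses to two signals; `attached (invoice|receipt|statement)` would keep the selectivity. The `#SHTML ATTACHMENT ADD TO T_HTML_ATTACH! - 2022-01-14` line reads as an open TODO against the stock rules; a pointer to where that change is tracked would help the next maintainer.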
@@ -7153,15 +7401,15 @@ describe KAM_BAD_LINK Potentially dangerous link in email
 score KAM_BAD_LINK 10.0
 #BAD CITIZENS
-header __KAM_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
-body __KAM_CITIZEN2 /Important (message|Notice) From Citizens/i
-uri __KAM_CITIZEN3 /phpmailer|wp-admin|.well-known/i
-header __KAM_CITIZEN4 From:name =~ /Citizens ?Bank/i
-header __KAM_CITIZEN5 From:addr !~ /citizen/i
+header __KAM_FAKE_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
+body __KAM_FAKE_CITIZEN2 /Important (message|Notice) From Citizens/i
+uri __KAM_FAKE_CITIZEN3 /phpmailer|wp-admin|.well-known/i
+header __KAM_FAKE_CITIZEN4 From:name =~ /Citizens ?Bank/i
+header __KAM_FAKE_CITIZEN5 From:addr !~ /citizen/i
-meta KAM_CITIZEN (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
-describe KAM_CITIZEN Fake Bank Alert Scam
-score KAM_CITIZEN 7.5
+meta KAM_FAKE_CITIZEN (__KAM_FAKE_CITIZEN1 + __KAM_FAKE_CITIZEN2 + (KAM_SHORT + __KAM_FAKE_CITIZEN3 >= 1) + __KAM_FAKE_CITIZEN4 + (__KAM_FAKE_CITIZEN5 + SPF_FAIL >= 1) >= 5)
+describe KAM_FAKE_CITIZEN Fake Bank Alert Scam
+score KAM_FAKE_CITIZEN 7.5
 #BAD PRODUCTS
 header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger|(explosive|increase) size|ACs|Wifi Booster|anti.?snore|visceral fat|solar ?bright|mini a\/?c|portable (cooler|air.?condition)|keep cool|wife.caught|banned technique/i
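Review bot: The `__KAM_CITIZEN*` rules are rewritten wholesale under their new `__KAM_FAKE_CITIZEN*` names, which makes this the natural moment to escape the dot in `uri __KAM_FAKE_CITIZEN3 /phpmailer|wp-admin|.well-known/i` (`\.well-known`), since the unescaped `.` lets any character precede `well-known`. `describe KAM_FAKE_CITIZEN Fake Bank Alert Scam` is now hard to tell apart from `KAM_FAKE_CHASE`'s `Fake Bank Notice` in reports; `Fake Citizens Bank Alert Scam` would name the impersonated brand as the rule names already do.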
@@ -7195,56 +7443,59 @@ describe KAM_INQUIRY Product Inquiry Scams score KAM_INQUIRY 7.0 #FROM NAME SPAM -header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com/i +header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com|professionalwhosiswho\.com/i meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1) describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy score KAM_FROM_NAME_FAKERBL 6.0 #FAKE NORTON -replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON4 +replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON3 __KAM_FAKE_NORTON4 #subj -header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice) ?(\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|rder d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated/i -header __KAM_FAKE_NORTON1A To =~ /norton/i -header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|renew|no.?reply/i -#Fuzz -body __KAM_FAKE_NORTON2 /NRTN(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|NrtN.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro 
(net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions/mi +header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renewal service \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|rder d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan activated|protection alert/i +header __KAM_FAKE_NORTON1A To =~ /norton|billing\@geeksquad/i +header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt/i +#Fuzzy Prod +body __KAM_FAKE_NORTON2 /NRTN(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|NrtN.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 
360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G.?squad security|(symantec|mcafee|norton|geek).{0,3}total protection|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|Gk\s+squd|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)/mi #Oddlang -body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this) subscription|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line/i +body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C 
statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|discunt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk/i tflags __KAM_FAKE_NORTON3 nosubject #Order -body __KAM_FAKE_NORTON4 /Auto(matic)?-?.?-?(debit|renew)|Updated to premium|order is paced|0rder|renewal|successfully (placed|renewed)|annual charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services/i +body __KAM_FAKE_NORTON4 /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is paced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear/i tflags __KAM_FAKE_NORTON4 nosubject -meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 4) -describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad Renewal Notices +meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + 
FREEMAIL_FROM >= 4) && __KAM_FAKE_NORTON2 +describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices score KAM_FAKE_NORTON 8.0 -meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 3) && !KAM_FAKE_NORTON -describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad Renewal Notices (Lower Confidence) +meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 3) && !KAM_FAKE_NORTON && __KAM_FAKE_NORTON2 +describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices (Lower Confidence) score KAM_FAKE_NORTONLOW 6.5 -#FAKE BANK -header __KAM_FAKE_BANK1 Subject =~ /unusual activit|security/i -body __KAM_FAKE_BANK2 /chase online/i -body __KAM_FAKE_BANK3 /Fraud Protection|unusual activity/i -header __KAM_FAKE_BANK4 From:name =~ /chase online/i -header __KAM_FAKE_BANK5 From:addr !~ /chase/i +#FAKE CHASE BANK +header __KAM_FAKE_CHASE1 Subject =~ /unusual activit|security/i +body __KAM_FAKE_CHASE2 /chase online/i +body __KAM_FAKE_CHASE3 /Fraud Protection|unusual activity/i +header __KAM_FAKE_CHASE4 From:name =~ /chase online/i +header __KAM_FAKE_CHASE5 From:addr !~ /chase/i -meta KAM_FAKE_BANK (__KAM_FAKE_BANK1 + __KAM_FAKE_BANK2 + __KAM_FAKE_BANK3 + __KAM_FAKE_BANK4 + __KAM_FAKE_BANK5 >= 5) -describe KAM_FAKE_BANK Fake Bank Notice -score KAM_FAKE_BANK 4.5 +meta KAM_FAKE_CHASE (__KAM_FAKE_CHASE1 + __KAM_FAKE_CHASE2 + __KAM_FAKE_CHASE3 + __KAM_FAKE_CHASE4 + __KAM_FAKE_CHASE5 >= 5) +describe KAM_FAKE_CHASE Fake Bank Notice +score KAM_FAKE_CHASE 4.5 #FAKE CANADA POST -body __KAM_FAKE_CAN_POST1 /package is on hold/i -body __KAM_FAKE_CAN_POST2 /CANADAPOST/i -body __KAM_FAKE_CAN_POST3 /require additional details/i -body __KAM_FAKE_CAN_POST4 /redelivery/i 
-header __KAM_FAKE_CAN_POST5 From:addr !~ /\.ca$/i -header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post/i +replace_rules __KAM_FAKE_CAN_POST2 -meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + __KAM_FAKE_CAN_POST6 >= 6) +body __KAM_FAKE_CAN_POST1 /package is (waiting|on hold)/i +body __KAM_FAKE_CAN_POST2 /nd.{0,2}st/i +body __KAM_FAKE_CAN_POST3 /require additional details|online verification/i +body __KAM_FAKE_CAN_POST4 /redelivery|confirm the payment/i +header __KAM_FAKE_CAN_POST5 From:addr !~ /\.ca$/i +header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post|Postes.?Canada/i +header __KAM_FAKE_CAN_POST6B From:addr =~ /shipping/i + +meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + (__KAM_FAKE_CAN_POST6 + __KAM_FAKE_CAN_POST6B >= 1) >= 6) describe KAM_FAKE_CAN_POST Fake Canada Post Scam score KAM_FAKE_CAN_POST 9.0 
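Review bot: In the new `meta KAM_FAKE_NORTON` and `KAM_FAKE_NORTONLOW`, `FREEMAIL_FROM` appears both inside the `(__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1)` group and again as a separate summand, so a freemail sender alone contributes two of the four (three for LOW) required points; if the intent is only to let freemail stand in for the To/From match, drop the outer `+ FREEMAIL_FROM`, otherwise document the deliberate double weight. `body __KAM_FAKE_CAN_POST2 /nd.{0,2}st/i` as rendered matches fragments such as `and st` in ordinary prose; because the rule is listed in `replace_rules`, a replace tag was probably lost in page rendering, but the committed pattern should be confirmed. The `&& __KAM_FAKE_NORTON2` guard added to both metas is a good FP control and deserves a one-line comment saying a product name is now mandatory. This hunk begins several physical lines earlier.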
@@ -7361,8 +7612,8 @@ score KAM_DOMAINBROKER 4.5
 
 #FAKE SHAREPOINT 2 - Sexually explicit
 header __KAM_FAKE_SHAREPOINT2_1 From:addr =~ /no\-reply\@sharepointonline\.com|sex|69/i
-header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y/i
-body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner/i
+header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y|see my nu(t|d)e|Video.M(a|e)ssage|bang.?meetup|private massage|confirm your e.?mail|tiktok for sex/i
+body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner|lonely mom|adults? classified|screw many girls|bang.?meetup|(chat|meet) for sex/i
 tflags __KAM_FAKE_SHAREPOINT2_3 nosubject
 
 meta KAM_FAKE_SHAREPOINT2 (__KAM_FAKE_SHAREPOINT2_1 + __KAM_FAKE_SHAREPOINT2_2 + __KAM_FAKE_SHAREPOINT2_3 >= 3)
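Review bot: The `confirm your e.?mail` alternation added to `__KAM_FAKE_SHAREPOINT2_2` is a routine account-verification subject, and the two sub-rules it is summed with already accept very generic input (`69` anywhere in From:addr in `__KAM_FAKE_SHAREPOINT2_1`, `hi there` in the body rule `__KAM_FAKE_SHAREPOINT2_3`), so a benign "Please confirm your e-mail" sent from an address containing 69 whose body opens with "Hi there" now satisfies the meta's `>= 3` and is classified as sexually explicit. `Video.M(a|e)ssage` has the same problem: it is not explicit on its own and is common in meeting and voicemail notifications. I would keep the non-explicit phrases out of this rule, or put them in a sub-rule that cannot complete the meta without the `sharepointonline` literal, e.g. `header __KAM_FAKE_SHAREPOINT2_2B Subject =~ /confirm your e.?mail|Video.M(a|e)ssage/i` summed only with a hit on `no\-reply\@sharepointonline\.com`. The score line for KAM_FAKE_SHAREPOINT2 is outside this hunk.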
@@ -7386,13 +7637,13 @@ describe KAM_DRONE Drone Spam Du Jour
 score KAM_DRONE 7.5
 
 #FAKE PAYPAL
-header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl/i
-header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification/i
+header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl|receipt|reciept|help.?desk/i
+header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification|0rder|\$\d\d\d\.\d\d charged|payment info|subscription|paid the invoice/i
 body __KAM_FAKE_PAYPAL3 /paypal/i
 tflags __KAM_FAKE_PAYPAL3 nosubject
-body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|not made this purchase|contact us immediately|trust & safety|not authorized/i
-body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited/i
-body __KAM_FAKE_PAYPAL6 /help by phone|call paypal team|paypal fraud dep/i
+body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|(haven'?t|not) made this purchase|contact us immediately|trust & safety|not authorized|file an issue|cancellation|to cancel/i
+body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited|paid instantly|credit wallet balance/i
+body __KAM_FAKE_PAYPAL6 /help by phone|call paypal ?(usa|team)|paypal fraud dep|paypal support immediately|before dispatch|paypal consumer credit/i
 
 meta KAM_FAKE_PAYPAL (__KAM_FAKE_PAYPAL1 + __KAM_FAKE_PAYPAL2 + __KAM_FAKE_PAYPAL3 + __KAM_FAKE_PAYPAL4 + __KAM_FAKE_PAYPAL5 + FREEMAIL_FROM + __KAM_FAKE_PAYPAL6 >= 5)
 describe KAM_FAKE_PAYPAL Fake PayPal Message
@@ -7410,6 +7661,11 @@ uri GB_G_FEEDPROXY /https?\:\/\/feedproxy\.google\.com\/~r\
 describe GB_G_FEEDPROXY Google Feed Proxy Abuse
 score GB_G_FEEDPROXY 2.5
 
+#b-cdn abuse
+uri GB_PULLZONE_B_CDN /https?\:\/\/pullzone-v[0-9]\.b\-cdn\.net/
+describe GB_PULLZONE_B_CDN B-Cdn abuse
+score GB_PULLZONE_B_CDN 3.0
+
 #DISCORD ABUSE
 uri __KAM_DISCORDCDN1 /cdn\.discordapp\.com\/attachment/i
 header __KAM_DISCORDCDN2 From:addr !~ /\@discord\.com/i
@@ -7436,9 +7692,9 @@ score KAM_PAYROLL 6.0
 
 #FAKE ZIX
 header __KAM_FAKE_ZIX1 From:addr !~ /zixmessagecenter.com/i
-header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message/i
-body __KAM_FAKE_ZIX3 /security system/i
-uri __KAM_FAKE_ZIX4 /dynamics\.com/i
+header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message|remittance advice/i
+body __KAM_FAKE_ZIX3 /security system|view document/i
+uri __KAM_FAKE_ZIX4 /dynamics\.com|\.html?/i
 
 meta KAM_FAKE_ZIX ( __KAM_FAKE_ZIX1 + __KAM_FAKE_ZIX2 + __KAM_FAKE_ZIX3 + __KAM_FAKE_ZIX4 >=4)
 describe KAM_FAKE_ZIX Fake Zix Email
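Review bot: `__KAM_FAKE_PAYPAL2` and `__KAM_FAKE_PAYPAL4` now accept wording that genuine PayPal mail uses (`subscription`, `payment info`, `to cancel`, `cancellation`), yet the `KAM_FAKE_PAYPAL` meta in this hunk still has no exclusion for authenticated mail from paypal.com: a real subscription receipt with "PayPal" in From:name, "subscription" in the subject, "paypal" and "to cancel" in the body and "charge will appear" reaches `>= 5` with no FREEMAIL_FROM contribution at all. Unless such an exclusion exists elsewhere in the file, I would add `header __KAM_FAKE_PAYPAL_AUTH From:addr =~ /\@(\w+\.)?paypal\.com$/i` and gate the meta with `&& !(__KAM_FAKE_PAYPAL_AUTH && DKIM_VALID_AU)` (the stock DKIM rule, when that plugin is loaded), so only the forged-sender path keeps the score. The score line for KAM_FAKE_PAYPAL is outside this hunk.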
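Review bot: `GB_PULLZONE_B_CDN` accepts only a single-digit zone (`pullzone-v[0-9]\.`), so `pullzone-v10.b-cdn.net` and every later zone is missed and the abuser only needs to rotate to a two-digit pull zone; `\d+` closes that at no cost. The `\:` and `\-` escapes are unnecessary and read differently from the sibling `__KAM_DISCORDCDN1`, and this is the one uri rule in the hunk without `/i` (worth adding unless the URI extractor is known to lower-case hosts already). One line covers all three: `uri GB_PULLZONE_B_CDN /https?:\/\/pullzone-v\d+\.b-cdn\.net\b/i`.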
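Review bot: After this change none of the four sub-rules summed in `KAM_FAKE_ZIX` requires the word Zix anywhere: `__KAM_FAKE_ZIX1` is true for every sender other than zixmessagecenter.com, and the widened `remittance advice`, `view document` and `\.html?` alternations are ordinary B2B-mail content, so a legitimate remittance advice with a "View document" link to any `.htm`/`.html` URL now scores as a fake Zix notice (its score line is outside the hunk). The `\.html?` fragment is also unanchored and fires on `.html` in the middle of a path or query string. I would keep a Zix anchor in the meta, e.g. add `body __KAM_FAKE_ZIX5 /\bzix\b/i` and require it with `+ __KAM_FAKE_ZIX5 >= 5`, and tighten the extension to `\.s?html?(\?|#|$)`.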
@@ -7640,10 +7896,767 @@ describe KAM_PEAK Finance Spammer score KAM_PEAK 7.0 #FROM PRODUCT SPAMs -header KAM_FROM_SPAM From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats/i +header __KAM_FROM_SPAM_NOV21 From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats|Grease.?Your.?Knee|late.?night.?peeing|Landscaping.?Ideas|hot.?new.?gadget|Tetrus.?LED.?Lighting|Weedkiller.?Injury|Compressa.?Relief|Shed.?Building.?Guide|plans?.?for.?shed|increase.?size|herpes.?cure|Human.?reproductive.?system|body.?shaper|ear.?wax.?remover|vital.?flow|curious.?finds|get.?skinny.?chocolate|Home.?Depot.?Shopper.?Feedback|modern.?woman|EU.?Business.?Register|comfy.?shoes/i +header __KAM_FROM_SPAM_DEC21 From =~ /Heater.?Pro.?X|Neck.?Massager|Cinna.?Chroma|Sibgazinvest|Striction.?Blood|blood.?pressure.?warning|stamina.?pro|Smart.?Holder.?Pro|Smart.?phone.?Gloves|WiFi.?Ultraboost|HD.?telescope|Doctor.?Holmes\'s.?co.?op|variety.?store.?kerry|Suzi\'s.?potion|Antiseptic.?cathy|flat.?tummy.?recipe|bye.?big.?tummy|Skincell.?2|nail.?dry.?pro|muscle.?relax.?pro|easy.?slippers/i + +header __KAM_FROM_SPAM_JAN22 From =~ 
/Puppy.?Pet.?Ball|ultimate.?keto.?meal|steel.?bite.?pro|he?rpa.?greens|HAIR.?REVITAL|peak.?biome|energy.?cube.?system|perfect.?flush|make.?money.?online|Stops?.?Herpes|blood.?pressure.?911|Fat.?Burning|Personal.?power.?plant|sqribblee.?book.?creator|special.?launch.?price|ringing.?ears|fading.?memory|big.?stomach|apple.?cider.?vinegar|glucofort|do.?this.?at.?breakfast|immune.?defense|sonus.?complete.?basic|introducing.?exi.?pure|blood.?sugar.?defense|shed.?plan|obsession.?method|5g.?male|cold.?war.?generator|tinnitus.?(terminator|guard)|keto.?advantage|senior.?saving.?club|exipure|gold.?plated.?coin|trump.?coin|Prostate.?relief|acida.?burn|back.?pain|fungus.?treat|herpa.?green|neck.?massage|Silencil|\@advid|kishor.?exports|fatty.?liver|gluca.?fix|reservation.?diet|high.?blood.?pressure|energy.?bill.?crunch|muscle.?care|fast charger pro|Tv.?Share.?Max|bar.?x.?health|canad(a|ian).?drug.?store|Duramax.?Fence|vid.?toon|online.?pharmacy|viagra.?shop|circa.?knee|Shoppers.?Drug.?Mart|royal.?numerology/i + +header __KAM_FROM_SPAM_FEB22 From =~ /Swag.?Envy|Turn.?Text.?to.?speech|cart.?bloom|Pierre.?Omidyar|copper.?zen.?socks|Muama.?Ryoko|Mindinsole|clipper.?pro|nerve.?control|arthritis.?relief|sleep.?connection|lose.?it.?now|Pioneer.?Travels|bathroom.?remodel/i + +header __KAM_FROM_SPAM_FEB22_TLD From =~ /solar.?panels/i + +header __KAM_FROM_SPAM_MAR22 From =~ /Whos.?who|ray.?ban|simple.?home.?quotes|laundry.?masher|embarr?ass?ing.?toe|miracle.?sheets|nail.?fungus|Smartcam|tactical.?drone|owl.?vision|hulk.?heater|wifi.?repeater|gluco.?flow.?supplement|blood.?sugar.?blaster|dr\..?phil.?news|Muama.?Ryok|usmile.?pro|power.?pod|never.?snore|snore.?stop|(^|\")usmile|bye.?bye.?fat|chemist.?s.?shop|married.?women|potent.?CBD|diabetes.?gone|US.?concealed.?online|gift.?card.?chance|cardio.?clear|one.?monthly.?fee|online.?learn.?piano|coffee.?secret|shark.?tank.?keto|rots.?your.?teeth|stronger.?vision|Norton.?Lifelock|instant.?translator/i + +header __KAM_FROM_SPAM_APR22 From =~ 
/snoring.?fix|automix|circa.?knee|zoomshot.?pro|Instant.?translator|prostate.?health|stay.?dry.?202|battery.?vault|goodbye.?diabetes|bad eyes|createxdigital|\@.{0,8}advids\.|\@deszy|\@devacc\./i + +header __KAM_FROM_SPAM_MAY22 From =~ /butter.?on.?toast|exobone|sharp.?ear|news.?reward.?exclusive|AirBuds|earbuds|Massage.?gun|directaxis|sanlamfinance|grants.?for.?homeowner|manchester.?collection|Power.?drill.?(confirmation|surprise)|gift.?card.?shipment|fast.?keto.?diet|(energy|bill).?cruncher|fun.?drops.?cbd|easy.?warm.?floor|home.?loan.?analyst.?offer/i + +header __KAM_FROM_SPAM_JUN22 From =~ /Finance.?the.?big.?lie|cbd.?gumm|vet.?savings|Keto.?maxx|unbreakable.?brain|brain.?blueprint|just.?gi[zs]mo|ice.?house.?portable|portable.?ac|single.?flirt|painful.?knees|russian?.?(babe|bride)|eyesight.?max|blood.?sugar.?formula|brain.?fix|FOLIFORT|PROCompression.?special|por?table.?oxygen|Special.?Oil|Syno.?gut|blissy.?offer|WarHawk.?Binoculars|keto.?diet|match.?seniors|no.?more.?pin.?pricks|Doctors?.?shock|20.?20.?Vision|Windows.?Defender.?Order|fat.?burner/i + +header __KAM_FROM_SPAM_JUL22 From =~ /Horrific.?Back|fat.?reducer|smart.?watch|chill.?well|blurred.?vision|Family.?savings|Revifol\.com|Fluxactive|eye.?herb|eco.?chip|Lumbar.?Correct|Air.?Flops|Getinstahard\.com|neurodrine|air.?cooly|Bladder.?relief|Doctor.?Inflammation|Shrink.?your.?prostate|RetailMarketingPro|back.?to.?life/i + +header __KAM_FROM_SPAM_AUG22 From =~ 
/a1c.?fix|LeafProtect\.com|ServicePlus\.Home|Golden.?fx|Arcti.?FREEZE|RensaClub\.com|\@advid\-|nail.?infection|pain.?relief.?sock|leaf.?filter|toxic.?foot|nails.?fungus|cat.?spraying|big.?pharma|vision.?enhancing|battery.?recondition|injecting.?fat|mosquito.?light|black.?surge|tinnitus.?911|sugar.?balance|cardio.?clear|compression.?sock|balanced.?blood|Sqribble|ukraine.?(beauty|bride)|instahard|shop.?icehouse|vital.?flow|Discount.?is.?ready|cinch.?home.?protection|home.?protection.?plan|zander.?term|easy.?canvas.?prints|home.?warranty.?offer|toxic.?water|keto.?202\d|wifi.?booster|restore.?gummies|-advids\.|lost.?superfoods|vantis.?life|roofing.?quote|maasalong|flux.?active|hot.?russian|serious.?daters|anderson.?affiliate|instant.?translator|clipper.?pro|scientific.?nail|6.?secrets|singles.?offer|lower.?my.?bill|SplashWines\.com|leafprotect\.com|columbian.?girl|wifi.?ultraboost|\@clum-?(video|creat)|deadly.?sex|Vita.?Firm/i + +header __KAM_FROM_SPAM_SEP22 From =~ /Select.?Quote.?(offer|affiliate|insurance)|light.?bulb.?camera|pitney.?bowes.?presort|carshield.?quote|neckcool|zinc7|term.?life.?insurance|detox.?shower|protection.?from.?pests|Pest.?defense|Life.?Omic|pipelinersales|\.kalendar/i + +header __KAM_FROM_SPAM_OCT22 From =~ /Barx.?Busy.?Ball|Nationwide.?Home.?protection|Social Diger|Splash Wine|Holiday.?Wallet.?Guru|no.?more.?joint.?pain|poop.?out.?fat/i + +header __KAM_FROM_SPAM_NOV22 From =~ /liveto.?accelerator|tupi.?tea|lT Service Desk|free.?spins?.?Canada|eye.?bag.?cream|amylase.?benefit|bladder.?leak|\@.{0,8}saasee\.|\@saasee|japanese.?delicacy|insure.?my.?car|businesspronews|CFOtrends|COOupdate|\@whizzbridge|phototrakk/i + +meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 >= 
1) describe KAM_FROM_SPAM From Indicates a Product Spam -score KAM_FROM_SPAM 4.0 +score KAM_FROM_SPAM 6.75 + +meta KAM_FROM_SPAM_TLD ( __KAM_FROM_SPAM_FEB22_TLD + KAM_SOMETLD_ARE_BAD_TLD >= 2) +describe KAM_FROM_SPAM_TLD From and TLD Indicates a Product Spam +score KAM_FROM_SPAM_TLD 7.75 + +#EVIL NUMBERS + + #1.?\(?213\)?[-\. ]+?260[-\. ]+?3712 +body __KAM_EVIL_NUMBERS1 /(1.?\(?833\)?[-\. ]?900[-\. ]?0864|1.?\(?818\)?[-\. ]?275[-\. ]?7971|1.?\(?855\)?[-\. ]?357[-\. ]?8754|1.?\(?888\)?[-\. ]?683[-\. ]?2877|1.?\(?800\)?[-\. ]?363[-\. ]?9576|1.?\(?888\)?[-\. ]?501[-\. ]?3532|1.?\(?770\)?[-\. ]?406[-\. ]?6871|1.?\(?213\)?[-\. ]?260[-\. ]?3712|1.?\(?844\)?[-\. ]?984[-\. ]?0636|1.?\(?877\)?[-\. ]?483[-\. ]?0915|1.?\(?845\)?[-\. ]?393[-\. ]?0745|1.?\(?888\)?[-\. ]?505[-\. ]?1735|1.?\(?888\)?[-\. ]+?987[-\. ]+?6497|1.?\(?855\)?[-\. ]+?459[-\. ]+?2056|1.?\(?804\)?[-\. ]+?889[-\. ]+?0912|1.?\(?888\)?[-\. ]+?246[-\. ]+?8525|1.?\(?888\)?[-\. ]+?366[-\. ]+?2749|1.?\(?816\)?[-\. ]+?376[-\. ]+?8830|1.?\(?877\)?[-\. ]+?509[-\. ]+?8177|1.?\(?888\)?[-\. ]+?385[-\. ]+?8394|1.?\(?805\)?[-\. ]+?429[-\. ]+?2880|1.?\(?888\)?[-\. ]+?260[-\. ]+?7583|1.?\(?808\)?[-\. ]+?444[-\. ]+?7474|1.?\(?888\)?[-\. ]+?225[-\. ]+?0087|1.?\(?818\)?[-\. ]+?447[-\. ]+?4686|1.?\(?845\)?[-\. ]+?481[-\. ]+?2002|1.?\(?888\)?[-\. ]+?337[-\. ]+?3512|1.?\(?888\)?[-\. ]+?865[-\. ]+?0443|1.?\(?801\)?[-\. ]+?326[-\. ]+?4945|1.?\(?888\)?[-\. ]+?457[-\. ]+?7953|1.?\(?888\)?[-\. ]+?712[-\. ]+?0714|1.?\(?805\)?[-\. ]+?220[-\. ]+?9060|1.?\(?888\)?[-\. ]+?216[-\. ]+?7674|1.?\(?888\)?[-\. ]+?219[-\. ]+?8757|1.?\(?888\)?[-\. ]+?376[-\. ]+?0079|1.?\(?888\)?[-\. ]+?806[-\. ]+?2548|1.?\(?808\)?[-\. ]+?736[-\. ]+?6567|1.?\(?805\)?[-\. ]+?250[-\. ]+?1682|1.?\(?808\)?[-\. ]+?649[-\. ]+?5251|1.?\(?888\)?[-\. ]+?884[-\. ]+?3596|1.?\(?888\)?[-\. ]+?850[-\. ]+?1879|1.?\(?888\)?[-\. ]+?672[-\. ]+?7156|1.?\(?801\)?[-\. ]+?833[-\. ]+?0315|1.?\(?808\)?[-\. ]+?755[-\. ]+?6084|1.?\(?859\)?[-\. ]+?888[-\. ]+?2341|1.?\(?833\)?[-\. ]+?685[-\. 
]+?4054|1.?\(?888\)?[-\. ]+?394[-\. ]+?0278|1.?\(?888\)?[-\. ]+?992[-\. ]+?1779|1.?\(?888\)?[-\. ]+?399[-\. ]+?0394|1.?\(?888\)?[-\. ]+?982[-\. ]+?7639|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?877\)?[-\. ]+?232[-\. ]+?6467|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?855\)?[-\. ]+?630[-\. ]+?3663|1.?\(?808\)?[-\. ]+?470[-\. ]+?7449|1.?\(?888\)?[-\. ]+?803[-\. ]+?6039|1.?\(?920\)?[-\. ]+?354[-\. ]+?6236|1.?\(?888\)?[-\. ]+?803[-\. ]+?3130|1.?\(?888\)?[-\. ]+?436[-\. ]+?-0785|1.?\(?855\)?[-\. ]+?948[-\. ]+?3820|1.?\(?888\)?[-\. ]+?662[-\. ]+?7908|1.?\(?888\)?[-\. ]+?350[-\. ]+?3529|1.?\(?808\)?[-\. ]+?501[-\. ]+?0625|1.?\(?833\)?[-\. ]+?216[-\. ]+?0511|1.?\(?833\)?[-\. ]+?552[-\. ]+?7144|1.?\(?800\)?[-\. ]+?526[-\. ]+?5742|1.?\(?806\)?[-\. ]+?839[-\. ]+?6096|1.?\(?727\)?[-\. ]+?498[-\. ]+?4899|1.?\(?808\)?[-\. ]+?318[-\. ]+?2838|1.?\(?877\)?[-\. ]+?409[-\. ]+?1087)(\b|$)/i + #WEIRD FORMAT +body __KAM_EVIL_NUMBERS2 /(845)-458-6\.4\.9\.1|850 3285 455|229 5154 934|585 3660 399/i + #WEIRD CHARS +body __KAM_EVIL_NUMBERS3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/i + +meta KAM_EVIL_NUMBERS (__KAM_EVIL_NUMBERS1 + __KAM_EVIL_NUMBERS2 + __KAM_EVIL_NUMBERS3 >= 1) +describe KAM_EVIL_NUMBERS Phone Numbers used by scammers +score KAM_EVIL_NUMBERS 7.0 + +#FAKE PRODUCTS USING SHAREPOINT +body __KAM_FAKE_SHAREPOINT_PRODUCTS1 /bitdefender security cloud/i +body __KAM_FAKE_SHAREPOINT_PRODUCTS2 /renewed/i + +meta KAM_FAKE_SHAREPOINT_PRODUCTS (KAM_FAKE_SHAREPOINT + __KAM_FAKE_SHAREPOINT_PRODUCTS1 + __KAM_FAKE_SHAREPOINT_PRODUCTS2 >= 3) +describe KAM_FAKE_SHAREPOINT_PRODUCTS Spams abusing Sharepoint +score KAM_FAKE_SHAREPOINT_PRODUCTS 3.0 + +#ODDNAME ENGINE + #SIG +body __KAM_ODDNAME_1 /(Respond|Message back|reply).{0,4}(OPT.?OUT|NOT INTERESTED)/i + #HAWK +body __KAM_ODDNAME_2 /we offer|how about a quote|connect for a quote|good time in mind|number to quickly connect|best time to contact|direct line to connect/i + #SUBJ +header __KAM_ODDNAME_3 Subject =~ /best line 
to reach|payroll|leads|call answering|quick minute|talk tomorrow|available today/i + #WHAT +body __KAM_ODDNAME_4 /high.?speed internet|payroll solution|x more visit|inbound call|marketing (division|arm)|reduce its phone/i + +meta KAM_ODDNAME ( __KAM_ODDNAME_1 + __KAM_ODDNAME_2 + __KAM_ODDNAME_3 + __KAM_ODDNAME_4 + FREEMAIL_FROM >= 5 ) +describe KAM_ODDNAME Engine Hawking Products with Odd rotating business names +score KAM_ODDNAME 7.5 + +#FAKE HOLD + #from +header __KAM_FAKE_HOLD1 From:name =~ /TD.?Ameritrade/i + #subj +header __KAM_FAKE_HOLD2 Subject =~ /account is on hold/i + #prob +body __KAM_FAKE_HOLD3 /account has been put on hold/i + #action +body __KAM_FAKE_HOLD4 /verify your identity/i + +meta KAM_FAKE_HOLD ( __KAM_FAKE_HOLD1 + __KAM_FAKE_HOLD2 + __KAM_FAKE_HOLD3 + __KAM_FAKE_HOLD4 + KAM_SHORT >= 5) +describe KAM_FAKE_HOLD Fake Account Hold Scams +score KAM_FAKE_HOLD 7.5 + +#PAYROLL SCANNER +header __KAM_PAYROLL_SCANNER1 From =~ /account/i +header __KAM_PAYROLL_SCANNER2 Subject =~ /payroll/i +body __KAM_PAYROLL_SCANNER3 /e-?mail was sent from \"/i + +meta KAM_PAYROLL_SCANNER ( __KAM_PAYROLL_SCANNER1 + __KAM_PAYROLL_SCANNER2 + __KAM_PAYROLL_SCANNER3 + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_IFRAME >= 5) +describe KAM_PAYROLL_SCANNER Payroll Scam Emails +score KAM_PAYROLL_SCANNER 7.5 + +#KAM_REFRESH + #LIKELY NEED MORE EFFICIENT RAPTOR TAG +rawbody KAM_HTTP_REFRESH /http-equiv=("|')?refresh("|')?/i +describe KAM_HTTP_REFRESH Contains an http refresh +score KAM_HTTP_REFRESH 0.5 + +#BAD HTML MESSAGES +meta KAM_BAD_HTML (KAM_SHORT + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_HTTP_REFRESH + UNWANTED_LANGUAGE_BODY >= 3) +describe KAM_BAD_HTML Email With a likely bad or dangerous html attachment +score KAM_BAD_HTML 6.5 + +#BAD CONTENT-TYPE +ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + mimeheader KAM_BAD_CONTENT Content-Type =~ /image\/png.*\.s?html?"?$/i + describe KAM_BAD_CONTENT Content likely using evasion techniques + score KAM_BAD_CONTENT 6.0 
+endif + +#FAKE MT BANK +header __KAM_FAKE_MT1 Subject =~ /Important Notice from M&T/i +body __KAM_FAKE_MT2 /Important (message|Notice) From /i +tflags __KAM_FAKE_MT2 nosubject +#3 removed - looking at X-PHP-Originating-Script: or something similar - header __X_PHP_EXISTS ALL =~ /^X-PHP-/m +header __KAM_FAKE_MT4 From:name =~ /M&T Bank/i +header __KAM_FAKE_MT5 From:addr !~ /mtb\.com/i + +meta KAM_FAKE_MT (__KAM_FAKE_MT1 + __KAM_FAKE_MT2 + KAM_SHORT + __HAS_PHP_ORIG_SCRIPT + __KAM_FAKE_MT4 + (__KAM_FAKE_MT5 + SPF_FAIL >= 1) >= 5) +describe KAM_FAKE_MT Fake Bank Alert Scam +score KAM_FAKE_MT 7.5 + +#FAKE SHARED DOCUMENT +header __KAM_FAKE_SHARE1 Subject =~ /document shared with you/i +body __KAM_FAKE_SHARE2 /sent you the following/i + +meta KAM_FAKE_SHARE ( __KAM_FAKE_SHARE1 + __KAM_FAKE_SHARE2 + KAM_GOOGLE_REDIR >= 3) +describe KAM_FAKE_SHARE Fake sharing email scam +score KAM_FAKE_SHARE 4.5 + +#BTC SCAM +header __KAM_BTC1 Subject =~ /btc|bitcoin/i +body __KAM_BTC2 /passive income/i +tflags __KAM_BTC2 nosubject + +meta KAM_BTC ( __KAM_BTC2 + __KAM_BTC2 + KAM_GOOGLE_REDIR >= 3) +describe KAM_BTC BTC Investment Scam +score KAM_BTC 8.5 + +#PHOTO PHISH +body __KAM_PHOTOPHISH1 /here are the(se)? 
(pics|pictures|images|photo)|(here is|forwarded|sent) (this|that) (photo|pic)|have a look|send these pics before|photos from last week/i +body __KAM_PHOTOPHISH2 /(guess|not sure if|hope|presume) (it\'s|they\'re|they are) still (appropriate|related|needed|relevant)|still the right time for them|send them to you way sooner|just occurred to me/i +body __KAM_PHOTOPHISH3 /remember the (m[ae]n|wom[ea]n|girls) (in|on) (the|this) (pic|image|photo)|recall the (guys|girls) on the last \d+\s+pictures|assume you know most of these (guys|girls)/i + +meta KAM_PHOTOPHISH (( __KAM_PHOTOPHISH1 + __KAM_PHOTOPHISH2 >= 2) + (__HAS_ANY_URI >= 1) >= 2 ) +describe KAM_PHOTOPHISH Photograph phishing scam +score KAM_PHOTOPHISH 7.0 + +meta KAM_PHOTOPHISHLOW __KAM_PHOTOPHISH3 + __HAS_ANY_URI >= 2 +describe KAM_PHOTOPHISHLOW Photograph phishing scam [lower confidence] +score KAM_PHOTOPHISHLOW 5.0 + +#DIRECT DEPOSIT +body __KAM_DIRECTDEPOSIT1 /payroll|pay account/i +body __KAM_DIRECTDEPOSIT2 /(update|Change) my (pay account|Direct deposit)/i +tflags __KAM_DIRECTDEPOSIT2 nosubject +header __KAM_DIRECTDEPOSIT3 Subject =~/direct deposit change/i + +meta KAM_DIRECTDEPOSIT ( __KAM_DIRECTDEPOSIT1 + __KAM_DIRECTDEPOSIT2 + __KAM_DIRECTDEPOSIT3 + ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1) >= 3) +describe KAM_DIRECTDEPOSIT Direct Deposit Phish +ifplugin Mail::SpamAssassin::Plugin::KAMOnly +if can(Mail::SpamAssassin::Conf::feature_subjprefix) + subjprefix KAM_DIRECTDEPOSIT [Phish] +endif +endif +score KAM_DIRECTDEPOSIT 4.5 + +ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro + #MAL INVOICE + header __KAM_MALINVOICE1 Subject =~ /Tax Invoice/i + body __KAM_MALINVOICE2 /tax invoice/i + tflags __KAM_MALINVOICE2 nosubject + mimeheader __KAM_MALINVOICE3 Content-type =~ /Name=\"?Form.*\.xls\"?$/i + + meta KAM_MALINVOICE ( KAM_OLEMACRO_RENAME + __KAM_MALINVOICE1 + __KAM_MALINVOICE2 + __KAM_MALINVOICE3 >= 4) + describe KAM_MALINVOICE Malicious Invoice with Dangerous Attachment + ifplugin 
Mail::SpamAssassin::Plugin::KAMOnly + if can(Mail::SpamAssassin::Conf::feature_subjprefix) + subjprefix KAM_MALINVOICE [Malware] + endif + endif + score KAM_MALINVOICE 10.0 +endif + +#LEAD SUPPLY +body KAM_LEAD_SUPPLY /The Lead Supply via marketing services from The Email Bureau|The Email Bureau Limited/i +describe KAM_LEAD_SUPPLY Spam from Lead Supply +score KAM_LEAD_SUPPLY 10.0 + +#FAKE LINKEDIN +header __KAM_FAKE_LINKEDIN1 From:name =~ /Linkedin/i +header __KAM_FAKE_LINKEDIN2 From:addr !~ /linkedin\.com$/i +header __KAM_FAKE_LINKEDIN2A From:addr =~ /googleusercontent/i +header __KAM_FAKE_LINKEDIN3 Subject =~ /\d+ searches this week|looking at your profile|found by people|matches this job|have \d+ new message|searching for you/i + +meta KAM_FAKE_LINKEDIN (__KAM_FAKE_LINKEDIN1 + __KAM_FAKE_LINKEDIN2 + __KAM_FAKE_LINKEDIN2A + __KAM_FAKE_LINKEDIN3 >= 3) +describe KAM_FAKE_LINKEDIN Fake LinkedIn messages +score KAM_FAKE_LINKEDIN 4.5 + +#INVALID FROM RULE +header __KAM_GB_INVALID_FROM_NO_DOTS From:addr !~ /\./ +header __KAM_GB_INVALID_FROM_NO_AT From:addr !~ /\@/ + +meta KAM_GB_INVALID_FROM (__KAM_GB_INVALID_FROM_NO_DOTS + __KAM_GB_INVALID_FROM_NO_AT >= 1) && ! 
( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE ) +describe KAM_GB_INVALID_FROM From Address is invalid +score KAM_GB_INVALID_FROM 3.0 + +#FAKE PAYROLL +header __KAM_FAKE_PAYROLL1 Subject =~ /payroll verification/i + #change +body __KAM_FAKE_PAYROLL2 /new payroll directory/i + #oddlang +body __KAM_FAKE_PAYROLL3 /required directive/i + #oddlink +uri __KAM_FAKE_PAYROLL4 /\.boxmode\.io/i + +meta KAM_FAKE_PAYROLL ( __KAM_FAKE_PAYROLL1 + __KAM_FAKE_PAYROLL2 + __KAM_FAKE_PAYROLL3 + __KAM_FAKE_PAYROLL4 >= 4) +describe KAM_FAKE_PAYROLL Payroll Scam +score KAM_FAKE_PAYROLL 6.0 + +#DATING ADD THAT IS EXPLICIT +body __KAM_DATING1 /women seeking happiness/i +body __KAM_DATING2 /18\+ platform/i +mimeheader __KAM_DATING3 Content-type =~ /\.(png|jpe?g)\"?$/i + +meta KAM_DATING ( __KAM_DATING1 + __KAM_DATING2 + __KAM_DATING3 + (FREEMAIL_FORGED_REPLYTO + FREEMAIL_FROM >= 1) >= 4) +describe KAM_DATING Explicit Content Dating Advert +score KAM_DATING 4.5 + +#FAKE EFAX +header __KAM_FAKE_EFAX1 From:addr !~ /efax.com/i +header __KAM_FAKE_EFAX2 Subject =~ /new fax document/i +body __KAM_FAKE_EFAX3 /efax/i +uri __KAM_FAKE_EFAX4 /\.html?/i + +meta KAM_FAKE_EFAX ( __KAM_FAKE_EFAX1 + __KAM_FAKE_EFAX2 + __KAM_FAKE_EFAX3 + __KAM_FAKE_EFAX4 >=4) +describe KAM_FAKE_EFAX Fake Zix Email +score KAM_FAKE_EFAX 7.0 + +#PIPEDRIVE HTML +uri KAM_PIPEDRIVE_HTML /\.pipedrive\.email\/.*\.s?html?/i +describe KAM_PIPEDRIVE_HTML Suspicious HTML Link in an email +score KAM_PIPEDRIVE_HTML 4.0 + +#GEEKSERVICES +uri __KAM_GEEKSERVICES1 /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i +header __KAM_GEEKSERVICES1A From:addr =~ /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i +header __KAM_GEEKSERVICES2 Subject =~ /receipt|renewal|renewing|subscription/i +body __KAM_GEEKSERVICES2A /bitcoin|coinbase/i + +meta KAM_GEEKSERVICES ( (__KAM_GEEKSERVICES1 + __KAM_GEEKSERVICES1A >= 1) + (__KAM_GEEKSERVICES2 + __KAM_GEEKSERVICES2A >= 1) >= 2) +describe KAM_GEEKSERVICES Fake Geek Squad Services 
+score KAM_GEEKSERVICES 9.0 + +#FAKE SECURITY ALERT +body __KAM_FAKE_SECURITY1 /Security Alert/i +header __KAM_FAKE_SECURITY2 Subject =~ /(Failed login|Account must be updated)/i + +meta KAM_FAKE_SECURITY (__KAM_FAKE_SECURITY1 + __KAM_FAKE_SECURITY2 + KAM_GOOGLE_REDIR >= 3) +describe KAM_FAKE_SECURITY Likely a fake security alert +score KAM_FAKE_SECURITY 5.5 + +#FAKE GEEKSQUAD +header KAM_FAKE_GEEKSQUAD From:addr =~ /\@geek-?(squad)?\-?services\d+\.|productshipping-?hub\d+\./i +describe KAM_FAKE_GEEKSQUAD Fake Geek Squad Notice +score KAM_FAKE_GEEKSQUAD 7.0 + +#FAKE GEEKSQUAD VARIANT 2 +ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + mimeheader __KAM_FAKE_GEEKSQUAD2_1 Content-Type =~ /geeksquad.*\.jpe?g/i + header __KAM_FAKE_GEEKSQUAD2_2 Subject =~ /antivirus receipt/i + + meta KAM_FAKE_GEEKSQUAD2 ( __KAM_FAKE_GEEKSQUAD2_1 + __KAM_FAKE_GEEKSQUAD2_2 + FREEMAIL_FROM >= 3) + describe KAM_FAKE_GEEKSQUAD2 Fake Geek Squad Notice + score KAM_FAKE_GEEKSQUAD2 4.5 +endif + +#FAKE PAYROLL UPDATE + #subj +header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll information update|account information|payroll (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D-?D (pay|information|update)/i + #urg +body __KAM_FAKE_PAY_UPDATE2 /before the next payroll|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay date|Inactive in a few day|right away/i +tflags __KAM_FAKE_PAY_UPDATE2 nosubject + #task +body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) my (bank(ing)?|paycheck|paycheck account) info|new bank(ing)? 
info|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank/i +tflags __KAM_FAKE_PAY_UPDATE3 nosubject + +#sigonly/freemail + +meta KAM_FAKE_PAY_UPDATE ( FREEMAIL_FROM + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4) +describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam +score KAM_FAKE_PAY_UPDATE 6.0 + +#ENCRYPTED PAYLOAD +uri __KAM_ENCRYPTED_LIVE1 /onedrive\.live\.com/i +body __KAM_ENCRYPTED_LIVE2 /password:/i + +meta KAM_ENCRYPTED_LIVE ( __KAM_ENCRYPTED_LIVE1 + __KAM_ENCRYPTED_LIVE2 >= 2) +describe KAM_ENCRYPTED_LIVE Likely malware payload +score KAM_ENCRYPTED_LIVE 7.0 + +#HOMEDEPOT SURVEY +header __KAM_HOMEDEPOTE1 From:addr =~ /\@homedepote\.com/i + +meta KAM_HOMEDEPOTE ( __KAM_HOMEDEPOTE1 >= 1) +describe KAM_HOMEDEPOTE Fake Home Depot Messages +score KAM_HOMEDEPOTE 10.0 + +#SIGNATURE ONLY VERSION 2.0 +if (version >= 4.000000) + if can(Mail::SpamAssassin::Plugin::BodyEval::has_plaintext_body_sig_ratio) + body __KAM_SIGONLY_BODY_NONE eval:plaintext_body_length('0','0') + body __KAM_SIGONLY_SIG_100 eval:plaintext_sig_length('100') + meta KAM_SIGONLY __KAM_SIGONLY_BODY_NONE && __KAM_SIGONLY_SIG_100 + score KAM_SIGONLY 3.5 + else + meta KAM_SIGONLY 0 + endif +endif + +#GAMBLING SPAM +meta KAM_GAMBLING (KAM_MANYTO + KAM_SHORT + FORGED_GMAIL_RCVD + __FREEMAIL_DOC_PDF >= 4) +describe KAM_GAMBLING Emails hawking gambling and similar spams +score KAM_GAMBLING 2.0 + +#JUNK_INVOICE +ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + mimeheader __KAM_JUNK_INVOICE1 Content-Type =~ /invoice\.jpe?g/i + body __KAM_JUNK_INVOICE2 /\[image\:\s+invoice/i + header __KAM_JUNK_INVOICE3 Subject =~ /Invoice/i + + meta KAM_JUNK_INVOICE (FREEMAIL_FROM + __KAM_JUNK_INVOICE1 + __KAM_JUNK_INVOICE2 + __KAM_JUNK_INVOICE3 >= 4) + + score KAM_JUNK_INVOICE 6.0 +endif + +#ONMICROSOFT +header __KAM_ONMICROSOFT1 From =~ /[-\.]onmicrosoft\.com/i +header __KAM_ONMICROSOFT2 Reply-To =~ 
/[-\.]onmicrosoft\.com/i + +meta KAM_ONMICROSOFT (( __KAM_ONMICROSOFT1 + __KAM_ONMICROSOFT2 >= 1) && !__AUTOREPLY_ASU ) +describe KAM_ONMICROSOFT Mail from or reply-to an unprovisioned domain on Microsoft 365 +score KAM_ONMICROSOFT 4.0 + +#FAKE INVOICE +header __KAM_FAKE_INVOICEMS1 Subject =~ /invoice/i +body __KAM_FAKE_INVOICEMS2 /process ACH/i + +meta KAM_FAKE_INVOICEMS KAM_ONMICROSOFT + ( __KAM_FAKE_INVOICEMS1 + __KAM_FAKE_INVOICEMS2 >= 2) >=2 +describe KAM_FAKE_INVOICEMS Fake Invoice Scam +score KAM_FAKE_INVOICEMS 4.5 + +#FAKE ACE/COSTCO/ETC +replace_rules __KAM_FAKE_COSTCO2 __KAM_FAKE_COSTCO3 + + #VOUCHER/COUPON +header __KAM_FAKE_COSTCO1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target).*(e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club/i + #FUZZ +body __KAM_FAKE_COSTCO2 /Cstc (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS Stre|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs 
pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|emney|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from Cstc|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper/i +tflags __KAM_FAKE_COSTCO2 nosubject + #ODDLANG +body __KAM_FAKE_COSTCO3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|epoint|emney|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|[\d\.] coupon|\%Subscriber|as an important customer/i + #URGENT +body __KAM_FAKE_COSTCO4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? 
\d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today/i
+
+meta KAM_FAKE_COSTCO ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 4)
+describe KAM_FAKE_COSTCO Fake Costco/Ace Hardware/etc. coupons
+score KAM_FAKE_COSTCO 6.0
+
+meta KAM_FAKE_COSTCO_LOW !KAM_FAKE_COSTCO && ( __KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 + __KAM_FAKE_COSTCO3 + __KAM_FAKE_COSTCO4 >= 3)
+describe KAM_FAKE_COSTCO_LOW Fake Costco/Ace Hardware/etc. coupons (Lower Confidence)
+score KAM_FAKE_COSTCO_LOW 4.5
+
+#FAKE ACE
+header __KAM_FAKE_ACE1 From:addr =~ /\@.*ace.*/i
+header __KAM_FAKE_ACE2 From:addr !~ /acehardware\.com/i
+
+meta KAM_FAKE_ACE ( (__KAM_FAKE_ACE1 + __KAM_FAKE_ACE2 >=2 ) + (__KAM_FAKE_COSTCO1 + __KAM_FAKE_COSTCO2 >= 1) >= 2)
+describe KAM_FAKE_ACE Possible Ace Hardware Forgery
+score KAM_FAKE_ACE 2.0
+
+#BAD SCAN
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ body __KAM_BAD_SCAN1 /scanned from MFP|\(\d+\) scanned/i
+ header __KAM_BAD_SCAN2 Subject =~ /scan(ned)? image from MFP/i
+
+ meta KAM_BAD_SCAN ( __KAM_BAD_SCAN1 + __KAM_BAD_SCAN2 + (T_HTML_ATTACH + __KAM_VM5 >= 1) >= 3)
+ describe KAM_BAD_SCAN Likely a fake scan
+ score KAM_BAD_SCAN 6.5
+endif
+
+#TRADERBOT
+ #BOT / DEPOSIT
+header __KAM_TRADEBOT1 Subject =~ /(auto|crypto|new|unique|trader?).?bot|(minimum|initial) deposit|without invest|automatic machine/i
+ #EARN
+header __KAM_TRADEBOT2 Subject =~ /(raise|earn) from \d+ (\$+|USD|Eur|dollar|a (month|day))|earnings on crypto|\d+ (\$+|euro?|USD|dollars?) 
(every|per) (month|day)/i
+ #BOT BODY
+body __KAM_TRADEBOT3 /(auto|crypto|new|trader?|unique).?bot|automatic machine|pro tariff|free monthly tariff|fully automatic/i
+tflags __KAM_TRADEBOT3 nosubject
+ #TRADING BODY
+body __KAM_TRADEBOT4 /initial deposit|crytpocurrency trading|(field|world) of (trading|crypto)|make money on trading|solution for the trader|without investing|no investment|(find|news) for trader|traders can relax|lazy trader|currency trading/i
+tflags __KAM_TRADEBOT4 nosubject
+ #EARN BODY
+body __KAM_TRADEBOT5 /(make|earn) from \d+ (\$+|USD|Eur|dollar)|(earn|make) \d+ (\$+|USD|Eur|dollar)|(over|more than) [\d,]+ (dollar|USD|Eur)/i
+tflags __KAM_TRADEBOT5 nosubject
+
+ #LINK / ATTACH
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_TRADEBOT6A Content-Type =~ /(earn.?from.?\d+.?(USD|Eur|dollar)|novice.?trader|(auto|crypto|trader?).?bot).*\.pdf"?$/i
+endif
+body __KAM_TRADEBOT6B /(personal|private|your) (secure )?link|link (below )?from PDF/i
+
+meta KAM_TRADEBOT ( __KAM_TRADEBOT1 + __KAM_TRADEBOT2 + __KAM_TRADEBOT3 + __KAM_TRADEBOT4 + __KAM_TRADEBOT5 + (__KAM_TRADEBOT6A + __KAM_TRADEBOT6B >= 1) + FREEMAIL_FROM >= 6 )
+describe KAM_TRADEBOT Crypto Currency Trading Spams
+score KAM_TRADEBOT 9.0
+
+#BIDDING/ESTIMATING
+ #NAMES
+body __KAM_BIDEST1A /CSI Estimation|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC/i
+header __KAM_BIDEST1B From =~ /bidding|estimat/i
+header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|takeoffs|take-?off service|(quote|quotation) (to|for) (bid|project|take.?off)/i
+ #MORE INFO
+body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off 
service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate/i
+ #TITLE
+body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|marketing manager|estimation company/i
+ #OBFU
+body __KAM_BIDEST4 /(dot)/i
+
+meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 )
+describe KAM_BIDEST Bidding and Estimating Spam
+score KAM_BIDEST 5.5
+
+#FAKE BILL
+header __KAM_FAKE_BILL1 From:name =~ /alert/i
+header __KAM_FAKE_BILL2 Subject =~ /e\-bill copy/i
+body __KAM_FAKE_BILL3 /Payment mode: Paypal pro\-credits|paypal billing team/i
+body __KAM_FAKE_BILL4 /issues with the transaction/i
+
+meta KAM_FAKE_BILL ( __KAM_FAKE_BILL1 + __KAM_FAKE_BILL2 + __KAM_FAKE_BILL3 + __KAM_FAKE_BILL4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_BILL Fake Invoice Scams
+score KAM_FAKE_BILL 6.0
+
+#FAKE PO
+body __KAM_FAKE_PO1 /status on our purchase order/i
+header __KAM_FAKE_PO2 Subject =~ /PO \d+/i
+body __KAM_FAKE_PO3 /attached/i
+
+meta KAM_FAKE_PO (__KAM_FAKE_PO1 + __KAM_FAKE_PO2 + __KAM_FAKE_PO3 + T_HTML_ATTACH >= 4)
+describe KAM_FAKE_PO Fake Purchase Orders
+score KAM_FAKE_PO 6.0
+
+#FAKE AGING REPORT
+header __KAM_FAKE_AGING1 Subject =~ /Aging Report/i
+body __KAM_FAKE_AGING2 /current aging report/i
+tflags __KAM_FAKE_AGING2 nosubject
+body __KAM_FAKE_AGING3 /treat it as urgent/i
+body __KAM_FAKE_AGING4 /email addresses in an excel/i
+
+meta KAM_FAKE_AGING ( __KAM_FAKE_AGING1 + __KAM_FAKE_AGING2 + __KAM_FAKE_AGING3 + __KAM_FAKE_AGING4 + KAM_RAPTOR_EXTERNAL >= 5)
+describe KAM_FAKE_AGING Phishes for Financial Information
+score KAM_FAKE_AGING 7.5
+
+#PAYPAL FREEMAIL
+header __KAM_PAYPAL_FREEMAIL1 From:name =~ /paypal/i
+#body __KAM_PAYPAL_FREEMAIL2 /crypto.?currency/i
+
+meta KAM_PAYPAL_FREEMAIL ( FREEMAIL_FROM + __KAM_PAYPAL_FREEMAIL1 >= 2)
+describe KAM_PAYPAL_FREEMAIL PayPal spoofs from Freemail Addresses
+score 
KAM_PAYPAL_FREEMAIL 4.5
+
+#FAKE DOCUSIGN
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_FAKE_DOCUSIGN1 Content-Type =~ /docusign\.png/i
+
+ meta KAM_FAKE_DOCUSIGN (__KAM_FAKE_DOCUSIGN1 + T_HTML_ATTACH >= 2)
+ describe KAM_FAKE_DOCUSIGN Fake Docusign Document
+ score KAM_FAKE_DOCUSIGN 3.0
+endif
+
+#FAKE REIMB
+header __KAM_FAKE_REIMB1 Subject =~ /assistance/i
+ #HOW
+body __KAM_FAKE_REIMB2 /mobile transfer/i
+ #MONEY
+body __KAM_FAKE_REIMB3 /\$[\d,]+/i
+ #ODDLANG & REIMBURSEMENT REQUEST
+body __KAM_FAKE_REIMB4 /reimbursement cheque/i
+ #TRANSFER
+body __KAM_FAKE_REIMB5 /details for the transfer/i
+
+meta KAM_FAKE_REIMB ( __KAM_FAKE_REIMB1 + __KAM_FAKE_REIMB2 + __KAM_FAKE_REIMB3 + __KAM_FAKE_REIMB4 + __KAM_FAKE_REIMB5 + FREEMAIL_FROM >= 6)
+describe KAM_FAKE_REIMB Fake Reimbursement Request
+score KAM_FAKE_REIMB 9.0
+
+#FAKE_AMAZON
+header __KAM_FAKE_AMAZON1 From:name =~ /\#A.?m.?a.?z.?o.?n/i
+header __KAM_FAKE_AMAZON2 Subject =~ /A\-M\-A\-Z\-O\-N|payment confirmation|amazon.?e.?billing/i
+#body __KAM_FAKE_AMAZON3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/
+body __KAM_FAKE_AMAZON3 /Receipt Id|Bill no/i
+uri __KAM_FAKE_AMAZON4 /googleusercontent\.com/i
+
+meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + __KAM_FAKE_AMAZON3 + __KAM_FAKE_AMAZON4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_AMAZON Fake Amazon Order
+score KAM_FAKE_AMAZON 7.5
+
+#FAKE_APPLE
+header __KAM_FAKE_APPLE1 From:name =~ /\#.?A.?p.?p.?l.?e|statement/i
+header __KAM_FAKE_APPLE2 Subject =~ /i\.t\.u\.n\.e|membership confirmation|invoice|billing/i
+body __KAM_FAKE_APPLE3 /a\.p\.p\.l\.e|i\.c\.l\.o\.u\.d|app store team/i
+tflags __KAM_FAKE_APPLE3 nosubject
+uri __KAM_FAKE_APPLE4 /googleusercontent\.com/i
+
+meta KAM_FAKE_APPLE ( __KAM_FAKE_APPLE1 + __KAM_FAKE_APPLE2 + __KAM_FAKE_APPLE3 + __KAM_FAKE_APPLE4 + FREEMAIL_FROM >= 5 )
+describe KAM_FAKE_APPLE Fake Apple Order
+score KAM_FAKE_APPLE 7.5
+
+#FREEMAIL_ORD
+header __KAM_FREEMAIL_ORDER1 
Subject =~ /thank you for your order/i
+
+meta KAM_FREEMAIL_ORDER ( __KAM_FREEMAIL_ORDER1 + FREEMAIL_FROM >= 2 )
+describe KAM_FREEMAIL_ORDER Questionable message about an order but using freemail
+score KAM_FREEMAIL_ORDER 3.0
+
+#RESCORE
+score URI_DOTEDU 0.5
+score ADVANCE_FEE_3_NEW 1.5
+
+#PROBLEMATIC 2TLD PROVIDERS
+uri KAM_2TLD_PROBLEMS /(\.sa\.com|\.ru\.com|\.plesk\.page)/i
+describe KAM_2TLD_PROBLEMS Problematic 2TLD handlers being abused
+score KAM_2TLD_PROBLEMS 2.0
+
+#CALLING ASSOCIATE
+ #SUBJ
+header __KAM_CALLING_1 Subject =~ /answering solution/i
+ #NAME
+body __KAM_CALLING_2 /Itotogit/i
+ #TITLE
+body __KAM_CALLING_3 /answering associate/i
+tflags __KAM_CALLING_3 nosubject
+
+meta KAM_CALLING ( __KAM_CALLING_1 + __KAM_CALLING_2 + __KAM_CALLING_3 + FREEMAIL_FROM >= 4)
+describe KAM_CALLING Spamming Phone and Answering Solutions
+score KAM_CALLING 6.0
+
+#SA and ZA ABUSE
+
+replace_tag ABUSE_DOMAINS (?:\.(sa\.com|za\.com|co\.in))(\b|\/|$|\@)
+
+replace_rules __KAM_SA_ZA_ABUSE1 __KAM_SA_ZA_ABUSE2
+
+uri __KAM_SA_ZA_ABUSE1 //i
+header __KAM_SA_ZA_ABUSE2 From:addr =~ //i
+
+meta KAM_SA_ZA_ABUSE (__KAM_SA_ZA_ABUSE1 + __KAM_SA_ZA_ABUSE2 >= 1)
+describe KAM_SA_ZA_ABUSE 2TLD Providers prevalent in spam abuse
+
+score KAM_SA_ZA_ABUSE 4.5
+
+#FAKE COINBASE
+body __KAM_FAKE_COINBASE1 /C\.O\.I\.N\.B\.A\.S\.E/
+
+meta KAM_FAKE_COINBASE (__KAM_FAKE_COINBASE1 >= 1)
+describe KAM_FAKE_COINBASE Fake Coinbase Email
+score KAM_FAKE_COINBASE 3.0
+
+#FAKE COINBASE VARIANT
+header __KAM_FAKE_COINBASE2_1 Subject =~ /billing/i
+body __KAM_FAKE_COINBASE2_2 /sent a payment/i
+body __KAM_FAKE_COINBASE2_3 /BTC|paypal/i
+
+meta KAM_FAKE_COINBASE2 (__KAM_FAKE_COINBASE2_1 + __KAM_FAKE_COINBASE2_2 + __KAM_FAKE_COINBASE2_3 + FREEMAIL_FROM + __KAM_FAKE_AMAZON3 >= 5)
+describe KAM_FAKE_COINBASE2 Fake Coinbase Email
+score KAM_FAKE_COINBASE2 7.5
+
+
+#FAKE SURVEY
+header __KAM_FAKE_SURVEY1 From:addr =~ /Shopper.?Gift.?Card|survey/i
+body __KAM_FAKE_SURVEY2 /gift card (opp|promo)/i 
+tflags __KAM_FAKE_SURVEY2 nosubject
+body __KAM_FAKE_SURVEY3 /\d second survey/i
+tflags __KAM_FAKE_SURVEY3 nosubject
+header __KAM_FAKE_SURVEY4 Subject =~ /gift card/i
+
+meta KAM_FAKE_SURVEY ( __KAM_FAKE_SURVEY1 + __KAM_FAKE_SURVEY2 + __KAM_FAKE_SURVEY3 + __KAM_FAKE_SURVEY4 + KAM_SA_ZA_ABUSE >= 5)
+describe KAM_FAKE_SURVEY Fake gift card surveys
+score KAM_FAKE_SURVEY 7.5
+
+#REWARDS
+header __KAM_FAKE_REWARDS1 Subject =~ /(dollar general|t-mobile|ace hardware) (gift|reward)/i
+
+meta KAM_FAKE_REWARDS ( KAM_STORAGE_GOOGLE + __KAM_FAKE_REWARDS1 >= 2)
+describe KAM_FAKE_REWARDS Fake Reward emails
+score KAM_FAKE_REWARDS 3.0
+
+#FAKE_AHS
+header __KAM_FAKE_AHS1 From =~ /AHS Warranty/i
+
+meta KAM_FAKE_AHS ( __KAM_FAKE_AHS1 + KAM_SOMETLD_ARE_BAD_TLD >= 2)
+describe KAM_FAKE_AHS Home Warranty Spam
+score KAM_FAKE_AHS 3.0
+
+#FAKE_FICO
+ #FUZZ
+body __KAM_FAKE_FICO1 /F[1l]co/i
+
+ #ODD LANG
+body __KAM_FAKE_FICO1A /complimentary\-review/i
+ #SUBJ
+header __KAM_FAKE_FICO2 Subject =~ /(cred[1il]t.?(points|score)|score heal?th|202\d score|3 bureaus|Equifax score)/i
+
+meta KAM_FAKE_FICO ((__KAM_FAKE_FICO1 + __KAM_FAKE_FICO1A >= 1) + __KAM_FAKE_FICO2 >= 2 )
+describe KAM_FAKE_FICO Credit Score Spam
+score KAM_FAKE_FICO 6.0
+
+#CAM DOMAIN ISSUES
+header __KAM_CAM_DOMAIN From:addr =~ /\.cam$/i
+
+meta KAM_CAM_DOMAIN ( KAM_SEMFRESH + __KAM_CAM_DOMAIN >= 2 )
+describe KAM_CAM_DOMAIN Abusive TLD with a new domain
+score KAM_CAM_DOMAIN 3.0
+
+#UNREAD MESSAGES
+header __KAM_UNREAD1 Subject =~ /unread message/i
+body __KAM_UNREAD2 /relationship status/i
+body __KAM_UNREAD3 /(see more of me here|photo album)/i
+
+meta KAM_UNREAD ( __KAM_UNREAD1 + __KAM_UNREAD2 + __KAM_UNREAD3 >= 3)
+describe KAM_UNREAD Singles Message Scams
+score KAM_UNREAD 4.5
+
+#NOT INTERESTED
+body KAM_NOT_INTERESTED /reply \"Not Interested\"/i
+describe KAM_NOT_INTERESTED Contains Opt-Out Language
+score KAM_NOT_INTERESTED 1.5
+
+#OCTET STREAM ISSUE - Updated 2022-11-26 thanks to Judah for the FP
+mimeheader 
__KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream.*.s?html?\.?\"?$/i
+
+meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 >= 1 )
+describe KAM_OCTET_PHISH HTML File attached with the wrong MIME Type
+score KAM_OCTET_PHISH 3.0
+
+#FAKE WALMART
+header __KAM_FAKE_WALMART1 Subject =~ /transaction code/i
+body __KAM_FAKE_WALMART2 /Your order/i
+tflags __KAM_FAKE_WALMART2 nosubject
+body __KAM_FAKE_WALMART3 /WALMART INC/i
+tflags __KAM_FAKE_WALMART3 nosubject
+
+meta KAM_FAKE_WALMART ( __KAM_FAKE_NORTON3 + FREEMAIL_FROM + __KAM_FAKE_WALMART1 + __KAM_FAKE_WALMART2 + __KAM_FAKE_WALMART3 >= 5)
+describe KAM_FAKE_WALMART Fake Walmart Scam
+score KAM_FAKE_WALMART 7.5
+
+#ANALYTICO
+header __KAM_ANALYTICO1 Subject =~ /online course|promotion/i
+body __KAM_ANALYTICO2 /Training Manager/i
+body __KAM_ANALYTICO3 /Analytico Academy/i
+
+meta KAM_ANALYTICO ( __KAM_ANALYTICO1 + __KAM_ANALYTICO2 + __KAM_ANALYTICO3 >= 3)
+describe KAM_ANALYTICO Domain Hopping Spammers
+score KAM_ANALYTICO 4.5
+
+#DESZY
+header __KAM_DESZY1 From =~ /deszy/i
+body __KAM_DESZY2 /Deszy/i
+uri __KAM_DESZY3 /search\?q=Deszy/i
+header __KAM_DESZY4 Subject =~ /content creation/i
+
+meta KAM_DESZY ( __KAM_DESZY1 + __KAM_DESZY2 + __KAM_DESZY3 + __KAM_DESZY4 >= 4)
+describe KAM_DESZY Domain Hopping Spammers
+score KAM_DESZY 6.0
+
+#HEROKU ETC APP EXPLOITS WITH FREEMAIL
+uri __KAM_APPS1 /\.herokuapp\.com|app\.connect365\.io|\.appspot\.com|salesforce\.com\/servlet/i
+header __KAM_APPS2A Subject =~ /onedrive/i
+header __KAM_APPS2B From:name =~ /onedrive/i
+header __KAM_APPS3 From:addr =~ /\.awsapps.com>?$/i
+
+meta KAM_APPS ( FREEMAIL_FROM + __KAM_APPS1 >= 2 )
+describe KAM_APPS Apps being exploited by Spammers
+score KAM_APPS 4.0
+
+meta KAM_APPS2 (__KAM_APPS1 + (__KAM_APPS2A + __KAM_APPS2B >= 1) >= 2)
+describe KAM_APPS2 Fake OneDrive Notification
+score KAM_APPS2 4.0
+
+meta KAM_APPS3 (__KAM_APPS3)
+describe KAM_APPS3 AWS Apps Emailing Directly
+score KAM_APPS3 9.0
+
+#PHONE
+body __KAM_PHONE1 /reduce your 
company phone expense/i
+body __KAM_PHONE2 /changes? that takes? less than \d+ min/i
+
+meta KAM_PHONE ( __KAM_PHONE1 + __KAM_PHONE2 + FREEMAIL_FROM >= 3 )
+describe KAM_PHONE Phone Service Spam
+score KAM_PHONE 4.5
+
+#PASSWORD EXPIRATIOn
+ #URG
+body __KAM_PASSEXP1 /expires today|about to expire/i
+ #ACTION
+body __KAM_PASSEXP2 /(continue with|Keep my) same password/i
+ #URI
+uri __KAM_PASSEXP3 /s3\.amazonaws\.com\/.{1,10}\.html/i
+
+meta KAM_PASSEXP ( __KAM_PASSEXP1 + __KAM_PASSEXP2 + ( KAM_IPFS + __KAM_PASSEXP3 >= 1 ) >= 3 )
+describe KAM_PASSEXP Credential Scam
+score KAM_PASSEXP 4.5
+
+#IPFS
+uri KAM_IPFS /(\.|\b|\/)ipfs\.io\//i
+describe KAM_IPFS Abused Protocol for Distributed Content
+score KAM_IPFS 3.0
+
+#PHONESYSTEM
+ #DEAL
+body __KAM_PHONESYS1 /(reduced|lower your) rate|\d+% lower|lower (your|its) telecom/i
+ #TITLE
+body __KAM_PHONESYS2 /Business Dev|tech associate|tele.?specialist|growth dev/i
+ #PHONE
+body __KAM_PHONESYS3 /Top-regarded carriers|(T1|Cloud) (lines|phone)|cloud.?based phone|voip service/i
+ #MEETING REQ/OPT
+body __KAM_PHONESYS4 /(worth|Have) \d+ minute|reply with rule.?out|open to this/i
+ #INFO REQ
+body __KAM_PHONESYS5 /best number to quickly get in touch|quick number to reach you|may i send some info|best direct line to reach/i
+
+meta KAM_PHONESYS ( __KAM_PHONESYS1 + __KAM_PHONESYS2 + __KAM_PHONESYS3 + __KAM_PHONESYS4 + __KAM_PHONESYS5 + FREEMAIL_FROM >= 6 )
+describe KAM_PHONESYS New Phone System Spam
+score KAM_PHONESYS 9.0
+
+#CONTRACT HTML
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __KAM_CONTRACT2_1 Content-Type =~ /(statement\d+|contract\#?\d+|final.?hud.?\d+|Kyc\d+|check)\.htm/i
+
+ meta KAM_CONTRACT2 ( __KAM_CONTRACT2_1 >= 1)
+ describe KAM_CONTRACT2 Suspect HTML file
+ score KAM_CONTRACT2 7.0
+endif
+
+#FAKE ALLSCRIPTS
+header __KAM_ALLSCRIPTS1 From:addr !~ /\@allscripts.com/i
+header __KAM_ALLSCRIPTS2 From:name =~ /allscripts/i
+header __KAM_ALLSCRIPTS3 Subject =~ /invoice|receipt/i
+body 
__KAM_ALLSCRIPTS4 /membership|recurring monthly/i
+
+meta KAM_ALLSCRIPTS ( __KAM_ALLSCRIPTS1 + __KAM_ALLSCRIPTS2 + __KAM_ALLSCRIPTS3 + __KAM_ALLSCRIPTS4 >= 4 )
+describe KAM_ALLSCRIPTS Fake Invoice Scam
+score KAM_ALLSCRIPTS 6.0
+
+#EXPLOIT SCAM
+body __KAM_EXPLOIT1 /wallet:/i
+body __KAM_EXPLOIT2 /you have three days/i
+body __KAM_EXPLOIT3 /countdown will begin/i
+body __KAM_EXPLOIT4 /\$\d00/i
+
+meta KAM_EXPLOIT (__KAM_EXPLOIT1 + __KAM_EXPLOIT2 + __KAM_EXPLOIT3 + __KAM_EXPLOIT4 + KAM_SENDGRID >= 5)
+describe KAM_EXPLOIT Exploitation Scam
+score KAM_EXPLOIT 7.5
-# #EOF