diff --git a/kam-updates/kam_sa-channels_mcgrail_com.cf b/kam-updates/kam_sa-channels_mcgrail_com.cf
index a8c5b9c..94d86b7 100644
--- a/kam-updates/kam_sa-channels_mcgrail_com.cf
+++ b/kam-updates/kam_sa-channels_mcgrail_com.cf
@@ -1,4 +1,4 @@
-# UPDATE version 1679601668
+# UPDATE version 1687472126
 include kam_sa-channels_mcgrail_com/KAM.cf
 include kam_sa-channels_mcgrail_com/KAM_deadweight3.cf
 include kam_sa-channels_mcgrail_com/KAM_deadweight3_meta.cf
diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf
index 2a62aca..3384ea0 100644
--- a/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf
+++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM.cf
@@ -673,7 +673,7 @@ body __KAM_CEP5 /degree\/certificates|certification/i
 body __KAM_CEP6 /\d (week|month)/i
 header __KAM_CEP7 From =~ /certificate program/i
-meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
+meta KAM_CEP (((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3) && ! __PDF_ATTACH )
 describe KAM_CEP CEP Diploma Mill Rule
 score KAM_CEP 3.5
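Review bot: The new `&& ! __PDF_ATTACH` on the `meta KAM_CEP` line turns any PDF attachment into a blanket exemption, so a diploma-mill mailing sidesteps the whole rule by attaching one PDF; if the goal is only to spare legitimate certificate-program mail that ships a brochure, raise the bar for PDF-bearing mail instead of dropping the rule, e.g. `meta KAM_CEP (((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3) && ! __PDF_ATTACH) || ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 5)`. `__PDF_ATTACH` is not defined in this hunk; if it comes from a stock ruleset, confirm it exists on every SpamAssassin version this channel targets, since an undefined meta dependency is, as far as I recall, reported only as a lint warning and evaluated as false, which would silently make the exemption a no-op on such installs. A one-line comment above the meta recording the reason, e.g. `# Genuine certificate programs attach PDF brochures; do not fire on those`, would help the next reviewer judge the trade-off.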
@@ -743,10 +743,14 @@ if can(Mail::SpamAssassin::Conf::feature_capture_rules) describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse score GB_STORAGE_GOOGLE_EMAIL 2.000 + uri GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i + describe GB_YOUTUBE_EMAIL Youtube attribution links abuse + score GB_YOUTUBE_EMAIL 2.000 + # Links to malware uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i - uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:email=|audit\#|wapp\#)%{GB_TO_ADDR};i + uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:(?= 3.004003) endif #FREEMAIL SPAMMY ADDRESSES IN UNWANTED LANGUAGES -header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|yahoo)\.com/i -header __GB_FREEMAIL_NUMN0 From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|yahoo)\.com/i -header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|yahoo)\.com/i -header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|yahoo)\.com/i +header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|icloud|yahoo)\.com/i +header __GB_FREEMAIL_NUMN0 From:addr =~ /[a-z]\.?(?:19|20)\d{2}\@(gmail|hotmail|icloud|yahoo)\.com/i +header __GB_FREEMAIL_NUM1 From:addr =~ /[a-z]\.?(?:\d{3}|\d{5,10})\@(gmail|hotmail|icloud|yahoo)\.com/i +header __GB_FREEMAIL_NUM2 From:addr =~ /[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@(gmail|hotmail|icloud|yahoo)\.com/i meta GB_FREEMAIL_NUM ( ( __GB_FREEMAIL_NUM0 && ! __GB_FREEMAIL_NUMN0 ) || __GB_FREEMAIL_NUM1 || __GB_FREEMAIL_NUM2 ) describe GB_FREEMAIL_NUM Freemail spammy address score GB_FREEMAIL_NUM 1.0 
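Review bot: Adding `icloud` to the four `__GB_FREEMAIL_NUM*` patterns brings Apple's Hide My Email relay addresses into scope; if those follow the `word.word.0x@icloud.com` shape commonly reported (nothing in this diff shows it, so please check against real samples), `__GB_FREEMAIL_NUM2` with its `[a-z]\.?(?:\d+)(?:[a-z])+(?:\d+)?\@` core matches every one of them and GB_FREEMAIL_NUM would tag legitimate privacy-relay senders. Independently, none of the four regexes anchors the domain, so `user1234@gmail.com.example.net` matches as well; appending `$`, e.g. `header __GB_FREEMAIL_NUM0 From:addr =~ /[a-z]\.?\d{4}\@(gmail|hotmail|icloud|yahoo)\.com$/i` and likewise for the other three, keeps the rule to the providers it names at no cost. The `@@` header of this hunk and the end of the preceding `__GB_CUSTOM_HTM_URI2` line appear garbled in the page rendering, so I have reviewed only the lines that survived.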
@@ -2829,13 +2829,13 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3 #ISSUE - body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (amost )?(exhausted|fu)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|dectivted if no ction|invalid users|request .{0,13}shutdown|migrating all email|delvry f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? 
(e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be preented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired/i + body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|e-?mail|mailbox|bandwidth).(limit|quota|size|capacity)|(box|quota) is (amost )?(exhausted|fu)|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? 
to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|dectivted if no ction|invalid users|request .{0,13}shutdown|migrating all email|delvry f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service|mail) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving|your inbox)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be (locked|shut ?down)|unauthorized (person|access)|prevent (further reject|loss of account)|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|(has been|will be) (hacked|suspended)|will.{0,2}expire.{0,2}(today|soon)|IP below was used|password.{1,5}expires? 
today|server is totally full|account is almost full|(irregular|suspicious) activit|locked out of your account|login (interruption|problem)|automatic shut.?down|lose your contact|not receive (more|new) e?mail|deactivation of the email|Expired today|exceeded the limit|disruption of your email|message might be preented|mail delivery blocked|email gets locked|shut down on your account|refusal in updating your email|avoid (lose access|shut.?down|being barred)|losing (of )?your account|undelivered e?-?mail|SSL Port server error|refusal of email security|blocked access to your inbox|web-?mail support|change your password|pending (e-?mail|mail) message|terminated in \d+ hour|messages were rejected|server error|platform is outdated|need to validate.{2,40}owned by you|password notification|expires today|Reconfirm(?: your) password|out of storage|mail quota full|email password will expire|mailbox termination|failed to sync|permanent deletion|password has been disabled|mailbox \".{5,35}\" has expired|deleted after \d+ hour|expires in less than \d+h|risk of being locked out/i tflags __KAM_MAILBOX1 nosubject #ACTION - body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) 
(inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the request|prevent lock of account|back under the limit|update no|rectivte ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email 
message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file/i - tflags __KAM_MAILBOX2 nosubject - #SUBJECT - header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(delvry|synchronization|processing) (problem|is blocked|failure|errr)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) 
(closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}errr|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|verfcaton|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? 
update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account/i + body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|ccount|(web-?)?mail|info|email|web ?mail|ownership|mailbox)|(increase|upgrade) (my|your?) (inbox |email )?quota|quota (configuration|upgrade)|(increase disk|create some additional|update|add|increase) storage|(setup|upgrade) (your )?mailbox|mail malfunction|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(sent e.?mail|message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (it )?(here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) (them|below)|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|(avoid|automatically) delet|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your 
roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (your )?(pending|withheld|recent) (incoming|message|e?mail)|use the button|reduce your mai|deliver recent mail|(use|using|keep) (current|same|my) password|change password|stop (this action|account removal)|fix (the problem here|your email)|(maintain|keep).{0,6}current.{0,2}(signing|password)|verify login|apply update|deliver pending message|archive emails|initiate the upgrad|(approve|continue with) the (current|same) password|free up space|quick re-?validation|cancel the request|prevent lock of account|back under the limit|update no|rectivte ccess|consider keeping your password|account will work effectively|portal to prompt delivery|open the attachment|Reload Email message|secure your account|authenticate account|keep (the )?same password|(keep|use) (the|your) current password|proper verification|restoration of your account|systematically updated|synchronization errors|activate Improved security|(restore|recover) messages (here|below)|recover your delayed messages|validate your (?:mailbox|e\-mail)|conveyed to each sender|Please security access key|account password is due to expire|avoid missing important e?-?mail|pending e?-?mail message|clear cache quick|avoid loss of e?mail|upgrade inbox|enable your password|retrieve your file|view and accept messages|keep my access/i + tflags __KAM_MAILBOX2 nosubject + #SUBJECT + header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|(@.*?is|Inbox) almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(delvry|synchronization|processing) (problem|is blocked|failure|errr)|(mailbox|storage) (is )?full|(disc|disk|inbox) full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new 
)?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit|quota) .{0,10}exceeded|(action|confirmation|\..{2,6} update).?required|(mail|mailbox|account|password) (error|shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}errr|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password.(due|recovery|expir)|recovery option|(confirm|email) activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage (error|limit)|verfcaton|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(cancel|issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|(mail delivery|\d emails?) suspended|error sync|(e-?mails?|messages) (are )?pending|\d \(?new\)? notice|new IP address|expir(y|ation) notif|reached their disk quota|webmail support|notification for|change.{0,30}account password now|(mail|mail-?box) termination|office? ?365 access|(Attention|urgent):? 
update (required|needed)|(full|out of) storage|quota (limit|reached)|access.{1,4}expire|renew your e?-?mail pass|mail protection update|e-?mail .{0,30}still pending|unauthorized (login|logging) attempt|^suspended$|message failed|security upgrade|password.*expires today|password activity|mail (access blocked|delayed)|account has been hacked|prevent account malfunction|password change notification|Critical(?:\-|\s)Status on|(storage|upgrade) notice|mail not sent|mailbox.{0,4}update settings|\-notification\:\w|access has been suspended|Activities account|Alert\!\!|do not ignore this notification|trying to contact you/i #NON OBFUSCATED VARIANT NOT A SPAM INDICATOR header __KAM_MAILBOX3FP Subject =~ /verification/i 
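Review bot: The subject alternative `trying to contact you` appended to `__KAM_MAILBOX3` is ordinary business language (collections, recruiters, vendors) rather than an account-alert token like the rest of the list, so whatever KAM_MAILBOX meta consumes this sub-rule (it is defined outside the hunk) gets an easier hit on legitimate mail; consider qualifying it, e.g. `trying to contact you.{0,30}(?:account|mailbox|e-?mail|password)`, or parking it in a separate, lower-weighted sub-rule. `Alert\!\!` is in the same category to a lesser degree. None of the new terms in `__KAM_MAILBOX1`, `__KAM_MAILBOX2` or `__KAM_MAILBOX3` records where it came from; a dated trailer comment such as `# 2023-06: added "deleted after N hour", "risk of being locked out", "trying to contact you" from quota-phish samples` would make future pruning possible. The page rendering appears to have dropped the replace-tag markers from these regexes (hence fragments like `amost` and `dectivted`), so I have only reviewed the plain-text alternatives.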
@@ -3002,27 +3002,29 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 #Write a very broad regex like g.*k.?squ.* and the debug outputs something like G\x{CF}\x{B5}\x{CF}\x{B5}k Squ" Then you can Edit the tag for E1 to add |[\xcf][\xb5]
 # replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
-replace_tag A1 (?:a|[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
-replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
-replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c]|[xd0\xa1])
-replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
-replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e]|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab]|[\xc3][\xa8])
-replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
-replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
-replace_tag K1 (?:k|[\xd0][\xba])
-replace_tag L1 (?:l|i)
-replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
-replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
-replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98]|[\xd0][\x9e]|[\xc3][\xb4])
-replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99]|[\xd0\xa0])
-replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
-replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
-replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
-replace_tag U1 (?:u|[\xf0\x9d\x98\x82])
-replace_tag V1 (?:v|[\xf0\x9d\x96\xb5]|[\xce][\xbd])
-replace_tag W1 (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0]|[\xd1\xa1])
-replace_tag Y1 (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
-replace_tag SPACE1 (?: |[\xc2\xa0])
+
+#Thanks to Kent Oyer for his review of the replace tags
+replace_tag A1 (?:a|\xf0\x9d\x97\xae|\xc3\xa3|\xf0\x9d\x9a\x8a|\xd0\xb0|\xc9\x91|\xce\xb1|\xc3\x81|\@)
+replace_tag B1 (?:b|\xce\x92|\xce\xb2|\xf0\x9d\x97\xaf|\xf0\x9d\x9a\x8b)
+replace_tag C1 (?:c|\xd0\xa1|\xd1\x81|\xf0\x9d\x97\xb0|\xf0\x9d\x9a\x8c)
+replace_tag D1 (?:d|\xf0\x9d\x9a\x8d)
+replace_tag E1 (?:e|\xd0\xb5|\xc4\x97|\xf0\x9d\x97\xb2|\xf0\x9d\x9a\x8e|\xc3\xaa|\xcf\xb5|\xc3\xab)
+replace_tag G1 (?:g|\xf0\x9d\x97\x80)
+replace_tag I1 (?:i|\xd1\x96|\xc4\xab|\xce\xb9|\xf0\x9d\x97\xb6|\xf0\x9d\x9a\x92|l|1)
+replace_tag K1 (?:k|\xd0\xba)
+replace_tag L1 (?:l|i)
+replace_tag M1 (?:m|\xca\x8d|\xf0\x9d\x97\xba|\x9b\x96)
+replace_tag N1 (?:n|\xf0\x9d\x9a\x97)
+replace_tag O1 (?:o|0|\xd0\xbe|\xce\xbf|\xf0\x9d\x97\xbc|\xf0\x9d\x9a\x98|\xd0\x9e|\xc3\xb4)
+replace_tag P1 (?:p|\xd1\x80|\xc7\xb7|\xcf\x81|\xf0\x9d\x97\xbd|\xf0\x9d\x9a\x99|\xd0\xa0)
+replace_tag R1 (?:r|\xf0\x9d\x97\xbf|\xf0\x9d\x9a\x9b)
+replace_tag S1 (?:s|\xd0\x85|\xf0\x9d\x98\x80|\xf0\x9d\x9a\x9c)
+replace_tag T1 (?:t|\xcf\x84|\xf0\x9d\x98\x81|\xf0\x9d\x9a\x9d)
+replace_tag U1 (?:u|\xf0\x9d\x98\x82)
+replace_tag V1 (?:v|\xf0\x9d\x96\xb5|\xce\xbd)
+replace_tag W1 (?:w|\xf0\x9d\x98\x84|\xf0\x9d\x9a\xa0|\xd1\xa1)
+replace_tag Y1 (?:y|\xf0\x9d\x9a\xa2)
+replace_tag SPACE1 (?: |\xc2\xa0)
 #OBFU ONLY
 replace_tag A2 (?:[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
@@ -3406,7 +3408,7 @@ score KAM_AP 4.5
 #CO.UK
 header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
 describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
-score KAM_COUK 0.6
+score KAM_COUK 0.3
 #FAKE FACEBOOKMAIL
 #REAL FB DOMAIN
@@ -5936,7 +5938,7 @@ describe KAM_CMS Indicators that a CMS has been exploited for Spammers
 score KAM_CMS 1.0
 #WESTERN UNION SCANS
-header __KAM_WU1 from:addr !~ /\@westernunion.com/i
+header __KAM_WU1 from:addr !~ /\@westernunion\.com/i
 header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
 uri __KAM_WU3 /western.umt/i
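Review bot: `replace_tag M1` gains `\x9b\x96`, which is two UTF-8 continuation bytes with no lead byte; as written it can never match a whole character, only the last two bytes of some unrelated multibyte character (and only when the body is matched byte-wise rather than as decoded text), so it looks like a 4-byte sequence that lost its `\xf0\x9d` prefix. Please confirm the intended code point and write the full sequence, or drop the fragment: `replace_tag M1 (?:m|\xca\x8d|\xf0\x9d\x97\xba)`. The hunk fixes the `[\xf0\x9d\x97][\xae]` character-class mistake for the `*1` tags, but the `#OBFU ONLY` `*2` tags visible as context (`replace_tag A2 (?:[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|...`) keep it, so they match only the trailing two bytes of the intended glyph and the tail of any other character ending in those bytes; the same sequence rewrite belongs there too.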
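Review bot: Escaping the dot in `__KAM_WU1` is right, but the negative match is still unanchored, so `from:addr !~ /\@westernunion\.com/i` also treats `x@westernunion.com.example.net` or `x@westernunion.company` as genuine Western Union and lets a spoofer opt out of whatever meta consumes `__KAM_WU1` (that meta lies outside the hunk); `header __KAM_WU1 from:addr !~ /\@westernunion\.com$/i` closes the gap. `__KAM_WU3 /western.umt/i` on the next line has the same unescaped dot the commit fixes on WU1; if it is meant literally, `uri __KAM_WU3 /western\.umt/i`, and if it is a deliberate wildcard a short comment saying so would stop the next reviewer from "fixing" it.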
@@ -5949,22 +5951,22 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7 - body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|ld (a )?mlwr||hacked yur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system/i + body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|mlwr n th wb|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your cmera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|ld (a )?mlwr||hacked yur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera/i - #Bitcoin - body __KAM_CRIM2 /(\-?|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin/i + #Bitcoin / Etc. 
+ body __KAM_CRIM2 /(\-?|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces|Litecoin|shoprite|instant money/i #Payment - body __KAM_CRIM3 /make (he|a) paymen|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address|Address part||negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins/i + body __KAM_CRIM3 /make (he|a) paymen|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bitn wll|(mkng|mplet) th trnstn|send me \d+ dollars|send [\d\.]+ USD|addrss fr pymnt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paymnt by btcon|\d\d\d usd|DSH\)? address|Address part||negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin/i #Sexually explicit - body __KAM_CRIM4 /erotica||p(ro|or)nographic movie|promising evidence||playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off/i + body __KAM_CRIM4 /erotica||p(ro|or)nographic movie|promising evidence||playing with yourself|wanking|lf n b rund|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult/i #TIME - body __KAM_CRIM5 /(twenty.?four|24).?hurs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? 
to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|trnsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)/i + body __KAM_CRIM5 /(twenty.?four|24).?hurs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(urs)? ftr y pn|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|trnsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts/i #Subject - header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i + header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y r my vtm|visit the police|hi. vitim|bomb|rescue|your building|asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know/i header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i 
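Review bot: The new `(\b|^)(BTC|DSH|LTC)(\b|$)` in `__KAM_CRIM2` sits inside a `/i` regex, so `LTC` also matches `Ltc` (lieutenant colonel) and `ltc` (long-term care), both of which occur as standalone words in ordinary mail; bounding the tickers is an improvement over the old unbounded `BTC|DSH`, but the ticker itself should stay case-sensitive: `\b(?:BTC|DSH|(?-i:LTC))\b`. The `^` and `$` alternates add nothing, since `\b` already holds at a string edge next to a word character, so the shorter form above is equivalent. How much a hit here costs depends on the KAM_CRIM meta, which is outside the hunk. The page rendering appears to have dropped the replace-tag markers from these regexes (hence the `||` runs and fragments like `Y r my vtm`), so I have reviewed only the plain-text alternatives.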
@@ -5980,7 +5982,7 @@ endif
 #KAM_CRIM_V2
 body __KAM_CRIM2_1 /bit.{0,2}coin/i
 body __KAM_CRIM2_2 /address\:/i
-body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
+body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites|site for adult/is
 meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
 describe KAM_CRIM2 Extortion Email
@@ -6079,6 +6081,9 @@ meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
 meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
+# Redefine WORD_INVIS_MANY to get rid of FPs
+meta WORD_INVIS_MANY ( __WORD_INVIS_2 && ! T_SCC_BODY_TEXT_LINE )
+
 # A pattern seen in subscription-bombings
 describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
 header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
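Review bot: Redefining `WORD_INVIS_MANY` here only takes effect if this file is parsed after the ruleset that originally defines it (presumably the stock SpamAssassin rules; it is not defined anywhere in this diff), because SpamAssassin keeps the last definition it reads, so whether the FP fix is active depends on sa-update channel load order and can flip without anyone noticing. A load-order-independent alternative is a compensating rule, `meta KAM_WORD_INVIS_MANY_FP ( WORD_INVIS_MANY && T_SCC_BODY_TEXT_LINE )` with a score equal and opposite to WORD_INVIS_MANY's, which leaves the stock rule untouched. `T_SCC_BODY_TEXT_LINE` is a `T_`-prefixed test rule not defined in this hunk either; on an install that lacks it, SA warns about the undefined dependency and evaluates it as false, reducing the redefinition to plain `__WORD_INVIS_2`. The comment `# Redefine WORD_INVIS_MANY to get rid of FPs` should name which ruleset defines the original and why this override is expected to win.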
@@ -6263,22 +6268,18 @@ endif #trusted_networks 38.124.232.0/24 # CONTACTS / LISTS -#REPLACED WITH BELOW FOR SINGLE WORD HIT REMOVAL -#header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare|reach qualified buyers|potential prospects|decision maker|reach out|target audience|revenue generation|(potential|reach your) client|Lead list|(list|lead) prospecting|market share/i - -# Modified 3/23/2022 to try and remove FPs in this rule -header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|business professionals|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+/i +header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details/i #title -body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) 
(coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|business development manager/i +body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) gen|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|(leads|business development|BD|Biz.?Dev) manager|cd services|data intelligence specialist/i tflags __KAM_LIST3_2 nosubject #db for sale -body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few 
(examples|samples)|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing/i +body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list/i tflags __KAM_LIST3_3 nosubject #db what -body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) 
(contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted market|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees/i +body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) 
(contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted (criteria|market)|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees|tester file|list of organi[sz]ation/i
 tflags __KAM_LIST3_4 nosubject
 meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
@@ -6351,7 +6352,7 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc
 tflags KAM_DMARC_QUARANTINE net
 reuse KAM_DMARC_QUARANTINE
 describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
- score KAM_DMARC_QUARANTINE 1.5
+ score KAM_DMARC_QUARANTINE 3.0
 header KAM_DMARC_NONE eval:check_dmarc_none()
 priority KAM_DMARC_NONE 500
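Review bot: Doubling `KAM_DMARC_QUARANTINE` to 3.0 makes one DMARC-quarantine failure worth most of the default 5.0 threshold, and the classic false positive for this signal is indirect mail flow — mailing lists that rewrite the body (breaking DKIM) and forwarders (breaking SPF) for senders whose domain publishes `p=quarantine`; that trade-off should be stated in the commit before the score ships. The `describe` text is also misleading: DMARC fails only when neither aligned SPF nor aligned DKIM passes, not whenever "DKIM has Failed or SPF has failed", assuming `check_dmarc_quarantine()` implements the standard evaluation (its `header` line is outside this hunk). Suggested: `describe KAM_DMARC_QUARANTINE DMARC failed (no aligned SPF or DKIM pass) and the From domain publishes p=quarantine`.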
@@ -6383,6 +6384,14 @@ ifplugin Mail::SpamAssassin::Plugin::Dmarc
 score KAM_DMARC_NONE_TRUNCATE -0.25
 tflags KAM_DMARC_NONE_TRUNCATE net nice
 reuse KAM_DMARC_NONE_TRUNCATE
+
+ header __KAM_FROM_RAPTORSRV From:addr =~ /\@server\d+\.raptoremailsecurity\.com$/i
+ meta KAM_FROM_RAPTOR_DMARCFAIL ( __KAM_FROM_RAPTORSRV && KAM_DMARC_QUARANTINE )
+ describe KAM_FROM_RAPTOR_DMARCFAIL Email from Raptor servers with DMARC failure
+ score KAM_FROM_RAPTOR_DMARCFAIL 5.0
+ priority KAM_FROM_RAPTOR_DMARCFAIL 500
+ tflags KAM_FROM_RAPTOR_DMARCFAIL net
+
 endif
 endif
 endif
@@ -7012,7 +7021,7 @@ describe KAM_URGENT Urgent Scams
 score KAM_URGENT 7.5
 #INVESTMENT
-header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
+header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent\b|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
 #looking/why
 body __KAM_INVEST2 /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance|investment officer/i
 #money/deal
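Review bot: `KAM_FROM_RAPTOR_DMARCFAIL` is a site-specific rule — it keys on Raptor's own `serverN.raptoremailsecurity.com` sender addresses — scored 5.0 in the general channel, yet unlike the other Raptor-specific rules in this file it is not wrapped in `ifplugin Mail::SpamAssassin::Plugin::RaptorOnly`; for every other installation it is dead weight at best, and if `raptoremailsecurity.com` does not publish `p=quarantine` it can never fire anywhere, since it requires `KAM_DMARC_QUARANTINE`. Either guard it with the RaptorOnly plugin or state the assumption beside it, e.g. `# Raptor outbound servers always pass DMARC; a quarantine-policy failure on this From means the address is forged (needs p=quarantine on raptoremailsecurity.com)`. The neighbouring DMARC rules carry `reuse` next to `tflags net` and this one does not; if that omission is deliberate it deserves a word, since it changes how mass-check treats the network result.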
@@ -7054,12 +7063,12 @@ describe KAM_CELEB Celebrity Health Scams score KAM_CELEB 4.5 #additional Freemail domains -freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com windstream.net list.ru +freemail_domains my.com mediacombb.net tutanota.com mega.nz ntlworld.com windstream.net list.ru docomo.ne.jp terra.com.br interia.pl #BEAL AND SIMILAR IMPERSONATOR ifplugin Mail::SpamAssassin::Plugin::RaptorOnly - replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis) + replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Daram Van Oers|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. 
Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee) replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3 
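Review bot: Style: the three new names `Mitchell Forbes|Kate Syson|Bryan Plumlee` are appended to a `KAM_BEAL_NAMES` tag that already carries dead alternatives under the case-insensitive `__KAM_BEAL3` (`/…/i`) it is spliced into — `gino renne` duplicates `Gino Renne`, and `Geoff White` is fully covered by `Geoff(rey)? White`. Because `replace_tag` expands into a single regex run on every body scan, each redundant alternative costs matching time for zero additional detection; prune the duplicates in the same change that extends the list, and keep the list in one case so this does not recur.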
@@ -7071,11 +7080,9 @@ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly body __KAM_BEAL3 //i body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+)/i # Task - # have a moment removed 4/4 - body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|drop) your (phone )?number|(reply me with|confirm|drop|need) your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor/i + body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right 
now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|personal (email|text phone|cell|number)|(leave|drop) your (phone )?number|(reply me with|confirm|drop|need) your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|confirm your mobile/i # question / privacy - # as soon as you can removed 4/4 - body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la 
confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt reply|laryngitis/i + body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt reply|laryngitis|as soon as you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done/i # oddlang body __KAM_BEAL6 /sent from my mail|depuis mon smartphone/i 
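Review bot: The new `confirm your mobile` alternative at the end of `__KAM_BEAL4` is dead: the existing `(reply me with|confirm|drop|need) your (mobil|cell)` in the same rule already matches that text, and adding `drop` to the leading `(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)` group overlaps the same alternative for `drop your cell` / `drop your mobile`. A sub-rule is one hit however many alternatives fire, so these only add scan cost; remove `confirm your mobile` and keep `drop` in a single group. If the intent was to catch a phrasing the existing group misses (e.g. `drop your text`), a comment saying which one would justify the overlap.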
@@ -7411,15 +7418,15 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif #HTML ATTACHMENTS WITH FUNCTIONS AND EVALS -rawbody __GB_JS_UNESCAPE /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape)/ -rawbody __GB_JS_FUNCTION /(?:\=|\:)"?(?:function|eval)\(/ -rawbody __GB_JS_OBFU /script\s+src="?\&\#x|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=/ -meta GB_BADJS ( ( __GB_JS_UNESCAPE || __GB_JS_FUNCTION || __GB_JS_OBFU ) && ( T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) ) +rawbody __GB_JS_UNESCAPE /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape|decodeURIComponent)|\=unescape\(.{1,10}\;document\.write|\=\s+atob\(/ +rawbody __GB_JS_FUNCTION /(?:\=|\:)"?(?:function|eval)\(/ +rawbody __GB_JS_OBFU /(?:script\s+src|onload)="?\&\#x|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=|window\.(?:location|href)/ +meta GB_BADJS ( ( __GB_JS_UNESCAPE || __GB_JS_FUNCTION || __GB_JS_OBFU ) && ( __KAM_SHTML_ATTACH || T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) ) describe GB_BADJS Bad html attachment score GB_BADJS 4.0 #HTML FORM ATTACHED -rawbody __GB_HTML_FORM /form\s+(?:method\=.{1,10})?\s+action\=/i +rawbody __GB_HTML_FORM /\rder d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan activated|protection alert/i +header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renew(al|ing) (id|service) \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|rder d|IN(\-|_)VOICE (Number|ID)|Product 
Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan (upgraded|activated)|protection alert|order process|payment success|renewal complete/i header __KAM_FAKE_NORTON1A To =~ /norton|billing\@geeksquad/i -header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt/i +header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt|account.?team/i #Fuzzy Prod -body __KAM_FAKE_NORTON2 /NRTN(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|NrtN.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? 
Inc|Gk\s+squd|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection/mi +body __KAM_FAKE_NORTON2 /NRTN(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|NrtN.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? 
Inc|Gk\s+squd|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection|norton membership|antvrus \(?ultimate|Subscription Plan|geek standard upfront|Select Powerful Protection|cA\&fnof\;ee|Fee Subscription|PC Guard Protection/mi #Oddlang -body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issue with the transaction|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|discunt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order/i +body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service 
board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issues? with (your order|the transaction)|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|discunt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order|within the next two hour|payment network regulation|open a dispute/i tflags __KAM_FAKE_NORTON3 nosubject #Order body __KAM_FAKE_NORTON4 /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is paced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear|renewed your product/i 
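Review bot: In the new `__GB_JS_UNESCAPE` alternative `\=\s+atob\(` the `\s+` is mandatory, so the compact `x=atob(` form that minified or obfuscated HTML attachments usually emit is not matched, while the sibling alternatives in the same rule make the whitespace optional with `(?:\s+)?`; change it to `\=(?:\s+)?atob\(`. The `window\.(?:location|href)` addition to `__GB_JS_OBFU` is common in benign HTML and only stays safe because the `GB_BADJS` meta still gates on an attachment indicator (`__KAM_SHTML_ATTACH`, `T_HTML_ATTACH`, `T_OBFU_HTML_ATTACH`, `UNICODE_OBFU_ASC`), so that gate must not be relaxed later without revisiting this token. The tail of this hunk (the `__GB_HTML_FORM` change) and the start of the following `__KAM_FAKE_NORTON1` hunk are garbled in this rendering, so I could not review them.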
@@ -7986,7 +7993,14 @@ header __KAM_FROM_SPAM_FEB23 From =~ /SEO Rose|Diabacore|Cholibrium|Brain.?Savi
 header __KAM_FROM_SPAM_MAR23 From =~ /Ukranian.?girls|feel.?good.?knee|fiber.?warning|septi.?fix|elongation.?secret|liver.?warning|Health.?Teamz|Blisterol/i
-meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 >= 1)
+header __KAM_FROM_SPAM_APR23 From =~ /Fat.?loss.?trick|paid.?clinical.?stud|reduce.?wrist.?pain|Compression.?Sock|mystery.?shopper|carshield|prostate.?911|sonovive|\@avogtal\.|homedepotpromotions|ukranian.?girls|liver.?health/i
+
+header __KAM_FROM_SPAM_MAY23 From =~ /Get.?prostate|mr.?.?lean.?belly|pain.?trigger|homedepotpromo|lume.?deodorant|hemp.?gummies|ninja.?offers|obamacare.?rate|brain.?news|joint.?support|lepticell/i
+
+header __KAM_FROM_SPAM_JUN23 From =~ /ukrainian.?(wom[ae]n|single)|brain.?fortify|attorney.?for.?cancer|enence.?translator|tac.?right.?mini.?saw|walk.?in.?bath|care.?soles|hip.?flexor|prodentim/i
+
+
+meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 >= 1)
 describe KAM_FROM_SPAM From Indicates a Product Spam
 score KAM_FROM_SPAM 6.75
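Review bot: `KAM_FROM_SPAM` fires at 6.75 on a single `From` hit (`>= 1`), and the new buckets add tokens that are names of real merchants rather than spam-only phrases — `carshield` in `__KAM_FROM_SPAM_APR23` and `lume.?deodorant` in `__KAM_FROM_SPAM_MAY23` — so opted-in marketing from those brands would clear the default 5.0 threshold on the sender name alone. Keep brand tokens in a separate, lower-scored subrule, or require corroboration (a FREEMAIL or URI hit) before the full score. Two of the new alternatives are also dead weight: `ukranian.?girls` (APR23) duplicates MAR23's case-insensitive `Ukranian.?girls`, and `homedepotpromo` (MAY23) already matches everything `homedepotpromotions` (APR23) does; since the month buckets are summed, the duplicates add nothing but scan time.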
@@ -8024,7 +8038,7 @@ if (version >= 4.000000)
 # +1 (123) 123-4567
 # 441 (123) 123-4567 (44 is the hex of the + char, tesseract(1) could convert the '+' sign this way
 # spaces, + sign, parenthesis and spaces are optional
- body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:\s|,|\^|!|_)?[(|{|\[]?[0-9]{3}[)|}|\]]?[-\s\.\*_~,:!_\xe2\x88\x92]?[0-9]{3}[-\s\.\*_~,"!_\xe2\x88\x92\(]{1,3}?[0-9]{4,6})\b', '127.0.1.16')
+ body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '\b(?:\+|4{2})?(?:\s)?(?:[0-9]{1,2})?((?:(\s|,|\^|!|_|\.){1,2})?[(|{|\[]?[0-9]{3}[)|}|\]]?(?:(\-|\s|\.|\*|_|~|,|:|!|_|\xe2\x88\x92){1,2})?[0-9]{3}(?:(\-|\s|\.|\*|_|~|,|"|!|_|\xe2\x88\x92){1,3})?[0-9]{4,6})\b', '127.0.1.16')
 # slow regexp
 # body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '(?:\*+|\b)(?:\+|4{2})?(?:[\s\*]+)?(?:[0-9]{1,2})?((?:[\s,\^\*]+)?[(|{|\*+]?[0-9]{3}[)|}|\*+]?(?:[-\s\.\*_~,:\*]+)?[0-9]{3}(?:[-\s\.\*_~,"]+)?[0-9]{4,6})(?:\*+|\b)', '127.0.1.16')
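Review bot: The rewritten separator groups in `GB_PHONE_RBL` — `(\s|,|\^|!|_|\.)`, `(\-|\s|\.|\*|_|~|,|:|!|_|\xe2\x88\x92)` and the `"` variant — are capturing, which puts three extra capture groups inside the outer group that `check_hashbl_bodyre` appears to hash as the lookup key; if the plugin reads only the first capture this is harmless, but it should be made explicit with non-capturing groups, e.g. `(?:\s|,|\^|!|_|\.){1,2}` and `(?:\-|\s|\.|\*|_|~|,|:|!|\xe2\x88\x92){1,2}`. The `_` alternative is also listed twice in the second and third groups. I read the move from character classes to alternation as deliberate so that the three-byte `\xe2\x88\x92` (U+2212 minus) is matched as one unit rather than as three class members; a one-line comment saying so would stop the next reader from "simplifying" it back into a class.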
@@ -8272,23 +8286,23 @@ endif
 #FAKE PAYROLL UPDATE
 #subj
-header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D-?D (pay|information|update)|change of account|^\s$/i
+header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) (update|review)|update info|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(pay|information|update|request)|change of account|Demand Change|^\s$|DD[\- ]*Authorization|Change|help needed|new account|account (change|update)|payroll adjustment|request? for (change|update)|have a request/i
 #urg
-body __KAM_FAKE_PAY_UPDATE2 /before the next payroll|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay date|Inactive in a few day|right away|on-?time for any ongoing|what data is required/i
+body __KAM_FAKE_PAY_UPDATE2 /before the (current|next) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|current pay cycle|next pay (run|date)|Inactive in a few day|right away|on-?time for any ongoing|what data is required|urgent help|next salary|forthcoming payroll|effective on payday|effect for next pay|made right now|closed in (a )?few day|for the current pay/i
 tflags __KAM_FAKE_PAY_UPDATE2 nosubject
 #task
-body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) my (ACH|bank(ing)?|paycheck) (info|account)|new bank(ing)? 
info|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank|account needs to be updated|change in my ACH/i
+body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) my (ACH|bank(ing)?|DD|paycheck) (direct.?deposit|info|account)|new bank(ing)? (details|info)|change the account on my pay|direct.?deposit\s+information|change my payroll|account information be change|update my bank|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change my direct deposit/i
 tflags __KAM_FAKE_PAY_UPDATE3 nosubject
 #sigonly/freemail
 meta KAM_FAKE_PAY_UPDATE ( FREEMAIL_FROM + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4)
 describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam
-score KAM_FAKE_PAY_UPDATE 6.0
+score KAM_FAKE_PAY_UPDATE 8.0
 meta KAM_FAKE_PAY_UPDATE_LOW FREEMAIL_FROM && ( __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 2) && ! KAM_FAKE_PAY_UPDATE
 describe KAM_FAKE_PAY_UPDATE_LOW Likely a fake ACH/Payroll Scam (Lower Confidence)
-score KAM_FAKE_PAY_UPDATE_LOW 4.5
+score KAM_FAKE_PAY_UPDATE_LOW 6.5
 #ENCRYPTED PAYLOAD
 uri __KAM_ENCRYPTED_LIVE1 /onedrive\.live\.com/i
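Review bot: The bare `|Change|` alternative added to `__KAM_FAKE_PAY_UPDATE1` matches any Subject containing that word under `/i`, and with `KAM_FAKE_PAY_UPDATE_LOW` raised to 6.5 a freemail sender needs only that plus one body phrase such as `right away` to clear the default 5.0 threshold — "Subject: meeting time change" with "I'll send it right away" is now spam. The specific alternatives already in the rule (`account (change|update)`, `request? for (change|update)`, `Demand Change`) cover the scam phrasing, so drop the bare word, and consider the same for `new account` and `help needed`. If the LOW variant is meant as a soft signal its score should stay below the spam threshold; at 6.5 it is a second hard rule that triggers on a two-of-three match.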
@@ -8415,19 +8429,19 @@ score KAM_TRADEBOT 9.0 #BIDDING/ESTIMATING #NAMES -body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC/i +body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating/i header __KAM_BIDEST1B From =~ /bidding|estimat/i -header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|CSI(\b|$)/i +header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)/i #MORE INFO -body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? 
service|forward us the bid|quote on your project|sample (take.?off|estimate)|complimentary detail from|send us the drawing/i +body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|sample (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples/i #TITLE -body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation company/i +body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation company|head of business devel|estimating service|estimator|project +manager/i #OBFU body __KAM_BIDEST4 /(dot)/i meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + __KAM_BIDEST3 + (__KAM_BIDEST4 + FREEMAIL_FROM >=1) >= 3 ) describe KAM_BIDEST Bidding and Estimating Spam -score KAM_BIDEST 6.5 +score KAM_BIDEST 7.5 #FAKE BILL header __KAM_FAKE_BILL1 From:name =~ /alert/i 
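Review bot: The bare `estimator` alternative added to `__KAM_BIDEST3` already covers `(senior|certified) estimator` earlier in the same regex, and `define estimating LLC` added to `__KAM_BIDEST1A` is already matched by `define estimating,? LLC`, so both additions are dead alternatives that only make the patterns longer to read. `project +manager` is also a very common legitimate title and now contributes one of the three groups `KAM_BIDEST` (raised to 7.5) needs; keeping that subrule to the vendor-specific wording would be safer, or at least write `project\s+manager` so the spacing matches the `take.?off` style used elsewhere in the group. The `#FAKE BILL` group at the end of this hunk continues outside it.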
@@ -8573,12 +8587,15 @@ describe KAM_FAKE_COINBASE2 Fake Coinbase Email score KAM_FAKE_COINBASE2 7.5 #FAKE COINBASE VARIANT 2 -header __KAM_FAKE_COINBASE3_1 From:name =~ /coinbase/i -header __KAM_FAKE_COINBASE3_2 From:addr !~ /(\@\.)coinbase\.com/i + #FP fixed on 4/11 with the From:addr rule thanks to RunBox +replace_rules __KAM_FAKE_COINBASE3_1 + +header __KAM_FAKE_COINBASE3_1 From:name =~ /cnbase/i +header __KAM_FAKE_COINBASE3_2 From:addr !~ /\@(.*?\.)?coinbase\.com/i meta KAM_FAKE_COINBASE3 (__KAM_FAKE_COINBASE3_1 + __KAM_FAKE_COINBASE3_2 >= 2) describe KAM_FAKE_COINBASE3 Fake Coinbase Notice -score KAM_FAKE_COINBASE3 5.0 +score KAM_FAKE_COINBASE3 8.5 #FAKE COINBASE VARIANT 3 body __KAM_FAKE_COINBASE4_1 /Coinbase at risk/i @@ -8726,7 +8743,7 @@ score KAM_PASSEXP 4.5 #IPFS uri KAM_IPFS /(\.|\b|\/)ipfs\.io\/|\/ipfs\/|https?\:\/\/ipfs\./i describe KAM_IPFS Abused Protocol for Distributed Content -score KAM_IPFS 9.0 +score KAM_IPFS 12.0 #PHONESYSTEM #DEAL @@ -8791,8 +8808,8 @@ ifplugin Mail::SpamAssassin::Plugin::RaptorOnly endif #ADVIDS -header __KAM_ADVIDS1 From:addr =~ /\@advid/i -body __KAM_ADVIDS2 /video (production|examples|ads)/i +header __KAM_ADVIDS1 From:addr =~ /\@advid|\@.*advids?\./i +body __KAM_ADVIDS2 /video (production|examples|ads)|design explainer/i uri __KAM_ADVIDS3 /search\?q\=Advids|youtube/i meta KAM_ADVIDS ( __KAM_ADVIDS1 + __KAM_ADVIDS2 + __KAM_ADVIDS3 >= 3) @@ -8815,7 +8832,7 @@ describe KAM_CRYPTOFAKE Fake Crypto Notice score KAM_CRYPTOFAKE 6.5 #EMOJISEX -body __KAM_SEXEMOJI1 /ready 4fun|lets fun|private cam|exciting experiences|very hot|taste me|freaky fantas|hookup|tight pus|tight boob|divorced mom|mature wom[ae]n/i +body __KAM_SEXEMOJI1 /ready 4fun|lets fun|private cam|exciting experiences|very hot|taste me|freaky fantas|hookup|tight pus|tight boob|divorced mom|mature wom[ae]n|bj mom|div0rced|f\*?u\*?c\*?k|sexy on your bed|good fuck/i #EMOJI body __KAM_SEXEMOJI2 /\x{F0}\x{9F}\x{8D}\x{91}|\x{F0}\x{9F}\x{92}\x{8B}/i #URL 
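Review bot: As rendered here the new From:name pattern reads `/cnbase/i`, which can never match the string "coinbase"; since the line is now paired with `replace_rules __KAM_FAKE_COINBASE3_1`, the committed regex presumably contains angle-bracket replace tags that this page's rendering stripped, which is worth confirming against the file because `replace_rules` on a tag-free regex is a no-op and the rule would then never fire. The corrected `From:addr !~ /\@(.*?\.)?coinbase\.com/i` fixes the old `(\@\.)` group, but it is not anchored at the end, so the legitimate-domain exemption is not exact; `\@(?:.*\.)?coinbase\.com$` is, for the bare address that From:addr yields. The `#FP fixed on 4/11` comment lacks a year and will be ambiguous in a later read of the file.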
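Review bot: Raising `KAM_IPFS` to 12.0 makes a single URI match decisive on its own, and the unanchored `\/ipfs\/` alternative matches any URL whose path contains `/ipfs/`, not only gateway hosts, so one documentation or project link now exceeds a default 5.0 threshold with no secondary signal. If the hard score is meant for gateway hosts only, the path-only alternative could be split into a lower-scored `uri __KAM_IPFS_PATH /\/ipfs\//i` and combined in a meta with another signal such as FREEMAIL_FROM. This is a score-only hunk; the `uri KAM_IPFS` line itself is context.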
@@ -8835,7 +8852,7 @@ describe KAM_COPOUT Marketing Emails that copout on the verification score KAM_COPOUT 4.5 #DOMAIN/URI TEST CONCEPT -replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc) +replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan) replace_rules __KAM_BADCALENDLY uri __KAM_BADCALENDLY /https?\:\/\/(www\.)?calendly\.com\/(?:\/|\?|\b|$)/i @@ -8847,11 +8864,19 @@ replace_tag BADYTURIS (?:\@muvisaku) replace_rules __KAM_BADYT uri __KAM_BADYT /https?\:\/\/(www\.)?youtube\.com\/(?:\/|\?|\b|$)/i -replace_tag BADVIMEOURIS (?:446834731|399916650|256117879|clumcreative) +replace_tag BADVIMEOURIS (?:446834731|399916650|256117879|268399852|602066576|179069936|540337372|391568499|clumcreative) replace_rules __KAM_BADVIMEO uri __KAM_BADVIMEO /https?\:\/\/(www\.)?vimeo\.com\/(?:\/|\?|\b|$)/i -meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO >= 1) +replace_tag BADMEDIUMURIS (?:\@webmoneyrevolution) +replace_rules __KAM_BADMEDIUM +uri __KAM_BADMEDIUM /https?\:\/\/(www\.)?medium\.com\/(?:\/|\?|\b|$)/i + +replace_tag BADFIVERRURIS (?:jamshednarayana) +replace_rules __KAM_BADFIVERR +uri __KAM_BADFIVERR /https?\:\/\/(www\.)?fiverr\.com\/(?:\/|\?|\b|$)/i + +meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR >= 1) describe KAM_BADDOMAINURI Blocked domain/uri combo score KAM_BADDOMAINURI 9.0 
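Review bot: As rendered, the new `uri __KAM_BADMEDIUM` and `uri __KAM_BADFIVERR` patterns contain no `<BADMEDIUMURIS>` / `<BADFIVERRURIS>` tag after `medium\.com\/` and `fiverr\.com\/`, so the accompanying `replace_rules` lines would have nothing to expand and `KAM_BADDOMAINURI` would fire at 9.0 on every medium.com and fiverr.com link. The existing calendly and vimeo lines in this and the preceding hunk show the same tag-free form, which suggests the page's rendering stripped the angle-bracket tags rather than the commit omitting them, but the committed file is worth checking. A short comment next to each new `replace_tag` such as `# profile handles seen in spam runs` would explain why these handles are listed.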
@@ -8878,14 +8903,14 @@ score PHP_SCRIPT 2.25 #APPLINK EMAILS uri __KAM_APPLINK1 /\.app\.link/i -meta KAM_APPLINK ( __KAM_APPLINK1 + FREEMAIL_FROM + KAM_BODY_LENGTH_LT_512 >= 3) +meta KAM_APPLINK ( __KAM_APPLINK1 + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3) describe KAM_APPLINK App Link Spams score KAM_APPLINK 4.5 #SEX EXPLICIT GROUPS -header __KAM_SEX_GROUPS1 From:addr =~ /(Anya|sexy)\-.*\@googlegroups\.com/i +header __KAM_SEX_GROUPS1 From:addr =~ /(Anya|sexy|\-x)\-.*\@googlegroups\.com/i uri __KAM_SEX_GROUPS2 /sites\.google\.com/i -body __KAM_SEX_GROUPS3 /(escort (company|job)|sexual needs|sexy lady|sexual?ly fit|fucked hard)/i +body __KAM_SEX_GROUPS3 /(escort (company|job|section)|sexual needs|sexy lady|sexual?ly fit|fucked hard|local hotties|secret community|hq escorts|good fuck|naughty date|male escort)/i meta KAM_SEX_GROUPS ( __KAM_SEX_GROUPS1 + __KAM_SEX_GROUPS2 + __KAM_SEX_GROUPS3 >= 3) describe KAM_SEX_GROUPS Sexually Explicit Spam 
@@ -8904,11 +8929,102 @@ endif #FAKE MCAFEE VARIANT header __KAM_FAKE_NORTON3_1 From:name =~ /Mcafee/i header __KAM_FAKE_NORTON3_2 Subject =~ /payment/i -body __KAM_FAKE_NORTON3_3 /auto.?renew/i -uri __KAM_FAKE_NORTON3_4 /drive\.google\.com\/file/i +body __KAM_FAKE_NORTON3_3 /auto(matic)?.?renew/i +uri __KAM_FAKE_NORTON3_4 /(docs|drive)\.google\.com\/(document|file)\//i -meta KAM_FAKE_NORTON3 (__KAM_FAKE_NORTON3_1 + __KAM_FAKE_NORTON3_2 + __KAM_FAKE_NORTON3_3 + KAM_FAKE_NORTON3_4 + FREEMAIL_FROM >= 4) +meta KAM_FAKE_NORTON3 (__KAM_FAKE_NORTON3_1 + __KAM_FAKE_NORTON3_2 + __KAM_FAKE_NORTON3_3 + __KAM_FAKE_NORTON3_4 + FREEMAIL_FROM >= 4) describe KAM_FAKE_NORTON3 Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices -score KAM_FAKE_NORTON3 6.0 +score KAM_FAKE_NORTON3 8.0 + +#TRACKING REDIR +uri __KAM_TRACKING_REDIR1 /\/tracking\/clicks\?redirect\=/i + +meta KAM_TRACKING_REDIR ( __KAM_TRACKING_REDIR1 >= 1 ) +describe KAM_TRACKING_REDIR Tracking URI with a redirect that is a security risk +score KAM_TRACKING_REDIR 4.5 + +#FAKE SAFE SENDERS LIST +body __KAM_FAKE_SAFESENDER1 /This sender has been verified from the.*safe senders? list/ + +meta KAM_FAKE_SAFESENDER ( __KAM_FAKE_SAFESENDER1 >= 1 ) +describe KAM_FAKE_SAFESENDER Email shows up with a safe sender notice +score KAM_FAKE_SAFESENDER 1.0 + +#CHECKFILE +body __KAM_CHECKFILE1 /(File|Document)\: https?\:\/\/.*\/.{2,5}\/\?/i + +meta KAM_CHECKFILE ( __KAM_CHECKFILE1 >= 1) +describe KAM_CHECKFILE Likely File link abuse +score KAM_CHECKFILE 8.5 + +body __KAM_CHECKFILE2_1 /(See|View|check|check) attach(ment|ed) (document|file)/i + +meta KAM_CHECKFILE2 ( T_OBFU_PDF_ATTACH + __KAM_CHECKFILE2_1 >= 2) +score KAM_CHECKFILE2 8.5 +describe KAM_CHECKFILE2 Likely File Attachment scam + +#BAD MAILBOX RELEASE / FINANCIAL REQUEST +uri __KAM_CONSTANTCONTACT1 /https?\:\/\/\w\d{1,3}\.rs6\.net/i +header __KAM_BAD_RELEASE1 Subject =~ /held messages|financial statement.? 
has been shared/i + +meta KAM_BAD_RELEASE ( __KAM_EDU_FROM + __KAM_CONSTANTCONTACT1 + __KAM_BAD_RELEASE1 >= 3) +describe KAM_BAD_RELEASE Likely bad link abuse +score KAM_BAD_RELEASE 4.5 + +#FAKE TREZOR +header __KAM_FAKE_TREZOR1 from:addr !~ /\@trezor\.io/i +header __KAM_FAKE_TREZOR2 from:name =~ /trezor/i + + #problem +body __KAM_FAKE_TREZOR3 /Ethereum merge|new device paired/i +tflags __KAM_FAKE_TREZOR3 nosubject + #urg +body __KAM_FAKE_TREZOR4 /as soon as possible|lost forever/i + #Trezor +body __KAM_FAKE_TREZOR5 /trezor|satoshi.?labs.?group/i +tflags __KAM_FAKE_TREZOR5 nosubject + #sub +header __KAM_FAKE_TREZOR6 Subject =~ /missing.?funds/i + +meta KAM_FAKE_TREZOR (__KAM_FAKE_TREZOR1 + __KAM_FAKE_TREZOR2 + __KAM_FAKE_TREZOR3 + __KAM_FAKE_TREZOR4 + __KAM_FAKE_TREZOR5 + (__KAM_FAKE_TREZOR8 + __KAM_FAKE_TREZOR6 >= 1) + __KAM_SHORT >= 7) +describe KAM_FAKE_TREZOR Fake Trezor Message +score KAM_FAKE_TREZOR 10.5 + + #confirm +body __KAM_FAKE_TREZOR7 /confirm it was you/i + + #problem +body __KAM_FAKE_TREZOR8 /new (paired )?application|new device paired/i + + #Trezor +header __KAM_FAKE_TREZOR9 Subject =~ /Trezor|Linked\!/i + +meta KAM_FAKE_TREZOR2 (__KAM_FAKE_TREZOR1 + __KAM_FAKE_TREZOR7 + __KAM_FAKE_TREZOR8 + __KAM_FAKE_TREZOR9 + KAM_SHORT >= 5) +describe KAM_FAKE_TREZOR2 Fake Trezor Message +score KAM_FAKE_TREZOR2 7.5 + +#CRYPTODRIVE +header __KAM_CRYPTODRIVE1 Subject =~ /\d hours to withdraw|quickly withdraw|balance has been replenished|withdraw your \+\d|cancell?ed in \d+ hour/i +body __KAM_CRYPTODRIVE2 /bitcoin (earn|min)|automatic bitcoin/i + +meta KAM_CRYPTODRIVE ( __KAM_CRYPTODRIVE1 + __KAM_CRYPTODRIVE2 + FREEMAIL_FROM + __URI_GOOGLE_DRV >= 4 ) +describe KAM_CRYPTODRIVE Likely CryptoCurrency Scam +score KAM_CRYPTODRIVE 6.0 + +#SA_POSTAL +header __KAM_FAKE_SA_POST1 From:addr !~ /\@postoffice\.co\.za/i +header __KAM_FAKE_SA_POST2 From:name =~ /South African Post Office/i + +meta KAM_FAKE_SA_POST ( __KAM_FAKE_SA_POST1 + __KAM_FAKE_SA_POST2 >= 2 ) +describe 
KAM_FAKE_SA_POST Fake Postal Notice +score KAM_FAKE_SA_POST 4.0 + +#FAKE BENEFITS +body __KAM_FAKE_BENEFIT1 /attached/i +body __KAM_FAKE_BENEFIT2 /benefits? enrollment/i + +meta KAM_FAKE_BENEFIT ( __KAM_FAKE_BENEFIT1 + __KAM_FAKE_BENEFIT2 + T_HTML_ATTACH >= 3 ) +describe KAM_FAKE_BENEFIT Likely fake benefit email +score KAM_FAKE_BENEFIT 4.5 #EOF diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf index ca314dd..6471c7a 100644 --- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf +++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_hashbl_settings.cf @@ -1728,6 +1728,7 @@ if (version >= 3.004003) hashbl_acl_freemail operationivy.com hashbl_acl_freemail oplusnet.com hashbl_acl_freemail optician.com + hashbl_acl_freemail optimum.net hashbl_acl_freemail oran.cc hashbl_acl_freemail orange.es hashbl_acl_freemail orange.fr diff --git a/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf b/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf index 1269359..485e3f0 100644 --- a/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf +++ b/kam-updates/kam_sa-channels_mcgrail_com/KAM_urlshorteners.cf @@ -25,6 +25,7 @@ url_shortener 3.ly url_shortener 301.to url_shortener 301url.com url_shortener 307.to +url_shortener 4.fo url_shortener 4ms.me url_shortener 4sq.com url_shortener 4url.cc @@ -247,6 +248,7 @@ url_shortener j.mp url_shortener j2j.de url_shortener jdem.cz url_shortener jijr.com +url_shortener jo.my url_shortener just.as url_shortener k.vu url_shortener k6.kz @@ -316,6 +318,7 @@ url_shortener minurl.fr url_shortener mke.me url_shortener moby.to url_shortener moourl.com +url_shortener mpago.la url_shortener mrte.ch url_shortener msg.sg url_shortener murl.kz @@ -526,6 +529,7 @@ url_shortener surl.it url_shortener t.cn url_shortener t.co url_shortener t.lh.com +url_shortener t.ly url_shortener ta.gd url_shortener takemyfile.com url_shortener tbd.ly
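Review bot: `meta KAM_FAKE_TREZOR` depends on `__KAM_SHORT` while `meta KAM_FAKE_TREZOR2` a few lines below depends on `KAM_SHORT`; only one of these names can be the real rule, and a meta that references an undefined rule is the same class of defect this commit fixes in `KAM_APPLINK` and `KAM_FAKE_NORTON3`, so one of the two lines should be corrected to whichever name the file actually defines (not visible in this hunk). The new negated sender checks `from:addr !~ /\@trezor\.io/i` and `From:addr !~ /\@postoffice\.co\.za/i` have no end anchor, so the legitimate-domain exemption is not exact; `\@trezor\.io$` and `\@postoffice\.co\.za$` match the bare address From:addr yields, and the lower-case `from:addr` differs from the `From:addr` spelling used throughout the file. `KAM_CHECKFILE2` and `KAM_FAKE_BENEFIT` build on `T_OBFU_PDF_ATTACH` and `T_HTML_ATTACH`, sandbox-style `T_` names that a later rules update can rename or drop and thereby silently disable the meta; a comment such as `# depends on T_ rule names from the stock ruleset; re-verify after sa-update` would make that fragility visible. `(See|View|check|check)` in `__KAM_CHECKFILE2_1` repeats `check`, and `__KAM_FAKE_TREZOR8` is used by `KAM_FAKE_TREZOR` before it is defined under the `KAM_FAKE_TREZOR2` group, which works but makes the first meta harder to read.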