r?a\|l?is/i
meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
describe KAM_DIV Use of divs to hide Medical Spams
score KAM_DIV 2.0
#CREDIT SCORE
header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
#Useful Resources for Tags
#https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
#https://www.branah.com/unicode-converter
#look at the encoding type and the charset. For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '
'
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
#renamed to A1, C1, etc. to avoid collissions with stock rules
#Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
#thanks as well to Henrik Krohns
#Write a very broad regex like g.*k.?squ.* and the debug outputs something like G\x{CF}\x{B5}\x{CF}\x{B5}k Squ" Then you can Edit the tag for E1 to add |[\xcf][\xb5]
# replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
#Thanks to Kent Oyer for his review of the replace tags
replace_tag A1 (?:a|\xf0\x9d\x97\xae|\xc3\xa3|\xf0\x9d\x9a\x8a|\xd0\xb0|\xc9\x91|\xce\xb1|\xc3\x81|\@|\xc8\xa6)
replace_tag B1 (?:b|\xce\x92|\xce\xb2|\xf0\x9d\x97\xaf|\xf0\x9d\x9a\x8b|\xd0\x92)
replace_tag C1 (?:c|\xd0\xa1|\xd1\x81|\xf0\x9d\x97\xb0|\xf0\x9d\x9a\x8c)
replace_tag D1 (?:d|\xf0\x9d\x9a\x8d)
replace_tag E1 (?:e|\xd0\xb5|\xc4\x97|\xf0\x9d\x97\xb2|\xf0\x9d\x9a\x8e|\xc3\xaa|\xcf\xb5|\xc3\xab)
replace_tag G1 (?:g|\xf0\x9d\x97\x80)
replace_tag I1 (?:i|\xd1\x96|\xc4\xab|\xce\xb9|\xf0\x9d\x97\xb6|\xf0\x9d\x9a\x92|l|1)
replace_tag K1 (?:k|\xd0\xba)
replace_tag L1 (?:l|i)
replace_tag M1 (?:m|\xca\x8d|\xf0\x9d\x97\xba|\x9b\x96|\xd0\xbc)
replace_tag N1 (?:n|\xf0\x9d\x9a\x97|\xd5\xb8)
replace_tag O1 (?:o|0|\xd0\xbe|\xce\xbf|\xf0\x9d\x97\xbc|\xf0\x9d\x9a\x98|\xd0\x9e|\xc3\xb4)
replace_tag P1 (?:p|\xd1\x80|\xc7\xb7|\xcf\x81|\xf0\x9d\x97\xbd|\xf0\x9d\x9a\x99|\xd0\xa0)
replace_tag R1 (?:r|\xf0\x9d\x97\xbf|\xf0\x9d\x9a\x9b)
replace_tag S1 (?:s|\xd0\x85|\xf0\x9d\x98\x80|\xf0\x9d\x9a\x9c|\xd1\x95)
replace_tag T1 (?:t|\xcf\x84|\xf0\x9d\x98\x81|\xf0\x9d\x9a\x9d)
replace_tag U1 (?:u|\xf0\x9d\x98\x82)
replace_tag V1 (?:v|\xf0\x9d\x96\xb5|\xce\xbd|\xd1\xb5)
replace_tag W1 (?:w|\xf0\x9d\x98\x84|\xf0\x9d\x9a\xa0|\xd1\xa1)
replace_tag Y1 (?:y|\xf0\x9d\x9a\xa2|\&\#7823\;|\xd1\x83)
replace_tag SPACE1 (?: |\xc2\xa0|\xef\xbb\xbf)
#OBFU ONLY
replace_tag A2 (?:[\xf0\x9d\x97][\xae]|[\xc3][\xa3]|[\xf0\x9d\x9a][\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
replace_tag D2 (?:\xf0\x9d\x9a\x8d|\xf0\x9d\x90\x9d)
replace_tag E2 (?:[\xd0][\xb5]|[\xc4][\x97]|\xf0\x9d\x97\xb2|\xf0\x9d\x9a\x8e|[\xc3][\xaa]|[\xcf][\xb5]|[\xc3][\xab]|[\xc3][\xa8]|\xf0\x9d\x90\x9e)
replace_tag K2 (?:[\xd0][\xba])
replace_tag O2 (?:O|\xd0\xbe|\xce\xbf|\xf0\x9d\x97\xbc|\xf0\x9d\x9a\x98|\xd0\x9e|\xc3\xb4|\xf0\x9d\x90\xa8)
replace_tag R2 (?:\xf0\x9d\x97\xbf|\xf0\x9d\x9a\x9b|\xf0\x9d\x90\xab)
replace_tag U2 (?:\xf0\x9d\x98\x82)
replace_tag NUM1 (?:\xf0\x9d\x9f\x8f|\xf0\x9d\x9f\xad)
replace_tag NUM8 (?:\xf0\x9d\x9f\x96)
#NUMBERS
replace_tag N0 (?:0|O|\xf0\x9d\x9f\x8e)
replace_tag N1 (?:1|l|I|\xf0\x9d\x9f\x8a|\xf0\x9d\x9f\xadf)
replace_tag N2 (?:2|\xf0\x9d\x9f\x90)
replace_tag N3 (?:3|\xf0\x9d\x9f\x91)
replace_tag N4 (?:4|\xf0\x9d\x9f\x92)
replace_tag N5 (?:5|\xf0\x9d\x9f\x93)
replace_tag N6 (?:6|\xf0\x9d\x9f\x94)
replace_tag N7 (?:7|\xf0\x9d\x9f\x95)
replace_tag N8 (?:8|\xf0\x9d\x9f\x96)
replace_tag N9 (?:9|\xf0\x9d\x9f\x97)
header __KAM_CREDIT6 Subject =~ /omplmentary (redt|EXPERIAN|Transunion|Equifax)/i
header __KAM_CREDIT7 From =~ /core.?ense/i
replace_rules __KAM_CREDIT6 __KAM_CREDIT7
endif
meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe KAM_CREDIT Credit Score Spams
score KAM_CREDIT 4.5
#LAUNCH PCCC WILD RBL
meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe KAM_CREDIT2 Credit Score Spams
score KAM_CREDIT2 4.5
#OBFUSCATED URI
rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe KAM_OBFURI Obfuscated URI trick
score KAM_OBFURI 4.0
#ADVANCE
header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
body __KAM_ADVANCE2 /Advance Details/i
body __KAM_ADVANCE3 /Pre\-Approved/i
header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i
meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe KAM_ADVANCE Advance Spams
score KAM_ADVANCE 3.5
#PAYPAL NON SPF - FP fixed by Piper Andreas
header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i
meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
describe KAM_PAYPAL1 rampant paypal phishing scams
score KAM_PAYPAL1 16.0
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
#PAYPAL IMPERSONATING MALWARE
body __KAM_PAYPAL2A /paypal/i
body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
describe KAM_PAYPAL2 Malware disguised as a paypal email
score KAM_PAYPAL2 8.0
endif
#PAYPAL PHISH
header __KAM_PAYPAL3A From =~ /paypal/i
header __KAM_PAYPAL3B From !~ /paypal(\.com|\.com\.au|\.co\.uk)?>?$/i
header __KAM_PAYPAL3C Subject =~ /your.paypal.account|Invoice PP|order Confirmation/i
body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information|bitcoin|\d\d hours from today/i
meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_PAYPAL3 8.0
describe KAM_PAYPAL3 Phish disguised as a paypal email
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __GB_OBFU_PHONE
body __GB_OBFU_PHONE /(?:\b|\s)(?:\+(?:\s|\-)?\(|\+?(?:)?(?:\(|\-)?(?:)|[.(]\d\d{1,2}[.)]\s)|contact(?:ing)? us at \d\d |\+\.1\.\s?\.\(\.\d\.\d\.\d\.\)/
meta GB_OBFU_PHONE ( __GB_OBFU_PHONE || __MXG_PHONE_OBFU )
describe GB_OBFU_PHONE Obfuscated phone number
score GB_OBFU_PHONE 4.0
meta GB_OBFU_FREE_PHONE ( GB_OBFU_PHONE && FREEMAIL_FROM )
describe GB_OBFU_FREE_PHONE Obfuscated phone number from a freemail address
score GB_OBFU_FREE_PHONE 1.5
body __GB_PAYPAL_PHONE /(?:\b|\s)(?:\+(?:\s|\-)?\(|\+?(?:)?(?:\(|\-)?(?:)|\d\d|Call-I\(|I\(888\))/
meta GB_PAYPAL_OBFU_PHONE ( ( GB_OBFU_PHONE || __GB_PAYPAL_PHONE ) && ( FUZZY_PAYPAL || FROM_PAYPAL_SPOOF ) )
describe GB_PAYPAL_OBFU_PHONE Paypal email with obfuscated content
score GB_PAYPAL_OBFU_PHONE 0.5
endif
# Thanks to Jim Brandt for the regexp fix
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __GB_FRAUD_PAYPAL
header __GB_TO_ONMICROSOFT_TO To:addr =~ /.{3,32}\.onmicrosoft\.com/
header __GB_YAHOO_ONMICRO_FWD X-Yahoo-Forwarded =~ /\sTo\s.{3,32}\.onmicrosoft\.com/
meta __GB_TO_ONMICROSOFT ( __GB_TO_ONMICROSOFT_TO || __GB_YAHOO_ONMICRO_FWD )
header __GB_TO_TEST_GOOGLE To:addr =~ /\.test\-google\-a\.com/
header __GB_TO_NOREPLY To:addr =~ /(?:\w+\-)?norepla?y.{0,16}\@/
header __GB_TO_PURCHASE To:addr =~ /(?:(?:purchase|confirmed).{0,16}\d+|order.?(?:record|status)(?:\d+)?|pending.?order(?:\d+)?|company|supportupdate\d+)\@/
header __GB_TO_LOCAL_NOVOWEL To:addr =~ /[bcdfgjklmnpqrstvwxz]{6}\S*\@/i
header __GB_FROM_PAYPAL From:addr =~ /\@(?:intl\.)?paypal.com(?:\.au|\.mx)?/
header __GB_FROM_DOCUSIGN From:addr =~ /\@docusign\.net/
header __GB_FROM_ZELLEPAY From:addr =~ /\@zellepay\.com/
header __GB_FROM_BESTBUY From:addr =~ /\@emailinfo\.bestbuy\.com/
header __GB_FROM_ADOBE From:addr =~ /\@adobe(?:sign)?\.com/
header __GB_FROM_YOUSIGN From:addr =~ /\@yousign\.(?:app|com)/
header __GB_FROM_INTUIT From:addr =~ /\@notification\.intuit\.com/
body __GB_PHONE /(?:\+[0-9])?\s?(?:\()?(?:[0-9]{3})(?:\))?\s?(?:[0-9\-]{8,9})/
body __GB_FRAUD_PAYPAL /Fraud\s+Alert||recognize\s+the\s+seller|Quickly\s+inform\s+us|(?:PayPal)(?:Support)?(?:Team)?\s+Immediately|we do\s?n.{1,3}t (?:hear|receive any communication) from you|unauthorized charge|made in error|BTC order|Crypto currency|do.{1,3}t hesitate to contact us immediately|did\s?n.{1,3}t made this order|seconds? for your account to reflect this transaction|Bitcoin|Blockchain/i
endif
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta GB_FAKE_INVOICE ( ( __GB_FROM_PAYPAL || __GB_FROM_DOCUSIGN || __GB_FROM_ZELLEPAY || __GB_FROM_BESTBUY || __GB_FROM_ADOBE || __GB_FROM_YOUSIGN || __GB_FROM_INTUIT ) + ( __GB_TO_ONMICROSOFT || __GB_TO_TEST_GOOGLE || __GB_TO_NOREPLY || __GB_TO_PURCHASE || __GB_TO_LOCAL_NOVOWEL ) + ( __GB_PHONE || GB_OBFU_PHONE ) >= 3 )
score GB_FAKE_INVOICE 5.5
else
meta GB_FAKE_INVOICE ( ( __GB_FROM_PAYPAL || __GB_FROM_DOCUSIGN || __GB_FROM_ZELLEPAY || __GB_FROM_BESTBUY || __GB_FROM_ADOBE || __GB_FROM_YOUSIGN || __GB_FROM_INTUIT ) + ( __GB_TO_ONMICROSOFT || __GB_TO_TEST_GOOGLE || __GB_TO_NOREPLY || __GB_TO_PURCHASE || __GB_TO_LOCAL_NOVOWEL ) + ( __GB_PHONE || GB_OBFU_PHONE ) + __GB_FRAUD_PAYPAL >= 4 )
score GB_FAKE_INVOICE 7.0
endif
describe GB_FAKE_INVOICE Fake Docusign or Paypal invoice
body __GB_BTC1 /\b(?:BTC|Bitcoin)\b/i
meta GB_FAKE_INVOICE_BTC ( GB_FAKE_INVOICE && __GB_BTC1 )
describe GB_FAKE_INVOICE_BTC Fake Docusign or Paypal invoice mentioning Bitcoins
score GB_FAKE_INVOICE_BTC 4.5
header __GB_FROM_ZOHOINVOICE From:addr =~ /\@(?:sender\.zohoinvoice\.com|zohosign\.com)/
meta GB_FAKE_ZOHOINVOICE ( __GB_FROM_ZOHOINVOICE + FREEMAIL_REPLYTO_END_DIGIT + ( __GB_PHONE || GB_OBFU_PHONE ) >= 3 )
describe GB_FAKE_ZOHOINVOICE Fake Zoho invoice
score GB_FAKE_ZOHOINVOICE 3.0
header __GB_FROM_VENMO From:addr =~ /\@venmo\.com/
header __GB_ORG_ONMICROSOFT X-OriginatorOrg =~ /\.onmicrosoft\.com/
meta GB_FAKE_VENMO ( __GB_FROM_VENMO + ( __GB_ORG_ONMICROSOFT || __GB_TO_PURCHASE ) + GB_OBFU_PHONE >= 3 )
describe GB_FAKE_VENMO Fake Venmo invoice
score GB_FAKE_VENMO 3.0
header __GB_FROM_PAYPAL From:name =~ /Paypal/i
header __GB_ENVFROM_PAYPAL From:addr =~ /\@paypal\.com/
meta GB_PAYPAL_BTC_PHONE ( ( __GB_FROM_PAYPAL && !__GB_ENVFROM_PAYPAL ) && __GB_BTC1 && ( __GB_PHONE || GB_OBFU_PHONE ) && MONEY_NOHTML )
describe GB_PAYPAL_BTC_PHONE Paypal scam
score GB_PAYPAL_BTC_PHONE 3.0
body __GB_PAYPAL_INVOICE /Paypal Invoice|Sales receipt/i
meta GB_PAYPAL_BTC_INV ( __GB_PAYPAL_INVOICE && __KAM_PAYPAL2A && __GB_BTC1 && ( __GB_PHONE || GB_OBFU_PHONE ) )
describe GB_PAYPAL_BTC_INV Paypal BTC scam
score GB_PAYPAL_BTC_INV 2.0
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta GB_PAYPAL_SHORT ( ( __GB_FROM_PAYPAL && !__GB_ENVFROM_PAYPAL ) && ( KAM_IFRAME || __KAM_SHORT ) && KAM_RAPTOR_NEW )
describe GB_PAYPAL_SHORT Fake Paypal email with an url shortener
score GB_PAYPAL_SHORT 2.0
endif
ifplugin Mail::SpamAssassin::Plugin::URIDetail
uri_detail GB_INVOICE_GDRIVE cleaned =~ /drive\.google\.com\/uc\?export\=download/ text =~ /pay\s+invoice/i
describe GB_INVOICE_GDRIVE Invoice link to GDrive
score GB_INVOICE_GDRIVE 2.0
uri_detail GB_INVOICE_DROPBOX cleaned =~ /dropbox\.com\/.{3,128}\.html/ text =~ /invoice|receipt/i
describe GB_INVOICE_DROPBOX Invoice link to Dropbox
score GB_INVOICE_DROPBOX 2.0
uri_detail GB_PASS_GTRANSLATE cleaned =~ /\.translate\.goog\// text =~ /same password/i
describe GB_PASS_GTRANSLATE Google Translate service abuse
score GB_PASS_GTRANSLATE 1.5
uri_detail GB_WEBCORE_PASS cleaned =~ /\.web\.core\.windows\.net\// text =~ /same password/i
describe GB_WEBCORE_PASS Windows web core service abuse
score GB_WEBCORE_PASS 1.5
endif
#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i
meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 4)
describe KAM_COMPROMISED Compromised Accounts Sending Spam
score KAM_COMPROMISED 8.25
#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
header __KAM_LIST2A List-ID =~ /^?$/i
header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i
meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
describe KAM_LIST2 Known Bad Groups
score KAM_LIST2 60.0
#LIMITED ACCESS/QUOTA SCAMS - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i
meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe KAM_QUOTA Limited Access / Quota Phishing Scam
score KAM_QUOTA 3.0
# BACKGROUND CHECK SPAM
body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|publicly.available|their name/is
body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header __KAM_BACK4 Subject =~ /background..?check|date\-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|private.eye|investigate.background/i
header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i
describe KAM_BACK Background Check SPAM
meta KAM_BACK ( __KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >= 5 )
score KAM_BACK 4.5
#ARREST RECORD SCAMS
header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i
meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe KAM_ARREST Arrest Record Scams
score KAM_ARREST 5.0
#MORE DIET SCAMS
header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim|dieting/i
header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby|burn stubborn fat|lose weight fast/i
meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe KAM_DIET2 Diet Scams
score KAM_DIET2 5.0
#CIGAR SCAMS
header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header __KAM_CIGAR2 From =~ /Cigar/i
body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i
meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe KAM_CIGAR Cigar Scam Emails
score KAM_CIGAR 6.0
#TK DOMAINS
rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
describe KAM_TK Abuse of .tk domain registrar which offers free domains
score KAM_TK 5.0
#THIRD PARTY / SENT BY XXXX
body __KAM_THIRD /advertisement.{0,12}sent by a third\-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i
#LASIK
header __KAM_LASIK1 From =~ /Lasik/i
header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri __KAM_LASIK4 /lasik\.php/i
meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe KAM_LASIK Lasik Treatment Spams
score KAM_LASIK 4.5
#FAKE NOTIFIES
header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER\-DAEMON|Notifications/i
body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header __KAM_NOTIFY3 From =~ /\.br>/i
meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe KAM_NOTIFY Fake Notifications
score KAM_NOTIFY 4.0
meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe KAM_NOTIFY2 Higher likelihood of fake notification
score KAM_NOTIFY2 3.0
#LANGUAGE
header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i
meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_LANG Language Method Spams
score KAM_LANG 4.5
#FAKE TRACK
header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First\-Class Mail|Express Mail/i
meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe KAM_TRACK Fake Tracking Emails
score KAM_TRACK 3.0
#BACK TO SCHOOL
header __KAM_SCHOOL1 From =~ /Classes/i
header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i
meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SCHOOL School Spams
score KAM_SCHOOL 5.0
#MEMBERS
header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body __KAM_MEMBER3 /(\b|^)dating\b(?! service)|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
#header __KAM_MEMBER6 From =~ /Updat/i
meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe KAM_MEMBER Dating Scams
score KAM_MEMBER 4.5
#MEDICARE
header __KAM_MEDICARE1 From =~ /(Medicare|health.?options|enrollment)/i
header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby\-boomer|save up to|compare.quotes|enrollment.plan/i
body __KAM_MEDICARE3 /medicare.(plan|recipient|annual election)/i
tflags __KAM_MEDICARE3 nosubject
body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe KAM_MEDICARE Medicare Scams
score KAM_MEDICARE 4.0
#BILLS
header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i
meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_BILLS Bill Pay Spams
score KAM_BILLS 4.0
#HOSE
header __KAM_HOSE1 From:name =~ /Pocket Hose|gardening|hydroeasy/i
header __KAM_HOSE1A From:addr =~ /\.(house|co|store)$/i
header __KAM_HOSE2 Subject =~ /(best|garden|expandable) hose|garden(ing)? and lawn|hose is ready|hose gets tangled/i
body __KAM_HOSE3 /(pocket|garden|expandable).hose|(anti|never).kink|FLEX Technology|hydroeasy/i
tflags __KAM_HOSE3 nosubject
meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + (__KAM_HOSE1A + KAM_INFOUSMEBIZ + KAM_SOMETLD_ARE_BAD_TLD + DKIM_INVALID >=1) >= 3)
describe KAM_HOSE Garden Hose Spams
score KAM_HOSE 4.5
#FLEXHOSE
#header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
#header __KAM_FLEXHOSE2 From =~ /hose/i
#body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i
#meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
#describe KAM_FLEXHOSE Product Spam du Jour
#score KAM_FLEXHOSE 3.5
#AV
header __KAM_AV1 From =~ /Norton/i
header __KAM_AV2 Subject =~ /Update now|Are you protected/i
meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_AV Anti-Virus Spams
score KAM_AV 4.0
#MASCARA
header __KAM_MASCARA1 From =~ /smartlash/i
header __KAM_MASCARA2 Subject =~ /mascara/i
body __KAM_MASCARA3 /smartlash/i
meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_MASCARA Make-up Spams
score KAM_MASCARA 4.5
#LAUNCH PCCC WILD RBL
#COLLEGE
header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe KAM_COLLEGE Online Degree/Aid Spams
score KAM_COLLEGE 4.0
#SURVEY
header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
header __KAM_SURVEY2 Subject =~ /win an ipad/i
body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i
meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SURVEY Online Survey Spams
score KAM_SURVEY 4.5
#LAKE
#REMOVED 1/7/2014
#rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe KAM_LAKE Odd spamming engine LAKE signature on URLs
#score KAM_LAKE 0.25
#SNORE
header __KAM_SNORE1 From =~ /snoring|zquiet/i
header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i
meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SNORE Snoring Aid Spams
score KAM_SNORE 4.0
#VACATION
header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i
meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VACATION Vacation Spams
score KAM_VACATION 4.0
#BLOOD PRESSURE
header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
body __KAM_BLOOD5 /Anti\-Aging Expert|worst.food/i
body __KAM_BLOOD6 /Blood pressure/i
meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
describe KAM_BLOOD Blood Pressure Spams
score KAM_BLOOD 4.75
#SCOOTER
header __KAM_SCOOTER1 From =~ /Scooter Store/i
header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
body __KAM_SCOOTER3 /the scooter store/i
meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe KAM_SCOOTER Blood Pressure Spams
score KAM_SCOOTER 4.75
#ANATABLOC
header __KAM_ANATA1 From:name =~ /Anatabloc|joint.?pain/i
header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i
body __KAM_ANATA3 /Doctor (expose|shock|fix)|conglomerates threatening/i
tflags __KAM_ANATA3 nosubject
meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 + __KAM_ANATA3 >= 3)
describe KAM_ANATA Drug Spam
score KAM_ANATA 4.5
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
#BBB Phish
header __KAM_BBB1 From =~ /bbb.org/i
body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above\-referenced complaint/i
body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_BBB Better Business Bureau Phishing
score KAM_BBB 5.0
endif
#PREV MARK
header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]|\[\#+ ?SPAM\]/i
header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
header __GB_M365_SPAM x-forefront-antispam-report =~ /SFV:SPM\;/
meta KAM_MARKADV (__KAM_MARK1 >= 1)
describe KAM_MARKADV Email arrived marked as an Advertisement
score KAM_MARKADV 10.0
meta KAM_MARKSPAM (__KAM_MARK2 >= 1)
describe KAM_MARKSPAM Email arrived marked as Spam
score KAM_MARKSPAM 10.0
meta GB_M365_SPAM ( __GB_M365_SPAM >= 1 )
describe GB_M365_SPAM Email arrived marked as Spam by M365
score GB_M365_SPAM 10.0
meta KAM_MARKVIRI (__KAM_MARK3 >= 1)
describe KAM_MARKVIRI Email arrived marked as Virus
score KAM_MARKVIRI 10.0
#H1QNUM ENGINE
rawbody __KAM_H1QNUM1 /(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri __KAM_H1QNUM3 /\.co\.uk/i
meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
describe KAM_H1QNUM H1 Qnum indicator
score KAM_H1QNUM 4.0
meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
score KAM_H1QNUM2 5.0
#AP
header __KAM_AP1 From =~ /AP/
header __KAM_AP2 Subject =~ /Community & educational development/i
body __KAM_AP3 /American Grants and Loans Catalog/i
meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe KAM_AP American Publishing Spam
score KAM_AP 4.5
#CO.UK
header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
score KAM_COUK 0.15
#FAKE FACEBOOKMAIL
#REAL FB DOMAIN
header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
#SPECIFIC PEOPLE
header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i
meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
score KAM_FACEBOOKMAIL 8.0
#FAKE DHL/FEDEX/ETC
body __KAM_FAKE_DELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address|stored in our local depot|delivery failed/i
header __KAM_FAKE_DELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|(pending|Package) Delivery|package is available for pickup|your.package.(has.)?arrived|attention.please|delivery.(attempt|problem)|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request|parcel is on hold/i
#DHL
header __KAM_FAKE_DELIVER3 From:name =~ /DHL/i
header __KAM_FAKE_DELIVER4 From:addr !~ /dhl\.com/i
body __KAM_FAKE_DELIVER4A /dhl team/i
#FEDEX
rawbody __KAM_FAKE_DELIVER5 /Fed ?ex/i
header __KAM_FAKE_DELIVER6 From !~ /fedex\.com|narvar\.com/i
#USPS
body __KAM_FAKE_DELIVER7 /USPS/i
header __KAM_FAKE_DELIVER8 From !~ /usps\.com/i
#CARGO
body __KAM_FAKE_DELIVER9 /CARGO/
header __KAM_FAKE_DELIVER10 From =~ /shipping|economy|priority/i
#USPS
body __KAM_FAKE_DELIVER11 /DPD/i
header __KAM_FAKE_DELIVER12 From !~ /dpd\.com|dpd\.co\.uk/i
#ODD DELIVERY
uri __KAM_FAKE_DELIVER13 /(cdn\.discordapp\.com|wp\-conten|wp\d+\.server|onedrive\.live\.com)/i
body __KAM_FAKE_DELIVER13A /open the enclosed receipt|print the receipt/i
meta KAM_FAKE_DELIVER (__KAM_FAKE_DELIVER1 + __KAM_FAKE_DELIVER2 + ((__KAM_FAKE_DELIVER3 + __KAM_FAKE_DELIVER4 + __KAM_FAKE_DELIVER4A >= 2) + (__KAM_FAKE_DELIVER5 + __KAM_FAKE_DELIVER6 >= 2) + (__KAM_FAKE_DELIVER7 + __KAM_FAKE_DELIVER8 >= 2) + (__KAM_FAKE_DELIVER11 + __KAM_FAKE_DELIVER12 >= 2) + (__KAM_FAKE_DELIVER9 + __KAM_FAKE_DELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKE_DELIVER13 + __KAM_FAKE_DELIVER13A >= 1) >= 3)
describe KAM_FAKE_DELIVER Fake delivery notifications
score KAM_FAKE_DELIVER 6.25
meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKE_DELIVER4 && __KAM_FAKE_DELIVER6 && __KAM_FAKE_DELIVER8) >= 3)
score KAM_REALLY_FAKE_DELIVER 2.5
describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications
#SOLAR POWER
header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
header __KAM_SOLAR2 Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe KAM_SOLAR Solar Power Spams
score KAM_SOLAR 1.0
meta KAM_SOLAR_HIGH (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe KAM_SOLAR_HIGH Definite Solar Power Spams
score KAM_SOLAR_HIGH 2.5
#ASIAN BRIDE
header __KAM_ASIAN1 Subject =~ /(Chinese|Asian) (girl|Lad|Bride)|heart?beat when seeing her|such a beauty/i
body __KAM_ASIAN2 /Adoring Asian|(\d\+|thousands of) Asian (women|Girls)|Asian Girlfriend|pics of hot|date an? asian|chat and cam/i
header __KAM_ASIAN3 From =~ /asian/i
meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe KAM_ASIAN Asian Bride/Dating Spams
score KAM_ASIAN 3.5
#DR OZ SPAM
header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i
#meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe KAM_OZ Fake Dr. Oz Spam's
#score KAM_OZ 3.5
#STUDENT LOAN
header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i
meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
describe KAM_STUDENT Student Loan Forgiveness Spams
score KAM_STUDENT 4.0
#TIP
header __KAM_TIP1 From =~ /Beauty Tips/i
header __KAM_TIP2 Subject =~ /Dark\-Circles|undereye bags/i
body __KAM_TIP3 /undereye bags/i
body __KAM_TIP4 /Find Out This Quick New Trick/i
meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe KAM_TIP Beauty Tip Spams
score KAM_TIP 4.3
#WhatsApp
header __KAM_WHATS1 From =~ /WhatsApp/i
header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
body __KAM_WHATS3 /WhatsApp/
meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe KAM_WHATS WhatsApp Spams
score KAM_WHATS 3.0
#QTJars
header __KAM_QTJARS1 From =~ /qtjar/i
header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
body __KAM_QTJARS3 /qtjars/
body __KAM_QTJARS4 /private message/
meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe KAM_QTJARS QTJars Spams
score KAM_QTJARS 3.0
#GOOGLE DOCS PHISH
# view the agreement.
body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
rawbody __KAM_GOOGLEPHISH2 /http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i
meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe KAM_GOOGLEPHISH Google Login Phishing Scam
score KAM_GOOGLEPHISH 5.0
#POLITICAL SPAM
header __KAM_POLY1 Subject =~ /Barack Obama/i
body __KAM_POLY2 /The End of Barack Obama/i
meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
describe KAM_POLY Political Spams
score KAM_POLY 3.0
#MAID
header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
header __KAM_MAID2 From =~ /Maid|Housekeeper/i
body __KAM_MAID3 /Pre\-Screened Housekeepers|local.maid/i
meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe KAM_MAID Maid Service Spams
score KAM_MAID 3.0
#TUB
header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i
meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe KAM_TUB Tub Spams
score KAM_TUB 4.0
#OBFUSCATE PORN
header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header __KAM_OBF8 Subject =~ /X.X.X/
meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 4.0
meta KAM_OBF (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 2.0
#SHARK TANK
header __KAM_SHARKTANK_SUBJ Subject =~ /shark tank/i
body __KAM_SHARKTANK_BODY /shark tank/i
meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
score KAM_SHARKTANK 1.0
describe KAM_SHARKTANK Mentions Shark Tank
rawbody __KAM_SHARKPROD /high blood pressure|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
score KAM_SHARKPROD 5.0
describe KAM_SHARKPROD Shark Tank Spam
#ICU TLD PROBLEMS
header __KAM_ICUTLD_FROM From:addr =~ /\.icu$/i
uri __KAM_ICUTLD_URI /\.icu($|\/)/i
meta KAM_ICU_BAD_TLD (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI) >= 1
describe KAM_ICU_BAD_TLD .icu TLD Abuse
score KAM_ICU_BAD_TLD 2.0
#HAIR LOSS / GREYING / REMOVAL
header __KAM_HAIR1 Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i
rawbody __KAM_NEWSLETTER /Newsletter<\/title>/i
meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
describe KAM_HAIR Hair Loss / Removal Spams
score KAM_HAIR 4.5
#TRIAL
body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i
#UNSUB
body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i
meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe KAM_UNSUB Completely ridiculous unsubscribe text found
score KAM_UNSUB 5.0
#MAINTENANCE / Email Phish Scams
body __KAM_EMAILPHISH1 /Please login to complete update process/i
meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
describe KAM_EMAILPHISH Email Phishing Scams
score KAM_EMAILPHISH 3.5
#MASSMAILER ERRORS
header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i
meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
describe KAM_MASSERROR Error in usage of a mass mailing software
score KAM_MASSERROR 2.0
#CAR DEAL SPAMS
header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i
meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe KAM_CARDEAL Car Deal Spams
score KAM_CARDEAL 3.0
#Quick Sale Scams
header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
header __KAM_HOMESALE2 From =~ /Fastcash/i
body __KAM_HOMESALE3 /Cash Offer for Your Home/i
meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe KAM_HOMESALE Home Sale Spams
score KAM_HOMESALE 3.5
#ADVERTISEMENTS FOR LOANS
header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif
meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe KAM_LOAN Payday and other loan spams
score KAM_LOAN 4.5
#HANGOVER SPAM
header __KAM_HANGOVER1 Subject =~ /hangover patch/i
header __KAM_HANGOVER2 From =~ /hangover/i
body __KAM_HANGOVER3 /hangover patch/i
meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe KAM_HANGOVER Hangover Patch Spams
score KAM_HANGOVER 3.5
#RX PLAN SPAM
header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body __KAM_RXPLAN3 /gap coverage/i
meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe KAM_RXPLAN Rx Plan Spams
score KAM_RXPLAN 3.5
#SIDE SOCKET
header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header __KAM_SOCKET2 From =~ /side.?socket/i
body __KAM_SOCKET3 /side socket/i
meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe KAM_SOCKET Product Spam du Jour
score KAM_SOCKET 3.5
#TESTOSTERONE
header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low\-T|for.men/i
body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i
meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe KAM_TESTOSTERONE Product Spam du Jour
score KAM_TESTOSTERONE 4.5
#PET
header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i
meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe KAM_PET Insurance and other pet-related spam
score KAM_PET 4.5
meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe KAM_PET2 Even more likely insurance and other pet-related spam
score KAM_PET2 3.5
#COBRA
header __KAM_COBRA1 Subject =~ /Cobra Health/i
header __KAM_COBRA2 From =~ /Cobra|Health/i
body __KAM_COBRA3 /find cobra health/i
meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe KAM_COBRA Cobra Insurance Spam
score KAM_COBRA 3.5
#Discount Air
header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header __KAM_DISCAIR2 From =~ /Discount Air/i
body __KAM_DISCAIR3 /Fly Cheap in Business Class/i
meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe KAM_DISCAIR Discount Airfare Spam
score KAM_DISCAIR 3.5
#PEST
header __KAM_PEST1 Subject =~ /pes?t control system/i
header __KAM_PEST2 From =~ /Riddex|pest/i
body __KAM_PEST3 /revolutionary pes?t control system/i
meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe KAM_PEST Spam for Pest Control
score KAM_PEST 3.5
#PROPHET
header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
header __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues|spiritualisraelnumber\d|TheLeastOfThese\d/i
body __KAM_PROPHET3 /Dear Christian Friend|revelation \d+\:/i
body __KAM_PROPHET4 /Christian ?Media\*? ?(Daily|Ministry|Prophecy)|spiritualisraelnumber\d/i
body __KAM_PROPHET5 /prophecy|rapture/i
meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
describe KAM_PROPHET Spam for Prophecy
score KAM_PROPHET 8.5
#HEART
header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i
meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
describe KAM_HEART Spam for Heart Attack prevention
score KAM_HEART 4.5
#JOINT
header __KAM_JOINT1 Subject =~ /joint relief/i
header __KAM_JOINT2 From =~ /Tfx/i
body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body __KAM_JOINT5 /free bottle/i
meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
describe KAM_JOINT Joint relief Spam
score KAM_JOINT 4.0
#REHAB
header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i
meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
describe KAM_REHAB Rehab Spam
score KAM_REHAB 3.0
#HAIRTRANS
header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i
meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe KAM_HAIRTRANS Spam for Hair Restoration
score KAM_HAIRTRANS 3.5
meta KAM_HAIRTRANS2 (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration
score KAM_HAIRTRANS2 2.0
#OUR GIFT
body __KAM_GIFTCERT1 /Our gift to you/i
body __KAM_GIFTCERT2 /\$\d+ gift certificate/i
header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i
meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
score KAM_GIFTCERT 1.5
describe KAM_GIFTCERT Gift Certificate Spams
#TIRES
header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
header __KAM_TIRES2 From =~ /Tire/i
body __KAM_TIRES3 /savings on tire|new tires/i
meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3)
describe KAM_TIRES Spam for Tires
score KAM_TIRES 3.0
#SLICEOMATIC
header __KAM_SLICEOMATIC1 Subject =~ /Slice\-O\-Matic|Precision Cutting Blade/i
header __KAM_SLICEOMATIC2 From =~ /Slice\-o\-matic/i
body __KAM_SLICEOMATIC3 /Slice\-o\-matic/i
meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3)
describe KAM_SLICEOMATIC Spam for Kitchen Tools
score KAM_SLICEOMATIC 3.0
#FINDYOURWINDOWS AND OTHER WINDOW SPAM
header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i
meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
describe KAM_WINDOWS Spam for House Windows
score KAM_WINDOWS 4.5
#EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
#POISON PILL
uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i
meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1)
describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com
score KAM_EMMAPP_WEB_COM 20.0
#NEW CREDIT CARD
header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i
meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
describe KAM_NEW_CREDITCARD Spam for new credit cards
score KAM_NEW_CREDITCARD 4.0
#WEIRD GERMAN SPAM
header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i
meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam
score KAM_GERMAN_BUSINESS_CONTACTS 3.0
#WEIRD SENIOR DATING SPAM
header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i
meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1)
describe KAM_SENIOR_DATING Senior dating spam
score KAM_SENIOR_DATING 2.0
#NEWS!
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe KAM_NEWS Forged Emails with NEWS!
score KAM_NEWS 9.0
#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif
#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i
#FAKE AT&T
#header __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score KAM_FAKE_ATT 3.0
#YOU HAVE BEEN CHOSEN
header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header __KAM_CHOSEN2 From =~ /marketing|invitation/i
body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score KAM_CHOSEN 2.0
#JURY DUTY AND OTHER FAKE COURT NOTICES
header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header __KAM_JURY3 From !~ /\.gov/i
body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score KAM_JURY 8.0
#BITCOIN
header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header __KAM_BITCOIN3 From =~ /bitcoin/i
meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score KAM_BITCOIN 4.5
#RELIGIOUS
header __KAM_RELIGION1 Subject =~ /Christian Media/i
header __KAM_RELIGION2 From =~ /Bible Prophecy/i
body __KAM_RELIGION3 /Dear Christian|Christian Media/i
meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score KAM_RELIGION 2.5
#BUSINESS PHONE
header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header __KAM_BUSINESSPHONE2 From =~ /business phone/i
body __KAM_BUSINESSPHONE3 /business phone system/i
meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score KAM_BUSINESSPHONE 5.5
#NUMEROLOGY
header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header __KAM_NUMEROLOGY2 From =~ /Numerology/i
body __KAM_NUMEROLOGY3 /Control your destiny/i
meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score KAM_NUMEROLOGY 3.5
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
#VOICEMAIL SPAM
header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
endif
#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score KAM_SPAMFORSPAM 5.5
#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score KAM_NEUROLOGICAL 3.5
#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags __KAM_LOTSOFHASH multiple maxhits=10
meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score KAM_LOTSOFHASH 0.25
#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score KAM_GRABBAG1 3.5
#TV DOCTOR TRASH
header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR Spam for TV doctor stuff
score KAM_TVDOCTOR 3.5
# 1-800-DENTIST
header __KAM_DENTIST1 Subject =~ /dentist/i
header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
body __KAM_DENTIST3 /Find a dentist/i
meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST Spam for 1-800-DENTIST
score KAM_DENTIST 3.5
# GOLD AND DIAMOND JEWELRY
header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
header __KAM_JEWELRY2 From =~ /bluestone.com/i
meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
score KAM_JEWELRY 3.5
# PSSST, WANNA BUY SOME POT
body __KAM_MARIJUANA1 /marijuana|cannabis/i
body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i
meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA Spam pertaining to marijuana
score KAM_MARIJUANA 3.5
meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score KAM_MARIJUANA2 8.0
describe KAM_MARIJUANA2 Definitely spam for marijuana
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# EVICTION NOTICE
header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_EVICTION Malware disguised as eviction notice
score KAM_EVICTION 4.5
endif
# WALK IN TUBS
header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body __KAM_WALKINTUB3 /walk.?in.?tub/i
meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score KAM_WALKINTUB 3.5
# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i
meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score KAM_EMAILQUESTION 3.5
# BECOME BEYOND SUPERHUMAN / SUPERMAN
header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i
meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score KAM_SUPERHUMAN 8.0
# VALENTINES
header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score KAM_VALENTINE 4.5
header __KAM_MOTHER1 From =~ /flower|seventeen/i
header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score KAM_MOTHER 4.5
# WHO'S WHO
header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri __KAM_WHOSWHO4 /whoswho/i
meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score KAM_WHOSWHO 5.0
meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score KAM_WHOSWHO2 1.0
# GARAGE FLOOR COATING
header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score KAM_GARAGE 4.0
meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam
#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
header __KAM_PAINT2 Subject =~ /surface Paint/i
meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_PAINT Paint Spams
score KAM_PAINT 4.0
# HURRICANE MOP
header __KAM_MOP1 From =~ /hurricane mop/i
header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i
meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score KAM_MOP 3.5
# DATING TIPS
header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score KAM_DATINGTIPS 4.5
# CANDY
header __KAM_CANDY1 From =~ /candy/i
header __KAM_CANDY2 Subject =~ /candy/i
body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score KAM_CANDY 4.5
# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable
# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK1 1.5
meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK2 3.5
meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score KAM_WEIRDTRICK3 3.0
#MATCH MAKER SPAM
header __KAM_MATCH1 From =~ /Match/i
header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe KAM_MATCH Match Maker Spams
score KAM_MATCH 3.5
#CAR INSURANCE
header __KAM_CARINSURE1 From =~ /insurance/i
header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe KAM_CARINSURE Car Insurance Spams
score KAM_CARINSURE 3.0
#DATA IMG
rawbody __KAM_DATAIMG /<img src="data:image/i
#FAKE MMS
rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe KAM_MMS Fake MMS Spam
score KAM_MMS 6.0
#LEARNMORE
rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe KAM_LEARN Learn More Spam
score KAM_LEARN 6.0
#UNSUB1
header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe KAM_UNSUB1 Unsubscription Spams
score KAM_UNSUB1 0.1
uri __KAM_DOMAINDOTCOM /domain\.com/i
meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score KAM_UNSUB2 3.5
describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body
# DUTCH GLOW AND OTHER WOODWORKING SPAM
header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
describe KAM_DUTCHGLOW Woodworking spam
score KAM_DUTCHGLOW 3.0
# FUNERAL HOME SPAM
header __KAM_FUNERAL1 From =~ /Funeral/i
header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score KAM_FUNERAL 2.0
meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score KAM_FUNERAL2 3.0
# WEB VIEW OBFUSCATION
body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score KAM_WEB_OBFUSCATION 0.1
# TUPPERWARE
header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score KAM_TUPPERWARE 3.5
# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score KAM_PATRIOT 4.0
meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score KAM_PATRIOT2 1.5
# PAYMENT LOWERED
header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score KAM_PAYMENT_LOWERED 4.5
meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
score KAM_PAYMENT_LOWERED 2.0
#NEW NOTICE
body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe KAM_NEWNOTICE New Notice Spam
score KAM_NEWNOTICE 4.25
meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
score KAM_NEWNOTICE2 2.0
#REFI NEW NOTICE
header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe KAM_REFINEW New Refi/Credit Notice spam
score KAM_REFINEW 2.0
meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe KAM_REFINEW2 Higher Probability Refi Spam
score KAM_REFINEW2 2.0
#AUTO INSURE / LOAN
header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe KAM_AUTONEW New Auto insurance spam
score KAM_AUTONEW 3.0
meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe KAM_AUTONEW2 Higher Probability Insurance Spam
score KAM_AUTONEW2 2.0
#STATLER
header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header __KAM_STATLER2 Subject =~ /quintuple/i
body __KAM_STATLER3 /Mike Statler/i
meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe KAM_STATLER Mike Statler Spams
score KAM_STATLER 6.0
#LEARNING TO WRITE
header __KAM_WRITING1 From =~ /writing/i
header __KAM_WRITING2 Subject =~ /writing resources|get published/i
body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score KAM_WRITING 3.5
#RASH OF .EU EXPLOITS
rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score KAM_EU 0.50
describe KAM_EU Prevalent use of .eu in spam/malware
#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score KAM_GRABBAG2 3.0
describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators
#END DIABETES SPAM
body __KAM_DIABETES1 /Diabetes News Today|diabetes.health|blood.sugar/i
tflags __KAM_DIABETES1 nosubject
body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical|doctors don't know|home solution|yellow spice|shocked doctors/i
tflags __KAM_DIABETES2 nosubject
header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic|blood sugar|yellow spice/i
header __KAM_DIABETES4 From:name =~ /blood.?sugar|clean.?cell/
meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 + __KAM_DIABETES4 >= 3)
score KAM_DIABETES 4.5
describe KAM_DIABETES End Diabetes Spam
#SPY CAMERAS, ETC
header __KAM_SPY1 From =~ /spy.?camera|smartcam/i
header __KAM_SPY2 Subject =~ /spy.?camera|small size video/i
body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children|smartcam pro/i
meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score KAM_SPY 3.5
#HARP
header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header __KAM_HARP3 From !~ /\.gov>?$/i
meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP HARP Refinance Spams
score KAM_HARP 4.5
#LUNAR SLEEP AND OTHER SLEEPING AIDS
header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri __KAM_LUNAR3 /lunar.?sleep/i
body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score KAM_LUNAR 4.5
meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score KAM_LUNAR2 2.0
#OCEANS BOUNTY
header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score KAM_OCEANSBOUNTY 4.5
#ANDROGEL
header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score KAM_ANDROGEL 4.5
#CELL PHONES
header __KAM_CELL1 From =~ /phone/i
header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score KAM_CELL 3.5
header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad
#HERPES
header __KAM_HERPES1 From =~ /herpes/i
header __KAM_HERPES2 Subject =~ /your.herpes/i
body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score KAM_HERPES 5.0
#FAKE VOUCHER/REWARD EMAIL
header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i
meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
describe KAM_FAKEVOUCHER Fake voucher/reward email
score KAM_FAKEVOUCHER 4.5
#ATTORNEY SPAM
header __KAM_ATTORNEY1 From =~ /attorney/i
header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i
meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
score KAM_ATTORNEY 3.5
describe KAM_ATTORNEY Ads for legal services
#PRODUCT RECALL
header __KAM_RECALL1 From =~ /dog.?food/i
header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i
meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
score KAM_RECALL 3.5
describe KAM_RECALL Spam for product recall notices
#REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
tflags __KAM_HUGEIMGSRC multiple maxhits=6
meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
score KAM_HUGEIMGSRC 0.2
describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
score KAM_REALLYHUGEIMGSRC 0.5
rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
score KAM_TRACKIMAGE 0.2
#BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
score KAM_GRABBAG3 2.0
describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients
#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score KAM_EMPTYLINK 3.5
header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde
# WORDS THAT "A R E S P A C E D O U T" LIKE SO
body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i
# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal|invest in your country/i
body __KAM_INVESTCOUNTRY2 /invest in your country|investment purpose/i
tflags __KAM_INVESTCOUNTRY2 nosubject
meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 + FREEMAIL_FROM >= 3)
score KAM_INVESTCOUNTRY 4.5
describe KAM_INVESTCOUNTRY Spam for investing in your country
# SPAM FOR FLAGS
header __KAM_FLAG1 From =~ /flag/i
header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags
rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags
rawbody __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text
rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area
meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score KAM_GRABBAG4 3.5
header __KAM_KORS1 From =~ /Michael Kors/i
header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors
header __KAM_HOLIDAY1 From =~ /holidays/i
header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score KAM_HOLIDAY 3.5
#MANY TO - DOES AN EMAIL HAVE MULTIPLE TO HEADERS OR A LOT OF RECIPIENTS?
#Thanks to Dave Wreski for his idea on commas and also to Bill Cole for this version using the "ALL" Pseudo Header as a multiline block
#OLD VERSION
#header __KAM_MANYTO To =~ />,/i
#tflags __KAM_MANYTO multiple maxhits=5
#NEW VERSION
header __KAM_MANYTO ALL =~ /^To: /m
header __KAM_MANYTO2 To =~ /, /
tflags __KAM_MANYTO2 multiple maxhits=25
meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
score KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header or more than 25 recipients
meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients
body __KAM_MILLIONAIRE1 /internet millionai?re/i
body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money
header __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
header __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes
header __KAM_ADHD1 From =~ /ADH?D/i
header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body __KAM_ADHD3 /struggling with adh?d|treatment options/i
meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment
# AUTO REPAIR
header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services
# HOME REPAIR
header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services
body __KAM_EPISODE /episode \d+/i
header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services
#FAX AND PAPERLESS SPAM
header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
body __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
body __KAM_PAPERLESS4 /link expires/i
meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office
rawbody __KAM_LOTSOFNBSP /( ?){30}/i
header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i
# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header __KAM_PASSWORD1 Subject =~ /password/i
body __KAM_PASSWORD2 /validate.your.email/i
meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password
# SEMINARS AND WORKSHOPS SPAM
header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score KAM_WEBINAR 2.5
meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4) && !KAM_WEBINAR
describe KAM_WEBINAR2 Spam for webinars
score KAM_WEBINAR2 5.0
header __KAM_CONTACTME1 Subject =~ /^contact me$/i
body __KAM_CONTACTME2 /read the attached letter/i
meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply
header __KAM_MESH1 From =~ /consumer|connect|claim/i
header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score KAM_MESH 3.5
header __KAM_ALERT1 From =~ /medical.?alert/i
header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body __KAM_ALERT3 /help button/i
meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts
# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header __KAM_SECURITY1 From =~ /Digital Defense/i
header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body __KAM_SECURITY3 /information.security|cyber.?criminal/i
meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score KAM_SECURITY 6.0
body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body __KAM_JESUS3 /nigeria|muslim.women/i
meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score KAM_JESUS 4.5
header __KAM_CLAIMS1 From =~ /claims.payment/i
header __KAM_CLAIMS2 Subject =~ /confirm/i
body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score KAM_CLAIMS 4.5
# VISION SPAM
header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score KAM_VISION 4.5
body KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score KAM_TRUTHINESS 1.5
header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement
# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d{1,32}.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d{1,32}\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d{1,32}%.?off|dress.size|flat.belly|silky|younger|free.trial|\d{1,32}.years|easy.trick|selfies|medical|\d{1,32}.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score KAM_GENERICHEALTH 1.75
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body __KAM_SALE3 /\d{1,32}%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
header __KAM_SALEA_1 From =~ /touch.?fire/i
header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score KAM_SALE 4.0
describe KAM_SALE Spam for things on sale
meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign
# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Email that uses ascii formatting dividers and possible spam tricks
score KAM_ASCII_DIVIDERS 0.8
# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
rawbody __KAM_HTMLNOISE1 /<big><\/big>|<small><\/small>|<style><\/style>/i
meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding
header __KAM_CHICKEN1 From =~ /coop/i
header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops
# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
meta KAM_LINEPADDING ( __KAM_LINEPADDING && !__CBJ_GiveMeABreak1 && !__CBJ_GiveMeABreak2 )
score KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters
# DRAPES SPAM
header __KAM_DRAPES1 From =~ /drapes/i
header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body __KAM_DRAPES3 /banner.stand|print.project/i
meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes
header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score KAM_NUWAVE 3.5
rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags __KAM_MANYCOMMENTS multiple maxhits=6
meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score KAM_MANYCOMMENTS 1.2
header __KAM_HIRE1 From =~ /recruit/i
header __KAM_HIRE2 Subject =~ /checking.in/i
body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score KAM_HIRE 4.5
header __KAM_DEALS1 From =~ /deal.?hunter/i
header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body __KAM_DEALS3 /exclusive.savings/i
meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals
header __KAM_CONTRACT1 From =~ /samanage/i
header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body __KAM_CONTRACT3 /buy you out|service management|management solution/i
meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract
#KAM_TOLL
header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score KAM_TOLL 8.0
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
#KAM_AMAZON
header __KAM_AMAZON1 From =~ /amazon\.com/i
header __KAM_AMAZON2 From:addr !~ /amazon\.com/i
header __KAM_AMAZON3 From:name =~ /amazon\.com/i
meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2) || (__KAM_AMAZON2 + __KAM_AMAZON3 >= 2)
score KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
endif
# LANDSCAPING
header __KAM_LANDSCAPE1 From =~ /landscaping/i
header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body __KAM_LANDSCAPE4 /stone.carving/i
meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score KAM_LANDSCAPING 3.5
# SINGING LESSONS
header __KAM_SINGING1 From =~ /singing/i
header __KAM_SINGING2 Subject =~ /professional.singer/i
body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score KAM_SINGING 4.5
# SPAM FOR ADS
header __KAM_ADVERTISE1 From =~ /gmail/i
header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score KAM_ADVERTISE 4.5
# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
if (version >= 3.003002)
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
# We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
header __KAM_SPF_NONE eval:check_for_spf_none()
tflags __KAM_SPF_NONE net
meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
tflags KAM_LAZY_DOMAIN_SECURITY net
score KAM_LAZY_DOMAIN_SECURITY 1.0
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif
endif
endif
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
ifplugin Mail::SpamAssassin::Plugin::DKIM
header __KAM_TRUNCATE exists:X-Raptor-Truncate
meta DKIM_FAILED_TRUNCATE ( DKIM_INVALID && __KAM_TRUNCATE )
describe DKIM_FAILED_TRUNCATE DKIM invalid but message truncated by Raptor
score DKIM_FAILED_TRUNCATE -0.1
tflags DKIM_FAILED_TRUNCATE nice
meta EMPTY_FAILED_TRUNCATE ( DKIM_FAILED_TRUNCATE && EMPTY_MESSAGE )
describe EMPTY_FAILED_TRUNCATE Empty message FP
score EMPTY_FAILED_TRUNCATE -2.3
tflags EMPTY_FAILED_TRUNCATE nice
endif
endif
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# FORGED EMAILS WITH A VIRUS ATTACHED
meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
score KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment
endif
# LOTS OF PERIODS IN SUBJECT
header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score KAM_MANYDOTS 3.5
# FINAL NOTICE SPAM
header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score KAM_SUBJECTNOTICE 1.0
# SPAM FOR BACKUP SERVICE
header __KAM_BACKUP1 From =~ /backup/i
header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score KAM_BACKUP 4.5
# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score KAM_FROMNUM 1.0
# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score KAM_LINKBAIT 2.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place
uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score KAM_LINKBAIT2 1.5
describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site
# FREEMAIL LINKBAIT
meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
score KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
endif
# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header __KAM_MULTIPLE_FROM From =~ /^./
tflags __KAM_MULTIPLE_FROM multiple maxhits=2
header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
meta KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score KAM_GRABBAG6 4.5
# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject
# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header __KAM_GOOGLE2_1 From =~ /google\+/i
header __KAM_GOOGLE2_2 From !~ /google.com/i
meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam
# MORE NIGERIAN VARIANTS
body __KAM_NIGERIAN3_1 /congo/i
meta KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score KAM_NIGERIAN3 4.5
describe KAM_NIGERIAN3 Nigerian scam variant
# FINGERHUT SPAMS
header __KAM_FINGERHUT1 From =~ /finger.?hut/i
header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut
# FRIEND REQUEST SPAM
header __KAM_FRIEND1 Subject =~ /new.notification/i
body __KAM_FRIEND2 /wants.to.follow/i
meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam
# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
score KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
endif
#MERCHANT ACCOUNTS SPAM
header __KAM_MERCHANT1 Subject =~ /finance.department/i
body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing
# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
# DISABLED 7/16 FOR NO LONGER BEING RELEVANT
#meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
#describe KAM_ZERODAY obviously a malware email that was not caught
#score KAM_ZERODAY 8.0
# ANOTHER ONE
header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_ZERODAY2 1.0
describe KAM_ZERODAY2 Another obvious zero-day malware
meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
score KAM_ZERODAY3 3.5
describe KAM_ZERODAY3 Another obvious zero-day malware
endif
#MORE ACCOUNTING DANGEROUS SPAMS
meta KAM_DANGEROUSXLS (__KAM_ZERODAY3 + KAM_OLEMACRO_ENCRYPTED + KAM_OLEMACRO_RENAME >= 3)
describe KAM_DANGEROUSXLS Dangerous accounting emails with zero day payloads
score KAM_DANGEROUSXLS 6.0
# FAMILY TREE SPAM
header __KAM_ANCESTOR1 From =~ /ancestry/i
header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score KAM_ANCESTOR 3.5
# REMEMBER WHEN YOU GOT THAT SPAM
header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened
# THE LATEST TRAILING NOISE FORMAT
body __KAM_NOISE1 /([a-z0-9],){12}/i
body __KAM_NOISE2 /([a-z]{1,10},){10}/i
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
describe KAM_NOISE1 Pattern of noise words at the end of an email
score KAM_NOISE1 2.5
endif
# FREE PIZZA WOO!
header __KAM_PIZZA1 From =~ /pizza/i
header __KAM_PIZZA2 Subject =~ /^free pizza$/i
body __KAM_PIZZA3 /free.pizza.coupon/i
meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza
# ENGINEERING SPAM
header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information
# SUNGLASSES
header __KAM_SUNGLASSES1 Subject =~ /rayban/i
body __KAM_SUNGLASSES2 /great ray|hot.deal/i
body __KAM_SUNGLASSES3 /style rocks|today.only/i
meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score KAM_SUNGLASSES 3.5
# INVOICE SPAM OF THE DAY
header __KAM_INVOICE1 From =~ /billing/i
header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
uri __KAM_INVOICE5 /overdue|final.account/i
meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score KAM_INVOICE 4.5
describe KAM_INVOICE Phishing invoice spam
meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
score KAM_INVOICE2 5.5
describe KAM_INVOICE2 Phishing invoice spam
meta GB_INVOICE3 ( __WORD_INVIS_2 && __KAM_INVOICE2 )
describe GB_INVOICE3 Phishing invoice spam
score GB_INVOICE3 0.5
header __GB_INV_SHIP Subject =~ /invoice|shipment/
meta GB_INVOICE4 ( PCCC_BAD_FREE_URI && ( __GB_INV_SHIP || __KAM_INVOICE2 || __KAM_INVOICE3 ) >= 2 )
describe GB_INVOICE4 Invoice spam with free hosting links
score GB_INVOICE4 0.25
# GRIPEEZ
header __KAM_GRIPPY1 From =~ /gripeez/i
header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products
# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing|Bank of America/i
header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score KAM_ACCOUNTPHISH 3.20
describe KAM_ACCOUNTPHISH Spam that tries to get account information
# BUY PROPERTY
header __KAM_PROPERTY1 From =~ /high.rise|condo/i
header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body __KAM_PROPERTY3 /convenient.location/i
meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property
# FAKE AMEX
header __KAM_FAKEAMEX1 From =~ /aexp.com/i
meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
# HUGE SUBJECT
header KAM_HUGESUBJECT Subject =~ /^.{500}/
score KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
#HOOKUP
header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri __KAM_HOOKUP2 /justhookup/i
body __KAM_HOOKUP3 /match.?me.?networks/i
meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service
#PSYCHIC
header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
uri __KAM_PSYCHIC2 /free.psychic/i
body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score KAM_PSYCHIC 4.5
describe KAM_PSYCHIC Current Psychic Product Spam du Jour
#UNSUB BADDIES
body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
score KAM_BADUNSUB 3.0
describe KAM_BADUNSUB Bad Unsubscribe Messages
#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message
#TINYURL OBFUSCATION
uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
meta KAM_TINYURL (__KAM_TINYURL1)
score KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener
# FAKE DROPBOX - Adding _ to DROPBOX2 for badly configured ESS servers
header __KAM_DROPBOX1 From =~ /dropbox/i
header __KAM_DROPBOX2 From !~ /dropbox.com/i
body __KAM_DROPBOX3 /shared.a.folder|download the file/i
meta KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails
# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
score KAM_YAHOO_MISTAKE -3.0
endif
# GARBAGE FREEMAIL
meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account
# AQUA RUG
header __KAM_AQUARUG1 From =~ /aqua.?rug/i
header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product
# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header __KAM_ITC1 From =~ /thetradecouncil.com/i
body __KAM_ITC2 /International Trade Council/i
body __KAM_ITC3 /enclosed/i
meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council
# HAVE YOU SEEN THIS
body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?
# DETOX
header __KAM_DETOX1 From =~ /detox/i
header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff
# DEATH INSURANCE
header __KAM_DEATHINSURE1 From =~ /live.sure/i
header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score KAM_DEATHINSURE 3.5
# REACHBASE
body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info
# DIGITAL WALLET SPAM
header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services
# BAD PHP
header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score KAM_BADPHP 3.5
describe KAM_BADPHP Questionable PHP mailer headers
# TINNITUS
header __KAM_TINNITUS1 From =~ /tinnitus.?(solution|911|breakthrough|ringing)|silencil|tinnitus/i
header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic|ears? ring|removes? tinnitus/i
body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing|shocking presentation|IVY League|doctors are baffled|restores your hearing|no more buzzing/i
tflags __KAM_TINNITUS3 nosubject
meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score KAM_TINNITUS 4.5
# KIWIBANK
header __KAM_KIWIBANK1 From =~ /kiwibank/i
header __KAM_KIWIBANK2 Subject =~ /verification.required/i
body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score KAM_KIWIBANK 3.5
# HAPPY TALK
header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body __KAM_HAPPYTALK2 /honest.and.nice/i
body __KAM_HAPPYTALK3 /beautiful.mail/i
meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam
# SETTLEMENT SPAM
header __KAM_SETTLEMENT1 From =~ /xarelto/i
header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body __KAM_SETTLEMENT3 /lawsuit.information/i
meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement
# CAD SPAM
header __KAM_CAD1 Subject =~ /cad.drawing/i
body __KAM_CAD2 /we.specialize.in/i
body __KAM_CAD3 /our.products/i
meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score KAM_CAD 3.5
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
#SPAM WITH OFFICE MACROS
header __KAM_VBMACRO X-Raptor-VBMacro =~ /True/i
meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
describe KAM_VBMACRO Message contains attachment with VB macro
score KAM_VBMACRO 6.5
#SPAM THAT INDICATES DYNAMIC IP
header KAM_DYNIP X-Raptor-DynamicIndicator =~ /True/i
describe KAM_DYNIP Message contains Dynamic IP Address Indicator
score KAM_DYNIP 6.5
endif
# YELP AND OTHER REVIEW SITES
header __KAM_REVIEW1 From =~ /contractor/i
header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i
meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score KAM_REVIEW 4.5
# TOURS AND EVENTS
header __KAM_TOURS1 From =~ /festival/i
header __KAM_TOURS2 Subject =~ /adventure.tour/i
body __KAM_TOURS3 /your.adventure.tour|your.event/i
meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events
# NO MORE SPAM ENGINES
body __KAM_NOMORE1 /no.more.of.this/i
body __KAM_NOMORE2 /no.more.at.all/i
meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score KAM_NOMORE 3.5
# NOT REALLY CONFIDENTIAL
body __KAM_NOCONFIDENCE1 /confidential.information/i
meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security
# YER GON GET SASSINATED
header __KAM_ASSASSIN1 Subject =~ /want you dead/i
body __KAM_ASSASSIN2 /my identity/i
body __KAM_ASSASSIN3 /assassinate/i
body __KAM_ASSASSIN4 /like.an.accident/i
meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam
# GIMME FLASH DRIVES
header __KAM_DRIVE1 From =~ /purchase|manager/i
header __KAM_DRIVE2 Subject =~ /quotation/i
body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i
meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment
#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
# blacklist_uri_host link
#endif
#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 2.5
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 2.5
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_XBL >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
# HEARING LOSS
header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry|sharpear/i
header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids|restore your hearing/i
body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid|mineral to restore/i
meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions
# TRACKR
header __JMQ_TRACKR1 From =~ /trackr/i
header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i
meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR
# CONGRATULATION
header __JMQ_CONGRAT1 From =~ /award|claim/i
header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam
# PICKUP
header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header __JMQ_PICKUP3 X-Mailer =~ /php/i
body __JMQ_PICKUP4 /\d+.year.old|female/i
meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number
# COMPROMISED DROPBOX
header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body __JMQ_DROPBOX3 /ach.(payment|transfer)/i
meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts
#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body __KAM_BAD_REVIEW2 /Reputation Giant/i
meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
score KAM_BAD_REVIEW 4.0
describe KAM_BAD_REVIEW Online reputation spammers
#GOOGLE AWARD
header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
body __KAM_GOOGLE_AWARD2 /selected as a winner/i
body __KAM_GOOGLE_AWARD3 /Dear Google/i
body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
endif
meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
score KAM_GOOGLE_AWARD 5.0
describe KAM_GOOGLE_AWARD Fake Google Awards
#OBFUSCATED LOANS
body KAM_OBFU_LOANS /Stüdént Lóans/i
score KAM_OBFU_LOANS 5.0
describe KAM_OBFU_LOANS Obfuscated Loan Verbiage
#WORK FROM HOME
body __KAM_WORKFROMHOME1 /work from home/i
meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score KAM_WORKFROMHOME 1.75
describe KAM_WORKFROMHOME Work from Home Spams
#STUDENT LOAN
body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
body __KAM_STUDENTLOAN2 /consolidate your loan/i
body __KAM_STUDENTLOAN3 /doesn't injured/i
body __KAM_STUDENTLOAN4 /866-351-4693/i
body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i
meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score KAM_STUDENTLOAN 4.5
describe KAM_STUDENTLOAN Student Loan Scam
#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __JMQ_RESUME1 Subject =~ /resume/i
body __JMQ_RESUME2 /hello my name|my name is/i
body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
score JMQ_RESUME 4.5
describe JMQ_RESUME Spam for bad attached resumes
endif
#LED/SOLAR LIGHTS
header __KAM_LED1 From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun|flood ?light/i
body __KAM_LED2 /(garage|LED Fan) Light|sun-?like|\dx the brightness|security "?must have/i
tflags __KAM_LED2 nosubject
header __KAM_LED3 Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED|security "?must have/i
meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
describe KAM_LED LED Lighting Spams
score KAM_LED 4.5
# REAL ESTATE
header __JMQ_REALESTATE1 From =~ /tom.brice/i
header __JMQ_REALESTATE2 Subject =~ /real.estate/i
body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i
meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score JMQ_REALESTATE 4.5
# IP IN FROM
header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address
# IFFY PAYPAL OF THE DAY
header __JMQ_PAYPAL2 From =~ /paypai/i
meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day
# RESUME SPAM REDUX PART 2 (WOOHOO)
meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam
# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
describe JMQ_SPF_NEUTRAL SPF set to ?all
score JMQ_SPF_NEUTRAL 0.5
tflags JMQ_SPF_NEUTRAL net
askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
describe JMQ_SPF_ALL SPF set to +all!
score JMQ_SPF_ALL 0.5
tflags JMQ_SPF_ALL net
endif
# IMPORTANT MESSAGE
header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body __JMQ_IMPORTANT2 /important message/i
body __JMQ_IMPORTANT3 /please visit/i
meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important
# IMAGE TRACKERS
uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i
meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker
# WIRE TRANSFERS
header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body __JMQ_WIRE2 /medical.support|payment.sent/i
body __JMQ_WIRE3 /bank.wire|sent.out.asap/i
meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer
#bindata code in RTF
#rawbody __KAM_BADRTF1 /<w:binData/
#rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/
#meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score KAM_BADRTF 5.0
#Fake Order
body __KAM_ORDER1 /Please find document attached/i
header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i
meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score KAM_ORDER 3.0
describe KAM_ORDER Fraudulent Order Emails
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
#SHOCKING BEVERAGE
body __KAM_SHOCK1 /shocking.beverage/i
header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
body __KAM_SHOCK3 /drinking this beverage/i
meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score KAM_SHOCK 4.0
describe KAM_SHOCK Spams with energy drinks
#BEAUTY SCAM
body __KAM_BEAUTY1 /she now looks \d+/i
body __KAM_BEAUTY2 /reveals exactly/i
body __KAM_BEAUTY3 /most amazing transformation/i
header __KAM_BEAUTY4 Subject =~ /now looks \d+/i
meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score KAM_BEAUTY 4.0
describe KAM_BEAUTY Youth and Beauty Product Scams
#WEED
body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
body __KAM_WEED4 /(weed|pot).stock/i
meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score KAM_WEED 8.0
describe KAM_WEED Legal Weed and related investment scams
#LOGOS
body __KAM_LOGO1 /guru.level logo/i
header __KAM_LOGO2 Subject =~ /guru.level logo/i
body __KAM_LOGO3 /(guru.level|ready.made) logo/i
meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score KAM_LOGO 5.25
describe KAM_LOGO Logo Spam
#TRUMP COIN
body __KAM_TRUMPCOIN1 /Donald Trump/i
header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
body __KAM_TRUMPCOIN3 /special colored coin/i
meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score KAM_TRUMPCOIN 5.25
describe KAM_TRUMPCOIN Trump Coin Spam
#WATER
body __KAM_WATER1 /Never Drink Water/i
header __KAM_WATER2 Subject =~ /bottled water/i
body __KAM_WATER3 /filtered tap water/i
meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score KAM_WATER 5.25
describe KAM_WATER Water Poison Scam
#BANK
body __KAM_RUIN1 /do not deposit/i
header __KAM_RUIN2 Subject =~ /money into your bank/i
body __KAM_RUIN3 /banking institutions/i
meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score KAM_RUIN 5.25
describe KAM_RUIN Bank Phishing Scam
#WEIGHT
body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation|researcher has just discovered|weight loss is wrong/i
tflags __KAM_WEIGHT2_1 nosubject
header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym|fat hack|doctor shocked/i
body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+|lbs every \d+ hour|(pound|lb)s in \d+ days|melts pounds/i
header __KAM_WEIGHT2_4 From:name =~ /eat this seed|flat.?belly|big.?stomach/i
meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 + __KAM_WEIGHT2_4 >= 3
score KAM_WEIGHT2 5.25
describe KAM_WEIGHT2 Weight loss process du jour
#AMAZING LENS
body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
header __KAM_LENS4 From =~ /hdcam|lens|inhd/i
meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score KAM_LENS 5.25
describe KAM_LENS Amazing Lens Scam
#HONOR
body __KAM_HONOR1 /greatest thing of your life/i
header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
body __KAM_HONOR3 /profession women/i
body __KAM_HONOR4 /invitation/i
meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score KAM_HONOR 6.25
describe KAM_HONOR Professional Network Scam
#Rule Dev
#Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
#uri __ALL_URI /.*/
#tflags __ALL_URI multiple
#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si
meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score KAM_BAD_UTF8 14.0
describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
#DEATH
body __KAM_DEATH1 /prevent early.death/i
header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
body __KAM_DEATH3 /Eating this|before it.?s too late/i
body __KAM_DEATH4 /heart.(attack|stops)/i
meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score KAM_DEATH 6.25
describe KAM_DEATH Supplement Scam
#REWARD
body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i
meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score KAM_REWARD 5.25
describe KAM_REWARD Coupon Scam
#PACKAGE
body __KAM_PACKAGE1 /dysfunction|\dx longer/i
body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
header __KAM_PACKAGE3 Subject =~ /sex/i
header __KAM_PACKAGE4 From =~ /function|fivex/i
meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score KAM_PACKAGE 4.25
describe KAM_PACKAGE Sexual Enhancement Scam
#NUM
header __KAM_NUMSUBJECT Subject =~ /(?<!day)\s\d+$/i
header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/
meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
score KAM_NUMSUBJECT 0.5
describe KAM_NUMSUBJECT Subject ends in numbers excluding current years
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#BAD PDF
mimeheader KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
score KAM_MGCS 10.0
describe KAM_MGCS Boundary Content Indicative of Ratware
endif
#NetWeaver - Disabled 7/24
#header KAM_NW X-Mailer =~ /SAP NetWeaver/i
#score KAM_NW 2.75
#describe KAM_NW Spam Indicator
#STOCKTIP OBFU
body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
body __KAM_STOCKOBFU2 /first letter/i
header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i
meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
score KAM_STOCKOBFU 4.5
#FAKE BBB/FLSA NOTICES
header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i
meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe KAM_FAKEBBB Fake Notices for Various Business Violations
score KAM_FAKEBBB 12.0
#HOWRU
#header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
body __KAM_HOWRU4 /gmx.com|rambler.ru/i
meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe KAM_HOWRU Female Chat Scam
score KAM_HOWRU 8.0
# 2017-11-01, note 56146
body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i
body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i
meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)
meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)
score KAM_DOMAIN_SALE_2 3.0
score KAM_DOMAIN_SALE_3 1.0
meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)
score KAM_DOMAIN_SALE_INTRUDE 1.0
describe KAM_DOMAIN_SALE_2 Domain Selling Spam
describe KAM_DOMAIN_SALE_3 Domain Selling Spam
describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam
# 2017-11-08, lonely russian women Whack-A-Mole
# Likely Overlap with HOWRU rules, similar target. No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.
header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
header __KAM_SUBJECT_SINGLEWORD Subject =~ /^[a-z]+$/i
header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i
meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)
score KB_WAM_LONELY_WOMEN 5.0
describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day
body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i
#meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#All Control chars like NUL except \n which should exist once legitimately
#Investigating double-byte language FP. Reverting back to just \0
#header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
header __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
#\n Multiple in the From Header
header __KAM_MAILSPLOIT2 From =~ /[\n]/
describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
tflags __KAM_MAILSPLOIT2 multiple maxhits=2
meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
score KAM_MAILSPLOIT 10.0
#cc in From - Thanks to Dave Jones for idea
header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
score KAM_CCFROM1 5.0
#MailBox Verify Phish - Also See KAM_MAILBOX
header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box|retrieve messages/i
body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota|low email storage/i
header __KAM_MAILBOXFROM From =~ /mailbox/i
meta KAM_BOXPHISH ((__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT >= 1) + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA + __KAM_MAILBOX1 >= 4)
describe KAM_BOXPHISH Mailbox verification phishing scams
score KAM_BOXPHISH 6.5
#SWISSCOIN, ETC.
body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i
meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
describe KAM_CRYPTO Crypto Currency Spam Du Jour
score KAM_CRYPTO 8.0
#COMPROMISED CMS - Thanks to Jing Shan for the idea
uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
uri __KAM_CMS2 /\/erroreng\/erroreng\//i
uri __KAM_CMS3 /twentythirteen\/Upgrade\/?email=/i
meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
describe KAM_CMS Indicators that a CMS has been exploited for Spammers
score KAM_CMS 1.0
#WESTERN UNION SCANS
header __KAM_WU1 from:addr !~ /\@westernunion\.com/i
header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
uri __KAM_WU3 /western.umt/i
meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
describe KAM_WU Western Union Scam
score KAM_WU 5.0
#WEB CRIMINALS
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked y<O1>ur (website|OS|operating)|got hacked|hidden app|managed to hack|thr(u|ough) (ur|your) web.?cam|broke\s+into\s+your\s+system|infected your system|data security hack|hide (yo)?ur web.?camera|device was infected|i recorded you|gained access to your device|I know a\s?lot about you|installed it on all your devices|<Y1>our s<Y1>stem was breached|<I1>n<S1>t<A1>lled a troj<A1><N1>/i
#Bitcoin / Etc.
body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|(\b|^)(BTC|DSH|LTC)(\b|$)|cryptocurrency|\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b)|(remove|manually) (any|all) spaces|contains spaces|Litecoin|shoprite|instant money/i
#Payment
body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin|transfer\s+me\s+\d+|\d+ in bitcoins|receive the compensation|talking price|reputation will be ruin|buy bitcoin \(BTC\) here|your Bitcoin QR code|Transfer \$\d+ in Bitcoin|\$\d+ tr<A1><N1><S1>f<E1>r to <M1><Y1> w<A1>llet|send \$?\d+ dollars to my (L|B)TC/i
#Sexually explicit
body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video|passion for jerk|creepy addiction|wank off|site for adult|spy on you over your cam|pleasuring yourself|adult site|jerking off|mature content|explicit material|intimate footage|highly controversial video/i
#TIME
body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now|\d\s+working\s+days|make payment within \d+ day|indicated da(y|te)|\d hours from this moment|\d hours (yo)?ur contacts|not more than \d+ days?|\d hours to make a pay|you have \d+ hour|give you \d+ hours.{0,20} to pay|have one day to sort this out|crucial you respond swiftly|time is almost up|within \d+ hours|Second option is to pay|one day to sort this out/i
#Subject
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|(site|account) has been (compromised|hacked)|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you|exfiltrated|everybody will know|check the information|Regarding you |suspected harmful activit|account is hacked|data is stolen/i
header __KAM_NOT_CRIM6 Subject =~ /Bomb.?cyclone/i
#From
header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i
meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + (__KAM_CRIM6 && ! __KAM_NOT_CRIM6) + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 8.5
endif
#KAM_CRIM_V2
body __KAM_CRIM2_1 /bit.{0,2}coin/i
body __KAM_CRIM2_2 /address\:/i
body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites|site for adult/is
meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
describe KAM_CRIM2 Extortion Email
score KAM_CRIM2 7.5
#ZWNJ - Zero Width Null Joiner
#ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
# Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D. $a
# Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZWNJ1 Content-Type =~ /charset.+windows-1256/i
endif
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
tflags __KAM_ZWNJ2 multiple maxhits=16
body __KAM_ZWNJ3 /\&\#x200B;/i
describe KAM_ZWNJ Use of zero width null characters indicates a goal to elude scanners
meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe KAM_ZWNJ Use of null characters indicates a goal to elude scanners
score KAM_ZWNJ 2.5 #LOWERED FROM 5.25
describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
score KAM_ZWNJBAD 1.25 #LOWERED FROM 2.0
#ZWNS - Zero Width Non-Breaking Space
body __KAM_ZWNS1 /\xef\xbb\xbf/
tflags __KAM_ZWNS1 multiple maxhits=16
meta KAM_ZWNS ( __KAM_ZWNS1 >= 16 )
describe KAM_ZWNS Use of zero width space characters indicates a goal to elude scanners
score KAM_ZWNS 1.25 #LOWERED FROM 2.5
#GIRLS
body __KAM_GIRLS1 /Lack of sex/i
meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
describe KAM_GIRLS Girl Chat Scam du Jour
score KAM_GIRLS 7.0
#SKINCELL PRO Spam Du Jour
body __KAM_SKINCELL1 /Skincell.Pro/i
header __KAM_SKINCELL2 Subject =~ /Skincell.Pro/i
meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
describe KAM_SKINCELL Skincare Scam du Jour
score KAM_SKINCELL 7.0
#UK INVOICE - Thanks to Andy Smith for his help on this
uri __KAM_UKINV1 /\/(client|share|documentview)$/i
body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i
body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i
body __KAM_UKINV4 /£/i
header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i
header __KAM_UKINV6 Subject =~ /invoice/i
meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6)
describe KAM_UKINV Fake Invoice/Scan Scams
score KAM_UKINV 5.5
#LIST SELLERS
body __KAM_LISTSALE1 /interested in acquiring/i
body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i
header __KAM_LISTSALE4 Subject =~ /users|leads/i
header __KAM_LISTSALE5 From =~ /leads/i
meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
describe KAM_LISTSALE List sellers
score KAM_LISTSALE 5.0
#Google Short?
uri KAM_GOOGLESHORT /\/www.google.com\/url\?q=.{4,16}bit\.ly/i
describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners
score KAM_GOOGLESHORT 9.0
#HEART ATTACK SPAM
body __KAM_HEARTPROD1 /heart ?attack/i
body __KAM_HEARTPROD2 /enzyme/i
header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
header __KAM_HEARTPROD4 From =~ /clear 7/i
meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
describe KAM_HEARTPROD Snake Oil Heart Health du Jour
score KAM_HEARTPROD 7.0
# LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE
# NOTE: Some languages and people using things like ZWNJ repeatedly will cause FPs for this rule.
# This rule disabled in deadweight anyway!
describe __SCC_SHORT_WORDS A line with lots of short words
body __SCC_SHORT_WORDS /\W(\D\w{1,3}\W{1,3}){11}/
tflags __SCC_SHORT_WORDS multiple maxhits=40
describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5
describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10
describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
# Redefine WORD_INVIS_MANY to get rid of FPs
meta WORD_INVIS_MANY ( __WORD_INVIS_2 && ! __BODY_TEXT_LINE )
# A pattern seen in subscription-bombings
describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
score SCC_SUBBOMB_SUBJ_1 5
# cPanel Phishing
header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
score SCC_FAKE_CPANEL 6
header KAM_PHISHCP From =~ /\@cpanel\d+\.com/i
describe KAM_PHISHCP Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP 15.0
uri KAM_PHISHCP2 /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
describe KAM_PHISHCP2 Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP2 15.0
body __KAM_PHISHCP3_1 /cPanel Cloud Service/
meta KAM_PHISHCP3 (KAM_SHORT + __KAM_PHISHCP3_1 >=2)
describe KAM_PHISHCP3 Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP3 15.0
uri __KAM_PHISHCP4_1 /defender\.php/i
meta KAM_PHISHCP4 ((KAM_MAILBOX + KAM_MAILBOX2 >= 1) + __KAM_PHISHCP4_1 >= 2)
describe KAM_PHISHCP4 Fraudulent cPanel Notices
score KAM_PHISHCP4 15.0
#https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
body KAM_FILE /file:\/\/\/\//i
describe KAM_FILE Potential attempt for NTLM attack
score KAM_FILE 4.5
#FUN SPAM RUN
header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou|\.quest>?$/i
header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater|Canvas?Print|LeptiSense|Hello.?Fresh/i
body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsub|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive/i
body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t|unable to) see (the|this)? ?image|visit the page below|Continue Reading|watch now|this is an ad|click here now/i
uri __KAM_FUN3A /imgstore.host/i
#Subject
header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refinance|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls|audiobooks|memories into art|losing weight|CBD Gum/i
#How many/How Soon
body __KAM_FUN5 /\d million americans|less than \d{1,32} (weeks|days|hours)|temporary feeling|\d{1,32} ?lbs|[\d+,]{1,32} Asian babes/i
#miracle!
body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown|chronic pain/i
#what
body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends|audiobooks/i
tflags __KAM_FUN7 nosubject
meta KAM_FUN ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN 7.75
meta KAM_FUN2 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
describe KAM_FUN2 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN2 7.5
#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
uri KAM_DRIVENUM /\d+\.drive\.google.com/i
describe KAM_DRIVENUM Drive Links Prevalent in Spam
score KAM_DRIVENUM 5.0
#SWIFT PAYMENT SCAMS
header __KAM_SWIFT1 Subject =~ /Swift/i
body __KAM_SWIFT2 /swift copy/i
body __KAM_SWIFT3 /balance payment/i
meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
describe KAM_SWIFT SWIFT payment scam
score KAM_SWIFT 3.0
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Custom score
score FROMNAME_SPOOFED_EMAIL 0.3
meta GB_FROMNAME_SPOOF_EQUALS_TO (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score GB_FROMNAME_SPOOF_EQUALS_TO 0.3
meta GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
score GB_FROMNAME_SPOOF_FREEMAIL 0.4
rawbody __GB_REGEX_BR /{\:REGEX\:\((<br>){1,3}\|(<br>){1,3}/
meta GB_REGEX_BR_SPOOF ( __GB_REGEX_BR && PDS_FROMNAME_SPOOFED_EMAIL && __ANY_TEXT_ATTACH_DOC )
describe GB_REGEX_BR_SPOOF Office document from spoofed email
score GB_REGEX_BR_SPOOF 2.0
endif
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
header KAM_RAPTOR_ALTERED X-Raptor-Alter =~ /True/i
describe KAM_RAPTOR_ALTERED Raptor identified a dangerous, possible zero day attachment risk
score KAM_RAPTOR_ALTERED 2.0
header GB_RAPTOR_ZEROSVG X-Raptor-ZeroDay =~ /svg/i
describe GB_RAPTOR_ZEROSVG Raptor identified a dangerous, possible zero day SVG attachment
score GB_RAPTOR_ZEROSVG 1.0
endif
#BAD INVOICE SCAMS
header __KAM_PROFORMA1 Subject =~ /Proforma/i
body __KAM_PROFORMA2 /no responds/i
body __KAM_PROFORMA3 /highly encrypted/i
body __KAM_PROFORMA4 /Proforma Invoice/i
uri __KAM_PROFORMA5 /\.php/i
meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
describe KAM_PROFORMA Invoice scam
score KAM_PROFORMA 7.5
#BAD INVOICE SCAMS
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_INVOICEPO1 Subject =~ /Invoice copies|EFT +Process|signed +contract|inquiry|PO-\d+|payment receipt/i
body __KAM_INVOICEPO2 /invoice copies|EFT PROCESS|contract signed|attached enquiry|see the attached|Company name\:/i
tflags __KAM_INVOICEPO2 nosubject
meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + (KAM_HTMLINVOICE + KAM_HTMLINVOICE2 + T_HTML_ATTACH >= 1) >= 3)
describe KAM_INVOICEPO Invoice scam
score KAM_INVOICEPO 4.5
mimeheader KAM_HTMLINVOICE Content-Type =~ /(remittance|invoice|contract|order|scan).{0,100}\.(rar|html?)/i
describe KAM_HTMLINVOICE Invoice scam
score KAM_HTMLINVOICE 3.0
mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
describe KAM_HTMLINVOICE2 Invoice scam
score KAM_HTMLINVOICE2 3.0
endif
# Spear phishing rules
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __GB_TO_ADDR_FREEMAIL eval:check_freemail_header('To:addr')
header __GB_TO_NAME_FREEMAIL eval:check_freemail_header('To:name')
meta GB_TO_NAME_FREEMAIL ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
describe GB_TO_NAME_FREEMAIL Freemail spear phish with free mail
score GB_TO_NAME_FREEMAIL 0.01
header __GB_FROM_ADDR_FREEMAIL eval:check_freemail_header('From:addr')
header __GB_FROM_NAME_FREEMAIL eval:check_freemail_header('From:name')
header __GB_FROM_NAME_EMAIL From:name =~ /\@/
meta GB_FROM_NAME_FREEMAIL ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
describe GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
score GB_FROM_NAME_FREEMAIL 0.01
endif
# Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
# FIXED rule distributed via sa-update since 2019-05-31
# meta __STYLE_GIBBERISH_1 0
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
# Allow googleapis.com to be blocklisted due to spam runs in June 2019 exploiting it
clear_uridnsbl_skip_domain googleapis.com
# Allow t.co to be blocklisted due to spam seem in April 2024 exploiting it
clear_uridnsbl_skip_domain t.co
endif
# Need a favor phishing
header __KAM_FAVOR1 Subject =~ /Request|Quick Reply/i
body __KAM_FAVOR2 /I need a favor from you|Are you available to work on a request for me today/i
body __KAM_FAVOR3 /email me back as soon as possible|send me your personal cell phone number/i
meta KAM_FAVOR (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
describe KAM_FAVOR Phishing Attempt
score KAM_FAVOR 7.5
# WELCOMELIST PCCC/MCGRAIL
if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
welcomelist_auth *@pccc.com *@mcgrail.com
endif
if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist)
whitelist_auth *@pccc.com *@mcgrail.com
endif
#trusted_networks 69.171.29.0/25
#trusted_networks 38.124.232.0/24
# CONTACTS / LISTS
header __KAM_LIST3_1 Subject =~ /(accou?nt|Contacts?|buyers?|registrants?|attendees?|B2B|B2C|mailing|industries).(data|list|information)|reach qualified buyers|potential prospects|(potential|reach your) client|(list|lead) prospecting|build customer|(bitdefender|Acronis) Users|reach clients|Clients records|users accounts|Attendees info|marketing opp|(expo|Summit) Leads|Free Samples|email database|sales prospect|(construction|business) +(executives|professionals)|prospects|decision.?makers|(email|lead) list|increase your TAM|Booth.?\#\d+|data that you need|(audience|geography)\?|contact details|professional industry clients|easy contacts of|school districts? contacts|list\-2025|Visitor Profiles|contacts 20\d\d/i
#title
body __KAM_LIST3_2 /list (consultant|services)|email campaign|global marketing|(event|campaign|success|purchasing) mana?ger|(tradeshow|marketing) (coordinator|campaign|manager|exec|project|team)|(lead|demand) gen|(business|Data|event|research|marketing) (analyst|coordinator)|(potential|professionals?|qualified) lead|(business development|marketing|lead|attendees?|data|prospect|intelligence|event).(executive|consultant|specialist)|(marketing|Business) Co-?ordinator|marketing (\&|and) comm|inside sales|pre-?sales|global leads|data dep(t|artment)|marketing exec|(right|appropriate) person|info solutions|Sales executive|database coordinator|list provider|(leads|business development|BD|Biz.?Dev) manager|cd services|data intelligence specialist/i
tflags __KAM_LIST3_2 nosubject
#db for sale
body __KAM_LIST3_3 /(information|data|list\'s) (count|field)|verified e?-?mail|with email address|counts and pric|decision maker|specific parameters|job titles|Specific lists|each record|post show attendee|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few (examples|samples)|database (organization|provider)|(cost|expense) (\&|and) count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following|your marketing campaign|\d\d% on emails|acquiring (email|the) list|list of retailers|decision maker mailing list|B2B( data)? list|acquiring email|interested (in )?acquiring|quality lists|potential (client|customer)|database and list management|pricing and count|audience you would like to reach|data cleansing|job titles you wish to contact|leverage competitive intelligence|business contacts? list|verified direct contact numbers|our list comes with|(industry|comprehensive) email list|purchasing the vistor\'?s list/i
tflags __KAM_LIST3_3 nosubject
#db what
body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (contacts? |mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|details|information)|geography|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (audience|geograph|attendees|audience|industry)|opt-?in (contact|emails|list)|offices and clinics|specialties\:|showcase our capabilit|share samples|sample file|recently compiled|contact details|targeted (criteria|market)|marketing needs|Users of the following|100\% populated|b2b (mailing list|contact)|targeted business list|data list|(job profile|attendees|counts|list contains|Contacts include)\:|Consumer database|every industry sector|quality email list|email list of|titles? includes?\:|including their names|contacts available\:|curated list|fields? includes?\:|contact validation|opt-in dataset|90% on that list type|enence|Lejeune.?Lawsuits|smart.?timeshare|number of attendees|tester file|list of organi[sz]ation|Mailing list includes/i
tflags __KAM_LIST3_4 nosubject
meta KAM_LIST3 ( (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4) && !EXTRACTTEXT )
describe KAM_LIST3 Mailing List Purveyor Spam
score KAM_LIST3 12.25
#NO SUBJ MATCH
meta KAM_LIST3_1 ( (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3) && !EXTRACTTEXT )
describe KAM_LIST3_1 Likely Mailing List Purveyor Spam
score KAM_LIST3_1 3.75
#MONCLER
header __KAM_MONCLER1 Subject =~ /moncler/i
header __KAM_MONCLER2 From =~ /moncler/i
meta KAM_MONCLER (__KAM_MONCLER1 + __KAM_MONCLER2 + KAM_SOMETLD_ARE_BAD_TLD >= 3)
describe KAM_MONCLER Fashionista Spammers
score KAM_MONCLER 6.0
#ERP
header __KAM_ERP1 Subject =~ /ERP/
body __KAM_ERP2 /K9ERP/i
meta KAM_ERP (__KAM_ERP1 + __KAM_ERP2 >=2)
describe KAM_ERP ERP Spammers
score KAM_ERP 4.0
#DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
#
#https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
#
#"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
#
# We expect edge cases with DKIM where a parent (gateway) domain signing for a subdomain author (e.g., parent.gov signing for sub.parent.gov). This is a common and a sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU. The SPF || DKIM logic below will allow this scenario.
#
# Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin.
#Newer Systems with DMARC Plugin
ifplugin Mail::SpamAssassin::Plugin::Dmarc
#Override the default scores
score DMARC_MISSING 0.1
score DMARC_PASS -0.1
score DMARC_REJECT 0.1
score DMARC_QUAR 0.1
score DMARC_NONE 0.1
ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
#Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
score KAM_DMARC_STATUS 0.01
header KAM_DMARC_REJECT eval:check_dmarc_reject()
priority KAM_DMARC_REJECT 500
tflags KAM_DMARC_REJECT net
reuse KAM_DMARC_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 7.0
header KAM_DMARC_QUARANTINE eval:check_dmarc_quarantine()
priority KAM_DMARC_QUARANTINE 500
tflags KAM_DMARC_QUARANTINE net
reuse KAM_DMARC_QUARANTINE
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 4.0
header KAM_DMARC_NONE eval:check_dmarc_none()
priority KAM_DMARC_NONE 500
tflags KAM_DMARC_NONE net
reuse KAM_DMARC_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# Add a negative score if email hits Dmarc rules but is truncated
# scores must be kept in sync with Dmarc rules
meta KAM_DMARC_REJECT_TRUNCATE ( KAM_DMARC_REJECT && DKIM_FAILED_TRUNCATE )
describe KAM_DMARC_REJECT_TRUNCATE Dmarc reject on truncated email
priority KAM_DMARC_REJECT_TRUNCATE 500
score KAM_DMARC_REJECT_TRUNCATE -7.0
tflags KAM_DMARC_REJECT_TRUNCATE net nice
reuse KAM_DMARC_REJECT_TRUNCATE
meta KAM_DMARC_QUARANTINE_TRUNCATE ( KAM_DMARC_QUARANTINE && DKIM_FAILED_TRUNCATE )
describe KAM_DMARC_QUARANTINE_TRUNCATE Dmarc quarantine on truncated email
priority KAM_DMARC_QUARANTINE_TRUNCATE 500
score KAM_DMARC_QUARANTINE_TRUNCATE -4.0
tflags KAM_DMARC_QUARANTINE_TRUNCATE net nice
reuse KAM_DMARC_QUARANTINE_TRUNCATE
meta KAM_DMARC_NONE_TRUNCATE ( KAM_DMARC_NONE && DKIM_FAILED_TRUNCATE )
describe KAM_DMARC_NONE_TRUNCATE Dmarc none on trucated email
priority KAM_DMARC_NONE_TRUNCATE 500
score KAM_DMARC_NONE_TRUNCATE -0.25
tflags KAM_DMARC_NONE_TRUNCATE net nice
reuse KAM_DMARC_NONE_TRUNCATE
header __KAM_FROM_RAPTORSRV From:addr =~ /\@server\d+\.raptoremailsecurity\.com$/i
meta KAM_FROM_RAPTOR_DMARCFAIL ( __KAM_FROM_RAPTORSRV && KAM_DMARC_QUARANTINE )
describe KAM_FROM_RAPTOR_DMARCFAIL Email from Raptor servers with DMARC failure
score KAM_FROM_RAPTOR_DMARCFAIL 5.0
priority KAM_FROM_RAPTOR_DMARCFAIL 500
tflags KAM_FROM_RAPTOR_DMARCFAIL net
endif
endif
endif
endif
else
#Older systems without the DMARC Plugin - Less accurate
ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
tflags __KAM_DMARC_POLICY_NONE net
askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
tflags __KAM_DMARC_POLICY_QUAR net
askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
tflags __KAM_DMARC_POLICY_REJECT net
askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
tflags __KAM_DMARC_POLICY_DKIM_STRICT net
#Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
score KAM_DMARC_STATUS 0.01
tflags KAM_DMARC_STATUS net
meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 3.0
tflags KAM_DMARC_REJECT net
meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 1.5
tflags KAM_DMARC_QUARANTINE net
meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
tflags KAM_DMARC_NONE net
endif
endif
endif
endif
#OLE/VB MACROs
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# increase number of mime parts checked
olemacro_num_mime 10
olemacro_max_file 2048000
# skip psd and other files from macro checks
olemacro_skip_exts (?:dotx|potx|ppsx|pptx|psd|sldx|xltx|oxps)$
if (version >= 3.004005)
body KAM_OLEMACRO eval:check_olemacro()
describe KAM_OLEMACRO Attachment has an Office Macro
score KAM_OLEMACRO 7.5
body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
score KAM_OLEMACRO_MALICE 10.0
body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
score KAM_OLEMACRO_ENCRYPTED 3.0
#This may cause more CPU usage
olemacro_extended_scan 1
olemacro_exts ((?:doc|docx|dot|one|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
score KAM_OLEMACRO_RENAME 2.5
meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
score GB_OLEMACRO_REN_VIR 10
if (version >= 3.004006)
if (version >= 4.000000)
# olemacro_download_marker ((?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)|SysWow.{1,15}\s.{1,5}RETURN|RET.{1,4}URN.{1,25}\.exe)
olemacro_download_marker ((?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)|SysWow.{1,15}\s.{1,5}RETURN|RET.{1,4}URN.{1,25}\.exe|powershell\s+Invoke\-WebRequest)
endif
#NO good reason to add a "cmd.exe" invocation inside an Excel file.
body GB_OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
describe GB_OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
score GB_OLEMACRO_DOWNLOAD_EXE 10
endif
endif
body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
score KAM_OLEMACRO_ZIP_PW 2.0
body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
describe KAM_OLEMACRO_CSV Macro in csv file
score KAM_OLEMACRO_CSV 5.0
#meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
#describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
#score KAM_OLEMACRO_ZIP_PW_NOMID 5.0
meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
score KAM_OLEMACRO_ZIP_BOT 5.0
if (version >= 4.000000)
if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olemacro_redirect_uri)
body OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
describe OLEMACRO_URI_TARGET Code inside the Office doc that tries to redirect to an uri
score OLEMACRO_URI_TARGET 0.001
endif
if can(Mail::SpamAssassin::Plugin::OLEVBMacro::has_olertfobject)
body OLEMACRO_RTF eval:check_olertfobject()
describe OLEMACRO_RTF Rtf file embedded in an Office document
score OLEMACRO_RTF 0.01
endif
endif
endif
#Testing Rule for Subject Prefixes - See note 58397
#if can(Mail::SpamAssassin::Conf::feature_subjprefix)
# enlist_addrlist (INTERNAL) *@pccc.com
# header __FROM_INTERNAL eval:check_from_in_list('INTERNAL')
#
# meta EXTERNAL (!__FROM_INTERNAL)
# describe EXTERNAL External users to PCCC Test Rule
# score EXTERNAL 0.001
# subjprefix EXTERNAL [EXTERNAL]
#endif
#Testing Rule for NoSubject Rules - See note 58246
#if (version >= 3.004003)
# #SHOULD HIT
# body NOSUBJECT_TEST_HIT /example/i
# describe NOSUBJECT_TEST_HIT This should hit on an email with example in the subject but not in the body because subjects are automatically prepending for testing.
#
# #SHOULD NOT HIT
# body NOSUBJECT_TEST_FAIL /example/i
# describe NOSUBJECT_TEST_FAIL This should NOT hit on an email with example in the subject not not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
# tflags NOSUBJECT_TEST_FAIL nosubject
#endif
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::HashBL
# BTC address present in BTC blocklist
# thanks to Henrik Krohns for the regexp
body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
priority BTC_HASHBL_BLACK -100
tflags BTC_HASHBL_BLACK net
describe BTC_HASHBL_BLACK Message contains BTC address found on BTC blocklist
score BTC_HASHBL_BLACK 8.0
endif
endif
#Testing of HASHBL Additions - Note 58246
if (version >= 3.004003)
#LAUNCH PCCC WILD RBL
ifplugin Mail::SpamAssassin::Plugin::HashBL
rbl_headers EnvelopeFrom,Reply-To,Resent-from,X-Sender,X-Source-IP
# mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)
header PCCC_HDR_MARKETINGBL eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32')
describe PCCC_HDR_MARKETINGBL Address in email headers associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_MARKETINGBL net
score PCCC_HDR_MARKETINGBL 0.001
priority PCCC_HDR_MARKETINGBL -100
header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To,Resent-from')
describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_REPLYTO net
score PCCC_HDR_REPLYTO 7.5
priority PCCC_HDR_REPLYTO -100
# compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
header PCCC_SENDER_COMPROMISED eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
describe PCCC_SENDER_COMPROMISED Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_SENDER_COMPROMISED net
score PCCC_SENDER_COMPROMISED 2.0
priority PCCC_SENDER_COMPROMISED -100
# compromised domain found in received headers
header PCCC_RECEIVED_HDR_COMPROMISED eval:check_rbl_rcvd('pccc-rcvd', 'wild.pccc.com.', '127.0.1.2')
describe PCCC_RECEIVED_HDR_COMPROMISED Compromised domain found in received headers found on PCCC WILD RBL (https://raptor.pccc.com/RBL)
tflags PCCC_RECEIVED_HDR_COMPROMISED net
score PCCC_RECEIVED_HDR_COMPROMISED 2.0
priority PCCC_RECEIVED_HDR_COMPROMISED -100
# dns server of From address found on PCCC WILD RBL
header PCCC_FROM_BAD_NS eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
describe PCCC_FROM_BAD_NS DNS server of From address found on PCCC WILD RBL (https://raptor.pccc.com/RBL)
tflags PCCC_FROM_BAD_NS net
score PCCC_FROM_BAD_NS 2.0
priority PCCC_FROM_BAD_NS -100
# Freemail address in Reply-To header found on PCCC HashBL
# this rule needs 99_hashbl.cf to work
header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To,Resent-from', '^127\.', 'freemail')
describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_FREEMAIL net
score PCCC_HASHBL_FREEMAIL 4.5
priority PCCC_HASHBL_FREEMAIL -100
# Email address in X-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SEND net
score PCCC_HASHBL_EMAIL_SEND 3.5
priority PCCC_HASHBL_EMAIL_SEND -100
# Email address in X-SRS-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL_SRS eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-SRS-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SRS Message contains srs email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SRS net
score PCCC_HASHBL_EMAIL_SRS 1.5
priority PCCC_HASHBL_EMAIL_SRS -100
# Email address in email headers found on PCCC HashBL
header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5')
describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL net
score PCCC_HASHBL_EMAIL 2.5
priority PCCC_HASHBL_EMAIL -100
# Email address in custom email headers found on PCCC HashBL
header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Resent-from/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_HDR_EMAIL net
score PCCC_HASHBL_HDR_EMAIL 3.5
priority PCCC_HASHBL_HDR_EMAIL -100
# Short URL in PCCC HashBL found
header PCCC_HASHBL_SHORT_URI eval:check_hashbl_uris('wild.pccc.com', 'md5', '^127\.0\.1\.4')
describe PCCC_HASHBL_SHORT_URI Message contains short URI found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_SHORT_URI net
score PCCC_HASHBL_SHORT_URI 9.5
priority PCCC_HASHBL_SHORT_URI -100
if (version >= 4.000000)
header __GB_LISTID List-ID =~ /(?:^|\s)(?<LISTID>.{1,64})$/
header PCCC_HASHBL_LISTID eval:check_hashbl_tag('wild.pccc.com', 'md5', 'LISTID', '^127\.0\.0\.5')
describe PCCC_HASHBL_LISTID Message contains List-ID found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_LISTID net
score PCCC_HASHBL_LISTID 9.0
priority PCCC_HASHBL_LISTID -100
endif
endif
endif
#END of TEST OF HASHBL ADDITIONS
#LABEL
# SUBJ
header __KAM_LABEL1 Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting|tailor)/i
# MEET
body __KAM_LABEL2 /meet (you )?at your (home|office)|quick lead time/i
# CUSTOM
body __KAM_LABEL3 /(custom.?tailored|make custom) (shirts|sports|jackets|suits)/i
# SHIRTS /WARDROBE
body __KAM_LABEL4 /(suits start at \$|shirts at \$|upgrad(e|ing) your wardrobe)|refreshing your work wardrobe/i
# FABRIC
body __KAM_LABEL5 /(premier|top|luxury) (clothing|fabric)|fortune 500/i
# LABEL
body __KAM_LABEL6 /\| Label|Company, Label,/i
meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + __KAM_LABEL3 + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 >= 6)
describe KAM_LABEL Tailored clothier spam
score KAM_LABEL 9.0
#RBLOBFU
body __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
body __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i
meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
describe KAM_RBL_OBFU Spammers obfuscating their domain and abusing freemail
score KAM_RBL_OBFU 12.0
meta KAM_RBL_OBFU2 __KAM_RBL_OBFU3
describe KAM_RBL_OBFU2 Spammers obfuscating their domain
score KAM_RBL_OBFU2 9.0
#Shady CC's
body __KAM_SHADYCC1 /(transactions?|purchases?) from your (online store|web-?shop)/i
header __KAM_SHADYCC2 Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
body __KAM_SHADYCC3 /(four|4) of (my|the) (master)?card/i
body __KAM_SHADYCC4 /(detailed|full) statement/i
meta KAM_SHADYCC (__KAM_SHADYCC1 + __KAM_SHADYCC2 + __KAM_SHADYCC3 + __KAM_SHADYCC4 >= 4)
describe KAM_SHADYCC Scam predicated around reporting fraudulent purchase
score KAM_SHADYCC 6.0
#Expo Scams
header __KAM_EXPOPIRATE1 Subject =~ /Hotel Booking/i
body __KAM_EXPOPIRATE2 /Business Traveller/i
meta KAM_EXPOPIRATE (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2)
describe KAM_EXPOPIRATE Scam Pirates trying to Hijack Event Hotel Bookings
score KAM_EXPOPIRATE 4.5
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#Domain Expiry Scams
header __KAM_DOMAINEXPIRY1 Subject =~ /Domain.*Expiration/i
body __KAM_DOMAINEXPIRY2 /Attached letter/i
meta KAM_DOMAINEXPIRY (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
describe KAM_DOMAINEXPIRY Domain Expiration Scams
score KAM_DOMAINEXPIRY 4.5
#Payment Scams
header __KAM_PAYMENTSCAM1 Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
body __KAM_PAYMENTSCAM2 /attached (payment|herewith)|ready for release/i
mimeheader __KAM_PAYMENTSCAM3 Content-Type =~ /\.doc/i
full __KAM_PAYMENTSCAM4 /\{\\rtf/
meta KAM_PAYMENTSCAM (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
describe KAM_PAYMENTSCAM Payment Scams with Malware Payloads
score KAM_PAYMENTSCAM 6.5
meta KAM_PAYMENTSCAM2 (DEAR_BENEFICIARY + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
describe KAM_PAYMENTSCAM2 Payment scams
score KAM_PAYMENTSCAM2 4.5
#Password Scams
body __KAM_PASSWORDSCAM1 /pass word/i
meta KAM_PASSWORDSCAM (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
describe KAM_PASSWORDSCAM Password extortion spams
score KAM_PASSWORDSCAM 6.0
endif
#Training Scams
header __KAM_TRAINING1 Subject =~ /mandatory.*training/i
body __KAM_TRAINING2 /intranet|training calendar/i
body __KAM_TRAINING3 /Human Resources/i
meta KAM_TRAINING (__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
describe KAM_TRAINING Training Phishing
score KAM_TRAINING 4.5
#Trump Medicare
header __KAM_MEDICARE2_1 Subject =~ /Trump Medicare/i
meta KAM_MEDICARE2 __KAM_MEDICARE2_1 >= 1
describe KAM_MEDICARE2 Medicare Scams
score KAM_MEDICARE2 2.0
#Water hack
header __KAM_WATERHACK1 Subject =~ /Water Hack/i
body __KAM_WATERHACK2 /water hack/i
meta KAM_WATERHACK (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
describe KAM_WATERHACK Diet Scams
score KAM_WATERHACK 5.0
#Web forms used to submit shortened urls
header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
meta GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && KAM_SHORT && FREEMAIL_FROM )
describe GB_WEBFORM Webform with url shortener
score GB_WEBFORM 2.0
#Sendgrid Exploits
#thanks to Chip for another Spample on 2020-03-07
header __KAM_SENDGRID1 EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
header __KAM_SENDGRID1A Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
header __KAM_SENDGRID2 Received =~ /ismtp.*?.sendgrid\.net|outbound\-mail\.sendgrid\.net \[/i
meta KAM_SENDGRID ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
describe KAM_SENDGRID Sendgrid being exploited by scammers
score KAM_SENDGRID 1.50
header __KAM_EDU_FROM From:addr =~ /\.edu$/i
header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
header __KAM_SENDGRID4 From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
meta KAM_SENDGRID2 ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
describe KAM_SENDGRID2 Sendgrid being exploited by scammers
score KAM_SENDGRID2 2.0
#Political (and T-shirt Spam)
header __KAM_2020_1 Subject =~ /Re-?elect Trump|(Guinea pig|science|funny|election|christmas|personalized|mission|collection|engineer|teacher|fishing|jesus|202\d) (tee|(t|tee)( |-)?shirt)|ginsburg shirt|officially licensed|check out our new collection|let.?s go brandon|support truckers|freedom convoy/i
header __KAM_2020_1A From:name =~ /(T|Tee).?shirt|Tee4u/i
#removing (Tee|T)-?shirt for FPs
body __KAM_2020_2 /printed in the US|stink stank stunk|officially licensed|star wars|funny (guinea pig|science|tee|teacher|fishing|halloween)|\d+ designs|let.?s go brandon|blood of jesus|support truckers|freedom convoy/i
tflags __KAM_2020_2 nosubject
uri __KAM_GOOGLE_FORM /docs\.google\.com\/form/i
meta KAM_2020 ((__KAM_2020_1 + __KAM_2020_1A >=1) + __KAM_2020_2 + (__KAM_GOOGLE_FORM + KAM_SHORT >= 1) + FREEMAIL_FROM >= 3)
describe KAM_2020 Political (and Tshirt???) Spams - Vote for KAM & Pedro - donate today at www.mcgrail.com
score KAM_2020 7.0
#WeTransfer Spam
uri __KAM_WETRANSFER1 /wetransferfiledownload|\?email=|redirecturl/i
header __KAM_WETRANSFER2 From:name =~ /WeTransfer/i
header __KAM_WETRANSFER3 From:addr !~ /wetransfer\.com/i
header __KAM_WETRANSFER4 Subject =~ /via WeTransfer/i
meta KAM_WETRANSFER (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
score KAM_WETRANSFER 6.0
describe KAM_WETRANSFER WeTransfer Impersonators
#Grey Eagle
header __KAM_GREYEAGLE_1 From =~ /greyeagle|funding|capital|banking|lending/i
body __KAM_GREYEAGLE_2 /grey eagle funding/i
meta KAM_GREYEAGLE (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
describe KAM_GREYEAGLE Spammy Funding Company w/lots of Domains
score KAM_GREYEAGLE 10.0
#Google Storage APIs
uri __KAM_STORAGE_GOOGLE /storage\.googleapis\.com|\.web\.app\//i
meta KAM_STORAGE_GOOGLE ( __KAM_STORAGE_GOOGLE && !__URI_GOOG_STO_IMG )
describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
score KAM_STORAGE_GOOGLE 1.70
uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i
describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud
score GB_URI_FLEEK_STO_HTM 4.25
tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5
uri GB_URI_BACKBLAZE_HTM m,^https?://(?:\w+.s3.\w{2}\-\w+\-|\w)\d{3}\.backblazeb2\.com/.*\.html?,i
describe GB_URI_BACKBLAZE_HTM Html file stored on Backblaze
score GB_URI_BACKBLAZE_HTM 4.25
tflags GB_URI_BACKBLAZE_HTM multiple maxhits=5
#Spam Du Jour
header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
body __KAM_DUJOUR2 /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
tflags __KAM_DUJOUR2 nosubject
header __KAM_DUJOUR3 From =~ /(Probio|Tinnitus|Reflux|CVS)/i
meta KAM_DUJOUR (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
describe KAM_DUJOUR Spam of the Day hocking various products
score KAM_DUJOUR 4.5
#QUINFORCE
body __KAM_QUINFORCE1 /q.?u.?i.?n.?f.?o.?r.?c.?e/i
meta KAM_QUINFORCE1 (__KAM_QUINFORCE1 >= 1)
describe KAM_QUINFORCE1 Obfuscating spamming firm
score KAM_QUINFORCE1 6.0
#SPAMDUJOUR
body __KAM_CBD1 /(Prosper|Meridian) CBD/i
header __KAM_CBD2 From:name =~ /CBD/i
meta KAM_CBD (__KAM_CBD1 + __KAM_CBD2 + __KAM_OTHER_BAD_TLD2 >= 2)
describe KAM_CBD Spam du jour for CBD
score KAM_CBD 4.5
#COVID SCAMS
body __KAM_COVID1 /International Monetary fund|world health organization|empowerment fund/i
header __KAM_COVID2 Subject =~ /COVID?.{0,12}(payment|fund)/i
body __KAM_COVID3 /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
tflags __KAM_COVID3 nosubject
header __KAM_COVID4 From =~ /COVID|world ?Health|WHO/i
body __KAM_COVID5 /00 ?(EUR|USD|Dollar)/i
meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
describe KAM_COVID Scams revolving around the pandemic
score KAM_COVID 6.0
#COVID SCAMS
body __KAM_COVID2_1 /COVID-19 (CHARITY )?(fund|donated relief)/i
tflags __KAM_COVID2_1 nosubject
header __KAM_COVID2_2 Subject =~ /(little|COVID-19) (fund|donation)/i
meta KAM_COVID2 (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
describe KAM_COVID2 Scams revolving around the pandemic
score KAM_COVID2 7.5
#COVID SCAMS
body __KAM_COVID3_1 /Prince/i
body __KAM_COVID3_2 /reliable source/i
body __KAM_COVID3_3 /\$[\d\.,]+ mil/i
body __KAM_COVID3_4 /assist me/i
body __KAM_COVID3_5 /Saudi Arabia/i
meta KAM_COVID3 (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
describe KAM_COVID3 Scams revolving around the pandemic
score KAM_COVID3 7.5
#URI
uri __KAM_VM1 /storage.googleapis.com\/.*?htm|appspot\.com|safesend\.|\/api\/v1\/click\|\.sharepoint\.com\/personal\/|evernote\.com|github\.io|netlify\.app|sendgrid\.net|dynamics\.com/i
#Subject or FROM
header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File|voice note duration|voice-audio|telephone vm|portal/i
header __KAM_VM2A From =~ /-xxxx|tele-mail/i
#Body
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
#VOICEMAIL SCAM
replace_rules __KAM_VM3
body __KAM_VM3 /(Voice.?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail|Virtual <O1>ffice Extens<I1>on)|ca<L1><L1>er left you a message|play voice/i
tflags __KAM_VM3 nosubject
endif
body __KAM_VM4 /recorded voice|audio message|Caller.?id|CID:|mailbox \d|sign document|new vm on/i
tflags __KAM_VM4 nosubject
#Content Type
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?$/i
endif
meta KAM_VM (__KAM_VM1 + (__KAM_VM2A + __KAM_VM2 >= 1) + __KAM_VM3 + __KAM_VM4 + __KAM_VM5 + KAM_RAPTOR_EXTERNAL >= 4)
score KAM_VM 5.5
describe KAM_VM Voice Mail & Fax Scams
meta KAM_VM_HTML (KAM_VM + __KAM_VM5 >= 2)
describe KAM_VM_HTML Likely Phish for VM
score KAM_VM_HTML 3.0
#Admin Notice Fraud
header __KAM_ADMIN1 From =~ /admin/i
header __KAM_ADMIN2 Subject =~ /For /i
body __KAM_ADMIN3 /next tax return/i
body __KAM_ADMIN4 /read this document/i
meta KAM_ADMIN (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
describe KAM_ADMIN Phishing attempt spoofing admins
score KAM_ADMIN 9.0
#BENEFICIARY
header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|\bcc\b|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general|Investment|shipment|indicate your interest/i
#what
#removed fund(\b|$) on 1/12
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_BENEFICIARY2
body __KAM_BENEFICIARY2 /consignment|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft|funding of your business/i
tflags __KAM_BENEFICIARY2 nosubject
endif
#bus
body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check|invest(ment)? in your country|abandoned shipment/i
#bus fp
body __KAM_BENEFICIARY3A /(e\-|ELECTRONIC )TICKET RECeipt/i
#where
body __KAM_BENEFICIARY4 /(Ghana|\b(?:South\s)?Africa\b|China|Greece|Estonia|United kingdom|foreign|(your|my) country\b|\bBenin\b|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|\bSyria\b|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general/i
#how much
body __KAM_BENEFICIARY5 /\d{1,32} ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune|by proxy|\d million|investment in your country/i
#sob
body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete|Diplomat from|seized all my/i
meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6) && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)
describe KAM_BENEFICIARY Beneficiary scams
score KAM_BENEFICIARY 10.5
meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1 && (__KAM_BENEFICIARY3A + EXTRACTTEXT <= 0)
describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
score KAM_BENEFICIARYLOW 6.0
#NPO
body __KAM_NPO1 /501\(?c\)?\(?3\)?|501 c 3/i
#BENEFICIARY
meta KAM_BENEFICIARY2 (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
describe KAM_BENEFICIARY2 Beneficiary scams
score KAM_BENEFICIARY2 3.0
#Person Beneficiary
body __KAM_BENEFICIARY3_1 /Mikhail Fridman/i
header __KAM_BENEFICIARY3_2 From =~ /Mikhail Fridman/i
uri __KAM_BENEFICIARY3_3 /www.rt.com/i
meta KAM_BENEFICIARY3 (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3)
describe KAM_BENEFICIARY3 Beneficiary scams
score KAM_BENEFICIARY3 4.5
#Did you get my message?
header __KAM_DIDYOUSUBJ Subject =~ /Did you (receive it|get my message)/i
body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
tflags __KAM_DIDYOUBODY nosubject
#Blank Subject
header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
describe KAM_BLANKSUBJECT Message has a blank Subject
score KAM_BLANKSUBJECT 0.25
#Job
#what
header __KAM_JOB2_1 Subject =~ /doing the job/i
body __KAM_JOB2_2 /represent the company/i
#Where
body __KAM_JOB2_3 /Singapore/i
#how much
body __KAM_JOB2_4 /\d,?000 USD (monthly|weekly)/i
meta KAM_JOB2 (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
describe KAM_JOB2 Employment scams
score KAM_JOB2 7.5
#WEB
#subject
header __KAM_WEB2_1 Subject =~ /follow|next step|web(site)? (analysis|builder|design|work)|crazy offer|cRM solution|CMS|worrdpress|inquiry web.?site|prices|developing mobile innovation|new web|develoment|web development offer/i
#price or person - purposefully looks at subject too
body __KAM_WEB2_2 /(inexpensive|affordable) (quot|price)|cheap website|less than half|free of cost|low package price|indian web.?design|\(India\)|i am a professional|team of experts|i am from india|development company|developer from India/i
#product
body __KAM_WEB2_3 /web(site)? (design|develop)|(better|new|refreshed) website|website audit|fresh look|redesign your website|mobile application devel|redesign your existing web|apps solution/i
tflags __KAM_WEB2_3 nosubject
#sample/offer
body __KAM_WEB2_4 /portfolio|sample|insights|special offer|page 1|(any|your) requirements|anything you can imagine|send you a quote|share a few example|you'?re? requirement|share your requirement|discuss how I can assist/i
tflags __KAM_WEB2_4 nosubject
meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
describe KAM_WEB2 Unsolicited web workers
score KAM_WEB2 7.5
#BANK
header __KAM_BANK_1 Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations|d\x{C3}\x{A9}p\x{C3}\x{B4}t direct/i
body __KAM_BANK_2 /beneficiary|agent|investment group|deceased|\x{C3}\x{A9}viter tout inconv\x{C3}\x{A9}nient/i
body __KAM_BANK_3 /re\-?verification|clearance tax|possible funding|same last name|nominated bank account|mes informations bancaires/i
meta KAM_BANK (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
describe KAM_BANK Bank scams
score KAM_BANK 7.5
meta KAM_BANK2 (LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 3)
describe KAM_BANK2 Bank scams
score KAM_BANK2 3.0
#FAKE CERTIFICATES
header __KAM_CERT1 Subject =~ /Medical Certificate/i
body __KAM_CERT2 /review this certificate/i
body __KAM_CERT3 /link below/i
meta KAM_CERT (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
describe KAM_CERT Fake Certificate Scams
score KAM_CERT 4.5
#URGENT
header __KAM_URGENT1 Subject =~ /^Hello$/i
body __KAM_URGENT2 /urgent respond/i
body __KAM_URGENT3 /private e?mail/i
body __KAM_URGENT4 /god bless/i
body __KAM_URGENT5 /address still valid/i
meta KAM_URGENT ( __KAM_URGENT1 + __KAM_URGENT2 + __KAM_URGENT3 + __KAM_URGENT4 + __KAM_URGENT5 >= 5)
describe KAM_URGENT Urgent Scams
score KAM_URGENT 7.5
#INVESTMENT
header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent\b|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest|^proposal$/i
#looking/why
body __KAM_INVEST2 /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance|investment officer/i
#money/deal
body __KAM_INVEST3 /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|ROI|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
#what/where
body __KAM_INVEST4 /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|non.?european|your country|outside UAE/i
tflags __KAM_INVEST4 nosubject
meta KAM_INVEST ( (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4) && !EXTRACTTEXT )
describe KAM_INVEST Investment Scams
score KAM_INVEST 6.0
#SIGNON
header __KAM_SIGN1 Subject =~ /New Sign-?[io]n/i
body __KAM_SIGN2 /review your account/i
body __KAM_SIGN3 /verification is processed/i
meta KAM_SIGN (KAM_STORAGE_GOOGLE + __KAM_SIGN1 + __KAM_SIGN2 + __KAM_SIGN3 >= 4)
describe KAM_SIGN Sign-in Verification Scams
score KAM_SIGN 6.0
#COVID SPAM
header __KAM_WEIRDC19_1 Subject =~ /The virus that causes COVID-19/i
header __KAM_WEIRDC19_2 From =~ /John Robert/i
body __KAM_WEIRDC19_3 /The virus that causes COVID-19/i
tflags __KAM_WEIRDC19_3 nosubject
meta KAM_WEIRDC19 (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
describe KAM_WEIRDC19 Odd Covid-19 spam with information
score KAM_WEIRDC19 7.5
#PRODUCT DUJOUR
header __KAM_CELEB1 Subject =~ /Celebrity Doc/i
body __KAM_CELEB2 /resugar/i
body __KAM_CELEB3 /fat.burning/i
meta KAM_CELEB (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
describe KAM_CELEB Celebrity Health Scams
score KAM_CELEB 4.5
#BEAL AND SIMILAR IMPERSONATOR
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# remove Daram Van Oers temporarily
replace_tag KAM_BEAL_NAMES (?:(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? (K\.? )?Surprise|(mike|michael) Charvat|Sheryl( Brissett)? Chapman|Sheryl Brissett|Janet Smith|Jeff Gardner|Geoff(rey)? White|Jason Davis|Al Nance|Laura (C\.? )?Leach|Guy Neitz|Michael Rowland|Brenda MacDonald|Pat(rick)? (A\. )?Campfield|Toni Kerns|Tina L. Berger|Robert T. Lalka|Karen Holmes|Richard Manship|WILLIAM HYATT|Alex DiJohnson|Mike Rinaldi|Patrick Augustine|Randy Livingston|Michael Schoor|Amy Millar|Gino Renne|Edward Kroman|Bill Stynes|Ralph Belk|gino renne|scott allen|Paula Sherman|Peter Turcik|Chip Anastasi|erik howard|Dyana Forester|Ryan Gardner|Yvan (cote|C\x{C3}\x{B4}t\x{C3}\x{A9}|C\x{C3}\x{83}\x{C2}\x{B4}t\x{C3}\x{83}\x{C2}\x{A9})|morris adler|Gary (A. )?Smith|Peggy White|Sunny Kim|Jayran Farzanega|Kristin Kirkpatrick|Michael Davison|John Meis|Mitchell Forbes|Kate Syson|Bryan Plumlee|Janet Smith|Christian Gardner|Calvin Johnson|rick cole|(James A.|Andy) Sheppard|M?athieu Fournier|Aaron Rash|William Schoor|Morris Adler|Paul Lefebvre|Bobby Boursiquot|Josepth Cimino|Victor (M.?)? Glasberg|Joseph Cimino)
replace_rules __KAM_BEAL1 __KAM_BEAL3 __KAM_NOT_BEAL3
#from
header __KAM_BEAL1 From:name =~ /<KAM_BEAL_NAMES>|TIME.?SENSITIVE|HASTE.?FEEDBACK|one.?moment|Urgent.?(message|task)|QUICK RESPONSE|REQUEST|TIMELY RESPONSE/i
#in addition to freemail
header __KAM_BEAL2 From:addr =~ /\@.+\.rr\.com|\@mail\.ru|\@.*\.cz|\@cox\.net/i
#Name
body __KAM_BEAL3 /<KAM_BEAL_NAMES>/i
body __KAM_NOT_BEAL3 /((From|Cc|To)\:\s+).*<KAM_BEAL_NAMES>/i
# Task
#removed personal (email|text phone|cell|number) on 7/31/2024 for FP
body __KAM_BEAL4 /(reply with|forward|send me|let me have|give me|drop) +your (Cell|Mobile|text)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request|assistance)|(handle|make) (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out|task done) ASAP|available at the moment|(desk|moment) right now|get some .{0,10}gift card|(run a|important) task for me|certain task to be carried|purchase on my behalf|(urgent|Immediate) (Task|Assignment)|quickly on my behalf|variety of gift card|something important for me|carry out (urgently|swiftly)|codes electronically|make a payment|organiser le paiement|gifts for their hard|assist me with a task|quick favor|gift cards? for staff|process a payment via Zelle|request I need|purchase done on my behalf|take care of something|handle (some )?task quickly|(have|got) a moment|run an errand|are you in\?|purchase urgently|assignment for (me|you)|change my direct deposit|(leave|have|drop) your (phone )?number|(reply me with|confirm|drop|need|attach|email)( (me|with))? your (mobil|cell)|send me your text|get all the gifts purchase|direct deposit authorization form|list of all unpaid|can you get (?:this\s)?paid|help me with something|if (you are|you're) available|(send|drop) me your (direct|personal) (cell|phone)|free time for you|you available today|bancaires actuelles|ask you for a favor|get physical gift card|(include|confirm) your mobile|Task\!|CONFERENCE MEETING|cartes\-cadeaux|talk a little via email|surprise gift|account balances|in the office today|just respond to my email|send a cell number|aging report|complete an outstanding request|Visa, Apple or Amazon card|purchas(e|ing) these gifts on my behalf|souhaite modifier (?:le|mon\s+)?compte|(set up ACH for|take care of) the attached invoice|need you to take care of right now|in need of gift cards|what knowledge do you have of gift card|re-?confirm your personal cell|forward(ing)? your personal contact|provide your cell(phone) (no|number)|treasurer is unfamiliar with (Zelle|Paypal)|take care of this now|get your help today|delight some staff with gift.?card|Merci pour votre attention rapide|proceed with the payment via (wire|ACH)|aging report|do something for me right away|provide an alternate personal contact|(send me|give me|re\-?affirm|share)( with me)? your (personal )?(e.?mail|cell|num)|chat via email/i
# question / privacy
body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2|look forward to my text|are you (accessible|in the office|busy)|between you and I|closed-?door meeting|get something done|you\'re unoccupied|accurately|I can brief|in a (conference|meeting)|reimburse if personal|what details do you need|(do|handle) discreetly|confidentiality|keep this private|get to a nearby store|(let me know|confirm) if you (are available|can get it done)|no calls just reply|write me back|look out for my text|concise you about it|so much on your plate|let me know if you are free|trust you on this|worry about your reimburse|after the surprise|limited cell service|can you assist|convey a message|entrust you|not want to disclose this|planning a surprise event|confidential assignment|respond back via email|going into a meeting|no calls|reach you at|lookout to my message|dans la confidence|wait for my text|immediate assistance|swift discussion|an emergency|prompt (response|reply)|laryngitis|(let me know when|as soon as) you are available|limited access to phone|kindly send me emails|plan to surprise|reach you urgent|need a work done|give me a number|comme une surprise|no call, just write|ruin this surprise|currently in session|assistance with an assignment|where we stand with cash|help is needed with an assignment|secretly handle|calls are off.?limit|number I can contact you|it\'s now overdue|can you handle|email back regarding|executive meeting currently|engaged in a virtual meeting|limited to call|Puis(?:\-|\s)je envoyer .{8,32} maintenant|handle the payment today|(provide|include) your whatsapp number|middle of a conference|d\x{C3}\x{BB}\s+aupr\x{C3}\x{A8}s|I\'m currently unavailable to handle this myself|assistance in purchasing these gift|(watch|look|eye) ?out for my text|have any of these payment platform|please set up the vendor and make payment|handled confidentially|confidential until|in a virtual meeting|traiter pour paiement|before my next appointment|find the attached invoice|prompt attention to this request|in a long zoom|just for emergency purpose|appreciate your discretion|no access to phone/i
# oddlang
body __KAM_BEAL6 /sent from my ?mail|depuis mon smartphone|\- Forwarded Message \-|I\'ll need you run/i
meta KAM_BEAL (__KAM_BEAL1 + (__KAM_BEAL3 && ! __KAM_NOT_BEAL3) >= 1) && ((SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO + __KAM_BEAL2 + KAM_RAPTOR_EXTERNAL >= 1) + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 3) && !EXTRACTTEXT
describe KAM_BEAL IMPOSTER! Will the real Slim Shady, please stand up?
score KAM_BEAL 16.0
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_BEAL [Imposter]
endif
meta KAM_BEAL2 (__KAM_BEAL1 >= 1) && (__KAM_BEAL3 >= 1 && ! __KAM_NOT_BEAL3) && (KAM_RAPTOR_EXTERNAL + __KAM_BEAL4 + __KAM_BEAL5 + __KAM_BEAL6 >= 2) && (KAM_BEAL <= 0) && !EXTRACTTEXT
describe KAM_BEAL2 IMPOSTER! Will the real Slim Shady, please stand up?
score KAM_BEAL2 12.0
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_BEAL2 [Imposter]
endif
meta KAM_BEAL3 (__KAM_BEAL1 + __KAM_BEAL3 + FREEMAIL_FROM + KAM_RAPTOR_EXTERNAL >= 4) && ! KAM_BEAL && ! KAM_BEAL2
describe KAM_BEAL3 Likely Imposter email
score KAM_BEAL3 6.0
meta KAM_FREENEW_BEAL ( __KAM_BEAL1 && KAM_RAPTOR_EXTERNAL && KAM_RAPTOR_NEW && FREEMAIL_FROM ) && ! KAM_BEAL && ! KAM_BEAL2 && ! KAM_BEAL3
describe KAM_FREENEW_BEAL Likely Imposter email
score KAM_FREENEW_BEAL 1.5
endif
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
#EXTERNAL SENDER
header KAM_RAPTOR_EXTERNAL X-Raptor-External =~ /Yes/i
describe KAM_RAPTOR_EXTERNAL Raptor identified an External Sender
score KAM_RAPTOR_EXTERNAL 0.1
endif
#PROJECT
header __KAM_PROJECT1 Subject =~ /Project/i
body __KAM_PROJECT2 /business project/i
body __KAM_PROJECT3 /email is active/i
body __KAM_PROJECT4 /please respond/i
meta KAM_PROJECT (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
describe KAM_PROJECT Scam inquiries about amorphous projects
score KAM_PROJECT 6.0
#FAKEWESTERN
header __KAM_FAKEWEST1 Subject =~ /Attention/i
body __KAM_FAKEWEST2 /Western Union/i
body __KAM_FAKEWEST3 /United Nation/i
body __KAM_FAKEWEST4 /Wrong Transfer/i
body __KAM_FAKEWEST5 /0[\.,]?000[\.,]?00\s?USD/i
meta KAM_FAKEWEST (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
describe KAM_FAKEWEST Fake money Transfer Scam
score KAM_FAKEWEST 6.0
#FAKEDROPBOX
header __KAM_FAKEDROPBOX2_1 Subject =~ /on Dropbox/i
meta KAM_FAKEDROPBOX2 (__KAM_FAKEDROPBOX2_1 + KAM_SHORT + FREEMAIL_FROM >= 3)
describe KAM_FAKEDROPBOX2 Fake Dropbox Phish
score KAM_FAKEDROPBOX2 4.5
header __KAM_FAKEDROPBOX3_1 Subject =~ /new dropbox message/i
uri __KAM_FAKEDROPBOX3_2 /wp\-includes/i
meta KAM_FAKEDROPBOX3 (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
describe KAM_FAKEDROPBOX3 Fake Dropbox Phish
score KAM_FAKEDROPBOX3 6.0
#FAKEMONEYGRAM
header __KAM_FAKEMONEYGRAM1 From =~ /Money.?Gram/i
meta KAM_FAKEMONEYGRAM (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
describe KAM_FAKEMONEYGRAM Fake Moneygram Phish
score KAM_FAKEMONEYGRAM 5.5
#FAKESHAREPOINT - SEE FAKE_SHAREPOINT2 for Sexually explicit
header __KAM_FAKE_SHAREPOINT1 Subject =~ /(via|by) Sharepoint|payment reminder|shared|Request for Quot|urgent|far from you|unopened invoice/i
header __KAM_FAKE_SHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
uri __KAM_FAKE_SHAREPOINT3 /my\.sharepoint\.com/i
uri __KAM_FAKE_SHAREPOINT3A /appdomain\.cloud|discordapp\.com|netlify\.app/i
body __KAM_FAKE_SHAREPOINT4 /Sharepoint Fileshare|open.me.{0,3}asap|link will only work|our automated system noticed/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_SHAREPOINT5 Content-Type =~ /.html?\"?$/i
endif
# meta KAM_FAKE_SHAREPOINT (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + __KAM_FAKE_SHAREPOINT4 + KAM_SHORT >= 1) + __KAM_FAKE_SHAREPOINT5 >= 3)
meta KAM_FAKE_SHAREPOINT ( ( __KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + __KAM_FAKE_SHAREPOINT5 >= 2 ) && (__KAM_FAKE_SHAREPOINT3 + __KAM_FAKE_SHAREPOINT3A + __KAM_FAKE_SHAREPOINT4 + KAM_STORAGE_GOOGLE + KAM_SHORT + GOOG_REDIR_NOTRDNS >= 2 ) )
describe KAM_FAKE_SHAREPOINT Fake Sharepoint Phish
score KAM_FAKE_SHAREPOINT 6.0
#MORE FAKE SHAREPOINT BAD LINKS IN A SHAREPOINT MESSAGE
meta KAM_FAKE_SHAREPOINTLINK (__KAM_FAKE_SHAREPOINT1 + __KAM_FAKE_SHAREPOINT2 + (__KAM_FAKE_SHAREPOINT3A + KAM_STORAGE_GOOGLE + KAM_SHORT) >= 3) && !KAM_FAKE_SHAREPOINT
describe KAM_FAKE_SHAREPOINTLINK Fake Sharepoint Link Phish
score KAM_FAKE_SHAREPOINTLINK 4.5
#Fake document share
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
header __GB_SUBJ_DOC_FROM Subject =~ /^Document from/i
body __GB_SECURE_DOC /SECURED DOCUMENT/
meta GB_FAKE_SECURE_DOC ( KAM_RAPTOR_NEW && __GB_SECURE_DOC && __GB_SUBJ_DOC_FROM )
score GB_FAKE_SECURE_DOC 3.5
endif
#ENCRYPTED ZIP
body __KAM_BADZIP1 /attached (to email|document)|take a look|send this fax/i
body __KAM_BADZIP2 /Encrypted zip|File password/i
uri __KAM_BADZIP2A /drive.google.com.*export=download/i
body __KAM_BADZIP3 /(order|urgent|report|dialogue|reminder)/i
body __KAM_BADZIP4 /password:/i
meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
describe KAM_BADZIP Encrypted Zip File Indicating a Scam
score KAM_BADZIP 6.0
#VERIZON SCAM
header __KAM_VERIZON1 Subject =~ /verizon wireless security message/i
header __KAM_VERIZON2 From:name =~ /Verizon/i
header __KAM_VERIZON3 From:addr !~ /verizon/i
#What
body __KAM_VERIZON4 /Update required immediately/i
#how
body __KAM_VERIZON5 /update your account information/i
#Problem
body __KAM_VERIZON6 /deactivated/i
#Money
body __KAM_VERIZON7 /credit card|bank account/i
meta KAM_VERIZON (__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
describe KAM_VERIZON Fake Wireless account notices
score KAM_VERIZON 9.5
#Docusign SCAM
header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service|docusign document|please_complete_document|Complete via DocuSign/i
header __KAM_DOCUSIGN2 From:name =~ /docusign/i
header __KAM_DOCUSIGN2A From:name =~ /docusign|docshare/i
header __KAM_DOCUSIGN3 From:addr !~ /docusign/i
uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com|onedrive\.live\.com|\.linodeobjects\.com|\.oraclecloud\.com|\.cubbit\.eu/i
body __KAM_DOCUSIGN5A /scan the QR Code/i
body __KAM_DOCUSIGN5B /secure link to docusign/i
meta KAM_DOCUSIGN ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
describe KAM_DOCUSIGN Fake Document Signature account notices
score KAM_DOCUSIGN 4.5
meta KAM_DOCUSIGN_LOW (__KAM_DOCUSIGN1 + __KAM_DOCUSIGN4 >= 2)
describe KAM_DOCUSIGN_LOW Lower score Fake Document Signature Account Notice
score KAM_DOCUSIGN_LOW 3.0
meta KAM_DOCUSIGN_QR ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (__KAM_DOCUSIGN5A + __KAM_DOCUSIGN5B >= 2) >= 3)
describe KAM_DOCUSIGN_QR Qishing scam with Docusign
score KAM_DOCUSIGN_QR 4.5
ifplugin Mail::SpamAssassin::Plugin::URIDetail
header __GB_DOCUSIGN_TOPIC Thread-Topic =~ /Complete via DocuSign/i
body __GB_FAKE_DOCUSIGNB /review(?:\s+|\_)document|view (completed\s+)?document|document to review/i
uri_detail __GB_FAKE_DOCUSIGNU cleaned =~ /\.google\.(?:com|es|it|hu)|demo\.docusign\.net|\.pages\.dev|\.html/ text =~ /(?:review|view completed) document|review and sign|review document|view_doc/i
meta GB_FAKE_DOCUSIGN ( ( __KAM_DOCUSIGN2A + __GB_DOCUSIGN_TOPIC >= 1) && ( __KAM_DOCUSIGN3 || __GB_M365_SPAM ) && __GB_FAKE_DOCUSIGNB && ( __KAM_FAKE_EFAX4 || __GB_FAKE_DOCUSIGNU || GOOG_REDIR_DOCUSIGN || __GB_ANY_REDIR ) )
describe GB_FAKE_DOCUSIGN Fake Docusign email
score GB_FAKE_DOCUSIGN 6.0
endif
uri __GB_SHAREPOINT /\.sharepoint\.com\//i
meta GB_DOCUSIGN_G_SHARE ( GOOG_REDIR_DOCUSIGN && __GB_SHAREPOINT )
describe GB_DOCUSIGN_G_SHARE Google redirector to Docusign and a Sharepoint link
score GB_DOCUSIGN_G_SHARE 1.0
header __GB_FROM_MICROSOFT From:addr =~ /\@microsoft\.com/
meta GB_FAKE_SIGNED_MICROSOFT ( __GB_FROM_MICROSOFT && KAM_ONMICROSOFT_RF && DKIM_VALID_AU )
describe GB_FAKE_SIGNED_MICROSOFT Fake Microsoft signed emails
score GB_FAKE_SIGNED_MICROSOFT 3.0
#Client Fake Invoice
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_FAKEINV1 From =~ /headoffice/i
header __KAM_FAKEINV1A Reply-to =~ /no.?reply\@/i
body __KAM_FAKEINV2 /dearest client/i
mimeheader __KAM_FAKEINV3 Content-Type =~ /.xls\"?$/i
meta KAM_FAKEINV ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
describe KAM_FAKEINV Fake Customer Invoices
score KAM_FAKEINV 4.5
endif
#IMAGE ONLY
meta KAM_IMAGEONLY ( PDS_OTHER_BAD_TLD && HTML_IMAGE_ONLY_08 )
describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image
score KAM_IMAGEONLY 0.75
#HOLIDAY 2020 GIFTS
header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
body __KAM_HOLIDAY2020_2 /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
tflags __KAM_HOLIDAY2020_2 nosubject
header __KAM_HOLIDAY2020_3 From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i
meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
describe KAM_HOLIDAY2020 Holiday Gifts 2020 Spam
score KAM_HOLIDAY2020 4.0
#GOOGLE FORM
uri __KAM_GOOGLEFORM_1 /docs\.google\.com\/forms\//i
body __KAM_GOOGLEFORM_2 /Untitled|Formulaire sans titre/i
body __KAM_GOOGLEFORM_3 /foundation is donating/i
meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
describe KAM_GOOGLEFORM Untitled or Spam Google Form
score KAM_GOOGLEFORM 4.0
header __GB_RETPATH_GOOG_TRIX Return-Path =~ /\@trix\.bounces\.google\.com/
meta GB_RETPATH_GOOG_TRIX ( __GB_RETPATH_GOOG_TRIX && !ENVFROM_GOOG_TRIX )
describe GB_RETPATH_GOOG_TRIX Email from Google subdomain being abused by spammers
score GB_RETPATH_GOOG_TRIX 1.00
#BENEFICIARY FAKE FORM
body __KAM_DISCLOSE1 /enable me disclose|indicate your? interest|something important/i
meta KAM_FAKEFORM ((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
describe KAM_FAKEFORM Fake Form for Scams
score KAM_FAKEFORM 4.0
#2ND AMMENDMENT
body __KAM_2ND_1 /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
body __KAM_2ND_2 /2nd am?mendment|concealed carry|right to carry/i
header __KAM_2ND_3 From =~ /2nd amm?endment|Concealed/i
meta KAM_2ND ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
describe KAM_2ND Political / 2nd Ammendement Spam
score KAM_2ND 4.5
#SPAM DU JOUR - MASKS
body __KAM_KN_1 /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
tflags __KAM_KN_1 nosubject
body __KAM_KN_2 /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
tflags __KAM_KN_2 nosubject
header __KAM_KN_3 Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
header __KAM_KN_4 From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i
meta KAM_KN (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
describe KAM_KN Spam Du Jour for Masks
score KAM_KN 4.5
#SPAM DU JOUR - BAD CREDIT
body __KAM_BADCRED_1 /bad credit/i
tflags __KAM_BADCRED_1 nosubject
header __KAM_BADCRED_2 Subject =~ /bad credit.*off track/
meta KAM_BADCRED (__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
describe KAM_BADCRED Spam Du Jour for Bad Credit
score KAM_BADCRED 3.0
#SPAM DU JOUR - SPO2
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_SPO2_2 __KAM_SPO2_3
body __KAM_SPO2_1 /pulse oximeter|touchless thermometer/i
body __KAM_SPO2_2 /C<O1>VID/i
tflags __KAM_SPO2_2 nosubject
header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
header __KAM_SPO2_4 From =~ /health|infrared|oximeter|Painless/i
meta KAM_SPO2 (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
describe KAM_SPO2 COVID Spams
score KAM_SPO2 4.5
endif
#SPAM DU JOUR - HEATED VEST
body __KAM_VEST1 /(heated|thermal) vest/i
tflags __KAM_VEST1 nosubject
header __KAM_VEST2 Subject =~ /stay toasty/i
header __KAM_VEST3 From =~ /thermal vest/i
meta KAM_VEST (__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
describe KAM_VEST Spam Du Jour for Vests
score KAM_VEST 4.5
#FAKE CVS
header __KAM_CVS1 From =~ /CVS Pharm/i
header __KAM_CVS1A From:addr !~ /\@cvs.com/i
body __KAM_CVS2 /CVS/
tflags __KAM_CVS2 nosubject
header __KAM_CVS3 Subject =~ /CVS Pharm/i
meta KAM_CVS ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
describe KAM_CVS Fake CVS Spams
score KAM_CVS 6.0
#HACKED EXPLOIT
body __KAM_HACK1 /(phone|electronic|computer) have been hacked|suspected online scam/i
body __KAM_HACK2 /read attached|click here for verification/i
body __KAM_HACK3 /save yourself|lead to your arrest/i
header __KAM_HACK4 From:name =~ /justice dep/i
meta KAM_HACK (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
describe KAM_HACK Hacker Exploitation Email
score KAM_HACK 4.5
#FAKE INVOICES
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_FAKEINV2_1 Subject =~ /lnv (remittance|\& check)/i
body __KAM_FAKEINV2_2 /(find|see) (the )?attach/i
body __KAM_FAKEINV2_3 /not mail the check|typeform\.com/i
mimeheader __KAM_FAKEINV2_4 Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i
meta KAM_FAKEINV2 (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
describe KAM_FAKEINV2 Fake Invoice Scams
score KAM_FAKEINV2 6.0
endif
#FAKE ADS
header __KAM_FAKEAD1 Subject =~ /brand medication|stubborn fat/i
body __KAM_FAKEAD2 /click here to UNSUBSCRIBE|start shopping|here\'s how/i
uri __KAM_FAKEAD3 /\/bit\.ly/i
body __KAM_FAKEAD4 /Sweet passion|no plastic surgery/i
meta KAM_FAKEAD (__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
describe KAM_FAKEAD Fake Advertisements
score KAM_FAKEAD 6.0
#FAKE REGISTRY SCAMS
body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))(chinanameregistry|china\-registry|domainregistryasia)(\.|\(dot\))(net|com)|www\(dot\)domainregistry\(dot\)org\(dot\)cn/i
uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i
meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
describe KAM_FAKE_REGISTRY Fake Domain Registry Scammers trying to get you to buy unneeded domains
score KAM_FAKE_REGISTRY 5.0
#FAKE Fax
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
endif
body __KAM_FAKE_FAX2 /(new|incoming) fax|fax received/i
header __KAM_FAKE_FAX3 Subject =~ /Fax|new (message|document)/i
body __KAM_FAKE_FAX4 /invoice|xerox scanner|recipient view only|click below to view your fax|refer to attachment/i
tflags __KAM_FAKE_FAX4 nosubject
uri __KAM_FAKE_FAX5 /\/s3\.|quarantine|myqcloud/i
meta KAM_FAKE_FAX ((T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX5 >= 1) + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
describe KAM_FAKE_FAX Fake Fax Scam
score KAM_FAKE_FAX 8.0
meta KAM_FAKE_FAX2 ( T_HTML_ATTACH + GB_BADJS + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX3 >= 4 ) && !KAM_FAKE_FAX
describe KAM_FAKE_FAX2 Fake Fax Scam
score KAM_FAKE_FAX2 8.0
#FAKE TRUST
body __KAM_FAKE_TRUST1 /Message is from a .{0,40}trusted source/i
meta KAM_FAKE_TRUST (__KAM_FAKE_TRUST1 >= 1 )
describe KAM_FAKE_TRUST Scams about trusted sources
score KAM_FAKE_TRUST 3.5
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#SHTML ATTACHMENT ADD TO T_HTML_ATTACH! - 2022-01-14
mimeheader __KAM_SHTML_ATTACH Content-Type =~ /\b(application\/octet-string|text\/html)\b.+\.shtml?\b/i
endif
#HTML ATTACHMENTS WITH FUNCTIONS AND EVALS
rawbody __GB_JS_UNESCAPE /document\.write(?:\s+)?\((?:\s+)?(?:atob|unescape|decodeURIComponent)|\=unescape\(.{1,10}\;document\.write|\=\s+atob\(|document\.createElement\(\"script\"/
rawbody __GB_JS_FUNCTION /(?:\=|\:)"?(?:function|eval)\(/
rawbody __GB_JS_OBFU /(?:script\s+src|onload)="?(?:\&\#x|data\:text\/javascript)|\<svg\s+onload\=|var\s+_0x[a-z0-9]{1,6}(?:\s+)?\=|window\.(?:atob|location|href)/
meta GB_BADJS ( ( __GB_JS_UNESCAPE || __GB_JS_FUNCTION || __GB_JS_OBFU ) && ( __KAM_SHTML_ATTACH || T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) )
describe GB_BADJS Bad html attachment
score GB_BADJS 4.0
#HTML FORM ATTACHED
rawbody __GB_HTML_FORM /\<form\s+.{1,250}(?:method\=|action\=|id\=).{0,100}>/is
meta GB_HTML_FORM ( __GB_HTML_FORM && ( T_HTML_ATTACH || T_OBFU_HTML_ATTACH || UNICODE_OBFU_ASC ) )
describe GB_HTML_FORM Html form attached
score GB_HTML_FORM 4.0
#FAKE INVOICE
header __KAM_FAKE_INVOICE1 Subject =~ /(remittance|payment) (receipt|advice)|past.?due|purchase order|(ACH|EFT) (remittance|payment)|invoice (\#|copy)|swift confirmation|overdue invoice|attached receipt|payment confirmation/i
body __KAM_FAKE_INVOICE2 /(remittance|Payment) (advice|confirmation|breakdown)|past due invoice|new pro.?forma|attach(ed|ment)|balance paid|proforma invoice/i
tflags __KAM_FAKE_INVOICE2 nosubject
meta KAM_FAKE_INVOICE ((T_HTML_ATTACH + __KAM_SHTML_ATTACH + KAM_RAPTOR_ALTERED + OLEMACRO_URI_TARGET >= 1) + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
describe KAM_FAKE_INVOICE Fake Invoice / Purchase Order Scam
score KAM_FAKE_INVOICE 6.4
#BAD PRODUCTS
header __KAM_BAD_PRODUCT1 Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
body __KAM_BAD_PRODUCT2 /Dolphin sealer|hotstreak plug|Rapid thaw tray/i
meta KAM_BAD_PRODUCT (__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
describe KAM_BAD_PRODUCT Spammy Products
score KAM_BAD_PRODUCT 3.0
#BAD LINK
uri __KAM_BAD_LINK1 /\.pdf\.iso$/i
meta KAM_BAD_LINK (__KAM_BAD_LINK1 >= 1)
describe KAM_BAD_LINK Potentially dangerous link in email
score KAM_BAD_LINK 10.0
#.WELL KNOWN
uri __KAM_WELL_KNOWN1 /\.well\-known\//i
meta KAM_WELL_KNOWN ( __KAM_WELL_KNOWN1 >= 1 )
describe KAM_WELL_KNOWN Link to .well-known directory found in email
score KAM_WELL_KNOWN 2.5
#BAD CITIZENS
header __KAM_FAKE_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
body __KAM_FAKE_CITIZEN2 /Important (message|Notice) From Citizens/i
uri __KAM_FAKE_CITIZEN3 /phpmailer|wp-admin/i
header __KAM_FAKE_CITIZEN4 From:name =~ /Citizens ?Bank/i
header __KAM_FAKE_CITIZEN5 From:addr !~ /citizen/i
meta KAM_FAKE_CITIZEN (__KAM_FAKE_CITIZEN1 + __KAM_FAKE_CITIZEN2 + (KAM_SHORT + __KAM_FAKE_CITIZEN3 + KAM_WELL_KNOWN >= 1) + __KAM_FAKE_CITIZEN4 + (__KAM_FAKE_CITIZEN5 + SPF_FAIL >= 1) >= 5)
describe KAM_FAKE_CITIZEN Fake Bank Alert Scam
score KAM_FAKE_CITIZEN 7.5
#BAD PRODUCTS
header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen (device|gadget)|butter knive|small penis|make you bigger|(explosive|increase) size|ACs|Wifi Booster|anti.?snore|visceral fat|solar ?bright|mini a\/?c|portable (cooler|air.?condition)|keep cool|wife.caught|banned technique/i
body __KAM_PRODUCT2_2 /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen (device|gadget)|Better Butter|(elongation|growth) secret|savage.?grow|coolair|Wifi Booster|sleeplab|belly.flat|solar ?bright flood|space Cooler|coolair/i
tflags __KAM_PRODUCT2_2 nosubject
header __KAM_PRODUCT2_3 From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow|CoolMe|wifi repeater|sleep.?lab|lost.?\d+lbs|solar ?bright|(mini|portable) ?A\/?C|air cooler|savage.grow/i
meta KAM_PRODUCT2 ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
describe KAM_PRODUCT2 Scammy Products prevalent in spam
score KAM_PRODUCT2 4.5
#BAD_PDF_LINK
#uri_detail KAM_PDF_FAKE text =~ /\.PDF/i cleaned =~ /\.github.io\//i
#describe KAM_PDF_FAKE Links to Fake PDFs
#score KAM_PDF_FAKE 5.0
#SCAM INQUIRY
#what
body __KAM_INQUIRY_1 /inquiry for purchase|product catalog|price list|reply with catalog/i
#subj
header __KAM_INQUIRY_2 Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
#oddities
body __KAM_INQUIRY_3 /terms? (\&|and) conditions?|rightful dep/i
#Forwarder
body __KAM_INQUIRY_4 /certificate of origin|import\export|trading company/i
meta KAM_INQUIRY (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
describe KAM_INQUIRY Product Inquiry Scams
score KAM_INQUIRY 7.0
#FROM NAME SPAM
header __KAM_FROM_NAME_FAKERBL From:name =~ /Sivagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com|MeetAsianLady\.com|Betterbutterspreader\.com|americanhomewarranty\.com|Solarbrightfloodlight\.com|primevision\.website|FijiShowerSpa\.com|easylenders\.website|Burialinsurance\.com|curiousfinds\.com|professionalwhosiswho\.com/i
meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1)
describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
score KAM_FROM_NAME_FAKERBL 6.0
#FAKE NORTON
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_NORTON1 __KAM_FAKE_NORTON2 __KAM_FAKE_NORTON3 __KAM_FAKE_NORTON4
#subj
header __KAM_FAKE_NORTON1 Subject =~ /IN.?VOICE *\#?NUMBER|(confirmation|ORDER|Invoice|plan.?status) ?(ID_\*|\#|Num|-?No)|\#(ORDER|BILL)|(Purchase|Order|Payment) Confirmation|(RECEIPT|INVOI?CE) ?\#|software subscription|transaction.successful|amount.debited|(subscription|service|Purchase) (renewal|request|serial) \#|renew(al|ing) (id|service) \#|(Unique|Member|purchase|Bill|receipt|service|invoice) id ?(is|:|\#)|using protection|<O1>rder <I1>d|IN(\-|_)VOICE (Number|ID)|Product Id:|security renewal|(Buyer'?s|purchase) receipt|order worth \$|service notice.{0,3}\d+|antivirus activated|order has been (confirmed|processed)|subscription expired|your bill|auto renewal|new message|renewal notice:|annual subscription|transaction code|account key verif|billing team|service required|g-?squad|plan (upgraded|activated)|protection alert|order process|payment success|renewal complete|Purchase order for \$\d|payment is processed|confirmation of your product|upcoming due date/i
header __KAM_FAKE_NORTON1A To =~ /norton|billing\@geeksquad/i
header __KAM_FAKE_NORTON1B From =~ /norton|confirmation|no.?reply|service.?updates|billing|devices.?support|service.?dep|order|device.?alert|biliing|receipt|(payment|account).?team/i
#Fuzzy Prod
body __KAM_FAKE_NORTON2 /N<O1>RT<O1>N(\(?tm\)?|\#)|360 (anti.?virus|Security|protection)|N<O1>rt<O1>N.?Life|norton (\- )?(360|security|deluxe|protection|firewall|plus family)|(nort-.|norton|Mcafee) (Web Pro|Web|Plus(\+| Pro)|pro (net|plus|protection)|all.?round) ((Secure|Family) )?Protection|norton (plan|pro life lock)|(service (name)?|item|Product):?\s+(Norton|Nort.?Pro|geek.?squad)|norton secure plus|nort-(Advance|Pro)|nort-?one 360|life-?lock pro|mal-?ware bites|geeksquad-solutions|Geek(squad)? 360|renewal through geeksquad|Geek Secure Premium|Shield Protection Renewal|G<E1><E1><K1>.?squad security|(symantec|mcafee|norton|geek).{0,3}total (secure|protection)|geek.?squad.?corp|norton billing team|firewall defender|geek.? advanced network|pro geek PC protection|SQUAD anti-?virus|Norton,? Inc|G<E1><E1>k\s+squ<A1>d|Windows Defender Advanced|Netwrk Shield Protection|(pc|network) (security|protection) (service|shield)|previous annual subscription|windows defender security|norton Tech pc support|\(defender\)|premium protection|norton membership|ant<I1>v<I1>rus \(?ultimate|geek standard upfront|Select Powerful Protection|<M1>cA\&fnof\;ee|<M1><C1><A1>Fee Subscription|PC Guard Protection|mcafee as your security software|Your security.{0,2} now safeguarded|InsightSecure Scanners|delux protection|Stealthsecure cyber|Office 365 - Abc|service\: Security Measure/mi
#Oddlang
body __KAM_FAKE_NORTON3 /Esteem your assessment|enhance our administration|recharged your club|looking for patron|delight and happiness|touch our group|confirmatory e?mail|customer service board|connect with expert|for transaction|confirmation range|did not place this order|cancel (your|this|the) (membership|service|subscription)|team norton|(claim a|instant) refund|cancel (or continue )?the plan|for more query|void (this|the) charge|account is debited|kindly activate the license|A\/C statement|you can trust them|drop you an email|don't want this plan|deactivate this plan|queries or doubt|issues? with (your order|the transaction)|feel free to contact|hesitate to call|appritiate your decesion|Warm (regards|respects)|(wish|want) (to )?cancel|order +worth +\$|plan has been enacted|change something|salutations|any query related|norton billing team|same has been processed|an confirmation|don\'t want to renew|remove auto-debit|auto renewal request|thanks\/norton|invalidate your subscription|precept copy|payment method.{1,10}on-?line|drop the membership|generously go ahead|want a refund|renewal tenure|believe an unauthorized|contact microsoft for a full refund|\*\-\* (8\-8\-8|8\-5\-0) \*\-\*|really want further explanation|disc<O1>unt benevolently|upgrade or postpone|get the full refund|valued member of us|find the attachment of your invoice|drop the charges|norton.{0,2}helpdesk|cancel service|not placed the order|within the next two hour|payment network regulation|open a dispute|cancellation, call us|think this is not authorized|process withing \d+ hour|renewed for four year,/i
tflags __KAM_FAKE_NORTON3 nosubject
#Order
body __KAM_FAKE_NORTON4 /(bank|Auto(matic)?)-?.?-?(debit|renew)|Updated to premium|order is p<L1>aced|0rder|renewal|successfully (placed|renewed)|(repetitive|annual) charge|have been modified|In_voice id|details pertain|auto pay|online\/card|joined our security program|payment_for_services|yearly payment|\$[\d\.]+ will appear|renewed your product|subscription has been renewed/i
tflags __KAM_FAKE_NORTON4 nosubject
meta KAM_FAKE_NORTON (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1)+ __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 + FREEMAIL_FROM >= 4) && __KAM_FAKE_NORTON2
describe KAM_FAKE_NORTON Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices
score KAM_FAKE_NORTON 8.0
meta KAM_FAKE_NORTONLOW (__KAM_FAKE_NORTON1 + (__KAM_FAKE_NORTON1A + __KAM_FAKE_NORTON1B + FREEMAIL_FROM >= 1) + __KAM_FAKE_NORTON2 + __KAM_FAKE_NORTON3 + __KAM_FAKE_NORTON4 >= 3) && !KAM_FAKE_NORTON && __KAM_FAKE_NORTON2
describe KAM_FAKE_NORTONLOW Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices (Lower Confidence)
score KAM_FAKE_NORTONLOW 6.5
meta KAM_FAKE_NORTON2 (__KAM_FAKE_NORTON3 + KAM_EVIL_NUMBERS4 + FREEMAIL_FROM >= 3)
describe KAM_FAKE_NORTON2 Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices
score KAM_FAKE_NORTON2 5.0
endif
#FAKE NORTON WITH OBFU
#SUPPORT
body __KAM_FAKE_NORTON_OBFU1 /contact Norton Support at/i
#OBFU #
body __KAM_FAKE_NORTON_OBFU2 /\+[I1].?\((\d|I){3}\).?(\d|I){3}.?(\d|I){4}/i
#Pay
body __KAM_FAKE_NORTON_OBFU3 /Requesting Payment/i
#__KAM_FAKE_NORTON_OBFU4 TBD: Capture OBFU2 and see if I is in it as a condition
meta KAM_FAKE_NORTON_OBFU ( __KAM_FAKE_NORTON_OBFU1 + __KAM_FAKE_NORTON_OBFU2 + __KAM_FAKE_NORTON_OBFU3 >= 3)
describe KAM_FAKE_NORTON_OBFU Fake Norton Renewal Notices
score KAM_FAKE_NORTON_OBFU 4.5
#FAKE CHASE BANK
header __KAM_FAKE_CHASE1 Subject =~ /unusual activit|security/i
body __KAM_FAKE_CHASE2 /chase online/i
body __KAM_FAKE_CHASE3 /Fraud Protection|unusual activity/i
header __KAM_FAKE_CHASE4 From:name =~ /chase online/i
header __KAM_FAKE_CHASE5 From:addr !~ /chase/i
meta KAM_FAKE_CHASE (__KAM_FAKE_CHASE1 + __KAM_FAKE_CHASE2 + __KAM_FAKE_CHASE3 + __KAM_FAKE_CHASE4 + __KAM_FAKE_CHASE5 >= 5)
describe KAM_FAKE_CHASE Fake Bank Notice
score KAM_FAKE_CHASE 4.5
#FAKE CANADA POST
body __KAM_FAKE_CAN_POST1 /package is (waiting|on hold)/i
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_CAN_POST2
body __KAM_FAKE_CAN_POST2 /<C1><A1>n<A1>d<A1>.{0,2}<P1><O1>st/i
endif
body __KAM_FAKE_CAN_POST3 /require additional details|online verification/i
body __KAM_FAKE_CAN_POST4 /redelivery|confirm the payment/i
header __KAM_FAKE_CAN_POST5 From:addr !~ /\.ca$/i
header __KAM_FAKE_CAN_POST6 From:name =~ /canada.?post|Postes.?Canada/i
header __KAM_FAKE_CAN_POST6B From:addr =~ /shipping/i
meta KAM_FAKE_CAN_POST (__KAM_FAKE_CAN_POST1 + __KAM_FAKE_CAN_POST2 + __KAM_FAKE_CAN_POST3 + __KAM_FAKE_CAN_POST4 + __KAM_FAKE_CAN_POST5 + (__KAM_FAKE_CAN_POST6 + __KAM_FAKE_CAN_POST6B >= 1) >= 6)
describe KAM_FAKE_CAN_POST Fake Canada Post Scam
score KAM_FAKE_CAN_POST 9.0
#CARING
header __KAM_CARING1 Subject =~ /Great in Bed|(looking|Searching) +for +a +(shag|(determined|caring|loving) +(man|guy|dude))/i
body __KAM_CARING2 /shagged|lovemate|online dating|affair|hook.?up/i
tflags __KAM_CARING2 nosubject
body __KAM_CARING3 /(recent|my) (contact|picture|photo)/i
body __KAM_CARING4 /unsub/i
meta KAM_CARING (__KAM_CARING1 + __KAM_CARING2 + __KAM_CARING3 + __KAM_CARING4 >= 4)
describe KAM_CARING Catfishing and related scams
score KAM_CARING 6.0
#FAKE POLICY
#OBFU HEADER
header __KAM_POLICY1 Subject =~ /PoIicy Update/i
#HR
header __KAM_POLICY2 From:name =~ /HR/i
#POLICY
body __KAM_POLICY3 /Attached policy|section can proceed/i
#Attach
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_POLICY4 Content-Type =~ /\.html?"?$/i
endif
meta KAM_POLICY ((__KAM_POLICY1 + __KAM_POLICY4 >= 1) + __KAM_POLICY2 + __KAM_POLICY3 >= 3)
describe KAM_POLICY Fake policy email phish
score KAM_POLICY 4.5
#CBT Scraper
body KAM_CBTSCRAP /CBT (website scraper|Email Extractor)/i
describe KAM_CBTSCRAP Spamming tool
score KAM_CBTSCRAP 5.0
#PIP/FOREX
header __KAM_FOREX1 From =~ /pip ?builder/i
body __KAM_FOREX2 /1000pipbuilder/i
body __KAM_FOREX3 /Forex (trading|signals)/i
header __KAM_FOREX4 Subject =~ /Forex (trading|signals)/i
meta KAM_FOREX (__KAM_FOREX1 + __KAM_FOREX2 + __KAM_FOREX3 + __KAM_FOREX4 >= 4)
describe KAM_FOREX Forex Trading spam
score KAM_FOREX 6.0
#SkyTech Wifi
header __KAM_SKYTECH1 From =~ /SkyTech Wifi Booster|ultraboost/i
header __KAM_SKYTECH2 Subject =~ /Wifi Deadspots|buffering/i
body __KAM_SKYTECH3 /skytech wifi|Wifi Booster/i
meta KAM_SKYTECH (__KAM_SKYTECH1 + __KAM_SKYTECH2 + __KAM_SKYTECH3 >= 3)
describe KAM_SKYTECH Wifi Booster Spam
score KAM_SKYTECH 4.5
#FAKE Paypal
header __KAM_FAKEPP1 From:name =~ /PayPal/i
header __KAM_FAKEPP2 From:addr =~ /wordpress/i
meta KAM_FAKEPP ( __KAM_FAKEPP1 + __KAM_FAKEPP2 + KAM_SHORT >= 3)
describe KAM_FAKEPP Fake PayPal Notice
score KAM_FAKEPP 4.5
#SEXUALLY EXPLICITY PHOTO
header __KAM_PHOTO1 Subject =~ /My name is/i
body __KAM_PHOTO2 /I am very lonely/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_PHOTO3 Content-Type =~ /\.jpe?g/i
endif
body __KAM_PHOTO4 /This is my photo/i
body __KAM_PHOTO5 /get to know you/i
meta KAM_PHOTO (__KAM_PHOTO1 + __KAM_PHOTO2 + __KAM_PHOTO3 + __KAM_PHOTO4 + __KAM_PHOTO5 >=5)
describe KAM_PHOTO Sexually Explicit Photo Emails
score KAM_PHOTO 7.5
#FOOTBALL
header __KAM_FOOTBALL2_1 Subject =~ /Foo[ts]ball Table/i
body __KAM_FOOTBALL2_2 /look at (the thing I brought|this product|what I sent you)/i
body __KAM_FOOTBALL2_3 /foo[st]ball table pric/i
meta KAM_FOOTBALL2 (__KAM_FOOTBALL2_1 + __KAM_FOOTBALL2_2 + __KAM_FOOTBALL2_3 + __KAM_SHOP1 >= 3)
describe KAM_FOOTBALL2 Football table spams
score KAM_FOOTBALL2 4.5
#LAWSUIT
header __KAM_LAWSUIT1 From:name =~ /lawsuit/i
header __KAM_LAWSUIT2 Subject =~ /lawsuit/i
body __KAM_LAWSUIT3 /you or a loved one/i
body __KAM_LAWSUIT4 /(roundup|diagnosed with cancer)/i
tflags __KAM_LAWSUIT4 nosubject
meta KAM_LAWSUIT (__KAM_LAWSUIT1 + __KAM_LAWSUIT2 + __KAM_LAWSUIT3 + __KAM_LAWSUIT4 >= 4)
describe KAM_LAWSUIT Ambulance chaser scams
score KAM_LAWSUIT 6.0
#ED SPAM
header __KAM_CHEAT1 From:name =~ /Magnum/i
header __KAM_CHEAT2 Subject =~ /women cheat/i
body __KAM_CHEAT3 /(Erectile Dysfunction|erection)/i
tflags __KAM_CHEAT3 nosubject
meta KAM_CHEAT (__KAM_CHEAT1 + __KAM_CHEAT2 + __KAM_CHEAT3 >= 3)
describe KAM_CHEAT ED Spams
score KAM_CHEAT 4.5
#DomainBroker
body __KAM_DOMAINBROKER1 /DomainBroker/i
header __KAM_DOMAINBROKER2 Subject =~ /Domain on sale/i
header __KAM_DOMAINBROKER3 From:name =~ /Domain.?Agent/i
meta KAM_DOMAINBROKER (__KAM_DOMAINBROKER1 + __KAM_DOMAINBROKER2 + __KAM_DOMAINBROKER3 + KAM_BODY_MARKETINGBL_PCCC >= 3)
describe KAM_DOMAINBROKER Domain seller spams
score KAM_DOMAINBROKER 4.5
#FAKE SHAREPOINT 2 - Sexually explicit
header __KAM_FAKE_SHAREPOINT2_1 From:addr =~ /no\-reply\@sharepointonline\.com|sex|69/i
header __KAM_FAKE_SHAREPOINT2_2 Subject =~ /view my profile|(\b|^|\s)sex+y man|live chat|hook.?up|sweet.?heart|(\b|^|\s)sex|f a c e b o o k|i know you|just fun|my phone|for se+x+|tease|play with my pus|facebook|chat shared|horne?y|see my nu(t|d)e|Video.M(a|e)ssage|bang.?meetup|private massage|confirm your e.?mail|tiktok for sex|firstsheba/i
body __KAM_FAKE_SHAREPOINT2_3 /REAL DATING NETWORK|bad partner|single.hot.mom|chat room|escort girl|hi there|hook.?up|flirty singles|sweet.?heart|(\b|^|\s)sex|(\b|^|\s)dick|escort|Open me\.? asap|intercourse|seeking male|real relationship|suck my kitty|F.ck me|single girl|real man|need a partner|lonely mom|adults? classified|screw many girls|bang.?meetup|(chat|meet) for sex/i
tflags __KAM_FAKE_SHAREPOINT2_3 nosubject
meta KAM_FAKE_SHAREPOINT2 (__KAM_FAKE_SHAREPOINT2_1 + __KAM_FAKE_SHAREPOINT2_2 + __KAM_FAKE_SHAREPOINT2_3 >= 3)
describe KAM_FAKE_SHAREPOINT2 Sexually Explicit Sharepoint Spam
score KAM_FAKE_SHAREPOINT2 8.5
#DRONE
header __KAM_SHOP1 Reply-to =~ /\.shop|drone|\.xyz/i
header __KAM_DRONE2 Subject =~ /follow up on last email|reminder again|drone|quick follow.?up/i
#ODD LANG SHIP
body __KAM_DRONE3 /arrange the (shipment|dispatch)|contact the logistics|logistics to arrange|address for shipping|touch with logistics|location of your shipment/i
#DRONE HERE
body __KAM_DRONE4 /new drone (information|here)|information about the drone|for (two|three) drones|email about this drone/i
#ODD LANG GOODS
body __KAM_DRONE5 /grasp our goods|take one or more|three or more|receiving one or two/i
#DRONE DESC
body __KAM_DRONE6 /GPS Brushless Drone|optical flow/i
meta KAM_DRONE (__KAM_SHOP1 + __KAM_DRONE2 + __KAM_DRONE3 + __KAM_DRONE4 + __KAM_DRONE5 + __KAM_DRONE6 >= 5)
describe KAM_DRONE Drone Spam Du Jour
score KAM_DRONE 7.5
#FAKE PAYPAL
header __KAM_FAKE_PAYPAL1 From:name =~ /paypal|invoice|confirmation|payapl|receipt|reciept|help.?desk/i
header __KAM_FAKE_PAYPAL2 Subject =~ /Order ?(\#|reference|Confirmation)|your (transaction|purchase)|(buyer'?s|purchase) (receipt|ref|id) \#|transaction|statement|shipping notification|0rder|\$\d\d\d\.\d\d charged|payment info|subscription|paid the invoice/i
body __KAM_FAKE_PAYPAL3 /paypal/i
tflags __KAM_FAKE_PAYPAL3 nosubject
body __KAM_FAKE_PAYPAL4 /if any concern|in order to cancel|(any|open a) dispute|(exact|usual) location|used by someone else|regular IP address|(haven'?t|not) made this purchase|contact us immediately|trust & safety|not authorized|file an issue|cancellation|to cancel|did\s?n.{1,3}t made this order/i
body __KAM_FAKE_PAYPAL5 /(accepted|confirmed|USD|purchase) (at|to|by) (Walmart|Target)|(Walmart|Target),?( Inc.?)? has (accepted|received|confirmed)|charge will appear|auto debited|paid instantly|credit wallet balance/i
body __KAM_FAKE_PAYPAL6 /help by phone|call paypal ?(usa|team)|paypal fraud dep|paypal support immediately|before dispatch|paypal consumer credit/i
meta KAM_FAKE_PAYPAL (__KAM_FAKE_PAYPAL1 + __KAM_FAKE_PAYPAL2 + __KAM_FAKE_PAYPAL3 + __KAM_FAKE_PAYPAL4 + __KAM_FAKE_PAYPAL5 + FREEMAIL_FROM + __KAM_FAKE_PAYPAL6 >= 5)
describe KAM_FAKE_PAYPAL Fake PayPal Message
score KAM_FAKE_PAYPAL 6.0
body __KAM_FAKE_PAYPAL2_1 /PayPal (customer service|Support) Team/i
body __KAM_FAKE_PAYPAL2_2 /void this (transaction|order) within/i
meta KAM_FAKE_PAYPAL2 (__KAM_FAKE_PAYPAL2_1 + __KAM_FAKE_PAYPAL2_2 + FREEMAIL_FROM >=3)
describe KAM_FAKE_PAYPAL2 Fake PayPal Message
score KAM_FAKE_PAYPAL2 4.5
#FEEDPROXY ABUSE
uri GB_G_FEEDPROXY /https?\:\/\/feedproxy\.google\.com\/~r\//
describe GB_G_FEEDPROXY Google Feed Proxy Abuse
score GB_G_FEEDPROXY 2.5
#b-cdn abuse
uri GB_PULLZONE_B_CDN /https?\:\/\/pullzone-v[0-9]\.b\-cdn\.net/
describe GB_PULLZONE_B_CDN B-Cdn abuse
score GB_PULLZONE_B_CDN 3.0
#DISCORD ABUSE
uri __KAM_DISCORDCDN1 /cdn\.discordapp\.com\/attachment/i
header __KAM_DISCORDCDN2 From:addr !~ /\@discord\.com/i
header __KAM_DISCORDCDN3 DKIM-Signature !~ / d=discord.com;/i
meta KAM_DISCORDCDN (__KAM_DISCORDCDN1 + __KAM_DISCORDCDN2 + __KAM_DISCORDCDN3 >= 3)
describe KAM_DISCORDCDN Abuse of Discord CDN in spams
score KAM_DISCORDCDN 4.5
uri __KAM_DISCORDCDN_BAD1 /cdn\.discordapp\.com\/attachment.*(docu.?sign|\.(iso|gz|exe|jar|zip|xlsm|docm|pptm))/i
meta KAM_DISCORDCDN_BAD (KAM_DISCORDCDN + __KAM_DISCORDCDN_BAD1 >= 2)
describe KAM_DISCORDCDN_BAD Extra Dangerous Discord CDN Content in spams
score KAM_DISCORDCDN_BAD 6.0
#PAYROLL SCAMS
body __KAM_PAYROLL1 /(Leveragewages|Savingcredits)/i
body __KAM_PAYROLL2 /(companies|businesses) in CA/i
header __KAM_PAYROLL3 Subject =~ /payroll/i
meta KAM_PAYROLL (__KAM_PAYROLL1 + __KAM_PAYROLL2 + __KAM_PAYROLL3 + FREEMAIL_FROM >= 4)
describe KAM_PAYROLL Payroll spammers
score KAM_PAYROLL 6.0
#FAKE ZIX
header __KAM_FAKE_ZIX1 From:addr !~ /zixmessagecenter.com/i
header __KAM_FAKE_ZIX2 Subject =~ /Secure Zix message|remittance advice/i
body __KAM_FAKE_ZIX3 /security system|view document/i
uri __KAM_FAKE_ZIX4 /dynamics\.com|\.html?/i
meta KAM_FAKE_ZIX ( __KAM_FAKE_ZIX1 + __KAM_FAKE_ZIX2 + __KAM_FAKE_ZIX3 + __KAM_FAKE_ZIX4 >=4)
describe KAM_FAKE_ZIX Fake Zix Email
score KAM_FAKE_ZIX 6.0
#FAKE AMAZON
header __KAM_FAKE_AMAZON1 Subject =~ /Quick Request/i
body __KAM_FAKE_AMAZON2 /have an (Amazon account|account with amazon)/i
meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON1 + __KAM_FAKE_AMAZON2 + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 4)
describe KAM_FAKE_AMAZON Amazon Account Phishes
score KAM_FAKE_AMAZON 4.5
#BINANCE
header __KAM_BINANCE1A Subject =~ /income/i
header __KAM_BINANCE1B Subject =~ /crypto.?currenc/i
body __KAM_BINANCE2 /affiliate link/i
body __KAM_BINANCE3 /lifetime commission/i
body __KAM_BINANCE4 /Friends and associates/i
body __KAM_BINANCE5 /Binance/i
meta KAM_BINANCE (( __KAM_BINANCE1A + __KAM_BINANCE1B >=2) + (__KAM_BINANCE2 + __KAM_BINANCE3 + __KAM_BINANCE4 >=2) + ( __KAM_BINANCE5 >= 1) >= 3)
score KAM_BINANCE 6.0
describe KAM_BINANCE Pyramid crypto scams
#FAKE DMCA
header __KAM_FAKE_DMCA1 From:name =~ /DMCA.?Tech/i
header __KAM_FAKE_DMCA2 From:addr =~ /DMCA/i
body __KAM_FAKE_DMCA3 /text of the complaint/i
body __KAM_FAKE_DMCA4 /your device violates/i
body __KAM_FAKE_DMCA5 /cancel subscription/i
meta KAM_FAKE_DMCA ( __KAM_FAKE_DMCA1 + __KAM_FAKE_DMCA2 + __KAM_FAKE_DMCA3 + __KAM_FAKE_DMCA4 + __KAM_FAKE_DMCA5 >=5 )
describe KAM_FAKE_DMCA Fake DMCA Notice
score KAM_FAKE_DMCA 7.5
#Claritox
header __KAM_CLARITOX1 From:name =~ /claritox/i
header __KAM_CLARITOX2 Subject =~ /Brain infection/i
body __KAM_CLARITOX3 /claritox/i
tflags __KAM_CLARITOX3 nosubject
body __KAM_CLARITOX4 /brain infection/i
tflags __KAM_CLARITOX4 nosubject
meta KAM_CLARITOX ( __KAM_CLARITOX1 + __KAM_CLARITOX2 + __KAM_CLARITOX3 + __KAM_CLARITOX4 >= 3 )
describe KAM_CLARITOX Product du Jour Spam
score KAM_CLARITOX 4.5
#BAD Canva
uri __KAM_BAD_CANVA1 /\.canva\.com/i
body __KAM_BAD_CANVA2 /link will not work for only recipients/i
meta KAM_BAD_CANVA ( __KAM_BAD_CANVA1 + __KAM_BAD_CANVA2 >= 2 )
describe KAM_BAD_CANVA Fake link from Canva for phishing
score KAM_BAD_CANVA 5.0
#FAKE EXCEL
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
body __KAM_FAKE_EXCEL1 /details is in Excel File/i
mimeheader __KAM_FAKE_EXCEL2 Content-Type =~ /excel.html?/i
meta KAM_FAKE_EXCEL ( __KAM_FAKE_EXCEL1 + __KAM_FAKE_EXCEL2 >= 2 )
describe KAM_FAKE_EXCEL Excel Phishing Scam
score KAM_FAKE_EXCEL 6.0
endif
#ZOHO EXPLOIT
uri __KAM_ZOHO1 /zfrmz\.com|zohoinsights\.com/i
body __KAM_ZOHO2 /congrats on win|selected as the winner|expiration notice/i
body __KAM_ZOHO3 /sweepstakes|password/i
meta KAM_ZOHO ( __KAM_ZOHO1 + __KAM_ZOHO2 + __KAM_ZOHO3 >= 3 )
describe KAM_ZOHO Zoho form or insights exploit
score KAM_ZOHO 4.5
#FAKE AFFIL ADS
header __KAM_FAKE_AFFIL1 From =~ /(eharmony|Get.?Gutter.?Protection|Hello.?Fresh).*(Affil|partner)|(American.?Home.?Warranty|Renewal.?by.?anders.n|TruGreen.?Lawn.?Service|Blissy|Energy.?Bill.?Cruncher|Amy.?Myers|1-ink|Tommy.?Chong|Burial.?Insurance|walk.?in.?tub)/i
uri __KAM_FAKE_AFFIL2 /cdn\.mpp-stage\.com|cdn\.tedbvi\.com/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_AFFIL3 Content-Type =~ /ATT\d+\.htm/i
endif
meta KAM_FAKE_AFFIL ( __KAM_FAKE_AFFIL1 + __KAM_FAKE_AFFIL2 + __KAM_FAKE_AFFIL3 >= 3)
describe KAM_FAKE_AFFIL Fake Affiliates Garbage
score KAM_FAKE_AFFIL 4.5
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader GB_BAD_SVG Content-Type =~ /Employee\sHandbook.{0,16}\.svg/i
describe GB_BAD_SVG Dangerous svg file attached
score GB_BAD_SVG 10.0
endif
endif
#header __KAM_SIREN1 From =~ /Portable Defense Siren/i
#TELEGRA.PH being exploited
uri KAM_TELEGRA /https?:\/\/telegra\.ph/i
describe KAM_TELEGRA Service being exploited by spammers
score KAM_TELEGRA 5.0
#PHARMA SPAMS
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_PHARMA_1
header __KAM_PHARMA_1 From =~ /Canad<I1>an Pharma/i
body __KAM_PHARMA_2 /Online Pharmacy|No Prescription/i
meta KAM_PHARMA ( __KAM_PHARMA_1 + __KAM_PHARMA_2 + KAM_TELEGRA >= 2)
describe KAM_PHARMA Online Pharmacy Spam
score KAM_PHARMA 3.0
endif
#TWO EMAILS OBFUSCATION
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
meta GB_2_EMAILS ( __PDS_FROM_2_EMAILS + KAM_IFRAME + MISSING_HEADERS >= 3)
describe GB_2_EMAILS Phishing Emails using 2 Emails and Other Tricks for Obfuscation
score GB_2_EMAILS 4.5
endif
#DRONE SPAM
header __KAM_DRONE2_1 From:name =~ /x.?pro|drone/i
header __KAM_DRONE2_2 Subject =~ /(best|4k) drone|drone x.?pro/i
body __KAM_DRONE2_3 /(best|x.?pro) drone|drone x.?pro/i
tflags __KAM_DRONE2_3 nosubject
meta KAM_DRONE2 ( __KAM_DRONE2_1 + __KAM_DRONE2_2 + __KAM_DRONE2_3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_DRONE2 Drone Spam
score KAM_DRONE2 6.0
#SANDAL SPAM
header __KAM_SANDAL1 From:name =~ /quickdry sandal/i
header __KAM_SANDAL2 Subject =~ /on your feet|uncomfortable shoes|comfiest sandal|with any outfit|with every step/i
body __KAM_SANDAL3 /quickdry sandal/i
tflags __KAM_SANDAL3 nosubject
meta KAM_SANDAL ( __KAM_SANDAL1 + __KAM_SANDAL2 + __KAM_SANDAL3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_SANDAL Shoe Spam (don't bother me...)
score KAM_SANDAL 6.0
#FAT SPAM
header __KAM_FAT1 From:name =~ /fat/i
header __KAM_FAT2 Subject =~ /melt \d.?(lb|pound)/i
body __KAM_FAT3 /island tonic|maverick doctor/i
tflags __KAM_FAT3 nosubject
meta KAM_FAT ( __KAM_FAT1 + __KAM_FAT2 + __KAM_FAT3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_FAT Weightloss Spam
score KAM_FAT 6.0
#CAMERA SPAM
header __KAM_CAMERA1 From:name =~ /ultrazoom/i
header __KAM_CAMERA2 Subject =~ /(HD|Super) telescope/i
body __KAM_CAMERA3 /super telephoto zoom/i
tflags __KAM_CAMERA3 nosubject
meta KAM_CAMERA ( __KAM_CAMERA1 + __KAM_CAMERA2 + __KAM_CAMERA3 + __KAM_SUBSCRIPTION_INFO >= 4)
describe KAM_CAMERA Camera Lens Spam
score KAM_CAMERA 6.0
#SUBSCRIPTION META
body __KAM_UNSUBSCRIBE /can always unsubscribe|unsubscribe here|stop receiving e?mail|send post-?mail/i
meta __KAM_SUBSCRIPTION_INFO ( __SUBSCRIPTION_INFO + __KAM_UNSUBSCRIBE >= 1)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_QUOTATION1 Content-Type =~ /quotation\.html?/i
header __KAM_QUOTATION2 Subject =~ /Quotation/i
header __KAM_QUOTATION3 From =~ /accounts/i
meta KAM_QUOTATION ( __KAM_QUOTATION1 + __KAM_QUOTATION2 + __KAM_QUOTATION3 + (SPF_SOFTFAIL + SPF_FAIL >=1) >= 4)
describe KAM_QUOTATION Quotation Phishes
score KAM_QUOTATION 6.0
endif
#Sexually Explicit Spam
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_SEX2_1 Subject =~ /ready for me|Hello|Wet Invitation|Hi I'm|have fun|ready for me|good evening|private hangout|sex chat|call me on whatsapp/i
body __KAM_SEX2_2 /dating site|bad girls|sexual community|discreet dating|pay for a chat|lover|horny|(adult|sex) chat|free women|i am discreet/i
#LINK REL
body __KAM_SEX2_3 /flirt for free|Fuck.?Free|sex.?club|naked glory|free.?sex|start writing me|canada.?sex|hot greetings|private hangout|get a massage/i
mimeheader __KAM_SEX2_4 Content-type =~ /\.(jpe?g|png)\"?$/i
body __KAM_SEX2_4A /my pics/i
uri __KAM_SEX2_5 /https?:\/\/(au|en|cad?|canada)\./i
meta KAM_SEX2 ( __KAM_SEX2_1 + __KAM_SEX2_2 + __KAM_SEX2_3 + (__KAM_SEX2_4 + __KAM_SEX2_4A >= 1) + (KAM_SHORT + __KAM_SEX2_5 >=1) + FREEMAIL_FROM >= 5)
describe KAM_SEX2 Sexually Explicit Sapm
score KAM_SEX2 15.0
endif
#FAKE ADOBE
header __KAM_FAKE_ADOBE1 Subject =~ /(file|Document) Received/i
uri __KAM_FAKE_ADOBE2 /zohoinsights\.com/i
body __KAM_FAKE_ADOBE3 /sign in required|download to view/i
body __KAM_FAKE_ADOBE4 /received a pdf|pdf document has been shared/i
meta KAM_FAKE_ADOBE ( __KAM_FAKE_ADOBE1 + __KAM_FAKE_ADOBE2 + __KAM_FAKE_ADOBE3 + __KAM_FAKE_ADOBE4 >= 4)
describe KAM_FAKE_ADOBE Fake Adobe Email
score KAM_FAKE_ADOBE 6.0
#PEAK BUSINESS FINANCE
header KAM_PEAK From:addr =~ /peak.*business.*financ/i
describe KAM_PEAK Finance Spammer
score KAM_PEAK 7.0
#FROM PRODUCT SPAMs
header __KAM_FROM_SPAM_NOV21 From =~ /(blood.?pressure.?(fix|cure)|20.?amazing.?gadgets|2021.?gadget.?guide|your.?hormones|Be.?Free.?Of.?Your.?Timeshare|unique.?christmas.?gifts|youthful.?brain|veteran.?discounts|VieShield.?Sanitizer|Walgreens.?Shopper.?Feedback|Solar.?Bright|shocking.?truth:|(\b|^)ed.?solution|beauty.?digs|LED.?Beach.?Balls|Pelvic.?Floor.?strong|Leptitox|Clean.?cell|Gadget.?List)|Avoid.?melatonin|My.?Senior.?Perks|explosive.?size|savage.?grow|blood.?pressure.?roulette|ElectronX.?Ruler|Software.?Treats|Grease.?Your.?Knee|late.?night.?peeing|Landscaping.?Ideas|hot.?new.?gadget|Tetrus.?LED.?Lighting|Weedkiller.?Injury|Compressa.?Relief|Shed.?Building.?Guide|plans?.?for.?shed|increase.?size|herpes.?cure|Human.?reproductive.?system|body.?shaper|ear.?wax.?remover|vital.?flow|curious.?finds|get.?skinny.?chocolate|Home.?Depot.?Shopper.?Feedback|modern.?woman|EU.?Business.?Register|comfy.?shoes/i
header __KAM_FROM_SPAM_DEC21 From =~ /Heater.?Pro.?X|Neck.?Massager|Cinna.?Chroma|Sibgazinvest|Striction.?Blood|blood.?pressure.?warning|stamina.?pro|Smart.?Holder.?Pro|Smart.?phone.?Gloves|WiFi.?Ultraboost|HD.?telescope|Doctor.?Holmes\'s.?co.?op|variety.?store.?kerry|Suzi\'s.?potion|Antiseptic.?cathy|flat.?tummy.?recipe|bye.?big.?tummy|Skincell.?2|nail.?dry.?pro|muscle.?relax.?pro|easy.?slippers/i
#removed \@advid for FPs
header __KAM_FROM_SPAM_JAN22 From =~ /Puppy.?Pet.?Ball|ultimate.?keto.?meal|steel.?bite.?pro|he?rpa.?greens|HAIR.?REVITAL|peak.?biome|energy.?cube.?system|perfect.?flush|make.?money.?online|Stops?.?Herpes|blood.?pressure.?911|Fat.?Burning|Personal.?power.?plant|sqribblee.?book.?creator|special.?launch.?price|ringing.?ears|fading.?memory|big.?stomach|apple.?cider.?vinegar|glucofort|do.?this.?at.?breakfast|immune.?defense|sonus.?complete.?basic|introducing.?exi.?pure|blood.?sugar.?defense|shed.?plan|obsession.?method|5g.?male|cold.?war.?generator|tinnitus.?(terminator|guard)|keto.?advantage|senior.?saving.?club|exipure|gold.?plated.?coin|trump.?coin|Prostate.?relief|acida.?burn|back.?pain|fungus.?treat|herpa.?green|neck.?massage|Silencil|kishor.?exports|fatty.?liver|gluca.?fix|reservation.?diet|high.?blood.?pressure|energy.?bill.?crunch|muscle.?care|fast charger pro|Tv.?Share.?Max|bar.?x.?health|canad(a|ian).?drug.?store|Duramax.?Fence|vid.?toon|online.?pharmacy|viagra.?shop|circa.?knee|Shoppers.?Drug.?Mart|royal.?numerology/i
header __KAM_FROM_SPAM_FEB22 From =~ /Swag.?Envy|Turn.?Text.?to.?speech|cart.?bloom|Pierre.?Omidyar|copper.?zen.?socks|Muama.?Ryoko|Mindinsole|clipper.?pro|nerve.?control|arthritis.?relief|sleep.?connection|lose.?it.?now|Pioneer.?Travels|bathroom.?remodel/i
header __KAM_FROM_SPAM_FEB22_TLD From =~ /solar.?panels/i
header __KAM_FROM_SPAM_MAR22 From =~ /Whos.?who|ray.?ban|simple.?home.?quotes|laundry.?masher|embarr?ass?ing.?toe|miracle.?sheets|nail.?fungus|Smartcam|tactical.?drone|owl.?vision|hulk.?heater|wifi.?repeater|gluco.?flow.?supplement|blood.?sugar.?blaster|dr\..?phil.?news|Muama.?Ryok|usmile.?pro|power.?pod|never.?snore|snore.?stop|(^|\")usmile|bye.?bye.?fat|chemist.?s.?shop|married.?women|potent.?CBD|diabetes.?gone|US.?concealed.?online|gift.?card.?chance|cardio.?clear|one.?monthly.?fee|online.?learn.?piano|coffee.?secret|shark.?tank.?keto|rots.?your.?teeth|stronger.?vision|Norton.?Lifelock|instant.?translator/i
header __KAM_FROM_SPAM_APR22 From =~ /snoring.?fix|automix|circa.?knee|zoomshot.?pro|Instant.?translator|prostate.?health|stay.?dry.?202|battery.?vault|goodbye.?diabetes|bad eyes|createxdigital|\@.{0,8}advids\.|\@deszy|\@devacc\./i
header __KAM_FROM_SPAM_MAY22 From =~ /butter.?on.?toast|exobone|sharp.?ear|news.?reward.?exclusive|AirBuds|earbuds|Massage.?gun|directaxis|sanlamfinance|grants.?for.?homeowner|manchester.?collection|Power.?drill.?(confirmation|surprise)|gift.?card.?shipment|fast.?keto.?diet|(energy|bill).?cruncher|fun.?drops.?cbd|easy.?warm.?floor|home.?loan.?analyst.?offer/i
header __KAM_FROM_SPAM_JUN22 From =~ /Finance.?the.?big.?lie|cbd.?gumm|vet.?savings|Keto.?maxx|unbreakable.?brain|brain.?blueprint|just.?gi[zs]mo|ice.?house.?portable|portable.?ac|single.?flirt|painful.?knees|russian?.?(babe|bride)|eyesight.?max|blood.?sugar.?formula|brain.?fix|FOLIFORT|PROCompression.?special|por?table.?oxygen|Special.?Oil|Syno.?gut|blissy.?offer|WarHawk.?Binoculars|keto.?diet|match.?seniors|no.?more.?pin.?pricks|Doctors?.?shock|20.?20.?Vision|Windows.?Defender.?Order|fat.?burner/i
header __KAM_FROM_SPAM_JUL22 From =~ /Horrific.?Back|fat.?reducer|smart.?watch|chill.?well|blurred.?vision|Family.?savings|Revifol\.com|Fluxactive|eye.?herb|eco.?chip|Lumbar.?Correct|Air.?Flops|Getinstahard\.com|neurodrine|air.?cooly|Bladder.?relief|Doctor.?Inflammation|Shrink.?your.?prostate|RetailMarketingPro|back.?to.?life/i
header __KAM_FROM_SPAM_AUG22 From =~ /a1c.?fix|LeafProtect\.com|ServicePlus\.Home|Golden.?fx|Arcti.?FREEZE|RensaClub\.com|\@advids?\-|nail.?infection|pain.?relief.?sock|leaf.?filter|toxic.?foot|nails.?fungus|cat.?spraying|big.?pharma|vision.?enhancing|battery.?recondition|injecting.?fat|mosquito.?light|black.?surge|tinnitus.?911|sugar.?balance|cardio.?clear|compression.?sock|balanced.?blood|Sqribble|ukraine.?(beauty|bride)|instahard|shop.?icehouse|vital.?flow|Discount.?is.?ready|cinch.?home.?protection|home.?protection.?plan|zander.?term|easy.?canvas.?(deals|prints)|home.?warranty.?offer|toxic.?water|keto.?202\d|wifi.?booster|restore.?gummies|-advids\.|lost.?superfoods|vantis.?life|roofing.?quote|maasalong|flux.?active|hot.?russian|serious.?daters|anderson.?affiliate|instant.?translator|clipper.?pro|scientific.?nail|6.?secrets|singles.?offer|lower.?my.?bill|SplashWines\.com|leafprotect\.com|columbian.?girl|wifi.?ultraboost|\@clum-?(video|creat)|deadly.?sex|Vita.?Firm/i
header __KAM_FROM_SPAM_SEP22 From =~ /Select.?Quote.?(offer|affiliate|insurance)|light.?bulb.?camera|pitney.?bowes.?presort|carshield.?quote|neckcool|zinc7|term.?life.?insurance|detox.?shower|protection.?from.?pests|Pest.?defense|Life.?Omic|pipelinersales|\.kalendar/i
header __KAM_FROM_SPAM_OCT22 From =~ /Barx.?Busy.?Ball|Nationwide.?Home.?protection|Social Diger|Splash Wine|Holiday.?Wallet.?Guru|no.?more.?joint.?pain|poop.?out.?fat/i
header __KAM_FROM_SPAM_NOV22 From =~ /liveto.?accelerator|tupi.?tea|lT Service Desk|free.?spins?.?Canada|eye.?bag.?cream|amylase.?benefit|bladder.?leak|\@.{0,8}saasee\.|\@saasee|japanese.?delicacy|insure.?my.?car|businesspronews|CFOtrends|COOupdate|\@whizzbridge|phototrakk|CIOProNews/i
header __KAM_FROM_SPAM_DEC22 From =~ /\@avogtal\.|Belly.?Slim|stealth.?attraction|renewalbyandersen|\@devacc\.|bloodbalance|\@.*\.kalenda/i
header __KAM_FROM_SPAM_JAN23 From =~ /cat\d[ae]?_cable|\@.*\.kalndr|Alpha.?Beast|Auto.?Renewal.?Notice|Blue.?Hat.?Giveaway|Sleep.?Guard.?Plus|balance.?trick|black.?coffee.?hack|openeye.?cbd|fatty.?liver|bizjournals\.com|washingtonbusinessjournal\.com|Acetaminophen.?Lawsuit|\@whizzbridge|Photo.?Trakk|cosmic.?globe|SelectHomeWarranty/i
header __KAM_FROM_SPAM_FEB23 From =~ /SEO Rose|Diabacore|Cholibrium|Brain.?Savior|Ukranian.?Single|business.?concierge.?team/i
header __KAM_FROM_SPAM_MAR23 From =~ /Ukranian.?girls|feel.?good.?knee|fiber.?warning|septi.?fix|elongation.?secret|liver.?warning|Health.?Teamz|Blisterol/i
header __KAM_FROM_SPAM_APR23 From =~ /Fat.?loss.?trick|paid.?clinical.?stud|reduce.?wrist.?pain|Compression.?Sock|mystery.?shopper|carshield|prostate.?911|sonovive|\@avogtal\.|homedepotpromotions|ukranian.?girls|liver.?health/i
header __KAM_FROM_SPAM_MAY23 From =~ /Get.?prostate|mr.?.?lean.?belly|pain.?trigger|homedepotpromo|lume.?deodorant|hemp.?gummies|ninja.?offers|obamacare.?rate|brain.?news|joint.?support|lepticell/i
header __KAM_FROM_SPAM_JUN23 From =~ /ukrainian.?(wom[ae]n|single)|brain.?fortify|attorney.?for.?cancer|enence.?translator|tac.?right.?mini.?saw|walk.?in.?bath|care.?soles|hip.?flexor|prodentim/i
header __KAM_FROM_SPAM_JUL23 From =~ /Memory.?foam.?pillow|flow.?it.?hardware|payroll.?advance|elon.?Power.?bank|dementia.?trigger/i
header __KAM_FROM_SPAM_AUG23 From =~ /menopause.?pooch|icloud.?online.?shopper|(airlines?|UPS).?shopper.?gift|surge.?card|1st.?premier.?lending|fast.?lean.?pro|Dementia.?Trigger|(epson|delta|stanley|Lowes).?(rewards|giveaway)|\@\d\.socialteers\-|\@\d\..*-carmine\.com/i
header __KAM_FROM_SPAM_SEP23 From =~ /\@\d\.petra\-.*\.com|ups.?evaluation.?center|kohls.?perspective.?team|gift.?opportunities.?by.?oreilly|netflixmember|home.?depot.?(store|reward|express)|hexclad.?(kitchen|cook)ware|costco.?store.?card|\@dealclosers-.*\.com|Walgreens(points)|powerknot|unitedmiieage/i
header __KAM_FROM_SPAM_OCT23 From =~ /bye.?herpes|compass.?coffee|Kobalt.?giveaway|pain.?relief.?protein|\@(tr\.)?\d\.digiteers\-.*\.com|stanleyToolSet/i
#removed tiktok shop as a FP 2025-02-06
header __KAM_FROM_SPAM_NOV23 From =~ /Amblebrook.?at.?Gettysburg|mcafee.?warning|\@reloadl?ux\.|metamask.?airdrop|legostar.?nft/i
header __KAM_FROM_SPAM_DEC23 From =~ /SBAlley|home.?foreclosures?.?list|Ad0be.?Acr0bat|real.?social.?mart|nail.?fungus|cardiologists.?shocked/i
header __KAM_FROM_SPAM_JAN24 From =~ /Nail.?Fungus|water.?filtration|safe.?drinking.?water|Portable.?Heater|scrub.?daddy|stop.?ear.?ring|kohl.?s.?surprise|Solar.?Generator|vault.?scanner|b2b.?worlds|chimp\'s.?custom.?graphics|cold.?sore.*nuker|neuropathy.?cure|BackPain|\@.*\.(cannoschoolnighqua|usanoschoolnighqua)\d+\.org|Apple_Mystery|N\.e\.t\.f\.l\.i\.x|Nano.?Security.?scan|Temu Pallet|QBKS.?renew|american.?airlines.?winner|food.?shortage|Airwheel|benign.?vertigo|ozempic.?scandal|Harbor.?Freight.?Dep/i
header __KAM_FROM_SPAM_FEB24 From =~ /MTS.?Transitional.?Life|\@avogtal\-|carshield.?auto.?protection|harbor.?freight.?thanks|anti.?aging.?cream|my.?senior.?perks|siriusxm.?loyalty.?program|0nlyfans|gutter.?guard.?affiliate|Federal.?Tax.?Debt.?Help|Activate.?your.?superbrain|Eye.?Nutrient.?Risk/i
header __KAM_FROM_SPAM_MAR24 From =~ /Portable.?Wifi|Easter.?letters|\@\w*?\.socialteers\-|Zymme.?Pillow|Crystal.?clear.?vision|stubborn.?belly.?fat|Smart.?time.?share.?owner/i
header __KAM_FROM_SPAM_APR24 From =~ /ugly.?plant|Mysterious.?Liquid|empiretaxprofessionals|\@\w*\.petra\-.*\.com|XBINANCEX/i
header __KAM_FROM_SPAM_MAY24 From =~ /Michael Page Recruitment|Page Group Recruiting|MFA\-Enrollments\-Desk|Nina.?video.?(display|etindge)/i
header __KAM_FROM_SPAM_JUN24 From =~ /Purave.?Water.?filter|vagabondtemple\.com|\@qwiklabs.*\.firebaseapp\.com/i
header __KAM_FROM_SPAM_JUL24 From =~ /Diabetes.?(defender|solution.?kit)|Black.?Tea.?vs\..?Green.?Tea|Lume.?Deoderant|Chocolate\?vs.?Butter|Fue[il].?Re[il]ief.?Program|loca[il].?food.?he[il]p|Your.?Local.?McDona[il]ds|Trump.?Hat|Power.?Saver.?Pro/i
header __KAM_FROM_SPAM_AUG24 From =~ /10\-seconds|diabetes.?supplement|healthy.?nails|alerts?yourpackage\@|MarriottComfortSquad|cloudphonealert|Unlimited.?TV|destroy.?fat|Anti.?Snoring.?Solution|Hero.?Blanket|repair.?nerves|Senior.?savings|Knee.?pain|10\-seconds|ageless.?dog|Your.?Teeth|Neck.?Cool.?Pro|Ergonomic.?Chairs|Stanley.?Tool.?Set.?Winner|Wrist.?Pain.?Relief|Cordless.?Drill.?driver.?kit.?reward|Ninja.?Air.?Fryer.?Department|Eye.?Nutrient.?Risk|Tool.?Set.?Rewards|Antibacterial.?Sheets|tractor.?supply.?winner|CostcoExclusiveDeals|Enence.?translat|Portable.?wifi|Walmart.?tech.?team|Harbor.?freight.?surprise/i
header __KAM_FROM_SPAM_SEP24 From =~ /imanuel.?bible.?app|pancake.?swap|Klaudena.?Ergonomic.?Design|CVS.?Shopper.?Gift|Tactic.?Air.?Drone|Zoominfo.?Accounting.?Dept|ninja.?doublestack|keto.?gumm|omaha.?steaks.?exclusive|yeti.?hopper.?flip|SpyRec.?Pro|Prime.?CBD|penis.?(growth|enlargement)|Home.?Depot.?Opinion.?Requested|[\@=]losbuzos\.com|SouthwestAirlines(Online)?Survey/i
header __KAM_FROM_SPAM_OCT24 From =~ /Huusk\@|Ace.?Unlocked|Skincare.?by.?Marilee|Patriot.?Solar.?Generator|HuluMembership|FreeTrumpShirt|Tractor.?Supply.?Surprise|WalmartDailyFinds\@|radon.?eraser|DunkinDonutsRewardsBoxDepartment|sniperrifle|TheUltimatePrepStore|NewKneesAndHips|Dr\. Merritt\'s Health Insights|EnenceTranslator|Collagen.?Booster|Virtual.?Shield.?Alerts|hollywood.?skin.?boost|Overnight.?Pain.?Relief/i
header __KAM_FROM_SPAM_NOV24 From =~ /exclusive.?offers.?tesco|electric.?ear.?vacuum|Excelsior.?Trading.?Plus.?LLC|Enence.?Translator|Klaudena.?Ergonomic.?Design|Sidewinder.?sling|Night.?Vision.?4.?driving|Enence.?translat|Hardware.?store.?Reward|Tractor.?Supply.?Surprise|predator.?generator|official.?santa.?package|peeting.?at.?night|lowering.?blood.?pressure|ebay.?shopper.?feedback/i
header __KAM_FROM_SPAM_DEC24 From =~ /\(label\)|medicinal.?garden.?kit|eZScrubpro|FreeTaxUSA.?(Customer|Tool)|Personalized.?Santa.?Letters|Vision.?Boosting.?Secret|Winter.?Secret.?Pro|Ryoko.?WiFi|Painful.?Surgery|ukranian girls|DriveBright.?offer/i
header __KAM_FROM_SPAM_JAN25 From =~ /Free.?Trump.?Merch|southwest.?airlines.?shopper|Prostate.?Wellness|[a-z]*\.biddingestimatings?\@gmail.com|drop.?lbs.?with.?this|Stuck.?poop.?fast|[a-z]*\.smartleadlist\@gmail\.com|heated.?scarf|restore.?prostate|\@accufin\.|Joint.?pain.?remedy|Anti.?glucose.?mineral|vanishes.?wrinkles|activate.?brain.?power|fast.?constipation.?relief/i
header __KAM_FROM_SPAM_FEB25 From =~ /perfect.?A1C|pooping.?secret|Neuropathy.?Warning|Total\-T|Urgent.?Wealth.?Warning|hearing.?loss|Statefarm.?safety|Trump.?Collector|Trump.?Gold.?Coin|Sudanese.?sugar.?trick|ancient.?secret.?unveiled|no.?more.?metformin|numb.?hands.?and.?feet|do.?this.?in.?bed|bone.?on.?bone/i
header __KAM_FROM_SPAM_MAR25 From =~ /(kalendarai|reply|datascience)\@(link|join|network|chat)\-\d+/i
header __KAM_FROM_SPAM_APR25 From =~ /cold.?sore.?drink|belly.?fat.?killer|Herpes.?Warning/i
header __KAM_FROM_SPAM_MAY25 From =~ /clear.?fungus.?fast|neuropathy.?relief|Metabolism.?mute|muffled.?hearing|costco.?offer.?alert/i
header __KAM_FROM_SPAM_JUN25 From =~ /you.?have.?been.?hacked.*\@/i
header __KAM_FROM_SPAM_AUG25 From =~ /AAA.?(preparedness|protection|rescue|Roadside|ready|emergency|Help|shipping.?car|response).?Kit/ia
header __KAM_FROM_SPAM_SEP25 From =~ /RoadsideServicesfromAAA/i
meta KAM_FROM_SPAM ( __KAM_FROM_SPAM_NOV21 + __KAM_FROM_SPAM_DEC21 + __KAM_FROM_SPAM_JAN22 + __KAM_FROM_SPAM_FEB22 + __KAM_FROM_SPAM_MAR22 + __KAM_FROM_SPAM_APR22 + __KAM_FROM_SPAM_MAY22 + __KAM_FROM_SPAM_JUN22 + __KAM_FROM_SPAM_JUL22 + __KAM_FROM_SPAM_AUG22 + __KAM_FROM_SPAM_SEP22 + __KAM_FROM_SPAM_OCT22 + __KAM_FROM_SPAM_NOV22 + __KAM_FROM_SPAM_DEC22 + __KAM_FROM_SPAM_JAN23 + __KAM_FROM_SPAM_FEB23 + __KAM_FROM_SPAM_MAR23 + __KAM_FROM_SPAM_APR23 + __KAM_FROM_SPAM_MAY23 + __KAM_FROM_SPAM_JUN23 + __KAM_FROM_SPAM_JUL23 + __KAM_FROM_SPAM_AUG23 + __KAM_FROM_SPAM_SEP23 + __KAM_FROM_SPAM_OCT23 + __KAM_FROM_SPAM_NOV23 + __KAM_FROM_SPAM_DEC23 + __KAM_FROM_SPAM_JAN24 + __KAM_FROM_SPAM_FEB24 + __KAM_FROM_SPAM_MAR24 + __KAM_FROM_SPAM_APR24 + __KAM_FROM_SPAM_MAY24 + __KAM_FROM_SPAM_JUN24 + __KAM_FROM_SPAM_JUL24 + __KAM_FROM_SPAM_AUG24 + __KAM_FROM_SPAM_SEP24 + __KAM_FROM_SPAM_OCT24 + __KAM_FROM_SPAM_NOV24 + __KAM_FROM_SPAM_DEC24 + __KAM_FROM_SPAM_JAN25 + __KAM_FROM_SPAM_FEB25 + __KAM_FROM_SPAM_MAR25 + __KAM_FROM_SPAM_APR25 + __KAM_FROM_SPAM_MAY25 + __KAM_FROM_SPAM_JUN25 + __KAM_FROM_SPAM_AUG25 + __KAM_FROM_SPAM_SEP25 >= 1)
describe KAM_FROM_SPAM From Indicates a Product Spam
score KAM_FROM_SPAM 9.0
meta KAM_FROM_SPAM_TLD ( __KAM_FROM_SPAM_FEB22_TLD + KAM_SOMETLD_ARE_BAD_TLD >= 2)
describe KAM_FROM_SPAM_TLD From and TLD Indicates a Product Spam
score KAM_FROM_SPAM_TLD 7.75
#EVIL NUMBERS
#1.?\(?213\)?[-\. ]+?260[-\. ]+?3712
body __KAM_EVIL_NUMBERS1 /(1.?\(?833\)?[-\. ]?900[-\. ]?0864|1.?\(?818\)?[-\. ]?275[-\. ]?7971|1.?\(?855\)?[-\. ]?357[-\. ]?8754|1.?\(?888\)?[-\. ]?683[-\. ]?2877|1.?\(?800\)?[-\. ]?363[-\. ]?9576|1.?\(?888\)?[-\. ]?501[-\. ]?3532|1.?\(?770\)?[-\. ]?406[-\. ]?6871|1.?\(?213\)?[-\. ]?260[-\. ]?3712|1.?\(?844\)?[-\. ]?984[-\. ]?0636|1.?\(?877\)?[-\. ]?483[-\. ]?0915|1.?\(?845\)?[-\. ]?393[-\. ]?0745|1.?\(?888\)?[-\. ]?505[-\. ]?1735|1.?\(?888\)?[-\. ]+?987[-\. ]+?6497|1.?\(?855\)?[-\. ]+?459[-\. ]+?2056|1.?\(?804\)?[-\. ]+?889[-\. ]+?0912|1.?\(?888\)?[-\. ]+?246[-\. ]+?8525|1.?\(?888\)?[-\. ]+?366[-\. ]+?2749|1.?\(?816\)?[-\. ]+?376[-\. ]+?8830|1.?\(?877\)?[-\. ]+?509[-\. ]+?8177|1.?\(?888\)?[-\. ]+?385[-\. ]+?8394|1.?\(?805\)?[-\. ]+?429[-\. ]+?2880|1.?\(?888\)?[-\. ]+?260[-\. ]+?7583|1.?\(?808\)?[-\. ]+?444[-\. ]+?7474|1.?\(?888\)?[-\. ]+?225[-\. ]+?0087|1.?\(?818\)?[-\. ]+?447[-\. ]+?4686|1.?\(?845\)?[-\. ]+?481[-\. ]+?2002|1.?\(?888\)?[-\. ]+?337[-\. ]+?3512|1.?\(?888\)?[-\. ]+?865[-\. ]+?0443|1.?\(?801\)?[-\. ]+?326[-\. ]+?4945|1.?\(?888\)?[-\. ]+?457[-\. ]+?7953|1.?\(?888\)?[-\. ]+?712[-\. ]+?0714|1.?\(?805\)?[-\. ]+?220[-\. ]+?9060|1.?\(?888\)?[-\. ]+?216[-\. ]+?7674|1.?\(?888\)?[-\. ]+?219[-\. ]+?8757|1.?\(?888\)?[-\. ]+?376[-\. ]+?0079|1.?\(?888\)?[-\. ]+?806[-\. ]+?2548|1.?\(?808\)?[-\. ]+?736[-\. ]+?6567|1.?\(?805\)?[-\. ]+?250[-\. ]+?1682|1.?\(?808\)?[-\. ]+?649[-\. ]+?5251|1.?\(?888\)?[-\. ]+?884[-\. ]+?3596|1.?\(?888\)?[-\. ]+?850[-\. ]+?1879|1.?\(?888\)?[-\. ]+?672[-\. ]+?7156|1.?\(?801\)?[-\. ]+?833[-\. ]+?0315|1.?\(?808\)?[-\. ]+?755[-\. ]+?6084|1.?\(?859\)?[-\. ]+?888[-\. ]+?2341|1.?\(?833\)?[-\. ]+?685[-\. ]+?4054|1.?\(?888\)?[-\. ]+?394[-\. ]+?0278|1.?\(?888\)?[-\. ]+?992[-\. ]+?1779|1.?\(?888\)?[-\. ]+?399[-\. ]+?0394|1.?\(?888\)?[-\. ]+?982[-\. ]+?7639|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?877\)?[-\. ]+?232[-\. ]+?6467|1.?\(?877\)?[-\. ]+?208[-\. ]+?4319|1.?\(?855\)?[-\. ]+?630[-\. ]+?3663|1.?\(?808\)?[-\. ]+?470[-\. ]+?7449|1.?\(?888\)?[-\. ]+?803[-\. ]+?6039|1.?\(?920\)?[-\. ]+?354[-\. ]+?6236|1.?\(?888\)?[-\. ]+?803[-\. ]+?3130|1.?\(?888\)?[-\. ]+?436[-\. ]+?-0785|1.?\(?855\)?[-\. ]+?948[-\. ]+?3820|1.?\(?888\)?[-\. ]+?662[-\. ]+?7908|1.?\(?888\)?[-\. ]+?350[-\. ]+?3529|1.?\(?808\)?[-\. ]+?501[-\. ]+?0625|1.?\(?833\)?[-\. ]+?216[-\. ]+?0511|1.?\(?833\)?[-\. ]+?552[-\. ]+?7144|1.?\(?800\)?[-\. ]+?526[-\. ]+?5742|1.?\(?806\)?[-\. ]+?839[-\. ]+?6096|1.?\(?727\)?[-\. ]+?498[-\. ]+?4899|1.?\(?808\)?[-\. ]+?318[-\. ]+?2838|1.?\(?877\)?[-\. ]+?409[-\. ]+?1087)(\b|$)/i
#WEIRD FORMAT
body __KAM_EVIL_NUMBERS2 /\(845\)-458-6\.4\.9\.1|850 3285 455|229 5154 934|585 3660 399/i
#WEIRD CHARS
body __KAM_EVIL_NUMBERS3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/i
#WEIRD FORMAT
body __KAM_EVIL_NUMBERS4A /[\({]\d\d\d[\)}][_~\*,]\d\d\d[_~\*,]{1,3}\d\d\d\d/
body __KAM_EVIL_NUMBERS4B /\(\d\d\d\)-\(\d\d\d\)-\(\d\d\d\d\)/
meta KAM_EVIL_NUMBERS (__KAM_EVIL_NUMBERS1 + __KAM_EVIL_NUMBERS2 + __KAM_EVIL_NUMBERS3 >= 1)
describe KAM_EVIL_NUMBERS Phone Numbers used by scammers
score KAM_EVIL_NUMBERS 7.0
#Thanks to Greg Troxel for the error fix here
meta KAM_EVIL_NUMBERS4 ( __KAM_EVIL_NUMBERS4A + __KAM_EVIL_NUMBERS4B >= 1 )
describe KAM_EVIL_NUMBERS4 Phone Numbers used by scammers
score KAM_EVIL_NUMBERS4 1.0
#LAUNCH PCCC WILD RBL
if (version >= 4.000000)
ifplugin Mail::SpamAssassin::Plugin::HashBL
if can(Mail::SpamAssassin::Plugin::HashBL::has_hashbl_bodyre_num)
# extract phone numbers from text
# the phone number might be of the form:
# +1 (123) 123-4567
# 441 (123) 123-4567 (44 is the hex of the + char, tesseract(1) could convert the '+' sign this way
# spaces, + sign, parenthesis and spaces are optional
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
if can(Mail::SpamAssassin::Plugin::HashBL::has_hashbl_bodyre_replace)
if can(Mail::SpamAssassin::Plugin::RaptorOnly::has_hashbl_bodyre_phone)
replace_rules GB_PHONE_RBL
body GB_PHONE_RBL eval:check_hashbl_bodyre_phone('wild.pccc.com', 'raw/max=10/shuffle/num/case/replace', '(?<![1-9])((?:(?:\+)?(?:<N0>|<N1>|<N2>|<N3>|<N4>|<N5>|<N6>|<N7>|<N8>|<N9>){1,3}[^a-zA-Z0-9]{0,2})?(?:<N0>|<N1>|<N2>|<N3>|<N4>|<N5>|<N6>|<N7>|<N8>|<N9>){2,3}[^a-zA-Z0-9]*(?:<N0>|<N1>|<N2>|<N3>|<N4>|<N5>|<N6>|<N7>|<N8>|<N9>){3,4}[^a-zA-Z0-9]*(?:<N0>|<N1>|<N2>|<N3>|<N4>|<N5>|<N6>|<N7>|<N8>|<N9>){4,6})(?!\d)', '127.0.1.16')
priority GB_PHONE_RBL -100
tflags GB_PHONE_RBL net
describe GB_PHONE_RBL Message contains phone number found on blocklist (https://raptor.pccc.com/RBL)
score GB_PHONE_RBL 6.0
endif
replace_rules GB_PHONE_RBL_RAW
rawbody GB_PHONE_RBL_RAW eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num/case/replace', 'tel:(?:\+)?((?:<N0>|<N1>|<N2>|<N3>|<N4>|<N5>|<N6>|<N7>|<N8>|<N9>){10,13})', '127.0.1.16')
priority GB_PHONE_RBL_RAW -100
tflags GB_PHONE_RBL_RAW net
describe GB_PHONE_RBL_RAW Message contains phone number found on blocklist (https://raptor.pccc.com/RBL)
score GB_PHONE_RBL_RAW 6.0
endif
else
body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num/', '(?<![1-9])((?:(?:\d){1,3}[^a-zA-Z0-9]{0,2})?(?:\d){2,3}[^a-zA-Z0-9]*(?:\d){3,4}[^a-zA-Z0-9]*(?:\d){4,6})(?!\d)', '127.0.1.16')
# slow regexp
# body GB_PHONE_RBL eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', '(?:\*+|\b)(?:\+|4{2})?(?:[\s\*]+)?(?:[0-9]{1,2})?((?:[\s,\^\*]+)?[(|{|\*+]?[0-9]{3}[)|}|\*+]?(?:[-\s\.\*_~,:\*]+)?[0-9]{3}(?:[-\s\.\*_~,"]+)?[0-9]{4,6})(?:\*+|\b)', '127.0.1.16')
priority GB_PHONE_RBL -100
tflags GB_PHONE_RBL net
describe GB_PHONE_RBL Message contains phone number found on blocklist (https://raptor.pccc.com/RBL)
score GB_PHONE_RBL 6.0
rawbody GB_PHONE_RBL_RAW eval:check_hashbl_bodyre('wild.pccc.com', 'raw/max=10/shuffle/num', 'tel:(?:\+)?([0-9]{10,13})', '127.0.1.16')
priority GB_PHONE_RBL_RAW -100
tflags GB_PHONE_RBL_RAW net
describe GB_PHONE_RBL_RAW Message contains phone number found on blocklist (https://raptor.pccc.com/RBL)
score GB_PHONE_RBL_RAW 6.0
endif
endif
endif
endif
#FAKE PRODUCTS USING SHAREPOINT
body __KAM_FAKE_SHAREPOINT_PRODUCTS1 /bitdefender security cloud/i
body __KAM_FAKE_SHAREPOINT_PRODUCTS2 /renewed/i
meta KAM_FAKE_SHAREPOINT_PRODUCTS (KAM_FAKE_SHAREPOINT + __KAM_FAKE_SHAREPOINT_PRODUCTS1 + __KAM_FAKE_SHAREPOINT_PRODUCTS2 >= 3)
describe KAM_FAKE_SHAREPOINT_PRODUCTS Spams abusing Sharepoint
score KAM_FAKE_SHAREPOINT_PRODUCTS 3.0
#ODDNAME ENGINE
#SIG
body __KAM_ODDNAME_1 /(Respond|Message back|reply).{0,4}(OPT.?OUT|NOT INTERESTED)/i
#HAWK
body __KAM_ODDNAME_2 /we offer|how about a quote|connect for a quote|good time in mind|number to quickly connect|best time to contact|direct line to connect/i
#SUBJ
header __KAM_ODDNAME_3 Subject =~ /best line to reach|payroll|leads|call answering|quick minute|talk tomorrow|available today/i
#WHAT
body __KAM_ODDNAME_4 /high.?speed internet|payroll solution|x more visit|inbound call|marketing (division|arm)|reduce its phone/i
meta KAM_ODDNAME ( __KAM_ODDNAME_1 + __KAM_ODDNAME_2 + __KAM_ODDNAME_3 + __KAM_ODDNAME_4 + FREEMAIL_FROM >= 5 )
describe KAM_ODDNAME Engine Hawking Products with Odd rotating business names
score KAM_ODDNAME 7.5
#FAKE HOLD
#from
header __KAM_FAKE_HOLD1 From:name =~ /TD.?Ameritrade/i
#subj
header __KAM_FAKE_HOLD2 Subject =~ /account is on hold/i
#prob
body __KAM_FAKE_HOLD3 /account has been put on hold/i
#action
body __KAM_FAKE_HOLD4 /verify your identity/i
meta KAM_FAKE_HOLD ( __KAM_FAKE_HOLD1 + __KAM_FAKE_HOLD2 + __KAM_FAKE_HOLD3 + __KAM_FAKE_HOLD4 + KAM_SHORT >= 5)
describe KAM_FAKE_HOLD Fake Account Hold Scams
score KAM_FAKE_HOLD 7.5
#PAYROLL SCANNER
header __KAM_PAYROLL_SCANNER1 From =~ /account/i
header __KAM_PAYROLL_SCANNER2 Subject =~ /payroll/i
body __KAM_PAYROLL_SCANNER3 /e-?mail was sent from \"/i
meta KAM_PAYROLL_SCANNER ( __KAM_PAYROLL_SCANNER1 + __KAM_PAYROLL_SCANNER2 + __KAM_PAYROLL_SCANNER3 + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_IFRAME >= 5)
describe KAM_PAYROLL_SCANNER Payroll Scam Emails
score KAM_PAYROLL_SCANNER 7.5
#KAM_REFRESH
# LIKELY NEED MORE EFFICIENT RAPTOR TAG
rawbody KAM_HTTP_REFRESH /http-equiv=("|')?refresh("|')?/i
describe KAM_HTTP_REFRESH Contains an http refresh
score KAM_HTTP_REFRESH 0.5
#BAD HTML MESSAGES
meta KAM_BAD_HTML (KAM_SHORT + (T_HTML_ATTACH + __KAM_SHTML_ATTACH >= 1) + KAM_HTTP_REFRESH + UNWANTED_LANGUAGE_BODY >= 3)
describe KAM_BAD_HTML Email With a likely bad or dangerous html attachment
score KAM_BAD_HTML 6.5
#BAD CONTENT-TYPE
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader KAM_BAD_CONTENT Content-Type =~ /image\/png.*\.s?html?"?$/i
describe KAM_BAD_CONTENT Content likely using evasion techniques
score KAM_BAD_CONTENT 6.0
endif
#FAKE MT BANK
header __KAM_FAKE_MT1 Subject =~ /Important Notice from M&T/i
body __KAM_FAKE_MT2 /Important (message|Notice) From /i
tflags __KAM_FAKE_MT2 nosubject
#3 removed - looking at X-PHP-Originating-Script: or something similar - header __X_PHP_EXISTS ALL =~ /^X-PHP-/m
header __KAM_FAKE_MT4 From:name =~ /M&T Bank/i
header __KAM_FAKE_MT5 From:addr !~ /mtb\.com/i
meta KAM_FAKE_MT (__KAM_FAKE_MT1 + __KAM_FAKE_MT2 + KAM_SHORT + __HAS_PHP_ORIG_SCRIPT + __KAM_FAKE_MT4 + (__KAM_FAKE_MT5 + SPF_FAIL >= 1) >= 5)
describe KAM_FAKE_MT Fake Bank Alert Scam
score KAM_FAKE_MT 7.5
#FAKE SHARED DOCUMENT
header __KAM_FAKE_SHARE1 Subject =~ /document shared with you/i
body __KAM_FAKE_SHARE2 /sent you the following/i
meta KAM_FAKE_SHARE ( __KAM_FAKE_SHARE1 + __KAM_FAKE_SHARE2 + __GB_ANY_REDIR >= 3)
describe KAM_FAKE_SHARE Fake sharing email scam
score KAM_FAKE_SHARE 4.5
#BTC SCAM
header __KAM_BTC1 Subject =~ /btc|bitcoin/i
body __KAM_BTC2 /passive income|\d+\s?btc to your wallet/i
tflags __KAM_BTC2 nosubject
meta KAM_BTC ( __KAM_BTC1 + __KAM_BTC2 + ( __GB_ANY_REDIR || __TO_UNDISCLOSED ) >= 3)
describe KAM_BTC BTC Investment Scam
score KAM_BTC 8.5
#PHOTO PHISH
body __KAM_PHOTOPHISH1 /here are the(se)? (pics|pictures|images|photo)|(here is|forwarded|sent) (this|that) (photo|pic)|have a look|send these pics before|photos from last week/i
body __KAM_PHOTOPHISH2 /(guess|not sure if|hope|presume) (it\'s|they\'re|they are) still (appropriate|related|needed|relevant)|still the right time for them|send them to you way sooner|just occurred to me/i
body __KAM_PHOTOPHISH3 /remember the (m[ae]n|wom[ea]n|girls) (in|on) (the|this) (pic|image|photo)|recall the (guys|girls) on the last \d+\s+pictures|assume you know most of these (guys|girls)/i
meta KAM_PHOTOPHISH (( __KAM_PHOTOPHISH1 + __KAM_PHOTOPHISH2 >= 2) + (__HAS_ANY_URI >= 1) >= 2 )
describe KAM_PHOTOPHISH Photograph phishing scam
score KAM_PHOTOPHISH 7.0
meta KAM_PHOTOPHISHLOW __KAM_PHOTOPHISH3 + __HAS_ANY_URI >= 2
describe KAM_PHOTOPHISHLOW Photograph phishing scam [lower confidence]
score KAM_PHOTOPHISHLOW 5.0
#DIRECT DEPOSIT
body __KAM_DIRECTDEPOSIT1 /payroll|pay account/i
body __KAM_DIRECTDEPOSIT2 /(update|Change) my (pay account|Direct deposit)/i
tflags __KAM_DIRECTDEPOSIT2 nosubject
header __KAM_DIRECTDEPOSIT3 Subject =~/direct deposit change/i
meta KAM_DIRECTDEPOSIT ( __KAM_DIRECTDEPOSIT1 + __KAM_DIRECTDEPOSIT2 + __KAM_DIRECTDEPOSIT3 + ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1) >= 3)
describe KAM_DIRECTDEPOSIT Direct Deposit Phish
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_DIRECTDEPOSIT [Phish]
endif
endif
score KAM_DIRECTDEPOSIT 4.5
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
#MAL INVOICE
header __KAM_MALINVOICE1 Subject =~ /Tax Invoice/i
body __KAM_MALINVOICE2 /tax invoice/i
tflags __KAM_MALINVOICE2 nosubject
mimeheader __KAM_MALINVOICE3 Content-type =~ /Name=\"?Form.*\.xls\"?$/i
meta KAM_MALINVOICE ( KAM_OLEMACRO_RENAME + __KAM_MALINVOICE1 + __KAM_MALINVOICE2 + __KAM_MALINVOICE3 >= 4)
describe KAM_MALINVOICE Malicious Invoice with Dangerous Attachment
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
if can(Mail::SpamAssassin::Conf::feature_subjprefix)
subjprefix KAM_MALINVOICE [Malware]
endif
endif
score KAM_MALINVOICE 10.0
endif
#LEAD SUPPLY
body KAM_LEAD_SUPPLY /The Lead Supply via marketing services from The Email Bureau|The Email Bureau Limited/i
describe KAM_LEAD_SUPPLY Spam from Lead Supply
score KAM_LEAD_SUPPLY 10.0
#FAKE LINKEDIN
header __KAM_FAKE_LINKEDIN1 From:name =~ /Linkedin/i
header __KAM_FAKE_LINKEDIN2 From:addr !~ /linkedin\.com$/i
header __KAM_FAKE_LINKEDIN2A From:addr =~ /googleusercontent/i
header __KAM_FAKE_LINKEDIN3 Subject =~ /\d+ searches this week|looking at your profile|found by people|matches this job|have (?:a|\d+) new message|searching for you/i
meta KAM_FAKE_LINKEDIN (__KAM_FAKE_LINKEDIN1 + __KAM_FAKE_LINKEDIN2 + __KAM_FAKE_LINKEDIN2A + __KAM_FAKE_LINKEDIN3 >= 3)
describe KAM_FAKE_LINKEDIN Fake LinkedIn messages
score KAM_FAKE_LINKEDIN 4.5
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
if can(Mail::SpamAssassin::Plugin::HeaderEval::has_check_invalid_from)
header __KAM_GB_INVALID_FROM eval:check_invalid_from()
meta KAM_GB_INVALID_FROM (__KAM_GB_INVALID_FROM && ! ( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE ) )
describe KAM_GB_INVALID_FROM From Address is invalid
score KAM_GB_INVALID_FROM 5.0
else
#INVALID FROM RULE
header __KAM_GB_INVALID_FROM_NO_DOTS From:addr !~ /\./
header __KAM_GB_INVALID_FROM_NO_AT From:addr !~ /\@/
header __KAM_TWODOTS From:addr =~ /\@.*\.\./i
meta KAM_GB_INVALID_FROM (__KAM_GB_INVALID_FROM_NO_DOTS + __KAM_GB_INVALID_FROM_NO_AT + __KAM_TWODOTS >= 1) && ! ( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE )
describe KAM_GB_INVALID_FROM From Address is invalid
score KAM_GB_INVALID_FROM 5.0
endif
else
#INVALID FROM RULE
header __KAM_GB_INVALID_FROM_NO_DOTS From:addr !~ /\./
header __KAM_GB_INVALID_FROM_NO_AT From:addr !~ /\@/
header __KAM_TWODOTS From:addr =~ /\@.*\.\./i
meta KAM_GB_INVALID_FROM (__KAM_GB_INVALID_FROM_NO_DOTS + __KAM_GB_INVALID_FROM_NO_AT + __KAM_TWODOTS >= 1) && ! ( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE )
describe KAM_GB_INVALID_FROM From Address is invalid
score KAM_GB_INVALID_FROM 5.0
endif
#INVALID FROM HEADER
header __KAM_INVFROM1 From =~ /<[^>]*$/
header __KAM_INVFROM2 From =~ /^[^<]*>/
meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
score KAM_INVFROM 2.0
describe KAM_INVFROM Invalid From Header containing mismatched <>'s
meta GB_INVALID_FROM_NOTLS ( KAM_GB_INVALID_FROM && KAM_NOTLS )
describe GB_INVALID_FROM_NOTLS From Address is invalid without TLS connection
score GB_INVALID_FROM_NOTLS 1.5
#FAKE PAYROLL
header __KAM_FAKE_PAYROLL1 Subject =~ /payroll verification/i
#change
body __KAM_FAKE_PAYROLL2 /new payroll directory/i
#oddlang
body __KAM_FAKE_PAYROLL3 /required directive/i
#oddlink
uri __KAM_FAKE_PAYROLL4 /\.boxmode\.io/i
meta KAM_FAKE_PAYROLL ( __KAM_FAKE_PAYROLL1 + __KAM_FAKE_PAYROLL2 + __KAM_FAKE_PAYROLL3 + __KAM_FAKE_PAYROLL4 >= 4)
describe KAM_FAKE_PAYROLL Payroll Scam
score KAM_FAKE_PAYROLL 6.0
#DATING ADD THAT IS EXPLICIT
body __KAM_DATING1 /women seeking happiness/i
body __KAM_DATING2 /18\+ platform/i
mimeheader __KAM_DATING3 Content-type =~ /\.(png|jpe?g)\"?$/i
meta KAM_DATING ( __KAM_DATING1 + __KAM_DATING2 + __KAM_DATING3 + (FREEMAIL_FORGED_REPLYTO + FREEMAIL_FROM >= 1) >= 4)
describe KAM_DATING Explicit Content Dating Advert
score KAM_DATING 4.5
#FAKE EFAX
header __KAM_FAKE_EFAX1 From:addr !~ /efax.com/i
header __KAM_FAKE_EFAX2 Subject =~ /new fax document/i
body __KAM_FAKE_EFAX3 /efax/i
uri __KAM_FAKE_EFAX4 /\.html?/i
meta KAM_FAKE_EFAX ( __KAM_FAKE_EFAX1 + __KAM_FAKE_EFAX2 + __KAM_FAKE_EFAX3 + __KAM_FAKE_EFAX4 >=4)
describe KAM_FAKE_EFAX Fake Zix Email
score KAM_FAKE_EFAX 7.0
#PIPEDRIVE HTML
uri KAM_PIPEDRIVE_HTML /\.pipedrive\.email\/.*\.s?html?/i
describe KAM_PIPEDRIVE_HTML Suspicious HTML Link in an email
score KAM_PIPEDRIVE_HTML 4.0
#GEEKSERVICES
uri __KAM_GEEKSERVICES1 /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i
header __KAM_GEEKSERVICES1A From:addr =~ /geeks?-?(squad)?(hub|services)\d+\.co|gsquad-services\d+\.co/i
header __KAM_GEEKSERVICES2 Subject =~ /receipt|renewal|renewing|subscription/i
body __KAM_GEEKSERVICES2A /bitcoin|coinbase/i
meta KAM_GEEKSERVICES ( (__KAM_GEEKSERVICES1 + __KAM_GEEKSERVICES1A >= 1) + (__KAM_GEEKSERVICES2 + __KAM_GEEKSERVICES2A >= 1) >= 2)
describe KAM_GEEKSERVICES Fake Geek Squad Services
score KAM_GEEKSERVICES 9.0
#FAKE SECURITY ALERT
body __KAM_FAKE_SECURITY1 /Security Alert/i
header __KAM_FAKE_SECURITY2 Subject =~ /(Failed login|Account must be updated)/i
meta KAM_FAKE_SECURITY (__KAM_FAKE_SECURITY1 + __KAM_FAKE_SECURITY2 + __GB_ANY_REDIR >= 3)
describe KAM_FAKE_SECURITY Likely a fake security alert
score KAM_FAKE_SECURITY 5.5
#FAKE GEEKSQUAD
header KAM_FAKE_GEEKSQUAD From:addr =~ /\@geek-?(squad)?\-?services\d+\.|productshipping-?hub\d+\./i
describe KAM_FAKE_GEEKSQUAD Fake Geek Squad Notice
score KAM_FAKE_GEEKSQUAD 7.0
#FAKE GEEKSQUAD VARIANT 2
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_GEEKSQUAD2_1 Content-Type =~ /geeksquad.*\.jpe?g/i
header __KAM_FAKE_GEEKSQUAD2_2 Subject =~ /antivirus receipt/i
meta KAM_FAKE_GEEKSQUAD2 ( __KAM_FAKE_GEEKSQUAD2_1 + __KAM_FAKE_GEEKSQUAD2_2 + FREEMAIL_FROM >= 3)
describe KAM_FAKE_GEEKSQUAD2 Fake Geek Squad Notice
score KAM_FAKE_GEEKSQUAD2 4.5
endif
#FAKE PAYROLL UPDATE
#subj
header __KAM_FAKE_PAY_UPDATE1 Subject =~ /Payroll (details?|information) (rectification|adjust|update)|account information|pay(check|roll) ((re\-)?update|review)|(change|update) (DD|info|request)|direct deposit|new bank|UPDATE (BANK|PAYCHECK)|BANK (STATUS|CHANGE)|modification request|update salary|quick update|(^|\b)D(\.|-)?D ?(stub|pay|information|update|request)|(modification|change) (in|of) (DD|direct.?deposit|account)|Demand Change|^\s$|DD[\- ]*(Authorization|Modify)|help needed|new account|account (change|replace|update)|pay.?roll (update|adjustment)|request? for (change|update)|have a request|RENSEIGNEMENTS\s+.{1,16}\s+BANCAIRES|URGENT(\b|$)|adjustment of bank|ASSIST\!|correction of ACH|paycheck|pay D\-D|payroll \(?info|modifications? to (electronic fund transfer|ACH|EFT)|replac(e|ing) bank info|have a moment|update (of|my) (bank )?account|^Changes$|emolument|D D Pay.?Stub|changement de compte|new deposit|DD SWITCH|Immediate Details Change|banking info update|Employee Pay|payroll modification|claim for change|pay request|request for Payroll|updat(e|ing) bank(ing)? info|change in payroll|update pay info|Paystub.?dd|Update on Account|DD Auth|Change of Pay account/i
#urg
body __KAM_FAKE_PAY_UPDATE2 /(for|before|against) (my|the) (subsequent|current|next|upcoming) pay|for next payroll|kindly review (payroll|your) statement|when the next payday|prochaine date de paiement|current pay cycle|next pay (run|date)|Inactive in a few day|on-?time for any ongoing|what data is required|urgent help|next salary|(upcoming|forthcoming) payroll|effective (for this|this|on) pay.?(day|period)|effect for next pay|made right now|closed in (a )?few day|for the current pay|next pay period|prompt attention|subsequent payroll|finish the update|can ?not afford any more delay|before the pay.?(roll|date)|straight away|against the upcoming pay|before payroll is run|timely payment|for my current pay|prochain ch.que de paie|quick assistance|account will not be difficult|next pay cycle|immediate effect|before next pay|for the next (check|pay)|(the|this) coming payroll|before the current check|issues with the bank|submit the new banking details to you|before processing the next pay|prochaine paie|let me know how to proceed|recently changed (account|bank)|ahead of payroll|before.{5,10}the next pay|before the pay cycle/i
tflags __KAM_FAKE_PAY_UPDATE2 nosubject
#task
body __KAM_FAKE_PAY_UPDATE3 /(change|updat(e|ing)) (of my|my) (ACH|bank(ing)?|DD|paycheck|Payroll|payment|pay|new pay) (direct.?deposit|deposit account|info|account)|new bank(ing)? (details|info)|change the account on my pay|direct.?deposit\s+information|(move|change) (in )?(my|the) (bank|payroll)|account information be change|update my (Pay|bank|account|new checking)|account needs to be updated|change in my ACH|I switched bank|paychecks? needs to be update|updat(e|ing) my (payroll.?)?direct.?deposit|designate it as my payee|bank information.{0,35} on file has changed|about my direct deposit|change (on )?my (old account|direct deposit)|updating for my salary|just changed banks|changed my financial institut|DD details changed|new account for my direct deposit|new bank account|(?:coordonn\x{C3}\x{A9}es|informations) bancaires|replace my bank(ing)? info|updat(e|ing) my deposit|update my information on pay|passer\s+.\s+un nouveau compte|replace my (previous|current) (bank|direct deposit)|direct.?deposit update|d\x{C3}\x{A9}p\x{C3}\x{B4}ts direct|move my paycheck|(change|amend) the direct deposit|Confirmez .{1,16}quand le changement|direct deposit details? has change|new information on file for direct deposit|amending the text about my pay|change my personal paycheck|issue with the DD|replace my pay.?roll info|payroll records are updated|make the modification/i
tflags __KAM_FAKE_PAY_UPDATE3 nosubject
#sigonly/freemail
meta KAM_FAKE_PAY_UPDATE ( ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1 ) + __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 4)
describe KAM_FAKE_PAY_UPDATE Likely a fake ACH/Payroll Scam
score KAM_FAKE_PAY_UPDATE 9.0
meta KAM_FAKE_PAY_UPDATE_LOW ( KAM_RAPTOR_EXTERNAL + FREEMAIL_FROM >= 1 ) && ( __KAM_FAKE_PAY_UPDATE1 + __KAM_FAKE_PAY_UPDATE2 + __KAM_FAKE_PAY_UPDATE3 >= 2) && ! KAM_FAKE_PAY_UPDATE && !EXTRACTTEXT
describe KAM_FAKE_PAY_UPDATE_LOW Likely a fake ACH/Payroll Scam (Lower Confidence)
score KAM_FAKE_PAY_UPDATE_LOW 7.5
#ENCRYPTED PAYLOAD
uri __KAM_ENCRYPTED_LIVE1 /onedrive\.live\.com/i
body __KAM_ENCRYPTED_LIVE2 /password:/i
meta KAM_ENCRYPTED_LIVE ( __KAM_ENCRYPTED_LIVE1 + __KAM_ENCRYPTED_LIVE2 >= 2)
describe KAM_ENCRYPTED_LIVE Likely malware payload
score KAM_ENCRYPTED_LIVE 7.0
#HOMEDEPOT SURVEY
header __KAM_HOMEDEPOTE1 From:addr =~ /\@homedepote\.com/i
meta KAM_HOMEDEPOTE ( __KAM_HOMEDEPOTE1 >= 1)
describe KAM_HOMEDEPOTE Fake Home Depot Messages
score KAM_HOMEDEPOTE 10.0
#SIGNATURE ONLY VERSION 2.0
if (version >= 4.000000)
if can(Mail::SpamAssassin::Plugin::BodyEval::has_plaintext_body_sig_ratio)
body __GB_BODY_ONLY_SPACE eval:check_blank_line_ratio('100', '100')
body __KAM_SIGONLY_BODY_NONE eval:plaintext_body_length('0','0')
body __KAM_SIGONLY_SIG_100 eval:plaintext_sig_length('100')
meta KAM_SIGONLY ( __KAM_SIGONLY_BODY_NONE || __GB_BODY_ONLY_SPACE ) && __KAM_SIGONLY_SIG_100 && !__GB_CALENDAR_ATTACH && !__MIME_ATTACHMENT && !__ANY_IMAGE_ATTACH && !__PDF_ATTACH
score KAM_SIGONLY 3.5
else
meta KAM_SIGONLY 0
endif
endif
#GAMBLING SPAM
meta KAM_GAMBLING (KAM_MANYTO + KAM_SHORT + FORGED_GMAIL_RCVD + __FREEMAIL_DOC_PDF >= 4)
describe KAM_GAMBLING Emails hawking gambling and similar spams
score KAM_GAMBLING 2.0
#JUNK_INVOICE
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_JUNK_INVOICE1 Content-Type =~ /invoice\.jpe?g/i
body __KAM_JUNK_INVOICE2 /\[image\:\s+invoice/i
header __KAM_JUNK_INVOICE3 Subject =~ /Invoice/i
meta KAM_JUNK_INVOICE (FREEMAIL_FROM + __KAM_JUNK_INVOICE1 + __KAM_JUNK_INVOICE2 + __KAM_JUNK_INVOICE3 >= 4)
score KAM_JUNK_INVOICE 6.0
endif
#ONMICROSOFT
header __KAM_ONMICROSOFT1 From =~ /[-\.]onmicrosoft\.com/i
header __KAM_ONMICROSOFT2 Reply-To =~ /[-\.]onmicrosoft\.com/i
header __KAM_ONMICROSOFT3 Resent-from =~ /[-\.]onmicrosoft\.com/i
meta KAM_ONMICROSOFT (( __KAM_ONMICROSOFT1 + __KAM_ONMICROSOFT2 >= 1) && !__AUTOREPLY_ASU )
describe KAM_ONMICROSOFT Mail From or Reply-to an unprovisioned domain on Microsoft 365
score KAM_ONMICROSOFT 6.0
meta KAM_ONMICROSOFT_RF ( __KAM_ONMICROSOFT3 && !__AUTOREPLY_ASU )
describe KAM_ONMICROSOFT_RF Mail Resent-from an unprovisioned domain on Microsoft 365
score KAM_ONMICROSOFT_RF 0.001
#TEMPORARY.LINK
header __KAM_TEMPORARYLINK1 From =~ /\w\.temporary\.link/i
header __KAM_TEMPORARYLINK2 Reply-To =~ /\w\.temporary\.link/i
header __KAM_TEMPORARYLINK3 Resent-from =~ /\w\.temporary\.link/i
meta KAM_TEMPORARYLINK (( __KAM_TEMPORARYLINK1 + __KAM_TEMPORARYLINK2 >= 1) && !__AUTOREPLY_ASU )
describe KAM_TEMPORARYLINK Mail From or Reply-to an unprovisioned domain on InMotion Hosting
score KAM_TEMPORARYLINK 6.0
meta KAM_TEMPORARYLINK_RF ( __KAM_TEMPORARYLINK3 && !__AUTOREPLY_ASU )
describe KAM_TEMPORARYLINK_RF Mail Resent-from an unprovisioned domain on Microsoft 365
score KAM_TEMPORARYLINK_RF 0.001
#FAKE INVOICE
header __KAM_FAKE_INVOICEMS1 Subject =~ /invoice/i
body __KAM_FAKE_INVOICEMS2 /process ACH/i
meta KAM_FAKE_INVOICEMS KAM_ONMICROSOFT + ( __KAM_FAKE_INVOICEMS1 + __KAM_FAKE_INVOICEMS2 >= 2) >=2
describe KAM_FAKE_INVOICEMS Fake Invoice Scam
score KAM_FAKE_INVOICEMS 4.5
#FAKE ACE/LOWES/ETC
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_LOWES2
#FUZZ
body __KAM_FAKE_LOWES2 /C<O1>stc<O1> (giveaway|new gift|credit|local reward)|(erewards?|epoints?|evouch|thank you|\d\.\d) from (starbucks|ace.?hardware)|ace[-_]?hardware|sams[-_]?club|complimentary-(fuel\/gas|gas\/Fuel) card|(monday|tuesday|wednesday|thursday|friday|saturday|sunday) (gift-?cert|bonus)|costco-wholesale|\d from your CVS St<O1>re|cvs-pharmacy.?gift.?voucher|giveaway from (bud.?light|fox)|glft.?card|\d from cvs pharm|one hundred from C.?V.?S|nike sends \d+|Sam\'sClub|amount of \d+\.0(\b|$)|\d+ from Verizon|points rwrds|verizonrewards|UNINQUE GIVEAWAY|_Ace.?Hardware_|C Ostco|Sam\'s...Club|\$\-Prize|G[1l]ft.?cert|coupon from C<O1>stc<O1>|(target|T\-mobile) e.?(voucher|coupon)|\(home.?depot\)|homedepot bonus|\brwrds\b|_shopper|gift-voucher|has a prize|home depot\-|home\-depot|kohls(\s|\b|$)|BK Card/i
tflags __KAM_FAKE_LOWES2 nosubject
endif
#VOUCHER/COUPON
header __KAM_FAKE_LOWES1 Subject =~ /(costco|ace.?hardware|cvs|cvs.?pharmacy|t-mobile|target|burgerking).*(christmas|e-?coupon|gift.?voucher|bonus|(e.?)?voucher|gift.?card|give.?away|credit)|ace-hard?ware|massive thank you|give?.?away winner|(\d+|dols|bucks) (for you )?from (Starbuck|Sam|Costco)|gas reward|acehardware|samsclub|free samples|gas drop|\d+\.\d+ vouch from costco|CVS\s+expires|sams_club|(fuel|gas) shopping spree|giveaway from (bud.?light|fox)|glft.?card|thank you from (\(?Home.?Depot\)?|cvs)|cvs e-?rewards|nike sends \d+|Verizon (August|September) Gift|points rwrds|verizonrewards|thanks (from|to) .?(sam\'s club|ace.?hardware)|survey reward|\d+ gift.?card pending|(cvs|verizon) (gift.?cert|coupon|has something special|has \d\.0)|\d+ (bucks|dols)|\d+\.0 for you|your \d+ at Verizon|(home.?depot|t-mobile) bonus|Evouch from Sams Club|_ace.?hardware_|use your\s+from Verizon|glft.?certificate|points rwrds|home.?depot_shopper|\$\d+ at Sam\'?s.?club|gift for you|costco gift.?cert|walgreens bonus points/i
#ODDLANG
body __KAM_FAKE_LOWES3 /\d buck|your \d+\.0|\d+ dols|sent with joy|chosen as winer|spend you \$|(huge|massive) (thank you|thanks)|tough times|humble gift|evouch|\bepoint|ereward|we are loved|sending some love|(difficult|turbulent) times|nearest-pharm|weekend is on us|wish you a happy (August)|starbucks wishes you|spend bonus|inspire your dreams|unsuscribe here|want to give back|Enjoy_your_weekend|all the-best|e-?vouch|weekly gift.?card|big thanks for (Ace|costco|cvs)|\d+ sent to you by (Ace|costco|cvs)|rewards balance = \d+ USD|this make it better|Ace.?hardware style|awaiting to be spend|dols-voucher|you have been chosen|scary.?reward|tuff times|super.?(monday|tuesday|wednesday|thursday|friday|saturday|sunday).?mega|send a postcard|day-vouch|\d+ bucks coupon|inside = \$\d+|\d+ coupon|\%Subscriber|as an important customer|glft|here is a thanks|202\d has been difficult|how we celebrate|available for download|points\-can be used/i
#URGENT
body __KAM_FAKE_LOWES4 /will be expiring|expires|(finishes|change by) (mon|tue|wed|thu|fri|sat|sun)|pending to activate|(use by|until) (Jan|Feb|mar|apr|may|jun|Jul|aug|sep|oct|nov|dec|mon|tue|wed|thu|fri|sat|sun)|pending (to|your) activat|(valid until|(redeem|use|spend) (before|by)) (mid.?night|mon|tue|wed|thu|fri|sat|sun|aug|sep|oct|nov|dec|jan|feb|mar|apr|may|jun|jul)|ending tomorrow|before midnight|received before \d|activat(e|ion) (today|by|before)|end of month giveaway|ends (today|tomorrow)|valid for (today|the weekend|\d+ hours)|August Help|pending to use|by next (Mon|tue|Wed|Thu|Fri|Sat|sun)|(received?|used?) as soon as possible|ends the \d+(nd|th)|yet to be used|this.? (Mon|Tue|Wed|Thu|Fri|Sat|Sun)|use before|used? \d+\.\d+ by (Sun|Mon|Tue|Wed|Thu|Fri|Sat)|last day to activate|ends (Oct(ober)?|Nov(ember)?|Dec(ember)?) \d|\d+ hours to change|grab your \d+|\d hours left|use now|end of today|used today|this week|\d is available since|before christmas|act fast|will go quickly/i
meta KAM_FAKE_LOWES ( __KAM_FAKE_LOWES1 + __KAM_FAKE_LOWES2 + __KAM_FAKE_LOWES3 + __KAM_FAKE_LOWES4 >= 4)
describe KAM_FAKE_LOWES Fake Costco/Ace Hardware/etc. coupons
score KAM_FAKE_LOWES 6.0
meta KAM_FAKE_LOWES_LOW !KAM_FAKE_LOWES && ( __KAM_FAKE_LOWES1 + __KAM_FAKE_LOWES2 + __KAM_FAKE_LOWES3 + __KAM_FAKE_LOWES4 >= 3)
describe KAM_FAKE_LOWES_LOW Fake Costco/Ace Hardware/etc. coupons (Lower Confidence)
score KAM_FAKE_LOWES_LOW 4.5
#FAKE ACE
header __KAM_FAKE_ACE1 From:addr =~ /\@.*ace.*/i
header __KAM_FAKE_ACE2 From:addr !~ /acehardware\.com/i
meta KAM_FAKE_ACE ( (__KAM_FAKE_ACE1 + __KAM_FAKE_ACE2 >=2 ) + (__KAM_FAKE_LOWES1 + __KAM_FAKE_LOWES2 >= 1) >= 2)
describe KAM_FAKE_ACE Possible Ace Hardware Forgery
score KAM_FAKE_ACE 2.0
#BAD SCAN
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
body __KAM_BAD_SCAN1 /scanned from MFP|\(\d+\) scanned/i
header __KAM_BAD_SCAN2 Subject =~ /scan(ned)? image from MFP/i
meta KAM_BAD_SCAN ( __KAM_BAD_SCAN1 + __KAM_BAD_SCAN2 + (T_HTML_ATTACH + __KAM_VM5 >= 1) >= 3)
describe KAM_BAD_SCAN Likely a fake scan
score KAM_BAD_SCAN 6.5
endif
#TRADERBOT
#BOT / DEPOSIT
header __KAM_TRADEBOT1 Subject =~ /(auto|crypto|new|unique|trader?).?bot|(minimum|initial) deposit|without invest|automatic machine/i
#EARN
header __KAM_TRADEBOT2 Subject =~ /(raise|earn) from \d+ (\$+|USD|Eur|dollar|a (month|day))|earnings on crypto|\d+ (\$+|euro?|USD|dollars?) (every|per) (month|day)/i
#BOT BODY
body __KAM_TRADEBOT3 /(auto|crypto|new|trader?|unique).?bot|automatic machine|pro tariff|free monthly tariff|fully automatic/i
tflags __KAM_TRADEBOT3 nosubject
#TRADING BODY
body __KAM_TRADEBOT4 /initial deposit|crytpocurrency trading|(field|world) of (trading|crypto)|make money on trading|solution for the trader|without investing|no investment|(find|news) for trader|traders can relax|lazy trader|currency trading/i
tflags __KAM_TRADEBOT4 nosubject
#EARN BODY
body __KAM_TRADEBOT5 /(make|earn) from \d+ (\$+|USD|Eur|dollar)|(earn|make) \d+ (\$+|USD|Eur|dollar)|(over|more than) [\d,]+ (dollar|USD|Eur)/i
tflags __KAM_TRADEBOT5 nosubject
#LINK / ATTACH
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_TRADEBOT6A Content-Type =~ /(earn.?from.?\d+.?(USD|Eur|dollar)|novice.?trader|(auto|crypto|trader?).?bot).*\.pdf"?$/i
endif
body __KAM_TRADEBOT6B /(personal|private|your) (secure )?link|link (below )?from PDF/i
meta KAM_TRADEBOT ( __KAM_TRADEBOT1 + __KAM_TRADEBOT2 + __KAM_TRADEBOT3 + __KAM_TRADEBOT4 + __KAM_TRADEBOT5 + (__KAM_TRADEBOT6A + __KAM_TRADEBOT6B >= 1) + FREEMAIL_FROM >= 6 )
describe KAM_TRADEBOT Crypto Currency Trading Spams
score KAM_TRADEBOT 9.0
#BIDDING/ESTIMATING
#NAMES
body __KAM_BIDEST1A /CSI Estimati(ng|on)|crossland estimating|Williams Estimating|Global Estimation|bolt estimating|prestige estimation|bidding estimating|define estimating|dreamland estimation|swift estimating LLC|define estimating,? LLC|perfect estimation.? llc|estimating solutions.? LLC|rockford estimation.? LLC|define estimating LLC|Rise Estimating LLC|american estimating|maple professionals|international estimating, llc|international estimates, llc|Estemanians, LLC|Dream Estimations|universal estimating llc|unity estimating|Cannon Estimation, LLC|Estimen LLC|The Global Estimation LLC|USA ESTIMATION LLC|Estimate Builders LLC|Quantify Bids, LLC|Grace Arch & Estimating, LLC|Unity Estimating|MultiTrade Estimating, LLC|buildify estimating|Needes Estimating/i
header __KAM_BIDEST1B From =~ /bidding|estimat|globalbid|define the scope of work/i
header __KAM_BIDEST1C Subject =~ /bidding|estimati(on|ng)|take.?off|(quote|quotation) (to|for) (bid|project|take.?off)|budget planning|CSI(\b|$)|constructions? project|project bid proposal|bid more/i
#MORE INFO (removed detailed quote for FP)
body __KAM_BIDEST2 /need assistance with a project|like more information|bidding and estimating service|estimate your projects|project for estimat|need of cost estimation|low cost detailed cost estimates|providing estimation|you really want take-offs|outsourced cost estimation|need any take.?off service|looking for accurate estimat|Take.?off services for any project|need a detailed estimate|offering budget cost estimates|cost estimating services|show you some sample|estimating.?take-offs? service|forward us the bid|quote on your project|(fair|sample) (take.?off|estimate)|complimentary detail from|send (me|us) the drawing|quick introductory call|send us the project's construction plans|quotes for your project|see attached sample|our example work|need any samples|provide detailed quantity take.?off|professional services in Quantity take.?off|provide material take.?off|estimates \& take.?off|20\% discount on your first estimate|cost estimating|architectural projects for us|need of expert construction estimating|handle your construction (take.?offs|estimat)|any job for us regarding estimat|benefit from our estimat|construction estimation service|estimation services are tailored|offer the most precise estimat|detailed commercial estimate|costing \& take\-?off|too much time on construction take-?off|send us plans for proposal|construction estimates and takeoffs|share your project drawings|require samples or a quotation|services like quantity takeoff|provide accurate estimates|remind you of our construction estimating|pending projects for architecture or estimation|looking for top\-notch estimation service|send plans \& scope|need estimating support|send over the set of plans|specialize in providing accurate (take.?off|estimate)|streamlined takeoff|professionally serve estimating|how our estimation services can benefit/i
#TITLE
body __KAM_BIDEST3 /Business Development Manager|(senior|certified) estimator|certified software|(office|marketing) manager|estimation (department|dept|company)|head of business devel|estimating (manager|service)|project +manager|Civil, MEP, Architectural|manager of business dev|Sales team|estimation department|bidding estimating|BD Manager/i
#OBFU / COLD
body __KAM_BIDEST4 /\(dot\)|thank you for considering our service|reaching out to introduce/i
#SOFTWARE
body __KAM_BIDEST5 /Accu-bid|McCormick|Blue\-Beam|Plan\-Swift|On\-Screen/i
meta KAM_BIDEST ( (__KAM_BIDEST1A + __KAM_BIDEST1B + __KAM_BIDEST1C >= 1) + __KAM_BIDEST2 + (__KAM_BIDEST3 + __KAM_BIDEST5 >= 1) + (__KAM_BIDEST4 + FREEMAIL_FROM + KAM_FROM_URIBL_PCCC >= 1 ) >= 3 )
describe KAM_BIDEST Bidding and Estimating Spam
score KAM_BIDEST 7.5
#FAKE BILL
header __KAM_FAKE_BILL1 From:name =~ /alert/i
header __KAM_FAKE_BILL2 Subject =~ /e\-bill copy/i
body __KAM_FAKE_BILL3 /Payment mode: Paypal pro\-credits|paypal billing team/i
body __KAM_FAKE_BILL4 /issues with the transaction/i
meta KAM_FAKE_BILL ( __KAM_FAKE_BILL1 + __KAM_FAKE_BILL2 + __KAM_FAKE_BILL3 + __KAM_FAKE_BILL4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_BILL Fake Invoice Scams
score KAM_FAKE_BILL 6.0
#FAKE PO
body __KAM_FAKE_PO1 /status on our purchase order/i
header __KAM_FAKE_PO2 Subject =~ /PO \d+/i
body __KAM_FAKE_PO3 /attached/i
meta KAM_FAKE_PO (__KAM_FAKE_PO1 + __KAM_FAKE_PO2 + __KAM_FAKE_PO3 + T_HTML_ATTACH >= 4)
describe KAM_FAKE_PO Fake Purchase Orders
score KAM_FAKE_PO 6.0
#FAKE AGING REPORT
header __KAM_FAKE_AGING1 Subject =~ /Aging Report/i
body __KAM_FAKE_AGING2 /current aging report/i
tflags __KAM_FAKE_AGING2 nosubject
body __KAM_FAKE_AGING3 /treat it as urgent/i
body __KAM_FAKE_AGING4 /email addresses in an excel/i
meta KAM_FAKE_AGING ( __KAM_FAKE_AGING1 + __KAM_FAKE_AGING2 + __KAM_FAKE_AGING3 + __KAM_FAKE_AGING4 + KAM_RAPTOR_EXTERNAL >= 5)
describe KAM_FAKE_AGING Phishes for Financial Information
score KAM_FAKE_AGING 7.5
#PAYPAL FREEMAIL
header __KAM_PAYPAL_FREEMAIL1 From:name =~ /paypal/i
#body __KAM_PAYPAL_FREEMAIL2 /crypto.?currency/i
meta KAM_PAYPAL_FREEMAIL ( FREEMAIL_FROM + __KAM_PAYPAL_FREEMAIL1 >= 2)
describe KAM_PAYPAL_FREEMAIL PayPal spoofs from Freemail Addresses
score KAM_PAYPAL_FREEMAIL 4.5
#FAKE DOCUSIGN
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_DOCUSIGN1 Content-Type =~ /docusign\.png/i
header __KAM_FAKE_DOCUSIGN2 Subject =~ /D0cuSign\: Signature Required/i
meta KAM_FAKE_DOCUSIGN (__KAM_FAKE_DOCUSIGN1 + T_HTML_ATTACH >= 2) || (__KAM_FAKE_DOCUSIGN2)
describe KAM_FAKE_DOCUSIGN Fake Docusign Document
score KAM_FAKE_DOCUSIGN 3.0
endif
#FAKE REIMB
header __KAM_FAKE_REIMB1 Subject =~ /assistance/i
#HOW
body __KAM_FAKE_REIMB2 /mobile transfer/i
#MONEY
body __KAM_FAKE_REIMB3 /\$[\d,]+/i
#ODDLANG & REIMBURSEMENT REQUEST
body __KAM_FAKE_REIMB4 /reimbursement cheque/i
#TRANSFER
body __KAM_FAKE_REIMB5 /details for the transfer/i
meta KAM_FAKE_REIMB ( __KAM_FAKE_REIMB1 + __KAM_FAKE_REIMB2 + __KAM_FAKE_REIMB3 + __KAM_FAKE_REIMB4 + __KAM_FAKE_REIMB5 + FREEMAIL_FROM >= 6)
describe KAM_FAKE_REIMB Fake Reimbursement Request
score KAM_FAKE_REIMB 9.0
#FAKE_AMAZON #2
header __KAM_FAKE_AMAZON2_1 From:name =~ /\#A.?m.?a.?z.?o.?n/i
header __KAM_FAKE_AMAZON2_2 Subject =~ /A\-M\-A\-Z\-O\-N|payment confirmation|amazon.?e.?billing/i
#body __KAM_FAKE_AMAZON2_3 /(888\s5\s?3\s?1\s?4\s?0\s?3\s?0|855\s5\s?4\s?5\s?6\s?2\s?0\s?1)/
body __KAM_FAKE_AMAZON2_3 /Receipt Id|Bill no/i
uri __KAM_FAKE_AMAZON2_4 /googleusercontent\.com/i
meta KAM_FAKE_AMAZON ( __KAM_FAKE_AMAZON2_1 + __KAM_FAKE_AMAZON2_2 + __KAM_FAKE_AMAZON2_3 + __KAM_FAKE_AMAZON2_4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_AMAZON Fake Amazon Order
score KAM_FAKE_AMAZON 7.5
#FAKE_APPLE
header __KAM_FAKE_APPLE1 From:name =~ /\#.?A.?p.?p.?l.?e|statement/i
header __KAM_FAKE_APPLE2 Subject =~ /i\.t\.u\.n\.e|membership confirmation|invoice|billing/i
body __KAM_FAKE_APPLE3 /a\.p\.p\.l\.e|i\.c\.l\.o\.u\.d|app store team/i
tflags __KAM_FAKE_APPLE3 nosubject
uri __KAM_FAKE_APPLE4 /googleusercontent\.com/i
meta KAM_FAKE_APPLE ( __KAM_FAKE_APPLE1 + __KAM_FAKE_APPLE2 + __KAM_FAKE_APPLE3 + __KAM_FAKE_APPLE4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_APPLE Fake Apple Order
score KAM_FAKE_APPLE 7.5
#FREEMAIL_ORD
header __KAM_FREEMAIL_ORDER1 Subject =~ /thank you for your order/i
meta KAM_FREEMAIL_ORDER ( __KAM_FREEMAIL_ORDER1 + FREEMAIL_FROM >= 2 )
describe KAM_FREEMAIL_ORDER Questionable message about an order but using freemail
score KAM_FREEMAIL_ORDER 3.0
#PROBLEMATIC 2TLD PROVIDERS
uri KAM_2TLD_PROBLEMS /(\.sa\.com|\.ru\.com|\.plesk\.page)/i
describe KAM_2TLD_PROBLEMS Problematic 2TLD handlers being abused
score KAM_2TLD_PROBLEMS 3.5
#CALLING ASSOCIATE
#SUBJ
header __KAM_CALLING_1 Subject =~ /answering solution/i
#NAME
body __KAM_CALLING_2 /Itotogit/i
#TITLE
body __KAM_CALLING_3 /answering associate/i
tflags __KAM_CALLING_3 nosubject
meta KAM_CALLING ( __KAM_CALLING_1 + __KAM_CALLING_2 + __KAM_CALLING_3 + FREEMAIL_FROM >= 4)
describe KAM_CALLING Spamming Phone and Answering Solutions
score KAM_CALLING 6.0
#SA and ZA ABUSE + CO.IN
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_tag ABUSE_DOMAINS (?:\.(sa\.com|za\.com|co\.in))(\b|\/|$|\@)
replace_rules __KAM_SA_ZA_ABUSE1 __KAM_SA_ZA_ABUSE2
uri __KAM_SA_ZA_ABUSE1 /<ABUSE_DOMAINS>/i
header __KAM_SA_ZA_ABUSE2 From:addr =~ /<ABUSE_DOMAINS>/i
meta KAM_SA_ZA_ABUSE (__KAM_SA_ZA_ABUSE1 + __KAM_SA_ZA_ABUSE2 >= 1)
describe KAM_SA_ZA_ABUSE 2TLD Providers prevalent in spam abuse
score KAM_SA_ZA_ABUSE 3.0
endif
#FAKE COINBASE
body __KAM_OBFU_COINBASE1 /C[\. ]O[\. ]I[\. ]N[\. ]B[\. ]A[\. ]S[\. ]E/i
header __KAM_OBFU_COINBASE2 From:name =~ /C[\. ]O[\. ]I[\. ]N[\. ]B[\. ]A[\. ]S[\. ]E/i
meta KAM_OBFU_COINBASE ( __KAM_OBFU_COINBASE1 + __KAM_OBFU_COINBASE2 >= 1 )
describe KAM_OBFU_COINBASE Likely Fake Coinbase Email using Obfuscation
score KAM_OBFU_COINBASE 3.0
#FAKE COINBASE VARIANT
header __KAM_FAKE_COINBASE2_1 Subject =~ /billing/i
body __KAM_FAKE_COINBASE2_2 /sent a payment/i
body __KAM_FAKE_COINBASE2_3 /BTC|paypal/i
meta KAM_FAKE_COINBASE2 (__KAM_FAKE_COINBASE2_1 + __KAM_FAKE_COINBASE2_2 + __KAM_FAKE_COINBASE2_3 + FREEMAIL_FROM + __KAM_FAKE_AMAZON2_3 >= 5)
describe KAM_FAKE_COINBASE2 Fake Coinbase Email
score KAM_FAKE_COINBASE2 7.5
#FAKE COINBASE VARIANT 2
#FP fixed on 4/11 with the From:addr rule thanks to RunBox
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_COINBASE3_1
header __KAM_FAKE_COINBASE3_1 From:name =~ /c<O1><I1>nbase/i
header __KAM_FAKE_COINBASE3_2 From:addr !~ /\@(.*?\.)?coinbase\.com/i
meta KAM_FAKE_COINBASE3 (__KAM_FAKE_COINBASE3_1 + __KAM_FAKE_COINBASE3_2 >= 2)
describe KAM_FAKE_COINBASE3 Fake Coinbase Notice
score KAM_FAKE_COINBASE3 8.5
endif
#FAKE COINBASE VARIANT 3
body __KAM_FAKE_COINBASE4_1 /Coinbase at risk/i
body __KAM_FAKE_COINBASE4_2 /Coinbase\.com\/verify/i
meta KAM_FAKE_COINBASE4 ( KAM_FAKE_COINBASE3 + __KAM_FAKE_COINBASE4_1 + __KAM_FAKE_COINBASE4_2 + KAM_SHORT >= 4)
describe KAM_FAKE_COINBASE4 Fake Coinbase Email
score KAM_FAKE_COINBASE4 4.5
#FAKE SURVEY
header __KAM_FAKE_SURVEY1 From:addr =~ /Shopper.?Gift.?Card|survey/i
body __KAM_FAKE_SURVEY2 /gift card (opp|promo)/i
tflags __KAM_FAKE_SURVEY2 nosubject
body __KAM_FAKE_SURVEY3 /\d second survey/i
tflags __KAM_FAKE_SURVEY3 nosubject
header __KAM_FAKE_SURVEY4 Subject =~ /gift card/i
meta KAM_FAKE_SURVEY ( __KAM_FAKE_SURVEY1 + __KAM_FAKE_SURVEY2 + __KAM_FAKE_SURVEY3 + __KAM_FAKE_SURVEY4 + KAM_SA_ZA_ABUSE >= 5)
describe KAM_FAKE_SURVEY Fake gift card surveys
score KAM_FAKE_SURVEY 7.5
#REWARDS
header __KAM_FAKE_REWARDS1 Subject =~ /(dollar general|t-mobile|ace hardware) (gift|reward)/i
meta KAM_FAKE_REWARDS ( KAM_STORAGE_GOOGLE + __KAM_FAKE_REWARDS1 >= 2)
describe KAM_FAKE_REWARDS Fake Reward emails
score KAM_FAKE_REWARDS 3.0
#FAKE_AHS
header __KAM_FAKE_AHS1 From =~ /AHS Warranty/i
meta KAM_FAKE_AHS ( __KAM_FAKE_AHS1 + KAM_SOMETLD_ARE_BAD_TLD >= 2)
describe KAM_FAKE_AHS Home Warranty Spam
score KAM_FAKE_AHS 3.0
#FAKE_FICO
#FUZZ
body __KAM_FAKE_FICO1 /F[1l]co/i
#ODD LANG
body __KAM_FAKE_FICO1A /complimentary\-review/i
#SUBJ
header __KAM_FAKE_FICO2 Subject =~ /(cred[1il]t.?(points|score)|score heal?th|202\d score|3 bureaus|Equifax score)/i
meta KAM_FAKE_FICO ((__KAM_FAKE_FICO1 + __KAM_FAKE_FICO1A >= 1) + __KAM_FAKE_FICO2 >= 2 )
describe KAM_FAKE_FICO Credit Score Spam
score KAM_FAKE_FICO 6.0
#CAM DOMAIN ISSUES
header __KAM_CAM_DOMAIN From:addr =~ /\.cam$/i
meta KAM_CAM_DOMAIN ( KAM_SEMFRESH + __KAM_CAM_DOMAIN >= 2 )
describe KAM_CAM_DOMAIN Abusive TLD with a new domain
score KAM_CAM_DOMAIN 3.0
#UNREAD MESSAGES
header __KAM_UNREAD1 Subject =~ /unread message/i
body __KAM_UNREAD2 /relationship status/i
body __KAM_UNREAD3 /(see more of me here|photo album)/i
meta KAM_UNREAD ( __KAM_UNREAD1 + __KAM_UNREAD2 + __KAM_UNREAD3 >= 3)
describe KAM_UNREAD Singles Message Scams
score KAM_UNREAD 4.5
#NOT INTERESTED
body KAM_NOT_INTERESTED /reply \"Not Interested\"/i
describe KAM_NOT_INTERESTED Contains Opt-Out Language
score KAM_NOT_INTERESTED 1.5
#OCTET STREAM ISSUE - Updated 2022-11-26 thanks to Judah for the FP
mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream.*\.s?html?\.?\"?$/i
meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 >= 1 )
describe KAM_OCTET_PHISH HTML File attached with the wrong MIME Type
score KAM_OCTET_PHISH 3.0
#FAKE WALMART
header __KAM_FAKE_WALMART1 Subject =~ /transaction code/i
body __KAM_FAKE_WALMART2 /Your order/i
tflags __KAM_FAKE_WALMART2 nosubject
body __KAM_FAKE_WALMART3 /WALMART INC/i
tflags __KAM_FAKE_WALMART3 nosubject
meta KAM_FAKE_WALMART ( __KAM_FAKE_NORTON3 + FREEMAIL_FROM + __KAM_FAKE_WALMART1 + __KAM_FAKE_WALMART2 + __KAM_FAKE_WALMART3 >= 5)
describe KAM_FAKE_WALMART Fake Walmart Scam
score KAM_FAKE_WALMART 7.5
#ANALYTICO
header __KAM_ANALYTICO1 Subject =~ /online course|promotion/i
body __KAM_ANALYTICO2 /Training Manager/i
body __KAM_ANALYTICO3 /Analytico Academy/i
meta KAM_ANALYTICO ( __KAM_ANALYTICO1 + __KAM_ANALYTICO2 + __KAM_ANALYTICO3 >= 3)
describe KAM_ANALYTICO Domain Hopping Spammers
score KAM_ANALYTICO 4.5
#DESZY
header __KAM_DESZY1 From =~ /deszy/i
body __KAM_DESZY2 /Deszy/i
uri __KAM_DESZY3 /search\?q=Deszy/i
header __KAM_DESZY4 Subject =~ /content creation/i
meta KAM_DESZY ( __KAM_DESZY1 + __KAM_DESZY2 + __KAM_DESZY3 + __KAM_DESZY4 >= 4)
describe KAM_DESZY Domain Hopping Spammers
score KAM_DESZY 6.0
#HEROKU ETC APP EXPLOITS WITH FREEMAIL
#VALID URIS
uri __KAM_APPS1 /\.herokuapp\.com|app\.connect365\.io|\.appspot\.com|salesforce\.com\/servlet/i
#URIS TO SKIP
uri __KAM_APPS1A /salesforce\.com\/servlet\/servlet\.ImageServer/i
header __KAM_APPS2A Subject =~ /onedrive/i
header __KAM_APPS2B From:name =~ /onedrive/i
header __KAM_APPS3 From:addr =~ /\.awsapps.com>?$/i
meta KAM_APPS ( FREEMAIL_FROM + (__KAM_APPS1 - __KAM_APPS1A) >= 2 )
describe KAM_APPS Apps being exploited by Spammers
score KAM_APPS 4.0
meta KAM_APPS2 ((__KAM_APPS1 - __KAM_APPS1A) + (__KAM_APPS2A + __KAM_APPS2B >= 1) >= 2)
describe KAM_APPS2 Fake OneDrive Notification
score KAM_APPS2 4.0
meta KAM_APPS3 (__KAM_APPS3)
describe KAM_APPS3 AWS Apps Emailing Directly
score KAM_APPS3 9.0
#PHONE
body __KAM_PHONE1 /reduce your company phone expense/i
body __KAM_PHONE2 /changes? that takes? less than \d+ min/i
meta KAM_PHONE ( __KAM_PHONE1 + __KAM_PHONE2 + FREEMAIL_FROM >= 3 )
describe KAM_PHONE Phone Service Spam
score KAM_PHONE 4.5
#PASSWORD EXPIRATIOn
#URG
body __KAM_PASSEXP1 /expires today|about to expire/i
#ACTION
body __KAM_PASSEXP2 /(continue with|Keep my) same password/i
#URI
uri __KAM_PASSEXP3 /s3\.amazonaws\.com\/.{1,10}\.html?/i
meta KAM_PASSEXP ( __KAM_PASSEXP1 + __KAM_PASSEXP2 + ( KAM_IPFS + __KAM_PASSEXP3 >= 1 ) >= 3 )
describe KAM_PASSEXP Credential Scam
score KAM_PASSEXP 4.5
#IPFS
uri __KAM_IPFS /(\.|\b|\/)ipfs\.io\/|\/ipfs\/|https?\:\/\/ipfs\.|https?\:\/\/.*\.ipfs\./i
uri __KAM_FALSE_IPFS /(\@|\/|^)(.{1,32}\.)?ipfs\.com/i
meta KAM_IPFS ( __KAM_IPFS && !__KAM_FALSE_IPFS)
describe KAM_IPFS Abused Protocol for Distributed Content
score KAM_IPFS 18.0
#PHONESYSTEM
#DEAL
body __KAM_PHONESYS1 /(reduced|lower your) rate|\d+% lower|lower (your|its) telecom/i
#TITLE
body __KAM_PHONESYS2 /Business Dev|tech associate|tele.?specialist|growth dev/i
#PHONE
body __KAM_PHONESYS3 /Top-regarded carriers|(T1|Cloud) (lines|phone)|cloud.?based phone|voip service/i
#MEETING REQ/OPT
body __KAM_PHONESYS4 /(worth|Have) \d+ minute|reply with rule.?out|open to this/i
#INFO REQ
body __KAM_PHONESYS5 /best number to quickly get in touch|quick number to reach you|may i send some info|best direct line to reach/i
meta KAM_PHONESYS ( __KAM_PHONESYS1 + __KAM_PHONESYS2 + __KAM_PHONESYS3 + __KAM_PHONESYS4 + __KAM_PHONESYS5 + FREEMAIL_FROM >= 6 )
describe KAM_PHONESYS New Phone System Spam
score KAM_PHONESYS 9.0
#CONTRACT HTML
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_CONTRACT2_1 Content-Type =~ /(statement\d+|contract\#?\d+|final.?hud.?\d+|Kyc\d+|check)\.htm/i
meta KAM_CONTRACT2 ( __KAM_CONTRACT2_1 >= 1)
describe KAM_CONTRACT2 Suspect HTML file
score KAM_CONTRACT2 7.0
endif
#FAKE ALLSCRIPTS
header __KAM_ALLSCRIPTS1 From:addr !~ /\@allscripts.com/i
header __KAM_ALLSCRIPTS2 From:name =~ /allscripts/i
header __KAM_ALLSCRIPTS3 Subject =~ /invoice|receipt/i
body __KAM_ALLSCRIPTS4 /membership|recurring monthly/i
meta KAM_ALLSCRIPTS ( __KAM_ALLSCRIPTS1 + __KAM_ALLSCRIPTS2 + __KAM_ALLSCRIPTS3 + __KAM_ALLSCRIPTS4 >= 4 )
describe KAM_ALLSCRIPTS Fake Invoice Scam
score KAM_ALLSCRIPTS 6.0
#EXPLOIT SCAM
body __KAM_EXPLOIT1 /wallet:/i
body __KAM_EXPLOIT2 /you have three days/i
body __KAM_EXPLOIT3 /countdown will begin/i
body __KAM_EXPLOIT4 /\$\d00/i
meta KAM_EXPLOIT (__KAM_EXPLOIT1 + __KAM_EXPLOIT2 + __KAM_EXPLOIT3 + __KAM_EXPLOIT4 + KAM_SENDGRID >= 5)
describe KAM_EXPLOIT Exploitation Scam
score KAM_EXPLOIT 7.5
#GEEK SQUAD FAKE
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules KAM_OBFU_GEEK
body KAM_OBFU_GEEK /G<E2><E2>k Sq/i
describe KAM_OBFU_GEEK Likley Geek Squad impersonation
score KAM_OBFU_GEEK 6.0
endif
#NO SPACE SUBJECT
header GB_SUBJ25 Subject =~ /^[^\s+.]{25,}$/
describe GB_SUBJ25 Subject with no Spaces
score GB_SUBJ25 0.25
#Score adjustment for unwanted languages
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
score UNWANTED_LANGUAGE_BODY 3.3
meta UNWANTED_LB_EXTRACT_CO ( UNWANTED_LANGUAGE_BODY && EXTRACTTEXT )
describe UNWANTED_LB_EXTRACT_CO Compensate unwanted language rule score when data are extracted from images
score UNWANTED_LB_EXTRACT_CO -0.75
tflags UNWANTED_LB_EXTRACT_CO nice
endif
#ADVIDS
header __KAM_ADVIDS1 From:addr =~ /\@advid|\@.*advids?\.|\@advi\-/i
body __KAM_ADVIDS2 /video (production|examples|ads|design|ideas|content)|design explainer|design capabilit|(business|demo) video/i
uri __KAM_ADVIDS3 /search\?q\=Advids|youtube|video samples/i
body __KAM_ADVIDS4 /(video|content) (director|producer|marketer|creation)/i
meta KAM_ADVIDS ( __KAM_ADVIDS1 + __KAM_ADVIDS2 + (__KAM_ADVIDS3 + __KAM_ADVIDS4 >= 1) >= 3)
describe KAM_ADVIDS Video Production Spam
score KAM_ADVIDS 10.0
#CRYPTO FAKE
#ISSUE
body __KAM_CRYPTOFAKE1A /wallet will be suspended/i
body __KAM_CRYPTOFAKE1B /assets (require action|will be frozen|failed to merge)|merge your assets|action required for your assets|upgrade failure|submit your claim/i
#FROM
header __KAM_CRYPTOFAKE2A From =~ /Trust.?wallet|trezor|Ripple/i
body __KAM_CRYPTOFAKE2B /ethereum merge|Community Token Allocation Program|redistributed XRP/i
#SOURCE
uri __KAM_CRYPTOFAKE3A /blogspot\.com|sendgrid\.net/i
body __KAM_CRYPTOFAKE3B /(trezor.io|exodus\.com)\/merge|blogpost instructions/i
meta KAM_CRYPTOFAKE ( (__KAM_CRYPTOFAKE1A + __KAM_CRYPTOFAKE1B >= 1) + (__KAM_CRYPTOFAKE2A + __KAM_CRYPTOFAKE2B >= 1) + (__KAM_CRYPTOFAKE3A + __KAM_CRYPTOFAKE3B >= 1) >= 3 )
describe KAM_CRYPTOFAKE Fake Crypto Notice
score KAM_CRYPTOFAKE 6.5
#EMOJISEX
body __KAM_SEXEMOJI1 /ready 4fun|lets fun|private cam|exciting experiences|very hot|taste me|freaky fantas|hookup|tight pus|tight boob|divorced mom|mature wom[ae]n|bj mom|div0rced|f\*?u\*?c\*?k|sexy on your bed|good fuck/i
#EMOJI
body __KAM_SEXEMOJI2 /\x{F0}\x{9F}\x{8D}\x{91}|\x{F0}\x{9F}\x{92}\x{8B}/i
#URL
uri __KAM_SEXEMOJI3 /\.(ga|cf|ml)\//i
meta KAM_SEXEMOJI (FREEMAIL_FROM >= 1) && (__KAM_SEXEMOJI1 + __KAM_SEXEMOJI2 + __KAM_SEXEMOJI3 >= 3)
describe KAM_SEXEMOJI Sexually Explicit Email Using Emojis
score KAM_SEXEMOJI 9.5
#MARKETING COPOUT
body __KAM_COPOUT1 /MARKETING COMMUNICATION/i
body __KAM_COPOUT2 /sources believed reliable/i
body __KAM_COPOUT3 /We have not verified/i
meta KAM_COPOUT ( __KAM_COPOUT1 + __KAM_COPOUT2 + __KAM_COPOUT3 >= 3 )
describe KAM_COPOUT Marketing Emails that copout on the verification
score KAM_COPOUT 4.5
#DOMAIN/URI TEST CONCEPT
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_tag BADCALENDLYURIS (?:jpcalendly|michael\-2900|avolinq|otto\-demosho|jprecruiting|stella\-ridge|nivaai|guammi\-marketing|sethg\-erc|marc\-alderson|randy\-wimmer|video\-animation|julius\-frago|growthtitan|byte\-bridge\-team|flipcausedemo|techerp|leadoverload\-team|twiz|vissia\-ac|eventgives|sephacquisition|mattia\-100|doug\-376|byron\-lewis|selo\-ai|elevatemkt|business-gps-tetsch|nandreaatos|stephanie\-alic|.*praxis\-business\-brokers\-introduction|tony\-tarkowski|jvrtechllc|fractionl\/sonia-rosa|\-spv|2jm\-9wc\-m84|adrianaidid|bilal\-saeed\-|adobosolutions\-calendar\-4tof|verticalsols12|cyrusrsandoval77|fbfb|ikefontaine|ryan\-gonyo|gunaatita|mhoan867|paulam\-leadsignite|mktg\-sales\-leads|marketingteam\-cbox|leadstouchmarketingcal|appventurez\-mobi\-tech|darlyn\-tindoy\-powerhouse\-unlimited|appventurezmobi|crownglobe|revhero\-demo\-group|rolling\-adz|insyncmedia|dnathan\-3|kevin\-wright)
replace_rules __KAM_BADCALENDLY
uri __KAM_BADCALENDLY /https?\:\/\/(www\.)?calendly\.com\/(d\/)?<BADCALENDLYURIS>(?:\/|\?|\b|$)/i
replace_tag BADIGURIS (?:vakninliorcom|wehackhealth)
replace_rules __KAM_BADIG
uri __KAM_BADIG /https?\:\/\/(www\.)?instagram\.com\/<BADIGURIS>(?:\/|\?|\b|$)/i
replace_tag BADYTURIS (?:\@muvisaku|mzVih1bMPVE|PXcdLbnO9I4|\-lkrTRz5Ei8|j87M2BS4Ii8|LnQC_6XdH\-I|nT8luUsO4SU)
replace_rules __KAM_BADYT
uri __KAM_BADYT /https?\:\/\/(www\.)?(youtube\.com|youtu\.be)\/(watch\?v\=)?<BADYTURIS>(?:\/|\?|\b|$)/i
replace_tag BADVIMEOURIS (?:446834731|399916650|256117879|268399852|602066576|179069936|540337372|391568499|clumcreative)
replace_rules __KAM_BADVIMEO
uri __KAM_BADVIMEO /https?\:\/\/(www\.)?vimeo\.com\/<BADVIMEOURIS>(?:\/|\?|\b|$)/i
replace_tag BADMEDIUMURIS (?:\@webmoneyrevolution)
replace_rules __KAM_BADMEDIUM
uri __KAM_BADMEDIUM /https?\:\/\/(www\.)?medium\.com\/<BADMEDIUMURIS>(?:\/|\?|\b|$)/i
replace_tag BADFIVERRURIS (?:jamshednarayana)
replace_rules __KAM_BADFIVERR
uri __KAM_BADFIVERR /https?\:\/\/(www\.)?fiverr\.com\/<BADFIVERRURIS>(?:\/|\?|\b|$)/i
replace_tag BADGSITESURIS (?:33344455666|rfdzxgffg)
replace_rules __KAM_BADGSITES
uri __KAM_BADGSITES /https?\:\/\/sites\.google\.com\/view\/<BADGSITESURIS>(?:\/|\?|\b|$)/i
replace_tag BADDYNAMICSURIS (?:9F7f0SFS2Z|Koi3RYh33D)
replace_rules __KAM_BADDYNAMICS
uri __KAM_BADDYNAMICS /https?\:\/\/ncv\.microsoft\.com\/<BADDYNAMICSURIS>(?:\/|\?|\b|$)/i
replace_tag BADTELEGRAMURIS (?:leadgenmarket1)
replace_rules __KAM_BADTELEGRAMURIS
uri __KAM_BADTELEGRAMURIS /t.me\/<BADTELEGRAMURIS>(?:\/|\?|\b|$)/i
replace_tag BADSKYPEURIS (?:32a8cfbcf097b10d|2bc4ed65aa40fb3b|feedbackform2019)
replace_rules __KAM_BADSKYPEURIS
body __KAM_BADSKYPEURIS /live\:(\.cid\.)?<BADSKYPEURIS>(?:\/|\?|\b|$)/i
replace_tag BADWHATSAPPURIS (?:40753537389|48794973356|48794972985|48794972595|8801310463899|13653420669|48576377485|48576387220|48504723628|48576386112|48504723542|48660929489|48504723648|48861548807|48504723571|48507951873|48732676269|17539221591)
replace_rules __KAM_BADWHATSAPPURIS
uri __KAM_BADWHATSAPPURIS /https?\:\/\/wa.me\/<BADWHATSAPPURIS>(?:\/|\?|\b|$)/i
replace_tag BADFLOWCODEURIS (?:signalsdefense|rAcrHS8hy)
replace_rules __KAM_BADFLOWCODEURIS
uri __KAM_BADFLOWCODEURIS /https?\:\/\/(flow\.page|flowcode\.com\/p)\/<BADFLOWCODEURIS>(?:\/|\?|\b|$)/i
replace_tag BADBOXURIS (?:x6ddn2vwirubrnh5|3nrerkb3hstmpqx9|x6ddn2vwirubrnh5|q3629y3ewqvpmzb3|ic47i4xh8ms6pdd2|wr55diqj4rs785v3|bk5bdzzqbg2f9r7r|i8zkd3af27jznkzm|8hcqbxug96jcdkju|ukv7ra8ka6hi6tqb|qyt7i36zncx5map7|zpiyp9cfitd6nk83|2m9mvvxhu6nfk963|dncjppepqdfa8nr2|h4cpywq5kijxrqva|cuf3i39bw5mqabv5|nmyr45teezgtdmxi|25wrxidxxj8irkdi|fgpahmmaf4urc82i|fjxzaaqkaz5jk8uf|a2k3hsj3tyv4pg2h|28uyg6xaw2i25axb|r2puxzzs28kyd35t|jibpaq7bj2j7xc84|xfjmwqv6q5hzqaez)
replace_rules __KAM_BADBOXURIS
uri __KAM_BADBOXURIS /https?\:\/\/docsend\.com\/view\/<BADBOXURIS>(?:\/|\?|\b|\#|$)/i
replace_tag BADHUBSPOTURIS (?:timote\-chanut|keaton\-flanigan)
replace_rules __KAM_BADHUBSPOTURIS
uri __KAM_BADHUBSPOTURIS /https?\:\/\/meetings\.hubspot\.com\/<BADHUBSPOTURIS>(?:\/|\?|\b|$)/i
replace_tag BADLOOKERURIS (?:s74PQVx32qg|vcqPQCIEiwo)
replace_rules __KAM_BADLOOKERURIS
uri __KAM_BADLOOKERURIS /https?\:\/\/lookerstudio\.google\.com\/s\/<BADLOOKERURIS>(?:\/|\?|\b|$)/i
replace_tag BADYESWAREURIS (?:siniyahs)
replace_rules __KAM_BADYESWAREURIS
uri __KAM_BADYESWAREURIS /https?\:\/\/meet\.yesware\.com\/me\/<BADYESWAREURIS>(?:\/|\?|\b|$)/i
replace_tag BADXURIS (?:omarmohdomain|I4NZO7DEGe|329FQ5xXLY|wywBeF5oSy|WVg3MrDcuT|jeJ6QmURIo|nlBSAQ8vYx|9eyWNqeGvr|vqw4wHc7JF|Oer3A39I6x|jeeva_ai)
replace_rules __KAM_BADXURIS
uri __KAM_BADXURIS /https?\:\/\/((twitter|x)\.com|t\.co)\/<BADXURIS>(?:\/|\?|\b|$)/i
replace_tag BADLINKEDINURIS (?:thomaspropen)
replace_rules __KAM_BADLINKEDINURIS
uri __KAM_BADLINKEDINURIS /https?\:\/\/(www.)?linkedin\.com\/in\/<BADLINKEDINURIS>(?:\/|\?|\b|$)/i
meta KAM_BADDOMAINURI (__KAM_BADCALENDLY + __KAM_BADIG + __KAM_BADYT + __KAM_BADVIMEO + __KAM_BADMEDIUM + __KAM_BADFIVERR + __KAM_BADGSITES + __KAM_BADDYNAMICS + __KAM_BADTELEGRAMURIS + __KAM_BADSKYPEURIS + __KAM_BADWHATSAPPURIS + __KAM_BADFLOWCODEURIS + __KAM_BADBOXURIS + __KAM_BADHUBSPOTURIS + __KAM_BADLOOKERURIS + __KAM_BADYESWAREURIS + __KAM_BADXURIS + __KAM_BADLINKEDINURIS >= 1)
describe KAM_BADDOMAINURI Blocked domain/uri combo
score KAM_BADDOMAINURI 9.0
endif
#FAKE FEDEX
header __KAM_FEDEX1 From:name =~ /Fedex/i
header __KAM_FEDEX2 From:addr !~ /fedex/i
meta KAM_FEDEX (__KAM_FEDEX1 + __KAM_FEDEX2 + T_HTML_ATTACH >= 3)
describe KAM_FEDEX Fake FedEx notice
score KAM_FEDEX 4.5
#BLUEHORNET ESM SPAM
header __KAM_BLUEHORNET1A EnvelopeFrom =~ /\.bluehornet\.com/i
header __KAM_BLUEHORNET1B Return-Path =~ /\.bluehornet\.com/i
header __KAM_BLUEHORNET2 Received =~ /returnpath\.bluehornet\.com/i
meta KAM_BLUEHORNET ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_BLUEHORNET1A + __KAM_BLUEHORNET1B >= 1) + __KAM_BLUEHORNET2 >= 1) >= 2)
describe KAM_BLUEHORNET BlueHornet being exploited by scammers
score KAM_BLUEHORNET 4.50
#Rescoring for FPs
score PHP_SCRIPT 2.25
#APPLINK EMAILS
uri __KAM_APPLINK1 /\.app\.link/i
meta KAM_APPLINK ( __KAM_APPLINK1 + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
describe KAM_APPLINK App Link Spams
score KAM_APPLINK 4.5
#SEX EXPLICIT GROUPS
header __KAM_SEX_GROUPS1 From:addr =~ /(Anya|sexy|\-x)\-.*\@googlegroups\.com/i
uri __KAM_SEX_GROUPS2 /sites\.google\.com/i
body __KAM_SEX_GROUPS3 /(escort (company|job|section)|sexual needs|sexy lady|sexual?ly fit|fucked hard|local hotties|secret community|hq escorts|good fuck|naughty date|male escort)/i
meta KAM_SEX_GROUPS ( __KAM_SEX_GROUPS1 + __KAM_SEX_GROUPS2 + __KAM_SEX_GROUPS3 >= 3)
describe KAM_SEX_GROUPS Sexually Explicit Spam
score KAM_SEX_GROUPS 15.0
#SUSAN HAMILTON BLOCK
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
header __KAM_SUSAN1 To =~ /\@triplectrailersales.com/i
header __KAM_SUSAN2 From:name =~ /Susanne Hamilton/i
meta KAM_SUSAN ( __KAM_SUSAN1 + __KAM_SUSAN2 >= 2 )
describe KAM_SUSAN Susanne Hamilton Block
score KAM_SUSAN 10.0
endif
#FAKE MCAFEE VARIANT
header __KAM_FAKE_NORTON3_1 From:name =~ /Mcafee/i
header __KAM_FAKE_NORTON3_2 Subject =~ /payment/i
body __KAM_FAKE_NORTON3_3 /auto(matic)?.?renew/i
uri __KAM_FAKE_NORTON3_4 /(docs|drive)\.google\.com\/(document|file)\//i
meta KAM_FAKE_NORTON3 (__KAM_FAKE_NORTON3_1 + __KAM_FAKE_NORTON3_2 + __KAM_FAKE_NORTON3_3 + __KAM_FAKE_NORTON3_4 + FREEMAIL_FROM >= 4)
describe KAM_FAKE_NORTON3 Fake Norton / McAfee / Geek Squad / Symantec / etc. Renewal Notices
score KAM_FAKE_NORTON3 8.0
#TRACKING REDIR
uri __KAM_TRACKING_REDIR1 /\/tracking\/clicks\?redirect\=/i
uri __KAM_TRACKING_REDIR2 /https?:\/\/adclick\.\w\.doubleclick\.net\/\/?pcs\/click\?.{10,64}\&?\&adurl\=(?:https?\:)?\/\//i
uri __KAM_TRACKING_REDIR3 /https?:\/\/ad\.doubleclick\.net\/clk;.{8,64}\?(?:https?:)?\/\//i
meta KAM_TRACKING_REDIR ( __KAM_TRACKING_REDIR1 + __KAM_TRACKING_REDIR2 + __KAM_TRACKING_REDIR3 >= 1 )
describe KAM_TRACKING_REDIR Tracking URI with a redirect that is a security risk
score KAM_TRACKING_REDIR 4.5
#FAKE SAFE SENDERS LIST
body __KAM_FAKE_SAFESENDER1 /This sender has been verified from the.{1,32}safe senders? list/
meta KAM_FAKE_SAFESENDER ( __KAM_FAKE_SAFESENDER1 >= 1 )
describe KAM_FAKE_SAFESENDER Email shows up with a safe sender notice
score KAM_FAKE_SAFESENDER 1.0
#CHECKFILE
body __KAM_CHECKFILE1 /(File|Document)\: https?\:\/\/.{8,128}\/.{2,5}\/\?/i
meta KAM_CHECKFILE ( __KAM_CHECKFILE1 >= 1)
describe KAM_CHECKFILE Likely File link abuse
score KAM_CHECKFILE 8.5
body __KAM_CHECKFILE2_1 /(See|View|check|check) attach(ment|ed) (document|file)/i
meta KAM_CHECKFILE2 ( T_OBFU_PDF_ATTACH + __KAM_CHECKFILE2_1 >= 2)
score KAM_CHECKFILE2 4.0 #lowered from 8.5 on 2025-02-11
describe KAM_CHECKFILE2 Likely File Attachment scam
#BAD MAILBOX RELEASE / FINANCIAL REQUEST
uri __KAM_CONSTANTCONTACT1 /https?\:\/\/\w\d{1,3}\.rs6\.net/i
header __KAM_BAD_RELEASE1 Subject =~ /held messages|financial statement.? has been shared/i
meta KAM_BAD_RELEASE ( __KAM_EDU_FROM + __KAM_CONSTANTCONTACT1 + __KAM_BAD_RELEASE1 >= 3)
describe KAM_BAD_RELEASE Likely bad link abuse
score KAM_BAD_RELEASE 4.5
#FAKE TREZOR
header __KAM_FAKE_TREZOR1 from:addr !~ /\@trezor\.io/i
header __KAM_FAKE_TREZOR2 from:name =~ /trezor/i
#problem
body __KAM_FAKE_TREZOR3 /Ethereum merge|new device paired/i
tflags __KAM_FAKE_TREZOR3 nosubject
#urg
body __KAM_FAKE_TREZOR4 /as soon as possible|lost forever/i
#Trezor
body __KAM_FAKE_TREZOR5 /trezor|satoshi.?labs.?group/i
tflags __KAM_FAKE_TREZOR5 nosubject
#sub
header __KAM_FAKE_TREZOR6 Subject =~ /missing.?funds/i
meta KAM_FAKE_TREZOR (__KAM_FAKE_TREZOR1 + __KAM_FAKE_TREZOR2 + __KAM_FAKE_TREZOR3 + __KAM_FAKE_TREZOR4 + __KAM_FAKE_TREZOR5 + (__KAM_FAKE_TREZOR8 + __KAM_FAKE_TREZOR6 >= 1) + __KAM_SHORT >= 7)
describe KAM_FAKE_TREZOR Fake Trezor Message
score KAM_FAKE_TREZOR 10.5
#confirm
body __KAM_FAKE_TREZOR7 /confirm it was you/i
#problem
body __KAM_FAKE_TREZOR8 /new (paired )?application|new device paired/i
#Trezor
header __KAM_FAKE_TREZOR9 Subject =~ /Trezor|Linked\!/i
meta KAM_FAKE_TREZOR2 (__KAM_FAKE_TREZOR1 + __KAM_FAKE_TREZOR7 + __KAM_FAKE_TREZOR8 + __KAM_FAKE_TREZOR9 + KAM_SHORT >= 5)
describe KAM_FAKE_TREZOR2 Fake Trezor Message
score KAM_FAKE_TREZOR2 7.5
#CRYPTODRIVE
header __KAM_CRYPTODRIVE1 Subject =~ /\d hours to withdraw|quickly withdraw|balance has been replenished|withdraw your \+\d|cancell?ed in \d+ hour/i
body __KAM_CRYPTODRIVE2 /bitcoin (earn|min)|automatic bitcoin/i
meta KAM_CRYPTODRIVE ( __KAM_CRYPTODRIVE1 + __KAM_CRYPTODRIVE2 + FREEMAIL_FROM + __URI_GOOGLE_DRV >= 4 )
describe KAM_CRYPTODRIVE Likely CryptoCurrency Scam
score KAM_CRYPTODRIVE 6.0
#SA_POSTAL
header __KAM_FAKE_SA_POST1 From:addr !~ /\@postoffice\.co\.za/i
header __KAM_FAKE_SA_POST2 From:name =~ /South African Post Office/i
meta KAM_FAKE_SA_POST ( __KAM_FAKE_SA_POST1 + __KAM_FAKE_SA_POST2 >= 2 )
describe KAM_FAKE_SA_POST Fake Postal Notice
score KAM_FAKE_SA_POST 4.0
#FAKE BENEFITS
body __KAM_FAKE_BENEFIT1 /attached/i
body __KAM_FAKE_BENEFIT2 /benefits? enrollment/i
meta KAM_FAKE_BENEFIT ( __KAM_FAKE_BENEFIT1 + __KAM_FAKE_BENEFIT2 + T_HTML_ATTACH >= 3 )
describe KAM_FAKE_BENEFIT Likely fake benefit email
score KAM_FAKE_BENEFIT 4.5
#CNOBFU
body __KAM_URI_OBFU1 /w ?w ?w\[?.\]?asiane ?twork\[?.\]?org\[?.\]?cn/i
body __KAM_URI_OBFU2 /w ?w ?w\[?.\]?netchin ?a\[?.\]?org/i
meta KAM_URI_OBFU ( __KAM_URI_OBFU1 + __KAM_URI_OBFU2 >= 1 )
describe KAM_URI_OBFU Obfuscation of URLs
score KAM_URI_OBFU 10.0
#FAKE_GOOGLEGROUP
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_GOOGLEGROUP2
header __KAM_FAKE_GOOGLEGROUP1 From:addr =~ /\@googlegroups\.com/i
header __KAM_FAKE_GOOGLEGROUP2 From:name =~ /Support Team|(Mcafee|Best.?Buy) (support|Team)|Help Desk|client support|customer care team|Geek Squad (help.?(line|desk)|Call Center|support|customer support)|Team (McAfee|Best.?buy)|chase bank (protect|zero)|paypal (team|support)|(support|Service|Billing|team) PayPal|Helping (group|Hand|community)|help each other|W<E1>llsf<A1>rgo B<A1>nk r<e>gain|Bank of America Business/i
meta KAM_FAKE_GOOGLEGROUP ( __KAM_FAKE_GOOGLEGROUP1 + __KAM_FAKE_GOOGLEGROUP2 >= 2 )
describe KAM_FAKE_GOOGLEGROUP Google Group posing as a legitimate firm
score KAM_FAKE_GOOGLEGROUP 9.0
replace_rules __GB_OBFU_BANK
header __GB_FROM_GOOGLEDRIVE1 X-Original-Sender =~ /drive\-shares\-noreply\@google\.com/
header __GB_OBFU_BANK X-Original-From =~ /<B1><A1><N1><K1>\s?<O1><F>\s?<A1><M1><E1><R1><I1><C1><A1>/i
meta GB_OBFU_BANK_GDRIVE ( __GB_FROM_GOOGLEDRIVE1 && __GB_OBFU_BANK )
describe GB_OBFU_BANK_GDRIVE Google drive link from obfuscated Bank address
score GB_OBFU_BANK_GDRIVE 2.0
endif
#LEAD FORENSICS
body __KAM_LEAD_FORENSICS1 /leadforensics.{1,32}com|Lead Forensics/i
meta KAM_LEAD_FORENSICS ( __KAM_LEAD_FORENSICS1 >= 1 )
describe KAM_LEAD_FORENSICS Domain hopping spamming engine
score KAM_LEAD_FORENSICS 10.0
#FAKE_INTUIT
header __GB_INTUIT_NAME From:name =~ /intuit\.com/
header __GB_INTUIT_ADDR From:addr =~ /(?:\@|\.)intuit\.com/
meta GB_FAKE_INTUIT ( __GB_INTUIT_NAME && ! __GB_INTUIT_ADDR && SPF_FAIL )
describe GB_FAKE_INTUIT Fake Intuit message
score GB_FAKE_INTUIT 4.0
tflags GB_FAKE_INTUIT net
#FAKE_NETFLIX
#domain mismatch
header __KAM_FAKE_NETFLIX1A From:name =~ /(watch|Net)flix/i
header __KAM_FAKE_NETFLIX1B From:addr !~ /netflix\.com/i
#fuzz
header __KAM_FAKE_NETFLIX2A From:addr =~ /NetfIix/i
header __KAM_FAKE_NETFLIX2B Subject =~ /NetfIix/i
meta KAM_FAKE_NETFLIX ( __KAM_FAKE_NETFLIX1A + __KAM_FAKE_NETFLIX1B >= 2 ) || ( __KAM_FAKE_NETFLIX2A + __KAM_FAKE_NETFLIX2B >= 1 )
describe KAM_FAKE_NETFLIX Fake Netflix message
score KAM_FAKE_NETFLIX 7.0
#FAKE_STARBUCKS
#domain
header __KAM_FAKE_STARBUCKS1A From:name =~ /starbucks/i
header __KAM_FAKE_STARBUCKS1B From:addr !~ /starbucks\.com|order\.online/i
meta KAM_FAKE_STARBUCKS ( __KAM_FAKE_STARBUCKS1A + __KAM_FAKE_STARBUCKS1B >= 2 )
describe KAM_FAKE_STARBUCKS Fake Starbucks message
score KAM_FAKE_STARBUCKS 4.0
#FAKE_SAMSCLUB
#domain mismatch
header __KAM_FAKE_SAMSCLUB1A From:name =~ /Sam'?s?.?c(1|l|I)ub/i
header __KAM_FAKE_SAMSCLUB1B From:addr !~ /samsclub\.com|synchrony\.com/i
#fuzz
header __KAM_FAKE_SAMSCLUB2A From:addr =~ /Sam'?s?.?CIub/i
header __KAM_FAKE_SAMSCLUB2B Subject =~ /Sam'?s.?CIub/i
meta KAM_FAKE_SAMSCLUB ( __KAM_FAKE_SAMSCLUB1A + __KAM_FAKE_SAMSCLUB1B >= 2 ) || ( __KAM_FAKE_SAMSCLUB2A + __KAM_FAKE_SAMSCLUB2B >= 1 )
describe KAM_FAKE_SAMSCLUB Fake Sam's Club message
score KAM_FAKE_SAMSCLUB 4.0
#FAKE_WALGREENS
#domain
header __KAM_FAKE_WALGREENS1A From:name =~ /wa(l|1|i)greens/i
header __KAM_FAKE_WALGREENS1B From:addr !~ /wa(l|1|i)greens\.com/i
#fuzz
header __KAM_FAKE_WALGREENS2A From:addr =~ /wa(1|i)greens/i
header __KAM_FAKE_WALGREENS2B Subject =~ /wa(1|i)greens/i
meta KAM_FAKE_WALGREENS ( __KAM_FAKE_WALGREENS1A + __KAM_FAKE_WALGREENS1B >= 2 ) || ( __KAM_FAKE_WALGREENS2A + __KAM_FAKE_WALGREENS2B >= 1 )
describe KAM_FAKE_WALGREENS Fake Walgreens message
score KAM_FAKE_WALGREENS 4.0
# Disabled 2025-06-02 for FPs with Ace Hardware Franchises
##FAKE_ACEHARDWARE2
# #domain
#header __KAM_FAKE_ACEHARDWARE2_1A From:name =~ /Ace.?(reward|Hardware)|AceOctoberReward/i
#header __KAM_FAKE_ACEHARDWARE2_1B From:addr !~ /acehardware\.com/i
##header __KAM_FAKE_ACEHARDWARE2_1C Subject =~ /Ace.?hardware.?rewards/i
#
#meta KAM_FAKE_ACEHARDWARE2 ( __KAM_FAKE_ACEHARDWARE2_1A + __KAM_FAKE_ACEHARDWARE2_1B >= 2 )
#describe KAM_FAKE_ACEHARDWARE2 Fake Ace Hardware message
#score KAM_FAKE_ACEHARDWARE2 8.0
#FAKE_CVS
#domain - Fixed FP on 2023-10-06 from Joel Risberg
header __KAM_FAKE_CVS_1A From:name =~ /CVS(care|extra|octoberreward|reward|bonus|stores|savr|save)|CVS(\b|\$)|CVS.*dea[1|i|l]s/i
header __KAM_FAKE_CVS_1B From:addr !~ /cvs(health)?\.com|caremark\.com/i
meta KAM_FAKE_CVS ( __KAM_FAKE_CVS_1A + __KAM_FAKE_CVS_1B >= 2 )
describe KAM_FAKE_CVS Fake CVS message
score KAM_FAKE_CVS 6.0
#MEDALLIA
header __KAM_MEDALLIA From:addr =~ /medallia\.com/i
meta KAM_MEDALLIA (KAM_FAKE_CVS + KAM_FAKE_SAMSCLUB >= 1) && __KAM_MEDALLIA
describe KAM_MEDALLIA False Positive Handling for Medallia Surveys
score KAM_MEDALLIA -6.0
#FAKE HOME DEPOT
#domain
header __KAM_FAKE_HOMEDEPOT_1A From:name =~ /home.?depot/i
header __KAM_FAKE_HOMEDEPOT_1B From:addr !~ /(\@|\.)(homedepot\.com|squaretrade\.com)/i
meta KAM_FAKE_HOMEDEPOT ( __KAM_FAKE_HOMEDEPOT_1A + __KAM_FAKE_HOMEDEPOT_1B >= 2 )
describe KAM_FAKE_HOMEDEPOT Fake Home Depot message
score KAM_FAKE_HOMEDEPOT 5.0
#FAKE COSTCO
#domain
header __KAM_FAKE_COSTCO_1A From:name =~ /costco/i
header __KAM_FAKE_COSTCO_1B From:addr !~ /costco\.(com|ca|uk)|costcotravel\.com/i
meta KAM_FAKE_COSTCO2 ( __KAM_FAKE_COSTCO_1A + __KAM_FAKE_COSTCO_1B >= 2 )
describe KAM_FAKE_COSTCO2 Fake Costco message
score KAM_FAKE_COSTCO2 7.0
#EMPTY MESSAGE FP FOR CALENDARS
mimeheader __GB_CALENDAR_ATTACH Content-Type =~ /\b(text\/calendar)\b/i
meta GB_EMPTY_CALENDAR ( ( EMPTY_MESSAGE || BODY_URI_ONLY ) && __GB_CALENDAR_ATTACH )
describe GB_EMPTY_CALENDAR Empty message with a calendar attachment
score GB_EMPTY_CALENDAR -2.0
#EMPTY MESSAGE FP FOR IMAGES
meta GB_EMPTY_IMAGES ( EMPTY_MESSAGE && __ANY_IMAGE_ATTACH )
describe GB_EMPTY_IMAGES Empty message with an attached image
score GB_EMPTY_IMAGES -2.0
#FAKE LOWES
#domain
header __KAM_FAKE_LOWES2_1A From:name =~ /lowes.?home.?improvement|Lowes.?(shopper|Store)|LowesHome|Lowes.?customer.?support|Lowe's.?Shopper/i
header __KAM_FAKE_LOWES2_1B From:addr !~ /lowes\.com/i
meta KAM_FAKE_LOWES2 ( __KAM_FAKE_LOWES2_1A + __KAM_FAKE_LOWES2_1B >= 2 )
describe KAM_FAKE_LOWES2 Fake Lowes message
score KAM_FAKE_LOWES2 4.0
#UNSOLICITED
body __KAM_UNSOLICITED1 /Sorry for the unsolicited email/i
meta KAM_UNSOLICITED ( __KAM_UNSOLICITED1 >= 1 )
describe KAM_UNSOLICITED Email that is unsolicited
score KAM_UNSOLICITED 5.0
#FAKE PRIME/AMAZON
#domain
header __KAM_FAKE_PRIME_1A From:name =~ /Prime.*Member|PrimeAccount(a(1|i|l)ert|Service)|Prime.?Dea(1|i)|prime.?day.?saving/i
header __KAM_FAKE_PRIME_1B From:addr !~ /amazon\.com/i
header __KAM_FAKE_PRIME_2 Subject =~ /Amaz0n prime|prime membership (is renewing|statement was ended)/i
meta KAM_FAKE_PRIME ( ( __KAM_FAKE_PRIME_1A + __KAM_FAKE_PRIME_2 >= 1 ) + __KAM_FAKE_PRIME_1B >= 2 )
describe KAM_FAKE_PRIME Fake Amazon Prime message
score KAM_FAKE_PRIME 7.0
#FAKE MILWAUKEE
#fuzz
header __KAM_FAKE_MILWAUKEE2A From:addr =~ /mi(1|i)waukeetoo(i|1)s/i
header __KAM_FAKE_MILWAUKEE2B Subject =~ /Milwaukee (Drill|tool)/i
meta KAM_FAKE_MILWAUKEE ( __KAM_FAKE_MILWAUKEE2A + __KAM_FAKE_MILWAUKEE2B >= 1 )
describe KAM_FAKE_MILWAUKEE Fake Lowes / Milwaukee Tools message
score KAM_FAKE_MILWAUKEE 4.0
#FAKE HULU
#fuzz
header __KAM_FAKE_HULU2A From:addr =~ /hu(1|i)u.?(acct|account|member)/i
header __KAM_FAKE_HULU2B Subject =~ /hu(1|i)u.?member/i
meta KAM_FAKE_HULU ( __KAM_FAKE_HULU2A + __KAM_FAKE_HULU2B >= 1 )
describe KAM_FAKE_HULU Fake Hulu message
score KAM_FAKE_HULU 6.0
#FAKE WEBROOT
header __KAM_FAKE_WEBROOT1 Subject =~ /got your order|Payment receipt|Order Confirm|your e.?statement|renewal confirm|itemized invoice|renewal success/i
body __KAM_FAKE_WEBROOT2 /Webroot/i
body __KAM_FAKE_WEBROOT3 /Total Securities|Webroot (security|premium)/i
body __KAM_FAKE_WEBROOT4 /not authorized|should there be any concern|terminate your service|discontinuing this transaction/i
meta KAM_FAKE_WEBROOT ( __KAM_FAKE_WEBROOT1 + __KAM_FAKE_WEBROOT2 + __KAM_FAKE_WEBROOT3 + __KAM_FAKE_WEBROOT4 + FREEMAIL_FROM >= 5)
describe KAM_FAKE_WEBROOT Fake Webroot Scam
score KAM_FAKE_WEBROOT 7.5
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# Received document
body __GB_DID_RECEIVE /did you receive .{1,10} document/i
meta GB_DID_RECEIVE ( __GB_DID_RECEIVE && KAM_RAPTOR_EXTERNAL )
describe GB_DID_RECEIVE Document received scam
score GB_DID_RECEIVE 1.5
endif
# ExtractText Rules
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
ifplugin Mail::SpamAssassin::Plugin::ExtractText
header GB_QR_CODE X-ExtractText-Flags =~ /\bQR\-Code\b/
describe GB_QR_CODE QR-Code in attached image
score GB_QR_CODE 2.0
header __GB_OCR_URI_BAD_TLD X-ExtractText-URIs =~ /https?:\/\/.*\.ru\//i
meta GB_QR_CODE_BAD_TLD ( __GB_OCR_URI_BAD_TLD && GB_QR_CODE )
describe GB_QR_CODE_BAD_TLD Qr code uri with a bad tld domain
score GB_QR_CODE_BAD_TLD 4.5
endif
endif
#TLDSCHINA
body __KAM_TLDSCHINA1 /t ?l ?d ?s ?c ?h ?i ?n ?a\[\.\]com|0086\-21\-619\-18\-696/i
meta KAM_TLDSCHINA ( __KAM_TLDSCHINA1 >= 1 )
describe KAM_TLDSCHINA Chinese Domain Scams
score KAM_TLDSCHINA 5.0
# .html link stored on S3
uri __GB_S3_HTM1 /^https?:\/\/.{3,64}\.s3\..{3,16}\.amazonaws\.com\/.{3,128}\.s?html?(?![^\/]*?(?:%24|\$|\?X\-Amz\-))/i
uri __GB_S3_HTM2 /^https?:\/\/(?:\w+\.)?s3\.amazonaws\.com\/(?:.{3,16}\/.{3,16}\/)?.{3,128}\.s?html?(?![^\/]*?(?:%24|\$|\?X\-Amz\-))/i
uri __GB_S3_HTM3 /^https?:\/\/s3\.(?:[a-z0-9-]+)\.amazonaws\.com\/(?:[a-z0-9-\.]+)\/.{1,64}\.s?html?(?![^\/]*?(?:%24|\$|\?X\-Amz\-))/i
uri __GB_S3_HTMCUB /^https?:\/\/s3\.cubbit\.eu\/(?:[a-z0-9-\.]+)\/.{1,64}\.s?html?/i
meta GB_S3_HTM ( __GB_S3_HTM1 + __GB_S3_HTM2 + __GB_S3_HTM3 + __GB_S3_HTMCUB >= 1 )
describe GB_S3_HTM .html link stored on AWS S3
score GB_S3_HTM 5.75
meta GB_S3_HTM_MANY ( GB_S3_HTM && KAM_MANYTO )
describe GB_S3_HTM_MANY .html link stored on AWS S3 sent to many people
score GB_S3_HTM_MANY 1.0
# AWS Apprunner abuse
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
uri GB_AWSAPPRUNNER_MAIL /^https?:\/\/(?:\w+\.)(?:[a-z0-9-]+)\.awsapprunner\.com\/.{1,64}=%{GB_TO_ADDR}/i
describe GB_AWSAPPRUNNER_MAIL AWS Apprunner link with destination mail address
score GB_AWSAPPRUNNER_MAIL 2.0
endif
endif
#FAKE STIMULUS
header __KAM_FAKE_STIM1 From =~ /state.?reiief|stim.?state.?check|stim.?check.?reiief|reiief2023|statestimcheck|statebenefits/i
header __KAM_FAKE_STIM2 Subject =~ /stimu[1i]us/i
body __KAM_FAKE_STIM3 /stimu[1i]us|stimulus (benefit|fund|check)/i
tflags __KAM_FAKE_STIM3 nosubject
meta KAM_FAKE_STIM ( __KAM_FAKE_STIM1 + __KAM_FAKE_STIM2 + __KAM_FAKE_STIM3 >= 3)
describe KAM_FAKE_STIM Fake Stimulus Scam
score KAM_FAKE_STIM 6.0
#FAKE QUOTES
header __KAM_FAKE_QUOTE1 Subject =~ /signing up for Quotes\.daily/i
meta KAM_FAKE_QUOTE ( __KAM_FAKE_QUOTE1 + FREEMAIL_FROM >= 2 )
describe KAM_FAKE_QUOTE Fake Quotes Signup Notice
score KAM_FAKE_QUOTE 6.0
#FAKE HOTEL ROOM
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __GB_FAKE_HOTEL
body __GB_FAKE_HOTEL /(?:book(?:ing)? a|(?:need|reserving) a|standard|cost of a)(?:\s)?(?:single|double|twin)?(?:\sstandard)? room|check into your hotel|book a hotel room|have such a room|left it in (?:a|my|the) room|mak(?:e|ing) a reservation|reservar una habitaci<O>n|room availability/i
header __GB_FAKE_HOTEL_S Subject =~ /To the Hotel|Booking confirmation/i
meta GB_FAKE_HOTEL ( FREEMAIL_FROM && ( KAM_BLANKSUBJECT || __GB_FAKE_HOTEL_S ) && __GB_FAKE_HOTEL )
describe GB_FAKE_HOTEL Fake hotel room reservation
score GB_FAKE_HOTEL 4.0
body __GB_FAKE_BOOKING /Book,{0,4}ing\.com|Booking app\b|following this link|New Message from Guest|important questions/i
body __GB_BOOKING_DEAR /Dear Hotel (?:Manage(?:ment|r)|Team)|Dear Partner/i
uri __GB_BOOKING_URI /booking\.com/
header __GB_BOOKING_FROM From:addr =~ /\@booking\.com/
header __GB_BOOKING_REPLY Reply-To =~ /noreply\@booking\.com/
meta __GB_FAKE_BOOKING0 ( __GB_FAKE_BOOKING && __GB_BOOKING_DEAR && !__GB_BOOKING_URI )
meta __GB_FAKE_BOOKING1 ( __GB_FAKE_BOOKING && __GB_BOOKING_REPLY && !__GB_BOOKING_FROM )
meta GB_FAKE_BOOKING ( __GB_FAKE_BOOKING0 || __GB_FAKE_BOOKING1 )
describe GB_FAKE_BOOKING Booking.com scam
score GB_FAKE_BOOKING 0.001
endif
#FAKE SPOTIFY
#domain
header __KAM_FAKE_SPOTIFY_1A From:name =~ /spotify premium|Spotify(?:\s|_)Inc\./i
header __KAM_FAKE_SPOTIFY_1B From:addr !~ /spotify\.com/i
meta KAM_FAKE_SPOTIFY ( __KAM_FAKE_SPOTIFY_1A + __KAM_FAKE_SPOTIFY_1B >= 2 )
describe KAM_FAKE_SPOTIFY Fake Spotify message
score KAM_FAKE_SPOTIFY 7.0
#FAKE TRUST WALLET
#domain
header __KAM_FAKE_TRUSTWALLET_1A From:name =~ /trust.?wallet/i
header __KAM_FAKE_TRUSTWALLET_1B From:addr !~ /trustwallet\.com/i
meta KAM_FAKE_TRUSTWALLET ( __KAM_FAKE_TRUSTWALLET_1A + __KAM_FAKE_TRUSTWALLET_1B >= 2 )
describe KAM_FAKE_TRUSTWALLET Fake Trust Wallet message
score KAM_FAKE_TRUSTWALLET 7.0
#APP SPAM
#subject
header __KAM_APP1 Subject =~ /App Idea/i
#who
body __KAM_APP2 /IT Based company/i
#what
body __KAM_APP3 /App devel/i
#pricing
body __KAM_APP4 /pocket.?friendly/i
#LMK
body __KAM_APP5 /requirements in detail/i
meta KAM_APP ( __KAM_APP1 + __KAM_APP2 + __KAM_APP3 + __KAM_APP4 + __KAM_APP5 + FREEMAIL_FROM >= 6 )
describe KAM_APP Spammers hawking App Development
score KAM_APP 9.0
#PENPAL
#subject
header __KAM_PENPAL1 Subject =~ /^(GREETINGS|HI)\.?$|GET WRITING|pen.?pal|GOOD MORNING|GOOD DAY|MORNING|reaching out From Sweden|Friendship Request|request letter|^HELLO$/i
#intro
body __KAM_PENPAL2 /my name is| from Sweden/i
#penpal
body __KAM_PENPAL3 /pen.?pal|virtual friendship|learn about life in your country|exploring a friendship|becoming friends with me/i
tflags __KAM_PENPAL3 nosubject
#topic
body __KAM_PENPAL4 /talk *anything|talk about (everything|anything)|look forward to hear|contact details online|begin a worthwhile relationship|share anything|establishing a meaningful connection|potentially a relationship|relationship with someone/i
meta KAM_PENPAL ( __KAM_PENPAL1 + __KAM_PENPAL2 + __KAM_PENPAL3 + __KAM_PENPAL4 + FREEMAIL_FROM >= 5 )
describe KAM_PENPAL Pen Pal Scams
score KAM_PENPAL 8.0
#FAKE GOOGLE DRIVE NOTICE
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_DRIVE1
#from:name
header __KAM_FAKE_DRIVE1 From:name =~ /(Ch<A1>s<E1>|W<E1>(1|l|I)(1|l|I)s.?F<A1>rg<O1>).?(B<A1>nk|S<E1>c|R<E1>g<A1>|R<E1>v<I1>|H<E1>lp)/i
#from:addr
header __KAM_FAKE_DRIVE2 From:addr =~ /drive\-shares\-dm\-noreply\@google\.com/i
#subj
header __KAM_FAKE_DRIVE3 Subject =~ /Scam Sign.?in Detected|Bank ID Locked|Account Frozen|Fraud Sign.?in/i
meta KAM_FAKE_DRIVE ( __KAM_FAKE_DRIVE1 + __KAM_FAKE_DRIVE2 >= 2 ) || ( __KAM_FAKE_DRIVE2 + __KAM_FAKE_DRIVE3 >= 2 )
describe KAM_FAKE_DRIVE Fake Google Drive Notice
score KAM_FAKE_DRIVE 12.0
endif
#FAKE SCORE NOTES
#subj
header __KAM_FAKE_SCORE1 Subject =~ /Score released\:.*\+\$\d+/i
#Form
header __KAM_FAKE_SCORE2 X-GoogleForms-IsConsumerForm =~ /true/i
#Result
body __KAM_FAKE_SCORE3 /account deactivation|balance will be (reset|cleared|zeroed)|block inactive account/i
#Action
body __KAM_FAKE_SCORE4 /(sign in.?to|log.?in.?to|enter|access) your account/i
meta KAM_FAKE_SCORE ( __KAM_FAKE_SCORE1 + __KAM_FAKE_SCORE2 + __KAM_FAKE_SCORE3 + __KAM_FAKE_SCORE4 + FREEMAIL_FROM >= 5 )
describe KAM_FAKE_SCORE Fake Score Emails
score KAM_FAKE_SCORE 7.5
#blob
uri __KAM_BLOBHTML1 /.*\.blob\.core\.windows\.net\/.*html?/i
meta KAM_BLOBHTML ( __KAM_BLOBHTML1 + FREEMAIL_FROM >= 2 )
describe KAM_BLOBHTML Windows Blob Likely Spam
score KAM_BLOBHTML 9.0
meta KAM_BLOBHTMLLOW ( __KAM_BLOBHTML1 >= 1 ) && !KAM_BLOBHTML
describe KAM_BLOBHTMLLOW Windows Blob Lower Confidence of Spam
score KAM_BLOBHTMLLOW 3.25
# Cloudflare r2.dev public cloud
uri __GB_R2DEVHTML1 /https?:\/\/pub\-\w+\.r2\.dev\/.{1,32}\.html?/
meta GB_R2DEVHTML ( __GB_R2DEVHTML1 + FREEMAIL_FROM >= 2 )
describe GB_R2DEVHTML Cloudflare r2.dev Likely Spam
score GB_R2DEVHTML 5.0
meta GB_R2DEVHTMLLOW ( __GB_R2DEVHTML1 >= 1 )
describe GB_R2DEVHTMLLOW Cloudflare r2.dev Lower Confidence of Spam
score GB_R2DEVHTMLLOW 2.0
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
uri __GB_CUSTOM_SURGESH /https?:\/\/(?:[a-z0-9_\-]+)\.surge\.sh\/.{0,16}\#%{GB_TO_ADDR}/i
meta GB_CUSTOM_SURGESH __GB_CUSTOM_SURGESH
describe GB_CUSTOM_SURGESH Surge.sh abuse
score GB_CUSTOM_SURGESH 2.0
meta GB_CUSTOM_FREESURGESH ( GB_CUSTOM_SURGESH && FREEMAIL_FROM )
describe GB_CUSTOM_FREESURGESH Surge.sh abuse from freemail address
score GB_CUSTOM_FREESURGESH 3.0
endif
endif
# Fake invoice links to Google Cloud
ifplugin Mail::SpamAssassin::Plugin::URIDetail
uri_detail __GB_GOOGLE_INVOICE0 cleaned =~ /(?:\d+\.\d+\.\d+\.\d+\.bc\.googleusercontent\.com|(?:adclick|googleads)\.\w\.doubleclick\.net\/(?:aclk|pcs\/click)|googleadservices\.com\/pagead)/ text =~ /document|invoice|fattura/i
uri __GB_GOOGLE_INVOICE1 /(?:\d+\.\d+\.\d+\.\d+\.bc\.googleusercontent\.com|adclick\.\w\.doubleclick\.net\/pcs\/click).{1,8}Payment.Invoice/i
meta GB_GOOGLE_INVOICE ( __GB_GOOGLE_INVOICE0 + __GB_GOOGLE_INVOICE1 >= 1 )
describe GB_GOOGLE_INVOICE Fake Invoice stored on Google cloud/ads
score GB_GOOGLE_INVOICE 4.0
endif
# Dispatch targeted postcompromise spam
body __KAM_DISPATCH1 /dis+patch(ed)? a (material|file)|Document\:/i
uri __KAM_DISPATCH2 /https?\:\/\/.*?\/\w*\/\?\d+/i
meta KAM_DISPATCH ( __KAM_DISPATCH1 + __KAM_DISPATCH2 >= 2)
describe KAM_DISPATCH Phishing File Scam Email
score KAM_DISPATCH 4.0
# DEAD PIANO
#DAYED
body __KAM_PIANO1 /(dead|late) (spouse|husband)/i
#PIANO
body __KAM_PIANO2 /(Yamaha|grand) piano|baby grand/i
#COST
body __KAM_PIANO3 /free|gifting|offering|give away|go to someone/i
#SUBJ
header __KAM_PIANO4 Subject =~ /want this|(beautiful|grand) piano|instrument|piano donation|baby grand|['`] +piano|yamaha piano/i
meta KAM_PIANO ( __KAM_PIANO1 + __KAM_PIANO2 + __KAM_PIANO3 + __KAM_PIANO4 + (__KAM_EDU_FROM + FREEMAIL_FROM >= 1) >= 5 )
describe KAM_PIANO Likely Piano Scam (yes, Piano Scams are a real thing apparently. "Sing us a song, you're the piano scam...")
score KAM_PIANO 7.5
ifplugin Mail::SpamAssassin::Plugin::RaptorOnly
# AP/AR SCAM
body __KAM_APARSCAM /email me our most recent AP and AR Aging report|what is the bank cut off line for WIRE TRANSFER/i
meta KAM_APARSCAM ( __KAM_APARSCAM + __KAM_BEAL1 + KAM_RAPTOR_EXTERNAL >= 3 )
describe KAM_APARSCAM Accounting Phishing Scams
score KAM_APARSCAM 6.0
endif
#FAKE WELLS FARGO
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_FAKE_WELLSFARGO_1A
#domain
header __KAM_FAKE_WELLSFARGO_1A From:name =~ /W<E1>lls.?f<A1>rgo 0nline/i
header __KAM_FAKE_WELLSFARGO_1B From:addr !~ /wellsfargo\.com/i
meta KAM_FAKE_WELLSFARGO ( __KAM_FAKE_WELLSFARGO_1A + __KAM_FAKE_WELLSFARGO_1B >= 2 )
describe KAM_FAKE_WELLSFARGO Fake Wells Fargo message
score KAM_FAKE_WELLSFARGO 7.0
#FIT LLC
replace_rules __KAM_FIT1
body __KAM_FIT1 /Email (was |is )?sent by:? (Event Horizon LLC|F<I1>T, LLC)|(email was sent|newsletter).{0,35} (operator of|on behalf of) (prestige publishing|Event Horizon) LLC|Polaris Advertising is the operator and proprietor|brought to you by Event Horizon LLC|(valued member of the|possessed by) Stark Media LLC/im
meta KAM_FIT ( __KAM_FIT1 >= 1 )
describe KAM_FIT Spamming spammers who spam
score KAM_FIT 6.0
endif
#FAKE FIDELITY
body __KAM_FAKE_FIDELITY1 /we are brokers/i
header __KAM_FAKE_FIDELITY2 Subject =~ /Fidelity Investments/i
meta KAM_FAKE_FIDELITY ( __KAM_FAKE_FIDELITY1 + __KAM_FAKE_FIDELITY2 + FREEMAIL_FROM >= 3 )
describe KAM_FAKE_FIDELITY Likely Fake Brokerage Emails
score KAM_FAKE_FIDELITY 4.5
#FAKE AIRDROP
body __KAM_FAKE_AIRDROP1 /claim airdrop/i
uri __KAM_FAKE_AIRDROP2 /\.sendgrid.net\//i
header __KAM_FAKE_AIRDROP3 From:name =~ /cointracker/i
header __KAM_FAKE_AIRDROP4 From:addr !~ /cointracker\.io/i
header __KAM_FAKE_AIRDROP5 Subject =~ /Arbitrum Airdrop/i
meta KAM_FAKE_AIRDROP ( __KAM_FAKE_AIRDROP1 + __KAM_FAKE_AIRDROP2 + __KAM_FAKE_AIRDROP3 + __KAM_FAKE_AIRDROP4 + __KAM_FAKE_AIRDROP5 >= 5 )
describe KAM_FAKE_AIRDROP Fake Air Drop / Coin Email
score KAM_FAKE_AIRDROP 6.0
#PAGE GROUp
#Title
body __KAM_PAGE_GROUP1 /Talent Acquisition Specialist/i
#Name
body __KAM_PAGE_GROUP2 /Michael Page Recruitment/i
meta KAM_PAGE_GROUP ( __KAM_PAGE_GROUP1 + __KAM_PAGE_GROUP2 >= 2)
describe KAM_PAGE_GROUP Page Recruiting Scam
score KAM_PAGE_GROUP 5.0
#GOOGLE SCRIPTS
uri __KAM_GOOGLE_SCRIPT /script\.google\.com/i
#FAKE AMAZON
header __KAM_FAKE_AMAZON_NOTICE1 Subject =~ /Amazon Membership Update/i
meta KAM_FAKE_AMAZON_NOTICE ( __KAM_FAKE_AMAZON_NOTICE1 + __KAM_GOOGLE_SCRIPT >= 2 )
describe KAM_FAKE_AMAZON_NOTICE Fake Amazon Notice
score KAM_FAKE_AMAZON_NOTICE 6.0
#PATHOS PR
body __KAM_PATHOS1 /PR firm|spots left for an article/i
body __KAM_PATHOS2 /(Pathos|Pay on Results) (PR|Media)/i
body __KAM_PATHOS3 /(\b|^)((managing|marketing) (director|partner)|team lead|Partner)(\b|$)/i
body __KAM_PATHOS4 /opt-?out|opt-?ing out/i
meta KAM_PATHOS ( __KAM_PATHOS1 + __KAM_PATHOS2 + __KAM_PATHOS3 + __KAM_PATHOS4 >= 4 )
describe KAM_PATHOS Pathos Payonresults Spam
score KAM_PATHOS 8.0
#FAKE DOCUSIGN
header __KAM_FAKE_DOCUSIGN2_1 Subject =~ /signature required/i
uri __KAM_FAKE_DOCUSIGN2_2 /mimecastprotect.com.*urldefense.proofpoint.co/i
body __KAM_FAKE_DOCUSIGN2_3 /docusign/i
meta KAM_FAKE_DOCUSIGN2 ( __KAM_FAKE_DOCUSIGN2_1 + __KAM_FAKE_DOCUSIGN2_2 + __KAM_FAKE_DOCUSIGN2_3 >= 3 )
describe KAM_FAKE_DOCUSIGN2 Likely Fake DocuSign Email
score KAM_FAKE_DOCUSIGN2 4.5
#VIRTUAL BOOKKEEPER
#SUBJ
header __KAM_BOOKKEEP1 Subject =~ /(Accounting|Bookkeeping) ?(\/|\&) ?(Bookkeeping|Accounting)|Help with bookkeeping|bookkeeping for|bookkeeping a hassle|outsourced Bookkeeping|ease your bookkeeping|(accounting|bookkeeping)\/tax prep service|virtual (accounting|bookkeeping|bookkeeper|accountant)|affordable (accounting|bookkeeping) solution|be your in.?house (accounting|bookkeeping)|senior bookkeep|master your finance/i
#FOLLOW/COLD
body __KAM_BOOKKEEP2 /sent you a message|my name is|reply with an optimal number for me to reach|helped a business in your state|reply with a good time\/number to reach|respond a time for us to talk|helping businesses outsource all their bookkeeping|give you a quick call|assisted a company (organize|manage) two years of books|follow back on my message|reply back with a good line|give you a brief line|convenient time to connect|brief minute to discuss|follow up on my last email|received my note from a couple of days|what time works best|set up a time to chat|reached out a couple of days ago|schedule a time to connect|interested in seeing our work/i
tflags __KAM_BOOKKEEP2 nosubject
#SALE
body __KAM_BOOKKEEP3 /(explore|see|check) if (we\'?re|we are) a (match|fit)|paying huge amounts of money for bookkeeping|open to a quick call|streamline bookkeeping needs|fed up with keeping your own books|transform your bookkeeping|accounting for (tons|thousands) of companies just like|no\-stress bookkeeping solution|wasting a lot of time doing bookkeeping|benefit from help keeping books|manag(e|ing) bookkeeping \& accounting requirements for lots of (companies|customers)|interested to hire a dedicated remote (tax|accountant|bookkeeper)|assist businesses handle their books|extra hand with bookkeeping|client in your state|we saved \d+ hours a month|already serving \d+ plus business|we specialize in:? bookkeeping/im
tflags __KAM_BOOKKEEP3 nosubject
meta KAM_BOOKKEEP ( __KAM_BOOKKEEP1 + __KAM_BOOKKEEP2 + __KAM_BOOKKEEP3 + FREEMAIL_FROM >= 4 )
describe KAM_BOOKKEEP Bookkeeping and Accounting Spams
score KAM_BOOKKEEP 6.0
#LATEST APP DEV SPAMS
#subj
header __KAM_APPDEV1 Subject =~ /App Prices|healthcare app|app offer|new app|follow up|mobile app(lication|s)? company|Mobile App$|improve your app|Any app|creating an app|\@gmail\.com|Price|perfect app|your requirement|apps? development|app platform|developer|Electric Bike Apps|applications? for your business|Ios Apps|Web apps|app proposal|Custom app|create an app/i
#location or type of app
body __KAM_APPDEV2 /(companies|company|based) in India|Indian.?Based|Rani$|(handyman|fitness|Entertainment|Shopping|hospital|real.?estate|Taxi|custom business|store|booking|lifestyle|ecommerce|ios|game|gaming|Web) App|App and Website Devel|are you looking for responsive mobile app/i
tflags __KAM_APPDEV2 nosubject
#COLD
body __KAM_APPDEV3 /My name is|chance to review my (previous )?email|I work with \d+\+ experienced IT|if you are interested|chance to peruse through it|interested in developing a mobile app|are you trying to find apps|wondering if you wanted an app|connect you with the right person|company with over \d+ years of experience|We specialize in high\-quality android|looking for creating an app/i
tflags __KAM_APPDEV3 nosubject
#AppDev
body __KAM_APPDEV4 /app develop(ment|er)|app for your domain|best mobile app devel|app development manager|app development service|develop your web project|apps for your company|experts in app.?dev|build a mobile? app|apps we have successfully developed|mobile apps and game devel|apps development manager/i
tflags __KAM_APPDEV4 nosubject
#PRICE / REQS
body __KAM_APPDEV5 /mobile app price list|cost efficient|price list \& sample|catalog price|meeting to discuss details|share ballpark estimat|share your requirement|discuss the further steps|see our portfolio|portfolio and pricing|send you our price|price list|requirement, please do share|(let me know|discuss) your requirements|send you more details on (sample|package|portfolio)|offer a detailed pric|hear more about project req|forward you our price \& latest work|app prices? list|we can discuss pricing/i
tflags __KAM_APPDEV5 nosubject
meta KAM_APPDEV ( __KAM_APPDEV1 + __KAM_APPDEV2 + __KAM_APPDEV3 + __KAM_APPDEV4 + __KAM_APPDEV5 + FREEMAIL_FROM >= 6)
describe KAM_APPDEV Application Developer Spams
score KAM_APPDEV 9.0
#FAKE METAMASK
#FROM
header __KAM_FAKE_METAMASK1 From:name =~ /metamask/i
#CRYPTO
header __KAM_FAKE_METAMASK2 Subject =~ /wallet has been (suspended|limited|locked|disabled)/i
#NOT META
header __KAM_FAKE_METAMASK3 From:addr !~ /\@metamask\.com/i
#TASK
body __KAM_FAKE_METAMASK4 /Up(grade|date) (here|Now)|activate and verify|complete the migration/i
meta KAM_FAKE_METAMASK ( __KAM_FAKE_METAMASK1 + __KAM_FAKE_METAMASK2 + __KAM_FAKE_METAMASK3 + __KAM_FAKE_METAMASK4 >= 4 )
describe KAM_FAKE_METAMASK Fake MetaMask Crypto Notification
score KAM_FAKE_METAMASK 6.0
#FAKE SAISON WALLET
body __KAM_FAKE_SAISON1 /Saison Gold Premium|saison card/i
uri __KAM_FAKE_SAISON2 /\.cn(\/|$|\b)/i
meta KAM_FAKE_SAISON ( __KAM_FAKE_SAISON1 + __KAM_FAKE_SAISON2 + RDNS_NONE + SPF_SOFTFAIL >= 4)
describe KAM_FAKE_SAISON Fake Saison Notices
score KAM_FAKE_SAISON 6.0
#Google APPSHEET ABUSE
header __KAM_APPSHEET1 From:addr =~ /noreply\@appsheet\.com/i
meta KAM_APPSHEET ( __KAM_APPSHEET1 >= 1 )
describe KAM_APPSHEET Google AppSheet being abused by spammers
score KAM_APPSHEET 4.0
#Google Cloud Run Functions abuse
uri GB_CLOUDFUNCTIONS /https?:\/\/[a-z0-9\-]+\.cloudfunctions\.net\/app\/tracker\/.{8,128}\?redirect.{1,128}\.html?\?/i
describe GB_CLOUDFUNCTIONS Google Cloud Run Functions abused by spammers
score GB_CLOUDFUNCTIONS 2.0
#FAKE_META
#from
header __KAM_FAKE_META1 From:name =~ /Meta for Business/i
#subj
header __KAM_FAKE_META2 Subject =~ /(account|page) will be restricted/i
#messenger
uri __KAM_FAKE_META3 /messenger.com\/t\/\d+/i
meta KAM_FAKE_META ( __KAM_FAKE_META1 + __KAM_FAKE_META2 + __KAM_FAKE_META3 + FREEMAIL_FROM >= 4)
describe KAM_FAKE_META Fake Message from Meta for Business
score KAM_FAKE_META 6.0
#GITHUB
uri __KAM_GITHUB_USER_ATTACHMENT /github\.com\/user\-attachments\/assets\//i
meta KAM_GITHUB_USER_ATTACHMENT ( __KAM_GITHUB_USER_ATTACHMENT >= 1 )
describe KAM_GITHUB_USER_ATTACHMENT Email contains a github user attachment
score KAM_GITHUB_USER_ATTACHMENT 1.5
ifplugin Mail::SpamAssassin::Plugin::URIDetail
uri_detail GB_GITEXE_SOCIAL cleaned =~ /(?:bitbucket|github|gitlab)\.com\/.{8,128}\.exe$/i text =~ /Social Security/i
describe GB_GITEXE_SOCIAL "Social Security" link to a .exe file stored on a git public link
score GB_GITEXE_SOCIAL 3.0
endif
#SENDGRID
uri __KAM_SENDGRID_LINK /sendgrid\.net\/ls\/click/i
#FAKE CRYPTO
#CRYPTO
body __KAM_FAKE_CRYPTO1 /join our platform and start stak|tokens are waiting|Steth rewards|stake now/i
#SUBJ
header __KAM_FAKE_CRYPTO2 Subject =~ /claim your tokens|announcing OP \#\d|steth earnings/i
#FROM
header __KAM_FAKE_CRYPTO3 From =~ /lido finance|optimism newsletter/i
meta KAM_FAKE_CRYPTO ( __KAM_FAKE_CRYPTO1 + __KAM_FAKE_CRYPTO2 + __KAM_FAKE_CRYPTO3 + ( __KAM_SENDGRID_LINK + __KAM_GITHUB_USER_ATTACHMENT >= 1 ) >= 4)
describe KAM_FAKE_CRYPTO Fake Crypto Scam Email
score KAM_FAKE_CRYPTO 6.0
#KALENDAR - NOTE WE HAVE KALENDARAI as well as TALKINGHEADS rules as well
body __KAM_KALENDAR1 /introduce KalendarAI|(development|sales) at .?talkingheads|Veritex Exploration, Inc.|Flexcode software|Bywater street/i
body __KAM_KALENDAR2 /(director|VP|head) of (strategic|growth|sales|AI|regional AI)/i
body __KAM_KALENDAR3 /(reply \'stop\'|opt\-out of our campaigns)/i
meta KAM_KALENDAR ( __KAM_KALENDAR1 + __KAM_KALENDAR2 + __KAM_KALENDAR3 >= 3 )
describe KAM_KALENDAR Spams from KalendarAI / Talking Heads / Veritex Exploration / Flexcode Software
score KAM_KALENDAR 8.5
#AI AGENTS
body __KAM_AI_SOCIAL_AGENTS1 /Written by AI Social Agents/i
meta KAM_AI_SOCIAL_AGENTS ( __KAM_AI_SOCIAL_AGENTS1 >= 1 )
describe KAM_AI_SOCIAL_AGENTS AI Driven Spam Campaigns
score KAM_AI_SOCIAL_AGENTS 10.0
#PAYPAL FRAUD
header __KAM_PAYPAL_FRAUD1 From:addr =~ /\@paypal\.com/i
body __KAM_PAYPAL_FRAUD2 /Note from Seller.?.?Didn\'t make this order? Call|Note from.{5,110}Didn\'t make this order\? Call|don\'t recognize the seller\? quickly/i
header __KAM_PAYPAL_FRAUD3 Subject =~ /money request|invoice from/i
meta KAM_PAYPAL_FRAUD ( __KAM_PAYPAL_FRAUD1 + __KAM_PAYPAL_FRAUD2 + __KAM_PAYPAL_FRAUD3 >= 3)
describe KAM_PAYPAL_FRAUD Fraudulent Payment Scam
score KAM_PAYPAL_FRAUD 6.0
#E-BIKE
body __GB_EBIKE /\b(?:electric (?:bicycle|bike)s?|e\-bike|Elektromopeds)\b/i
meta GB_EBIKE ( ( NEW_PRODUCTS || CBJ_GiveMeABreak || YOUR_DELIVERY_ADDRESS || __DOS_DIRECT_TO_MX_UNTRUSTED || RDNS_NONE ) && __TAG_EXISTS_HEAD && __GB_EBIKE )
describe GB_EBIKE E-Bike spam
score GB_EBIKE 3.5
meta GB_EBIKE_ADDR ( GB_EBIKE && YOUR_DELIVERY_ADDRESS )
describe GB_EBIKE_ADDR E-Bike shipping spam
score GB_EBIKE_ADDR 1.0
#URI WITH ASTERISK
uri __GB_URI_ASTERISK1 /^https?:\/\/(?:\w+\.)?[\-\w]+\.(\w+|\w+\.\w{2})\/(?:\w{2,5}\/)?\*$/i
meta GB_URI_ASTERISK ( __GB_URI_ASTERISK1 >= 1 )
describe GB_URI_ASTERISK Short uris with an asterisk
score GB_URI_ASTERISK 6.75
#TALKINGHEADS
body __KAM_TALKINGHEADS1 /WebsiteTalkingHeads/i
body __KAM_TALKINGHEADS2 /AI Sales/i
meta KAM_TALKINGHEADS ( __KAM_TALKINGHEADS1 + __KAM_TALKINGHEADS2 >= 2 )
describe KAM_TALKINGHEADS TalkingHeads Spam
score KAM_TALKINGHEADS 3.0
#KALENDARAI
body __KAM_KALENDARAI1 /Sent from Kalendar.?AI/i
header __KAM_KALENDARAI2 List-Unsubscribe =~ /\/kriya\.ai\//
meta KAM_KALENDARAI ( __KAM_KALENDARAI1 + __KAM_KALENDARAI2 >= 1 )
describe KAM_KALENDARAI Sent from a known spammy source of KalendarAI
score KAM_KALENDARAI 7.0
#GOLD
#GOLD
body __KAM_GOLD1 /gold merchant/i
#HELPING SOMEONE
body __KAM_GOLD2 /sick (mother|father|uncle)/i
#ASK
body __KAM_GOLD3 /Assistance in transferring|investing the(se)? fund/i
#PLACE
body __KAM_GOLD4 /departure from ghana|fleeing Ukraine/i
meta KAM_GOLD ( __KAM_GOLD1 + __KAM_GOLD2 + __KAM_GOLD3 + __KAM_GOLD4 >= 4)
describe KAM_GOLD Funds to release treasure scam du jour
score KAM_GOLD 6.0
#SURLLIDATE
uri __KAM_SURLLI1 /https?:\/\/surl\.li\//i
#RELATIONSHIP
body __KAM_SURLLI2 /local relationship|looking for a man|dating platform|short distance relationship/i
meta KAM_SURLLI ( __KAM_SURLLI1 + __KAM_SURLLI2 + FREEMAIL_FROM >= 2 )
describe KAM_SURLLI Surli Dating Spam
score KAM_SURLLI 4.5
#FP_URI_TRY_3LD
#uri KAM_FP_URI_TRY_3LD /\/join\.slack\.com\//i
#describe KAM_FP_URI_TRY_3LD Offsetting a FP with Slack Join Links
#score KAM_FP_URI_TRY_3LD -2.0
#SOME 2TLD SERVICES ARE BAD
uri __KAM_SOME_2TLD_ARE_BAD1 /https?:\/\/.{3,32}\.(za|ru)\.com/i
meta KAM_SOME_2TLD_ARE_BAD ( __KAM_SOME_2TLD_ARE_BAD1 >= 1 )
describe KAM_SOME_2TLD_ARE_BAD Some 2TLD and hosting sites are bad
score KAM_SOME_2TLD_ARE_BAD 3.0
#google integration abuse
header __KAM_GOOGLEAPPINTEGRATION1 From:addr =~ /noreply\-application\-integration\@google.com/i
meta KAM_GOOGLEAPPINTEGRATION ( __KAM_GOOGLEAPPINTEGRATION1 >= 1 )
describe KAM_GOOGLEAPPINTEGRATION Abused Google Application Integration Address
score KAM_GOOGLEAPPINTEGRATION 3.0
header __KAM_APPINTEGRATIONFRAUD1 Subject =~ /American Airlines|cookware set|exclusive reward|cvs package/i
meta KAM_APPINTEGRATIONFRAUD ( __KAM_APPINTEGRATIONFRAUD1 + KAM_GOOGLEAPPINTEGRATION >= 2 )
describe KAM_APPINTEGRATIONFRAUD Google Application Integration Address being used for Fraud
score KAM_APPINTEGRATIONFRAUD 3.0
# Google Lookerstudio abuse
body __GB_SECURE_DOCUSIGN /Secure link to DocuSign/i
uri __GB_LOOKERSTUDIO /https?:\/\/lookerstudio\.google\.com/i
meta GB_LOOKERSTUDIO ( __GB_SECURE_DOCUSIGN && __GB_LOOKERSTUDIO && __GB_ANY_REDIR )
describe GB_LOOKERSTUDIO Google Lookerstudio abuse
score GB_LOOKERSTUDIO 2.5
# FAKE INVOICE
#Brand (Real or Fake)
header __KAM_PHISH_INVOICE1 From:name =~ /Microsoft (Global.?Payment|Billing|Payments|subscriptions)/i
#Brand/Product (Fakes)
body __KAM_PHISH_INVOICE2 /Microsoft.?Office.?(365 )?(team|Billing)|Microsoft office plus|Microsoft llc|security\@PayPal, Inc\.\.com|The PayPal, Llc\. Team|GeekFullProtection|microsoft+ premium|Microsoft Business Protection|Family WorkCloud|Microsoft.?office.?black|Norton PC Support, Inc|ArmorScan.?Pro|ThreatLock.?(Ult|Pro)|Total.?AV.?Defender|InvisiGuard.?Secure|Mc Afee, Inc|virusguard.?elite, Geeksquad, llc\.|Geeksquad life.?lock|Security Counsel Solutions subscription|Virusguard.?supreme|Mcafee PC Protection|Team Mcafee Repair|Geek Squad Security Plus Plan|Pay palLLC, Inc|PayPal,LLC Team|TotalShield Premium|Antivirus Shield Pro|(Product|Plan)\: (DefendGuardian|Secure lifeguards|Comprehensive Care Shield)|True.?cyber.?safe.?Security|Internet breach (gaurd|guard)|Mcafee (Genie|Antitrack)|Northon Team/i
header __KAM_PHISH_INVOICE3 Subject =~ /Microsoft.?.? Protection Plan/i
meta KAM_PHISH_INVOICE ( (__KAM_PHISH_INVOICE1 + __KAM_PHISH_INVOICE2 + __KAM_PHISH_INVOICE3 >= 1) + FREEMAIL_FROM >= 2 )
describe KAM_PHISH_INVOICE Brand Impersonation Phishing Invoice
score KAM_PHISH_INVOICE 8.5
# HELLOSIGN BAD
header __KAM_HELLOSIGN1 From:addr =~ /\@(mail\.)hellosign\.com/i
body __KAM_HELLOSIGN2 /Dropbox Sign team/i
meta KAM_HELLOSIGN ( __KAM_HELLOSIGN1 + __KAM_HELLOSIGN2 >= 2 )
describe KAM_HELLOSIGN Spammers abusing hellosign to send spam/phish
score KAM_HELLOSIGN 4.5
# 2IN1
body __KAM_2IN1_1 /DS18\-1215U|DS18\-N100|Alldocube|Ki1306/i
header __KAM_2IN1_2 Subject =~ /2\-in\-1|Ki1306 Laptop/i
meta KAM_2IN1 ( __KAM_2IN1_1 + __KAM_2IN1_2 >= 2 )
describe KAM_2IN1 2-IN-1 Computer Spam
score KAM_2IN1 8.0
# APP ABUSE
uri __KAM_APP_ABUSE_1 /\w\.(vercel\.app|netlify\.app|replit\.app|glitch\.me|page\.link|cloudfunctions\.net)\//i
meta KAM_APP_ABUSE ( __KAM_APP_ABUSE_1 >= 1 )
describe KAM_APP_ABUSE Rampant abuse of legitimate app builders in phishing scams. This is why we can't have nice things.
score KAM_APP_ABUSE 5.0
#EOF