#KAM.cf - SpamAssassin Rules
#
#Author: Kevin A. McGrail with contributions from Joe Quinn & Karsten Bräckelmann
#
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
# at https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#HomePage: http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
#
#This is a collection of special rules that I have developed and use on my system.
#
#The exact date is lost to the sands of time but we have been publishing this
#ruleset since at least May 2004.
#
#They are intended as live research for committal to SpamAssassin's SVN sandbox but
#often rely on my corpora so they do not fair well in masschecks.
#
#You are welcome and encouraged to email me directly regarding suggestions.
#
#To avoid being caught by our filters, False positives and negatives should be
#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#I believe the rules are safe and they are in use on production systems so I will
#do my best to respond to FPs *especially* if you can send me an email sample.
#
#This cf file is designed for systems with a threshold of 5.0 or higher.
#
#
#It is best to save an email sample in mbox format and zip it to attach to get
#around my filters. It is sometimes best to send samples in a second email so I
#know to go looking for it in my spam folders.
#
#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
# - I don't view many of my rules as single rules as I typically use meta rules.
# I view meta rules as multiple rules hence a larger score is acceptable.
#
# - Some content needs to be blocked either due to large number of complaints or
# for content. For example, the sexually explicit items and the stock tips.
# FPs in these rules will be quickly addressed.
#
#For a free anti-spam consultation, fill out the form at the following URL:
#https://raptor.pccc.com/free_spam_consultation.cgim
#
#Copyright (c) 2017 Kevin A. McGrail
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE: You might want to also grab a file we use of some various rules at
# https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf
# And realize that we have numerous internal rules so not every rule will be
# useful but we try and encapsulate those in a KAMOnly defined loop.
# COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
meta KAM_MM_FOREX __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
score KAM_MM_FOREX 2.5
describe KAM_MM_FOREX Polish-language spam from the Forex botnet
#PHISHING TEST
rawbody KAM_PHISH1 /u style="cursor: pointer"/
describe KAM_PHISH1 Test for PHISH that changes the cursor
score KAM_PHISH1 0.01
header __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank/i
body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert/i
body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form).htm/i
endif
meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
score KAM_PHISH4 3.5
describe KAM_PHISH4 Another phishing attempt
#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
body __KAM_REAL1 /(^|\b)RE market/is
body __KAM_REAL2 /(crashing|declining)/i
body __KAM_REAL3 /(vacation|second) (home|place)/is
meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe KAM_REAL Real Estate or Re-Finance Spam
score KAM_REAL 0.5
#REFINANCE SCAM EMAILS
header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
describe KAM_REFI Real Estate / Re-Finance Spam
score KAM_REFI 3.0
meta KAM_REFI2 (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
describe KAM_REFI2 Real Estate / Re-Finance Spam
score KAM_REFI2 2.75
#KAM ERADICATE DEBTS
body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is
meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe KAM_DEBT Debt eradication spams
score KAM_DEBT 2.5
meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe KAM_DEBT2 Likely Debt eradication spams
score KAM_DEBT2 1.0
#XtraSize+ Penis Enlargement Scam
header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i
meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
describe KAM_SILD Simple rule to block one more enhancement message
score KAM_SILD 5.0
#if (version < 3.002000)
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
# #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
# header __KAM_NUMBER1 Subject =~ /^\d+$/
# body __KAM_NUMBER2 /\d{1,6}/
# header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
#
# meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
# describe KAM_NUMBER Silly Number Emails
# score KAM_NUMBER 1.0
#endif
#KAM MEDICATION KAM_OVERPAY
body KAM_OVERPAY /O . V . E . R . P . A . Y/i
describe KAM_OVERPAY Common Medicinal Ad Trick
score KAM_OVERPAY 3.5
#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
body KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA1 3.0
#VIAGRA AD 2
body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA2 3.1
#VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
#body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
#describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
#score KAM_VIAGRA3 3.1
#VIAGRA AD 4
body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
body __KAM_VIAGRA_FPS /via gra|i augur/i
meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA4 3.1
#VIAGRA AD 5
body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA5 3.1
#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
#Also added a few more boundary checks thanks to Daniele Duca
body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header __KAM_VIAGRA6E From =~ /Viagra|Cialis(\b|$)/i
meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA6 3.1
#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
body __KAM_VIAGRA7A /V[ij]+AGRA/i
body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
body __KAM_VIAGRA7D /VAL[ij]+UM/i
meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA7 3.1
#VIAGRA AD 8
body __KAM_VIAGRA8A /VI...?AGRA/i
body __KAM_VIAGRA8B /AM...?BIEN/i
body __KAM_VIAGRA8C /VA...?LIUM/i
body __KAM_VIAGRA8D /CI...?ALIS/i
meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA8 5.1
#VIAGRA AD 9
body __KAM_VIAGRA9A /V[IL1]A..GRA/i
body __KAM_VIAGRA9B /AMB..IEN/i
body __KAM_VIAGRA9C /VAL..IUM/i
body __KAM_VIAGRA9D /C[IL1]A..LIS/i
meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA9 5.1
#VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
header __KAM_VIAGRA10A From =~ /male enhancement|mens.renewal/i
header __KAM_VIAGRA10B Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i
meta KAM_VIAGRA10 (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
describe KAM_VIAGRA10 Male enhancement spam with no content
score KAM_VIAGRA10 8.0
#NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
header __KAM_NITROXIN1A From =~ /nitroxin/i
meta KAM_NITROXIN1 (__KAM_NITROXIN1A >= 1)
describe KAM_NITROXIN1 Another variant of Viagra spam
score KAM_NITROXIN1 8.0
#RE[#] SPAM
#NOTE: Thanks to Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe KAM_RE Subject of Re[0]: etc prevalent in Spam
score KAM_RE 2.0
meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
score KAM_RE_PLUS 4.0
#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#thansk to Michael Denney for the FP report
header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is
meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
score KAM_HOODIA 3.0
#STOCK TIPS
##1 through 120 disabld 5-12-2014 due to age
##body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
##body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
##body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
##body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
##body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
##body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
##body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
##body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
##body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
###THANKS TO HOMER PARKER FOR THE FALSE POSSITIVE NOTE!
##body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
##body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
##body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
##body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
##body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
##body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
##body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
##body __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
##body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
##body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
##body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
##body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
##body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
##body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
##body __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
##body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
##body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
##body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
##body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
##body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
##body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
##body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
##body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
##body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
##body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
##body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
##body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
##body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
##body __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
##body __KAM_STOCKTIP39 /Premium Petroleum/is
##body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
##body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
##body __KAM_STOCKTIP42 /DPEK/i
###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
##body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
##body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
##body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
##body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
##body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
###DISABLED DUPLICATE OF 40
###body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
##body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
##body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
##body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
##body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
##body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
##body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
##body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
##body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
##body __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
##body __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
##body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
##body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
##body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
##body __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
##body __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
###DISABLED FOR FALSE POSITIVES AND AGE
###body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
##body __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
##body __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
##body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
##body __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
##body __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
##body __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
##body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
##body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
###FP FIXED THANKS TO Christopher X. Candreva
##body __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
##body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
##body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
##body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
##body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
##body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
##body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
##body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
##body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
##body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
##body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
##body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
##body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
##body __KAM_STOCKTIP89 /UTEV/i
##body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
##body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
##body __KAM_STOCKTIP92 /CBRJ/i
##body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
##body __KAM_STOCKTIP94 /GTAP/i
##body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
###FP FIXED THANKS TO BRETT GARRETT
##body __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
##body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
##body __KAM_STOCKTIP98 /PLMA/i
##body __KAM_STOCKTIP99 /CDYV/i
##body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
###Added boundary check thanks to Michael Denney
##body __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
##body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
##body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
##body __KAM_STOCKTIP104 /ASVP/is
##body __KAM_STOCKTIP105 /CHVC/is
##body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
##body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
##body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
##body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
###DUPLICATED STOCKTIP #51
###body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
##body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
###FP Fixed thanks to Greg Troxel
##body __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
##body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
###FP FIXED THANKS TO Antonio Falzarano
##body __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
##body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
##body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
##body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
###FALSE POSITIVE ON DANSREALESTATE.
##body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
##body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
##body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
#FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
body __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
#Added boundary check thanks to Michael Denney
body __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
body __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
body __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
body __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
body __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
body __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
body __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
#FP IN French email on 3/2/2017
#body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
body __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
body __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)B.?Z.?I.?C(\b|$)/is
body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
body __KAM_STOCKTIP151 /Alanco Tech/i
body __KAM_STOCKTIP152 /Siga Resources/i
body __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
body __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
body __KAM_STOCKTIP155 /Alanco Technologies/is
body __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
body __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
body __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
body __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
body __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
body __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
body __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
body __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
body __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
body __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
body __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
body __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Management|Quest Science Management Gate)(\b|$)/is
body __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
body __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[�b8][ ]?[o0][ ]?[l1]|Siymbol/i
body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
header __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
body __KAM_INSTOCK /in stock/i
# ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
meta KAM_STOCKTIP (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP157 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
score KAM_STOCKTIP 7.1
#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score __KAM_STOCK3 0.1
describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol
#GENERIC STOCK RULE
meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
score KAM_STOCKGEN 1.5
#KAM STOCK RULE #2
body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
body __KAM_STOCK2_3 /stock/i
body __KAM_STOCK2_4 /trader|investor|analyst|royalties/i
header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
header __KAM_STOCK2_6 From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i
meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
score KAM_STOCK2 2.5
describe KAM_STOCK2 Another Round of Pump & Dump Stock Scams
#JUDGEMENTS
body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body __KAM_JUDGE3 /collect your money/is
body __KAM_JUDGE4 /judgment/i
#FULL-WEIGHT
header __KAM_JUDGE5 Subject =~ /judgment/i
meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
score KAM_JUDGE 2.5
#MEDS
body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body __KAM_MED2 /\d\d ?%/
describe KAM_MED Economizing your meds spam
meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
score KAM_MED 1.5
#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
describe KAM_MED2 More Medical SPAM
meta KAM_MED2 (__KAM_MED2_1 >= 1)
score KAM_MED2 1.0
#TIME PIECE
header __KAM_TIME1 Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
#0.50 WEIGHTED TESTS
body __KAM_TIME2 /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header __KAM_TIME3 Subject =~ /(\b|^)(time|watch)(\b|$)/i
body __KAM_TIME4 /(\b|^)(time|watch)(\b|$)/i
body __KAM_TIME5 /(funny|low) price|treat.yourself/i
#REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
meta KAM_TIME __KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
score KAM_TIME 3.0
meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
describe KAM_TIMEGEO Email references geocities & wrist watch sales
score KAM_TIMEGEO 3.5
#YOUR HOME
body __KAM_HOME1 /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
body __KAM_HOME2 /Build your equity faster|refund is not reversible|rent.to.own/i
body __KAM_HOME3 /tax saving plans|\d+K Mortgage Credit|no.more.of/i
header __KAM_HOME4 From =~ /rent.?and.?own|rent.own.list/i
header __KAM_HOME5 Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i
meta KAM_HOME (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
describe KAM_HOME Mortage & Refinance Spam Rule
score KAM_HOME 3.5
#UNIVERSITY RULE
body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
body __KAM_UNIV5 /novelty (degree|use)/is
body __KAM_UNIV6 /verifiable University Degree/is
body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
body __KAM_UNIV8 /Career Path/is
body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[o�][i�]ce/is
body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
body __KAM_UNIV14 /(earn a|full) transcript/is
body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[e�]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body __KAM_UNIV18 /100% discrete/is
body __KAM_UNIV1B /\d (months|weeks)/i
body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[�o]me a do[c�]tor|get your diploma today)/is
body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
body __KAM_UNIV6B /DIP\sLOMA/
meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe KAM_UNIV Diploma Mill Rule
score KAM_UNIV 4.5
#URUNIT
body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
describe KAM_URUNIT Recent penile and body enhancement spams
score KAM_URUNIT 0.5
#UR ZEST
body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe KAM_URZEST Recent penile and body enhancement spams
score KAM_URZEST 3.0
#JOB LET GO
body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body __KAM_JOB2 /twice as much/is
meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
describe KAM_JOB People let go, work at home, earn billions!
score KAM_JOB 4.3
#PERIMETERPARK
body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
score KAM_PERPARK 2.5
#HOLLYWOOD WAY
body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
score KAM_HOLLY 2.5
#PUMP & DUMP STOCK GRAPHICS
header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
describe KAM_STOCKG Graphical Pump and Dump Scams
score KAM_STOCKG 3.0
#CEP Diploma Mill
body __KAM_CEP1 /Job Prospect Newsletter|training.workshop/i
body __KAM_CEP2 /legitimate verifiable degree|build a better you|domain.knowledge/i
body __KAM_CEP3 /Career Education program|customize a learning program|certified.instructor/i
body __KAM_CEP4 /(MBA|CEP)/
body __KAM_CEP5 /degree\/certificates|certification/i
body __KAM_CEP6 /\d (week|month)/i
header __KAM_CEP7 From =~ /certificate program/i
meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
describe KAM_CEP CEP Diploma Mill Rule
score KAM_CEP 3.5
#Commented since 3.2.0 is pretty old now
#if (version < 3.200000)
# #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
# meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
# describe KAM_BLANK01 Blank emails
# score KAM_BLANK01 1.0
#
# #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
# meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
# describe KAM_BLANK02 Blank emails with MTA Headers
# score KAM_BLANK02 1.0
#endif
#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
score KAM_GEO_STRING2 4.7
#KAM GOOGLE SPAM
uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
score KAM_GOOGLE_STRING 1.0
#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011
score KAM_MSNBR_REDIR 5.0
#KAM MSN SPAM
uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score KAM_MSN_STRING 2.5
#KAM LIVEJOURNAL SPAM
uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta KAM_LIVE (__KAM_LIVE1)
describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
score KAM_LIVE 1.0
#KAM PAGE.TL SPAM - idea from Benny Pedersen
uri __KAM_PAGE1 /^http:\/\/.{0,20}\.(page\.tl)/i
meta KAM_PAGE (__KAM_PAGE1)
describe KAM_PAGE Page.TL likely spam (Nov 2011)
score KAM_PAGE 2.0
# This rule is to mark emails using the exploit of the URI parsing
uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
score KAM_URIPARSE 7.0
#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
#describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
#score KAM_EBAYREDIR 7.0
# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
#
#
#What is the correct syntax for AOL e-mail addresses?
#The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
#Valid AOL e-mail addresses can not:
#Be shorter than 3 or longer than 16 characters.
#Begin with numbers.
#Contain punctuation of any kind (such as periods, underscores, or dashes).
#
#
#2017-10-24 upon evidence that AOL no longer follows their syntax.
#Awaiting an updated version however KAM predicts that with the merger that this
#is likely to accommodate other systems like Verizon coming under the same infrastructure.
#UPDATED 2018-02-20
#THANKS to Angel from 16bits for this research:
#Based on tests at https://i.aol.com/reg/signup shows:
#
#Username cannot
#
#a) "Be shorter than 3"
# This is being enforced: «Please make sure that the username field is at
#least 3 characters long
#
#b) or longer than 16 characters.
#The userName field has a maxlength of 32
#(intriguingly, there's also a hidden usernameEmail of up to 97
#characters)
#
#c) Begin with numbers.
#This is being enforced «Your username must begin with a letter.»
#
#d) Contain punctuation of any kind (such as periods, underscores, or
#dashes).
#Both periods and underscores are accepted (they are even offered in the
#dropbox), dashes are not.
#«Your username may not contain characters such as @, !, * or $.»
#
#Periods and underscores may not begin or end the username, or be
#consecutive (not between themselves), ie. these two characters may only
#appear when surrounded by alphanumeric ones.
#
#(this condition for periods actually comes from rfc5321, assuming you
#want to avoid quoting the local part)
#
#
#Basically, it seems they added . and _ to the allowed characters, and
#doubled the username size.
#
#
#The error messages at
#https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
#
#"Please make sure that the username field is at least 3 characters
#long."
#"Please make sure that the username field is at least 3 characters
#long."
#"Your username may not exceed "+regPageData.snMax+" characters."
#"Your username must begin with a letter."
#"Your username may not contain characters such as @, !, * or $.",
#"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
#"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
#"Usernames cannot end with a dot (.) or underscore (_)."
#"Usernames cannot have consecutive dots (..) or underscores (__)."
#
#"Please make sure that the email address is at least 3 characters long."
#"Your email address may not exceed 97 characters."
header __KAM_AOL From:addr =~ /\@aol\.(com|co\.uk)/i
# username portion must be between 3 & 16 chars, starting with a letter
header __KAM_GOODAOL1 From:addr =~ /^[a-z].{2,15}\@aol\.(com|co\.uk)/i
# certain punctuation not allowed - This is likely not exhaustive
header __KAM_BADAOL1 From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/
# no consectutive periods or underscores
header __KAM_BADAOL2 From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/
# cannot end with . or underscore
header __KAM_BADAOL3 From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i
meta KAM_BADAOL (__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
describe KAM_BADAOL Invalid AOL Address
score KAM_BADAOL 7.0
meta KAM_GOODAOL __KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL)
describe KAM_GOODAOL Valid AOL Email Address
score KAM_GOODAOL -1.0
# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header KAM_ADV_EMAIL From:addr =~ /adv\@/i
describe KAM_ADV_EMAIL Marks adv@<domain.com> Addresses as likely SPAM
score KAM_ADV_EMAIL 5.0
#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck)/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\#ck|F\*ck_|find milfs/i
header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
body __KAM_SEX_EXPLICIT6 /virus on a porn web/i
meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
score KAM_SEX_EXPLICIT 16.0
#SOLICITING AFFAIR SPAM
header __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
header __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
rawbody __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
rawbody __KAM_SEX_AFFAIR4 /looking.for.affair/i
meta KAM_SEX_AFFAIR (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
describe KAM_SEX_AFFAIR Subject or body soliciting an affair
score KAM_SEX_AFFAIR 8.0
#KAM_TELEWORK
body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
body __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
body __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
header __KAM_TELEWORK8 From =~ /training|online/i
meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
describe KAM_TELEWORK Stupid telework and training scams
score KAM_TELEWORK 3.0
#Changed to meta 2017-10-17
#2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|bid|press|top|date)$/i
uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|bid|press|top|date)($|\/)/i
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM + __KAM_SOMETLD_ARE_BAD_TLD_URI) >= 1
describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid & .date TLD Abuse
score KAM_SOMETLD_ARE_BAD_TLD 5.0
#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#TESTING RULE
body KAM_LOCAL_TEST1 /myspamtest12341234/
describe KAM_LOCAL_TEST1 This is a unique phrase to trigger a + score
score KAM_LOCAL_TEST1 50
#REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
score KAM_RPTR_FAILED 6.0
header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
score KAM_RPTR_SUSPECT 2.45
#REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
score KAM_RPTR_PASSED -1.0
header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#DWDTECHSPAM /ETC
header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
score KAM_RPTR_BADHOST 9.0
#CUSTOM SCORES THAT KAM LIKES
#score SARE_GIF_ATTACH 3.0
score CHARSET_FARAWAY_HEADER 1.6
score MIME_CHARSET_FARAWAY 1.25
score FH_FROM_CASH 2.0
score EWG_BAD_40 1.5
score EWG_BAD_47 1.5
score EWG_BAD_54 1.5
score FREEMAIL_ENVFROM_END_DIGIT 1.0
score FREEMAIL_REPLYTO 1.0
score KHOP_BIG_TO_CC 1.5
score URIBL_DBL_SPAM 5.0
score AC_HTML_NONSENSE_TAGS 4.0
#ENABLING DNSWL - BUG 6668
score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
score RCVD_IN_DNSWL_HI 0 -5 0 -5
#COMPLETE WHOIS IS DOWN
#score __RCVD_IN_WHOIS 0
#score RCVD_IN_WHOIS_INVALID 0
#score URIBL_COMPLETEWHOIS 0
#Custom subject whitelist
#header FRANCHISE_JERRY Subject =~ /: (Franchise Application|Request Franchise Information)$/i
#score FRANCHISE_JERRY -99.0
#describe FRANCHISE_JERRY Jerry's Franchise Application or Request
header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
describe KAM_INVALID_FROM From header missing host portion
score KAM_INVALID_FROM 4.0
#RAPTOR ALTERED EMAILS
body __KAM_RAPTOR1 /altered by our Raptor filters/i
header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
describe KAM_RAPTOR PCCC Raptor altered the email
score KAM_RAPTOR 3.5
#NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_PROXY 0
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
score __RCVD_IN_NJABL 0
if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
dns_query_restriction deny njabl.org
endif
#KAM Bad Attach
header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#KAM Bad Attach
header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#KAM Bad Attach
header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#KAM Bad Attach
header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
describe KAM_BADATTACH Mail contains a bad attachment
score KAM_BADATTACH 15.0
#RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
#score URIBL_RHS_DOB 0.0
else
# no KAMOnly, stub rules
meta KAM_RAPTOR 0
score KAM_RAPTOR 0
meta CBJ_GiveMeABreak 0
score CBJ_GiveMeABreak 0
meta KAM_RPTR_SUSPECT 0
score KAM_RPTR_SUSPECT 0
meta KAM_RPTR_FAILED 0
score KAM_RPTR_FAILED 0
meta KAM_RPTR_PASSED 0
score KAM_RPTR_PASSED 0
endif
#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
score KAM_6C822ECF 7.0
#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe KAM_MUSTREAD Subject indicative of a SPAM message
score KAM_MUSTREAD 1.25
body __KAM_DRILL1 /drilling/i
body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body __KAM_DRILL4 /(buy today|Check this deal out)/i
meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe KAM_DRILL Oil Drilling SPAM
score KAM_DRILL 1.5
#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
describe KAM_IFRAME Email contained Iframe, Object or Script tags
score KAM_IFRAME 1.0
body KAM_IFRAME2 /you need a browser with javascript/i
describe KAM_IFRAME2 Email contains phrase instructing javascript use
score KAM_IFRAME2 1.0
meta KAM_IFRAME3 (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
score KAM_IFRAME3 5.0
describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
#XEROX SCANS
header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR >= 2)
score KAM_XEROX 5.0
describe KAM_XEROX Likely Fake Xerox Attachment
else
# no KAMOnly, stub rules
meta KAM_IFRAME 0
score KAM_IFRAME 0
endif
#STUPID REMOVE "*" to make the link working.
body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
meta KAM_STAR (__KAM_STAR1 >= 1)
describe KAM_STAR Stupid Obfuscated Link SPAMs
score KAM_STAR 2.0
#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME.
body __KAM_SPAMKING1 /This advertisement is presented by/is
body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
score KAM_SPAMKING 1.0
#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
score KAM_SPAMJDR 2.0
meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
score KAM_COMBOJDR 5.0
#LOTTO CRUD
body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
body __KAM_LOTTO4 /(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
body __KAM_LOTTO5 /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)/is
body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email/is
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number)/i
header __KAM_LOTTO8 From =~ /Lottery|powerball|western.union/i
header __KAM_LOTTO9 Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
score KAM_LOTTO1 0.5
meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
score KAM_LOTTO2 1.0
meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
score KAM_LOTTO3 2.0
#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
body __KAM_ABOUT2 /Spyware/i
meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
describe KAM_ABOUT Email Scam Hawking Anti-Spyware
score KAM_ABOUT 1.0
#EMAIL ADVERTISING
body __KAM_ADVERT1 /email advertising|\d{3}%.roi/is
body __KAM_ADVERT2 /instant traffic (to your website|and sales)|demand.generation/is
body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i
meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
score KAM_ADVERT 2.5
#DOMAIN ADVERTISING
body KAM_ADVERT3 /AllExpiringDomains.com/i
describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
score KAM_ADVERT3 5.0
#ADVERTISEMENT
rawbody KAM_ADVERT2 /(?:No longer interested in our offers|This (?: message| email)?is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a commercial message|This message brought to you|THIS EMAIL IS A COMMERCIAL SOLICITATION|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming)|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad-coresspondance/is
describe KAM_ADVERT2 This is probably an unwanted commercial email...
score KAM_ADVERT2 0.75
#ONE LINE ADVERTISEMENTS
body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe KAM_1LINE One liner SPAMs
score KAM_1LINE 2.5
#CAN SPAM
body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
score KAM_CANSPAM 1.0
#GIFTS / GIFT CARDS
body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
body __KAM_GIFT5 /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i
meta KAM_GIFT ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
describe KAM_GIFT Gift Card Scams
score KAM_GIFT 3.5
meta KAM_GIFT2 ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
describe KAM_GIFT2 Gift Card Scams
score KAM_GIFT2 3.5
#MYSTERY SHOPPER
body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
body __KAM_SHOP2 /Do you like to shop/is
body __KAM_SHOP3 /make money while you shop/is
meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe KAM_SHOP Mystery Shopper Scams
score KAM_SHOP 2.0
#FAST CASH
rawbody __KAM_FAST1 /make fast cash in real estate/is
meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
score KAM_FAST 1.8
#BIZ CARDS FREE!
body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe KAM_BIZ Free Business Card Emails
score KAM_BIZ 2.5
#FDA
body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
body __KAM_FDA3 /FDA Recall/i
meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
score KAM_FDA 0.5
#WEIGHT LOSS
body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i
#ANATRIM / GREEN TEA / CORTITHERM / ETC
body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i
meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT4 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
describe KAM_ANA Likely Weight-loss / Medical Spam
score KAM_ANA 3.0
meta KAM_ANA2 (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT4 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
describe KAM_ANA2 Higher probability of Weight-loss / Medical Spam
score KAM_ANA2 3.5
#REPLACE
body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
body __KAM_REP2 /www\s+[-!~\.]/i
body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
body __KAM_REP3_1 /\*omit empty spaces/is
body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe KAM_REPLACE Spams that use obfuscated URLs with instructions
score KAM_REPLACE 2.0
#EVEN MORE NIGERIAN SCAMS AND VARIANTS
body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i
meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe KAM_NIGERIAN Nigerian Scam and Variants
score KAM_NIGERIAN 2.5
#I LIKE YOUR SPAM
body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
body __KAM_LIKE4 /HTML code for the link/is
body __KAM_LIKE5 /I apologize if this message was sent, in error/is
meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe KAM_LIKE I like your website link exchange spam
score KAM_LIKE 2.0
#PUBLICLY AVAILABLE LISTS?
body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
score KAM_PUBLIC 9.0
#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
score KAM_SEX 7.0
meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)
#STUPID PICTURE SPAMS
body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
describe KAM_PIC Share Pictures and Chat SPAM
score KAM_PIC 3.5
meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)
#STUPID MAILING LIST SPAMS
body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
body __KAM_LIST3 /price\:|prices for our director/is
body __KAM_LIST4 /(?:database|list|[\d,]+ (total records|e-?mails))/is
body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i
describe KAM_LIST Mailing List Database SPAM
score KAM_LIST 3.0
meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)
#YET MORE DRUG SCAMS
body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
describe KAM_DRUG More Viagra, Medicine, et al Scams
score KAM_DRUG 2.5
meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)
#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
# I'D LIKE TO TEST THIS WITH ONE RULE BUT HAVEN'T FIGURED OUT HOW. RIGHT NOW, ONE URL THAT IS BAD
# AND ONE THAT IS GOOD WILL PASS :-( I'D LIKE TO FIX THAT
rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168|10\.)/i
rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
score KAM_BADIPHTTP 2.0
meta KAM_BADIPHTTP (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)
body __KAM_HIDDEN_URI1 /\[DOT\]com/is
body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe KAM_HIDDEN_URI URI obfuscation techniques
score KAM_HIDDEN_URI 4.0
#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody __KAM_INFOUSMEBIZ1 /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz)$/i
header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz)>?$/i
meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score KAM_INFOUSMEBIZ 0.75
describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware
# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
rawbody __KAM_OTHER_BAD_TLD1 /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
header __KAM_OTHER_BAD_TLD2 From:addr =~ /\.(click|work|rocks|science|club)$/i
header __KAM_OTHER_BAD_TLD3 Return-Path =~ /\.(click|work|rocks|science|club)>?$/i
meta KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score KAM_OTHER_BAD_TLD 0.75
describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs
#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice
score KAM_CARD 3.5
meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)
#INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
header __KAM_INSURE3 From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
body __KAM_INSURE4 /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i
describe KAM_INSURE Life, Health, Auto, etc. Insurance SPAMs
score KAM_INSURE 2.5
meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)
describe KAM_INSURE2 Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
score KAM_INSURE2 2.5
meta KAM_INSURE2 (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)
#HEALTH INSURANCE
body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i
describe KAM_HEALTH Health/Life Insurance Spam Emails
score KAM_HEALTH 3.0
meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)
#HEALTH INSURANCE
body __KAM_HEALTH2_1 /affordable health coverage/i
header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
describe KAM_HEALTH2 Health Insurance Spam Emails
score KAM_HEALTH2 3.0
meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)
#HEALTH INSURANCE
header __KAM_HEALTH3_1 Subject =~ /Term Life Coverage/i
header __KAM_HEALTH3_2 Subject =~ /\d\d\/mo/i
header __KAM_HEALTH3_3 From =~ /fidelity/i
describe KAM_HEALTH3 Term Life Insurance Spam
score KAM_HEALTH3 3.0
meta KAM_HEALTH3 (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)
#REAL ESTATE INVESTMENT SCAMS
body __KAM_REAL2_1 /(?:Property available|on the water|costa rica|mountain.top)/i
body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body __KAM_REAL2_4 /(?:home sites|raw land|vacation home|wooded.property)/i
body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i
describe KAM_REAL2 Real-estate investment scams
score KAM_REAL2 1.0
meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)
#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
ifplugin Mail::SpamAssassin::Plugin::PDFInfo
#Thanks to Ben Lentz for pointing out a lint error with this.
describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
score KAM_BADPDF 2.5
header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
score KAM_BADPDF1 2.5
meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
#2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
score KAM_BADPDF2 2.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
else
meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
endif
endif
#FAKE PDF READER/WRITE
body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
body __KAM_FAKEPDF2 /Reader 2010/is
header __KAM_FAKEPDF3 From =~ /adobe/is
header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
describe KAM_FAKEPDF Fake PDF Reader / Writer
score KAM_FAKEPDF 4.0
#VACU AND VARIOUS PHISHING SCAMS
#SUBJECTS
header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
#BANKS
body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
#BAD LINKS
rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
#STUPID STATEMENTS
body __KAM_PHISH2_4 /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
body __KAM_PHISH2_5 /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
body __KAM_PHISH2_6 /confirm your online banking details|payment.advice|online.fraud|billing.information/i
body __KAM_PHISH2_7 /extra security check|security.tip/i
describe KAM_PHISH2 Prevalent Phishing Scam emails
score KAM_PHISH2 2.0
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
#CRAZY HEX EMPTY MESSAGE
body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
header __KAM_HEX2 Subject =~ /^\d{5,6}$/
describe KAM_HEX Crazy Empty Hex Messages
score KAM_HEX 5.5
meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)
#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
header KAM_THEBAT X-Mailer =~ /The Bat!/i
describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
score KAM_THEBAT 1.9
#MAILER BUGS
body __KAM_MAILER1 /{!firstname_fix}/i
meta KAM_MAILER (__KAM_MAILER1 >= 1)
score KAM_MAILER 2.0
describe KAM_MAILER Automated Mailer Tag Left in Email
#YET ANOTHER NIGERIAN SCAM VARIANT
body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
body __KAM_CHECK2 /let me know when you recieve your money/i
describe KAM_CHECK Another Nigerian Bank Draft Scam
score KAM_CHECK 3.0
meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)
#SEE OPRAH LIVE!
body __KAM_OPRAH1 /airfare/i
body __KAM_OPRAH2 /hotel/i
body __KAM_OPRAH3 /oprah/i
header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
score KAM_OPRAH 2.5
meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)
#EBAY TIPS
body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
describe KAM_EBAY SPAMs re: eBay Auction Tips
score KAM_EBAY 3.5
meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)
#GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
body __KAM_GAS2 /We have a solution|save \d+ cents per gallon|competitive rewards/i
header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
header __KAM_GAS4 From =~ /gas/i
describe KAM_GAS SPAMs re: High Gas Prices
score KAM_GAS 4.5
meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)
#WEIRD BODY MESSAGES
body KAM_BODY /{_BODY_HTML}/i
score KAM_BODY 1.0
describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting
#FREE TV, SATELLITE, CABLE INTERNET, ETC
body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i
meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score KAM_TV 3.0
describe KAM_TV Free TV/Cable/etc. Scams
meta KAM_TV2 (KAM_TV + KAM_INFOUSMEBIZ >=2)
score KAM_TV2 3.5
describe KAM_TV2 Higher probability of Free TV/Cable/etc. Spams
#DEGREE SPAMS
body __KAM_CAREER1 /Hospitals need you|Medical Billing and Coding|medical.coding/is
body __KAM_CAREER2 /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
body __KAM_CAREER3 /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is
meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
score KAM_CAREER 5.0
describe KAM_CAREER Spam for Career/Diploma Mills
#NURSE SPAMS
header __KAM_NURSE1 From =~ /nursing|nurses|health.?care/i
header __KAM_NURSE2 Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
body __KAM_NURSE3 /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i
meta KAM_NURSE (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
score KAM_NURSE 3.0
describe KAM_NURSE Spam for Career/Diploma Mills
#PILLS
header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
score KAM_PILLS 4.0
describe KAM_PILLS Spam for scam pharmacy
#PILLS 2.0
header __KAM_PILLS2_1 From =~ /Enlarge|Men's Supplement/i
header __KAM_PILLS2_2 From =~ /Free Sample/i
meta KAM_PILLS2 (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
describe KAM_PILLS2 Male enhancement spams
score KAM_PILLS2 2.5
#ALTERNATE EMAIL
body __KAM_ALT1 /reply to my alternative E-?mail/is
meta KAM_ALT (__KAM_ALT1 >= 1)
score KAM_ALT 0.5
describe KAM_ALT Requests use of an alternate email which may indicate spam
#POLITICAL SPAMS
#AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
#Right vs Left
header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
header __KAM_POLITICS4 Subject =~ /alert:?.?election|^elect|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i
meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
score KAM_POLITICS 9.0
describe KAM_POLITICS Unsolicited Political E-Mails
#SPAMMING COMPANIES
#Wall Street Media
header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i
meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1)
score KAM_COMPANY1 5.0
describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be)
#MGM,LLC
body __KAM_COMPANY2_1 /Member Services MGM, LLC/is
meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1)
score KAM_COMPANY2 5.0
describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be)
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
#PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
#Thanks to AXB for his help with these!
#2013-10-09 Note
#
#These RBL's below can contain domains that can cause collateral damage.
#We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
#And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
#The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
#Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
#However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
#Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
#Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com
if (version >= 3.003000)
#HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
util_rb_2tld ning.com
util_rb_2tld mygbiz.com
util_rb_2tld web.com
util_rb_2tld onmicrosoft.com
util_rb_2tld online.de
util_rb_2tld wix.com
util_rb_2tld netdna-cdn.com
util_rb_2tld dreamhost.com
util_rb_2tld noip.us
util_rb_2tld mmsend.com
util_rb_2tld cu-portland.edu
util_rb_2tld jimdo.com
util_rb_2tld doesphotography.com
util_rb_2tld isteaching.com
endif
# allow URI rules to look at DKIM headers if they exist and our SA version supports it
if (version >= 3.0040001)
parse_dkim_uris 1
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#BAD URI IN BODY
urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. A 127.0.0.4
body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC')
describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
tflags KAM_BODY_URIBL_PCCC net
score KAM_BODY_URIBL_PCCC 9.0
if (version >= 3.004001)
#BAD URI IN FROM
#all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
header KAM_FROM_URIBL_PCCC eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.0.4')
describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
tflags KAM_FROM_URIBL_PCCC net
score KAM_FROM_URIBL_PCCC 9.0
endif
#MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS
urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32
body KAM_BODY_MARKETINGBL_PCCC eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
describe KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags KAM_BODY_MARKETINGBL_PCCC net
score KAM_BODY_MARKETINGBL_PCCC 0.001
if (version >= 3.004001)
#MARKETING IN FROM
header KAM_FROM_MARKETINGBL_PCCC eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.0.32')
describe KAM_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags KAM_FROM_MARKETINGBL_PCCC net
score KAM_FROM_MARKETINGBL_PCCC 0.001
meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
score KAM_MARKETINGBL_PCCC 1.0
endif
endif
if (version >= 3.004001)
#Compromised URI - In Body
urirhssub KAM_BODY_COMPROMISED_URIBL_PCCC wild.pccc.com. A 127.0.1.2
body KAM_BODY_COMPROMISED_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
describe KAM_BODY_COMPROMISED_URIBL_PCCC Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
tflags KAM_BODY_COMPROMISED_URIBL_PCCC net
score KAM_BODY_COMPROMISED_URIBL_PCCC 9.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#Contains a likely good URI but otherwise compromised by malware/hackers
header KAM_FROM_COMPROMISED_URIBL_PCCC eval:check_rbl_from_domain('pccc', 'wild.pccc.com.', '127.0.1.2')
describe KAM_FROM_COMPROMISED_URIBL_PCCC From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
tflags KAM_FROM_COMPROMISED_URIBL_PCCC net
score KAM_FROM_COMPROMISED_URIBL_PCCC 9.0
endif
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#Received - Currently disabled for more research on FPs
#header KAM_RCVD_URIBL_PCCC eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
#describe KAM_RCVD_URIBL_PCCC Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
#tflags KAM_RCVD_URIBL_PCCC net
#score KAM_RCVD_URIBL_PCCC 5.0
#Reply-to
#NO SOLUTION - Would make a Good Bugzila for a FR
#Test for any hits on PCCC URIBL Rules
meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1)
endif
#Test for URIBL Black and Spamhaus DBL per discussion ith Alex Broens
meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM)
describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL
score KAM_VERY_BLACK_DBL 5.0
endif
#EMAIL BLACKLIST CHECK FOR PCCC RBL
ifplugin Mail::SpamAssassin::Plugin::EmailBL
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#uses emailbl -all which is the same as -headers and -bodysafe
header KAM_MESSAGE_EMAILBL_PCCC eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
describe KAM_MESSAGE_EMAILBL_PCCC Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
tflags KAM_MESSAGE_EMAILBL_PCCC net
score KAM_MESSAGE_EMAILBL_PCCC 5.0
endif
endif
#FAKERBL MX RELATED RULES
header __KAM_MX1 Reply-To =~ /\@mx\d+\./i
header __KAM_MX2 Return-Path =~ /\@mx\d+\./i
header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
# Thanks to Markus Clardy for feedback!
header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i
meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
describe __KAM_MX Odd prevalence of mx records associated with the FAKERBL Spammers
#CHANGED KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_MX (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
score KAM_MX 4.0
describe KAM_MX Spammers and MX Rule
endif
meta KAM_MXINFO (__KAM_MX5)
score KAM_MXINFO 1.0
describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers
#BAD ADDRESS / COMPANY NAMES
#FINISHED URL CLEANUP BUT MOST URLS MOVED TO PCCC URIBL
body __KAM_ADDRESS1 /204 N. El Camino Real|CocoMedia|17 Patchogue Road|1128-274 Royal Palm Beach|(848|500) N. Rainbow Dr. Ste \#?(2511|300)|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|8001 Irvine Center Dr|American Arbitration Association, 1633 Broadway|\+962 79 668 2974|7025 County Rd. 46A|1001 E.Hillsdale Blvd|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|WhatsApp Inc|Streetdirectory Pte Ltd|4399 Church Street, Brooklyn|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|DLF Cyber City Gurgaon India|4447 N Central Expressway, Office \#110|5401 Hangar Court|Pimsleur Approach|1600 JFK Boulevard, 3rd|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|10620 Southern Highlands|Ashray Medical Center|Bethany Christian Services|Ashland.Avenue.{0,4}95761|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|320 S. Lemon Blvd \# 1803|1063 (suite.)?([\#\d]+.)?King St|8 White Ln. Mansfield|Momentum.Ads|PO Box 29502 \#24912 Las Vegas|2383.Mystic Dr..Sarasota.FL|1107 Valeria Dr, Marion|321 N Central Expressway Suite 341|PO Box 540488 Houston|Post Office Box 4668 NY|9100 Wilshire Blvd. East Tower Penthouse|Headquarters, 18 True Tower Building|111 Customer Way, Irving|B a y t o w n, TX|adilizer..?com Post.Office.Box 540488|353 Chadwick Pl Fairborn|PO.?Box.295[O0]2.Las.?Vegas|1103 St. Michel|Suite 115-243, San Diego|100 E. Campus View|(3.?2.?0.?5|three two zero five)..?L.?a.?k.?e.S.?a.?r.?a.?h|100 RITCHIE ROAD|M i n n e s o t a|3801 D..?o..?w..?n..?s..?W..?a..?y|515 Oaklane McPherson|74.Lancaster..?RD|202.Albion|One Kimeric Ln|302 Washington St|One.One.Eight.Jason.Ln|PO.Box.227.Moran|V a l e r i a|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC|Scott Walker Inc. Testing the Waters|CARLY for America|Scott Walker for America|Jeb 2016, Inc/i
header __KAM_ADDRESS2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i
meta KAM_ADDRESS (__KAM_ADDRESS1 + __KAM_ADDRESS2 >= 1)
score KAM_ADDRESS 13.0
describe KAM_ADDRESS Addresses and Companies prevalent in spams
# END SPAMMING COMPANIES
#GRASS SEED
header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i
header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i
meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
score KAM_GRASS 2.5
describe KAM_GRASS Spammers hawking lawn products
#PED EGG / BELISI / SKIN PRODUCTS
header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i
meta KAM_SKIN (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
score KAM_SKIN 3.5
describe KAM_SKIN Spammers hawking skin/medical/foot products
meta KAM_SKIN2 (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
score KAM_SKIN2 2.5
describe KAM_SKIN2 Spammers hawking skin/medical/foot products
#NEW CAR / WARRANTY SCAMS
header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
header __KAM_CAR4 From =~ /warranty|lender|clearance/i
meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
score KAM_CAR 2.0
describe KAM_CAR Spammers hawking new car, insurance or warranties
# MORE NEW CAR SPAMS
header __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
header __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
body __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i
meta KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
describe KAM_AUTO Spam for new cars
score KAM_AUTO 4.5
#HOME WARRANTY SPAMS
header __KAM_WARRANTY1 Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i
body __KAM_WARRANTY2 /Protect your home|choice home warranty|unexpected repair/i
body __KAM_WARRANTY3 /home warrant|complimentary insurance quote/i
header __KAM_WARRANTY4 From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i
meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
score KAM_WARRANTY 1.5
describe KAM_WARRANTY Spammers hawking home warranties
meta KAM_WARRANTY2 (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
score KAM_WARRANTY2 3.5
describe KAM_WARRANTY2 Spammers pushing home warranties
meta KAM_WARRANTY3 (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
score KAM_WARRANTY3 1.5
describe KAM_WARRANTY3 Spammers hawking home warranties
#AWESOME AUGER
header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i
body __KAM_AUGER2 /Awesome Auger/i
meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2)
score KAM_AUGER 4.0
describe KAM_AUGER Spammers hawking Awesome Augers?!?
#MOVIE EXTRA
header __KAM_MOVIE1 Subject =~ /Movie Extra/i
body __KAM_MOVIE2 /Movie Extra/i
meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
score KAM_MOVIE 3.0
describe KAM_MOVIE Spammers hawking Movie Extra positions
#DEBT COLLECTION
header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i
body __KAM_COLLECT2 /No Fee/i
body __KAM_COLLECT3 /collection professionals/i
body __KAM_COLLECT4 /recovery rate/i
meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
score KAM_COLLECT 5.0
describe KAM_COLLECT Spammers hawking debt collection
#SEARCH ENGINE SPAM
header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.service|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health/i
body __KAM_SEARCH2 /search engine|SEO|bring.traffic|business.development/i
body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on/i
body __KAM_SEARCH4 /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry/i
rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution/i
meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score KAM_SEARCH 5.0
describe KAM_SEARCH Spammers hawking SEO
#SEO
header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service/i
body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
body __KAM_SEO3 /never find your web site|major search engines|link.building|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website/i
body __KAM_SEO4 /No upfront fees|SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking/i
body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top/i
body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion/i
uri __KAM_SEO7 /./ # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + __KAM_FREEMAIL + KAM_ADVERT2 >= 5)
score KAM_SEO 7.0
describe KAM_SEO Spammers hawking SEO
#ABUSED FREEMAIL ACCOUNTS
header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
meta __KAM_FREEMAIL (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
#LINGERIE VIDEOS
header __KAM_LINGERIE1 From =~ /lexi campbell/i
header __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
header __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
body __KAM_LINGERIE4 /Exotic modelling videos/i
meta KAM_LINGERIE (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
score KAM_LINGERIE 10.0
describe KAM_LINGERIE Sexually Explicity Lingerie Spam
#WEB DESIGN
header __KAM_WEB1 Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i
body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
body __KAM_WEB3 /Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i
meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
score KAM_WEB 4.0
describe KAM_WEB Web design spams
#DOMAIN NAME AND OTHER RELATED SPAMS
body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
header __KAM_DOMAIN4 From =~ /domain|submit.site/i
header __KAM_DOMAIN5 Subject =~ /\.com$/i
meta KAM_DOMAIN (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3)
score KAM_DOMAIN 8.5
describe KAM_DOMAIN Domain Selling Spams
#MEDICAL TOURISM SPAM
body __KAM_MEDTOUR1 /medical.tourism/i
body __KAM_MEDTOUR2 /lowest cost in India/i
header __KAM_MEDTOUR3 Subject =~ /Medical.Tourism/i
meta KAM_MEDTOUR (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
score KAM_MEDTOUR 3.0
describe KAM_MEDTOUR Medical Tourism Spam
#ACNE SPAM
header __KAM_ACNE1 Subject =~ /Proactiv/i
header __KAM_ACNE2 From =~ /Acne/i
body __KAM_ACNE3 /proactiv/i
body __KAM_ACNE4 /Online Gift Rewards/i
meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
score KAM_ACNE 5.0
describe KAM_ACNE Spammers hawking Acne products
#SOFTWARE SPAM
header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i
header __KAM_SOFTWARE2 From =~ /registry/i
body __KAM_SOFTWARE3 /Fix file errors/i
body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i
meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
score KAM_SOFTWARE 5.0
describe KAM_SOFTWARE Spammers hawking Software products
#NIGERIAN SCAM SCAN
header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director|former.minister|gold.dealer/i
body __KAM_NIGERIAN2_3 /high court|central bank|payment center|customs?.officer/i
body __KAM_NIGERIAN2_4 /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft|oil.and.gas/i
body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
body __KAM_NIGERIAN2_7 /bank|smuggle/i
body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i
meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
score KAM_NIGERIAN2 5.0
describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam.
#MEDICAL
body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
body __KAM_MEDICAL2 /Safe - Natural - Effective/i
header __KAM_MEDICAL3 From =~ /Medical/i
header __KAM_MEDICAL4 Subject =~ /Medical Billing/i
meta KAM_MEDICAL (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
score KAM_MEDICAL 4.0
describe KAM_MEDICAL Misc medical spam
#EAR RINGING
body __KAM_TINNI1 /TinniFix/i
body __KAM_TINNI2 /Stop the ringing in your ears/i
header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i
meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
score KAM_TINNI 5.0
describe KAM_TINNI Another Medical Scam
#GIVEAWAY
body __KAM_GIVE1 /receive your gift/i
body __KAM_GIVE2 /laptop giveaway|deliver your dell.? laptop/i
body __KAM_GIVE3 /answering a short survey/i
body __KAM_GIVE4 /verify your shipping address/i
meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
score KAM_GIVE 4.0
describe KAM_GIVE Free stuff "giveaway" scam
#GOVERNMENT MONEY
header __KAM_GOVT1 Subject =~ /Government Funding/i
body __KAM_GOVT2 /government funding/i
body __KAM_GOVT3 /complimentary information kit/i
body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i
meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
score KAM_GOVT 4.0
describe KAM_GOVT Your tax dollars at work scam...
#RBL TRUST RULES
meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2)
score KAM_RBL 2.0
describe KAM_RBL Higher scores for hitting multiple trusted RBLs
#KAM CNN
header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i
meta KAM_CNN (__KAM_CNN1 == 1)
score KAM_CNN 2.0
describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams
#SNUGGIE BLANKETS / SHAM WOW
header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i
header __KAM_SHAM2 From =~ /Sham ?Wow/i
body __KAM_SHAM3 /ShamWow/i
body __KAM_SHAM4 /20(X| times) its weight/i
meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
score KAM_SHAM 2.0
describe KAM_SHAM More product scams...
#SANTA LETTERS
header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i
body __KAM_SANTA3 /the .?perfect.? gift|personalized letter/i
meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
score KAM_SANTA 3.5
describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam...
#WORK FOR / LEARN GOOGLE
header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i
header __KAM_GOOGLE5 From =~ /Google Money/i
meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
score KAM_GOOGLE 3.5
describe KAM_GOOGLE Google Pyramid Scams
#SECURITY / ALARM
header __KAM_ALARM1 Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
body __KAM_ALARM2 /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
rawbody __KAM_ALARM3 /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
header __KAM_ALARM4 From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i
meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
score KAM_ALARM 4.5
describe KAM_ALARM Security and Alarm Company Spams
rawbody __KAM_ALARM5 /gaylord/i
meta KAM_ALARM2 (KAM_ALARM && __KAM_ALARM5)
score KAM_ALARM2 2.5
describe KAM_ALARM2 High Probability of Security and Alarm Company Spams
#SELL CARDS
header __KAM_SELL1 Subject =~ /Market Credit Cards/i
body __KAM_SELL2 /Easy Money/i
body __KAM_SELL3 /Selling Credit Cards/i
meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
score KAM_SELL 3.5
describe KAM_SELL Selling Cards Marketing Scams
#WHITEN TEETH
header __KAM_WHITEN1 Subject =~ /whiten your teeth/i
body __KAM_WHITEN2 /whitener/i
body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i
meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
score KAM_WHITEN 3.5
describe KAM_WHITEN Teeth Whitening Scams
#URONLINE
body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i
meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
score KAM_URONLINE 4.5
describe KAM_URONLINE Chat Scams
#TIMESHARE
body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
header __KAM_TIMESHARE3 Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
header __KAM_TIMESHARE4 From =~ /Resort.*sales|timeshare/i
meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
score KAM_TIMESHARE 4.0
describe KAM_TIMESHARE Timeshare Scams
#AQUA GLOBE
body __KAM_AQUA1 /Aqua Globe/is
body __KAM_AQUA2 /watering your plants/is
body __KAM_AQUA3 /while on vacation/is
header __KAM_AQUA4 Subject =~ /Waters your Plants/i
meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score KAM_AQUA 3.0
describe KAM_AQUA Spams of yet another product du jour
#GEVALIA
body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
body __KAM_GEVALIA3 /No Further Obligation/is
header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score KAM_GEVALIA 3.0
describe KAM_GEVALIA Spams of yet another product du jour
#SIMPLYINK
body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i
meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
score KAM_INK 4.0
describe KAM_INK Spams of yet another product du jour
meta KAM_INK2 (KAM_INK + KAM_INFOUSMEBIZ >= 2)
score KAM_INK2 3.0
describe KAM_INK2 Spams for Ink refills
#TITAN PEELER
body __KAM_PEEL1 /Titan Peeler/is
header __KAM_PEEL2 From =~ /Titan Peeler/i
header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score KAM_PEEL 3.0
describe KAM_PEEL Spams of yet another product du jour
#HTML EMAIL REQUIRING IMAGES?
rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is
#RATWARE
header __KAM_RAT1_1 From =~ /\@fromname\@/i
header __KAM_RAT1_2 Subject =~ /(\[FName\]|\%\{AUTOVALS)/i
meta KAM_RAT1 (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
score KAM_RAT1 5.0
describe KAM_RAT1 Variable Replacements Indicative of RatWare/Mass Mailing
body __KAM_RAT2_1 /job description/i
body __KAM_RAT2_2 /dear shopper/i
header __KAM_RAT2_3 From =~ /mystery/i
meta KAM_RAT2 (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
score KAM_RAT2 5.0
describe KAM_RAT2 Another ratware mistake, uninterpolated text
#TITAN EGGER
body __KAM_EGG1 /Egg Genie/is
header __KAM_EGG2 From =~ /Egg Genie/i
header __KAM_EGG3 Subject =~ /medium eggs/i
meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score KAM_EGG 3.0
describe KAM_EGG Spams of yet another product du jour
#USBDRIVES
body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
body __KAM_USB2 /person (that|who) handles the promotions/i
body __KAM_USB3 /usbsmg.com/i
meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score KAM_USB 4.0
describe KAM_USB USB Promotion Spammer
#GOVT GRANT
body __KAM_GRANT1 /government grant/i
body __KAM_GRANT2 /find out if you qualify/i
body __KAM_GRANT3 /discontinue from this promotion/i
meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score KAM_GRANT 5.0
describe KAM_GRANT Government Grant Scams
#SEX SCAMS
#MEDICINE REFERENCES
body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
#BED REFERENCES
body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
#SUBJECT REFERENCES
header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
#SEXUAL REFENCES
body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality/is
meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score KAM_SEX04 10.0
describe KAM_SEX04 Sexually Explicit SPAM
meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score KAM_SEX04_2 2.0
describe KAM_SEX04_2 Likely Sexually Explicit SPAM
#SEX SCAMS ROUND 5
header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score KAM_SEX05 5.0
describe KAM_SEX05 Sexually Explicit SPAM
#FOOTBALL CLUB SPAMS
header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
header __KAM_FOOTBALL2 From =~ /Football/i
body __KAM_FOOTBALL3 /Mercato/i
body __KAM_FOOTBALL4 /Football/i
meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score KAM_FOOTBALL 4.0
describe KAM_FOOTBALL Spammy Football Club
#DISH NETWORK SPAMS AND OTHER TV SPAM
header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
rawbody __KAM_DISH3 /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i
meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score KAM_DISH 4.0
describe KAM_DISH Dish Network Spams
meta KAM_DISH2 (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
score KAM_DISH2 4.0
describe KAM_DISH2 Dish Network Spams
#IDENTITY NETWORK
header __KAM_IDENTNET1 From =~ /\@identitynetwork.net/i
body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score KAM_IDENTNET 8.0
describe KAM_IDENTNET Identity Network Spams
#HONEYPOT HITS
#body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
#header __KAM_HONEY2 From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i
#meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
#score KAM_HONEY 12.0
#describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means
#MEDIA DUCHESS
header __KAM_DUCHESS1 Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
header __KAM_DUCHESS2 From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody __KAM_DUCHESS4 /duchess/i
rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body __KAM_DUCHESS6 /For account number:/i
meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score KAM_DUCHESS 5.0
describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images
#UPS
header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
body __KAM_UPS3 /invoice copy attached/i
meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score KAM_UPS 6.0
describe KAM_UPS UPS doesn't send invoices with delivery problem notes
#Free Calls
header __KAM_SKYPE1 Subject =~ /Free Calls/i
header __KAM_SKYPE2 Received =~ /releasesourcek.com/i
header __KAM_SKYPE3 From =~ /VOIP News/i
body __KAM_SKYPE4 /Promo Code: \d/i
meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score KAM_SKYPE 5.0
describe KAM_SKYPE Skype/Voip scams likely to spread malware
#OWA/EMAIL PHISH
rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i
score KAM_OWAPHISH1 6.0
describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing
#MORE DRUG SPAM - 2009-05-03
header __KAM_DRUG2_1 Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i
header __KAM_DRUG2_2 Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i
body __KAM_DRUG2_3 /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i
body __KAM_DRUG2_4 /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i
body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
header __KAM_DRUG2_8 From =~ /aquaflexin/i
meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
score KAM_DRUG2 3.5
describe KAM_DRUG2 More online Drug Scams
meta KAM_DRUG2_2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
score KAM_DRUG2_2 3.0
describe KAM_DRUG2_2 Higher Certainty of Drug Scam
meta KAM_SEXSUBJECT __KAM_DRUG2_1
score KAM_SEXSUBJECT 2.0
describe KAM_SEXSUBJECT Sexually Explicit Subject
#RUSSIAN WIFE/BRIDE SCAMS
header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian) ?(single|women|bride|lad(y|ies)|babe)/i
body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian) (women|beauties)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl/i
header __KAM_WIFE3 From =~ /Russian.?Dat|russian.?bride|Russian.?single|russian.?women|asian.?beauties/i
meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score KAM_WIFE 8.0
describe KAM_WIFE Mail order bride scams
#PRODUCT SCAMS
header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
body __KAM_PRODUCT2 /phones for discerning individuals/i
meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
score KAM_PRODUCT 3.0
describe KAM_PRODUCT Product scams often used with MSN/Live URIs
#SPACES / LIVE / MSN / ETC. SCAMS
meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score KAM_LIVEURI2 3.0
describe KAM_LIVEURI2 More online Scams + Known URI
#WEBS.COM
uri KAM_WEBS /.{3,25}\.webs.com/i
score KAM_WEBS 0.5
describe KAM_WEBS webs.com links used in Spams
#IMAGESHACK SWF Files
uri KAM_BADSWF /imageshack.us\/.{3,25}.swf$/i
score KAM_BADSWF 3.0
describe KAM_BADSWF SWF embedded links in Email Scams
#EXE LINK
uri KAM_EXEURI /.exe$/i
score KAM_EXEURI 0.5
describe KAM_EXEURI EXE embedded link
#SETTINGS FILE PHISH
header __KAM_SETTING1 Subject =~ /settings file|maintenance!!/i
body __KAM_SETTING2 /security upgrade|Maintenance Process on our email system /i
body __KAM_SETTING3 /settings?.zip/i
meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
score KAM_SETTING 2.5
describe KAM_SETTING Phishing scams w/Setting Files or Webmail
#Fixed small misspelling thanks to Jameel Akari
meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score KAM_SETTING2 4.0
describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link
#FARM SPAM
header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
header __KAM_FARM2 From =~ /blueberr|tomato|DIY|garden/i
body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score KAM_FARM 4.0
describe KAM_FARM Farming related Spams
#MX URI - Scored lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
score KAM_MXURI 1.5
describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]
#FLASH PLAYER
body __KAM_FLASH1 /Flash Player Code: \d\d/i
body __KAM_FLASH2 /Flash Player Update/i
header __KAM_FLASH3 Subject =~ /Flash Player/i
header __KAM_FLASH4 Subject =~ /activation code/i
header __KAM_FLASH5 From =~ /Flash Player/i
meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score KAM_FLASH 4.0
describe KAM_FLASH Fake Flash Player Phishing Scam
#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#FAKE ADWORDS
body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
header __KAM_ADWORD2 From =~ /adwords.com|salesdirect.com/i
header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
meta KAM_ADWORD (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
score KAM_ADWORD 10.0
describe KAM_ADWORD Fake Adword Campaign notices
endif
#DON NOB & WORK FROM HOME SCAMS
header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score KAM_DON 6.0
describe KAM_DON Work at Home Scams
meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score KAM_DON2 4.0
describe KAM_DON2 Egregious Work at Home Scams
#GINA SCAMS
header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
header __KAM_GINA2 Subject =~ /GINA deadline/i
body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
score KAM_GINA 6.0
describe KAM_GINA Employment Poster Marketing Spams
#TAX SCAMS
header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i
meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score KAM_TAX 2.5
describe KAM_TAX Tax Filing Scams
meta KAM_TAX2 (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
score KAM_TAX2 2.5
describe KAM_TAX2 Higher Probability of Tax Filing Scams
#SEX SCAM
body __KAM_SEX06_1 /more fire and passion/i
meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score KAM_SEX06 5.0
describe KAM_SEX06 Sexual Stimulant Spam
#DOG BARK AND OTHER DOG SPAM
body __KAM_BARK1 /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
header __KAM_BARK2 Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
header __KAM_BARK3 From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i
meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score KAM_BARK 3.5
describe KAM_BARK Dog Product Scam
#CASINO SPAM
body __KAM_CASINO1 /Elite World Casino/i
body __KAM_CASINO2 /Online Casino/i
header __KAM_CASINO3 Subject =~ /chances to win/i
meta KAM_CASINO (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
score KAM_CASINO 3.5
describe KAM_CASINO Online Casino Spam
#TWITTER PHISHING
header __KAM_TWIT1 From =~ /twitter/i
header __KAM_TWIT2 Subject =~ /twitter \d{3}-\d{2}/i
meta KAM_TWIT (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
score KAM_TWIT 10
describe KAM_TWIT Twitter bogus phishing emails
#FACEBOOK PHISHING
header __KAM_FACE1 From =~ /password/i
header __KAM_FACE2 Subject =~ /reset your facebook/i
header __KAM_FACE3 X-Mailer =~ /Zuckmail/i
meta KAM_FACE (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
score KAM_FACE 10
describe KAM_FACE Facebook bogus phishing emails
header __KAM_PHISH3_1 Subject =~ /account notification/i
body __KAM_PHISH3_2 /accessed by someone else./
meta KAM_PHISH3 (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
score KAM_PHISH3 4
describe KAM_PHISH3 Phishing emails for account notification
#GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
body __KAM_CLICK /Please click on the link below|Copy and paste this link into your internet browser/i
#DIRECT BUY
header __KAM_DIRECT1 From =~ /Direct ?Buy|Wholesale/i
header __KAM_DIRECT2 Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
body __KAM_DIRECT3 /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
body __KAM_DIRECT4 /Direct.?Buy/i
meta KAM_DIRECT (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
score KAM_DIRECT 3.0
describe KAM_DIRECT DirectBuy Spam
#SWIPE BIDS
header __KAM_SWIPE1 From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
header __KAM_SWIPE2 Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
body __KAM_SWIPE3 /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
body __KAM_SWIPE4 /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i
meta KAM_SWIPE (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
score KAM_SWIPE 2.5
describe KAM_SWIPE SwipeBid Spam / Penny Auction Spams
meta KAM_SWIPE2 (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
score KAM_SWIPE2 1.0
describe KAM_SWIPE2 SwipeBid Spam / Penny Auction Spams
#WE THE SPAMMERS
header __KAM_WTA1 From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
body __KAM_WTA2 /Alliance for Retirement Prosperity Association|Social Security Institute/is
meta KAM_WTA (__KAM_WTA1 + __KAM_WTA2 >= 2)
score KAM_WTA 9.0
describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains
#SMOKELESS
body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
header __KAM_SMOKE2 Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
header __KAM_SMOKE3 From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
body __KAM_SMOKE5 /you have qualified/i
meta KAM_SMOKE (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
score KAM_SMOKE 4.5
describe KAM_SMOKE Smokeless cigarette and quitting spam
meta KAM_SMOKE2 (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
score KAM_SMOKE2 3.0
describe KAM_SMOKE2 Higher probability of spam
#OBF URL
body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M/i
meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
score KAM_OBFURL 5.0
describe KAM_OBFURL Obfuscated URL
#SHARP FOR LIFE
body __KAM_SHARP1 /sharp for life/i
body __KAM_SHARP2 /yoshiblade/i
body __KAM_SHARP3 /zirconium oxide/i
body __KAM_SHARP4 /ceramic knife/i
header __KAM_SHARP5 Subject =~ /ceramic knief|yoshiblade|sharp for life/i
header __KAM_SHARP6 From =~ /yoshi/i
meta KAM_SHARP (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
score KAM_SHARP 4.5
describe KAM_SHARP Ceramic Blade Spam
#HIP REPLACEMENT
body __KAM_HIP1 /hip replacement|medical alert/i
body __KAM_HIP2 /implant recall|recall list/i
header __KAM_HIP3 Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
header __KAM_HIP4 From =~ /recall/i
meta KAM_HIP (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
score KAM_HIP 4.5
describe KAM_HIP Hip Replacement Recall Spam
#WORK AT HOME
body __KAM_WORKHOME1 /online jobs|Full-time (and|&) Part-time|at home employment/i
body __KAM_WORKHOME2 /\#1 site|view here|information here/i
header __KAM_WORKHOME3 Subject =~ /work at home|work \@ home|home positions/i
meta KAM_WORKHOME (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
score KAM_WORKHOME 4.5
describe KAM_WORKHOME Work at Home Spam
meta KAM_WORKHOME2 (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
score KAM_WORKHOME2 4.5
describe KAM_WORKHOME2 Work at Home Spam
#HSR UPDATES
body __KAM_HSR1 /hsrupdates.com|progressiverailroading.com/i
header __KAM_HSR2 Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
header __KAM_HSR3 From =~ /HSRUpdates.com|progressive ?railroading/i
meta KAM_HSR (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
score KAM_HSR 4.5
describe KAM_HSR High Speed Rail Spam
#SELLPHONE
body __KAM_SELLPHONE1 /Turn iphones into cash/i
body __KAM_SELLPHONE2 /used or broken|pre-paid envelope/i
header __KAM_SELLPHONE3 Subject =~ /sell your old iphone/i
meta KAM_SELLPHONE (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
score KAM_SELLPHONE 4.5
describe KAM_SELLPHONE Used Equipment Spam
#STORAGE LIMIT
body __KAM_MAILBOX1 /mailbox has exceeded the storage limit|storage.quota/i
body __KAM_MAILBOX2 /re-validate your (mailbox|email)/i
meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 >=2)
score KAM_MAILBOX 4.0
describe KAM_MAILBOX Mailbox Quota Phishing Scams
meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
score KAM_SHORT 0.001
describe KAM_SHORT Use of a URL Shortener for very short URL
#URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP
uri __KAM_SHORT /https?:\/\/(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to|back\.ly)(\/)/i
# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
#POWER CHAIRS
body __KAM_POWER1 /hoveround/i
header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i
header __KAM_POWER3 From =~ /Get your freedom|power Chairs/i
meta KAM_POWER (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
score KAM_POWER 3.0
describe KAM_POWER Motorized Chair Spams
#GUN ALERTS
body __KAM_GUN1 /Keep and Bear Arms/i
header __KAM_GUN2 From =~ /gunalerts.com/i
header __KAM_GUN3 Subject =~ /gun/i
meta KAM_GUN (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
score KAM_GUN 2.0
describe KAM_GUN Gun Alert Spams
#GET RICH QUICK SCHEME
body __KAM_RICH1 /financial.success story/i
body __KAM_RICH2 /see me on the channel \d news/i
body __KAM_RICH3 /talking about my blog/i
body __KAM_RICH4 /bec.me financially independent/i
meta KAM_RICH (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
score KAM_RICH 3.5
describe KAM_RICH Get Rich Quick Schemes
#INVALID FROM HEADER
header __KAM_INVFROM1 From =~ /<[^>]*$/
header __KAM_INVFROM2 From =~ /^[^<]*>/
meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
score KAM_INVFROM 2.0
describe KAM_INVFROM Invalid From Header containing mismatched <>'s
#YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
header __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
else
meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
endif
describe KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
score KAM_UAH_YAHOOGROUP_SENDER -20.0
#GALLERY
header __KAM_GALLERY1 Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
body __KAM_GALLERY2 /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
header __KAM_GALLERY3 Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
body __KAM_GALLERY4 /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
rawbody __KAM_GALLERY5 /wp-content|_vti_cnf|cache|wp-admin|wordpress/i
meta KAM_GALLERY (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
describe KAM_GALLERY Exploited Gallery with Porn
score KAM_GALLERY 5.0
meta KAM_GALLERY2 (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
describe KAM_GALLERY2 Higher Likelihood of Exploited Gallery with Porn
score KAM_GALLERY2 2.0
#CHANGELOG
header __KAM_CHANGELOG1 Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
body __KAM_CHANGELOG2 /as promised chnglog update/i
meta KAM_CHANGELOG (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
describe KAM_CHANGELOG Phishing Email
score KAM_CHANGELOG 2.5
#NIGERIAN VARIANT
body __KAM_BUS1 /business proposal/i
body __KAM_BUS2 /sensitive by nature/i
body __KAM_BUS3 /have not met/i
body __KAM_BUS4 /view my attach/i
meta KAM_BUS (__KAM_BUS1 + __KAM_BUS2 + __KAM_BUS3 + __KAM_BUS4 >= 4)
describe KAM_BUS Yet another Nigerian Scam/Phishing Variant
score KAM_BUS 4.0
#PRIVATE MESSAGE
body __KAM_PRIV1 /private message|horny|sweet ass/i
body __KAM_PRIV2 /(personal|private) video/i
body __KAM_PRIV3 /the attache?ment|attached file/i
meta KAM_PRIV (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
describe KAM_PRIV Private Messages using Exploits in attached HTML files
score KAM_PRIV 5.0
#DIV
rawbody __KAM_DIV1 /Viagr?|Cial?<div/i
rawbody __KAM_DIV2 /<\/div>r?a\|l?is/i
meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
describe KAM_DIV Use of divs to hide Medical Spams
score KAM_DIV 2.0
#CREDIT SCORE
header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_tag C (?:[\xd0][\xa1]|c)
replace_tag I (?:[\xd1][\x96]|i)
replace_tag S (?:[\xd0][\x85]|s)
header __KAM_CREDIT6 Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
header __KAM_CREDIT7 From =~ /<S>core.?<S>ense/i
replace_rules __KAM_CREDIT6 __KAM_CREDIT7
endif
meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe KAM_CREDIT Credit Score Spams
score KAM_CREDIT 4.5
meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe KAM_CREDIT2 Credit Score Spams
score KAM_CREDIT2 4.5
#OBFUSCATED URI
rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe KAM_OBFURI Obfuscated URI trick
score KAM_OBFURI 4.0
#ADVANCE
header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
body __KAM_ADVANCE2 /Advance Details/i
body __KAM_ADVANCE3 /Pre-Approved/i
header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i
meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe KAM_ADVANCE Advance Spams
score KAM_ADVANCE 3.5
#PAYPAL NON SPF - FP fixed by Piper Andreas
header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i
meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
describe KAM_PAYPAL1 rampant paypal phishing scams
score KAM_PAYPAL1 16.0
#PAYPAL IMPERSONATING MALWARE
body __KAM_PAYPAL2A /paypal/i
body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR >= 3)
describe KAM_PAYPAL2 Malware disguised as a paypal email
score KAM_PAYPAL2 8.0
#PAYPAL PHISH
header __KAM_PAYPAL3A From =~ /paypal/i
header __KAM_PAYPAL3B From !~ /paypal.com>?$/i
header __KAM_PAYPAL3C Subject =~ /your.paypal.account/i
body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information/i
meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_PAYPAL3 8.0
describe KAM_PAYPAL3 Phish disguised as a paypal email
#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i
meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe KAM_COMPROMISED Compromised Accounts Sending Spam
score KAM_COMPROMISED 8.25
#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
header __KAM_LIST2A List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i
meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
describe KAM_LIST2 Known Bad Groups
score KAM_LIST2 60.0
#LIMITED ACCESS/QUOTA SCAMS - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i
meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe KAM_QUOTA Limited Access / Quota Phishing Scam
score KAM_QUOTA 3.0
# BACKGROUND CHECK SPAM
body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|criminal|reputation/i
body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header __KAM_BACK4 Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i
describe KAM_BACK Background Check SPAM
meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
score KAM_BACK 5.5
#ARREST RECORD SCAMS
header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i
meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe KAM_ARREST Arrest Record Scams
score KAM_ARREST 5.0
#MORE DIET SCAMS
header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i
meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe KAM_DIET2 Diet Scams
score KAM_DIET2 5.0
#CIGAR SCAMS
header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header __KAM_CIGAR2 From =~ /Cigar/i
body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i
meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe KAM_CIGAR Cigar Scam Emails
score KAM_CIGAR 6.0
#TK DOMAINS
rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
describe KAM_TK Abuse of .tk domain registrar which offers free domains
score KAM_TK 5.0
#THIRD PARTY / SENT BY XXXX
body __KAM_THIRD /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i
#LASIK
header __KAM_LASIK1 From =~ /Lasik/i
header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri __KAM_LASIK4 /lasik\.php/i
meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe KAM_LASIK Lasik Treatment Spams
score KAM_LASIK 4.5
#FAKE NOTIFIES
header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header __KAM_NOTIFY3 From =~ /\.br>/i
meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe KAM_NOTIFY Fake Notifications
score KAM_NOTIFY 4.0
meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe KAM_NOTIFY2 Higher likelihood of fake notification
score KAM_NOTIFY2 3.0
#LANGUAGE
header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i
meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_LANG Language Method Spams
score KAM_LANG 4.5
#FAKE TRACK
header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i
meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe KAM_TRACK Fake Tracking Emails
score KAM_TRACK 3.0
#BACK TO SCHOOL
header __KAM_SCHOOL1 From =~ /Classes/i
header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i
meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SCHOOL School Spams
score KAM_SCHOOL 5.0
#MEMBERS
header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body __KAM_MEMBER3 /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
#header __KAM_MEMBER6 From =~ /Updat/i
meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe KAM_MEMBER Dating Scams
score KAM_MEMBER 4.5
#MEDICARE
header __KAM_MEDICARE1 From =~ /Medicare|health.?options|enrollment/i
header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
body __KAM_MEDICARE3 /medicare.(plan|recipient)/i
body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium/i
meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe KAM_MEDICARE Medicare Scams
score KAM_MEDICARE 4.0
#BILLS
header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i
meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_BILLS Bill Pay Spams
score KAM_BILLS 4.0
#HOSE
header __KAM_HOSE1 From =~ /Pocket Hose/i
header __KAM_HOSE2 Subject =~ /garden hose|kinks/i
body __KAM_HOSE3 /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i
meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_HOSE Garden Hose Spams
score KAM_HOSE 4.5
#AV
header __KAM_AV1 From =~ /Norton/i
header __KAM_AV2 Subject =~ /Update now|Are you protected/i
meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_AV Anti-Virus Spams
score KAM_AV 4.0
#MASCARA
header __KAM_MASCARA1 From =~ /smartlash/i
header __KAM_MASCARA2 Subject =~ /mascara/i
body __KAM_MASCARA3 /smartlash/i
meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_MASCARA Make-up Spams
score KAM_MASCARA 4.5
#COLLEGE
header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe KAM_COLLEGE Online Degree/Aid Spams
score KAM_COLLEGE 4.0
#SURVEY
header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
header __KAM_SURVEY2 Subject =~ /win an ipad/i
body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i
meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SURVEY Online Survey Spams
score KAM_SURVEY 4.5
#LAKE
#REMOVED 1/7/2014
#rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe KAM_LAKE Odd spamming engine LAKE signature on URLs
#score KAM_LAKE 0.25
#SNORE
header __KAM_SNORE1 From =~ /snoring|zquiet/i
header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i
meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SNORE Snoring Aid Spams
score KAM_SNORE 4.0
#VACATION
header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i
meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VACATION Vacation Spams
score KAM_VACATION 4.0
#BLOOD PRESSURE
header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
body __KAM_BLOOD5 /Anti-Aging Expert|worst.food/i
body __KAM_BLOOD6 /Blood pressure/i
meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
describe KAM_BLOOD Blood Pressure Spams
score KAM_BLOOD 4.75
#SCOOTER
header __KAM_SCOOTER1 From =~ /Scooter Store/i
header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
body __KAM_SCOOTER3 /the scooter store/i
meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe KAM_SCOOTER Blood Pressure Spams
score KAM_SCOOTER 4.75
#ANATABLOC
header __KAM_ANATA1 From =~ /Anatabloc/i
header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i
meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe KAM_ANATA Drug Spam
score KAM_ANATA 4.5
#BBB Phish
header __KAM_BBB1 From =~ /bbb.org/i
body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
describe KAM_BBB Better Business Bureau Phishing
score KAM_BBB 5.0
#PREV MARK
header __KAM_MARK1 Subject =~ /[\[\<](?:ADV|SPAM)[\>\]]/i
meta KAM_MARK (__KAM_MARK1 >= 1)
describe KAM_MARK Email arrived marked as Spam
score KAM_MARK 10.0
#H1QNUM ENGINE
rawbody __KAM_H1QNUM1 /<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri __KAM_H1QNUM3 /\.co\.uk/i
meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
describe KAM_H1QNUM H1 Qnum indicator
score KAM_H1QNUM 4.0
meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
score KAM_H1QNUM2 5.0
#AP
header __KAM_AP1 From =~ /AP/
header __KAM_AP2 Subject =~ /Community & educational development/i
body __KAM_AP3 /American Grants and Loans Catalog/i
meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe KAM_AP American Publishing Spam
score KAM_AP 4.5
#CO.UK
header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
score KAM_COUK 0.85
#FAKE FACEBOOKMAIL
#REAL FB DOMAIN
header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
#SPECIFIC PEOPLE
header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i
meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
score KAM_FACEBOOKMAIL 8.0
#FAKE DHL/FEDEX/ETC
body __KAM_FAKEDELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached/i
header __KAM_FAKEDELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel/i
#DHL
body __KAM_FAKEDELIVER3 /DHL/
header __KAM_FAKEDELIVER4 From !~ /dhl.com/i
#FEDEX
rawbody __KAM_FAKEDELIVER5 /Fed ?ex/i
header __KAM_FAKEDELIVER6 From !~ /fedex.com/i
#USPS
body __KAM_FAKEDELIVER7 /USPS/i
header __KAM_FAKEDELIVER8 From !~ /usps.com/i
#CARGO
body __KAM_FAKEDELIVER9 /CARGO/
header __KAM_FAKEDELIVER10 From =~ /shipping|economy|priority/i
#USPS
body __KAM_FAKEDELIVER11 /DPD/i
header __KAM_FAKEDELIVER12 From !~ /dpd.com|dpd.co.uk/i
meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR >= 1) >= 3)
describe KAM_FAKE_DELIVER Fake delivery notifications
score KAM_FAKE_DELIVER 5.0
meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
score KAM_REALLY_FAKE_DELIVER 2.5
describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications
#SOLAR POWER
header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
header __KAM_SOLAR2 Subject =~ /power bill|sells power|electrical bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies/i
meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe KAM_SOLAR Solar Power Spams
score KAM_SOLAR 1.9
meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe KAM_SOLAR2 Definite Solar Power Spams
score KAM_SOLAR2 1.9
#ASIAN BRIDE
header __KAM_ASIAN1 Subject =~ /Asian Bride/i
body __KAM_ASIAN2 /Adoring Asian/i
header __KAM_ASIAN3 From =~ /asian/i
meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe KAM_ASIAN Asian Bride Spams
score KAM_ASIAN 3.5
#DR OZ SPAM
header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i
#meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe KAM_OZ Fake Dr. Oz Spam's
#score KAM_OZ 3.5
#STUDENT LOAN
header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i
meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
describe KAM_STUDENT Student Loan Forgiveness Spams
score KAM_STUDENT 4.0
#TIP
header __KAM_TIP1 From =~ /Beauty Tips/i
header __KAM_TIP2 Subject =~ /Dark-Circles|undereye bags/i
body __KAM_TIP3 /undereye bags/i
body __KAM_TIP4 /Find Out This Quick New Trick/i
meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe KAM_TIP Beauty Tip Spams
score KAM_TIP 4.3
#WhatsApp
header __KAM_WHATS1 From =~ /WhatsApp/i
header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
body __KAM_WHATS3 /WhatsApp/
meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe KAM_WHATS WhatsApp Spams
score KAM_WHATS 3.0
#QTJars
header __KAM_QTJARS1 From =~ /qtjar/i
header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
body __KAM_QTJARS3 /qtjars/
body __KAM_QTJARS4 /private message/
meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe KAM_QTJARS QTJars Spams
score KAM_QTJARS 3.0
#GOOGLE DOCS PHISH
# view the agreement.
body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
rawbody __KAM_GOOGLEPHISH2 /http:\/\/.{5,50}\/http\/docs.google.com\/login\//i
meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe KAM_GOOGLEPHISH Google Login Phishing Scam
score KAM_GOOGLEPHISH 5.0
#POLITICAL SPAM
header __KAM_POLY1 Subject =~ /Barack Obama/i
body __KAM_POLY2 /The End of Barack Obama/i
meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
describe KAM_POLY Political Spams
score KAM_POLY 3.0
#MAID
header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
header __KAM_MAID2 From =~ /Maid|Housekeeper/i
body __KAM_MAID3 /Pre-Screened Housekeepers|local.maid/i
meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe KAM_MAID Maid Service Spams
score KAM_MAID 3.0
#TUB
header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i
meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe KAM_TUB Tub Spams
score KAM_TUB 4.0
#OBFUSCATE PORN
header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header __KAM_OBF8 Subject =~ /X.X.X/
meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 4.0
meta KAM_OBF (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 2.0
#HAIR LOSS / GREYING / REMOVAL
header __KAM_HAIR1 Subject =~ /(Regrow|restore your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth|shark tank/i
header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve/i
rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley/i
rawbody __KAM_NEWSLETTER /<title>Newsletter<\/title>/i
meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 >=4)
describe KAM_HAIR Hair Loss / Removal Spams
score KAM_HAIR 4.5
#TRIAL
body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i
#UNSUB
body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i
meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe KAM_UNSUB Completely ridiculous unsubscribe text found
score KAM_UNSUB 5.0
#MAINTENANCE / Email Phish Scams
body __KAM_EMAILPHISH1 /Please login to complete update process/i
meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
describe KAM_EMAILPHISH Email Phishing Scams
score KAM_EMAILPHISH 3.5
#MASSMAILER ERRORS
header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i
meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
describe KAM_MASSERROR Error in usage of a mass mailing software
score KAM_MASSERROR 2.0
#CAR DEAL SPAMS
header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i
meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe KAM_CARDEAL Car Deal Spams
score KAM_CARDEAL 3.0
#Quick Sale Scams
header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
header __KAM_HOMESALE2 From =~ /Fastcash/i
body __KAM_HOMESALE3 /Cash Offer for Your Home/i
meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe KAM_HOMESALE Home Sale Spams
score KAM_HOMESALE 3.5
#ADVERTISEMENTS FOR LOANS
header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$\d+ down loan|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer/i
header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer/i
body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems/i
body __KAM_LOAN4 /development.project|just.been.approved|for.your.business|loan.solution/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif
meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + __KAM_LOAN4 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe KAM_LOAN Payday and other loan spams
score KAM_LOAN 4.5
#HANGOVER SPAM
header __KAM_HANGOVER1 Subject =~ /hangover patch/i
header __KAM_HANGOVER2 From =~ /hangover/i
body __KAM_HANGOVER3 /hangover patch/i
meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe KAM_HANGOVER Hangover Patch Spams
score KAM_HANGOVER 3.5
#RX PLAN SPAM
header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body __KAM_RXPLAN3 /gap coverage/i
meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe KAM_RXPLAN Rx Plan Spams
score KAM_RXPLAN 3.5
#SIDE SOCKET
header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header __KAM_SOCKET2 From =~ /side.?socket/i
body __KAM_SOCKET3 /side socket/i
meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe KAM_SOCKET Product Spam du Jour
score KAM_SOCKET 3.5
#TESTOSTERONE
header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i
meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe KAM_TESTOSTERONE Product Spam du Jour
score KAM_TESTOSTERONE 4.5
#FLEXHOSE
header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
header __KAM_FLEXHOSE2 From =~ /hose/i
body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i
meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
describe KAM_FLEXHOSE Product Spam du Jour
score KAM_FLEXHOSE 3.5
#PET
header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i
meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe KAM_PET Insurance and other pet-related spam
score KAM_PET 4.5
meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe KAM_PET2 Even more likely insurance and other pet-related spam
score KAM_PET2 3.5
#COBRA
header __KAM_COBRA1 Subject =~ /Cobra Health/i
header __KAM_COBRA2 From =~ /Cobra|Health/i
body __KAM_COBRA3 /find cobra health/i
meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe KAM_COBRA Cobra Insurance Spam
score KAM_COBRA 3.5
#Discount Air
header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header __KAM_DISCAIR2 From =~ /Discount Air/i
body __KAM_DISCAIR3 /Fly Cheap in Business Class/i
meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe KAM_DISCAIR Discount Airfare Spam
score KAM_DISCAIR 3.5
#PEST
header __KAM_PEST1 Subject =~ /pes?t control system/i
header __KAM_PEST2 From =~ /Riddex|pest/i
body __KAM_PEST3 /revolutionary pes?t control system/i
meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe KAM_PEST Spam for Pest Control
score KAM_PEST 3.5
#PROPHET
header __KAM_PROPHET1 Subject =~ /beezelbub|communique/i
header __KAM_PROPHET2 From =~ /christian.*prophe/i
body __KAM_PROPHET3 /Dear Christian Friend/i
body __KAM_PROPHET4 /Christian Media Ministry/i
body __KAM_PROPHET5 /prophecy article|rapture/i
meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
describe KAM_PROPHET Spam for Prophecy
score KAM_PROPHET 6.0
#HEART
header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i
meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
describe KAM_HEART Spam for Heart Attack prevention
score KAM_HEART 4.5
#JOINT
header __KAM_JOINT1 Subject =~ /joint relief/i
header __KAM_JOINT2 From =~ /Tfx/i
body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body __KAM_JOINT5 /free bottle/i
meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
describe KAM_JOINT Joint relief Spam
score KAM_JOINT 4.0
#REHAB
header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i
meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
describe KAM_REHAB Rehab Spam
score KAM_REHAB 3.0
#HAIRTRANS
header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i
meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe KAM_HAIRTRANS Spam for Hair Restoration
score KAM_HAIRTRANS 3.5
meta KAM_HAIRTRANS2 (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration
score KAM_HAIRTRANS2 2.0
#OUR GIFT
body __KAM_GIFTCERT1 /Our gift to you/i
body __KAM_GIFTCERT2 /\$\d+ gift certificate/i
header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i
meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
score KAM_GIFTCERT 1.5
describe KAM_GIFTCERT Gift Certificate Spams
#TIRES
header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
header __KAM_TIRES2 From =~ /Tire/i
body __KAM_TIRES3 /savings on tire|new tires/i
meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3)
describe KAM_TIRES Spam for Tires
score KAM_TIRES 3.0
#SLICEOMATIC
header __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
header __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
body __KAM_SLICEOMATIC3 /Slice-o-matic/i
meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3)
describe KAM_SLICEOMATIC Spam for Kitchen Tools
score KAM_SLICEOMATIC 3.0
#FINDYOURWINDOWS AND OTHER WINDOW SPAM
header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i
meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
describe KAM_WINDOWS Spam for House Windows
score KAM_WINDOWS 4.5
#EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
#POISON PILL
uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i
meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1)
describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com
score KAM_EMMAPP_WEB_COM 20.0
#NEW CREDIT CARD
header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i
meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
describe KAM_NEW_CREDITCARD Spam for new credit cards
score KAM_NEW_CREDITCARD 4.0
#WEIRD GERMAN SPAM
header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i
meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam
score KAM_GERMAN_BUSINESS_CONTACTS 3.0
#WEIRD SENIOR DATING SPAM
header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i
meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1)
describe KAM_SENIOR_DATING Senior dating spam
score KAM_SENIOR_DATING 2.0
#NEWS!
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe KAM_NEWS Forged Emails with NEWS!
score KAM_NEWS 9.0
#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif
#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i
#FAKE AT&T
#header __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score KAM_FAKE_ATT 3.0
#YOU HAVE BEEN CHOSEN
header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header __KAM_CHOSEN2 From =~ /marketing|invitation/i
body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score KAM_CHOSEN 2.0
#JURY DUTY AND OTHER FAKE COURT NOTICES
header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header __KAM_JURY3 From !~ /\.gov/i
body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score KAM_JURY 8.0
#BITCOIN
header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header __KAM_BITCOIN3 From =~ /bitcoin/i
meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score KAM_BITCOIN 4.5
#RELIGIOUS
header __KAM_RELIGION1 Subject =~ /Christian Media/i
header __KAM_RELIGION2 From =~ /Bible Prophecy/i
body __KAM_RELIGION3 /Dear Christian|Christian Media/i
meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score KAM_RELIGION 2.5
#BUSINESS PHONE
header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header __KAM_BUSINESSPHONE2 From =~ /business phone/i
body __KAM_BUSINESSPHONE3 /business phone system/i
meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score KAM_BUSINESSPHONE 5.5
#NUMEROLOGY
header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header __KAM_NUMEROLOGY2 From =~ /Numerology/i
body __KAM_NUMEROLOGY3 /Control your destiny/i
meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score KAM_NUMEROLOGY 3.5
#VOICEMAIL SPAM
header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score KAM_SPAMFORSPAM 5.5
#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score KAM_NEUROLOGICAL 3.5
#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags __KAM_LOTSOFHASH multiple maxhits=10
meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score KAM_LOTSOFHASH 0.25
#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score KAM_GRABBAG1 3.5
#TV DOCTOR TRASH
header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR Spam for TV doctor stuff
score KAM_TVDOCTOR 3.5
# 1-800-DENTIST
header __KAM_DENTIST1 Subject =~ /dentist/i
header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
body __KAM_DENTIST3 /Find a dentist/i
meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST Spam for 1-800-DENTIST
score KAM_DENTIST 3.5
# GOLD AND DIAMOND JEWELRY
header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
header __KAM_JEWELRY2 From =~ /bluestone.com/i
meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
score KAM_JEWELRY 3.5
# PSSST, WANNA BUY SOME POT
body __KAM_MARIJUANA1 /marijuana|cannabis/i
body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i
meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA Spam pertaining to marijuana
score KAM_MARIJUANA 3.5
meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score KAM_MARIJUANA2 8.0
describe KAM_MARIJUANA2 Definitely spam for marijuana
# EVICTION NOTICE
header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR >= 4)
describe KAM_EVICTION Malware disguised as eviction notice
score KAM_EVICTION 4.5
# WALK IN TUBS
header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body __KAM_WALKINTUB3 /walk.?in.?tub/i
meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score KAM_WALKINTUB 3.5
# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i
meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score KAM_EMAILQUESTION 3.5
# BECOME BEYOND SUPERHUMAN / SUPERMAN
header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i
meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score KAM_SUPERHUMAN 8.0
# VALENTINES
header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score KAM_VALENTINE 4.5
header __KAM_MOTHER1 From =~ /flower|seventeen/i
header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score KAM_MOTHER 4.5
# WHO'S WHO
header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri __KAM_WHOSWHO4 /whoswho/i
meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score KAM_WHOSWHO 5.0
meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score KAM_WHOSWHO2 1.0
# GARAGE FLOOR COATING
header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score KAM_GARAGE 4.0
meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam
#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
header __KAM_PAINT2 Subject =~ /surface Paint/i
meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_PAINT Paint Spams
score KAM_PAINT 4.0
# HURRICANE MOP
header __KAM_MOP1 From =~ /hurricane mop/i
header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i
meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score KAM_MOP 3.5
# DATING TIPS
header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score KAM_DATINGTIPS 4.5
# CANDY
header __KAM_CANDY1 From =~ /candy/i
header __KAM_CANDY2 Subject =~ /candy/i
body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score KAM_CANDY 4.5
# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable
# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK1 1.5
meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK2 3.5
meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score KAM_WEIRDTRICK3 3.0
#MATCH MAKER SPAM
header __KAM_MATCH1 From =~ /Match/i
header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe KAM_MATCH Match Maker Spams
score KAM_MATCH 3.5
#CAR INSURANCE
header __KAM_CARINSURE1 From =~ /insurance/i
header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe KAM_CARINSURE Car Insurance Spams
score KAM_CARINSURE 3.0
#DATA IMG
rawbody __KAM_DATAIMG /<img src="data:image/i
#FAKE MMS
rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe KAM_MMS Fake MMS Spam
score KAM_MMS 6.0
#LEARNMORE
rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe KAM_LEARN Learn More Spam
score KAM_LEARN 6.0
#UNSUB1
header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe KAM_UNSUB1 Unsubscription Spams
score KAM_UNSUB1 0.1
uri __KAM_DOMAINDOTCOM /domain\.com/i
meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score KAM_UNSUB2 3.5
describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body
# DUTCH GLOW AND OTHER WOODWORKING SPAM
header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
describe KAM_DUTCHGLOW Woodworking spam
score KAM_DUTCHGLOW 3.0
# FUNERAL HOME SPAM
header __KAM_FUNERAL1 From =~ /Funeral/i
header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score KAM_FUNERAL 2.0
meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score KAM_FUNERAL2 3.0
# WEB VIEW OBFUSCATION
body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score KAM_WEB_OBFUSCATION 0.1
# TUPPERWARE
header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score KAM_TUPPERWARE 3.5
# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score KAM_PATRIOT 4.0
meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score KAM_PATRIOT2 1.5
# PAYMENT LOWERED
header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score KAM_PAYMENT_LOWERED 4.5
meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
score KAM_PAYMENT_LOWERED 2.0
#NEW NOTICE
body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe KAM_NEWNOTICE New Notice Spam
score KAM_NEWNOTICE 4.25
meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
score KAM_NEWNOTICE2 2.0
#REFI NEW NOTICE
header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe KAM_REFINEW New Refi/Credit Notice spam
score KAM_REFINEW 2.0
meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe KAM_REFINEW2 Higher Probability Refi Spam
score KAM_REFINEW2 2.0
#AUTO INSURE / LOAN
header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe KAM_AUTONEW New Auto insurance spam
score KAM_AUTONEW 3.0
meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe KAM_AUTONEW2 Higher Probability Insurance Spam
score KAM_AUTONEW2 2.0
#STATLER
header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header __KAM_STATLER2 Subject =~ /quintuple/i
body __KAM_STATLER3 /Mike Statler/i
meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe KAM_STATLER Mike Statler Spams
score KAM_STATLER 6.0
#LEARNING TO WRITE
header __KAM_WRITING1 From =~ /writing/i
header __KAM_WRITING2 Subject =~ /writing resources|get published/i
body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score KAM_WRITING 3.5
#RASH OF .EU EXPLOITS
rawbody KAM_EU /http:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score KAM_EU 0.50
describe KAM_EU Prevalent use of .eu in spam/malware
#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score KAM_GRABBAG2 5.0
describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators
#END DIABETES SPAM
body __KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i
meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
score KAM_DIABETES 4.5
describe KAM_DIABETES End Diabetes Spam
#SPY CAMERAS, ETC
header __KAM_SPY1 From =~ /spy.?camera/i
header __KAM_SPY2 Subject =~ /spy.?camera/i
body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i
meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score KAM_SPY 3.5
#HARP
header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header __KAM_HARP3 From !~ /\.gov>?$/i
meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP HARP Refinance Spams
score KAM_HARP 4.5
#LUNAR SLEEP AND OTHER SLEEPING AIDS
header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri __KAM_LUNAR3 /lunar.?sleep/i
body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score KAM_LUNAR 4.5
meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score KAM_LUNAR2 2.0
#OCEANS BOUNTY
header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score KAM_OCEANSBOUNTY 4.5
#ANDROGEL
header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score KAM_ANDROGEL 4.5
#CELL PHONES
header __KAM_CELL1 From =~ /phone/i
header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score KAM_CELL 3.5
header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad
#HERPES
header __KAM_HERPES1 From =~ /herpes/i
header __KAM_HERPES2 Subject =~ /your.herpes/i
body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score KAM_HERPES 5.0
#FAKE VOUCHER/REWARD EMAIL
header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i
meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
describe KAM_FAKEVOUCHER Fake voucher/reward email
score KAM_FAKEVOUCHER 4.5
#ATTORNEY SPAM
header __KAM_ATTORNEY1 From =~ /attorney/i
header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i
meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
score KAM_ATTORNEY 3.5
describe KAM_ATTORNEY Ads for legal services
#PRODUCT RECALL
header __KAM_RECALL1 From =~ /dog.?food/i
header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i
meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
score KAM_RECALL 3.5
describe KAM_RECALL Spam for product recall notices
#REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
tflags __KAM_HUGEIMGSRC multiple maxhits=6
meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
score KAM_HUGEIMGSRC 0.2
describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
score KAM_REALLYHUGEIMGSRC 1.1
rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
score KAM_TRACKIMAGE 0.2
#BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
score KAM_GRABBAG3 3.0
describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients
#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score KAM_EMPTYLINK 3.5
header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde
# WORDS THAT "A R E S P A C E D O U T" LIKE SO
body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i
# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
body __KAM_INVESTCOUNTRY2 /invest in your country/i
meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
score KAM_INVESTCOUNTRY 3.5
describe KAM_INVESTCOUNTRY Spam for investing in your country
# SPAM FOR FLAGS
header __KAM_FLAG1 From =~ /flag/i
header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags
rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags
rawbody __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text
rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area
meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score KAM_GRABBAG4 3.5
header __KAM_KORS1 From =~ /Michael Kors/i
header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors
header __KAM_HOLIDAY1 From =~ /holidays/i
header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score KAM_HOLIDAY 3.5
#Thanks to Dave Wreski for his idea on commas
header __KAM_MANYTO To =~ />,/i
tflags __KAM_MANYTO multiple,maxhits=5
header __KAM_MANYTO2 To =~ /, /
tflags __KAM_MANYTO2 multiple,maxhits=25
meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
score KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header or more than 25 recipients
meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients
body __KAM_MILLIONAIRE1 /internet millionai?re/i
body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money
header __KAM_OILCHANGE1 From =~ /oil.?change|coupon/i
header __KAM_OILCHANGE2 Subject =~ /oil change/i
body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes
header __KAM_ADHD1 From =~ /ADH?D/i
header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body __KAM_ADHD3 /struggling with adh?d|treatment options/i
meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment
# AUTO REPAIR
header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services
# HOME REPAIR
header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services
body __KAM_EPISODE /episode \d+/i
header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services
header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header __KAM_PAPERLESS2 Subject =~ /paperless|fax to email|send document|fax thru email|receive faxes|send faxes|fax.message|voice.message|new.fax|have.received/i
body __KAM_PAPERLESS3 /fax service|service plan|view.this.fax|\d.page.fax|voice.message/i
meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office
rawbody __KAM_LOTSOFNBSP /( ?){30}/i
header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i
# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header __KAM_PASSWORD1 Subject =~ /password/i
body __KAM_PASSWORD2 /validate.your.email/i
meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password
# SEMINARS AND WORKSHOPS SPAM
header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score KAM_WEBINAR 3.5
meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
describe KAM_WEBINAR2 Spam for webinars
score KAM_WEBINAR2 3.5
header __KAM_CONTACTME1 Subject =~ /^contact me$/i
body __KAM_CONTACTME2 /read the attached letter/i
meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply
header __KAM_MESH1 From =~ /consumer|connect|claim/i
header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score KAM_MESH 3.5
header __KAM_ALERT1 From =~ /medical.?alert/i
header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body __KAM_ALERT3 /help button/i
meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts
# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header __KAM_SECURITY1 From =~ /Digital Defense/i
header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body __KAM_SECURITY3 /information.security|cyber.?criminal/i
meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score KAM_SECURITY 6.0
body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body __KAM_JESUS3 /nigeria|muslim.women/i
meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score KAM_JESUS 4.5
header __KAM_CLAIMS1 From =~ /claims.payment/i
header __KAM_CLAIMS2 Subject =~ /confirm/i
body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score KAM_CLAIMS 4.5
# VISION SPAM
header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score KAM_VISION 4.5
body KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score KAM_TRUTHINESS 1.5
header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement
# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score KAM_GENERICHEALTH 4.0
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
header __KAM_SALEA_1 From =~ /touch.?fire/i
header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score KAM_SALE 4.0
describe KAM_SALE Spam for things on sale
meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign
# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags __KAM_ASCII_DIVIDERS multiple, maxhits=4
meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score KAM_ASCII_DIVIDERS 0.8
# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
rawbody __KAM_HTMLNOISE1 /<big><big>|<small><\/small>|<style><\/style>/i
meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding
header __KAM_CHICKEN1 From =~ /coop/i
header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops
# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters
# DRAPES SPAM
header __KAM_DRAPES1 From =~ /drapes/i
header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body __KAM_DRAPES3 /banner.stand|print.project/i
meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes
header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score KAM_NUWAVE 3.5
rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags __KAM_MANYCOMMENTS multiple,maxhits=6
meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score KAM_MANYCOMMENTS 1.2
header __KAM_HIRE1 From =~ /recruit/i
header __KAM_HIRE2 Subject =~ /checking.in/i
body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score KAM_HIRE 4.5
header __KAM_DEALS1 From =~ /deal.?hunter/i
header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body __KAM_DEALS3 /exclusive.savings/i
meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals
header __KAM_CONTRACT1 From =~ /samanage/i
header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body __KAM_CONTRACT3 /buy you out|service management|management solution/i
meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract
#KAM_TOLL
header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score KAM_TOLL 8.0
#KAM_AMAZON
header __KAM_AMAZON1 From =~ /amazon\.com/i
meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
score KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
# LANDSCAPING
header __KAM_LANDSCAPE1 From =~ /landscaping/i
header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body __KAM_LANDSCAPE4 /stone.carving/i
meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score KAM_LANDSCAPING 3.5
# SINGING LESSONS
header __KAM_SINGING1 From =~ /singing/i
header __KAM_SINGING2 Subject =~ /professional.singer/i
body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score KAM_SINGING 4.5
# SPAM FOR ADS
header __KAM_ADVERTISE1 From =~ /gmail/i
header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score KAM_ADVERTISE 4.5
# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS
if (version >= 3.003002)
# We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
header __KAM_SPF_NONE eval:check_for_spf_none()
meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
score KAM_LAZY_DOMAIN_SECURITY 1.0
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif
# FORGED EMAILS WITH A VIRUS ATTACHED
meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR >= 2)
score KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment
# LOTS OF PERIODS IN SUBJECT
header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score KAM_MANYDOTS 3.5
# FINAL NOTICE SPAM
header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score KAM_SUBJECTNOTICE 1.0
# SPAM FOR BACKUP SERVICE
header __KAM_BACKUP1 From =~ /backup/i
header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score KAM_BACKUP 4.5
# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score KAM_FROMNUM 1.0
# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score KAM_LINKBAIT 2.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place
uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score KAM_LINKBAIT2 1.5
describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site
# FREEMAIL LINKBAIT
meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta KAM_PHISHY_DOLLARS (KAM_RAPTOR + LOTS_OF_MONEY >= 2)
score KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header __KAM_MULTIPLE_FROM From =~ /^./
tflags __KAM_MULTIPLE_FROM multiple,maxhits=2
header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
meta KAM_GRABBAG6 (__KAM_MULTIPLE_FROM + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score KAM_GRABBAG6 4.5
# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject
# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header __KAM_GOOGLE2_1 From =~ /google\+/i
header __KAM_GOOGLE2_2 From !~ /google.com/i
meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam
# MORE NIGERIAN VARIANTS
body __KAM_NIGERIAN2_1 /congo/i
meta KAM_NIGERIAN2 (__KAM_NIGERIAN2_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score KAM_NIGERIAN2 4.5
describe KAM_NIGERIAN2 Nigerian scam variant
# FINGERHUT SPAMS
header __KAM_FINGERHUT1 From =~ /finger.?hut/i
header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut
# FRIEND REQUEST SPAM
header __KAM_FRIEND1 Subject =~ /new.notification/i
body __KAM_FRIEND2 /wants.to.follow/i
meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam
# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR)
score KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
#MERCHANT ACCOUNTS SPAM
header __KAM_MERCHANT1 Subject =~ /finance.department/i
body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing
# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
# DISABLED 7/16 FOR NO LONGER BEING RELEVANT
#meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
#describe KAM_ZERODAY obviously a malware email that was not caught
#score KAM_ZERODAY 8.0
# ANOTHER ONE
header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_ZERODAY2 1.0
describe KAM_ZERODAY2 Another obvious zero-day malware
meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
score KAM_ZERODAY3 3.5
describe KAM_ZERODAY3 Another obvious zero-day malware
endif
# FAMILY TREE SPAM
header __KAM_ANCESTOR1 From =~ /ancestry/i
header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score KAM_ANCESTOR 3.5
# REMEMBER WHEN YOU GOT THAT SPAM
header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened
# THE LATEST TRAILING NOISE FORMAT
body __KAM_NOISE1 /([a-z0-9],){12}/i
body __KAM_NOISE2 /([a-z]{1,10},){10}/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
describe KAM_NOISE1 Pattern of noise words at the end of an email
score KAM_NOISE1 2.5
endif
# FREE PIZZA WOO!
header __KAM_PIZZA1 From =~ /pizza/i
header __KAM_PIZZA2 Subject =~ /^free pizza$/i
body __KAM_PIZZA3 /free.pizza.coupon/i
meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza
# ENGINEERING SPAM
header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information
# SUNGLASSES
header __KAM_SUNGLASSES1 Subject =~ /rayban/i
body __KAM_SUNGLASSES2 /great ray|hot.deal/i
body __KAM_SUNGLASSES3 /style rocks|today.only/i
meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score KAM_SUNGLASSES 3.5
# INVOICE SPAM OF THE DAY
header __KAM_INVOICE1 From =~ /billing/i
header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
uri __KAM_INVOICE5 /overdue|final.account/i
meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score KAM_INVOICE 4.5
describe KAM_INVOICE Phishing invoice spam
meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
score KAM_INVOICE2 5.5
describe KAM_INVOICE2 Phishing invoice spam
# GRIPEEZ
header __KAM_GRIPPY1 From =~ /gripeez/i
header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products
# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing/i
header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score KAM_ACCOUNTPHISH 3.20
describe KAM_ACCOUNTPHISH Spam that tries to get account information
# BUY PROPERTY
header __KAM_PROPERTY1 From =~ /high.rise|condo/i
header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body __KAM_PROPERTY3 /convenient.location/i
meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property
# FAKE AMEX
header __KAM_FAKEAMEX1 From =~ /aexp.com/i
meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
header KAM_HUGESUBJECT Subject =~ /^.{500}/
score KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
#HOOKUP
header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri __KAM_HOOKUP2 /justhookup/i
body __KAM_HOOKUP3 /match.?me.?networks/i
meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service
#PSYCHIC
header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
uri __KAM_PSYCHIC2 /free.psychic/i
body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score KAM_PSYCHIC 4.5
describe KAM_PSYCHIC Current Psychic Product Spam du Jour
#UNSUB BADDIES
body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
score KAM_BADUNSUB 3.0
describe KAM_BADUNSUB Bad Unsubscribe Messages
#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message
#TINYURL OBFUSCATION
uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
meta KAM_TINYURL (__KAM_TINYURL1)
score KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener
# FAKE DROPBOX
header __KAM_DROPBOX1 From =~ /dropbox/i
header __KAM_DROPBOX2 From !~ /dropbox.com/i
body __KAM_DROPBOX3 /shared.a.folder/i
meta KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails
# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
score KAM_YAHOO_MISTAKE -3.0
endif
# GARBAGE FREEMAIL
meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account
# AQUA RUG
header __KAM_AQUARUG1 From =~ /aqua.?rug/i
header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product
# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header __KAM_ITC1 From =~ /thetradecouncil.com/i
body __KAM_ITC2 /International Trade Council/i
body __KAM_ITC3 /enclosed/i
meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council
# HAVE YOU SEEN THIS
body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?
# DETOX
header __KAM_DETOX1 From =~ /detox/i
header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff
# DEATH INSURANCE
header __KAM_DEATHINSURE1 From =~ /live.sure/i
header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score KAM_DEATHINSURE 3.5
# REACHBASE
body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info
# DIGITAL WALLET SPAM
header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services
# BAD PHP
header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score KAM_BADPHP 2.5
describe KAM_BADPHP Questionable PHP mailer headers
# TINNITUS
header __KAM_TINNITUS1 From =~ /tinnitus.breakthrough/i
header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week/i
body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus/i
meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score KAM_TINNITUS 3.5
# KIWIBANK
header __KAM_KIWIBANK1 From =~ /kiwibank/i
header __KAM_KIWIBANK2 Subject =~ /verification.required/i
body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score KAM_KIWIBANK 3.5
# HAPPY TALK
header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body __KAM_HAPPYTALK2 /honest.and.nice/i
body __KAM_HAPPYTALK3 /beautiful.mail/i
meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam
# SETTLEMENT SPAM
header __KAM_SETTLEMENT1 From =~ /xarelto/i
header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body __KAM_SETTLEMENT3 /lawsuit.information/i
meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement
# CAD SPAM
header __KAM_CAD1 Subject =~ /cad.drawing/i
body __KAM_CAD2 /we.specialize.in/i
body __KAM_CAD3 /our.products/i
meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score KAM_CAD 3.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#SPAM WITH OFFICE MACROS
header KAM_VBMACRO X-KAM-VBMacro =~ /True/i
describe KAM_VBMACRO Message contains attachment with VB macro
score KAM_VBMACRO 6.5
#SPAM THAT INDICATES DYNAMIC IP
header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i
describe KAM_DYNIP Message contains Dynamic IP Address Indicator
score KAM_DYNIP 6.5
endif
# YELP AND OTHER REVIEW SITES
header __KAM_REVIEW1 From =~ /contractor/i
header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i
meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score KAM_REVIEW 4.5
# TOURS AND EVENTS
header __KAM_TOURS1 From =~ /festival/i
header __KAM_TOURS2 Subject =~ /adventure.tour/i
body __KAM_TOURS3 /your.adventure.tour|your.event/i
meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events
# NO MORE SPAM ENGINES
body __KAM_NOMORE1 /no.more.of.this/i
body __KAM_NOMORE2 /no.more.at.all/i
meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score KAM_NOMORE 3.5
# NOT REALLY CONFIDENTIAL
body __KAM_NOCONFIDENCE1 /confidential.information/i
meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security
# YER GON GET SASSINATED
header __KAM_ASSASSIN1 Subject =~ /want you dead/i
body __KAM_ASSASSIN2 /my identity/i
body __KAM_ASSASSIN3 /assassinate/i
body __KAM_ASSASSIN4 /like.an.accident/i
meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam
# GIMME FLASH DRIVES
header __KAM_DRIVE1 From =~ /purchase|manager/i
header __KAM_DRIVE2 Subject =~ /quotation/i
body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i
meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment
#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
# blacklist_uri_host link
#endif
#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
# HEARING LOSS
header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i
meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions
# TRACKR
header __JMQ_TRACKR1 From =~ /trackr/i
header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i
meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR
# CONGRATULATION
header __JMQ_CONGRAT1 From =~ /award|claim/i
header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam
# PICKUP
header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header __JMQ_PICKUP3 X-Mailer =~ /php/i
body __JMQ_PICKUP4 /\d+.year.old|female/i
meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number
# COMPROMISED DROPBOX
header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body __JMQ_DROPBOX3 /ach.(payment|transfer)/i
meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts
#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body __KAM_BAD_REVIEW2 /Reputation Giant/i
meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
score KAM_BAD_REVIEW 4.0
describe KAM_BAD_REVIEW Online reputation spammers
#GOOGLE AWARD
header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
body __KAM_GOOGLE_AWARD2 /selected as a winner/i
body __KAM_GOOGLE_AWARD3 /Dear Google/i
body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
endif
meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
score KAM_GOOGLE_AWARD 5.0
describe KAM_GOOGLE_AWARD Fake Google Awards
#OBFUSCATED LOANS
body KAM_OBFU_LOANS /Stüdént Lóans/i
score KAM_OBFU_LOANS 5.0
describe KAM_OBFU_LOANS Obfuscated Loan Verbiage
#WORK FROM HOME
body __KAM_WORKFROMHOME1 /work from home/i
meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score KAM_WORKFROMHOME 2.5
describe KAM_WORKFROMHOME Work from Home Spams
#STUDENT LOAN
body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
body __KAM_STUDENTLOAN2 /consolidate your loan/i
body __KAM_STUDENTLOAN3 /doesn't injured/i
body __KAM_STUDENTLOAN4 /866-351-4693/i
body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i
meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score KAM_STUDENTLOAN 4.5
describe KAM_STUDENTLOAN Student Loan Scam
#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __JMQ_RESUME1 Subject =~ /resume/i
body __JMQ_RESUME2 /hello my name|my name is/i
body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
score JMQ_RESUME 4.5
describe JMQ_RESUME Spam for bad attached resumes
endif
#LED/SOLAR LIGHTS
header __KAM_LED1 Reply-to =~ /huixinsoft\d*\@foxmail.com/i
body __KAM_LED2 /solar (lighting|led)/i
body __KAM_LED3 /China aier/i
meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 2)
describe KAM_LED Solar LED Lighting Spams
score KAM_LED 5.5
# REAL ESTATE
header __JMQ_REALESTATE1 From =~ /tom.brice/i
header __JMQ_REALESTATE2 Subject =~ /real.estate/i
body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i
meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score JMQ_REALESTATE 4.5
# IP IN FROM
header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address
# IFFY PAYPAL OF THE DAY
header __JMQ_PAYPAL2 From =~ /paypai/i
meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day
# RESUME SPAM REDUX PART 2 (WOOHOO)
meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam
# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns JMQ_SPF_NEUTRAL_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\?all$/
describe JMQ_SPF_NEUTRAL_ALL SPF set to ?all!
score JMQ_SPF_NEUTRAL_ALL 0.5
endif
# IMPORTANT MESSAGE
header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body __JMQ_IMPORTANT2 /important message/i
body __JMQ_IMPORTANT3 /please visit/i
meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important
# IMAGE TRACKERS
uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i
meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker
# WIRE TRANSFERS
header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body __JMQ_WIRE2 /medical.support|payment.sent/i
body __JMQ_WIRE3 /bank.wire|sent.out.asap/i
meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer
#bindata code in RTF
#rawbody __KAM_BADRTF1 /<w:binData/
#rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/
#meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score KAM_BADRTF 5.0
#Fake Order
body __KAM_ORDER1 /Please find document attached/i
header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i
meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score KAM_ORDER 3.0
describe KAM_ORDER Fraudulent Order Emails
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
#SHOCKING BEVERAGE
body __KAM_SHOCK1 /shocking.beverage/i
header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
body __KAM_SHOCK3 /drinking this beverage/i
meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score KAM_SHOCK 4.0
describe KAM_SHOCK Spams with energy drinks
#BEAUTY SCAM
body __KAM_BEAUTY1 /she now looks \d+/i
body __KAM_BEAUTY2 /reveals exactly/i
body __KAM_BEAUTY3 /most amazing transformation/i
header __KAM_BEAUTY4 Subject =~ /now looks \d+/i
meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score KAM_BEAUTY 4.0
describe KAM_BEAUTY Youth and Beauty Product Scams
#WEED
body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
body __KAM_WEED4 /(weed|pot).stock/i
meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score KAM_WEED 8.0
describe KAM_WEED Legal Weed and related investment scams
#LOGOS
body __KAM_LOGO1 /guru.level logo/i
header __KAM_LOGO2 Subject =~ /guru.level logo/i
body __KAM_LOGO3 /(guru.level|ready.made) logo/i
meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score KAM_LOGO 5.25
describe KAM_LOGO Logo Spam
#TRUMP COIN
body __KAM_TRUMPCOIN1 /Donald Trump/i
header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
body __KAM_TRUMPCOIN3 /special colored coin/i
meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score KAM_TRUMPCOIN 5.25
describe KAM_TRUMPCOIN Trump Coin Spam
#WATER
body __KAM_WATER1 /Never Drink Water/i
header __KAM_WATER2 Subject =~ /bottled water/i
body __KAM_WATER3 /filtered tap water/i
meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score KAM_WATER 5.25
describe KAM_WATER Water Poison Scam
#BANK
body __KAM_RUIN1 /do not deposit/i
header __KAM_RUIN2 Subject =~ /money into your bank/i
body __KAM_RUIN3 /banking institutions/i
meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score KAM_RUIN 5.25
describe KAM_RUIN Bank Phishing Scam
#BANK
body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation/i
header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym/i
body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+/i
meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 >= 3
score KAM_WEIGHT2 5.25
describe KAM_WEIGHT2 Weight loss process du jour
#AMAZING LENS
body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
header __KAM_LENS4 From =~ /hdcam|lens|inhd/i
meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score KAM_LENS 5.25
describe KAM_LENS Amazing Lens Scam
#HONOR
body __KAM_HONOR1 /greatest thing of your life/i
header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
body __KAM_HONOR3 /profession women/i
body __KAM_HONOR4 /invitation/i
meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score KAM_HONOR 6.25
describe KAM_HONOR Professional Network Scam
#Rule Dev
#Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
#uri __ALL_URI /.*/
#tflags __ALL_URI multiple
#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si
meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score KAM_BAD_UTF8 14.0
describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
#DEATH
body __KAM_DEATH1 /prevent early.death/i
header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
body __KAM_DEATH3 /Eating this|before it.?s too late/i
body __KAM_DEATH4 /heart.(attack|stops)/i
meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score KAM_DEATH 6.25
describe KAM_DEATH Supplement Scam
#REWARD
body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i
meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score KAM_REWARD 5.25
describe KAM_REWARD Coupon Scam
#PACKAGE
body __KAM_PACKAGE1 /dysfunction|\dx longer/i
body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
header __KAM_PACKAGE3 Subject =~ /sex/i
header __KAM_PACKAGE4 From =~ /function|fivex/i
meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score KAM_PACKAGE 4.25
describe KAM_PACKAGE Sexual Enhancement Scam
#NUM
header __KAM_NUMSUBJECT Subject =~ /\d+$/
header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/
meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
score KAM_NUMSUBJECT 0.5
describe KAM_NUMSUBJECT Subject ends in numbers excluding current years
#BAD PDF
header KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+/i
score KAM_MGCS 10.0
describe KAM_MGCS Boundary Content Indicative of Ratware
#NetWeaver
header KAM_NW X-Mailer =~ /SAP NetWeaver/i
score KAM_NW 2.75
describe KAM_NW Spam Indicator
#STOCKTIP OBFU
body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
body __KAM_STOCKOBFU2 /first letter/i
header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i
meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
score KAM_STOCKOBFU 4.5
#FAKE BBB/FLSA NOTICES
header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i
meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe KAM_FAKEBBB Fake Notices for Various Business Violations
score KAM_FAKEBBB 12.0
#HOWRU
#header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
body __KAM_HOWRU4 /gmx.com|rambler.ru/i
meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe KAM_HOWRU Female Chat Scam
score KAM_HOWRU 8.0
# 2017-11-01, note 56146
body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i
body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i
meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)
meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)
score KAM_DOMAIN_SALE_2 3.0
score KAM_DOMAIN_SALE_3 1.0
meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)
score KAM_DOMAIN_SALE_INTRUDE 1.0
describe KAM_DOMAIN_SALE_2 Domain Selling Spam
describe KAM_DOMAIN_SALE_3 Domain Selling Spam
describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam
# 2017-11-08, lonely russian women Whack-A-Mole
# Likely Overlap with HOWRU rules, similar target. No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.
header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /[a-z]+$/i
header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i
meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)
score KB_WAM_LONELY_WOMEN 5.0
describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day
body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you)\b/i
#meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#All Control chars like NUL except \n which should exist once legitimately
#Investigating double-byte language FP. Reverting back to just \0
#header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
header __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
#\n Multiple in the From Header
header __KAM_MAILSPLOIT2 From =~ /[\n]/
describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
tflags __KAM_MAILSPLOIT2 multiple maxhits=2
meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
score KAM_MAILSPLOIT 10.0
#cc in From - Thanks to Dave Jones for idea
header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
score KAM_CCFROM1 5.0
#MailBox Verify Phish
header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box/i
body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota/i
header __KAM_MAILBOXFROM From =~ /mailbox/i
meta KAM_BOXPHISH (__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA >= 5)
describe KAM_BOXPHISH Mailbox verification phishing scams
score KAM_BOXPHISH 4.0
#SWISSCOIN, ETC.
body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i
meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
describe KAM_CRYPTO Crypto Currency Spam Du Jour
score KAM_CRYPTO 8.0
#COMPROMISED CMS - Thanks to Jing Shan for the idea
uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
uri __KAM_CMS2 /\/erroreng\/erroreng\//i
uri __KAM_CMS3 /twentythirteen\/Upgrade\/?email=/i
meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
describe KAM_CMS Indicators that a CMS has been exploited for Spammers
score KAM_CMS 1.0
#WESTERN UNION SCANS
header __KAM_WU1 from:addr !~ /\@westernunion.com/i
header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
uri __KAM_WU3 /western.umt/i
meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
describe KAM_WU Western Union Scam
score KAM_WU 5.0
#WEB CRIMINALS
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(eliminate|destroy) (the|this) (videotape|evidence|promising evidence)|complain to the cops/i
body __KAM_CRIM2 /(bitcoin|BTC|bitcоi)/
body __KAM_CRIM3 /make a payment|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin wall|BTC wallet|BTC cryptocurrency/i
body __KAM_CRIM4 /porn|compromising evidence|masturb|playing with yourself|wanking/i
body __KAM_CRIM5 /(twenty.?four|24).?hours|(24|32|12) h\. (since|from) (now|this moment)|one day after opening|tracking pixel/i
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content/i
meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 7.5
#GIRLS
body __KAM_GIRLS1 /Lack of sex/i
meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
describe KAM_GIRLS Girl Chat Scam du Jour
score KAM_GIRLS 7.0
#EOF
|