#KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules
#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
# Bill Cole & Giovanni Bechis
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
# at https://raptor.pccc.com/raptor.cgim?template=report_problem
#HomePage: http://www.mcgrail.com/downloads/KAM.cf
#Installation: There are multiple files that make up the KAM ruleset including
#heavyweight, deadweight, & nonKAMrules. The KAM ruleset is now a channel!
#
#Please see https://mcgrail.com/template/kam.cf_channel for more information
#The ruleset includes internal rules so not every rule will be useful but
#we encapsulate those in a KAMOnly defined loop.
#KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity. Donations
#are appreciated. See www.mcgrail.com for more information on donations and
#sponsorships.
#THANK YOU TO OUR SPONSORS (in Alphabetical Order):
#cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver
#This is a collection of special rules that I have developed and use on my system.
#
#The exact date is lost to the sands of time but we have been publishing this
#ruleset since at least May 2004.
#
#They are intended as live research for committal to SpamAssassin's SVN sandbox but
#often rely on my corpora so they do not fare well in masschecks.
#
#You are welcome and encouraged to email me directly regarding suggestions.
#To avoid being caught by our filters, false positives and negatives should be
#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#I believe the rules are safe and they are in use on production systems so I will
#do my best to respond to FPs *especially* if you can send me an email sample.
#
#IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.
#It is best to save an email sample in mbox format and zip it to attach to get
#around my filters. It is sometimes best to send samples in a second email so I
#know to go looking for it in my spam folders.
#
#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
# - I don't view many of my rules as single rules as I typically use meta rules.
# I view meta rules as multiple rules hence a larger score is acceptable.
#
# - Some content needs to be blocked either due to large number of complaints or
# for content. For example, the sexually explicit items and the stock tips.
# FPs in these rules will be quickly addressed.
#Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# COURTESY OF Marcin Mirosław <marcin@mejor.pl>
body __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
rawbody __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
meta KAM_MM_FOREX __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
score KAM_MM_FOREX 2.5
describe KAM_MM_FOREX Polish-language spam from the Forex botnet
#PHISHING TEST
rawbody KAM_PHISH1 /u style="cursor: pointer"/
describe KAM_PHISH1 Test for PHISH that changes the cursor
score KAM_PHISH1 0.01
header __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank|support/i
body __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert|suspended/i
body __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed|owner of this account/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
endif
meta KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
score KAM_PHISH4 3.5
describe KAM_PHISH4 Another phishing attempt
#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
body __KAM_REAL1 /(^|\b)RE market/is
body __KAM_REAL2 /(crashing|declining)/i
body __KAM_REAL3 /(vacation|second) (home|place)/is
meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe KAM_REAL Real Estate or Re-Finance Spam
score KAM_REAL 0.5
#REFINANCE SCAM EMAILS
header __KAM_REFI1 Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
body __KAM_REFI7 /(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header __KAM_REFI8 From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i
meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
describe KAM_REFI Real Estate / Re-Finance Spam
score KAM_REFI 3.0
meta KAM_REFI2 (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
describe KAM_REFI2 Real Estate / Re-Finance Spam
score KAM_REFI2 2.75
#KAM ERADICATE DEBTS
body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is
meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe KAM_DEBT Debt eradication spams
score KAM_DEBT 2.5
meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe KAM_DEBT2 Likely Debt eradication spams
score KAM_DEBT2 1.0
#XtraSize+ Penis Enlargement Scam
header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
body __KAM_SILD2 /(XtraSize\+|Sildenafil Citrate)/i
meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
describe KAM_SILD Simple rule to block one more enhancement message
score KAM_SILD 5.0
#if (version < 3.002000)
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
# #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
# header __KAM_NUMBER1 Subject =~ /^\d+$/
# body __KAM_NUMBER2 /\d{1,6}/
# header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
#
# meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
# describe KAM_NUMBER Silly Number Emails
# score KAM_NUMBER 1.0
#endif
#KAM MEDICATION KAM_OVERPAY
body KAM_OVERPAY /O . V . E . R . P . A . Y/i
describe KAM_OVERPAY Common Medicinal Ad Trick
score KAM_OVERPAY 3.5
#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
replace_rules __KAM_VIAGRA2
body __KAM_VIAGRA1 /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
header __KAM_VIAGRA2 Subject =~ /<V1><I1><A1><G1><R1><A1>/i
meta KAM_VIAGRA1 (__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA1 3.0
#VIAGRA AD 2
body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA2 3.1
#VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
#body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
#describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
#score KAM_VIAGRA3 3.1
#VIAGRA AD 4
body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
# FP for Via Great thanks to Shane Williams
body __KAM_VIAGRA_FPS /via gre?a|i augur/i
meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA4 3.1
#VIAGRA AD 5
body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA5 3.1
#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
#Also added a few more boundary checks thanks to Daniele Duca
body __KAM_VIAGRA6A /V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
body __KAM_VIAGRA6B /(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
body __KAM_VIAGRA6D /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header __KAM_VIAGRA6E From =~ /Viagra|Cialis(\b|$)/i
meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA6 3.1
#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
body __KAM_VIAGRA7A /V[ij]+AGRA/i
body __KAM_VIAGRA7B /(^|\b)C[ij]+AL[ij]+S($|\b)/i
body __KAM_VIAGRA7C /(^|\b)AMB[ij]+EN($|\b)/i
body __KAM_VIAGRA7D /VAL[ij]+UM/i
meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA7 3.1
#VIAGRA AD 8
body __KAM_VIAGRA8A /VI...?AGRA/i
body __KAM_VIAGRA8B /AM...?BIEN/i
body __KAM_VIAGRA8C /VA...?LIUM/i
body __KAM_VIAGRA8D /CI...?ALIS/i
meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA8 5.1
#VIAGRA AD 9
body __KAM_VIAGRA9A /V[IL1]A..GRA/i
body __KAM_VIAGRA9B /AMB..IEN/i
body __KAM_VIAGRA9C /VAL..IUM/i
body __KAM_VIAGRA9D /C[IL1]A..LIS/i
meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA9 5.1
#VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
header __KAM_VIAGRA10A From =~ /male enhancement|mens.renewal/i
header __KAM_VIAGRA10B Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i
meta KAM_VIAGRA10 (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
describe KAM_VIAGRA10 Male enhancement spam with no content
score KAM_VIAGRA10 8.0
#NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
header __KAM_NITROXIN1A From =~ /nitroxin/i
meta KAM_NITROXIN1 (__KAM_NITROXIN1A >= 1)
describe KAM_NITROXIN1 Another variant of Viagra spam
score KAM_NITROXIN1 8.0
#RE[#] SPAM
#NOTE: Thanks to "Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe KAM_RE Subject of Re[0]: etc prevalent in Spam
score KAM_RE 2.0
meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
score KAM_RE_PLUS 4.0
#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#Thanks to Michael Denney for the FP report
header __KAM_HOODIA1 Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody __KAM_HOODIA2 /(?:hoodia|920\+)/i
body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is
meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe KAM_HOODIA Hoodia / Weight Loss Product Promotion Spam
score KAM_HOODIA 3.0
#STOCK TIPS
##1 through 120 disabled 5-12-2014 due to age
##body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
##body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
##body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
##body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
##body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
##body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
##body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
##body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
##body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
###THANKS TO HOMER PARKER FOR THE FALSE POSITIVE NOTE!
##body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
##body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
##body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
##body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
##body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
##body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
##body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
##body __KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
##body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
##body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
##body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
##body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
##body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
##body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
##body __KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
##body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
##body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
##body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
##body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
##body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
##body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
##body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
##body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
##body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
##body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
##body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
##body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
##body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
##body __KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
##body __KAM_STOCKTIP39 /Premium Petroleum/is
##body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
##body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
##body __KAM_STOCKTIP42 /DPEK/i
###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
##body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
##body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
##body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
##body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
##body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
###DISABLED DUPLICATE OF 40
###body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
##body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
##body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
##body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
##body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
##body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
##body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
##body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
##body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
##body __KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
##body __KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
##body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
##body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
##body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
##body __KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
##body __KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
###DISABLED FOR FALSE POSITIVES AND AGE
###body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
##body __KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
##body __KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
##body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
##body __KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
##body __KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
##body __KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
##body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
##body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
###FP FIXED THANKS TO Christopher X. Candreva
##body __KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
##body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
##body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
###FP FIXED THANKS TO Homer Parker
##body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
##body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
##body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
##body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
##body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
##body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
##body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
##body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
##body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
##body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
##body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
##body __KAM_STOCKTIP89 /UTEV/i
##body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
##body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
##body __KAM_STOCKTIP92 /CBRJ/i
##body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
##body __KAM_STOCKTIP94 /GTAP/i
##body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
###FP FIXED THANKS TO BRETT GARRETT
##body __KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
##body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
##body __KAM_STOCKTIP98 /PLMA/i
##body __KAM_STOCKTIP99 /CDYV/i
##body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
###Added boundary check thanks to Michael Denney
##body __KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
##body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
##body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
##body __KAM_STOCKTIP104 /ASVP/is
##body __KAM_STOCKTIP105 /CHVC/is
##body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
##body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
##body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
##body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
###DUPLICATED STOCKTIP #51
###body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
##body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
###FP Fixed thanks to Greg Troxel
##body __KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
##body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
###FP FIXED THANKS TO Antonio Falzarano
##body __KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
##body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
##body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
##body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
###FALSE POSITIVE ON DANSREALESTATE.
##body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
##body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
##body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
body __KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body __KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body __KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body __KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
#FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
body __KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
#Added boundary check thanks to Michael Denney
body __KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
body __KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
body __KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body __KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
body __KAM_STOCKTIP136 /(PrimeGen Energy|(\b|^)PGNE(\b|$))/is
body __KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
body __KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
body __KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
#FP IN French email on 3/2/2017
#body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
body __KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
body __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
body __KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body __KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body __KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
#FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
body __KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
body __KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body __KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body __KAM_STOCKTIP150 /MONARCHY RESOURCES/i
body __KAM_STOCKTIP151 /Alanco Tech/i
body __KAM_STOCKTIP152 /Siga Resources/i
body __KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
body __KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
body __KAM_STOCKTIP155 /Alanco Technologies/is
body __KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
#body __KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
body __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
body __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
body __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
body __KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
body __KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
body __KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
body __KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
body __KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
body __KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
body __KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
body __KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
body __KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s
body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body __KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
header __KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
body __KAM_INSTOCK /in stock/i
# ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
meta KAM_STOCKTIP (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)
describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
score KAM_STOCKTIP 7.1
#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score __KAM_STOCK3 0.1
describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol
#GENERIC STOCK RULE
meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
score KAM_STOCKGEN 1.5
#KAM STOCK RULE #2
body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
body __KAM_STOCK2_3 /stock/i
body __KAM_STOCK2_4 /trader|investor|analyst|royalties/i
header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
header __KAM_STOCK2_6 From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i
meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
score KAM_STOCK2 2.5
describe KAM_STOCK2 Another Round of Pump & Dump Stock Scams
#JUDGEMENTS
body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body __KAM_JUDGE3 /collect your money/is
body __KAM_JUDGE4 /judgment/i
#FULL-WEIGHT
header __KAM_JUDGE5 Subject =~ /judgment/i
meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
score KAM_JUDGE 2.5
#MEDS
body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body __KAM_MED2 /\d\d ?%/
describe KAM_MED Economizing your meds spam
meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
score KAM_MED 1.5
#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
describe KAM_MED2 More Medical SPAM
meta KAM_MED2 (__KAM_MED2_1 >= 1)
score KAM_MED2 1.0
#TIME PIECE
header __KAM_TIME1 Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
#0.50 WEIGHTED TESTS
body __KAM_TIME2 /(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header __KAM_TIME3 Subject =~ /(\b|^)(time|watch)(\b|$)/i
body __KAM_TIME4 /(\b|^)(time|watch)(\b|$)/i
body __KAM_TIME5 /(funny|low) price|treat.yourself/i
#REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
meta KAM_TIME __KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
score KAM_TIME 3.0
meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
describe KAM_TIMEGEO Email references geocities & wrist watch sales
score KAM_TIMEGEO 3.5
#YOUR HOME
body __KAM_HOME1 /YOUR HOME|Federal Housing Assistance Program|near.your.area/i
body __KAM_HOME2 /Build your equity faster|refund is not reversible|rent.to.own/i
body __KAM_HOME3 /tax saving plans|\d+K Mortgage Credit|no.more.of/i
header __KAM_HOME4 From =~ /rent.?and.?own|rent.own.list/i
header __KAM_HOME5 Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i
meta KAM_HOME (__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
describe KAM_HOME Mortgage & Refinance Spam Rule
score KAM_HOME 3.5
#UNIVERSITY RULE
body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
body __KAM_UNIV3 /(past work|based on your|earned from|life|life and work|present work) experience/is
body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
body __KAM_UNIV5 /novelty (degree|use)/is
body __KAM_UNIV6 /verifiable University Degree/is
body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
body __KAM_UNIV8 /Career Path/is
body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[o�][i�]ce/is
body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
body __KAM_UNIV14 /(earn a|full) transcript/is
body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[e�]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body __KAM_UNIV18 /100% discrete/is
body __KAM_UNIV1B /\d (months|weeks)/i
body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[�o]me a do[c�]tor|get your diploma today)/is
body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
body __KAM_UNIV6B /DIP\sLOMA/
meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe KAM_UNIV Diploma Mill Rule
score KAM_UNIV 4.5
#URUNIT
body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
describe KAM_URUNIT Recent penile and body enhancement spams
score KAM_URUNIT 0.5
#UR ZEST
body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe KAM_URZEST Recent penile and body enhancement spams
score KAM_URZEST 3.0
#JOB LET GO
body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body __KAM_JOB2 /twice as much/is
meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
describe KAM_JOB People let go, work at home, earn billions!
score KAM_JOB 4.3
#PERIMETERPARK
body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
score KAM_PERPARK 2.5
#HOLLYWOOD WAY
body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
score KAM_HOLLY 2.5
#PUMP & DUMP STOCK GRAPHICS
header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
describe KAM_STOCKG Graphical Pump and Dump Scams
score KAM_STOCKG 3.0
#CEP Diploma Mill
body __KAM_CEP1 /Job Prospect Newsletter|training.workshop/i
body __KAM_CEP2 /legitimate verifiable degree|build a better you|domain.knowledge/i
body __KAM_CEP3 /Career Education program|customize a learning program|certified.instructor/i
body __KAM_CEP4 /(MBA|CEP)/
body __KAM_CEP5 /degree\/certificates|certification/i
body __KAM_CEP6 /\d (week|month)/i
header __KAM_CEP7 From =~ /certificate program/i
meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
describe KAM_CEP CEP Diploma Mill Rule
score KAM_CEP 3.5
#Commented since 3.2.0 is pretty old now
#if (version < 3.200000)
# #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
# meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
# describe KAM_BLANK01 Blank emails
# score KAM_BLANK01 1.0
#
# #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
# meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
# describe KAM_BLANK02 Blank emails with MTA Headers
# score KAM_BLANK02 1.0
#endif
#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
score KAM_GEO_STRING2 4.7
#KAM GOOGLE SPAM
uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
score KAM_GOOGLE_STRING 1.0
#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri KAM_MSNBR_REDIR /g.msn.com.br\/BR9\/1369.0/i
describe KAM_MSNBR_REDIR Use of MSN Brasil Redirector for Spam seen in 2011
score KAM_MSNBR_REDIR 5.0
#KAM MSN SPAM
uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score KAM_MSN_STRING 2.5
#KAM LIVEJOURNAL SPAM
uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta KAM_LIVE (__KAM_LIVE1)
describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
score KAM_LIVE 1.0
#KAM PAGE.TL SPAM - idea from Benny Pedersen
uri __KAM_PAGE1 /^http:\/\/.{0,20}\.(page\.tl)/i
meta KAM_PAGE (__KAM_PAGE1)
describe KAM_PAGE Page.TL likely spam (Nov 2011)
score KAM_PAGE 2.0
# This rule marks emails that attempt to exploit the URI parsing bug
uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
score KAM_URIPARSE 7.0
#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
#describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
#score KAM_EBAYREDIR 7.0
# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
#
#
#What is the correct syntax for AOL e-mail addresses?
#The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
#Valid AOL e-mail addresses can not:
#Be shorter than 3 or longer than 16 characters.
#Begin with numbers.
#Contain punctuation of any kind (such as periods, underscores, or dashes).
#
#
#2017-10-24 upon evidence that AOL no longer follows their syntax.
#Awaiting an updated version however KAM predicts that with the merger that this
#is likely to accommodate other systems like Verizon coming under the same infrastructure.
#UPDATED 2018-02-20
#THANKS to Angel from 16bits for this research:
#Based on tests at https://i.aol.com/reg/signup shows:
#
#Username cannot
#
#a) "Be shorter than 3"
# This is being enforced: «Please make sure that the username field is at
#least 3 characters long.»
#
#b) or longer than 16 characters.
#The userName field has a maxlength of 32
#(intriguingly, there's also a hidden usernameEmail of up to 97
#characters)
#
#c) Begin with numbers.
#This is being enforced «Your username must begin with a letter.»
#
#d) Contain punctuation of any kind (such as periods, underscores, or
#dashes).
#Both periods and underscores are accepted (they are even offered in the
#dropbox), dashes are not.
#«Your username may not contain characters such as @, !, * or $.»
#
#Periods and underscores may not begin or end the username, or be
#consecutive (not between themselves), ie. these two characters may only
#appear when surrounded by alphanumeric ones.
#
#(this condition for periods actually comes from rfc5321, assuming you
#want to avoid quoting the local part)
#
#
#Basically, it seems they added . and _ to the allowed characters, and
#doubled the username size.
#
#
#The error messages at
#https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
#
#"Please make sure that the username field is at least 3 characters
#long."
#"Please make sure that the username field is at least 3 characters
#long."
#"Your username may not exceed "+regPageData.snMax+" characters."
#"Your username must begin with a letter."
#"Your username may not contain characters such as @, !, * or $.",
#"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
#"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
#"Usernames cannot end with a dot (.) or underscore (_)."
#"Usernames cannot have consecutive dots (..) or underscores (__)."
#
#"Please make sure that the email address is at least 3 characters long."
#"Your email address may not exceed 97 characters."
header __KAM_AOL From:addr =~ /\@aol\.(com|co\.uk)/i
# username portion must be between 3 & 16 chars, starting with a letter
header __KAM_GOODAOL1 From:addr =~ /^[a-z].{2,15}\@aol\.(com|co\.uk)/i
# certain punctuation not allowed - This is likely not exhaustive
header __KAM_BADAOL1 From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/
# no consecutive periods or underscores
header __KAM_BADAOL2 From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/
# cannot end with . or underscore
header __KAM_BADAOL3 From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i
meta KAM_BADAOL (__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
describe KAM_BADAOL Invalid AOL Address
score KAM_BADAOL 7.0
meta KAM_GOODAOL __KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL) && SPF_PASS
describe KAM_GOODAOL Valid AOL Email Address
score KAM_GOODAOL -1.0
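#Added example (not part of the KAM ruleset): a Python harness that evaluates the AOL
#sub-rules and metas above against constructed From addresses and compares the verdict
#with the username syntax recorded in the 2018-02-20 notes. The sample addresses, the
#function names and the single-regex encoding of that syntax are assumptions of this example.

```python
import re

# Sub-rule patterns copied from the header rules above; re.I mirrors a trailing /i.
RULES = {
    "__KAM_AOL": re.compile(r"\@aol\.(com|co\.uk)", re.I),
    "__KAM_GOODAOL1": re.compile(r"^[a-z].{2,15}\@aol\.(com|co\.uk)", re.I),
    "__KAM_BADAOL1": re.compile(r"[-\!\*\$].*\@aol\.(com|co\.uk)"),
    "__KAM_BADAOL2": re.compile(r"(\.\.|__).*\@aol\.(com|co\.uk)"),
    "__KAM_BADAOL3": re.compile(r"(\.|_)\@aol\.(com|co\.uk)", re.I),
}
SCORES = {"KAM_BADAOL": 7.0, "KAM_GOODAOL": -1.0}

# Syntax from the 2018-02-20 notes: 3 to 32 characters, begins with a letter,
# '.' and '_' only between alphanumerics. Writing it as one regex is an
# assumption of this example, not something the ruleset contains.
NOTES_LOCALPART = re.compile(r"^[a-z][a-z0-9]*(?:[._][a-z0-9]+)*$", re.I)


def subrule_hits(from_addr):
    """Run every sub-rule regex against the From:addr value."""
    return {name: bool(rx.search(from_addr)) for name, rx in RULES.items()}


def evaluate(from_addr, spf_pass=False):
    """Apply the KAM_BADAOL and KAM_GOODAOL meta expressions as written above."""
    hit = subrule_hits(from_addr)
    bad = (hit["__KAM_AOL"] and not hit["__KAM_GOODAOL1"]) or (
        hit["__KAM_BADAOL1"] + hit["__KAM_BADAOL2"] + hit["__KAM_BADAOL3"] >= 1
    )
    good = hit["__KAM_AOL"] and hit["__KAM_GOODAOL1"] and not bad and spf_pass
    fired = [name for name, on in (("KAM_BADAOL", bad), ("KAM_GOODAOL", good)) if on]
    return {
        "KAM_BADAOL": bad,
        "KAM_GOODAOL": good,
        "score": sum(SCORES[name] for name in fired),
        "subrules": sorted(name for name, on in hit.items() if on),
    }


def documented_syntax_ok(from_addr):
    """True when the address fits the username syntax described in the notes."""
    local, _, domain = from_addr.rpartition("@")
    return (
        domain.lower() in ("aol.com", "aol.co.uk")
        and 3 <= len(local) <= 32
        and bool(NOTES_LOCALPART.match(local))
    )


def audit(addresses):
    """Addresses the notes' syntax accepts but KAM_BADAOL still hits."""
    return [
        addr for addr in addresses
        if documented_syntax_ok(addr) and evaluate(addr)["KAM_BADAOL"]
    ]


# Constructed sample addresses, not taken from real mail.
SAMPLES = [
    "jsmith@aol.com",                # plain username
    "john.doe@aol.com",              # single period between alphanumerics
    "averylongusername123@aol.com",  # 20 characters, inside the 32 limit
    "1abc@aol.com",                  # begins with a digit
    "ab@aol.com",                    # shorter than 3
    "john..doe@aol.com",             # consecutive periods
    "john_@aol.com",                 # ends with an underscore
    "john-doe@aol.com",              # dash
    "user@example.com",              # not an AOL address
]

if __name__ == "__main__":
    for addr in SAMPLES:
        result = evaluate(addr, spf_pass=True)
        print(f"{addr:32} score={result['score']:+.1f} {result['subrules']}")
    print("accepted by the notes but hit by KAM_BADAOL:", audit(SAMPLES))
```

#audit(SAMPLES) lists the addresses to review for false positives before keeping the
#7.0 score: here the 20-character username, because __KAM_GOODAOL1 stops at 16 characters.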
# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header KAM_ADV_EMAIL From:addr =~ /adv\@/i
describe KAM_ADV_EMAIL Marks adv@<domain.com> Addresses as likely SPAM
score KAM_ADV_EMAIL 5.0
#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header __KAM_SEX_EXPLICIT2 Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
#TRYING TO GET RID OF FPs WITH LAST NAMES
header __KAM_SEX_EXPLICIT3 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^))/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body __KAM_SEX_EXPLICIT4 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs/i
#remove f\#ck for FPs
header __KAM_SEX_EXPLICIT5 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
body __KAM_SEX_EXPLICIT6 /virus on a porn web/i
meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
score KAM_SEX_EXPLICIT 16.0
#SOLICITING AFFAIR SPAM
header __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
header __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
rawbody __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
rawbody __KAM_SEX_AFFAIR4 /looking.for.affair/i
meta KAM_SEX_AFFAIR (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
describe KAM_SEX_AFFAIR Subject or body soliciting an affair
score KAM_SEX_AFFAIR 8.0
#KAM_TELEWORK
body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
body __KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
body __KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
header __KAM_TELEWORK8 From =~ /training|online/i
meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
describe KAM_TELEWORK Stupid telework and training scams
score KAM_TELEWORK 3.0
#Changed to meta 2017-10-17
#2017-10-23 - Removed .link. Uniregistry has committed to reviewing abuse concerns.
#2019-11-24 - Removed .bid for FPs
#2020-06-04 - Added FP check for td.date and div.top
#2020-08-23 - Added guru
header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa)$/i
uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|Casa)($|\/)/i
#FPs
uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa & .date TLD Abuse
score KAM_SOMETLD_ARE_BAD_TLD 5.0
#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
#ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# enlist_addrlist (BADTLDS) *@*.pw
# enlist_addrlist (BADTLDS) *@*.stream
# enlist_addrlist (BADTLDS) *@*.trade
# enlist_addrlist (BADTLDS) *@*.bid
# enlist_addrlist (BADTLDS) *@*.press
# enlist_addrlist (BADTLDS) *@*.top
# enlist_addrlist (BADTLDS) *@*.date
#
# header __KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS')
# body __KAM_SOMETLD_ARE_BAD_TLD_URI eval:check_uri_host_listed('BADTLDS')
#endif
#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#TESTING RULE
body KAM_LOCAL_TEST1 /myspamtest12341234/
describe KAM_LOCAL_TEST1 This is a unique phrase to trigger a + score
score KAM_LOCAL_TEST1 50
#REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
score KAM_RPTR_FAILED 6.0
header __KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
meta KAM_RPTR_SUSPECT (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
describe KAM_RPTR_SUSPECT Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
score KAM_RPTR_SUSPECT 2.45
#REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
score KAM_RPTR_PASSED -1.0
header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0
#DWDTECHSPAM /ETC
header KAM_RPTR_BADHOST X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
describe KAM_RPTR_BADHOST Very Spammy Hosting Company Identified
score KAM_RPTR_BADHOST 9.0
#CUSTOM SCORES THAT KAM LIKES
#score SARE_GIF_ATTACH 3.0
score CHARSET_FARAWAY_HEADER 1.6
score MIME_CHARSET_FARAWAY 1.25
score FH_FROM_CASH 2.0
score EWG_BAD_40 1.5
score EWG_BAD_47 1.5
score EWG_BAD_54 1.5
score FREEMAIL_ENVFROM_END_DIGIT 1.0
score FREEMAIL_REPLYTO 1.0
score KHOP_BIG_TO_CC 1.5
score URIBL_DBL_SPAM 5.0
score AC_HTML_NONSENSE_TAGS 4.0
#ENABLING DNSWL - BUG 6668
score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
score RCVD_IN_DNSWL_HI 0 -5 0 -5
#COMPLETE WHOIS IS DOWN
#score __RCVD_IN_WHOIS 0
#score RCVD_IN_WHOIS_INVALID 0
#score URIBL_COMPLETEWHOIS 0
#Custom subject whitelist
#header FRANCHISE_JERRY Subject =~ /: (Franchise Application|Request Franchise Information)$/i
#score FRANCHISE_JERRY -99.0
#describe FRANCHISE_JERRY Jerry's Franchise Application or Request
header KAM_INVALID_FROM X-KAM-From =~ /From Header Missing Host/
describe KAM_INVALID_FROM From header missing host portion
score KAM_INVALID_FROM 4.0
#RAPTOR ALTERED EMAILS
#body __KAM_RAPTOR1 /altered by our Raptor filters/i
#header __KAM_RAPTOR2 X-KAM-Raptor-Alter =~ /True/
#meta KAM_RAPTOR (__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
#describe KAM_RAPTOR PCCC Raptor altered the email
#score KAM_RAPTOR 3.5
#NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
score RCVD_IN_NJABL_CGI 0
score RCVD_IN_NJABL_MULTI 0
score RCVD_IN_NJABL_PROXY 0
score RCVD_IN_NJABL_RELAY 0
score RCVD_IN_NJABL_SPAM 0
score __RCVD_IN_NJABL 0
if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
dns_query_restriction deny njabl.org
endif
#KAM Bad Attach
header KAM_BADATTACH X-KAM-BadAttach =~ /^True/
describe KAM_BADATTACH Mail contains a bad attachment
score KAM_BADATTACH 15.0
#RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
#score URIBL_RHS_DOB 0.0
else
# no KAMOnly, stub rules
meta KAM_RAPTOR_ALTERED 0
score KAM_RAPTOR_ALTERED 0
meta CBJ_GiveMeABreak 0
score CBJ_GiveMeABreak 0
meta KAM_RPTR_SUSPECT 0
score KAM_RPTR_SUSPECT 0
meta KAM_RPTR_FAILED 0
score KAM_RPTR_FAILED 0
meta KAM_RPTR_PASSED 0
score KAM_RPTR_PASSED 0
endif
#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
score KAM_6C822ECF 7.0
#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe KAM_MUSTREAD Subject indicative of a SPAM message
score KAM_MUSTREAD 1.25
body __KAM_DRILL1 /drilling/i
body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body __KAM_DRILL4 /(buy today|Check this deal out)/i
meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe KAM_DRILL Oil Drilling SPAM
score KAM_DRILL 1.5
#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
describe KAM_IFRAME Email contained Iframe, Object or Script tags
score KAM_IFRAME 1.0
body KAM_IFRAME2 /you need a browser with javascript/i
describe KAM_IFRAME2 Email contains phrase instructing javascript use
score KAM_IFRAME2 1.0
meta KAM_IFRAME3 (KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
score KAM_IFRAME3 5.0
describe KAM_IFRAME3 Likely email exploit - Email shouldn't require javascript in an email attachment
#XEROX SCANS
header __KAM_XEROX1 Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
meta KAM_XEROX (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
score KAM_XEROX 5.0
describe KAM_XEROX Likely Fake Xerox Attachment
else
# no KAMOnly, stub rules
meta KAM_IFRAME 0
score KAM_IFRAME 0
endif
#STUPID REMOVE "*" to make the link working.
body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
meta KAM_STAR (__KAM_STAR1 >= 1)
describe KAM_STAR Stupid Obfuscated Link SPAMs
score KAM_STAR 2.0
#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATTED ALL THE SAME.
body __KAM_SPAMKING1 /This advertisement is presented by/is
body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
score KAM_SPAMKING 1.0
#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
score KAM_SPAMJDR 2.0
meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
score KAM_COMBOJDR 5.0
#LOTTO CRUD
body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
body __KAM_LOTTO4 /(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
body __KAM_LOTTO5 /(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is
body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i
header __KAM_LOTTO8 From =~ /Lottery|powerball|western.union/i
header __KAM_LOTTO9 Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i
meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
score KAM_LOTTO1 0.75
meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
score KAM_LOTTO2 1.25
meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
score KAM_LOTTO3 3.0
#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
body __KAM_ABOUT2 /Spyware/i
meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
describe KAM_ABOUT Email Scam Hawking Anti-Spyware
score KAM_ABOUT 1.0
#EMAIL ADVERTISING
body __KAM_ADVERT1 /email advertising|\d{3}%.roi/is
body __KAM_ADVERT2 /instant traffic (to your website|and sales)|demand.generation/is
body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i
meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
score KAM_ADVERT 2.5
#DOMAIN ADVERTISING
body KAM_ADVERT3 /AllExpiringDomains.com/i
describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
score KAM_ADVERT3 5.0
#ADVERTISEMENT
body KAM_ADVERT2 /No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment/is
describe KAM_ADVERT2 This is probably an unwanted commercial email...
score KAM_ADVERT2 0.75
#ONE LINE ADVERTISEMENTS
body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe KAM_1LINE One liner SPAMs
score KAM_1LINE 2.5
#CAN SPAM
body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
score KAM_CANSPAM 1.0
#GIFTS / GIFT CARDS
body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
body __KAM_GIFT5 /member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i
meta KAM_GIFT ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
describe KAM_GIFT Gift Card Scams
score KAM_GIFT 3.5
meta KAM_GIFT2 ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
describe KAM_GIFT2 Gift Card Scams
score KAM_GIFT2 3.5
#MYSTERY SHOPPER
body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
body __KAM_SHOP2 /Do you like to shop/is
body __KAM_SHOP3 /make money while you shop/is
meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe KAM_SHOP Mystery Shopper Scams
score KAM_SHOP 2.0
#FAST CASH
rawbody __KAM_FAST1 /make fast cash in real estate/is
meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
score KAM_FAST 1.8
#BIZ CARDS FREE!
body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe KAM_BIZ Free Business Card Emails
score KAM_BIZ 2.5
#FDA
body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
body __KAM_FDA3 /FDA Recall/i
meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
score KAM_FDA 0.5
#WEIGHT LOSS
body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
#rawbody __KAM_WEIGHT4 /shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
header __KAM_WEIGHT5 From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i
#ANATRIM / GREEN TEA / CORTITHERM / ETC
body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i
meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
describe KAM_ANA Likely Weight-loss / Medical Spam
score KAM_ANA 3.0
meta KAM_ANA2 (__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
describe KAM_ANA2 Higher probability of Weight-loss / Medical Spam
score KAM_ANA2 3.5
#REPLACE
body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
body __KAM_REP2 /www\s+[-!~\.]/i
body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
body __KAM_REP3_1 /\*omit empty spaces/is
body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe KAM_REPLACE Spams that use obfuscated URLs with instructions
score KAM_REPLACE 2.0
#EVEN MORE NIGERIAN SCAMS AND VARIANTS
body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i
meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe KAM_NIGERIAN Nigerian Scam and Variants
score KAM_NIGERIAN 2.5
#I LIKE YOUR SPAM
body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
body __KAM_LIKE4 /HTML code for the link/is
body __KAM_LIKE5 /I apologize if this message was sent, in error/is
meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe KAM_LIKE I like your website link exchange spam
score KAM_LIKE 2.0
#PUBLICLY AVAILABLE LISTS?
body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
score KAM_PUBLIC 9.0
#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body __KAM_SEX2 /(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i
describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
score KAM_SEX 7.0
meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)
#STUPID PICTURE SPAMS
body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
body __KAM_PIC2 /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
body __KAM_PIC3 /like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
body __KAM_PIC5 /picture|photo|my pics|appended my pic/i
describe KAM_PIC Share Pictures and Chat SPAM
score KAM_PIC 3.5
meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)
#STUPID MAILING LIST SPAMS
body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
body __KAM_LIST3 /price\:|prices for our director/is
body __KAM_LIST4 /(?:database|list|[\d,]+ (total records|e-?mails))/is
body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i
describe KAM_LIST Mailing List Database SPAM
score KAM_LIST 3.0
meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)
#YET MORE DRUG SCAMS
body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
describe KAM_DRUG More Viagra, Medicine, et al Scams
score KAM_DRUG 2.5
meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)
#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
#Thanks to Jamie for pointing out I missed a 1918 range.
rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)/i
rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
score KAM_BADIPHTTP 2.0
meta KAM_BADIPHTTP (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)
body __KAM_HIDDEN_URI1 /\[DOT\]com/is
body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe KAM_HIDDEN_URI URI obfuscation techniques
score KAM_HIDDEN_URI 4.0
#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody __KAM_INFOUSMEBIZ1 /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header __KAM_INFOUSMEBIZ2 From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
header __KAM_INFOUSMEBIZ3 Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i
meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score KAM_INFOUSMEBIZ 0.75
describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
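# Added example (not part of the KAM ruleset): a Python approximation of the
# three __KAM_INFOUSMEBIZ sub-rules and their meta, showing how the negative lookahead and
# the trailing (\b|\/) avoid the subdomain false positive described in the comment above.
# Assumptions: Python's re stands in for Perl's regex engine, rawbody is approximated by
# scanning body lines, and every address, URL and message below is constructed.

```python
import email
import re
from email.utils import parseaddr

# Patterns transcribed from the three sub-rules (Perl /i becomes re.I).
URL_TLD = re.compile(
    r"http://(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|/)", re.I)
FROM_TLD = re.compile(r"\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$", re.I)
RPATH_TLD = re.compile(r"\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$", re.I)


def url_hits(line):
    """True when one body line would trigger __KAM_INFOUSMEBIZ1."""
    return URL_TLD.search(line) is not None


def evaluate(raw_message):
    """Return the hit state of each sub-rule and of the KAM_INFOUSMEBIZ meta."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload()
    if not isinstance(body, str):      # multipart: out of scope for this sketch
        body = ""
    from_addr = parseaddr(msg.get("From", ""))[1]   # like From:addr
    return_path = (msg.get("Return-Path") or "").strip()
    hits = {
        "__KAM_INFOUSMEBIZ1": any(url_hits(l) for l in body.splitlines()),
        "__KAM_INFOUSMEBIZ2": bool(FROM_TLD.search(from_addr)),
        "__KAM_INFOUSMEBIZ3": bool(RPATH_TLD.search(return_path)),
    }
    # meta KAM_INFOUSMEBIZ (sub1 + sub2 + sub3 >= 1)
    hits["KAM_INFOUSMEBIZ"] = sum(hits.values()) >= 1
    return hits


# Constructed sample messages (not real mail).
MSG_BIZ_SENDER = (
    "From: Deals <sender@constructed-sample.biz>\n"
    "Return-Path: <bounce@mailer.example.com>\n"
    "Subject: hello\n"
    "\n"
    "Hello, see http://www.example.com/ for details.\n"
)
MSG_SUBDOMAIN_ONLY = (
    "From: Alice <alice@example.com>\n"
    "Return-Path: <alice@example.com>\n"
    "Subject: docs\n"
    "\n"
    "Docs at http://files.info.example.com/welcome\n"
)
MSG_XYZ_BOUNCE = (
    "From: news@example.org\n"
    "Return-Path: <bounce@constructed-sample.xyz>\n"
    "Subject: update\n"
    "\n"
    "hi\n"
)

if __name__ == "__main__":
    for name, raw in [("biz sender", MSG_BIZ_SENDER),
                      ("subdomain only", MSG_SUBDOMAIN_ONLY),
                      ("xyz bounce", MSG_XYZ_BOUNCE)]:
        print(name, evaluate(raw))
```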
# OTHER QUESTIONABLE / CHEAP TLDS - .click, .farm, .work, .rocks, .science, .club, .casa
rawbody __KAM_OTHER_BAD_TLD1 /http:\/\/(?:www.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
header __KAM_OTHER_BAD_TLD2 From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
header __KAM_OTHER_BAD_TLD3 Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i
meta KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score KAM_OTHER_BAD_TLD 0.75
describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs
#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice
score KAM_CARD 3.5
meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)
#INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
header __KAM_INSURE3 From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
body __KAM_INSURE4 /why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i
describe KAM_INSURE Life, Health, Auto, etc. Insurance SPAMs
score KAM_INSURE 2.5
meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)
describe KAM_INSURE2 Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
score KAM_INSURE2 2.5
meta KAM_INSURE2 (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)
#HEALTH INSURANCE
body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i
describe KAM_HEALTH Health/Life Insurance Spam Emails
score KAM_HEALTH 3.0
meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)
#HEALTH INSURANCE
body __KAM_HEALTH2_1 /affordable health coverage/i
header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
describe KAM_HEALTH2 Health Insurance Spam Emails
score KAM_HEALTH2 3.0
meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)
#HEALTH INSURANCE
header __KAM_HEALTH3_1 Subject =~ /Term Life Coverage/i
header __KAM_HEALTH3_2 Subject =~ /\d\d\/mo/i
header __KAM_HEALTH3_3 From =~ /fidelity/i
describe KAM_HEALTH3 Term Life Insurance Spam
score KAM_HEALTH3 3.0
meta KAM_HEALTH3 (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)
#REAL ESTATE INVESTMENT SCAMS
body __KAM_REAL2_1 /(?:Property available|on the water|costa rica|mountain.top)/i
body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body __KAM_REAL2_4 /(?:home sites|raw land|vacation home|wooded.property)/i
body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans|liquidation)/i
describe KAM_REAL2 Real-estate investment scams
score KAM_REAL2 1.0
meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)
#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
ifplugin Mail::SpamAssassin::Plugin::PDFInfo
#Thanks to Ben Lentz for pointing out a lint error with this.
describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
score KAM_BADPDF 2.5
header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
score KAM_BADPDF1 2.5
meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
#2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
score KAM_BADPDF2 2.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
else
meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
endif
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
mimeheader __KAM_BADPO2 Content-type =~ /PDF\.html?/i
endif
header __KAM_BADPO3 Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BADPO (KAM_RAPTOR_ALTERED + __KAM_BADPO3 >= 2)
describe KAM_BADPO Bad Purchase Orders
score KAM_BADPO 5.0
endif
meta KAM_BADPO2 (__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)
describe KAM_BADPO2 Bad Purchase Orders
score KAM_BADPO2 5.0
#PDFCOUNT
#FAKE PDF READER/WRITER
body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
body __KAM_FAKEPDF2 /Reader 2010/is
header __KAM_FAKEPDF3 From =~ /adobe/is
header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
describe KAM_FAKEPDF Fake PDF Reader / Writer
score KAM_FAKEPDF 4.0
#VACU AND VARIOUS PHISHING SCAMS
#SUBJECTS
header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
#BANKS
body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
#BAD LINKS
rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
#STUPID STATEMENTS
body __KAM_PHISH2_4 /unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
body __KAM_PHISH2_5 /account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
body __KAM_PHISH2_6 /confirm your online banking details|payment.advice|online.fraud|billing.information/i
body __KAM_PHISH2_7 /extra security check|security.tip/i
describe KAM_PHISH2 Prevalent Phishing Scam emails
score KAM_PHISH2 2.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
else
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
endif
#CRAZY HEX EMPTY MESSAGE
body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
header __KAM_HEX2 Subject =~ /^\d{5,6}$/
describe KAM_HEX Crazy Empty Hex Messages
score KAM_HEX 5.5
meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)
#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
header KAM_THEBAT X-Mailer =~ /The Bat!/i
describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
score KAM_THEBAT 1.9
#MAILER BUGS
body __KAM_MAILER1 /{!firstname_fix}/i
meta KAM_MAILER (__KAM_MAILER1 >= 1)
score KAM_MAILER 2.0
describe KAM_MAILER Automated Mailer Tag Left in Email
#YET ANOTHER NIGERIAN SCAM VARIANT
body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
body __KAM_CHECK2 /let me know when you recieve your money/i
describe KAM_CHECK Another Nigerian Bank Draft Scam
score KAM_CHECK 3.0
meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)
#SEE OPRAH LIVE!
body __KAM_OPRAH1 /airfare/i
body __KAM_OPRAH2 /hotel/i
body __KAM_OPRAH3 /oprah/i
header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
score KAM_OPRAH 2.5
meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)
#EBAY TIPS
body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
describe KAM_EBAY SPAMs re: eBay Auction Tips
score KAM_EBAY 3.5
meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)
#GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
body __KAM_GAS2 /We have a solution|save \d+ cents per gallon|competitive rewards/i
header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
header __KAM_GAS4 From =~ /gas/i
describe KAM_GAS SPAMs re: High Gas Prices
score KAM_GAS 4.5
meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)
#WEIRD BODY MESSAGES
body KAM_BODY /{_BODY_HTML}/i
score KAM_BODY 1.0
describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting
#FREE TV, SATELLITE, CABLE INTERNET, ETC
body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i
meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score KAM_TV 3.0
describe KAM_TV Free TV/Cable/etc. Scams
meta KAM_TV2 (KAM_TV + KAM_INFOUSMEBIZ >=2)
score KAM_TV2 3.5
describe KAM_TV2 Higher probability of Free TV/Cable/etc. Spams
#DEGREE SPAMS
body __KAM_CAREER1 /Hospitals need you|Medical Billing and Coding|medical.coding/is
body __KAM_CAREER2 /Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
body __KAM_CAREER3 /unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is
meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
score KAM_CAREER 5.0
describe KAM_CAREER Spam for Career/Diploma Mills
#NURSE SPAMS
header __KAM_NURSE1 From =~ /nursing|nurses|health.?care/i
header __KAM_NURSE2 Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
body __KAM_NURSE3 /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i
meta KAM_NURSE (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
score KAM_NURSE 3.0
describe KAM_NURSE Spam for Career/Diploma Mills
#PILLS
header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
score KAM_PILLS 4.0
describe KAM_PILLS Spam for scam pharmacy
#PILLS 2.0
header __KAM_PILLS2_1 From =~ /Enlarge|Men's Supplement/i
header __KAM_PILLS2_2 From =~ /Free Sample/i
meta KAM_PILLS2 (__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
describe KAM_PILLS2 Male enhancement spams
score KAM_PILLS2 2.5
#ALTERNATE EMAIL
body __KAM_ALT1 /reply to my alternative E-?mail/is
meta KAM_ALT (__KAM_ALT1 >= 1)
score KAM_ALT 0.5
describe KAM_ALT Requests use of an alternate email which may indicate spam
#POLITICAL SPAMS
#AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
#Right vs Left
header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
header __KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
header __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i
meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
score KAM_POLITICS 4.5
describe KAM_POLITICS Unsolicited Political E-Mails
#SPAMMING COMPANIES
#Wall Street Media
header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i
meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1)
score KAM_COMPANY1 5.0
describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be)
#MGM,LLC
body __KAM_COMPANY2_1 /Member Services MGM, LLC/is
meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1)
score KAM_COMPANY2 5.0
describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be)
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
#PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
#Thanks to AXB for his help with these!
#2013-10-09 Note
#
#These RBLs below can contain domains that can cause collateral damage.
#We try to add these domains only when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
#And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
#The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
#Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
#However, your mileage may vary and you might want to seriously dial down the scores, especially if you do block/reject/blackhole emails.
#Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
#Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com
if (version >= 3.003000)
#HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
util_rb_2tld ning.com
util_rb_2tld mygbiz.com
util_rb_2tld web.com
util_rb_2tld onmicrosoft.com
util_rb_2tld online.de
util_rb_2tld wix.com
util_rb_2tld netdna-cdn.com
util_rb_2tld dreamhost.com
util_rb_2tld noip.us
util_rb_2tld mmsend.com
util_rb_2tld cu-portland.edu
util_rb_2tld jimdo.com
util_rb_2tld doesphotography.com
util_rb_2tld isteaching.com
util_rb_2tld googleapis.com
util_rb_2tld a2hosted.com
endif
# allow URI rules to look at DKIM headers if they exist and our SA version supports it
if (version >= 3.0040001)
parse_dkim_uris 1
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#BAD URI IN BODY
urirhssub KAM_BODY_URIBL_PCCC wild.pccc.com. A 127.0.0.4
body KAM_BODY_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL_PCCC')
describe KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
tflags KAM_BODY_URIBL_PCCC net
score KAM_BODY_URIBL_PCCC 9.0
if (version >= 3.004001)
#BAD URI IN FROM
#All From address domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
header KAM_FROM_URIBL_PCCC eval:check_rbl_from_domain('pccc-from-uribl', 'wild.pccc.com.', '127.0.0.4')
describe KAM_FROM_URIBL_PCCC From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
tflags KAM_FROM_URIBL_PCCC net
score KAM_FROM_URIBL_PCCC 9.0
endif
#MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS
urirhssub KAM_BODY_MARKETINGBL_PCCC wild.pccc.com. A 127.0.0.32
body KAM_BODY_MARKETINGBL_PCCC eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
describe KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags KAM_BODY_MARKETINGBL_PCCC net
score KAM_BODY_MARKETINGBL_PCCC 0.001
if (version >= 3.004001)
#MARKETING IN FROM
header KAM_FROM_MARKETINGBL_PCCC eval:check_rbl_from_domain('pccc-marketing', 'wild.pccc.com.', '127.0.0.32')
describe KAM_FROM_MARKETINGBL_PCCC From address associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags KAM_FROM_MARKETINGBL_PCCC net
score KAM_FROM_MARKETINGBL_PCCC 0.001
meta KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
score KAM_MARKETINGBL_PCCC 1.0
endif
endif
if (version >= 3.004001)
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#Compromised URI - In Body
urirhssub KAM_BODY_COMPROMISED_URIBL_PCCC wild.pccc.com. A 127.0.1.2
body KAM_BODY_COMPROMISED_URIBL_PCCC eval:check_uridnsbl('KAM_URIBL2_PCCC')
describe KAM_BODY_COMPROMISED_URIBL_PCCC Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
tflags KAM_BODY_COMPROMISED_URIBL_PCCC net
score KAM_BODY_COMPROMISED_URIBL_PCCC 9.0
#Contains a likely good URI but otherwise compromised by malware/hackers
header KAM_FROM_COMPROMISED_URIBL_PCCC eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
describe KAM_FROM_COMPROMISED_URIBL_PCCC From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
tflags KAM_FROM_COMPROMISED_URIBL_PCCC net
score KAM_FROM_COMPROMISED_URIBL_PCCC 9.0
endif
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#Received - Currently disabled for more research on FPs
#header KAM_RCVD_URIBL_PCCC eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
#describe KAM_RCVD_URIBL_PCCC Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
#tflags KAM_RCVD_URIBL_PCCC net
#score KAM_RCVD_URIBL_PCCC 5.0
#Reply-to
#NO SOLUTION - Would make a Good Bugzilla for a FR
#Test for any hits on PCCC URIBL Rules
meta __KAM_URIBL_PCCC (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1)
endif
#Test for URIBL Black and Spamhaus DBL per discussion with Alex Broens
meta KAM_VERY_BLACK_DBL (URIBL_BLACK && URIBL_DBL_SPAM)
describe KAM_VERY_BLACK_DBL Email that hits both URIBL Black and Spamhaus DBL
score KAM_VERY_BLACK_DBL 5.0
endif
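# Added example, not part of KAM.cf or of SpamAssassin's own code: a Python sketch of how a util_rb_2tld entry changes the name queried against wild.pccc.com. and how the dotted-quad subtests in the urirhssub lines select a rule.
# Assumptions: any suffix not listed is treated as a one-label TLD (SpamAssassin uses its full TLD tables), the hostnames and answers are constructed samples, and the function names are illustrative.

```python
import ipaddress

# Subset of the util_rb_2tld entries from the ruleset (hosts that behave like TLDs).
TWO_LEVEL_TLDS = {"wix.com", "onmicrosoft.com", "googleapis.com", "dreamhost.com"}

# Zone used by the urirhssub / check_rbl_from_domain rules.
ZONE = "wild.pccc.com."

# Dotted-quad subtests from the urirhssub lines. Per the URIDNSBL plugin
# documentation, a single dotted-quad subtest is compared with the returned
# A record for equality, not as a bitmask.
SUBTESTS = {
    "127.0.0.4": "KAM_BODY_URIBL_PCCC",
    "127.0.0.32": "KAM_BODY_MARKETINGBL_PCCC",
    "127.0.1.2": "KAM_BODY_COMPROMISED_URIBL_PCCC",
}


def registrable_domain(host, two_level=TWO_LEVEL_TLDS):
    """Return the domain that would be looked up for a URI host, or None."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # IP literals have no registrable domain; this sketch skips them
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None
    for i in range(len(labels)):
        if ".".join(labels[i:]) in two_level:
            # Keep one label to the left of the pseudo-TLD, as for co.uk.
            return ".".join(labels[max(i - 1, 0):])
    # Simplifying assumption: everything else ends in a one-label TLD.
    return ".".join(labels[-2:])


def query_name(host, zone=ZONE, two_level=TWO_LEVEL_TLDS):
    """Build the DNS name queried for a URI host, or None if it is skipped."""
    domain = registrable_domain(host, two_level)
    return None if domain is None else f"{domain}.{zone}"


def rules_hit(answers):
    """Map the A records returned for one query to the rules they trigger."""
    return sorted(SUBTESTS[a] for a in set(answers) if a in SUBTESTS)


if __name__ == "__main__":
    # Constructed hostnames, not taken from any blocklist.
    for host in ("shop.spammer.wix.com", "www.example.com", "192.0.2.10"):
        print(f"{host:24} with 2tld list -> {query_name(host)}")
        print(f"{'':24} without        -> {query_name(host, two_level=set())}")
    # Constructed answers: one listing, and one value that matches no subtest.
    print(rules_hit(["127.0.0.4", "127.0.1.2"]))
    print(rules_hit(["127.0.0.36"]))
```

# Without the wix.com entry every customer subdomain collapses to wix.com, so a listing would either hit all of them or a listed subdomain would never be queried, which is the collateral damage the 2013-10-09 note warns about.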
#EMAIL BLACKLIST CHECK FOR PCCC RBL
ifplugin Mail::SpamAssassin::Plugin::EmailBL
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#uses emailbl -all which is the same as -headers and -bodysafe
header KAM_MESSAGE_EMAILBL_PCCC eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
describe KAM_MESSAGE_EMAILBL_PCCC Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
tflags KAM_MESSAGE_EMAILBL_PCCC net
score KAM_MESSAGE_EMAILBL_PCCC 6.0
endif
endif
#FAKERBL MX RELATED RULES
header __KAM_MX1 Reply-To =~ /\@mx\d+\./i
header __KAM_MX2 Return-Path =~ /\@mx\d+\./i
header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
# Thanks to Markus Clardy for feedback!
header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i
meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
describe __KAM_MX Odd prevalence of mx records associated with the FAKERBL Spammers
#CHANGED KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_MX (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
score KAM_MX 4.0
describe KAM_MX Spammers and MX Rule
endif
meta KAM_MXINFO (__KAM_MX5)
score KAM_MXINFO 1.0
describe KAM_MXINFO MX Record and dot info domains associated with FAKERBL Spammers
#BAD NAMES
body __KAM_BADNAME1 /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i
header __KAM_BADNAME2 From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i
#GRASS SEED
header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i
header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i
meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
score KAM_GRASS 2.5
describe KAM_GRASS Spammers hawking lawn products
#PED EGG / BELISI / SKIN PRODUCTS
header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
rawbody __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i
meta KAM_SKIN (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
score KAM_SKIN 3.5
describe KAM_SKIN Spammers hawking skin/medical/foot products
meta KAM_SKIN2 (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 + __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
score KAM_SKIN2 2.5
describe KAM_SKIN2 Spammers hawking skin/medical/foot products
#NEW CAR / WARRANTY SCAMS
header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
header __KAM_CAR4 From =~ /warranty|lender|clearance/i
meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
score KAM_CAR 2.0
describe KAM_CAR Spammers hawking new car, insurance or warranties
# MORE NEW CAR SPAMS
header __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
header __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
body __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i
meta KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
describe KAM_AUTO Spam for new cars
score KAM_AUTO 4.5
#HOME WARRANTY SPAMS
header __KAM_WARRANTY1 Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i
body __KAM_WARRANTY2 /Protect your home|choice home warranty|unexpected repair/i
body __KAM_WARRANTY3 /home warrant|complimentary insurance quote/i
header __KAM_WARRANTY4 From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i
meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
score KAM_WARRANTY 1.5
describe KAM_WARRANTY Spammers hawking home warranties
meta KAM_WARRANTY2 (KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
score KAM_WARRANTY2 3.5
describe KAM_WARRANTY2 Spammers pushing home warranties
meta KAM_WARRANTY3 (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
score KAM_WARRANTY3 1.5
describe KAM_WARRANTY3 Spammers hawking home warranties
#AWESOME AUGER
header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i
body __KAM_AUGER2 /Awesome Auger/i
meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2)
score KAM_AUGER 4.0
describe KAM_AUGER Spammers hawking Awesome Augers?!?
#MOVIE EXTRA
header __KAM_MOVIE1 Subject =~ /Movie Extra/i
body __KAM_MOVIE2 /Movie Extra/i
meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
score KAM_MOVIE 3.0
describe KAM_MOVIE Spammers hawking Movie Extra positions
#DEBT COLLECTION
header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i
body __KAM_COLLECT2 /No Fee/i
body __KAM_COLLECT3 /collection professionals/i
body __KAM_COLLECT4 /recovery rate/i
meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
score KAM_COLLECT 5.0
describe KAM_COLLECT Spammers hawking debt collection
#SEARCH ENGINE SPAM
#Subj
header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page/i
#what specific
body __KAM_SEARCH2 /search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
#ranging
body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search/i
#how
body __KAM_SEARCH4 /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
#who
rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|SEO expert|sales manager/i
meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score KAM_SEARCH 5.0
describe KAM_SEARCH Spammers hawking SEO
#SEO
header __KAM_SEO1 Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report/i
#what we give you
body __KAM_SEO2 /(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|ranking report/i
tflags __KAM_SEO2 nosubject
#what we do/fix
body __KAM_SEO3 /(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings/i
#SEO
body __KAM_SEO4 /SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
#costs
body __KAM_SEO5 /more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial/i
#SEO Indicators
body __KAM_SEO6 /will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam/i
# LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
uri __KAM_SEO7 /./
meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
score KAM_SEO 7.0
describe KAM_SEO Spammers hawking SEO
#ABUSED FREEMAIL ACCOUNTS
#header __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
#header __KAM_FREEMAIL2 From =~ /speakeasylingerie\@gmail.com/i
#meta __KAM_FREEMAIL (__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)
#LINGERIE VIDEOS
#header __KAM_LINGERIE1 From =~ /lexi campbell/i
#header __KAM_LINGERIE2 Subject =~ /Exotic modeling Videos/i
#header __KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
#body __KAM_LINGERIE4 /Exotic modelling videos/i
#meta KAM_LINGERIE (__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
#score KAM_LINGERIE 10.0
#describe KAM_LINGERIE Sexually Explicit Lingerie Spam
#WEB DESIGN
header __KAM_WEB1 Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i
body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
body __KAM_WEB3 /Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i
meta KAM_WEB (__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
score KAM_WEB 4.0
describe KAM_WEB Web design spams
#DOMAIN NAME AND OTHER RELATED SPAMS
body __KAM_DOMAIN1 /Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
body __KAM_DOMAIN2 /(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
body __KAM_DOMAIN3 /(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
header __KAM_DOMAIN4 From =~ /domain|submit.site/i
header __KAM_DOMAIN5 Subject =~ /\.com$/i
meta KAM_DOMAIN (__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3)
score KAM_DOMAIN 8.5
describe KAM_DOMAIN Domain Selling Spams
#MEDICAL TOURISM SPAM
body __KAM_MEDTOUR1 /medical.tourism/i
body __KAM_MEDTOUR2 /lowest cost in India/i
header __KAM_MEDTOUR3 Subject =~ /Medical.Tourism/i
meta KAM_MEDTOUR (__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
score KAM_MEDTOUR 3.0
describe KAM_MEDTOUR Medical Tourism Spam
#ACNE SPAM
header __KAM_ACNE1 Subject =~ /Proactiv/i
header __KAM_ACNE2 From =~ /Acne/i
body __KAM_ACNE3 /proactiv/i
body __KAM_ACNE4 /Online Gift Rewards/i
meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
score KAM_ACNE 5.0
describe KAM_ACNE Spammers hawking Acne products
#SOFTWARE SPAM
header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i
header __KAM_SOFTWARE2 From =~ /registry/i
body __KAM_SOFTWARE3 /Fix file errors/i
body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i
meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
score KAM_SOFTWARE 5.0
describe KAM_SOFTWARE Spammers hawking Software products
#NIGERIAN SCAM SCAN
header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director|former.minister|gold.dealer/i
body __KAM_NIGERIAN2_3 /high court|central bank|payment center|customs?.officer/i
body __KAM_NIGERIAN2_4 /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft|oil.and.gas/i
body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
body __KAM_NIGERIAN2_7 /bank|smuggle/i
body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i
meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
score KAM_NIGERIAN2 5.0
describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam.
#MEDICAL
body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
body __KAM_MEDICAL2 /Safe - Natural - Effective/i
header __KAM_MEDICAL3 From =~ /Medical/i
header __KAM_MEDICAL4 Subject =~ /Medical Billing/i
meta KAM_MEDICAL (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
score KAM_MEDICAL 4.0
describe KAM_MEDICAL Misc medical spam
#EAR RINGING
body __KAM_TINNI1 /TinniFix/i
body __KAM_TINNI2 /Stop the ringing in your ears/i
header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i
meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
score KAM_TINNI 5.0
describe KAM_TINNI Another Medical Scam
#GIVEAWAY
body __KAM_GIVE1 /receive your gift/i
body __KAM_GIVE2 /laptop giveaway|deliver your dell.? laptop/i
body __KAM_GIVE3 /answering a short survey/i
body __KAM_GIVE4 /verify your shipping address/i
meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
score KAM_GIVE 4.0
describe KAM_GIVE Free stuff "giveaway" scam
#GOVERNMENT MONEY
header __KAM_GOVT1 Subject =~ /Government Funding/i
body __KAM_GOVT2 /government funding/i
body __KAM_GOVT3 /complimentary information kit/i
body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i
meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
score KAM_GOVT 4.0
describe KAM_GOVT Your tax dollars at work scam...
#RBL TRUST RULES
meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2)
score KAM_RBL 2.0
describe KAM_RBL Higher scores for hitting multiple trusted RBLs
#KAM CNN
header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i
meta KAM_CNN (__KAM_CNN1 == 1)
score KAM_CNN 2.0
describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams
#SNUGGIE BLANKETS / SHAM WOW
header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i
header __KAM_SHAM2 From =~ /Sham ?Wow/i
body __KAM_SHAM3 /ShamWow/i
body __KAM_SHAM4 /20(X| times) its weight/i
meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
score KAM_SHAM 2.0
describe KAM_SHAM More product scams...
#SANTA LETTERS
header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i
body __KAM_SANTA3 /the .?perfect.? gift|personalized letter/i
meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
score KAM_SANTA 3.5
describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam...
#WORK FOR / LEARN GOOGLE
header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i
header __KAM_GOOGLE5 From =~ /Google Money/i
meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
score KAM_GOOGLE 3.5
describe KAM_GOOGLE Google Pyramid Scams
#SECURITY / ALARM
header __KAM_ALARM1 Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
body __KAM_ALARM2 /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
rawbody __KAM_ALARM3 /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
header __KAM_ALARM4 From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i
meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
score KAM_ALARM 4.5
describe KAM_ALARM Security and Alarm Company Spams
rawbody __KAM_ALARM5 /gaylord/i
meta KAM_ALARM2 (KAM_ALARM && __KAM_ALARM5)
score KAM_ALARM2 2.5
describe KAM_ALARM2 High Probability of Security and Alarm Company Spams
#SELL CARDS
header __KAM_SELL1 Subject =~ /Market Credit Cards/i
body __KAM_SELL2 /Easy Money/i
body __KAM_SELL3 /Selling Credit Cards/i
meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
score KAM_SELL 3.5
describe KAM_SELL Selling Cards Marketing Scams
#WHITEN TEETH
header __KAM_WHITEN1 Subject =~ /whiten your teeth/i
body __KAM_WHITEN2 /whitener/i
body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i
meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
score KAM_WHITEN 3.5
describe KAM_WHITEN Teeth Whitening Scams
#URONLINE
body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i
meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
score KAM_URONLINE 4.5
describe KAM_URONLINE Chat Scams
#TIMESHARE
body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
header __KAM_TIMESHARE3 Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
header __KAM_TIMESHARE4 From =~ /Resort.*sales|timeshare/i
meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
score KAM_TIMESHARE 4.0
describe KAM_TIMESHARE Timeshare Scams
#AQUA GLOBE
body __KAM_AQUA1 /Aqua Globe/is
body __KAM_AQUA2 /watering your plants/is
body __KAM_AQUA3 /while on vacation/is
header __KAM_AQUA4 Subject =~ /Waters your Plants/i
meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score KAM_AQUA 3.0
describe KAM_AQUA Spams of yet another product du jour
#GEVALIA
body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
body __KAM_GEVALIA3 /No Further Obligation/is
header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score KAM_GEVALIA 3.0
describe KAM_GEVALIA Spams of yet another product du jour
#SIMPLYINK
body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i
meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
score KAM_INK 4.0
describe KAM_INK Spams of yet another product du jour
meta KAM_INK2 (KAM_INK + KAM_INFOUSMEBIZ >= 2)
score KAM_INK2 3.0
describe KAM_INK2 Spams for Ink refills
#TITAN PEELER
body __KAM_PEEL1 /Titan Peeler/is
header __KAM_PEEL2 From =~ /Titan Peeler/i
header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score KAM_PEEL 3.0
describe KAM_PEEL Spams of yet another product du jour
#HTML EMAIL REQUIRING IMAGES?
rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is
#RATWARE
header __KAM_RAT1_1 From =~ /\@fromname\@/i
header __KAM_RAT1_2 Subject =~ /(\[FName\]|\%\{AUTOVALS)/i
meta KAM_RAT1 (__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
score KAM_RAT1 5.0
describe KAM_RAT1 Variable Replacements Indicative of RatWare/Mass Mailing
body __KAM_RAT2_1 /job description/i
body __KAM_RAT2_2 /dear shopper/i
header __KAM_RAT2_3 From =~ /mystery/i
meta KAM_RAT2 (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
score KAM_RAT2 5.0
describe KAM_RAT2 Another ratware mistake, uninterpolated text
#TITAN EGGER
body __KAM_EGG1 /Egg Genie/is
header __KAM_EGG2 From =~ /Egg Genie/i
header __KAM_EGG3 Subject =~ /medium eggs/i
meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score KAM_EGG 3.0
describe KAM_EGG Spams of yet another product du jour
#USBDRIVES
body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
body __KAM_USB2 /person (that|who) handles the promotions/i
body __KAM_USB3 /usbsmg.com/i
meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score KAM_USB 4.0
describe KAM_USB USB Promotion Spammer
#GOVT GRANT
body __KAM_GRANT1 /government grant/i
body __KAM_GRANT2 /find out if you qualify/i
body __KAM_GRANT3 /discontinue from this promotion/i
meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score KAM_GRANT 5.0
describe KAM_GRANT Government Grant Scams
#SEX SCAMS
#MEDICINE REFERENCES
body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
#BED REFERENCES
body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
#SUBJECT REFERENCES
header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
#SEXUAL REFERENCES
body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality|sex with new boys/is
meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score KAM_SEX04 10.0
describe KAM_SEX04 Sexually Explicit SPAM
meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score KAM_SEX04_2 2.0
describe KAM_SEX04_2 Likely Sexually Explicit SPAM
#Another Sexually Explicit Email
meta KAM_SEX07 (__KAM_SUBJECT_SINGLEWORD + __KAM_SEX04_4 >= 2)
score KAM_SEX07 5.0
describe KAM_SEX07 Sexually Explicit SPAM
#SEX SCAMS ROUND 5
header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score KAM_SEX05 5.0
describe KAM_SEX05 Sexually Explicit SPAM
#FOOTBALL CLUB SPAMS
header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
header __KAM_FOOTBALL2 From =~ /Football/i
body __KAM_FOOTBALL3 /Mercato/i
body __KAM_FOOTBALL4 /Football/i
meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score KAM_FOOTBALL 4.0
describe KAM_FOOTBALL Spammy Football Club
#DISH NETWORK SPAMS AND OTHER TV SPAM
header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
rawbody __KAM_DISH3 /(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i
meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score KAM_DISH 4.0
describe KAM_DISH Dish Network Spams
meta KAM_DISH2 (KAM_DISH + KAM_INFOUSMEBIZ >= 2)
score KAM_DISH2 4.0
describe KAM_DISH2 Dish Network Spams
#IDENTITY NETWORK
header __KAM_IDENTNET1 From =~ /\@identitynetwork.net/i
body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score KAM_IDENTNET 8.0
describe KAM_IDENTNET Identity Network Spams
#HONEYPOT HITS
#body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
#header __KAM_HONEY2 From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i
#meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
#score KAM_HONEY 12.0
#describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means
#MEDIA DUCHESS
header __KAM_DUCHESS1 Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
header __KAM_DUCHESS2 From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody __KAM_DUCHESS4 /duchess/i
rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body __KAM_DUCHESS6 /For account number:/i
meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score KAM_DUCHESS 5.0
describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images
#UPS
header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
header __KAM_UPS2 From !~ /\@ups\.com[ |>]/i
body __KAM_UPS3 /invoice copy attached/i
meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score KAM_UPS 6.0
describe KAM_UPS UPS doesn't send invoices with delivery problem notes
#Free Calls
header __KAM_SKYPE1 Subject =~ /Free Calls/i
header __KAM_SKYPE2 Received =~ /releasesourcek.com/i
header __KAM_SKYPE3 From =~ /VOIP News/i
body __KAM_SKYPE4 /Promo Code: \d/i
meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score KAM_SKYPE 5.0
describe KAM_SKYPE Skype/Voip scams likely to spread malware
#OWA/EMAIL PHISH
rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i
score KAM_OWAPHISH1 6.0
describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing
#MORE DRUG SPAM - 2009-05-03
header __KAM_DRUG2_1 Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i
header __KAM_DRUG2_2 Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i
body __KAM_DRUG2_3 /Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i
body __KAM_DRUG2_4 /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i
body __KAM_DRUG2_5 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i
body __KAM_DRUG2_6 /(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i
header __KAM_DRUG2_7 Subject =~ / {4}[a-z0-9]{2,4}$/i
header __KAM_DRUG2_8 From =~ /aquaflexin/i
meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
score KAM_DRUG2 3.5
describe KAM_DRUG2 More online Drug Scams
meta KAM_DRUG2_2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
score KAM_DRUG2_2 3.0
describe KAM_DRUG2_2 Higher Certainty of Drug Scam
meta KAM_SEXSUBJECT __KAM_DRUG2_1
score KAM_SEXSUBJECT 2.0
describe KAM_SEXSUBJECT Sexually Explicit Subject
#RUSSIAN WIFE/BRIDE SCAMS
header __KAM_WIFE1 Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(beaut|single|women|bride|lad|babe)/i
body __KAM_WIFE2 /marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
tflags __KAM_WIFE2 nosubject
header __KAM_WIFE3 From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut)|(date|nice).?(russian|asian)/i
meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score KAM_WIFE 8.0
describe KAM_WIFE Mail order bride scams
#PRODUCT SCAMS
header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
body __KAM_PRODUCT2 /phones for discerning individuals/i
meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
score KAM_PRODUCT 3.0
describe KAM_PRODUCT Product scams often used with MSN/Live URIs
#SPACES / LIVE / MSN / ETC. SCAMS
meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score KAM_LIVEURI2 3.0
describe KAM_LIVEURI2 More online Scams + Known URI
#WEBS.COM
uri KAM_WEBS /.{3,25}\.webs.com/i
score KAM_WEBS 0.5
describe KAM_WEBS webs.com links used in Spams
#IMAGESHACK SWF Files
uri KAM_BADSWF /imageshack\.us\/.{3,25}\.swf$/i
score KAM_BADSWF 3.0
describe KAM_BADSWF SWF embedded links in Email Scams
#EXE LINK
uri KAM_EXEURI /\.exe$/i
score KAM_EXEURI 0.5
describe KAM_EXEURI EXE embedded link
#SETTINGS FILE PHISH
header __KAM_SETTING1 Subject =~ /settings file|maintenance!!/i
body __KAM_SETTING2 /security upgrade|Maintenance Process on our email system /i
body __KAM_SETTING3 /settings?.zip/i
meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
score KAM_SETTING 2.5
describe KAM_SETTING Phishing scams w/Setting Files or Webmail
#Fixed small misspelling thanks to Jameel Akari
meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score KAM_SETTING2 4.0
describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link
#FARM SPAM
header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
header __KAM_FARM2 From =~ /blueberr|tomato|DIY|garden/i
body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score KAM_FARM 4.0
describe KAM_FARM Farming related Spams
#MX URI - Score lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
score KAM_MXURI 1.5
describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]
#FLASH PLAYER
body __KAM_FLASH1 /Flash Player Code: \d\d/i
body __KAM_FLASH2 /Flash Player Update/i
header __KAM_FLASH3 Subject =~ /Flash Player/i
header __KAM_FLASH4 Subject =~ /activation code/i
header __KAM_FLASH5 From =~ /Flash Player/i
meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score KAM_FLASH 4.0
describe KAM_FLASH Fake Flash Player Phishing Scam
#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#FAKE ADWORDS
body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
header __KAM_ADWORD2 From =~ /adwords.com|salesdirect.com/i
header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
meta KAM_ADWORD (__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
score KAM_ADWORD 10.0
describe KAM_ADWORD Fake Adword Campaign notices
endif
#DON NOB & WORK FROM HOME SCAMS
header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score KAM_DON 6.0
describe KAM_DON Work at Home Scams
meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score KAM_DON2 4.0
describe KAM_DON2 Egregious Work at Home Scams
#GINA SCAMS
header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
header __KAM_GINA2 Subject =~ /GINA deadline/i
body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
score KAM_GINA 6.0
describe KAM_GINA Employment Poster Marketing Spams
#TAX SCAMS
header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header __KAM_TAX2 From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body __KAM_TAX3 /File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
body __KAM_TAX4 /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i
meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score KAM_TAX 2.5
describe KAM_TAX Tax Filing Scams
meta KAM_TAX2 (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
score KAM_TAX2 2.5
describe KAM_TAX2 Higher Probability of Tax Filing Scams
#SEX SCAM
body __KAM_SEX06_1 /more fire and passion/i
meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score KAM_SEX06 5.0
describe KAM_SEX06 Sexual Stimulant Spam
#DOG BARK AND OTHER DOG SPAM
body __KAM_BARK1 /Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
header __KAM_BARK2 Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
header __KAM_BARK3 From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i
meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score KAM_BARK 3.5
describe KAM_BARK Dog Product Scam
#CASINO SPAM
body __KAM_CASINO1 /Elite World Casino/i
body __KAM_CASINO2 /Online Casino/i
header __KAM_CASINO3 Subject =~ /chances to win/i
meta KAM_CASINO (__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
score KAM_CASINO 3.5
describe KAM_CASINO Online Casino Spam
#TWITTER PHISHING
header __KAM_TWIT1 From =~ /twitter/i
header __KAM_TWIT2 Subject =~ /twitter \d{3}-\d{2}/i
meta KAM_TWIT (__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
score KAM_TWIT 10
describe KAM_TWIT Twitter bogus phishing emails
#FACEBOOK PHISHING
header __KAM_FACE1 From =~ /password/i
header __KAM_FACE2 Subject =~ /reset your facebook/i
header __KAM_FACE3 X-Mailer =~ /Zuckmail/i
meta KAM_FACE (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
score KAM_FACE 10
describe KAM_FACE Facebook bogus phishing emails
header __KAM_PHISH3_1 Subject =~ /account notification/i
body __KAM_PHISH3_2 /accessed by someone else./
meta KAM_PHISH3 (__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
score KAM_PHISH3 4
describe KAM_PHISH3 Phishing emails for account notification
#GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
body __KAM_CLICK /Please click on the link below|Copy and paste this link into your internet browser/i
#DIRECT BUY
header __KAM_DIRECT1 From =~ /Direct ?Buy|Wholesale/i
header __KAM_DIRECT2 Subject =~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
body __KAM_DIRECT3 /(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
body __KAM_DIRECT4 /Direct.?Buy/i
meta KAM_DIRECT (__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
score KAM_DIRECT 3.0
describe KAM_DIRECT DirectBuy Spam
#SWIPE BIDS
header __KAM_SWIPE1 From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
header __KAM_SWIPE2 Subject =~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
body __KAM_SWIPE3 /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
body __KAM_SWIPE4 /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i
meta KAM_SWIPE (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
score KAM_SWIPE 2.0
describe KAM_SWIPE SwipeBid Spam / Penny Auction Spams
meta KAM_SWIPE2 (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
score KAM_SWIPE2 0.5
describe KAM_SWIPE2 SwipeBid Spam / Penny Auction Spams
#WE THE SPAMMERS
header __KAM_WTA1 From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
body __KAM_WTA2 /Alliance for Retirement Prosperity Association|Social Security Institute/is
meta KAM_WTA (__KAM_WTA1 + __KAM_WTA2 >= 2)
score KAM_WTA 9.0
describe KAM_WTA Ridiculous campaign by unapologetic spammers purposefully using throwaway domains
#SMOKELESS
body __KAM_SMOKE1 /smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
header __KAM_SMOKE2 Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
header __KAM_SMOKE3 From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
body __KAM_SMOKE4 /No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
body __KAM_SMOKE5 /you have qualified/i
meta KAM_SMOKE (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
score KAM_SMOKE 4.5
describe KAM_SMOKE Smokeless cigarette and quitting spam
meta KAM_SMOKE2 (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
score KAM_SMOKE2 3.0
describe KAM_SMOKE2 Higher probability of spam
#OBF URL - need to make this more generic and perhaps something for RBL lookups when these techniques are used.
body __KAM_OBFURL1 /A\s+D\s+I\s+L\s+I\s+Z\s+E\s+R\s+.\s+C\s+O\s+M|insidesaleswiz\.\s+com/i
meta KAM_OBFURL (__KAM_OBFURL1 >= 1)
score KAM_OBFURL 15.0
describe KAM_OBFURL Obfuscated URL
#SHARP FOR LIFE
body __KAM_SHARP1 /sharp for life/i
body __KAM_SHARP2 /yoshiblade/i
body __KAM_SHARP3 /zirconium oxide/i
body __KAM_SHARP4 /ceramic knife/i
header __KAM_SHARP5 Subject =~ /ceramic knief|yoshiblade|sharp for life/i
header __KAM_SHARP6 From =~ /yoshi/i
meta KAM_SHARP (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
score KAM_SHARP 4.5
describe KAM_SHARP Ceramic Blade Spam
#HIP REPLACEMENT
body __KAM_HIP1 /hip replacement|medical alert/i
body __KAM_HIP2 /implant recall|recall list/i
header __KAM_HIP3 Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
header __KAM_HIP4 From =~ /recall/i
meta KAM_HIP (__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
score KAM_HIP 4.5
describe KAM_HIP Hip Replacement Recall Spam
#WORK AT HOME
body __KAM_WORKHOME1 /online jobs|Full-time (and|&) Part-time|at home employment/i
body __KAM_WORKHOME2 /\#1 site|view here|information here/i
header __KAM_WORKHOME3 Subject =~ /work at home|work \@ home|home positions/i
meta KAM_WORKHOME (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
score KAM_WORKHOME 4.5
describe KAM_WORKHOME Work at Home Spam
meta KAM_WORKHOME2 (__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
score KAM_WORKHOME2 4.5
describe KAM_WORKHOME2 Work at Home Spam
#HSR UPDATES
body __KAM_HSR1 /hsrupdates.com|progressiverailroading.com/i
header __KAM_HSR2 Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
header __KAM_HSR3 From =~ /HSRUpdates.com|progressive ?railroading/i
meta KAM_HSR (__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
score KAM_HSR 4.5
describe KAM_HSR High Speed Rail Spam
#SELLPHONE
body __KAM_SELLPHONE1 /Turn iphones into cash/i
body __KAM_SELLPHONE2 /used or broken|pre-paid envelope/i
header __KAM_SELLPHONE3 Subject =~ /sell your old iphone/i
meta KAM_SELLPHONE (__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
score KAM_SELLPHONE 4.5
describe KAM_SELLPHONE Used Equipment Spam
#STORAGE LIMIT
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3
#ISSUE
body __KAM_MAILBOX1 /mailbox .{0,12}exceeded|(storage|email|mailbox).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?fu<L1><L1>|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended/i
tflags __KAM_MAILBOX1 nosubject
#ACTION
body __KAM_MAILBOX2 /(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) them|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (withheld|recent) (incoming|messages|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|keep (current|same) password|change password|stop (this action|account removal)|fix your email/i
tflags __KAM_MAILBOX2 nosubject
#SUBJECT
header __KAM_MAILBOX3 Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|security|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|\d emails? suspended/i
meta KAM_MAILBOX (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG >= 2)
score KAM_MAILBOX 7.75
describe KAM_MAILBOX Mailbox Quota Phishing Scams
meta KAM_MAILBOX2 (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
score KAM_MAILBOX2 6.25
describe KAM_MAILBOX2 Mailbox Quota Phishing Scams
meta KAM_MAILBOX3 (KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
describe KAM_MAILBOX3 Enhanced Scoring for Mailbox Quota Phishing
score KAM_MAILBOX3 3.75
endif
#SHORTENERS
meta KAM_SHORT (__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
score KAM_SHORT 0.001
describe KAM_SHORT Use of a URL Shortener for very short URL
#URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
uri __KAM_SHORT /^http:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/
# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
uri __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i
#POWER CHAIRS
body __KAM_POWER1 /hoveround/i
header __KAM_POWER2 Subject =~ /Get your freedom|power Chairs/i
header __KAM_POWER3 From =~ /Get your freedom|power Chairs/i
meta KAM_POWER (__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
score KAM_POWER 3.0
describe KAM_POWER Motorized Chair Spams
#GUN ALERTS
body __KAM_GUN1 /Keep and Bear Arms/i
header __KAM_GUN2 From =~ /gunalerts.com/i
header __KAM_GUN3 Subject =~ /gun/i
meta KAM_GUN (__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
score KAM_GUN 2.0
describe KAM_GUN Gun Alert Spams
#GET RICH QUICK SCHEME
body __KAM_RICH1 /financial.success story/i
body __KAM_RICH2 /see me on the channel \d news/i
body __KAM_RICH3 /talking about my blog/i
body __KAM_RICH4 /bec.me financially independent/i
meta KAM_RICH (__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
score KAM_RICH 3.5
describe KAM_RICH Get Rich Quick Schemes
#INVALID FROM HEADER
header __KAM_INVFROM1 From =~ /<[^>]*$/
header __KAM_INVFROM2 From =~ /^[^<]*>/
meta KAM_INVFROM (__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
score KAM_INVFROM 2.0
describe KAM_INVFROM Invalid From Header containing mismatched <>'s
#YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
header __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
else
meta KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
endif
describe KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
score KAM_UAH_YAHOOGROUP_SENDER -20.0
#GALLERY
header __KAM_GALLERY1 Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
body __KAM_GALLERY2 /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
header __KAM_GALLERY3 Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
body __KAM_GALLERY4 /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
rawbody __KAM_GALLERY5 /wp-content|_vti_cnf|cache|wp-admin|wordpress/i
meta KAM_GALLERY (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
describe KAM_GALLERY Exploited Gallery with Porn
score KAM_GALLERY 5.0
meta KAM_GALLERY2 (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
describe KAM_GALLERY2 Higher Likelihood of Exploited Gallery with Porn
score KAM_GALLERY2 2.0
#CHANGELOG
header __KAM_CHANGELOG1 Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
body __KAM_CHANGELOG2 /as promised chnglog update/i
meta KAM_CHANGELOG (__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
describe KAM_CHANGELOG Phishing Email
score KAM_CHANGELOG 2.5
#NIGERIAN VARIANT
body __KAM_BUS1 /business proposal/i
body __KAM_BUS2 /sensitive by nature/i
body __KAM_BUS3 /have not met/i
body __KAM_BUS4 /view my attach/i
meta KAM_BUS (__KAM_BUS1 + __KAM_BUS2 + __KAM_BUS3 + __KAM_BUS4 >= 4)
describe KAM_BUS Yet another Nigerian Scam/Phishing Variant
score KAM_BUS 4.0
#PRIVATE MESSAGE
body __KAM_PRIV1 /private message|horny|sweet ass/i
body __KAM_PRIV2 /(personal|private) video/i
body __KAM_PRIV3 /the attache?ment|attached file/i
meta KAM_PRIV (__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
describe KAM_PRIV Private Messages using Exploits in attached HTML files
score KAM_PRIV 5.0
#DIV
rawbody __KAM_DIV1 /(Viagr?|Cial?)<div/i
rawbody __KAM_DIV2 /<\/div>r?a\|l?is/i
meta KAM_DIV (__KAM_DIV1 + __KAM_DIV2 >= 2)
describe KAM_DIV Use of divs to hide Medical Spams
score KAM_DIV 2.0
#CREDIT SCORE
header __KAM_CREDIT1 Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body __KAM_CREDIT2 /View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body __KAM_CREDIT3 /NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body __KAM_CREDIT4 /CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header __KAM_CREDIT5 From =~ /Credit|score|bureau|finance|report|advisory/i
#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 & Set this in VI :set encoding=utf-8 :set fileencodings=utf-8
#Useful Resources for Tags
#https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
#https://www.branah.com/unicode-converter
#look at the encoding type and the charset. For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
#renamed to A1, C1, etc. to avoid collisions with stock rules
#Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
#thanks as well to Henrik Krohns
replace_tag A1 (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
replace_tag B1 (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[\xf0\x9d\x9a\x8b])
replace_tag C1 (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
replace_tag D1 (?:d|[\xf0\x9d\x9a\x8d])
replace_tag E1 (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
replace_tag G1 (?:g|[\xf0\x9d\x97\x80])
replace_tag I1 (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
replace_tag L1 (?:l|i)
replace_tag M1 (?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
replace_tag N1 (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
replace_tag O1 (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98])
replace_tag P1 (?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
replace_tag R1 (?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
replace_tag S1 (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
replace_tag T1 (?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
replace_tag U1 (?:u|[\xf0\x9d\x98\x82])
replace_tag V1 (?:v|[\xf0\x9d\x96\xb5])
replace_tag W1 (?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0])
replace_tag Y1 (?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
replace_tag SPACE1 (?: |[\xc2\xa0])
header __KAM_CREDIT6 Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
header __KAM_CREDIT7 From =~ /<S1>core.?<S1>ense/i
replace_rules __KAM_CREDIT6 __KAM_CREDIT7
endif
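#ADDED EXAMPLE (not part of the KAM ruleset or of SpamAssassin): a Python sketch of how ReplaceTags expands <C1> and <I1> in __KAM_CREDIT6, and why only the expanded rule catches a homoglyph Subject; to_tag_bytes() mirrors the perl one-liner in the resources comment above.
#Assumptions: the header is matched as decoded UTF-8 bytes; expand(), matches(), to_tag_bytes() and the sample subjects are hypothetical names and constructed data.

```python
import re

# Tag definitions copied from the replace_tag lines above (only the three
# that __KAM_CREDIT6 and __KAM_CREDIT7 use).
REPLACE_TAGS = {
    "C1": r"(?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])",
    "I1": r"(?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)",
    "S1": r"(?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])",
}

# Pattern of __KAM_CREDIT6 exactly as written in the rule (before expansion).
CREDIT6 = r"<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)"

# The same phrase as a plain ASCII rule, for comparison.
CREDIT6_ASCII = r"complimentary (credit|EXPERIAN|Transunion|Equifax)"

# Constructed sample subjects. SPOOFED uses Cyrillic U+0421 for "C" and
# Cyrillic U+0456 for "i"; it renders like "Complimentary Credit".
SPOOFED = "\u0421ompl\u0456mentary Cred\u0456t score inside"
BENIGN = "Quarterly compliance report"


def to_tag_bytes(char):
    """Render one character as the [\\xNN][\\xNN] form used in replace_tag."""
    return "".join("[\\x%02x]" % b for b in char.encode("utf-8"))


def expand(rule, tags=REPLACE_TAGS):
    """Substitute every known <TAG> with its definition, as replace_rules
    asks the plugin to do; unknown tags are left untouched."""
    return re.sub(r"<([A-Z]+\d*)>",
                  lambda m: tags.get(m.group(1), m.group(0)), rule)


def matches(pattern, subject):
    """Case-insensitive byte-level match of a rule pattern against a subject."""
    return re.search(pattern.encode("ascii"),
                     subject.encode("utf-8"), re.I) is not None


if __name__ == "__main__":
    print("U+0421 as tag bytes:", to_tag_bytes("\u0421"))
    print("expanded rule      :", expand(CREDIT6))
    print("ASCII rule hits    :", matches(CREDIT6_ASCII, SPOOFED))
    print("unexpanded rule    :", matches(CREDIT6, SPOOFED))
    print("expanded rule hits :", matches(expand(CREDIT6), SPOOFED))
    print("benign subject hits:", matches(expand(CREDIT6), BENIGN))
```

#The unexpanded case is what a rule looks like when its name is missing from replace_rules: the <C1> text stays literal and the rule never fires.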
meta KAM_CREDIT (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe KAM_CREDIT Credit Score Spams
score KAM_CREDIT 4.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_CREDIT2 (__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe KAM_CREDIT2 Credit Score Spams
score KAM_CREDIT2 4.5
endif
#OBFUSCATED URI
rawbody KAM_OBFURI /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe KAM_OBFURI Obfuscated URI trick
score KAM_OBFURI 4.0
#ADVANCE
header __KAM_ADVANCE1 Subject =~ /Advance for \d.\d\d\d/i
body __KAM_ADVANCE2 /Advance Details/i
body __KAM_ADVANCE3 /Pre-Approved/i
header __KAM_ADVANCE4 From =~ /Advance|Approv|Financ/i
meta KAM_ADVANCE (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe KAM_ADVANCE Advance Spams
score KAM_ADVANCE 3.5
#PAYPAL NON SPF - FP fixed by Piper Andreas
header __KAM_PAYPAL1A From =~ /\@[a-z\.]*paypal.com>?$/i
meta KAM_PAYPAL1 (__KAM_PAYPAL1A + SPF_FAIL >=2)
describe KAM_PAYPAL1 rampant paypal phishing scams
score KAM_PAYPAL1 16.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#PAYPAL IMPERSONATING MALWARE
body __KAM_PAYPAL2A /paypal/i
body __KAM_PAYPAL2B /protection services department|download(ing)?.the.attach/i
meta KAM_PAYPAL2 (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
describe KAM_PAYPAL2 Malware disguised as a paypal email
score KAM_PAYPAL2 8.0
endif
#PAYPAL PHISH
header __KAM_PAYPAL3A From =~ /paypal/i
header __KAM_PAYPAL3B From !~ /paypal.com(\.au)?>?$/i
header __KAM_PAYPAL3C Subject =~ /your.paypal.account/i
body __KAM_PAYPAL3D /security.process|more.information|has.limitation|verify.your.information/i
meta KAM_PAYPAL3 ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_PAYPAL3 8.0
describe KAM_PAYPAL3 Phish disguised as a paypal email
#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header __KAM_COMPROMISED1A From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header __KAM_COMPROMISED1B X-Mailer =~ /Yahoo/i
header __KAM_COMPROMISED2 Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body __KAM_COMPROMISED3 /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body __KAM_COMPROMISED4 /How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i
meta KAM_COMPROMISED ((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe KAM_COMPROMISED Compromised Accounts Sending Spam
score KAM_COMPROMISED 8.25
#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISION - THANKS TO DAVID FUNK
header __KAM_LIST2A List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
header __KAM_LIST2B Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i
meta KAM_LIST2 (__KAM_LIST2A + __KAM_LIST2B >= 1)
describe KAM_LIST2 Known Bad Groups
score KAM_LIST2 60.0
#LIMITED ACCESS/QUOTA SCAMS - ISPS THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
body __KAM_QUOTA1 /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body __KAM_QUOTA2 /Limited Access|termination of your email|restore.your.account|will.not.be.able/i
meta KAM_QUOTA (__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe KAM_QUOTA Limited Access / Quota Phishing Scam
score KAM_QUOTA 3.0
# BACKGROUND CHECK SPAM
body __KAM_BACK1 /backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
body __KAM_BACK3 /(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header __KAM_BACK4 Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
header __KAM_BACK5 From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i
describe KAM_BACK Background Check SPAM
meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
score KAM_BACK 5.5
#ARREST RECORD SCAMS
header __KAM_ARREST1 Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body __KAM_ARREST2 /Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header __KAM_ARREST3 From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i
meta KAM_ARREST (__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1 + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe KAM_ARREST Arrest Record Scams
score KAM_ARREST 5.0
#MORE DIET SCAMS
header __KAM_DIET2_1 From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
header __KAM_DIET2_2 Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body __KAM_DIET2_3 /secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i
meta KAM_DIET2 (__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe KAM_DIET2 Diet Scams
score KAM_DIET2 5.0
#CIGAR SCAMS
header __KAM_CIGAR1 Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header __KAM_CIGAR2 From =~ /Cigar/i
body __KAM_CIGAR3 /Thompson Cigar|Premium Cigar/i
meta KAM_CIGAR (__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe KAM_CIGAR Cigar Scam Emails
score KAM_CIGAR 6.0
#TK DOMAINS
rawbody KAM_TK /https?:\/\/.{5,30}\.tk\//i
describe KAM_TK Abuse of .tk domain registrar which offers free domains
score KAM_TK 5.0
#THIRD PARTY / SENT BY XXXX
body __KAM_THIRD /advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i
#LASIK
header __KAM_LASIK1 From =~ /Lasik/i
header __KAM_LASIK2 Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body __KAM_LASIK3 /free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri __KAM_LASIK4 /lasik\.php/i
meta KAM_LASIK (__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe KAM_LASIK Lasik Treatment Spams
score KAM_LASIK 4.5
#FAKE NOTIFIES
header __KAM_NOTIFY1 From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body __KAM_NOTIFY2 /[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header __KAM_NOTIFY3 From =~ /\.br>/i
meta KAM_NOTIFY (__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe KAM_NOTIFY Fake Notifications
score KAM_NOTIFY 4.0
meta KAM_NOTIFY2 (KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe KAM_NOTIFY2 Higher likelihood of fake notification
score KAM_NOTIFY2 3.0
#LANGUAGE
header __KAM_LANG1 From =~ /Pimsleur|learnalanguage/i
header __KAM_LANG2 Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body __KAM_LANG3 /pimsleur|Language in just \d+ Day/i
meta KAM_LANG (__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_LANG Language Method Spams
score KAM_LANG 4.5
#FAKE TRACK
header __KAM_TRACK1 From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i
meta KAM_TRACK (__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe KAM_TRACK Fake Tracking Emails
score KAM_TRACK 3.0
#BACK TO SCHOOL
header __KAM_SCHOOL1 From =~ /Classes/i
header __KAM_SCHOOL2 Subject =~ /(?:Return|Back) to School/i
meta KAM_SCHOOL (__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SCHOOL School Spams
score KAM_SCHOOL 5.0
#MEMBERS
header __KAM_MEMBER1 From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header __KAM_MEMBER2 Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body __KAM_MEMBER3 /(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody __KAM_MEMBER4 /special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta __KAM_MEMBER5 (KAM_INFOUSMEBIZ || KAM_COUK)
#header __KAM_MEMBER6 From =~ /Updat/i
meta KAM_MEMBER (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe KAM_MEMBER Dating Scams
score KAM_MEMBER 4.5
#MEDICARE
header __KAM_MEDICARE1 From =~ /(Medicare|health.?options|enrollment)/i
header __KAM_MEDICARE2 Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
body __KAM_MEDICARE3 /medicare.(plan|recipient|annual election)/i
tflags __KAM_MEDICARE3 nosubject
body __KAM_MEDICARE4 /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i
meta KAM_MEDICARE (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe KAM_MEDICARE Medicare Scams
score KAM_MEDICARE 4.0
#BILLS
header __KAM_BILLS1 From =~ /LowerMyBills|mortgage/i
header __KAM_BILLS2 Subject =~ /Save up to \$\d|refi requirement|refi.program/i
meta KAM_BILLS (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_BILLS Bill Pay Spams
score KAM_BILLS 4.0
#HOSE
header __KAM_HOSE1 From =~ /Pocket Hose/i
header __KAM_HOSE2 Subject =~ /garden hose|kinks/i
body __KAM_HOSE3 /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i
meta KAM_HOSE (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_HOSE Garden Hose Spams
score KAM_HOSE 4.5
#AV
header __KAM_AV1 From =~ /Norton/i
header __KAM_AV2 Subject =~ /Update now|Are you protected/i
meta KAM_AV (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_AV Anti-Virus Spams
score KAM_AV 4.0
#MASCARA
header __KAM_MASCARA1 From =~ /smartlash/i
header __KAM_MASCARA2 Subject =~ /mascara/i
body __KAM_MASCARA3 /smartlash/i
meta KAM_MASCARA (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_MASCARA Make-up Spams
score KAM_MASCARA 4.5
#COLLEGE
header __KAM_COLLEGE1 From =~ /degree|doctorate|online/i
header __KAM_COLLEGE2 Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody __KAM_COLLEGE3 /online degree|ph\.?d online|online doctorate|advance your career with a degree/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_COLLEGE (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe KAM_COLLEGE Online Degree/Aid Spams
score KAM_COLLEGE 4.0
endif
#SURVEY
header __KAM_SURVEY1 From =~ /Survey|safecount|privacy/i
header __KAM_SURVEY2 Subject =~ /win an ipad/i
body __KAM_SURVEY3 /Do You Use Instagram|Complete the survey|win a great prize/i
meta KAM_SURVEY (__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SURVEY Online Survey Spams
score KAM_SURVEY 4.5
#LAKE
#REMOVED 1/7/2014
#rawbody KAM_LAKE /http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe KAM_LAKE Odd spamming engine LAKE signature on URLs
#score KAM_LAKE 0.25
#SNORE
header __KAM_SNORE1 From =~ /snoring|zquiet/i
header __KAM_SNORE2 Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body __KAM_SNORE3 /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i
meta KAM_SNORE (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SNORE Snoring Aid Spams
score KAM_SNORE 4.0
#VACATION
header __KAM_VACATION1 From =~ /Promotions|cruise|vacation/i
header __KAM_VACATION2 Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body __KAM_VACATION3 /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i
meta KAM_VACATION (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VACATION Vacation Spams
score KAM_VACATION 4.0
#BLOOD PRESSURE
header __KAM_BLOOD1 From =~ /Marine Essent|blood.pressure/i
header __KAM_BLOOD2 Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body __KAM_BLOOD3 /Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body __KAM_BLOOD4 /Marine Essentials|this mineral|drug.companies.hate/i
body __KAM_BLOOD5 /Anti-Aging Expert|worst.food/i
body __KAM_BLOOD6 /Blood pressure/i
meta KAM_BLOOD ( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6 + KAM_INFOUSMEBIZ >= 4)
describe KAM_BLOOD Blood Pressure Spams
score KAM_BLOOD 4.75
#SCOOTER
header __KAM_SCOOTER1 From =~ /Scooter Store/i
header __KAM_SCOOTER2 Subject =~ /lack of mobility/i
body __KAM_SCOOTER3 /the scooter store/i
meta KAM_SCOOTER ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe KAM_SCOOTER Scooter Spams
score KAM_SCOOTER 4.75
#ANATABLOC
header __KAM_ANATA1 From =~ /Anatabloc/i
header __KAM_ANATA2 Subject =~ /(back|joint) pain|arthritis/i
meta KAM_ANATA (__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe KAM_ANATA Drug Spam
score KAM_ANATA 4.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#BBB Phish
header __KAM_BBB1 From =~ /bbb.org/i
body __KAM_BBB2 /consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body __KAM_BBB3 /has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
body __KAM_BBB4 /about your *(?:glance|belief|judgment)/i
header __KAM_BBB5 Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i
meta KAM_BBB (__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_BBB Better Business Bureau Phishing
score KAM_BBB 5.0
endif
#PREV MARK
header __KAM_MARK1 Subject =~ /[\[\<]ADV[\>\]]/i
header __KAM_MARK2 Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]/i
header __KAM_MARK3 Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i
meta KAM_MARKADV (__KAM_MARK1 >= 1)
describe KAM_MARKADV Email arrived marked as an Advertisement
score KAM_MARKADV 10.0
meta KAM_MARKSPAM (__KAM_MARK2 >= 1)
describe KAM_MARKSPAM Email arrived marked as Spam
score KAM_MARKSPAM 4.0
meta KAM_MARKVIRI (__KAM_MARK3 >= 1)
describe KAM_MARKVIRI Email arrived marked as Virus
score KAM_MARKVIRI 10.0
#H1QNUM ENGINE
rawbody __KAM_H1QNUM1 /<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header __KAM_H1QNUM2 Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri __KAM_H1QNUM3 /\.co\.uk/i
meta KAM_H1QNUM (__KAM_H1QNUM1 >= 1)
describe KAM_H1QNUM H1 Qnum indicator
score KAM_H1QNUM 4.0
meta KAM_H1QNUM2 ( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe KAM_H1QNUM2 H1 Qnum higher spamminess indicators
score KAM_H1QNUM2 5.0
#AP
header __KAM_AP1 From =~ /AP/
header __KAM_AP2 Subject =~ /Community & educational development/i
body __KAM_AP3 /American Grants and Loans Catalog/i
meta KAM_AP (__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe KAM_AP American Publishing Spam
score KAM_AP 4.5
#CO.UK
header KAM_COUK From =~ /\@.{1,30}\.co\.uk/i
describe KAM_COUK Scoring .co.uk emails higher due to poor registry security.
score KAM_COUK 0.85
#FAKE FACEBOOKMAIL
#REAL FB DOMAIN
header __KAM_FACEBOOKMAIL1 From =~ /\@facebookmail.com/i
#SPECIFIC PEOPLE
header __KAM_FACEBOOKMAIL2 From =~ /Ramakanth Raavi/i
meta KAM_FACEBOOKMAIL ((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
score KAM_FACEBOOKMAIL 8.0
#FAKE DHL/FEDEX/ETC
body __KAM_FAKEDELIVER1 /courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address/i
header __KAM_FAKEDELIVER2 Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request/i
#DHL
header __KAM_FAKEDELIVER3 From:name =~ /DHL/i
header __KAM_FAKEDELIVER4 From:addr !~ /dhl\.com/i
#FEDEX
rawbody __KAM_FAKEDELIVER5 /Fed ?ex/i
header __KAM_FAKEDELIVER6 From !~ /fedex\.com/i
#USPS
body __KAM_FAKEDELIVER7 /USPS/i
header __KAM_FAKEDELIVER8 From !~ /usps\.com/i
#CARGO
body __KAM_FAKEDELIVER9 /CARGO/
header __KAM_FAKEDELIVER10 From =~ /shipping|economy|priority/i
#DPD
body __KAM_FAKEDELIVER11 /DPD/i
header __KAM_FAKEDELIVER12 From !~ /dpd\.com|dpd\.co\.uk/i
uri __KAM_FAKEDELIVER13 /(cdn\.discordapp\.com|wp-conten)/i
meta KAM_FAKE_DELIVER (__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKEDELIVER13 >= 1) >= 3)
describe KAM_FAKE_DELIVER Fake delivery notifications
score KAM_FAKE_DELIVER 6.25
meta KAM_REALLY_FAKE_DELIVER (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
score KAM_REALLY_FAKE_DELIVER 2.5
describe KAM_REALLY_FAKE_DELIVER Definitely fake delivery notifications
#SOLAR POWER
header __KAM_SOLAR1 From =~ /Solar|electric|regard|energy|.olar..etwork/i
header __KAM_SOLAR2 Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body __KAM_SOLAR3 /power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i
meta KAM_SOLAR (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe KAM_SOLAR Solar Power Spams
score KAM_SOLAR 1.9
meta KAM_SOLAR2 (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe KAM_SOLAR2 Definite Solar Power Spams
score KAM_SOLAR2 1.9
#ASIAN BRIDE
header __KAM_ASIAN1 Subject =~ /Asian Bride/i
body __KAM_ASIAN2 /Adoring Asian/i
header __KAM_ASIAN3 From =~ /asian/i
meta KAM_ASIAN (__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe KAM_ASIAN Asian Bride Spams
score KAM_ASIAN 3.5
#DR OZ SPAM
header __KAM_OZ1 From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header __KAM_OZ2 Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body __KAM_OZ3 /burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i
#meta KAM_OZ (__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe KAM_OZ Fake Dr. Oz Spams
#score KAM_OZ 3.5
#STUDENT LOAN
header __KAM_STUDENT1 From =~ /Student.?Loan|government/i
header __KAM_STUDENT2 Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body __KAM_STUDENT3 /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i
meta KAM_STUDENT (__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
describe KAM_STUDENT Student Loan Forgiveness Spams
score KAM_STUDENT 4.0
#TIP
header __KAM_TIP1 From =~ /Beauty Tips/i
header __KAM_TIP2 Subject =~ /Dark-Circles|undereye bags/i
body __KAM_TIP3 /undereye bags/i
body __KAM_TIP4 /Find Out This Quick New Trick/i
meta KAM_TIP (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe KAM_TIP Beauty Tip Spams
score KAM_TIP 4.3
#WhatsApp
header __KAM_WHATS1 From =~ /WhatsApp/i
header __KAM_WHATS2 Subject =~ /Voice Message Notification/i
body __KAM_WHATS3 /WhatsApp/
meta KAM_WHATS (__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe KAM_WHATS WhatsApp Spams
score KAM_WHATS 3.0
#QTJars
header __KAM_QTJARS1 From =~ /qtjar/i
header __KAM_QTJARS2 Subject =~ /qtjar|left you a message|new message/i
body __KAM_QTJARS3 /qtjars/
body __KAM_QTJARS4 /private message/
meta KAM_QTJARS (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe KAM_QTJARS QTJars Spams
score KAM_QTJARS 3.0
#GOOGLE DOCS PHISH
# view the agreement.
body __KAM_GOOGLEPHISH1 /copy of the signed agreement/i
rawbody __KAM_GOOGLEPHISH2 /http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i
meta KAM_GOOGLEPHISH (__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe KAM_GOOGLEPHISH Google Login Phishing Scam
score KAM_GOOGLEPHISH 5.0
#POLITICAL SPAM
header __KAM_POLY1 Subject =~ /Barack Obama/i
body __KAM_POLY2 /The End of Barack Obama/i
meta KAM_POLY (__KAM_POLY1 + __KAM_POLY2 >= 2)
describe KAM_POLY Political Spams
score KAM_POLY 3.0
#MAID
header __KAM_MAID1 Subject =~ /Maid Services|housekeeping.service/i
header __KAM_MAID2 From =~ /Maid|Housekeeper/i
body __KAM_MAID3 /Pre-Screened Housekeepers|local.maid/i
meta KAM_MAID (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe KAM_MAID Maid Service Spams
score KAM_MAID 3.0
#TUB
header __KAM_TUB1 Subject =~ /Walk.?in.*tub|bath and massage/i
header __KAM_TUB2 From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body __KAM_TUB3 /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i
meta KAM_TUB (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe KAM_TUB Tub Spams
score KAM_TUB 4.0
#OBFUSCATE PORN
header __KAM_OBF1 Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header __KAM_OBF2 Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header __KAM_OBF3 Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header __KAM_OBF4 Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header __KAM_OBF5 Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header __KAM_OBF6 Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header __KAM_OBF7 Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header __KAM_OBF8 Subject =~ /X.X.X/
meta KAM_OBF ((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe KAM_OBF Obfuscated Porn Spams
score KAM_OBF 4.0
meta KAM_OBF2 (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe KAM_OBF2 Obfuscated Porn Spams
score KAM_OBF2 2.0
#SHARK TANK
header __KAM_SHARKTANK_SUBJ Subject =~ /shark tank/i
body __KAM_SHARKTANK_BODY /shark tank/i
meta KAM_SHARKTANK (__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
score KAM_SHARKTANK 1.0
describe KAM_SHARKTANK Mentions Shark Tank
rawbody __KAM_SHARKPROD /high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is
meta KAM_SHARKPROD (__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
score KAM_SHARKPROD 5.0
describe KAM_SHARKPROD Shark Tank Spam
#ICU TLD PROBLEMS
header __KAM_ICUTLD_FROM From:addr =~ /\.icu$/i
uri __KAM_ICUTLD_URI /\.icu($|\/)/i
meta KAM_ICU_BAD_TLD (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI >= 1)
describe KAM_ICU_BAD_TLD .icu TLD Abuse
score KAM_ICU_BAD_TLD 2.0
#HAIR LOSS / GREYING / REMOVAL
header __KAM_HAIR1 Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
header __KAM_HAIR2 From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
rawbody __KAM_HAIR3 /k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
rawbody __KAM_HAIR4 /Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i
rawbody __KAM_NEWSLETTER /<title>Newsletter<\/title>/i
meta KAM_HAIR (__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
describe KAM_HAIR Hair Loss / Removal Spams
score KAM_HAIR 4.5
#TRIAL
body __KAM_TRIAL /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i
#UNSUB
body __KAM_UNSUB1 /cancel 0ffers/i #note the zero
body __KAM_UNSUB2 /u +n +s +u +b +s +c +r +i +b +e/i
meta KAM_UNSUB (__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe KAM_UNSUB Completely ridiculous unsubscribe text found
score KAM_UNSUB 5.0
#MAINTENANCE / Email Phish Scams
body __KAM_EMAILPHISH1 /Please login to complete update process/i
meta KAM_EMAILPHISH (__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
describe KAM_EMAILPHISH Email Phishing Scams
score KAM_EMAILPHISH 3.5
#MASSMAILER ERRORS
header __KAM_MASSERROR1 Reply-to =~ /\@domain\]\]/i
meta KAM_MASSERROR (__KAM_MASSERROR1 >= 1)
describe KAM_MASSERROR Error in usage of a mass mailing software
score KAM_MASSERROR 2.0
#CAR DEAL SPAMS
header __KAM_CARDEAL1 Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header __KAM_CARDEAL2 From =~ /dealer|clearance|veh.cle/i
body __KAM_CARDEAL3 /201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i
meta KAM_CARDEAL (__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe KAM_CARDEAL Car Deal Spams
score KAM_CARDEAL 3.0
#Quick Sale Scams
header __KAM_HOMESALE1 Subject =~ /buyer interested in your ho/i
header __KAM_HOMESALE2 From =~ /Fastcash/i
body __KAM_HOMESALE3 /Cash Offer for Your Home/i
meta KAM_HOMESALE (__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe KAM_HOMESALE Home Sale Spams
score KAM_HOMESALE 3.5
#ADVERTISEMENTS FOR LOANS
header __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
header __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
body __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_LOAN5A Content-Type =~ /loan offer/i
mimeheader __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif
meta KAM_LOAN (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe KAM_LOAN Payday and other loan spams
score KAM_LOAN 4.5
#HANGOVER SPAM
header __KAM_HANGOVER1 Subject =~ /hangover patch/i
header __KAM_HANGOVER2 From =~ /hangover/i
body __KAM_HANGOVER3 /hangover patch/i
meta KAM_HANGOVER (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe KAM_HANGOVER Hangover Patch Spams
score KAM_HANGOVER 3.5
#RX PLAN SPAM
header __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body __KAM_RXPLAN3 /gap coverage/i
meta KAM_RXPLAN (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe KAM_RXPLAN Rx Plan Spams
score KAM_RXPLAN 3.5
#SIDE SOCKET
header __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header __KAM_SOCKET2 From =~ /side.?socket/i
body __KAM_SOCKET3 /side socket/i
meta KAM_SOCKET (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe KAM_SOCKET Product Spam du Jour
score KAM_SOCKET 3.5
#TESTOSTERONE
header __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body __KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron|androderm/i
meta KAM_TESTOSTERONE (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe KAM_TESTOSTERONE Product Spam du Jour
score KAM_TESTOSTERONE 4.5
#FLEXHOSE
header __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
header __KAM_FLEXHOSE2 From =~ /hose/i
body __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i
meta KAM_FLEXHOSE (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
describe KAM_FLEXHOSE Product Spam du Jour
score KAM_FLEXHOSE 3.5
#PET
header __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i
meta KAM_PET (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe KAM_PET Insurance and other pet-related spam
score KAM_PET 4.5
meta KAM_PET2 (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe KAM_PET2 Even more likely insurance and other pet-related spam
score KAM_PET2 3.5
#COBRA
header __KAM_COBRA1 Subject =~ /Cobra Health/i
header __KAM_COBRA2 From =~ /Cobra|Health/i
body __KAM_COBRA3 /find cobra health/i
meta KAM_COBRA (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe KAM_COBRA Cobra Insurance Spam
score KAM_COBRA 3.5
#Discount Air
header __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header __KAM_DISCAIR2 From =~ /Discount Air/i
body __KAM_DISCAIR3 /Fly Cheap in Business Class/i
meta KAM_DISCAIR (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe KAM_DISCAIR Discount Airfare Spam
score KAM_DISCAIR 3.5
#PEST
header __KAM_PEST1 Subject =~ /pes?t control system/i
header __KAM_PEST2 From =~ /Riddex|pest/i
body __KAM_PEST3 /revolutionary pes?t control system/i
meta KAM_PEST (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe KAM_PEST Spam for Pest Control
score KAM_PEST 3.5
#PROPHET
header __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
header __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues/i
body __KAM_PROPHET3 /Dear Christian Friend/i
body __KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
body __KAM_PROPHET5 /prophecy|rapture/i
meta KAM_PROPHET (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
describe KAM_PROPHET Spam for Prophecy
score KAM_PROPHET 6.0
#HEART
header __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i
meta KAM_HEART (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3 >= 3)
describe KAM_HEART Spam for Heart Attack prevention
score KAM_HEART 4.5
#JOINT
header __KAM_JOINT1 Subject =~ /joint relief/i
header __KAM_JOINT2 From =~ /Tfx/i
body __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body __KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body __KAM_JOINT5 /free bottle/i
meta KAM_JOINT (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4 >= 4)
describe KAM_JOINT Joint relief Spam
score KAM_JOINT 4.0
#REHAB
header __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i
meta KAM_REHAB (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD) >= 2)
describe KAM_REHAB Rehab Spam
score KAM_REHAB 3.0
#HAIRTRANS
header __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i
meta KAM_HAIRTRANS (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe KAM_HAIRTRANS Spam for Hair Restoration
score KAM_HAIRTRANS 3.5
meta KAM_HAIRTRANS2 (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe KAM_HAIRTRANS2 Higher probability of spam for Hair Restoration
score KAM_HAIRTRANS2 2.0
#OUR GIFT
body __KAM_GIFTCERT1 /Our gift to you/i
body __KAM_GIFTCERT2 /\$\d+ gift certificate/i
header __KAM_GIFTCERT3 Subject =~ /Our gift to you/i
meta KAM_GIFTCERT (__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
score KAM_GIFTCERT 1.5
describe KAM_GIFTCERT Gift Certificate Spams
#TIRES
header __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
header __KAM_TIRES2 From =~ /Tire/i
body __KAM_TIRES3 /savings on tire|new tires/i
meta KAM_TIRES (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3 >= 3)
describe KAM_TIRES Spam for Tires
score KAM_TIRES 3.0
#SLICEOMATIC
header __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
header __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
body __KAM_SLICEOMATIC3 /Slice-o-matic/i
meta KAM_SLICEOMATIC (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3 >= 3)
describe KAM_SLICEOMATIC Spam for Kitchen Tools
score KAM_SLICEOMATIC 3.0
#FINDYOURWINDOWS AND OTHER WINDOW SPAM
header __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
header __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
body __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i
meta KAM_WINDOWS (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
describe KAM_WINDOWS Spam for House Windows
score KAM_WINDOWS 4.5
#EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
#POISON PILL
uri __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i
meta KAM_EMMAPP_WEB_COM (__KAM_EMMAP_WEB_COM1 >= 1)
describe KAM_EMMAPP_WEB_COM Spam from emmapp.web.com
score KAM_EMMAPP_WEB_COM 20.0
#NEW CREDIT CARD
header __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
header __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
body __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i
meta KAM_NEW_CREDITCARD (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
describe KAM_NEW_CREDITCARD Spam for new credit cards
score KAM_NEW_CREDITCARD 4.0
#WEIRD GERMAN SPAM
header __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
header __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
body __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
body __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i
meta KAM_GERMAN_BUSINESS_CONTACTS (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
describe KAM_GERMAN_BUSINESS_CONTACTS Weird German business contact info spam
score KAM_GERMAN_BUSINESS_CONTACTS 3.0
#WEIRD SENIOR DATING SPAM
header __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i
meta KAM_SENIOR_DATING (__KAM_SENIOR_DATING1 >= 1)
describe KAM_SENIOR_DATING Senior dating spam
score KAM_SENIOR_DATING 2.0
#NEWS!
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe KAM_NEWS Forged Emails with NEWS!
score KAM_NEWS 9.0
#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif
#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i
#FAKE AT&T
#header __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score KAM_FAKE_ATT 3.0
#YOU HAVE BEEN CHOSEN
header __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header __KAM_CHOSEN2 From =~ /marketing|invitation/i
body __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i
meta KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score KAM_CHOSEN 2.0
#JURY DUTY AND OTHER FAKE COURT NOTICES
header __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header __KAM_JURY3 From !~ /\.gov/i
body __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i
meta KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score KAM_JURY 8.0
#BITCOIN
header __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header __KAM_BITCOIN3 From =~ /bitcoin/i
meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score KAM_BITCOIN 4.5
#RELIGIOUS
header __KAM_RELIGION1 Subject =~ /Christian Media/i
header __KAM_RELIGION2 From =~ /Bible Prophecy/i
body __KAM_RELIGION3 /Dear Christian|Christian Media/i
meta KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score KAM_RELIGION 2.5
#BUSINESS PHONE
header __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header __KAM_BUSINESSPHONE2 From =~ /business phone/i
body __KAM_BUSINESSPHONE3 /business phone system/i
meta KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score KAM_BUSINESSPHONE 5.5
#NUMEROLOGY
header __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header __KAM_NUMEROLOGY2 From =~ /Numerology/i
body __KAM_NUMEROLOGY3 /Control your destiny/i
meta KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score KAM_NUMEROLOGY 3.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#VOICEMAIL SPAM
header __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
header __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i
meta KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score KAM_VOICEMAIL 5.0
endif
#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i
meta KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score KAM_SPAMFORSPAM 5.5
#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i
meta KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score KAM_NEUROLOGICAL 3.5
#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags __KAM_LOTSOFHASH multiple maxhits=10
meta KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score KAM_LOTSOFHASH 0.25
#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score KAM_GRABBAG1 3.5
#TV DOCTOR TRASH
header __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i
meta KAM_TVDOCTOR (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR Spam for TV doctor stuff
score KAM_TVDOCTOR 3.5
# 1-800-DENTIST
header __KAM_DENTIST1 Subject =~ /dentist/i
header __KAM_DENTIST2 From =~ /1-?800-?dentist/i
body __KAM_DENTIST3 /Find a dentist/i
meta KAM_DENTIST (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST Spam for 1-800-DENTIST
score KAM_DENTIST 3.5
# GOLD AND DIAMOND JEWELRY
header __KAM_JEWELRY1 Subject =~ /jewell?rey online|shop now/i
header __KAM_JEWELRY2 From =~ /bluestone\.com/i
meta KAM_JEWELRY (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY Spam for Gold and Diamond Jewelry
score KAM_JEWELRY 3.5
# PSSST, WANNA BUY SOME POT
body __KAM_MARIJUANA1 /marijuana|cannabis/i
body __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i
meta KAM_MARIJUANA (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA Spam pertaining to marijuana
score KAM_MARIJUANA 3.5
meta KAM_MARIJUANA2 (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score KAM_MARIJUANA2 8.0
describe KAM_MARIJUANA2 Definitely spam for marijuana
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# EVICTION NOTICE
header __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body __KAM_EVICTION3 /eviction|foreclosed|trespasser/i
meta KAM_EVICTION (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_EVICTION Malware disguised as eviction notice
score KAM_EVICTION 4.5
endif
# WALK IN TUBS
header __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body __KAM_WALKINTUB3 /walk.?in.?tub/i
meta KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score KAM_WALKINTUB 3.5
# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i
meta KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score KAM_EMAILQUESTION 3.5
# BECOME BEYOND SUPERHUMAN / SUPERMAN
header __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i
meta KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score KAM_SUPERHUMAN 8.0
# VALENTINES
header __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i
meta KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score KAM_VALENTINE 4.5
header __KAM_MOTHER1 From =~ /flower|seventeen/i
header __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i
meta KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score KAM_MOTHER 4.5
# WHO'S WHO
header __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri __KAM_WHOSWHO4 /whoswho/i
meta KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score KAM_WHOSWHO 5.0
meta KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score KAM_WHOSWHO2 1.0
# GARAGE FLOOR COATING
header __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i
meta KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score KAM_GARAGE 4.0
meta KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam
#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header __KAM_PAINT1 From =~ /Coating|Paint|Surface|Sealer/i
header __KAM_PAINT2 Subject =~ /surface Paint/i
meta KAM_PAINT (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe KAM_PAINT Paint Spams
score KAM_PAINT 4.0
# HURRICANE MOP
header __KAM_MOP1 From =~ /hurricane mop/i
header __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body __KAM_MOP3 /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
meta KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score KAM_MOP 3.5
# DATING TIPS
header __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i
meta KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score KAM_DATINGTIPS 4.5
# CANDY
header __KAM_CANDY1 From =~ /candy/i
header __KAM_CANDY2 Subject =~ /candy/i
body __KAM_CANDY3 /you deserve a treat|sweet tooth/i
meta KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score KAM_CANDY 4.5
# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable
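# ADDED EXAMPLE (NOT PART OF THE KAM RULESET): THE DISABLED PATTERN ABOVE RUN AGAINST AN UN-DECODED
# QUOTED-PRINTABLE PART AND AGAINST THE SAME PART AFTER DECODING, WHICH IS WHY A RULE THAT ONLY SEES
# DECODED TEXT CANNOT FIRE. THE SAMPLES AND FUNCTION NAMES ARE CONSTRUCTED; needless_escapes GOES
# BEYOND THE RULE AND IS AN ASSUMPTION ABOUT WHAT COUNTS AS A POINTLESS ESCAPE.

```python
import quopri
import re

# Pattern from the disabled KAM_EXCESSIVEQP rule: ten =XX escapes in a row,
# each encoding a byte below 0x80 (first hex digit 0-7).
EXCESSIVE_QP = re.compile(rb"(=[0-7][a-f0-9]){10}", re.I)
ANY_ESCAPE = re.compile(rb"=([0-9A-Fa-f]{2})")


def needless_escapes(wire_body: bytes) -> int:
    """Count escapes of printable ASCII that QP never needs to escape.

    '=' (0x3D) must always be escaped, and space/tab may be escaped at the
    end of a line, so those are not counted as needless here.
    """
    count = 0
    for m in ANY_ESCAPE.finditer(wire_body):
        byte = int(m.group(1), 16)
        if 0x21 <= byte <= 0x7E and byte != 0x3D:
            count += 1
    return count


def evaluate(wire_body: bytes) -> dict:
    """Run the rule on the undecoded part and on what a decoder hands on."""
    decoded = quopri.decodestring(wire_body)
    return {
        "hit_on_wire": EXCESSIVE_QP.search(wire_body) is not None,
        "hit_after_decoding": EXCESSIVE_QP.search(decoded) is not None,
        "needless_escapes": needless_escapes(wire_body),
    }


def escape_every_byte(text: bytes) -> bytes:
    """Build a constructed sample in which every byte is written as =XX."""
    return b"".join(b"=%02X" % byte for byte in text)


# Constructed samples, not taken from real mail.
OBFUSCATED = escape_every_byte(b"weird trick")
ORDINARY = b"Caf=C3=A9 menu: 2 =3D 1 + 1, see the attached file=\r\nname."

if __name__ == "__main__":
    print(evaluate(OBFUSCATED))
    print(evaluate(ORDINARY))
```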
# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i
meta KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK1 1.5
meta KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score KAM_WEIRDTRICK2 3.5
meta KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score KAM_WEIRDTRICK3 3.0
#MATCH MAKER SPAM
header __KAM_MATCH1 From =~ /Match/i
header __KAM_MATCH2 Subject =~ /Find love|available singles|free.to.look|meet.singles/i
meta KAM_MATCH (__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe KAM_MATCH Match Maker Spams
score KAM_MATCH 3.5
#CAR INSURANCE
header __KAM_CARINSURE1 From =~ /insurance/i
header __KAM_CARINSURE2 Subject =~ /save on car insurance|smarter.way/i
meta KAM_CARINSURE (__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe KAM_CARINSURE Car Insurance Spams
score KAM_CARINSURE 3.0
#DATA IMG
rawbody __KAM_DATAIMG /<img src="data:image/i
#FAKE MMS
rawbody __KAM_MMS1 /base64,G011K60C12QKQ9790AIFQ5L/s
meta KAM_MMS (__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe KAM_MMS Fake MMS Spam
score KAM_MMS 6.0
#LEARNMORE
rawbody __KAM_LEARN1 /base64,R0lGODlh3gA9APcAAAFlmUK/
meta KAM_LEARN (__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe KAM_LEARN Learn More Spam
score KAM_LEARN 6.0
#UNSUB1
header __KAM_UNSUB1_1 List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody __KAM_UNSUB1_2 /:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i
meta KAM_UNSUB1 (__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe KAM_UNSUB1 Unsubscription Spams
score KAM_UNSUB1 0.1
uri __KAM_DOMAINDOTCOM /domain\.com/i
meta KAM_UNSUB2 ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score KAM_UNSUB2 3.5
describe KAM_UNSUB2 Improperly configured spam engines that leave placeholder domains in the body
# DUTCH GLOW AND OTHER WOODWORKING SPAM
header __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i
meta KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
describe KAM_DUTCHGLOW Woodworking spam
score KAM_DUTCHGLOW 3.0
# FUNERAL HOME SPAM
header __KAM_FUNERAL1 From =~ /Funeral/i
header __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri __KAM_FUNERAL4 /\/home\.php\?funeral/i
meta KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score KAM_FUNERAL 2.0
meta KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score KAM_FUNERAL2 3.0
# WEB VIEW OBFUSCATION
body __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i
meta KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score KAM_WEB_OBFUSCATION 0.1
# TUPPERWARE
header __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i
meta KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score KAM_TUPPERWARE 3.5
# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i
meta KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score KAM_PATRIOT 4.0
meta KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score KAM_PATRIOT2 1.5
# PAYMENT LOWERED
header __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i
meta KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score KAM_PAYMENT_LOWERED 4.5
meta KAM_PAYMENT_LOWERED2 (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED2 Higher probability of lowered payment spam
score KAM_PAYMENT_LOWERED2 2.0
#NEW NOTICE
body __KAM_NEWNOTICE1 /- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body __KAM_NEWNOTICE2 /- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header __KAM_NEWNOTICE3 From =~ /Notice|Notification|Credit/i
meta KAM_NEWNOTICE (__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe KAM_NEWNOTICE New Notice Spam
score KAM_NEWNOTICE 4.25
meta KAM_NEWNOTICE2 (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe KAM_NEWNOTICE2 Higher Probability of New Notice Spam
score KAM_NEWNOTICE2 2.0
#REFI NEW NOTICE
header __KAM_REFINEW1 Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body __KAM_REFINEW2 /(rate|payment).reduction|score-update/i
meta KAM_REFINEW (__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe KAM_REFINEW New Refi/Credit Notice spam
score KAM_REFINEW 2.0
meta KAM_REFINEW2 (KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe KAM_REFINEW2 Higher Probability Refi Spam
score KAM_REFINEW2 2.0
#AUTO INSURE / LOAN
header __KAM_AUTONEW1 Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body __KAM_AUTONEW2 /car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body __KAM_AUTONEW3 /just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header __KAM_AUTONEW4 From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i
meta KAM_AUTONEW (__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe KAM_AUTONEW New Auto insurance spam
score KAM_AUTONEW 3.0
meta KAM_AUTONEW2 (KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe KAM_AUTONEW2 Higher Probability Insurance Spam
score KAM_AUTONEW2 2.0
#STATLER
header __KAM_STATLER1 Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header __KAM_STATLER2 Subject =~ /quintuple/i
body __KAM_STATLER3 /Mike Statler/i
meta KAM_STATLER (__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe KAM_STATLER Mike Statler Spams
score KAM_STATLER 6.0
#LEARNING TO WRITE
header __KAM_WRITING1 From =~ /writing/i
header __KAM_WRITING2 Subject =~ /writing resources|get published/i
body __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i
meta KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score KAM_WRITING 3.5
#RASH OF .EU EXPLOITS
rawbody KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score KAM_EU 0.50
describe KAM_EU Prevalent use of .eu in spam/malware
#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody __KAM_12BITCOLOR /color: \#[\da-f]{12}/i
meta KAM_GRABBAG2 KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score KAM_GRABBAG2 5.0
describe KAM_GRABBAG2 Grabbag of Spams hitting EU domains and other indicators
#END DIABETES SPAM
body __KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
body __KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
header __KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i
meta KAM_DIABETES (__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
score KAM_DIABETES 4.5
describe KAM_DIABETES End Diabetes Spam
#SPY CAMERAS, ETC
header __KAM_SPY1 From =~ /spy.?camera/i
header __KAM_SPY2 Subject =~ /spy.?camera/i
body __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i
meta KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score KAM_SPY 3.5
#HARP
header __KAM_HARP1 From =~ /\bharp\b|obamacare|save|healthcare/i
header __KAM_HARP2 Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header __KAM_HARP3 From !~ /\.gov>?$/i
meta KAM_HARP (__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP HARP Refinance Spams
score KAM_HARP 4.5
#LUNAR SLEEP AND OTHER SLEEPING AIDS
header __KAM_LUNAR1 From =~ /lunar.?sleep|peak.life/i
header __KAM_LUNAR2 Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri __KAM_LUNAR3 /lunar.?sleep/i
body __KAM_LUNAR4 /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i
meta KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score KAM_LUNAR 4.5
meta KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score KAM_LUNAR2 2.0
#OCEANS BOUNTY
header __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i
meta KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score KAM_OCEANSBOUNTY 4.5
#ANDROGEL
header __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i
meta KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score KAM_ANDROGEL 4.5
#CELL PHONES
header __KAM_CELL1 From =~ /phone/i
header __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i
meta KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score KAM_CELL 3.5
header __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i
meta KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad
#HERPES
header __KAM_HERPES1 From =~ /herpes/i
header __KAM_HERPES2 Subject =~ /your.herpes/i
body __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i
meta KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score KAM_HERPES 5.0
#FAKE VOUCHER/REWARD EMAIL
header __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
header __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
body __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i
meta KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
describe KAM_FAKEVOUCHER Fake voucher/reward email
score KAM_FAKEVOUCHER 4.5
#ATTORNEY SPAM
header __KAM_ATTORNEY1 From =~ /attorney/i
header __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
body __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i
meta KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
score KAM_ATTORNEY 3.5
describe KAM_ATTORNEY Ads for legal services
#PRODUCT RECALL
header __KAM_RECALL1 From =~ /dog.?food/i
header __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
body __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i
meta KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
score KAM_RECALL 3.5
describe KAM_RECALL Spam for product recall notices
#REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
rawbody __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
tflags __KAM_HUGEIMGSRC multiple maxhits=6
meta KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
score KAM_HUGEIMGSRC 0.2
describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls
describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
rawbody KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
score KAM_REALLYHUGEIMGSRC 0.5
rawbody KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
score KAM_TRACKIMAGE 0.2
#BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
meta KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
score KAM_GRABBAG3 3.0
describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients
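# ADDED EXAMPLE (NOT PART OF THE KAM RULESET): HOW "tflags multiple maxhits=6" TURNS __KAM_HUGEIMGSRC
# INTO A CAPPED COUNTER AND HOW THE KAM_GRABBAG3 META ADDS UP ITS TERMS, USING THE PATTERNS ABOVE ON
# CONSTRUCTED HTML. ASSUMPTIONS: THE BODY IS SCANNED AS ONE STRING, AND other_indicator STANDS IN FOR
# THE OR GROUP OF RULES DEFINED ELSEWHERE IN THE FILE.

```python
import re

# Patterns copied from the rules above; this syntax is the same in Perl and Python.
HUGE_IMG_SRC = re.compile(r"""<img[^>]*\ssrc=["']?http[^\s>"']{120}""", re.I)
REALLY_HUGE_IMG_SRC = re.compile(r"""<img[^>]*\ssrc=["']?http[^\s]{300}""", re.I)
TRACK_IMAGE = re.compile(r"""<img[^>]*\ssrc=["']?https?://track""", re.I)

# Scores as assigned in the rules above.
SCORES = {"KAM_HUGEIMGSRC": 0.2, "KAM_REALLYHUGEIMGSRC": 0.5,
          "KAM_TRACKIMAGE": 0.2, "KAM_GRABBAG3": 3.0}


def count_hits(pattern, raw_html, maxhits):
    """Emulate 'tflags multiple maxhits=N': count matches, capped at N."""
    hits = 0
    for _ in pattern.finditer(raw_html):
        hits += 1
        if hits == maxhits:
            break
    return hits


def evaluate(raw_html, other_indicator=False):
    """Return the rule names that fire and their summed score.

    other_indicator (hypothetical parameter) stands in for the OR group in
    KAM_GRABBAG3 (KAM_UNSUB1, KAM_INFOUSMEBIZ, ...), defined elsewhere.
    """
    fired = []
    if count_hits(HUGE_IMG_SRC, raw_html, 6) >= 6:
        fired.append("KAM_HUGEIMGSRC")
    if REALLY_HUGE_IMG_SRC.search(raw_html):
        fired.append("KAM_REALLYHUGEIMGSRC")
    if TRACK_IMAGE.search(raw_html):
        fired.append("KAM_TRACKIMAGE")
    # The OR group contributes at most 1, so all three terms must be true.
    terms = (("KAM_TRACKIMAGE" in fired) + ("KAM_HUGEIMGSRC" in fired)
             + bool(other_indicator))
    if terms >= 3:
        fired.append("KAM_GRABBAG3")
    return fired, round(sum(SCORES[name] for name in fired), 2)


def img(url):
    """Build a constructed 1x1 image tag for the samples below."""
    return '<img width="1" height="1" src="%s">' % url


# Constructed samples (example.test hosts, made-up query strings).
LONG_URL = "http://track.example.test/o?id=" + "a1b2c3d4" * 15  # 151 chars
NEWSLETTER = img("https://cdn.example.test/logo.png") + img(LONG_URL)
TRACKING_HEAVY = "\n".join(img(LONG_URL + str(i)) for i in range(7))

if __name__ == "__main__":
    print(evaluate(NEWSLETTER))
    print(evaluate(TRACKING_HEAVY))
    print(evaluate(TRACKING_HEAVY, other_indicator=True))
```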
#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i
meta KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score KAM_EMPTYLINK 3.5
header __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde
# WORDS THAT "A R E S P A C E D O U T" LIKE SO
body __KAM_SPACEY_WORDS /a +v +e +n +u +e/i
# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
body __KAM_INVESTCOUNTRY2 /invest in your country/i
meta KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
score KAM_INVESTCOUNTRY 3.5
describe KAM_INVESTCOUNTRY Spam for investing in your country
# SPAM FOR FLAGS
header __KAM_FLAG1 From =~ /flag/i
header __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i
meta KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags
rawbody __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags
rawbody __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text
rawbody __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area
meta KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score KAM_GRABBAG4 3.5
header __KAM_KORS1 From =~ /Michael Kors/i
header __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i
meta KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors
header __KAM_HOLIDAY1 From =~ /holidays/i
header __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i
meta KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score KAM_HOLIDAY 3.5
#Thanks to Dave Wreski for his idea on commas
header __KAM_MANYTO To =~ />,/i
tflags __KAM_MANYTO multiple maxhits=5
header __KAM_MANYTO2 To =~ /, /
tflags __KAM_MANYTO2 multiple maxhits=25
meta KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
score KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header or more than 25 recipients
meta KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients
body __KAM_MILLIONAIRE1 /internet millionai?re/i
body __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header __KAM_MILLIONAIRE3 Subject =~ /see this video/i
meta KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money
header __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
header __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
body __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i
meta KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes
header __KAM_ADHD1 From =~ /ADH?D/i
header __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body __KAM_ADHD3 /struggling with adh?d|treatment options/i
meta KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment
# AUTO REPAIR
header __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i
meta KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services
# HOME REPAIR
header __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i
meta KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services
body __KAM_EPISODE /episode \d+/i
header __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i
meta KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services
#FAX AND PAPERLESS SPAM
header __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
body __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
body __KAM_PAPERLESS4 /link expires/i
meta KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office
rawbody __KAM_LOTSOFNBSP /(&nbsp; ?){30}/i
header __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i
# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header __KAM_PASSWORD1 Subject =~ /password/i
body __KAM_PASSWORD2 /validate.your.email/i
meta KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password
# SEMINARS AND WORKSHOPS SPAM
header __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i
meta KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score KAM_WEBINAR 3.5
meta KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
describe KAM_WEBINAR2 Spam for webinars
score KAM_WEBINAR2 3.5
header __KAM_CONTACTME1 Subject =~ /^contact me$/i
body __KAM_CONTACTME2 /read the attached letter/i
meta KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply
header __KAM_MESH1 From =~ /consumer|connect|claim/i
header __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i
meta KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score KAM_MESH 3.5
header __KAM_ALERT1 From =~ /medical.?alert/i
header __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body __KAM_ALERT3 /help button/i
meta KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts
# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header __KAM_SECURITY1 From =~ /Digital Defense/i
header __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body __KAM_SECURITY3 /information.security|cyber.?criminal/i
meta KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score KAM_SECURITY 6.0
body __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body __KAM_JESUS3 /nigeria|muslim.women/i
meta KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score KAM_JESUS 4.5
header __KAM_CLAIMS1 From =~ /claims.payment/i
header __KAM_CLAIMS2 Subject =~ /confirm/i
body __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i
meta KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score KAM_CLAIMS 4.5
# VISION SPAM
header __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i
meta KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score KAM_VISION 4.5
body KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score KAM_TRUTHINESS 1.5
header __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i
meta KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement
# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i
header __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i
body __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i
meta KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score KAM_GENERICHEALTH 1.75
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs
header __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i
header __KAM_SALEA_1 From =~ /touch.?fire/i
header __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i
meta KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score KAM_SALE 4.0
describe KAM_SALE Spam for things on sale
meta KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign
# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags __KAM_ASCII_DIVIDERS multiple maxhits=4
meta KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score KAM_ASCII_DIVIDERS 0.8
# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i
# USELESS HTML PADDING
rawbody __KAM_HTMLNOISE1 /<big><\/big>|<small><\/small>|<style><\/style>/i
meta KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding
header __KAM_CHICKEN1 From =~ /coop/i
header __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i
meta KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops
# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody __KAM_LINEPADDING /(\n[^\n]){8}/
meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters
# DRAPES SPAM
header __KAM_DRAPES1 From =~ /drapes/i
header __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body __KAM_DRAPES3 /banner.stand|print.project/i
meta KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes
header __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i
meta KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score KAM_NUWAVE 3.5
rawbody __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags __KAM_MANYCOMMENTS multiple maxhits=6
meta KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score KAM_MANYCOMMENTS 1.2
header __KAM_HIRE1 From =~ /recruit/i
header __KAM_HIRE2 Subject =~ /checking.in/i
body __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i
meta KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score KAM_HIRE 4.5
header __KAM_DEALS1 From =~ /deal.?hunter/i
header __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body __KAM_DEALS3 /exclusive.savings/i
meta KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals
header __KAM_CONTRACT1 From =~ /samanage/i
header __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body __KAM_CONTRACT3 /buy you out|service management|management solution/i
meta KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract
#KAM_TOLL
header __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body __KAM_TOLL3 /have.not.paid|your.debt|invoice/i
meta KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score KAM_TOLL 8.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#KAM_AMAZON
header __KAM_AMAZON1 From =~ /amazon\.com/i
meta KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
score KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
endif
# LANDSCAPING
header __KAM_LANDSCAPE1 From =~ /landscaping/i
header __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body __KAM_LANDSCAPE4 /stone.carving/i
meta KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score KAM_LANDSCAPING 3.5
# SINGING LESSONS
header __KAM_SINGING1 From =~ /singing/i
header __KAM_SINGING2 Subject =~ /professional.singer/i
body __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i
meta KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score KAM_SINGING 4.5
# SPAM FOR ADS
header __KAM_ADVERTISE1 From =~ /gmail/i
header __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i
meta KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score KAM_ADVERTISE 4.5
# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
if (version >= 3.003002)
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
# We may recommend that people start raising the score for this to push more senders to use SPF or DKIM, since Gmail and AOL work much better with / require SPF.
header __KAM_SPF_NONE eval:check_for_spf_none()
meta KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
score KAM_LAZY_DOMAIN_SECURITY 1.0
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif
endif
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# FORGED EMAILS WITH A VIRUS ATTACHED
meta KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
score KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment
endif
# LOTS OF PERIODS IN SUBJECT
header __KAM_MANYDOTS1 Subject =~ /\.{20}/i
meta KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score KAM_MANYDOTS 3.5
# FINAL NOTICE SPAM
header __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i
meta KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score KAM_SUBJECTNOTICE 1.0
# SPAM FOR BACKUP SERVICE
header __KAM_BACKUP1 From =~ /backup/i
header __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i
meta KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score KAM_BACKUP 4.5
# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score KAM_FROMNUM 1.0
# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score KAM_LINKBAIT 2.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place
uri __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i
meta KAM_LINKBAIT2 KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score KAM_LINKBAIT2 1.5
describe KAM_LINKBAIT2 Linkbait that points to wordpress - usually means a compromised site
# FREEMAIL LINKBAIT
meta KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
score KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
endif
# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header __KAM_MULTIPLE_FROM From =~ /^./
tflags __KAM_MULTIPLE_FROM multiple maxhits=2
header __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/
meta KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score KAM_GRABBAG6 4.5
# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject
# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header __KAM_GOOGLE2_1 From =~ /google\+/i
header __KAM_GOOGLE2_2 From !~ /google.com/i
meta KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam
# MORE NIGERIAN VARIANTS
body __KAM_NIGERIAN3_1 /congo/i
meta KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score KAM_NIGERIAN3 4.5
describe KAM_NIGERIAN3 Nigerian scam variant
# FINGERHUT SPAMS
header __KAM_FINGERHUT1 From =~ /finger.?hut/i
header __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i
meta KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut
# FRIEND REQUEST SPAM
header __KAM_FRIEND1 Subject =~ /new.notification/i
body __KAM_FRIEND2 /wants.to.follow/i
meta KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam
# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY + KAM_RAPTOR_ALTERED >= 2)
score KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
endif
#MERCHANT ACCOUNTS SPAM
header __KAM_MERCHANT1 Subject =~ /finance.department/i
body __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i
meta KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing
# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
header __KAM_ZERODAY2 X-Mailer =~ /foxmail/i
# DISABLED 7/16 FOR NO LONGER BEING RELEVANT
#meta KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
#describe KAM_ZERODAY obviously a malware email that was not caught
#score KAM_ZERODAY 8.0
# ANOTHER ONE
header __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i
meta KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
score KAM_ZERODAY2 1.0
describe KAM_ZERODAY2 Another obvious zero-day malware
meta KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
score KAM_ZERODAY3 3.5
describe KAM_ZERODAY3 Another obvious zero-day malware
endif
# FAMILY TREE SPAM
header __KAM_ANCESTOR1 From =~ /ancestry/i
header __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i
meta KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score KAM_ANCESTOR 3.5
# REMEMBER WHEN YOU GOT THAT SPAM
header __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i
meta KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened
# THE LATEST TRAILING NOISE FORMAT
body __KAM_NOISE1 /([a-z0-9],){12}/i
body __KAM_NOISE2 /([a-z]{1,10},){10}/i
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
describe KAM_NOISE1 Pattern of noise words at the end of an email
score KAM_NOISE1 2.5
endif
# FREE PIZZA WOO!
header __KAM_PIZZA1 From =~ /pizza/i
header __KAM_PIZZA2 Subject =~ /^free pizza$/i
body __KAM_PIZZA3 /free.pizza.coupon/i
meta KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza
# ENGINEERING SPAM
header __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i
meta KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information
# SUNGLASSES
header __KAM_SUNGLASSES1 Subject =~ /rayban/i
body __KAM_SUNGLASSES2 /great ray|hot.deal/i
body __KAM_SUNGLASSES3 /style rocks|today.only/i
meta KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score KAM_SUNGLASSES 3.5
# INVOICE SPAM OF THE DAY
header __KAM_INVOICE1 From =~ /billing/i
header __KAM_INVOICE2 Subject =~ /past.due|invoice/i
header __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
body __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
uri __KAM_INVOICE5 /overdue|final.account/i
meta KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score KAM_INVOICE 4.5
describe KAM_INVOICE Phishing invoice spam
meta KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
score KAM_INVOICE2 5.5
describe KAM_INVOICE2 Phishing invoice spam
# GRIPEEZ
header __KAM_GRIPPY1 From =~ /gripeez/i
header __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i
meta KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products
# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing/i
header __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i
meta KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score KAM_ACCOUNTPHISH 3.20
describe KAM_ACCOUNTPHISH Spam that tries to get account information
# BUY PROPERTY
header __KAM_PROPERTY1 From =~ /high.rise|condo/i
header __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body __KAM_PROPERTY3 /convenient.location/i
meta KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property
# FAKE AMEX
header __KAM_FAKEAMEX1 From =~ /aexp.com/i
meta KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information
# OVERSIZED SUBJECT LINES
header KAM_HUGESUBJECT Subject =~ /^.{500}/
score KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter
#HOOKUP
header __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri __KAM_HOOKUP2 /justhookup/i
body __KAM_HOOKUP3 /match.?me.?networks/i
meta KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service
#PSYCHIC
header __KAM_PSYCHIC1 Subject =~ /horoscope|psychic/i
uri __KAM_PSYCHIC2 /free.psychic/i
body __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i
meta KAM_PSYCHIC (__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score KAM_PSYCHIC 4.5
describe KAM_PSYCHIC Current Psychic Product Spam du Jour
#UNSUB BADDIES
body __KAM_BADUNSUB /(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i
meta KAM_BADUNSUB (__KAM_BADUNSUB >= 1)
score KAM_BADUNSUB 3.0
describe KAM_BADUNSUB Bad Unsubscribe Messages
#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//
meta KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message
#TINYURL OBFUSCATION
uri __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i
meta KAM_TINYURL (__KAM_TINYURL1)
score KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener
# FAKE DROPBOX
header __KAM_DROPBOX1 From =~ /dropbox/i
header __KAM_DROPBOX2 From !~ /dropbox.com/i
body __KAM_DROPBOX3 /shared.a.folder/i
meta KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails
# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
score KAM_YAHOO_MISTAKE -3.0
endif
# GARBAGE FREEMAIL
meta KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account
# AQUA RUG
header __KAM_AQUARUG1 From =~ /aqua.?rug/i
header __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i
meta KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product
# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header __KAM_ITC1 From =~ /thetradecouncil.com/i
body __KAM_ITC2 /International Trade Council/i
body __KAM_ITC3 /enclosed/i
meta KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council
# HAVE YOU SEEN THIS
body __KAM_SEENTHIS1 /have.you.seen|seen.this/i
meta KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?
# DETOX
header __KAM_DETOX1 From =~ /detox/i
header __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i
meta KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff
# DEATH INSURANCE
header __KAM_DEATHINSURE1 From =~ /live.sure/i
header __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i
meta KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score KAM_DEATHINSURE 3.5
# REACHBASE
body KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info
# DIGITAL WALLET SPAM
header __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.\$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i
meta KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services
# BAD PHP
header __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header __KAM_BADPHP2 X-Source-Args =~ /css.php/i
meta KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score KAM_BADPHP 3.5
describe KAM_BADPHP Questionable PHP mailer headers
# TINNITUS
header __KAM_TINNITUS1 From =~ /tinnitus.?(911|breakthrough)/i
header __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic/i
body __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing/i
meta KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score KAM_TINNITUS 4.5
# KIWIBANK
header __KAM_KIWIBANK1 From =~ /kiwibank/i
header __KAM_KIWIBANK2 Subject =~ /verification.required/i
body __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i
meta KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score KAM_KIWIBANK 3.5
# HAPPY TALK
header __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body __KAM_HAPPYTALK2 /honest.and.nice/i
body __KAM_HAPPYTALK3 /beautiful.mail/i
meta KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam
# SETTLEMENT SPAM
header __KAM_SETTLEMENT1 From =~ /xarelto/i
header __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body __KAM_SETTLEMENT3 /lawsuit.information/i
meta KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement
# CAD SPAM
header __KAM_CAD1 Subject =~ /cad.drawing/i
body __KAM_CAD2 /we.specialize.in/i
body __KAM_CAD3 /our.products/i
meta KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score KAM_CAD 3.5
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#SPAM WITH OFFICE MACROS
header __KAM_VBMACRO X-KAM-VBMacro =~ /True/i
meta KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
describe KAM_VBMACRO Message contains attachment with VB macro
score KAM_VBMACRO 6.5
#SPAM THAT INDICATES DYNAMIC IP
header KAM_DYNIP X-KAM-DynamicIndicator =~ /True/i
describe KAM_DYNIP Message contains Dynamic IP Address Indicator
score KAM_DYNIP 6.5
endif
# YELP AND OTHER REVIEW SITES
header __KAM_REVIEW1 From =~ /contractor/i
header __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i
meta KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score KAM_REVIEW 4.5
# TOURS AND EVENTS
header __KAM_TOURS1 From =~ /festival/i
header __KAM_TOURS2 Subject =~ /adventure.tour/i
body __KAM_TOURS3 /your.adventure.tour|your.event/i
meta KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events
# NO MORE SPAM ENGINES
body __KAM_NOMORE1 /no.more.of.this/i
body __KAM_NOMORE2 /no.more.at.all/i
meta KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score KAM_NOMORE 3.5
# NOT REALLY CONFIDENTIAL
body __KAM_NOCONFIDENCE1 /confidential.information/i
meta KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security
# YER GON GET SASSINATED
header __KAM_ASSASSIN1 Subject =~ /want you dead/i
body __KAM_ASSASSIN2 /my identity/i
body __KAM_ASSASSIN3 /assassinate/i
body __KAM_ASSASSIN4 /like.an.accident/i
meta KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam
# GIMME FLASH DRIVES
header __KAM_DRIVE1 From =~ /purchase|manager/i
header __KAM_DRIVE2 Subject =~ /quotation/i
body __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i
meta KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment
#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
# blacklist_uri_host link
#endif
#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_QUITE_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score KAM_QUITE_BAD_DNSWL 3.25
describe KAM_QUITE_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta KAM_BAD_DNSWL (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score KAM_BAD_DNSWL 7.0
describe KAM_BAD_DNSWL Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif
# HEARING LOSS
header __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
header __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
body __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i
meta JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions
# TRACKR
header __JMQ_TRACKR1 From =~ /trackr/i
header __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i
meta JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR
# CONGRATULATION
header __JMQ_CONGRAT1 From =~ /award|claim/i
header __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i
meta JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam
# PICKUP
header __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header __JMQ_PICKUP3 X-Mailer =~ /php/i
body __JMQ_PICKUP4 /\d+.year.old|female/i
meta JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number
# COMPROMISED DROPBOX
header __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body __JMQ_DROPBOX3 /ach.(payment|transfer)/i
meta JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts
#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body __KAM_BAD_REVIEW2 /Reputation Giant/i
meta KAM_BAD_REVIEW (__KAM_BAD_REVIEW1 + __KAM_BAD_REVIEW2 >= 2)
score KAM_BAD_REVIEW 4.0
describe KAM_BAD_REVIEW Online reputation spammers
#GOOGLE AWARD
header __KAM_GOOGLE_AWARD1 From =~ /Google UK/i
body __KAM_GOOGLE_AWARD2 /selected as a winner/i
body __KAM_GOOGLE_AWARD3 /Dear Google/i
body __KAM_GOOGLE_AWARD4 /Official Notification Letter/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_GOOGLE_AWARD5A Content-Type =~ /Google Award/i
mimeheader __KAM_GOOGLE_AWARD5B Content-Disposition =~ /Google Award/i
endif
meta KAM_GOOGLE_AWARD (__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1) >= 4)
score KAM_GOOGLE_AWARD 5.0
describe KAM_GOOGLE_AWARD Fake Google Awards
#OBFUSCATED LOANS
body KAM_OBFU_LOANS /Stüdént Lóans/i
score KAM_OBFU_LOANS 5.0
describe KAM_OBFU_LOANS Obfuscated Loan Verbiage
#WORK FROM HOME
body __KAM_WORKFROMHOME1 /work from home/i
meta KAM_WORKFROMHOME (KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score KAM_WORKFROMHOME 1.75
describe KAM_WORKFROMHOME Work from Home Spams
#STUDENT LOAN
body __KAM_STUDENTLOAN1 /(National|Federal) Student Loan Status/i
body __KAM_STUDENTLOAN2 /consolidate your loan/i
body __KAM_STUDENTLOAN3 /doesn't injured/i
body __KAM_STUDENTLOAN4 /866-351-4693/i
body __KAM_STUDENTLOAN5 /(financial troubles|debt) is (understood|forgiven)/i
meta KAM_STUDENTLOAN (__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score KAM_STUDENTLOAN 4.5
describe KAM_STUDENTLOAN Student Loan Scam
#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __JMQ_RESUME1 Subject =~ /resume/i
body __JMQ_RESUME2 /hello my name|my name is/i
body __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
mimeheader __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
mimeheader __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i
meta JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
score JMQ_RESUME 4.5
describe JMQ_RESUME Spam for bad attached resumes
endif
#LED/SOLAR LIGHTS
header __KAM_LED1 From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun/i
body __KAM_LED2 /(garage|LED Fan) Light|sun-?like|\dx the brightness/i
tflags __KAM_LED2 nosubject
header __KAM_LED3 Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED/i
meta KAM_LED (__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
describe KAM_LED LED Lighting Spams
score KAM_LED 4.5
# REAL ESTATE
header __JMQ_REALESTATE1 From =~ /tom.brice/i
header __JMQ_REALESTATE2 Subject =~ /real.estate/i
body __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i
meta JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score JMQ_REALESTATE 4.5
# IP IN FROM
header JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address
# IFFY PAYPAL OF THE DAY
header __JMQ_PAYPAL2 From =~ /paypai/i
meta JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day
# RESUME SPAM REDUX PART 2 (WOOHOO)
meta JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam
# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
describe JMQ_SPF_NEUTRAL SPF set to ?all
score JMQ_SPF_NEUTRAL 0.5
askdns JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
describe JMQ_SPF_ALL SPF set to +all!
score JMQ_SPF_ALL 0.5
endif
# IMPORTANT MESSAGE
header __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body __JMQ_IMPORTANT2 /important message/i
body __JMQ_IMPORTANT3 /please visit/i
meta JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important
# IMAGE TRACKERS
uri __JMQ_TRACKER1 /sidekickopen\d*\.com/i
meta JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker
# WIRE TRANSFERS
header __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body __JMQ_WIRE2 /medical.support|payment.sent/i
body __JMQ_WIRE3 /bank.wire|sent.out.asap/i
meta JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer
#bindata code in RTF
#rawbody __KAM_BADRTF1 /<w:binData/
#rawbody __KAM_BADRTF2 /QWN0aXZlTWltZQ/
#meta KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score KAM_BADRTF 5.0
#Fake Order
body __KAM_ORDER1 /Please find document attached/i
header __KAM_ORDER2 Subject =~ /Order \d+ (\(Acknowledgement\))?/i
meta KAM_ORDER __KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score KAM_ORDER 3.0
describe KAM_ORDER Fraudulent Order Emails
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
#SHOCKING BEVERAGE
body __KAM_SHOCK1 /shocking.beverage/i
header __KAM_SHOCK2 Subject =~ /(Bill O.Reilly|Donald Trump)/i
body __KAM_SHOCK3 /drinking this beverage/i
meta KAM_SHOCK __KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score KAM_SHOCK 4.0
describe KAM_SHOCK Spams with energy drinks
#BEAUTY SCAM
body __KAM_BEAUTY1 /she now looks \d+/i
body __KAM_BEAUTY2 /reveals exactly/i
body __KAM_BEAUTY3 /most amazing transformation/i
header __KAM_BEAUTY4 Subject =~ /now looks \d+/i
meta KAM_BEAUTY __KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score KAM_BEAUTY 4.0
describe KAM_BEAUTY Youth and Beauty Product Scams
#WEED
body __KAM_WEED1 /legal.weed|jim kramer|kevin james/i
header __KAM_WEED2 Subject =~ /Legal.Weed|pot.stock/i
body __KAM_WEED3 /doubled? (there|their) money|Triple this afternoon/i
body __KAM_WEED4 /(weed|pot).stock/i
meta KAM_WEED __KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score KAM_WEED 8.0
describe KAM_WEED Legal Weed and related investment scams
#LOGOS
body __KAM_LOGO1 /guru.level logo/i
header __KAM_LOGO2 Subject =~ /guru.level logo/i
body __KAM_LOGO3 /(guru.level|ready.made) logo/i
meta KAM_LOGO __KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score KAM_LOGO 5.25
describe KAM_LOGO Logo Spam
#TRUMP COIN
body __KAM_TRUMPCOIN1 /Donald Trump/i
header __KAM_TRUMPCOIN2 Subject =~ /trump.coin/i
body __KAM_TRUMPCOIN3 /special colored coin/i
meta KAM_TRUMPCOIN __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score KAM_TRUMPCOIN 5.25
describe KAM_TRUMPCOIN Trump Coin Spam
#WATER
body __KAM_WATER1 /Never Drink Water/i
header __KAM_WATER2 Subject =~ /bottled water/i
body __KAM_WATER3 /filtered tap water/i
meta KAM_WATER __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score KAM_WATER 5.25
describe KAM_WATER Water Poison Scam
#BANK
body __KAM_RUIN1 /do not deposit/i
header __KAM_RUIN2 Subject =~ /money into your bank/i
body __KAM_RUIN3 /banking institutions/i
meta KAM_RUIN __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score KAM_RUIN 5.25
describe KAM_RUIN Bank Phishing Scam
#WEIGHT
body __KAM_WEIGHT2_1 /goodbye to her waist|wild transformation/i
header __KAM_WEIGHT2_2 Subject =~ /looks \d+ overnight|no gym/i
body __KAM_WEIGHT2_3 /melissa mccarthy|now looks \d+/i
meta KAM_WEIGHT2 __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 >= 3
score KAM_WEIGHT2 5.25
describe KAM_WEIGHT2 Weight loss process du jour
#AMAZING LENS
body __KAM_LENS1 /pro quality (pho|pic)|Bill gates|best camera/i
header __KAM_LENS2 Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body __KAM_LENS3 /amazing lens|hdx-lens|hdrx/i
header __KAM_LENS4 From =~ /hdcam|lens|inhd/i
meta KAM_LENS __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score KAM_LENS 5.25
describe KAM_LENS Amazing Lens Scam
#HONOR
body __KAM_HONOR1 /greatest thing of your life/i
header __KAM_HONOR2 Subject =~ /Congrats, on the honor/i
body __KAM_HONOR3 /profession women/i
body __KAM_HONOR4 /invitation/i
meta KAM_HONOR __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score KAM_HONOR 6.25
describe KAM_HONOR Professional Network Scam
#Rule Dev
#Idea from John Hardin so you can see all URIs - ONLY for rule development - then all the detected URIs appear in the rule hits debug output.
#uri __ALL_URI /.*/
#tflags __ALL_URI multiple
#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
full __RW_BAD_UTF8_3 /^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si
meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score KAM_BAD_UTF8 14.0
describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
#DEATH
body __KAM_DEATH1 /prevent early.death/i
header __KAM_DEATH2 Subject =~ /(early|unexpected).death/i
body __KAM_DEATH3 /Eating this|before it.?s too late/i
body __KAM_DEATH4 /heart.(attack|stops)/i
meta KAM_DEATH __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score KAM_DEATH 6.25
describe KAM_DEATH Supplement Scam
#REWARD
body __KAM_REWARD1 /walgreens|ikea|sephora|sams.?club/i
header __KAM_REWARD2 Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header __KAM_REWARD3 Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
header __KAM_REWARD4 From =~ /ikea|sephora|shopper|walgreen|sale/i
meta KAM_REWARD __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score KAM_REWARD 5.25
describe KAM_REWARD Coupon Scam
#PACKAGE
body __KAM_PACKAGE1 /dysfunction|\dx longer/i
body __KAM_PACKAGE2 /sexual.performance|longer.in.bed/i
header __KAM_PACKAGE3 Subject =~ /sex/i
header __KAM_PACKAGE4 From =~ /function|fivex/i
meta KAM_PACKAGE __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score KAM_PACKAGE 4.25
describe KAM_PACKAGE Sexual Enhancement Scam
#NUM
header __KAM_NUMSUBJECT Subject =~ /\d+$/
header __KAM_SUBJECTYEAR Subject =~ /20[1-2][0-9]$/
meta KAM_NUMSUBJECT (__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
score KAM_NUMSUBJECT 0.5
describe KAM_NUMSUBJECT Subject ends in numbers excluding current years
#BAD PDF
mimeheader KAM_MGCS Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
score KAM_MGCS 10.0
describe KAM_MGCS Boundary Content Indicative of Ratware
#NetWeaver - Disabled 7/24
#header KAM_NW X-Mailer =~ /SAP NetWeaver/i
#score KAM_NW 2.75
#describe KAM_NW Spam Indicator
#STOCKTIP OBFU
body __KAM_STOCKOBFU1 /make up the \d letter symbol/i
body __KAM_STOCKOBFU2 /first letter/i
header __KAM_STOCKOBFU3 Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i
meta KAM_STOCKOBFU (__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe KAM_STOCKOBFU Stock Spam Tips that are being sneaky
score KAM_STOCKOBFU 4.5
#FAKE BBB/FLSA NOTICES
header __KAM_FAKEBBB1 Subject =~ /(incident:|case:)?[\d:;]{5}/i
body __KAM_FAKEBBB2 /(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
body __KAM_FAKEBBB3 /(complaint|compliant|Abuse) ID/i
body __KAM_FAKEBBB4 /(incident:|case:)[\d:;]{6,}/i
meta KAM_FAKEBBB (__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe KAM_FAKEBBB Fake Notices for Various Business Violations
score KAM_FAKEBBB 12.0
#HOWRU
#header __KAM_HOWRU1 Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body __KAM_HOWRU2 /My name is|what's your name|ask your name|keep company with you/i
body __KAM_HOWRU3 /visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
body __KAM_HOWRU4 /gmx.com|rambler.ru/i
meta KAM_HOWRU (__KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU2 + __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe KAM_HOWRU Female Chat Scam
score KAM_HOWRU 8.0
# 2017-11-01, note 56146
body __KAM_DOMAIN_SALE1 /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2 /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3 /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4 /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i
body __KAM_INTRUDE /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i
meta KAM_DOMAIN_SALE_2 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)
meta KAM_DOMAIN_SALE_3 (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)
score KAM_DOMAIN_SALE_2 3.0
score KAM_DOMAIN_SALE_3 1.0
meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)
score KAM_DOMAIN_SALE_INTRUDE 1.0
describe KAM_DOMAIN_SALE_2 Domain Selling Spam
describe KAM_DOMAIN_SALE_3 Domain Selling Spam
describe KAM_DOMAIN_SALE_INTRUDE Domain Selling Spam
# 2017-11-08, lonely russian women Whack-A-Mole
# Likely Overlap with HOWRU rules, similar target. No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.
header __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
header __KAM_SUBJECT_SINGLEWORD Subject =~ /^[a-z]+$/i
header __KB_WAM_SUBJECT_HELLO_ONLY Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i
meta KB_WAM_LONELY_WOMEN (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)
score KB_WAM_LONELY_WOMEN 5.0
describe KB_WAM_LONELY_WOMEN Lonely Women Scam of the Day
body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i
#meta KB_WAM_OVERLAP ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset
#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#All Control chars like NUL except \n which should exist once legitimately
#Investigating double-byte language FP. Reverting back to just \0
#header __KAM_MAILSPLOIT1 From =~ /[\x00-\x09\x0b-\x1f]/
header __KAM_MAILSPLOIT1 From =~ /[\0]/
describe __KAM_MAILSPLOIT1 RFC2047 Exploit https://www.mailsploit.com/index
#\n Multiple in the From Header
header __KAM_MAILSPLOIT2 From =~ /[\n]/
describe __KAM_MAILSPLOIT2 RFC2047 Exploit https://www.mailsploit.com/index
tflags __KAM_MAILSPLOIT2 multiple maxhits=2
meta KAM_MAILSPLOIT (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT Mail triggers known exploits per mailsploit.com
score KAM_MAILSPLOIT 10.0
#cc in From - Thanks to Dave Jones for idea
header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
score KAM_CCFROM1 5.0
#MailBox Verify Phish - Also See KAM_MAILBOX
header __KAM_BOXWARNING_SUBJECT Subject =~ /FINAL WARNING/i
header __KAM_BOXVERIFICATION_SUBJECT Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
body __KAM_BOXVERIFY /Verify.{0,10}Mail.?box|retrieve messages/i
body __KAM_BOXQUOTA /mailbox.{0,5}exceeded.{4,14}quota|low email storage/i
header __KAM_MAILBOXFROM From =~ /mailbox/i
meta KAM_BOXPHISH ((__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT >= 1) + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA + __KAM_MAILBOX1 >= 4)
describe KAM_BOXPHISH Mailbox verification phishing scams
score KAM_BOXPHISH 6.5
#SWISSCOIN, ETC.
body __KAM_CRYPTO1 /swiss.?coin|[{(]SIC[)}]/i
header __KAM_CRYPTO2 Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i
meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
describe KAM_CRYPTO Crypto Currency Spam Du Jour
score KAM_CRYPTO 8.0
#COMPROMISED CMS - Thanks to Jing Shan for the idea
uri __KAM_CMS1 /VALIDATE\/mail\.htm/i
uri __KAM_CMS2 /\/erroreng\/erroreng\//i
uri __KAM_CMS3 /twentythirteen\/Upgrade\/?\??email=/i
meta KAM_CMS (__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
describe KAM_CMS Indicators that a CMS has been exploited for Spammers
score KAM_CMS 1.0
#WESTERN UNION SCANS
header __KAM_WU1 from:addr !~ /\@westernunion\.com$/i
header __KAM_WU2 Subject =~ /WUMT|Western.?Union/i
uri __KAM_WU3 /western.umt/i
meta KAM_WU (__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
describe KAM_WU Western Union Scam
score KAM_WU 5.0
#WEB CRIMINALS
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_rules __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7
body __KAM_CRIM1 /(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i
#Bitcoin
body __KAM_CRIM2 /(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i
#Payment
body __KAM_CRIM3 /make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i
#Sexually explicit
body __KAM_CRIM4 /erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i
#TIME
body __KAM_CRIM5 /(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i
#Subject
header __KAM_CRIM6 Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i
#From
header __KAM_CRIM7 From =~ /h<A1>ck<E1>r|know/i
meta KAM_CRIM (__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
describe KAM_CRIM Extortion Email
score KAM_CRIM 8.5
endif
#KAM_CRIM_V2
body __KAM_CRIM2_1 /bit.{0,2}coin/i
body __KAM_CRIM2_2 /address\:/i
body __KAM_CRIM2_3 /adult.{0,2}video|sex.{0,2}sites/is
meta KAM_CRIM2 (__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
describe KAM_CRIM2 Extortion Email
score KAM_CRIM2 7.5
#ZWNJ
#ZWNJ (zero-width non-joiner): Windows-1256 byte 0x9D (decimal 157), Unicode U+200C - https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
# Also 'zero-width joiner', which is Windows-1256 0x9E and Unicode U+200D.
# Per RW, for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZWNJ1 Content-Type =~ /charset.+windows-1256/i
endif
body __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
tflags __KAM_ZWNJ2 multiple maxhits=16
body __KAM_ZWNJ3 /\&\#x200B;/i
meta KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe KAM_ZWNJ Use of zero-width characters indicates a goal to elude scanners
score KAM_ZWNJ 7.0
describe KAM_ZWNJBAD Attempted & failed Use of zero-width characters indicates a goal to elude scanners
meta KAM_ZWNJBAD (__KAM_ZWNJ3 >=1)
score KAM_ZWNJBAD 2.0
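# Added example (not part of the KAM ruleset): a Python sketch of why the ZWNJ body pattern above carries both byte forms.
# Assumptions: body_as_seen() only approximates what 'normalize_charset 1' does, and the sample bodies are constructed.

```python
import re

# Byte patterns taken from the rule comments above: the original single-byte
# form, and the combined form that also matches U+200C encoded as UTF-8.
ZWNJ_RAW_ONLY = re.compile(rb"\x9d")
ZWNJ_COMBINED = re.compile(rb"(?:\x9d|\xe2\x80\x8c)")
CHARSET_1256 = re.compile(r"charset.+windows-1256", re.I)
MAXHITS = 16  # mirrors 'tflags __KAM_ZWNJ2 multiple maxhits=16'


def body_as_seen(raw: bytes, normalize: bool) -> bytes:
    """Bytes a body rule would scan.

    Assumption: with normalize_charset enabled the text is decoded from the
    declared charset and handed to the rules as UTF-8; without it the rules
    see the original Windows-1256 bytes.
    """
    if not normalize:
        return raw
    return raw.decode("cp1256", errors="replace").encode("utf-8")


def count_hits(pattern, data: bytes, maxhits: int = MAXHITS) -> int:
    """Count matches, stopping at maxhits like a 'multiple maxhits=N' rule."""
    hits = 0
    for _ in pattern.finditer(data):
        hits += 1
        if hits >= maxhits:
            break
    return hits


def kam_zwnj(content_type: str, raw: bytes, normalize: bool,
             pattern=ZWNJ_COMBINED) -> bool:
    """Same shape as the KAM_ZWNJ meta: charset declared AND >= 16 hits."""
    declared = bool(CHARSET_1256.search(content_type))
    seen = body_as_seen(raw, normalize)
    return declared and count_hits(pattern, seen) >= MAXHITS


# Constructed sample: ASCII words with byte 0x9D between every letter
# (17 zero-width non-joiners in total), declared as windows-1256.
SAMPLE_CT = 'text/plain; charset="windows-1256"'
SAMPLE_BODY = b" ".join(
    b"\x9d".join(bytes([c]) for c in word)
    for word in (b"limited", b"offer", b"today", b"only")
)

# Constructed sample: Windows-1256 text containing a single ZWNJ.
SPARSE_BODY = b"\xe4\xe3\xe6\x9d\xe4\xe5"

if __name__ == "__main__":
    for normalize in (False, True):
        for name, pat in (("raw-only", ZWNJ_RAW_ONLY),
                          ("combined", ZWNJ_COMBINED)):
            hit = kam_zwnj(SAMPLE_CT, SAMPLE_BODY, normalize, pat)
            print(f"normalize={normalize!s:5} pattern={name:8} hit={hit}")
```

# With normalization on, the \x9d-only pattern sees no matching bytes at all, which is the case the "Per RW" comment addresses.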
#GIRLS
body __KAM_GIRLS1 /Lack of sex/i
meta KAM_GIRLS ( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
describe KAM_GIRLS Girl Chat Scam du Jour
score KAM_GIRLS 7.0
#SKINCELL PRO Spam Du Jour
body __KAM_SKINCELL1 /Skincell.Pro/i
header __KAM_SKINCELL2 Subject =~ /Skincell.Pro/i
meta KAM_SKINCELL (__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
describe KAM_SKINCELL Skincare Scam du Jour
score KAM_SKINCELL 7.0
#UK INVOICE - Thanks to Andy Smith for his help on this
uri __KAM_UKINV1 /\/(client|share|documentview)$/i
body __KAM_UKINV2 /View (and pay )?(scan|invoice)/i
body __KAM_UKINV3 /INV-\d+|Check out what .{4,30} shared with you/i
body __KAM_UKINV4 /£/i
header __KAM_UKINV5 Subject =~ /(invoice INV-\d+|wants to share scan)/i
header __KAM_UKINV6 Subject =~ /invoice/i
#The (HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20) term counts as one point in the second branch
meta KAM_UKINV (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + (HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20) >= 6)
describe KAM_UKINV Fake Invoice/Scan Scams
score KAM_UKINV 5.5
#LIST SELLERS
body __KAM_LISTSALE1 /interested in acquiring/i
body __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
body __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i
header __KAM_LISTSALE4 Subject =~ /users|leads/i
header __KAM_LISTSALE5 From =~ /leads/i
meta KAM_LISTSALE (__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
describe KAM_LISTSALE List sellers
score KAM_LISTSALE 5.0
#Google Short?
uri KAM_GOOGLESHORT /\/www\.google\.com\/url\?q=.{4,16}bit\.ly/i
describe KAM_GOOGLESHORT Obfuscated links using Google and URL Shorteners
score KAM_GOOGLESHORT 9.0
#HEART ATTACK SPAM
body __KAM_HEARTPROD1 /heart ?attack/i
body __KAM_HEARTPROD2 /enzyme/i
header __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
header __KAM_HEARTPROD4 From =~ /clear 7/i
meta KAM_HEARTPROD (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
describe KAM_HEARTPROD Snake Oil Heart Health du Jour
score KAM_HEARTPROD 7.0
# LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE
describe __SCC_SHORT_WORDS A line with lots of short words
body __SCC_SHORT_WORDS /\W(\D\w{1,3}\W{1,3}){11}/
tflags __SCC_SHORT_WORDS multiple maxhits=40
describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5
describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10
describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20
describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35
# A pattern seen in subscription-bombings
describe SCC_SUBBOMB_SUBJ_1 An unusual string pattern seen in subscription bombing subjects
header SCC_SUBBOMB_SUBJ_1 Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
score SCC_SUBBOMB_SUBJ_1 5
# cPanel Phishing
header __SCC_HELO_CPANELNET X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
describe __SCC_HELO_CPANELNET HELO is bare cpanel.net
meta SCC_FAKE_CPANEL __SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
score SCC_FAKE_CPANEL 6
header KAM_PHISHCP From =~ /\@cpanel\d+\.com/i
describe KAM_PHISHCP Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP 15.0
uri KAM_PHISHCP2 /(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
describe KAM_PHISHCP2 Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP2 15.0
body __KAM_PHISHCP3_1 /cPanel Cloud Service/
meta KAM_PHISHCP3 (__KAM_TINYDOMAIN + __KAM_PHISHCP3_1 >=2)
describe KAM_PHISHCP3 Fraudulent notices purporting to be from cPanel
score KAM_PHISHCP3 15.0
#https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
body KAM_FILE /file:\/\/\/\//i
describe KAM_FILE Potential attempt for NTLM attack
score KAM_FILE 4.5
#FUN SPAM RUN
header __KAM_FUN1 From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou>?$/i
header __KAM_FUN1A From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater/i
body __KAM_FUN2 /Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
body __KAM_FUN3 /This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
uri __KAM_FUN3A /imgstore\.host/i
#Subject
header __KAM_FUN4 Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls/i
#How many/How Soon
body __KAM_FUN5 /\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
#miracle!
body __KAM_FUN6 /finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown/i
#what
body __KAM_FUN7 /nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends/i
tflags __KAM_FUN7 nosubject
meta KAM_FUN ((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
describe KAM_FUN Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN 7.75
meta KAM_FUN2 ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
describe KAM_FUN2 Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score KAM_FUN2 7.5
#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
uri KAM_DRIVENUM /\d+\.drive\.google\.com/i
describe KAM_DRIVENUM Drive Links Prevalent in Spam
score KAM_DRIVENUM 5.0
#SWIFT PAYMENT SCAMS
header __KAM_SWIFT1 Subject =~ /Swift/i
body __KAM_SWIFT2 /swift copy/i
body __KAM_SWIFT3 /balance payment/i
meta KAM_SWIFT (__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
describe KAM_SWIFT SWIFT payment scam
score KAM_SWIFT 3.0
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Custom score
score FROMNAME_SPOOFED_EMAIL 0.3
meta GB_FROMNAME_SPOOF_EQUALS_TO (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score GB_FROMNAME_SPOOF_EQUALS_TO 0.3
meta GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
score GB_FROMNAME_SPOOF_FREEMAIL 0.4
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
meta GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
describe GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
score GB_FREEM_FROM_NOT_REPLY 0.4
endif
endif
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header KAM_RAPTOR_ALTERED X-KAM-Raptor-Alter =~ /True/i
describe KAM_RAPTOR_ALTERED Raptor identified a dangerous attachment
score KAM_RAPTOR_ALTERED 2.0
endif
#BAD INVOICE SCAMS
header __KAM_PROFORMA1 Subject =~ /Proforma/i
body __KAM_PROFORMA2 /no responds/i
body __KAM_PROFORMA3 /highly encrypted/i
body __KAM_PROFORMA4 /Proforma Invoice/i
uri __KAM_PROFORMA5 /\.php/i
meta KAM_PROFORMA (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
describe KAM_PROFORMA Invoice scam
score KAM_PROFORMA 7.5
#BAD INVOICE SCAMS
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_INVOICEPO1 Subject =~ /Invoice copies/i
body __KAM_INVOICEPO2 /consignment/i
body __KAM_INVOICEPO3 /invoice copies/i
mimeheader __KAM_INVOICEPO4 Content-Type =~ /invoice copies.{0,100}\.html/i
meta KAM_INVOICEPO (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
describe KAM_INVOICEPO Invoice scam
score KAM_INVOICEPO 4.0
mimeheader KAM_HTMLINVOICE Content-Type =~ /invoice.{0,100}\.html/i
describe KAM_HTMLINVOICE Invoice scam
score KAM_HTMLINVOICE 1.5
mimeheader KAM_HTMLINVOICE2 Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
describe KAM_HTMLINVOICE2 Invoice scam
score KAM_HTMLINVOICE2 3.5
endif
# Spear phishing rules
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __GB_TO_ADDR_FREEMAIL eval:check_freemail_header('To:addr')
header __GB_TO_NAME_FREEMAIL eval:check_freemail_header('To:name')
meta GB_TO_NAME_FREEMAIL ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
describe GB_TO_NAME_FREEMAIL Freemail spear phish with free mail
score GB_TO_NAME_FREEMAIL 0.01
header __GB_FROM_ADDR_FREEMAIL eval:check_freemail_header('From:addr')
header __GB_FROM_NAME_FREEMAIL eval:check_freemail_header('From:name')
header __GB_FROM_NAME_EMAIL From:name =~ /\@/
meta GB_FROM_NAME_FREEMAIL ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
describe GB_FROM_NAME_FREEMAIL Freemail spear phish with free mail
score GB_FROM_NAME_FREEMAIL 0.01
endif
# Disable possible CPU burning rule, reported to SA users list -- 2019-05-29
# FIXED rule distributed via sa-update since 2019-05-31
# meta __STYLE_GIBBERISH_1 0
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
# Allow googleapis.com to be blacklisted due to spam runs in June 2019 exploiting it
clear_uridnsbl_skip_domain googleapis.com
endif
# Need a favor phishing
header __KAM_FAVOR1 Subject =~ /Request|Quick Reply/i
body __KAM_FAVOR2 /I need a favor from you|Are you available to work on a request for me today/i
body __KAM_FAVOR3 /email me back as soon as possible|send me your personal cell phone number/i
meta KAM_FAVOR (__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
describe KAM_FAVOR Phishing Attempt
score KAM_FAVOR 7.5
# WHITELIST PCCC/MCGRAIL
whitelist_auth *@pccc.com *@mcgrail.com
#trusted_networks 69.171.29.0/25
#trusted_networks 38.124.232.0/24
# CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
header __KAM_LIST3_1 Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare/i
#title
body __KAM_LIST3_2 /list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?|data) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|(email|attendee)s? list|global leads/i
#db for sale
body __KAM_LIST3_3 /(information|data) field|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following/i
#db what
body __KAM_LIST3_4 /contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|list includes/i
meta KAM_LIST3 (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
describe KAM_LIST3 Mailing List Purveyor Spam
score KAM_LIST3 12.25
#NO SUBJ MATCH
meta KAM_LIST3_1 (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
describe KAM_LIST3_1 Likely Mailing List Purveyor Spam
score KAM_LIST3_1 5.75
#MONCLER
header __KAM_MONCLER1 Subject =~ /moncler/i
header __KAM_MONCLER2 From =~ /moncler/i
meta KAM_MONCLER (__KAM_MONCLER1 + __KAM_MONCLER2 + KAM_SOMETLD_ARE_BAD_TLD >= 3)
describe KAM_MONCLER Fashionista Spammers
score KAM_MONCLER 6.0
#ERP
header __KAM_ERP1 Subject =~ /ERP/
body __KAM_ERP2 /K9ERP/i
meta KAM_ERP (__KAM_ERP1 + __KAM_ERP2 >=2)
describe KAM_ERP ERP Spammers
score KAM_ERP 4.0
#DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
#
#https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
#
#"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
#
# We expect edge cases with DKIM where a parent (gateway) domain signs for a subdomain author (e.g., parent.gov signing for sub.parent.gov). This is a common and sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU. The SPF || DKIM logic below will allow this scenario.
#
# Note: Certain glues like MailScanner will modify an email before testing. That will cause many DKIM failures. If you have a known broken system for DKIM like this, you should likely disable the plugin.
ifplugin Mail::SpamAssassin::Plugin::AskDNS
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/
#Fires unless DKIM passed with alignment while the policy is strict (adkim=s), or DKIM is merely valid while the policy is not strict
meta KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
score KAM_DMARC_STATUS 0.01
meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 3.0
meta KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
score KAM_DMARC_QUARANTINE 1.5
meta KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
score KAM_DMARC_NONE 0.25
endif
endif
endif
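# Added example (not part of the KAM ruleset): a Python check of the four askdns patterns and the KAM_DMARC_* meta expressions above against constructed DMARC TXT records, next to a tag-value parse that follows the RFC 7489 section 6.4 grammar.
# It assumes each pattern is applied to the whole TXT string; the sample records and the function names are made up for this illustration.

```python
import re

# Patterns copied from the askdns lines above (same syntax in Perl and Python).
PAGE_RULES = {
    "__KAM_DMARC_POLICY_NONE": re.compile(r"^v=DMARC1;.*\bp=none;"),
    "__KAM_DMARC_POLICY_QUAR": re.compile(r"^v=DMARC1;.*\bp=quarantine;"),
    "__KAM_DMARC_POLICY_REJECT": re.compile(r"^v=DMARC1;.*\bp=reject;"),
    "__KAM_DMARC_POLICY_DKIM_STRICT": re.compile(r"^v=DMARC1;.*\badkim=s;"),
}
POLICY_RULE = {
    "none": "__KAM_DMARC_POLICY_NONE",
    "quarantine": "__KAM_DMARC_POLICY_QUAR",
    "reject": "__KAM_DMARC_POLICY_REJECT",
}
META_FOR_POLICY = {
    "__KAM_DMARC_POLICY_NONE": "KAM_DMARC_NONE",
    "__KAM_DMARC_POLICY_QUAR": "KAM_DMARC_QUARANTINE",
    "__KAM_DMARC_POLICY_REJECT": "KAM_DMARC_REJECT",
}

# Constructed TXT records (example.com is a placeholder domain).
SAMPLES = {
    "canonical": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "no_trailing_semicolon": "v=DMARC1; p=reject",
    "spaces_around_equals": "v=DMARC1; p = quarantine; adkim = s;",
    "sp_only_differs": "v=DMARC1; p=none; sp=reject;",
    "strict_last_tag": "v=DMARC1; p=quarantine; adkim=s",
}


def regex_hits(txt):
    """Sub-rules the page's patterns would set for one TXT string."""
    return {name for name, rx in PAGE_RULES.items() if rx.search(txt)}


def parse_dmarc(txt):
    """Tag-value parse: ';' separators, optional whitespace around ';' and
    '=', no separator required after the last tag. None if not DMARC1."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip(), value.strip())
    first = parts[0].partition("=") if parts else ("", "", "")
    if first[0].strip() != "v" or first[2].strip() != "DMARC1":
        return None
    return tags


def parsed_hits(txt):
    """Sub-rules that a tag-value parse of the record would set."""
    tags = parse_dmarc(txt)
    hits = set()
    if tags is None:
        return hits
    if tags.get("p") in POLICY_RULE:
        hits.add(POLICY_RULE[tags["p"]])
    if tags.get("adkim", "r") == "s":  # relaxed alignment is the default
        hits.add("__KAM_DMARC_POLICY_DKIM_STRICT")
    return hits


def kam_dmarc_metas(sub, dkim_valid, dkim_valid_au, spf_pass):
    """Evaluate the page's meta expressions for one message."""
    strict = "__KAM_DMARC_POLICY_DKIM_STRICT" in sub
    fired = set()
    if not ((dkim_valid_au and strict) or (dkim_valid and not strict)):
        fired.add("KAM_DMARC_STATUS")
    # !(DKIM_VALID_AU || SPF_PASS): true only when BOTH checks fail.
    if not (dkim_valid_au or spf_pass):
        fired |= {META_FOR_POLICY[r] for r in sub if r in META_FOR_POLICY}
    return fired


def mismatches():
    """Names of sample records where patterns and parser disagree."""
    return sorted(n for n, txt in SAMPLES.items()
                  if regex_hits(txt) != parsed_hits(txt))


if __name__ == "__main__":
    for name, txt in SAMPLES.items():
        print(name, sorted(regex_hits(txt)), sorted(parsed_hits(txt)))
    print("disagree:", mismatches())
```

# Records that end the p= or adkim= tag without a semicolon, or put spaces around '=', fit the RFC grammar but set none of the sub-rules, so the policy metas stay silent for those domains.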
#OLE/VB MACROs
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# increase number of mime parts checked
olemacro_num_mime 10
if (version >= 3.0040005)
body KAM_OLEMACRO eval:check_olemacro()
describe KAM_OLEMACRO Attachment has an Office Macro
score KAM_OLEMACRO 7.5
body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
score KAM_OLEMACRO_MALICE 10.0
body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
score KAM_OLEMACRO_ENCRYPTED 3.0
#This may cause more CPU usage
olemacro_extended_scan 1
body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
score KAM_OLEMACRO_RENAME 0.5
meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
score GB_OLEMACRO_REN_VIR 10
endif
body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
score KAM_OLEMACRO_ZIP_PW 1.0
body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
describe KAM_OLEMACRO_CSV Macro in csv file
score KAM_OLEMACRO_CSV 5.0
#meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
#describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
#score KAM_OLEMACRO_ZIP_PW_NOMID 5.0
meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
score KAM_OLEMACRO_ZIP_BOT 5.0
endif
#Testing Rule for Subject Prefixes - See note 58397
#if can(Mail::SpamAssassin::Conf::feature_subjprefix)
# enlist_addrlist (INTERNAL) *@pccc.com
# header __FROM_INTERNAL eval:check_from_in_list('INTERNAL')
#
# meta EXTERNAL (!__FROM_INTERNAL)
# describe EXTERNAL External users to PCCC Test Rule
# score EXTERNAL 0.001
# subjprefix EXTERNAL [EXTERNAL]
#endif
#Testing Rule for NoSubject Rules - See note 58246
#if (version >= 3.004003)
# #SHOULD HIT
# body NOSUBJECT_TEST_HIT /example/i
# describe NOSUBJECT_TEST_HIT This should hit on an email with example in the subject but not in the body because subjects are automatically prepended for testing.
#
# #SHOULD NOT HIT
# body NOSUBJECT_TEST_FAIL /example/i
# describe NOSUBJECT_TEST_FAIL This should NOT hit on an email with example in the subject but not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
# tflags NOSUBJECT_TEST_FAIL nosubject
#endif
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::HashBL
# BTC address present in BTC blacklist
# thanks to Henrik Krohns for the regexp
body BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
priority BTC_HASHBL_BLACK -100
tflags BTC_HASHBL_BLACK net
describe BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
score BTC_HASHBL_BLACK 5.0
endif
endif
#Testing of HASHBL Additions - Note 58246
if (version >= 3.004003)
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
ifplugin Mail::SpamAssassin::Plugin::HashBL
rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP
# mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)
header PCCC_HDR_MARKETINGBL eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32')
describe PCCC_HDR_MARKETINGBL Address in email headers associated with mass-marketing (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_MARKETINGBL net
score PCCC_HDR_MARKETINGBL 0.001
priority PCCC_HDR_MARKETINGBL -100
header PCCC_HDR_REPLYTO eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
describe PCCC_HDR_REPLYTO Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_HDR_REPLYTO net
score PCCC_HDR_REPLYTO 3.5
priority PCCC_HDR_REPLYTO -100
# compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
header PCCC_SENDER_COMPROMISED eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
describe PCCC_SENDER_COMPROMISED Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
tflags PCCC_SENDER_COMPROMISED net
score PCCC_SENDER_COMPROMISED 2.0
priority PCCC_SENDER_COMPROMISED -100
# compromised domain found in received headers
header PCCC_RECEIVED_HDR_COMPROMISED eval:check_rbl_rcvd('pccc-rcvd', 'wild.pccc.com.', '127.0.1.2')
describe PCCC_RECEIVED_HDR_COMPROMISED Compromised domain found in received headers found on PCCC RBL (https://raptor.pccc.com/RBL)
tflags PCCC_RECEIVED_HDR_COMPROMISED net
score PCCC_RECEIVED_HDR_COMPROMISED 2.0
priority PCCC_RECEIVED_HDR_COMPROMISED -100
# dns server of From address found on PCCC RBL
header PCCC_FROM_BAD_NS eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
describe PCCC_FROM_BAD_NS DNS server of From address found on PCCC RBL (https://raptor.pccc.com/RBL)
tflags PCCC_FROM_BAD_NS net
score PCCC_FROM_BAD_NS 2.0
priority PCCC_FROM_BAD_NS -100
# Freemail address in Reply-To header found on PCCC HashBL
# this rule needs 99_hashbl.cf to work
header PCCC_HASHBL_FREEMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail')
describe PCCC_HASHBL_FREEMAIL Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_FREEMAIL net
score PCCC_HASHBL_FREEMAIL 3.5
priority PCCC_HASHBL_FREEMAIL -100
# Email address in X-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL_SEND eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SEND Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SEND net
score PCCC_HASHBL_EMAIL_SEND 1.5
priority PCCC_HASHBL_EMAIL_SEND -100
# Email address in X-SRS-Sender header found on PCCC HashBL
header PCCC_HASHBL_EMAIL_SRS eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-SRS-Sender', '^127\.', 'all')
describe PCCC_HASHBL_EMAIL_SRS Message contains srs email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL_SRS net
score PCCC_HASHBL_EMAIL_SRS 1.5
priority PCCC_HASHBL_EMAIL_SRS -100
# Email address in email headers found on PCCC HashBL
header PCCC_HASHBL_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5')
describe PCCC_HASHBL_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_EMAIL net
score PCCC_HASHBL_EMAIL 1.5
priority PCCC_HASHBL_EMAIL -100
# Email address in custom email headers found on PCCC HashBL
header PCCC_HASHBL_HDR_EMAIL eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
describe PCCC_HASHBL_HDR_EMAIL Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
tflags PCCC_HASHBL_HDR_EMAIL net
score PCCC_HASHBL_HDR_EMAIL 0.5
priority PCCC_HASHBL_HDR_EMAIL -100
#Move this to a file like 99_hashbl_settings.cf when KAM rules become a channel
hashbl_acl_freemail ematic.com
hashbl_acl_freemail embarqmail.com
hashbl_acl_freemail embroideryforums.com
hashbl_acl_freemail eml.cc
hashbl_acl_freemail emoka.ro
hashbl_acl_freemail emptymail.com
hashbl_acl_freemail enel.net
hashbl_acl_freemail enelpunto.net
hashbl_acl_freemail engineer.com
hashbl_acl_freemail england.com
hashbl_acl_freemail englandmail.com
hashbl_acl_freemail enterate.com.ar
hashbl_acl_freemail entryweb.it
hashbl_acl_freemail entusiastisk.com
hashbl_acl_freemail enusmail.com
hashbl_acl_freemail envirocitizen.com
hashbl_acl_freemail epatra.com
hashbl_acl_freemail epix.net
hashbl_acl_freemail epomail.com
hashbl_acl_freemail epost.de
hashbl_acl_freemail eprompter.com
hashbl_acl_freemail eqqu.com
hashbl_acl_freemail eramail.co.za
hashbl_acl_freemail eresmas.com
hashbl_acl_freemail eriga.lv
hashbl_acl_freemail eritrea.cc
hashbl_acl_freemail ertelecom.ru
hashbl_acl_freemail escapeartist.com
hashbl_acl_freemail esde-s.org
hashbl_acl_freemail esfera.cl
hashbl_acl_freemail estadao.com.br
hashbl_acl_freemail etllao.com
hashbl_acl_freemail euromail.net
hashbl_acl_freemail europe.com
hashbl_acl_freemail europemail.com
hashbl_acl_freemail euroseek.com
hashbl_acl_freemail euskalmail.com
hashbl_acl_freemail evafan.com
hashbl_acl_freemail everyday.com.kh
hashbl_acl_freemail everymail.net
hashbl_acl_freemail everyone.net
hashbl_acl_freemail excite.co.uk
hashbl_acl_freemail excite.com
hashbl_acl_freemail execs.com
hashbl_acl_freemail execs2k.com
hashbl_acl_freemail executivemail.co.za
hashbl_acl_freemail expertrenovator.com
hashbl_acl_freemail expn.com
hashbl_acl_freemail expressivemail.com
hashbl_acl_freemail expressmail.dk
hashbl_acl_freemail ezilon.com
hashbl_acl_freemail ezrs.com
hashbl_acl_freemail ezsweeps.com
hashbl_acl_freemail f-m.fm
hashbl_acl_freemail facilmail.com
hashbl_acl_freemail fadrasha.net
hashbl_acl_freemail fadrasha.org
hashbl_acl_freemail faithhighway.com
hashbl_acl_freemail faithmail.com
hashbl_acl_freemail falasteen.cc
hashbl_acl_freemail familymailbox.com
hashbl_acl_freemail familyroll.com
hashbl_acl_freemail familysafeweb.net
hashbl_acl_freemail famous.as
hashbl_acl_freemail fan.com
hashbl_acl_freemail fan.net
hashbl_acl_freemail fanaticos.com
hashbl_acl_freemail fanofbooks.com
hashbl_acl_freemail fanofcomputers.com
hashbl_acl_freemail fanofcooking.com
hashbl_acl_freemail fanoftheweb.com
hashbl_acl_freemail faroweb.com
hashbl_acl_freemail farts.com
hashbl_acl_freemail fast-email.com
hashbl_acl_freemail fast-mail.org
hashbl_acl_freemail fastem.com
hashbl_acl_freemail fastemail.us
hashbl_acl_freemail fastemailer.com
hashbl_acl_freemail fastermail.com
hashbl_acl_freemail fastest.cc
hashbl_acl_freemail fastimap.com
hashbl_acl_freemail fastmail.co.uk
hashbl_acl_freemail fastmail.com
hashbl_acl_freemail fastmailbox.net
hashbl_acl_freemail fastmessaging.com
hashbl_acl_freemail fastservice.com
hashbl_acl_freemail fastwebmail.it
hashbl_acl_freemail fawz.net
hashbl_acl_freemail fea.st
hashbl_acl_freemail federalcontractors.com
hashbl_acl_freemail fedxmail.com
hashbl_acl_freemail feelingnaughty.com
hashbl_acl_freemail feelings.com
hashbl_acl_freemail female.ru
hashbl_acl_freemail fepg.net
hashbl_acl_freemail ffanet.com
hashbl_acl_freemail fiberia.com
hashbl_acl_freemail fieldmail.com
hashbl_acl_freemail filipinolinks.com
hashbl_acl_freemail financesource.com
hashbl_acl_freemail financier.com
hashbl_acl_freemail findmail.com
hashbl_acl_freemail fireman.net
hashbl_acl_freemail firemyst.com
hashbl_acl_freemail fiscal.net
hashbl_acl_freemail fit.lv
hashbl_acl_freemail flashmail.com
hashbl_acl_freemail fleetmail.com
hashbl_acl_freemail flipcode.com
hashbl_acl_freemail florida.usa.com
hashbl_acl_freemail floridagators.com
hashbl_acl_freemail fmail.co.uk
hashbl_acl_freemail fmailbox.com
hashbl_acl_freemail fmgirl.com
hashbl_acl_freemail fmguy.com
hashbl_acl_freemail fnmail.com
hashbl_acl_freemail focusedonprofits.com
hashbl_acl_freemail focusedonreturns.com
hashbl_acl_freemail footballer.com
hashbl_acl_freemail forfree.at
hashbl_acl_freemail forsythmissouri.org
hashbl_acl_freemail fortuncity.com
hashbl_acl_freemail forum.dk
hashbl_acl_freemail foxmail.com
hashbl_acl_freemail free.com.pe
hashbl_acl_freemail free.fr
hashbl_acl_freemail free.net.nz
hashbl_acl_freemail freeaccess.nl
hashbl_acl_freemail freegates.be
hashbl_acl_freemail freeghana.com
hashbl_acl_freemail freehosting.nl
hashbl_acl_freemail freei.co.th
hashbl_acl_freemail freeler.nl
hashbl_acl_freemail freemail.com
hashbl_acl_freemail freemail.globalsite.com.br
hashbl_acl_freemail freemailen.de
hashbl_acl_freemail freemailn.de
hashbl_acl_freemail freemuslim.net
hashbl_acl_freemail freenet.de
hashbl_acl_freemail freenet.kg
hashbl_acl_freemail freeola.net
hashbl_acl_freemail freeonline.com
hashbl_acl_freemail freepgs.com
hashbl_acl_freemail freesbee.fr
hashbl_acl_freemail freeservers.com
hashbl_acl_freemail freestart.hu
hashbl_acl_freemail freesurf.ch
hashbl_acl_freemail freesurf.fr
hashbl_acl_freemail freesurf.nl
hashbl_acl_freemail freeuk.com
hashbl_acl_freemail freeuk.net
hashbl_acl_freemail freeweb.it
hashbl_acl_freemail freewebemail.com
hashbl_acl_freemail freeyellow.com
hashbl_acl_freemail frisurf.no
hashbl_acl_freemail frontiernet.net
hashbl_acl_freemail fsmail.net
hashbl_acl_freemail fsnet.co.uk
hashbl_acl_freemail ftml.net
hashbl_acl_freemail fudge.com
hashbl_acl_freemail fuelie.org
hashbl_acl_freemail fujairah.cc
hashbl_acl_freemail fujairah.us
hashbl_acl_freemail fujairah.ws
hashbl_acl_freemail fun-greetings-jokes.com
hashbl_acl_freemail fun.21cn.com
hashbl_acl_freemail funkytimes.com
hashbl_acl_freemail fusemail.com
hashbl_acl_freemail fut.es
hashbl_acl_freemail futboladdict.com
hashbl_acl_freemail gabes.cc
hashbl_acl_freemail gafsa.cc
hashbl_acl_freemail gala.net
hashbl_acl_freemail galaxyhit.com
hashbl_acl_freemail galmail.co.za
hashbl_acl_freemail gamebox.net
hashbl_acl_freemail gamecocks.com
hashbl_acl_freemail gamerssolution.com
hashbl_acl_freemail games.com
hashbl_acl_freemail gardener.com
hashbl_acl_freemail gawab.com
hashbl_acl_freemail gay.com
hashbl_acl_freemail gaymailbox.com
hashbl_acl_freemail gaza.net
hashbl_acl_freemail gazabo.net
hashbl_acl_freemail gazeta.pl
hashbl_acl_freemail gci.net
hashbl_acl_freemail gdi.net
hashbl_acl_freemail geeklife.com
hashbl_acl_freemail gemari.or.id
hashbl_acl_freemail genxemail.com
hashbl_acl_freemail geologist.com
hashbl_acl_freemail geopia.com
hashbl_acl_freemail georgia.usa.com
hashbl_acl_freemail germanymail.com
hashbl_acl_freemail getintobooks.com
hashbl_acl_freemail getmail.no
hashbl_acl_freemail ggaweb.ch
hashbl_acl_freemail giga4u.de
hashbl_acl_freemail giza.cc
hashbl_acl_freemail gjk.dk
hashbl_acl_freemail glay.org
hashbl_acl_freemail glendale.net
hashbl_acl_freemail glittergrrrls.com
hashbl_acl_freemail globalfree.it
hashbl_acl_freemail globalpinoy.com
hashbl_acl_freemail globalsite.com.br
hashbl_acl_freemail globalum.com
hashbl_acl_freemail globetrotter.net
hashbl_acl_freemail globomail.com
hashbl_acl_freemail gmail.com
hashbl_acl_freemail gmx.com
hashbl_acl_freemail go-bama.com
hashbl_acl_freemail go-cavs.com
hashbl_acl_freemail go-chargers.com
hashbl_acl_freemail go-dawgs.com
hashbl_acl_freemail go-gators.com
hashbl_acl_freemail go-hogs.com
hashbl_acl_freemail go-irish.com
hashbl_acl_freemail go-spartans.com
hashbl_acl_freemail go-tigers.com
hashbl_acl_freemail go.aggies.com
hashbl_acl_freemail go.air-force.com
hashbl_acl_freemail go.badgers.com
hashbl_acl_freemail go.big-orange.com
hashbl_acl_freemail go.blue.devils.com
hashbl_acl_freemail go.buffaloes.com
hashbl_acl_freemail go.bulldogs.com
hashbl_acl_freemail go.com
hashbl_acl_freemail go.cougars.com
hashbl_acl_freemail go.dores.com
hashbl_acl_freemail go.gamecocks.com
hashbl_acl_freemail go.huskies.com
hashbl_acl_freemail go.longhorns.com
hashbl_acl_freemail go.mustangs.com
hashbl_acl_freemail go.rebels.com
hashbl_acl_freemail go.ro
hashbl_acl_freemail go.ru
hashbl_acl_freemail go.terrapins.com
hashbl_acl_freemail go.wildcats.com
hashbl_acl_freemail go.wolverines.com
hashbl_acl_freemail go.yellow-jackets.com
hashbl_acl_freemail go2net.com
hashbl_acl_freemail go4.it
hashbl_acl_freemail goatrance.com
hashbl_acl_freemail goddess.com
hashbl_acl_freemail gofree.co.uk
hashbl_acl_freemail gohip.com
hashbl_acl_freemail golfemail.com
hashbl_acl_freemail goliadtexas.com
hashbl_acl_freemail gomail.com.ua
hashbl_acl_freemail gonowmail.com
hashbl_acl_freemail gonuts4free.com
hashbl_acl_freemail googlemail.com
hashbl_acl_freemail goplay.com
hashbl_acl_freemail gorontalo.net
hashbl_acl_freemail gospelcity.com
hashbl_acl_freemail gothicgirl.com
hashbl_acl_freemail gotmail.com
hashbl_acl_freemail gotomy.com
hashbl_acl_freemail govzone.com
hashbl_acl_freemail grad.com
hashbl_acl_freemail graduate.org
hashbl_acl_freemail graffiti.net
hashbl_acl_freemail grapemail.net
hashbl_acl_freemail graphic-designer.com
hashbl_acl_freemail gratisweb.com
hashbl_acl_freemail greatautos.org
hashbl_acl_freemail greenmail.net
hashbl_acl_freemail groupmail.com
hashbl_acl_freemail gtechnics.com
hashbl_acl_freemail guate.net
hashbl_acl_freemail guessmail.com
hashbl_acl_freemail guinea.cc
hashbl_acl_freemail guy.com
hashbl_acl_freemail gwalla.com
hashbl_acl_freemail h-mail.us
hashbl_acl_freemail haberx.com
hashbl_acl_freemail hacker.am
hashbl_acl_freemail hackermail.com
hashbl_acl_freemail hail2theskins.com
hashbl_acl_freemail hailmail.net
hashbl_acl_freemail hairdresser.net
hashbl_acl_freemail haitisurf.com
hashbl_acl_freemail halejob.com
hashbl_acl_freemail hamptonroads.com
hashbl_acl_freemail hamra.cc
hashbl_acl_freemail handbag.com
hashbl_acl_freemail hanmail.net
hashbl_acl_freemail happemail.com
hashbl_acl_freemail happycounsel.com
hashbl_acl_freemail happyhippo.com
hashbl_acl_freemail hasakah.com
hashbl_acl_freemail hateinthebox.com
hashbl_acl_freemail hawaii.com
hashbl_acl_freemail hawaii.usa.com
hashbl_acl_freemail hayahaya.tg
hashbl_acl_freemail hebron.tv
hashbl_acl_freemail hedgeai.com
hashbl_acl_freemail heesun.net
hashbl_acl_freemail heremail.com
hashbl_acl_freemail hetnet.nl
hashbl_acl_freemail highveldmail.co.za
hashbl_acl_freemail hilarious.com
hashbl_acl_freemail hildebrands.de
hashbl_acl_freemail hingis.org
hashbl_acl_freemail hiphopfan.com
hashbl_acl_freemail hispavista.com
hashbl_acl_freemail hitmanrecords.com
hashbl_acl_freemail hitthepuck.com
hashbl_acl_freemail hockeyghiaccio.com
hashbl_acl_freemail hockeymail.com
hashbl_acl_freemail holapuravida.com
hashbl_acl_freemail home.no.net
hashbl_acl_freemail home.ro
hashbl_acl_freemail home.se
hashbl_acl_freemail homelocator.com
hashbl_acl_freemail homemail.co.za
hashbl_acl_freemail homemail.com
hashbl_acl_freemail homenetmail.com
hashbl_acl_freemail homestead.com
hashbl_acl_freemail homosexual.net
hashbl_acl_freemail homs.cc
hashbl_acl_freemail hong-kong-1.com
hashbl_acl_freemail hongkong.com
hashbl_acl_freemail hopthu.com
hashbl_acl_freemail hosanna.net
hashbl_acl_freemail hot-shot.com
hashbl_acl_freemail hot.ee
hashbl_acl_freemail hotbot.com
hashbl_acl_freemail hotbox.ru
hashbl_acl_freemail hotcoolmail.com
hashbl_acl_freemail hotdak.com
hashbl_acl_freemail hotfire.net
hashbl_acl_freemail hotinbox.com
hashbl_acl_freemail hotmail.co.uk
hashbl_acl_freemail hotmail.com
hashbl_acl_freemail hotpop.com
hashbl_acl_freemail hotvoice.com
hashbl_acl_freemail hour.com
hashbl_acl_freemail housemail.com
hashbl_acl_freemail houseofhorrors.com
hashbl_acl_freemail howling.com
hashbl_acl_freemail hugkiss.com
hashbl_acl_freemail huhmail.com
hashbl_acl_freemail hullnumber.com
hashbl_acl_freemail human.lv
hashbl_acl_freemail humanoid.net
hashbl_acl_freemail humour.com
hashbl_acl_freemail hurra.de
hashbl_acl_freemail hush.ai
hashbl_acl_freemail hush.com
hashbl_acl_freemail hushmail.com
hashbl_acl_freemail huskies.com
hashbl_acl_freemail hutchcity.com
hashbl_acl_freemail i-dig-movies.com
hashbl_acl_freemail i-france.com
hashbl_acl_freemail i-love-restaurants.com
hashbl_acl_freemail i-p.com
hashbl_acl_freemail i12.com
hashbl_acl_freemail i2828.com
hashbl_acl_freemail ibatam.com
hashbl_acl_freemail ibest.com.br
hashbl_acl_freemail ibizdns.com
hashbl_acl_freemail ibra.cc
hashbl_acl_freemail icafe.com
hashbl_acl_freemail ice.is
hashbl_acl_freemail icestorm.com
hashbl_acl_freemail icloud.com
hashbl_acl_freemail icq.com
hashbl_acl_freemail icq.ir
hashbl_acl_freemail icqmail.com
hashbl_acl_freemail icrazy.com
hashbl_acl_freemail id.ru
hashbl_acl_freemail idaho.usa.com
hashbl_acl_freemail idigcomputers.com
hashbl_acl_freemail idigelectronics.com
hashbl_acl_freemail idigvideos.com
hashbl_acl_freemail idirect.com
hashbl_acl_freemail idncafe.com
hashbl_acl_freemail idunno4recipes.com
hashbl_acl_freemail ieg.com.br
hashbl_acl_freemail iespalomeras.net
hashbl_acl_freemail iespana.es
hashbl_acl_freemail ifrance.com
hashbl_acl_freemail ig.com.br
hashbl_acl_freemail ignazio.it
hashbl_acl_freemail ihatenetscape.com
hashbl_acl_freemail ilike2helpothers.com
hashbl_acl_freemail ilike2invest.com
hashbl_acl_freemail ilike2workout.com
hashbl_acl_freemail ilikeelectronics.com
hashbl_acl_freemail ilikeworkingout.com
hashbl_acl_freemail illinois.usa.com
hashbl_acl_freemail ilovehomeprojects.com
hashbl_acl_freemail iloveourteam.com
hashbl_acl_freemail iloveworkingout.com
hashbl_acl_freemail ilse.net
hashbl_acl_freemail ilse.nl
hashbl_acl_freemail imail.ru
hashbl_acl_freemail imailbox.com
hashbl_acl_freemail imap-mail.com
hashbl_acl_freemail imap.cc
hashbl_acl_freemail imapmail.org
hashbl_acl_freemail imel.org
hashbl_acl_freemail in-box.net
hashbl_acl_freemail in.com
hashbl_acl_freemail in2autos.net
hashbl_acl_freemail iname.acom
hashbl_acl_freemail iname.com
hashbl_acl_freemail inbox.com
hashbl_acl_freemail inbox.ge
hashbl_acl_freemail inbox.lv
hashbl_acl_freemail inbox.net
hashbl_acl_freemail inbox.ru
hashbl_acl_freemail incamail.com
hashbl_acl_freemail indexa.fr
hashbl_acl_freemail india.com
hashbl_acl_freemail indiamail.com
hashbl_acl_freemail indiana.usa.com
hashbl_acl_freemail indiatimes.com
hashbl_acl_freemail induquimica.org
hashbl_acl_freemail inet.com.ua
hashbl_acl_freemail infinito.it
hashbl_acl_freemail infoapex.com
hashbl_acl_freemail infohq.com
hashbl_acl_freemail infomail.es
hashbl_acl_freemail infomart.or.jp
hashbl_acl_freemail infosat.net
hashbl_acl_freemail infovia.com.ar
hashbl_acl_freemail inicia.es
hashbl_acl_freemail inmail.sk
hashbl_acl_freemail inmail24.com
hashbl_acl_freemail innocent.com
hashbl_acl_freemail inorbit.com
hashbl_acl_freemail inoutbox.com
hashbl_acl_freemail instruction.com
hashbl_acl_freemail instructor.net
hashbl_acl_freemail insurer.com
hashbl_acl_freemail intelnet.net.gt
hashbl_acl_freemail intelnett.com
hashbl_acl_freemail interblod.com
hashbl_acl_freemail interestedinthejob.com
hashbl_acl_freemail interfree.it
hashbl_acl_freemail interia.pl
hashbl_acl_freemail interlap.com.ar
hashbl_acl_freemail intermail.hu
hashbl_acl_freemail internet-e-mail.com
hashbl_acl_freemail internet-mail.org
hashbl_acl_freemail internet.lu
hashbl_acl_freemail internetegypt.com
hashbl_acl_freemail internetemails.net
hashbl_acl_freemail internetmailing.net
hashbl_acl_freemail intimatefire.com
hashbl_acl_freemail intomotors.com
hashbl_acl_freemail inwind.it
hashbl_acl_freemail iobox.com
hashbl_acl_freemail iobox.fi
hashbl_acl_freemail iol.it
hashbl_acl_freemail iol.pt
hashbl_acl_freemail iowa.usa.com
hashbl_acl_freemail ip3.com
hashbl_acl_freemail ipermitmail.com
hashbl_acl_freemail iphon.biz
hashbl_acl_freemail iqemail.com
hashbl_acl_freemail iquebec.com
hashbl_acl_freemail ir.ae
hashbl_acl_freemail iran.com
hashbl_acl_freemail irangate.net
hashbl_acl_freemail iraq.ir
hashbl_acl_freemail irbid.ws
hashbl_acl_freemail ire.ir
hashbl_acl_freemail ireland.ir
hashbl_acl_freemail irelandmail.com
hashbl_acl_freemail irow.com
hashbl_acl_freemail irr.ir
hashbl_acl_freemail iscool.net
hashbl_acl_freemail islandmama.com
hashbl_acl_freemail ismailia.cc
hashbl_acl_freemail ismart.net
hashbl_acl_freemail isonews2.com
hashbl_acl_freemail isonfire.com
hashbl_acl_freemail isp9.net
hashbl_acl_freemail ispey.com
hashbl_acl_freemail israelmail.com
hashbl_acl_freemail ist-der-mann.de
hashbl_acl_freemail ist-der-wahnsinn.de
hashbl_acl_freemail ist-echt.so
hashbl_acl_freemail ist-genialer.de
hashbl_acl_freemail ist-schlauer.de
hashbl_acl_freemail ist-supersexy.de
hashbl_acl_freemail istecht.so
hashbl_acl_freemail italymail.com
hashbl_acl_freemail itelgua.com
hashbl_acl_freemail itloox.com
hashbl_acl_freemail itmom.com
hashbl_acl_freemail ivenus.com
hashbl_acl_freemail iwan-fals.com
hashbl_acl_freemail iwatchrealitytv.com
hashbl_acl_freemail iwon.com
hashbl_acl_freemail ixp.net
hashbl_acl_freemail jadida.cc
hashbl_acl_freemail jadida.org
hashbl_acl_freemail japan.com
hashbl_acl_freemail jaydemail.com
hashbl_acl_freemail jazzemail.com
hashbl_acl_freemail jedrzejow.pl
hashbl_acl_freemail jerash.cc
hashbl_acl_freemail jetemail.net
hashbl_acl_freemail jingjo.net
hashbl_acl_freemail jippii.fi
hashbl_acl_freemail jizan.cc
hashbl_acl_freemail jmail.co.za
hashbl_acl_freemail job4u.com
hashbl_acl_freemail jojomail.com
hashbl_acl_freemail jouf.cc
hashbl_acl_freemail journalist.com
hashbl_acl_freemail jovem.te.pt
hashbl_acl_freemail joymail.com
hashbl_acl_freemail jpg.ir
hashbl_acl_freemail juanitabynum.com
hashbl_acl_freemail jubii.dk
hashbl_acl_freemail jubiipost.dk
hashbl_acl_freemail jumpy.it
hashbl_acl_freemail juno.com
hashbl_acl_freemail justemail.net
hashbl_acl_freemail justmailz.com
hashbl_acl_freemail k.ro
hashbl_acl_freemail kaazoo.com
hashbl_acl_freemail kabissa.org
hashbl_acl_freemail kairouan.cc
hashbl_acl_freemail kaixo.com
hashbl_acl_freemail kalluritimes.com
hashbl_acl_freemail kalpoint.com
hashbl_acl_freemail kann.so
hashbl_acl_freemail kanoodle.com
hashbl_acl_freemail kansas.usa.com
hashbl_acl_freemail karak.cc
hashbl_acl_freemail katamail.com
hashbl_acl_freemail kataweb.it
hashbl_acl_freemail kayafmmail.co.za
hashbl_acl_freemail keko.com.ar
hashbl_acl_freemail kentucky.usa.com
hashbl_acl_freemail keptprivate.com
hashbl_acl_freemail keromail.com
hashbl_acl_freemail khaimah.cc
hashbl_acl_freemail khartoum.cc
hashbl_acl_freemail khobar.cc
hashbl_acl_freemail kickboxing.com
hashbl_acl_freemail kidrock.com
hashbl_acl_freemail kimo.com
hashbl_acl_freemail kinkyemail.com
hashbl_acl_freemail kissfans.com
hashbl_acl_freemail kittymail.com
hashbl_acl_freemail kiwitown.com
hashbl_acl_freemail klik.it
hashbl_acl_freemail klikni.cz
hashbl_acl_freemail kmtn.ru
hashbl_acl_freemail koko.com
hashbl_acl_freemail kolozsvar.ro
hashbl_acl_freemail kombud.com
hashbl_acl_freemail kool-things.com
hashbl_acl_freemail koreamail.com
hashbl_acl_freemail koreanmail.com
hashbl_acl_freemail kotaksuratku.info
hashbl_acl_freemail krunis.com
hashbl_acl_freemail ksa.ir
hashbl_acl_freemail kukamail.com
hashbl_acl_freemail kuronowish.com
hashbl_acl_freemail kuwait.ir
hashbl_acl_freemail kuwaiti.tv
hashbl_acl_freemail kyokodate.com
hashbl_acl_freemail kyokofukada.net
hashbl_acl_freemail kyrgyzstan.cc
hashbl_acl_freemail ladymail.cz
hashbl_acl_freemail lagoon.nc
hashbl_acl_freemail lahaonline.com
hashbl_acl_freemail lamalla.net
hashbl_acl_freemail lancsmail.com
hashbl_acl_freemail land.ru
hashbl_acl_freemail laposte.net
hashbl_acl_freemail latakia.cc
hashbl_acl_freemail latchess.com
hashbl_acl_freemail latinabarbie.com
hashbl_acl_freemail latinmail.com
hashbl_acl_freemail latinogreeks.com
hashbl_acl_freemail lawyer.com
hashbl_acl_freemail lawyersmail.com
hashbl_acl_freemail lawyerzone.com
hashbl_acl_freemail lebanese.cc
hashbl_acl_freemail lebanonatlas.com
hashbl_acl_freemail leehom.net
hashbl_acl_freemail leesville.com
hashbl_acl_freemail legislator.com
hashbl_acl_freemail lemondrop.com
hashbl_acl_freemail leonardo.it
hashbl_acl_freemail leonlai.net
hashbl_acl_freemail letsjam.com
hashbl_acl_freemail letterbox.org
hashbl_acl_freemail letterboxes.org
hashbl_acl_freemail levele.com
hashbl_acl_freemail lexpress.net
hashbl_acl_freemail libero.it
hashbl_acl_freemail liberomail.com
hashbl_acl_freemail libertysurf.net
hashbl_acl_freemail libre.net
hashbl_acl_freemail lightwines.org
hashbl_acl_freemail linkmaster.com
hashbl_acl_freemail linuxfreemail.com
hashbl_acl_freemail linuxmail.org
hashbl_acl_freemail lionsfan.com.au
hashbl_acl_freemail live.com
hashbl_acl_freemail livedoor.com
hashbl_acl_freemail llandudno.com
hashbl_acl_freemail llangollen.com
hashbl_acl_freemail lmxmail.sk
hashbl_acl_freemail lobbyist.com
hashbl_acl_freemail loggain.net
hashbl_acl_freemail loggain.nu
hashbl_acl_freemail lolnetwork.net
hashbl_acl_freemail london.com
hashbl_acl_freemail london.ir
hashbl_acl_freemail longhorns.com
hashbl_acl_freemail look.com
hashbl_acl_freemail looksmart.co.uk
hashbl_acl_freemail looksmart.com
hashbl_acl_freemail looksmart.com.au
hashbl_acl_freemail loteria.net
hashbl_acl_freemail lotonazo.com
hashbl_acl_freemail louisiana.usa.com
hashbl_acl_freemail louiskoo.com
hashbl_acl_freemail love2exercise.com
hashbl_acl_freemail love2workout.com
hashbl_acl_freemail loveable.com
hashbl_acl_freemail lovecat.com
hashbl_acl_freemail loveemail.com
hashbl_acl_freemail lovefantasysports.com
hashbl_acl_freemail loveis.lv
hashbl_acl_freemail lovemail.com
hashbl_acl_freemail lovetoexercise.com
hashbl_acl_freemail lovingjesus.com
hashbl_acl_freemail lowrider.com
hashbl_acl_freemail lpemail.com
hashbl_acl_freemail lubnan.cc
hashbl_acl_freemail lubnan.ws
hashbl_acl_freemail lucky7lotto.net
hashbl_acl_freemail luckymail.com
hashbl_acl_freemail luso.pt
hashbl_acl_freemail lusoweb.pt
hashbl_acl_freemail luukku.com
hashbl_acl_freemail luvfishing.com
hashbl_acl_freemail luvgolfing.com
hashbl_acl_freemail luvsoccer.com
hashbl_acl_freemail lv-inter.net
hashbl_acl_freemail lycos.co.uk
hashbl_acl_freemail lycos.com
hashbl_acl_freemail lycosmail.com
hashbl_acl_freemail mac.com
hashbl_acl_freemail machinecandy.com
hashbl_acl_freemail macmail.com
hashbl_acl_freemail mad.scientist.com
hashbl_acl_freemail madcrazy.com
hashbl_acl_freemail madeniggaz.net
hashbl_acl_freemail madinah.cc
hashbl_acl_freemail madonnafan.com
hashbl_acl_freemail madonno.com
hashbl_acl_freemail madrid.com
hashbl_acl_freemail mag-spam.net
hashbl_acl_freemail mag2.com
hashbl_acl_freemail maghreb.cc
hashbl_acl_freemail magicmail.co.za
hashbl_acl_freemail magik-net.com
hashbl_acl_freemail mail-atlas.net
hashbl_acl_freemail mail-awu.de
hashbl_acl_freemail mail-box.cz
hashbl_acl_freemail mail-center.com
hashbl_acl_freemail mail-central.com
hashbl_acl_freemail mail-jp.org
hashbl_acl_freemail mail-me.com
hashbl_acl_freemail mail-on.us
hashbl_acl_freemail mail-online.dk
hashbl_acl_freemail mail-page.com
hashbl_acl_freemail mail-x-change.com
hashbl_acl_freemail mail.austria.com
hashbl_acl_freemail mail.az
hashbl_acl_freemail mail.be
hashbl_acl_freemail mail.bg
hashbl_acl_freemail mail.bulgaria.com
hashbl_acl_freemail mail.by
hashbl_acl_freemail mail.co.za
hashbl_acl_freemail mail.com
hashbl_acl_freemail mail.de
hashbl_acl_freemail mail.dk
hashbl_acl_freemail mail.ee
hashbl_acl_freemail mail.goo.ne.jp
hashbl_acl_freemail mail.gr
hashbl_acl_freemail mail.lawguru.com
hashbl_acl_freemail mail.md
hashbl_acl_freemail mail.mn
hashbl_acl_freemail mail.org
hashbl_acl_freemail mail.pf
hashbl_acl_freemail mail.pt
hashbl_acl_freemail mail.ru
hashbl_acl_freemail mail.yahoo.co.jp
hashbl_acl_freemail mail15.com
hashbl_acl_freemail mail3000.com
hashbl_acl_freemail mail333.com
hashbl_acl_freemail mail4me.com
hashbl_acl_freemail mail8.com
hashbl_acl_freemail mailandftp.com
hashbl_acl_freemail mailandnews.com
hashbl_acl_freemail mailas.com
hashbl_acl_freemail mailasia.com
hashbl_acl_freemail mailbg.com
hashbl_acl_freemail mailblocks.com
hashbl_acl_freemail mailbolt.com
hashbl_acl_freemail mailbomb.com
hashbl_acl_freemail mailbox.as
hashbl_acl_freemail mailbox.co.za
hashbl_acl_freemail mailbox.gr
hashbl_acl_freemail mailbox.hu
hashbl_acl_freemail mailbox.sk
hashbl_acl_freemail mailc.net
hashbl_acl_freemail mailcan.com
hashbl_acl_freemail mailcircuit.com
hashbl_acl_freemail mailclub.fr
hashbl_acl_freemail mailclub.net
hashbl_acl_freemail maildozy.com
hashbl_acl_freemail mailfly.com
hashbl_acl_freemail mailforce.net
hashbl_acl_freemail mailftp.com
hashbl_acl_freemail mailglobal.net
hashbl_acl_freemail mailhaven.com
hashbl_acl_freemail mailinator.com
hashbl_acl_freemail mailingaddress.org
hashbl_acl_freemail mailingweb.com
hashbl_acl_freemail mailisent.com
hashbl_acl_freemail mailite.com
hashbl_acl_freemail mailme.dk
hashbl_acl_freemail mailmight.com
hashbl_acl_freemail mailmij.nl
hashbl_acl_freemail mailnew.com
hashbl_acl_freemail mailops.com
hashbl_acl_freemail mailpanda.com
hashbl_acl_freemail mailpersonal.com
hashbl_acl_freemail mailroom.com
hashbl_acl_freemail mailru.com
hashbl_acl_freemail mails.de
hashbl_acl_freemail mailsent.net
hashbl_acl_freemail mailserver.dk
hashbl_acl_freemail mailservice.ms
hashbl_acl_freemail mailsnare.net
hashbl_acl_freemail mailsurf.com
hashbl_acl_freemail mailup.net
hashbl_acl_freemail mailvault.com
hashbl_acl_freemail mailworks.org
hashbl_acl_freemail maine.usa.com
hashbl_acl_freemail majorana.martina-franca.ta.it
hashbl_acl_freemail majorgolfer.com
hashbl_acl_freemail majorshopaholic.com
hashbl_acl_freemail majortechie.com
hashbl_acl_freemail maktoob.com
hashbl_acl_freemail malayalamtelevision.net
hashbl_acl_freemail malayalapathram.com
hashbl_acl_freemail male.ru
hashbl_acl_freemail manager.de
hashbl_acl_freemail manama.cc
hashbl_acl_freemail manlymail.net
hashbl_acl_freemail mansoura.tv
hashbl_acl_freemail mantrafreenet.com
hashbl_acl_freemail mantramail.com
hashbl_acl_freemail mantraonline.com
hashbl_acl_freemail marchmail.com
hashbl_acl_freemail marihuana.ro
hashbl_acl_freemail marijuana.nl
hashbl_acl_freemail marillion.net
hashbl_acl_freemail marketweighton.com
hashbl_acl_freemail marrakesh.cc
hashbl_acl_freemail maryland.usa.com
hashbl_acl_freemail mascara.ws
hashbl_acl_freemail masrawy.com
hashbl_acl_freemail massachusetts.usa.com
hashbl_acl_freemail mauimail.com
hashbl_acl_freemail mbox.com.au
hashbl_acl_freemail mcom.com
hashbl_acl_freemail mcrmail.com
hashbl_acl_freemail me.by
hashbl_acl_freemail me.com
hashbl_acl_freemail medicinatv.com
hashbl_acl_freemail meetingmall.com
hashbl_acl_freemail mega-schlau.de
hashbl_acl_freemail megamail.pt
hashbl_acl_freemail megarave.com
hashbl_acl_freemail meknes.cc
hashbl_acl_freemail menara.ma
hashbl_acl_freemail merseymail.com
hashbl_acl_freemail mesra.net
hashbl_acl_freemail messagez.com
hashbl_acl_freemail metacrawler.com
hashbl_acl_freemail metalfan.com
hashbl_acl_freemail mexico.com
hashbl_acl_freemail mexicomail.com
hashbl_acl_freemail miaoweb.net
hashbl_acl_freemail michigan.usa.com
hashbl_acl_freemail micro2media.com
hashbl_acl_freemail miesto.sk
hashbl_acl_freemail mighty.co.za
hashbl_acl_freemail milacamn.net
hashbl_acl_freemail milmail.com
hashbl_acl_freemail mindless.com
hashbl_acl_freemail mindviz.com
hashbl_acl_freemail minister.com
hashbl_acl_freemail minnesota.usa.com
hashbl_acl_freemail mississippi.usa.com
hashbl_acl_freemail missouri.usa.com
hashbl_acl_freemail mixmail.com
hashbl_acl_freemail ml1.net
hashbl_acl_freemail ml2clan.com
hashbl_acl_freemail mlanime.com
hashbl_acl_freemail mm.st
hashbl_acl_freemail mmail.com
hashbl_acl_freemail mobimail.mn
hashbl_acl_freemail mobsters.com
hashbl_acl_freemail mobstop.com
hashbl_acl_freemail modemnet.net
hashbl_acl_freemail modomail.com
hashbl_acl_freemail mofa.com
hashbl_acl_freemail moldova.com
hashbl_acl_freemail moldovacc.com
hashbl_acl_freemail monarchy.com
hashbl_acl_freemail montana.usa.com
hashbl_acl_freemail montevideo.com.uy
hashbl_acl_freemail moomia.com
hashbl_acl_freemail moose-mail.com
hashbl_acl_freemail mosaicfx.com
hashbl_acl_freemail moscowmail.com
hashbl_acl_freemail motley.com
hashbl_acl_freemail motor-nut.com
hashbl_acl_freemail motormania.com
hashbl_acl_freemail movemail.com
hashbl_acl_freemail moviefan.com
hashbl_acl_freemail mr.outblaze.com
hashbl_acl_freemail mrspender.com
hashbl_acl_freemail mscold.com
hashbl_acl_freemail msn.co.uk
hashbl_acl_freemail msn.com
hashbl_acl_freemail msnzone.cn
hashbl_acl_freemail mundo-r.com
hashbl_acl_freemail !notify@yahoogroups.com
hashbl_acl_freemail !no-reply@yahoogroups.com
hashbl_acl_freemail !groupsupdates@yahoogroups.com
hashbl_acl_freemail !calendarnotification@outlook.com
hashbl_acl_freemail !nsubscribe@googlegroups.com
hashbl_acl_freemail !ubscribe@googlegroups.com
hashbl_acl_freemail !unsubscribe@googlegroups.com
endif
endif
endif
#END of TEST OF HASHBL ADDITIONS
#LABEL
header __KAM_LABEL1 Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting)/i
body __KAM_LABEL2 /meet at your office|quick lead time/i
body __KAM_LABEL3a /make custom (shirts|sports|jackets|suits)/i
# bug fix thanks to Moritz Friedrich
body __KAM_LABEL3b /PPE/
body __KAM_LABEL4 /(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
body __KAM_LABEL5 /(premier|top|luxury) (clothing|fabric)|fortune 500/i
body __KAM_LABEL6 /\| Label|Label Health/i
header __KAM_LABEL7 Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
body __KAM_LABEL8 /face ?mask|(^|\b)PPE(\b|$)/i
meta KAM_LABEL (__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 6)
describe KAM_LABEL Tailored clothier spam
score KAM_LABEL 9.0
meta KAM_LABEL2 ((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
describe KAM_LABEL2 PPE Spam
score KAM_LABEL2 9.0
#RBLOBFU
body __KAM_RBL_OBFU1 /b2b.{1,4}salesprospects.{1,4}com/i
body __KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
body __KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i
meta KAM_RBL_OBFU ((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
describe KAM_RBL_OBFU Spammers obfuscating their domain and abusing freemail
score KAM_RBL_OBFU 12.0
meta KAM_RBL_OBFU2 __KAM_RBL_OBFU3
describe KAM_RBL_OBFU2 Spammers obfuscating their domain
score KAM_RBL_OBFU2 9.0
#Shady CC's
body __KAM_SHADYCC1 /(transactions?|purchases?) from your (online store|web-?shop)/i
header __KAM_SHADYCC2 Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
body __KAM_SHADYCC3 /(four|4) of (my|the) (master)?card/i
body __KAM_SHADYCC4 /(detailed|full) statement/i
meta KAM_SHADYCC (__KAM_SHADYCC1 + __KAM_SHADYCC2 + __KAM_SHADYCC3 + __KAM_SHADYCC4 >= 4)
describe KAM_SHADYCC Scam predicated around reporting fraudulent purchase
score KAM_SHADYCC 6.0
#Expo Scams
header __KAM_EXPOPIRATE1 Subject =~ /Hotel Booking/i
body __KAM_EXPOPIRATE2 /Business Traveller/i
meta KAM_EXPOPIRATE (__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2)
describe KAM_EXPOPIRATE Scam Pirates trying to Hijack Event Hotel Bookings
score KAM_EXPOPIRATE 4.5
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
#Domain Expiry Scams
header __KAM_DOMAINEXPIRY1 Subject =~ /Domain.*Expiration/i
body __KAM_DOMAINEXPIRY2 /Attached letter/i
meta KAM_DOMAINEXPIRY (__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
describe KAM_DOMAINEXPIRY Domain Expiration Scams
score KAM_DOMAINEXPIRY 4.5
#Payment Scams
header __KAM_PAYMENTSCAM1 Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
body __KAM_PAYMENTSCAM2 /attached (payment|herewith)|ready for release/i
mimeheader __KAM_PAYMENTSCAM3 Content-Type =~ /\.doc/i
full __KAM_PAYMENTSCAM4 /\{\\rtf/
meta KAM_PAYMENTSCAM (__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
describe KAM_PAYMENTSCAM Payment Scams with Malware Payloads
score KAM_PAYMENTSCAM 6.5
meta KAM_PAYMENTSCAM2 (DEAR_BENEFICIARY + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
describe KAM_PAYMENTSCAM2 Payment scams
score KAM_PAYMENTSCAM2 4.5
#Password Scams
body __KAM_PASSWORDSCAM1 /pass word/i
meta KAM_PASSWORDSCAM (__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
describe KAM_PASSWORDSCAM Password extortion spams
score KAM_PASSWORDSCAM 6.0
endif
#Training Scams
header __KAM_TRAINING1 Subject =~ /mandatory.*training/i
body __KAM_TRAINING2 /intranet|training calendar/i
body __KAM_TRAINING3 /Human Resources/i
meta KAM_TRAINING (__KAM_TRAINING1 + __KAM_TRAINING2 + __KAM_TRAINING3 >= 3)
describe KAM_TRAINING Training Phishing
score KAM_TRAINING 4.5
#Trump Medicare
header __KAM_MEDICARE2_1 Subject =~ /Trump Medicare/i
meta KAM_MEDICARE2 __KAM_MEDICARE2_1 >= 1
describe KAM_MEDICARE2 Medicare Scams
score KAM_MEDICARE2 2.0
#Water hack
header __KAM_WATERHACK1 Subject =~ /Water Hack/i
body __KAM_WATERHACK2 /water hack/i
meta KAM_WATERHACK (__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
describe KAM_WATERHACK Diet Scams
score KAM_WATERHACK 5.0
#Sendgrid Exploits
#thanks to Chip for another Spample on 2020-03-07
header __KAM_SENDGRID1 EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
header __KAM_SENDGRID1A Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
header __KAM_SENDGRID2 Received =~ /ismtp.*?\.sendgrid\.net|outbound\-mail\.sendgrid\.net \[/i
meta KAM_SENDGRID ((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
describe KAM_SENDGRID Sendgrid being exploited by scammers
score KAM_SENDGRID 1.50
header __KAM_EDU_FROM From:addr =~ /\.edu$/i
header __KAM_SENDGRID3 Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
header __KAM_SENDGRID4 From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i
meta KAM_SENDGRID2 ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
describe KAM_SENDGRID2 Sendgrid being exploited by scammers
score KAM_SENDGRID2 2.0
#Political Spam
header __KAM_2020_1 Subject =~ /Re-?elect Trump|election t-?shirt|ginsburg shirt|christmas t-?shirt|officially licensed/i
body __KAM_2020_2 /T-?shirt|printed in the US|stink stank stunk|officially licensed|star wars/i
tflags __KAM_2020_2 nosubject
meta KAM_2020 (__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
describe KAM_2020 2020 Political Spams - Vote KAM for 2020 - donate today at www.mcgrail.com
score KAM_2020 7.0
#WeTransfer Spam
uri __KAM_WETRANSFER1 /wetransferfiledownload|\?email=|redirecturl/i
header __KAM_WETRANSFER2 From:name =~ /WeTransfer/i
header __KAM_WETRANSFER3 From:addr !~ /wetransfer\.com/i
header __KAM_WETRANSFER4 Subject =~ /via WeTransfer/i
meta KAM_WETRANSFER (__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
score KAM_WETRANSFER 6.0
describe KAM_WETRANSFER WeTransfer Impersonators
#Grey Eagle
header __KAM_GREYEAGLE_1 From =~ /greyeagle|funding|capital|banking|lending/i
body __KAM_GREYEAGLE_2 /grey eagle funding/i
meta KAM_GREYEAGLE (__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
describe KAM_GREYEAGLE Spammy Funding Company w/lots of Domains
score KAM_GREYEAGLE 10.0
#Google Storage APIs
uri KAM_STORAGE_GOOGLE /storage\.googleapis\.com|\.web\.app\//i
describe KAM_STORAGE_GOOGLE Google Storage API being abused by spammers
score KAM_STORAGE_GOOGLE 2.25
#Spam Du Jour
header __KAM_DUJOUR1 Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i
body __KAM_DUJOUR2 /(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
tflags __KAM_DUJOUR2 nosubject
header __KAM_DUJOUR3 From =~ /(Probio|Tinnitus|Reflux|CVS)/i
meta KAM_DUJOUR (KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
describe KAM_DUJOUR Spam of the Day hawking various products
score KAM_DUJOUR 4.5
#QUINFORCE
body __KAM_QUINFORCE1 /q.?u.?i.?n.?f.?o.?r.?c.?e/i
meta KAM_QUINFORCE1 (__KAM_QUINFORCE1 >= 1)
describe KAM_QUINFORCE1 Obfuscating spamming firm
score KAM_QUINFORCE1 6.0
#SPAMDUJOUR
body __KAM_CBD1 /Meridian CBD/i
meta KAM_CBD (__KAM_CBD1 + __KAM_OTHER_BAD_TLD2 >= 2)
describe KAM_CBD Spam du jour for CBD
score KAM_CBD 4.5
#COVID SCAMS
body __KAM_COVID1 /International Monetary fund|world health organization|empowerment fund/i
header __KAM_COVID2 Subject =~ /COVID?.{0,12}(payment|fund)/i
body __KAM_COVID3 /COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
tflags __KAM_COVID3 nosubject
header __KAM_COVID4 From =~ /COVID|world ?Health|WHO/i
body __KAM_COVID5 /00 ?(EUR|USD|Dollar)/i
meta KAM_COVID ((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
describe KAM_COVID Scams revolving around the pandemic
score KAM_COVID 6.0
#COVID SCAMS
body __KAM_COVID2_1 /COVID-19 (CHARITY )?(fund|donated relief)/i
tflags __KAM_COVID2_1 nosubject
header __KAM_COVID2_2 Subject =~ /(little|COVID-19) (fund|donation)/i
meta KAM_COVID2 (__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
describe KAM_COVID2 Scams revolving around the pandemic
score KAM_COVID2 7.5
#COVID SCAMS
body __KAM_COVID3_1 /Prince/i
body __KAM_COVID3_2 /reliable source/i
body __KAM_COVID3_3 /\$[\d\.,]+ mil/i
body __KAM_COVID3_4 /assist me/i
body __KAM_COVID3_5 /Saudi Arabia/i
meta KAM_COVID3 (__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
describe KAM_COVID3 Scams revolving around the pandemic
score KAM_COVID3 7.5
#VOICEMAIL SCAM
uri __KAM_VM1 /storage\.googleapis\.com\/.*?htm|appspot\.com|\/api\/v1\/click|\.sharepoint\.com\/personal\//i
header __KAM_VM2 Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File/i
body __KAM_VM3 /(Voice ?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail)/i
tflags __KAM_VM3 nosubject
body __KAM_VM4 /recorded voice|audio message|Caller.id|CID:|mailbox \d|sign document/i
tflags __KAM_VM4 nosubject
meta KAM_VM (__KAM_VM1 + __KAM_VM2 + __KAM_VM3 + __KAM_VM4 >= 3)
score KAM_VM 4.5
describe KAM_VM Voice Mail & Fax Scams
#Admin Notice Fraud
header __KAM_ADMIN1 From =~ /admin/i
header __KAM_ADMIN2 Subject =~ /For /i
body __KAM_ADMIN3 /next tax return/i
body __KAM_ADMIN4 /read this document/i
meta KAM_ADMIN (HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
describe KAM_ADMIN Phishing attempt spoofing admins
score KAM_ADMIN 9.0
#BENEFICIARY
replace_rules __KAM_BENEFICIARY2
header __KAM_BENEFICIARY1 Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general/i
#what
body __KAM_BENEFICIARY2 /(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft/i
tflags __KAM_BENEFICIARY2 nosubject
#bus
body __KAM_BENEFICIARY3 /(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check/i
#where
body __KAM_BENEFICIARY4 /(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general/i
#how much
body __KAM_BENEFICIARY5 /\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune/i
#sob
body __KAM_BENEFICIARY6 /(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete/i
meta KAM_BENEFICIARY ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
describe KAM_BENEFICIARY Beneficiary scams
score KAM_BENEFICIARY 10.5
meta KAM_BENEFICIARYLOW ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
describe KAM_BENEFICIARYLOW Beneficiary scams (Lower Confidence)
score KAM_BENEFICIARYLOW 6.0
#NPO
body __KAM_NPO1 /501\(?c\)?\(?3\)?|501 c 3/i
#BENEFICIARY
meta KAM_BENEFICIARY2 (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
describe KAM_BENEFICIARY2 Beneficiary scams
score KAM_BENEFICIARY2 3.0
#Person Beneficiary
body __KAM_BENEFICIARY3_1 /Mikhail Fridman/i
header __KAM_BENEFICIARY3_2 From =~ /Mikhail Fridman/i
uri __KAM_BENEFICIARY3_3 /www\.rt\.com/i
meta KAM_BENEFICIARY3 (__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3)
describe KAM_BENEFICIARY3 Beneficiary scams
score KAM_BENEFICIARY3 4.5
#Did you get my message?
header __KAM_DIDYOUSUBJ Subject =~ /Did you (receive it|get my message)/i
body __KAM_DIDYOUBODY /Did you (receive it|get my message)/i
tflags __KAM_DIDYOUBODY nosubject
#Nothing but sig
#body __KAM_SIGONLY1 /^.{0,10}--\b/im
#tflags __KAM_SIGONLY1 nosubject
#
#meta KAM_SIGONLY (__KAM_SIGONLY1 >= 2)
#score KAM_SIGONLY 1.5
#describe KAM_SIGONLY Message is (mostly) just a signature
#
##SigOnly spam
#meta KAM_SIGONLY2 (KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
#score KAM_SIGONLY2 1.5
#describe KAM_SIGONLY2 Junk Messages using (mostly) just a signature
#Blank Subject
header KAM_BLANKSUBJECT Subject =~ /^\s*$/i
describe KAM_BLANKSUBJECT Message has a blank Subject
score KAM_BLANKSUBJECT 0.25
#Job
#what
header __KAM_JOB2_1 Subject =~ /doing the job/i
body __KAM_JOB2_2 /represent the company/i
#Where
body __KAM_JOB2_3 /Singapore/i
#how much
body __KAM_JOB2_4 /\d,?000 USD (monthly|weekly)/i
meta KAM_JOB2 (FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
describe KAM_JOB2 Employment scams
score KAM_JOB2 7.5
#WEB
header __KAM_WEB2_1 Subject =~ /follow|next step|website work/i
body __KAM_WEB2_2 /affordable (quot|price)|less than half/i
body __KAM_WEB2_3 /web (designer|develop)|new website/i
body __KAM_WEB2_4 /portfolio|sample|insights/i
meta KAM_WEB2 (FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
describe KAM_WEB2 Unsolicited web workers
score KAM_WEB2 7.5
#BANK
header __KAM_BANK_1 Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
body __KAM_BANK_2 /beneficiary|agent|investment group|deceased/i
body __KAM_BANK_3 /re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i
meta KAM_BANK (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
describe KAM_BANK Bank scams
score KAM_BANK 7.5
#FAKE CERTIFICATES
header __KAM_CERT1 Subject =~ /Medical Certificate/i
body __KAM_CERT2 /review this certificate/i
body __KAM_CERT3 /link below/i
meta KAM_CERT (__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
describe KAM_CERT Fake Certificate Scams
score KAM_CERT 4.5
#URGENT
header __KAM_URGENT1 Subject =~ /^Hello$/i
body __KAM_URGENT2 /urgent respond/i
body __KAM_URGENT3 /private e?mail/i
body __KAM_URGENT4 /god bless/i
body __KAM_URGENT5 /address still valid/i
meta KAM_URGENT ( __KAM_URGENT1 + __KAM_URGENT2 + __KAM_URGENT3 + __KAM_URGENT4 + __KAM_URGENT5 >= 5)
describe KAM_URGENT Urgent Scams
score KAM_URGENT 7.5
#INVESTMENT
header __KAM_INVEST1 Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest/i
#looking/why
body __KAM_INVEST2 /apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance/i
#money/deal
body __KAM_INVEST3 /earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
#what/where
body __KAM_INVEST4 /malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country/i
tflags __KAM_INVEST4 nosubject
meta KAM_INVEST (LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
describe KAM_INVEST Investment Scams
score KAM_INVEST 6.0
#SIGNON
header __KAM_SIGN1 Subject =~ /New Sign-?[io]n/i
body __KAM_SIGN2 /review your account/i
body __KAM_SIGN3 /verification is processed/i
meta KAM_SIGN (KAM_STORAGE_GOOGLE + __KAM_SIGN1 + __KAM_SIGN2 + __KAM_SIGN3 >= 4)
describe KAM_SIGN Sign-in Verification Scams
score KAM_SIGN 6.0
#COVID SPAM
header __KAM_WEIRDC19_1 Subject =~ /The virus that causes COVID-19/i
header __KAM_WEIRDC19_2 From =~ /John Robert/i
body __KAM_WEIRDC19_3 /The virus that causes COVID-19/i
tflags __KAM_WEIRDC19_3 nosubject
meta KAM_WEIRDC19 (FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
describe KAM_WEIRDC19 Odd Covid-19 spam with information
score KAM_WEIRDC19 7.5
#PRODUCT DUJOUR
header __KAM_CELEB1 Subject =~ /Celebrity Doc/i
body __KAM_CELEB2 /resugar/i
body __KAM_CELEB3 /fat.burning/i
meta KAM_CELEB (__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
describe KAM_CELEB Celebrity Health Scams
score KAM_CELEB 4.5
#BEAL AND SIMILAR IMPERSONATOR
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header __KAM_BEAL1 From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman/i
#header __KAM_BEAL2 From:addr =~ /\@gmail\.com|\@mail\.ru/i
body __KAM_BEAL3 /(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman/i
body __KAM_BEAL4 /(reply with|forward|send me|let me have) your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out) ASAP|available at the moment|(desk|moment) right now/i
body __KAM_BEAL5 /can't talk on the phone|receivable aging report|summary of all w\-?2/i
meta KAM_BEAL ((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + (SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
describe KAM_BEAL IMPOSTER! Will the real slim shady, please stand up?
score KAM_BEAL 11.0
endif
#PROJECT
header __KAM_PROJECT1 Subject =~ /Project/i
body __KAM_PROJECT2 /business project/i
body __KAM_PROJECT3 /email is active/i
body __KAM_PROJECT4 /please respond/i
meta KAM_PROJECT (__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
describe KAM_PROJECT Scam inquiries about amorphous projects
score KAM_PROJECT 6.0
#FAKEWESTERN
header __KAM_FAKEWEST1 Subject =~ /Attention/i
body __KAM_FAKEWEST2 /Western Union/i
body __KAM_FAKEWEST3 /United Nation/i
body __KAM_FAKEWEST4 /Wrong Transfer/i
body __KAM_FAKEWEST5 /0[\.,]?000[\.,]?00\s?USD/i
meta KAM_FAKEWEST (__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
describe KAM_FAKEWEST Fake money Transfer Scam
score KAM_FAKEWEST 6.0
#FAKEDROPBOX
header __KAM_FAKEDROPBOX2_1 Subject =~ /on Dropbox/i
meta KAM_FAKEDROPBOX2 (__KAM_FAKEDROPBOX2_1 + __KAM_TINYDOMAIN + FREEMAIL_FROM >= 3)
describe KAM_FAKEDROPBOX2 Fake Dropbox Phish
score KAM_FAKEDROPBOX2 4.5
header __KAM_FAKEDROPBOX3_1 Subject =~ /new dropbox message/i
uri __KAM_FAKEDROPBOX3_2 /wp\-includes/i
meta KAM_FAKEDROPBOX3 (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
describe KAM_FAKEDROPBOX3 Fake Dropbox Phish
score KAM_FAKEDROPBOX3 6.0
#FAKEMONEYGRAM
header __KAM_FAKEMONEYGRAM1 From =~ /Money.?Gram/i
meta KAM_FAKEMONEYGRAM (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
describe KAM_FAKEMONEYGRAM Fake Moneygram Phish
score KAM_FAKEMONEYGRAM 5.5
#FAKESHAREPOINT
header __KAM_FAKESHAREPOINT1 Subject =~ /by Sharepoint|payment reminder|shared|Request for Quot/i
header __KAM_FAKESHAREPOINT2 from =~ /sharepoint|accounts? payable|RFQ/i
uri __KAM_FAKESHAREPOINT3 /my\.sharepoint\.com|appdomain\.cloud/i
body __KAM_FAKESHAREPOINT4 /Sharepoint Fileshare/i
mimeheader __KAM_FAKESHAREPOINT5 Content-Type =~ /\.html?\"?$/i
meta KAM_FAKESHAREPOINT (__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + (__KAM_FAKESHAREPOINT3 + KAM_STORAGE_GOOGLE + __KAM_FAKESHAREPOINT4 >= 1) + __KAM_FAKESHAREPOINT5 >= 3)
describe KAM_FAKESHAREPOINT Fake Sharepoint Phish
score KAM_FAKESHAREPOINT 4.0
#ENCRYPTED ZIP
body __KAM_BADZIP1 /attached (to email|document)|take a look/i
body __KAM_BADZIP2 /Encrypted zip/i
uri __KAM_BADZIP2A /drive\.google\.com.*export=download/i
body __KAM_BADZIP3 /(order|urgent|report|dialogue)/i
body __KAM_BADZIP4 /password:/i
meta KAM_BADZIP (__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
describe KAM_BADZIP Encrypted Zip File Indicating a Scam
score KAM_BADZIP 6.0
#VERIZON SCAM
header __KAM_VERIZON1 Subject =~ /verizon wireless security message/i
header __KAM_VERIZON2 From:name =~ /Verizon/i
header __KAM_VERIZON3 From:addr !~ /verizon/i
#What
body __KAM_VERIZON4 /Update required immediately/i
#how
body __KAM_VERIZON5 /update your account information/i
#Problem
body __KAM_VERIZON6 /deactivated/i
#Money
body __KAM_VERIZON7 /credit card|bank account/i
meta KAM_VERIZON (__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
describe KAM_VERIZON Fake Wireless account notices
score KAM_VERIZON 9.5
#Docusign SCAM
header __KAM_DOCUSIGN1 Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service/i
header __KAM_DOCUSIGN2 From:name =~ /docusign/i
header __KAM_DOCUSIGN3 From:addr !~ /docusign/i
uri __KAM_DOCUSIGN4 /\.weebly\.com|docs\.google\.com/i
meta KAM_DOCUSIGN ((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
describe KAM_DOCUSIGN Fake Document Signature account notices
score KAM_DOCUSIGN 4.5
#Invalid From
header __KAM_TWODOTS From:addr =~ /\@.*\.\./i
meta KAM_INVALIDFROM (__KAM_TWODOTS >= 1)
describe KAM_INVALIDFROM Invalid From Address
score KAM_INVALIDFROM 5.0
#Client Fake Invoice
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_FAKEINV1 From =~ /headoffice/i
header __KAM_FAKEINV1A Reply-to =~ /no.?reply\@/i
body __KAM_FAKEINV2 /dearest client/i
mimeheader __KAM_FAKEINV3 Content-Type =~ /\.xls\"?$/i
meta KAM_FAKEINV ((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
describe KAM_FAKEINV Fake Customer Invoices
score KAM_FAKEINV 4.5
endif
#IMAGE ONLY
meta KAM_IMAGEONLY (PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
describe KAM_IMAGEONLY Email from a questionable TLD that contains primarily just an image
score KAM_IMAGEONLY 0.75
#HOLIDAY 2020 GIFTS
header __KAM_HOLIDAY2020_1 Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
body __KAM_HOLIDAY2020_2 /(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
tflags __KAM_HOLIDAY2020_2 nosubject
header __KAM_HOLIDAY2020_3 From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i
meta KAM_HOLIDAY2020 (__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
describe KAM_HOLIDAY2020 Holiday Gifts 2020 Spam
score KAM_HOLIDAY2020 4.0
#GOOGLE FORM
uri __KAM_GOOGLEFORM_1 /docs\.google\.com\/forms\//i
body __KAM_GOOGLEFORM_2 /Untitled|Formulaire sans titre/i
body __KAM_GOOGLEFORM_3 /foundation is donating/i
meta KAM_GOOGLEFORM (__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
describe KAM_GOOGLEFORM Untitled or Spam Google Form
score KAM_GOOGLEFORM 4.0
header __GB_RETPATH_GOOG_TRIX Return-Path =~ /\@trix\.bounces\.google\.com/
meta GB_RETPATH_GOOG_TRIX __GB_RETPATH_GOOG_TRIX
describe GB_RETPATH_GOOG_TRIX Email from Google subdomain being abused by spammers
score GB_RETPATH_GOOG_TRIX 2.00
#BENEFICIARY FAKE FORM
body __KAM_DISCLOSE1 /enable me disclose|indicate your? interest|something important/i
meta KAM_FAKEFORM ((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
describe KAM_FAKEFORM Fake Form for Scams
score KAM_FAKEFORM 4.0
#2ND AMENDMENT
body __KAM_2ND_1 /police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
body __KAM_2ND_2 /2nd am?mendment|concealed carry|right to carry/i
header __KAM_2ND_3 From =~ /2nd amm?endment|Concealed/i
meta KAM_2ND ((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
describe KAM_2ND Political / 2nd Amendment Spam
score KAM_2ND 4.5
#SPAM DU JOUR - MASKS
body __KAM_KN_1 /(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
tflags __KAM_KN_1 nosubject
body __KAM_KN_2 /get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
tflags __KAM_KN_2 nosubject
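#<O1> is a ReplaceTags tag; it is only expanded for rules named in replace_rules
replace_rules __KAM_KN_3
header __KAM_KN_3 Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i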
header __KAM_KN_4 From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i
meta KAM_KN (__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
describe KAM_KN Spam Du Jour for Masks
score KAM_KN 4.5
#SPAM DU JOUR - BAD CREDIT
body __KAM_BADCRED_1 /bad credit/i
tflags __KAM_BADCRED_1 nosubject
header __KAM_BADCRED_2 Subject =~ /bad credit.*off track/
meta KAM_BADCRED (__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
describe KAM_BADCRED Spam Du Jour for Bad Credit
score KAM_BADCRED 3.0
#SPAM DU JOUR - SPO2
replace_rules __KAM_SPO2_2 __KAM_SPO2_3
body __KAM_SPO2_1 /pulse oximeter|touchless thermometer/i
body __KAM_SPO2_2 /C<O1>VID/i
tflags __KAM_SPO2_2 nosubject
header __KAM_SPO2_3 Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
header __KAM_SPO2_4 From =~ /health|infrared|oximeter|Painless/i
meta KAM_SPO2 (__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
describe KAM_SPO2 COVID Spams
score KAM_SPO2 4.5
#SPAM DU JOUR - HEATED VEST
body __KAM_VEST1 /(heated|thermal) vest/i
tflags __KAM_VEST1 nosubject
header __KAM_VEST2 Subject =~ /stay toasty/i
header __KAM_VEST3 From =~ /thermal vest/i
meta KAM_VEST (__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
describe KAM_VEST Spam Du Jour for Vests
score KAM_VEST 4.5
#FAKE CVS
header __KAM_CVS1 From =~ /CVS Pharm/i
header __KAM_CVS1A From:addr !~ /\@cvs\.com/i
body __KAM_CVS2 /CVS/
tflags __KAM_CVS2 nosubject
header __KAM_CVS3 Subject =~ /CVS Pharm/i
meta KAM_CVS ((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
describe KAM_CVS Fake CVS Spams
score KAM_CVS 6.0
#HACKED EXPLOIT
body __KAM_HACK1 /(phone|electronic|computer) have been hacked|suspected online scam/i
body __KAM_HACK2 /read attached|click here for verification/i
body __KAM_HACK3 /save yourself|lead to your arrest/i
header __KAM_HACK4 From:name =~ /justice dep/i
meta KAM_HACK (__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
describe KAM_HACK Hacker Exploitation Email
score KAM_HACK 4.5
#FAKE INVOICES
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header __KAM_FAKEINV2_1 Subject =~ /lnv (remittance|\& check)/i
body __KAM_FAKEINV2_2 /(find|see) (the )?attach/i
body __KAM_FAKEINV2_3 /not mail the check|typeform\.com/i
mimeheader __KAM_FAKEINV2_4 Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i
meta KAM_FAKEINV2 (__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
describe KAM_FAKEINV2 Fake Invoice Scams
score KAM_FAKEINV2 6.0
endif
#FAKE ADS
header __KAM_FAKEAD1 Subject =~ /brand medication|stubborn fat/i
body __KAM_FAKEAD2 /click here to UNSUBSCRIBE|start shopping|here\'s how/i
uri __KAM_FAKEAD3 /\/bit\.ly/i
body __KAM_FAKEAD4 /Sweet passion|no plastic surgery/i
meta KAM_FAKEAD (__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
describe KAM_FAKEAD Fake Advertisements
score KAM_FAKEAD 6.0
#FAKE REGISTRY SCAMS
body __KAM_FAKE_REGISTRY1 /www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
uri __KAM_FAKE_REGISTRY2 /domainregistryasia\.net|domainregistryasia\.cn/i
meta KAM_FAKE_REGISTRY (__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
describe KAM_FAKE_REGISTRY Fake Domain Registry Scammers trying to get you to buy unneeded domains
score KAM_FAKE_REGISTRY 5.0
#FAKE Fax
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_FAKE_FAX1 Content-Type =~ /.*(fax).*\.htm/i
endif
body __KAM_FAKE_FAX2 /incoming fax|fax received/i
header __KAM_FAKE_FAX3 Subject =~ /Fax/i
body __KAM_FAKE_FAX4 /invoice/i
meta KAM_FAKE_FAX (T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
describe KAM_FAKE_FAX Fake Fax Scam
score KAM_FAKE_FAX 8.0
#FAKE TRUST
body __KAM_FAKE_TRUST1 /Message is from a .{0,40}trusted source/i
meta KAM_FAKE_TRUST (__KAM_FAKE_TRUST1 >= 1 )
describe KAM_FAKE_TRUST Scams about trusted sources
score KAM_FAKE_TRUST 3.5
#FAKE INVOICE
header __KAM_FAKE_INVOICE1 Subject =~ /payment advice/i
body __KAM_FAKE_INVOICE2 /Payment advice/i
meta KAM_FAKE_INVOICE (T_HTML_ATTACH + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
describe KAM_FAKE_INVOICE Fake Invoice Scam
score KAM_FAKE_INVOICE 6.0
#BAD PRODUCTS
header __KAM_BAD_PRODUCT1 Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
body __KAM_BAD_PRODUCT2 /Dolphin sealer|hotstreak plug|Rapid thaw tray/i
meta KAM_BAD_PRODUCT (__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
describe KAM_BAD_PRODUCT Spammy Products
score KAM_BAD_PRODUCT 3.0
#BAD LINK
uri __KAM_BAD_LINK1 /\.pdf\.iso$/i
meta KAM_BAD_LINK (__KAM_BAD_LINK1 >= 1)
describe KAM_BAD_LINK Potentially dangerous link in email
score KAM_BAD_LINK 10.0
#BAD CITIZENS
header __KAM_CITIZEN1 Subject =~ /Citizens Bank Ealert/i
body __KAM_CITIZEN2 /Important (message|Notice) From Citizens/i
uri __KAM_CITIZEN3 /phpmailer|wp-admin|\.well-known/i
header __KAM_CITIZEN4 From:name =~ /Citizens ?Bank/i
header __KAM_CITIZEN5 From:addr !~ /citizen/i
meta KAM_CITIZEN (__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
describe KAM_CITIZEN Fake Bank Alert Scam
score KAM_CITIZEN 7.5
#BAD PRODUCTS
header __KAM_PRODUCT2_1 Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen gadget|small penis|make you bigger/i
body __KAM_PRODUCT2_2 /meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen gadget|savage.?grow/i
header __KAM_PRODUCT2_3 From =~ /veestro|i ?can ?read|zippy ?loan|car ?shield|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow/i
meta KAM_PRODUCT2 ( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
describe KAM_PRODUCT2 Scammy Products prevalent in spam
score KAM_PRODUCT2 4.5
#BAD_PDF_LINK
#uri_detail KAM_PDF_FAKE text =~ /\.PDF/i cleaned =~ /\.github.io\//i
#describe KAM_PDF_FAKE Links to Fake PDFs
#score KAM_PDF_FAKE 5.0
#SCAM INQUIRY
#what
body __KAM_INQUIRY_1 /inquiry for purchase|product catalog|price list|reply with catalog/i
#subj
header __KAM_INQUIRY_2 Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
#oddities
body __KAM_INQUIRY_3 /terms? (\&|and) conditions?|rightful dep/i
#Forwarder
body __KAM_INQUIRY_4 /certificate of origin|import\/export|trading company/i
meta KAM_INQUIRY (__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
describe KAM_INQUIRY Product Inquiry Scams
score KAM_INQUIRY 7.0
#FROM NAME SPAM
header __KAM_FROM_NAME_FAKERBL From:name =~ /Savagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com/i
meta KAM_FROM_NAME_FAKERBL (__KAM_FROM_NAME_FAKERBL >= 1)
describe KAM_FROM_NAME_FAKERBL From name contains a URL that is spammy
score KAM_FROM_NAME_FAKERBL 6.0
# EOF