#KAM.cf - SpamAssassin Rules
#Author: Kevin A. McGrail
#Email: Kevin.McGrail@McGrail.com
#HomePage: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
#
#This is a collection of special rules that I have developed and use on my system.
#They are intended as live research for committal to SpamAssassin's SVN sandbox.
#
#Copyright 2009 Kevin A. McGrail
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Conventions used throughout this file:
#  - rules whose names start with "__" are sub-rules that only feed a "meta" expression;
#  - a meta such as (A + B + C >= 2) counts how many of its sub-rules hit.

#PHISHING TEST
# rawbody is matched against the body with its HTML markup still in place, which is
# what lets this rule see an inline style attribute. The 0.01 score only tags the
# message; the rule is informational rather than decisive.
rawbody KAM_PHISH1 /u style="cursor: pointer"/
describe KAM_PHISH1 Test for PHISH that changes the cursor
score KAM_PHISH1 0.01

#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
# KAM_REAL fires only when all three body phrases are present (>= 3 of 3).
body __KAM_REAL1 /(^|\b)RE market/is
body __KAM_REAL2 /(crashing|declining)/i
body __KAM_REAL3 /(vacation|second) (home|place)/is
meta KAM_REAL (__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe KAM_REAL Real Estate or Re-Finance Spam
score KAM_REAL 0.5

#REFINANCE SCAM EMAILS
# Seven signals are counted and four are required. __KAM_REFI5 and __KAM_REFI6 are
# wrapped in their own comparison, so together they contribute at most one point.
header __KAM_REFI1 Subject =~ /(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report)/i
body __KAM_REFI2 /(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies)/is
body __KAM_REFI3 /(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms)/is
body __KAM_REFI4 /(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)/i
body __KAM_REFI5 /([\d,]{5,6}|\d{2}\s*%) savings/is
body __KAM_REFI6 /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today)/is
body __KAM_REFI7 /(?:loan product|equity cash|monthly house payment|mortgage|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed)/is
# Matched against the whole From header, so the display name counts as well as the address.
header __KAM_REFI8 From =~ /great (loan|mortgage)|financ/i
meta KAM_REFI (__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 >= 4)
describe KAM_REFI Real Estate / Re-Finance Spam
score KAM_REFI 4.0

#KAM ERADICATE DEBTS
# KAM_DEBT2 (>= 2) has no exclusion for KAM_DEBT (>= 3): when all three sub-rules hit,
# both metas fire and their scores add up (2.5 + 1.0).
body __KAM_DEBT1 /(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt)/is
header __KAM_DEBT2 Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer)/i
body __KAM_DEBT3 /(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable)/is
meta KAM_DEBT ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe KAM_DEBT Debt eradication spams
score KAM_DEBT 2.5
meta KAM_DEBT2 ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 2)
describe KAM_DEBT2 Likely Debt eradication spams
score KAM_DEBT2 1.0

#XtraSize+ Penis Enlargement Scam
# Either sub-rule alone is enough (>= 1) for the full 5.0.
# NOTE(review): in __KAM_SILD2 the "+" is a regex quantifier on the final "e", not a
# literal plus sign, so "XtraSize" matches with or without a trailing "+". If the
# literal product name was intended the pattern would be XtraSize\+ - confirm.
header __KAM_SILD1 Subject =~ /Sildenafil Citrate/i
body __KAM_SILD2 /(XtraSize+|Sildenafil Citrate)/i
meta KAM_SILD (__KAM_SILD1 + __KAM_SILD2 >= 1)
describe KAM_SILD Simple rule to block one more enhancement message
score KAM_SILD 5.0

# The KAM_NUMBER rule set below is entirely commented out.
#if (version < 3.200000)
# #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
# #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
# header __KAM_NUMBER1 Subject =~ /^\d+$/
# body __KAM_NUMBER2 /\d{1,6}/
# header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
#
# meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
# describe KAM_NUMBER Silly Number Emails
# score KAM_NUMBER 1.0
#endif

#KAM MEDICATION KAM_OVERPAY
# Letters of "OVERPAY" separated by " <any char> "; the dots are regex wildcards.
body KAM_OVERPAY /O . V . E . R . P . A . Y/i
describe KAM_OVERPAY Common Medicinal Ad Trick
score KAM_OVERPAY 3.5

#VIAGRA AD
# Five space-separated single letters, each drawn from the set V A C L X P S I.
body KAM_VIAGRA1 /[VACLXPSI] [VACLXPSI] [VACLXPSI] [VACLXPSI] [VACLXPSI]/i
describe KAM_VIAGRA1 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA1 3.0

#VIAGRA AD 2
# Three space-separated three-letter prefixes in a row.
body KAM_VIAGRA2 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe KAM_VIAGRA2 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA2 3.1

#VIAGRA AD 3
# A prefix, one word character padded by spaces, then a suffix.
body KAM_VIAGRA3 /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
describe KAM_VIAGRA3 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA3 3.1

#VIAGRA AD 4
# Spaced-out spellings with an optional filler character between letters; two of the
# three spellings must be present.
body __KAM_VIAGRA4A /V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body __KAM_VIAGRA4B /V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body __KAM_VIAGRA4C /M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i
meta KAM_VIAGRA4 ((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe KAM_VIAGRA4 Common Viagra and Medicinal Table Trick
score KAM_VIAGRA4 3.1

#VIAGRA AD 5
body KAM_VIAGRA5 /(V [1li|\]] [a&] G R A|VljAG+R+A)/i
describe KAM_VIAGRA5 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA5 3.1

#VIAGRA AD 6
# Each letter may be followed by one arbitrary character; two of the five signals
# (four body spellings plus the From header) are required.
body __KAM_VIAGRA6A /V.?[IL1].?A.?G.?R.?A/i
body __KAM_VIAGRA6B /A.?M.?B.?[il1].?E.?N/i
body __KAM_VIAGRA6C /V.?A.?L.?[il1].?U.?M/i
body __KAM_VIAGRA6D /C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header __KAM_VIAGRA6E From =~ /Viagra|Cialis/i
meta KAM_VIAGRA6 (__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe KAM_VIAGRA6 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA6 3.1

#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
# The (KAM_VIAGRA6 < 1) term keeps this rule from scoring on a message that
# KAM_VIAGRA6 already caught.
body __KAM_VIAGRA7A /V[ij]+AGRA/i
body __KAM_VIAGRA7B /C[ij]+AL[ij]+S($|\b)/i
body __KAM_VIAGRA7C /AMB[ij]+EN/i
body __KAM_VIAGRA7D /VAL[ij]+UM/i
meta KAM_VIAGRA7 ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe KAM_VIAGRA7 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA7 3.1

#VIAGRA AD 8
# Two or three arbitrary characters inserted after the second letter.
body __KAM_VIAGRA8A /VI...?AGRA/i
body __KAM_VIAGRA8B /AM...?BIEN/i
body __KAM_VIAGRA8C /VA...?LIUM/i
body __KAM_VIAGRA8D /CI...?ALIS/i
meta KAM_VIAGRA8 ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe KAM_VIAGRA8 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA8 5.1

#VIAGRA AD 9
# Exactly two arbitrary characters inserted after the third letter.
body __KAM_VIAGRA9A /V[IL1]A..GRA/i
body __KAM_VIAGRA9B /AMB..IEN/i
body __KAM_VIAGRA9C /VAL..IUM/i
body __KAM_VIAGRA9D /C[IL1]A..LIS/i
meta KAM_VIAGRA9 ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe KAM_VIAGRA9 Viagra Obfuscation Technique SPAM
score KAM_VIAGRA9 5.1

#RE[#] SPAM
#NOTE: Thanks to Jason Haar for pointing out that I was only doing >=1!
# Subject consisting only of "Re", a bracketed digit and an optional colon.
# NOTE(review): in \[\d\]+ the "+" applies to the closing bracket, so the pattern accepts
# exactly one digit followed by one or more "]" ("Re[0]]:" matches, "Re[12]:" does not).
# If multi-digit counters were intended the form would be \[\d+\] - confirm.
header KAM_RE Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe KAM_RE Subject of Re[0]: etc prevalent in Spam
score KAM_RE 2.0
# Fires in addition to KAM_RE when the stock HTML_IMAGE_ONLY_08 rule also hits.
meta KAM_RE_PLUS (HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe KAM_RE_PLUS Bad Subject and Image Only rule hit == SPAM!
score KAM_RE_PLUS 4.0

#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
# All three signals are required. "920+" is "92" followed by one or more zeros.
header __KAM_HOODIA1 Subject =~ /(hoodia|920+)/i
body __KAM_HOODIA2 /(?:hoodia|920+)/i
body __KAM_HOODIA3 /(?:fat loss product|sur?p?press appetite)/is
meta KAM_HOODIA (__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 3)
describe KAM_HOODIA Hoodia Product Promotion Spam
score KAM_HOODIA 6.0

#STOCK TIPS
# One sub-rule per promoted company: a company name and/or its ticker symbol.
# The KAM_STOCKTIP meta that sums these sub-rules is defined after the last of them,
# and also requires a stock-context phrase. That second condition matters, because
# many tickers below have no word boundary (e.g. /UTEV/i, /PLMA/i, /GTAP/i) and will
# match inside longer words.
body __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
body __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
body __KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
body __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
body __KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
body __KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
body __KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
body __KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
body __KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
#THANKS TO HOMER PARKER FOR THE FALSE POSITIVE NOTE!
body __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
body __KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
body __KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
body __KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
body __KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
body __KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
body __KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
body __KAM_STOCKTIP17 /(?:Relay Capital|RLYC)/is
#THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
body __KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
body __KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
body __KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
body __KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
body __KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
body __KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
body __KAM_STOCKTIP24 /(?:Medical Home Products|MHPT)/is
body __KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
body __KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
body __KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
body __KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
body __KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
body __KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
body __KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
body __KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
body __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
body __KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
body __KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
body __KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
body __KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
body __KAM_STOCKTIP38 /(?:Vemics|VMCI|Summit Financial Resources)/is
body __KAM_STOCKTIP39 /Premium Petroleum/is
# Case-sensitive: this rule carries /s but not /i.
body __KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
body __KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
body __KAM_STOCKTIP42 /DPEK/i
#FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
body __KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
body __KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
body __KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
# Same company name as __KAM_STOCKTIP8, with a different ticker spelling.
body __KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
body __KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
#DISABLED DUPLICATE OF 40
#body __KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
body __KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
body __KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
body __KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
body __KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
body __KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
body __KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
body __KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
#FP FIXED THANKS TO Homer Parker
body __KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
#FP FIXED THANKS TO Homer Parker
body __KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
body __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
# Case-sensitive: /s only.
body __KAM_STOCKTIP59 /(?:Viva International|VIVI)/s
body __KAM_STOCKTIP60 /(?:WILON RESOURCES|WLON)/is
body __KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
body __KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|DFSE)/is
body __KAM_STOCKTIP63 /(?:Cyberhand Technologies|CYHD)/is
body __KAM_STOCKTIP64 /(?:Texhoma Energy|TXHE)/is
body __KAM_STOCKTIP65 /(?:Equal Trading|EQTD)/is
#DISABLED FOR FALSE POSITIVES AND AGE
#body __KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
body __KAM_STOCKTIP67 /(?:Mobile Airwaves|M.?W.?B.?C.?(\b|$))/is
body __KAM_STOCKTIP68 /(?:X-tra Petroleum|XTPT)/is
body __KAM_STOCKTIP69 /(?:Red Reef Laboratories|RREF)/is
body __KAM_STOCKTIP70 /(?:Great American Food Chain|GAMN)/is
body __KAM_STOCKTIP71 /(?:Cana Petroleum|CNPM)/is
body __KAM_STOCKTIP72 /(?:China Health Management|CNHC)/is
body __KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
body __KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
body __KAM_STOCKTIP75 /(?:VSUS technologies|VSUS)/is
body __KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
body __KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
#FP FIXED THANKS TO Homer Parker
body __KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
body __KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
body __KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
body __KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
body __KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
body __KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
body __KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
body __KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
body __KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
body __KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
body __KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
body __KAM_STOCKTIP89 /UTEV/i
body __KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
# Overlaps __KAM_STOCKTIP79 (same company name and ticker, looser spelling).
body __KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
body __KAM_STOCKTIP92 /CBRJ/i
body __KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
body __KAM_STOCKTIP94 /GTAP/i
body __KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
body __KAM_STOCKTIP96 /C\.?C\.?T\.?I/i
body __KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
body __KAM_STOCKTIP98 /PLMA/i
body __KAM_STOCKTIP99 /CDYV/i
body __KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|F[ _]?B[ _]?V[ _]?G)/is
body __KAM_STOCKTIP101 /WDSC/i
body __KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
body __KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
body __KAM_STOCKTIP104 /ASVP/is
body __KAM_STOCKTIP105 /CHVC/is
body __KAM_STOCKTIP106 /(China Datacom|CDPN)/is
body __KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
body __KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
body __KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
#DUPLICATED STOCKTIP #51
#body __KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
body __KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
body __KAM_STOCKTIP112 /(Global Pay Solutions|GPSI)/is
body __KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
body __KAM_STOCKTIP114 /ADOV/i
body __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
body __KAM_STOCKTIP116 /(Strategy X|SGXI)/is
body __KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
#FALSE POSITIVE ON DANSREALESTATE.
# Remaining per-company ticker sub-rules of the KAM_STOCKTIP family.
body __KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
body __KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
body __KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i
body __KAM_STOCKTIP121 /(VISION AIRSHIPS|VPSN)/is
body __KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|SZSN)/is
body __KAM_STOCKTIP123 /(Puerto Rico 7|P ?R ?T ?H)/is
body __KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body __KAM_STOCKTIP125 /(D[- ]?M[- ]?X[- ]?C)/i
body __KAM_STOCKTIP126 /(C\.?W\.?T\.?E|C'Watre International)/is
body __KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
body __KAM_STOCKTIP128 /(MONUMENTAL MARKETING|MNUM)/is
body __KAM_STOCKTIP129 /(EnerBrite Technologies Group|eTgU)/is
body __KAM_STOCKTIP130 /(Pricester|PRCC)/is
body __KAM_STOCKTIP131 /(Greenstone Holdings|GSHN)/is
body __KAM_STOCKTIP132 /(AGMS|Angstrom[- ]Microsystems)/is
body __KAM_STOCKTIP133 /(Pluris Energy|PEYG)/is
body __KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body __KAM_STOCKTIP135 /(Dominion Minerals|DMNM)/is
body __KAM_STOCKTIP136 /(PrimeGen Energy|PGNE)/is
body __KAM_STOCKTIP137 /Dynamic Response Group|DRGZ/is
body __KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|CGCA/is
body __KAM_STOCKTIP139 /Solanex Management|SLNX/is
body __KAM_STOCKTIP140 /BIO-SOLUTIONS|BISU/is
body __KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is

# Stock-context signals shared by KAM_STOCKTIP and KAM_STOCKGEN.
body __KAM_STOCKOTC /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|StockWatch):/is
body __KAM_STOCKSYM /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
body __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:)/i
body __KAM_STOCKSHR /\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body __KAM_STOCKBULL /bull (run|market)/is
body __KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
# Matches the literal text "{stk-sub}" in the Subject - presumably an unexpanded
# template token left behind by a bulk-mail tool; TODO confirm.
header __KAM_STOCKHEAD Subject =~ /{stk-sub}/i
body __KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
# KAM_STOCKTIP needs at least one stock-context signal AND at least one company/ticker
# sub-rule. Sub-rules 48, 66 and 110 are commented out where they are defined and are
# therefore absent from the sum.
meta KAM_STOCKTIP ((__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR) >= 1) && (__KAM_STOCKTIP1 + __KAM_STOCKTIP2 + __KAM_STOCKTIP3 + __KAM_STOCKTIP4 + __KAM_STOCKTIP5 + __KAM_STOCKTIP6 + __KAM_STOCKTIP7 + __KAM_STOCKTIP8 + __KAM_STOCKTIP9 + __KAM_STOCKTIP10 + __KAM_STOCKTIP11 + __KAM_STOCKTIP12 + __KAM_STOCKTIP13 + __KAM_STOCKTIP14 + __KAM_STOCKTIP15 + __KAM_STOCKTIP16 + __KAM_STOCKTIP17 + __KAM_STOCKTIP18 + __KAM_STOCKTIP19 + __KAM_STOCKTIP20 + __KAM_STOCKTIP21 + __KAM_STOCKTIP22 + __KAM_STOCKTIP23 + __KAM_STOCKTIP24 + __KAM_STOCKTIP25 + __KAM_STOCKTIP26 + __KAM_STOCKTIP27 + __KAM_STOCKTIP28 + __KAM_STOCKTIP29 + __KAM_STOCKTIP30 + __KAM_STOCKTIP31 + __KAM_STOCKTIP32 + __KAM_STOCKTIP33 + __KAM_STOCKTIP34 + __KAM_STOCKTIP35 + __KAM_STOCKTIP36 + __KAM_STOCKTIP37 + __KAM_STOCKTIP38 + __KAM_STOCKTIP39 + __KAM_STOCKTIP40 + __KAM_STOCKTIP41 + __KAM_STOCKTIP42 + __KAM_STOCKTIP43 + __KAM_STOCKTIP44 + __KAM_STOCKTIP45 + __KAM_STOCKTIP46 + __KAM_STOCKTIP47 + __KAM_STOCKTIP49 + __KAM_STOCKTIP50 + __KAM_STOCKTIP51 + __KAM_STOCKTIP52 + __KAM_STOCKTIP53 + __KAM_STOCKTIP54 + __KAM_STOCKTIP55 + __KAM_STOCKTIP56 + __KAM_STOCKTIP57 + __KAM_STOCKTIP58 + __KAM_STOCKTIP59 + __KAM_STOCKTIP60 + __KAM_STOCKTIP61 + __KAM_STOCKTIP62 + __KAM_STOCKTIP63 + __KAM_STOCKTIP64 + __KAM_STOCKTIP65 + __KAM_STOCKTIP67 + __KAM_STOCKTIP68 + __KAM_STOCKTIP69 + __KAM_STOCKTIP70 + __KAM_STOCKTIP71 + __KAM_STOCKTIP72 + __KAM_STOCKTIP73 + __KAM_STOCKTIP74 + __KAM_STOCKTIP75 + __KAM_STOCKTIP76 + __KAM_STOCKTIP77 + __KAM_STOCKTIP78 + __KAM_STOCKTIP79 + __KAM_STOCKTIP80 + __KAM_STOCKTIP81 + __KAM_STOCKTIP82 + __KAM_STOCKTIP83 + __KAM_STOCKTIP84 + __KAM_STOCKTIP85 + __KAM_STOCKTIP86 + __KAM_STOCKTIP87 + __KAM_STOCKTIP88 + __KAM_STOCKTIP89 + __KAM_STOCKTIP90 + __KAM_STOCKTIP91 + __KAM_STOCKTIP92 + __KAM_STOCKTIP93 + __KAM_STOCKTIP94 + __KAM_STOCKTIP95 + __KAM_STOCKTIP96 + __KAM_STOCKTIP97 + __KAM_STOCKTIP98 + __KAM_STOCKTIP99 + __KAM_STOCKTIP100 + __KAM_STOCKTIP101 + __KAM_STOCKTIP102 + __KAM_STOCKTIP103 + __KAM_STOCKTIP104 + __KAM_STOCKTIP105 + __KAM_STOCKTIP106 + __KAM_STOCKTIP107 + __KAM_STOCKTIP108 + __KAM_STOCKTIP109 + __KAM_STOCKTIP111 + __KAM_STOCKTIP112 + __KAM_STOCKTIP113 + __KAM_STOCKTIP114 + __KAM_STOCKTIP115 + __KAM_STOCKTIP116 + __KAM_STOCKTIP117 + __KAM_STOCKTIP118 + __KAM_STOCKTIP119 + __KAM_STOCKTIP120 + __KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP141 >= 1)
describe KAM_STOCKTIP Email Contains Pump & Dump Stock Tip
score KAM_STOCKTIP 5.5

#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
# A "symbol"-style label, a separator, then four upper-case letters or digits with
# optional punctuation between them. No /i flag: the case variants are spelled out.
# NOTE(review): this sub-rule carries its own score and describe lines although its
# name starts with "__" - confirm whether they have any effect.
body __KAM_STOCK3 /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score __KAM_STOCK3 0.1
describe __KAM_STOCK3 Email Looks like it references a 4 character stock symbol

#GENERIC STOCK RULE
# Generic fallback: a stock-context signal plus a ticker-shaped token, and only when
# KAM_STOCKTIP did not fire. __KAM_STOCKJUMP is not part of this context sum.
meta KAM_STOCKGEN (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe KAM_STOCKGEN Email Contains Generic Pump & Dump Stock Tip
score KAM_STOCKGEN 1.5

#KAM STOCK RULE #2
# Four of the five signals are required.
body __KAM_STOCK2_1 /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)/i
body __KAM_STOCK2_2 /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket)/i
body __KAM_STOCK2_3 /stock/i
body __KAM_STOCK2_4 /trader/i
header __KAM_STOCK2_5 Subject =~ /stock|bull market|penny/i
meta KAM_STOCK2 (__KAM_STOCK2_1 + __KAM_STOCK2_2 + __KAM_STOCK2_3 + __KAM_STOCK2_4 + __KAM_STOCK2_5) >= 4
score KAM_STOCK2 2.5
describe KAM_STOCK2 Another Round of Pump & Dump Stock Scans

#JUDGEMENTS
body __KAM_JUDGE1 /(unpaid court|(un-?collected|unsatisfied) judgments)/is
body __KAM_JUDGE2 /(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body __KAM_JUDGE3 /collect your money/is
body __KAM_JUDGE4 /judgment/i
#FULL-WEIGHT
header __KAM_JUDGE5 Subject =~ /judgment/i
# JUDGE3 and JUDGE4 are summed and divided by two, so each is worth half a point
# towards the threshold of 2.
meta KAM_JUDGE (__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe KAM_JUDGE Email Contains Judicial Judgment Solicitation
score KAM_JUDGE 2.5

# Background-check solicitations: any two of four signals.
# __KAM_BACK1 is case-sensitive (no /i): only upper-case "NATIONAL" matches.
body __KAM_BACK1 /NATIONAL/
body __KAM_BACK2 /(Property & Personal history|Asset & Background) (Investigation|Search)/is
body __KAM_BACK3 /(background check|detective|investigator)/is
header __KAM_BACK4 Subject =~ /(background check|date-smart|detective|finding people)/i
describe KAM_BACK Background Check SPAM
meta KAM_BACK (__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 >=2)
score KAM_BACK 1.5

#MEDS
# Both are required: an obfuscated "economize ... med" phrase and a two-digit percentage.
body __KAM_MED1 /e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body __KAM_MED2 /\d\d ?%/
describe KAM_MED Economizing your meds spam
meta KAM_MED (__KAM_MED1 + __KAM_MED2 >= 2)
score KAM_MED 1.5

#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
# The sub-rule __KAM_MED2 above and the meta KAM_MED2 below are different rules; the
# names differ only by the "__" prefix.
header __KAM_MED2_1 Subject =~ /Pharmacy order \#\d{5}/i
describe KAM_MED2 More Medical SPAM
meta KAM_MED2 (__KAM_MED2_1 >= 1)
score KAM_MED2 1.0

#TIME PIECE
header __KAM_TIME1 Subject =~ /(replica|diamond|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)/i
#0.50 WEIGHTED TESTS
body __KAM_TIME2 /(replica|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header __KAM_TIME3 Subject =~ /time|watch/i
body __KAM_TIME4 /time|watch/i
body __KAM_TIME5 /(funny|low) price/i
#REMOVED WORD OMEGA FROM BRANDS. TOO MANY FPs.
body __KAM_TIME6 /(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i
# __KAM_TIME1 counts as a full point; TIME2..TIME6 count half a point each.
meta KAM_TIME ((__KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2)) >= 2)
describe KAM_TIME Pssss. Hey Buddy, wanna buy a watch?
score KAM_TIME 3.0
# Combines KAM_TIME with the KAM_GEO_STRING2 uri rule defined further down in this
# file; its 3.5 is added on top of the two rules' own scores.
meta KAM_TIMEGEO (KAM_GEO_STRING2 && KAM_TIME)
describe KAM_TIMEGEO Email references geocities & wrist watch sales
score KAM_TIMEGEO 3.5

#YOUR HOME
body __KAM_HOME1 /YOUR HOME/i
body __KAM_HOME2 /Build your equity faster/i
body __KAM_HOME3 /tax saving plans/i
meta KAM_HOME ((__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3) >= 2)
describe KAM_HOME Mortage & Refinance Spam Rule
score KAM_HOME 3.5

#UNIVERSITY RULE
# Two groups: any 2 of the eighteen numbered phrases, OR any 3 of the six "B" phrases.
# NOTE(review): several character classes in this file contain non-ASCII letters;
# how they match depends on the encoding of this file and of the message body - confirm.
body __KAM_UNIV1 /(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body __KAM_UNIV2 /\d (week|month).{0,30}degree/is
body __KAM_UNIV3 /(past work|professional|based on your|earned from|life|life and work|present work) experience/is
body __KAM_UNIV4 /not official degree|non[ -]?accredited/is
body __KAM_UNIV5 /novelty (degree|use)/is
body __KAM_UNIV6 /verifiable University Degree/is
body __KAM_UNIV7 /(life|work) experience (diploma|degree|transcript)/is
body __KAM_UNIV8 /Career Path/is
body __KAM_UNIV9 /non[- ]?ac(creditee?d)?.{1,10}universit/is
body __KAM_UNIV10 /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body __KAM_UNIV11 /(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
body __KAM_UNIV12 /(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body __KAM_UNIV13 /(degree|field|diploma) of your (choice|expertise)/is
body __KAM_UNIV14 /(earn a|full) transcript/is
body __KAM_UNIV15 /(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body __KAM_UNIV16 /\d weeks.{0,30}graduated/is
header __KAM_UNIV17 Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body __KAM_UNIV18 /100% discrete/is
body __KAM_UNIV1B /\d (months|weeks)/i
body __KAM_UNIV2B /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body __KAM_UNIV3B /(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
body __KAM_UNIV4B /1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body __KAM_UNIV5B /F A S T[ ]{0,4}T R A C K/is
body __KAM_UNIV6B /DIP\sLOMA/
meta KAM_UNIV ((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe KAM_UNIV Diploma Mill Rule
score KAM_UNIV 4.5

#URUNIT
body __KAM_URUNIT1 /\bur (unit|liveliness|energy level|endurance level)/is
body __KAM_URUNIT2 /\bur (gf|girl|wife|size|thing|partner|significant other)/is
body __KAM_URUNIT3A /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body __KAM_URUNIT3 /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body __KAM_URUNIT4 /(bedroom|the bed|nighttime activit|male power|show your girl)/is
body __KAM_URUNIT5 /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body __KAM_URUNIT6 /(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header __KAM_URUNIT7 Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header __KAM_URUNIT8 Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i
# URUNIT3..URUNIT6 count half a point each; the other sub-rules count a full point.
meta KAM_URUNIT ((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)
describe KAM_URUNIT Recent penile and body enhancement spams
score KAM_URUNIT 0.5

#UR ZEST
# Any two of the five phrases. In __KAM_URZEST1 everything after the noun is optional.
body __KAM_URZEST1 /(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body __KAM_URZEST2 /or still (?:jaded|worn|drained|exasperated) all the time/i
body __KAM_URZEST3 /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body __KAM_URZEST4 /(wks it has been|been mos) since we('| ha)ve chatted/i
body __KAM_URZEST5 /(back into shape|made me healthier after my disease)/i
meta KAM_URZEST (__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe KAM_URZEST Recent penile and body enhancement spams
score KAM_URZEST 3.0

#JOB LET GO
# Both phrases are required.
body __KAM_JOB1 /let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body __KAM_JOB2 /twice as much/is
meta KAM_JOB (__KAM_JOB1 + __KAM_JOB2 >=2)
describe KAM_JOB People let go, work at home, earn billions!
# Score for the KAM_JOB meta whose sub-rules and describe line precede this point.
score KAM_JOB 4.3

#PERIMETERPARK
# Letter-spaced street address used as a literal fingerprint.
body KAM_PERPARK /P e r i m e t e r P a r k C e n t e r/i
describe KAM_PERPARK Obfuscated address appearing in SPAM Feb 06
score KAM_PERPARK 2.5

#HOLLYWOOD WAY
# The pattern ends with a space before the closing slash, so a trailing space is required.
body KAM_HOLLY /1 0 2 0 N H o l l y w o o d W a y /i
describe KAM_HOLLY Obfuscated address appearing in SPAM Jun 06
score KAM_HOLLY 2.5

#PUMP & DUMP STOCK GRAPHICS
# An image-dominated HTML message (stock HTML_IMAGE_ONLY_* rules) combined with a
# stock-themed or "Fw: <six digits>" Subject. This rule has no describe line.
header __KAM_STOCKG1 Subject =~ /^Fw: \d{6}$/i
header __KAM_STOCKG2 Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta KAM_STOCKG ((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
score KAM_STOCKG 3.0

#CEP Diploma Mill
# Any three of six phrases. __KAM_CEP4 is case-sensitive (no /i).
body __KAM_CEP1 /Job Prospect Newsletter/i
body __KAM_CEP2 /legitimate verifiable degree/i
body __KAM_CEP3 /Career Education program/i
body __KAM_CEP4 /(MBA|CEP)/
body __KAM_CEP5 /degree\/certificates/i
body __KAM_CEP6 /\d (week|month)/i
meta KAM_CEP ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6) >= 3)
describe KAM_CEP CEP Diploma Mill Rule
score KAM_CEP 3.5

# Everything up to "endif" is loaded only by SpamAssassin versions below 3.2.
if (version < 3.200000)
  #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
  #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
  meta KAM_BLANK01 (MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
  describe KAM_BLANK01 Blank emails
  score KAM_BLANK01 1.0

  #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
  meta KAM_BLANK02 (KAM_BLANK01 && MSGID_FROM_MTA_ID)
  describe KAM_BLANK02 Blank emails with MTA Headers
  score KAM_BLANK02 1.0
endif

# NOTE(review): every uri rule below that is anchored on "^http:\/\/" cannot match
# the same host when it is linked over https://. If these hosts are still of
# interest, the scheme would need to be http(s) - confirm.

#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken (T_GEO_QUERY_STRING)
# Any geocities URL with a non-empty path; the host may carry a short subdomain,
# ".yahoo", a country suffix and a port.
uri KAM_GEO_STRING2 /^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe KAM_GEO_STRING2 Use of geocities/yahoo very likely spam as of Dec 2005
score KAM_GEO_STRING2 4.7

#KAM GOOGLE SPAM
# Links that go through Google's /url?q= redirector, which hides the real target.
# NOTE(review): the dots in "www.google.com" are unescaped and therefore match any character.
uri KAM_GOOGLE_STRING /^http:\/\/www.google.com\/url\?q=/i
describe KAM_GOOGLE_STRING Use of Google redir appearing in spam July 2006
score KAM_GOOGLE_STRING 1.0

#KAM MSN SPAM
# NOTE(review): in __KAM_MSN_STRING2 the leading ".{0,20}" may include "/" and nothing
# follows ".com", so "spaces.live.com" appearing in a path or as a prefix of a longer
# host name also matches; __KAM_LIVE1 below has the same shape.
uri __KAM_MSN_STRING1 /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri __KAM_MSN_STRING2 /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta KAM_MSN_STRING (__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe KAM_MSN_STRING spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score KAM_MSN_STRING 2.5

#KAM LIVEJOURNAL SPAM
uri __KAM_LIVE1 /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta KAM_LIVE (__KAM_LIVE1)
describe KAM_LIVE blogspot.com & livejournal.com likely spam (Apr 2010)
score KAM_LIVE 2.5

# This rule is to mark emails using the exploit of the URI parsing
# Matches "%00", "%01" or a NUL byte followed within 100 characters by "@", i.e. a
# control character placed in front of the "@" of a URL. No legitimate link needs
# this, hence the high score.
uri KAM_URIPARSE /(\%0[01]|\0).{1,100}\@/i
describe KAM_URIPARSE Attempted use of URI bug-high probability of fraud
score KAM_URIPARSE 7.0

#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri KAM_EBAYREDIR /.*.ebay.com.*RedirectToDomain/i
#describe KAM_EBAYREDIR Attempted use of eBay redirect-likely fraud
#score KAM_EBAYREDIR 7.0

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
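# Both subrules use From:addr, so they only examine the first address in the
# From header rather than the display name. The escaped dot and the trailing $
# stop a host that merely begins with "aol.com" (or has another character in
# place of the dot) from being treated as AOL.
header __KAM_AOL From:addr =~ /\@aol\.com$/i
describe __KAM_AOL Partial Rule: Marks AOL Addresses
# NOTE(review): the local part is not anchored at its start, so this only
# proves that the 3-16 characters just before '@' are a letter followed by
# alphanumerics. Adding ^ would enforce the syntax cited above, but confirm
# AOL's current username rules first; the cited FAQ is the only source here.
header __KAM_GOODAOL From:addr =~ /[a-z][a-z0-9]{2,15}\@aol\.com$/i
describe __KAM_GOODAOL Partial Rule: Marks well-formed AOL Addresses
meta KAM_COMBO_BADAOL __KAM_AOL && !(__KAM_GOODAOL)
describe KAM_COMBO_BADAOL Invalid AOL Email Address-High probability of spam
score KAM_COMBO_BADAOL 3.0

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header KAM_ADV_EMAIL From =~ /(^| |<)ADV\@/i
describe KAM_ADV_EMAIL Marks adv@ Addresses as likely SPAM
score KAM_ADV_EMAIL 16.0

#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
# Any single subrule below is enough to trigger KAM_SEX_EXPLICIT.
header __KAM_SEX_EXPLICIT1 Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header __KAM_SEX_EXPLICIT2 Subject =~ /(fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock)/i
header __KAM_SEX_EXPLICIT3 From =~ /better sex/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER
body __KAM_SEX_EXPLICIT4 /fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)/i
meta KAM_SEX_EXPLICIT (__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 >= 1)
describe KAM_SEX_EXPLICIT Subject or body indicates Sexually Explicit material
score KAM_SEX_EXPLICIT 16.0

#TESTING RULE
# NOTE(review): the trigger phrase is published with this file, so any sender
# can reach the +50 score; use a site-private string if that matters locally.
body LOCAL_TEST1 /myspamtest12341234/
describe LOCAL_TEST1 This is a unique phrase to trigger a + score
score LOCAL_TEST1 50

#KAM_TELEWORK
# Any three of the seven subrules trigger the rule.
body __KAM_TELEWORK1 /(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)/is
body __KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body __KAM_TELEWORK3 /return(?:ing)? (phone )?calls/is
body __KAM_TELEWORK4 /fully qualified|no experience needed/is
body __KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees/is
body __KAM_TELEWORK6 /earning up to \d*USD|earn thousands of dollars|\d% commission/is
header __KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city/i
meta KAM_TELEWORK (__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 >= 3)
describe KAM_TELEWORK Stupid telework scam
score KAM_TELEWORK 3.0

#REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
# These rules read an X-KAM-Reverse header and score on its value.
# NOTE(review): confirm the local filter removes any X-KAM-Reverse header that
# arrives with the message before adding its own. If it does not, the sender
# controls the value, and KAM_RPTR_PASSED below awards a negative score.
header KAM_RPTR_FAILED X-KAM-Reverse =~ /^Failed/
describe KAM_RPTR_FAILED Failed Mail Relay Reverse DNS Test
score KAM_RPTR_FAILED 6.0
header KAM_RPTR_SUSPECT X-KAM-Reverse =~ /^Suspect/
describe KAM_RPTR_SUSPECT Suspected Dynamic IP from Mail Relay Reverse DNS Test
score KAM_RPTR_SUSPECT 3.0
#REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE. NOTED by David Goldsmith.
# The -1.0 is only granted when none of the listed blocklist, SPF and KAM
# rules hit (their sum is below 1).
header __KAM_RPTR_PASSED X-KAM-Reverse =~ /^Passed/
meta KAM_RPTR_PASSED (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_SC_SURBL + URIBL_WS_SURBL + URIBL_PH_SURBL + URIBL_OB_SURBL + URIBL_AB_SURBL + URIBL_JP_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BCUDA_RBL + RCVD_IN_BCUDA_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL < 1))
describe KAM_RPTR_PASSED Passed Mail Relay Reverse DNS Test
score KAM_RPTR_PASSED -1.0
header KAM_RPTR_MISSING X-KAM-Reverse =~ /^Missing/
describe KAM_RPTR_MISSING Mail Relay Reverse DNS Entry Missing!
score KAM_RPTR_MISSING 9.0

#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header KAM_6C822ECF Message-Id =~ /\$6c822ecf\@/i
describe KAM_6C822ECF $6c822ecf@ VERY prevalent message-ID header in SPAMs
score KAM_6C822ECF 7.0

#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header __KAM_MUSTREAD1 Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header __KAM_MUSTREAD2 Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i
meta KAM_MUSTREAD (__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe KAM_MUSTREAD Subject indicative of a SPAM message
score KAM_MUSTREAD 1.25
# KAM_DRILL counts KAM_MUSTREAD as one of its five inputs and needs four.
body __KAM_DRILL1 /drilling/i
body __KAM_DRILL2 /oil (company|partnership|and gas rights)/i
body __KAM_DRILL3 /(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body __KAM_DRILL4 /(buy today|Check this deal out)/i
meta KAM_DRILL (KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe KAM_DRILL Oil Drilling SPAM
score KAM_DRILL 1.5

#WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
# Scores on the X-IframeWarning header text; the score is positive, so a
# sender-supplied copy of the header can only raise that sender's own score.
header KAM_IFRAME X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
describe KAM_IFRAME Email contained Iframe, Object or Script tags
score KAM_IFRAME 1.0

#STUPID REMOVE "*" to make the link working.
body __KAM_STAR1 /REMOVE ("\*"|space) (in the above|to make the) link/i
meta KAM_STAR (__KAM_STAR1 >= 1)
describe KAM_STAR Stupid Obfuscated Link SPAMs
score KAM_STAR 2.0

#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME.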
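# Boilerplate footer phrases; any three of the six trigger KAM_SPAMKING.
body __KAM_SPAMKING1 /This advertisement is presented by/is
body __KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body __KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body __KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body __KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body __KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is
meta KAM_SPAMKING (__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe KAM_SPAMKING SPAM using throw-away domains and addresses. SpamKing's Heir!
score KAM_SPAMKING 1.0

#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header KAM_SPAMJDR X-Mailerinfo =~ /OTHR_JDR/
describe KAM_SPAMJDR Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
score KAM_SPAMJDR 2.0
# Extra score when both of the two rules above hit.
meta KAM_COMBOJDR (KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe KAM_COMBOJDR Spam Test for Rules Combined with KAM_SPAMJDR
score KAM_COMBOJDR 5.0

#LOTTO CRUD
# Eight subrules (__KAM_LOTTO1..8) feed three tiered metas: KAM_LOTTO1 at three
# hits, KAM_LOTTO2 at four, KAM_LOTTO3 at five. The tiers are cumulative, so a
# message with five hits collects all three scores.
body __KAM_LOTTO1 /((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d* lucky recipients|for claim and inquiring)/is
body __KAM_LOTTO3 /(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
body __KAM_LOTTO4 /(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier)/is
body __KAM_LOTTO5 /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery)/is
body __KAM_LOTTO6 /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)/is
header __KAM_LOTTO7 Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|PRIZE WINNER|Reference Number)/i
header __KAM_LOTTO8 From =~ /Lottery/i
meta KAM_LOTTO1 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 >= 3)
describe KAM_LOTTO1 Likely to be an e-Lotto Scam Email
score KAM_LOTTO1 0.5
meta KAM_LOTTO2 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 >= 4)
describe KAM_LOTTO2 Highly Likely to be an e-Lotto Scam Email
score KAM_LOTTO2 1.0
meta KAM_LOTTO3 (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 >= 5)
describe KAM_LOTTO3 Almost certain to be an e-Lotto Scam Email
score KAM_LOTTO3 2.0

#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header __KAM_ABOUT1 Subject =~ /About your Internet (activities|activity)/i
body __KAM_ABOUT2 /Spyware/i
meta KAM_ABOUT (__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
describe KAM_ABOUT Email Scam Hawking Anti-Spyware
score KAM_ABOUT 1.0

#EMAIL ADVERTISING
# All four subrules must hit.
body __KAM_ADVERT1 /email advertising/is
body __KAM_ADVERT2 /instant traffic (to your website|and sales)/is
body __KAM_ADVERT3 /Email Ad Broadcast|Double OPT IN list/is
header __KAM_ADVERT4 Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)/i
meta KAM_ADVERT (__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe KAM_ADVERT Mailing List Scammers Hawking Their Lists / Services
score KAM_ADVERT 2.5

#DOMAIN ADVERTISING
body KAM_ADVERT3 /AllExpiringDomains.com/i
describe KAM_ADVERT3 Traffic / Expiring Domain List Spam
score KAM_ADVERT3 5.0

#ADVERTISEMENT
# Generic bulk-mail footer and header phrases, matched against the raw body.
# The "This ... is an Ad" alternative puts the space after the optional word:
# with the space in front of it, "This message is an Ad" and "This email is an
# Ad" could never match, and only "This is an Ad" did.
rawbody KAM_ADVERT2 /(No longer interested in our offers|This (?:message |email )?is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a commercial message|This message brought to you|THIS EMAIL IS A COMMERCIAL SOLICITATION|If you no longer wish to receive further offers)/is
describe KAM_ADVERT2 This is probably an unwanted commercial email...
score KAM_ADVERT2 0.55

#ONE LINE ADVERTISEMENTS
body __KAM_1LINE1 /(free score and report|Did you overpay\?)/is
header __KAM_1LINE2 Subject =~ /(free online score & report|I need tax savings? tip)/i
meta KAM_1LINE (__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe KAM_1LINE One liner SPAMs
score KAM_1LINE 2.5

#CAN SPAM
body KAM_CANSPAM /(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act)/is
describe KAM_CANSPAM SPAM = Lack of Consent (not a Legal Definition)
score KAM_CANSPAM 1.0

#GIFT CARDS
# Any two of the six subrules trigger the rule.
body __KAM_GIFT1 /(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+ gift card|Secret gift card)/is
body __KAM_GIFT2 /(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body __KAM_GIFT3 /every girl loves to buy|do you need a new|offer pass you by/i
body __KAM_GIFT4 /card will be yours free|card on us|buy you the dyson animal/i
body __KAM_GIFT5 /member incentive program/i
header __KAM_GIFT6 From =~ /\$\d+ ?gift ?card/i
meta KAM_GIFT (__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + __KAM_GIFT6 >= 2)
describe KAM_GIFT Gift Card Scams
score KAM_GIFT 2.5

#MYSTERY SHOPPER
body __KAM_SHOP1 /chosen to participate as a Mystery Shopper/is
body __KAM_SHOP2 /Do you like to shop/is
body __KAM_SHOP3 /make money while you shop/is
meta KAM_SHOP (__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe KAM_SHOP Mystery Shopper Scams
score KAM_SHOP 2.0

#FAST CASH
# Requires the phrase below together with a KAM_ADVERT2 hit.
rawbody __KAM_FAST1 /make fast cash in real estate/is
meta KAM_FAST (__KAM_FAST1 + KAM_ADVERT2 >=2)
describe KAM_FAST Get Rich Quick, Make Money Fast Schemes
score KAM_FAST 1.8

#BIZ CARDS FREE!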
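body __KAM_BIZ1 /You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer/is
header __KAM_BIZ2 Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for/i
header __KAM_BIZ3 From =~ /Free Business Cards|Custom Printing|Premium Cards/i
meta KAM_BIZ (__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe KAM_BIZ Free Business Card Emails
score KAM_BIZ 2.5

#FDA
# The meta has no comparison, so it is true as soon as any one subrule hits.
body __KAM_FDA1 /statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body __KAM_FDA2 /not intended to diagnose,? treat,? cure,? or prevent/i
body __KAM_FDA3 /FDA Recall/i
meta KAM_FDA (__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe KAM_FDA Carries a not evaluated by the FDA warning or recall warning
score KAM_FDA 0.5

#WEIGHT LOSS
# These three subrules carry no score of their own; they feed KAM_ANA below.
body __KAM_WEIGHT1 /(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments)/is
body __KAM_WEIGHT2 /(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet)/is
header __KAM_WEIGHT3 Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|green Tea|wuYi tea|(drop|lost) \d* pounds|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast)/i

#ANATRIM / GREEN TEA / CORTITHERM / ETC
body __KAM_ANA1 /(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite)/i
header __KAM_ANA2 From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on/i
meta KAM_ANA (__KAM_ANA1 + __KAM_ANA2 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + KAM_FDA + __KAM_HTML1 >= 3)
describe KAM_ANA Likely Weight-loss / Medical Spam
score KAM_ANA 3.25

#REPLACE
# Three independent pairs; KAM_REPLACE fires when both halves of any pair hit.
body __KAM_REP1 /Replace \[?[-!~\.]\]? with \./is
body __KAM_REP2 /www\s+[-!~\.]/i
body __KAM_REP2_1 /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body __KAM_REP2_2 /in your (IE|internet|explorer|browser)/i
body __KAM_REP3_1 /\*omit empty spaces/is
body __KAM_REP3_2 /.\s+(COM|org|net|info)$/i
meta KAM_REPLACE (__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe KAM_REPLACE Spams that use obfuscated URLs with instructions
score KAM_REPLACE 2.0

#EVEN MORE NIGERIAN SCAMS AND VARIANTS
# Needs four hits out of the five subrules here plus __KAM_REFI4.
body __KAM_NIGERIAN1 /(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)/is
body __KAM_NIGERIAN2 /(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin)/is
body __KAM_NIGERIAN3 /(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)/is
body __KAM_NIGERIAN4 /(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin)/is
body __KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return/i
meta KAM_NIGERIAN (__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + __KAM_REFI4 >= 4)
describe KAM_NIGERIAN Nigerian Scam and Variants
score KAM_NIGERIAN 2.5

#I LIKE YOUR SPAM
body __KAM_LIKE1 /been working (extremely|very) hard on my friend's website/is
body __KAM_LIKE2 /a link from .{1,54} would be greatly appreciated/is
body __KAM_LIKE3 /(link exchange|in return to me linking back)/is
body __KAM_LIKE4 /HTML code for the link/is
body __KAM_LIKE5 /I apologize if this message was sent, in error/is
meta KAM_LIKE (__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe KAM_LIKE I like your website link exchange spam
score KAM_LIKE 2.0

#PUBLICLY AVAILABLE LISTS?
body KAM_PUBLIC /obtained your email address from a publicly available list|find your mail in public forum/is
describe KAM_PUBLIC Obtained from Public List != to Consent == SPAM!
score KAM_PUBLIC 9.0

#SEXUALLY EXPLICIT RULES ROUND TWO
# Needs two points; the three __KAM_VIAGRA* subrules together count as at most
# one point.
body __KAM_SEX1 /(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)/i
body __KAM_SEX2 /(?:cunt|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)/i
header __KAM_SEX3 Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body __KAM_SEX4 /(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|female orgasms|extreme penetration)/i
describe KAM_SEX Sexually Explicit SPAM / Penis Enlargement Scam
score KAM_SEX 7.0
meta KAM_SEX (__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1) >= 2)

#STUPID PICTURE SPAMS
body __KAM_PIC1 /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)/is
body __KAM_PIC2 /(nice|25 y.o.|pretty russian|I russian) girl/is
body __KAM_PIC3 /like to chat|feelings can be true/is
body __KAM_PIC4 /(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)/is
body __KAM_PIC5 /picture|photo|my pics/i
describe KAM_PIC Share Pictures and Chat SPAM
score KAM_PIC 3.5
meta KAM_PIC (__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 >= 4)

#STUPID MAILING LIST SPAMS
body __KAM_LIST1 /((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state)/is
body __KAM_LIST2 /(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields)/is
body __KAM_LIST3 /price\:/is
body __KAM_LIST4 /(?:database|list|[\d,]+ e-?mails)/is
body __KAM_LIST5 /(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard/is
header __KAM_LIST6 Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database/i
describe KAM_LIST Mailing List Database SPAM
score KAM_LIST 3.0
meta KAM_LIST (__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)

#YET MORE DRUG SCAMS
# Needs four hits across the four subrules here, two __KAM_VIAGRA* subrules
# and KAM_REPLACE.
body __KAM_DRUG1 /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy/is
body __KAM_DRUG2 /cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)/is
rawbody __KAM_DRUG3 /local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body __KAM_DRUG4 /click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is
describe KAM_DRUG More Viagra, Medicine, et al Scams
score KAM_DRUG 2.5
meta KAM_DRUG (__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)

#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
# KAM_BADIPHTTP used to be computed as (__KAM_IPHTTP - __KAM_GOODIPHTTP), so
# one private-range link anywhere in the message cancelled every other IP
# link. It is now driven by a single subrule whose negative lookahead skips
# links starting 192.168. or 10. and matches any other dotted-quad link, so a
# private-range link no longer masks a non-private one.
# __KAM_GOODIPHTTP is kept because rules outside this section may reference it;
# __KAM_IPHTTP is still used by KAM_CARD below.
rawbody __KAM_GOODIPHTTP /https?:\/\/(192\.168|10\.)/i
rawbody __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
rawbody __KAM_PUBIPHTTP /https?:\/\/(?!(?:192\.168|10)\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_BADIPHTTP Due to the Storm Bot Network, IPs in emails is bad
score KAM_BADIPHTTP 2.0
meta KAM_BADIPHTTP (__KAM_PUBIPHTTP >= 1)

# Text that spells the dot of a hostname as [DOT] and tells the reader to
# replace it; both phrases must be present.
body __KAM_HIDDEN_URI1 /\[DOT\]com/is
body __KAM_HIDDEN_URI2 /replace "?\[DOT\]/is
meta KAM_HIDDEN_URI (__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe KAM_HIDDEN_URI URI obfuscation techniques
score KAM_HIDDEN_URI 4.0

#ODD INFO URL
# Matches http:// followed by exactly eight characters and then ".info".
rawbody KAM_INFO /http:\/\/.{8}\.info/i
score KAM_INFO 1.0
describe KAM_INFO Prevalent use of .info domains in spam/malware

#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
# Needs three hits across the five subrules here, KAM_INFO, __KAM_IPHTTP and
# KAM_RPTR_SUSPECT.
body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body __KAM_CARD2 /(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable/i
body __KAM_CARD3 /I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header __KAM_CARD4 Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|(You've|you have) received an? greeting e?card|hot news|(\s|^)e-?cards?(\s|$)/i
# NOTE(review): "groups.google.com" counts any mention of that host as one of
# the three points; the dots in this pattern are also unescaped.
rawbody __KAM_CARD5 /postcard(\.gif)?\.exe|card.zip|groups.google.com/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice
score KAM_CARD 3.5
meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFO + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)

#INSURANCE SCAMS
header __KAM_INSURE1 Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage/i
body __KAM_INSURE2 /find better Health Insurance Rates Today|get information about health coverage/i
describe KAM_INSURE Health Insurance SPAMs
score KAM_INSURE 1.0
meta KAM_INSURE (__KAM_INSURE1 + __KAM_INSURE2 + KAM_ADVERT2 >= 2)

#HEALTH INSURANCE
body __KAM_HEALTH1 /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body __KAM_HEALTH2 /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com/i
rawbody __KAM_HEALTH3 /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam/i
rawbody __KAM_HEALTH4 /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term/i
header __KAM_HEALTH5 Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term life insurance|New Health Insurance|\$\d+\/mo|lifepolicy/i
describe KAM_HEALTH Health/Life Insurance Spam Emails
score KAM_HEALTH 3.0
meta KAM_HEALTH (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)

#HEALTH INSURANCE
body __KAM_HEALTH2_1 /affordable health coverage/i
header __KAM_HEALTH2_2 Subject =~ /health insurance quote/i
describe KAM_HEALTH2 Health Insurance Spam Emails
score KAM_HEALTH2 3.0
meta KAM_HEALTH2 (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)

#REAL ESTATE INVESTMENT SCAMS
# All five subrules must hit.
body __KAM_REAL2_1 /(?:Property available|on the water|costa rica)/i
body __KAM_REAL2_2 /(?:pre-development prices|finish building|torn down to build|exclusive place)/i
body __KAM_REAL2_3 /(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body __KAM_REAL2_4 /(?:home sites|raw land|vacation home)/i
body __KAM_REAL2_5 /(?:developers|estates|buyer flying in|retirement plans)/i
describe KAM_REAL2 Real-estate investment scams
score KAM_REAL2 1.0
meta KAM_REAL2 (__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)

#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES
ifplugin Mail::SpamAssassin::Plugin::PDFInfo
#Thanks to Ben Lentz for pointing out a lint error with this.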
# The rules down to "endif" sit inside the ifplugin
# Mail::SpamAssassin::Plugin::PDFInfo section opened just above.
describe KAM_BADPDF Prevalent Junk PDF SPAMs - BAD SUBJECT
score KAM_BADPDF 2.5
header KAM_BADPDF Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
describe KAM_BADPDF1 Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
score KAM_BADPDF1 2.5
meta KAM_BADPDF1 (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
#2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule. That was NOT the intent.
# Two of (KAM_BADPDF, KAM_BADPDF1, MISSING_SUBJECT) plus a suspect or failed
# reverse-DNS result are required.
describe KAM_BADPDF2 Prevalent Junk PDF SPAMs - 3 STRIKES
score KAM_BADPDF2 2.5
meta KAM_BADPDF2 (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
endif

#FAKE PDF READER/WRITE
# Any three of the four subrules trigger the rule.
body __KAM_FAKEPDF1 /Download PDF Reader.Writer/is
body __KAM_FAKEPDF2 /Reader 2010/is
header __KAM_FAKEPDF3 From =~ /adobe/is
header __KAM_FAKEPDF4 Subject =~ /reader.writer version 2010/is
meta KAM_FAKEPDF (__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
describe KAM_FAKEPDF Fake PDF Reader / Writer
score KAM_FAKEPDF 4.0

#VACU AND VARIOUS PHISHING SCAMS
# KAM_PHISH2 needs both the subject subrule and the bank-name subrule, and
# then either a suspicious link (an IP-address link via __KAM_IPHTTP, or a
# .kr/.hk/.edu host) or all four of the stock phrases.
#SUBJECTS
header __KAM_PHISH2_1 Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised)/i
#BANKS
body __KAM_PHISH2_2 /Virginia Credit Union|Lloyds/is
#BAD LINKS
rawbody __KAM_PHISH2_3 /https?:\/\/.{5,30}\.(kr|hk|edu)\//i
#STUPID STATEMENTS
body __KAM_PHISH2_4 /unauthori[sz]ed use/i
body __KAM_PHISH2_5 /account suspension/i
body __KAM_PHISH2_6 /confirm your online banking details/i
body __KAM_PHISH2_7 /extra security check/i
describe KAM_PHISH2 Prevalent Phishing Scam emails
score KAM_PHISH2 2.0
meta KAM_PHISH2 (__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))

#CRAZY HEX EMPTY MESSAGE
# A body line of eight hex digits together with an all-digit subject of five
# or six characters.
body __KAM_HEX1 /^[a-f0-9]{8}(\b|$)/i
header __KAM_HEX2 Subject =~ /^\d{5,6}$/
describe KAM_HEX Crazy Empty Hex Messages
score KAM_HEX 5.5
meta KAM_HEX (__KAM_HEX1 + __KAM_HEX2 >= 2)

#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
header KAM_THEBAT X-Mailer =~ /The Bat!/i
describe KAM_THEBAT Abused X-Mailer Header for The Bat! MUA
score KAM_THEBAT 1.9

#MAILER BUGS
# NOTE(review): the pattern begins with an unescaped '{'; confirm it compiles
# on the Perl versions in use, or write the braces as \{ and \}.
body __KAM_MAILER1 /{!firstname_fix}/i
meta KAM_MAILER (__KAM_MAILER1 >= 1)
score KAM_MAILER 2.0
describe KAM_MAILER Automated Mailer Tag Left in Email

#YET ANOTHER NIGERIAN SCAM VARIANT
# Both phrases plus __KAM_REFI4 are required.
body __KAM_CHECK1 /delivery fee for your che(que|ck) draft/i
body __KAM_CHECK2 /let me know when you recieve your money/i
describe KAM_CHECK Another Nigerian Bank Draft Scam
score KAM_CHECK 3.0
meta KAM_CHECK (__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)

#SEE OPRAH LIVE!
body __KAM_OPRAH1 /airfare/i
body __KAM_OPRAH2 /hotel/i
body __KAM_OPRAH3 /oprah/i
header __KAM_OPRAH4 Subject =~ /see\s+.*oprah\s+.*live/i
describe KAM_OPRAH SPAMs re: Oprah Winfrey Show
score KAM_OPRAH 2.5
meta KAM_OPRAH (__KAM_OPRAH1 + __KAM_OPRAH2 + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)

#EBAY TIPS
body __KAM_EBAY1 /Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body __KAM_EBAY2 /Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header __KAM_EBAY3 Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i
describe KAM_EBAY SPAMs re: eBay Auction Tips
score KAM_EBAY 3.5
meta KAM_EBAY (__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)

#GAS PRICES
body __KAM_GAS1 /Gas prices are at an? all time high|\$\d per gallon/i
body __KAM_GAS2 /We have a solution|save \d* cents per gallon/i
header __KAM_GAS3 Subject =~ /High Gas Prices|ripped off for gas|Save \d*c per gallon/i
header __KAM_GAS4 From =~ /gas/i
describe KAM_GAS SPAMs re: High Gas Prices
score KAM_GAS 4.5
meta KAM_GAS (__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)

#WEIRD BODY MESSAGES
# Matches the literal text {_BODY_HTML} in the body.
# NOTE(review): same leading unescaped '{' as __KAM_MAILER1 above.
body KAM_BODY /{_BODY_HTML}/i
score KAM_BODY 1.0
describe KAM_BODY Odd Erectile Dysfunction Messages with Poor Formatting

#FREE TV CABLE ETC
body __KAM_TV1 /watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal/i
body __KAM_TV2 /without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship/i
header __KAM_TV3 Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free/i
header __KAM_TV4 From =~ /Unlock Internet TV|Movie Download/i
meta KAM_TV (__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score KAM_TV 3.0
describe KAM_TV Free TV/Cable/etc. Scams

#WORTHLESS DEGREES
body __KAM_CAREER1 /Hospitals need you/is
body __KAM_CAREER2 /Get your Healthcare Degree/is
meta KAM_CAREER (__KAM_CAREER1 + __KAM_CAREER2 + KAM_ADVERT2 >= 3)
score KAM_CAREER 2.0
describe KAM_CAREER Spam for Career/Diploma Mills

#PILLS
header __KAM_PILLS1 Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body __KAM_PILLS2 /be (thrifty|smart|clever), buy your (pills|drugs|medications)/i
meta KAM_PILLS (__KAM_PILLS1 + __KAM_PILLS2 >=2)
score KAM_PILLS 4.0
describe KAM_PILLS Spam for scam pharmacy

#ALTERNATE EMAIL
body __KAM_ALT1 /reply to my alternative E-?mail/is
meta KAM_ALT (__KAM_ALT1 >= 1)
score KAM_ALT 0.5
describe KAM_ALT Requests use of an alternate email which may indicate spam

#POLITICAL SPAMS
#AS WE ENTER THE PRESIDENTIAL ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS
#Right vs Left
# Any two of: sender name, body text, or a Received header naming
# politicalsystems.net.
header __KAM_POLITICS1 From =~ /Right vs Left|Minuteman|Senator Sam Brownback|Pennsylvania Transportation Partners|Americans for Limited Government/i
body __KAM_POLITICS2 /Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government/i
header __KAM_POLITICS3 Received =~ /\.politicalsystems.net /i
meta KAM_POLITICS (__KAM_POLITICS1 + __KAM_POLITICS2 + __KAM_POLITICS3 >= 2)
score KAM_POLITICS 9.0
describe KAM_POLITICS Unsolicited Political E-Mails

#SPAMMING COMPANIES
#Wall Street Media
header __KAM_COMPANY1 From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i
meta KAM_COMPANY1 (__KAM_COMPANY1 >= 1)
score KAM_COMPANY1 5.0
describe KAM_COMPANY1 Egregious spammers that should also be on RBLs (and might be)
#MGM,LLC
body __KAM_COMPANY2_1 /Member Services MGM, LLC/is
meta KAM_COMPANY2 (__KAM_COMPANY2_1 >= 1)
score KAM_COMPANY2 5.0
describe KAM_COMPANY2 Egregious spammers that should also be on RBLs (and might be)

#fleeupload.com / proxenolreviews.com / etc.
- THIS WON'T SCALE LIKE THIS - IT'S ALMOST AN RBL AS-IS #OLD DOMAINS #header __KAM_COMPANY3_1 Reply-To =~ /fleeupload.com|proxenolreviews.com|dirtwhiteboard.com|groundworkmag.com|dogsupplydepot.com|ecreditchoices7.com|dungeonmasterguide.com|ripstikreviews.com|app-paradise.com|anonconfession.com|bestasiasuper.com|easycomputersuper.com|bigsuperlive.com|tootruetravel.com|PRIMETIMEWEBDEALS.COM|redcollarcrime.com|SMARTBELLSYSTEMS.com|BEDSTUYLAWYER.COM|BENEFITSBUTLER.COM|LOCALRESTAURANTFINDERS.COM|CHICAGORADIOGUIDE.COM|traceybock.com|mailcallcenter.com|singleroute.com|springsrewards.com|palmierisqualityairsystems.com|thewinningkey.com|jonholston.com|thevirtualstreet.com|quickmovessite.com|spaceaceworld.com|thefourwheel.com|pixelpaintbrush.com|goldstarcarads.com|singletrackvacations.com|superspacestars.com|sandpointlakeonline.com|filmcrack.com|theoneroad.com|thefourstate.com|mybadhost.com|euheadlights.com|jupitersflame.net|1amero.com|theliquidspace.com|succeedhotelsnow.com|centralskey.com|windmatter.com|learntopnex.com|mangoproductonline.com|singletrackmindtours.com|yournyctravel.com|greetingcardscentral.com|PASTASHOPPRODUCTIONS.COM|codecanyon.com|THECALIFORNIAMLS.NET|pointspro.com|tryclockwork.com|phansforhope.com|corbench.com|MONEYBUILDERSITE.COM|happyholidayslive.info|courseserving.com|templateblazer.com|MARCHELLOGOTTI.com|thamovment.com|cancercarechicago.com|luxomni.com|QUANTUMENERGYFIELD.COM|cashcowkuntz.com|tdcarterlaw.com|teamordinary.com|clockwalk.com|remotefeed.net|luxomni.com|oneplanetsports.com|worksmartdirect.com|relaxandfocus.com|stocklogistics.com|usadomainsinc.com|goliatpr.com|THEMLSBYOWNER.com|thinkshot.com|QUAILPLAZA.COM|capitalcitylive.com|redvined.info|petitekitten.com|excura.com|maidomainz.info|TELECOMMUNICATIONSMARKETINGSITE.INFO|secondzineb.info|certainvexer.info|canadagiftsonline.com|consciousweigh.info|easyvoicecheese.info|mygivememoreonline.info|THEDOMAINTEST.INFO|ajathleticz.com|myspeakcheese.info|provps.com|lightmoles.com|freewinterwonderland.inf
o|paperbeans.com|uwannabuy.info|nitrongills.info|grabjacksi.com|airtecportugal.com|kristiehowell.com|wirelessworldsite.com|snowskigallery.com|thefrogtv.net|myspectacular2u.info|phewinterwonderland.info|hopefulhelponline.info|singlehop-170416.com|welcomebackonline.info|classofradio.com|familialpoisonousdestroy.net|narrowlevels.net|werejamminjam.com|carsclubsearch.com|vehicleprodus.com|thebestdatamed.com|HOMEMADEPOWERPLANTONLINE.INFO|publixuserresearchgroup.info|STRUGGLINGHELPSTORE.INFO|snowskiline.com|theboatsusa.com|next-order.com|izmking.com|golfshoppingstore.com|ssltoycartonline.com|getmorewater.com|seasonalsearching.com|aquadayinc.com|allaboutbetterspent.com|pacificwatermarket.com|runningroundtrees.com|inspironmarket.com/i #header __KAM_COMPANY3_2 From =~ /fleeupload.com|proxenolreviews.com|dirtwhiteboard.com|groundworkmag.com|dogsupplydepot.com|ecreditchoices7.com|dungeonmasterguide.com|ripstikreviews.com|app-paradise.com|anonconfession.com|bestasiasuper.com|easycomputersuper.com|bigsuperlive.com|tootruetravel.com|PRIMETIMEWEBDEALS.COM|redcollarcrime.com|SMARTBELLSYSTEMS.com|BEDSTUYLAWYER.COM|BENEFITSBUTLER.COM|LOCALRESTAURANTFINDERS.COM|CHICAGORADIOGUIDE.COM|traceybock.com|mailcallcenter.com|singleroute.com|springsrewards.com|palmierisqualityairsystems.com|thewinningkey.com|jonholston.com|thevirtualstreet.com|quickmovessite.com|spaceaceworld.com|thefourwheel.com|pixelpaintbrush.com|goldstarcarads.com|singletrackvacations.com|superspacestars.com|sandpointlakeonline.com|filmcrack.com|theoneroad.com|thefourstate.com|mybadhost.com|euheadlights.com|jupitersflame.net|1amero.com|theliquidspace.com|succeedhotelsnow.com|centralskey.com|windmatter.com|learntopnex.com|mangoproductonline.com|singletrackmindtours.com|yournyctravel.com|greetingcardscentral.com|PASTASHOPPRODUCTIONS.COM|codecanyon.com|THECALIFORNIAMLS.NET|pointspro.com|tryclockwork.com|phansforhope.com|corbench.com|MONEYBUILDERSITE.COM|happyholidayslive.info|courseserving.com|templateblazer.com|MARCHELLOGOTTI.
com|thamovment.com|cancercarechicago.com|luxomni.com|QUANTUMENERGYFIELD.COM|cashcowkuntz.com|tdcarterlaw.com|teamordinary.com|clockwalk.com|remotefeed.net|oneplanetsports.com|worksmartdirect.com|relaxandfocus.com|stocklogistics.com|usadomainsinc.com|goliatpr.com|THEMLSBYOWNER.com|thinkshot.com|QUAILPLAZA.COM|capitalcitylive.com|redvined.info|petitekitten.com|excura.com|maidomainz.info|TELECOMMUNICATIONSMARKETINGSITE.INFO|secondzineb.info|certainvexer.info|canadagiftsonline.com|consciousweigh.info|easyvoicecheese.info|mygivememoreonline.info|THEDOMAINTEST.INFO|ajathleticz.com|myspeakcheese.info|provps.com|lightmoles.com|freewinterwonderland.info|paperbeans.com|uwannabuy.info|nitrongills.info|grabjacksi.com|airtecportugal.com|kristiehowell.com|wirelessworldsite.com|snowskigallery.com|thefrogtv.net|myspectacular2u.info|phewinterwonderland.info|hopefulhelponline.info|singlehop-170416.com|welcomebackonline.info|classofradio.com|familialpoisonousdestroy.net|narrowlevels.net|werejamminjam.com|carsclubsearch.com|vehicleprodus.com|thebestdatamed.com|HOMEMADEPOWERPLANTONLINE.INFO|publixuserresearchgroup.info|STRUGGLINGHELPSTORE.INFO|snowskiline.com|theboatsusa.com|next-order.com|izmking.com|golfshoppingstore.com|ssltoycartonline.com|getmorewater.com|seasonalsearching.com|aquadayinc.com|allaboutbetterspent.com|pacificwatermarket.com|runningroundtrees.com|inspironmarket.com/i #header __KAM_COMPANY3_3 Received =~ 
/fleeupload.com|proxenolreviews.com|dirtwhiteboard.com|groundworkmag.com|dogsupplydepot.com|ecreditchoices7.com|dungeonmasterguide.com|ripstikreviews.com|app-paradise.com|anonconfession.com|bestasiasuper.com|easycomputersuper.com|bigsuperlive.com|tootruetravel.com|PRIMETIMEWEBDEALS.COM|redcollarcrime.com|SMARTBELLSYSTEMS.com|BEDSTUYLAWYER.COM|BENEFITSBUTLER.COM|LOCALRESTAURANTFINDERS.COM|CHICAGORADIOGUIDE.COM|traceybock.com|mailcallcenter.com|singleroute.com|springsrewards.com|palmierisqualityairsystems.com|thewinningkey.com|jonholston.com|thevirtualstreet.com|quickmovessite.com|spaceaceworld.com|thefourwheel.com|pixelpaintbrush.com|goldstarcarads.com|singletrackvacations.com|superspacestars.com|sandpointlakeonline.com|filmcrack.com|theoneroad.com|thefourstate.com|mybadhost.com|euheadlights.com|jupitersflame.net|1amero.com|theliquidspace.com|succeedhotelsnow.com|centralskey.com|windmatter.com|learntopnex.com|mangoproductonline.com|singletrackmindtours.com|yournyctravel.com|greetingcardscentral.com|PASTASHOPPRODUCTIONS.COM|codecanyon.com|THECALIFORNIAMLS.NET|pointspro.com|tryclockwork.com|phansforhope.com|corbench.com|MONEYBUILDERSITE.COM|happyholidayslive.info|courseserving.com|templateblazer.com|MARCHELLOGOTTI.com|thamovment.com|cancercarechicago.com|luxomni.com|QUANTUMENERGYFIELD.COM|cashcowkuntz.com|tdcarterlaw.com|teamordinary.com|clockwalk.com|remotefeed.net|oneplanetsports.com|worksmartdirect.com|relaxandfocus.com|stocklogistics.com|usadomainsinc.com|goliatpr.com|THEMLSBYOWNER.com|thinkshot.com|QUAILPLAZA.COM|capitalcitylive.com|redvined.info|petitekitten.com|excura.com|maidomainz.info|TELECOMMUNICATIONSMARKETINGSITE.INFO|secondzineb.info|certainvexer.info|canadagiftsonline.com|consciousweigh.info|easyvoicecheese.info|mygivememoreonline.info|THEDOMAINTEST.INFO|ajathleticz.com|myspeakcheese.info|provps.com|lightmoles.com|freewinterwonderland.info|paperbeans.com|uwannabuy.info|nitrongills.info|grabjacksi.com|airtecportugal.com|kristiehowell.com|wirelessworldsite
.com|snowskigallery.com|thefrogtv.net|myspectacular2u.info|phewinterwonderland.info|hopefulhelponline.info|singlehop-170416.com|welcomebackonline.info|classofradio.com|familialpoisonousdestroy.net|narrowlevels.net|werejamminjam.com|carsclubsearch.com|vehicleprodus.com|thebestdatamed.com|HOMEMADEPOWERPLANTONLINE.INFO|publixuserresearchgroup.info|STRUGGLINGHELPSTORE.INFO|snowskiline.com|theboatsusa.com|next-order.com|izmking.com|golfshoppingstore.com|ssltoycartonline.com|getmorewater.com|seasonalsearching.com|aquadayinc.com|allaboutbetterspent.com|pacificwatermarket.com|runningroundtrees.com|inspironmarket.com/i header __KAM_COMPANY3_1 Reply-To =~ /inspironmarket.com|leftwingward.com|tellumnet.com|gettheham.info|staringhook.com|zinccarbon.info|swimmingbedroom.com|jacksop.info|onetwobest.info|gazestarz.info|teamgreenbean.info|thewebbanana.info|snowingmasher.info|navinthebean.info|societu.info|firthlapins.info|tomatocorn.info|treeoxygen.info|thebeancoffee.info|grapeagreement.info|snowingguild.info|discountstudent.info|onethreebest.info|endivetaste.info|socialbeancoffee.info|jetsad.info|stewcarrot.info|giftlarge.info|snowinguild.info|echoist.info|grubbye.info|onefourbest.info|snowingtodoor.info|experm.info|flyingtrap.info|carribeanbanks.info|toyprogame.info|lianana.info|choosethestories.info|socious.info|reprole.info|lightgrey.info|funkybeancoffee.info|shiftylefty.info|storiesalon.info|onefivebest.info|storiesburn.info|thebeansoup.info|greatestrates.info|tvtoystore.info|buyboytoy.info/i header __KAM_COMPANY3_2 From =~ 
/inspironmarket.com|leftwingward.com|tellumnet.com|gettheham.info|staringhook.com|zinccarbon.info|swimmingbedroom.com|jacksop.info|onetwobest.info|gazestarz.info|teamgreenbean.info|thewebbanana.info|snowingmasher.info|navinthebean.info|societu.info|firthlapins.info|tomatocorn.info|treeoxygen.info|thebeancoffee.info|grapeagreement.info|snowingguild.info|discountstudent.info|onethreebest.info|endivetaste.info|socialbeancoffee.info|jetsad.info|stewcarrot.info|giftlarge.info|snowinguild.info|echoist.info|grubbye.info|onefourbest.info|snowingtodoor.info|experm.info|flyingtrap.info|carribeanbanks.info|toyprogame.info|lianana.info|choosethestories.info|socious.info|reprole.info|lightgrey.info|funkybeancoffee.info|shiftylefty.info|storiesalon.info|onefivebest.info|storiesburn.info|thebeansoup.info|greatestrates.info|tvtoystore.info|buyboytoy.info/i header __KAM_COMPANY3_3 Received =~ /inspironmarket.com|leftwingward.com|tellumnet.com|gettheham.info|staringhook.com|zinccarbon.info|swimmingbedroom.com|jacksop.info|onetwobest.info|gazestarz.info|teamgreenbean.info|thewebbanana.info|snowingmasher.info|navinthebean.info|societu.info|firthlapins.info|tomatocorn.info|treeoxygen.info|thebeancoffee.info|grapeagreement.info|snowingguild.info|discountstudent.info|onethreebest.info|endivetaste.info|socialbeancoffee.info|jetsad.info|stewcarrot.info|giftlarge.info|snowinguild.info|echoist.info|grubbye.info|onefourbest.info|snowingtodoor.info|experm.info|flyingtrap.info|carribeanbanks.info|toyprogame.info|lianana.info|choosethestories.info|socious.info|reprole.info|lightgrey.info|funkybeancoffee.info|shiftylefty.info|storiesalon.info|onefivebest.info|storiesburn.info|thebeansoup.info|greatestrates.info|tvtoystore.info|buyboytoy.info/i meta KAM_COMPANY3 (__KAM_COMPANY3_1 + __KAM_COMPANY3_2 + __KAM_COMPANY3_3 >= 1) score KAM_COMPANY3 4.0 describe KAM_COMPANY3 Egregious spammers that should also be on RBLs (and might be) #COMPANY3 MX RELATED RULES header __KAM_MX1 Reply-To =~ /\@mx\d+\./i 
# COMPANY3 MX heuristics: the sub-rules below look for numbered, relay-style
# host labels in the Return-Path and Received headers.
# Return-Path domain that starts with "mx<digits>.".
header __KAM_MX2 Return-Path =~ /\@mx\d+\./i
# One of the listed prefixes followed by digits and a dot, at a word boundary or
# after "(" in a Received header.
# NOTE(review): the alternation includes "mx" and the single letter "m", and
# nothing here limits which Received hops are inspected, so ordinary relay names
# presumably match too. Confirm this is only consumed together with another signal.
header __KAM_MX3 Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
# Eight hex digits followed by ".ptr." (presumably an address encoded into a
# reverse-DNS style name; verify against samples).
header __KAM_MX4 Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
# 2-4 letters, 1-3 digits, a dot, then 1-20 arbitrary characters before ".info".
header __KAM_MX5 Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\..{1,20}\.info/i
# True when any one of the five MX sub-rules hits (__KAM_MX1 is defined just
# before this point in the file).
meta __KAM_MX (__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
describe __KAM_MX Odd prevalence of mx records associated with the COMPANY3 Spammers
# Hostname shape plus a KAM_COMPANY3 domain hit.
meta KAM_MX2 (__KAM_MX + KAM_COMPANY3 >= 2)
score KAM_MX2 5.0
describe KAM_MX2 COMPANY3 Spammers and MX Rule
# Hostname shape plus a URIBL_BLACK listing; "KAM_MX2 == 0" keeps this from
# scoring on top of KAM_MX2 for the same message.
meta KAM_MX3 (__KAM_MX + URIBL_BLACK >= 2 && KAM_MX2 == 0)
score KAM_MX3 4.1
describe KAM_MX3 Odd prevalence of MX records for non-identified Spammers
# Scores on __KAM_MX5 alone; nothing excludes KAM_MX2 or KAM_MX3, so the scores
# can add up when several of them fire.
meta KAM_MX4 (__KAM_MX5)
score KAM_MX4 3.0
describe KAM_MX4 MX Record and dot info domains associated with COMPANY3 Spammers
#BAD ADDRESS / COMPANY NAMES
# A single body pattern listing postal addresses, company names and pharmacy
# site names; one hit is enough for the full 5.0. The "#" in "Ste #2511" is
# written as \# so that it is not read as the start of a comment.
body __KAM_ADDRESS1 /204 N. El Camino Real|CocoMedia|17 Patchogue Road|1128-274 Royal Palm Beach|(848|500) N. Rainbow Dr. Ste \#?(2511|300)|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|sexywebdating/i
meta KAM_ADDRESS (__KAM_ADDRESS1 >= 1)
score KAM_ADDRESS 5.0
describe KAM_ADDRESS Addresses and Companies prevalent in spams
# END SPAMMING COMPANIES
#GRASS SEED
# All three sub-rules (From, Subject, body) must hit.
header __KAM_GRASS1 From =~ /(Patch|Perfect|Lawn)/i
header __KAM_GRASS2 Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
body __KAM_GRASS3 /Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i
meta KAM_GRASS (__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
score KAM_GRASS 2.5
describe KAM_GRASS Spammers hawking lawn products
#PED EGG / BELISI / SKIN PRODUCTS
# Any three of the four sub-rules. __KAM_SKIN1 includes the bare word "medical"
# in From, which on its own is a weak signal.
header __KAM_SKIN1 From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift)/i
header __KAM_SKIN2 Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser/i
body __KAM_SKIN3 /Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift/i
body __KAM_SKIN4 /feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d years younger|anti[- ]aging|look younger/i
meta KAM_SKIN (__KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 >= 3)
score KAM_SKIN 2.5
describe KAM_SKIN Spammers hawking skin/medical/foot products
#NEW CAR / WARRANTY SCAMS
# Threshold is 2 of 4, lower than the neighbouring product rules.
header __KAM_CAR1 Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car)/i
body __KAM_CAR2 /buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance/i
body __KAM_CAR3 /unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later/i
# Matches "warranty" or "lender" anywhere in the From header.
header __KAM_CAR4 From =~ /warranty|lender/i
meta KAM_CAR (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
score KAM_CAR 2.0
describe KAM_CAR Spammers hawking new car, insurance or warranties
#HOME WARRANTY SPAMS
# All three sub-rules must hit.
header __KAM_WARRANTY1 Subject =~ /home warranties/i
body __KAM_WARRANTY2 /Protect your home/i
body __KAM_WARRANTY3 /home warrant/i
meta KAM_WARRANTY (__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 >= 3)
score KAM_WARRANTY 1.5
describe KAM_WARRANTY Spammers hawking home warranties
#AWESOME AUGER
# Subject phrase plus the product name in the body.
header __KAM_AUGER1 Subject =~ /Dig Holes|plant Trees/i
body __KAM_AUGER2 /Awesome Auger/i
meta KAM_AUGER (__KAM_AUGER1 + __KAM_AUGER2 >= 2)
score KAM_AUGER 4.0
describe KAM_AUGER Spammers hawking Awesome Augers?!?
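#MOVIE EXTRA
# Both sub-rules use the same phrase. SpamAssassin body rules also see the
# Subject line, so a Subject containing "Movie Extra" is enough for both to hit.
header __KAM_MOVIE1 Subject =~ /Movie Extra/i
body __KAM_MOVIE2 /Movie Extra/i
meta KAM_MOVIE (__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
score KAM_MOVIE 3.0
describe KAM_MOVIE Spammers hawking Movie Extra positions

#DEBT COLLECTION
# Any four of six signals. Two of them are borrowed from other sections:
# __KAM_SEARCH5 (sender domains, defined under SEARCH ENGINE SPAM below) and
# KAM_ADVERT2 (not defined in this part of the file).
header __KAM_COLLECT1 Subject =~ /You Pay Nothing/i
body __KAM_COLLECT2 /No Fee/i
body __KAM_COLLECT3 /collection professionals/i
body __KAM_COLLECT4 /recovery rate/i
meta KAM_COLLECT (__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
score KAM_COLLECT 5.0
describe KAM_COLLECT Spammers hawking debt collection

#SEARCH ENGINE SPAM
# Any four of the five sub-rules.
header __KAM_SEARCH1 Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)/i
body __KAM_SEARCH2 /search engine/i
body __KAM_SEARCH3 /(first on|all of) the major search|not ranked number one/i
# NOTE(review): "traffice" is kept as written; presumably it mirrors a
# misspelling in the spam itself. Confirm against samples before correcting.
body __KAM_SEARCH4 /guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice/i
# Domain names matched in the raw (undecoded) body. The dots are escaped so that
# "." matches only a literal dot and not any character.
rawbody __KAM_SEARCH5 /Click2Call|a1-solutions|fast-response\.net|action-pros\.net|tops-1\.com/i
meta KAM_SEARCH (__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score KAM_SEARCH 5.0
describe KAM_SEARCH Spammers hawking SEO

#SEO
# Any five of the six sub-rules. "\[" in the Subject pattern is a literal bracket.
header __KAM_SEO1 Subject =~ /Idea for \[/i
body __KAM_SEO2 /first page of (Google|MSN|Yahoo)/i
body __KAM_SEO3 /never find your web site/i
body __KAM_SEO4 /No upfront fees/i
body __KAM_SEO5 /more traffic guaranteed/i
body __KAM_SEO6 /will not get your website banned/i
meta KAM_SEO (__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 >= 5)
score KAM_SEO 7.0
describe KAM_SEO Spammers hawking SEO

#ACNE SPAM
# All four sub-rules must hit.
header __KAM_ACNE1 Subject =~ /Proactiv/i
header __KAM_ACNE2 From =~ /Acne/i
body __KAM_ACNE3 /proactiv/i
body __KAM_ACNE4 /Online Gift Rewards/i
meta KAM_ACNE (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
score KAM_ACNE 5.0
describe KAM_ACNE Spammers hawking Acne products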
#SOFTWARE SPAM
# All four sub-rules must hit (Subject, From, and two body phrases).
header __KAM_SOFTWARE1 Subject =~ /fix Windows File Errors/i
header __KAM_SOFTWARE2 From =~ /registry/i
body __KAM_SOFTWARE3 /Fix file errors/i
body __KAM_SOFTWARE4 /download for no cost|FREE Software|Free Analysis|Free Report/i
meta KAM_SOFTWARE (__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
score KAM_SOFTWARE 5.0
describe KAM_SOFTWARE Spammers hawking Software products
#NIGERIAN SCAM SCAN
# Ten signals, eight required: nine sub-rules below plus __KAM_REFI4, the
# money-amount pattern defined in the refinance section earlier in the file.
# Several patterns overlap ("bank" is also part of _2, _3, _4, _5, _6 and _9
# alternatives), so one phrase such as "central bank" can count towards the
# threshold more than once.
header __KAM_NIGERIAN2_1 Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
body __KAM_NIGERIAN2_2 /barrister|director of central bank|bank director/i
body __KAM_NIGERIAN2_3 /high court|central bank|payment center/i
body __KAM_NIGERIAN2_4 /e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
body __KAM_NIGERIAN2_5 /fund code|cheque|bank draft/i
body __KAM_NIGERIAN2_6 /full contact information requested|need your contacts informations|your bank account information/i
# Bare substring "bank"; it also matches inside longer words.
body __KAM_NIGERIAN2_7 /bank/i
body __KAM_NIGERIAN2_8 /courier|diplomat agent|direct wire transfer/i
# Bare substring "scam" is one of the alternatives here.
body __KAM_NIGERIAN2_9 /scam|don't let them know that it is money|bank transfer charges/i
meta KAM_NIGERIAN2 (__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 8)
score KAM_NIGERIAN2 5.0
describe KAM_NIGERIAN2 Yet more Nigerian scams. Some even explaining the scam.
#MEDICAL
# Generic medical-pitch phrases. They carry no score of their own and are only
# counted by KAM_TINNI below.
body __KAM_MEDICAL1 /million who suffer from|suffered from organ failure/i
body __KAM_MEDICAL2 /Safe - Natural - Effective/i
body __KAM_MEDICAL3 /Free \d+ day trial/i
#EAR RINGING
# Any five of the six signals (three generic medical, three product specific).
body __KAM_TINNI1 /TinniFix/i
body __KAM_TINNI2 /Stop the ringing in your ears/i
header __KAM_TINNI3 Subject =~ /(ringing|buzz) in your ears/i
meta KAM_TINNI (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
score KAM_TINNI 5.0
describe KAM_TINNI Another Medical Scam
#GIVEAWAY
# All four body phrases must be present.
body __KAM_GIVE1 /receive your gift/i
# ".?" allows one arbitrary character after "dell" (for example a trademark sign).
body __KAM_GIVE2 /laptop giveaway|deliver your dell.? laptop/i
body __KAM_GIVE3 /answering a short survey/i
body __KAM_GIVE4 /verify your shipping address/i
meta KAM_GIVE (__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
score KAM_GIVE 4.0
describe KAM_GIVE Free stuff "giveaway" scam
#GOVERNMENT MONEY
# All four sub-rules must hit.
header __KAM_GOVT1 Subject =~ /Government Funding/i
body __KAM_GOVT2 /government funding/i
body __KAM_GOVT3 /complimentary information kit/i
# "Money?" makes the final "y" optional rather than matching a literal "?";
# a question mark in the text is absorbed by the following ".{0,4}".
body __KAM_GOVT4 /No.Money?.{0,4}No.Problem/i
meta KAM_GOVT (__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
score KAM_GOVT 4.0
describe KAM_GOVT Your tax dollars at work scam...
#RBL TRUST RULES
# Extra 2.0 when both URIBL_BLACK and RCVD_IN_PBL fire; those two rules are not
# defined in this file section.
meta KAM_RBL (URIBL_BLACK + RCVD_IN_PBL >=2)
score KAM_RBL 2.0
describe KAM_RBL Higher scores for hitting multiple trusted RBLs
#KAM CNN
# Scores on the Subject phrase alone.
# NOTE(review): a genuine newsletter with the same Subject would presumably hit
# as well. Confirm that is acceptable for this installation.
header __KAM_CNN1 Subject =~ /CNN.com Daily Top/i
meta KAM_CNN (__KAM_CNN1 == 1)
score KAM_CNN 2.0
describe KAM_CNN CNN Daily Top 10 Link Obfuscation spams
#SNUGGIE BLANKETS / SHAM WOW
# Any three of five signals; KAM_ADVERT2 is defined outside this section.
header __KAM_SHAM1 Subject =~ /Hold 20 times|ShamWow/i
header __KAM_SHAM2 From =~ /Sham ?Wow/i
body __KAM_SHAM3 /ShamWow/i
body __KAM_SHAM4 /20(X| times) its weight/i
meta KAM_SHAM (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
score KAM_SHAM 2.0
describe KAM_SHAM More product scams...
#SANTA LETTERS
# All three sub-rules must hit.
header __KAM_SANTA1 Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
body __KAM_SANTA2 /Santa Letter|Letter from Santa|sent by Santa/i
body __KAM_SANTA3 /the perfect gift|personalized letter/i
meta KAM_SANTA (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
score KAM_SANTA 3.5
describe KAM_SANTA Ho Ho Holy smokes Batman another Santa Letter spam...
#WORK FOR / LEARN GOOGLE
# Any three of the five sub-rules. "with Google" appears in both the Subject
# pattern (__KAM_GOOGLE1) and a body pattern (__KAM_GOOGLE4).
header __KAM_GOOGLE1 Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
body __KAM_GOOGLE2 /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
# "\$[\d,]*s" matches a dollar sign, optional digits and commas, then "s".
body __KAM_GOOGLE3 /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
body __KAM_GOOGLE4 /with Google|Google Pie|Google Cash/i
header __KAM_GOOGLE5 From =~ /Google Money/i
meta KAM_GOOGLE (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
score KAM_GOOGLE 3.5
describe KAM_GOOGLE Google Pyramid Scams
#SECURITY / ALARM
# All three sub-rules must hit.
header __KAM_ALARM1 Subject =~ /Free Alarm Quotes/i
body __KAM_ALARM2 /free Quotes/i
body __KAM_ALARM3 /Burglaries/i
meta KAM_ALARM (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 >= 3)
score KAM_ALARM 3.5
describe KAM_ALARM Security and Alarm Company Spams
#SELL CARDS
# All three sub-rules must hit.
header __KAM_SELL1 Subject =~ /Market Credit Cards/i
body __KAM_SELL2 /Easy Money/i
body __KAM_SELL3 /Selling Credit Cards/i
meta KAM_SELL (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
score KAM_SELL 3.5
describe KAM_SELL Selling Cards Marketing Scams
#WHITEN TEETH
# All three sub-rules must hit.
header __KAM_WHITEN1 Subject =~ /whiten your teeth/i
body __KAM_WHITEN2 /whitener/i
body __KAM_WHITEN3 /(Celebrity Smile|Carbamide Peroxide)/i
meta KAM_WHITEN (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
score KAM_WHITEN 3.5
describe KAM_WHITEN Teeth Whitening Scams
#URONLINE
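# Chat / dating lures: any three of the four sub-rules.
body __KAM_URONLINE1 /(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link/i
body __KAM_URONLINE2 /wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special/i
body __KAM_URONLINE3 /get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs/i
header __KAM_URONLINE4 Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia/i
meta KAM_URONLINE (__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
score KAM_URONLINE 4.5
describe KAM_URONLINE Chat Scams

#TIMESHARE
# All three sub-rules must hit.
body __KAM_TIMESHARE1 /Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body __KAM_TIMESHARE2 /goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo/is
header __KAM_TIMESHARE3 Subject =~ /(rent|sell) your Timeshare|have a timeshare|timeshare money/i
meta KAM_TIMESHARE (__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 >= 3)
score KAM_TIMESHARE 4.0
describe KAM_TIMESHARE Timeshare Scams

#AQUA GLOBE
# Any three of the four sub-rules.
body __KAM_AQUA1 /Aqua Globe/is
body __KAM_AQUA2 /watering your plants/is
body __KAM_AQUA3 /while on vacation/is
header __KAM_AQUA4 Subject =~ /Waters your Plants/i
meta KAM_AQUA (__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score KAM_AQUA 3.0
describe KAM_AQUA Spams of yet another product du jour

#GEVALIA
# Any three of the four sub-rules.
body __KAM_GEVALIA1 /Gevalia Kaffe|premium coffee delivered/is
body __KAM_GEVALIA2 /(Gevalia coffee lover's|I love coffee) kit/is
body __KAM_GEVALIA3 /No Further Obligation/is
header __KAM_GEVALIA4 Subject =~ /gevalia|cup of coffee/i
meta KAM_GEVALIA (__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score KAM_GEVALIA 3.0
describe KAM_GEVALIA Spams of yet another product du jour

#SIMPLYINK
# Any two of the three sub-rules.
body __KAM_INK1 /Ink (and|&|n) Toner|SimplyInk|101 inks/is
header __KAM_INK2 From =~ /Simply ?Ink|Ink and toner/i
header __KAM_INK3 Subject =~ /Ink (and|&) Toner|SimplyInk/i
meta KAM_INK (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=2)
score KAM_INK 3.0
describe KAM_INK Spams of yet another product du jour

#TITAN PEELER
# Any two of the three sub-rules. __KAM_PEEL3 includes the bare words "peeler"
# and "stainless" in the Subject.
body __KAM_PEEL1 /Titan Peeler/is
header __KAM_PEEL2 From =~ /Titan Peeler/i
header __KAM_PEEL3 Subject =~ /peeler|stainless|titan peeler/i
meta KAM_PEEL (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score KAM_PEEL 3.0
describe KAM_PEEL Spams of yet another product du jour

#HTML EMAIL REQUIRING IMAGES?
# Sub-rule only; no meta or score in this part of the file refers to it.
rawbody __KAM_HTML1 /Please enable image viewing in order to view this message/is

#RATWARE
# Unreplaced "@fromname@" template token left in the From header.
header __KAM_RAT1 From =~ /\@fromname\@/i
meta KAM_RAT (__KAM_RAT1 >= 1)
score KAM_RAT 5.0
describe KAM_RAT Variable Replacements Indicative of RatWare/Mass Mailing

#EGG GENIE
# Any two of the three sub-rules.
body __KAM_EGG1 /Egg Genie/is
header __KAM_EGG2 From =~ /Egg Genie/i
header __KAM_EGG3 Subject =~ /medium eggs/i
meta KAM_EGG (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score KAM_EGG 3.0
describe KAM_EGG Spams of yet another product du jour

#USBDRIVES
# Any two of the three sub-rules.
# NOTE(review): "debi" is an unanchored substring, so it also matches inside
# words such as "debit". Consider word boundaries after checking the samples.
body __KAM_USB1 /(debi|deborah brown|Melissa Sylvan)/i
body __KAM_USB2 /person (that|who) handles the promotions/i
# Dot escaped so that only the literal domain name matches.
body __KAM_USB3 /usbsmg\.com/i
meta KAM_USB (__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score KAM_USB 4.0
describe KAM_USB USB Promotion Spammer

#GOVT GRANT
# Any three of four signals; __KAM_REFI4 is the money-amount pattern defined in
# the refinance section earlier in the file.
body __KAM_GRANT1 /government grant/i
body __KAM_GRANT2 /find out if you qualify/i
body __KAM_GRANT3 /discontinue from this promotion/i
meta KAM_GRANT (__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score KAM_GRANT 5.0
describe KAM_GRANT Government Grant Scams

#SEX SCAMS
# Four phrase groups. Three or more hits score 10.0 (KAM_SEX04); exactly two
# score 2.0 (KAM_SEX04_2), which is suppressed once KAM_SEX04 has fired.
#MEDICINE REFERENCES
body __KAM_SEX04_1 /(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy/is
#BED REFERENCES
body __KAM_SEX04_2 /fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
#SUBJECT REFERENCES
header __KAM_SEX04_3 Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
#SEXUAL REFERENCES
body __KAM_SEX04_4 /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package/is
meta KAM_SEX04 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score KAM_SEX04 10.0
describe KAM_SEX04 Sexually Explicit SPAM
meta KAM_SEX04_2 (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score KAM_SEX04_2 2.0
describe KAM_SEX04_2 Likely Sexually Explicit SPAM

#SEX SCAMS ROUND 5
# Subject phrase and body phrase must both hit.
header __KAM_SEX05_1 Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body __KAM_SEX05_2 /buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i
meta KAM_SEX05 (__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score KAM_SEX05 5.0
describe KAM_SEX05 Sexually Explicit SPAM

#FOOTBALL CLUB SPAMS
# All four sub-rules must hit.
header __KAM_FOOTBALL1 Subject =~ /Amateur Club|Seeks? Player/i
header __KAM_FOOTBALL2 From =~ /Football/i
body __KAM_FOOTBALL3 /Mercato/i
body __KAM_FOOTBALL4 /Football/i
meta KAM_FOOTBALL (__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score KAM_FOOTBALL 4.0
describe KAM_FOOTBALL Spammy Football Club

#DISH NETWORK SPAMS
# All three sub-rules must hit.
header __KAM_DISH1 From =~ /Dish Network|TVUpgrade|Satellite HD/i
header __KAM_DISH2 Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish/i
body __KAM_DISH3 /American Satellite Providers/i
meta KAM_DISH (__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score KAM_DISH 6.0
describe KAM_DISH Dish Network Spams

#IDENTITY NETWORK
# Sender domain plus body phrase; dot escaped as in the HONEYPOT rules below.
header __KAM_IDENTNET1 From =~ /\@identitynetwork\.net/i
body __KAM_IDENTNET2 /ADVERTISE WITH IDENTITY NETWORK/i
meta KAM_IDENTNET (__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score KAM_IDENTNET 8.0
describe KAM_IDENTNET Identity Network Spams

#HONEYPOT HITS
# Body reference and From address must both hit.
body __KAM_HONEY1 /Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news/i
header __KAM_HONEY2 From =~ /\@intacct\.com|\@milestechnologies\.com|\@greenschoolfundraiser\.org|\@businessbrief\.com|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@voip-news\.com/i
meta KAM_HONEY (__KAM_HONEY1 + __KAM_HONEY2 >= 2)
score KAM_HONEY 12.0
describe KAM_HONEY Spammer sending to a honeypot or known spammer through other means

#MEDIA DUCHESS
# The same domain list is checked in Received and in From; a hit in either
# counts as one signal. The four remaining sub-rules each count as one, and four
# signals in total are required. Dots in the domain names are escaped so they
# match literally.
header __KAM_DUCHESS1 Received =~ /mediaduchessstore\.info|mediaduchesslive\.info|mymediaduchess\.info|mediaduchessonline\.info|mytvduchess\.info|mediaduchesspro\.info|mileshop\.info|freegrampro\.info|radioduchess\.info|acreforyou\.info|mileblog\.info/i
header __KAM_DUCHESS2 From =~ /mediaduchessstore\.info|mediaduchesslive\.info|mymediaduchess\.info|mediaduchessonline\.info|mytvduchess\.info|mediaduchesspro\.info|mileshop\.info|freegrampro\.info|radioduchess\.info|acreforyou\.info|mileblog\.info/i
body __KAM_DUCHESS3 /Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody __KAM_DUCHESS4 /duchess/i
# http link on a .info host whose path starts with exactly 30 letters, followed
# by a quote or a slash.
rawbody __KAM_DUCHESS5 /http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body __KAM_DUCHESS6 /For account number:/i
meta KAM_DUCHESS ((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score KAM_DUCHESS 5.0
describe KAM_DUCHESS Spammer sending emails using a variety of domains and linked images

#UPS
# Delivery-problem Subject plus "invoice copy attached" from a sender whose From
# header does not show an @ups.com address.
header __KAM_UPS1 Subject =~ /UPS Delivery problem/i
# Negative match. The address must end at ">", whitespace or the end of the
# header, so a bare "user@ups.com" with nothing after it is recognised too; the
# earlier class "[ |>]" required a trailing character and listed a literal "|".
# The From header is chosen by the sender, so this only separates messages that
# do not claim ups.com; sender authentication results are the stronger check.
header __KAM_UPS2 From !~ /\@ups\.com(?:[\s>]|$)/i
body __KAM_UPS3 /invoice copy attached/i
meta KAM_UPS (__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score KAM_UPS 6.0
describe KAM_UPS UPS doesn't send invoices with delivery problem notes

#Free Calls
# Any three of the four sub-rules.
header __KAM_SKYPE1 Subject =~ /Free Calls/i
header __KAM_SKYPE2 Received =~ /releasesourcek\.com/i
header __KAM_SKYPE3 From =~ /VOIP News/i
body __KAM_SKYPE4 /Promo Code: \d/i
meta KAM_SKYPE (__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score KAM_SKYPE 5.0
describe KAM_SKYPE Skype/Voip scams likely to spread malware

#OWA/EMAIL PHISH
# Raw-body match on an http link to /owa/service_directory/settings.php on any
# host of 5-30 characters. Only the http:// scheme is covered by this pattern.
rawbody KAM_OWAPHISH1 /http:\/\/.{5,30}\/owa\/service_directory\/settings\.php/i
score KAM_OWAPHISH1 6.0
describe KAM_OWAPHISH1 Rash of OWA setting change emails for phishing

#PEOPLE WHO HAVE SENT SPAM EMAILS
# Either sub-rule alone is enough for the full 10.0: a listed From address or
# domain, or the listed site name in the body.
header __KAM_SPAM1 From =~ /seminars\@cvent\.com|info\@cabininthewoods\.us|info\@ceosalesolution\.com|\@cfnps\.org|\@pbconferences\.com/i
body __KAM_SPAM2 /www\.redshop-biz\.com/i
meta KAM_SPAM (__KAM_SPAM1 + __KAM_SPAM2 >= 1)
score KAM_SPAM 10.0
describe KAM_SPAM These are people who spam me. I'm tired of it.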
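#MORE DRUG SPAM
# Five keyword groups (subject terms, product terms, call-to-action, obfuscated
# spellings and shop names, shipping claims); any 3 of the 5 trigger the meta.
# Several patterns use "." on purpose as a one-character wildcard (e.g. "rx.med").
header __KAM_DRUG2_1 Subject =~ /Viagra|male enhancement|ambien|Percocet|vicodin|Meridia|look slim|Phentermin|easier time making her|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|trouble falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|guys in bed|your.rx.meds|fill your meds|bedroom fun/i
body __KAM_DRUG2_2 /Medi?cati[o0]ns|desired meds|favou?red (rx)?meds|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med)[zs] Online|RxDealz|v[i1]agra|medz.special/i
body __KAM_DRUG2_3 /Purchase|grab hold|click here|at your fingertips|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med/i
body __KAM_DRUG2_4 /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx/i
body __KAM_DRUG2_5 /(Day|Trusty|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]Shippin|anonymous packing|shipped.right.away/i
meta KAM_DRUG2 ( __KAM_DRUG2_1 + __KAM_DRUG2_2 + __KAM_DRUG2_3 + __KAM_DRUG2_4 + __KAM_DRUG2_5 >= 3)
score KAM_DRUG2 3.0
describe KAM_DRUG2 More online Drug Scams

#WIFE SCAMS
header __KAM_WIFE1 Subject =~ /Remember me/i
body __KAM_WIFE2 /marry a Russian/i
meta KAM_WIFE ( __KAM_WIFE1 + __KAM_WIFE2 >= 2)
score KAM_WIFE 3.0
describe KAM_WIFE Mail order bride scams

#PRODUCT SCAMS
header __KAM_PRODUCT1 Subject =~ /Beauty Phone/i
body __KAM_PRODUCT2 /phones for discerning individuals/i
meta KAM_PRODUCT ( __KAM_PRODUCT1 + __KAM_PRODUCT2 >= 2)
score KAM_PRODUCT 3.0
describe KAM_PRODUCT Product scams often used with MSN/Live URIs

#SPACES / LIVE / MSN / ETC. SCAMS
# Combines one content rule (product, drug or wife scam) with one URI-type rule.
# KAM_MSN_STRING is not defined in this part of the file.
meta KAM_LIVEURI2 ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score KAM_LIVEURI2 3.0
describe KAM_LIVEURI2 More online Scams + Known URI

#WEBS.COM
# Both dots of the domain are escaped so only a literal ".webs.com" host matches.
uri KAM_WEBS /.{3,25}\.webs\.com/i
score KAM_WEBS 0.5
describe KAM_WEBS webs.com links used in Spams

#IMAGESHACK SWF Files
# Domain and extension dots are escaped; ".{3,25}" stays a wildcard for the path.
uri KAM_BADSWF /imageshack\.us\/.{3,25}\.swf$/i
score KAM_BADSWF 3.0
describe KAM_BADSWF SWF embedded links in Email Scams

#EXE LINK
# The dot is escaped so only a literal ".exe" suffix matches, rather than any URI
# ending in "exe" preceded by an arbitrary character.
uri KAM_EXEURI /\.exe$/i
score KAM_EXEURI 0.5
describe KAM_EXEURI EXE embedded link

#SETTINGS FILE PHISH
# KAM_SETTING needs the subject and the "security upgrade" body text.
# __KAM_SETTING3 is used only by KAM_SETTING2 below; its "." is left as a wildcard
# because it may be meant to match other separators - confirm before tightening.
header __KAM_SETTING1 Subject =~ /settings file/i
body __KAM_SETTING2 /security upgrade/i
body __KAM_SETTING3 /settings?.zip/i
meta KAM_SETTING ( __KAM_SETTING1 + __KAM_SETTING2 >= 2)
score KAM_SETTING 2.0
describe KAM_SETTING Phishing scams w/Setting Files or Webmail
#Fixed small misspelling thanks to Jameel Akari
# Adds 4.0 on top of KAM_SETTING when the message also has an .exe link or names a
# settings zip file.
meta KAM_SETTING2 ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score KAM_SETTING2 4.0
describe KAM_SETTING2 Phishing scams w/Setting Files or Webmail + Bad File link

#FARM SPAM
header __KAM_FARM1 Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade/i
header __KAM_FARM2 From =~ /blueberr|tomato/i
body __KAM_FARM3 /(blueberry|Tomatoe?) giant/i
meta KAM_FARM (__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score KAM_FARM 4.0
describe KAM_FARM Farming related Spams

#MX URI
# Matches a URI whose host starts with "mail." or "mx.", with or without a leading
# "http://". NOTE(review): other schemes are not covered by the optional prefix, and
# ordinary webmail hosts also begin with "mail." - check the false-positive rate for
# a 2.5 score.
uri KAM_MXURI /^(?:http:\/\/)?(mail|mx)\./i
score KAM_MXURI 2.5
describe KAM_MXURI URI begins with a mail exchange prefix, i.e. mx.[...]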
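#FLASH PLAYER
# Any 3 of the 5 body/Subject/From signals trigger the meta.
body __KAM_FLASH1 /Flash Player Code: \d\d/i
body __KAM_FLASH2 /Flash Player Update/i
header __KAM_FLASH3 Subject =~ /Flash Player/i
header __KAM_FLASH4 Subject =~ /activation code/i
header __KAM_FLASH5 From =~ /Flash Player/i
meta KAM_FLASH (__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score KAM_FLASH 4.0
describe KAM_FLASH Fake Flash Player Phishing Scam

#FAKE ADWORDS
# Needs 3 of the 4 content signals AND at least one of KAM_RPTR_SUSPECT /
# KAM_RPTR_FAILED (both defined outside this part of the file).
# The whole expression is wrapped in parentheses like the other meta rules; the
# evaluation is unchanged. Domain dots in __KAM_ADWORD2 are escaped.
body __KAM_ADWORD1 /(Advertisement|Adwords) Campaign/i
header __KAM_ADWORD2 From =~ /adwords\.com|salesdirect\.com/i
header __KAM_ADWORD3 Subject =~ /adwords campaign|ads in adwords/i
body __KAM_ADWORD4 /adwords\.php|index\.php\?isgoogle/i
meta KAM_ADWORD ((__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3 + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2)
score KAM_ADWORD 10.0
describe KAM_ADWORD Fake Adword Campaign notices

#DON NOB & WORK FROM HOME SCAMS
# __KAM_DON1 reads an X-KAM-Reverse header; presumably added by local processing
# before SpamAssassin runs - confirm, since a sender could otherwise supply it.
# __KAM_DON2 has no /i and is therefore case-sensitive.
# __KAM_MED2 and __KAM_TV2 are defined outside this part of the file; __KAM_REFI4 is
# the dollar-amount pattern from the refinance rules.
# KAM_DON (>= 4 of 7) and KAM_DON2 (>= 6 of 7) can both fire on one message, so
# their scores add up.
header __KAM_DON1 X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow\.com/i
header __KAM_DON2 Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body __KAM_DON3 /donnob\.(?:biz|net)|emarketnow\.com|watersolutiontoday\.com/i
body __KAM_DON4 /\$1,000 A Day ATM|J\.O\.B\./i
meta KAM_DON (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score KAM_DON 6.0
describe KAM_DON Work at Home Scams
meta KAM_DON2 (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score KAM_DON2 4.0
describe KAM_DON2 Egregious Work at Home Scams

#GINA SCAMS
# Any 4 of the 5 signals; __KAM_REFI4 (dollar amounts) is reused from the refinance rules.
header __KAM_GINA1 From =~ /GINA deadline|GINA Update|compliance/i
header __KAM_GINA2 Subject =~ /GINA deadline/i
body __KAM_GINA3 /Genetic Information Nondiscrimination Act/i
body __KAM_GINA4 /mandatory poster|remain in compliance|GINA regulations/i
meta KAM_GINA (__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4 >= 4)
score KAM_GINA 6.0
describe KAM_GINA Employment Poster Marketing Spams

#TAX SCAMS
# All three signals must hit. __KAM_TAX2 is broad (any From containing "tax",
# "HRBlock" or "marketing") and relies on the other two for precision.
header __KAM_TAX1 Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online/i
header __KAM_TAX2 From =~ /tax|HRBlock|marketing/i
body __KAM_TAX3 /File your taxes for free|need more time/i
meta KAM_TAX (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 >=3)
score KAM_TAX 2.5
describe KAM_TAX Tax Filing Scams

#SEX SCAM
# Requires the body phrase together with KAM_MSN_STRING (defined outside this part
# of the file).
body __KAM_SEX06_1 /more fire and passion/i
meta KAM_SEX06 (__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score KAM_SEX06 5.0
describe KAM_SEX06 Sexual Stimulant Spam

#DOG BARK
# Any 2 of the 3 signals; "." in "Bark.Off" is a one-character wildcard.
body __KAM_BARK1 /Bark.Off/i
header __KAM_BARK2 Subject =~ /Barking/i
header __KAM_BARK3 From =~ /Bark.Off/i
meta KAM_BARK (__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score KAM_BARK 3.5
describe KAM_BARK Dog Product Scam

#EOF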