ok

Mini Shell

Direktori : /etc/mail/spamassassin/
Upload File :
Current File : //etc/mail/spamassassin/KAM.cf

#KAM.cf aka the KAM ruleset - Apache SpamAssassin Rules

#Author: Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann,
#        Bill Cole & Giovanni Bechis

#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
#       at https://raptor.pccc.com/raptor.cgim?template=report_problem

#HomePage: http://www.mcgrail.com/downloads/KAM.cf


#Installation: There are multiple files that make up the KAM ruleset including
#heavyweight, deadweight, & nonKAMrules.  The KAM ruleset is now a channel!
#
#Please see https://mcgrail.com/template/kam.cf_channel for more information


#The ruleset includes internal rules so not every rule will be useful but
#we encapsulate those in a KAMOnly defined loop.

#KAM.cf is maintained by The McGrail Foundation, a 501(c)(3) charity.  Donations
#are appreciated. See www.mcgrail.com for more information on donations and
#sponsorships.

#THANK YOU TO OUR SPONSORS (in Alphabetical Order):
#cPanel, INKY, Invaluement, iSpark, Linode, PCCC, ShipShapeIT and Zix/Appriver


#This is a collection of special rules that I have developed and use on my system.
#
#The exact date is lost to the sands of time but we have been publishing this
#ruleset since at least May 2004.
#
#They are intended as live research for committal to SpamAssassin's SVN sandbox but
#often rely on my corpora so they do not fair well in masschecks.
#
#You are welcome and encouraged to email me directly regarding suggestions.

#To avoid being caught by our filters, False positives and negatives should be
#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#I believe the rules are safe and they are in use on production systems so I will
#do my best to respond to FPs *especially* if you can send me an email sample.
#
#IMPORTANT: This cf file is designed for systems with a threshold of 5.0 or higher.


#It is best to save an email sample in mbox format and zip it to attach to get
#around my filters.  It is sometimes best to send samples in a second email so I
#know to go looking for it in my spam folders.
#
#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
# - I don't view many of my rules as single rules as I typically use meta rules.
#   I view meta rules as multiple rules hence a larger score is acceptable.
#
# - Some content needs to be blocked either due to large number of complaints or
#    for content.  For example, the sexually explicit items and the stock tips.
#    FPs in these rules will be quickly addressed.

#Copyright (c) 2021 Kevin A. McGrail and The McGrail Foundation
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
body     __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i

rawbody  __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i

meta   	 KAM_MM_FOREX    __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
score    KAM_MM_FOREX 2.5
describe KAM_MM_FOREX Polish-language spam from the Forex botnet

#PHISHING TEST
rawbody         KAM_PHISH1      /u style="cursor: pointer"/
describe        KAM_PHISH1      Test for PHISH that changes the cursor
score           KAM_PHISH1      0.01

header          __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank|support/i
body            __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert|suspended/i
body            __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed|owner of this account/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_PHISH4_4 Content-Type =~ /(verification|information|form)\.htm/i
endif

meta            KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
score           KAM_PHISH4 3.5
describe        KAM_PHISH4 Another phishing attempt

#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
body		__KAM_REAL1 	/(^|\b)RE market/is
body		__KAM_REAL2	/(crashing|declining)/i
body		__KAM_REAL3	/(vacation|second) (home|place)/is
meta		KAM_REAL	(__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe	KAM_REAL	Real Estate or Re-Finance Spam
score		KAM_REAL	0.5

#REFINANCE SCAM EMAILS
header		__KAM_REFI1	Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
body		__KAM_REFI2	/(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
body		__KAM_REFI3	/(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
body		__KAM_REFI4	/(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
body		__KAM_REFI5	/([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
body            __KAM_REFI6     /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
body		__KAM_REFI7	/(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header          __KAM_REFI8     From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i

meta		KAM_REFI	(__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
describe	KAM_REFI	Real Estate / Re-Finance Spam
score		KAM_REFI	3.0

meta		KAM_REFI2	(__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
describe	KAM_REFI2	Real Estate / Re-Finance Spam
score		KAM_REFI2	2.75

#KAM ERADICATE DEBTS
body		__KAM_DEBT1	/(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
header		__KAM_DEBT2	Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
body		__KAM_DEBT3	/(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is

meta		KAM_DEBT	((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe	KAM_DEBT	Debt eradication spams
score		KAM_DEBT	2.5

meta            KAM_DEBT2       ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe        KAM_DEBT2       Likely Debt eradication spams
score           KAM_DEBT2       1.0

#XtraSize+ Penis Enlargement Scam
header          __KAM_SILD1     Subject =~ /Sildenafil Citrate/i
body		__KAM_SILD2	/(XtraSize\+|Sildenafil Citrate)/i

meta		KAM_SILD	(__KAM_SILD1 + __KAM_SILD2 >= 1)

describe        KAM_SILD        Simple rule to block one more enhancement message
score           KAM_SILD        5.0

#if (version < 3.002000)
#  #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
#  #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
#  header        __KAM_NUMBER1   Subject =~ /^\d+$/
#  body		__KAM_NUMBER2	/\d{1,6}/
#  header 	__KAM_NUMBER3   Message-ID =~ /\<[a-z]{19}\@/i
#
#  meta          KAM_NUMBER      ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
#  describe      KAM_NUMBER      Silly Number Emails
#  score         KAM_NUMBER      1.0
#endif

#KAM MEDICATION	KAM_OVERPAY
body		KAM_OVERPAY	/O . V . E . R . P . A . Y/i
describe	KAM_OVERPAY	Common Medicinal Ad Trick
score		KAM_OVERPAY	3.5

#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
replace_rules	__KAM_VIAGRA2

body            __KAM_VIAGRA1   /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
header		__KAM_VIAGRA2	Subject =~ /<V1><I1><A1><G1><R1><A1>/i

meta		KAM_VIAGRA1	(__KAM_VIAGRA1 + __KAM_VIAGRA2 >= 1)
describe        KAM_VIAGRA1     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA1     3.0

#VIAGRA AD 2
body            KAM_VIAGRA2     /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe        KAM_VIAGRA2     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA2     3.1

#VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
#body            KAM_VIAGRA3     /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
#describe        KAM_VIAGRA3     Common Viagra and Medicinal Table Trick
#score           KAM_VIAGRA3     3.1

#VIAGRA AD 4
body		__KAM_VIAGRA4A	/V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body		__KAM_VIAGRA4B	/V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body		__KAM_VIAGRA4C	/M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i

# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
# FP for Via Great thanks to Shane Williams
body            __KAM_VIAGRA_FPS /via gre?a|i augur/i

meta		KAM_VIAGRA4	((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe	KAM_VIAGRA4	Common Viagra and Medicinal Table Trick
score		KAM_VIAGRA4	3.1

#VIAGRA AD 5
body		KAM_VIAGRA5	/(V [1li|\]] [a&] G R A|VljAG+R+A)/i
describe	KAM_VIAGRA5	Viagra Obfuscation Technique SPAM
score		KAM_VIAGRA5	3.1

#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
#Also added a few more boundary checks thanks to Daniele Duca
body		__KAM_VIAGRA6A	/V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
body		__KAM_VIAGRA6B	/(\b|^)A.?M.?B.?[il1].?E.?N($|\b)/i
body		__KAM_VIAGRA6C	/V.?A.?L.?[il1].?U.?M/i
body		__KAM_VIAGRA6D  /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header		__KAM_VIAGRA6E	From =~ /Viagra|Cialis(\b|$)/i

meta		KAM_VIAGRA6	(__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe	KAM_VIAGRA6	Viagra Obfuscation Technique SPAM
score		KAM_VIAGRA6	3.1

#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
body            __KAM_VIAGRA7A  /V[ij]+AGRA/i
body            __KAM_VIAGRA7B  /(^|\b)C[ij]+AL[ij]+S($|\b)/i
body            __KAM_VIAGRA7C  /(^|\b)AMB[ij]+EN($|\b)/i
body            __KAM_VIAGRA7D  /VAL[ij]+UM/i

meta            KAM_VIAGRA7     ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe        KAM_VIAGRA7     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA7     3.1

#VIAGRA AD 8
body            __KAM_VIAGRA8A  /VI...?AGRA/i
body            __KAM_VIAGRA8B  /AM...?BIEN/i
body            __KAM_VIAGRA8C  /VA...?LIUM/i
body            __KAM_VIAGRA8D  /CI...?ALIS/i

meta            KAM_VIAGRA8     ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe        KAM_VIAGRA8     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA8     5.1

#VIAGRA AD 9
body            __KAM_VIAGRA9A  /V[IL1]A..GRA/i
body            __KAM_VIAGRA9B  /AMB..IEN/i
body            __KAM_VIAGRA9C  /VAL..IUM/i
body            __KAM_VIAGRA9D  /C[IL1]A..LIS/i

meta            KAM_VIAGRA9     ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe        KAM_VIAGRA9     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA9     5.1

#VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
header          __KAM_VIAGRA10A    From =~ /male enhancement|mens.renewal/i
header          __KAM_VIAGRA10B    Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i

meta            KAM_VIAGRA10    (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
describe        KAM_VIAGRA10    Male enhancement spam with no content
score           KAM_VIAGRA10    8.0

#NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
header          __KAM_NITROXIN1A   From =~ /nitroxin/i

meta            KAM_NITROXIN1   (__KAM_NITROXIN1A >= 1)
describe        KAM_NITROXIN1   Another variant of Viagra spam
score           KAM_NITROXIN1   8.0

#RE[#] SPAM
#NOTE: Thanks to Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
header		KAM_RE		Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe	KAM_RE		Subject of Re[0]: etc prevalent in Spam
score		KAM_RE		2.0

meta		KAM_RE_PLUS	(HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe	KAM_RE_PLUS	Bad Subject and Image Only rule hit == SPAM!
score		KAM_RE_PLUS	4.0

#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#thansk to Michael Denney for the FP report
header		__KAM_HOODIA1	Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody		__KAM_HOODIA2	/(?:hoodia|920\+)/i
body		__KAM_HOODIA3	/(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is

meta		KAM_HOODIA	(__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe	KAM_HOODIA	Hoodia / Weight Loss Product Promotion Spam
score		KAM_HOODIA	3.0

#STOCK TIPS

##1 through 120 disabld 5-12-2014 due to age
##body            __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
##body            __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
##body		__KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
##body            __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
##body		__KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
##body		__KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
##body		__KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
##body		__KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
##body		__KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
###THANKS TO HOMER PARKER FOR THE FALSE POSSITIVE NOTE!
##body            __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
##body		__KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
##body		__KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
##body		__KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
##body		__KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
##body		__KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
##body		__KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
##body		__KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
##body		__KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
##body		__KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
##body		__KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
##body		__KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
##body		__KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
##body		__KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
##body		__KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
##body		__KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
##body		__KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
##body		__KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
##body		__KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
##body		__KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
##body		__KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
##body		__KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
##body		__KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
##body            __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
##body		__KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
##body		__KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
##body		__KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
##body		__KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
##body		__KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
##body		__KAM_STOCKTIP39 /Premium Petroleum/is
##body		__KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n  ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
##body		__KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
##body		__KAM_STOCKTIP42 /DPEK/i
###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
##body		__KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is
##body		__KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
##body		__KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
##body		__KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
##body		__KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
###DISABLED DUPLICATE OF 40
###body		__KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
##body		__KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
##body		__KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
##body		__KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
##body		__KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
##body		__KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
##body		__KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
##body		__KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
###FP FIXED THANKS TO Homer Parker
##body		__KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
###FP FIXED THANKS TO Homer Parker
##body		__KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
##body            __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
##body		__KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
##body		__KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
##body		__KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
##body		__KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
##body		__KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
##body		__KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
##body		__KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
###DISABLED FOR FALSE POSITIVES AND AGE
###body		__KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
##body		__KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
##body		__KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
##body		__KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
##body		__KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
##body		__KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
##body		__KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
##body		__KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
##body		__KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
###FP FIXED THANKS TO Christopher X. Candreva
##body		__KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
##body		__KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
##body		__KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
###FP FIXED THANKS TO Homer Parker
##body		__KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
##body		__KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
##body		__KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
##body		__KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
##body		__KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
##body		__KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
##body		__KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
##body		__KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
##body		__KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
##body		__KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
##body		__KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
##body		__KAM_STOCKTIP89 /UTEV/i
##body		__KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
##body		__KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
##body		__KAM_STOCKTIP92 /CBRJ/i
##body		__KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
##body		__KAM_STOCKTIP94 /GTAP/i
##body		__KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
###FP FIXED THANKS TO BRETT GARRETT
##body		__KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
##body		__KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
##body            __KAM_STOCKTIP98 /PLMA/i
##body		__KAM_STOCKTIP99 /CDYV/i
##body		__KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
###Added boundary check thanks to Michael Denney
##body		__KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
##body		__KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
##body		__KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
##body		__KAM_STOCKTIP104 /ASVP/is
##body		__KAM_STOCKTIP105 /CHVC/is
##body		__KAM_STOCKTIP106 /(China Datacom|CDPN)/is
##body		__KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
##body		__KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
##body		__KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
###DUPLICATED STOCKTIP #51
###body		__KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
##body		__KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
###FP Fixed thanks to Greg Troxel
##body		__KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
##body		__KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
###FP FIXED THANKS TO Antonio Falzarano
##body		__KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
##body            __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
##body		__KAM_STOCKTIP116 /(Strategy X|SGXI)/is
##body		__KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
###FALSE POSITIVE ON DANSREALESTATE.
##body		__KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
##body		__KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
##body		__KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i

body		__KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body		__KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body		__KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
body		__KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body		__KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body		__KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body		__KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
#FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
body		__KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
body		__KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
body		__KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
#Added boundary check thanks to Michael Denney
body		__KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
body		__KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
body		__KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
body		__KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body		__KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
body		__KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
body		__KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
body		__KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
body		__KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
body		__KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
#FP IN French email on 3/2/2017
#body		__KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
body		__KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
body            __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
body		__KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body		__KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body		__KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
#FP on Bozic 3/9/2021 - Thanks to Lars Einarsen
body		__KAM_STOCKTIP147 /Beamz Interactive|(\b|^)BZIC(\b|$)/is
body		__KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body		__KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body		__KAM_STOCKTIP150 /MONARCHY RESOURCES/i
body		__KAM_STOCKTIP151 /Alanco Tech/i
body		__KAM_STOCKTIP152 /Siga Resources/i
body		__KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
body		__KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
body		__KAM_STOCKTIP155 /Alanco Technologies/is
body		__KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
#body		__KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
body            __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
body            __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
body            __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
body		__KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
body		__KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
body		__KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
body		__KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
body		__KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is
body		__KAM_STOCKTIP166 /(\b|^)(INCT|Incapta)(\b|$)/is
body		__KAM_STOCKTIP167 /(\b|^)(QSMS|Quest Science Management Gate)(\b|$)/is
body		__KAM_STOCKTIP168 /(\b|^)(QSMG|Q.S.M.G|Stemvax)(\b|$)/is
body		__KAM_STOCKTIP169 /(\b|^)E.?C.?G.?R(\b|$)/s


body            __KAM_STOCKOTC  /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
body            __KAM_STOCKSYM  /S[ ]?[iy][ ]?m[ ]?[�b8][ ]?[o0][ ]?[l1]|Siymbol/i
body            __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
body		__KAM_STOCKSHR	/\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body		__KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
body		__KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
header		__KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
body		__KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
body		__KAM_INSTOCK   /in stock/i

# ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 + __KAM_STOCKTIP166 + __KAM_STOCKTIP167 + __KAM_STOCKTIP168 + __KAM_STOCKTIP169 >= 1)

describe        KAM_STOCKTIP    Email Contains Pump & Dump Stock Tip
score           KAM_STOCKTIP    7.1

#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
body            __KAM_STOCK3    /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score           __KAM_STOCK3    0.1
describe        __KAM_STOCK3    Email Looks like it references a 4 character stock symbol

#GENERIC STOCK RULE
meta		KAM_STOCKGEN	(__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe	KAM_STOCKGEN	Email Contains Generic Pump & Dump Stock Tip
score		KAM_STOCKGEN	1.5

#KAM STOCK RULE #2
body		__KAM_STOCK2_1  /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
body		__KAM_STOCK2_2  /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
body		__KAM_STOCK2_3  /stock/i
body		__KAM_STOCK2_4  /trader|investor|analyst|royalties/i
header		__KAM_STOCK2_5	Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
header          __KAM_STOCK2_6  From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i

meta		KAM_STOCK2	(__KAM_STOCK2_1 +  __KAM_STOCK2_2 +  __KAM_STOCK2_3 +  __KAM_STOCK2_4 +  __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
score		KAM_STOCK2	2.5
describe	KAM_STOCK2	Another Round of Pump & Dump Stock Scams

#JUDGEMENTS
body		__KAM_JUDGE1	/(unpaid court|(un-?collected|unsatisfied) judgments)/is
body		__KAM_JUDGE2	/(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body		__KAM_JUDGE3	/collect your money/is
body		__KAM_JUDGE4	/judgment/i
#FULL-WEIGHT
header		__KAM_JUDGE5	Subject =~ /judgment/i

meta		KAM_JUDGE	(__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe	KAM_JUDGE	Email Contains Judicial Judgment Solicitation
score		KAM_JUDGE	2.5

#MEDS
body		__KAM_MED1	/e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body		__KAM_MED2	/\d\d ?%/

describe	KAM_MED		Economizing your meds spam
meta		KAM_MED		(__KAM_MED1 + __KAM_MED2 >= 2)
score		KAM_MED		1.5

#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
header		__KAM_MED2_1	Subject =~ /Pharmacy order \#\d{5}/i

describe	KAM_MED2	More Medical SPAM
meta		KAM_MED2	(__KAM_MED2_1 >= 1)
score		KAM_MED2	1.0

#TIME PIECE
header		__KAM_TIME1	Subject =~ /(replica(\b|$)|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i

#0.50 WEIGHTED TESTS
body		__KAM_TIME2	/(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header		__KAM_TIME3	Subject =~ /(\b|^)(time|watch)(\b|$)/i
body		__KAM_TIME4	/(\b|^)(time|watch)(\b|$)/i
body		__KAM_TIME5	/(funny|low) price|treat.yourself/i
 #REMOVED WORD OMEGA FROM BRANDS.  TOO MANY FPs.
body		__KAM_TIME6	/(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i


meta		KAM_TIME	__KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2) >= 2
describe	KAM_TIME	Pssss.  Hey Buddy, wanna buy a watch?
score		KAM_TIME	3.0

meta		KAM_TIMEGEO	(KAM_GEO_STRING2 && KAM_TIME)
describe	KAM_TIMEGEO	Email references geocities & wrist watch sales
score		KAM_TIMEGEO	3.5

#YOUR HOME
body		__KAM_HOME1	/YOUR HOME|Federal Housing Assistance Program|near.your.area/i
body		__KAM_HOME2	/Build your equity faster|refund is not reversible|rent.to.own/i
body		__KAM_HOME3	/tax saving plans|\d+K Mortgage Credit|no.more.of/i
header          __KAM_HOME4	From =~ /rent.?and.?own|rent.own.list/i
header          __KAM_HOME5	Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i

meta		KAM_HOME	(__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
describe	KAM_HOME	Mortage & Refinance Spam Rule
score		KAM_HOME	3.5

#UNIVERSITY RULE
body		__KAM_UNIV1	/(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body		__KAM_UNIV2	/\d (week|month).{0,30}degree/is
body		__KAM_UNIV3	/(past work|based on your|earned from|life|life and work|present work) experience/is
body		__KAM_UNIV4	/not official degree|non[ -]?accredited/is
body		__KAM_UNIV5	/novelty (degree|use)/is
body		__KAM_UNIV6	/verifiable University Degree/is
body		__KAM_UNIV7	/(life|work) experience (diploma|degree|transcript)/is
body		__KAM_UNIV8	/Career Path/is
body		__KAM_UNIV9	/non[- ]?ac(creditee?d)?.{1,10}universit/is
body		__KAM_UNIV10    /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body		__KAM_UNIV11	/(degree|transcript) in any field|Field of yourr? ch[o�][i�]ce/is
body		__KAM_UNIV12	/(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body		__KAM_UNIV13	/(degree|field|diploma) of your (choice|expertise)/is
body		__KAM_UNIV14	/(earn a|full) transcript/is
body		__KAM_UNIV15	/(No Study Required|Without Exams|No (examinations|[e�]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body		__KAM_UNIV16	/\d weeks.{0,30}graduated/is
header		__KAM_UNIV17	Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body		__KAM_UNIV18	/100% discrete/is

body            __KAM_UNIV1B    /\d (months|weeks)/i
body            __KAM_UNIV2B    /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body		__KAM_UNIV3B	/(dead end job|improve your future, and your income|high paying jobs|bec[�o]me a do[c�]tor|get your diploma today)/is
body		__KAM_UNIV4B	/1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body		__KAM_UNIV5B	/F A S T[ ]{0,4}T R A C K/is
body		__KAM_UNIV6B	/DIP\sLOMA/

meta		KAM_UNIV	((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe	KAM_UNIV	Diploma Mill Rule
score		KAM_UNIV	4.5

#URUNIT
body		__KAM_URUNIT1	/\bur (unit|liveliness|energy level|endurance level)/is
body		__KAM_URUNIT2	/\bur (gf|girl|wife|size|thing|partner|significant other)/is
body		__KAM_URUNIT3A  /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body		__KAM_URUNIT3   /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body		__KAM_URUNIT4	/(bedroom|the bed|nighttime activit|male power|show your girl)/is
body		__KAM_URUNIT5   /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body		__KAM_URUNIT6	/(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header		__KAM_URUNIT7	Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header		__KAM_URUNIT8	Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i

meta		KAM_URUNIT	((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)

describe	KAM_URUNIT	Recent penile and body enhancement spams
score		KAM_URUNIT	0.5

#UR ZEST
body		__KAM_URZEST1	/(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body		__KAM_URZEST2	/or still (?:jaded|worn|drained|exasperated) all the time/i
body		__KAM_URZEST3   /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body		__KAM_URZEST4	/(wks it has been|been mos) since we('| ha)ve chatted/i
body		__KAM_URZEST5   /(back into shape|made me healthier after my disease)/i

meta		KAM_URZEST	(__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe	KAM_URZEST	Recent penile and body enhancement spams
score		KAM_URZEST	3.0

#JOB LET GO
body		__KAM_JOB1	/let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body		__KAM_JOB2	/twice as much/is

meta		KAM_JOB		(__KAM_JOB1 + __KAM_JOB2 >=2)
describe	KAM_JOB		People let go, work at home, earn billions!
score		KAM_JOB		4.3

#PERIMETERPARK
body		KAM_PERPARK	/P e r i m e t e r P a r k C e n t e r/i
describe	KAM_PERPARK	Obfuscated address appearing in SPAM Feb 06
score		KAM_PERPARK	2.5

#HOLLYWOOD WAY
body		KAM_HOLLY	/1 0 2 0 N H o l l y w o o d W a y /i
describe        KAM_HOLLY       Obfuscated address appearing in SPAM Jun 06
score           KAM_HOLLY       2.5

#PUMP & DUMP STOCK GRAPHICS
header		__KAM_STOCKG1	Subject =~ /^Fw: \d{6}$/i
header		__KAM_STOCKG2	Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta		KAM_STOCKG	((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
describe	KAM_STOCKG	Graphical Pump and Dump Scams
score		KAM_STOCKG	3.0

#CEP Diploma Mill
body		__KAM_CEP1	/Job Prospect Newsletter|training.workshop/i
body		__KAM_CEP2	/legitimate verifiable degree|build a better you|domain.knowledge/i
body		__KAM_CEP3	/Career Education program|customize a learning program|certified.instructor/i
body		__KAM_CEP4	/(MBA|CEP)/
body		__KAM_CEP5	/degree\/certificates|certification/i
body            __KAM_CEP6     	/\d (week|month)/i
header          __KAM_CEP7     	From =~ /certificate program/i

meta            KAM_CEP        ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
describe        KAM_CEP        CEP Diploma Mill Rule
score           KAM_CEP        3.5


#Commented since 3.2.0 is pretty old now
#if (version < 3.200000)
#  #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
#    #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
#  meta    	KAM_BLANK01  	(MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
#  describe	KAM_BLANK01	Blank emails
#  score   	KAM_BLANK01     1.0
#
#    #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
#  meta    	KAM_BLANK02     (KAM_BLANK01 && MSGID_FROM_MTA_ID)
#  describe	KAM_BLANK02	Blank emails with MTA Headers
#  score   	KAM_BLANK02     1.0
#endif

#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
uri 		KAM_GEO_STRING2 	/^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe	KAM_GEO_STRING2		Use of geocities/yahoo very likely spam as of Dec 2005
score		KAM_GEO_STRING2		4.7

#KAM GOOGLE SPAM
uri		KAM_GOOGLE_STRING	/^http:\/\/www.google.com\/url\?q=/i
describe	KAM_GOOGLE_STRING	Use of Google redir appearing in spam July 2006
score		KAM_GOOGLE_STRING	1.0

#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri		KAM_MSNBR_REDIR		/g.msn.com.br\/BR9\/1369.0/i
describe	KAM_MSNBR_REDIR		Use of MSN Brasil Redirector for Spam seen in 2011
score		KAM_MSNBR_REDIR		5.0

#KAM MSN SPAM
uri             __KAM_MSN_STRING1         /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri		__KAM_MSN_STRING2	       /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta		KAM_MSN_STRING		(__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe        KAM_MSN_STRING         spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score           KAM_MSN_STRING         2.5

#KAM LIVEJOURNAL SPAM
uri             __KAM_LIVE1              /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta            KAM_LIVE          (__KAM_LIVE1)
describe        KAM_LIVE         blogspot.com & livejournal.com likely spam (Apr 2010)
score           KAM_LIVE         1.0

#KAM PAGE.TL SPAM - idea from Benny Pedersen
uri             __KAM_PAGE1              /^http:\/\/.{0,20}\.(page\.tl)/i
meta            KAM_PAGE          (__KAM_PAGE1)
describe        KAM_PAGE         Page.TL likely spam (Nov 2011)
score           KAM_PAGE         2.0

# This rule is to mark emails using the exploit of the URI parsing
uri 		KAM_URIPARSE       /(\%0[01]|\0).{1,100}\@/i
describe 	KAM_URIPARSE    Attempted use of URI bug-high probability of fraud
score 		KAM_URIPARSE     7.0

#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri             KAM_EBAYREDIR    /.*.ebay.com.*RedirectToDomain/i
#describe        KAM_EBAYREDIR    Attempted use of eBay redirect-likely fraud
#score           KAM_EBAYREDIR    7.0

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
#
#
#What is the correct syntax for AOL e-mail addresses?
#The "user name" is the part of the address that appears before the @ symbol: username@aol.com.
#Valid AOL e-mail addresses can not:
#Be shorter than 3 or longer than 16 characters.
#Begin with numbers.
#Contain punctuation of any kind (such as periods, underscores, or dashes).
#
#

#2017-10-24 upon evidence that AOL no longer follows their syntax.
#Awaiting an updated version however KAM predicts that with the merger that this
#is likely to accommodate other systems like Verizon coming under the same infrastructure.

#UPDATED 2018-02-20
#THANKS to Angel from 16bits for this research:
#Based on tests at https://i.aol.com/reg/signup shows:
#
#Username cannot
#
#a) "Be shorter than 3"
# This is being enforced: «Please make sure that the username field is at
#least 3 characters long
#
#b) or longer than 16 characters.
#The userName field has a maxlength of 32
#(intriguingly, there's also a hidden usernameEmail of up to 97
#characters)
#
#c) Begin with numbers.
#This is being enforced «Your username must begin with a letter.»
#
#d) Contain punctuation of any kind (such as periods, underscores, or
#dashes).
#Both periods and underscores are accepted (they are even offered in the
#dropbox), dashes are not.
#«Your username may not contain characters such as @, !, * or $.»
#
#Periods and underscores may not begin or end the username, or be
#consecutive (not between themselves), ie. these two characters may only
#appear when surrounded by alphanumeric ones.
#
#(this condition for periods actually comes from rfc5321, assuming you
#want to avoid quoting the local part)
#
#
#Basically, it seems they added . and _ to the allowed characters, and
#doubled the username size.
#
#
#The error messages at
#https://sns-static.aolcdn.com/1.19/reg/resources/js/webreg_validate5-built.js also provide relevant information for gathering the rules:
#
#"Please make sure that the username field is at least 3 characters
#long."
#"Please make sure that the username field is at least 3 characters
#long."
#"Your username may not exceed "+regPageData.snMax+" characters."
#"Your username must begin with a letter."
#"Your username may not contain characters such as @, !, * or $.",
#"Your username may not contain characters such as @, !, * or $." (funnily, this is shown if you enter a space)
#"Your username may not contain characters such as @, !, * or $." (this is if it is deemed "not alphanumeric")
#"Usernames cannot end with a dot (.) or underscore (_)."
#"Usernames cannot have consecutive dots (..) or underscores (__)."
#
#"Please make sure that the email address is at least 3 characters long."
#"Your email address may not exceed 97 characters."

header          __KAM_AOL             	From:addr =~ /\@aol\.(com|co\.uk)/i

# username portion must be between 3 & 16 chars, starting with a letter
header		__KAM_GOODAOL1		From:addr =~ /^[a-z].{2,15}\@aol\.(com|co\.uk)/i

# certain punctuation not allowed - This is likely not exhaustive
header		__KAM_BADAOL1		From:addr =~ /[-\!\*\$].*\@aol\.(com|co\.uk)/
# no consectutive periods or underscores
header		__KAM_BADAOL2		From:addr =~ /(\.\.|__).*\@aol\.(com|co\.uk)/
# cannot end with . or underscore
header		__KAM_BADAOL3		From:addr =~ /(\.|_)\@aol\.(com|co\.uk)/i

meta		KAM_BADAOL		(__KAM_AOL && !__KAM_GOODAOL1) || (__KAM_BADAOL1 + __KAM_BADAOL2 + __KAM_BADAOL3 >= 1)
describe	KAM_BADAOL		Invalid AOL Address
score		KAM_BADAOL		7.0

meta            KAM_GOODAOL     	__KAM_AOL && (__KAM_GOODAOL1 && !KAM_BADAOL) && SPF_PASS
describe        KAM_GOODAOL     	Valid AOL Email Address
score           KAM_GOODAOL    		-1.0

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header          KAM_ADV_EMAIL           From:addr =~ /adv\@/i
describe        KAM_ADV_EMAIL           Marks adv@<domain.com> Addresses as likely SPAM
score		KAM_ADV_EMAIL		5.0

#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header    __KAM_SEX_EXPLICIT1    Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header    __KAM_SEX_EXPLICIT2    Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P[^a-zA-Z\d]O[^a-zA-Z\d]R[^a-zA-Z\d]N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i

#TRYING TO GET RID OF FPs WITH LAST NAMES
header	  __KAM_SEX_EXPLICIT3	 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs|fuck(s|ing)?(\b|^))/i

#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body	  __KAM_SEX_EXPLICIT4	 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|(\b|^)anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|\bh0rny|ch0ked|pu\$\$y|f\*cked|F\*ck_|find milfs/i
#remove f\#ck for FPs

header	  __KAM_SEX_EXPLICIT5	 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i
body	  __KAM_SEX_EXPLICIT6	/virus on a porn web/i

meta	  KAM_SEX_EXPLICIT	(__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 + __KAM_SEX_EXPLICIT6 >= 1)
describe  KAM_SEX_EXPLICIT      Subject or body indicates Sexually Explicit material
score     KAM_SEX_EXPLICIT      16.0

#SOLICITING AFFAIR SPAM
header    __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
header    __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
rawbody   __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
rawbody   __KAM_SEX_AFFAIR4 /looking.for.affair/i

meta      KAM_SEX_AFFAIR    (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
describe  KAM_SEX_AFFAIR    Subject or body soliciting an affair
score     KAM_SEX_AFFAIR    8.0

#KAM_TELEWORK
body		__KAM_TELEWORK1	/(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
body		__KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body		__KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
body		__KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
body		__KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
body		__KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
header		__KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
header          __KAM_TELEWORK8 From =~ /training|online/i

meta		KAM_TELEWORK	(__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
describe	KAM_TELEWORK	Stupid telework and training scams
score		KAM_TELEWORK	3.0

#Changed to meta 2017-10-17
#2017-10-23 - Removed .link.  Uniregistry has committed to reviewing abuse concerns.
#2019-11-24 - Removed .bid for FPs
#2020-06-04 - Added FP check for td.date and div.top
#2020-08-23 - Added guru
header 		__KAM_SOMETLD_ARE_BAD_TLD_FROM          From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa)$/i
uri		__KAM_SOMETLD_ARE_BAD_TLD_URI		/\.(pw|stream|trade|press|top|date|guru|Casa)($|\/)/i

#FPs
uri		__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE	/(^|\b)td\.date|div\.top($|\/)/i

meta		KAM_SOMETLD_ARE_BAD_TLD		(__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
describe 	KAM_SOMETLD_ARE_BAD_TLD         .stream, .trade, .pw, .top, .press, .guru, .casa & .date TLD Abuse
score 		KAM_SOMETLD_ARE_BAD_TLD         5.0

#2019-11-24 - Test to do the SOMETLD with WLBLEval - Doesn't work because no uri check for the body
#ifplugin Mail::SpamAssassin::Plugin::WLBLEval
#  enlist_addrlist (BADTLDS) *@*.pw
#  enlist_addrlist (BADTLDS) *@*.stream
#  enlist_addrlist (BADTLDS) *@*.trade
#  enlist_addrlist (BADTLDS) *@*.bid
#  enlist_addrlist (BADTLDS) *@*.press
#  enlist_addrlist (BADTLDS) *@*.top
#  enlist_addrlist (BADTLDS) *@*.date
#
#  header 	__KAM_SOMETLD_ARE_BAD_TLD_FROM eval:check_from_in_list('BADTLDS')
#  body 		__KAM_SOMETLD_ARE_BAD_TLD_URI  eval:check_uri_host_listed('BADTLDS')
#endif

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  #TESTING RULE
  body            KAM_LOCAL_TEST1 	/myspamtest12341234/
  describe        KAM_LOCAL_TEST1 	This is a unique phrase to trigger a + score
  score           KAM_LOCAL_TEST1 	50

  #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
  header          KAM_RPTR_FAILED         X-KAM-Reverse =~ /^Failed/
  describe        KAM_RPTR_FAILED         Failed Mail Relay Reverse DNS Test
  score           KAM_RPTR_FAILED         6.0

  header          __KAM_RPTR_SUSPECT       X-KAM-Reverse =~ /^Suspect/
  meta		  KAM_RPTR_SUSPECT	  (KAM_BODY_MARKETINGBL_PCCC < 1 && __KAM_RPTR_SUSPECT >= 1)
  describe        KAM_RPTR_SUSPECT        Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
  score           KAM_RPTR_SUSPECT        2.45

    #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE.  NOTED by David Goldsmith.
  header          __KAM_RPTR_PASSED       X-KAM-Reverse =~ /^Passed/
  meta		  KAM_RPTR_PASSED	  (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
  describe        KAM_RPTR_PASSED         Passed Mail Relay Reverse DNS Test
  score           KAM_RPTR_PASSED         -1.0

  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0

  #DWDTECHSPAM /ETC
  header          KAM_RPTR_BADHOST        X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
  describe        KAM_RPTR_BADHOST        Very Spammy Hosting Company Identified
  score           KAM_RPTR_BADHOST        9.0

  #CUSTOM SCORES THAT KAM LIKES
  #score          SARE_GIF_ATTACH         3.0
  score           CHARSET_FARAWAY_HEADER  1.6
  score           MIME_CHARSET_FARAWAY    1.25
  score           FH_FROM_CASH            2.0
  score           EWG_BAD_40              1.5
  score           EWG_BAD_47              1.5
  score           EWG_BAD_54              1.5
  score           FREEMAIL_ENVFROM_END_DIGIT      1.0
  score           FREEMAIL_REPLYTO        1.0
  score		  KHOP_BIG_TO_CC          1.5
  score		  URIBL_DBL_SPAM	  5.0
  score		  AC_HTML_NONSENSE_TAGS	  4.0


  #ENABLING DNSWL - BUG 6668
  score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
  score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
  score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
  score RCVD_IN_DNSWL_HI 0 -5 0 -5

  #COMPLETE WHOIS IS DOWN
  #score __RCVD_IN_WHOIS 0
  #score RCVD_IN_WHOIS_INVALID 0
  #score URIBL_COMPLETEWHOIS 0

  #Custom subject whitelist
  #header  	FRANCHISE_JERRY 	Subject =~ /: (Franchise Application|Request Franchise Information)$/i
  #score   	FRANCHISE_JERRY 	-99.0
  #describe      FRANCHISE_JERRY 	Jerry's Franchise Application or Request

  header	KAM_INVALID_FROM	X-KAM-From =~ /From Header Missing Host/
  describe	KAM_INVALID_FROM	From header missing host portion
  score 	KAM_INVALID_FROM	4.0

  #RAPTOR ALTERED EMAILS
  #body		__KAM_RAPTOR1		/altered by our Raptor filters/i
  #header	__KAM_RAPTOR2		X-KAM-Raptor-Alter =~ /True/

  #meta		KAM_RAPTOR		(__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
  #describe	KAM_RAPTOR		PCCC Raptor altered the email
  #score		KAM_RAPTOR		3.5

  #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
  score RCVD_IN_NJABL_CGI 0
  score RCVD_IN_NJABL_MULTI 0
  score RCVD_IN_NJABL_PROXY 0
  score RCVD_IN_NJABL_RELAY 0
  score RCVD_IN_NJABL_SPAM 0
  score __RCVD_IN_NJABL 0

  if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
    dns_query_restriction deny njabl.org
  endif

  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_BADATTACH        X-KAM-BadAttach =~ /^True/
  describe        KAM_BADATTACH        Mail contains a bad attachment
  score           KAM_BADATTACH        15.0

  #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
  #score 	  URIBL_RHS_DOB 	0.0

else
  # no KAMOnly, stub rules
  meta  KAM_RAPTOR_ALTERED 0
  score KAM_RAPTOR_ALTERED 0
  meta  CBJ_GiveMeABreak 0
  score CBJ_GiveMeABreak 0
  meta  KAM_RPTR_SUSPECT 0
  score KAM_RPTR_SUSPECT 0
  meta  KAM_RPTR_FAILED 0
  score KAM_RPTR_FAILED 0
  meta  KAM_RPTR_PASSED 0
  score KAM_RPTR_PASSED 0
endif

#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header		KAM_6C822ECF		Message-Id =~ /\$6c822ecf\@/i
describe	KAM_6C822ECF		$6c822ecf@ VERY prevalent message-ID header in SPAMs
score		KAM_6C822ECF		7.0

#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header		__KAM_MUSTREAD1	Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header 		__KAM_MUSTREAD2	Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i

meta		KAM_MUSTREAD	(__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe	KAM_MUSTREAD	Subject indicative of a SPAM message
score		KAM_MUSTREAD	1.25

body		__KAM_DRILL1	/drilling/i
body		__KAM_DRILL2	/oil (company|partnership|and gas rights)/i
body		__KAM_DRILL3	/(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body		__KAM_DRILL4	/(buy today|Check this deal out)/i

meta		KAM_DRILL	(KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe	KAM_DRILL	Oil Drilling SPAM
score		KAM_DRILL	1.5

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
  header	KAM_IFRAME 	X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
  describe	KAM_IFRAME	Email contained Iframe, Object or Script tags
  score		KAM_IFRAME	1.0

  body		KAM_IFRAME2	/you need a browser with javascript/i
  describe	KAM_IFRAME2	Email contains phrase instructing javascript use
  score		KAM_IFRAME2	1.0

  meta		KAM_IFRAME3	(KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
  score		KAM_IFRAME3	5.0
  describe	KAM_IFRAME3	Likely email exploit - Email shouldn't require javascript in an email attachment

  #XEROX SCANS
  header          __KAM_XEROX1    Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
  meta            KAM_XEROX       (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR_ALTERED >= 2)
  score           KAM_XEROX       5.0
  describe        KAM_XEROX       Likely Fake Xerox Attachment

else
  # no KAMOnly, stub rules
  meta  KAM_IFRAME 0
  score KAM_IFRAME 0
endif

#STUPID REMOVE "*" to make the link working.
body		__KAM_STAR1	/REMOVE ("\*"|space) (in the above|to make the) link/i

meta		KAM_STAR	(__KAM_STAR1 >= 1)
describe	KAM_STAR	Stupid Obfuscated Link SPAMs
score		KAM_STAR	2.0

#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME.
body		__KAM_SPAMKING1	/This advertisement is presented by/is
body		__KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body		__KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body		__KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body		__KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body		__KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is

meta		KAM_SPAMKING	(__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe	KAM_SPAMKING	SPAM using throw-away domains and addresses.  SpamKing's Heir!
score		KAM_SPAMKING	1.0

#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header		KAM_SPAMJDR 	X-Mailerinfo =~ /OTHR_JDR/
describe	KAM_SPAMJDR 	Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771
score		KAM_SPAMJDR	2.0

meta		KAM_COMBOJDR	(KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe	KAM_COMBOJDR	Spam Test for Rules Combined with KAM_SPAMJDR
score		KAM_COMBOJDR	5.0

#LOTTO CRUD
body		__KAM_LOTTO1	/((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation|facebook name was selected)/is

body		__KAM_LOTTO2	/((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)|Micros(oft)? ID/is

body		__KAM_LOTTO3	/(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is

body		__KAM_LOTTO4	/(claims (office|agent|manager|requirement)|lottery coordinator|(certificate|fiduciary) (officer|agent|claims)|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is

body		__KAM_LOTTO5	/(POWERBALL-?LOTTO|freelotto group|(microsoft|Royal Heritage) (promotion|Lottery)|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10}gbp)|cola lotto online|on-?line promotion/is

body		__KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email|active email address|dear e-?mail/is

header		__KAM_LOTTO7	Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number|payment of (prize|claim))/i

header		__KAM_LOTTO8    From =~ /Lottery|powerball|western.union/i

header		__KAM_LOTTO9	Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i

meta		KAM_LOTTO1	(__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
describe	KAM_LOTTO1	Likely to be an e-Lotto Scam Email
score		KAM_LOTTO1	0.75

meta            KAM_LOTTO2      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
describe        KAM_LOTTO2      Highly Likely to be an e-Lotto Scam Email
score           KAM_LOTTO2      1.25

meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 + LOTS_OF_MONEY >= 5)
describe        KAM_LOTTO3      Almost certain to be an e-Lotto Scam Email
score           KAM_LOTTO3      3.0

#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header		__KAM_ABOUT1	Subject =~ /About your Internet (activities|activity)/i
body		__KAM_ABOUT2    /Spyware/i

meta		KAM_ABOUT	(__KAM_ABOUT1 + __KAM_ABOUT2 >=2)
describe	KAM_ABOUT	Email Scam Hawking Anti-Spyware
score		KAM_ABOUT	1.0

#EMAIL ADVERTISING
body		__KAM_ADVERT1   /email advertising|\d{3}%.roi/is
body		__KAM_ADVERT2	/instant traffic (to your website|and sales)|demand.generation/is
body		__KAM_ADVERT3   /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
header		__KAM_ADVERT4   Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i

meta		KAM_ADVERT	(__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe	KAM_ADVERT	Mailing List Scammers Hawking Their Lists / Services
score		KAM_ADVERT	2.5

#DOMAIN ADVERTISING
body		KAM_ADVERT3	/AllExpiringDomains.com/i
describe	KAM_ADVERT3	Traffic / Expiring Domain List Spam
score		KAM_ADVERT3	5.0

#ADVERTISEMENT
body		KAM_ADVERT2	/No longer interested in our offers|This (message|email)? is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No\-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a (commercial|commericial)|This message brought to you|THIS EMAIL IS A COMMERCIAL|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad\-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by\:|This communication is an advertisement|removal from further update|inbox by requesting removal|No more incoming messages will be delivered|Never receive these again|This is an ad\-coresspondance|this page is an advertise?ment|this is an \(adver\-?tisement\)|this page are an.ad|statements above are an.ad|advertis.e.ment/is
describe	KAM_ADVERT2	This is probably an unwanted commercial email...
score		KAM_ADVERT2	0.75

#ONE LINE ADVERTISEMENTS
body		__KAM_1LINE1	/(free score and report|Did you overpay\?)/is
header		__KAM_1LINE2	Subject =~ /(free online score & report|I need tax savings? tip)/i

meta		KAM_1LINE	(__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe	KAM_1LINE	One liner SPAMs
score		KAM_1LINE	2.5

#CAN SPAM
body		KAM_CANSPAM	/(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines|compliant with all legal provisions of the CAN-SPAM Act)/is
describe	KAM_CANSPAM	SPAM = Lack of Consent (not a Legal Definition)
score		KAM_CANSPAM	1.0

#GIFTS / GIFT CARDS
body		__KAM_GIFT1	/(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
body		__KAM_GIFT2	/(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body		__KAM_GIFT3	/every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
body		__KAM_GIFT4	/card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
body		__KAM_GIFT5	/member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
header		__KAM_GIFT6	From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i

meta		KAM_GIFT	((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_SHORT >= 3) && __KAM_GIFT6)
describe	KAM_GIFT	Gift Card Scams
score		KAM_GIFT	3.5

meta		KAM_GIFT2       ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
describe	KAM_GIFT2       Gift Card Scams
score		KAM_GIFT2       3.5

#MYSTERY SHOPPER
body		__KAM_SHOP1	/chosen to participate as a Mystery Shopper/is
body		__KAM_SHOP2	/Do you like to shop/is
body		__KAM_SHOP3	/make money while you shop/is
meta		KAM_SHOP	(__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe	KAM_SHOP	Mystery Shopper Scams
score		KAM_SHOP	2.0

#FAST CASH
rawbody		__KAM_FAST1	/make fast cash in real estate/is
meta		KAM_FAST	(__KAM_FAST1 + KAM_ADVERT2 >=2)
describe	KAM_FAST	Get Rich Quick, Make Money Fast Schemes
score		KAM_FAST	1.8

#BIZ CARDS FREE!
body		__KAM_BIZ1	/You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
header		__KAM_BIZ2	Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
header		__KAM_BIZ3	From =~ /Free Business Cards|Custom Printing|Premium Cards/i

meta		KAM_BIZ		(__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe	KAM_BIZ		Free Business Card Emails
score		KAM_BIZ		2.5

#FDA
body		__KAM_FDA1	/statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body		__KAM_FDA2	/not intended to diagnose,? treat,? cure,? or prevent/i
body		__KAM_FDA3	/FDA Recall/i

meta		KAM_FDA		(__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe	KAM_FDA		Carries a not evaluated by the FDA warning or recall warning
score		KAM_FDA		0.5

#WEIGHT LOSS
body		__KAM_WEIGHT1	/(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
body		__KAM_WEIGHT2	/(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
header		__KAM_WEIGHT3   Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
#rawbody		__KAM_WEIGHT4	/shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
header          __KAM_WEIGHT5   From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i

#ANATRIM / GREEN TEA / CORTITHERM / ETC
body		__KAM_ANA1	/(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
header		__KAM_ANA2	From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i

meta		KAM_ANA		(__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
describe	KAM_ANA		Likely Weight-loss / Medical Spam
score		KAM_ANA		3.0

meta		KAM_ANA2	(__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
describe	KAM_ANA2	Higher probability of Weight-loss / Medical Spam
score		KAM_ANA2	3.5

#REPLACE
body		__KAM_REP1	/Replace \[?[-!~\.]\]? with \./is
body		__KAM_REP2	/www\s+[-!~\.]/i

body            __KAM_REP2_1    /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body            __KAM_REP2_2    /in your (IE|internet|explorer|browser)/i

body		__KAM_REP3_1	/\*omit empty spaces/is
body		__KAM_REP3_2	/.\s+(COM|org|net|info)$/i

meta		KAM_REPLACE	(__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe	KAM_REPLACE	Spams that use obfuscated URLs with instructions
score		KAM_REPLACE	2.0

#EVEN MORE NIGERIAN SCAMS AND VARIANTS
body		__KAM_NIGERIAN1	/(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
body		__KAM_NIGERIAN2	/(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
body		__KAM_NIGERIAN3	/(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
body		__KAM_NIGERIAN4	/(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
body		__KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i

meta		KAM_NIGERIAN	(__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe	KAM_NIGERIAN	Nigerian Scam and Variants
score		KAM_NIGERIAN	2.5

#I LIKE YOUR SPAM
body		__KAM_LIKE1	/been working (extremely|very) hard on my friend's website/is
body		__KAM_LIKE2	/a link from .{1,54} would be greatly appreciated/is
body		__KAM_LIKE3	/(link exchange|in return to me linking back)/is
body		__KAM_LIKE4	/HTML code for the link/is
body		__KAM_LIKE5	/I apologize if this message was sent, in error/is

meta		KAM_LIKE	(__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe	KAM_LIKE	I like your website link exchange spam
score		KAM_LIKE	2.0

#PUBLICLY AVAILABLE LISTS?
body		KAM_PUBLIC	/obtained your email address from a publicly available list|find your mail in public forum/is
describe	KAM_PUBLIC	Obtained from Public List != to Consent == SPAM!
score		KAM_PUBLIC	9.0

#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body		__KAM_SEX1	/(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body		__KAM_SEX2	/(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
header		__KAM_SEX3	Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body		__KAM_SEX4	/(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i

describe	KAM_SEX		Sexually Explicit SPAM / Penis Enlargement Scam
score		KAM_SEX		7.0
meta		KAM_SEX		(__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)

#STUPID PICTURE SPAMS
body		__KAM_PIC1      /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
body		__KAM_PIC2      /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
body		__KAM_PIC3	/like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
body		__KAM_PIC4	/(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
body		__KAM_PIC5	/picture|photo|my pics|appended my pic/i

describe	KAM_PIC		Share Pictures and Chat SPAM
score		KAM_PIC		3.5
meta		KAM_PIC		(__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)

#STUPID MAILING LIST SPAMS
body		__KAM_LIST1	/((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
body		__KAM_LIST2	/(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
body		__KAM_LIST3	/price\:|prices for our director/is
body		__KAM_LIST4	/(?:database|list|[\d,]+ (total records|e-?mails))/is
body		__KAM_LIST5	/(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
header		__KAM_LIST6	Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i

describe	KAM_LIST	Mailing List Database SPAM
score		KAM_LIST	3.0
meta		KAM_LIST	(__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)

#YET MORE DRUG SCAMS
body		__KAM_DRUG1     /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
body		__KAM_DRUG2	/cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
rawbody		__KAM_DRUG3	/local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body		__KAM_DRUG4	/click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is

describe	KAM_DRUG	More Viagra, Medicine, et al Scams
score		KAM_DRUG	2.5
meta		KAM_DRUG	(__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)

#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
#Thanks to Jamie for pointing out I missed a 1918 range.
rawbody            __KAM_GOODIPHTTP        /https?:\/\/(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)/i
rawbody            __KAM_IPHTTP            /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe        KAM_BADIPHTTP           Due to the Storm Bot Network, IPs in emails is bad
score           KAM_BADIPHTTP           2.0
meta            KAM_BADIPHTTP           (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)

body		__KAM_HIDDEN_URI1	/\[DOT\]com/is
body		__KAM_HIDDEN_URI2	/replace "?\[DOT\]/is
meta		KAM_HIDDEN_URI		(__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe	KAM_HIDDEN_URI		URI obfuscation techniques
score		KAM_HIDDEN_URI		4.0

#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody		__KAM_INFOUSMEBIZ1	/http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header		__KAM_INFOUSMEBIZ2	From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
header		__KAM_INFOUSMEBIZ3	Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i

meta		KAM_INFOUSMEBIZ	(__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score		KAM_INFOUSMEBIZ	0.75
describe	KAM_INFOUSMEBIZ	Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware

# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science, .casa
rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|farm|work|rocks|science|club|casa)(?![-\.])(\b|\/)/i
header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|farm|work|rocks|science|club|casa)$/i
header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|farm|work|rocks|science|club|casa)>?$/i

meta            KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score           KAM_OTHER_BAD_TLD 0.75
describe        KAM_OTHER_BAD_TLD Other untrustworthy TLDs


#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body		__KAM_CARD1	/(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body		__KAM_CARD2	/(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
body		__KAM_CARD3	/I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header		__KAM_CARD4	Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
rawbody		__KAM_CARD5	/postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i

describe	KAM_CARD	Trojan or Virus Payload from fake ecard notice
score		KAM_CARD	3.5
meta		KAM_CARD	(__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)

#INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
header		__KAM_INSURE1	Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
body		__KAM_INSURE2	/find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
header		__KAM_INSURE3	From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
body		__KAM_INSURE4	/why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i

describe	KAM_INSURE	Life, Health, Auto, etc. Insurance SPAMs
score		KAM_INSURE	2.5
meta		KAM_INSURE	(__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)

describe	KAM_INSURE2     Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
score		KAM_INSURE2     2.5
meta		KAM_INSURE2     (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)

#HEALTH INSURANCE
body            __KAM_HEALTH1   /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body            __KAM_HEALTH2   /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
rawbody         __KAM_HEALTH3   /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
rawbody         __KAM_HEALTH4   /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
header          __KAM_HEALTH5   Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i

describe        KAM_HEALTH      Health/Life Insurance Spam Emails
score           KAM_HEALTH      3.0
meta            KAM_HEALTH      (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)

#HEALTH INSURANCE
body            __KAM_HEALTH2_1   /affordable health coverage/i
header          __KAM_HEALTH2_2   Subject =~ /health insurance quote/i

describe        KAM_HEALTH2     Health Insurance Spam Emails
score           KAM_HEALTH2     3.0
meta            KAM_HEALTH2     (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)

#HEALTH INSURANCE
header          __KAM_HEALTH3_1   Subject =~ /Term Life Coverage/i
header          __KAM_HEALTH3_2   Subject =~ /\d\d\/mo/i
header          __KAM_HEALTH3_3   From =~ /fidelity/i

describe        KAM_HEALTH3     Term Life Insurance Spam
score           KAM_HEALTH3     3.0
meta            KAM_HEALTH3     (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)

#REAL ESTATE INVESTMENT SCAMS
body		__KAM_REAL2_1	/(?:Property available|on the water|costa rica|mountain.top)/i
body		__KAM_REAL2_2	/(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
body		__KAM_REAL2_3	/(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body		__KAM_REAL2_4	/(?:home sites|raw land|vacation home|wooded.property)/i
body		__KAM_REAL2_5	/(?:developers|estates|buyer flying in|retirement plans|liquidation)/i

describe	KAM_REAL2	Real-estate investment scams
score		KAM_REAL2	1.0
meta		KAM_REAL2	(__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)

#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES

ifplugin Mail::SpamAssassin::Plugin::PDFInfo
  #Thanks to Ben Lentz for pointing out a lint error with this.

  describe	KAM_BADPDF	Prevalent Junk PDF SPAMs - BAD SUBJECT
  score		KAM_BADPDF	2.5
  header		KAM_BADPDF	Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i

  describe	KAM_BADPDF1 	Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
  score		KAM_BADPDF1	2.5
  meta            KAM_BADPDF1     (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)

  #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule.  That was NOT the intent.
  describe        KAM_BADPDF2     Prevalent Junk PDF SPAMs - 3 STRIKES
  score           KAM_BADPDF2     2.5
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    meta            KAM_BADPDF2     (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
  else
    meta            KAM_BADPDF2     (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
  endif
endif


ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_BADPO1 Content-Type =~ /Purchase.Order|New.Invoice/i
  mimeheader    __KAM_BADPO2 Content-type =~ /PDF\.html?/i
endif

header		__KAM_BADPO3	Subject =~ /New Order|PO(\b|$)|PO\d\d\d|Purchase Order|Invoice/i

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta		KAM_BADPO 	(KAM_RAPTOR_ALTERED + __KAM_BADPO3 >= 2)
  describe	KAM_BADPO	Bad Purchase Orders
  score		KAM_BADPO	5.0
endif

meta		KAM_BADPO2	(__KAM_BADPO1 + __KAM_BADPO2 + T_HTML_ATTACH >= 3)
describe	KAM_BADPO2	Bad Purchase Orders
score		KAM_BADPO2	5.0

  #PDFCOUNT

#FAKE PDF READER/WRITE
body		__KAM_FAKEPDF1	/Download PDF Reader.Writer/is
body		__KAM_FAKEPDF2	/Reader 2010/is
header		__KAM_FAKEPDF3  From =~ /adobe/is
header		__KAM_FAKEPDF4  Subject =~ /reader.writer version 2010/is

meta		KAM_FAKEPDF	(__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3)
describe	KAM_FAKEPDF	Fake PDF Reader / Writer
score		KAM_FAKEPDF	4.0

#VACU AND VARIOUS PHISHING SCAMS
  #SUBJECTS
header		__KAM_PHISH2_1	Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
  #BANKS
body		__KAM_PHISH2_2	/Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
  #BAD LINKS
rawbody		__KAM_PHISH2_3	/https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
  #STUPID STATEMENTS
body		__KAM_PHISH2_4	/unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
body		__KAM_PHISH2_5	/account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
body		__KAM_PHISH2_6  /confirm your online banking details|payment.advice|online.fraud|billing.information/i
body		__KAM_PHISH2_7  /extra security check|security.tip/i

describe	KAM_PHISH2	Prevalent Phishing Scam emails
score		KAM_PHISH2	2.0
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta		KAM_PHISH2	(__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
else
  meta		KAM_PHISH2	(__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))
endif

#CRAZY HEX EMPTY MESSAGE
body		__KAM_HEX1	/^[a-f0-9]{8}(\b|$)/i
header		__KAM_HEX2	Subject =~ /^\d{5,6}$/

describe	KAM_HEX		Crazy Empty Hex Messages
score		KAM_HEX		5.5
meta		KAM_HEX		(__KAM_HEX1 + __KAM_HEX2 >= 2)

#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP.
header		KAM_THEBAT	X-Mailer =~ /The Bat!/i
describe	KAM_THEBAT	Abused X-Mailer Header for The Bat! MUA
score		KAM_THEBAT	1.9

#MAILER BUGS
body		__KAM_MAILER1	/{!firstname_fix}/i

meta		KAM_MAILER	(__KAM_MAILER1 >= 1)
score		KAM_MAILER	2.0
describe	KAM_MAILER	Automated Mailer Tag Left in Email

#YET ANOTHER NIGERIAN SCAM VARIANT
body		__KAM_CHECK1	/delivery fee for your che(que|ck) draft/i
body		__KAM_CHECK2	/let me know when you recieve your money/i

describe	KAM_CHECK	Another Nigerian Bank Draft Scam
score		KAM_CHECK	3.0
meta		KAM_CHECK	(__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)

#SEE OPRAH LIVE!
body		__KAM_OPRAH1	/airfare/i
body		__KAM_OPRAH2	/hotel/i
body		__KAM_OPRAH3	/oprah/i
header		__KAM_OPRAH4	Subject =~ /see\s+.*oprah\s+.*live/i

describe	KAM_OPRAH	SPAMs re: Oprah Winfrey Show
score		KAM_OPRAH	2.5
meta		KAM_OPRAH	(__KAM_OPRAH1 + __KAM_OPRAH2  + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)

#EBAY TIPS
body		__KAM_EBAY1	/Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body		__KAM_EBAY2	/Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header		__KAM_EBAY3	Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i

describe	KAM_EBAY	SPAMs re: eBay Auction Tips
score		KAM_EBAY	3.5
meta		KAM_EBAY	(__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)

#GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
body		__KAM_GAS1	/Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
body		__KAM_GAS2	/We have a solution|save \d+ cents per gallon|competitive rewards/i
header		__KAM_GAS3	Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
header		__KAM_GAS4	From =~ /gas/i

describe	KAM_GAS		SPAMs re: High Gas Prices
score		KAM_GAS		4.5
meta		KAM_GAS		(__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)

#WEIRD BODY MESSAGES
body		KAM_BODY	/{_BODY_HTML}/i
score		KAM_BODY	1.0
describe	KAM_BODY	Odd Erectile Dysfunction Messages with Poor Formatting

#FREE TV, SATELLITE, CABLE INTERNET, ETC
body		__KAM_TV1	/watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service|existing.smart.tv/i
body		__KAM_TV2	/without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed|sysview/i
header		__KAM_TV3	Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo|smart.tv/i
header		__KAM_TV4	From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i

meta		KAM_TV		(__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score		KAM_TV		3.0
describe	KAM_TV		Free TV/Cable/etc. Scams

meta		KAM_TV2		(KAM_TV + KAM_INFOUSMEBIZ >=2)
score		KAM_TV2		3.5
describe	KAM_TV2		Higher probability of Free TV/Cable/etc. Spams

#DEGREE SPAMS
body		__KAM_CAREER1	/Hospitals need you|Medical Billing and Coding|medical.coding/is
body		__KAM_CAREER2	/Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
body		__KAM_CAREER3	/unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is

meta		KAM_CAREER	(__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
score		KAM_CAREER	5.0
describe	KAM_CAREER	Spam for Career/Diploma Mills

#NURSE SPAMS
header          __KAM_NURSE1   From =~ /nursing|nurses|health.?care/i
header          __KAM_NURSE2   Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
body            __KAM_NURSE3   /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i

meta            KAM_NURSE      (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
score           KAM_NURSE      3.0
describe        KAM_NURSE      Spam for Career/Diploma Mills

#PILLS
header		__KAM_PILLS1	Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body		__KAM_PILLS2  	/be (thrifty|smart|clever), buy your (pills|drugs|medications)/i

meta		KAM_PILLS	(__KAM_PILLS1 + __KAM_PILLS2 >=2)
score		KAM_PILLS	4.0
describe	KAM_PILLS	Spam for scam pharmacy

#PILLS 2.0
header   	__KAM_PILLS2_1  From =~ /Enlarge|Men's Supplement/i
header 		__KAM_PILLS2_2 	From =~ /Free Sample/i

meta 		KAM_PILLS2 	(__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
describe 	KAM_PILLS2 	Male enhancement spams
score 		KAM_PILLS2 	2.5

#ALTERNATE EMAIL
body		__KAM_ALT1	/reply to my alternative E-?mail/is

meta		KAM_ALT		(__KAM_ALT1 >= 1)
score		KAM_ALT		0.5
describe	KAM_ALT		Requests use of an alternate email which may indicate spam


#POLITICAL SPAMS
#AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS

#Right vs Left
header		__KAM_POLITICS1	From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
body		__KAM_POLITICS2	/Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
header		__KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
header          __KAM_POLITICS4 Subject =~ /alert:?.?election|(republican|democratic).party|and.vote|impeach|insanity|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i

meta		KAM_POLITICS	(__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
score		KAM_POLITICS	4.5
describe	KAM_POLITICS	Unsolicited Political E-Mails

#SPAMMING COMPANIES

#Wall Street Media
header		__KAM_COMPANY1	From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i

meta		KAM_COMPANY1	(__KAM_COMPANY1 >= 1)
score		KAM_COMPANY1	5.0
describe	KAM_COMPANY1	Egregious spammers that should also be on RBLs (and might be)

#MGM,LLC
body          	__KAM_COMPANY2_1	/Member Services MGM, LLC/is

meta            KAM_COMPANY2   	 	(__KAM_COMPANY2_1 >= 1)
score           KAM_COMPANY2    	5.0
describe        KAM_COMPANY2    	Egregious spammers that should also be on RBLs (and might be)

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

  #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
  #Thanks to AXB for his help with these!

  #2013-10-09 Note
  #
  #These RBL's below can contain domains that can cause collateral damage.
  #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
  #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
  #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
  #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
  #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
  #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
  #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com

  if (version >= 3.003000)
    #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
    util_rb_2tld ning.com
    util_rb_2tld mygbiz.com
    util_rb_2tld web.com
    util_rb_2tld onmicrosoft.com
    util_rb_2tld online.de
    util_rb_2tld wix.com
    util_rb_2tld netdna-cdn.com
    util_rb_2tld dreamhost.com
    util_rb_2tld noip.us
    util_rb_2tld mmsend.com
    util_rb_2tld cu-portland.edu
    util_rb_2tld jimdo.com
    util_rb_2tld doesphotography.com
    util_rb_2tld isteaching.com
    util_rb_2tld googleapis.com
    util_rb_2tld a2hosted.com
  endif

  # allow URI rules to look at DKIM headers if they exist and our SA version supports it
  if (version >= 3.0040001)
    parse_dkim_uris 1
  endif

  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    #BAD URI IN BODY
    urirhssub  KAM_BODY_URIBL_PCCC    wild.pccc.com. A 127.0.0.4
    body       KAM_BODY_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL_PCCC')
    describe   KAM_BODY_URIBL_PCCC    Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    tflags     KAM_BODY_URIBL_PCCC    net
    score      KAM_BODY_URIBL_PCCC    9.0

    if (version >= 3.004001)
      #BAD URI IN FROM
      #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
      header     KAM_FROM_URIBL_PCCC    eval:check_rbl_from_domain('pccc-from-uribl', 'wild.pccc.com.', '127.0.0.4')
      describe   KAM_FROM_URIBL_PCCC    From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
      tflags     KAM_FROM_URIBL_PCCC    net
      score      KAM_FROM_URIBL_PCCC    9.0
    endif

    #MARKETING IN BODY - MARKETING RBL IS PRIMARILY FOR META TESTS
    urirhssub  KAM_BODY_MARKETINGBL_PCCC    wild.pccc.com. A 127.0.0.32
    body       KAM_BODY_MARKETINGBL_PCCC    eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
    describe   KAM_BODY_MARKETINGBL_PCCC    Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
    tflags     KAM_BODY_MARKETINGBL_PCCC    net
    score      KAM_BODY_MARKETINGBL_PCCC    0.001

    if (version >= 3.004001)
      #MARKETING IN FROM
      header     KAM_FROM_MARKETINGBL_PCCC    eval:check_rbl_from_domain('pccc-marketing', 'wild.pccc.com.', '127.0.0.32')
      describe   KAM_FROM_MARKETINGBL_PCCC    From address associated with mass-marketing (https://raptor.pccc.com/RBL)
      tflags     KAM_FROM_MARKETINGBL_PCCC    net

      score      KAM_FROM_MARKETINGBL_PCCC    0.001

      meta       KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
      describe   KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
      score      KAM_MARKETINGBL_PCCC 1.0
    endif
  endif

  if (version >= 3.004001)
    ifplugin Mail::SpamAssassin::Plugin::KAMOnly
      #Compromised URI - In Body
      urirhssub  KAM_BODY_COMPROMISED_URIBL_PCCC    wild.pccc.com. A 127.0.1.2
      body       KAM_BODY_COMPROMISED_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL2_PCCC')
      describe   KAM_BODY_COMPROMISED_URIBL_PCCC    Body contains URI listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
      tflags     KAM_BODY_COMPROMISED_URIBL_PCCC    net
      score      KAM_BODY_COMPROMISED_URIBL_PCCC    9.0

      #Contains a likely good URI but otherwise compromised by malware/hackers
      header     KAM_FROM_COMPROMISED_URIBL_PCCC    eval:check_rbl_from_domain('pccc-compromised-uribl', 'wild.pccc.com.', '127.0.1.2')
      describe   KAM_FROM_COMPROMISED_URIBL_PCCC    From address listed in PCCC Compromised URIBL (https://raptor.pccc.com/RBL)
      tflags     KAM_FROM_COMPROMISED_URIBL_PCCC    net
      score      KAM_FROM_COMPROMISED_URIBL_PCCC    9.0
    endif
  endif

  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    #Received - Currently disabled for more research on FPs
    #header     KAM_RCVD_URIBL_PCCC    eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
    #describe   KAM_RCVD_URIBL_PCCC    Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    #tflags     KAM_RCVD_URIBL_PCCC    net
    #score      KAM_RCVD_URIBL_PCCC    5.0

    #Reply-to
    #NO SOLUTION - Would make a Good Bugzila for a FR

    #Test for any hits on PCCC URIBL Rules
    meta	     __KAM_URIBL_PCCC  (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1)

  endif

  #Test for URIBL Black and Spamhaus DBL per discussion ith Alex Broens
  meta     KAM_VERY_BLACK_DBL    (URIBL_BLACK && URIBL_DBL_SPAM)
  describe KAM_VERY_BLACK_DBL    Email that hits both URIBL Black and Spamhaus DBL
  score    KAM_VERY_BLACK_DBL    5.0

endif

#EMAIL BLACKLIST CHECK FOR PCCC RBL
ifplugin Mail::SpamAssassin::Plugin::EmailBL
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    #uses emailbl -all which is the same as -headers and -bodysafe
    header   KAM_MESSAGE_EMAILBL_PCCC  eval:check_emailbl('freemail-all', 'wild.pccc.com', '127.0.0.64')
    describe KAM_MESSAGE_EMAILBL_PCCC  Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    tflags   KAM_MESSAGE_EMAILBL_PCCC  net
    score    KAM_MESSAGE_EMAILBL_PCCC  6.0
  endif
endif

#FAKERBL MX RELATED RULES
header		__KAM_MX1		Reply-To =~ /\@mx\d+\./i
header		__KAM_MX2		Return-Path =~ /\@mx\d+\./i
header		__KAM_MX3		Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
header		__KAM_MX4		Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
# Thanks to Markus Clardy for feedback!
header		__KAM_MX5		Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\.[^\s]{1,20}\.info\b/i

meta		__KAM_MX		(__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
describe	__KAM_MX		Odd prevalence of mx records associated with the FAKERBL Spammers

#CHANGED KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  meta            KAM_MX                 (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
  score           KAM_MX                 4.0
  describe        KAM_MX                 Spammers and MX Rule

endif

meta		KAM_MXINFO		(__KAM_MX5)
score		KAM_MXINFO		1.0
describe	KAM_MXINFO		MX Record and dot info domains associated with FAKERBL Spammers

#BAD NAMES
body            __KAM_BADNAME1          /CocoMedia|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Satell Center for Executive Education|Pacific Shores Investments|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|Pimsleur Approach|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|Ashray Medical Center|Bethany Christian Services|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|Momentum.Ads|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC/i

header		__KAM_BADNAME2		From =~ /CMI Free Stuff|Vista Del Mar Productions|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i

#GRASS SEED
header          __KAM_GRASS1  	From =~ /(Patch|Perfect|Lawn)/i
header		__KAM_GRASS2	Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
body		__KAM_GRASS3 	/Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i

meta		KAM_GRASS	(__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
score		KAM_GRASS	2.5
describe	KAM_GRASS	Spammers hawking lawn products

#PED EGG / BELISI / SKIN PRODUCTS
header          __KAM_SKIN1    	From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
header          __KAM_SKIN2    	Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
rawbody         __KAM_SKIN3    	/Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
body		__KAM_SKIN4	/feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i

meta            KAM_SKIN       (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 +  __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
score           KAM_SKIN       3.5
describe        KAM_SKIN       Spammers hawking skin/medical/foot products

meta            KAM_SKIN2      (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 +  __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
score           KAM_SKIN2      2.5
describe        KAM_SKIN2      Spammers hawking skin/medical/foot products

#NEW CAR / WARRANTY SCAMS
header		__KAM_CAR1	Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
body		__KAM_CAR2	/buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
body		__KAM_CAR3	/unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
header		__KAM_CAR4	From =~ /warranty|lender|clearance/i

meta		KAM_CAR       (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
score           KAM_CAR       2.0
describe        KAM_CAR       Spammers hawking new car, insurance or warranties

# MORE NEW CAR SPAMS
header          __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
header          __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
body            __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i

meta            KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
describe        KAM_AUTO Spam for new cars
score           KAM_AUTO 4.5

#HOME WARRANTY SPAMS
header		__KAM_WARRANTY1  Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i
body		__KAM_WARRANTY2	 /Protect your home|choice home warranty|unexpected repair/i
body		__KAM_WARRANTY3  /home warrant|complimentary insurance quote/i
header		__KAM_WARRANTY4	 From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i

meta		KAM_WARRANTY	(__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
score		KAM_WARRANTY	1.5
describe	KAM_WARRANTY	Spammers hawking home warranties

meta		KAM_WARRANTY2	(KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
score		KAM_WARRANTY2	3.5
describe	KAM_WARRANTY2	Spammers pushing home warranties

meta		KAM_WARRANTY3	(__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
score		KAM_WARRANTY3	1.5
describe	KAM_WARRANTY3	Spammers hawking home warranties

#AWESOME AUGER
header		__KAM_AUGER1	Subject =~ /Dig Holes|plant Trees/i
body		__KAM_AUGER2	/Awesome Auger/i

meta		KAM_AUGER	(__KAM_AUGER1 + __KAM_AUGER2 >= 2)
score		KAM_AUGER	4.0
describe	KAM_AUGER	Spammers hawking Awesome Augers?!?

#MOVIE EXTRA
header		__KAM_MOVIE1	Subject =~ /Movie Extra/i
body		__KAM_MOVIE2	/Movie Extra/i

meta		KAM_MOVIE	(__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
score		KAM_MOVIE	3.0
describe	KAM_MOVIE	Spammers hawking Movie Extra positions

#DEBT COLLECTION
header		__KAM_COLLECT1	Subject =~ /You Pay Nothing/i
body		__KAM_COLLECT2	/No Fee/i
body		__KAM_COLLECT3	/collection professionals/i
body		__KAM_COLLECT4  /recovery rate/i

meta		KAM_COLLECT	(__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
score		KAM_COLLECT	5.0
describe	KAM_COLLECT	Spammers hawking debt collection


#SEARCH ENGINE SPAM
 #Subj
header		__KAM_SEARCH1	Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.(package|service)|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health|(first|1st) page/i
 #what specific
body		__KAM_SEARCH2	/search (ranking|engine)|S\.?E\.?O|bring.traffic|business.development|marketing strateg/i
 #ranging
body		__KAM_SEARCH3	/(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on|top in Google|1st page|more (clients|customers)|organic search/i
 #how
body	__KAM_SEARCH4	/guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry|high.revenue|plans? and pric|keyword|full proposal|online reputation|(blog|article|pr|search engine) (promotion|submission)/i
 #who
rawbody		__KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution|(development|marketing) (executive|consultant)|SEO expert|sales manager/i

meta 		KAM_SEARCH	(__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score		KAM_SEARCH	5.0
describe	KAM_SEARCH	Spammers hawking SEO

#SEO
header		__KAM_SEO1	Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service|SEO Outsourcing|affordable package|quick result|ranking report/i
#what we give you
body		__KAM_SEO2	/(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building|business SEO|ranking report/i
tflags		__KAM_SEO2	nosubject
#what we do/fix
body		__KAM_SEO3	/(came across|never find) your web.?site|major search engines|paid access to tools|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website|not ranking well|Google rankings/i
#SEO
body		__KAM_SEO4	/SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking|SEO Packages/i
#costs
body		__KAM_SEO5	/more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top|pricelist|completely free|No upfront fees|free trial/i
#SEO Indicators
body		__KAM_SEO6	/will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion|quality junk spam/i
# LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...
uri             __KAM_SEO7      /./

meta		KAM_SEO		(__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + KAM_ADVERT2 >= 5)
score		KAM_SEO		7.0
describe	KAM_SEO		Spammers hawking SEO

#ABUSED FREEMAIL ACCOUNTS
#header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
#header		__KAM_FREEMAIL2	From =~ /speakeasylingerie\@gmail.com/i
#meta		__KAM_FREEMAIL	(__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)

#LINGERIE VIDEOS
#header		__KAM_LINGERIE1	From =~ /lexi campbell/i
#header		__KAM_LINGERIE2	Subject =~ /Exotic modeling Videos/i
#header		__KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
#body		__KAM_LINGERIE4 /Exotic modelling videos/i

#meta		KAM_LINGERIE	(__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
#score		KAM_LINGERIE	10.0
#describe	KAM_LINGERIE	Sexually Explicity Lingerie Spam


#WEB DESIGN
header		__KAM_WEB1	Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i
body		__KAM_WEB2	/INDIA based IT|indian.based.website|certified.it.company/i
body		__KAM_WEB3	/Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i

meta		KAM_WEB		(__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
score		KAM_WEB		4.0
describe	KAM_WEB		Web design spams

#DOMAIN NAME AND OTHER RELATED SPAMS
body		__KAM_DOMAIN1	/Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
body		__KAM_DOMAIN2	/(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
body		__KAM_DOMAIN3	/(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
header		__KAM_DOMAIN4	From =~ /domain|submit.site/i
header          __KAM_DOMAIN5   Subject =~ /\.com$/i

meta		KAM_DOMAIN	(__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3)
score		KAM_DOMAIN	8.5
describe	KAM_DOMAIN	Domain Selling Spams

#MEDICAL TOURISM SPAM
body		__KAM_MEDTOUR1	/medical.tourism/i
body		__KAM_MEDTOUR2	/lowest cost in India/i
header		__KAM_MEDTOUR3	Subject =~ /Medical.Tourism/i

meta		KAM_MEDTOUR	(__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
score		KAM_MEDTOUR	3.0
describe	KAM_MEDTOUR	Medical Tourism Spam

#ACNE SPAM
header		__KAM_ACNE1	Subject =~ /Proactiv/i
header		__KAM_ACNE2	From =~ /Acne/i
body		__KAM_ACNE3	/proactiv/i
body		__KAM_ACNE4	/Online Gift Rewards/i

meta            KAM_ACNE      (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
score           KAM_ACNE      5.0
describe        KAM_ACNE      Spammers hawking Acne products

#SOFTWARE SPAM
header		__KAM_SOFTWARE1		Subject =~ /fix Windows File Errors/i
header		__KAM_SOFTWARE2		From =~ /registry/i
body		__KAM_SOFTWARE3		/Fix file errors/i
body		__KAM_SOFTWARE4		/download for no cost|FREE Software|Free Analysis|Free Report/i

meta		KAM_SOFTWARE	(__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
score		KAM_SOFTWARE	5.0
describe	KAM_SOFTWARE	Spammers hawking Software products

#NIGERIAN SCAM SCAN
header		__KAM_NIGERIAN2_1	Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
body		__KAM_NIGERIAN2_2	/barrister|director of central bank|bank director|former.minister|gold.dealer/i
body		__KAM_NIGERIAN2_3	/high court|central bank|payment center|customs?.officer/i
body		__KAM_NIGERIAN2_4	/e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
body		__KAM_NIGERIAN2_5	/fund code|cheque|bank draft|oil.and.gas/i
body		__KAM_NIGERIAN2_6	/full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
body		__KAM_NIGERIAN2_7	/bank|smuggle/i
body		__KAM_NIGERIAN2_8	/courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
body		__KAM_NIGERIAN2_9	/scam|don't let them know that it is money|bank transfer charges/i

meta		KAM_NIGERIAN2		(__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
score		KAM_NIGERIAN2		5.0
describe	KAM_NIGERIAN2		Yet more Nigerian scams. Some even explaining the scam.

#MEDICAL
body		__KAM_MEDICAL1		/million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
body		__KAM_MEDICAL2		/Safe - Natural - Effective/i
header          __KAM_MEDICAL3          From =~ /Medical/i
header          __KAM_MEDICAL4          Subject =~ /Medical Billing/i

meta            KAM_MEDICAL             (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
score           KAM_MEDICAL             4.0
describe        KAM_MEDICAL             Misc medical spam

#EAR RINGING
body		__KAM_TINNI1		/TinniFix/i
body		__KAM_TINNI2		/Stop the ringing in your ears/i
header		__KAM_TINNI3		Subject =~ /(ringing|buzz) in your ears/i

meta		KAM_TINNI		(__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
score		KAM_TINNI		5.0
describe	KAM_TINNI		Another Medical Scam

#GIVEAWAY
body		__KAM_GIVE1		/receive your gift/i
body		__KAM_GIVE2		/laptop giveaway|deliver your dell.? laptop/i
body		__KAM_GIVE3		/answering a short survey/i
body		__KAM_GIVE4		/verify your shipping address/i

meta		KAM_GIVE		(__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
score		KAM_GIVE		4.0
describe	KAM_GIVE		Free stuff "giveaway" scam

#GOVERNMENT MONEY
header		__KAM_GOVT1		Subject =~ /Government Funding/i
body		__KAM_GOVT2		/government funding/i
body		__KAM_GOVT3		/complimentary information kit/i
body		__KAM_GOVT4		/No.Money?.{0,4}No.Problem/i

meta		KAM_GOVT		(__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
score		KAM_GOVT		4.0
describe	KAM_GOVT		Your tax dollars at work scam...

#RBL TRUST RULES
meta		KAM_RBL		(URIBL_BLACK + RCVD_IN_PBL >=2)
score		KAM_RBL		2.0
describe	KAM_RBL		Higher scores for hitting multiple trusted RBLs

#KAM CNN
header		__KAM_CNN1	Subject =~ /CNN.com Daily Top/i

meta		KAM_CNN		(__KAM_CNN1 == 1)
score		KAM_CNN		2.0
describe	KAM_CNN		CNN Daily Top 10 Link Obfuscation spams

#SNUGGIE BLANKETS / SHAM WOW
header          __KAM_SHAM1             Subject =~ /Hold 20 times|ShamWow/i
header		__KAM_SHAM2		From =~ /Sham ?Wow/i
body            __KAM_SHAM3             /ShamWow/i
body            __KAM_SHAM4             /20(X| times) its weight/i

meta            KAM_SHAM                (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
score           KAM_SHAM                2.0
describe        KAM_SHAM                More product scams...

#SANTA LETTERS
header          __KAM_SANTA1            Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
body            __KAM_SANTA2            /Santa Letter|Letter from Santa|sent by Santa/i
body            __KAM_SANTA3            /the .?perfect.? gift|personalized letter/i

meta            KAM_SANTA               (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
score           KAM_SANTA               3.5
describe        KAM_SANTA               Ho Ho Holy smokes Batman another Santa Letter spam...

#WORK FOR / LEARN GOOGLE
header          __KAM_GOOGLE1            Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
body            __KAM_GOOGLE2            /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
body            __KAM_GOOGLE3            /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
body		__KAM_GOOGLE4	 	 /with Google|Google Pie|Google Cash/i
header		__KAM_GOOGLE5		 From =~ /Google Money/i

meta            KAM_GOOGLE               (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
score           KAM_GOOGLE               3.5
describe        KAM_GOOGLE               Google Pyramid Scams

#SECURITY / ALARM
header          __KAM_ALARM1            Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here|ADT-monitoring/i
body            __KAM_ALARM2            /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
rawbody         __KAM_ALARM3            /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you|home security system/i
header		__KAM_ALARM4		From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i

meta            KAM_ALARM               (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
score           KAM_ALARM               4.5
describe        KAM_ALARM               Security and Alarm Company Spams

rawbody         __KAM_ALARM5            /gaylord/i

meta            KAM_ALARM2              (KAM_ALARM && __KAM_ALARM5)
score           KAM_ALARM2              2.5
describe        KAM_ALARM2              High Probability of Security and Alarm Company Spams

#SELL CARDS
header          __KAM_SELL1            Subject =~ /Market Credit Cards/i
body            __KAM_SELL2            /Easy Money/i
body            __KAM_SELL3            /Selling Credit Cards/i

meta            KAM_SELL               (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
score           KAM_SELL               3.5
describe        KAM_SELL               Selling Cards Marketing Scams

#WHITEN TEETH
header          __KAM_WHITEN1            Subject =~ /whiten your teeth/i
body            __KAM_WHITEN2            /whitener/i
body            __KAM_WHITEN3            /(Celebrity Smile|Carbamide Peroxide)/i

meta            KAM_WHITEN               (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
score           KAM_WHITEN               3.5
describe        KAM_WHITEN               Teeth Whitening Scams

#URONLINE
body		__KAM_URONLINE1		/(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
body		__KAM_URONLINE2		/wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
body		__KAM_URONLINE3		/get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
header          __KAM_URONLINE4		Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i

meta		KAM_URONLINE		(__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
score		KAM_URONLINE		4.5
describe	KAM_URONLINE		Chat Scams

#TIMESHARE
body		__KAM_TIMESHARE1	/Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body		__KAM_TIMESHARE2	/goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
header 		__KAM_TIMESHARE3	Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
header		__KAM_TIMESHARE4	From =~ /Resort.*sales|timeshare/i

meta		KAM_TIMESHARE		(__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
score		KAM_TIMESHARE		4.0
describe	KAM_TIMESHARE		Timeshare Scams

#AQUA GLOBE
body		__KAM_AQUA1		/Aqua Globe/is
body		__KAM_AQUA2		/watering your plants/is
body		__KAM_AQUA3		/while on vacation/is
header		__KAM_AQUA4		Subject =~ /Waters your Plants/i

meta		KAM_AQUA		(__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score		KAM_AQUA		3.0
describe	KAM_AQUA		Spams of yet another product du jour

#GEVALIA
body		__KAM_GEVALIA1		/Gevalia Kaffe|premium coffee delivered/is
body		__KAM_GEVALIA2		/(Gevalia coffee lover's|I love coffee) kit/is
body		__KAM_GEVALIA3		/No Further Obligation/is
header		__KAM_GEVALIA4		Subject =~ /gevalia|cup of coffee/i

meta		KAM_GEVALIA		(__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score 		KAM_GEVALIA		3.0
describe        KAM_GEVALIA             Spams of yet another product du jour

#SIMPLYINK
body            __KAM_INK1          /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
header          __KAM_INK2          From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
header          __KAM_INK3          Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i

meta            KAM_INK             (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=3)
score           KAM_INK             4.0
describe        KAM_INK             Spams of yet another product du jour

meta		KAM_INK2	    (KAM_INK + KAM_INFOUSMEBIZ >= 2)
score		KAM_INK2	    3.0
describe	KAM_INK2	    Spams for Ink refills

#TITAN PEELER
body            __KAM_PEEL1          /Titan Peeler/is
header          __KAM_PEEL2          From =~ /Titan Peeler/i
header          __KAM_PEEL3          Subject =~ /peeler|stainless|titan peeler/i

meta            KAM_PEEL             (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score           KAM_PEEL             3.0
describe        KAM_PEEL             Spams of yet another product du jour

#HTML EMAIL REQUIRING IMAGES?
rawbody		__KAM_HTML1	/Please enable image viewing in order to view this message/is

#RATWARE
header		__KAM_RAT1_1	From =~ /\@fromname\@/i
header		__KAM_RAT1_2	Subject =~ /(\[FName\]|\%\{AUTOVALS)/i

meta		KAM_RAT1	(__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
score		KAM_RAT1	5.0
describe	KAM_RAT1	Variable Replacements Indicative of RatWare/Mass Mailing

body            __KAM_RAT2_1    /job description/i
body            __KAM_RAT2_2    /dear shopper/i
header          __KAM_RAT2_3    From =~ /mystery/i

meta            KAM_RAT2        (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
score           KAM_RAT2        5.0
describe        KAM_RAT2        Another ratware mistake, uninterpolated text

#TITAN EGGER
body            __KAM_EGG1          /Egg Genie/is
header          __KAM_EGG2          From =~ /Egg Genie/i
header          __KAM_EGG3          Subject =~ /medium eggs/i

meta            KAM_EGG             (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score           KAM_EGG             3.0
describe        KAM_EGG             Spams of yet another product du jour

#USBDRIVES
body		__KAM_USB1	/(debi|deborah brown|Melissa Sylvan)/i
body		__KAM_USB2	/person (that|who) handles the promotions/i
body		__KAM_USB3	/usbsmg.com/i

meta		KAM_USB		(__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score		KAM_USB		4.0
describe	KAM_USB		USB Promotion Spammer

#GOVT GRANT
body		__KAM_GRANT1	/government grant/i
body		__KAM_GRANT2	/find out if you qualify/i
body		__KAM_GRANT3	/discontinue from this promotion/i

meta		KAM_GRANT	(__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score		KAM_GRANT	5.0
describe	KAM_GRANT	Government Grant Scams

#SEX SCAMS
 #MEDICINE REFERENCES
body		__KAM_SEX04_1	/(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
 #BED REFERENCES
body		__KAM_SEX04_2	/fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
 #SUBJECT REFERENCES
header		__KAM_SEX04_3	Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
 #SEXUAL REFENCES
body		__KAM_SEX04_4   /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality|sex with new boys/is

meta		KAM_SEX04	(__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score		KAM_SEX04	10.0
describe	KAM_SEX04	Sexually Explicit SPAM


meta            KAM_SEX04_2       (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score           KAM_SEX04_2       2.0
describe        KAM_SEX04_2       Likely Sexually Explicit SPAM

#Another Sexually Explicit Email
meta		KAM_SEX07	(__KAM_SUBJECT_SINGLEWORD + __KAM_SEX04_4 >= 2)
score		KAM_SEX07	5.0
describe	KAM_SEX07	Sexually Explicit SPAM

#SEX SCAMS ROUND 5
header		__KAM_SEX05_1	Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body		__KAM_SEX05_2	/buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i

meta		KAM_SEX05	(__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score		KAM_SEX05	5.0
describe	KAM_SEX05	Sexually Explicit SPAM

#FOOTBALL CLUB SPAMS
header		__KAM_FOOTBALL1		Subject =~ /Amateur Club|Seeks? Player/i
header		__KAM_FOOTBALL2		From =~ /Football/i
body		__KAM_FOOTBALL3		/Mercato/i
body		__KAM_FOOTBALL4		/Football/i

meta		KAM_FOOTBALL	(__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score		KAM_FOOTBALL	4.0
describe	KAM_FOOTBALL	Spammy Football Club

#DISH NETWORK SPAMS AND OTHER TV SPAM
header		__KAM_DISH1	From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
header		__KAM_DISH2	Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
rawbody		__KAM_DISH3	/(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i

meta		KAM_DISH	(__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score		KAM_DISH	4.0
describe	KAM_DISH	Dish Network Spams

meta		KAM_DISH2	(KAM_DISH + KAM_INFOUSMEBIZ >= 2)
score		KAM_DISH2	4.0
describe	KAM_DISH2	Dish Network Spams

#IDENTITY NETWORK
header		__KAM_IDENTNET1		From =~ /\@identitynetwork.net/i
body		__KAM_IDENTNET2		/ADVERTISE WITH IDENTITY NETWORK/i

meta		KAM_IDENTNET	(__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score		KAM_IDENTNET	8.0
describe	KAM_IDENTNET	Identity Network Spams

#HONEYPOT HITS
#body		__KAM_HONEY1	/Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
#header		__KAM_HONEY2	From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i

#meta		KAM_HONEY	(__KAM_HONEY1 + __KAM_HONEY2 >= 2)
#score		KAM_HONEY	12.0
#describe	KAM_HONEY	Spammer sending to a honeypot or known spammer through other means

#MEDIA DUCHESS
header		__KAM_DUCHESS1	Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
header		__KAM_DUCHESS2	From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i

body		__KAM_DUCHESS3	/Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody		__KAM_DUCHESS4	/duchess/i
rawbody		__KAM_DUCHESS5	/http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body		__KAM_DUCHESS6	/For account number:/i

meta		KAM_DUCHESS	((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score		KAM_DUCHESS	5.0
describe	KAM_DUCHESS	Spammer sending emails using a variety of domains and linked images

#UPS
header		__KAM_UPS1	Subject =~ /UPS Delivery problem/i
header		__KAM_UPS2	From !~ /\@ups\.com[ |>]/i
body		__KAM_UPS3	/invoice copy attached/i

meta		KAM_UPS		(__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score		KAM_UPS		6.0
describe	KAM_UPS		UPS doesn't send invoices with delivery problem notes

#Free Calls
header		__KAM_SKYPE1	Subject =~ /Free Calls/i
header		__KAM_SKYPE2	Received =~ /releasesourcek.com/i
header		__KAM_SKYPE3	From =~ /VOIP News/i
body		__KAM_SKYPE4	/Promo Code: \d/i

meta		KAM_SKYPE	(__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score		KAM_SKYPE	5.0
describe	KAM_SKYPE	Skype/Voip scams likely to spread malware

#OWA/EMAIL PHISH
rawbody		KAM_OWAPHISH1	/http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i

score		KAM_OWAPHISH1	6.0
describe	KAM_OWAPHISH1	Rash of OWA setting change emails for phishing

#MORE DRUG SPAM - 2009-05-03
header		__KAM_DRUG2_1	Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i

header		__KAM_DRUG2_2	Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i

body		__KAM_DRUG2_3	/Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i

body            __KAM_DRUG2_4   /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i

body            __KAM_DRUG2_5   /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i

body		__KAM_DRUG2_6	/(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i

header		__KAM_DRUG2_7	Subject =~ / {4}[a-z0-9]{2,4}$/i

header		__KAM_DRUG2_8	From =~ /aquaflexin/i

meta		KAM_DRUG2	( __KAM_DRUG2_1 +  __KAM_DRUG2_2 +  __KAM_DRUG2_3 +  __KAM_DRUG2_4 +  __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 3)
score		KAM_DRUG2	3.5
describe	KAM_DRUG2	More online Drug Scams

meta            KAM_DRUG2_2     ( __KAM_DRUG2_1 +  __KAM_DRUG2_2 +  __KAM_DRUG2_3 +  __KAM_DRUG2_4 +  __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + KAM_SHORT + KAM_UNSUB1 >= 5)
score		KAM_DRUG2_2	3.0
describe	KAM_DRUG2_2	Higher Certainty of Drug Scam

meta		KAM_SEXSUBJECT	__KAM_DRUG2_1
score		KAM_SEXSUBJECT  2.0
describe	KAM_SEXSUBJECT	Sexually Explicit Subject

#RUSSIAN WIFE/BRIDE SCAMS
header		__KAM_WIFE1	Subject =~ /Remember me|(Russian|asian|Ukrai?nian) ?(beaut|single|women|bride|lad|babe)/i
body		__KAM_WIFE2	/marry a Russian|sizzling photos|(russian|asian|ukrai?nian) (women|beaut|bride|girl)|Slavic babes|Russian ?lad(y|ies)|sexy photos/i
tflags		__KAM_WIFE2	nosubject
header		__KAM_WIFE3	From =~ /(asian|russian|ukrai?nian).?(dat|bride|single|women|beaut)|(date|nice).?(russian|asian)/i

meta            KAM_WIFE       ( __KAM_WIFE1 +  __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score           KAM_WIFE       8.0
describe        KAM_WIFE       Mail order bride scams

#PRODUCT SCAMS
header		__KAM_PRODUCT1	Subject =~ /Beauty Phone/i
body		__KAM_PRODUCT2	/phones for discerning individuals/i

meta            KAM_PRODUCT    ( __KAM_PRODUCT1 +  __KAM_PRODUCT2 >= 2)
score           KAM_PRODUCT    3.0
describe        KAM_PRODUCT    Product scams often used with MSN/Live URIs

#SPACES / LIVE / MSN / ETC. SCAMS
meta            KAM_LIVEURI2     ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score           KAM_LIVEURI2     3.0
describe        KAM_LIVEURI2     More online Scams + Known URI

#WEBS.COM
uri		KAM_WEBS	/.{3,25}\.webs.com/i
score		KAM_WEBS	0.5
describe	KAM_WEBS	webs.com links used in Spams

#IMAGESHACK SWF Files
uri             KAM_BADSWF	/imageshack.us\/.{3,25}.swf$/i
score		KAM_BADSWF	3.0
describe	KAM_BADSWF	SWF embedded links in Email Scams

#EXE LINK
uri             KAM_EXEURI      /.exe$/i
score           KAM_EXEURI      0.5
describe        KAM_EXEURI      EXE embedded link

#SETTINGS FILE PHISH
header          __KAM_SETTING1  Subject =~ /settings file|maintenance!!/i
body            __KAM_SETTING2  /security upgrade|Maintenance Process on our email system /i
body		__KAM_SETTING3	/settings?.zip/i

meta            KAM_SETTING    ( __KAM_SETTING1 +  __KAM_SETTING2 >= 2)
score           KAM_SETTING    2.5
describe        KAM_SETTING    Phishing scams w/Setting Files or Webmail

 #Fixed small misspelling thanks to Jameel Akari
meta            KAM_SETTING2    ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score           KAM_SETTING2    4.0
describe        KAM_SETTING2    Phishing scams w/Setting Files or Webmail + Bad File link

#FARM SPAM
header		__KAM_FARM1	Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
header		__KAM_FARM2	From =~ /blueberr|tomato|DIY|garden/i
body		__KAM_FARM3	/(blueberry|Tomatoe?) giant/i

meta		KAM_FARM	(__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score		KAM_FARM	4.0
describe	KAM_FARM	Farming related Spams

#MX URI - Scored lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
uri		KAM_MXURI	/^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
score		KAM_MXURI	1.5
describe	KAM_MXURI	URI begins with a mail exchange prefix, i.e. mx.[...]

#FLASH PLAYER
body		__KAM_FLASH1	/Flash Player Code: \d\d/i
body		__KAM_FLASH2	/Flash Player Update/i
header		__KAM_FLASH3	Subject =~ /Flash Player/i
header		__KAM_FLASH4	Subject =~ /activation code/i
header		__KAM_FLASH5	From =~ /Flash Player/i

meta		KAM_FLASH	(__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score		KAM_FLASH	4.0
describe	KAM_FLASH	Fake Flash Player Phishing Scam


#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
	#FAKE ADWORDS
	body		__KAM_ADWORD1	/(Advertisement|Adwords) Campaign/i
	header		__KAM_ADWORD2	From =~ /adwords.com|salesdirect.com/i
	header		__KAM_ADWORD3	Subject =~ /adwords campaign|ads in adwords/i
	body		__KAM_ADWORD4	/adwords\.php|index\.php\?isgoogle/i

	meta		KAM_ADWORD	(__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3  + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
	score		KAM_ADWORD	10.0
	describe	KAM_ADWORD	Fake Adword Campaign notices
endif


#DON NOB & WORK FROM HOME SCAMS
header 		__KAM_DON1	X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header		__KAM_DON2	Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body		__KAM_DON3	/donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body		__KAM_DON4	/\$1,000 A Day ATM|J\.O\.B\./i

meta		KAM_DON		(__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score		KAM_DON		6.0
describe	KAM_DON		Work at Home Scams

meta            KAM_DON2        (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score		KAM_DON2	4.0
describe	KAM_DON2	Egregious Work at Home Scams

#GINA SCAMS
header		__KAM_GINA1	From =~ /GINA deadline|GINA Update|compliance/i
header		__KAM_GINA2	Subject =~ /GINA deadline/i
body		__KAM_GINA3	/Genetic Information Nondiscrimination Act/i
body		__KAM_GINA4	/mandatory poster|remain in compliance|GINA regulations/i

meta            KAM_GINA	(__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4  >= 4)
score		KAM_GINA	6.0
describe	KAM_GINA	Employment Poster Marketing Spams

#TAX SCAMS
header		__KAM_TAX1	Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header		__KAM_TAX2	From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body		__KAM_TAX3	/File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
body            __KAM_TAX4      /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i

meta		KAM_TAX		(__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score		KAM_TAX		2.5
describe	KAM_TAX		Tax Filing Scams

meta            KAM_TAX2        (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
score		KAM_TAX2	2.5
describe	KAM_TAX2	Higher Probability of Tax Filing Scams

#SEX SCAM
body		__KAM_SEX06_1	/more fire and passion/i

meta		KAM_SEX06	(__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score		KAM_SEX06	5.0
describe	KAM_SEX06	Sexual Stimulant Spam

#DOG BARK AND OTHER DOG SPAM
body		__KAM_BARK1	/Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
header		__KAM_BARK2	Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
header		__KAM_BARK3	From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i

meta		KAM_BARK	(__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score		KAM_BARK	3.5
describe	KAM_BARK	Dog Product Scam

#CASINO SPAM
body		__KAM_CASINO1	/Elite World Casino/i
body		__KAM_CASINO2	/Online Casino/i
header		__KAM_CASINO3	Subject =~ /chances to win/i

meta		KAM_CASINO	(__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
score		KAM_CASINO	3.5
describe	KAM_CASINO	Online Casino Spam

#TWITTER PHISHING
header		__KAM_TWIT1	From =~ /twitter/i
header		__KAM_TWIT2	Subject =~ /twitter \d{3}-\d{2}/i

meta		KAM_TWIT	(__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
score		KAM_TWIT	10
describe	KAM_TWIT	Twitter bogus phishing emails


#FACEBOOK PHISHING
header          __KAM_FACE1     From =~ /password/i
header          __KAM_FACE2     Subject =~ /reset your facebook/i
header		__KAM_FACE3	X-Mailer =~ /Zuckmail/i

meta            KAM_FACE        (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
score           KAM_FACE        10
describe        KAM_FACE        Facebook bogus phishing emails

header		__KAM_PHISH3_1	Subject =~ /account notification/i
body		__KAM_PHISH3_2	/accessed by someone else./

meta		KAM_PHISH3	(__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
score		KAM_PHISH3	4
describe	KAM_PHISH3	Phishing emails for account notification


#GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
body		__KAM_CLICK	/Please click on the link below|Copy and paste this link into your internet browser/i

#DIRECT BUY
header		__KAM_DIRECT1	From =~ /Direct ?Buy|Wholesale/i
header		__KAM_DIRECT2	Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
body		__KAM_DIRECT3	/(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
body		__KAM_DIRECT4	/Direct.?Buy/i

meta		KAM_DIRECT	(__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
score		KAM_DIRECT	3.0
describe	KAM_DIRECT	DirectBuy Spam

#SWIPE BIDS
header          __KAM_SWIPE1   From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
header          __KAM_SWIPE2   Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
body            __KAM_SWIPE3   /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
body            __KAM_SWIPE4   /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i

meta            KAM_SWIPE      (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
score           KAM_SWIPE      2.0
describe        KAM_SWIPE      SwipeBid Spam / Penny Auction Spams

meta            KAM_SWIPE2     (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
score           KAM_SWIPE2     0.5
describe        KAM_SWIPE2     SwipeBid Spam / Penny Auction Spams

#WE THE SPAMMERS
header		__KAM_WTA1	From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
body		__KAM_WTA2	/Alliance for Retirement Prosperity Association|Social Security Institute/is

meta		KAM_WTA		(__KAM_WTA1 + __KAM_WTA2 >= 2)
score		KAM_WTA		9.0
describe	KAM_WTA		Ridiculous campaign by unapologetic spammers purposefully using throwaway domains

#SMOKELESS
body		__KAM_SMOKE1	/smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
header		__KAM_SMOKE2	Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
header		__KAM_SMOKE3	From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
body		__KAM_SMOKE4	/No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
body		__KAM_SMOKE5	/you have qualified/i

meta		KAM_SMOKE	(__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
score		KAM_SMOKE	4.5
describe	KAM_SMOKE	Smokeless cigarette and quitting spam

meta            KAM_SMOKE2       (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
score           KAM_SMOKE2       3.0
describe        KAM_SMOKE2       Higher probability of spam

#OBF URL - need to make this more generic and perhaps something for RBL lookups when these techniques are used.
body		__KAM_OBFURL1	/A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M|insidesaleswiz\.\s+com/i

meta		KAM_OBFURL	(__KAM_OBFURL1 >= 1)
score		KAM_OBFURL	15.0
describe	KAM_OBFURL	Obfuscated URL

#SHARP FOR LIFE
body		__KAM_SHARP1	/sharp for life/i
body		__KAM_SHARP2	/yoshiblade/i
body		__KAM_SHARP3	/zirconium oxide/i
body		__KAM_SHARP4	/ceramic knife/i
header		__KAM_SHARP5	Subject =~ /ceramic knief|yoshiblade|sharp for life/i
header		__KAM_SHARP6	From =~ /yoshi/i

meta            KAM_SHARP       (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
score           KAM_SHARP       4.5
describe        KAM_SHARP       Ceramic Blade Spam

#HIP REPLACEMENT
body            __KAM_HIP1    	/hip replacement|medical alert/i
body            __KAM_HIP2    	/implant recall|recall list/i
header          __KAM_HIP3    	Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
header		__KAM_HIP4   	From =~ /recall/i

meta            KAM_HIP       	(__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
score           KAM_HIP         4.5
describe        KAM_HIP         Hip Replacement Recall Spam

#WORK AT HOME
body            __KAM_WORKHOME1      /online jobs|Full-time (and|&) Part-time|at home employment/i
body            __KAM_WORKHOME2      /\#1 site|view here|information here/i
header          __KAM_WORKHOME3      Subject =~ /work at home|work \@ home|home positions/i

meta            KAM_WORKHOME         (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
score           KAM_WORKHOME         4.5
describe        KAM_WORKHOME         Work at Home Spam

meta		KAM_WORKHOME2	(__KAM_WORKHOME3 + KAM_SHORT + __KAM_REFI4 >=3)
score		KAM_WORKHOME2	4.5
describe	KAM_WORKHOME2	Work at Home Spam

#HSR UPDATES
body		__KAM_HSR1	/hsrupdates.com|progressiverailroading.com/i
header		__KAM_HSR2	Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
header		__KAM_HSR3	From =~ /HSRUpdates.com|progressive ?railroading/i

meta		KAM_HSR		(__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
score		KAM_HSR		4.5
describe	KAM_HSR		High Speed Rail Spam

#SELLPHONE
body		__KAM_SELLPHONE1	/Turn iphones into cash/i
body		__KAM_SELLPHONE2	/used or broken|pre-paid envelope/i
header		__KAM_SELLPHONE3	Subject =~ /sell your old iphone/i

meta		KAM_SELLPHONE	(__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
score		KAM_SELLPHONE	4.5
describe	KAM_SELLPHONE	Used Equipment Spam

#STORAGE LIMIT
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

  replace_rules __KAM_MAILBOX1 __KAM_MAILBOX2 __KAM_MAILBOX3

 #ISSUE
  body		__KAM_MAILBOX1	/mailbox .{0,12}exceeded|(storage|email|mailbox).(limit|quota|size|capacity)|(box|quota) is (a<L1>most )?fu<L1><L1>|have been rejected|new version|(prevented|pending) (the )?(delivery|messages)|quota is low|annual upgrade|(held|important) message|messages pending|messages (are|placed) on.?hold|upgrade to our service|recent attack|(request(ed)? to|account) de-?activat|de-?activat(ed|e|ing) (from using|all mailbox)|close down.{0,10}account|(sync|communication) failure|de<A1>ctiv<A1>ted if no <A1>ction|invalid users|request .{0,13}shutdown|migrating all email|del<I1>v<E1>ry <O1>f \d|messages.{0,6}returned|\d.{0,2}(unreceived|failed|undelivered|incoming|valid) (undelivered|incoming|message|e?mail)|synchronize \d email|messages.{1,10}suspend|report your account|(validation|configuration|service) error|updating stage|blacklisted|(server|quota|quarantine|suspension|mail|upgrade) (alert|noti)|mailbox agreement|(system|security|server) (reasons|update|upgrade|alert)|system malfunction|due for an update|mailbox managment|automatically renew|.\d. pending|due for (upgrade|update|reconfirmation)|has been outdated|(due|about) to expire|not confirmed the email|(failed|couldn't be|refused to) deliver|temporarily suspend|failure to proceed|data plan limit|blocked from (sending|receiving)|sending unsolicited|\d\% full|confirm your request|security turned off|blocked or suspended|update warning|account .{1,9}?(restricted|closed)|old versions|mail malfunction|messages now queue|password expir|virus|expire on \d+\/|DNS Upgrad|encountered error|will be shut ?down|unauthorized (person|access)|prevent (further reject|loss of account)|avoid lose access|ensure safety|problem occurred|wrong password|suspicious sign.?in|\d quarantined? (e?mail|message|incoming)|deactivated tempor|low disk space|shutdown robot|suspended email|webmail security|account hijacked|will be suspended/i
  tflags	__KAM_MAILBOX1	nosubject
 #ACTION
  body		__KAM_MAILBOX2	/(verify|update|upgrade|increase|validate|confirm|disable)"? (their|your)? {0,5}(address|password|<A1>ccount|(web-?)?mail|info|email|web ?mail|ownership)|(increase|upgrade) (my|your?) (inbox |email )?quota|(security|quota) (configuration|upgrade)|(increase disk|create some additional) storage|(setup|upgrade) (your )?mailbox|mail malfunction|click here to update|update account|validated within \d\d|deleted (automatically|in our server)|release .{0,40}(message|pending mess)|account to be close|remain active|termination of your account|choose what happens|blacklisting inactive|continue (using|the usage)|untrusted activity|(retrieve|review|view) (message|e?mail)|(verify|validate) (here|now)|reset below|verification (check|process)|email disk usage|auto extend your disk|confirm your (email|details)|mandetory file|retrieve here|expected to reactivate|keep your webmail|data will be lost|(block|release|review) them|view undelivered sent|reconfirm .{0,40}password|will be deactivat|avoid suspension|start the process|fake payment|(will be|automatically) cancel|mail verification|turn on (security|authentication)|Office 365-?Secure|an usual location|automatically delete|(retrieve|review|reload) (your )?(undelivered|pending)|view, release or delete|reload below|unblock (your )?incoming|rectify below|fix now|Company.Assigned Outlook|fix delivery|restore your roundcube|re-?authenticate (now|below)|manage your quarantine|manually fi|manually fix|review and take action|view (withheld|recent) (incoming|messages|e?mail)|use the button|reduce your mai<L1>|deliver recent mail|keep (current|same) password|change password|stop (this action|account removal)|fix your email/i
  tflags	__KAM_MAILBOX2  nosubject
 #SUBJECT
  header	__KAM_MAILBOX3	Subject =~ /(mail|exceeded|insufficient) (storage|quota|upgrade)|Inbox almost full|(urgent|important|admin|last|suspension|server|account|administrator|system|disk ?usage|max size) (alert|rectification|attention|warning|noti)|needs to be upgraded|(incoming|pending|unreceived) +((e-?)?mail|document|message)|(del<I1>v<E1>ry|synchronization|processing) (problem|is blocked|failure|err<O1>r)|storage (is )?full|inbox full|(unread|upgrade|delayed) (messages|e?mail)|release your message|pending (new )?((e-?)?mail|message)|365 .{0,10} Update|new privacy policy|mandatory up|(sign in|Final|security|account|password|emails?) (closing|removal|update|upgrade|alert|notification|review)|quarantine|rejected|undelivered|(mailbox|limit) .{0,10}exceeded|confirmation required|(mail|mailbox|account|password) (shutdown|verification|Veirification|Verfication|account)|(blocked|held) message|technology services|(server|mail|account).{1,8}err<O1>r|validat|messages.{1,10}(suspend|hinder)|account (is )?(blocked|limited)|please verify.{1,10}account|mail.{1,6}Notice|email account.{1,11}full|final warning|help\-?desk|mail ownership|point files|(d|r)e-?activation|delayed for \d+ (hour|day)|undeliverable|confirmation required|closure of.{1,15}(\@|account)|(password|mail) (has|will) expire|did you make|password (reset|due|recovery|expir)|recovery option|\d+ new mess|email activity|Immediate action|action required|avoid block|review recent e?mail|final +alert|storage limit|ver<I1>f<I1>cat<I1>on|\@.{1,25}notification|notification \d+\/\d+\/|notification for .{1,25}\@|New Sign-in|deliver.{1,4}(issue|error|fail)|Unsuccessful Email|Mail DNS|ICT Maintenance|sync err|mailer un.?delivery|unauthorized (person|access)|configuration setting|reminder +for|re-?authenticate|change in your ip|shutdown request|Failure.{0,2}Report|\d emails? suspended/i

  meta		KAM_MAILBOX	(__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=2) && (T_FREEMAIL_DOC_PDF + (KAM_SENDGRID + KAM_SENDGRID2 >= 1) + HTML_MIME_NO_HTML_TAG >= 2)
  score		KAM_MAILBOX	7.75
  describe	KAM_MAILBOX	Mailbox Quota Phishing Scams

  meta          KAM_MAILBOX2    (__KAM_MAILBOX1 + __KAM_MAILBOX2 + __KAM_MAILBOX3 >=3) && !KAM_MAILBOX
  score         KAM_MAILBOX2    6.25
  describe      KAM_MAILBOX2    Mailbox Quota Phishing Scams

  meta		KAM_MAILBOX3	(KAM_MAILBOX + KAM_MAILBOX2 >= 1) && (KAM_SENDGRID + KAM_SENDGRID2 >= 1)
  describe	KAM_MAILBOX3	Enhanced Scoring for Mailbox Quota Phishing
  score		KAM_MAILBOX3	3.75
endif

#SHORTERNERS
meta		KAM_SHORT	(__KAM_SHORT + __KAM_TINYDOMAIN >= 1)
score		KAM_SHORT	0.001
describe	KAM_SHORT	Use of a URL Shortener for very short URL

#URL SHORTENER - META RULE TO SEE IF URL SHORTENER IS IN USE - THANKS TO SHANE WILLIAMS and RW for HELP - More thanks to Giovanni Bechis
uri		__KAM_SHORT	/^http:\/\/(?:bit\.(do|ly)|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|justpaste\.it|l\.linklyhq\.com)\/[^\/]{3}\/?/

# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
uri             __KAM_TINYDOMAIN /https?:\/\/(?:[^\/]{1,4})\..{2,7}\//i

#POWER CHAIRS
body		__KAM_POWER1	/hoveround/i
header		__KAM_POWER2	Subject =~ /Get your freedom|power Chairs/i
header		__KAM_POWER3	From =~ /Get your freedom|power Chairs/i

meta		KAM_POWER	(__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
score		KAM_POWER	3.0
describe	KAM_POWER	Motorized Chair Spams

#GUN ALERTS
body		__KAM_GUN1	/Keep and Bear Arms/i
header		__KAM_GUN2	From =~ /gunalerts.com/i
header		__KAM_GUN3	Subject =~ /gun/i

meta		KAM_GUN		(__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
score		KAM_GUN		2.0
describe	KAM_GUN		Gun Alert Spams

#GET RICH QUICK SCHEME
body		__KAM_RICH1	/financial.success story/i
body		__KAM_RICH2	/see me on the channel \d news/i
body		__KAM_RICH3	/talking about my blog/i
body		__KAM_RICH4	/bec.me financially independent/i

meta		KAM_RICH	(__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
score		KAM_RICH	3.5
describe	KAM_RICH	Get Rich Quick Schemes

#INVALID FROM HEADER
header		__KAM_INVFROM1	From =~ /<[^>]*$/
header		__KAM_INVFROM2	From =~ /^[^<]*>/

meta		KAM_INVFROM	(__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
score		KAM_INVFROM	2.0
describe	KAM_INVFROM	Invalid From Header containing mismatched <>'s

#YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
header          __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta            KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
else
  meta            KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
endif
describe	KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
score           KAM_UAH_YAHOOGROUP_SENDER -20.0

#GALLERY
header		__KAM_GALLERY1	Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
body            __KAM_GALLERY2             /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i

header		__KAM_GALLERY3	Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
body		__KAM_GALLERY4             /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
rawbody		__KAM_GALLERY5  /wp-content|_vti_cnf|cache|wp-admin|wordpress/i

meta		KAM_GALLERY	(__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
describe	KAM_GALLERY	Exploited Gallery with Porn
score		KAM_GALLERY	5.0

meta            KAM_GALLERY2    (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
describe        KAM_GALLERY2    Higher Likelihood of Exploited Gallery with Porn
score           KAM_GALLERY2    2.0

#CHANGELOG
header		__KAM_CHANGELOG1	Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
body		__KAM_CHANGELOG2	/as promised chnglog update/i

meta		KAM_CHANGELOG		(__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
describe	KAM_CHANGELOG		Phishing Email
score		KAM_CHANGELOG		2.5

#NIGERIAN VARIANT
body		__KAM_BUS1	/business proposal/i
body		__KAM_BUS2	/sensitive by nature/i
body		__KAM_BUS3	/have not met/i
body		__KAM_BUS4	/view my attach/i

meta		KAM_BUS		(__KAM_BUS1 + __KAM_BUS2 +  __KAM_BUS3 + __KAM_BUS4 >= 4)
describe	KAM_BUS		Yet another Nigerian Scam/Phishing Variant
score		KAM_BUS		4.0

#PRIVATE MESSAGE
body		__KAM_PRIV1	/private message|horny|sweet ass/i
body		__KAM_PRIV2	/(personal|private) video/i
body		__KAM_PRIV3	/the attache?ment|attached file/i

meta		KAM_PRIV	(__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
describe	KAM_PRIV	Private Messages using Exploits in attached HTML files
score		KAM_PRIV	5.0

#DIV
rawbody		__KAM_DIV1	/(Viagr?|Cial?)<div/i
rawbody		__KAM_DIV2	/<\/div>r?a\|l?is/i

meta		KAM_DIV		(__KAM_DIV1 + __KAM_DIV2 >= 2)
describe	KAM_DIV		Use of divs to hide Medical Spams
score		KAM_DIV		2.0

#CREDIT SCORE
header		__KAM_CREDIT1	Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body		__KAM_CREDIT2	/View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body		__KAM_CREDIT3	/NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body		__KAM_CREDIT4	/CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header		__KAM_CREDIT5	From =~ /Credit|score|bureau|finance|report|advisory/i

#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 &  Set this in VI :set encoding=utf-8 :set fileencodings=utf-8

#Useful Resources for Tags
#https://www.utf8-chartable.de/unicode-utf8-table.pl?start=1024&number=128&names=-&utf8=string-literal
#https://www.branah.com/unicode-converter
#look at the encoding type and the charset.  For base64 utf-8, something like this tool will help https://www.base64decode.org/ then hexdump -C or something like https://onlineutf8tools.com/convert-utf8-to-hexadecimal or perl -e '$u=unpack("H*",$ARGV[0]);print "[\\x$1]" while ($u=~/(..)/g)' '<PASTE>'

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

#renamed to A1, C1, etc. to avoid collissions with stock rules
#Thanks to John Hardin for his help! and thanks to Giovanni for the help with the 4-byte chars
#thanks as well to Henrik Krohns
replace_tag     A1      (?:a|[\xf0\x9d\x97\xae]|[\xf0\x9d\x9a\x8a]|[\xd0][\xb0]|[\xc9][\x91]|α|\@)
replace_tag     B1      (?:b|[\xce][\x92]|[\xce][\xb2]|[\xc2]|[\xe2]|[\xf0\x9d\x97\xaf]|[xf0\x9d\x9a\x8b])
replace_tag     C1      (?:c|[\xd0][\xa1]|[\xd1][\x81]|[\xf0\x9d\x97\xb0]|[\xf0\x9d\x9a\x8c])
replace_tag	D1	(?:d|[\xf0\x9d\x9a\x8d])
replace_tag     E1      (?:e|[\xd0][\xb5]|[\xc4][\x97]|[\xf0\x9d\x97\xb2]|[\xf0\x9d\x9a\x8e])
replace_tag	G1	(?:g|[\xf0\x9d\x97\x80])
replace_tag     I1      (?:i|[\xd1][\x96]|[\xc4][\xab]|[\xce][\xb9]|[\xe9]|[\xf0\x9d\x97\xb6]|[\xf0\x9d\x9a\x92]|l|1)
replace_tag	L1	(?:l|i)
replace_tag	M1	(?:m|[\xca][\x8d]|[\xf0\x9d\x97\xba])
replace_tag     N1      (?:n|[\xe7]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x97])
replace_tag     O1      (?:o|0|[\xd0][\xbe]|[\xce][\xbf]|[\xef]|[\xf0\x9d\x97\xbc]|[\xf0\x9d\x9a\x98])
replace_tag	P1	(?:p|[\xd1][\x80]|[\xc7][\xb7]|[\xcf][\x81]|[\xf1]|[\xf0\x9d\x97\xbd]|[\xf0\x9d\x9a\x99])
replace_tag	R1	(?:r|[\xf0\x9d\x97\xbf]|[\xf0\x9d\x9a\x9b])
replace_tag     S1      (?:s|[\xd0][\x85]|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\x9c])
replace_tag	T1	(?:t|[\xcf][\x84]|[\xf4]|[\xf0\x9d\x98\x81]|[\xf0\x9d\x9a\x9d])
replace_tag	U1	(?:u|[\xf0\x9d\x98\x82])
replace_tag	V1	(?:v|[\xf0\x9d\x96\xb5])
replace_tag	W1	(?:w|[\xf0\x9d\x98\x84]|[\xf0\x9d\x9a\xa0])
replace_tag	Y1	(?:y|[\xf0\x9d\x98\x80]|[\xf0\x9d\x9a\xa2])
replace_tag	SPACE1  (?: |[\xc2\xa0])

header          __KAM_CREDIT6   Subject =~ /<C1>ompl<I1>mentary (<C1>red<I1>t|EXPERIAN|Transunion|Equifax)/i
header          __KAM_CREDIT7   From =~ /<S1>core.?<S1>ense/i

replace_rules   __KAM_CREDIT6 __KAM_CREDIT7

endif

meta            KAM_CREDIT      (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe        KAM_CREDIT      Credit Score Spams
score           KAM_CREDIT      4.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta		KAM_CREDIT2	(__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
  describe	KAM_CREDIT2	Credit Score Spams
  score		KAM_CREDIT2	4.5
endif

#OBFUSCATED URI
rawbody         KAM_OBFURI      /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe        KAM_OBFURI      Obfuscated URI trick
score           KAM_OBFURI      4.0

#ADVANCE
header		__KAM_ADVANCE1	Subject =~ /Advance for \d.\d\d\d/i
body		__KAM_ADVANCE2	/Advance Details/i
body		__KAM_ADVANCE3  /Pre-Approved/i
header		__KAM_ADVANCE4	From =~ /Advance|Approv|Financ/i

meta            KAM_ADVANCE     (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe        KAM_ADVANCE     Advance Spams
score           KAM_ADVANCE     3.5

#PAYPAL NON SPF - FP fixed by Piper Andreas
header		__KAM_PAYPAL1A	From =~ /\@[a-z\.]*paypal.com>?$/i

meta		KAM_PAYPAL1	(__KAM_PAYPAL1A + SPF_FAIL >=2)
describe	KAM_PAYPAL1	rampant paypal phishing scams
score		KAM_PAYPAL1	16.0

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #PAYPAL IMPERSONATING MALWARE
  body            __KAM_PAYPAL2A  /paypal/i
  body            __KAM_PAYPAL2B  /protection services department|download(ing)?.the.attach/i

  meta            KAM_PAYPAL2     (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR_ALTERED >= 3)
  describe        KAM_PAYPAL2     Malware disguised as a paypal email
  score           KAM_PAYPAL2     8.0
endif

#PAYPAL PHISH
header          __KAM_PAYPAL3A  From =~ /paypal/i
header          __KAM_PAYPAL3B  From !~ /paypal.com(\.au)?>?$/i
header          __KAM_PAYPAL3C  Subject =~ /your.paypal.account/i
body            __KAM_PAYPAL3D  /security.process|more.information|has.limitation|verify.your.information/i

meta            KAM_PAYPAL3     ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score           KAM_PAYPAL3     8.0
describe        KAM_PAYPAL3     Phish disguised as a paypal email

#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header		__KAM_COMPROMISED1A	From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header		__KAM_COMPROMISED1B	X-Mailer =~ /Yahoo/i
header		__KAM_COMPROMISED2	Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body		__KAM_COMPROMISED3	/\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body		__KAM_COMPROMISED4	/How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i

meta		KAM_COMPROMISED	((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe	KAM_COMPROMISED	Compromised Accounts Sending Spam
score		KAM_COMPROMISED	8.25

#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
header		__KAM_LIST2A	List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
header		__KAM_LIST2B	Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i

meta		KAM_LIST2	(__KAM_LIST2A + __KAM_LIST2B >= 1)
describe	KAM_LIST2	Known Bad Groups
score		KAM_LIST2	60.0

#LIMITED ACCESS/QUOTA SCAMS  - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE
body            __KAM_QUOTA1    /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body            __KAM_QUOTA2    /Limited Access|termination of your email|restore.your.account|will.not.be.able/i

meta		KAM_QUOTA	(__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe	KAM_QUOTA	Limited Access / Quota Phishing Scam
score		KAM_QUOTA	3.0

# BACKGROUND CHECK SPAM
body		__KAM_BACK1	/backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|reputation/i
body		__KAM_BACK2	/(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
body		__KAM_BACK3	/(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header		__KAM_BACK4	Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
header		__KAM_BACK5	From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i

describe	KAM_BACK	Background Check SPAM
meta		KAM_BACK	(__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
score		KAM_BACK	5.5

#ARREST RECORD SCAMS
header		__KAM_ARREST1	Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body		__KAM_ARREST2	/Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header		__KAM_ARREST3	From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i

meta		KAM_ARREST	(__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=3) || (__KAM_ARREST1  + KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe	KAM_ARREST	Arrest Record Scams
score		KAM_ARREST	5.0

#MORE DIET SCAMS
header		__KAM_DIET2_1	From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
header		__KAM_DIET2_2	Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body		__KAM_DIET2_3	/secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i

meta		KAM_DIET2	(__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe	KAM_DIET2	Diet Scams
score		KAM_DIET2	5.0

#CIGAR SCAMS
header		__KAM_CIGAR1	Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header		__KAM_CIGAR2	From =~ /Cigar/i
body		__KAM_CIGAR3	/Thompson Cigar|Premium Cigar/i

meta		KAM_CIGAR	(__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe	KAM_CIGAR	Cigar Scam Emails
score		KAM_CIGAR	6.0


#TK DOMAINS
rawbody         KAM_TK  /https?:\/\/.{5,30}\.tk\//i
describe	KAM_TK	Abuse of .tk domain registrar which offers free domains
score		KAM_TK	5.0

#THIRD PARTY / SENT BY XXXX
body		__KAM_THIRD	/advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i

#LASIK
header		__KAM_LASIK1	From =~ /Lasik/i
header		__KAM_LASIK2	Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body		__KAM_LASIK3	/free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri             __KAM_LASIK4    /lasik\.php/i

meta		KAM_LASIK	(__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe	KAM_LASIK	Lasik Treatment Spams
score		KAM_LASIK	4.5

#FAKE NOTIFIES
header		__KAM_NOTIFY1	From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells ?Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body		__KAM_NOTIFY2	/[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header		__KAM_NOTIFY3	From =~ /\.br>/i

meta		KAM_NOTIFY	(__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe	KAM_NOTIFY	Fake Notifications
score		KAM_NOTIFY	4.0

meta		KAM_NOTIFY2	(KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe	KAM_NOTIFY2	Higher likelihood of fake notification
score		KAM_NOTIFY2	3.0

#LANGUAGE
header		__KAM_LANG1	From =~ /Pimsleur|learnalanguage/i
header		__KAM_LANG2	Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body		__KAM_LANG3	/pimsleur|Language in just \d+ Day/i

meta		KAM_LANG	(__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe	KAM_LANG	Language Method Spams
score		KAM_LANG	4.5

#FAKE TRACK
header		__KAM_TRACK1	From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i

meta		KAM_TRACK	(__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe	KAM_TRACK	Fake Tracking Emails
score		KAM_TRACK	3.0

#BACK TO SCHOOL
header		__KAM_SCHOOL1	From =~ /Classes/i
header		__KAM_SCHOOL2	Subject =~ /(?:Return|Back) to School/i

meta		KAM_SCHOOL	(__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe	KAM_SCHOOL	School Spams
score		KAM_SCHOOL	5.0

#MEMBERS
header          __KAM_MEMBER1   From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header          __KAM_MEMBER2   Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body		__KAM_MEMBER3	/(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody		__KAM_MEMBER4	/special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta		__KAM_MEMBER5   (KAM_INFOUSMEBIZ || KAM_COUK)
#header		__KAM_MEMBER6	From =~ /Updat/i

meta            KAM_MEMBER      (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe        KAM_MEMBER      Dating Scams
score           KAM_MEMBER      4.5

#MEDICARE
header          __KAM_MEDICARE1   From =~ /(Medicare|health.?options|enrollment)/i
header          __KAM_MEDICARE2   Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
body            __KAM_MEDICARE3   /medicare.(plan|recipient|annual election)/i
tflags		__KAM_MEDICARE3	  nosubject
body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium|medicare basics guide/i

meta            KAM_MEDICARE      (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe        KAM_MEDICARE      Medicare Scams
score           KAM_MEDICARE      4.0

#BILLS
header          __KAM_BILLS1   From =~ /LowerMyBills|mortgage/i
header          __KAM_BILLS2   Subject =~ /Save up to \$\d|refi requirement|refi.program/i

meta            KAM_BILLS      (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_BILLS      Bill Pay Spams
score           KAM_BILLS      4.0

#HOSE
header          __KAM_HOSE1   From =~ /Pocket Hose/i
header          __KAM_HOSE2   Subject =~ /garden hose|kinks/i
body		__KAM_HOSE3   /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i

meta            KAM_HOSE      (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_HOSE      Garden Hose Spams
score           KAM_HOSE      4.5

#AV
header          __KAM_AV1   From =~ /Norton/i
header          __KAM_AV2   Subject =~ /Update now|Are you protected/i

meta            KAM_AV      (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_AV      Anti-Virus Spams
score           KAM_AV      4.0

#MASCARA
header          __KAM_MASCARA1   From =~ /smartlash/i
header          __KAM_MASCARA2   Subject =~ /mascara/i
body		__KAM_MASCARA3   /smartlash/i

meta            KAM_MASCARA      (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_MASCARA      Make-up Spams
score           KAM_MASCARA      4.5

#COLLEGE
header          __KAM_COLLEGE1   From =~ /degree|doctorate|online/i
header          __KAM_COLLEGE2   Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody         __KAM_COLLEGE3   /online degree|ph\.?d online|online doctorate|advance your career with a degree/i

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta            KAM_COLLEGE      (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
  describe        KAM_COLLEGE      Online Degree/Aid Spams
  score           KAM_COLLEGE      4.0
endif

#SURVEY
header		__KAM_SURVEY1	From =~ /Survey|safecount|privacy/i
header		__KAM_SURVEY2	Subject =~ /win an ipad/i
body		__KAM_SURVEY3	/Do You Use Instagram|Complete the survey|win a great prize/i

meta		KAM_SURVEY	(__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe	KAM_SURVEY	Online Survey Spams
score		KAM_SURVEY	4.5

#LAKE
#REMOVED 1/7/2014
#rawbody         KAM_LAKE  	/http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe	KAM_LAKE	Odd spamming engine LAKE signature on URLs
#score		KAM_LAKE	0.25

#SNORE
header          __KAM_SNORE1   From =~ /snoring|zquiet/i
header          __KAM_SNORE2   Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body            __KAM_SNORE3   /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i

meta            KAM_SNORE      (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_SNORE      Snoring Aid Spams
score           KAM_SNORE      4.0

#VACATION
header          __KAM_VACATION1   From =~ /Promotions|cruise|vacation/i
header          __KAM_VACATION2   Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body            __KAM_VACATION3   /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i

meta            KAM_VACATION      (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_VACATION      Vacation Spams
score           KAM_VACATION      4.0

#BLOOD PRESSURE
header		__KAM_BLOOD1	From =~ /Marine Essent|blood.pressure/i
header		__KAM_BLOOD2	Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body		__KAM_BLOOD3	/Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body		__KAM_BLOOD4    /Marine Essentials|this mineral|drug.companies.hate/i
body		__KAM_BLOOD5	/Anti-Aging Expert|worst.food/i
body		__KAM_BLOOD6	/Blood pressure/i

meta		KAM_BLOOD	( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6  + KAM_INFOUSMEBIZ >= 4)
describe	KAM_BLOOD	Blood Pressure Spams
score		KAM_BLOOD	4.75

#SCOOTER
header          __KAM_SCOOTER1    From =~ /Scooter Store/i
header          __KAM_SCOOTER2    Subject =~ /lack of mobility/i
body            __KAM_SCOOTER3    /the scooter store/i

meta            KAM_SCOOTER       ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe        KAM_SCOOTER       Blood Pressure Spams
score           KAM_SCOOTER       4.75

#ANATABLOC
header		__KAM_ANATA1	From =~ /Anatabloc/i
header		__KAM_ANATA2	Subject =~ /(back|joint) pain|arthritis/i

meta		KAM_ANATA	(__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe	KAM_ANATA	Drug Spam
score		KAM_ANATA	4.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  #BBB Phish
  header		__KAM_BBB1	From =~ /bbb.org/i
  body		__KAM_BBB2	/consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
  body		__KAM_BBB3	/has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
  body		__KAM_BBB4	/about your *(?:glance|belief|judgment)/i
  header		__KAM_BBB5	Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i

  meta		KAM_BBB		(__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR_ALTERED >= 4)
  describe	KAM_BBB		Better Business Bureau Phishing
  score		KAM_BBB		5.0
endif

#PREV MARK
header		__KAM_MARK1	Subject =~ /[\[\<]ADV[\>\]]/i
header		__KAM_MARK2     Subject =~ /[\(\[\<\{\*]\s*(BULK|SPAM)\??\s*[\*\>\]\)\}]/i
header		__KAM_MARK3	Subject =~ /[\[\<\*]\s*VIRUS\s*[\*\>\]]/i

meta		KAM_MARKADV	(__KAM_MARK1 >= 1)
describe	KAM_MARKADV	Email arrived marked as an Advertisement
score		KAM_MARKADV	10.0

meta            KAM_MARKSPAM    (__KAM_MARK2 >= 1)
describe        KAM_MARKSPAM    Email arrived marked as Spam
score           KAM_MARKSPAM    4.0

meta            KAM_MARKVIRI    (__KAM_MARK3 >= 1)
describe        KAM_MARKVIRI    Email arrived marked as Virus
score           KAM_MARKVIRI    10.0

#H1QNUM ENGINE
rawbody		__KAM_H1QNUM1 	/<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header		__KAM_H1QNUM2	Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri		__KAM_H1QNUM3	/\.co\.uk/i

meta		KAM_H1QNUM	(__KAM_H1QNUM1 >= 1)
describe	KAM_H1QNUM	H1 Qnum indicator
score		KAM_H1QNUM	4.0

meta		KAM_H1QNUM2	( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe	KAM_H1QNUM2	H1 Qnum higher spamminess indicators
score		KAM_H1QNUM2	5.0

#AP
header		__KAM_AP1	From =~ /AP/
header		__KAM_AP2	Subject =~ /Community & educational development/i
body		__KAM_AP3	/American Grants and Loans Catalog/i

meta		KAM_AP		(__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe	KAM_AP		American Publishing Spam
score		KAM_AP		4.5

#CO.UK
header		KAM_COUK	From =~ /\@.{1,30}\.co\.uk/i
describe	KAM_COUK	Scoring .co.uk emails higher due to poor registry security.
score		KAM_COUK	0.85

#FAKE FACEBOOKMAIL
 #REAL FB DOMAIN
header		__KAM_FACEBOOKMAIL1	From =~ /\@facebookmail.com/i
 #SPECIFIC PEOPLE
header		__KAM_FACEBOOKMAIL2	From =~ /Ramakanth Raavi/i

meta		KAM_FACEBOOKMAIL	((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe	KAM_FACEBOOKMAIL	Fake or Abused Facebook Mail
score		KAM_FACEBOOKMAIL	8.0

#FAKE DHL/FEDEX/ETC
body		__KAM_FAKEDELIVER1	/courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached|confirm your shipping|view file in attach|unable to locate your address/i

header		__KAM_FAKEDELIVER2	Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel|shipping confirmation|confirm your address|shipment request/i

 #DHL
header		__KAM_FAKEDELIVER3	From:name =~ /DHL/i
header		__KAM_FAKEDELIVER4	From:addr !~ /dhl.com/i

 #FEDEX
rawbody         __KAM_FAKEDELIVER5      /Fed ?ex/i
header          __KAM_FAKEDELIVER6      From !~ /fedex.com/i

 #USPS
body		__KAM_FAKEDELIVER7	/USPS/i
header		__KAM_FAKEDELIVER8	From !~ /usps.com/i

 #CARGO
body		__KAM_FAKEDELIVER9      /CARGO/
header		__KAM_FAKEDELIVER10     From =~ /shipping|economy|priority/i

 #USPS
body		__KAM_FAKEDELIVER11	/DPD/i
header		__KAM_FAKEDELIVER12	From !~ /dpd.com|dpd.co.uk/i

uri		__KAM_FAKEDELIVER13	/(cdn.discordapp.com|wp-conten)/i

meta		KAM_FAKE_DELIVER	(__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + ((__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + (__KAM_FAKEDELIVER9 + __KAM_FAKEDELIVER10 >= 2) >= 1) + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR_ALTERED + __KAM_FAKEDELIVER13 >= 1) >= 3)
describe	KAM_FAKE_DELIVER	Fake delivery notifications
score		KAM_FAKE_DELIVER	6.25

meta            KAM_REALLY_FAKE_DELIVER   (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
score           KAM_REALLY_FAKE_DELIVER   2.5
describe        KAM_REALLY_FAKE_DELIVER   Definitely fake delivery notifications

#SOLAR POWER
header		__KAM_SOLAR1	From =~ /Solar|electric|regard|energy|.olar..etwork/i
header		__KAM_SOLAR2	Subject =~ /power bill|sells power|electric(al)? bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body		__KAM_SOLAR3	/power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies|yard lights|solarglow/i

meta		KAM_SOLAR	(__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe	KAM_SOLAR	Solar Power Spams
score		KAM_SOLAR	1.9

meta		KAM_SOLAR2      (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe	KAM_SOLAR2      Definite Solar Power Spams
score		KAM_SOLAR2      1.9

#ASIAN BRIDE
header		__KAM_ASIAN1	Subject =~ /Asian Bride/i
body		__KAM_ASIAN2	/Adoring Asian/i
header		__KAM_ASIAN3	From =~ /asian/i

meta		KAM_ASIAN	(__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe	KAM_ASIAN	Asian Bride Spams
score		KAM_ASIAN	3.5

#DR OZ SPAM
header		__KAM_OZ1	From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header		__KAM_OZ2	Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body		__KAM_OZ3	/burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i

#meta		KAM_OZ		(__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe	KAM_OZ		Fake Dr. Oz Spam's
#score		KAM_OZ		3.5

#STUDENT LOAN
header		__KAM_STUDENT1	From =~ /Student.?Loan|government/i
header		__KAM_STUDENT2  Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body  		__KAM_STUDENT3  /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i

meta		KAM_STUDENT	(__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || KAM_SHORT) >= 3)
describe	KAM_STUDENT	Student Loan Forgiveness Spams
score		KAM_STUDENT	4.0

#TIP
header          __KAM_TIP1  From =~ /Beauty Tips/i
header          __KAM_TIP2  Subject =~ /Dark-Circles|undereye bags/i
body		__KAM_TIP3  /undereye bags/i
body		__KAM_TIP4  /Find Out This Quick New Trick/i

meta            KAM_TIP     (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe        KAM_TIP     Beauty Tip Spams
score           KAM_TIP     4.3

#WhatsApp
header		__KAM_WHATS1	From =~ /WhatsApp/i
header		__KAM_WHATS2	Subject =~ /Voice Message Notification/i
body		__KAM_WHATS3	/WhatsApp/

meta		KAM_WHATS	(__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe	KAM_WHATS	WhatsApp Spams
score		KAM_WHATS	3.0


#QTJars
header          __KAM_QTJARS1    From =~ /qtjar/i
header          __KAM_QTJARS2    Subject =~ /qtjar|left you a message|new message/i
body            __KAM_QTJARS3    /qtjars/
body		__KAM_QTJARS4 	 /private message/

meta            KAM_QTJARS       (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe        KAM_QTJARS       QTJars Spams
score           KAM_QTJARS       3.0

#GOOGLE DOCS PHISH
# view the agreement.
body		__KAM_GOOGLEPHISH1	/copy of the signed agreement/i
rawbody		__KAM_GOOGLEPHISH2	/http:\/\/.{5,50}\/http\/docs\.google\.com\/login\//i

meta		KAM_GOOGLEPHISH		(__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe	KAM_GOOGLEPHISH		Google Login Phishing Scam
score		KAM_GOOGLEPHISH		5.0

#POLITICAL SPAM
header		__KAM_POLY1	Subject =~ /Barack Obama/i
body		__KAM_POLY2	/The End of Barack Obama/i

meta		KAM_POLY	(__KAM_POLY1 + __KAM_POLY2 >= 2)
describe	KAM_POLY	Political Spams
score		KAM_POLY	3.0

#MAID
header          __KAM_MAID1     Subject =~ /Maid Services|housekeeping.service/i
header		__KAM_MAID2	From =~ /Maid|Housekeeper/i
body            __KAM_MAID3     /Pre-Screened Housekeepers|local.maid/i

meta            KAM_MAID        (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe        KAM_MAID        Maid Service Spams
score           KAM_MAID        3.0

#TUB
header          __KAM_TUB1     Subject =~ /Walk.?in.*tub|bath and massage/i
header          __KAM_TUB2     From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body            __KAM_TUB3     /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i

meta            KAM_TUB        (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe        KAM_TUB        Tub Spams
score           KAM_TUB        4.0

#OBFUSCATE PORN
header		__KAM_OBF1	Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header		__KAM_OBF2	Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header		__KAM_OBF3	Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header		__KAM_OBF4	Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header		__KAM_OBF5	Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header          __KAM_OBF6      Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header          __KAM_OBF7      Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header		__KAM_OBF8	Subject =~ /X.X.X/

meta		KAM_OBF		((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe	KAM_OBF		Obfuscated Porn Spams
score		KAM_OBF		4.0

meta            KAM_OBF         (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe        KAM_OBF         Obfuscated Porn Spams
score           KAM_OBF         2.0

#SHARK TANK
header		__KAM_SHARKTANK_SUBJ	Subject =~ /shark tank/i
body		__KAM_SHARKTANK_BODY	/shark tank/i

meta		KAM_SHARKTANK		(__KAM_SHARKTANK_SUBJ + __KAM_SHARKTANK_BODY >= 1)
score		KAM_SHARKTANK		1.0
describe	KAM_SHARKTANK		Mentions Shark Tank

rawbody		__KAM_SHARKPROD		/high blood pressure|moles|Dermabellix|follicles|drop 20|(^|\b)IQ($|\b)|keto SS/is

meta		KAM_SHARKPROD		(__KAM_SHARKPROD + KAM_SHARKTANK >= 2)
score		KAM_SHARKPROD		5.0
describe	KAM_SHARKPROD		Shark Tank Spam

#ICU TLD PROBLEMS
header          __KAM_ICUTLD_FROM          From:addr =~ /\.icu$/i
uri             __KAM_ICUTLD_URI           /\.icu($|\/)/i

meta            KAM_ICU_BAD_TLD         (__KAM_ICUTLD_FROM + __KAM_ICUTLD_URI) >= 1
describe        KAM_ICU_BAD_TLD         .icu TLD Abuse
score           KAM_ICU_BAD_TLD         2.0

#HAIR LOSS / GREYING / REMOVAL
header		__KAM_HAIR1	Subject =~ /(Regrows?|restore your|regain your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair|hair growth/i
header		__KAM_HAIR2	From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve|keranique|hair.?news/i
rawbody		__KAM_HAIR3	/k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve|hair will return|reactivate dormant hair/i
rawbody		__KAM_HAIR4	/Hair Regrowth|Hair Club for Men|Bosley|Rejuvalex/i

rawbody		__KAM_NEWSLETTER	/<title>Newsletter<\/title>/i

meta		KAM_HAIR	(__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + __KAM_NEWSLETTER + KAM_WEIRDTRICK1 + KAM_SHARKTANK + KAM_ADVERT2 >=4)
describe	KAM_HAIR	Hair Loss / Removal Spams
score		KAM_HAIR	4.5

#TRIAL
body            __KAM_TRIAL     /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i

#UNSUB
body		__KAM_UNSUB1	/cancel 0ffers/i #note the zero
body		__KAM_UNSUB2	/u +n +s +u +b +s +c +r +i +b +e/i

meta		KAM_UNSUB	(__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe	KAM_UNSUB	Completely ridiculous unsubscribe text found
score		KAM_UNSUB	5.0

#MAINTENANCE / Email Phish Scams
body		__KAM_EMAILPHISH1	/Please login to complete update process/i

meta		KAM_EMAILPHISH	(__KAM_EMAILPHISH1 + KAM_SHORT >= 2)
describe	KAM_EMAILPHISH	Email Phishing Scams
score		KAM_EMAILPHISH	3.5

#MASSMAILER ERRORS
header		__KAM_MASSERROR1  Reply-to =~ /\@domain\]\]/i

meta		KAM_MASSERROR	(__KAM_MASSERROR1 >= 1)
describe	KAM_MASSERROR	Error in usage of a mass mailing software
score		KAM_MASSERROR	2.0

#CAR DEAL SPAMS
header		__KAM_CARDEAL1	Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header		__KAM_CARDEAL2	From =~ /dealer|clearance|veh.cle/i
body		__KAM_CARDEAL3	/201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i

meta		KAM_CARDEAL	(__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe	KAM_CARDEAL	Car Deal Spams
score		KAM_CARDEAL	3.0

#Quick Sale Scams
header		__KAM_HOMESALE1	Subject =~ /buyer interested in your ho/i
header		__KAM_HOMESALE2	From =~ /Fastcash/i
body		__KAM_HOMESALE3	/Cash Offer for Your Home/i

meta		KAM_HOMESALE	(__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe	KAM_HOMESALE	Home Sale Spams
score		KAM_HOMESALE	3.5

#ADVERTISEMENTS FOR LOANS
header          __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$[\d.,]+ (tomorrow|down loan)|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer|money by tomorrow|one monthly payment/i
header          __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer|loan department|zippy ?loan|clear ?one/i
body            __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems|zippy ?loan|advanced lender|pay off debt|development.project|just.been.approved|for.your.business|loan.solution|ease your stress/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_LOAN5A Content-Type =~ /loan offer/i
  mimeheader    __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif

meta            KAM_LOAN    (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe        KAM_LOAN    Payday and other loan spams
score           KAM_LOAN    4.5

#HANGOVER SPAM
header          __KAM_HANGOVER1 Subject =~ /hangover patch/i
header          __KAM_HANGOVER2 From =~ /hangover/i
body            __KAM_HANGOVER3 /hangover patch/i

meta            KAM_HANGOVER    (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe        KAM_HANGOVER    Hangover Patch Spams
score           KAM_HANGOVER    3.5

#RX PLAN SPAM
header          __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header          __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body            __KAM_RXPLAN3 /gap coverage/i

meta            KAM_RXPLAN    (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe        KAM_RXPLAN    Rx Plan Spams
score           KAM_RXPLAN    3.5

#SIDE SOCKET
header          __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header          __KAM_SOCKET2 From =~ /side.?socket/i
body            __KAM_SOCKET3 /side socket/i

meta            KAM_SOCKET    (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe        KAM_SOCKET    Product Spam du Jour
score           KAM_SOCKET    3.5

#TESTOSTERONE
header          __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header          __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body            __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body		__KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i

meta            KAM_TESTOSTERONE    (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe        KAM_TESTOSTERONE    Product Spam du Jour
score           KAM_TESTOSTERONE    4.5

#FLEXHOSE
header          __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
header          __KAM_FLEXHOSE2 From =~ /hose/i
body            __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i

meta            KAM_FLEXHOSE    (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
describe        KAM_FLEXHOSE    Product Spam du Jour
score           KAM_FLEXHOSE    3.5

#PET
header          __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header          __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body            __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i

meta            KAM_PET    (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe        KAM_PET    Insurance and other pet-related spam
score           KAM_PET    4.5

meta            KAM_PET2   (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe        KAM_PET2    Even more likely insurance and other pet-related spam
score           KAM_PET2    3.5

#COBRA
header          __KAM_COBRA1 Subject =~ /Cobra Health/i
header          __KAM_COBRA2 From =~ /Cobra|Health/i
body            __KAM_COBRA3 /find cobra health/i

meta            KAM_COBRA    (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe        KAM_COBRA    Cobra Insurance Spam
score           KAM_COBRA    3.5

#Discount Air
header          __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header          __KAM_DISCAIR2 From =~ /Discount Air/i
body            __KAM_DISCAIR3 /Fly Cheap in Business Class/i

meta            KAM_DISCAIR    (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe        KAM_DISCAIR    Discount Airfare Spam
score           KAM_DISCAIR    3.5

#PEST
header          __KAM_PEST1 Subject =~ /pes?t control system/i
header          __KAM_PEST2 From =~ /Riddex|pest/i
body            __KAM_PEST3 /revolutionary pes?t control system/i

meta            KAM_PEST    (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe        KAM_PEST    Spam for Pest Control
score           KAM_PEST    3.5


#PROPHET
header          __KAM_PROPHET1 Subject =~ /beezelbub|communique|prophecy|Christian Media/i
header          __KAM_PROPHET2 From =~ /christian.*(media|prophe)|twintongues/i
body            __KAM_PROPHET3 /Dear Christian Friend/i
body		__KAM_PROPHET4 /Christian ?Media ?(Daily|Ministry)/i
body		__KAM_PROPHET5 /prophecy|rapture/i

meta		KAM_PROPHET    (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4)
describe        KAM_PROPHET    Spam for Prophecy
score           KAM_PROPHET    6.0

#HEART
header          __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header          __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body            __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i

meta            KAM_HEART    (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3  >= 3)
describe        KAM_HEART    Spam for Heart Attack prevention
score           KAM_HEART    4.5

#JOINT
header          __KAM_JOINT1 Subject =~ /joint relief/i
header          __KAM_JOINT2 From =~ /Tfx/i
body            __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body		__KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body		__KAM_JOINT5 /free bottle/i

meta            KAM_JOINT    (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4  >= 4)
describe        KAM_JOINT    Joint relief Spam
score           KAM_JOINT    4.0

#REHAB
header          __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header          __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body            __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i

meta            KAM_REHAB    (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD)  >= 2)
describe        KAM_REHAB    Rehab Spam
score           KAM_REHAB    3.0

#HAIRTRANS
header          __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header          __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body            __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i

meta            KAM_HAIRTRANS    (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe        KAM_HAIRTRANS    Spam for Hair Restoration
score           KAM_HAIRTRANS    3.5

meta            KAM_HAIRTRANS2   (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe        KAM_HAIRTRANS2   Higher probability of spam for Hair Restoration
score           KAM_HAIRTRANS2   2.0

#OUR GIFT
body		__KAM_GIFTCERT1	/Our gift to you/i
body		__KAM_GIFTCERT2	/\$\d+ gift certificate/i
header		__KAM_GIFTCERT3 Subject =~ /Our gift to you/i

meta		KAM_GIFTCERT	(__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
score		KAM_GIFTCERT	1.5
describe	KAM_GIFTCERT	Gift Certificate Spams

#TIRES
header          __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
header          __KAM_TIRES2 From =~ /Tire/i
body            __KAM_TIRES3 /savings on tire|new tires/i

meta            KAM_TIRES    (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3  >= 3)
describe        KAM_TIRES    Spam for Tires
score           KAM_TIRES    3.0

#SLICEOMATIC
header          __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
header          __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
body            __KAM_SLICEOMATIC3 /Slice-o-matic/i

meta            KAM_SLICEOMATIC    (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3  >= 3)
describe        KAM_SLICEOMATIC    Spam for Kitchen Tools
score           KAM_SLICEOMATIC    3.0

#FINDYOURWINDOWS AND OTHER WINDOW SPAM
header          __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot|anders.n.window/i
header          __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows|remodel/i
body            __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i

meta            KAM_WINDOWS    (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
describe        KAM_WINDOWS    Spam for House Windows
score           KAM_WINDOWS    4.5

#EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
#POISON PILL
uri             __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i

meta            KAM_EMMAPP_WEB_COM   (__KAM_EMMAP_WEB_COM1 >= 1)
describe        KAM_EMMAPP_WEB_COM   Spam from emmapp.web.com
score           KAM_EMMAPP_WEB_COM   20.0

#NEW CREDIT CARD
header          __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
header          __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
body            __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i

meta           KAM_NEW_CREDITCARD     (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
describe       KAM_NEW_CREDITCARD     Spam for new credit cards
score          KAM_NEW_CREDITCARD     4.0

#WEIRD GERMAN SPAM
header         __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
header         __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
body           __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
body           __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i

meta           KAM_GERMAN_BUSINESS_CONTACTS    (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
describe       KAM_GERMAN_BUSINESS_CONTACTS    Weird German business contact info spam
score          KAM_GERMAN_BUSINESS_CONTACTS    3.0

#WEIRD SENIOR DATING SPAM
header         __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i

meta           KAM_SENIOR_DATING    (__KAM_SENIOR_DATING1 >= 1)
describe       KAM_SENIOR_DATING    Senior dating spam
score          KAM_SENIOR_DATING    2.0

#NEWS!
header		__KAM_NEWS1	Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
body		__KAM_NEWS2	/(?:Hello|hey|hi)!/i

meta		KAM_NEWS	(__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe	KAM_NEWS	Forged Emails with NEWS!
score		KAM_NEWS	9.0

#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
  uri      __KAM_COUNT_URIS /^./
  tflags   __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one

  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
  meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
  meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif

#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i

#FAKE AT&T
#header   __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header   __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri      __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta     KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score    KAM_FAKE_ATT 3.0

#YOU HAVE BEEN CHOSEN
header   __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header   __KAM_CHOSEN2 From =~ /marketing|invitation/i
body     __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i

meta     KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score    KAM_CHOSEN 2.0

#JURY DUTY AND OTHER FAKE COURT NOTICES
header   __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header   __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header   __KAM_JURY3 From !~ /\.gov/i
body     __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i

meta     KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score    KAM_JURY 8.0

#BITCOIN
header   __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body     __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header   __KAM_BITCOIN3 From =~ /bitcoin/i

meta     KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score    KAM_BITCOIN 4.5

#RELIGIOUS
header   __KAM_RELIGION1 Subject =~ /Christian Media/i
header   __KAM_RELIGION2 From =~ /Bible Prophecy/i
body     __KAM_RELIGION3 /Dear Christian|Christian Media/i

meta     KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score    KAM_RELIGION 2.5

#BUSINESS PHONE
header   __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header   __KAM_BUSINESSPHONE2 From =~ /business phone/i
body     __KAM_BUSINESSPHONE3 /business phone system/i

meta     KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score    KAM_BUSINESSPHONE 5.5

#NUMEROLOGY
header   __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header   __KAM_NUMEROLOGY2 From =~ /Numerology/i
body     __KAM_NUMEROLOGY3 /Control your destiny/i

meta     KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score    KAM_NUMEROLOGY 3.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#VOICEMAIL SPAM
header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news|Fax Message for/i
header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i

meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR_ALTERED >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score    KAM_VOICEMAIL 5.0
endif

#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header   __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header   __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody  __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i

meta     KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score    KAM_SPAMFORSPAM 5.5

#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header   __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header   __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body     __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i

meta     KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score    KAM_NEUROLOGICAL 3.5

#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body     __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags   __KAM_LOTSOFHASH multiple maxhits=10

meta     KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score    KAM_LOTSOFHASH 0.25

#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta     KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score    KAM_GRABBAG1 3.5

#TV DOCTOR TRASH
header   __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header   __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body     __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i

meta     KAM_TVDOCTOR    (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR    Spam for TV doctor stuff
score    KAM_TVDOCTOR    3.5

# 1-800-DENTIST
header   __KAM_DENTIST1   Subject =~ /dentist/i
header   __KAM_DENTIST2   From =~ /1-?800-?dentist/i
body     __KAM_DENTIST3   /Find a dentist/i

meta     KAM_DENTIST    (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST    Spam for 1-800-DENTIST
score    KAM_DENTIST    3.5

# GOLD AND DIAMOND JEWELRY
header   __KAM_JEWELRY1   Subject =~ /jewell?rey online|shop now/i
header   __KAM_JEWELRY2   From =~ /bluestone.com/i

meta     KAM_JEWELRY    (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY    Spam for Gold and Diamond Jewelry
score    KAM_JEWELRY    3.5

# PSSST, WANNA BUY SOME POT
body     __KAM_MARIJUANA1 /marijuana|cannabis/i
body     __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body     __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header   __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i

meta     KAM_MARIJUANA    (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA    Spam pertaining to marijuana
score    KAM_MARIJUANA    3.5

meta     KAM_MARIJUANA2   (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score    KAM_MARIJUANA2   8.0
describe KAM_MARIJUANA2   Definitely spam for marijuana

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# EVICTION NOTICE
header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i

meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR_ALTERED >= 4)
describe KAM_EVICTION    Malware disguised as eviction notice
score    KAM_EVICTION    4.5
endif

# WALK IN TUBS
header   __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header   __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body     __KAM_WALKINTUB3 /walk.?in.?tub/i

meta     KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score    KAM_WALKINTUB 3.5

# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header   __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header   __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i

meta     KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score    KAM_EMAILQUESTION 3.5

# BECOME BEYOND SUPERHUMAN / SUPERMAN
header   __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header   __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body     __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i

meta     KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score    KAM_SUPERHUMAN 8.0

# VALENTINES
header   __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header   __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody  __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i

meta     KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score    KAM_VALENTINE 4.5

header   __KAM_MOTHER1 From =~ /flower|seventeen/i
header   __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body     __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i

meta     KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score    KAM_MOTHER 4.5

# WHO'S WHO
header   __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header   __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body     __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri      __KAM_WHOSWHO4 /whoswho/i

meta     KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score    KAM_WHOSWHO 5.0

meta     KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score    KAM_WHOSWHO2 1.0

# GARAGE FLOOR COATING
header   __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header   __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body     __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i

meta     KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score    KAM_GARAGE 4.0

meta     KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score    KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam

#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header          __KAM_PAINT1   From =~ /Coating|Paint|Surface|Sealer/i
header          __KAM_PAINT2   Subject =~ /surface Paint/i

meta            KAM_PAINT      (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_PAINT      Paint Spams
score           KAM_PAINT      4.0

# HURRICANE MOP
header   __KAM_MOP1 From =~ /hurricane mop/i
header   __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body     __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i

meta     KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score    KAM_MOP 3.5

# DATING TIPS
header   __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header   __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body     __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i

meta     KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score    KAM_DATINGTIPS 4.5

# CANDY
header   __KAM_CANDY1 From =~ /candy/i
header   __KAM_CANDY2 Subject =~ /candy/i
body     __KAM_CANDY3 /you deserve a treat|sweet tooth/i

meta     KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score    KAM_CANDY 4.5

# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody  KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score    KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable

# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header   __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body     __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header   __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header   __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i

meta     KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score    KAM_WEIRDTRICK1 1.5

meta     KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score    KAM_WEIRDTRICK2 3.5

meta	 KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score	 KAM_WEIRDTRICK3 3.0

#MATCH MAKER SPAM
header	__KAM_MATCH1	From =~ /Match/i
header	__KAM_MATCH2	Subject =~ /Find love|available singles|free.to.look|meet.singles/i

meta		KAM_MATCH	(__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe	KAM_MATCH	Match Maker Spams
score		KAM_MATCH	3.5

#CAR INSURANCE
header	__KAM_CARINSURE1	From =~ /insurance/i
header	__KAM_CARINSURE2	Subject =~ /save on car insurance|smarter.way/i

meta		KAM_CARINSURE	(__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe	KAM_CARINSURE	Car Insurance Spams
score		KAM_CARINSURE	3.0

#DATA IMG
rawbody		__KAM_DATAIMG	/<img src="data:image/i

#FAKE MMS
rawbody		__KAM_MMS1	/base64,G011K60C12QKQ9790AIFQ5L/s

meta		KAM_MMS		(__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe        KAM_MMS		Fake MMS Spam
score		KAM_MMS		6.0

#LEARNMORE
rawbody		__KAM_LEARN1	/base64,R0lGODlh3gA9APcAAAFlmUK/

meta		KAM_LEARN	(__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe	KAM_LEARN	Learn More Spam
score		KAM_LEARN	6.0

#UNSUB1
header		__KAM_UNSUB1_1	List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody		__KAM_UNSUB1_2	/:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i

meta		KAM_UNSUB1	(__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe	KAM_UNSUB1	Unsubscription Spams
score		KAM_UNSUB1	0.1

uri             __KAM_DOMAINDOTCOM /domain\.com/i

meta            KAM_UNSUB2      ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score           KAM_UNSUB2      3.5
describe        KAM_UNSUB2      Improperly configured spam engines that leave placeholder domains in the body

# DUTCH GLOW AND OTHER WOODWORKING SPAM
header   __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header   __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body     __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i

meta     KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 3)
describe KAM_DUTCHGLOW Woodworking spam
score    KAM_DUTCHGLOW 3.0

# FUNERAL HOME SPAM
header   __KAM_FUNERAL1 From =~ /Funeral/i
header   __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body     __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri      __KAM_FUNERAL4 /\/home\.php\?funeral/i

meta     KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score    KAM_FUNERAL 2.0

meta     KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score    KAM_FUNERAL2 3.0


# WEB VIEW OBFUSCATION
body     __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody  __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i

meta     KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score    KAM_WEB_OBFUSCATION 0.1

# TUPPERWARE
header   __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header   __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body     __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i

meta     KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score    KAM_TUPPERWARE 3.5

# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header   __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header   __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body     __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body     __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i

meta     KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score    KAM_PATRIOT 4.0

meta     KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score    KAM_PATRIOT2 1.5

# PAYMENT LOWERED
header   __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body     __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body     __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i

meta     KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score    KAM_PAYMENT_LOWERED 4.5

meta     KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
score    KAM_PAYMENT_LOWERED 2.0

#NEW NOTICE
body	__KAM_NEWNOTICE1	/- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body	__KAM_NEWNOTICE2	/- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header  __KAM_NEWNOTICE3        From =~ /Notice|Notification|Credit/i

meta		KAM_NEWNOTICE	(__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe	KAM_NEWNOTICE	New Notice Spam
score		KAM_NEWNOTICE	4.25

meta            KAM_NEWNOTICE2  (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe	KAM_NEWNOTICE2	Higher Probability of New Notice Spam
score		KAM_NEWNOTICE2	2.0

#REFI NEW NOTICE
header		__KAM_REFINEW1	Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body		__KAM_REFINEW2	/(rate|payment).reduction|score-update/i

meta		KAM_REFINEW	(__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe	KAM_REFINEW	New Refi/Credit Notice spam
score		KAM_REFINEW	2.0

meta		KAM_REFINEW2	(KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe	KAM_REFINEW2	Higher Probability Refi Spam
score		KAM_REFINEW2	2.0

#AUTO INSURE / LOAN
header		__KAM_AUTONEW1	Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body		__KAM_AUTONEW2	/car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body		__KAM_AUTONEW3	/just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header          __KAM_AUTONEW4	From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i

meta		KAM_AUTONEW	(__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe	KAM_AUTONEW	New Auto insurance spam
score		KAM_AUTONEW	3.0

meta		KAM_AUTONEW2	(KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe	KAM_AUTONEW2	Higher Probability Insurance Spam
score		KAM_AUTONEW2	2.0

#STATLER
header		__KAM_STATLER1	Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header		__KAM_STATLER2	Subject =~ /quintuple/i
body		__KAM_STATLER3	/Mike Statler/i

meta		KAM_STATLER	(__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe	KAM_STATLER	Mike Statler Spams
score		KAM_STATLER	6.0

#LEARNING TO WRITE
header   __KAM_WRITING1 From =~ /writing/i
header   __KAM_WRITING2 Subject =~ /writing resources|get published/i
body     __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i

meta     KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score    KAM_WRITING 3.5

#RASH OF .EU EXPLOITS
rawbody         KAM_EU /https?:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score           KAM_EU 0.50
describe        KAM_EU Prevalent use of .eu in spam/malware

#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody         __KAM_12BITCOLOR /color: \#[\da-f]{12}/i

meta		KAM_GRABBAG2	KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score		KAM_GRABBAG2	5.0
describe	KAM_GRABBAG2	Grabbag of Spams hitting EU domains and other indicators

#END DIABETES SPAM
body		__KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
body		__KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
header		__KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i

meta		KAM_DIABETES	(__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
score		KAM_DIABETES	4.5
describe	KAM_DIABETES	End Diabetes Spam

#SPY CAMERAS, ETC
header   __KAM_SPY1 From =~ /spy.?camera/i
header   __KAM_SPY2 Subject =~ /spy.?camera/i
body     __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i

meta     KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score    KAM_SPY 3.5

#HARP
header	__KAM_HARP1	From =~ /\bharp\b|obamacare|save|healthcare/i
header	__KAM_HARP2	Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header	__KAM_HARP3	From !~ /\.gov>?$/i

meta 	 KAM_HARP	(__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP	HARP Refinance Spams
score	 KAM_HARP	4.5

#LUNAR SLEEP AND OTHER SLEEPING AIDS
header	 __KAM_LUNAR1	From =~ /lunar.?sleep|peak.life/i
header	 __KAM_LUNAR2	Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri 	 __KAM_LUNAR3	/lunar.?sleep/i
body	 __KAM_LUNAR4   /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i

meta	 KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score	 KAM_LUNAR 4.5

meta	 KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score	 KAM_LUNAR2 2.0

#OCEANS BOUNTY
header   __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header   __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body     __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i

meta     KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score    KAM_OCEANSBOUNTY 4.5

#ANDROGEL
header   __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header   __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body     __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i

meta     KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score    KAM_ANDROGEL 4.5

#CELL PHONES
header   __KAM_CELL1 From =~ /phone/i
header   __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body     __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i

meta     KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score    KAM_CELL 3.5

header   __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header   __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body     __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i

meta     KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score    KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad

#HERPES
header   __KAM_HERPES1 From =~ /herpes/i
header   __KAM_HERPES2 Subject =~ /your.herpes/i
body     __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i

meta     KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score    KAM_HERPES 5.0

#FAKE VOUCHER/REWARD EMAIL
header   __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body     __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
header   __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
body     __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i

meta     KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
describe KAM_FAKEVOUCHER Fake voucher/reward email
score    KAM_FAKEVOUCHER 4.5

#ATTORNEY SPAM
header   __KAM_ATTORNEY1 From =~ /attorney/i
header   __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
body     __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i

meta     KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
score    KAM_ATTORNEY 3.5
describe KAM_ATTORNEY Ads for legal services

#PRODUCT RECALL
header   __KAM_RECALL1 From =~ /dog.?food/i
header   __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
body     __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i

meta     KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
score    KAM_RECALL 3.5
describe KAM_RECALL Spam for product recall notices

#REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
rawbody  __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
tflags   __KAM_HUGEIMGSRC multiple maxhits=6

meta     KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
score    KAM_HUGEIMGSRC 0.2
describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls

describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
rawbody  KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
score    KAM_REALLYHUGEIMGSRC 0.5

rawbody  KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
score    KAM_TRACKIMAGE 0.2

#BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
meta     KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
score    KAM_GRABBAG3 3.0
describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients

#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody  __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i

meta     KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score    KAM_EMPTYLINK 3.5

header   __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde

# WORDS THAT "A R E  S P A C E D  O U T" LIKE SO
body     __KAM_SPACEY_WORDS /a +v +e +n +u +e/i

# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header   __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
body     __KAM_INVESTCOUNTRY2 /invest in your country/i

meta     KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
score    KAM_INVESTCOUNTRY 3.5
describe KAM_INVESTCOUNTRY Spam for investing in your country

# SPAM FOR FLAGS
header   __KAM_FLAG1 From =~ /flag/i
header   __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body     __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i

meta     KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score    KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags

rawbody  __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags

rawbody  __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text

rawbody  __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area

meta     KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score    KAM_GRABBAG4 3.5

header   __KAM_KORS1 From =~ /Michael Kors/i
header   __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body     __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i

meta     KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score    KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors

header   __KAM_HOLIDAY1 From =~ /holidays/i
header   __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body     __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i

meta     KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score    KAM_HOLIDAY 3.5

#Thanks to Dave Wreski for his idea on commas
header   __KAM_MANYTO To =~ />,/i
tflags   __KAM_MANYTO multiple maxhits=5

header   __KAM_MANYTO2 To =~ /, /
tflags	 __KAM_MANYTO2 multiple maxhits=25

meta     KAM_MANYTO (__KAM_MANYTO >= 5 || __KAM_MANYTO2 >= 25)
score    KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header or more than 25 recipients

meta     KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score    KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients

body     __KAM_MILLIONAIRE1 /internet millionai?re/i
body     __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header   __KAM_MILLIONAIRE3 Subject =~ /see this video/i

meta     KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score    KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money

header   __KAM_OILCHANGE1 From =~ /oil.?change|coupon|vehicle service/i
header   __KAM_OILCHANGE2 Subject =~ /oil change|vehicle service/i
body     __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i

meta     KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score    KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes

header   __KAM_ADHD1 From =~ /ADH?D/i
header   __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body     __KAM_ADHD3 /struggling with adh?d|treatment options/i

meta     KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score    KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment

# AUTO REPAIR
header   __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header   __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body     __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i

meta     KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score    KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services

# HOME REPAIR
header   __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header   __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body     __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i

meta     KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score    KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services

body __KAM_EPISODE /episode \d+/i

header   __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header   __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body     __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body     __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i

meta     KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score    KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services

#FAX AND PAPERLESS SPAM
header   __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header   __KAM_PAPERLESS2 Subject =~ /paperless|fax (document|thru email|to email|message)|send document|(receive|send|new) fax|voice.message|have.received/i
body     __KAM_PAPERLESS3 /fax service|service plan|view.(fax|this.fax)|\d.page.fax|voice.message/i
body	 __KAM_PAPERLESS4 /link expires/i

meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + __KAM_PAPERLESS4 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score    KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office

rawbody  __KAM_LOTSOFNBSP /(&nbsp; ?){30}/i

header   __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i

# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header   __KAM_PASSWORD1 Subject =~ /password/i
body     __KAM_PASSWORD2 /validate.your.email/i

meta     KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score    KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password

# SEMINARS AND WORKSHOPS SPAM
header   __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header   __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header   __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body     __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i

meta     KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score    KAM_WEBINAR 3.5

meta     KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
describe KAM_WEBINAR2 Spam for webinars
score    KAM_WEBINAR2 3.5

header   __KAM_CONTACTME1 Subject =~ /^contact me$/i
body     __KAM_CONTACTME2 /read the attached letter/i

meta     KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score    KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply

header   __KAM_MESH1 From =~ /consumer|connect|claim/i
header   __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body     __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i

meta     KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score    KAM_MESH 3.5

header   __KAM_ALERT1 From =~ /medical.?alert/i
header   __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body     __KAM_ALERT3 /help button/i

meta     KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score    KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts

# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header   __KAM_SECURITY1 From =~ /Digital Defense/i
header   __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body     __KAM_SECURITY3 /information.security|cyber.?criminal/i

meta     KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score    KAM_SECURITY 6.0

body     __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body     __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body     __KAM_JESUS3 /nigeria|muslim.women/i

meta     KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score    KAM_JESUS 4.5

header   __KAM_CLAIMS1 From =~ /claims.payment/i
header   __KAM_CLAIMS2 Subject =~ /confirm/i
body     __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i

meta     KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score    KAM_CLAIMS 4.5

# VISION SPAM
header   __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header   __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body     __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i

meta     KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score    KAM_VISION 4.5

body     KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score    KAM_TRUTHINESS 1.5

header   __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header   __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body     __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i

meta     KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score    KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement

# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header   __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i

header   __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i

body     __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i

meta     KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score    KAM_GENERICHEALTH 1.75
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs

header   __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header   __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body     __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i

header   __KAM_SALEA_1 From =~ /touch.?fire/i
header   __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body     __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i

meta     KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score    KAM_SALE 4.0
describe KAM_SALE Spam for things on sale

meta     KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score    KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign

# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body     __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags   __KAM_ASCII_DIVIDERS multiple maxhits=4

meta     KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score    KAM_ASCII_DIVIDERS 0.8

# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header   __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i

rawbody  __KAM_HTMLNOISE1 /<big><\/big>|<small><\/small>|<style><\/style>/i

meta     KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score    KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding

header   __KAM_CHICKEN1 From =~ /coop/i
header   __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body     __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i

meta     KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score    KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops

# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody  __KAM_LINEPADDING /(\n[^\n]){8}/

meta     KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score    KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters

# DRAPES SPAM
header   __KAM_DRAPES1 From =~ /drapes/i
header   __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body     __KAM_DRAPES3 /banner.stand|print.project/i

meta     KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score    KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes

header   __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header   __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body     __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i

meta     KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score    KAM_NUWAVE 3.5

rawbody  __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags   __KAM_MANYCOMMENTS multiple maxhits=6

meta     KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score    KAM_MANYCOMMENTS 1.2

header   __KAM_HIRE1 From =~ /recruit/i
header   __KAM_HIRE2 Subject =~ /checking.in/i
body     __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i

meta     KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score    KAM_HIRE 4.5

header   __KAM_DEALS1 From =~ /deal.?hunter/i
header   __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body     __KAM_DEALS3 /exclusive.savings/i

meta     KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score    KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals

header   __KAM_CONTRACT1 From =~ /samanage/i
header   __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body     __KAM_CONTRACT3 /buy you out|service management|management solution/i

meta     KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score    KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract

#KAM_TOLL
header   __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header   __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body     __KAM_TOLL3 /have.not.paid|your.debt|invoice/i

meta     KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score    KAM_TOLL 8.0

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#KAM_AMAZON
header   __KAM_AMAZON1 From =~ /amazon\.com/i

meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR_ALTERED >= 2)
score    KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware
endif

# LANDSCAPING
header   __KAM_LANDSCAPE1 From =~ /landscaping/i
header   __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body     __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body     __KAM_LANDSCAPE4 /stone.carving/i

meta     KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score    KAM_LANDSCAPING 3.5

# SINGING LESSONS
header   __KAM_SINGING1 From =~ /singing/i
header   __KAM_SINGING2 Subject =~ /professional.singer/i
body     __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i

meta     KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score    KAM_SINGING 4.5

# SPAM FOR ADS
header   __KAM_ADVERTISE1 From =~ /gmail/i
header   __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body     __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i

meta     KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score    KAM_ADVERTISE 4.5

# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS - Thanks to Christian Kueppers for the request to encapsulate with DKIM and SPF plugin checks!
if (version >= 3.003002)
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
# We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
header   __KAM_SPF_NONE    eval:check_for_spf_none()

meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
score    KAM_LAZY_DOMAIN_SECURITY 1.0
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif
endif
endif

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# FORGED EMAILS WITH A VIRUS ATTACHED
meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR_ALTERED >= 2)
score    KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment
endif

# LOTS OF PERIODS IN SUBJECT
header   __KAM_MANYDOTS1 Subject =~ /\.{20}/i

meta     KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score    KAM_MANYDOTS 3.5

# FINAL NOTICE SPAM
header   __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i

meta     KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score    KAM_SUBJECTNOTICE 1.0

# SPAM FOR BACKUP SERVICE
header   __KAM_BACKUP1 From =~ /backup/i
header   __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body     __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i

meta     KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score    KAM_BACKUP 4.5

# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header   KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score    KAM_FROMNUM 1.0

# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta     KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score    KAM_LINKBAIT 2.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place

uri	 __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i

meta 	 KAM_LINKBAIT2	KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score	 KAM_LINKBAIT2	1.5
describe KAM_LINKBAIT2  Linkbait that points to wordpress - usually means a compromised site

# FREEMAIL LINKBAIT
meta     KAM_LINKBAIT3 (KAM_SHORT + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score    KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR_ALTERED + LOTS_OF_MONEY >= 2)
score    KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts
endif

# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header   __KAM_MULTIPLE_FROM From =~ /^./
tflags   __KAM_MULTIPLE_FROM multiple maxhits=2

header   __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/

meta     KAM_GRABBAG6 ((__KAM_MULTIPLE_FROM >= 2) + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score    KAM_GRABBAG6 4.5

# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header   KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score    KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject

# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header   __KAM_GOOGLE2_1 From =~ /google\+/i
header   __KAM_GOOGLE2_2 From !~ /google.com/i

meta     KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score    KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam

# MORE NIGERIAN VARIANTS
body     __KAM_NIGERIAN3_1 /congo/i

meta     KAM_NIGERIAN3 (__KAM_NIGERIAN3_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score    KAM_NIGERIAN3 4.5
describe KAM_NIGERIAN3 Nigerian scam variant

# FINGERHUT SPAMS
header   __KAM_FINGERHUT1 From =~ /finger.?hut/i
header   __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body     __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i

meta     KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score    KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut

# FRIEND REQUEST SPAM
header   __KAM_FRIEND1 Subject =~ /new.notification/i
body     __KAM_FRIEND2 /wants.to.follow/i

meta     KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score    KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam

# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR_ALTERED >= 2)
score    KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted
endif

#MERCHANT ACCOUNTS SPAM
header   __KAM_MERCHANT1 Subject =~ /finance.department/i
body     __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body     __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i

meta     KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score    KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing

# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i

# DISABLED 7/16 FOR NO LONGER BEING RELEVANT
#meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
#describe KAM_ZERODAY obviously a malware email that was not caught
#score    KAM_ZERODAY 8.0

# ANOTHER ONE
header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i

meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
score    KAM_ZERODAY2 1.0
describe KAM_ZERODAY2 Another obvious zero-day malware

meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
score    KAM_ZERODAY3 3.5
describe KAM_ZERODAY3 Another obvious zero-day malware
endif

# FAMILY TREE SPAM
header   __KAM_ANCESTOR1 From =~ /ancestry/i
header   __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body     __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i

meta     KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score    KAM_ANCESTOR 3.5

# REMEMBER WHEN YOU GOT THAT SPAM
header   __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body     __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body     __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i

meta     KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score    KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened

# THE LATEST TRAILING NOISE FORMAT
body     __KAM_NOISE1 /([a-z0-9],){12}/i
body     __KAM_NOISE2 /([a-z]{1,10},){10}/i

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
describe KAM_NOISE1 Pattern of noise words at the end of an email
score    KAM_NOISE1 2.5
endif

# FREE PIZZA WOO!
header   __KAM_PIZZA1 From =~ /pizza/i
header   __KAM_PIZZA2 Subject =~ /^free pizza$/i
body     __KAM_PIZZA3 /free.pizza.coupon/i

meta     KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score    KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza

# ENGINEERING SPAM
header   __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body     __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body     __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i

meta     KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score    KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information

# SUNGLASSES
header   __KAM_SUNGLASSES1 Subject =~ /rayban/i
body     __KAM_SUNGLASSES2 /great ray|hot.deal/i
body     __KAM_SUNGLASSES3 /style rocks|today.only/i

meta     KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score    KAM_SUNGLASSES 3.5

# INVOICE SPAM OF THE DAY
header   __KAM_INVOICE1 From =~ /billing/i
header   __KAM_INVOICE2 Subject =~ /past.due|invoice/i
header	 __KAM_INVOICE3 Subject =~ /invoice (error|issue)/i
body	 __KAM_INVOICE4 /(billing error|problem with the address).{2,10}invoice/i
uri	 __KAM_INVOICE5 /overdue|final.account/i

meta     KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score    KAM_INVOICE 4.5
describe KAM_INVOICE Phishing invoice spam

meta	 KAM_INVOICE2 (__KAM_INVOICE1 + __KAM_INVOICE3 + __KAM_INVOICE4 + __KAM_INVOICE5 + SPF_FAIL >= 3)
score    KAM_INVOICE2 5.5
describe KAM_INVOICE2 Phishing invoice spam

# GRIPEEZ
header   __KAM_GRIPPY1 From =~ /gripeez/i
header   __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body     __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i

meta     KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score    KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products

# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header   __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing/i
header   __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body     __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body     __KAM_ACCOUNTPHISH4 /webmail|all.systems|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i

meta     KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score    KAM_ACCOUNTPHISH 3.20
describe KAM_ACCOUNTPHISH Spam that tries to get account information

# BUY PROPERTY
header   __KAM_PROPERTY1 From =~ /high.rise|condo/i
header   __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body     __KAM_PROPERTY3 /convenient.location/i

meta     KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score    KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property

# FAKE AMEX
header   __KAM_FAKEAMEX1 From =~ /aexp.com/i

meta     KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score    KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information

header   KAM_HUGESUBJECT Subject =~ /^.{500}/
score    KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter

#HOOKUP
header   __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri      __KAM_HOOKUP2 /justhookup/i
body     __KAM_HOOKUP3 /match.?me.?networks/i

meta     KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score    KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service

#PSYCHIC
header	 __KAM_PSYCHIC1	Subject =~ /horoscope|psychic/i
uri 	 __KAM_PSYCHIC2	/free.psychic/i
body	 __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i

meta	 KAM_PSYCHIC	(__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score	 KAM_PSYCHIC 	4.5
describe KAM_PSYCHIC	Current Psychic Product Spam du Jour

#UNSUB BADDIES
body	__KAM_BADUNSUB	/(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i

meta	 KAM_BADUNSUB	(__KAM_BADUNSUB >= 1)
score	 KAM_BADUNSUB	3.0
describe KAM_BADUNSUB	Bad Unsubscribe Messages

#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody  __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//

meta     KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score    KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message

#TINYURL OBFUSCATION
uri      __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i

meta     KAM_TINYURL (__KAM_TINYURL1)
score    KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener

# FAKE DROPBOX
header   __KAM_DROPBOX1 From =~ /dropbox/i
header   __KAM_DROPBOX2 From !~ /dropbox.com/i
body     __KAM_DROPBOX3 /shared.a.folder/i

meta     KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score    KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails

# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i

meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
score    KAM_YAHOO_MISTAKE -3.0
endif

# GARBAGE FREEMAIL
meta     KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score    KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account

# AQUA RUG
header   __KAM_AQUARUG1 From =~ /aqua.?rug/i
header   __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body     __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i

meta     KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score    KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product

# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header   __KAM_ITC1 From =~ /thetradecouncil.com/i
body     __KAM_ITC2 /International Trade Council/i
body     __KAM_ITC3 /enclosed/i

meta     KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score    KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council

# HAVE YOU SEEN THIS
body     __KAM_SEENTHIS1 /have.you.seen|seen.this/i

meta     KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_OPRAH3 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score    KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?

# DETOX
header   __KAM_DETOX1 From =~ /detox/i
header   __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body     __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i

meta     KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score    KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff

# DEATH INSURANCE
header   __KAM_DEATHINSURE1 From =~ /live.sure/i
header   __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body     __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i

meta     KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score    KAM_DEATHINSURE 3.5

# REACHBASE
body     KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score    KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info

# DIGITAL WALLET SPAM
header   __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header   __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body     __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i

meta     KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score    KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services

# BAD PHP
header   __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header   __KAM_BADPHP2 X-Source-Args =~ /css.php/i

meta     KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score    KAM_BADPHP 3.5
describe KAM_BADPHP Questionable PHP mailer headers

# TINNITUS
header   __KAM_TINNITUS1 From =~ /tinnitus.?(911|breakthrough)/i
header   __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week|pandemic/i
body     __KAM_TINNITUS3 /scientifically.proven|end.tinnitus|get rid of the ringing/i

meta     KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score    KAM_TINNITUS 4.5

# KIWIBANK
header   __KAM_KIWIBANK1 From =~ /kiwibank/i
header   __KAM_KIWIBANK2 Subject =~ /verification.required/i
body     __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i

meta     KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score    KAM_KIWIBANK 3.5

# HAPPY TALK
header   __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body     __KAM_HAPPYTALK2 /honest.and.nice/i
body     __KAM_HAPPYTALK3 /beautiful.mail/i

meta     KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score    KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam

# SETTLEMENT SPAM
header   __KAM_SETTLEMENT1 From =~ /xarelto/i
header   __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body     __KAM_SETTLEMENT3 /lawsuit.information/i

meta     KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score    KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement

# CAD SPAM
header   __KAM_CAD1 Subject =~ /cad.drawing/i
body     __KAM_CAD2 /we.specialize.in/i
body     __KAM_CAD3 /our.products/i

meta     KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score    KAM_CAD 3.5

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
#SPAM WITH OFFICE MACROS
header   __KAM_VBMACRO X-KAM-VBMacro =~ /True/i

meta	   KAM_VBMACRO ((__KAM_VBMACRO >= 1) && !KAM_OLEMACRO)
describe KAM_VBMACRO Message contains attachment with VB macro
score    KAM_VBMACRO 6.5

#SPAM THAT INDICATES DYNAMIC IP
header   KAM_DYNIP   X-KAM-DynamicIndicator =~ /True/i
describe KAM_DYNIP   Message contains Dynamic IP Address Indicator
score    KAM_DYNIP   6.5
endif


# YELP AND OTHER REVIEW SITES
header   __KAM_REVIEW1 From =~ /contractor/i
header   __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body     __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i

meta     KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score    KAM_REVIEW 4.5

# TOURS AND EVENTS
header   __KAM_TOURS1 From =~ /festival/i
header   __KAM_TOURS2 Subject =~ /adventure.tour/i
body     __KAM_TOURS3 /your.adventure.tour|your.event/i

meta     KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score    KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events

# NO MORE SPAM ENGINES
body     __KAM_NOMORE1 /no.more.of.this/i
body     __KAM_NOMORE2 /no.more.at.all/i

meta     KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score    KAM_NOMORE 3.5

# NOT REALLY CONFIDENTIAL
body     __KAM_NOCONFIDENCE1 /confidential.information/i

meta     KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score    KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security

# YER GON GET SASSINATED
header   __KAM_ASSASSIN1 Subject =~ /want you dead/i
body     __KAM_ASSASSIN2 /my identity/i
body     __KAM_ASSASSIN3 /assassinate/i
body     __KAM_ASSASSIN4 /like.an.accident/i

meta     KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score    KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam

# GIMME FLASH DRIVES
header   __KAM_DRIVE1 From =~ /purchase|manager/i
header   __KAM_DRIVE2 Subject =~ /quotation/i
body     __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i

meta     KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score    KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment

#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
#  blacklist_uri_host link
#endif

#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta 	 KAM_QUITE_BAD_DNSWL	(URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score	 KAM_QUITE_BAD_DNSWL	3.25
describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta 	 KAM_QUITE_BAD_DNSWL	(URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 1)
score	 KAM_QUITE_BAD_DNSWL	3.25
describe KAM_QUITE_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
meta 	 KAM_BAD_DNSWL	(URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BRBL + RCVD_IN_BRBL_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score	 KAM_BAD_DNSWL	7.0
describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
else
meta 	 KAM_BAD_DNSWL	(URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + RCVD_IN_XBL + KAM_MESSAGE_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score	 KAM_BAD_DNSWL	7.0
describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
endif

# HEARING LOSS
header   __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
header   __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
body     __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i

meta     JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score    JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions

# TRACKR
header   __JMQ_TRACKR1 From =~ /trackr/i
header   __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body     __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i

meta     JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score    JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR

# CONGRATULATION
header   __JMQ_CONGRAT1 From =~ /award|claim/i
header   __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i

meta     JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR_ALTERED || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score    JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam

# PICKUP
header   __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body     __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header   __JMQ_PICKUP3 X-Mailer =~ /php/i
body     __JMQ_PICKUP4 /\d+.year.old|female/i

meta     JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score    JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number

# COMPROMISED DROPBOX
header   __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header   __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body     __JMQ_DROPBOX3 /ach.(payment|transfer)/i

meta     JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score    JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts

#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body   __KAM_BAD_REVIEW2 /Reputation Giant/i

meta	KAM_BAD_REVIEW	(__KAM_BAD_REVIEW1 +  __KAM_BAD_REVIEW2 >= 2)
score	KAM_BAD_REVIEW  4.0
describe KAM_BAD_REVIEW	Online reputation spammers

#GOOGLE AWARD
header	__KAM_GOOGLE_AWARD1	From =~ /Google UK/i
body	__KAM_GOOGLE_AWARD2	/selected as a winner/i
body	__KAM_GOOGLE_AWARD3	/Dear Google/i
body	__KAM_GOOGLE_AWARD4	/Official Notification Letter/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader	__KAM_GOOGLE_AWARD5A	Content-Type =~ /Google Award/i
mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
endif

meta	KAM_GOOGLE_AWARD	(__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1)  >= 4)
score	KAM_GOOGLE_AWARD	5.0
describe	KAM_GOOGLE_AWARD	Fake Google Awards

#OBFUSCATED LOANS
body	KAM_OBFU_LOANS	/Stüdént Lóans/i
score	KAM_OBFU_LOANS	5.0
describe KAM_OBFU_LOANS	Obfuscated Loan Verbiage

#WORK FROM HOME
body	__KAM_WORKFROMHOME1	/work from home/i

meta	KAM_WORKFROMHOME	(KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score	KAM_WORKFROMHOME	1.75
describe KAM_WORKFROMHOME	Work from Home Spams

#STUDENT LOAN
body	__KAM_STUDENTLOAN1	/(National|Federal) Student Loan Status/i
body	__KAM_STUDENTLOAN2	/consolidate your loan/i
body	__KAM_STUDENTLOAN3	/doesn't injured/i
body	__KAM_STUDENTLOAN4	/866-351-4693/i
body	__KAM_STUDENTLOAN5	/(financial troubles|debt) is (understood|forgiven)/i

meta	KAM_STUDENTLOAN		(__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score	KAM_STUDENTLOAN		4.5
describe	KAM_STUDENTLOAN	Student Loan Scam

#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
header   __JMQ_RESUME1 Subject =~ /resume/i
body     __JMQ_RESUME2 /hello my name|my name is/i
body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i

meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
score    JMQ_RESUME 4.5
describe JMQ_RESUME Spam for bad attached resumes
endif

#LED/SOLAR LIGHTS
header		__KAM_LED1	From =~ /light? ?bulb|garage ?light|Sun.?like?.?Bulb|LED.?Sun/i
body		__KAM_LED2	/(garage|LED Fan) Light|sun-?like|\dx the brightness/i
tflags		__KAM_LED2	nosubject
header		__KAM_LED3	Subject =~ /LED Lighting|L\.E\.D\.? Bulb|Innovative Light|energy bill|one bulb|Garage LED/i

meta		KAM_LED		(__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 3)
describe	KAM_LED		LED Lighting Spams
score		KAM_LED		4.5

# REAL ESTATE
header   __JMQ_REALESTATE1 From =~ /tom.brice/i
header   __JMQ_REALESTATE2 Subject =~ /real.estate/i
body     __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i

meta     JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score    JMQ_REALESTATE 4.5

# IP IN FROM
header   JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score    JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address

# IFFY PAYPAL OF THE DAY
header   __JMQ_PAYPAL2 From =~ /paypai/i

meta     JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score    JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day

# RESUME SPAM REDUX PART 2 (WOOHOO)
meta     JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score    JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam

# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY -
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns   JMQ_SPF_NEUTRAL _SENDERDOMAIN_ TXT /^v=spf1 .*\?all/
describe JMQ_SPF_NEUTRAL SPF set to ?all
score    JMQ_SPF_NEUTRAL 0.5

askdns   JMQ_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .*\+all/
describe JMQ_SPF_ALL SPF set to +all!
score    JMQ_SPF_ALL 0.5
endif

# IMPORTANT MESSAGE
header   __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body     __JMQ_IMPORTANT2 /important message/i
body     __JMQ_IMPORTANT3 /please visit/i

meta     JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score    JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important

# IMAGE TRACKERS
uri      __JMQ_TRACKER1 /sidekickopen\d*\.com/i

meta     JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score    JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker

# WIRE TRANSFERS
header   __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body     __JMQ_WIRE2 /medical.support|payment.sent/i
body     __JMQ_WIRE3 /bank.wire|sent.out.asap/i

meta     JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score    JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer

#bindata code in RTF
#rawbody	 __KAM_BADRTF1 /<w:binData/
#rawbody	 __KAM_BADRTF2 /QWN0aXZlTWltZQ/

#meta     KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score    KAM_BADRTF 5.0

#Fake Order
body	 __KAM_ORDER1	/Please find document attached/i
header	 __KAM_ORDER2	Subject =~ /Order \d+ (\(Acknowledgement\))?/i

meta	 KAM_ORDER	__KAM_ORDER1 + __KAM_ORDER2 + __BODY_LE_200 >= 3
score	 KAM_ORDER	3.0
describe KAM_ORDER	Fraudulent Order Emails

rawbody __RB_LE_200 /^.{2,200}$/s
tflags 	__RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta 	__BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200

#SHOCKING BEVERAGE
body	__KAM_SHOCK1	/shocking.beverage/i
header	__KAM_SHOCK2	Subject =~ /(Bill O.Reilly|Donald Trump)/i
body	__KAM_SHOCK3	/drinking this beverage/i

meta	 KAM_SHOCK	__KAM_SHOCK1 + __KAM_SHOCK2 + __KAM_SHOCK3 >= 2
score 	 KAM_SHOCK	4.0
describe KAM_SHOCK	Spams with energy drinks

#BEAUTY SCAM
body	__KAM_BEAUTY1	/she now looks \d+/i
body	__KAM_BEAUTY2	/reveals exactly/i
body	__KAM_BEAUTY3	/most amazing transformation/i
header	__KAM_BEAUTY4	Subject =~ /now looks \d+/i

meta	 KAM_BEAUTY	__KAM_BEAUTY1 + __KAM_BEAUTY2 + __KAM_BEAUTY3 + __KAM_BEAUTY4 >= 3
score	 KAM_BEAUTY	4.0
describe KAM_BEAUTY	Youth and Beauty Product Scams

#WEED
body	__KAM_WEED1	/legal.weed|jim kramer|kevin james/i
header	__KAM_WEED2	Subject =~ /Legal.Weed|pot.stock/i
body	__KAM_WEED3	/doubled? (there|their) money|Triple this afternoon/i
body	__KAM_WEED4	/(weed|pot).stock/i

meta	 KAM_WEED	__KAM_WEED1 + __KAM_WEED2 + __KAM_WEED3 + __KAM_WEED4 >= 3
score	 KAM_WEED	8.0
describe KAM_WEED	Legal Weed and related investment scams

#LOGOS
body	__KAM_LOGO1	/guru.level logo/i
header	__KAM_LOGO2	Subject =~ /guru.level logo/i
body	__KAM_LOGO3	/(guru.level|ready.made) logo/i

meta	 KAM_LOGO	__KAM_LOGO1 + __KAM_LOGO2 + __KAM_LOGO3 >= 3
score	 KAM_LOGO	5.25
describe KAM_LOGO	Logo Spam

#TRUMP COIN
body    __KAM_TRUMPCOIN1     /Donald Trump/i
header  __KAM_TRUMPCOIN2     Subject =~ /trump.coin/i
body    __KAM_TRUMPCOIN3     /special colored coin/i

meta     KAM_TRUMPCOIN       __KAM_TRUMPCOIN1 + __KAM_TRUMPCOIN2 + __KAM_TRUMPCOIN3 >= 3
score    KAM_TRUMPCOIN       5.25
describe KAM_TRUMPCOIN       Trump Coin Spam

#WATER
body    __KAM_WATER1     /Never Drink Water/i
header  __KAM_WATER2     Subject =~ /bottled water/i
body    __KAM_WATER3     /filtered tap water/i

meta     KAM_WATER       __KAM_WATER1 + __KAM_WATER2 + __KAM_WATER3 >= 3
score    KAM_WATER       5.25
describe KAM_WATER       Water Poison Scam

#BANK
body    __KAM_RUIN1     /do not deposit/i
header  __KAM_RUIN2     Subject =~ /money into your bank/i
body    __KAM_RUIN3     /banking institutions/i

meta     KAM_RUIN       __KAM_RUIN1 + __KAM_RUIN2 + __KAM_RUIN3 >= 3
score    KAM_RUIN       5.25
describe KAM_RUIN       Bank Phishing Scam

#WEIGHT
body    __KAM_WEIGHT2_1     /goodbye to her waist|wild transformation/i
header  __KAM_WEIGHT2_2     Subject =~ /looks \d+ overnight|no gym/i
body    __KAM_WEIGHT2_3     /melissa mccarthy|now looks \d+/i

meta     KAM_WEIGHT2       __KAM_WEIGHT2_1 + __KAM_WEIGHT2_2 + __KAM_WEIGHT2_3 >= 3
score    KAM_WEIGHT2       5.25
describe KAM_WEIGHT2       Weight loss process du jour

#AMAZING LENS
body    __KAM_LENS1     /pro quality (pho|pic)|Bill gates|best camera/i
header  __KAM_LENS2     Subject =~ /(amazing|incredible) photos|gadget of the year|coolest product|camera/i
body    __KAM_LENS3     /amazing lens|hdx-lens|hdrx/i
header	__KAM_LENS4	From =~ /hdcam|lens|inhd/i

meta     KAM_LENS       __KAM_LENS1 + __KAM_LENS2 + __KAM_LENS3 + __KAM_LENS4 >= 3
score    KAM_LENS       5.25
describe KAM_LENS       Amazing Lens Scam

#HONOR
body    __KAM_HONOR1     /greatest thing of your life/i
header  __KAM_HONOR2     Subject =~ /Congrats, on the honor/i
body    __KAM_HONOR3     /profession women/i
body	__KAM_HONOR4	 /invitation/i

meta     KAM_HONOR       __KAM_HONOR1 + __KAM_HONOR2 + __KAM_HONOR3 + __KAM_HONOR4 >= 3
score    KAM_HONOR       6.25
describe KAM_HONOR       Professional Network Scam

#Rule Dev
#Idea from John Hardin so you can see all URI's - ONLY for rule development - Then all the detected URIs appear in the rule hits debug output.
#uri     __ALL_URI   /.*/
#tflags  __ALL_URI   multiple

#Bad UTF-8 content type and transfer encoding - Thanks to Pedro David Marco for alerting to issue
header	 __KAM_BAD_UTF8_1		Content-Type =~ /text\/html; charset=\"utf-8\"/i
header   __KAM_BAD_UTF8_2		Content-Transfer-Encoding =~ /base64/i
full	 __RW_BAD_UTF8_3 		/^(?:[^\n]|\n(?!\n))*\nContent-Transfer-Encoding:\s+base64(?:[^\n]|\n(?!\n))*\n\n[\s\n]{0,300}[^\s\n].{0,300}[^a-z0-9+\/=\n][^\s\n]/si

meta	KAM_BAD_UTF8	(__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 + __RW_BAD_UTF8_3 >= 3)
score	KAM_BAD_UTF8	14.0
describe KAM_BAD_UTF8	Bad Content Type and Transfer Encoding that attempts to evade SA scanning

#DEATH
body    __KAM_DEATH1     /prevent early.death/i
header  __KAM_DEATH2     Subject =~ /(early|unexpected).death/i
body    __KAM_DEATH3     /Eating this|before it.?s too late/i
body    __KAM_DEATH4     /heart.(attack|stops)/i

meta     KAM_DEATH       __KAM_DEATH1 + __KAM_DEATH2 + __KAM_DEATH3 + __KAM_DEATH4 >= 4
score    KAM_DEATH       6.25
describe KAM_DEATH       Supplement Scam

#REWARD
body    __KAM_REWARD1     /walgreens|ikea|sephora|sams.?club/i
header  __KAM_REWARD2     Subject =~ /weekend.*reward|reward.*weekend|(reward|perk).{0,60}(expiring|ending)/i
header	__KAM_REWARD3	  Subject =~ /(Cert|coup|ending now|ending|expiring|expiring.now)(..)?(\d+|\[num)/i
header  __KAM_REWARD4     From =~ /ikea|sephora|shopper|walgreen|sale/i

meta     KAM_REWARD       __KAM_REWARD1 + __KAM_REWARD2 + __KAM_REWARD3 + __KAM_REWARD4 + KAM_NUMSUBJECT >= 4
score    KAM_REWARD       5.25
describe KAM_REWARD       Coupon Scam

#PACKAGE
body    __KAM_PACKAGE1     /dysfunction|\dx longer/i
body    __KAM_PACKAGE2     /sexual.performance|longer.in.bed/i
header  __KAM_PACKAGE3     Subject =~ /sex/i
header  __KAM_PACKAGE4     From =~ /function|fivex/i

meta     KAM_PACKAGE       __KAM_PACKAGE1 + __KAM_PACKAGE2 + __KAM_PACKAGE3 + __KAM_PACKAGE4 >= 3
score    KAM_PACKAGE       4.25
describe KAM_PACKAGE       Sexual Enhancement Scam

#NUM
header	__KAM_NUMSUBJECT		Subject =~ /\d+$/
header  __KAM_SUBJECTYEAR		Subject =~ /20[1-2][0-9]$/

meta	  KAM_NUMSUBJECT	(__KAM_NUMSUBJECT >=1 && __KAM_SUBJECTYEAR <= 0)
score     KAM_NUMSUBJECT        0.5
describe  KAM_NUMSUBJECT        Subject ends in numbers excluding current years

#BAD PDF
mimeheader      KAM_MGCS        Content-Type =~ /\+\-\+\-\+\-MGCS\-\+\-\+\-\+|[\xC2\xB7]pdf(?=)?"$/i
score   	KAM_MGCS	10.0
describe	KAM_MGCS	Boundary Content Indicative of Ratware

#NetWeaver - Disabled 7/24
#header		KAM_NW		X-Mailer =~ /SAP NetWeaver/i
#score		KAM_NW		2.75
#describe	KAM_NW		Spam Indicator

#STOCKTIP OBFU
body		__KAM_STOCKOBFU1	/make up the \d letter symbol/i
body		__KAM_STOCKOBFU2	/first letter/i
header		__KAM_STOCKOBFU3	Subject =~ /less than \d days|ten bagger|ten ?fold your principle/i

meta		KAM_STOCKOBFU		(__KAM_STOCKOBFU1 + __KAM_STOCKOBFU2 + __KAM_STOCKOBFU3 >= 3)
describe	KAM_STOCKOBFU		Stock Spam Tips that are being sneaky
score		KAM_STOCKOBFU		4.5

#FAKE BBB/FLSA NOTICES
header		__KAM_FAKEBBB1		Subject =~ /(incident:|case:)?[\d:;]{5}/i
body		__KAM_FAKEBBB2		/(Fair Labor Standards Act|Safety and Health act|Better Business Bureau|(\b|$)BBB(\b|^))/i
body		__KAM_FAKEBBB3		/(complaint|compliant|Abuse) ID/i
body		__KAM_FAKEBBB4		/(incident:|case:)[\d:;]{6,}/i

meta		KAM_FAKEBBB		(__KAM_FAKEBBB1 + __KAM_FAKEBBB2 + KAM_SHORT + __KAM_FAKEBBB3 + __KAM_FAKEBBB4>= 4)
describe	KAM_FAKEBBB		Fake Notices for Various Business Violations
score		KAM_FAKEBBB		12.0

#HOWRU
#header		__KAM_HOWRU1		Subject =~ /How are you?|Hi|What's Up|Hey, Sweety/i
body		__KAM_HOWRU2		/My name is|what's your name|ask your name|keep company with you/i
body		__KAM_HOWRU3		/visit the site|visit this site|visiting this website|have some social networks|meet you in private|write me tomorrow/i
body		__KAM_HOWRU4		/gmx.com|rambler.ru/i

meta		KAM_HOWRU		(__KB_WAM_SUBJECT_HELLO_ONLY +  __KAM_HOWRU2 +  __KAM_HOWRU3 + __KAM_HOWRU4 >=4)
describe	KAM_HOWRU		Female Chat Scam
score		KAM_HOWRU		8.0

# 2017-11-01, note 56146

body __KAM_DOMAIN_SALE1  /\b(related|similar) domain\b/i
body __KAM_DOMAIN_SALE2  /\b(interested in|obtaining) .{5,20} domain\b/i
body __KAM_DOMAIN_SALE3  /\bdomain (name owner|advanced avail|backordering)\b/i
body __KAM_DOMAIN_SALE4  /\b(domain you might be interested|interested in the domain|interested in obtain|benefit acquiring|complete ownership transfer|brokering the domain)\b/i

body __KAM_INTRUDE  /\b(hope I am not intruding|out of the blue|I will never contact you again if you go here)\b/i

meta KAM_DOMAIN_SALE_2  (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=2)

meta KAM_DOMAIN_SALE_3  (__KAM_DOMAIN_SALE1 + __KAM_DOMAIN_SALE2 + __KAM_DOMAIN_SALE3 + __KAM_DOMAIN_SALE4 >=3)

score KAM_DOMAIN_SALE_2  3.0
score KAM_DOMAIN_SALE_3  1.0

meta KAM_DOMAIN_SALE_INTRUDE (__KAM_INTRUDE && KAM_DOMAIN_SALE_2)

score KAM_DOMAIN_SALE_INTRUDE  1.0

describe  KAM_DOMAIN_SALE_2        Domain Selling Spam
describe  KAM_DOMAIN_SALE_3        Domain Selling Spam
describe  KAM_DOMAIN_SALE_INTRUDE  Domain Selling Spam

# 2017-11-08, lonely russian women Whack-A-Mole

# Likely Overlap with HOWRU rules, similar target.  No real-life
# overlap in rules hit observed so far, KB_WAM_OVERLAP to look out for
# it.

header   __KB_WAM_FROM_NAME_SINGLEWORD From:name =~ /^[a-z]+$/i
header	 __KAM_SUBJECT_SINGLEWORD      Subject =~ /^[a-z]+$/i
header   __KB_WAM_SUBJECT_HELLO_ONLY   Subject =~ /^(hi|hi there|hello|hey|yo|how are you|What's Up|Hey, Sweety)[?!\.]?$/i

meta KB_WAM_LONELY_WOMEN    (__KB_WAM_FROM_NAME_SINGLEWORD + __KB_WAM_SUBJECT_HELLO_ONLY + __KAM_HOWRU4 + (__KAM_HOWRU2 || __KB_WAM_LONELY_WOMEN_PHRASE_01) >= 4)

score KB_WAM_LONELY_WOMEN   5.0
describe KB_WAM_LONELY_WOMEN  Lonely Women Scam of the Day

body __KB_WAM_LONELY_WOMEN_PHRASE_01 /\b(I am missing you all the time|I am waiting for your answer|I send you my tender love|I would really like to know you|quest of love|I am lonely and tired)\b/i

#meta KB_WAM_OVERLAP  ( KAM_HOWRU && KB_WAM_LONELY_WOMEN )
#score KB_WAM_OVERLAP  -0.01
#describe KB_WAM_OVERLAP Rule to test for overlap with another similar ruleset

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#All Control chars like NUL except \n which should exist once legitimately
#Investigating double-byte language FP. Reverting back to just \0
#header   __KAM_MAILSPLOIT1   From =~ /[\x00-\x09\x0b-\x1f]/
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

#\n Multiple in the From Header
header	 __KAM_MAILSPLOIT2    From =~ /[\n]/
describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
tflags	 __KAM_MAILSPLOIT2    multiple maxhits=2

meta		KAM_MAILSPLOIT	(__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe	KAM_MAILSPLOIT	Mail triggers known exploits per mailsploit.com
score		KAM_MAILSPLOIT  10.0

#cc in From - Thanks to Dave Jones for idea
header	  KAM_CCFROM1		From =~ /\b(to|cc|bcc|from):/i
describe  KAM_CCFROM1		Addition of cc: and similar as a phishing tactic
score	  KAM_CCFROM1		5.0

#MailBox Verify Phish - Also See KAM_MAILBOX
header	__KAM_BOXWARNING_SUBJECT	Subject =~ /FINAL WARNING/i
header  __KAM_BOXVERIFICATION_SUBJECT	Subject =~ /VERIFICATION.{4,20}MAIL.?BOX/i
body	__KAM_BOXVERIFY			/Verify.{0,10}Mail.?box|retrieve messages/i
body	__KAM_BOXQUOTA			/mailbox.{0,5}exceeded.{4,14}quota|low email storage/i
header	__KAM_MAILBOXFROM		From =~ /mailbox/i

meta		KAM_BOXPHISH	((__KAM_BOXWARNING_SUBJECT + __KAM_BOXVERIFICATION_SUBJECT >= 1) + __UPGR_MAILBOX + __KAM_MAILBOXFROM + __KAM_BOXVERIFY + __KAM_BOXQUOTA + __KAM_MAILBOX1 >= 4)
describe	KAM_BOXPHISH	Mailbox verification phishing scams
score		KAM_BOXPHISH	6.5

#SWISSCOIN, ETC.
body	__KAM_CRYPTO1		/swiss.?coin|[{(]SIC[)}]/i
header	__KAM_CRYPTO2		Subject =~ /forget about bitcoin|crypto (currency|coin) .{0,10}could (turn|go)/i

meta		KAM_CRYPTO	(__KAM_CRYPTO1 + __KAM_CRYPTO2 >= 2)
describe	KAM_CRYPTO	Crypto Currency Spam Du Jour
score		KAM_CRYPTO	8.0

#COMPROMISED CMS - Thanks to Jing Shan for the idea
uri	__KAM_CMS1 	/VALIDATE\/mail\.htm/i
uri	__KAM_CMS2	/\/erroreng\/erroreng\//i
uri	__KAM_CMS3	/twentythirteen\/Upgrade\/?email=/i

meta		KAM_CMS		(__KAM_CMS1 + __KAM_CMS2 + __KAM_CMS3) >= 1
describe	KAM_CMS		Indicators that a CMS has been exploited for Spammers
score		KAM_CMS		1.0

#WESTERN UNION SCANS
header		__KAM_WU1 	from:addr !~ /\@westernunion.com/i
header		__KAM_WU2	Subject =~ /WUMT|Western.?Union/i
uri		__KAM_WU3	/western.umt/i

meta		KAM_WU		(__KAM_WU1 + __KAM_WU2 + __KAM_WU3 + LOTS_OF_MONEY >= 3)
describe	KAM_WU		Western Union Scam
score		KAM_WU		5.0

#WEB CRIMINALS
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

  replace_rules   __KAM_CRIM1 __KAM_CRIM2 __KAM_CRIM3 __KAM_CRIM4 __KAM_CRIM5 __KAM_CRIM6 __KAM_CRIM7

  body		__KAM_CRIM1	/(group|team) of (hackers|web criminals)|(erase|eliminate|destroy|delete) (the|this) (compromising|promising)? ?(videotape|evidence|evidence)|(visit|complain to|call to) (the )?(cops|police)|m<A1>lw<A1>r<E1> <O1>n th<E1> w<E1>b|footage of you|you do not know who I am|mercenary|hack phones|(monitored|infected) your device|double.screen video|keylogger|ruin your life|collection officer|turned on your c<A1>mera|cameras? and a mic|I am a hacker|brows(er|ing) history|trojan virus|automatically infect|inject some code|google translator|<P1>l<A1><C1><E1>d (a )?m<A1>lw<A1>r<E1>|<S1><P1><Y1><W1><A1><R1><E1>|hacked your (OS|operating)|got hacked|hidden app|managed to hack/i

  #Bitcoin
  body		__KAM_CRIM2	/(<B1><I1><T1>\-?<C1><O1><I1><N1>|BTC|DSH|cryptocurrency|bc[13][a-km-zA-HJ-NP-Z0-9]{26,39})|(remove|manually) all spaces|contains spaces/i

  #Payment
  body		__KAM_CRIM3	/make (<T1>he|a) paymen<T1>|deliver dispatch|have to pay|finish a transaction|transfer me \d+ euro|use my bitcoin|BTC (wallet|cryptocurrency|address)|bit<C1><O1><I1>n w<A1>ll|(m<A1>k<I1>ng|<C1><O1>mpl<E1>et<E1>) th<E1> tr<A1>ns<A1><C1>t<I1><O1>n|send me \d+ dollars|send [\d\.]+ USD|addr<E1>ss f<O1>r p<A1>ym<E1>nt|(dollars|euros) (worth )?in bit-?coin|wallet number|bitcoin network|BTC to this Bitcoin|paym<E1>nt by b<I1>tco<I1>n|\d\d\d usd|DSH\)? address|Address part|<D1><O1><N1><A1><T1><I1><O1><N1>|negotiation|USD.? in bitcoin/i

  #Sexually explicit
  body		__KAM_CRIM4	/erotica|<P1><O1><R1><N1>|p(ro|or)nographic movie|promising evidence|<M1><A1><S1><T1><U1><R1><B1><A1><T1>|playing with yourself|wanking|l<I1>f<E1> <C1><A1>n b<E1> ru<I1>n<E1>d|explosi|lead azide|hexogen|banana|perversion|secured \d+ video/i

  #TIME
  body		__KAM_CRIM5	/(twenty.?four|24).?h<O1>urs|(72|24|32|30|12) ?h\. (since|from) (now|this moment)|one day after opening|tracking pixel|(24|32|30|12) ?h(<O1>urs)? <A1>ft<E1>r y<O1><U> <O1>p<E1>n|hours for payment|days?\)? to (send|perform|make|transfer) the (amount|payment|dash|fund)|short-term support|48h plz|deadline|hours *(only )?to send the (pay|fund)|address immediately|tr<A1>nsfer the (amount|funds)|get back to me now/i

  #Subject
  header		__KAM_CRIM6	Subject =~ /remember.the.lesson|reputation.is.at.stake|we can be silent|very interesting content|compromising video|hide your camera|Y<O1><U> <A1>r<E1> my v<I1><C1>t<I1>m|visit the police|hi. vi<C1>tim|bomb|rescue|your building|<M1>asturbat|hi perv|account has been hacked|(final|last) warning|dirty little secret|bad news|central intelligence|pervert|hackers|access to your account|your hobby|video of you|<P1>orn|(share|forward|leak) (your|the) video|Read me now|want to read this|i have you/i

  #From
  header		__KAM_CRIM7	From =~ /h<A1>ck<E1>r|know/i


  meta		KAM_CRIM	(__KAM_CRIM1 + __KAM_CRIM2 + __KAM_CRIM3 + __KAM_CRIM4 + __KAM_CRIM5 + __KAM_CRIM6 + __KAM_CRIM7 + FUZZY_BITCOIN >= 4)
  describe	KAM_CRIM	Extortion Email
  score		KAM_CRIM	8.5
endif

#KAM_CRIM_V2
body		__KAM_CRIM2_1	/bit.{0,2}coin/i
body		__KAM_CRIM2_2   /address\:/i
body		__KAM_CRIM2_3   /adult.{0,2}video|sex.{0,2}sites/is

meta		KAM_CRIM2	(__KAM_CRIM2_1 + __KAM_CRIM2_2 + __KAM_CRIM2_3 + HTML_FONT_LOW_CONTRAST >= 4)
describe	KAM_CRIM2	Extortion Email
score		KAM_CRIM2	7.5

#ZWNJ
#ZWNJ 200C 157 https://en.wikipedia.org/wiki/Windows-1256
# Also want to look at Unicode U+200C.
# Also 'zero-width joiner' which is Windows-1256 0x9E and Unicode U+200D. $a

# Per RW, switching for this to work with 'normalize_charset 1', \x9d needs to be replaced with (?:\x9d|\xe2\x80\x8c)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader	__KAM_ZWNJ1	Content-Type =~ /charset.+windows-1256/i
endif
body		__KAM_ZWNJ2	/(?:\x9D|\xe2\x80\x8c)/
tflags   	__KAM_ZWNJ2     multiple maxhits=16
body		__KAM_ZWNJ3	/\&\#x200B;/i

describe	KAM_ZWNJ	Use of null characters indicates a goal to elude scanners

meta		KAM_ZWNJ	(__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
describe	KAM_ZWNJ	Use of null characters indicates a goal to elude scanners
score		KAM_ZWNJ	7.0

describe	KAM_ZWNJBAD	Attempted & failed Use of zero-width characters indicates a goal to elude scanners
meta		KAM_ZWNJBAD	(__KAM_ZWNJ3 >=1)
score		KAM_ZWNJBAD	2.0

#GIRLS
body		__KAM_GIRLS1	/Lack of sex/i

meta		KAM_GIRLS	( __SINGLE_WORD_SUBJ + __KAM_GIRLS1 >= 2)
describe	KAM_GIRLS	Girl Chat Scam du Jour
score		KAM_GIRLS	7.0

#SKINCELL PRO Spam Du Jour
body		__KAM_SKINCELL1	/Skincell.Pro/i
header		__KAM_SKINCELL2 Subject =~ /Skincell.Pro/i

meta		KAM_SKINCELL	(__KAM_SKINCELL1 + __KAM_SKINCELL2 >= 1)
describe	KAM_SKINCELL	Skincare Scam du Jour
score		KAM_SKINCELL	7.0

#UK INVOICE - Thanks to Andy Smith for his help on this
uri		__KAM_UKINV1	/\/(client|share|documentview)$/i
body		__KAM_UKINV2	/View (and pay )?(scan|invoice)/i
body		__KAM_UKINV3	/INV-\d+|Check out what .{4,30} shared with you/i
body		__KAM_UKINV4	/&pound;/i
header		__KAM_UKINV5	Subject =~ /(invoice INV-\d+|wants to share scan)/i
header		__KAM_UKINV6	Subject =~ /invoice/i

meta		KAM_UKINV	(__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV5 >= 4) || (__KAM_UKINV1 + __KAM_UKINV2 + __KAM_UKINV3 + __KAM_UKINV4 + __KAM_UKINV6 + HTML_TITLE_SUBJ_DIFF && HTML_OBFUSCATE_10_20 >= 6)
describe	KAM_UKINV	Fake Invoice/Scan Scams
score		KAM_UKINV	5.5

#LIST SELLERS
body		__KAM_LISTSALE1 /interested in acquiring/i
body            __KAM_LISTSALE2 /contact list|list of customers|list of decision makers|list for marketing/i
body            __KAM_LISTSALE3 /share counts and samples|send focused campaigns|compiled a dataset/i

header		__KAM_LISTSALE4 Subject =~ /users|leads/i
header		__KAM_LISTSALE5 From =~ /leads/i

meta		KAM_LISTSALE	(__KAM_LISTSALE1 + __KAM_LISTSALE2 + __KAM_LISTSALE3 >=2) && (__KAM_LISTSALE4 + __KAM_LISTSALE5 >= 1)
describe	KAM_LISTSALE	List sellers
score		KAM_LISTSALE	5.0

#Google Short?
uri		KAM_GOOGLESHORT	/\/www.google.com\/url\?q=.{4,16}bit\.ly/i
describe	KAM_GOOGLESHORT	Obfuscated links using Google and URL Shorteners
score		KAM_GOOGLESHORT	9.0

#HEART ATTACK SPAM
body            __KAM_HEARTPROD1 /heart ?attack/i
body            __KAM_HEARTPROD2 /enzyme/i
header          __KAM_HEARTPROD3 Subject =~ /heart attack|healthy.{4,10}cells/i
header          __KAM_HEARTPROD4 From =~ /clear 7/i

meta            KAM_HEARTPROD    (__KAM_HEARTPROD1 + __KAM_HEARTPROD2 + __KAM_HEARTPROD3 + __KAM_HEARTPROD4 >= 4)
describe        KAM_HEARTPROD    Snake Oil Heart Health du Jour
score           KAM_HEARTPROD    7.0

# LINES FULL OF SHORT WORDS. SCC='SOLID CLUES CONSULTING'=BILL COLE

describe __SCC_SHORT_WORDS  A line with lots of short words
body	 __SCC_SHORT_WORDS  /\W(\D\w{1,3}\W{1,3}){11}/
tflags   __SCC_SHORT_WORDS  multiple maxhits=40

describe SCC_5_SHORT_WORD_LINES	5 lines with many short words
meta	 SCC_5_SHORT_WORD_LINES	__SCC_SHORT_WORDS >= 5
describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
meta	 SCC_10_SHORT_WORD_LINES	__SCC_SHORT_WORDS >= 10
describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
meta	 SCC_20_SHORT_WORD_LINES	__SCC_SHORT_WORDS >= 20
describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta	 SCC_35_SHORT_WORD_LINES	__SCC_SHORT_WORDS >= 35

# A pattern seen in subscription-bombings
describe SCC_SUBBOMB_SUBJ_1	An unusual string pattern seen in subscription bombing subjects
header   SCC_SUBBOMB_SUBJ_1	Subject =~ /[sxz][vwz]usa[fly]me[a-z0-9]{7}GP/
score    SCC_SUBBOMB_SUBJ_1	5

# cPanel Phishing
header       __SCC_HELO_CPANELNET 	X-Spam-Relays-Untrusted =~ / helo=cpanel\.net /
describe     __SCC_HELO_CPANELNET 	HELO is bare cpanel.net
meta         SCC_FAKE_CPANEL  	__SCC_HELO_CPANELNET && ! (SPF_PASS || SPF_HELO_PASS)
score        SCC_FAKE_CPANEL  	6

header		KAM_PHISHCP	From =~ /\@cpanel\d+\.com/i
describe	KAM_PHISHCP	Fraudulent notices purporting to be from cPanel
score		KAM_PHISHCP	15.0

uri		KAM_PHISHCP2	/(\.|\/)cpanel\d+\.com(\/|\b|\?)/i
describe	KAM_PHISHCP2	Fraudulent notices purporting to be from cPanel
score		KAM_PHISHCP2	15.0

body		__KAM_PHISHCP3_1	/cPanel Cloud Service/

meta		KAM_PHISHCP3	(__KAM_TINYDOMAIN + __KAM_PHISHCP3_1 >=2)
describe	KAM_PHISHCP3	Fraudulent notices purporting to be from cPanel
score		KAM_PHISHCP3	15.0


#https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html?upd=1547922397157
body		KAM_FILE		/file:\/\/\/\//i
describe	KAM_FILE		Potential attempt for NTLM attack
score		KAM_FILE		4.5

#FUN SPAM RUN
header		__KAM_FUN1		From =~ /\.fun|\.icu|\.pro|\.stream|\.world|\.monster|\.best|\.store|\.surf|\.rest|\.bar|\.asia|\.casa|\.uno|\.london|\.info|\.cam|\.work|\.cyou>?$/i
header		__KAM_FUN1A		From:name =~ /Bite Pro|Diabetes|Blood Sugar|Sugar Disease|Fish Oil|ultra ?boost|Gutter|time ?share|Affiliate|arctic ?blast|splash ?wine|date|fat ?loss|nutrisystem|Silver ?Single|Insta ?Heater/i

body		__KAM_FUN2		/Addify Link|Kennett Pike|PetPlan|Newton Sq|1st Avenue|Jones Blvd|permanently opt-out from our all newsletters|(wish|prefer) (to not|not to|to) receive (these|future) (messages|emails)|purehealth|leave any time|too good to be true|try(ing)? this trick|doesn?'t like this update|(click here|wish) +to unsubscribe|send post-mail to|to be removed from receiving|to unsubscribe.+click|no longer like to receive|this is an advertisement/i
body		__KAM_FUN3		/This Offer is (only )?for (unite. state|USA)|(can ?not|won\'t|can\'t) see this image|visit the page below|Continue Reading|watch now|this is an ad|update preferences|click here now/i
uri		__KAM_FUN3A		/imgstore.host/i

#Subject
header		__KAM_FUN4		Subject =~ /Gutter|Assisted Living|Refi|rate|livewave|mortgage|E\.D\.|Single|Superfood|tax|protection|debt|mastercard|safety charge|supplement|pillow|Inogenone|learn a language|Roadside safety|carry a gun|minute survey|roofing Deals|fungus|insurance|pain|gold|hair|knife|warranty|reflexology|accufeet|keto|sound|heartburn|skincare|terminix|zippy|sneeze|healthcare|yoga|heal|jesus|virus|neuropathy|BP med|perfect vision|parasites|wine|willie nelson|InstaFresh|InstaSavings|carriers|CPAP|melt your belly|heart attack|power of plants|immunity|smart.?watch|fever|hearing aids|diabetes|gum problem|bad breath|fish oil|ultra ?boost|boost your internet|christmas list|(energy|cooling) (bill|cost)|time ?share|interstate move|vanishes pain|wine order|chat rooms|\d+ ?lbs|dementia|nutrisystem|personal plan|Printer Ink|america strong|perfect gifts|Someone Special|Insta ?heater|asian girls/i

#How many/How Soon
body		__KAM_FUN5		/\d million americans|less than \d+ (weeks|days|hours)|temporary feeling|\d+ ?lbs|[\d+,]+ Asian babes/i
#miracle!
body		__KAM_FUN6		/finds the secret|new discovery|natural medicine|health channel|medicinal plants|simple tweak|doctors are shocked|mysterious liquid|massive mistake|scientifically shown/i
#what
body		__KAM_FUN7		/nerve pain|poor vision|lasik|sleep deeper|smart.?watch|fever|hearing aids|diabetes|gum problem|blood sugar|sugar disease|bad breath|fish oil|ultra ?boost|soothing relief|older women|belly fat|reverse alzheimer|personal safety|gadget.?junk|Insta ?heater|need boyfriends/i
tflags		__KAM_FUN7		nosubject

meta		KAM_FUN			((__KAM_FUN1 + __KAM_FUN1A >=1) + __KAM_FUN2 + (__KAM_FUN3 + __KAM_FUN3A >= 1) + __KAM_FUN4 >=3)
describe	KAM_FUN			Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score		KAM_FUN			7.75

meta		KAM_FUN2		((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_FUN4 + __KAM_FUN5 + __KAM_FUN6 + __KAM_FUN7 >= 5)
describe	KAM_FUN2		Spam Engine Hawking Various Goods and Abusing a Lot of Domains
score		KAM_FUN2		7.5

#GOOGLE DRIVE PORN - Thanks to Mark Sapiro for the bug fix
uri		KAM_DRIVENUM		/\d+\.drive\.google.com/i
describe	KAM_DRIVENUM		Drive Links Prevalent in Spam
score		KAM_DRIVENUM		5.0

#SWIFT PAYMENT SCAMS
header		__KAM_SWIFT1		Subject =~ /Swift/i
body		__KAM_SWIFT2		/swift copy/i
body		__KAM_SWIFT3		/balance payment/i

meta		KAM_SWIFT		(__KAM_SWIFT1 + __KAM_SWIFT2 + __KAM_SWIFT3 >= 3)
describe	KAM_SWIFT		SWIFT payment scam
score		KAM_SWIFT		3.0

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  # Custom score
  score         FROMNAME_SPOOFED_EMAIL 0.3

  meta     GB_FROMNAME_SPOOF_EQUALS_TO  (PDS_FROMNAME_SPOOFED_EMAIL && __PLUGIN_FROMNAME_EQUALS_TO)
  describe GB_FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
  score    GB_FROMNAME_SPOOF_EQUALS_TO 0.3

  meta     GB_FROMNAME_SPOOF_FREEMAIL (FREEMAIL_FROM && PDS_FROMNAME_SPOOFED_EMAIL)
  describe GB_FROMNAME_SPOOF_FREEMAIL From:name spoof and Freemail From:address
  score    GB_FROMNAME_SPOOF_FREEMAIL 0.4

  ifplugin Mail::SpamAssassin::Plugin::FreeMail
    header   __FROM_EQ_REPLY            eval:check_fromname_equals_replyto()
    meta     GB_FREEM_FROM_NOT_REPLY    ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
    describe GB_FREEM_FROM_NOT_REPLY    From: and Reply-To: have different freemail domains
    score    GB_FREEM_FROM_NOT_REPLY    0.4
  endif
endif

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  header	KAM_RAPTOR_ALTERED	X-KAM-Raptor-Alter =~ /True/i
  describe	KAM_RAPTOR_ALTERED	Raptor identified a dangerous attachment
  score		KAM_RAPTOR_ALTERED	2.0
endif

#BAD INVOICE SCAMS
header          __KAM_PROFORMA1         Subject =~ /Proforma/i
body            __KAM_PROFORMA2         /no responds/i
body            __KAM_PROFORMA3         /highly encrypted/i
body		__KAM_PROFORMA4		/Proforma Invoice/i
uri		__KAM_PROFORMA5		/\.php/i

meta            KAM_PROFORMA            (__KAM_PROFORMA1 + __KAM_PROFORMA2 + __KAM_PROFORMA3 + __KAM_PROFORMA4 + __KAM_PROFORMA5 >= 5)
describe        KAM_PROFORMA            Invoice scam
score           KAM_PROFORMA            7.5

#BAD INVOICE SCAMS
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  header          __KAM_INVOICEPO1         Subject =~ /Invoice copies/i
  body            __KAM_INVOICEPO2         /consignment/i
  body            __KAM_INVOICEPO3         /invoice copies/i
  mimeheader      __KAM_INVOICEPO4	   Content-Type =~ /invoice copies.{0,100}\.html/i

  meta            KAM_INVOICEPO            (__KAM_INVOICEPO1 + __KAM_INVOICEPO2 + __KAM_INVOICEPO3 + __KAM_INVOICEPO4 >= 4)
  describe        KAM_INVOICEPO            Invoice scam
  score           KAM_INVOICEPO            4.0

  mimeheader      KAM_HTMLINVOICE         Content-Type =~ /invoice.{0,100}\.html/i
  describe        KAM_HTMLINVOICE         Invoice scam
  score           KAM_HTMLINVOICE         1.5

  mimeheader      KAM_HTMLINVOICE2        Content-Type =~ /(order confirmation|po attachments.{0,100})\.xls\.html/i
  describe	  KAM_HTMLINVOICE2	  Invoice scam
  score		  KAM_HTMLINVOICE2	  3.5
endif

# Spear phishing rules
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  header   __GB_TO_ADDR_FREEMAIL    eval:check_freemail_header('To:addr')
  header   __GB_TO_NAME_FREEMAIL    eval:check_freemail_header('To:name')
  meta     GB_TO_NAME_FREEMAIL      ( !__GB_TO_ADDR_FREEMAIL && __GB_TO_NAME_FREEMAIL )
  describe GB_TO_NAME_FREEMAIL      Freemail spear phish with free mail
  score    GB_TO_NAME_FREEMAIL      0.01

  header   __GB_FROM_ADDR_FREEMAIL  eval:check_freemail_header('From:addr')
  header   __GB_FROM_NAME_FREEMAIL  eval:check_freemail_header('From:name')
  header   __GB_FROM_NAME_EMAIL     From:name =~ /\@/
  meta     GB_FROM_NAME_FREEMAIL    ( __GB_FROM_NAME_EMAIL && __GB_FROM_ADDR_FREEMAIL && !__GB_FROM_NAME_FREEMAIL )
  describe GB_FROM_NAME_FREEMAIL    Freemail spear phish with free mail
  score    GB_FROM_NAME_FREEMAIL    0.01
endif

# Disable possible CPU burning rule, reported to SA users list  -- 2019-05-29
# FIXED rule distributed via sa-update since 2019-05-31
# meta __STYLE_GIBBERISH_1  0

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
  # Allow googleapis.com to be blacklisted due to spam runs in June 2019 exploiting it
  clear_uridnsbl_skip_domain googleapis.com
endif

# Need a favor phishing
header	__KAM_FAVOR1	Subject =~ /Request|Quick Reply/i
body	__KAM_FAVOR2	/I need a favor from you|Are you available to work on a request for me today/i
body	__KAM_FAVOR3	/email me back as soon as possible|send me your personal cell phone number/i

meta		KAM_FAVOR	(__KAM_FAVOR1 + __KAM_FAVOR2 + __KAM_FAVOR3 + FREEMAIL_FROM >= 4)
describe	KAM_FAVOR	Phishing Attempt
score		KAM_FAVOR	7.5

# WHITELIST PCCC/MCGRAIL
whitelist_auth *@pccc.com *@mcgrail.com
#trusted_networks 69.171.29.0/25
#trusted_networks 38.124.232.0/24

# CONTACTS / LISTS - This would be a good rule for tflags nosubject which requires 3.4.3 release
header		__KAM_LIST3_1	Subject =~ /Contacts|Visitor|Attendee|User|Professional|Meeting|Expo|Emails|Exhibit|Companies|trade ?show|marketing|retailer|list|outreach|customers|campaign|show|data|leaders|partnership|lead|(accou?nt|Contacts?|buyers?) (list|information)|install base|offices and clinics|healthcare/i

#title
body		__KAM_LIST3_2	/list services|email campaign|global marketing|(sales|event|campaign) manager|marketing (coordinator|campaign|manager|exec|project|team)|(lead|demand) generation|(business|Data|event) (analyst|coordinator)|(potential|professionals?|qualified) lead|(marketing|lead|attendees?|data) specialist|(marketing|Business) Co-?ordinator|marketing and comm|inside sales|pre-?sales|(email|attendee)s? list|global leads/i
#db for sale
body		__KAM_LIST3_3	/(information|data) field|verified email|(\d{4,8}|complete) (contact|details)|with email address|target geograph|counts and pric|decision maker|specific parameters|job titles|Specific lists|current attendee|each record|post show attendee|(attendees|counts)\:|(List|contacts|fields) (consists?|Contains?|includes?)|visitors and price|pricing, counts|information about the list|sample (file|record)|direct email|100\% populated|installed users|(compiled|selling) (a )?list|pricing and further|(validated|buy a) dataset|counts, pricing|procure the list|samples for (your )?review|attendees who might|decision.makers|samples and pricing|pricing details|demographics|few samples|database (organization|provider)|expense and count|(samples|counts?) and cost|multichannel marketing|count of email|users of the following/i
#db what
body		__KAM_LIST3_4	/contacts and email|(visitors?|contacts?|attendee.?s?|users?) (mailing )?(list|record|database)|end users|our lists|\d\+? (attendee|contact)|users? database|Opt-in email list|(professionals?|user'?s|attendees?) (contact|list)|not spammer|delegates|marketing (analyst|campaigns)|(complete|emailed) list|unique account|contacts\:|titles\:|business profiles|database of|list from USA|(complete|contact) (Name|information|details)|geography|target audience|list.database|data (intelligence|include)|emails, phone|marketing list|unlimited usage|target (attendees|audience|industry)|opt-?in (contact|emails)|offices and clinics|specialties\:|showcase our capabilit|share samples|list includes/i

meta		KAM_LIST3	(__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 4)
describe	KAM_LIST3	Mailing List Purveyor Spam
score		KAM_LIST3	12.25

 #NO SUBJ MATCH
meta            KAM_LIST3_1     (KAM_LIST3 < 1) && (__KAM_LIST3_1 + __KAM_LIST3_2 + __KAM_LIST3_3 + __KAM_LIST3_4 >= 3)
describe        KAM_LIST3_1     Likely Mailing List Purveyor Spam
score           KAM_LIST3_1     5.75

#MONCLER
header		__KAM_MONCLER1	Subject =~ /moncler/i
header		__KAM_MONCLER2	From =~ /moncler/i

meta		KAM_MONCLER	(__KAM_MONCLER1 + __KAM_MONCLER2 +  KAM_SOMETLD_ARE_BAD_TLD >= 3)
describe	KAM_MONCLER	Fashionista Spammers
score		KAM_MONCLER	6.0

#ERP
header		__KAM_ERP1	Subject =~ /ERP/
body		__KAM_ERP2	/K9ERP/i

meta		KAM_ERP		(__KAM_ERP1 + __KAM_ERP2 >=2)
describe	KAM_ERP		ERP Spammers
score		KAM_ERP		4.0

#DMARC POLICY RULES - Thanks to Giovanni Bechis for the original idea plus Jesse Norell and Amir Caspi for additional suggestions & testing!
#
#https://tools.ietf.org/html/rfc7489 and https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
#
#"To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
#
# We expect edge cases with DKIM where a parent (gateway) domain signing for a subdomain author (e.g., parent.gov signing for sub.parent.gov).  This is a common and a sane implementation of DKIM, but is not supported in the current SA DKIM/DMARC implementation -- it results in DKIM_VALID but not DKIM_VALID_AU.  The SPF || DKIM logic below will allow this scenario.
#
# Note: Certain glues like MailScanner will modify an email before testing.  That will cause many DKIM failures.  If you have a known broken system for DKIM like this, you should likely disable the plugin.


ifplugin Mail::SpamAssassin::Plugin::AskDNS
  ifplugin Mail::SpamAssassin::Plugin::DKIM
    ifplugin Mail::SpamAssassin::Plugin::SPF
      askdns __KAM_DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
      askdns __KAM_DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
      askdns __KAM_DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
      askdns __KAM_DMARC_POLICY_DKIM_STRICT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\badkim=s;/

      #Checks if either DKIM Passed with Alignment and the policy is strict or VALID and alignment didn't pass
      meta     KAM_DMARC_STATUS !((DKIM_VALID_AU && __KAM_DMARC_POLICY_DKIM_STRICT) || (DKIM_VALID && !__KAM_DMARC_POLICY_DKIM_STRICT))
      describe KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
      score    KAM_DMARC_STATUS 0.01

      meta     KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
      describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
      score    KAM_DMARC_REJECT 3.0

      meta     KAM_DMARC_QUARANTINE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_QUAR
      describe KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
      score    KAM_DMARC_QUARANTINE 1.5

      meta     KAM_DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_NONE
      describe KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
      score    KAM_DMARC_NONE 0.25
    endif
  endif
endif

#OLE/VB MACROs
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  # increase number of mime parts checked
  olemacro_num_mime 10

  if (version >= 3.0040005)

    body     KAM_OLEMACRO eval:check_olemacro()
    describe KAM_OLEMACRO Attachment has an Office Macro
    score    KAM_OLEMACRO 7.5

    body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
    describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
    score    KAM_OLEMACRO_MALICE 10.0

    body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
    describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
    score    KAM_OLEMACRO_ENCRYPTED 3.0

    #This may cause more CPU usage
    olemacro_extended_scan 1
    body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
    describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
    score    KAM_OLEMACRO_RENAME 0.5

    meta     GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
    describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
    score    GB_OLEMACRO_REN_VIR 10

  endif

  body     KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
  score    KAM_OLEMACRO_ZIP_PW 1.0

  body     KAM_OLEMACRO_CSV eval:check_olemacro_csv()
  describe KAM_OLEMACRO_CSV Macro in csv file
  score    KAM_OLEMACRO_CSV 5.0

  #meta     KAM_OLEMACRO_ZIP_PW_NOMID  ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
  #describe KAM_OLEMACRO_ZIP_PW_NOMID  OLE macro sent by a bot / ratware
  #score    KAM_OLEMACRO_ZIP_PW_NOMID  5.0

  meta     KAM_OLEMACRO_ZIP_BOT    ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
  describe KAM_OLEMACRO_ZIP_BOT    OLE macro sent by a bot / ratware
  score    KAM_OLEMACRO_ZIP_BOT    5.0
endif

#Testing Rule for Subject Prefixes - See note 58397
#if can(Mail::SpamAssassin::Conf::feature_subjprefix)
#  enlist_addrlist (INTERNAL) *@pccc.com
#  header __FROM_INTERNAL     eval:check_from_in_list('INTERNAL')
#
#  meta  EXTERNAL             (!__FROM_INTERNAL)
#  describe EXTERNAL          External users to PCCC Test Rule
#  score EXTERNAL             0.001
#  subjprefix EXTERNAL        [EXTERNAL]
#endif

#Testing Rule for NoSubject Rules - See note 58246
#if (version >= 3.004003)
#        #SHOULD HIT
#	body		NOSUBJECT_TEST_HIT	/example/i
#	describe	NOSUBJECT_TEST_HIT	This should hit on an email with example in the subject but not in the body because subjects are automatically prepending for testing.
#
#        #SHOULD NOT HIT
#	body		NOSUBJECT_TEST_FAIL	/example/i
#	describe	NOSUBJECT_TEST_FAIL	This should NOT hit on an email with example in the subject not not in the body because the tflags nosubject will stop the automatic prepending of subjects for testing.
#	tflags		NOSUBJECT_TEST_FAIL	nosubject
#endif

if (version >= 3.004003)
  ifplugin Mail::SpamAssassin::Plugin::HashBL
      # BTC address present in BTC blacklist
      # thanks to Henrik Krohns for the regexp
      body          BTC_HASHBL_BLACK eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
      priority      BTC_HASHBL_BLACK -100
      tflags        BTC_HASHBL_BLACK net
      describe      BTC_HASHBL_BLACK Message contains BTC address found on BTC blacklist
      score         BTC_HASHBL_BLACK 5.0
  endif
endif

#Testing of HASHBL Additions - Note 58246
if (version >= 3.004003)
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    ifplugin Mail::SpamAssassin::Plugin::HashBL

      rbl_headers EnvelopeFrom,Reply-To,X-Sender,X-Source-IP

      # mass-marketing domain found in headers (EnvelopeFrom,Reply-To,X-Sender,X-Source-IP)
      header     PCCC_HDR_MARKETINGBL    eval:check_rbl_headers('pccc-hdr-marketing', 'wild.pccc.com.', '127.0.0.32')
      describe   PCCC_HDR_MARKETINGBL    Address in email headers associated with mass-marketing (https://raptor.pccc.com/RBL)
      tflags     PCCC_HDR_MARKETINGBL    net
      score      PCCC_HDR_MARKETINGBL    0.001
      priority   PCCC_HDR_MARKETINGBL    -100

      header     PCCC_HDR_REPLYTO          eval:check_rbl_headers('pccc-hdr-repto', 'wild.pccc.com.', '127.0.0.4', 'Reply-To')
      describe   PCCC_HDR_REPLYTO          Address in email headers associated with compromised uris (https://raptor.pccc.com/RBL)
      tflags     PCCC_HDR_REPLYTO          net
      score      PCCC_HDR_REPLYTO          3.5
      priority   PCCC_HDR_REPLYTO          -100

      # compromised domain found in headers (X-Sender,X-Source-IP,X-SRS-Sender)
      header     PCCC_SENDER_COMPROMISED        eval:check_rbl_headers('pccc-sender', 'wild.pccc.com.', '127.0.1.2', 'X-Sender,X-Source-IP,X-SRS-Sender')
      describe   PCCC_SENDER_COMPROMISED        Sender address associated with compromised uris (https://raptor.pccc.com/RBL)
      tflags     PCCC_SENDER_COMPROMISED        net
      score      PCCC_SENDER_COMPROMISED        2.0
      priority   PCCC_SENDER_COMPROMISED        -100

      # compromised domain found in received headers
      header     PCCC_RECEIVED_HDR_COMPROMISED         eval:check_rbl_rcvd('pccc-rcvd', 'wild.pccc.com.', '127.0.1.2')
      describe   PCCC_RECEIVED_HDR_COMPROMISED         Compromised domain found in received headers found on PCCC RBL (https://raptor.pccc.com/RBL)
      tflags     PCCC_RECEIVED_HDR_COMPROMISED         net
      score      PCCC_RECEIVED_HDR_COMPROMISED         2.0
      priority   PCCC_RECEIVED_HDR_COMPROMISED         -100

      # dns server of From address found on PCCC RBL
      header     PCCC_FROM_BAD_NS            eval:check_rbl_ns_from('pccc-ns', 'wild.pccc.com.', '127.0.1.1')
      describe   PCCC_FROM_BAD_NS            DNS server of From address found on PCCC RBL (https://raptor.pccc.com/RBL)
      tflags     PCCC_FROM_BAD_NS            net
      score      PCCC_FROM_BAD_NS            2.0
      priority   PCCC_FROM_BAD_NS            -100

      # Freemail address in Reply-To header found on PCCC HashBL
      # this rule needs 99_hashbl.cf to work
      header     PCCC_HASHBL_FREEMAIL    eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To', '^127\.', 'freemail')
      describe   PCCC_HASHBL_FREEMAIL    Message contains freemail address in reply-to found on PCCC HashBL (https://raptor.pccc.com/RBL)
      tflags     PCCC_HASHBL_FREEMAIL    net
      score      PCCC_HASHBL_FREEMAIL    3.5
      priority   PCCC_HASHBL_FREEMAIL    -100

      # Email address in X-Sender header found on PCCC HashBL
      header   PCCC_HASHBL_EMAIL_SEND    eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-Sender', '^127\.', 'all')
      describe PCCC_HASHBL_EMAIL_SEND    Message contains sender email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
      tflags   PCCC_HASHBL_EMAIL_SEND    net
      score    PCCC_HASHBL_EMAIL_SEND    1.5
      priority PCCC_HASHBL_EMAIL_SEND    -100

      # Email address in X-SRS-Sender header found on PCCC HashBL
      header   PCCC_HASHBL_EMAIL_SRS     eval:check_hashbl_emails('wild.pccc.com', 'md5', 'X-SRS-Sender', '^127\.', 'all')
      describe PCCC_HASHBL_EMAIL_SRS     Message contains srs email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
      tflags   PCCC_HASHBL_EMAIL_SRS     net
      score    PCCC_HASHBL_EMAIL_SRS     1.5
      priority PCCC_HASHBL_EMAIL_SRS     -100

      # Email address in email headers found on PCCC HashBL
      header   PCCC_HASHBL_EMAIL         eval:check_hashbl_emails('wild.pccc.com', 'md5')
      describe PCCC_HASHBL_EMAIL         Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
      tflags   PCCC_HASHBL_EMAIL         net
      score    PCCC_HASHBL_EMAIL         1.5
      priority PCCC_HASHBL_EMAIL         -100

      # Email address in custom email headers found on PCCC HashBL
      header   PCCC_HASHBL_HDR_EMAIL         eval:check_hashbl_emails('wild.pccc.com', 'md5', 'Reply-To/Disposition-Notification-To/X-Original-Sender/X-Sender', '^127\.', 'all')
      describe PCCC_HASHBL_HDR_EMAIL         Message contains email address found on PCCC HashBL (https://raptor.pccc.com/RBL)
      tflags   PCCC_HASHBL_HDR_EMAIL         net
      score    PCCC_HASHBL_HDR_EMAIL         0.5
      priority PCCC_HASHBL_HDR_EMAIL         -100

      #Move this to a file like 99_hashbl_settings.cf when KAM rules become a channel
      hashbl_acl_freemail 020.co.uk
      hashbl_acl_freemail 111mail.com
      hashbl_acl_freemail 123.com
      hashbl_acl_freemail 123box.net
      hashbl_acl_freemail 123india.com
      hashbl_acl_freemail 123iran.com
      hashbl_acl_freemail 123mail.cl
      hashbl_acl_freemail 123mail.org
      hashbl_acl_freemail 123qwe.co.uk
      hashbl_acl_freemail 126.com
      hashbl_acl_freemail 138mail.com
      hashbl_acl_freemail 139.com
      hashbl_acl_freemail 141.ro
      hashbl_acl_freemail 150mail.com
      hashbl_acl_freemail 150ml.com
      hashbl_acl_freemail 163.com
      hashbl_acl_freemail 16mail.com
      hashbl_acl_freemail 188.com
      hashbl_acl_freemail 189.cn
      hashbl_acl_freemail 1963chevrolet.com
      hashbl_acl_freemail 1963pontiac.com
      hashbl_acl_freemail 1netdrive.com
      hashbl_acl_freemail 1st-website.com
      hashbl_acl_freemail 1stpd.net
      hashbl_acl_freemail 2-mail.com
      hashbl_acl_freemail 20after4.com
      hashbl_acl_freemail 21cn.com
      hashbl_acl_freemail 24h.co.jp
      hashbl_acl_freemail 24horas.com
      hashbl_acl_freemail 263.net
      hashbl_acl_freemail 271soundview.com
      hashbl_acl_freemail 2die4.com
      hashbl_acl_freemail 2mydns.com
      hashbl_acl_freemail 2net.us
      hashbl_acl_freemail 3000.it
      hashbl_acl_freemail 37.com
      hashbl_acl_freemail 3ammagazine.com
      hashbl_acl_freemail 3email.com
      hashbl_acl_freemail 3xl.net
      hashbl_acl_freemail 4-music-today.com
      hashbl_acl_freemail 420email.com
      hashbl_acl_freemail 444.net
      hashbl_acl_freemail 4degreez.com
      hashbl_acl_freemail 4email.com
      hashbl_acl_freemail 4email.net
      hashbl_acl_freemail 4newyork.com
      hashbl_acl_freemail 4xn.de
      hashbl_acl_freemail 5005.lv
      hashbl_acl_freemail 50mail.com
      hashbl_acl_freemail 55mail.cc
      hashbl_acl_freemail 5fm.za.com
      hashbl_acl_freemail 5x2.de
      hashbl_acl_freemail 5x2.me
      hashbl_acl_freemail 6210.hu
      hashbl_acl_freemail 6sens.com
      hashbl_acl_freemail 702mail.co.za
      hashbl_acl_freemail 7110.hu
      hashbl_acl_freemail 8848.net
      hashbl_acl_freemail 8m.com
      hashbl_acl_freemail 8m.net
      hashbl_acl_freemail 8u8.com
      hashbl_acl_freemail 8u8.hk
      hashbl_acl_freemail 8u8.tw
      hashbl_acl_freemail 8x.com.br
      hashbl_acl_freemail 9.cn
      hashbl_acl_freemail a-teens.net
      hashbl_acl_freemail a-topmail.at
      hashbl_acl_freemail a.org.ua
      hashbl_acl_freemail abha.cc
      hashbl_acl_freemail about.com
      hashbl_acl_freemail abv.bg
      hashbl_acl_freemail acatperson.com
      hashbl_acl_freemail acceso.or.cr
      hashbl_acl_freemail access4less.net
      hashbl_acl_freemail accessgcc.com
      hashbl_acl_freemail accountant.com
      hashbl_acl_freemail acdcfan.com
      hashbl_acl_freemail acmemail.net
      hashbl_acl_freemail actingbiz.com
      hashbl_acl_freemail activist.com
      hashbl_acl_freemail adexec.com
      hashbl_acl_freemail adiga.com
      hashbl_acl_freemail adinet.com.uy
      hashbl_acl_freemail adogperson.com
      hashbl_acl_freemail adres.nl
      hashbl_acl_freemail advalvas.be
      hashbl_acl_freemail aeiou.pt
      hashbl_acl_freemail aeneasmail.com
      hashbl_acl_freemail africamail.com
      hashbl_acl_freemail afrik.com
      hashbl_acl_freemail afropoets.com
      hashbl_acl_freemail agadir.cc
      hashbl_acl_freemail aggies.com
      hashbl_acl_freemail ahaa.dk
      hashbl_acl_freemail ahsa.ws
      hashbl_acl_freemail aichi.com
      hashbl_acl_freemail aim.com
      hashbl_acl_freemail aircraftmail.com
      hashbl_acl_freemail airpost.net
      hashbl_acl_freemail aiutamici.com
      hashbl_acl_freemail ajman.cc
      hashbl_acl_freemail ajman.us
      hashbl_acl_freemail ajman.ws
      hashbl_acl_freemail aklan.com
      hashbl_acl_freemail aknet.kg
      hashbl_acl_freemail alabama.usa.com
      hashbl_acl_freemail alaska.usa.com
      hashbl_acl_freemail alavatotal.com
      hashbl_acl_freemail albafind.com
      hashbl_acl_freemail albaha.cc
      hashbl_acl_freemail albawaba.com
      hashbl_acl_freemail alburaq.net
      hashbl_acl_freemail aldeax.com
      hashbl_acl_freemail aldeax.com.ar
      hashbl_acl_freemail alex4all.com
      hashbl_acl_freemail alexandria.cc
      hashbl_acl_freemail algeria.com
      hashbl_acl_freemail algerie.cc
      hashbl_acl_freemail alice.it
      hashbl_acl_freemail alinto.com
      hashbl_acl_freemail aliyun.com
      hashbl_acl_freemail all4theskins.com
      hashbl_acl_freemail allergist.com
      hashbl_acl_freemail allhiphop.com
      hashbl_acl_freemail allmail.net
      hashbl_acl_freemail allsportsrock.com
      hashbl_acl_freemail alriyadh.cc
      hashbl_acl_freemail alskens.dk
      hashbl_acl_freemail altavista.se
      hashbl_acl_freemail altbox.org
      hashbl_acl_freemail alternativagratis.com
      hashbl_acl_freemail alum.com
      hashbl_acl_freemail alumni.com
      hashbl_acl_freemail alumnidirector.com
      hashbl_acl_freemail alunos.unipar.br
      hashbl_acl_freemail alvilag.hu
      hashbl_acl_freemail alwaysgrilling.com
      hashbl_acl_freemail alwaysinthekitchen.com
      hashbl_acl_freemail alwayswatchingmovies.com
      hashbl_acl_freemail alwayswatchingtv.com
      hashbl_acl_freemail amenworld.com
      hashbl_acl_freemail america.hm
      hashbl_acl_freemail americamail.com
      hashbl_acl_freemail amman.cc
      hashbl_acl_freemail amnetsal.com
      hashbl_acl_freemail amorous.com
      hashbl_acl_freemail ananzi.co.za
      hashbl_acl_freemail anatomicrock.com
      hashbl_acl_freemail anet.ne.jp
      hashbl_acl_freemail anfmail.com
      hashbl_acl_freemail angelfire.com
      hashbl_acl_freemail angelic.com
      hashbl_acl_freemail animail.net
      hashbl_acl_freemail animeone.com
      hashbl_acl_freemail aniverse.com
      hashbl_acl_freemail anjungcafe.com
      hashbl_acl_freemail another.com
      hashbl_acl_freemail antedoonsub.com
      hashbl_acl_freemail antwerpen.com
      hashbl_acl_freemail anunciador.net
      hashbl_acl_freemail anytimenow.com
      hashbl_acl_freemail aol.co.uk
      hashbl_acl_freemail aol.com
      hashbl_acl_freemail aon.at
      hashbl_acl_freemail apexmail.com
      hashbl_acl_freemail apollo.lv
      hashbl_acl_freemail appraiser.net
      hashbl_acl_freemail approvers.net
      hashbl_acl_freemail aprava.com
      hashbl_acl_freemail apropo.ro
      hashbl_acl_freemail aqaba.cc
      hashbl_acl_freemail arab.ir
      hashbl_acl_freemail arar.ws
      hashbl_acl_freemail archaeologist.com
      hashbl_acl_freemail arcor.de
      hashbl_acl_freemail arcticmail.com
      hashbl_acl_freemail argentina.com
      hashbl_acl_freemail arizona.usa.com
      hashbl_acl_freemail arkansas.usa.com
      hashbl_acl_freemail armmail.com
      hashbl_acl_freemail army.com
      hashbl_acl_freemail arnet.com.ar
      hashbl_acl_freemail aroma.com
      hashbl_acl_freemail arrl.net
      hashbl_acl_freemail artlover.com
      hashbl_acl_freemail aruba.it
      hashbl_acl_freemail asheville.com
      hashbl_acl_freemail asia-links.com
      hashbl_acl_freemail asia-mail.com
      hashbl_acl_freemail asia.com
      hashbl_acl_freemail asiamail.com
      hashbl_acl_freemail asiancutes.com
      hashbl_acl_freemail assala.com
      hashbl_acl_freemail assamesemail.com
      hashbl_acl_freemail asurfer.com
      hashbl_acl_freemail aswan.cc
      hashbl_acl_freemail asylum.com
      hashbl_acl_freemail atheist.com
      hashbl_acl_freemail atl.lv
      hashbl_acl_freemail atlas.cz
      hashbl_acl_freemail atlas.sk
      hashbl_acl_freemail atozasia.com
      hashbl_acl_freemail atreillou.com
      hashbl_acl_freemail att.ne.jp
      hashbl_acl_freemail att.net
      hashbl_acl_freemail au.ru
      hashbl_acl_freemail aubenin.com
      hashbl_acl_freemail auctioneer.net
      hashbl_acl_freemail auf-steroide.de
      hashbl_acl_freemail aufdrogen.de
      hashbl_acl_freemail aus-city.com
      hashbl_acl_freemail ausi.com
      hashbl_acl_freemail aussiemail.com.au
      hashbl_acl_freemail australiamail.com
      hashbl_acl_freemail autoindia.com
      hashbl_acl_freemail autopm.com
      hashbl_acl_freemail avasmail.com.mv
      hashbl_acl_freemail axarnet.com
      hashbl_acl_freemail ayna.com
      hashbl_acl_freemail azet.sk
      hashbl_acl_freemail b-boy.com
      hashbl_acl_freemail baalbeck.cc
      hashbl_acl_freemail babbalu.com
      hashbl_acl_freemail badgers.com
      hashbl_acl_freemail bahraini.cc
      hashbl_acl_freemail bakpaka.com
      hashbl_acl_freemail bakpaka.net
      hashbl_acl_freemail balochistan.org
      hashbl_acl_freemail baluch.com
      hashbl_acl_freemail bama-fan.com
      hashbl_acl_freemail bancora.net
      hashbl_acl_freemail banha.cc
      hashbl_acl_freemail bankersmail.com
      hashbl_acl_freemail barlick.net
      hashbl_acl_freemail barriolife.com
      hashbl_acl_freemail bartender.net
      hashbl_acl_freemail basketball-email.com
      hashbl_acl_freemail beabookworm.com
      hashbl_acl_freemail beagolfer.com
      hashbl_acl_freemail beahealthnut.com
      hashbl_acl_freemail beautifulboy.com
      hashbl_acl_freemail beeebank.com
      hashbl_acl_freemail beehive.org
      hashbl_acl_freemail been-there.com
      hashbl_acl_freemail beirut.com
      hashbl_acl_freemail believeinliberty.com
      hashbl_acl_freemail belizehome.com
      hashbl_acl_freemail belizemail.net
      hashbl_acl_freemail belizeweb.com
      hashbl_acl_freemail bellair.net
      hashbl_acl_freemail bellsouth.net
      hashbl_acl_freemail berlin.com
      hashbl_acl_freemail berlin.de
      hashbl_acl_freemail besser-als-du.de
      hashbl_acl_freemail bestcoolcars.com
      hashbl_acl_freemail bestjobcandidate.com
      hashbl_acl_freemail bestmail.us
      hashbl_acl_freemail besure2vote.com
      hashbl_acl_freemail bflomail.com
      hashbl_acl_freemail bgay.com
      hashbl_acl_freemail bgnmail.com
      hashbl_acl_freemail bharatmail.com
      hashbl_acl_freemail bicycledata.com
      hashbl_acl_freemail bicycling.com
      hashbl_acl_freemail big-orange.com
      hashbl_acl_freemail bigboss.cz
      hashbl_acl_freemail bigfoot.com
      hashbl_acl_freemail bigger.com
      hashbl_acl_freemail bigheavyworld.com
      hashbl_acl_freemail bigmailbox.com
      hashbl_acl_freemail bigmailbox.net
      hashbl_acl_freemail bigmir.net
      hashbl_acl_freemail bigpond.com
      hashbl_acl_freemail bigstring.com
      hashbl_acl_freemail bigtimecatperson.com
      hashbl_acl_freemail bigtimedogperson.com
      hashbl_acl_freemail bigtimereader.com
      hashbl_acl_freemail bigtimesportsfan.com
      hashbl_acl_freemail bikerheaven.net
      hashbl_acl_freemail bikerider.com
      hashbl_acl_freemail bikermail.com
      hashbl_acl_freemail billssite.com
      hashbl_acl_freemail bip.net
      hashbl_acl_freemail birdlover.com
      hashbl_acl_freemail bitwiser.com
      hashbl_acl_freemail biz.by
      hashbl_acl_freemail bizerte.cc
      hashbl_acl_freemail bizhosting.com
      hashbl_acl_freemail black-sea.ro
      hashbl_acl_freemail blackandchristian.com
      hashbl_acl_freemail blackburnmail.com
      hashbl_acl_freemail blackcity.net
      hashbl_acl_freemail blackglobalnetwork.net
      hashbl_acl_freemail blackvault.com
      hashbl_acl_freemail blackvoices.com
      hashbl_acl_freemail blader.com
      hashbl_acl_freemail blida.info
      hashbl_acl_freemail blink182.net
      hashbl_acl_freemail blue.devils.com
      hashbl_acl_freemail bluebottle.com
      hashbl_acl_freemail bluemail.ch
      hashbl_acl_freemail blumail.org
      hashbl_acl_freemail blvds.com
      hashbl_acl_freemail bmx.lv
      hashbl_acl_freemail bmxtrix.com
      hashbl_acl_freemail boardermail.com
      hashbl_acl_freemail boarderzone.com
      hashbl_acl_freemail boatnerd.com
      hashbl_acl_freemail bol.com.br
      hashbl_acl_freemail bolando.com
      hashbl_acl_freemail bolbox.com
      hashbl_acl_freemail bollywood2000.com
      hashbl_acl_freemail bollywoodz.com
      hashbl_acl_freemail bombka.dyn.pl
      hashbl_acl_freemail bonbon.net
      hashbl_acl_freemail bongmail.com
      hashbl_acl_freemail boom.com
      hashbl_acl_freemail bootmail.com
      hashbl_acl_freemail bostonoffice.com
      hashbl_acl_freemail bowl.com
      hashbl_acl_freemail box.az
      hashbl_acl_freemail boxbg.com
      hashbl_acl_freemail boxemail.com
      hashbl_acl_freemail brain.com.pk
      hashbl_acl_freemail brainsurfer.de
      hashbl_acl_freemail brasilia.net
      hashbl_acl_freemail bravanese.com
      hashbl_acl_freemail brazilmail.com
      hashbl_acl_freemail brazilmail.com.br
      hashbl_acl_freemail breathe.com
      hashbl_acl_freemail brestonline.com
      hashbl_acl_freemail brew-master.com
      hashbl_acl_freemail brew-meister.com
      hashbl_acl_freemail brfree.com.br
      hashbl_acl_freemail brujula.net
      hashbl_acl_freemail bsdmail.com
      hashbl_acl_freemail btcc.org
      hashbl_acl_freemail buffaloes.com
      hashbl_acl_freemail bulgaria.com
      hashbl_acl_freemail bulldogs.com
      hashbl_acl_freemail bumerang.ro
      hashbl_acl_freemail buraydah.cc
      hashbl_acl_freemail burntmail.com
      hashbl_acl_freemail butch-femme.net
      hashbl_acl_freemail butch-femme.org
      hashbl_acl_freemail buzy.com
      hashbl_acl_freemail buzzjakkerz.com
      hashbl_acl_freemail byke.com
      hashbl_acl_freemail c-box.cz
      hashbl_acl_freemail c3.hu
      hashbl_acl_freemail c4.com
      hashbl_acl_freemail cadinfo.net
      hashbl_acl_freemail calcfacil.com.br
      hashbl_acl_freemail calcware.org
      hashbl_acl_freemail california.usa.com
      hashbl_acl_freemail californiamail.com
      hashbl_acl_freemail calle22.com
      hashbl_acl_freemail callnetuk.com
      hashbl_acl_freemail camaroclubsweden.com
      hashbl_acl_freemail cameroon.cc
      hashbl_acl_freemail canada-11.com
      hashbl_acl_freemail canada.com
      hashbl_acl_freemail canal21.com
      hashbl_acl_freemail cannabismail.com
      hashbl_acl_freemail canoemail.com
      hashbl_acl_freemail capsfanatic.com
      hashbl_acl_freemail capshockeyfan.com
      hashbl_acl_freemail capsred.com
      hashbl_acl_freemail car-nut.net
      hashbl_acl_freemail caramail.com
      hashbl_acl_freemail cardblvd.com
      hashbl_acl_freemail care-mail.com
      hashbl_acl_freemail care2.com
      hashbl_acl_freemail caress.com
      hashbl_acl_freemail carioca.net
      hashbl_acl_freemail cash4u.com
      hashbl_acl_freemail cashette.com
      hashbl_acl_freemail casino.com
      hashbl_acl_freemail casinomail.com
      hashbl_acl_freemail cat-person.com
      hashbl_acl_freemail cataloniamail.com
      hashbl_acl_freemail catalunyamail.com
      hashbl_acl_freemail cataz.com
      hashbl_acl_freemail catcha.com
      hashbl_acl_freemail catholic.org
      hashbl_acl_freemail caths.co.uk
      hashbl_acl_freemail catlover.com
      hashbl_acl_freemail catlovers.com
      hashbl_acl_freemail catpeoplerule.com
      hashbl_acl_freemail caxess.net
      hashbl_acl_freemail cbrmail.com
      hashbl_acl_freemail cc.lv
      hashbl_acl_freemail cemelli.com
      hashbl_acl_freemail centoper.it
      hashbl_acl_freemail centralpets.com
      hashbl_acl_freemail centrum.cz
      hashbl_acl_freemail centrum.sk
      hashbl_acl_freemail centurylink.net
      hashbl_acl_freemail cercaziende.it
      hashbl_acl_freemail certifiedbitches.com
      hashbl_acl_freemail cgac.es
      hashbl_acl_freemail chaiyo.com
      hashbl_acl_freemail chaiyomail.com
      hashbl_acl_freemail championboxing.com
      hashbl_acl_freemail chance2mail.com
      hashbl_acl_freemail channelonetv.com
      hashbl_acl_freemail charter.net
      hashbl_acl_freemail chat-with-me.com
      hashbl_acl_freemail chattown.com
      hashbl_acl_freemail chatway.com
      hashbl_acl_freemail cheatasrule.com
      hashbl_acl_freemail checkitmail.at
      hashbl_acl_freemail cheerful.com
      hashbl_acl_freemail chef.net
      hashbl_acl_freemail chelny.com
      hashbl_acl_freemail chemist.com
      hashbl_acl_freemail cheshiremail.com
      hashbl_acl_freemail chewiemail.com
      hashbl_acl_freemail chil-e.com
      hashbl_acl_freemail chillaxer.de
      hashbl_acl_freemail chillimail.com
      hashbl_acl_freemail chillymail.com
      hashbl_acl_freemail china.com
      hashbl_acl_freemail chinamail.com
      hashbl_acl_freemail christianmail.org
      hashbl_acl_freemail ciaoweb.it
      hashbl_acl_freemail cine.com
      hashbl_acl_freemail ciphercom.net
      hashbl_acl_freemail circlemail.com
      hashbl_acl_freemail cititrustbank1.cjb.net
      hashbl_acl_freemail citromail.hu
      hashbl_acl_freemail citynetusa.com
      hashbl_acl_freemail ciudad.com.ar
      hashbl_acl_freemail claramail.com
      hashbl_acl_freemail classicmail.co.za
      hashbl_acl_freemail classprod.com
      hashbl_acl_freemail classycouples.com
      hashbl_acl_freemail clerk.com
      hashbl_acl_freemail cliffhanger.com
      hashbl_acl_freemail clix.pt
      hashbl_acl_freemail close2you.net
      hashbl_acl_freemail clovermail.net
      hashbl_acl_freemail clubmember.org
      hashbl_acl_freemail cluemail.com
      hashbl_acl_freemail clujnapoca.ro
      hashbl_acl_freemail collector.org
      hashbl_acl_freemail collegeclub.com
      hashbl_acl_freemail colombia.com
      hashbl_acl_freemail colorado.usa.com
      hashbl_acl_freemail columnist.com
      hashbl_acl_freemail comcast.net
      hashbl_acl_freemail comfortable.com
      hashbl_acl_freemail comic.com
      hashbl_acl_freemail company.org.ua
      hashbl_acl_freemail compaqnet.fr
      hashbl_acl_freemail compuserve.com
      hashbl_acl_freemail computer.net
      hashbl_acl_freemail computer4u.com
      hashbl_acl_freemail computermail.net
      hashbl_acl_freemail computhouse.com
      hashbl_acl_freemail conevyt.org.mx
      hashbl_acl_freemail congiu.net
      hashbl_acl_freemail connect4free.net
      hashbl_acl_freemail connecticut.usa.com
      hashbl_acl_freemail consultant.com
      hashbl_acl_freemail contractor.net
      hashbl_acl_freemail coolgoose.com
      hashbl_acl_freemail coolkiwi.com
      hashbl_acl_freemail coollist.com
      hashbl_acl_freemail coolmail.com
      hashbl_acl_freemail coolmail.net
      hashbl_acl_freemail coolmail.ru
      hashbl_acl_freemail coolsend.com
      hashbl_acl_freemail coolshit.com
      hashbl_acl_freemail coolsite.net
      hashbl_acl_freemail cooltoad.com
      hashbl_acl_freemail cooperation.net
      hashbl_acl_freemail copacabana.com
      hashbl_acl_freemail copticmail.com
      hashbl_acl_freemail corporateattorneys.com
      hashbl_acl_freemail corporation.net
      hashbl_acl_freemail corpusmail.com
      hashbl_acl_freemail correios.net.br
      hashbl_acl_freemail correomagico.com
      hashbl_acl_freemail cosmo.com
      hashbl_acl_freemail cosmosurf.net
      hashbl_acl_freemail cougars.com
      hashbl_acl_freemail counsellor.com
      hashbl_acl_freemail count.com
      hashbl_acl_freemail countrybass.com
      hashbl_acl_freemail couple.com
      hashbl_acl_freemail coxinet.net
      hashbl_acl_freemail crazy4baseball.com
      hashbl_acl_freemail crazy4homeimprovement.com
      hashbl_acl_freemail crazy4mail.com
      hashbl_acl_freemail crazyaboutfilms.net
      hashbl_acl_freemail crazycarfan.com
      hashbl_acl_freemail crazyforemail.com
      hashbl_acl_freemail crazymoviefan.com
      hashbl_acl_freemail criticalpath.net
      hashbl_acl_freemail critterpost.com
      hashbl_acl_freemail crosspaths.net
      hashbl_acl_freemail crosswinds.net
      hashbl_acl_freemail cryingmail.com
      hashbl_acl_freemail cs.com
      hashbl_acl_freemail csucsposta.hu
      hashbl_acl_freemail cumbriamail.com
      hashbl_acl_freemail curio-city.com
      hashbl_acl_freemail custmail.com
      hashbl_acl_freemail cutey.com
      hashbl_acl_freemail cwazy.co.uk
      hashbl_acl_freemail cwazy.net
      hashbl_acl_freemail cww.de
      hashbl_acl_freemail cyber-wizard.com
      hashbl_acl_freemail cyberaccess.com.pk
      hashbl_acl_freemail cyberdude.com
      hashbl_acl_freemail cybergal.com
      hashbl_acl_freemail cybergirls.dk
      hashbl_acl_freemail cyberguys.dk
      hashbl_acl_freemail cyberkriminell.de
      hashbl_acl_freemail cybernet.it
      hashbl_acl_freemail cyberservices.com
      hashbl_acl_freemail cyberunlimited.org
      hashbl_acl_freemail cycledata.com
      hashbl_acl_freemail cymail.net
      hashbl_acl_freemail dabsol.net
      hashbl_acl_freemail dada.net
      hashbl_acl_freemail dadanet.it
      hashbl_acl_freemail dailypioneer.com
      hashbl_acl_freemail dallasmail.com
      hashbl_acl_freemail damuc.org.br
      hashbl_acl_freemail danneben.so
      hashbl_acl_freemail dansegulvet.com
      hashbl_acl_freemail darkfear.com
      hashbl_acl_freemail darkforces.com
      hashbl_acl_freemail darkhorsefan.net
      hashbl_acl_freemail data54.com
      hashbl_acl_freemail daum.net
      hashbl_acl_freemail davegracey.com
      hashbl_acl_freemail dayzers.com
      hashbl_acl_freemail dbmail.com
      hashbl_acl_freemail dbzmail.com
      hashbl_acl_freemail dcemail.com
      hashbl_acl_freemail dcsi.net
      hashbl_acl_freemail deacons.com
      hashbl_acl_freemail deadlymob.org
      hashbl_acl_freemail deal-maker.com
      hashbl_acl_freemail dearriba.com
      hashbl_acl_freemail degoo.com
      hashbl_acl_freemail delajaonline.org
      hashbl_acl_freemail delaware.usa.com
      hashbl_acl_freemail delfi.lv
      hashbl_acl_freemail delhimail.com
      hashbl_acl_freemail deliveryman.com
      hashbl_acl_freemail demon.deacons.com
      hashbl_acl_freemail denmark.ir
      hashbl_acl_freemail descriptivemail.com
      hashbl_acl_freemail desertonline.com
      hashbl_acl_freemail desidrivers.com
      hashbl_acl_freemail deskpilot.com
      hashbl_acl_freemail despammed.com
      hashbl_acl_freemail detik.com
      hashbl_acl_freemail devils.com
      hashbl_acl_freemail dexara.net
      hashbl_acl_freemail dhahran.cc
      hashbl_acl_freemail dhmail.net
      hashbl_acl_freemail dhofar.cc
      hashbl_acl_freemail di-ve.com
      hashbl_acl_freemail didamail.com
      hashbl_acl_freemail differentmail.com
      hashbl_acl_freemail digitaltrue.com
      hashbl_acl_freemail dino.lv
      hashbl_acl_freemail diplomats.com
      hashbl_acl_freemail direccion.com
      hashbl_acl_freemail director-general.com
      hashbl_acl_freemail diri.com
      hashbl_acl_freemail dirtythird.com
      hashbl_acl_freemail discardmail.com
      hashbl_acl_freemail disciples.com
      hashbl_acl_freemail discofan.com
      hashbl_acl_freemail discoverymail.net
      hashbl_acl_freemail disinfo.net
      hashbl_acl_freemail disposable.com
      hashbl_acl_freemail djibouti.cc
      hashbl_acl_freemail djmillenium.com
      hashbl_acl_freemail dmailman.com
      hashbl_acl_freemail dnsmadeeasy.com
      hashbl_acl_freemail do.net.ar
      hashbl_acl_freemail doctor.com
      hashbl_acl_freemail dodgeit.com
      hashbl_acl_freemail dog-person.com
      hashbl_acl_freemail doglover.com
      hashbl_acl_freemail dogmail.co.uk
      hashbl_acl_freemail dogpeoplerule.com
      hashbl_acl_freemail doityourself.com
      hashbl_acl_freemail domaindiscover.com
      hashbl_acl_freemail domainmanager.com
      hashbl_acl_freemail dominican.cc
      hashbl_acl_freemail doneasy.com
      hashbl_acl_freemail dontexist.org
      hashbl_acl_freemail dopefiends.com
      hashbl_acl_freemail doramail.com
      hashbl_acl_freemail dores.com
      hashbl_acl_freemail dostmail.com
      hashbl_acl_freemail dot5hosting.com
      hashbl_acl_freemail dotcom.fr
      hashbl_acl_freemail dotnow.com
      hashbl_acl_freemail dott.it
      hashbl_acl_freemail doubt.com
      hashbl_acl_freemail dplanet.ch
      hashbl_acl_freemail dr-dre.com
      hashbl_acl_freemail dr.com
      hashbl_acl_freemail draac.com
      hashbl_acl_freemail dragoncon.net
      hashbl_acl_freemail dragonfans.com
      hashbl_acl_freemail drakmail.net
      hashbl_acl_freemail dreamstop.com
      hashbl_acl_freemail dropzone.com
      hashbl_acl_freemail dserver.org
      hashbl_acl_freemail dubaiwebcity.com
      hashbl_acl_freemail dublin.com
      hashbl_acl_freemail dublin.ie
      hashbl_acl_freemail dustdevil.com
      hashbl_acl_freemail dutchmail.com
      hashbl_acl_freemail dynamitemail.com
      hashbl_acl_freemail dyndns.org
      hashbl_acl_freemail e-apollo.lv
      hashbl_acl_freemail e-hkma.com
      hashbl_acl_freemail e-mail.am
      hashbl_acl_freemail e-mail.cz
      hashbl_acl_freemail e-mail.ph
      hashbl_acl_freemail e-mailanywhere.com
      hashbl_acl_freemail e-milio.com
      hashbl_acl_freemail e-tapaal.com
      hashbl_acl_freemail e-webtec.com
      hashbl_acl_freemail earthalliance.com
      hashbl_acl_freemail earthling.net
      hashbl_acl_freemail eastmail.com
      hashbl_acl_freemail eastrolog.com
      hashbl_acl_freemail easy-pages.com
      hashbl_acl_freemail easy.com
      hashbl_acl_freemail easydoesit.com
      hashbl_acl_freemail easyinfomail.co.za
      hashbl_acl_freemail easypeasy.com
      hashbl_acl_freemail echina.com
      hashbl_acl_freemail eclub.lv
      hashbl_acl_freemail ecn.org
      hashbl_acl_freemail ecplaza.net
      hashbl_acl_freemail edsamail.com.ph
      hashbl_acl_freemail educacao.te.pt
      hashbl_acl_freemail edumail.co.za
      hashbl_acl_freemail eeism.com
      hashbl_acl_freemail ego.co.th
      hashbl_acl_freemail egypt.ir
      hashbl_acl_freemail egypt.net
      hashbl_acl_freemail eircom.net
      hashbl_acl_freemail ekolay.net
      hashbl_acl_freemail elforotv.com.ar
      hashbl_acl_freemail elitemail.org
      hashbl_acl_freemail elsitio.com
      hashbl_acl_freemail eltimon.com
      hashbl_acl_freemail elvis.com
      hashbl_acl_freemail elvisfan.com
      hashbl_acl_freemail email.bg
      hashbl_acl_freemail email.com
      hashbl_acl_freemail email.com.br
      hashbl_acl_freemail email.cz
      hashbl_acl_freemail email.it
      hashbl_acl_freemail email.lu
      hashbl_acl_freemail email.lviv.ua
      hashbl_acl_freemail email.nu
      hashbl_acl_freemail email.ro
      hashbl_acl_freemail email.si
      hashbl_acl_freemail email2me.com
      hashbl_acl_freemail emailacc.com
      hashbl_acl_freemail emailaccount.com
      hashbl_acl_freemail emailaddresses.com
      hashbl_acl_freemail emailchoice.com
      hashbl_acl_freemail emailcorner.net
      hashbl_acl_freemail emailengine.net
      hashbl_acl_freemail emailengine.org
      hashbl_acl_freemail emailfast.com
      hashbl_acl_freemail emailgaul.com
      hashbl_acl_freemail emailgroups.net
      hashbl_acl_freemail emailhut.net
      hashbl_acl_freemail emailn.de
      hashbl_acl_freemail emailpinoy.com
      hashbl_acl_freemail emailplanet.com
      hashbl_acl_freemail emailplus.org
      hashbl_acl_freemail emailuser.net
      hashbl_acl_freemail ematic.com
      hashbl_acl_freemail embarqmail.com
      hashbl_acl_freemail embroideryforums.com
      hashbl_acl_freemail eml.cc
      hashbl_acl_freemail emoka.ro
      hashbl_acl_freemail emptymail.com
      hashbl_acl_freemail enel.net
      hashbl_acl_freemail enelpunto.net
      hashbl_acl_freemail engineer.com
      hashbl_acl_freemail england.com
      hashbl_acl_freemail englandmail.com
      hashbl_acl_freemail enterate.com.ar
      hashbl_acl_freemail entryweb.it
      hashbl_acl_freemail entusiastisk.com
      hashbl_acl_freemail enusmail.com
      hashbl_acl_freemail envirocitizen.com
      hashbl_acl_freemail epatra.com
      hashbl_acl_freemail epix.net
      hashbl_acl_freemail epomail.com
      hashbl_acl_freemail epost.de
      hashbl_acl_freemail eprompter.com
      hashbl_acl_freemail eqqu.com
      hashbl_acl_freemail eramail.co.za
      hashbl_acl_freemail eresmas.com
      hashbl_acl_freemail eriga.lv
      hashbl_acl_freemail eritrea.cc
      hashbl_acl_freemail ertelecom.ru
      hashbl_acl_freemail escapeartist.com
      hashbl_acl_freemail esde-s.org
      hashbl_acl_freemail esfera.cl
      hashbl_acl_freemail estadao.com.br
      hashbl_acl_freemail etllao.com
      hashbl_acl_freemail euromail.net
      hashbl_acl_freemail europe.com
      hashbl_acl_freemail europemail.com
      hashbl_acl_freemail euroseek.com
      hashbl_acl_freemail euskalmail.com
      hashbl_acl_freemail evafan.com
      hashbl_acl_freemail everyday.com.kh
      hashbl_acl_freemail everymail.net
      hashbl_acl_freemail everyone.net
      hashbl_acl_freemail excite.co.uk
      hashbl_acl_freemail excite.com
      hashbl_acl_freemail execs.com
      hashbl_acl_freemail execs2k.com
      hashbl_acl_freemail executivemail.co.za
      hashbl_acl_freemail expertrenovator.com
      hashbl_acl_freemail expn.com
      hashbl_acl_freemail expressivemail.com
      hashbl_acl_freemail expressmail.dk
      hashbl_acl_freemail ezilon.com
      hashbl_acl_freemail ezrs.com
      hashbl_acl_freemail ezsweeps.com
      hashbl_acl_freemail f-m.fm
      hashbl_acl_freemail facilmail.com
      hashbl_acl_freemail fadrasha.net
      hashbl_acl_freemail fadrasha.org
      hashbl_acl_freemail faithhighway.com
      hashbl_acl_freemail faithmail.com
      hashbl_acl_freemail falasteen.cc
      hashbl_acl_freemail familymailbox.com
      hashbl_acl_freemail familyroll.com
      hashbl_acl_freemail familysafeweb.net
      hashbl_acl_freemail famous.as
      hashbl_acl_freemail fan.com
      hashbl_acl_freemail fan.net
      hashbl_acl_freemail fanaticos.com
      hashbl_acl_freemail fanofbooks.com
      hashbl_acl_freemail fanofcomputers.com
      hashbl_acl_freemail fanofcooking.com
      hashbl_acl_freemail fanoftheweb.com
      hashbl_acl_freemail faroweb.com
      hashbl_acl_freemail farts.com
      hashbl_acl_freemail fast-email.com
      hashbl_acl_freemail fast-mail.org
      hashbl_acl_freemail fastem.com
      hashbl_acl_freemail fastemail.us
      hashbl_acl_freemail fastemailer.com
      hashbl_acl_freemail fastermail.com
      hashbl_acl_freemail fastest.cc
      hashbl_acl_freemail fastimap.com
      hashbl_acl_freemail fastmail.co.uk
      hashbl_acl_freemail fastmail.com
      hashbl_acl_freemail fastmailbox.net
      hashbl_acl_freemail fastmessaging.com
      hashbl_acl_freemail fastservice.com
      hashbl_acl_freemail fastwebmail.it
      hashbl_acl_freemail fawz.net
      hashbl_acl_freemail fea.st
      hashbl_acl_freemail federalcontractors.com
      hashbl_acl_freemail fedxmail.com
      hashbl_acl_freemail feelingnaughty.com
      hashbl_acl_freemail feelings.com
      hashbl_acl_freemail female.ru
      hashbl_acl_freemail fepg.net
      hashbl_acl_freemail ffanet.com
      hashbl_acl_freemail fiberia.com
      hashbl_acl_freemail fieldmail.com
      hashbl_acl_freemail filipinolinks.com
      hashbl_acl_freemail financesource.com
      hashbl_acl_freemail financier.com
      hashbl_acl_freemail findmail.com
      hashbl_acl_freemail fireman.net
      hashbl_acl_freemail firemyst.com
      hashbl_acl_freemail fiscal.net
      hashbl_acl_freemail fit.lv
      hashbl_acl_freemail flashmail.com
      hashbl_acl_freemail fleetmail.com
      hashbl_acl_freemail flipcode.com
      hashbl_acl_freemail florida.usa.com
      hashbl_acl_freemail floridagators.com
      hashbl_acl_freemail fmail.co.uk
      hashbl_acl_freemail fmailbox.com
      hashbl_acl_freemail fmgirl.com
      hashbl_acl_freemail fmguy.com
      hashbl_acl_freemail fnmail.com
      hashbl_acl_freemail focusedonprofits.com
      hashbl_acl_freemail focusedonreturns.com
      hashbl_acl_freemail footballer.com
      hashbl_acl_freemail forfree.at
      hashbl_acl_freemail forsythmissouri.org
      hashbl_acl_freemail fortuncity.com
      hashbl_acl_freemail forum.dk
      hashbl_acl_freemail foxmail.com
      hashbl_acl_freemail free.com.pe
      hashbl_acl_freemail free.fr
      hashbl_acl_freemail free.net.nz
      hashbl_acl_freemail freeaccess.nl
      hashbl_acl_freemail freegates.be
      hashbl_acl_freemail freeghana.com
      hashbl_acl_freemail freehosting.nl
      hashbl_acl_freemail freei.co.th
      hashbl_acl_freemail freeler.nl
      hashbl_acl_freemail freemail.com
      hashbl_acl_freemail freemail.globalsite.com.br
      hashbl_acl_freemail freemailen.de
      hashbl_acl_freemail freemailn.de
      hashbl_acl_freemail freemuslim.net
      hashbl_acl_freemail freenet.de
      hashbl_acl_freemail freenet.kg
      hashbl_acl_freemail freeola.net
      hashbl_acl_freemail freeonline.com
      hashbl_acl_freemail freepgs.com
      hashbl_acl_freemail freesbee.fr
      hashbl_acl_freemail freeservers.com
      hashbl_acl_freemail freestart.hu
      hashbl_acl_freemail freesurf.ch
      hashbl_acl_freemail freesurf.fr
      hashbl_acl_freemail freesurf.nl
      hashbl_acl_freemail freeuk.com
      hashbl_acl_freemail freeuk.net
      hashbl_acl_freemail freeweb.it
      hashbl_acl_freemail freewebemail.com
      hashbl_acl_freemail freeyellow.com
      hashbl_acl_freemail frisurf.no
      hashbl_acl_freemail frontiernet.net
      hashbl_acl_freemail fsmail.net
      hashbl_acl_freemail fsnet.co.uk
      hashbl_acl_freemail ftml.net
      hashbl_acl_freemail fudge.com
      hashbl_acl_freemail fuelie.org
      hashbl_acl_freemail fujairah.cc
      hashbl_acl_freemail fujairah.us
      hashbl_acl_freemail fujairah.ws
      hashbl_acl_freemail fun-greetings-jokes.com
      hashbl_acl_freemail fun.21cn.com
      hashbl_acl_freemail funkytimes.com
      hashbl_acl_freemail fusemail.com
      hashbl_acl_freemail fut.es
      hashbl_acl_freemail futboladdict.com
      hashbl_acl_freemail gabes.cc
      hashbl_acl_freemail gafsa.cc
      hashbl_acl_freemail gala.net
      hashbl_acl_freemail galaxyhit.com
      hashbl_acl_freemail galmail.co.za
      hashbl_acl_freemail gamebox.net
      hashbl_acl_freemail gamecocks.com
      hashbl_acl_freemail gamerssolution.com
      hashbl_acl_freemail games.com
      hashbl_acl_freemail gardener.com
      hashbl_acl_freemail gawab.com
      hashbl_acl_freemail gay.com
      hashbl_acl_freemail gaymailbox.com
      hashbl_acl_freemail gaza.net
      hashbl_acl_freemail gazabo.net
      hashbl_acl_freemail gazeta.pl
      hashbl_acl_freemail gci.net
      hashbl_acl_freemail gdi.net
      hashbl_acl_freemail geeklife.com
      hashbl_acl_freemail gemari.or.id
      hashbl_acl_freemail genxemail.com
      hashbl_acl_freemail geologist.com
      hashbl_acl_freemail geopia.com
      hashbl_acl_freemail georgia.usa.com
      hashbl_acl_freemail germanymail.com
      hashbl_acl_freemail getintobooks.com
      hashbl_acl_freemail getmail.no
      hashbl_acl_freemail ggaweb.ch
      hashbl_acl_freemail giga4u.de
      hashbl_acl_freemail giza.cc
      hashbl_acl_freemail gjk.dk
      hashbl_acl_freemail glay.org
      hashbl_acl_freemail glendale.net
      hashbl_acl_freemail glittergrrrls.com
      hashbl_acl_freemail globalfree.it
      hashbl_acl_freemail globalpinoy.com
      hashbl_acl_freemail globalsite.com.br
      hashbl_acl_freemail globalum.com
      hashbl_acl_freemail globetrotter.net
      hashbl_acl_freemail globomail.com
      hashbl_acl_freemail gmail.com
      hashbl_acl_freemail gmx.com
      hashbl_acl_freemail go-bama.com
      hashbl_acl_freemail go-cavs.com
      hashbl_acl_freemail go-chargers.com
      hashbl_acl_freemail go-dawgs.com
      hashbl_acl_freemail go-gators.com
      hashbl_acl_freemail go-hogs.com
      hashbl_acl_freemail go-irish.com
      hashbl_acl_freemail go-spartans.com
      hashbl_acl_freemail go-tigers.com
      hashbl_acl_freemail go.aggies.com
      hashbl_acl_freemail go.air-force.com
      hashbl_acl_freemail go.badgers.com
      hashbl_acl_freemail go.big-orange.com
      hashbl_acl_freemail go.blue.devils.com
      hashbl_acl_freemail go.buffaloes.com
      hashbl_acl_freemail go.bulldogs.com
      hashbl_acl_freemail go.com
      hashbl_acl_freemail go.cougars.com
      hashbl_acl_freemail go.dores.com
      hashbl_acl_freemail go.gamecocks.com
      hashbl_acl_freemail go.huskies.com
      hashbl_acl_freemail go.longhorns.com
      hashbl_acl_freemail go.mustangs.com
      hashbl_acl_freemail go.rebels.com
      hashbl_acl_freemail go.ro
      hashbl_acl_freemail go.ru
      hashbl_acl_freemail go.terrapins.com
      hashbl_acl_freemail go.wildcats.com
      hashbl_acl_freemail go.wolverines.com
      hashbl_acl_freemail go.yellow-jackets.com
      hashbl_acl_freemail go2net.com
      hashbl_acl_freemail go4.it
      hashbl_acl_freemail goatrance.com
      hashbl_acl_freemail goddess.com
      hashbl_acl_freemail gofree.co.uk
      hashbl_acl_freemail gohip.com
      hashbl_acl_freemail golfemail.com
      hashbl_acl_freemail goliadtexas.com
      hashbl_acl_freemail gomail.com.ua
      hashbl_acl_freemail gonowmail.com
      hashbl_acl_freemail gonuts4free.com
      hashbl_acl_freemail googlemail.com
      hashbl_acl_freemail goplay.com
      hashbl_acl_freemail gorontalo.net
      hashbl_acl_freemail gospelcity.com
      hashbl_acl_freemail gothicgirl.com
      hashbl_acl_freemail gotmail.com
      hashbl_acl_freemail gotomy.com
      hashbl_acl_freemail govzone.com
      hashbl_acl_freemail grad.com
      hashbl_acl_freemail graduate.org
      hashbl_acl_freemail graffiti.net
      hashbl_acl_freemail grapemail.net
      hashbl_acl_freemail graphic-designer.com
      hashbl_acl_freemail gratisweb.com
      hashbl_acl_freemail greatautos.org
      hashbl_acl_freemail greenmail.net
      hashbl_acl_freemail groupmail.com
      hashbl_acl_freemail gtechnics.com
      hashbl_acl_freemail guate.net
      hashbl_acl_freemail guessmail.com
      hashbl_acl_freemail guinea.cc
      hashbl_acl_freemail guy.com
      hashbl_acl_freemail gwalla.com
      hashbl_acl_freemail h-mail.us
      hashbl_acl_freemail haberx.com
      hashbl_acl_freemail hacker.am
      hashbl_acl_freemail hackermail.com
      hashbl_acl_freemail hail2theskins.com
      hashbl_acl_freemail hailmail.net
      hashbl_acl_freemail hairdresser.net
      hashbl_acl_freemail haitisurf.com
      hashbl_acl_freemail halejob.com
      hashbl_acl_freemail hamptonroads.com
      hashbl_acl_freemail hamra.cc
      hashbl_acl_freemail handbag.com
      hashbl_acl_freemail hanmail.net
      hashbl_acl_freemail happemail.com
      hashbl_acl_freemail happycounsel.com
      hashbl_acl_freemail happyhippo.com
      hashbl_acl_freemail hasakah.com
      hashbl_acl_freemail hateinthebox.com
      hashbl_acl_freemail hawaii.com
      hashbl_acl_freemail hawaii.usa.com
      hashbl_acl_freemail hayahaya.tg
      hashbl_acl_freemail hebron.tv
      hashbl_acl_freemail hedgeai.com
      hashbl_acl_freemail heesun.net
      hashbl_acl_freemail heremail.com
      hashbl_acl_freemail hetnet.nl
      hashbl_acl_freemail highveldmail.co.za
      hashbl_acl_freemail hilarious.com
      hashbl_acl_freemail hildebrands.de
      hashbl_acl_freemail hingis.org
      hashbl_acl_freemail hiphopfan.com
      hashbl_acl_freemail hispavista.com
      hashbl_acl_freemail hitmanrecords.com
      hashbl_acl_freemail hitthepuck.com
      hashbl_acl_freemail hockeyghiaccio.com
      hashbl_acl_freemail hockeymail.com
      hashbl_acl_freemail holapuravida.com
      hashbl_acl_freemail home.no.net
      hashbl_acl_freemail home.ro
      hashbl_acl_freemail home.se
      hashbl_acl_freemail homelocator.com
      hashbl_acl_freemail homemail.co.za
      hashbl_acl_freemail homemail.com
      hashbl_acl_freemail homenetmail.com
      hashbl_acl_freemail homestead.com
      hashbl_acl_freemail homosexual.net
      hashbl_acl_freemail homs.cc
      hashbl_acl_freemail hong-kong-1.com
      hashbl_acl_freemail hongkong.com
      hashbl_acl_freemail hopthu.com
      hashbl_acl_freemail hosanna.net
      hashbl_acl_freemail hot-shot.com
      hashbl_acl_freemail hot.ee
      hashbl_acl_freemail hotbot.com
      hashbl_acl_freemail hotbox.ru
      hashbl_acl_freemail hotcoolmail.com
      hashbl_acl_freemail hotdak.com
      hashbl_acl_freemail hotfire.net
      hashbl_acl_freemail hotinbox.com
      hashbl_acl_freemail hotmail.co.uk
      hashbl_acl_freemail hotmail.com
      hashbl_acl_freemail hotpop.com
      hashbl_acl_freemail hotvoice.com
      hashbl_acl_freemail hour.com
      hashbl_acl_freemail housemail.com
      hashbl_acl_freemail houseofhorrors.com
      hashbl_acl_freemail howling.com
      hashbl_acl_freemail hugkiss.com
      hashbl_acl_freemail huhmail.com
      hashbl_acl_freemail hullnumber.com
      hashbl_acl_freemail human.lv
      hashbl_acl_freemail humanoid.net
      hashbl_acl_freemail humour.com
      hashbl_acl_freemail hurra.de
      hashbl_acl_freemail hush.ai
      hashbl_acl_freemail hush.com
      hashbl_acl_freemail hushmail.com
      hashbl_acl_freemail huskies.com
      hashbl_acl_freemail hutchcity.com
      hashbl_acl_freemail i-dig-movies.com
      hashbl_acl_freemail i-france.com
      hashbl_acl_freemail i-love-restaurants.com
      hashbl_acl_freemail i-p.com
      hashbl_acl_freemail i12.com
      hashbl_acl_freemail i2828.com
      hashbl_acl_freemail ibatam.com
      hashbl_acl_freemail ibest.com.br
      hashbl_acl_freemail ibizdns.com
      hashbl_acl_freemail ibra.cc
      hashbl_acl_freemail icafe.com
      hashbl_acl_freemail ice.is
      hashbl_acl_freemail icestorm.com
      hashbl_acl_freemail icloud.com
      hashbl_acl_freemail icq.com
      hashbl_acl_freemail icq.ir
      hashbl_acl_freemail icqmail.com
      hashbl_acl_freemail icrazy.com
      hashbl_acl_freemail id.ru
      hashbl_acl_freemail idaho.usa.com
      hashbl_acl_freemail idigcomputers.com
      hashbl_acl_freemail idigelectronics.com
      hashbl_acl_freemail idigvideos.com
      hashbl_acl_freemail idirect.com
      hashbl_acl_freemail idncafe.com
      hashbl_acl_freemail idunno4recipes.com
      hashbl_acl_freemail ieg.com.br
      hashbl_acl_freemail iespalomeras.net
      hashbl_acl_freemail iespana.es
      hashbl_acl_freemail ifrance.com
      hashbl_acl_freemail ig.com.br
      hashbl_acl_freemail ignazio.it
      hashbl_acl_freemail ihatenetscape.com
      hashbl_acl_freemail ilike2helpothers.com
      hashbl_acl_freemail ilike2invest.com
      hashbl_acl_freemail ilike2workout.com
      hashbl_acl_freemail ilikeelectronics.com
      hashbl_acl_freemail ilikeworkingout.com
      hashbl_acl_freemail illinois.usa.com
      hashbl_acl_freemail ilovehomeprojects.com
      hashbl_acl_freemail iloveourteam.com
      hashbl_acl_freemail iloveworkingout.com
      hashbl_acl_freemail ilse.net
      hashbl_acl_freemail ilse.nl
      hashbl_acl_freemail imail.ru
      hashbl_acl_freemail imailbox.com
      hashbl_acl_freemail imap-mail.com
      hashbl_acl_freemail imap.cc
      hashbl_acl_freemail imapmail.org
      hashbl_acl_freemail imel.org
      hashbl_acl_freemail in-box.net
      hashbl_acl_freemail in.com
      hashbl_acl_freemail in2autos.net
      hashbl_acl_freemail iname.acom
      hashbl_acl_freemail iname.com
      hashbl_acl_freemail inbox.com
      hashbl_acl_freemail inbox.ge
      hashbl_acl_freemail inbox.lv
      hashbl_acl_freemail inbox.net
      hashbl_acl_freemail inbox.ru
      hashbl_acl_freemail incamail.com
      hashbl_acl_freemail indexa.fr
      hashbl_acl_freemail india.com
      hashbl_acl_freemail indiamail.com
      hashbl_acl_freemail indiana.usa.com
      hashbl_acl_freemail indiatimes.com
      hashbl_acl_freemail induquimica.org
      hashbl_acl_freemail inet.com.ua
      hashbl_acl_freemail infinito.it
      hashbl_acl_freemail infoapex.com
      hashbl_acl_freemail infohq.com
      hashbl_acl_freemail infomail.es
      hashbl_acl_freemail infomart.or.jp
      hashbl_acl_freemail infosat.net
      hashbl_acl_freemail infovia.com.ar
      hashbl_acl_freemail inicia.es
      hashbl_acl_freemail inmail.sk
      hashbl_acl_freemail inmail24.com
      hashbl_acl_freemail innocent.com
      hashbl_acl_freemail inorbit.com
      hashbl_acl_freemail inoutbox.com
      hashbl_acl_freemail instruction.com
      hashbl_acl_freemail instructor.net
      hashbl_acl_freemail insurer.com
      hashbl_acl_freemail intelnet.net.gt
      hashbl_acl_freemail intelnett.com
      hashbl_acl_freemail interblod.com
      hashbl_acl_freemail interestedinthejob.com
      hashbl_acl_freemail interfree.it
      hashbl_acl_freemail interia.pl
      hashbl_acl_freemail interlap.com.ar
      hashbl_acl_freemail intermail.hu
      hashbl_acl_freemail internet-e-mail.com
      hashbl_acl_freemail internet-mail.org
      hashbl_acl_freemail internet.lu
      hashbl_acl_freemail internetegypt.com
      hashbl_acl_freemail internetemails.net
      hashbl_acl_freemail internetmailing.net
      hashbl_acl_freemail intimatefire.com
      hashbl_acl_freemail intomotors.com
      hashbl_acl_freemail inwind.it
      hashbl_acl_freemail iobox.com
      hashbl_acl_freemail iobox.fi
      hashbl_acl_freemail iol.it
      hashbl_acl_freemail iol.pt
      hashbl_acl_freemail iowa.usa.com
      hashbl_acl_freemail ip3.com
      hashbl_acl_freemail ipermitmail.com
      hashbl_acl_freemail iphon.biz
      hashbl_acl_freemail iqemail.com
      hashbl_acl_freemail iquebec.com
      hashbl_acl_freemail ir.ae
      hashbl_acl_freemail iran.com
      hashbl_acl_freemail irangate.net
      hashbl_acl_freemail iraq.ir
      hashbl_acl_freemail irbid.ws
      hashbl_acl_freemail ire.ir
      hashbl_acl_freemail ireland.ir
      hashbl_acl_freemail irelandmail.com
      hashbl_acl_freemail irow.com
      hashbl_acl_freemail irr.ir
      hashbl_acl_freemail iscool.net
      hashbl_acl_freemail islandmama.com
      hashbl_acl_freemail ismailia.cc
      hashbl_acl_freemail ismart.net
      hashbl_acl_freemail isonews2.com
      hashbl_acl_freemail isonfire.com
      hashbl_acl_freemail isp9.net
      hashbl_acl_freemail ispey.com
      hashbl_acl_freemail israelmail.com
      hashbl_acl_freemail ist-der-mann.de
      hashbl_acl_freemail ist-der-wahnsinn.de
      hashbl_acl_freemail ist-echt.so
      hashbl_acl_freemail ist-genialer.de
      hashbl_acl_freemail ist-schlauer.de
      hashbl_acl_freemail ist-supersexy.de
      hashbl_acl_freemail istecht.so
      hashbl_acl_freemail italymail.com
      hashbl_acl_freemail itelgua.com
      hashbl_acl_freemail itloox.com
      hashbl_acl_freemail itmom.com
      hashbl_acl_freemail ivenus.com
      hashbl_acl_freemail iwan-fals.com
      hashbl_acl_freemail iwatchrealitytv.com
      hashbl_acl_freemail iwon.com
      hashbl_acl_freemail ixp.net
      hashbl_acl_freemail jadida.cc
      hashbl_acl_freemail jadida.org
      hashbl_acl_freemail japan.com
      hashbl_acl_freemail jaydemail.com
      hashbl_acl_freemail jazzemail.com
      hashbl_acl_freemail jedrzejow.pl
      hashbl_acl_freemail jerash.cc
      hashbl_acl_freemail jetemail.net
      hashbl_acl_freemail jingjo.net
      hashbl_acl_freemail jippii.fi
      hashbl_acl_freemail jizan.cc
      hashbl_acl_freemail jmail.co.za
      hashbl_acl_freemail job4u.com
      hashbl_acl_freemail jojomail.com
      hashbl_acl_freemail jouf.cc
      hashbl_acl_freemail journalist.com
      hashbl_acl_freemail jovem.te.pt
      hashbl_acl_freemail joymail.com
      hashbl_acl_freemail jpg.ir
      hashbl_acl_freemail juanitabynum.com
      hashbl_acl_freemail jubii.dk
      hashbl_acl_freemail jubiipost.dk
      hashbl_acl_freemail jumpy.it
      hashbl_acl_freemail juno.com
      hashbl_acl_freemail justemail.net
      hashbl_acl_freemail justmailz.com
      hashbl_acl_freemail k.ro
      hashbl_acl_freemail kaazoo.com
      hashbl_acl_freemail kabissa.org
      hashbl_acl_freemail kairouan.cc
      hashbl_acl_freemail kaixo.com
      hashbl_acl_freemail kalluritimes.com
      hashbl_acl_freemail kalpoint.com
      hashbl_acl_freemail kann.so
      hashbl_acl_freemail kanoodle.com
      hashbl_acl_freemail kansas.usa.com
      hashbl_acl_freemail karak.cc
      hashbl_acl_freemail katamail.com
      hashbl_acl_freemail kataweb.it
      hashbl_acl_freemail kayafmmail.co.za
      hashbl_acl_freemail keko.com.ar
      hashbl_acl_freemail kentucky.usa.com
      hashbl_acl_freemail keptprivate.com
      hashbl_acl_freemail keromail.com
      hashbl_acl_freemail khaimah.cc
      hashbl_acl_freemail khartoum.cc
      hashbl_acl_freemail khobar.cc
      hashbl_acl_freemail kickboxing.com
      hashbl_acl_freemail kidrock.com
      hashbl_acl_freemail kimo.com
      hashbl_acl_freemail kinkyemail.com
      hashbl_acl_freemail kissfans.com
      hashbl_acl_freemail kittymail.com
      hashbl_acl_freemail kiwitown.com
      hashbl_acl_freemail klik.it
      hashbl_acl_freemail klikni.cz
      hashbl_acl_freemail kmtn.ru
      hashbl_acl_freemail koko.com
      hashbl_acl_freemail kolozsvar.ro
      hashbl_acl_freemail kombud.com
      hashbl_acl_freemail kool-things.com
      hashbl_acl_freemail koreamail.com
      hashbl_acl_freemail koreanmail.com
      hashbl_acl_freemail kotaksuratku.info
      hashbl_acl_freemail krunis.com
      hashbl_acl_freemail ksa.ir
      hashbl_acl_freemail kukamail.com
      hashbl_acl_freemail kuronowish.com
      hashbl_acl_freemail kuwait.ir
      hashbl_acl_freemail kuwaiti.tv
      hashbl_acl_freemail kyokodate.com
      hashbl_acl_freemail kyokofukada.net
      hashbl_acl_freemail kyrgyzstan.cc
      hashbl_acl_freemail ladymail.cz
      hashbl_acl_freemail lagoon.nc
      hashbl_acl_freemail lahaonline.com
      hashbl_acl_freemail lamalla.net
      hashbl_acl_freemail lancsmail.com
      hashbl_acl_freemail land.ru
      hashbl_acl_freemail laposte.net
      hashbl_acl_freemail latakia.cc
      hashbl_acl_freemail latchess.com
      hashbl_acl_freemail latinabarbie.com
      hashbl_acl_freemail latinmail.com
      hashbl_acl_freemail latinogreeks.com
      hashbl_acl_freemail lawyer.com
      hashbl_acl_freemail lawyersmail.com
      hashbl_acl_freemail lawyerzone.com
      hashbl_acl_freemail lebanese.cc
      hashbl_acl_freemail lebanonatlas.com
      hashbl_acl_freemail leehom.net
      hashbl_acl_freemail leesville.com
      hashbl_acl_freemail legislator.com
      hashbl_acl_freemail lemondrop.com
      hashbl_acl_freemail leonardo.it
      hashbl_acl_freemail leonlai.net
      hashbl_acl_freemail letsjam.com
      hashbl_acl_freemail letterbox.org
      hashbl_acl_freemail letterboxes.org
      hashbl_acl_freemail levele.com
      hashbl_acl_freemail lexpress.net
      hashbl_acl_freemail libero.it
      hashbl_acl_freemail liberomail.com
      hashbl_acl_freemail libertysurf.net
      hashbl_acl_freemail libre.net
      hashbl_acl_freemail lightwines.org
      hashbl_acl_freemail linkmaster.com
      hashbl_acl_freemail linuxfreemail.com
      hashbl_acl_freemail linuxmail.org
      hashbl_acl_freemail lionsfan.com.au
      hashbl_acl_freemail live.com
      hashbl_acl_freemail livedoor.com
      hashbl_acl_freemail llandudno.com
      hashbl_acl_freemail llangollen.com
      hashbl_acl_freemail lmxmail.sk
      hashbl_acl_freemail lobbyist.com
      hashbl_acl_freemail loggain.net
      hashbl_acl_freemail loggain.nu
      hashbl_acl_freemail lolnetwork.net
      hashbl_acl_freemail london.com
      hashbl_acl_freemail london.ir
      hashbl_acl_freemail longhorns.com
      hashbl_acl_freemail look.com
      hashbl_acl_freemail looksmart.co.uk
      hashbl_acl_freemail looksmart.com
      hashbl_acl_freemail looksmart.com.au
      hashbl_acl_freemail loteria.net
      hashbl_acl_freemail lotonazo.com
      hashbl_acl_freemail louisiana.usa.com
      hashbl_acl_freemail louiskoo.com
      hashbl_acl_freemail love2exercise.com
      hashbl_acl_freemail love2workout.com
      hashbl_acl_freemail loveable.com
      hashbl_acl_freemail lovecat.com
      hashbl_acl_freemail loveemail.com
      hashbl_acl_freemail lovefantasysports.com
      hashbl_acl_freemail loveis.lv
      hashbl_acl_freemail lovemail.com
      hashbl_acl_freemail lovetoexercise.com
      hashbl_acl_freemail lovingjesus.com
      hashbl_acl_freemail lowrider.com
      hashbl_acl_freemail lpemail.com
      hashbl_acl_freemail lubnan.cc
      hashbl_acl_freemail lubnan.ws
      hashbl_acl_freemail lucky7lotto.net
      hashbl_acl_freemail luckymail.com
      hashbl_acl_freemail luso.pt
      hashbl_acl_freemail lusoweb.pt
      hashbl_acl_freemail luukku.com
      hashbl_acl_freemail luvfishing.com
      hashbl_acl_freemail luvgolfing.com
      hashbl_acl_freemail luvsoccer.com
      hashbl_acl_freemail lv-inter.net
      hashbl_acl_freemail lycos.co.uk
      hashbl_acl_freemail lycos.com
      hashbl_acl_freemail lycosmail.com
      hashbl_acl_freemail mac.com
      hashbl_acl_freemail machinecandy.com
      hashbl_acl_freemail macmail.com
      hashbl_acl_freemail mad.scientist.com
      hashbl_acl_freemail madcrazy.com
      hashbl_acl_freemail madeniggaz.net
      hashbl_acl_freemail madinah.cc
      hashbl_acl_freemail madonnafan.com
      hashbl_acl_freemail madonno.com
      hashbl_acl_freemail madrid.com
      hashbl_acl_freemail mag-spam.net
      hashbl_acl_freemail mag2.com
      hashbl_acl_freemail maghreb.cc
      hashbl_acl_freemail magicmail.co.za
      hashbl_acl_freemail magik-net.com
      hashbl_acl_freemail mail-atlas.net
      hashbl_acl_freemail mail-awu.de
      hashbl_acl_freemail mail-box.cz
      hashbl_acl_freemail mail-center.com
      hashbl_acl_freemail mail-central.com
      hashbl_acl_freemail mail-jp.org
      hashbl_acl_freemail mail-me.com
      hashbl_acl_freemail mail-on.us
      hashbl_acl_freemail mail-online.dk
      hashbl_acl_freemail mail-page.com
      hashbl_acl_freemail mail-x-change.com
      hashbl_acl_freemail mail.austria.com
      hashbl_acl_freemail mail.az
      hashbl_acl_freemail mail.be
      hashbl_acl_freemail mail.bg
      hashbl_acl_freemail mail.bulgaria.com
      hashbl_acl_freemail mail.by
      hashbl_acl_freemail mail.co.za
      hashbl_acl_freemail mail.com
      hashbl_acl_freemail mail.de
      hashbl_acl_freemail mail.dk
      hashbl_acl_freemail mail.ee
      hashbl_acl_freemail mail.goo.ne.jp
      hashbl_acl_freemail mail.gr
      hashbl_acl_freemail mail.lawguru.com
      hashbl_acl_freemail mail.md
      hashbl_acl_freemail mail.mn
      hashbl_acl_freemail mail.org
      hashbl_acl_freemail mail.pf
      hashbl_acl_freemail mail.pt
      hashbl_acl_freemail mail.ru
      hashbl_acl_freemail mail.yahoo.co.jp
      hashbl_acl_freemail mail15.com
      hashbl_acl_freemail mail3000.com
      hashbl_acl_freemail mail333.com
      hashbl_acl_freemail mail4me.com
      hashbl_acl_freemail mail8.com
      hashbl_acl_freemail mailandftp.com
      hashbl_acl_freemail mailandnews.com
      hashbl_acl_freemail mailas.com
      hashbl_acl_freemail mailasia.com
      hashbl_acl_freemail mailbg.com
      hashbl_acl_freemail mailblocks.com
      hashbl_acl_freemail mailbolt.com
      hashbl_acl_freemail mailbomb.com
      hashbl_acl_freemail mailbox.as
      hashbl_acl_freemail mailbox.co.za
      hashbl_acl_freemail mailbox.gr
      hashbl_acl_freemail mailbox.hu
      hashbl_acl_freemail mailbox.sk
      hashbl_acl_freemail mailc.net
      hashbl_acl_freemail mailcan.com
      hashbl_acl_freemail mailcircuit.com
      hashbl_acl_freemail mailclub.fr
      hashbl_acl_freemail mailclub.net
      hashbl_acl_freemail maildozy.com
      hashbl_acl_freemail mailfly.com
      hashbl_acl_freemail mailforce.net
      hashbl_acl_freemail mailftp.com
      hashbl_acl_freemail mailglobal.net
      hashbl_acl_freemail mailhaven.com
      hashbl_acl_freemail mailinator.com
      hashbl_acl_freemail mailingaddress.org
      hashbl_acl_freemail mailingweb.com
      hashbl_acl_freemail mailisent.com
      hashbl_acl_freemail mailite.com
      hashbl_acl_freemail mailme.dk
      hashbl_acl_freemail mailmight.com
      hashbl_acl_freemail mailmij.nl
      hashbl_acl_freemail mailnew.com
      hashbl_acl_freemail mailops.com
      hashbl_acl_freemail mailpanda.com
      hashbl_acl_freemail mailpersonal.com
      hashbl_acl_freemail mailroom.com
      hashbl_acl_freemail mailru.com
      hashbl_acl_freemail mails.de
      hashbl_acl_freemail mailsent.net
      hashbl_acl_freemail mailserver.dk
      hashbl_acl_freemail mailservice.ms
      hashbl_acl_freemail mailsnare.net
      hashbl_acl_freemail mailsurf.com
      hashbl_acl_freemail mailup.net
      hashbl_acl_freemail mailvault.com
      hashbl_acl_freemail mailworks.org
      hashbl_acl_freemail maine.usa.com
      hashbl_acl_freemail majorana.martina-franca.ta.it
      hashbl_acl_freemail majorgolfer.com
      hashbl_acl_freemail majorshopaholic.com
      hashbl_acl_freemail majortechie.com
      hashbl_acl_freemail maktoob.com
      hashbl_acl_freemail malayalamtelevision.net
      hashbl_acl_freemail malayalapathram.com
      hashbl_acl_freemail male.ru
      hashbl_acl_freemail manager.de
      hashbl_acl_freemail manama.cc
      hashbl_acl_freemail manlymail.net
      hashbl_acl_freemail mansoura.tv
      hashbl_acl_freemail mantrafreenet.com
      hashbl_acl_freemail mantramail.com
      hashbl_acl_freemail mantraonline.com
      hashbl_acl_freemail marchmail.com
      hashbl_acl_freemail marihuana.ro
      hashbl_acl_freemail marijuana.nl
      hashbl_acl_freemail marillion.net
      hashbl_acl_freemail marketweighton.com
      hashbl_acl_freemail marrakesh.cc
      hashbl_acl_freemail maryland.usa.com
      hashbl_acl_freemail mascara.ws
      hashbl_acl_freemail masrawy.com
      hashbl_acl_freemail massachusetts.usa.com
      hashbl_acl_freemail mauimail.com
      hashbl_acl_freemail mbox.com.au
      hashbl_acl_freemail mcom.com
      hashbl_acl_freemail mcrmail.com
      hashbl_acl_freemail me.by
      hashbl_acl_freemail me.com
      hashbl_acl_freemail medicinatv.com
      hashbl_acl_freemail meetingmall.com
      hashbl_acl_freemail mega-schlau.de
      hashbl_acl_freemail megamail.pt
      hashbl_acl_freemail megarave.com
      hashbl_acl_freemail meknes.cc
      hashbl_acl_freemail menara.ma
      hashbl_acl_freemail merseymail.com
      hashbl_acl_freemail mesra.net
      hashbl_acl_freemail messagez.com
      hashbl_acl_freemail metacrawler.com
      hashbl_acl_freemail metalfan.com
      hashbl_acl_freemail mexico.com
      hashbl_acl_freemail mexicomail.com
      hashbl_acl_freemail miaoweb.net
      hashbl_acl_freemail michigan.usa.com
      hashbl_acl_freemail micro2media.com
      hashbl_acl_freemail miesto.sk
      hashbl_acl_freemail mighty.co.za
      hashbl_acl_freemail milacamn.net
      hashbl_acl_freemail milmail.com
      hashbl_acl_freemail mindless.com
      hashbl_acl_freemail mindviz.com
      hashbl_acl_freemail minister.com
      hashbl_acl_freemail minnesota.usa.com
      hashbl_acl_freemail mississippi.usa.com
      hashbl_acl_freemail missouri.usa.com
      hashbl_acl_freemail mixmail.com
      hashbl_acl_freemail ml1.net
      hashbl_acl_freemail ml2clan.com
      hashbl_acl_freemail mlanime.com
      hashbl_acl_freemail mm.st
      hashbl_acl_freemail mmail.com
      hashbl_acl_freemail mobimail.mn
      hashbl_acl_freemail mobsters.com
      hashbl_acl_freemail mobstop.com
      hashbl_acl_freemail modemnet.net
      hashbl_acl_freemail modomail.com
      hashbl_acl_freemail mofa.com
      hashbl_acl_freemail moldova.com
      hashbl_acl_freemail moldovacc.com
      hashbl_acl_freemail monarchy.com
      hashbl_acl_freemail montana.usa.com
      hashbl_acl_freemail montevideo.com.uy
      hashbl_acl_freemail moomia.com
      hashbl_acl_freemail moose-mail.com
      hashbl_acl_freemail mosaicfx.com
      hashbl_acl_freemail moscowmail.com
      hashbl_acl_freemail motley.com
      hashbl_acl_freemail motor-nut.com
      hashbl_acl_freemail motormania.com
      hashbl_acl_freemail movemail.com
      hashbl_acl_freemail moviefan.com
      hashbl_acl_freemail mr.outblaze.com
      hashbl_acl_freemail mrspender.com
      hashbl_acl_freemail mscold.com
      hashbl_acl_freemail msn.co.uk
      hashbl_acl_freemail msn.com
      hashbl_acl_freemail msnzone.cn
      hashbl_acl_freemail mundo-r.com
      hashbl_acl_freemail munich.com
      hashbl_acl_freemail muscat.tv
      hashbl_acl_freemail muscat.ws
      hashbl_acl_freemail music.com
      hashbl_acl_freemail musician.net
      hashbl_acl_freemail musician.org
      hashbl_acl_freemail musicsites.com
      hashbl_acl_freemail muslim.com
      hashbl_acl_freemail muslimsonline.com
      hashbl_acl_freemail muss.so
      hashbl_acl_freemail mustangs.com
      hashbl_acl_freemail mxs.de
      hashbl_acl_freemail myblue.cc
      hashbl_acl_freemail mycabin.com
      hashbl_acl_freemail mycapitalsmail.com
      hashbl_acl_freemail mycatiscool.com
      hashbl_acl_freemail mycity.com
      hashbl_acl_freemail mycommail.com
      hashbl_acl_freemail mycool.com
      hashbl_acl_freemail mydomain.com
      hashbl_acl_freemail myeweb.com
      hashbl_acl_freemail myfantasyteamrules.com
      hashbl_acl_freemail myfastmail.com
      hashbl_acl_freemail myfunnymail.com
      hashbl_acl_freemail mygamingconsoles.com
      hashbl_acl_freemail mygrande.net
      hashbl_acl_freemail myiris.com
      hashbl_acl_freemail myjazzmail.com
      hashbl_acl_freemail mykolab.com
      hashbl_acl_freemail mymacmail.com
      hashbl_acl_freemail mymail.dk
      hashbl_acl_freemail mymail.ph.inter.net
      hashbl_acl_freemail mymail.ro
      hashbl_acl_freemail mynet.com
      hashbl_acl_freemail mynet.com.tr
      hashbl_acl_freemail myopera.com
      hashbl_acl_freemail myotw.net
      hashbl_acl_freemail myownemail.com
      hashbl_acl_freemail mypersonalemail.com
      hashbl_acl_freemail myplace.com
      hashbl_acl_freemail myrealbox.com
      hashbl_acl_freemail myself.com
      hashbl_acl_freemail myspace.com
      hashbl_acl_freemail myt.mu
      hashbl_acl_freemail myteamisbest.com
      hashbl_acl_freemail myway.com
      hashbl_acl_freemail mzgchaos.de
      hashbl_acl_freemail n2.com
      hashbl_acl_freemail n2business.com
      hashbl_acl_freemail n2mail.com
      hashbl_acl_freemail n2software.com
      hashbl_acl_freemail nabble.com
      hashbl_acl_freemail nabeul.cc
      hashbl_acl_freemail nabeul.info
      hashbl_acl_freemail nablus.cc
      hashbl_acl_freemail nador.cc
      hashbl_acl_freemail najaf.cc
      hashbl_acl_freemail name.com
      hashbl_acl_freemail nameplanet.com
      hashbl_acl_freemail nanamail.co.il
      hashbl_acl_freemail nanaseaikawa.com
      hashbl_acl_freemail nandomail.com
      hashbl_acl_freemail narod.ru
      hashbl_acl_freemail naseej.com
      hashbl_acl_freemail nastything.com
      hashbl_acl_freemail nate.com
      hashbl_acl_freemail national-champs.com
      hashbl_acl_freemail nativeweb.net
      hashbl_acl_freemail naveganas.com
      hashbl_acl_freemail naver.com
      hashbl_acl_freemail nebraska.usa.com
      hashbl_acl_freemail nemra1.com
      hashbl_acl_freemail nenter.com
      hashbl_acl_freemail nerd4life.de
      hashbl_acl_freemail nerdshack.com
      hashbl_acl_freemail nervhq.org
      hashbl_acl_freemail net-shopping.com
      hashbl_acl_freemail net-surf.com
      hashbl_acl_freemail net.hr
      hashbl_acl_freemail net4b.pt
      hashbl_acl_freemail net4jesus.com
      hashbl_acl_freemail net4you.at
      hashbl_acl_freemail netbounce.com
      hashbl_acl_freemail netbroadcaster.com
      hashbl_acl_freemail netbusiness.com
      hashbl_acl_freemail netcabo.pt
      hashbl_acl_freemail netcape.net
      hashbl_acl_freemail netcourrier.com
      hashbl_acl_freemail netexecutive.com
      hashbl_acl_freemail netfingers.com
      hashbl_acl_freemail netfirms.com
      hashbl_acl_freemail netkushi.com
      hashbl_acl_freemail netmongol.com
      hashbl_acl_freemail netpiper.com
      hashbl_acl_freemail netposta.net
      hashbl_acl_freemail netscape.com
      hashbl_acl_freemail netscape.net
      hashbl_acl_freemail netscapeonline.co.uk
      hashbl_acl_freemail netsquare.com
      hashbl_acl_freemail nettaxi.com
      hashbl_acl_freemail netti.fi
      hashbl_acl_freemail networld.com
      hashbl_acl_freemail netzero.com
      hashbl_acl_freemail netzero.net
      hashbl_acl_freemail neustreet.com
      hashbl_acl_freemail nevada.usa.com
      hashbl_acl_freemail newhampshire.usa.com
      hashbl_acl_freemail newjersey.usa.com
      hashbl_acl_freemail newmail.com
      hashbl_acl_freemail newmail.net
      hashbl_acl_freemail newmail.ok.com
      hashbl_acl_freemail newmail.ru
      hashbl_acl_freemail newmexico.usa.com
      hashbl_acl_freemail news-fanatic.com
      hashbl_acl_freemail newspaperemail.com
      hashbl_acl_freemail newspaperfan.com
      hashbl_acl_freemail newyork.com
      hashbl_acl_freemail newyork.usa.com
      hashbl_acl_freemail newyorkcity.com
      hashbl_acl_freemail nfmail.com
      hashbl_acl_freemail nicegal.com
      hashbl_acl_freemail nightimeuk.com
      hashbl_acl_freemail nightly.com
      hashbl_acl_freemail nightmail.com
      hashbl_acl_freemail nightmail.ru
      hashbl_acl_freemail ninfan.com
      hashbl_acl_freemail noavar.com
      hashbl_acl_freemail nocharge.com
      hashbl_acl_freemail noemail.com
      hashbl_acl_freemail nokiamail.com
      hashbl_acl_freemail nonomail.com
      hashbl_acl_freemail nonpartisan.com
      hashbl_acl_freemail noolhar.com
      hashbl_acl_freemail northcarolina.usa.com
      hashbl_acl_freemail northdakota.usa.com
      hashbl_acl_freemail nospammail.net
      hashbl_acl_freemail nowzer.com
      hashbl_acl_freemail null.net
      hashbl_acl_freemail ny.com
      hashbl_acl_freemail nyc.com
      hashbl_acl_freemail nycmail.com
      hashbl_acl_freemail nz11.com
      hashbl_acl_freemail nzoomail.com
      hashbl_acl_freemail o2.pl
      hashbl_acl_freemail oath.com
      hashbl_acl_freemail oceanfree.net
      hashbl_acl_freemail ocsnet.net
      hashbl_acl_freemail oddpost.com
      hashbl_acl_freemail odeon.pl
      hashbl_acl_freemail odmail.com
      hashbl_acl_freemail offcolormail.com
      hashbl_acl_freemail offshorewebmail.com
      hashbl_acl_freemail ofir.dk
      hashbl_acl_freemail ohio.usa.com
      hashbl_acl_freemail ohne-drogen-gehts.net
      hashbl_acl_freemail oicexchange.com
      hashbl_acl_freemail ok.ru
      hashbl_acl_freemail oklahoma.usa.com
      hashbl_acl_freemail ole.com
      hashbl_acl_freemail oleco.net
      hashbl_acl_freemail olympist.net
      hashbl_acl_freemail omani.ws
      hashbl_acl_freemail omaninfo.com
      hashbl_acl_freemail omdurman.cc
      hashbl_acl_freemail on-steroids.de
      hashbl_acl_freemail onatoo.com
      hashbl_acl_freemail ondikoi.com
      hashbl_acl_freemail onebox.com
      hashbl_acl_freemail onenet.com.ar
      hashbl_acl_freemail onet.pl
      hashbl_acl_freemail ongc.net
      hashbl_acl_freemail oninet.pt
      hashbl_acl_freemail online.ie
      hashbl_acl_freemail online.ru
      hashbl_acl_freemail onlinevideosrock.com
      hashbl_acl_freemail onlinewiz.com
      hashbl_acl_freemail onobox.com
      hashbl_acl_freemail open.by
      hashbl_acl_freemail openbg.com
      hashbl_acl_freemail openforyou.com
      hashbl_acl_freemail openmail.cc
      hashbl_acl_freemail opentransfer.com
      hashbl_acl_freemail operamail.com
      hashbl_acl_freemail operationivy.com
      hashbl_acl_freemail oplusnet.com
      hashbl_acl_freemail optician.com
      hashbl_acl_freemail oran.cc
      hashbl_acl_freemail orange.es
      hashbl_acl_freemail orange.fr
      hashbl_acl_freemail orange.jo
      hashbl_acl_freemail orange.pl
      hashbl_acl_freemail orangehome.co.uk
      hashbl_acl_freemail orbitel.bg
      hashbl_acl_freemail orcon.net.nz
      hashbl_acl_freemail oregon.usa.com
      hashbl_acl_freemail oreka.com
      hashbl_acl_freemail organizer.net
      hashbl_acl_freemail orgio.net
      hashbl_acl_freemail orthodontist.net
      hashbl_acl_freemail orthodox.com
      hashbl_acl_freemail osite.com.br
      hashbl_acl_freemail oso.com
      hashbl_acl_freemail oued.info
      hashbl_acl_freemail oued.org
      hashbl_acl_freemail oujda.biz
      hashbl_acl_freemail oujda.cc
      hashbl_acl_freemail ourbrisbane.com
      hashbl_acl_freemail ournet.md
      hashbl_acl_freemail ourprofile.net
      hashbl_acl_freemail ourwest.com
      hashbl_acl_freemail outgun.com
      hashbl_acl_freemail outlook.com
      hashbl_acl_freemail ownmail.net
      hashbl_acl_freemail oxfoot.com
      hashbl_acl_freemail ozu.es
      hashbl_acl_freemail pacer.com
      hashbl_acl_freemail pacific-ocean.com
      hashbl_acl_freemail pacificwest.com
      hashbl_acl_freemail paginasamarillas.com
      hashbl_acl_freemail paidoffers.net
      hashbl_acl_freemail pakistani.ws
      hashbl_acl_freemail pakistanmail.com
      hashbl_acl_freemail palmyra.cc
      hashbl_acl_freemail palmyra.ws
      hashbl_acl_freemail paltalk.ir
      hashbl_acl_freemail pandawa.com
      hashbl_acl_freemail pando.com
      hashbl_acl_freemail pandora.be
      hashbl_acl_freemail paris.com
      hashbl_acl_freemail parsimail.com
      hashbl_acl_freemail parspage.com
      hashbl_acl_freemail patmail.com
      hashbl_acl_freemail pattayacitythailand.com
      hashbl_acl_freemail pc4me.us
      hashbl_acl_freemail pcbee.com
      hashbl_acl_freemail pcpostal.com
      hashbl_acl_freemail pediatrician.com
      hashbl_acl_freemail penguinmaster.com
      hashbl_acl_freemail pennsylvania.usa.com
      hashbl_acl_freemail peoplepc.com
      hashbl_acl_freemail peopleweb.com
      hashbl_acl_freemail persian.com
      hashbl_acl_freemail personal.ro
      hashbl_acl_freemail personales.com
      hashbl_acl_freemail peru.com
      hashbl_acl_freemail petlover.com
      hashbl_acl_freemail petml.com
      hashbl_acl_freemail petrofind.com
      hashbl_acl_freemail photographer.net
      hashbl_acl_freemail phreaker.net
      hashbl_acl_freemail phunkybitches.com
      hashbl_acl_freemail physicist.net
      hashbl_acl_freemail pigeonportal.com
      hashbl_acl_freemail pikaguam.com
      hashbl_acl_freemail pilu.com
      hashbl_acl_freemail pimagop.com
      hashbl_acl_freemail pinkcity.net
      hashbl_acl_freemail pinoymail.com
      hashbl_acl_freemail pipni.cz
      hashbl_acl_freemail pisem.net
      hashbl_acl_freemail pitbullmail.com
      hashbl_acl_freemail planet-school.de
      hashbl_acl_freemail planetaccess.com
      hashbl_acl_freemail planetmail.com
      hashbl_acl_freemail planetmail.net
      hashbl_acl_freemail planetout.com
      hashbl_acl_freemail planetsmeg.com
      hashbl_acl_freemail plasa.com
      hashbl_acl_freemail playersodds.com
      hashbl_acl_freemail playful.com
      hashbl_acl_freemail pluno.com
      hashbl_acl_freemail plusmail.com.br
      hashbl_acl_freemail pmail.net
      hashbl_acl_freemail pnetmail.co.za
      hashbl_acl_freemail pobox.ru
      hashbl_acl_freemail pobox.sk
      hashbl_acl_freemail pochta.ru
      hashbl_acl_freemail pochtamt.ru
      hashbl_acl_freemail poczta.fm
      hashbl_acl_freemail poetic.com
      hashbl_acl_freemail pogowave.com
      hashbl_acl_freemail polandmail.com
      hashbl_acl_freemail polbox.com
      hashbl_acl_freemail politician.com
      hashbl_acl_freemail pookmail.com
      hashbl_acl_freemail poop.com
      hashbl_acl_freemail poormail.com
      hashbl_acl_freemail pop.co.th
      hashbl_acl_freemail pop3.ru
      hashbl_acl_freemail popmail.com
      hashbl_acl_freemail poppymail.com
      hashbl_acl_freemail popsmail.com
      hashbl_acl_freemail popstar.com
      hashbl_acl_freemail portafree.com
      hashbl_acl_freemail portaldosalunos.com
      hashbl_acl_freemail portsaid.cc
      hashbl_acl_freemail portugalmail.com
      hashbl_acl_freemail portugalmail.pt
      hashbl_acl_freemail post.com
      hashbl_acl_freemail post.cz
      hashbl_acl_freemail post.expart.ne.jp
      hashbl_acl_freemail post.pl
      hashbl_acl_freemail post.sk
      hashbl_acl_freemail posta.ge
      hashbl_acl_freemail postaccesslite.com
      hashbl_acl_freemail postiloota.net
      hashbl_acl_freemail postinbox.com
      hashbl_acl_freemail postino.ch
      hashbl_acl_freemail postino.it
      hashbl_acl_freemail postmaster.co.uk
      hashbl_acl_freemail postpro.net
      hashbl_acl_freemail potsmokersnet.com
      hashbl_acl_freemail powdermail.com
      hashbl_acl_freemail praize.com
      hashbl_acl_freemail presidency.com
      hashbl_acl_freemail press.co.jp
      hashbl_acl_freemail priest.com
      hashbl_acl_freemail primetap.com
      hashbl_acl_freemail primposta.com
      hashbl_acl_freemail printesamargareta.ro
      hashbl_acl_freemail private.21cn.com
      hashbl_acl_freemail probemail.com
      hashbl_acl_freemail profesional.com
      hashbl_acl_freemail profession.freemail.com.br
      hashbl_acl_freemail programmer.net
      hashbl_acl_freemail proinbox.com
      hashbl_acl_freemail project420.com
      hashbl_acl_freemail prolife.net
      hashbl_acl_freemail promessage.com
      hashbl_acl_freemail prontomail.com
      hashbl_acl_freemail protestant.com
      hashbl_acl_freemail protonmail.ch
      hashbl_acl_freemail protonmail.com
      hashbl_acl_freemail provincial.net
      hashbl_acl_freemail publicaccounting.com
      hashbl_acl_freemail publicist.com
      hashbl_acl_freemail puertoricowow.com
      hashbl_acl_freemail punkass.com
      hashbl_acl_freemail puppetweb.com
      hashbl_acl_freemail puppy.com.my
      hashbl_acl_freemail q.com
      hashbl_acl_freemail qassem.cc
      hashbl_acl_freemail qatar.io
      hashbl_acl_freemail qlmail.com
      hashbl_acl_freemail qq.com
      hashbl_acl_freemail qrio.com
      hashbl_acl_freemail qsl.net
      hashbl_acl_freemail qualityservice.com
      hashbl_acl_freemail quds.cc
      hashbl_acl_freemail qudsmail.com
      hashbl_acl_freemail queerplaces.com
      hashbl_acl_freemail quepasa.com
      hashbl_acl_freemail quick.cz
      hashbl_acl_freemail quickwebmail.com
      hashbl_acl_freemail r-o-o-t.com
      hashbl_acl_freemail r320.hu
      hashbl_acl_freemail raakim.com
      hashbl_acl_freemail rabat.cc
      hashbl_acl_freemail racingseat.com
      hashbl_acl_freemail radicalz.com
      hashbl_acl_freemail radiojobbank.com
      hashbl_acl_freemail radiologist.net
      hashbl_acl_freemail rafah.cc
      hashbl_acl_freemail ragingbull.com
      hashbl_acl_freemail raisingadaughter.com
      hashbl_acl_freemail rallye-webmail.com
      hashbl_acl_freemail ramallah.cc
      hashbl_acl_freemail rambler.ru
      hashbl_acl_freemail ranmamail.com
      hashbl_acl_freemail rapstar.com
      hashbl_acl_freemail rapworld.com
      hashbl_acl_freemail rastamall.com
      hashbl_acl_freemail ratedx.net
      hashbl_acl_freemail ravearena.com
      hashbl_acl_freemail ravemail.co.za
      hashbl_acl_freemail ravemail.com
      hashbl_acl_freemail ravermail.com
      hashbl_acl_freemail razormail.com
      hashbl_acl_freemail rbcmail.ru
      hashbl_acl_freemail rbox.co
      hashbl_acl_freemail rbox.me
      hashbl_acl_freemail real.ro
      hashbl_acl_freemail realbookfan.com
      hashbl_acl_freemail realemail.net
      hashbl_acl_freemail realhealthnut.com
      hashbl_acl_freemail realitytvaddict.net
      hashbl_acl_freemail realitytvnut.com
      hashbl_acl_freemail reallyfast.biz
      hashbl_acl_freemail reallyfast.info
      hashbl_acl_freemail reallyintomusic.com
      hashbl_acl_freemail realtravelfan.com
      hashbl_acl_freemail realtyagent.com
      hashbl_acl_freemail rebels.com
      hashbl_acl_freemail reborn.com
      hashbl_acl_freemail recife.net
      hashbl_acl_freemail recme.net
      hashbl_acl_freemail rediffmail.com
      hashbl_acl_freemail rediffmailpro.com
      hashbl_acl_freemail redseven.de
      hashbl_acl_freemail redskinscheer.com
      hashbl_acl_freemail redskinsfamily.com
      hashbl_acl_freemail redskinsfancentral.com
      hashbl_acl_freemail redskinshog.com
      hashbl_acl_freemail redskinsrule.com
      hashbl_acl_freemail redskinsspecialteams.com
      hashbl_acl_freemail redskinsultimatefan.com
      hashbl_acl_freemail redwhitearmy.com
      hashbl_acl_freemail reggaefan.com
      hashbl_acl_freemail registerednurses.com
      hashbl_acl_freemail reincarnate.com
      hashbl_acl_freemail relapsecult.com
      hashbl_acl_freemail relia.com
      hashbl_acl_freemail religious.com
      hashbl_acl_freemail remixer.com
      hashbl_acl_freemail repairman.com
      hashbl_acl_freemail representative.com
      hashbl_acl_freemail rescueteam.com
      hashbl_acl_freemail revenue.com
      hashbl_acl_freemail rexian.com
      hashbl_acl_freemail rhodeisland.usa.com
      hashbl_acl_freemail ritmes.net
      hashbl_acl_freemail rn.com
      hashbl_acl_freemail roanokemail.com
      hashbl_acl_freemail rochester-mail.com
      hashbl_acl_freemail rock.com
      hashbl_acl_freemail rockeros.com
      hashbl_acl_freemail rocketmail.com
      hashbl_acl_freemail rocketship.com
      hashbl_acl_freemail rockfan.com
      hashbl_acl_freemail rockinghamgateway.com
      hashbl_acl_freemail rojname.com
      hashbl_acl_freemail rol.ro
      hashbl_acl_freemail rollin.com
      hashbl_acl_freemail romance106fm.com
      hashbl_acl_freemail rome.com
      hashbl_acl_freemail romymichele.com
      hashbl_acl_freemail royal.net
      hashbl_acl_freemail rpharmacist.com
      hashbl_acl_freemail rt.nl
      hashbl_acl_freemail ru.ru
      hashbl_acl_freemail runbox.com
      hashbl_acl_freemail rushpost.com
      hashbl_acl_freemail russiamail.com
      hashbl_acl_freemail rxpost.net
      hashbl_acl_freemail s-mail.com
      hashbl_acl_freemail saabnet.com
      hashbl_acl_freemail sacbeemail.com
      hashbl_acl_freemail sacmail.com
      hashbl_acl_freemail safat.biz
      hashbl_acl_freemail safat.info
      hashbl_acl_freemail safat.us
      hashbl_acl_freemail safat.ws
      hashbl_acl_freemail safe-mail.net
      hashbl_acl_freemail safe-mailbox.com
      hashbl_acl_freemail safrica.com
      hashbl_acl_freemail saigonnet.vn
      hashbl_acl_freemail saint-mike.org
      hashbl_acl_freemail saintly.com
      hashbl_acl_freemail salalah.cc
      hashbl_acl_freemail salesperson.net
      hashbl_acl_freemail salmiya.biz
      hashbl_acl_freemail samerica.com
      hashbl_acl_freemail samilan.net
      hashbl_acl_freemail sanaa.cc
      hashbl_acl_freemail sandiego.com
      hashbl_acl_freemail sanfranmail.com
      hashbl_acl_freemail sanook.com
      hashbl_acl_freemail sanriotown.com
      hashbl_acl_freemail sapibon.com
      hashbl_acl_freemail sapo.pt
      hashbl_acl_freemail saturnfans.com
      hashbl_acl_freemail sayhi.net
      hashbl_acl_freemail sbcglobal.com
      hashbl_acl_freemail scfn.net
      hashbl_acl_freemail scheint.so
      hashbl_acl_freemail schweiz.org
      hashbl_acl_freemail sci.fi
      hashbl_acl_freemail sciaga.pl
      hashbl_acl_freemail scientist.com
      hashbl_acl_freemail scotlandmail.com
      hashbl_acl_freemail scoutmail.com
      hashbl_acl_freemail scrapbookscrapbook.com
      hashbl_acl_freemail seapole.com
      hashbl_acl_freemail search417.com
      hashbl_acl_freemail seark.com
      hashbl_acl_freemail sebil.com
      hashbl_acl_freemail secretary.net
      hashbl_acl_freemail secretservices.net
      hashbl_acl_freemail secure-jlnet.com
      hashbl_acl_freemail seductive.com
      hashbl_acl_freemail seeb.cc
      hashbl_acl_freemail sendmail.ru
      hashbl_acl_freemail sendme.cz
      hashbl_acl_freemail sent.as
      hashbl_acl_freemail sent.at
      hashbl_acl_freemail sent.com
      hashbl_acl_freemail serga.com.ar
      hashbl_acl_freemail sermix.com
      hashbl_acl_freemail server4free.de
      hashbl_acl_freemail serverwench.com
      hashbl_acl_freemail sesmail.com
      hashbl_acl_freemail sexmagnet.com
      hashbl_acl_freemail sexriga.lv
      hashbl_acl_freemail seznam.cz
      hashbl_acl_freemail sfax.ws
      hashbl_acl_freemail shadango.com
      hashbl_acl_freemail sharm.cc
      hashbl_acl_freemail she.com
      hashbl_acl_freemail shuf.com
      hashbl_acl_freemail siamlocalhost.com
      hashbl_acl_freemail siamnow.net
      hashbl_acl_freemail sify.com
      hashbl_acl_freemail sina.cn
      hashbl_acl_freemail sina.com
      hashbl_acl_freemail sinai.cc
      hashbl_acl_freemail sinamail.com
      hashbl_acl_freemail sinanail.com
      hashbl_acl_freemail singalongcenter.com
      hashbl_acl_freemail singapore.com
      hashbl_acl_freemail singmail.com
      hashbl_acl_freemail singnet.com.sg
      hashbl_acl_freemail siraj.org
      hashbl_acl_freemail siria.cc
      hashbl_acl_freemail sirindia.com
      hashbl_acl_freemail sirunet.com
      hashbl_acl_freemail sister.com
      hashbl_acl_freemail sistersbrothers.com
      hashbl_acl_freemail sizzling.com
      hashbl_acl_freemail sketchyfriends.com
      hashbl_acl_freemail skins4life.com
      hashbl_acl_freemail slamdunkfan.com
      hashbl_acl_freemail slayerized.com
      hashbl_acl_freemail slickriffs.co.uk
      hashbl_acl_freemail slingshot.com
      hashbl_acl_freemail slo.net
      hashbl_acl_freemail slomusic.net
      hashbl_acl_freemail smartemail.co.uk
      hashbl_acl_freemail smartstocks.com
      hashbl_acl_freemail smtp.ru
      hashbl_acl_freemail snail-mail.net
      hashbl_acl_freemail snakebite.com
      hashbl_acl_freemail sndt.net
      hashbl_acl_freemail sneakemail.com
      hashbl_acl_freemail snoopymail.com
      hashbl_acl_freemail snowboarding.com
      hashbl_acl_freemail so-simple.org
      hashbl_acl_freemail socamail.com
      hashbl_acl_freemail socialworker.net
      hashbl_acl_freemail sociologist.com
      hashbl_acl_freemail softhome.net
      hashbl_acl_freemail sohu.com
      hashbl_acl_freemail sol.dk
      hashbl_acl_freemail solidmail.com
      hashbl_acl_freemail solution4u.com
      hashbl_acl_freemail songwriter.net
      hashbl_acl_freemail soon.com
      hashbl_acl_freemail sos.lv
      hashbl_acl_freemail soulja-beatz.org
      hashbl_acl_freemail soundvillage.org
      hashbl_acl_freemail sousse.cc
      hashbl_acl_freemail southcarolina.usa.com
      hashbl_acl_freemail southdakota.usa.com
      hashbl_acl_freemail space.com
      hashbl_acl_freemail spacetowns.com
      hashbl_acl_freemail spain.ir
      hashbl_acl_freemail spainmail.com
      hashbl_acl_freemail spamex.com
      hashbl_acl_freemail spartapiet.com
      hashbl_acl_freemail specialoperations.com
      hashbl_acl_freemail speed-racer.com
      hashbl_acl_freemail speedpost.net
      hashbl_acl_freemail speedymail.net
      hashbl_acl_freemail speedymail.org
      hashbl_acl_freemail spells.com
      hashbl_acl_freemail spils.com
      hashbl_acl_freemail spinfinder.com
      hashbl_acl_freemail sportemail.com
      hashbl_acl_freemail spray.net
      hashbl_acl_freemail spray.no
      hashbl_acl_freemail spray.se
      hashbl_acl_freemail spymac.com
      hashbl_acl_freemail srbbs.com
      hashbl_acl_freemail srilankan.net
      hashbl_acl_freemail ssan.com
      hashbl_acl_freemail ssl-mail.com
      hashbl_acl_freemail staatsterrorist.de
      hashbl_acl_freemail stade.fr
      hashbl_acl_freemail stalag13.com
      hashbl_acl_freemail stampmail.com
      hashbl_acl_freemail starbuzz.com
      hashbl_acl_freemail stargate2.com
      hashbl_acl_freemail stargateatlantis.com
      hashbl_acl_freemail stargatefanclub.com
      hashbl_acl_freemail stargatesg1.com
      hashbl_acl_freemail stargateu.com
      hashbl_acl_freemail starline.ee
      hashbl_acl_freemail starmail.com
      hashbl_acl_freemail starmail.org
      hashbl_acl_freemail starmedia.com
      hashbl_acl_freemail starspath.com
      hashbl_acl_freemail start.com.au
      hashbl_acl_freemail start.no
      hashbl_acl_freemail streetracing.com
      hashbl_acl_freemail stribmail.com
      hashbl_acl_freemail strompost.com
      hashbl_acl_freemail student.com
      hashbl_acl_freemail student.ednet.ns.ca
      hashbl_acl_freemail studmail.com
      hashbl_acl_freemail subspacemail.com
      hashbl_acl_freemail sudanese.cc
      hashbl_acl_freemail sudanmail.net
      hashbl_acl_freemail suez.cc
      hashbl_acl_freemail sugarray.com
      hashbl_acl_freemail suisse.org
      hashbl_acl_freemail sunbella.net
      hashbl_acl_freemail sunmail1.com
      hashbl_acl_freemail sunpoint.net
      hashbl_acl_freemail sunrise.ch
      hashbl_acl_freemail sunumail.sn
      hashbl_acl_freemail sunuweb.net
      hashbl_acl_freemail suomi24.fi
      hashbl_acl_freemail super-gerissen.de
      hashbl_acl_freemail superbikeclub.com
      hashbl_acl_freemail superdada.it
      hashbl_acl_freemail supereva.com
      hashbl_acl_freemail supereva.it
      hashbl_acl_freemail superintendents.net
      hashbl_acl_freemail supermailbox.com
      hashbl_acl_freemail superposta.com
      hashbl_acl_freemail surf3.net
      hashbl_acl_freemail surfassistant.com
      hashbl_acl_freemail surfguiden.com
      hashbl_acl_freemail surfsupnet.net
      hashbl_acl_freemail surfy.net
      hashbl_acl_freemail surgical.net
      hashbl_acl_freemail surimail.com
      hashbl_acl_freemail surnet.cl
      hashbl_acl_freemail sverige.nu
      hashbl_acl_freemail svizzera.org
      hashbl_acl_freemail sweb.cz
      hashbl_acl_freemail sweden.ir
      hashbl_acl_freemail swedenmail.com
      hashbl_acl_freemail sweetwishes.com
      hashbl_acl_freemail swift-mail.com
      hashbl_acl_freemail swissinfo.org
      hashbl_acl_freemail swissmail.com
      hashbl_acl_freemail swissmail.net
      hashbl_acl_freemail switched.com
      hashbl_acl_freemail switzerland.org
      hashbl_acl_freemail syom.com
      hashbl_acl_freemail syriamail.com
      hashbl_acl_freemail t-mail.com
      hashbl_acl_freemail t-net.net.ve
      hashbl_acl_freemail t-online.de
      hashbl_acl_freemail t2mail.com
      hashbl_acl_freemail tabasheer.com
      hashbl_acl_freemail tabouk.cc
      hashbl_acl_freemail tajikistan.cc
      hashbl_acl_freemail talk21.com
      hashbl_acl_freemail talkcity.com
      hashbl_acl_freemail tangiers.cc
      hashbl_acl_freemail tangmonkey.com
      hashbl_acl_freemail tanta.cc
      hashbl_acl_freemail tatanova.com
      hashbl_acl_freemail tattoodesign.com
      hashbl_acl_freemail taxcutadvice.com
      hashbl_acl_freemail tayef.cc
      hashbl_acl_freemail teachers.org
      hashbl_acl_freemail teamster.net
      hashbl_acl_freemail tech-center.com
      hashbl_acl_freemail techemail.com
      hashbl_acl_freemail techie.com
      hashbl_acl_freemail technisamail.co.za
      hashbl_acl_freemail technologist.com
      hashbl_acl_freemail teenchatnow.com
      hashbl_acl_freemail teenmail.co.uk
      hashbl_acl_freemail teenmail.co.za
      hashbl_acl_freemail tejary.com
      hashbl_acl_freemail telebot.com
      hashbl_acl_freemail telefonica.net
      hashbl_acl_freemail telegraf.by
      hashbl_acl_freemail teleline.es
      hashbl_acl_freemail telenet.be
      hashbl_acl_freemail telinco.net
      hashbl_acl_freemail telkom.net
      hashbl_acl_freemail telpage.net
      hashbl_acl_freemail telstra.com
      hashbl_acl_freemail telusplanet.net
      hashbl_acl_freemail tempting.com
      hashbl_acl_freemail tenchiclub.com
      hashbl_acl_freemail tennessee.usa.com
      hashbl_acl_freemail terrapins.com
      hashbl_acl_freemail tetouan.cc
      hashbl_acl_freemail texas.usa.com
      hashbl_acl_freemail texascrossroads.com
      hashbl_acl_freemail tfz.net
      hashbl_acl_freemail thai.com
      hashbl_acl_freemail thaimail.com
      hashbl_acl_freemail thaimail.net
      hashbl_acl_freemail the-fastest.net
      hashbl_acl_freemail the-quickest.com
      hashbl_acl_freemail the5thquarter.com
      hashbl_acl_freemail theblackmarket.com
      hashbl_acl_freemail thegame.com
      hashbl_acl_freemail thegamefanatic.com
      hashbl_acl_freemail theinternetemail.com
      hashbl_acl_freemail theoffice.net
      hashbl_acl_freemail theplate.com
      hashbl_acl_freemail thepostmaster.net
      hashbl_acl_freemail theracetrack.com
      hashbl_acl_freemail therapist.net
      hashbl_acl_freemail theserverbiz.com
      hashbl_acl_freemail thewatercooler.com
      hashbl_acl_freemail thewebpros.co.uk
      hashbl_acl_freemail thinkpost.net
      hashbl_acl_freemail thirdage.com
      hashbl_acl_freemail thundermail.com
      hashbl_acl_freemail tightmail.com
      hashbl_acl_freemail tim.it
      hashbl_acl_freemail timemail.com
      hashbl_acl_freemail timor.cc
      hashbl_acl_freemail tin.it
      hashbl_acl_freemail tinati.net
      hashbl_acl_freemail tiscali.co.uk
      hashbl_acl_freemail tiscali.com
      hashbl_acl_freemail tiscali.it
      hashbl_acl_freemail tiscalinet.it
      hashbl_acl_freemail tjohoo.se
      hashbl_acl_freemail tkcity.com
      hashbl_acl_freemail tlcfan.com
      hashbl_acl_freemail tlen.pl
      hashbl_acl_freemail tmicha.net
      hashbl_acl_freemail todito.com
      hashbl_acl_freemail todoperros.com
      hashbl_acl_freemail toke.com
      hashbl_acl_freemail tokyo.com
      hashbl_acl_freemail tokyo.ir
      hashbl_acl_freemail tombstone.ws
      hashbl_acl_freemail toothandmail.com
      hashbl_acl_freemail toothfairy.com
      hashbl_acl_freemail topchat.com
      hashbl_acl_freemail topmail.co.ie
      hashbl_acl_freemail topmail.co.in
      hashbl_acl_freemail topmail.co.nz
      hashbl_acl_freemail topmail.co.uk
      hashbl_acl_freemail topmail.co.za
      hashbl_acl_freemail topmail.com.ar
      hashbl_acl_freemail topmail.dk
      hashbl_acl_freemail topsurf.com
      hashbl_acl_freemail toquedequeda.com
      hashbl_acl_freemail torba.com
      hashbl_acl_freemail torchmail.com
      hashbl_acl_freemail torontomail.com
      hashbl_acl_freemail total-techie.com
      hashbl_acl_freemail totalfoodnut.com
      hashbl_acl_freemail totally-into-cooking.com
      hashbl_acl_freemail totallyintobaseball.com
      hashbl_acl_freemail totallyintobasketball.com
      hashbl_acl_freemail totallyintocooking.com
      hashbl_acl_freemail totallyintofootball.com
      hashbl_acl_freemail totallyintogolf.com
      hashbl_acl_freemail totallyintohockey.com
      hashbl_acl_freemail totallyintomusic.com
      hashbl_acl_freemail totallyintoreading.com
      hashbl_acl_freemail totallyintosports.com
      hashbl_acl_freemail totallyintotravel.com
      hashbl_acl_freemail totalmail.com
      hashbl_acl_freemail totalmoviefan.com
      hashbl_acl_freemail totalsurf.com
      hashbl_acl_freemail totonline.net
      hashbl_acl_freemail tough.com
      hashbl_acl_freemail toughguy.net
      hashbl_acl_freemail trav.se
      hashbl_acl_freemail travel2newplaces.com
      hashbl_acl_freemail trevas.net
      hashbl_acl_freemail tripod-mail.com
      hashbl_acl_freemail triton.net
      hashbl_acl_freemail trmailbox.com
      hashbl_acl_freemail troamail.org
      hashbl_acl_freemail tsamail.co.za
      hashbl_acl_freemail tunisian.cc
      hashbl_acl_freemail tunome.com
      hashbl_acl_freemail turbonett.com
      hashbl_acl_freemail turkey.com
      hashbl_acl_freemail tushmail.com
      hashbl_acl_freemail tvchannelsurfer.com
      hashbl_acl_freemail tvnet.lv
      hashbl_acl_freemail tvstar.com
      hashbl_acl_freemail twc.com
      hashbl_acl_freemail typemail.com
      hashbl_acl_freemail u2club.com
      hashbl_acl_freemail u2tours.com
      hashbl_acl_freemail uae.ac
      hashbl_acl_freemail ubbi.com
      hashbl_acl_freemail ubbi.com.br
      hashbl_acl_freemail uboot.com
      hashbl_acl_freemail ugeek.com
      hashbl_acl_freemail uk2.net
      hashbl_acl_freemail uk2net.com
      hashbl_acl_freemail ukr.net
      hashbl_acl_freemail ukrpost.net
      hashbl_acl_freemail ukrpost.ua
      hashbl_acl_freemail uku.co.uk
      hashbl_acl_freemail ulimit.com
      hashbl_acl_freemail ultimateredskinsfan.com
      hashbl_acl_freemail ummah.org
      hashbl_acl_freemail umpire.com
      hashbl_acl_freemail unbounded.com
      hashbl_acl_freemail unendlich-schlau.de
      hashbl_acl_freemail unican.es
      hashbl_acl_freemail unicum.de
      hashbl_acl_freemail unimail.mn
      hashbl_acl_freemail unitedemailsystems.com
      hashbl_acl_freemail universal.pt
      hashbl_acl_freemail universia.cl
      hashbl_acl_freemail universia.edu.ve
      hashbl_acl_freemail universia.es
      hashbl_acl_freemail universia.net.co
      hashbl_acl_freemail universia.net.mx
      hashbl_acl_freemail universia.pr
      hashbl_acl_freemail universia.pt
      hashbl_acl_freemail universiabrasil.net
      hashbl_acl_freemail unofree.it
      hashbl_acl_freemail uol.com.ar
      hashbl_acl_freemail uol.com.br
      hashbl_acl_freemail uole.com
      hashbl_acl_freemail uolmail.com
      hashbl_acl_freemail uomail.com
      hashbl_acl_freemail uraniomail.com
      hashbl_acl_freemail urbi.com.br
      hashbl_acl_freemail urdun.cc
      hashbl_acl_freemail ureach.com
      hashbl_acl_freemail usa.com
      hashbl_acl_freemail usanetmail.com
      hashbl_acl_freemail userbeam.com
      hashbl_acl_freemail utah.usa.com
      hashbl_acl_freemail uymail.com
      hashbl_acl_freemail uyuyuy.com
      hashbl_acl_freemail v-sexi.com
      hashbl_acl_freemail v3mail.com
      hashbl_acl_freemail vegetarisme.be
      hashbl_acl_freemail velnet.com
      hashbl_acl_freemail velocall.com
      hashbl_acl_freemail vercorreo.com
      hashbl_acl_freemail verizonmail.com
      hashbl_acl_freemail vermont.usa.com
      hashbl_acl_freemail verticalheaven.com
      hashbl_acl_freemail veryfast.biz
      hashbl_acl_freemail veryspeedy.net
      hashbl_acl_freemail vfemail.net
      hashbl_acl_freemail videogamesrock.com
      hashbl_acl_freemail vietmedia.com
      hashbl_acl_freemail vip-client.de
      hashbl_acl_freemail vip.126.com
      hashbl_acl_freemail vip.163.com
      hashbl_acl_freemail vip.188.com
      hashbl_acl_freemail vip.gr
      hashbl_acl_freemail vip.qq.com
      hashbl_acl_freemail vip.sina.com
      hashbl_acl_freemail vip.sohu.com
      hashbl_acl_freemail vip.sohu.net
      hashbl_acl_freemail vip.tom.com
      hashbl_acl_freemail vipsohu.net
      hashbl_acl_freemail virgilio.it
      hashbl_acl_freemail virgin.net
      hashbl_acl_freemail virginia.usa.com
      hashbl_acl_freemail virtual-mail.com
      hashbl_acl_freemail visitmail.com
      hashbl_acl_freemail visto.com
      hashbl_acl_freemail vitalogy.org
      hashbl_acl_freemail vivelared.com
      hashbl_acl_freemail vjtimail.com
      hashbl_acl_freemail vnn.vn
      hashbl_acl_freemail vodafone.com
      hashbl_acl_freemail vodafone.it
      hashbl_acl_freemail vodamail.co.za
      hashbl_acl_freemail voila.fr
      hashbl_acl_freemail volkermord.com
      hashbl_acl_freemail volunteeringisawesome.com
      hashbl_acl_freemail vosforums.com
      hashbl_acl_freemail vsnl.com
      hashbl_acl_freemail vsnl.net
      hashbl_acl_freemail w.cn
      hashbl_acl_freemail walla.co.il
      hashbl_acl_freemail walla.com
      hashbl_acl_freemail wallet.com
      hashbl_acl_freemail wam.co.za
      hashbl_acl_freemail wanex.ge
      hashbl_acl_freemail wap.hu
      hashbl_acl_freemail wapda.com
      hashbl_acl_freemail wapicode.com
      hashbl_acl_freemail wappi.com
      hashbl_acl_freemail warpmail.net
      hashbl_acl_freemail washington.usa.com
      hashbl_acl_freemail wassup.com
      hashbl_acl_freemail waterloo.com
      hashbl_acl_freemail waumail.com
      hashbl_acl_freemail wayintocomputers.com
      hashbl_acl_freemail wazmail.com
      hashbl_acl_freemail wearab.net
      hashbl_acl_freemail web-mail.com.ar
      hashbl_acl_freemail web.de
      hashbl_acl_freemail web.nl
      hashbl_acl_freemail web2mail.com
      hashbl_acl_freemail webaddressbook.com
      hashbl_acl_freemail webbworks.com
      hashbl_acl_freemail webcity.ca
      hashbl_acl_freemail webdream.com
      hashbl_acl_freemail webemaillist.com
      hashbl_acl_freemail webindia123.com
      hashbl_acl_freemail webinfo.fi
      hashbl_acl_freemail webjump.com
      hashbl_acl_freemail webl-3.br.inter.net
      hashbl_acl_freemail webmail.co.yu
      hashbl_acl_freemail webmail.co.za
      hashbl_acl_freemail webmails.com
      hashbl_acl_freemail webmailv.com
      hashbl_acl_freemail webname.com
      hashbl_acl_freemail webpim.cc
      hashbl_acl_freemail webspawner.com
      hashbl_acl_freemail webstation.com
      hashbl_acl_freemail websurfer.co.za
      hashbl_acl_freemail webtopmail.com
      hashbl_acl_freemail webtribe.net
      hashbl_acl_freemail webtv.net
      hashbl_acl_freemail weedmail.com
      hashbl_acl_freemail weekonline.com
      hashbl_acl_freemail weirdness.com
      hashbl_acl_freemail westvirginia.usa.com
      hashbl_acl_freemail whale-mail.com
      hashbl_acl_freemail whatisthis.com
      hashbl_acl_freemail whatmail.com
      hashbl_acl_freemail when.com
      hashbl_acl_freemail whipmail.com
      hashbl_acl_freemail who.net
      hashbl_acl_freemail whoever.com
      hashbl_acl_freemail wild4music.com
      hashbl_acl_freemail wildaboutelectronics.com
      hashbl_acl_freemail wildcats.com
      hashbl_acl_freemail wildmail.com
      hashbl_acl_freemail will-keinen-spam.de
      hashbl_acl_freemail williams.net.ar
      hashbl_acl_freemail winning.com
      hashbl_acl_freemail winningteam.com
      hashbl_acl_freemail winwinhosting.com
      hashbl_acl_freemail wisconsin.usa.com
      hashbl_acl_freemail witelcom.com
      hashbl_acl_freemail witty.com
      hashbl_acl_freemail wolverines.com
      hashbl_acl_freemail wooow.it
      hashbl_acl_freemail worker.com
      hashbl_acl_freemail workingaroundthehouse.com
      hashbl_acl_freemail workingonthehouse.com
      hashbl_acl_freemail workmail.co.za
      hashbl_acl_freemail workmail.com
      hashbl_acl_freemail worldcrossing.com
      hashbl_acl_freemail worldemail.com
      hashbl_acl_freemail worldmedic.com
      hashbl_acl_freemail worldonline.de
      hashbl_acl_freemail wowmail.com
      hashbl_acl_freemail wp.pl
      hashbl_acl_freemail wprost.pl
      hashbl_acl_freemail wrestlezone.com
      hashbl_acl_freemail writeme.com
      hashbl_acl_freemail writesoon.com
      hashbl_acl_freemail wrongmail.com
      hashbl_acl_freemail wtonetwork.com
      hashbl_acl_freemail wurtele.net
      hashbl_acl_freemail www.com
      hashbl_acl_freemail www.consulcredit.it
      hashbl_acl_freemail wyoming.usa.com
      hashbl_acl_freemail x-mail.net
      hashbl_acl_freemail xasa.com
      hashbl_acl_freemail xemail.com
      hashbl_acl_freemail xfreehosting.com
      hashbl_acl_freemail xmail.net
      hashbl_acl_freemail xmasmail.com
      hashbl_acl_freemail xmsg.com
      hashbl_acl_freemail xnmsn.cn
      hashbl_acl_freemail xoom.com
      hashbl_acl_freemail xpectmore.com
      hashbl_acl_freemail xrea.com
      hashbl_acl_freemail xsmail.com
      hashbl_acl_freemail xtra.co.nz
      hashbl_acl_freemail xuite.net
      hashbl_acl_freemail xzapmail.com
      hashbl_acl_freemail y7mail.com
      hashbl_acl_freemail ya.com
      hashbl_acl_freemail ya.ru
      hashbl_acl_freemail yahala.co.il
      hashbl_acl_freemail yaho.com
      hashbl_acl_freemail yahoo.co.uk
      hashbl_acl_freemail yahoo.com
      hashbl_acl_freemail yahoomail.com
      hashbl_acl_freemail yalla.com.lb
      hashbl_acl_freemail yam.com
      hashbl_acl_freemail yamal.info
      hashbl_acl_freemail yanbo.cc
      hashbl_acl_freemail yandex.ru
      hashbl_acl_freemail yapost.com
      hashbl_acl_freemail yawmail.com
      hashbl_acl_freemail yeah.net
      hashbl_acl_freemail yebox.com
      hashbl_acl_freemail yehey.com
      hashbl_acl_freemail yellow-jackets.com
      hashbl_acl_freemail yellowstone.net
      hashbl_acl_freemail yemeni.cc
      hashbl_acl_freemail yenimail.com
      hashbl_acl_freemail yepmail.net
      hashbl_acl_freemail yifan.net
      hashbl_acl_freemail ymail.com
      hashbl_acl_freemail yopmail.com
      hashbl_acl_freemail your-mail.com
      hashbl_acl_freemail yours.com
      hashbl_acl_freemail yourwap.com
      hashbl_acl_freemail yunus.cc
      hashbl_acl_freemail yyhmail.com
      hashbl_acl_freemail z11.com
      hashbl_acl_freemail z6.com
      hashbl_acl_freemail zagazig.cc
      hashbl_acl_freemail zambia.cc
      hashbl_acl_freemail zednet.co.uk
      hashbl_acl_freemail zeeman.nl
      hashbl_acl_freemail ziplip.com
      hashbl_acl_freemail zipmail.com.br
      hashbl_acl_freemail zipmax.com
      hashbl_acl_freemail zmail.pt
      hashbl_acl_freemail zmail.ru
      hashbl_acl_freemail zoho.com
      hashbl_acl_freemail zona-andina.net
      hashbl_acl_freemail zonai.com
      hashbl_acl_freemail zoneview.net
      hashbl_acl_freemail zonnet.nl
      hashbl_acl_freemail zoomshare.com
      hashbl_acl_freemail zoznam.sk
      hashbl_acl_freemail zu-geil.de
      hashbl_acl_freemail zubee.com
      hashbl_acl_freemail zuvio.com
      hashbl_acl_freemail zwallet.com
      hashbl_acl_freemail zworg.com
      hashbl_acl_freemail zybermail.com
      hashbl_acl_freemail zzn.com

      hashbl_acl_freemail !notify@yahoogroups.com
      hashbl_acl_freemail !no-reply@yahoogroups.com
      hashbl_acl_freemail !groupsupdates@yahoogroups.com
      hashbl_acl_freemail !calendarnotification@outlook.com
      hashbl_acl_freemail !nsubscribe@googlegroups.com
      hashbl_acl_freemail !ubscribe@googlegroups.com
      hashbl_acl_freemail !unsubscribe@googlegroups.com
    endif
  endif
endif
#END of TEST OF HASHBL ADDITIONS

#LABEL
header 	__KAM_LABEL1	Subject =~/(Checking in|Appointment|(this|next) week|thoughts|availability|consultation|introduction|let me know|schedule|meeting)/i
body	__KAM_LABEL2	/meet at your office|quick lead time/i
body	__KAM_LABEL3a	/make custom (shirts|sports|jackets|suits)/i
# bug fix thanks to Moritz Friedrich
body	__KAM_LABEL3b   /PPE/
body	__KAM_LABEL4	/(suits start at \$|shirts at \$)|\d\d per mask|\d masks/i
body	__KAM_LABEL5	/(premier|top|luxury) (clothing|fabric)|fortune 500/i
body	__KAM_LABEL6	/\| Label|Label Health/i

header	__KAM_LABEL7	Subject =~ /(^|\b)PPE(\b|$)|(Ply|Face) ?mask/i
body	__KAM_LABEL8	/face ?mask|(^|\b)PPE(\b|$)/i

meta		KAM_LABEL	(__KAM_LABEL1 + __KAM_LABEL2 + (__KAM_LABEL3a + __KAM_LABEL3b >= 1) + __KAM_LABEL4 + __KAM_LABEL5 + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8>= 6)
describe	KAM_LABEL	Tailored clothier spam
score		KAM_LABEL	9.0

meta		KAM_LABEL2	((__KAM_LABEL1 + __KAM_LABEL5 >= 1) + __KAM_LABEL6 + __KAM_LABEL7 + __KAM_LABEL8 >= 3)
describe	KAM_LABEL2	PPE Spam
score		KAM_LABEL2	9.0

#RBLOBFU
body	__KAM_RBL_OBFU1	/b2b.{1,4}salesprospects.{1,4}com/i
body	__KAM_RBL_OBFU2 /quin.{0,3}for.{0,3}ce.com/i
body	__KAM_RBL_OBFU3 /jrgpartners\(\.\)com/i

meta		KAM_RBL_OBFU	((__KAM_RBL_OBFU1 + __KAM_RBL_OBFU2 >=1) + FREEMAIL_FROM >= 2)
describe	KAM_RBL_OBFU	Spammers obfuscating their domain and abusing freemail
score		KAM_RBL_OBFU	12.0

meta		KAM_RBL_OBFU2	__KAM_RBL_OBFU3
describe	KAM_RBL_OBFU2	Spammers obfuscating their domain
score		KAM_RBL_OBFU2	9.0

#Shady CC's
body		__KAM_SHADYCC1	/(transactions?|purchases?) from your (online store|web-?shop)/i
header		__KAM_SHADYCC2	Subject =~ /(illegal|shady) (purchases?|transactions?).*?(credit ?card|mastercard|visa).*?at your site/i
body		__KAM_SHADYCC3	/(four|4) of (my|the) (master)?card/i
body		__KAM_SHADYCC4	/(detailed|full) statement/i

meta		KAM_SHADYCC	(__KAM_SHADYCC1 + __KAM_SHADYCC2 + __KAM_SHADYCC3 + __KAM_SHADYCC4 >= 4)
describe	KAM_SHADYCC	Scam predicated around reporting fraudulent purchase
score		KAM_SHADYCC	6.0

#Expo Scams
header		__KAM_EXPOPIRATE1	Subject =~ /Hotel Booking/i
body		__KAM_EXPOPIRATE2	/Business Traveller/i

meta		KAM_EXPOPIRATE	(__KAM_EXPOPIRATE1 + __KAM_EXPOPIRATE2 + __KAM_LIST3_2 >= 2)
describe	KAM_EXPOPIRATE	Scam Pirates trying to Hijack Event Hotel Bookings
score		KAM_EXPOPIRATE	4.5

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  #Domain Expiry Scams
  header	__KAM_DOMAINEXPIRY1	Subject =~ /Domain.*Expiration/i
  body		__KAM_DOMAINEXPIRY2	/Attached letter/i

  meta		KAM_DOMAINEXPIRY	(__KAM_DOMAINEXPIRY1 + __KAM_DOMAINEXPIRY2 + __KAM_ZERODAY1 >= 3)
  describe	KAM_DOMAINEXPIRY	Domain Expiration Scams
  score		KAM_DOMAINEXPIRY	4.5

  #Payment Scams
  header	__KAM_PAYMENTSCAM1	Subject =~ /Payment.*(INV|Bookings|Reference|\/201)/i
  body		__KAM_PAYMENTSCAM2	/attached (payment|herewith)|ready for release/i
  mimeheader	__KAM_PAYMENTSCAM3	Content-Type =~ /\.doc/i
  full		__KAM_PAYMENTSCAM4	/\{\\rtf/

  meta		KAM_PAYMENTSCAM    	(__KAM_ZERODAY1 + __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 + (__KAM_PAYMENTSCAM3 + __KAM_PAYMENTSCAM4 >=2) >= 4)
  describe	KAM_PAYMENTSCAM		Payment Scams with Malware Payloads
  score		KAM_PAYMENTSCAM		6.5

  meta		KAM_PAYMENTSCAM2	(DEAR_BENEFICIARY +  __KAM_PAYMENTSCAM1 + __KAM_PAYMENTSCAM2 >= 3) && !(KAM_PAYMENTSCAM)
  describe	KAM_PAYMENTSCAM2	Payment scams
  score		KAM_PAYMENTSCAM2	4.5


  #Password Scams
  body 		__KAM_PASSWORDSCAM1	/pass word/i

  meta		KAM_PASSWORDSCAM 	(__KAM_PASSWORDSCAM1 + __SINGLE_WORD_SUBJ + __PDF_ATTACH + __BODY_LE_200 >= 4)
  describe	KAM_PASSWORDSCAM	Password extortion spams
  score		KAM_PASSWORDSCAM	6.0
endif

#Training Scams
header		__KAM_TRAINING1		Subject =~ /mandatory.*training/i
body		__KAM_TRAINING2		/intranet|training calendar/i
body		__KAM_TRAINING3		/Human Resources/i

meta		KAM_TRAINING		(__KAM_TRAINING1 + __KAM_TRAINING2+ __KAM_TRAINING3 >= 3)
describe	KAM_TRAINING		Training Phishing
score		KAM_TRAINING		4.5

#Trump Medicare
header		__KAM_MEDICARE2_1	Subject =~ /Trump Medicare/i

meta		KAM_MEDICARE2		__KAM_MEDICARE2_1 >= 1
describe	KAM_MEDICARE2		Medicare Scams
score		KAM_MEDICARE2		2.0

#Water hack
header		__KAM_WATERHACK1	Subject =~ /Water Hack/i
body		__KAM_WATERHACK2	/water hack/i

meta		KAM_WATERHACK		(__KAM_WATERHACK1 + __KAM_WATERHACK2 + KAM_SHORT >= 3)
describe	KAM_WATERHACK		Diet Scams
score		KAM_WATERHACK		5.0

#Sendgrid Exploits
  #thanks to Chip for another Spample on 2020-03-07
header   	__KAM_SENDGRID1		EnvelopeFrom =~ /\@u\d+\.wl\d+\.sendgrid\.net|bounces.*\@sendgrid\.net/i
header		__KAM_SENDGRID1A	Return-Path =~ /\@u\d+\.wl\d+\.sendgrid\.net/i
header		__KAM_SENDGRID2		Received =~ /ismtp.*?.sendgrid.net|outbound\-mail\.sendgrid\.net \[/i

meta		KAM_SENDGRID		((HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_NONE) + ((__KAM_SENDGRID1 + __KAM_SENDGRID1A >= 1) + __KAM_SENDGRID2 >= 1) >= 2)
describe	KAM_SENDGRID		Sendgrid being exploited by scammers
score		KAM_SENDGRID		1.50

header		__KAM_EDU_FROM		From:addr =~ /\.edu$/i

header		__KAM_SENDGRID3         Subject =~ /Amex|Wells ?Fargo|American Express|Security (Review|Message)|Quickbooks|Sign-?in Blocked|unusual activity|payment pending|online Payment|Intuit|security Upgrade|you have a document|verify your card|email alert/i
header		__KAM_SENDGRID4		From =~ /Amex|Wells ?Fargo|American Express|Schwab|bank|USAA|stripe|intuit|chase/i

meta            KAM_SENDGRID2           ((__KAM_EDU_FROM + KAM_SENDGRID >= 1) + (TO_IN_SUBJ + __KAM_SENDGRID3 + __KAM_SENDGRID4 >=1) >= 2)
describe        KAM_SENDGRID2           Sendgrid being exploited by scammers
score           KAM_SENDGRID2           2.0

#Political Spam
header		__KAM_2020_1		Subject =~ /Re-?elect Trump|election t-?shirt|ginsburg shirt|christmas t-?shirt|officially licensed/i
body		__KAM_2020_2		/T-?shirt|printed in the US|stink stank stunk|officially licensed|star wars/i
tflags		__KAM_2020_2		nosubject

meta		KAM_2020		(__KAM_2020_1 + __KAM_2020_2 + FREEMAIL_FROM >= 3)
describe	KAM_2020		2020 Political Spams - Vote KAM for 2020 - donate today at www.mcgrail.com
score		KAM_2020		7.0

#WeTransfer Spam
uri		__KAM_WETRANSFER1	/wetransferfiledownload|\?email=|redirecturl/i
header     	__KAM_WETRANSFER2	From:name =~ /WeTransfer/i
header		__KAM_WETRANSFER3	From:addr !~ /wetransfer\.com/i
header          __KAM_WETRANSFER4	Subject =~ /via WeTransfer/i

meta		KAM_WETRANSFER		(__KAM_WETRANSFER1 + __KAM_WETRANSFER2 + __KAM_WETRANSFER3 + (__KAM_WETRANSFER4 + SPF_FAIL >= 1) >= 4)
score		KAM_WETRANSFER		6.0
describe	KAM_WETRANSFER		WeTransfer Impersonators

#Grey Eagle
header	__KAM_GREYEAGLE_1		From =~ /greyeagle|funding|capital|banking|lending/i
body	__KAM_GREYEAGLE_2		/grey eagle funding/i

meta		KAM_GREYEAGLE		(__KAM_GREYEAGLE_1 + __KAM_GREYEAGLE_2 >= 2)
describe	KAM_GREYEAGLE		Spammy Funding Company w/lots of Domains
score		KAM_GREYEAGLE		10.0

#Google Storage APIs
uri		KAM_STORAGE_GOOGLE	/storage.googleapis.com|\.web.app\//i
describe	KAM_STORAGE_GOOGLE	Google Storage API being abused by spammers
score		KAM_STORAGE_GOOGLE	2.25

#Spam Du Jour
header		__KAM_DUJOUR1		Subject =~ /(Worst Food|Tinnitus|Reflux|Gift Card)/i

body		__KAM_DUJOUR2		/(Worst Food|Tinnitus|Reflux|CVS Gift Card)/i
tflags        	__KAM_DUJOUR2  		nosubject

header		__KAM_DUJOUR3		From =~ /(Probio|Tinnitus|Reflux|CVS)/i

meta		KAM_DUJOUR		(KAM_STORAGE_GOOGLE + __KAM_DUJOUR1 + __KAM_DUJOUR2 + __KAM_DUJOUR3 >= 3)
describe	KAM_DUJOUR		Spam of the Day hocking various products
score		KAM_DUJOUR		4.5

#QUINFORCE
body		__KAM_QUINFORCE1	/q.?u.?i.?n.?f.?o.?r.?c.?e/i

meta		KAM_QUINFORCE1		(__KAM_QUINFORCE1 >= 1)
describe	KAM_QUINFORCE1		Obfuscating spamming firm
score		KAM_QUINFORCE1		6.0

#SPAMDUJOUR
body		__KAM_CBD1		/Meridian CBD/i

meta		KAM_CBD			(__KAM_CBD1 + __KAM_OTHER_BAD_TLD2 >= 2)
describe	KAM_CBD			Spam du jour for CBD
score		KAM_CBD			4.5

#COVID SCAMS
body		__KAM_COVID1		/International Monetary fund|world health organization|empowerment fund/i
header		__KAM_COVID2		Subject =~ /COVID?.{0,12}(payment|fund)/i
body		__KAM_COVID3		/COVID.{0,12}(empowerment|payment)|W\.?H\.?O\.? trust.?fund/i
tflags		__KAM_COVID3		nosubject
header		__KAM_COVID4		From =~ /COVID|world ?Health|WHO/i

body		__KAM_COVID5		/00 ?(EUR|USD|Dollar)/i

meta		KAM_COVID		((__KAM_COVID5 + LOTS_OF_MONEY >= 1) + __KAM_COVID1 + __KAM_COVID2 + __KAM_COVID3 + __KAM_COVID4 >= 4)
describe	KAM_COVID		Scams revolving around the pandemic
score		KAM_COVID		6.0

#COVID SCAMS
body		__KAM_COVID2_1		/COVID-19 (CHARITY )?(fund|donated relief)/i
tflags		__KAM_COVID2_1		nosubject
header		__KAM_COVID2_2		Subject =~ /(little|COVID-19) (fund|donation)/i

meta		KAM_COVID2		(__KAM_COVID2_1 + __KAM_COVID2_2 + LOTS_OF_MONEY >= 2)
describe	KAM_COVID2		Scams revolving around the pandemic
score		KAM_COVID2		7.5

#COVID SCAMS
body		__KAM_COVID3_1		/Prince/i
body		__KAM_COVID3_2		/reliable source/i
body		__KAM_COVID3_3		/\$[\d\.,]+ mil/i
body		__KAM_COVID3_4		/assist me/i
body		__KAM_COVID3_5		/Saudi Arabia/i

meta		KAM_COVID3		(__KAM_COVID3_1 + __KAM_COVID3_2 + __KAM_COVID3_3 + __KAM_COVID3_4 + __KAM_COVID3_5 >= 5)
describe	KAM_COVID3		Scams revolving around the pandemic
score		KAM_COVID3		7.5

#VOICEMAIL SCAM
uri		__KAM_VM1		/storage.googleapis.com\/.*?htm|appspot\.com|\/api\/v1\/click\|\.sharepoint\.com\/personal\//i
header		__KAM_VM2		Subject =~ /VN Audio|message for|voice Message|Voicemail|Fax Message|OneDrive File/i
body		__KAM_VM3		/(Voice ?Audio|VN Audio|VM Meant|Listen to (your )?Voice|voicemail message|Fax(ed)? (document|message)|new voicemail)/i
tflags		__KAM_VM3		nosubject
body		__KAM_VM4		/recorded voice|audio message|Caller.id|CID:|mailbox \d|sign document/i
tflags		__KAM_VM4		nosubject

meta		KAM_VM			(__KAM_VM1 +  __KAM_VM2 +  __KAM_VM3 +  __KAM_VM4 >= 3)
score		KAM_VM			4.5
describe	KAM_VM			Voice Mail & Fax Scams

#Admin Notice Fraud
header		__KAM_ADMIN1		From =~ /admin/i
header		__KAM_ADMIN2		Subject =~ /For /i
body		__KAM_ADMIN3		/next tax return/i
body		__KAM_ADMIN4		/read this document/i

meta		KAM_ADMIN		(HEADER_FROM_DIFFERENT_DOMAINS + HTML_OBFUSCATE_10_20 + __KAM_ADMIN1 + __KAM_ADMIN2 + __KAM_ADMIN3 + __KAM_ADMIN4 >= 6)
describe	KAM_ADMIN		Phishing attempt spoofing admins
score		KAM_ADMIN		9.0


#BENEFICIARY
replace_rules	__KAM_BENEFICIARY2

header		__KAM_BENEFICIARY1	Subject =~ /(your|Urgent) Help|refugee|Attention|Inherit|donation|refund|beloved|^Hello$|dear friend|compensated|get back to me|hope to hear|my dear|postal service|From.....|compliment|sincere apology|proposal|How are you|congratulations|ATM VISA Card|good (day|news)|beneficiary|cc|best regards|dearest one|^Att$|^Reply$|partnership|greeting'?s|atm fund|postmaster general/i
#what
body		__KAM_BENEFICIARY2	/(consignment|fund(\b|$)|person of trust|don't know me|emails only|apologize for intrud|formal relationship|diplomatic agent|ATM VISA CARD|unsolicited manner|proposition|solicit your|trustworthy relation|verily|random people|you a beneficiary|help<SPACE1>+widow|same last ?name|(same|similar) surname|investment manager)|level of maturity|important project|jackpot|investment opp|something important|unclaimed trunk|estate investment|donation recipient|bank draft/i
tflags		__KAM_BENEFICIARY2	nosubject

#bus
body		__KAM_BENEFICIARY3	/(gold|diamonds|inherit|foreign customer|risk.?free|less.privilege|next of kin|nearest airport|certain funds|partnership to transfer|repatriation|co.fiscate|separate account|christian activit|receiving bank|donate the sum|money left|sweepstakes|lucky winner|get rich|\d% of the total|investment fund)|moving some money|god has blessed|contributions to humanity|partake in the deal|pledge dep|over-?due compensation|left your check/i
#where
body		__KAM_BENEFICIARY4	/(Ghana|South Africa|China|Greece|Estonia|United kingdom|foreign|(your|my) country|Benin|africa|Foreign Op|international Airport|portugal|business trip|Ivory Coast|Royal Bank|Syria|Libyan|Ministry of |Buffett Foundation|audit unit)|postmaster general/i
#how much
body		__KAM_BENEFICIARY5	/\d+ ?(kilo|kg)|donat|assignment|last wishes|charity org|million dollars|secret account|overdue winnings|handsomely compensate|large amount|share of fund|one digit interest|beneficial business|anticipated cooperation|\d% (with|for) you|fiscal cash|huge amount|(half|99 percent) of (his|their|her) fortune/i
#sob
body		__KAM_BENEFICIARY6	/(deceased|late) (customer|husband|client|father)|death of my husband|cancer|power of attorney|customer who died|orphan|no beneficiary|terminal|family treasure|not criminal|send (you )?more (information|details)|wife ran away|inability to release|terrorist attack|sterile|foreigner who died|corrupt officials|could not complete/i

meta		KAM_BENEFICIARY		((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 6)
describe	KAM_BENEFICIARY		Beneficiary scams
score		KAM_BENEFICIARY		10.5

meta            KAM_BENEFICIARYLOW       ((LOTS_OF_MONEY + __KAM_BENEFICIARY5 >=1) + (KAM_BLANKSUBJECT + __KAM_BENEFICIARY1 >=1) + __KAM_BENEFICIARY2 + __KAM_BENEFICIARY3 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 + FREEMAIL_FROM >= 5) && !KAM_BENEFICIARY && !__KAM_NPO1
describe        KAM_BENEFICIARYLOW      Beneficiary scams (Lower Confidence)
score           KAM_BENEFICIARYLOW      6.0

#NPO
body		__KAM_NPO1		/501\(?c\)?\(?3\)?|501 c 3/i


#BENEFICIARY
meta            KAM_BENEFICIARY2        (GMD_PDF_EMPTY_BODY + DEAR_BENEFICIARY >= 2)
describe        KAM_BENEFICIARY2        Beneficiary scams
score           KAM_BENEFICIARY2        3.0

#Person Beneficiary
body		__KAM_BENEFICIARY3_1	/Mikhail Fridman/i
header		__KAM_BENEFICIARY3_2	From =~ /Mikhail Fridman/i
uri		__KAM_BENEFICIARY3_3	/www.rt.com/i

meta		KAM_BENEFICIARY3	(__KAM_BENEFICIARY3_1 + __KAM_BENEFICIARY3_2 + __KAM_BENEFICIARY3_3 + __KAM_DIDYOUSUBJ >= 3)
describe        KAM_BENEFICIARY3        Beneficiary scams
score		KAM_BENEFICIARY3	4.5


#Did you get my message?
header		__KAM_DIDYOUSUBJ	Subject =~ /Did you (receive it|get my message)/i
body		__KAM_DIDYOUBODY	/Did you (receive it|get my message)/i
tflags		__KAM_DIDYOUBODY	nosubject

#Nothing but sig
#body		__KAM_SIGONLY1		/^.{0,10}--\b/im
#tflags		__KAM_SIGONLY1		nosubject
#
#meta		KAM_SIGONLY		(__KAM_SIGONLY1 >= 2)
#score		KAM_SIGONLY		1.5
#describe	KAM_SIGONLY		Messages is (mostly) just a signature
#
##SigOnly spam
#meta		KAM_SIGONLY2		(KAM_SIGONLY + (__KAM_DIDYOUBODY + __KAM_DIDYOUSUBJ >= 1) >= 2)
#score		KAM_SIGONLY2		1.5
#describe	KAM_SIGONLY2		Junk Messages using (mostly) just a signature

#Blank Subject
header		KAM_BLANKSUBJECT	Subject =~ /^\s*$/i
describe	KAM_BLANKSUBJECT	Message has a blank Subject
score		KAM_BLANKSUBJECT	0.25
#Job
#what
header		__KAM_JOB2_1		Subject =~ /doing the job/i
body		__KAM_JOB2_2		/represent the company/i
#Where
body		__KAM_JOB2_3		/Singapore/i
#how much
body		__KAM_JOB2_4		/\d,?000 USD (monthly|weekly)/i

meta            KAM_JOB2        	(FREEMAIL_FROM + __KAM_JOB2_1 + __KAM_JOB2_2 + __KAM_JOB2_3 + __KAM_JOB2_4 >= 5)
describe	KAM_JOB2		Employment scams
score		KAM_JOB2		7.5

#WEB
header		__KAM_WEB2_1		Subject =~ /follow|next step|website work/i
body		__KAM_WEB2_2		/affordable (quot|price)|less than half/i
body		__KAM_WEB2_3		/web (designer|develop)|new website/i
body		__KAM_WEB2_4		/portfolio|sample|insights/i

meta		KAM_WEB2		(FREEMAIL_FROM + __KAM_WEB2_1 + __KAM_WEB2_2 + __KAM_WEB2_3 + __KAM_WEB2_4 >=5)
describe	KAM_WEB2		Unsolicited web workers
score		KAM_WEB2		7.5

#BANK
header		__KAM_BANK_1		Subject =~ /Welcome to (Central )?(Money ?Gram|Bank)|Funding|Banker|congratulations/i
body		__KAM_BANK_2		/beneficiary|agent|investment group|deceased/i
body		__KAM_BANK_3		/re\-?verification|clearance tax|possible funding|same last name|nominated bank account/i

meta		KAM_BANK		(FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_BANK_1 + __KAM_BANK_2 + __KAM_BANK_3 >= 5)
describe	KAM_BANK		Bank scams
score		KAM_BANK		7.5

#FAKE CERTIFICATES
header		__KAM_CERT1		Subject =~ /Medical Certificate/i
body		__KAM_CERT2		/review this certificate/i
body		__KAM_CERT3		/link below/i

meta		KAM_CERT		(__KAM_CERT1 + __KAM_CERT2 + __KAM_CERT3 + __PLUGIN_FROMNAME_SPOOF >= 3)
describe	KAM_CERT		Fake Certificate Scams
score		KAM_CERT		4.5

#URGENT
header		__KAM_URGENT1		Subject =~ /^Hello$/i
body		__KAM_URGENT2		/urgent respond/i
body		__KAM_URGENT3		/private e?mail/i
body		__KAM_URGENT4		/god bless/i
body		__KAM_URGENT5		/address still valid/i

meta		KAM_URGENT		( __KAM_URGENT1 +  __KAM_URGENT2 +  __KAM_URGENT3 +  __KAM_URGENT4 +  __KAM_URGENT5 >= 5)
describe	KAM_URGENT		Urgent Scams
score		KAM_URGENT		7.5

#INVESTMENT
header		__KAM_INVEST1		Subject =~ /Investment|(hello|congrats|dear) friend|urgent|greetings|^HELLO$|mutual business|contact him|mail for you|confirming your email|business opportunity|important|interest/i
#looking/why
body		__KAM_INVEST2		/apprehensive|unstable investment|(honest|well.?established|reliable) (individual|partner|person)|wealthy client|legal paper|branch manager|director finance|business man|family asset|personal assistant|found your (detail|contact)|consultant|project financing|my name is|i am the lawyer|need your assistance/i
#money/deal
body		__KAM_INVEST3		/earn \d+\%|(more|full|elaborate) details|discuss further|risk.?free|give details|profitable|\% (yearly|commission)|bank draft|remuneration|(needs|seek|seeks|seeking) fund|employ you|split.?ration|(receive|secure) my fund/i
#what/where
body		__KAM_INVEST4		/malta|oil company|joint venture|(fund|business) proposal|dubai|mutual business|bahrain|compensation fund|barrister|minister of|ghana|strategic development|your region|Mineral.Rich|africa|non.?european|your country/i
tflags		__KAM_INVEST4		nosubject

meta		KAM_INVEST		(LOTS_OF_MONEY + FREEMAIL_FROM + __KAM_INVEST1 + __KAM_INVEST2 + __KAM_INVEST3 + __KAM_INVEST4 >= 4)
describe	KAM_INVEST		Investment Scams
score		KAM_INVEST		6.0

#SIGNON
header		__KAM_SIGN1		Subject =~ /New Sign-?[io]n/i
body		__KAM_SIGN2		/review your account/i
body		__KAM_SIGN3		/verification is processed/i

meta		KAM_SIGN		(KAM_STORAGE_GOOGLE +  __KAM_SIGN1 +  __KAM_SIGN2 +  __KAM_SIGN3 >= 4)
describe	KAM_SIGN		Sign-in Verification Scams
score		KAM_SIGN		6.0

#COVID SPAM
header		__KAM_WEIRDC19_1	Subject =~ /The virus that causes COVID-19/i
header		__KAM_WEIRDC19_2	From =~ /John Robert/i
body		__KAM_WEIRDC19_3	/The virus that causes COVID-19/i
tflags		__KAM_WEIRDC19_3	nosubject

meta		KAM_WEIRDC19		(FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 + __KAM_WEIRDC19_1 + __KAM_WEIRDC19_2 + __KAM_WEIRDC19_3 >= 5)
describe	KAM_WEIRDC19		Odd Covid-19 spam with information
score		KAM_WEIRDC19		7.5

#PRODUCT DUJOUR
header		__KAM_CELEB1		Subject =~ /Celebrity Doc/i
body		__KAM_CELEB2		/resugar/i
body		__KAM_CELEB3		/fat.burning/i

meta		KAM_CELEB		(__KAM_CELEB1 + __KAM_CELEB2 + __KAM_CELEB3 >= 3)
describe	KAM_CELEB		Celebrity Health Scams
score		KAM_CELEB		4.5

#BEAL AND SIMILAR IMPERSONATOR
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  header	__KAM_BEAL1		From:name =~ /Geoff White|(Robert|Bob)( E.)? Beal|(James|Jim) Hoffman|Kevin (A\. )?Mc ?Grail|Chad Coney|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|Sheryl Brissett Chapman/i
  #header	__KAM_BEAL2		From:addr =~ /\@gmail\.com|\@mail\.ru/i
  body		__KAM_BEAL3		/(Robert|Bob).{1,4}Beal|Geoff White|(James|Jim).{1,4}Hoffman|Kevin (A\. )?Mc ?Grail|Frederic Beuter|Chris(topher)? Surprise|(mike|michael) Charvat|SHERYL Brissett Chapman/i
  body		__KAM_BEAL4		/(reply with|forward|send me|let me have) your (Cell|Mobile)|task (real quick|quickly)|(urgent|quick|fast) (reply|errand|response|task|request)|make (some|a) purchase|reimburse you|do something for me fast|spare time right now|confirm if you are free|physical or electronic gift card|(done for me|send out) ASAP|available at the moment|(desk|moment) right now/i
  body		__KAM_BEAL5		/can't talk on the phone|receivable aging report|summary of all w\-?2/i

  meta		KAM_BEAL		((__KAM_BEAL1 + __KAM_BEAL3 >= 1) + (SPF_SOFTFAIL + FREEMAIL_FROM + FREEMAIL_FORGED_REPLYTO >= 1) + __KAM_BEAL4 + __KAM_BEAL5 >= 3)
  describe	KAM_BEAL		IMPOSTER! Will the real slim shady, please stand up?
  score		KAM_BEAL		11.0
endif

#PROJECT
header		__KAM_PROJECT1		Subject =~ /Project/i
body		__KAM_PROJECT2		/business project/i
body		__KAM_PROJECT3		/email is active/i
body		__KAM_PROJECT4		/please respond/i

meta		KAM_PROJECT		(__KAM_PROJECT1 + __KAM_PROJECT2 + __KAM_PROJECT3 + __KAM_PROJECT4 >= 4)
describe	KAM_PROJECT		Scam inquiries about amorphous projects
score		KAM_PROJECT		6.0

#FAKEWESTERN
header		__KAM_FAKEWEST1		Subject =~ /Attention/i
body		__KAM_FAKEWEST2		/Western Union/i
body		__KAM_FAKEWEST3		/United Nation/i
body		__KAM_FAKEWEST4		/Wrong Transfer/i
body		__KAM_FAKEWEST5		/0[\.,]?000[\.,]?00\s?USD/i

meta		KAM_FAKEWEST		(__KAM_FAKEWEST1 + __KAM_FAKEWEST2 + __KAM_FAKEWEST3 + __KAM_FAKEWEST4 + (__KAM_FAKEWEST5 + LOTS_OF_MONEY >= 1) >= 5)
describe	KAM_FAKEWEST		Fake money Transfer Scam
score		KAM_FAKEWEST		6.0

#FAKEDROPBOX
header		__KAM_FAKEDROPBOX2_1	Subject =~ /on Dropbox/i

meta		KAM_FAKEDROPBOX2	(__KAM_FAKEDROPBOX2_1 + __KAM_TINYDOMAIN + FREEMAIL_FROM >= 3)
describe	KAM_FAKEDROPBOX2	Fake Dropbox Phish
score		KAM_FAKEDROPBOX2	4.5

header          __KAM_FAKEDROPBOX3_1    Subject =~ /new dropbox message/i
uri		__KAM_FAKEDROPBOX3_2	/wp\-includes/i

meta            KAM_FAKEDROPBOX3        (__KAM_FAKEDROPBOX3_1 + __KAM_FAKEDROPBOX3_2 >= 2)
describe        KAM_FAKEDROPBOX3        Fake Dropbox Phish
score           KAM_FAKEDROPBOX3        6.0


#FAKEMONEYGRAM
header		__KAM_FAKEMONEYGRAM1	From =~ /Money.?Gram/i

meta            KAM_FAKEMONEYGRAM       (__KAM_FAKEMONEYGRAM1 + FREEMAIL_FROM >= 2)
describe        KAM_FAKEMONEYGRAM       Fake Moneygram Phish
score           KAM_FAKEMONEYGRAM       5.5


#FAKESHAREPOINT
header		__KAM_FAKESHAREPOINT1	Subject =~ /by Sharepoint|payment reminder|shared|Request for Quot/i
header		__KAM_FAKESHAREPOINT2	from =~ /sharepoint|accounts? payable|RFQ/i
uri		__KAM_FAKESHAREPOINT3	/my\.sharepoint\.com|appdomain\.cloud/i
body		__KAM_FAKESHAREPOINT4	/Sharepoint Fileshare/i
mimeheader      __KAM_FAKESHAREPOINT5   Content-Type =~ /.html?\"?$/i


meta		KAM_FAKESHAREPOINT	(__KAM_FAKESHAREPOINT1 + __KAM_FAKESHAREPOINT2 + (__KAM_FAKESHAREPOINT3 + KAM_STORAGE_GOOGLE + __KAM_FAKESHAREPOINT4 >= 1) + __KAM_FAKESHAREPOINT5 >= 3)
describe	KAM_FAKESHAREPOINT	Fake Sharepoint Phish
score		KAM_FAKESHAREPOINT	4.0

#ENCRYPTED ZIP
body		__KAM_BADZIP1		/attached (to email|document)|take a look/i
body		__KAM_BADZIP2		/Encrypted zip/i
uri		__KAM_BADZIP2A		/drive.google.com.*export=download/i
body		__KAM_BADZIP3		/(order|urgent|report|dialogue)/i
body		__KAM_BADZIP4		/password:/i

meta		KAM_BADZIP		(__KAM_BADZIP1 + (__KAM_BADZIP2 + __KAM_BADZIP2A >= 1) + __KAM_BADZIP3 + __KAM_BADZIP4 >= 4)
describe	KAM_BADZIP		Encrypted Zip File Indicating a Scam
score		KAM_BADZIP		6.0

#VERIZON SCAM

header		__KAM_VERIZON1		Subject =~ /verizon wireless security message/i
header		__KAM_VERIZON2		From:name =~ /Verizon/i
header		__KAM_VERIZON3		From:addr !~ /verizon/i

#What
body		__KAM_VERIZON4		/Update required immediately/i
#how
body		__KAM_VERIZON5		/update your account information/i
#Problem
body		__KAM_VERIZON6		/deactivated/i
#Money
body		__KAM_VERIZON7		/credit card|bank account/i

meta		KAM_VERIZON		(__KAM_VERIZON1 + __KAM_VERIZON2 + __KAM_VERIZON3 >= 3) && (__KAM_VERIZON4 + __KAM_VERIZON5 + __KAM_VERIZON6 + __KAM_VERIZON7 >= 3)
describe	KAM_VERIZON		Fake Wireless account notices
score		KAM_VERIZON		9.5

#Docusign SCAM
header		__KAM_DOCUSIGN1		Subject =~ /New e-DocuSign Signature|new e-signature docusign|docusign electronic signature|transfer notice|docusign (electronic|signature) service/i
header		__KAM_DOCUSIGN2		From:name =~ /docusign/i
header		__KAM_DOCUSIGN3		From:addr !~ /docusign/i

uri		__KAM_DOCUSIGN4		/\.weebly\.com|docs\.google\.com/i

meta		KAM_DOCUSIGN		((__KAM_DOCUSIGN1 >= 1) + (__KAM_DOCUSIGN2 + __KAM_DOCUSIGN3 >= 2) + (FREEMAIL_FROM + LOTS_OF_MONEY + __KAM_DOCUSIGN4 >= 1) >= 3)
describe	KAM_DOCUSIGN		Fake Document Signature account notices
score		KAM_DOCUSIGN		4.5

#Invalid From
header		__KAM_TWODOTS		From:addr =~ /\@.*\.\./i

meta		KAM_INVALIDFROM		(__KAM_TWODOTS >= 1)
describe	KAM_INVALIDFROM		Invalid From Address
score		KAM_INVALIDFROM		5.0

#Client Fake Invoice
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  header	__KAM_FAKEINV1		From =~ /headoffice/i
  header	__KAM_FAKEINV1A		Reply-to =~ /no.?reply\@/i

  body		__KAM_FAKEINV2		/dearest client/i

  mimeheader    __KAM_FAKEINV3          Content-Type =~ /.xls\"?$/i

  meta		KAM_FAKEINV		((__KAM_FAKEINV1 + __KAM_FAKEINV1A >=1) + __KAM_FAKEINV2 + __KAM_FAKEINV3 >=3)
  describe	KAM_FAKEINV		Fake Customer Invoices
  score		KAM_FAKEINV		4.5
endif

#IMAGE ONLY
meta		KAM_IMAGEONLY		(PDS_OTHER_BAD_TLD + HTML_IMAGE_ONLY_08 >= 2)
describe	KAM_IMAGEONLY		Email from a questionable TLD that contains primarily just an image
score		KAM_IMAGEONLY		0.75

#HOLIDAY 2020 GIFTS
header		__KAM_HOLIDAY2020_1	Subject =~ /holiday item|blac.?k friday|(vortex|illusional|this|3d).*rug|canvas print|get your (personalized christmas )?ornament|Christmas sale|novelty household|(perfect|seasonal) gift|Rising.? Stand.?|endoscope/i
body		__KAM_HOLIDAY2020_2	/(illusional|Vortex|3d) Rug|wireless earbuds|canvas print|get your (personalized christmas )?ornament|holiday novelty|personalized ornament|rising laptop|HOME Ear endoscope|Gadget ?Junk/i
tflags		__KAM_HOLIDAY2020_2	nosubject
header		__KAM_HOLIDAY2020_3	From =~ /vortex|christmas|novelty|(laptop|new).?tech|rising.?stand|Clean.?ear|Massager/i

meta		KAM_HOLIDAY2020		(__KAM_HOLIDAY2020_1 + __KAM_HOLIDAY2020_2 + __KAM_HOLIDAY2020_3 >= 2)
describe	KAM_HOLIDAY2020		Holiday Gifts 2020 Spam
score		KAM_HOLIDAY2020		4.0

#GOOGLE FORM
uri		__KAM_GOOGLEFORM_1	/docs\.google\.com\/forms\//i
body		__KAM_GOOGLEFORM_2	/Untitled|Formulaire sans titre/i
body		__KAM_GOOGLEFORM_3	/foundation is donating/i

meta		KAM_GOOGLEFORM		(__KAM_GOOGLEFORM_1 + (__KAM_GOOGLEFORM_2 + __KAM_GOOGLEFORM_3 >= 1) >= 2)
describe	KAM_GOOGLEFORM		Untitled or Spam Google Form
score		KAM_GOOGLEFORM		4.0

header     	__GB_RETPATH_GOOG_TRIX  Return-Path =~ /\@trix\.bounces\.google\.com/

meta       	GB_RETPATH_GOOG_TRIX    __GB_RETPATH_GOOG_TRIX
describe   	GB_RETPATH_GOOG_TRIX    Email from Google subdomain being abused by spammers
score      	GB_RETPATH_GOOG_TRIX    2.00

#BENEFICIARY FAKE FORM
body		__KAM_DISCLOSE1		/enable me disclose|indicate your? interest|something important/i

meta		KAM_FAKEFORM		((__KAM_DISCLOSE1 + LOTS_OF_MONEY >= 1) + (__KAM_BENEFICIARY2 + __KAM_BENEFICIARY4 + __KAM_BENEFICIARY6 >= 1) + (__KAM_GOOGLEFORM_1 >= 1) >= 3)
describe	KAM_FAKEFORM		Fake Form for Scams
score		KAM_FAKEFORM		4.0

#2ND AMMENDMENT
body		__KAM_2ND_1		/police can no longer be trusted|protect yourself|anti-?gun ban|no classes/i
body		__KAM_2ND_2		/2nd am?mendment|concealed carry|right to carry/i
header		__KAM_2ND_3		From =~ /2nd amm?endment|Concealed/i

meta		KAM_2ND			((__KAM_FUN1 + __KAM_FUN1A >= 1) + __KAM_2ND_1 + __KAM_2ND_2 + __KAM_2ND_3 >= 3)
describe	KAM_2ND			Political / 2nd Ammendement Spam
score		KAM_2ND			4.5

#SPAM DU JOUR - MASKS
body		__KAM_KN_1		/(respirator|KN95) .{0,25}Mask|Ultramasx|upgrade your mask/i
tflags		__KAM_KN_1		nosubject
body		__KAM_KN_2		/get your|for the public|biden wants to curb|Prevent Corona|quick delivery|do your part|while supplies last|(smart|your) mask/i
tflags		__KAM_KN_2		nosubject
header		__KAM_KN_3		Subject =~ /KN95 .{0,25}Mask|(curb|curve?)(ing)? C<O1>vid|(your|mandates?) mask|ultimate protection|Protective (face )?mask/i
header		__KAM_KN_4		From =~ /KN95|(smart|Face) ?Mask|Mask.?(dept|Special)|Stay ?safe|protective ?gear|World ?safe/i

meta		KAM_KN			(__KAM_KN_1 + __KAM_KN_2 + __KAM_KN_3 + __KAM_KN_4 >= 3)
describe	KAM_KN			Spam Du Jour for Masks
score		KAM_KN			4.5

#SPAM DU JOUR - BAD CREDIT
body		__KAM_BADCRED_1		/bad credit/i
tflags		__KAM_BADCRED_1		nosubject
header		__KAM_BADCRED_2		Subject =~ /bad credit.*off track/

meta		KAM_BADCRED		(__KAM_BADCRED_1 + __KAM_BADCRED_2 >= 2)
describe	KAM_BADCRED		Spam Du Jour for Bad Credit
score		KAM_BADCRED		3.0

#SPAM DU JOUR - SPO2
replace_rules	__KAM_SPO2_2 __KAM_SPO2_3

body		__KAM_SPO2_1		/pulse oximeter|touchless thermometer/i
body		__KAM_SPO2_2		/C<O1>VID/i
tflags		__KAM_SPO2_2		nosubject
header		__KAM_SPO2_3		Subject =~ /C<O1>VID.*(screening|oximeter)|Laser Thermometer|(detecting|screening) C<O1>VID/i
header		__KAM_SPO2_4		From =~ /health|infrared|oximeter|Painless/i

meta		KAM_SPO2		(__KAM_SPO2_1 + __KAM_SPO2_2 + __KAM_SPO2_3 + __KAM_SPO2_4 >= 3)
describe	KAM_SPO2		COVID Spams
score		KAM_SPO2		4.5

#SPAM DU JOUR - HEATED VEST
body		__KAM_VEST1		/(heated|thermal) vest/i
tflags		__KAM_VEST1		nosubject
header		__KAM_VEST2		Subject =~ /stay toasty/i
header		__KAM_VEST3		From =~ /thermal vest/i

meta		KAM_VEST		(__KAM_VEST1 + __KAM_VEST2 + __KAM_VEST3 >= 3)
describe	KAM_VEST		Spam Du Jour for Vests
score		KAM_VEST		4.5

#FAKE CVS
header		__KAM_CVS1		From =~ /CVS Pharm/i
header		__KAM_CVS1A		From:addr !~ /\@cvs.com/i
body		__KAM_CVS2		/CVS/
tflags		__KAM_CVS2		nosubject
header		__KAM_CVS3		Subject =~ /CVS Pharm/i

meta		KAM_CVS			((__KAM_CVS1 + (FREEMAIL_FROM + __KAM_CVS1A >= 1) >= 2) + __KAM_CVS2 + __KAM_CVS3 >= 3)
describe	KAM_CVS			Fake CVS Spams
score		KAM_CVS			6.0

#HACKED EXPLOIT
body		__KAM_HACK1		/(phone|electronic|computer) have been hacked|suspected online scam/i
body		__KAM_HACK2		/read attached|click here for verification/i
body		__KAM_HACK3		/save yourself|lead to your arrest/i
header		__KAM_HACK4		From:name =~ /justice dep/i

meta		KAM_HACK		(__KAM_HACK1 + __KAM_HACK2 + __KAM_HACK3 + __KAM_HACK4 >= 3)
describe	KAM_HACK		Hacker Exploitation Email
score		KAM_HACK		4.5

#FAKE INVOICES
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

header		__KAM_FAKEINV2_1	Subject =~ /lnv (remittance|\& check)/i
body		__KAM_FAKEINV2_2	/(find|see) (the )?attach/i
body		__KAM_FAKEINV2_3	/not mail the check|typeform\.com/i
mimeheader    	__KAM_FAKEINV2_4	Content-Type =~ /(ACH W[il]re|Rem[il]ttance adv[il]ce).*xls/i

meta		KAM_FAKEINV2		(__KAM_FAKEINV2_1 + __KAM_FAKEINV2_2 + __KAM_FAKEINV2_3 + __KAM_FAKEINV2_4 >= 3)
describe	KAM_FAKEINV2		Fake Invoice Scams
score		KAM_FAKEINV2		6.0

endif

#FAKE ADS
header		__KAM_FAKEAD1		Subject =~ /brand medication|stubborn fat/i
body		__KAM_FAKEAD2		/click here to UNSUBSCRIBE|start shopping|here\'s how/i
uri		__KAM_FAKEAD3		/\/bit\.ly/i
body		__KAM_FAKEAD4		/Sweet passion|no plastic surgery/i

meta		KAM_FAKEAD		(__KAM_FAKEAD1 + __KAM_FAKEAD2 + __KAM_FAKEAD3 + __KAM_FAKEAD4 >= 4)
describe	KAM_FAKEAD		Fake Advertisements
score		KAM_FAKEAD		6.0

#FAKE REGISTRY SCAMS
body		__KAM_FAKE_REGISTRY1	/www(\.|\(dot\))domainregistryasia(\.|\(dot\))net/i
uri		__KAM_FAKE_REGISTRY2	/domainregistryasia\.net|domainregistryasia\.cn/i

meta		KAM_FAKE_REGISTRY	(__KAM_FAKE_REGISTRY1 + __KAM_FAKE_REGISTRY2 >= 1)
describe	KAM_FAKE_REGISTRY	Fake Domain Registry Scammers trying to get you to buy unneeded domains
score		KAM_FAKE_REGISTRY	5.0

#FAKE Fax
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_FAKE_FAX1 	Content-Type =~ /.*(fax).*\.htm/i
endif
body		__KAM_FAKE_FAX2		/incoming fax|fax received/i
header		__KAM_FAKE_FAX3		Subject =~ /Fax/i
body		__KAM_FAKE_FAX4		/invoice/i

meta		KAM_FAKE_FAX		(T_HTML_ATTACH + __KAM_FAKE_FAX1 + __KAM_FAKE_FAX2 + __KAM_FAKE_FAX3 + __KAM_FAKE_FAX4 >= 4)
describe	KAM_FAKE_FAX		Fake Fax Scam
score		KAM_FAKE_FAX		8.0

#FAKE TRUST
body		__KAM_FAKE_TRUST1	/Message is from a .{0,40}trusted source/i

meta		KAM_FAKE_TRUST		(__KAM_FAKE_TRUST1 >= 1 )
describe	KAM_FAKE_TRUST		Scams about trusted sources
score		KAM_FAKE_TRUST		3.5

#FAKE INVOICE
header          __KAM_FAKE_INVOICE1     Subject =~ /payment advice/i
body            __KAM_FAKE_INVOICE2     /Payment advice/i

meta            KAM_FAKE_INVOICE        (T_HTML_ATTACH + __KAM_FAKE_INVOICE1 + __KAM_FAKE_INVOICE2 >= 3)
describe        KAM_FAKE_INVOICE        Fake Invoice Scam
score           KAM_FAKE_INVOICE        6.0

#BAD PRODUCTS
header		__KAM_BAD_PRODUCT1	Subject =~ /Dolphin Vacuum|Warm any room|rapid thaw/i
body 		__KAM_BAD_PRODUCT2	/Dolphin sealer|hotstreak plug|Rapid thaw tray/i

meta		KAM_BAD_PRODUCT		(__KAM_BAD_PRODUCT1 + __KAM_BAD_PRODUCT2 >= 2)
describe	KAM_BAD_PRODUCT		Spammy Products
score		KAM_BAD_PRODUCT		3.0

#BAD LINK
uri		__KAM_BAD_LINK1		/\.pdf\.iso$/i

meta		KAM_BAD_LINK		(__KAM_BAD_LINK1 >= 1)
describe	KAM_BAD_LINK		Potentially dangerous link in email
score		KAM_BAD_LINK		10.0

#BAD CITIZENS
header		__KAM_CITIZEN1		Subject =~ /Citizens Bank Ealert/i
body		__KAM_CITIZEN2		/Important (message|Notice) From Citizens/i
uri		__KAM_CITIZEN3		/phpmailer|wp-admin|.well-known/i
header		__KAM_CITIZEN4		From:name =~ /Citizens ?Bank/i
header		__KAM_CITIZEN5		From:addr !~ /citizen/i

meta		KAM_CITIZEN		(__KAM_CITIZEN1 + __KAM_CITIZEN2 + __KAM_CITIZEN3 + __KAM_CITIZEN4 + (__KAM_CITIZEN5 + SPF_FAIL >= 1) >= 5)
describe	KAM_CITIZEN		Fake Bank Alert Scam
score		KAM_CITIZEN		7.5

#BAD PRODUCTS
header		__KAM_PRODUCT2_1	Subject =~ /meal delivery|no chopping|(sticker|Children'?s?) book|\$[\d,\.]{5,10} Fast|Car ?Shield|Top Vet|Chew a day|trugreen|(perfect|healthy|your) lawn|slice.?n.?seal|kitchen gadget|small penis|make you bigger/i
body		__KAM_PRODUCT2_2	/meal delivery|no chopping|i ?can ?read|zippy ?loan|car ?shield|Lick their paws|excessive scratching|trugreen|slice.?n.?seal|kitchen gadget|savage.?grow/i
header		__KAM_PRODUCT2_3	From =~ /veestro|i ?can ?read|zippy ?loan|car ?shieldi|petscy|trugreen|slice.?n.?seal|better.?butter|savage.?grow/i

meta		KAM_PRODUCT2		( __KAM_PRODUCT2_1 + __KAM_PRODUCT2_2 + __KAM_PRODUCT2_3 >= 3)
describe	KAM_PRODUCT2		Scammy Products prevalent in spam
score		KAM_PRODUCT2		4.5

#BAD_PDF_LINK
#uri_detail      KAM_PDF_FAKE            text =~ /\.PDF/i  cleaned =~ /\.github.io\//i
#describe	KAM_PDF_FAKE		Links to Fake PDFs
#score		KAM_PDF_FAKE		5.0

#SCAM INQUIRY
#what
body		__KAM_INQUIRY_1		/inquiry for purchase|product catalog|price list|reply with catalog/i
#subj
header		__KAM_INQUIRY_2		Subject =~ /Purchase Order|Urgent (i|e)nquiry/i
#oddities
body		__KAM_INQUIRY_3		/terms? (\&|and) conditions?|rightful dep/i
#Forwarder
body		__KAM_INQUIRY_4		/certificate of origin|import\export|trading company/i

meta		KAM_INQUIRY		(__KAM_INQUIRY_1 + __KAM_INQUIRY_2 + __KAM_INQUIRY_3 + __KAM_INQUIRY_4 >= 4)
describe	KAM_INQUIRY		Product Inquiry Scams
score		KAM_INQUIRY		7.0

#FROM NAME SPAM
header		__KAM_FROM_NAME_FAKERBL	From:name =~ /Savagegrowplus\.com|Lifequote\.selectquote\.com|GoldAlliedTrust\.com/i

meta		KAM_FROM_NAME_FAKERBL	(__KAM_FROM_NAME_FAKERBL >= 1)
describe	KAM_FROM_NAME_FAKERBL	From name contains a URL that is spammy
score		KAM_FROM_NAME_FAKERBL	6.0

# EOF

Zerion Mini Shell 1.0