KAM.cf

#KAM.cf - SpamAssassin Rules
#
#Author: Kevin A. McGrail with significant contributions from Joe Quinn
#
#Email: Kevin.McGrail@McGrail.com - NOTE: Questions about spam are best submitted
#       at https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#HomePage: http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
#
#This is a collection of special rules that I have developed and use on my system.
#
#They are intended as live research for committal to SpamAssassin's SVN sandbox but
#often rely on my corpora so they do not fair well in masschecks.
#
#You are welcome and encouraged to email me directly regarding suggestions.
#
#To avoid being caught by our filters, False positives and negatives should be
#submitted to https://raptor.pccc.com/raptor.cgim?template=report_problem
#
#I believe the rules are safe and they are in use on production systems so I will
#do my best to respond to FPs *especially* if you can send me an email sample.
#
#This cf file is designed for systems with a threshold of 5.0 or higher.  
#
#
#It is best to save an email sample in mbox format and zip it to attach to get 
#around my filters.  It is sometimes best to send samples in a second email so I
#know to go looking for it in my spam folders.
#
#NOTE: I do use some poison pill (i.e. Automatic HAM/SPAM rules).
#
# - I don't view many of my rules as single rules as I typically use meta rules.  
#   I view meta rules as multiple rules hence a larger score is acceptable.
#
# - Some content needs to be blocked either due to large number of complaints or
#    for content.  For example, thee sexually explicit items and the stock tips.  
#    FPs in these rules will be quickly addressed.
#
#For a free anti-spam consultation, fill out the form at the following URL:
#https://raptor.pccc.com/free_spam_consultation.cgim

#
#Copyright (c) 2015 Kevin A. McGrail
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# COURTESY OF Marcin Miros.aw <marcin@mejor.pl>
body     __KAM_MM_FOREX_1 /program.{0,10}ktory\ssam\sgra\sna\sgieldzie|program\sdo\sgry\sna\sgieldzie|Potega\stego\sprogramu\stkwi|program.{0,10}handluje.{0,10}zarabia.{0,10}gieldzie.{0,10}udzialu.{0,10}czlowieka|zarabiaj.{0,10}program.{0,10}nie.{0,10}jest.{0,10}zabroniony|Program.{0,10}zrobi.{0,10}wszystko.{0,10}sam|handluj.{0,10}na.{0,10}gieldzie.{0,10}programowi|100.{0,10}%.{0,10}pewnych.{0,10}transakcji|program.{0,10}100.{0,10}%.{0,10}zysk|handel.{0,10}bedzie.{0,10}zabroniony|program.{0,10}odmieni.{0,10}twoje.{0,10}zycie|system.{0,10}finansow.{0,10}przed.{0,10}upadkiem|grupa.{0,10}niemieckich.{0,10}matematykow.{0,10}inteligentny.{0,10}program|zostan\sobrzydliwie\sbogaty|technologia.{0,10}100%.{0,10}pewne.{0,10}decyzje|zarabianie.{0,10}w.{0,10}sieci|swoja.{0,10}szanse.{0,10}zarabianie|internet.{0,10}doprowadzil.{0,10}pieniedzy|zarabia.{0,10}(w|przez).{0,10}internet|karaluch.{0,10}dom.{0,10}brzeg.{0,10}morza|odmieni.{0,10}zycie|pieniadz|pieniedz|zarabia|zarobi/i
rawbody  __KAM_MM_FOREX_2 /(\[|\<).{1,10}http:\/\/.{1,50}php\?.{1,30}\=.{1,30}(\]|\>).{0,20}(klik|odwiedz|dowiedz|przegap|odnosnik|zarobi|spiesz|majatek|wiecej\sinformacji\sna\sten\stemat\sznajdziesz\s-\stutaj|tutaj\sznajdziesz.{0,10}szczegolowe.{0,10}informacje|odwiedz|zarabia|wchodz)/i
meta   	 KAM_MM_FOREX    __KAM_MM_FOREX_1 && __KAM_MM_FOREX_2
score    KAM_MM_FOREX 2.5
describe KAM_MM_FOREX Polish-language spam from the Forex botnet

#PHISHING TEST
rawbody         KAM_PHISH1      /u style="cursor: pointer"/
describe        KAM_PHISH1      Test for PHISH that changes the cursor
score           KAM_PHISH1      0.01

header          __KAM_PHISH4_1 From =~ /host|apple|amazon|microsoft|windows|express|app.serv|goodluck|bank/i
body            __KAM_PHISH4_2 /dear.{0,50}customer|automated.message|spam.activities|attempted.gaining.access|your.account.expires|authorized.government|important.message|message.alert/i
body            __KAM_PHISH4_3 /(confirm|verify|update).your.(identity|account)|account.password|credit.(bureau|profile)|identity.theft|accredited.commission|security.concern|kindly.find.enclosed/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_PHISH4_4 Content-Type =~ /(verification|information|form).htm/i
endif

meta            KAM_PHISH4 (__KAM_PHISH4_1 + __KAM_PHISH4_2 + __KAM_PHISH4_3 + __KAM_PHISH4_4 >= 3)
score           KAM_PHISH4 3.5
describe        KAM_PHISH4 Another phishing attempt

#KAM REALESTATE / RE-FINANCE SCAM EMAILS - Thanks to David Goldsmith for pointing out my error in the meta rule!
body		__KAM_REAL1 	/(^|\b)RE market/is
body		__KAM_REAL2	/(crashing|declining)/i
body		__KAM_REAL3	/(vacation|second) (home|place)/is
meta		KAM_REAL	(__KAM_REAL1 + __KAM_REAL2 + __KAM_REAL3 >= 3)
describe	KAM_REAL	Real Estate or Re-Finance Spam
score		KAM_REAL	0.5

#REFINANCE SCAM EMAILS
header		__KAM_REFI1	Subject =~ /(refinance|rates) at \d\.\d*%|(?:I would like to offer you my help|Lower your house payment|follow up email|evaluation enclosed|submit a bid|fixed rates|ARM program|New Program|regardless of credit|loan request|accepting your application|refinance appl?ication|ready to (give a (business )?loan|lend)|good credit or not|refinance without perfect credit|financial independence|Loan Offer|Get a Loan|your urgent loan|credit report|time to refinance|refi.(rates|requirements|plus|program|plan|advice)|rates at historical low|EQUIFAX|TRANSUNION|Experian|rates can be cut|save your home)|Reverse.?Mortgage|obama (extends|waives)|VA loan|harp program|re.?fi.advice|homeowners.owe|harp.extension|\d+\.\d+%.fixed|\d+\.\d+.pct|this.rate|refi(nance)?.rate|lower.refi|refinance.your.mortgage|refinance.now|obama.?s?.refi|monthly.payment|house.payment|monthly.savings|modified.payment|new.payment|overpaying|calculate.your|your.saving|housing.plan|obama.?s.hous|l.f..insuranc.|offer.for.your.home|second.mortgage/i
body		__KAM_REFI2	/(Free Evaluation (?:online|on your (?:current )?home loan)|No hidden costs|no strings attached|good credit or not|personalized consultation|in need of loan|consolidation loan|loan processing|apply by sending|loan of any amount|clean up any inacccuracies|lock in saving|save on monthly mortgage|absolutely no cost|underwater)|Reverse.?Mortgage|qualify for a VA loan|Refi now.? and Save|obama..?announces|rate.calculator|save.thousands|update: \d.\d\d..available|homeowner|over.your.head|rate.service|now.eligi?[bl]{2}e|a.second.mortgage|urgent.loan|loan.offer/is
body		__KAM_REFI3	/(restructure (?:proposal|program|opportunity|your loan)|switch from an adjustable rate to a fixed|new lending program|(low|reasonable) interest (loan|rate)|lowest monthly payment|\d% interest|unsecured personal|better credit terms|lower your mortgage|low-interest refinance|see your credit score|credit score.{1,15}updated|refi with HARP)|obama announce(s|d) (the )?harp program|obama'?s.refi|a.fortune.off|lower.home.rate|your.home|home.loan|gov.program|official.harp|currently.overpaying/is
body		__KAM_REFI4	/(\$\d{1,3},\d{1,3}|\d{2,3}k of funds|\d{4,6} USD|\d{4,6}\$ per month|\d{3,5}\/mo)|refinance at \d\.\d%|\$\d{3,}(\.\d\d)?.(a|per).year|extend.harp|spending.too.much|new.payment|better.rate/i
body		__KAM_REFI5	/([\d,]{5,6}|\d{2}\s*%) savings|principal \d+% less|\d+\.\d+%.fixed|refi.calculator|lowered.requirements|home.?owner/is
body            __KAM_REFI6     /((?:reduce your monthly payment|save you) (between )?\d{2}\s*%|save yourself hundreds of dollars|great rate available|completely unsecured|instantly connect with\s+lenders|get you back on the right financial|get report today|protect against identity|know your credit score|crazy payments)|u.?s.? homeowners|drop.your.rate|in.your.pocket|our.records|apply.for.your/is
body		__KAM_REFI7	/(?:loan product|equity cash|house.payment|home.payment|no up front fees|seasoned equity|pay off high rate cards|ARM Program|credit is less than perfect|credit (score )?will not disqualify|plastic money|charge card balances|we offer out loans|floating loan scheme|unsecured guaranteed|President.?s new program|Home Affordable Refinance Program)|save $?[\d\.]+ per (year|month)|low.rate|harp.?2|rates.like.th(is|ese)/is
header          __KAM_REFI8     From =~ /great loan|mortgage|financ|Delta|Rate\.?market|credit score|free.?score|harp|mtge|foreclosure|VA loan|lower.my.(bills|debt|mortgage|rate)|refi.(alert|advantage|quote|calc|rate)|obama|lendingtree|(house|home).?payment|home.?payment|lower.rate|\d+\.\d+%|saving|d.r.ct.l.f.|helpline/i

meta		KAM_REFI	(__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (__KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 4)
describe	KAM_REFI	Real Estate / Re-Finance Spam
score		KAM_REFI	4.0

meta		KAM_REFI2	(__KAM_REFI1 + __KAM_REFI2 + __KAM_REFI3 + __KAM_REFI4 + (__KAM_REFI5 + __KAM_REFI6 >= 1) + __KAM_REFI7 + __KAM_REFI8 + (__KAM_SHORT || AC_HTML_NONSENSE_TAGS || KAM_EU) >= 6)
describe	KAM_REFI2	Real Estate / Re-Finance Spam
score		KAM_REFI2	3.0

#KAM ERADICATE DEBTS
body		__KAM_DEBT1	/(debts disappear|reduce your payments|piling bills|creditors|late bills|vanish some of your bills|reduce your payments|looming bills|all that debt|outstanding debt|debt.{0,7}accumulated|all my debt|penalties,? and fees are gone|banking laws|select legal|change your life|get out of .?d.?e.?b.?t|Free[- ]Credit Report|debt relief options|are you in debt|pay off all your debt|get better rates|credit card debt|could.be.easy)/is
header		__KAM_DEBT2	Subject =~ /(all that you owe|all you owe|everything you owe|eradicate|indebted|sick of bills|debt.{0,7}accumulated|tired of (the )?debt|looming debt|creditors|bank[ ]?rupt|debt ?free|out ?of ?debt|take control of your monthly payments|bills disappear|We can help|consultation regarding bills|get better rates|credit score|FICO Score|eliminate\s{1,2}debt|Erase the debt|loan offer|consolidating.debt)/i
body		__KAM_DEBT3	/(bills keeping you|brink of bankruptcy|take all the (stress|pain) away|all the bills|tired of high credit card|make your bills disappear|improve your credit score|b.?a.?n.?k.?r.?u.?p.?t.?c?.?y|monitor your[- ]credit|Wipes out debt|being debt free|interest rates are reasonable|view your credit score|manage.your.finance)/is

meta		KAM_DEBT	((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3) >= 3)
describe	KAM_DEBT	Debt eradication spams
score		KAM_DEBT	2.5

meta            KAM_DEBT2       ((__KAM_DEBT1 + __KAM_DEBT2 + __KAM_DEBT3 + __KAM_ADVERT2) >= 2)
describe        KAM_DEBT2       Likely Debt eradication spams
score           KAM_DEBT2       1.0

#XtraSize+ Penis Enlargement Scam
header          __KAM_SILD1     Subject =~ /Sildenafil Citrate/i
body		__KAM_SILD2	/(XtraSize+|Sildenafil Citrate)/i

meta		KAM_SILD	(__KAM_SILD1 + __KAM_SILD2 >= 1)

describe        KAM_SILD        Simple rule to block one more enhancement message
score           KAM_SILD        5.0

#if (version < 3.002000)
#  #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2.X
#  #KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea & Jan-Pieter Cornet
#  header        __KAM_NUMBER1   Subject =~ /^\d+$/
#  body		__KAM_NUMBER2	/\d{1,6}/
#  header 	__KAM_NUMBER3   Message-ID =~ /\<[a-z]{19}\@/i
#
#  meta          KAM_NUMBER      ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
#  describe      KAM_NUMBER      Silly Number Emails
#  score         KAM_NUMBER      1.0
#endif

#KAM MEDICATION	KAM_OVERPAY	
body		KAM_OVERPAY	/O . V . E . R . P . A . Y/i
describe	KAM_OVERPAY	Common Medicinal Ad Trick
score		KAM_OVERPAY	3.5

#VIAGRA AD - CHANGED DUE TO FPS on 2010-05-06 - Replaced [VACLXPSI] with separate rules space separated
body            KAM_VIAGRA1     /V I A G R A|C I A L I S|V A L I U M|X A N A X/i
describe        KAM_VIAGRA1     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA1     3.0

#VIAGRA AD 2
body            KAM_VIAGRA2     /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer) (?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)/i
describe        KAM_VIAGRA2     Common Viagra and Medicinal Table Trick
score           KAM_VIAGRA2     3.1

#VIAGRA AD 3 - REMOVED FOR LOW S/O - Thanks to Shane Williams for reporting the FP
#body            KAM_VIAGRA3     /(?:Xan|Som|CIA|VAL|VIA|Pro|Amb|Lev|Mer)( \w )(?:ax|lis|ra|ium)/i
#describe        KAM_VIAGRA3     Common Viagra and Medicinal Table Trick
#score           KAM_VIAGRA3     3.1

#VIAGRA AD 4
body		__KAM_VIAGRA4A	/V (. )?A (. )?L (. )?[I\/t] (. )?U (. )?M/i
body		__KAM_VIAGRA4B	/V (. )?[I\/t] (. )?A (. )?G (. )?R (. )?A/i
body		__KAM_VIAGRA4C	/M (. )?E (. )?R (. )?[I\/t] (. )?D (. )?[I\/] (. )?A/i

# FP FOR "Les Iles du Monde Via Gramsci" OR ITALIAN "WE WISH YOU"
body            __KAM_VIAGRA_FPS /via gra|i augur/i

meta		KAM_VIAGRA4	((__KAM_VIAGRA4A + __KAM_VIAGRA4B + __KAM_VIAGRA4C) >= 2)
describe	KAM_VIAGRA4	Common Viagra and Medicinal Table Trick
score		KAM_VIAGRA4	3.1

#VIAGRA AD 5
body		KAM_VIAGRA5	/(V [1li|\]] [a&] G R A|VljAG+R+A)/i 
describe	KAM_VIAGRA5	Viagra Obfuscation Technique SPAM
score		KAM_VIAGRA5	3.1

#VIAGRA AD 6
#Switch to [-_\. ]? to avoid FP's reported by Robin Tan
body		__KAM_VIAGRA6A	/V[-_\. ]?[IL1][-_\. ]?A.?G.?R.?A/i
body		__KAM_VIAGRA6B	/(\b|^)A.?M.?B.?[il1].?E.?N/i
body		__KAM_VIAGRA6C	/V.?A.?L.?[il1].?U.?M/i
body		__KAM_VIAGRA6D  /(\b|^)C.?[il1].?A.?L.?[Il1].?S($|\b)/i
header		__KAM_VIAGRA6E	From =~ /Viagra|Cialis(\b|$)/i

meta		KAM_VIAGRA6	(__KAM_VIAGRA6A + __KAM_VIAGRA6B + __KAM_VIAGRA6C + __KAM_VIAGRA6D + __KAM_VIAGRA6E >= 2)
describe	KAM_VIAGRA6	Viagra Obfuscation Technique SPAM
score		KAM_VIAGRA6	3.1

#VIAGRA AD 7 - TWEAKING RULE 7B TO PREVENT HITS ON SPECIALIST
body            __KAM_VIAGRA7A  /V[ij]+AGRA/i
body            __KAM_VIAGRA7B  /C[ij]+AL[ij]+S($|\b)/i
body            __KAM_VIAGRA7C  /AMB[ij]+EN/i
body            __KAM_VIAGRA7D  /VAL[ij]+UM/i

meta            KAM_VIAGRA7     ((__KAM_VIAGRA7A + __KAM_VIAGRA7B + __KAM_VIAGRA7C + __KAM_VIAGRA7D >= 2) && (KAM_VIAGRA6 < 1))
describe        KAM_VIAGRA7     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA7     3.1

#VIAGRA AD 8
body            __KAM_VIAGRA8A  /VI...?AGRA/i
body            __KAM_VIAGRA8B  /AM...?BIEN/i
body            __KAM_VIAGRA8C  /VA...?LIUM/i
body            __KAM_VIAGRA8D  /CI...?ALIS/i

meta            KAM_VIAGRA8     ((__KAM_VIAGRA8A + __KAM_VIAGRA8B + __KAM_VIAGRA8C + __KAM_VIAGRA8D) >= 2)
describe        KAM_VIAGRA8     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA8     5.1

#VIAGRA AD 9
body            __KAM_VIAGRA9A  /V[IL1]A..GRA/i
body            __KAM_VIAGRA9B  /AMB..IEN/i
body            __KAM_VIAGRA9C  /VAL..IUM/i
body            __KAM_VIAGRA9D  /C[IL1]A..LIS/i

meta            KAM_VIAGRA9     ((__KAM_VIAGRA9A + __KAM_VIAGRA9B + __KAM_VIAGRA9C + __KAM_VIAGRA9D) >= 2)
describe        KAM_VIAGRA9     Viagra Obfuscation Technique SPAM
score           KAM_VIAGRA9     5.1

#VIAGRA AD 10 - CONTENT-LESS EMAIL FROM "MALE ENHANCEMENT"
header          __KAM_VIAGRA10A    From =~ /male enhancement|mens.renewal/i
header          __KAM_VIAGRA10B    Subject =~ /your intimate partner will (thank|love)|grow.your.manhood|satisfy.your.woman/i

meta            KAM_VIAGRA10    (__KAM_VIAGRA10A + __KAM_VIAGRA10B >= 1)
describe        KAM_VIAGRA10    Male enhancement spam with no content
score           KAM_VIAGRA10    8.0

#NITROXIN - A NEW AND SPAMMY COMPETITOR TO VIAGRA
header          __KAM_NITROXIN1A   From =~ /nitroxin/i

meta            KAM_NITROXIN1   (__KAM_NITROXIN1A >= 1)
describe        KAM_NITROXIN1   Another variant of Viagra spam
score           KAM_NITROXIN1   8.0

#RE[#] SPAM
#NOTE: Thanks to Jason Haar" <Jason.Haar@trimble.co.nz> for pointing out that I was only doing >=1!
header		KAM_RE		Subject =~ /^Re(?:\s)*\[\d\]+(?:\s)*:?$/i
describe	KAM_RE		Subject of Re[0]: etc prevalent in Spam
score		KAM_RE		2.0

meta		KAM_RE_PLUS	(HTML_IMAGE_ONLY_08+KAM_RE >= 2)
describe	KAM_RE_PLUS	Bad Subject and Image Only rule hit == SPAM!
score		KAM_RE_PLUS	4.0

#HOODIA
#RE-WEIGHTING - Thanks to Martin Kaempf and Gareth Blades for pointing out the False Positives!!
#Changed to escape + for 920\+ and changed to rawbody because we don't want to check the subject twice.
#thansk to Michael Denney for the FP report
header		__KAM_HOODIA1	Subject =~ /(hoodia|920\+|serotonin|reduce your appetite)/i
rawbody		__KAM_HOODIA2	/(?:hoodia|920\+)/i
body		__KAM_HOODIA3	/(?:fat loss product|sur?p?press appetite|Reduce Your Appetite)/is

meta		KAM_HOODIA	(__KAM_HOODIA1 + __KAM_HOODIA2 + __KAM_HOODIA3 >= 2)
describe	KAM_HOODIA	Hoodia / Weight Loss Product Promotion Spam
score		KAM_HOODIA	3.0

#STOCK TIPS

##1 through 120 disabld 5-12-2014 due to age
##body            __KAM_STOCKTIP1 /(?:Reynaldo's Mexican Food|RYNL)/is
##body            __KAM_STOCKTIP2 /(?:KOKO PETROLEUM|KKPT)/is
##body		__KAM_STOCKTIP3 /(?:DARK DYNAMITE|DKDY|D K D Y)/is
##body            __KAM_STOCKTIP4 /(?:Remington Ventures|RMVN)/is
##body		__KAM_STOCKTIP5 /(?:m-Wise|MWIS|M W I S)/is
##body		__KAM_STOCKTIP6 /(?:China World Trade Corporation|CWTD)/is
##body		__KAM_STOCKTIP7 /(?:Packets International|IPKL)/is
##body		__KAM_STOCKTIP8 /(?:Infinex Ventures|IFNX)/is
##body		__KAM_STOCKTIP9 /(?:FacePrint Global Solutions|FCPG)/is
###THANKS TO HOMER PARKER FOR THE FALSE POSSITIVE NOTE!
##body            __KAM_STOCKTIP10 /(?:Ever[-_ ~]{0,3}Gl[o0]ry|(^|\b)E[-_~\. =]{0,3}G[-_~\. =]{0,3}L[-_~\. =]{0,3}Y($|\b))/is
##body		__KAM_STOCKTIP11 /(?:Gulf Petroleum|GFPE)/is
##body		__KAM_STOCKTIP12 /(?:Patriot Mechanical Handling|PMHH)/is
##body		__KAM_STOCKTIP13 /(?:KSW Industries|KSWJ)/is
##body		__KAM_STOCKTIP14 /(?:Conforce International|CFRI)/is
##body		__KAM_STOCKTIP15 /(?:Nano Superlattice Technology|NSLT)/is
##body		__KAM_STOCKTIP16 /(?:Morgan Beaumont|MBEU)/is
##body		__KAM_STOCKTIP17 /(?:Relay Capital|(^|\b)RLYC($|\b))/is
###THANKS TO DAVID GOLDSMITH FOR POINTING OUT THE POTENTIAL FPs FROM THIS RULE
##body		__KAM_STOCKTIP18 /(?:Madison Explorations|(?:^|\b)MDEX(?:$|\b))/is
##body		__KAM_STOCKTIP19 /(?:CTR Investments and Consulting|C ?I ?V ?X)/is
##body		__KAM_STOCKTIP20 /(?:PREMIER INFORMATION|(?:^|\b)PIFR(?:$|\b))/is
##body		__KAM_STOCKTIP21 /(?:Harbin Pingchuan|P G C N|PGCN)/is
##body		__KAM_STOCKTIP22 /(?:CLIENT TRACK CORP|CTKR)/is
##body		__KAM_STOCKTIP23 /(?:EXTREME INNOVATIONS|(^|\b)EXTI($|\b))/is
##body		__KAM_STOCKTIP24 /(?:Medical Home Products|\bMHPT\b)/is
##body		__KAM_STOCKTIP25 /(?:AmeraMex International|AMMX)/is
##body		__KAM_STOCKTIP26 /(?:Equipment & Systems Engineering|EQUIPMENT & SYS ENGR|EQSE)/is
##body		__KAM_STOCKTIP27 /(?:NANOFORCE|NNFC)/i
##body		__KAM_STOCKTIP28 /(?:\b|^)(?:Resort Clubs (I|\|)nternational|R[ ]*T[ ]*C[ ]*(?:I|\|))(?:\b|$)/is
##body		__KAM_STOCKTIP29 /(?:Innovation Holdings|IVHN)/is
##body		__KAM_STOCKTIP30 /(?:GOLDEN APPLE OIL|GAPJ)/is
##body		__KAM_STOCKTIP31 /(?:inZon Corporation|(^|\b)I ?Z ?O ?N($|\b))/is
##body		__KAM_STOCKTIP32 /(?:Midland Baring Financial Group|MDBF)/is
##body            __KAM_STOCKTIP33 /(?:Aradyme Corporation|A D Y E)/is
##body		__KAM_STOCKTIP34 /(?:TRANSAKT CORP|TKTJF)/is
##body		__KAM_STOCKTIP35 /(?:CTXE|CANTEX ENERGY CORP)/is
##body		__KAM_STOCKTIP36 /(?:De Greko|DGKO)/is
##body		__KAM_STOCKTIP37 /(?:Deep Earth Resource, Inc|CTFE|DPER)/is
##body		__KAM_STOCKTIP38 /(?:Vemics|(\b|^)VMCI(\b|$)|Summit Financial Resources)/is
##body		__KAM_STOCKTIP39 /Premium Petroleum/is
##body		__KAM_STOCKTIP40 /(?:F ?a ?l ?c ?o ?n  ?E ?n ?e ?r ?g ?y|F.?C.?Y.?I)/s
##body		__KAM_STOCKTIP41 /(?:CHINA GOLD CORP|CGDC)/is
##body		__KAM_STOCKTIP42 /DPEK/i
###FIXED FP THANKS TO BEN LENTZ - Also found that the X ?X ?X ?X concept is causing too many FPs thanks to Homer Parker
##body		__KAM_STOCKTIP43 /(?:Amerossi International Group|A M S N(\b|$)|AMSN)/is 
##body		__KAM_STOCKTIP44 /(?:WATAIRE INDUSTRIES|W ?T ?A ?F)/is
##body		__KAM_STOCKTIP45 /(?:ABSOLUTESKY|A ?B ?S ?Y)/i
##body		__KAM_STOCKTIP46 /(?:Infinex Ventures|I ?N ? ?F ?X)/is
##body		__KAM_STOCKTIP47 /(?:Holly ?wood Intermediate|HYWI|H Y W I)/is
###DISABLED DUPLICATE OF 40
###body		__KAM_STOCKTIP48 /(?:Falcon Energy|F ?C ?Y ?I)/is
##body		__KAM_STOCKTIP49 /(?:\b|^)(?:AGA Resources|A ?G ?A)(?:\b|$)/is
##body		__KAM_STOCKTIP50 /(?:COSCO|CCPI)/i
##body		__KAM_STOCKTIP51 /(?:PETRO([- ?])?SUN DRILLING|P[- ]?S[- ]?U[- ]?D)/is
##body		__KAM_STOCKTIP52 /(?:KMA Global Solutions International|KMAG)/is
##body		__KAM_STOCKTIP53 /(?:Advanced Powerline Technologies|APWL)/is
##body		__KAM_STOCKTIP54 /(?:GOLDMARK INDUSTRIES|GDKI)/is
##body		__KAM_STOCKTIP55 /(?:QUANTUM ENERGY|QEGY)/is
###FP FIXED THANKS TO Homer Parker
##body		__KAM_STOCKTIP56 /(?:AAGA RESOURCE+S NEW|A G A O|(\b|^)AGAO(\b|$))/is
###FP FIXED THANKS TO Homer Parker
##body		__KAM_STOCKTIP57 /(?:Bicoastal Communications|BCLC|B C L C)/is
##body            __KAM_STOCKTIP58 /(?:Greater China Media \& Ent|G ?C ?M ?E)/is
##body		__KAM_STOCKTIP59 /(?:Viva International|(\b|^)VIVI(\b|$))/s
##body		__KAM_STOCKTIP60 /(?:WILON RESOURCES|(\b|^)WLON(\b|$))/is
##body		__KAM_STOCKTIP61 /(?:Am+erica+n U+ni+ty I+nve+stments|(\b|^)A[ _]?U[ _]?N[ _]?I[ _]?(\b|$))/is
##body		__KAM_STOCKTIP62 /(?:DEFENSE DIRECTIVE|(\b|^)DFSE(\b|$))/is
##body		__KAM_STOCKTIP63 /(?:Cyberhand Technologies|(\b|^)CYHD(\b|$))/is
##body		__KAM_STOCKTIP64 /(?:Texhoma Energy|(\b|^)TXHE(\b|$))/is
##body		__KAM_STOCKTIP65 /(?:Equal Trading|(\b|^)EQTD(\b|$))/is
###DISABLED FOR FALSE POSITIVES AND AGE
###body		__KAM_STOCKTIP66 /(?:\b|^)W.?B.?R.?S(?:\b|$)/is
##body		__KAM_STOCKTIP67 /(?:Mobile Airwaves|(\b|^)M.?W.?B.?C.?(\b|$))/is
##body		__KAM_STOCKTIP68 /(?:X-tra Petroleum|(\b|^)XTPT(\b|$))/is
###ADDED FP BOUNDARY CHECK THANKS TO Greg Troxel for reporting the issue
##body		__KAM_STOCKTIP69 /(?:Red Reef Laboratories|(\b|^)RREF(\b|$))/is
##body		__KAM_STOCKTIP70 /(?:Great American Food Chain|(\b|^)GAMN(\b|$))/is
##body		__KAM_STOCKTIP71 /(?:Cana Petroleum|(\b|^)CNPM(\b|$))/is
##body		__KAM_STOCKTIP72 /(?:China Health Management|(\b|^)CNHC(\b|$))/is
##body		__KAM_STOCKTIP73 /(?:Makeup Limited|MAKU)/is
##body		__KAM_STOCKTIP74 /(?:Premier Holdings Group|PMHD)/is
###FP FIXED THANKS TO Christopher X. Candreva
##body		__KAM_STOCKTIP75 /(?:VSUS technologies|(\b|^)VSUS($|\b))/is
##body		__KAM_STOCKTIP76 /(?:FLAIR PETROLEUM|FPMC)/is
##body		__KAM_STOCKTIP77 /(?:Physician Adult Daycare|PHYA)/is
###FP FIXED THANKS TO Homer Parker
##body		__KAM_STOCKTIP78 /(?:AlgoDyne Ethanol Energy|(\b|^)ADYN(\b|$))/is
##body		__KAM_STOCKTIP79 /(?:Critical Care.{1,3}Inc|CTCX)/is
##body		__KAM_STOCKTIP80 /(?:Aerofoam Metals|AFML)/is
##body		__KAM_STOCKTIP81 /(?:Ten \& 10|(?:\b|^)TTEN)/is
##body		__KAM_STOCKTIP82 /(?:Medical Institutional Services|MISJ(\b|$))/is
##body		__KAM_STOCKTIP83 /(?:Harris Exploration|HXPN)/is
##body		__KAM_STOCKTIP84 /(?:MARSHAL HOLDINGS|MHII)/is
##body		__KAM_STOCKTIP85 /(?:ADVANCED GROWING SYSTEMS|AGWS)/is
##body		__KAM_STOCKTIP86 /(?:WEST EXCELSIOR ENT|WEXE)/is
##body		__KAM_STOCKTIP87 /(?:Hemisphere Gold|HPGI)/is
##body		__KAM_STOCKTIP88 /(?:Victory Energy Corporation|VYEY)/is
##body		__KAM_STOCKTIP89 /UTEV/i
##body		__KAM_STOCKTIP90 /(?:CHINA BIOLIFE ENTERP|CBFE)/is
##body		__KAM_STOCKTIP91 /(?:Critical Care|C ?T ?C ?X)/is
##body		__KAM_STOCKTIP92 /CBRJ/i
##body		__KAM_STOCKTIP93 /(?:LAS VEGAS CENTRAL RESERVATIONS|LVCC)/is
##body		__KAM_STOCKTIP94 /GTAP/i
##body		__KAM_STOCKTIP95 /(North American Energy Group|N-?N-?Y-?R)/is
###FP FIXED THANKS TO BRETT GARRETT
##body		__KAM_STOCKTIP96 /(\b|^)C\.?C\.?T\.?I(\b|$)/i
##body		__KAM_STOCKTIP97 /(C ?E ?O AMERICA|C ? E ? O ?A)/is
##body            __KAM_STOCKTIP98 /PLMA/i
##body		__KAM_STOCKTIP99 /CDYV/i
##body		__KAM_STOCKTIP100 /(Fire (Mountain|Mtn) Beverage Company|(^|\b)F[ _]?B[ _]?V[ _]?G($|\b))/is
###Added boundary check thanks to Michael Denney
##body		__KAM_STOCKTIP101 /(\b|^)WDSC(\b|$)/i
##body		__KAM_STOCKTIP102 /(Distributed Power|DPWI)/is
##body		__KAM_STOCKTIP103 /(HUMET-PBC|L9Z\.F)/is
##body		__KAM_STOCKTIP104 /ASVP/is
##body		__KAM_STOCKTIP105 /CHVC/is
##body		__KAM_STOCKTIP106 /(China Datacom|CDPN)/is
##body		__KAM_STOCKTIP107 /(ORAMED PHARMA|OJU\.F)/is
##body		__KAM_STOCKTIP108 /(DSDI|DSI Direct Sales)/is
##body		__KAM_STOCKTIP109 /(Monolith Athletic Club|M[-_ ]?N[-_ ]?A[-_ ]?B)/is
###DUPLICATED STOCKTIP #51
###body		__KAM_STOCKTIP110 /(PETRO-SUN|P[- ]?S[- ]?U[- ]?D)/is
##body		__KAM_STOCKTIP111 /(COMPLIANCE SYSTEMS|(\b|^)COPI(\b|$))/is
###FP Fixed thanks to Greg Troxel
##body		__KAM_STOCKTIP112 /(Global Pay Solutions|(\b|^)GPSI(\b|$))/is
##body		__KAM_STOCKTIP113 /(MEGOLA|MGOA)/i
###FP FIXED THANKS TO Antonio Falzarano
##body		__KAM_STOCKTIP114 /(\b|^)ADOV(\b|$)/i
##body            __KAM_STOCKTIP115 /(Oncology Med|(\b|^)ONCO(\b|$))/is
##body		__KAM_STOCKTIP116 /(Strategy X|SGXI)/is
##body		__KAM_STOCKTIP117 /(Spotlight Homes|COST CONTAINMENT TEC|SPHM)/is
###FALSE POSITIVE ON DANSREALESTATE.
##body		__KAM_STOCKTIP118 /((\b|^)SREA(\b|$)|Score One)/is
##body		__KAM_STOCKTIP119 /(Monster Motors|MRMT)/is
##body		__KAM_STOCKTIP120 /(EntreMetrix|ERMX)/i

body		__KAM_STOCKTIP121 /(VISION AIRSHIPS|(\b|^)VPSN(\b|$))/is
body		__KAM_STOCKTIP122 /(Shandong Zhouyuan Seed and Nursery|(\b|^)SZSN(\b|$))/is
body		__KAM_STOCKTIP123 /(Puerto Rico 7|(\b|^)P ?R ?T ?H(\b|$))/is
body		__KAM_STOCKTIP124 /(VGPM|Vega Promotional Sys)/is
body		__KAM_STOCKTIP125 /((\b|^)D[- ]?M[- ]?X[- ]?C(\b|$))/i
body		__KAM_STOCKTIP126 /((\b|^)C\.?W\.?T\.?E(\b|$)|C'Watre International)/is
body		__KAM_STOCKTIP127 /(Physical Property Holdings|(\b|^)PPYH(\b|$))/is
#FP ON MNUM IN PLAIN TEXT HTML CONVERSION - Thanks to Kevin Lewis
body		__KAM_STOCKTIP128 /(MONUMENTAL MARKETING|(\b|^)MNUM(\b|$))/is
body		__KAM_STOCKTIP129 /(EnerBrite Technologies Group|(\b|^)eTgU(\b|$))/is
body		__KAM_STOCKTIP130 /(Pricester|(\b|^)PRCC(\b|$))/is
#Added boundary check thanks to Michael Denney
body		__KAM_STOCKTIP131 /(Greenstone Holdings|(\b|^)GSHN(\b|$))/is
body		__KAM_STOCKTIP132 /((\b|^)AGMS(\b|$)|Angstrom[- ]Microsystems)/is
body		__KAM_STOCKTIP133 /(Pluris Energy|(\b|^)PEYG(\b|$))/is
body		__KAM_STOCKTIP134 /(United Consortium|(\b|^)UCSO(\b|$))/is
body		__KAM_STOCKTIP135 /(Dominion Minerals|(\b|^)DMNM(\b|$))/is
body		__KAM_STOCKTIP136 /(PrimeGen Energy|(\b|$)PGNE(\b|^))/is
body		__KAM_STOCKTIP137 /Dynamic Response Group|(\b|^)DRGZ(\b|$)/is
body		__KAM_STOCKTIP138 /Cobra Oil (and|&) Gas|(\b|^)CGCA(\b|$)/is
body		__KAM_STOCKTIP139 /Solanex Management|(\b|^)SLNX(\b|$)/is
body		__KAM_STOCKTIP140 /BIO-SOLUTIONS|(\b|^)BISU(\b|$)/is
body		__KAM_STOCKTIP141 /(\b|^)FORC(\b|$)/is
body		__KAM_STOCKTIP142 /Hawk Systems Inc|(\b|^)HWSYD(\b|$)/is
body            __KAM_STOCKTIP143 /AmeriLithium/is #|(\b|^)AMEL(\b|$)/is # FP 9/10/15
body		__KAM_STOCKTIP144 /Fleet Management Solutions|(\b|^)FLMG(\b|$)/is
body		__KAM_STOCKTIP145 /Nuvilex|(\b|^)N.?V.?L.?X.?(\b|$)/is
body		__KAM_STOCKTIP146 /Plandai|(\b|^)PLPL(\b|$)/is
body		__KAM_STOCKTIP147 /Beamz Interactive|(\b|^)B.?Z.?I.?C(\b|$)/is
body		__KAM_STOCKTIP148 /(\b|^)STBV(\b|$)/i
body		__KAM_STOCKTIP149 /LifeApps|(\b|^)LFAP(\b|$)/i
body		__KAM_STOCKTIP150 /MONARCHY RESOURCES/i
body		__KAM_STOCKTIP151 /Alanco Tech/i
body		__KAM_STOCKTIP152 /Siga Resources/i
body		__KAM_STOCKTIP153 /INSCOR|(\b|^)IOGA(\b|$)/is
body		__KAM_STOCKTIP154 /mLight Tech|(\b|^)MLGT(\b|$)/is
body		__KAM_STOCKTIP155 /Alanco Technologies/is
body		__KAM_STOCKTIP156 /Progress Watch|(\b|^)PROW(\b|$)/is
body		__KAM_STOCKTIP157 /(\b|^)PRFC(\b|$)/is
body            __KAM_STOCKTIP158 /(\b|^)(RCHA|R\.+C\.+H\.+A|R\/C\/H\/A)(\b|$)/is
body            __KAM_STOCKTIP159 /(\b|^)(RNBI|R.N.B.I)(\b|$)/is
body            __KAM_STOCKTIP160 /(\b|^)(CNRMF|C.N.R.M.F)(\b|$)/is
body		__KAM_STOCKTIP161 /(\b|^)(NUAN|N[- ]U[- ]A[- ]N)(\b|$)|NUANCE COMMUNICATIONS/is
body		__KAM_STOCKTIP162 /(\b|^)(CHICF|C.H.I.C.F)(\b|$)/is
body		__KAM_STOCKTIP163 /(\b|^)(brixmor)(\b|$)/is
body		__KAM_STOCKTIP164 /(\b|^)(KBLB|K.B.L.B)(\b|$)/is
body		__KAM_STOCKTIP165 /(\b|^)(SCRF|S.C.R.F)(\b|$)/is


body            __KAM_STOCKOTC  /(OTC|OTC ?BB|OTC Pink Sheets|NASDAQ|NYSE|StockWatch):/is
body            __KAM_STOCKSYM  /S[ ]?[iy][ ]?m[ ]?[ßb8][ ]?[o0][ ]?[l1]|Siymbol/i
body            __KAM_STOCKSYM2 /(SYM[ ]?[-\:]|\bTicker|Pr+ice\s*\:|Volume\s*\:|Target\s*\:|Current(ly)? ?\??:|Projected:|Smybol:|Stcok\s*\:|Stock\s*\:|S\s*t\s*o\s*c\s*k\s*\:|Trad[ ]?e\:|short-?sell|book value|S\.umbol|Action:|Symb\s?[-:]|Price Today:|SYmN-|Lookup:|RADAR:|PK PAPER:|PINKSHEETS:|f[o0]rward ?l[0o]{2}king)/i
body		__KAM_STOCKSHR	/\b(Shares|Investments|invest|Stock|acquisitions?|broker|joint[ -]?venture|underperforming|(uncap|ventilated|public(ity)?) on friday|dividend opportunities|set your buy|financial safe haven|before the bell)\b/i
body		__KAM_STOCKBULL /bull (run|market)|very.rich|high.return/is
body		__KAM_STOCKSCTR /(energy sector|mineral rights|mineral wealth|natural resources|gold deposits)/is
header		__KAM_STOCKHEAD Subject =~ /{stk-sub}|on your radar|st0ck|best.stocktip|huge.winner|breaking.news/i
body		__KAM_STOCKJUMP /(up|jumps) \d\d(\.\d)?\%/i
body		__KAM_INSTOCK   /in stock/i

# ADDED A CAVEAT FOR in stock so gibberish links don't hit a stock symbol
meta            KAM_STOCKTIP    (__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKJUMP + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_INSTOCK < 1) && (__KAM_STOCKTIP121 + __KAM_STOCKTIP122 + __KAM_STOCKTIP123 + __KAM_STOCKTIP124 + __KAM_STOCKTIP125 + __KAM_STOCKTIP126 + __KAM_STOCKTIP127 + __KAM_STOCKTIP128 + __KAM_STOCKTIP129 + __KAM_STOCKTIP130 + __KAM_STOCKTIP131 + __KAM_STOCKTIP132 + __KAM_STOCKTIP133 + __KAM_STOCKTIP134 + __KAM_STOCKTIP135 + __KAM_STOCKTIP136 + __KAM_STOCKTIP137 + __KAM_STOCKTIP138 + __KAM_STOCKTIP139 + __KAM_STOCKTIP140 + __KAM_STOCKTIP141 + __KAM_STOCKTIP142 + __KAM_STOCKTIP143 + __KAM_STOCKTIP144 + __KAM_STOCKTIP145 + __KAM_STOCKTIP146 + __KAM_STOCKTIP147 + __KAM_STOCKTIP148 + __KAM_STOCKTIP149 + __KAM_STOCKTIP150 + __KAM_STOCKTIP151 + __KAM_STOCKTIP152 + __KAM_STOCKTIP153 + __KAM_STOCKTIP154 + __KAM_STOCKTIP155 + __KAM_STOCKTIP156 + __KAM_STOCKTIP157 + __KAM_STOCKTIP158 + __KAM_STOCKTIP159 + __KAM_STOCKTIP160 + __KAM_STOCKTIP161 + __KAM_STOCKTIP162 + __KAM_STOCKTIP163 + __KAM_STOCKTIP164 + __KAM_STOCKTIP165 >= 1)

describe        KAM_STOCKTIP    Email Contains Pump & Dump Stock Tip
score           KAM_STOCKTIP    7.1

#KAM STOCK RULE #3 BASED HEAVILY ON WONDERFUL INPUT BY GARETH OF LINGUAPHONE
body            __KAM_STOCK3    /([sS].?ymbol|Sym|SYM|SYMB|Symb|SYMBOL|SYmN|SYMN|Symn|Ticker|TICKER|Lookup|PINKSHEETS)\s*[-_:]\s*[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9][-\._ ]?[A-Z0-9]/
score           __KAM_STOCK3    0.1
describe        __KAM_STOCK3    Email Looks like it references a 4 character stock symbol

#GENERIC STOCK RULE
meta		KAM_STOCKGEN	(__KAM_STOCKHEAD + __KAM_STOCKOTC + __KAM_STOCKSYM + __KAM_STOCKSHR + __KAM_STOCKSYM2 + __KAM_STOCKBULL + __KAM_STOCKSCTR >= 1) && (__KAM_STOCK3 >= 1) && (KAM_STOCKTIP < 1)
describe	KAM_STOCKGEN	Email Contains Generic Pump & Dump Stock Tip
score		KAM_STOCKGEN	1.5

#KAM STOCK RULE #2
body		__KAM_STOCK2_1  /(good trader|trading experience|bad trading day|hard trading day|FREE Stock Market Outlook|Market Watch)|more.than.\d+%|most.valuable|morning.report|real.?estate.authority|commercial.real.estate/i
body		__KAM_STOCK2_2  /(easy cash|losses and victories|backstage trading|market facts|succeed in trading|destined to skyrocket|make traders rich|times your principal)|good.investment|overvalued.companies|company.is.soaring|economic.opportunity|amazing.company|take.notice|rental.yield|high.return/i
body		__KAM_STOCK2_3  /stock/i
body		__KAM_STOCK2_4  /trader|investor|analyst|royalties/i
header		__KAM_STOCK2_5	Subject =~ /stock|bull market|penny|traders|go.getter|thousand.percent|this.company|opportunity|pct.rally|private.investment/i
header          __KAM_STOCK2_6  From =~ /investment|daily.tip|bloomberg|selectedotc|penny|fortune|stock|finance|real.?estate|promotion/i

meta		KAM_STOCK2	(__KAM_STOCK2_1 +  __KAM_STOCK2_2 +  __KAM_STOCK2_3 +  __KAM_STOCK2_4 +  __KAM_STOCK2_5 + __KAM_STOCK2_6) >= 4
score		KAM_STOCK2	2.5
describe	KAM_STOCK2	Another Round of Pump & Dump Stock Scams

#JUDGEMENTS
body		__KAM_JUDGE1	/(unpaid court|(un-?collected|unsatisfied) judgments)/is
body		__KAM_JUDGE2	/(funds|receive what) you are (due|owed)/is
#HALF-WEIGHTED RULES
body		__KAM_JUDGE3	/collect your money/is
body		__KAM_JUDGE4	/judgment/i
#FULL-WEIGHT
header		__KAM_JUDGE5	Subject =~ /judgment/i

meta		KAM_JUDGE	(__KAM_JUDGE1 + __KAM_JUDGE2 + ((__KAM_JUDGE3 + __KAM_JUDGE4) / 2) + __KAM_JUDGE5 >= 2)
describe	KAM_JUDGE	Email Contains Judicial Judgment Solicitation
score		KAM_JUDGE	2.5

#MEDS
body		__KAM_MED1	/e.?c.?o.?n.?o.?m.?i.?z.?e.{1,10}med/i
body		__KAM_MED2	/\d\d ?%/

describe	KAM_MED		Economizing your meds spam
meta		KAM_MED		(__KAM_MED1 + __KAM_MED2 >= 2)
score		KAM_MED		1.5

#MEDS2- THANKS TO RES FOR POINTING OUT A REGEX STUPIDITY
header		__KAM_MED2_1	Subject =~ /Pharmacy order \#\d{5}/i      

describe	KAM_MED2	More Medical SPAM
meta		KAM_MED2	(__KAM_MED2_1 >= 1)
score		KAM_MED2	1.0

#TIME PIECE
#ADDED A FIX FOR REPLICATION  THANKS TO MARK ROLES
header		__KAM_TIME1	Subject =~ /(replica(\b|$)|diamond|designer[-_ ](watch|piece|collection)|(old|replica|style|luxury|trendy|elegant) watch|time[-_ ](keeper|piece)|wrist|chronometer|watches are in fashion|low budget|deliver your watch|(number|amount) of watches)|excellent.watch/i
#0.50 WEIGHTED TESTS
body		__KAM_TIME2	/(replica(\b|$)|diamond|designer[-_ ](piece|collections|watch)|time[-_ ]piece|wrist|time-keeper|\/\/atch)/is
header		__KAM_TIME3	Subject =~ /time|watch/i
body		__KAM_TIME4	/time|watch/i
body		__KAM_TIME5	/(funny|low) price|treat.yourself/i
 #REMOVED WORD OMEGA FROM BRANDS.  TOO MANY FPs.
body		__KAM_TIME6	/(Cx?ARTIER|Bx?REITLING|Px?ATEK|Rx?OLEX|Bx?VLGARI|Tx?IFFANY)/i


meta		KAM_TIME	((__KAM_TIME1 + ((__KAM_TIME2 + __KAM_TIME3 + __KAM_TIME4 + __KAM_TIME5 + __KAM_TIME6)/2)) >= 2)
describe	KAM_TIME	Pssss.  Hey Buddy, wanna buy a watch?
score		KAM_TIME	3.0

meta		KAM_TIMEGEO	(KAM_GEO_STRING2 && KAM_TIME)
describe	KAM_TIMEGEO	Email references geocities & wrist watch sales
score		KAM_TIMEGEO	3.5

#YOUR HOME
body		__KAM_HOME1	/YOUR HOME|Federal Housing Assistance Program|near.your.area/i
body		__KAM_HOME2	/Build your equity faster|refund is not reversible|rent.to.own/i
body		__KAM_HOME3	/tax saving plans|\d+K Mortgage Credit|no.more.of/i
header          __KAM_HOME4	From =~ /rent.?and.?own|rent.own.list/i
header          __KAM_HOME5	Subject =~ /homes.near.you|near.your.city|\d+ (bed|bath)|low.monthly/i

meta		KAM_HOME	(__KAM_HOME1 + __KAM_HOME2 + __KAM_HOME3 + __KAM_HOME4 + __KAM_HOME5 >= 3)
describe	KAM_HOME	Mortage & Refinance Spam Rule
score		KAM_HOME	3.5

#UNIVERSITY RULE
body		__KAM_UNIV1	/(University Administration|University Enrollment|Education Assessment|Faculty Assessment|University Degree|Administration Office|Education office|Schools office|Enrollment Office|Online University)/is
body		__KAM_UNIV2	/\d (week|month).{0,30}degree/is
body		__KAM_UNIV3	/(past work|based on your|earned from|life|life and work|present work) experience/is
body		__KAM_UNIV4	/not official degree|non[ -]?accredited/is
body		__KAM_UNIV5	/novelty (degree|use)/is
body		__KAM_UNIV6	/verifiable University Degree/is
body		__KAM_UNIV7	/(life|work) experience (diploma|degree|transcript)/is
body		__KAM_UNIV8	/Career Path/is
body		__KAM_UNIV9	/non[- ]?ac(creditee?d)?.{1,10}universit/is
body		__KAM_UNIV10    /(graduating|diploma) (within|in) (as little as)? (one|two|three|\d) (week|month)/is
body		__KAM_UNIV11	/(degree|transcript) in any field|Field of yourr? ch[oò][iì]ce/is
body		__KAM_UNIV12	/(obtain your diploma|diploma that you want|Criminal Justice or Homeland Security degree)/is
body		__KAM_UNIV13	/(degree|field|diploma) of your (choice|expertise)/is
body		__KAM_UNIV14	/(earn a|full) transcript/is
body		__KAM_UNIV15	/(No Study Required|Without Exams|No (examinations|[eÉ]xams)|without attending a single class|no classes|no textbooks|no (?:required )?tests|degree .{0,30}you deserve)/is
body		__KAM_UNIV16	/\d weeks.{0,30}graduated/is
header		__KAM_UNIV17	Subject =~ /(dip(i|l)oma|degree|transcript|award|increase ?your ?income|degree online|Ph\.?D|Add an mba)/i
body		__KAM_UNIV18	/100% discrete/is

body            __KAM_UNIV1B    /\d (months|weeks)/i
body            __KAM_UNIV2B    /d[_\. ]?e[_\. ]?g[_\. ]?r[_\. ]?e[_\. ]?e/i
body		__KAM_UNIV3B	/(dead end job|improve your future, and your income|high paying jobs|bec[óo]me a do[cç]tor|get your diploma today)/is
body		__KAM_UNIV4B	/1.?0.?0.?% (legit|verifiable|online|no pre|non[- ]?accredited)/is
body		__KAM_UNIV5B	/F A S T[ ]{0,4}T R A C K/is
body		__KAM_UNIV6B	/DIP\sLOMA/

meta		KAM_UNIV	((__KAM_UNIV1 + __KAM_UNIV2 + __KAM_UNIV3 + __KAM_UNIV4 + __KAM_UNIV5 + __KAM_UNIV6 + __KAM_UNIV7 + __KAM_UNIV8 + __KAM_UNIV9 + __KAM_UNIV10 + __KAM_UNIV11 + __KAM_UNIV12 + __KAM_UNIV13 + __KAM_UNIV14 + __KAM_UNIV15 + __KAM_UNIV16 + __KAM_UNIV17 + __KAM_UNIV18) >= 2 || (__KAM_UNIV1B + __KAM_UNIV2B + __KAM_UNIV3B + __KAM_UNIV4B + __KAM_UNIV5B + __KAM_UNIV6B) >= 3)
describe	KAM_UNIV	Diploma Mill Rule
score		KAM_UNIV	4.5

#URUNIT
body		__KAM_URUNIT1	/\bur (unit|liveliness|energy level|endurance level)/is
body		__KAM_URUNIT2	/\bur (gf|girl|wife|size|thing|partner|significant other)/is
body		__KAM_URUNIT3A  /\b(exasperated|fatigued|drained|tired) all the time/is
#HALF-WEIGHTED RULES
body		__KAM_URUNIT3   /(unsatisfied|not satisfied|nagging|complaining|complaints|complained|unlimited prowess|increase your volume)/is
body		__KAM_URUNIT4	/(bedroom|the bed|nighttime activit|male power|show your girl)/is
body		__KAM_URUNIT5   /(size of (there|their|your) .{0,11}(unit|thing)|using them for a couple months|enhancing formula)/is
body		__KAM_URUNIT6	/(majority of women|shrinking .{0,12} baby fat|winning guy|huge explosion)/is
#FULL-WEIGHT
header		__KAM_URUNIT7	Subject =~ /(\b|^)ur (unit|wife|girlfriend|GF|size|thing|partner|significant other|livelyehood)/i
header		__KAM_URUNIT8	Subject =~ /(pleasure|sensation|grow|your teeny|impress your mate|being small|how big|more intense)/i

meta		KAM_URUNIT	((__KAM_URUNIT1 + __KAM_URUNIT2 + ((__KAM_URUNIT3 + __KAM_URUNIT4 + __KAM_URUNIT5 + __KAM_URUNIT6) / 2) + __KAM_URUNIT7 + __KAM_URUNIT8 + __KAM_URUNIT3A) >= 2)

describe	KAM_URUNIT	Recent penile and body enhancement spams
score		KAM_URUNIT	0.5

#UR ZEST
body		__KAM_URZEST1	/(?:your|ur) (?:power|strength|zal|zeal|liveliness|zest|intensity|spontaneity|activity)(?: level)?(?: been)?(?: feeling| down)? ?(?:lately|recently|anew)?/i
body		__KAM_URZEST2	/or still (?:jaded|worn|drained|exasperated) all the time/i
body		__KAM_URZEST3   /(?:(?:wanting|looking|seeking) to get in the gym|(?:dreaming|seeking|hoping) to get (?:into shape|fit))/i
body		__KAM_URZEST4	/(wks it has been|been mos) since we('| ha)ve chatted/i
body		__KAM_URZEST5   /(back into shape|made me healthier after my disease)/i

meta		KAM_URZEST	(__KAM_URZEST1 + __KAM_URZEST2 + __KAM_URZEST3 + __KAM_URZEST4 + __KAM_URZEST5 >= 2)
describe	KAM_URZEST	Recent penile and body enhancement spams
score		KAM_URZEST	3.0

#JOB LET GO
body		__KAM_JOB1	/let go from (a job|my employment) I held for.{1,19} (month|year|forever|life)/is
body		__KAM_JOB2	/twice as much/is

meta		KAM_JOB		(__KAM_JOB1 + __KAM_JOB2 >=2)
describe	KAM_JOB		People let go, work at home, earn billions!
score		KAM_JOB		4.3

#PERIMETERPARK
body		KAM_PERPARK	/P e r i m e t e r P a r k C e n t e r/i
describe	KAM_PERPARK	Obfuscated address appearing in SPAM Feb 06
score		KAM_PERPARK	2.5

#HOLLYWOOD WAY
body		KAM_HOLLY	/1 0 2 0 N H o l l y w o o d W a y /i
describe        KAM_HOLLY       Obfuscated address appearing in SPAM Jun 06
score           KAM_HOLLY       2.5

#PUMP & DUMP STOCK GRAPHICS
header		__KAM_STOCKG1	Subject =~ /^Fw: \d{6}$/i
header		__KAM_STOCKG2	Subject =~ /(^|\b)(stocks?|small-cap)(\b|$)/i
meta		KAM_STOCKG	((HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_24) && HTML_MESSAGE && (__KAM_STOCKG1 || __KAM_STOCKG2))
describe	KAM_STOCKG	Graphical Pump and Dump Scams
score		KAM_STOCKG	3.0

#CEP Diploma Mill
body		__KAM_CEP1	/Job Prospect Newsletter|training.workshop/i
body		__KAM_CEP2	/legitimate verifiable degree|build a better you|domain.knowledge/i
body		__KAM_CEP3	/Career Education program|customize a learning program|certified.instructor/i
body		__KAM_CEP4	/(MBA|CEP)/
body		__KAM_CEP5	/degree\/certificates|certification/i
body            __KAM_CEP6     	/\d (week|month)/i
header          __KAM_CEP7     	From =~ /certificate program/i

meta            KAM_CEP        ((__KAM_CEP1 + __KAM_CEP2 + __KAM_CEP3 + __KAM_CEP4 + __KAM_CEP5 + __KAM_CEP6 + __KAM_CEP7) >= 3)
describe        KAM_CEP        CEP Diploma Mill Rule
score           KAM_CEP        3.5


#Commented since 3.2.0 is pretty old now
#if (version < 3.200000)
#  #BLANK EMAILS - CURRENTLY REQUIRES 99_FVGT_meta.cf for FM_NO_FROM AND NO_TO. UNDISC_RECIPS MIGHT BE REMOVED IN 3.2+
#    #HTML_SHORT_LENGTH DEPENDENCY RULE REMOVED FROM SA 3.2
#  meta    	KAM_BLANK01  	(MISSING_SUBJECT && (UNDISC_RECIPS || FM_NO_FROM_OR_TO || FM_NO_TO))
#  describe	KAM_BLANK01	Blank emails
#  score   	KAM_BLANK01     1.0
#  
#    #MSGID_FROM_MTA_ID REMOVED IN NEWER SPAMASSASSIN 3.2
#  meta    	KAM_BLANK02     (KAM_BLANK01 && MSGID_FROM_MTA_ID)
#  describe	KAM_BLANK02	Blank emails with MTA Headers
#  score   	KAM_BLANK02     1.0
#endif

#KAM GEOCITIES SPAM
# Updated by KAM based on Work by Dallas L. Engelken <dallase@nmgi.com> (T_GEO_QUERY_STRING)
uri 		KAM_GEO_STRING2 	/^http:\/\/(?:\w{1,5}\.)?geocities(?:\.yahoo)?\.com(?:\.\w{1,5})?(?::\d*)?\/.+?/i
describe	KAM_GEO_STRING2		Use of geocities/yahoo very likely spam as of Dec 2005
score		KAM_GEO_STRING2		4.7

#KAM GOOGLE SPAM
uri		KAM_GOOGLE_STRING	/^http:\/\/www.google.com\/url\?q=/i
describe	KAM_GOOGLE_STRING	Use of Google redir appearing in spam July 2006
score		KAM_GOOGLE_STRING	1.0

#MSN Brasil REDIRECTOR - Known exploit since at least 2007!! http://www.xssed.com/mirror/14129/
uri		KAM_MSNBR_REDIR		/g.msn.com.br\/BR9\/1369.0/i
describe	KAM_MSNBR_REDIR		Use of MSN Brasil Redirector for Spam seen in 2011
score		KAM_MSNBR_REDIR		5.0

#KAM MSN SPAM
uri             __KAM_MSN_STRING1         /^http:\/\/spaces\.msn\.com(?::\d*)?\/.+\//i
uri		__KAM_MSN_STRING2	       /^http:\/\/.{0,20}\.spaces\.live\.com/i
meta		KAM_MSN_STRING		(__KAM_MSN_STRING1 + __KAM_MSN_STRING2 >=1)
describe        KAM_MSN_STRING         spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
score           KAM_MSN_STRING         2.5

#KAM LIVEJOURNAL SPAM
uri             __KAM_LIVE1              /^http:\/\/.{0,20}\.(blogspot|livejournal)\.com/i
meta            KAM_LIVE          (__KAM_LIVE1)
describe        KAM_LIVE         blogspot.com & livejournal.com likely spam (Apr 2010)
score           KAM_LIVE         1.0

#KAM PAGE.TL SPAM - idea from Benny Pedersen
uri             __KAM_PAGE1              /^http:\/\/.{0,20}\.(page\.tl)/i
meta            KAM_PAGE          (__KAM_PAGE1)
describe        KAM_PAGE         Page.TL likely spam (Nov 2011)
score           KAM_PAGE         2.0

# This rule is to mark emails using the exploit of the URI parsing
uri 		KAM_URIPARSE       /(\%0[01]|\0).{1,100}\@/i
describe 	KAM_URIPARSE    Attempted use of URI bug-high probability of fraud
score 		KAM_URIPARSE     7.0

#Ebay Closed their Redirector - Disabled 4-9-05
# This rule is to mark emails using the exploit of the eBay redirector
#uri             KAM_EBAYREDIR    /.*.ebay.com.*RedirectToDomain/i
#describe        KAM_EBAYREDIR    Attempted use of eBay redirect-likely fraud
#score           KAM_EBAYREDIR    7.0

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
header          __KAM_AOL             	From =~ /\@aol.com/i
describe        __KAM_AOL             	Partial Rule: Marks AOL Addresses
header		__KAM_GOODAOL		From =~ /[a-z][a-z0-9]{2,15}\@aol.com/i
describe	__KAM_GOODAOL		Partial Rule: Marks Bad AOL Addresses
meta            KAM_COMBO_BADAOL     	__KAM_AOL && !(__KAM_GOODAOL)
describe        KAM_COMBO_BADAOL     	Invalid AOL Email Address-High probability of spam
score           KAM_COMBO_BADAOL    	3.0

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header          KAM_ADV_EMAIL           From =~ /(^| |<)ADV\@/i
describe        KAM_ADV_EMAIL           Marks adv@<domain.com> Addresses as likely SPAM
score		KAM_ADV_EMAIL		16.0

#SEXUALLY EXPLICIT EMAILS - With updates courtesy of Mark Damrose
header    __KAM_SEX_EXPLICIT1    Subject =~ /SEXUAL{2,3}Y[-_, ]{0,1}EXPL{1,2}I{1,2}CI{1,2}T/i
#EXPANDED TO INCLUDE HEADERS FOR SPAMS PREVALENT MAR 2007
header    __KAM_SEX_EXPLICIT2    Subject =~ /(?:fuck .*suck|suck .*fuck|pussy .*cock|cock .*pussy|horny amateur|couch sex|slut fuck|naked celebrity|pissing babes|ass[- ]fuck|animal cock|(^|\b)P.O.R.N |exposes sexy ass|drunk babe nude|masturbate|looking.for.sex|breast.implants|pedophile|child predator|explore.being.bad|double.penetration|hardcore.slut|getting.laid|your.disco.stick|having.sex.*begging|f.ckbook|xxx gay|asian porn|blowjob|anal xxx|huge tits tube|xxx tube|porn tube|porn video|sexy.clip|portal for xxx|3d porn|hard(er)?.erect)|dreaming of f.?cking|(^|\b)sex.in.the.car|horny.virgin|sex.acts|best.intercourse|sex request|dripping wet and need to get/i
header	  __KAM_SEX_EXPLICIT3	 From =~ /(?:better sex|sextrick|ashleymadison|booty.call|breast.(aug|surg|redu)|throbing.member|f[\*u]?ckbook|Local MILFs)/i
#MODIFIED TO FIX FP THANKS TO DOC SCHNEIDER AND MARK MARTINEC - REMOVED castrate|sexual.encounter|casual.sex|discreet.encounter 5/19/15
body	  __KAM_SEX_EXPLICIT4	 /(?:fucked hardcore|dildoes her tight ass|kinky watersports|schoolgirls? slut|teens? porn|first anal(\b|$)|pussy lips|kinky lesbian|sucks? cock|rub puss|spreads? cunt|fetish babe|kinky pee|muffdived \& fuck|deepthroat on knees|hello.naughty.boy|certain.type.of.guy|girlfriend.trick|sexual.stamina|sex...toy|porn.link|cunt.fuck|c-o-c-k|non.stop.sex|porn.industry|stronger.erection|make.her.moan|extreme.pro.abortion|erection.problem|your.erection|get.an.erection|hardest.erection|get.erect|xxx gay|asian porn|blowjob porn|anal xxx|huge tits tube|xxx tube|porn tube|fuckbook|portal for xxx|3d porn|DrPEnterprise|girlfriends.porn|\bsex.galler|pussy.eaten|shemale|anal.adventure|black.girls.video|gay.porn|pussy.wet|make.her.horny|crave sex|women.fuck|women.horny|wanting.to.bang|getting.laid.is.simple|woman.on.her.knees|b r e a s t|generic.ed.product|best.sex|f[^a-z]cking.you|f[^a-z]ckbuddy|F\#ckFriends|Milf Selfies|need.a.horny.man|cute.sex.lover|horny.as.f.ck|fun.in.the.bedroom|my.tits.are|be.horny|horny.girl|horny.i.am|horny.latina|huge.dildo|made.me.climax|sex in my office|a.good.f\@ck|married.horny.woman|sucked.your.d\@ck|horny.milf|suck.you.off|horny.stories|all.my.h[o0]les|cum.heavily|sucking.your.c[o0]ck|to.get.f[^a-z]cked)|h00kup|s\*xy|h0rny|ch0ked|pu\$\$y|f\*cked|F\#ck|F\*ck_/i
header	  __KAM_SEX_EXPLICIT5	 Subject =~ /(?:Babe.*dildo|milk.*pussy|licks.*lesbian.*tits|mud.*wrestling.*sluts|rock.*hard.*cock|working.*pussy|(anal|suck|lick|hot|cock|wife).*f.?u.?c.?k|sneaky.*upskirt.*shots|hairy.*(pussy|cunt)|chicks.*cum|shows.*off.*titties|tits.*milf.*sex|riding.*big.*dick|dildo.*pussy|slut.*sex|suck.*dick|show.*off.*pink.*slit|coed.*pussy|squirt.*pussy|polish.*cock|femdom.*fist|schoolgirl.*(f.?u.?c.?k|blowjob)|mistress.*finger.*slave|cervix.*examined|tits.*vibrator|licks.*lesbian|slut.*anal|slurp.*pecker|master.*hogtie|bitch.*stroke.*guy|huge.*cock.*bang|take.*dick.*ride|milf.*nailed|girl.*in.*panties|Slut.*Doing.*it|barely.*legal.*teen|perverted.*girl.*works.*ass|slut.*milking|caught.*fucking|F.?u.?c.?k.*(dick)|shemale.*strips|chick.*drilled|\bass.*screw|teen.*pussy|fucked.*hard|bimbo.*hooter|cuntbanged|tittyfucked|fuck.*cock|blowing and nailed|lesbians.*masturbat|shaking wet booty|pussy.*lip|lick.*asshole|kinky lesbian|suck.*cock|rub puss|tits.*cunt|kinky pee|fetish babe|exposes sexy ass|drunk babe nude|muff.*fuck|cock.?suck.*blonde|fuck.*vibrator|threeway.*orgy|sex.life.*new.level|your.sex.life|hotsex|f.cktonight|my.?pu[s\$]{1,5}y|InstaSext|SnapHookup|InstaAffair|InstaHookup|SexiSnap|SnapF.ck|snapbangmsg)/i

meta	  KAM_SEX_EXPLICIT	(__KAM_SEX_EXPLICIT1 + __KAM_SEX_EXPLICIT2 + __KAM_SEX_EXPLICIT3 + __KAM_SEX_EXPLICIT4 + __KAM_SEX_EXPLICIT5 >= 1)
describe  KAM_SEX_EXPLICIT      Subject or body indicates Sexually Explicit material
score     KAM_SEX_EXPLICIT      16.0

#SOLICITING AFFAIR SPAM
header    __KAM_SEX_AFFAIR1 Subject =~ /Have an affair|Your Affair is Waiting|sick of your wife|find you a girlfriend/i
header    __KAM_SEX_AFFAIR2 From =~ /Ashley.?Madison|Let's have fun/i
rawbody   __KAM_SEX_AFFAIR3 /have an affair|ashleymadison/i
rawbody   __KAM_SEX_AFFAIR4 /looking.for.affair/i

meta      KAM_SEX_AFFAIR    (__KAM_SEX_AFFAIR1 + __KAM_SEX_AFFAIR2 + __KAM_SEX_AFFAIR3 + __KAM_SEX_AFFAIR4 >= 2)
describe  KAM_SEX_AFFAIR    Subject or body soliciting an affair
score     KAM_SEX_AFFAIR    8.0

#KAM_TELEWORK
body		__KAM_TELEWORK1	/(generate|make) .{0,10}1.5K? (to|-) 3.5K (a day|daily|per day|per month)|makes? \$[\d,]+\/month|upgrade your salary/is
body		__KAM_TELEWORK2 /have a (?:tele)?phone|money making challenge|has full internet/is
body		__KAM_TELEWORK3 /return(?:ing)? (phone )?calls|working a few hours each day|positive work environment/is
body		__KAM_TELEWORK4 /fully qualified|no experience needed|all the training|managing expectations|accountability|stronger results/is
body		__KAM_TELEWORK5 /work (?:online )?from home|process(?:ing)? rebates (?:at|from) home|set your own hours|100% no risk|Western Union fees|new job or career/is
body		__KAM_TELEWORK6 /earning up to \d+USD|earn thousands of dollars|\d% commission|get rich quick|manager training|real.payoff/is
header		__KAM_TELEWORK7 Subject =~ /process rebates|easy work and great pay|making money today|earn money|vacancies in your city|internet jobs|bad ecomomy|(manager|supervisor).training|handling difficult|work.from.home/i
header          __KAM_TELEWORK8 From =~ /training|online/i

meta		KAM_TELEWORK	(__KAM_TELEWORK1 + __KAM_TELEWORK2 + __KAM_TELEWORK3 + __KAM_TELEWORK4 + __KAM_TELEWORK5 + __KAM_TELEWORK6 + __KAM_TELEWORK7 + __KAM_TELEWORK8 >= 3)
describe	KAM_TELEWORK	Stupid telework and training scams
score		KAM_TELEWORK	3.0


#.pw TLD - CHANGED TO AN ANCHOR AT THE END THANKS TO Stefan Botter
#.link TLD added - 2014-10-28
header SOMETLD_ARE_BAD_TLD          From:addr =~ /\.(link|pw)$/
describe SOMETLD_ARE_BAD_TLD        .PW & .LINK TLD Abuse
score SOMETLD_ARE_BAD_TLD           10.0


#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  #TESTING RULE
  body            KAM_LOCAL_TEST1 	/myspamtest12341234/
  describe        KAM_LOCAL_TEST1 	This is a unique phrase to trigger a + score
  score           KAM_LOCAL_TEST1 	50

  #REVERSE DNS TESTS FROM MIMEDEFANG - UNLESS YOU HAVE A TEST FOR REVERSE POINTERS, YOU CAN COMMENT THIS OUT
  header          KAM_RPTR_FAILED         X-KAM-Reverse =~ /^Failed/
  describe        KAM_RPTR_FAILED         Failed Mail Relay Reverse DNS Test
  score           KAM_RPTR_FAILED         6.0
  
  header          KAM_RPTR_SUSPECT        X-KAM-Reverse =~ /^Suspect/
  describe        KAM_RPTR_SUSPECT        Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
  score           KAM_RPTR_SUSPECT        2.45
  
    #REMOVED __URIBL_ANY DEPENDENCY AS THE RULE IS GONE.  NOTED by David Goldsmith.
  header          __KAM_RPTR_PASSED       X-KAM-Reverse =~ /^Passed/
  meta		  KAM_RPTR_PASSED	  (__KAM_RPTR_PASSED && (URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BCUDA_RBL + RCVD_IN_BCUDA_RELAY + RCVD_IN_XBL + KAM_SPAMJDR + KAM_LOTTO3 + __KAM_URIBL_PCCC + __KAM_MX + SPF_SOFTFAIL + SPF_FAIL + KAM_INFOUSMEBIZ + KAM_TOLL < 1))
  describe        KAM_RPTR_PASSED         Passed Mail Relay Reverse DNS Test
  score           KAM_RPTR_PASSED         -1.0
  
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0

  #DWDTECHSPAM /ETC
  header          KAM_RPTR_BADHOST        X-KAM-Reverse =~ /dwdtechllc.com|inculloop.net|donapex.net|wriltay.com|raptornode.com|voicitr.us|premiumjobhunt.com|newsocialdeals.com|dailysummercoupons.com|nm-priorityhosting.com|hypernia.com|queryfoundry.net|colocrossing.com|pawlitenews.com|hosted-by-i3d.net/i
  describe        KAM_RPTR_BADHOST        Very Spammy Hosting Company Identified
  score           KAM_RPTR_BADHOST        9.0

  #CUSTOM SCORES THAT KAM LIKES
  #score          SARE_GIF_ATTACH         3.0
  score           CHARSET_FARAWAY_HEADER  1.6
  score           MIME_CHARSET_FARAWAY    1.25
  score           FH_FROM_CASH            2.0
  score           EWG_BAD_40              1.5
  score           EWG_BAD_47              1.5
  score           EWG_BAD_54              1.5
  score           FREEMAIL_ENVFROM_END_DIGIT      1.0
  score           FREEMAIL_REPLYTO        1.0
  score		  KHOP_BIG_TO_CC          1.5
  score		  URIBL_DBL_SPAM	  5.0
  score		  AC_HTML_NONSENSE_TAGS	  4.0


  #ENABLING DNSWL - BUG 6668
  score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
  score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
  score RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3
  score RCVD_IN_DNSWL_HI 0 -5 0 -5

  #COMPLETE WHOIS IS DOWN
  #score __RCVD_IN_WHOIS 0
  #score RCVD_IN_WHOIS_INVALID 0
  #score URIBL_COMPLETEWHOIS 0

  #Custom subject whitelist
  #header  	FRANCHISE_JERRY 	Subject =~ /: (Franchise Application|Request Franchise Information)$/i
  #score   	FRANCHISE_JERRY 	-99.0
  #describe      FRANCHISE_JERRY 	Jerry's Franchise Application or Request

  header	KAM_INVALID_FROM	X-KAM-From =~ /From Header Missing Host/
  describe	KAM_INVALID_FROM	From header missing host portion
  score 	KAM_INVALID_FROM	4.0

  #RAPTOR ALTERED EMAILS
  body		__KAM_RAPTOR1		/altered by our Raptor filters/i
  header	__KAM_RAPTOR2		X-KAM-Raptor-Alter =~ /True/

  meta		KAM_RAPTOR		(__KAM_RAPTOR1 + __KAM_RAPTOR2 >= 1)
  describe	KAM_RAPTOR		PCCC Raptor altered the email
  score		KAM_RAPTOR		3.5

  #NJABL Shutdown Bug 6913 - Check after 3/3/2013 update if these can be removed
  score RCVD_IN_NJABL_CGI 0
  score RCVD_IN_NJABL_MULTI 0
  score RCVD_IN_NJABL_PROXY 0
  score RCVD_IN_NJABL_RELAY 0
  score RCVD_IN_NJABL_SPAM 0
  score __RCVD_IN_NJABL 0

  if can(Mail::SpamAssassin::Conf::feature_dns_query_restriction)
    dns_query_restriction deny njabl.org 
  endif

  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_RPTR_MISSING        X-KAM-Reverse =~ /^Missing/
  describe        KAM_RPTR_MISSING        Mail Relay Reverse DNS Entry Missing!
  score           KAM_RPTR_MISSING        9.0


  #KAM Bad Attach
  header          KAM_BADATTACH        X-KAM-BadAttach =~ /^True/
  describe        KAM_BADATTACH        Mail contains a bad attachment
  score           KAM_BADATTACH        15.0

  #RHS_DOB not working 10/6/2014 - Resolved 10/9/2014
  #score 	  URIBL_RHS_DOB 	0.0

else
  # no KAMOnly, stub rules
  meta  KAM_RAPTOR 0
  score KAM_RAPTOR 0
  meta  CBJ_GiveMeABreak 0
  score CBJ_GiveMeABreak 0
  meta  KAM_RPTR_SUSPECT 0
  score KAM_RPTR_SUSPECT 0
  meta  KAM_RPTR_FAILED 0
  score KAM_RPTR_FAILED 0
  meta  KAM_RPTR_PASSED 0
  score KAM_RPTR_PASSED 0
endif

#$6c822ecf@ - Idea from Jailer-Daemon on SARE
header		KAM_6C822ECF		Message-Id =~ /\$6c822ecf\@/i
describe	KAM_6C822ECF		$6c822ecf@ VERY prevalent message-ID header in SPAMs
score		KAM_6C822ECF		7.0

#DRILLING & MUST READ - With updates courtesy of Mark Damrose
header		__KAM_MUSTREAD1	Subject =~ /you (?:must|should|require|need|have) to read\.$/i
header 		__KAM_MUSTREAD2	Subject =~ /^(?:Weighty|Very important|Serious|Momentous|Significant|Grand|Essential) (?:message|letter|note)\./i

meta		KAM_MUSTREAD	(__KAM_MUSTREAD1 + __KAM_MUSTREAD2 >= 1)
describe	KAM_MUSTREAD	Subject indicative of a SPAM message
score		KAM_MUSTREAD	1.25

body		__KAM_DRILL1	/drilling/i
body		__KAM_DRILL2	/oil (company|partnership|and gas rights)/i
body		__KAM_DRILL3	/(exceed(ed)? .{0,10}expectations|see your brokers website)/i
body		__KAM_DRILL4	/(buy today|Check this deal out)/i

meta		KAM_DRILL	(KAM_MUSTREAD + __KAM_DRILL1 + __KAM_DRILL2 + __KAM_DRILL3 + __KAM_DRILL4 >= 4)
describe	KAM_DRILL	Oil Drilling SPAM
score		KAM_DRILL	1.5

#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  #WE USE MIMEDEFANG TO DISABLE ANY IFRAME, OBJECT OR SCRIPT TAGS IN EMAILS
  header	KAM_IFRAME 	X-IframeWarning =~ /Iframe\/Object\/Script tag\(s\) deactivated by MIMEDefang/
  describe	KAM_IFRAME	Email contained Iframe, Object or Script tags
  score		KAM_IFRAME	1.0
  
  body		KAM_IFRAME2	/you need a browser with javascript/i
  describe	KAM_IFRAME2	Email contains phrase instructing javascript use
  score		KAM_IFRAME2	1.0
  
  meta		KAM_IFRAME3	(KAM_IFRAME + KAM_IFRAME2 + T_HTML_ATTACH >=3)
  score		KAM_IFRAME3	5.0
  describe	KAM_IFRAME3	Likely email exploit - Email shouldn't require javascript in an email attachment

  #XEROX SCANS
  header          __KAM_XEROX1    Subject =~ /Scan from a Xerox WorkCentre Pro \#\d+|Scanned from a Xerox Multifunction Device/i
  meta            KAM_XEROX       (__KAM_XEROX1 + (KAM_IFRAME && T_HTML_ATTACH) + KAM_RAPTOR >= 2)
  score           KAM_XEROX       5.0
  describe        KAM_XEROX       Likely Fake Xerox Attachment

else
  # no KAMOnly, stub rules
  meta  KAM_IFRAME 0
  score KAM_IFRAME 0
endif

#STUPID REMOVE "*" to make the link working.
body		__KAM_STAR1	/REMOVE ("\*"|space) (in the above|to make the) link/i

meta		KAM_STAR	(__KAM_STAR1 >= 1)
describe	KAM_STAR	Stupid Obfuscated Link SPAMs
score		KAM_STAR	2.0

#IN LATE FEB 2007, WE BEGAN RECEIVING TONS OF EMAILS FORMATED ALL THE SAME. 
body		__KAM_SPAMKING1	/This advertisement is presented by/is
body		__KAM_SPAMKING2 /If you have any questions or concerns regarding this communication, please send correspondence/is
body		__KAM_SPAMKING3 /To .{0,30}(?:unsubscribe|stop|remove) .{0,35}(?:email|messages) from third party advertisers/is
body		__KAM_SPAMKING4 /notify .{0,30} that you no longer wish to receive (?:promotional )?messages/is
body		__KAM_SPAMKING5 /This (communication|message) was delivered to you by/is
body		__KAM_SPAMKING6 /(?:please send|Forward postal) correspondence to/is

meta		KAM_SPAMKING	(__KAM_SPAMKING1 + __KAM_SPAMKING2 + __KAM_SPAMKING3 + __KAM_SPAMKING4 + __KAM_SPAMKING5 + __KAM_SPAMKING6 >= 3)
describe	KAM_SPAMKING	SPAM using throw-away domains and addresses.  SpamKing's Heir!
score		KAM_SPAMKING	1.0

#THIS HEADER SEEMS TO BE PREVALENT IN SPAMS
header		KAM_SPAMJDR 	X-Mailerinfo =~ /OTHR_JDR/
describe	KAM_SPAMJDR 	Emails seen with SPAM containing this header X-Mailerinfo: OTHR_JDR1173771 
score		KAM_SPAMJDR	2.0

meta		KAM_COMBOJDR	(KAM_SPAMJDR + KAM_SPAMKING >= 2)
describe	KAM_COMBOJDR	Spam Test for Rules Combined with KAM_SPAMJDR
score		KAM_COMBOJDR	5.0

#LOTTO CRUD
body		__KAM_LOTTO1	/((you |e-?mail )(?:address,? )?(has |have )?(emerged as one of (the|our) winning|emerged as a category "A" Winner|came out as the winning coupon|emerged a winner|has won|(?:was |is )?attached( to)?\s+(winning number|serial|ticket|reference)|was one of the ten winners|has been selected as one of the lucky)|random selection in our computerized email selection system|procuring your prize|email id identified with coupon|e-mail addresses are picked randomly|send your winning identification|final recipients? of a cash|selected as the one of the beneficiaries|receiving your donation)/is
body		__KAM_LOTTO2	/((ticket|serial|lucky) number|secret pin ?code|pin number|batch number|reference number|promotion date|lottery|sweepstake|\d+ lucky recipients|for claim and inquiring)/is
body		__KAM_LOTTO3	/(won|claim|cash prize|pounds? sterling|over \$500|award sum of US\$|NOTIFICATION FOR CASH AID)/is
body		__KAM_LOTTO4	/(claims (office|agent|manager)|lottery coordinator|(certificate|fiduciary) (officer|agent)|fiduaciary claims|accredited agent|payment agency board|promotion manager|promotions? department|Name of +Agent:|executive secretary|claims & Management|lottery approved courier|promo.team)/is
body		__KAM_LOTTO5	/(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10]gbp)/is
body		__KAM_LOTTO6    /(Dear (Award|Consultation Prize|Lucky) Winner|Winning Notification|Attention:Winner|Dear:? Winner|Amount won:|Sincere Congratulations|Lucky Numbers:|you are a winner|prize attached|prize notification|claims requirement|winning number|winning sum|payout of|qualification number)|attached.file|numbers.on.email/is
header		__KAM_LOTTO7	Subject =~ /(Your Lucky Day|Final Notice|CONGRATULATION|(Attention:|ONLINE) WINNER|Winning Notification|Claim Fund|YOU HAVE WON|Online Notification|Your Winning Amount|PROMOTIONS MANAGER|Winnin?g Alert|NOTICE FOR YOUR CLAIM|WINNER|Reference Number)/i
header		__KAM_LOTTO8    From =~ /Lottery|powerball|western.union/i
header		__KAM_LOTTO9	Subject =~ /\d{3},\d{3}|eligibility.for.claims|promo.desk|deserves.\$\d/i

meta		KAM_LOTTO1	(__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 3)
describe	KAM_LOTTO1	Likely to be an e-Lotto Scam Email
score		KAM_LOTTO1	0.5

meta            KAM_LOTTO2      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 4)
describe        KAM_LOTTO2      Highly Likely to be an e-Lotto Scam Email
score           KAM_LOTTO2      1.0

meta            KAM_LOTTO3      (__KAM_LOTTO1 + __KAM_LOTTO2 + __KAM_LOTTO3 + __KAM_LOTTO4 + __KAM_LOTTO5 + __KAM_LOTTO6 + __KAM_LOTTO7 + __KAM_LOTTO8 + __KAM_LOTTO9 >= 5)
describe        KAM_LOTTO3      Almost certain to be an e-Lotto Scam Email
score           KAM_LOTTO3      2.0

#ABOUT YOUR INTERNET ACTIVITIES SPYWARE CRUD
header		__KAM_ABOUT1	Subject =~ /About your Internet (activities|activity)/i
body		__KAM_ABOUT2    /Spyware/i

meta		KAM_ABOUT	(__KAM_ABOUT1 + __KAM_ABOUT2 >=2) 
describe	KAM_ABOUT	Email Scam Hawking Anti-Spyware
score		KAM_ABOUT	1.0

#EMAIL ADVERTISING
body		__KAM_ADVERT1   /email advertising|\d{3}%.roi/is
body		__KAM_ADVERT2	/instant traffic (to your website|and sales)|demand.generation/is
body		__KAM_ADVERT3   /Email Ad Broadcast|Double OPT IN list|making.some.changes/is
header		__KAM_ADVERT4   Subject =~ /(get (instant|more) (sales|business|orders)|instant traffic, leads and sales|within 24 hours|increase in business|Ten Time Increase in Sales and Traffic|Emails Sent to Get You Sales)|sales.goal/i

meta		KAM_ADVERT	(__KAM_ADVERT1 + __KAM_ADVERT2 + __KAM_ADVERT3 + __KAM_ADVERT4 >= 4)
describe	KAM_ADVERT	Mailing List Scammers Hawking Their Lists / Services
score		KAM_ADVERT	2.5

#DOMAIN ADVERTISING
body		KAM_ADVERT3	/AllExpiringDomains.com/i
describe	KAM_ADVERT3	Traffic / Expiring Domain List Spam
score		KAM_ADVERT3	5.0

#ADVERTISEMENT
rawbody		KAM_ADVERT2	/(?:No longer interested in our offers|This (?: message| email)?is an Ad|Continue in your Secure Web Browser|Can\'t see the images( below|, continue)|To view this email as a webpage|see images for this offer|support best practices in responsible email marketing|This email is not unsolicited|You registered with one of our partners websites|a d v e r t i s (?:e )?m e n t|No-?Images? Click|Program is not endorsed, sponsored by or affiliated|can\'t read or see this email|By clicking any image and\/or text link in this Email|This is a commercial message|This message brought to you|THIS EMAIL IS A COMMERCIAL SOLICITATION|If you no longer wish to receive further offers|business solicitation message|link is for removal|end these weekly ad-messages|cancel these Ads go|This is an email advertisement|end all Advertisements go below|We are not spammers|Unsolicited email\?|Quit receiving these admail|I.{0,3}am not spamming)|commercial.advertisement|adv.ertisement|if.you.are.not.interested|Brought to you by:|This communication is an advertisement/is
describe	KAM_ADVERT2	This is probably an unwanted commercial email...
score		KAM_ADVERT2	0.55

#ONE LINE ADVERTISEMENTS
body		__KAM_1LINE1	/(free score and report|Did you overpay\?)/is
header		__KAM_1LINE2	Subject =~ /(free online score & report|I need tax savings? tip)/i

meta		KAM_1LINE	(__KAM_1LINE1 + __KAM_1LINE2 >= 2)
describe	KAM_1LINE	One liner SPAMs
score		KAM_1LINE	2.5

#CAN SPAM
body		KAM_CANSPAM	/(full compliance with the U.S. Federal-?Can-?Spam-Act|provides CAN-SPAM compliant email|consistent with the provisions of the CAN-SPAM Act|compliance with the CanSpam Act|no deceptive subject lines)/is
describe	KAM_CANSPAM	SPAM = Lack of Consent (not a Legal Definition)
score		KAM_CANSPAM	1.0

#GIFTS / GIFT CARDS
body		__KAM_GIFT1	/(Claim your free \$500 Target Gift Card|complimentary gift-?card|received a Victoria's Secret Giftcard|\$500 airline gift card|\$1000 gift card for you to shop|\$\d+.{0,50}gift card|Secret gift card)|costco.coupon|facebook.gift|claim.my.credit/is
body		__KAM_GIFT2	/(unsubscribe from this advertiseme(tn|nt)|exit future communications|to unsubscribe from this|to stop any offers from us)/is
body		__KAM_GIFT3	/every girl loves to buy|do you need a new|offer pass you by|shopping.online|best.price|activate.my|valued.{0,20}user|extra.deals|sign.up.today/i
body		__KAM_GIFT4	/card will be yours free|card on us|buy you the dyson animal|amazon.gift.?card|superstore|starbucks.card|card.egift|redeem.before|offering.you.this|enter.promo.code/i
body		__KAM_GIFT5	/member incentive program|complet(e|ing) the survey|your.customer.id|security.code|promotional.points/i
header		__KAM_GIFT6	From =~ /\$\d+ ?gift ?card|coupon|home.improvement|reward|voucher|starbucks|exclusive|amazon|ehost/i

meta		KAM_GIFT	((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + __KAM_SHORT >= 3) && __KAM_GIFT6)
describe	KAM_GIFT	Gift Card Scams
score		KAM_GIFT	3.5

meta		KAM_GIFT2       ((__KAM_GIFT1 + __KAM_GIFT2 + __KAM_GIFT3 + __KAM_GIFT4 + __KAM_GIFT5 + KAM_LOTSOFHASH + KAM_ADVERT2 >= 4) && __KAM_GIFT6)
describe	KAM_GIFT2       Gift Card Scams
score		KAM_GIFT2       3.5

# URL SHORTENERS
#REPLACED BY __KAM_SHORT - uri             __KAM_XDOTCO    /x\.co/

#MYSTERY SHOPPER
body		__KAM_SHOP1	/chosen to participate as a Mystery Shopper/is
body		__KAM_SHOP2	/Do you like to shop/is
body		__KAM_SHOP3	/make money while you shop/is
meta		KAM_SHOP	(__KAM_SHOP1 + __KAM_SHOP2 + __KAM_SHOP3 >= 3)
describe	KAM_SHOP	Mystery Shopper Scams
score		KAM_SHOP	2.0

#FAST CASH
rawbody		__KAM_FAST1	/make fast cash in real estate/is
meta		KAM_FAST	(__KAM_FAST1 + KAM_ADVERT2 >=2)
describe	KAM_FAST	Get Rich Quick, Make Money Fast Schemes
score		KAM_FAST	1.8

#BIZ CARDS FREE!
body		__KAM_BIZ1	/You always need new cards|free full color business cards|get 250 more ?- ?free|business card offer|500 business cards/is
header		__KAM_BIZ2	Subject =~ /(do not pay for|Stop paying for|free) business cards|get( your)? 250 Free|BOGO|500 cards for|all for \$1\.99/i
header		__KAM_BIZ3	From =~ /Free Business Cards|Custom Printing|Premium Cards/i

meta		KAM_BIZ		(__KAM_BIZ1 + __KAM_BIZ2 + __KAM_BIZ3 >= 2)
describe	KAM_BIZ		Free Business Card Emails
score		KAM_BIZ		2.5

#FDA
body		__KAM_FDA1	/statements.{1,10}not.{1,10}evaluated.{1,10}(FDA|Food ?(and|&) ?Drug Administration)/i
body		__KAM_FDA2	/not intended to diagnose,? treat,? cure,? or prevent/i
body		__KAM_FDA3	/FDA Recall/i

meta		KAM_FDA		(__KAM_FDA1 + __KAM_FDA2 + __KAM_FDA3)
describe	KAM_FDA		Carries a not evaluated by the FDA warning or recall warning
score		KAM_FDA		0.5

#WEIGHT LOSS
body		__KAM_WEIGHT1	/(overweight|extra weight|glutting|shed fat|burns fat|burn calories|appetite suppressant|stimulate your metabolism|unwanted weight|duet of the year|healthy energy boost|Suppresses Appetite|internal cleansing|detoxify|cellulite|unsightly bulges|fat burn|Diet of the year|acai|cuts cholesterol|cleanse excess waste|free sample|unwanted weight|Acai suppl[ie]ments|Diet\/Detox|\#1 Weight Loss|lose body fat|(lose|drop) (about )?\d+\s*[li]b|calorie burning machine|before eating carbs)|flush.fat.away|slimming.down|\d+.pounds.gone|lose.\dx|highest.rated.episode|unwanted..?gain|too.goo?d.to.be.true|get.slim|tv.segment|weird.solution/is
body		__KAM_WEIGHT2	/(\d pounds|lose[_ ]weight|suppress appetite|appetite out of control|Oprah|for cancer patients|colon cure|colon cleanse|colonmate|avai berry|acai burn|ultraslim|feel energized|excess[_ ]weight|no diet changes|no exercise|hollywood'?s hottest -?diet|acai berry edge|Acai Diet|top secret diet|Power HCG|Sensa|shocking method|Jennifer Aniston|before eating carbs|all natural weight.?loss|green fruit|top celeb's diet)|one.secret|enjoying.food|f-a-t|melt.fat|squeeze into them|crazy.workout|celebs.everywhere|zero.effort|nothing.to.lose/is
header		__KAM_WEIGHT3   Subject =~ /(leaner|slimmer|stop gaining weight|fat loss|weight management|now available without a script|wuYi tea|(drop|lost|shed|knocked) \d+.?(pounds|[li]bs?)|FRS Healthy Energy|instant diet|colonmate|trimmer you|body cleanse|acai berry|acai burn|Fatburner|cholesterol reduction|cholestapro|Ephedra|W[EA]IGHT[- ]LOSS PRODUCT OF THE YEAR|t-r-i-a-l|try our trial|cleanse your system|no exc?ercise|Acai Advanced|toxic sludge|cleanse your body|Acai Diet|Acai Elite|Acai Super|losing weight fast|weight loss|detox product|Power HCG|Weight Loss System|shocking (?:weight|weihgt) loss)|before eating carbs|all natural weight.?loss|eat this fruit|Jennifer An+iston's secret|drop.\d.dress.sizes|fat.burning|burn..?fat|get.slim|drop.the.weight|(drop|shed).[li]bs?|move.\.*.?the scale|step.by.step|drop..?pounds|perfect.body|lose.the.weight|half.my.size|special.nutrition|workout|skinny|simple.way|to.get.slim|workout.for.the..?lazy|start.losing.weight|melt.fat|celebs.boycott|celebs.did|overeating|without.any.effort|doctors.tv|oprah|results.are.in|as.seen.on|slim.?spray|zero.effort/i
rawbody		__KAM_WEIGHT4	/shocking method|Jennifer Aniston|nationally known|never.seen.anything.like.this|unusual.(new.)?tip|your.metabolism|need.a.boost|this.is.not.a."?(joke|hoax|fad|trend)|no working out|no starving|a trimmer you|celebrity.doctor|seen.on.(cnn|abc|cbs)|\d+%.?off|oprah.and.celeb|beer.belly|thunder.thigh|flush.fat.fast|get.skinny|Women's Health|dress.size|feel.good|physical.activity|starving|hit.a.plateau|flat.belly|brakes on your appetite/i
header          __KAM_WEIGHT5   From =~ /celeb.weightloss|no.work.workout|(drop|shed).pounds|(drop|shed).\d+[il]bs?|inches off|your.waist|nutrisystem|fat.burn|magic.slim|slim.pack|get.?slim|overweight|becomingslim|slimmer|skinny.tee|flush.fat|slimming.down|hot.trend|curves.?\dweek|stubborn.fat|\d+.pounds|look.great|lazy.workout|bikini|fit.community|slim.?spray|shave.off.(the.)?(pound|lb)|f-a-t|fit.in.\d+.day|days.to.slim|oprah|belly|biggestloser/i

#ANATRIM / GREEN TEA / CORTITHERM / ETC
body		__KAM_ANA1	/(anatrim|Green ?Tea|cortitherm|PHENTERTHIN|Phentremine|Acai Ultra|Civ-xR|WuYi Tea|Wu-?Yi Source|FRS Healthy Energy|Acai Berry|Chinese secret|Ephedra|Cholestapro|ColonMedic|Pure Cleanse|AcaiBurn|Acai Elite|Garcinia|Chlorogenic Acid|green coffee)/i
header		__KAM_ANA2	From =~ /green ?tea|Ultra ?Energy|weight ?loss|colon? ?clean|colon ?aid|acai|As seen on|Garcinia|sensa/i

meta		KAM_ANA		(__KAM_ANA1 + __KAM_ANA2 + (__KAM_OZ1 || __KAM_OZ2 || __KAM_OZ3) + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT4 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 3)
describe	KAM_ANA		Likely Weight-loss / Medical Spam
score		KAM_ANA		3.5

meta		KAM_ANA2	(__KAM_ANA1 + __KAM_ANA2 + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 + __KAM_WEIGHT1 + __KAM_WEIGHT2 + __KAM_WEIGHT3 + __KAM_WEIGHT4 + __KAM_WEIGHT5 + KAM_FDA + (__KAM_HTML1 || KAM_INFOUSMEBIZ) >= 5)
describe	KAM_ANA2	Higher probability of Weight-loss / Medical Spam
score		KAM_ANA2	3.5

#REPLACE
body		__KAM_REP1	/Replace \[?[-!~\.]\]? with \./is
body		__KAM_REP2	/www\s+[-!~\.]/i

body            __KAM_REP2_1    /(Just|Please|all you need to do is to) (copy|type):? (www\s)?.{0,10}[\[\(]([-!~\.]|dot)[\]\)]/is
body            __KAM_REP2_2    /in your (IE|internet|explorer|browser)/i

body		__KAM_REP3_1	/\*omit empty spaces/is
body		__KAM_REP3_2	/.\s+(COM|org|net|info)$/i

meta		KAM_REPLACE	(__KAM_REP1 + __KAM_REP2 >= 2) || (__KAM_REP2_1 + __KAM_REP2_2 >=2) || (__KAM_REP3_1 + __KAM_REP3_2 >=2)
describe	KAM_REPLACE	Spams that use obfuscated URLs with instructions
score		KAM_REPLACE	2.0

#EVEN MORE NIGERIAN SCAMS AND VARIANTS
body		__KAM_NIGERIAN1	/(?:payment officer|personal treasurer|experienced marketers|Chairman of the Finance Committee|contact my secretary|field of Financial Services|Head of Human Resources|Public Relation Officer|field of Business Services|payment agent|representing partner|vacancy in my company|representative\/book ?keeper|executor|search and selection of both experienced|retired chief economist|foreign partner|diplomatic courier|senior auditor|online book-?keeper)|in.your.country|united.state[^s]|states?.citizen|retired.ceo|nigeria|origin.finland|serious.illness|brain.(tumor|cancer)|former.minister|investment.partner|got.mugged|losing.my.(wife|only.son)/is
body		__KAM_NIGERIAN2	/(?:looking for dynamic representative|seek your partnership|new online business model|seek to transfer this money|completely legal activity|never ask you to pay or invest|in search of trustworthy representatives|establishing a new liaison network|rec[ei]{2}ving payment on our behalf|assist me in transferring those funds|make money at home|requiring rep to work on a part time|part time job\/full time|organization for the good work of the lord|job search directory|investor willing to invest in lebanon|invest in Real Estate|Your kind assistance|next of kin|gold.exportation|calgary.lotto)|oil.producing|import.firm|oil.and.gas|petroleum|asset.available|urgent.reply|(cash|credit.cards?|cell(.phone)?).(were|was).stolen/is
body		__KAM_NIGERIAN3	/(?:\d{1,2}\% (?:commission on each transaction|of the total will be set|will be mapped out|is made available to you|of the total sum for your partner|of the money for your effort|for\s+sales)|pay for performance|floating deficit|for your compensation|financial independence|their financial dreams|work from home part\s*-?\s*time|employing your services|get extra income|deduct your weekly salary \d\d%|transfer of the funds|make successful career at us|you will get \d{1,2}% on each|funds can be directed to your account as a grant|reasonable parentage|dormant domiciliary account|share would be \d+\%|pay you \d+%)|invest|have.a.sum|make.a.donation|immense.benefits|transact.a?.?business|company.sponsor|loan me \$/is
body		__KAM_NIGERIAN4	/(?:American oil merchant|independent contractor|removallink|claim the funds|international corporation|bank draft|becoming our contract staff|contractual employment|customers\s*in Europe,\s*America|new partner from UK|great investment site|money orders|cashiers check|access to the funds|piloting the business|moving the funds|next of kin|syrian.refugees|reply.for.detail)|security.reason|(his|her).account|new.investor|directly.beneficial|business.discussion|promise.to|need.to.spend/is
body		__KAM_NIGERIAN5 /Western Union Money Transfer|Money Gram|form of Money Orders|to apply for this job, please send the following|process our payments|not traceable|risk free transation|transfer to a designated bank account|inheritance return|my.inheritance|my.wealth|donation.to.you|out.of.country|charitable.trust/i

meta		KAM_NIGERIAN	(__KAM_NIGERIAN1 + __KAM_NIGERIAN2 + __KAM_NIGERIAN3 + __KAM_NIGERIAN4 + __KAM_NIGERIAN5 + LOTS_OF_MONEY + __KAM_REFI4 >= 4)
describe	KAM_NIGERIAN	Nigerian Scam and Variants
score		KAM_NIGERIAN	2.5

#I LIKE YOUR SPAM
body		__KAM_LIKE1	/been working (extremely|very) hard on my friend's website/is
body		__KAM_LIKE2	/a link from .{1,54} would be greatly appreciated/is
body		__KAM_LIKE3	/(link exchange|in return to me linking back)/is
body		__KAM_LIKE4	/HTML code for the link/is
body		__KAM_LIKE5	/I apologize if this message was sent, in error/is

meta		KAM_LIKE	(__KAM_LIKE1 + __KAM_LIKE2 + __KAM_LIKE3 + __KAM_LIKE4 + __KAM_LIKE5 >= 5)
describe	KAM_LIKE	I like your website link exchange spam
score		KAM_LIKE	2.0

#PUBLICLY AVAILABLE LISTS?
body		KAM_PUBLIC	/obtained your email address from a publicly available list|find your mail in public forum/is
describe	KAM_PUBLIC	Obtained from Public List != to Consent == SPAM!
score		KAM_PUBLIC	9.0

#SEXUALLY EXPLICIT RULES ROUND TWO - Fixed some FPs from Scunthorpe thanks to Stefan Morrell
body		__KAM_SEX1	/(?:double[ -]?headed|pornstar|huge weenie|male power|\d\dper\. of men|male enhancement product|enlarge patch|boost up your virility|clinically tested|improve manhood|Bigger Pen..is|Big Penis|incredible gains to your manhood|muscular manhood|nights unsatisfied|climaxes|sensual enhancer|love instrument|bigger member|excitement with girls|fucker|animal sex)|adds \d inches to your manhood|pussy licked|hard.erection/i
body		__KAM_SEX2	/(?:(\b|^)cunt(\b|$)|busty|interracial|hardcore|peni(s|le) enlarge|generic quality|enlarge your manhood|stone-hard manhood|XXL Dick|intense pleasure|spend a night with you|efficient medicine|turn on your wife|with your boner|dick dangl)|\d.(extra.)?inches.of.girth|best.sex/i
header		__KAM_SEX3	Subject =~ /(double dildo|bunsfuck|dominatrix|huge tits|anti-ED|most confident man|for men over 30|peni(s|le) enlargement|interracial gobble|bitch sucking dong|product actually does work|update your penis|mans mall|endurerx|more excitement|love package|add more fire|her best male|average guys|monster cocks|first anal|anal fucking|love with monsters|horse sex|be the stud)/i
body		__KAM_SEX4	/(?:bring your girlfriend back|satisfied with their size|penis so huge and heavy|more semen|volume of your loads|wondercum|ejaculate|bargain offers on medic|improve xxx|improve your lovemaking|youngest teen|teen pics|monster in his pants|(female|multiple) orgasms|extreme penetration)/i

describe	KAM_SEX		Sexually Explicit SPAM / Penis Enlargement Scam
score		KAM_SEX		7.0
meta		KAM_SEX		(__KAM_SEX1 + __KAM_SEX2 + __KAM_SEX3 + __KAM_SEX4 + __HTML_IMG_ONLY + (__KAM_VIAGRA6A + __KAM_VIAGRA6E + __KAM_VIAGRA7A >= 1 && !__KAM_VIAGRA_FPS) >= 2)

#STUPID PICTURE SPAMS
body		__KAM_PIC1      /(tired|bored) (this )?(today|tonight|evening|morning|afternoon)|saw your email address|online right now|can name me|found you on this site|I am alone|my next boyfriend|blonde with blue|like the girls|crush on you/is
body		__KAM_PIC2      /(nice girl|2\d years old|25 y.o. girl|pretty russian|I russian girl|age is 25|long legs, cute|see my pictures|I'm 19|searching for a bad girl|meet with such attractive|cute lady)/is
body		__KAM_PIC3	/like to chat|feelings can be true|like to have friendship|friendly guy|gave me your photos|waiting on you|found your pictures|send me a note|more information about you|text me ASAP/is
body		__KAM_PIC4	/(like to share some of my pics|some (?:great )?pictures of me|sending some of my pictures|To see my pic|hope you like my pic|will reply with my pics|show you some pic|chat with me and see|that's my photo)|will send you my pictures|view my profile|describe yourself|chat with me|bad girl|view your snapshot|want to watch video|erotic pics/is
body		__KAM_PIC5	/picture|photo|my pics|appended my pic/i

describe	KAM_PIC		Share Pictures and Chat SPAM
score		KAM_PIC		3.5
meta		KAM_PIC		(__KAM_PIC1 + __KAM_PIC2 + __KAM_PIC3 + __KAM_PIC4 + __KAM_PIC5 + __KAM_PRIV3 >= 4)

#STUPID MAILING LIST SPAMS
body		__KAM_LIST1	/((Hospital|MD) directory|Nursing Home (List|directory)|doctor lists|marketing lists|Licensed Physicians|practicing MDs|practicing Medical doctors|Physicians in America|emails for every state|(vip|laywers|planners|Business Email|HR Directors Email|Sales & Marketing Directors|Managing Director Email) database)/is
body		__KAM_LIST2	/(?:hospital|dentist|chiropractor|physician|medical doctors|nursing directors|medical marketing|\d sortable fields|records all with emails|business director(y|ies)|direct marketing data)|nursing assistant/is
body		__KAM_LIST3	/price\:|prices for our director/is
body		__KAM_LIST4	/(?:database|list|[\d,]+ (total records|e-?mails))/is
body		__KAM_LIST5	/(reply with "stop" as a subject|Send an email with "rem" in the subject to discontinue|put "cease" in the subject of an email|for termination of this e?mail|reply with .{1,8} in the subject)|you will have your email taken off|for the datacard|send.a.reply/is
header		__KAM_LIST6	Subject =~ /Database of (neurological|surgeons|doctors|nurses|mds)|MD Database|looking for list|email database|we have that list|marketing database|list.of.\d/i

describe	KAM_LIST	Mailing List Database SPAM
score		KAM_LIST	3.0
meta		KAM_LIST	(__KAM_LIST1 + __KAM_LIST2 + __KAM_LIST3 + __KAM_LIST4 + __KAM_LIST5 + __KAM_LIST6 >= 4)

#YET MORE DRUG SCAMS
body		__KAM_DRUG1     /Quality and cheap|premier quality|supor-collosal mixture|Discount-?Pharmacy|hi.quality.drug/is
body		__KAM_DRUG2	/cheaper|redeem in bulk and save|bigger quantities and Save|drugstore accredi[dt]ations|economical (?:value|amount)|drug.online.supplies/is
rawbody		__KAM_DRUG3	/local drugstore|(hush-hush|secret) with no waiting rooms|confidential package|distributed securely|shape is our main concern/is
body		__KAM_DRUG4	/click to buy|no previous doctors direction|No prescript[oi]{2}n needed|no script necessary|medicine assistance supplier|mail[- ]?order medicine/is

describe	KAM_DRUG	More Viagra, Medicine, et al Scams
score		KAM_DRUG	2.5
meta		KAM_DRUG	(__KAM_DRUG1 + __KAM_DRUG2 + __KAM_DRUG3 + __KAM_DRUG4 + __KAM_VIAGRA6A + __KAM_VIAGRA7A + KAM_REPLACE >= 4)

#DUE TO THE RASH OF IP BASED LINKS IN EMAILS DUE TO STORM BOTS, THESE ARE TESTS FOR IPS IN EMAILS
# I'D LIKE TO TEST THIS WITH ONE RULE BUT HAVEN'T FIGURED OUT HOW.  RIGHT NOW, ONE URL THAT IS BAD 
# AND ONE THAT IS GOOD WILL PASS :-(  I'D LIKE TO FIX THAT
rawbody            __KAM_GOODIPHTTP        /https?:\/\/(192\.168|10\.)/i
rawbody            __KAM_IPHTTP            /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe        KAM_BADIPHTTP           Due to the Storm Bot Network, IPs in emails is bad
score           KAM_BADIPHTTP           1.0
meta            KAM_BADIPHTTP           (__KAM_IPHTTP - __KAM_GOODIPHTTP >= 1)

body		__KAM_HIDDEN_URI1	/\[DOT\]com/is
body		__KAM_HIDDEN_URI2	/replace "?\[DOT\]/is
meta		KAM_HIDDEN_URI		(__KAM_HIDDEN_URI1 + __KAM_HIDDEN_URI2 >= 2)
describe	KAM_HIDDEN_URI		URI obfuscation techniques
score		KAM_HIDDEN_URI		4.0

#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody		__KAM_INFOUSMEBIZ1	/http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header		__KAM_INFOUSMEBIZ2	From:addr =~ /\.(info|us|me|me\.uk|biz)$/i
header		__KAM_INFOUSMEBIZ3	Return-Path =~ /\.(info|us|me|me\.uk|biz)>?$/i

meta		KAM_INFOUSMEBIZ	(__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
score		KAM_INFOUSMEBIZ	0.75
describe	KAM_INFOUSMEBIZ	Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware

# OTHER QUESTIONABLE / CHEAP TLDS - .click, .work, .rocks, .science
rawbody         __KAM_OTHER_BAD_TLD1      /http:\/\/(?:www.)?.{4,30}\.(click|work|rocks|science|club)(?![-\.])(\b|\/)/i
header          __KAM_OTHER_BAD_TLD2      From:addr =~ /\.(click|work|rocks|science|club)$/i
header          __KAM_OTHER_BAD_TLD3      Return-Path =~ /\.(click|work|rocks|science|club)>?$/i

meta            KAM_OTHER_BAD_TLD (__KAM_OTHER_BAD_TLD1 + __KAM_OTHER_BAD_TLD2 + __KAM_OTHER_BAD_TLD3 >= 1)
score           KAM_OTHER_BAD_TLD 0.75
describe        KAM_OTHER_BAD_TLD Other untrustworthy TLDs


#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body		__KAM_CARD1	/(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|somebody|father|mother|uncle|aunt|daughter|son|nephew)(\(.{0,35}\))?(?: has)? (?:sen[dt] you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|hallmark|thank you|e)\s*(e|post)?-?card/i
body		__KAM_CARD2	/(laughing kitty|crazy cat) card|enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)|^your .{1,15}card link:$|I bet your wife won\'?t do this for you|Your temporary Login Info|temp\.? password id|pics I took of my Ex-Wife|card will be aviailable|our.new.collection/i
body		__KAM_CARD3	/I['`]m in hurry, but i still love you...|has (issued you a greeting|made you an Ecard)|^(Follow this link:|click (here to enter our secure server:))?\s*?http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|eCard, open attached/i
header		__KAM_CARD4	Subject =~ /Here is some pics to say thanks|do you like em?|here is my picture|bra is too tight|look what I like to do|hot news|(\s|^)e-?cards?(\s|$)|greeting.e?card/i
rawbody		__KAM_CARD5	/postcard(\.gif)?\.exe|card.zip|groups.google.com|blaqseal/i

describe	KAM_CARD	Trojan or Virus Payload from fake ecard notice
score		KAM_CARD	3.5
meta		KAM_CARD	(__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_CARD4 + __KAM_CARD5 + KAM_INFOUSMEBIZ + __KAM_IPHTTP + KAM_RPTR_SUSPECT >= 3)

#INSURANCE / CAR / LIFE / HEALTH SCAMS - fixed $ bug thanks to Mark Chaney
header		__KAM_INSURE1	Subject =~ /get (low )?affordable health (coverage|insurance)|reduce health costs|without health coverage|\d+K(?:.in)?.(term.)?life|overypay for auto insurance|Policy.Payment|GAs Prices|Auto Insurance|get your 20\d\d quote|\$\d00,000 coverage|no exam|Insurance.Payment|child's financial future|\d+K in coverage|health insurance (?:plans|coverage)|(Omaba|obama).?care|Secure \d+k coverage|\$\d\d\d,\d\d\d of term life|life insurance coverage|save up to \d+% on .{0,10}insurance|Protect.your.family|homeowners insurance|home.?.?protection|read.asap|auto.policy|protect your|\$\d+K..?term|auto.?insurance|\d+k.available|simplified.protection|policy.update|view.policy|med(ical)?.exam|term.life|protection|\d+k.available|policy.review|business.insurance|your.health|care.policy|life.cover|life.secure|life.insured/i
body		__KAM_INSURE2	/find better Health Insurance Rates Today|get information about health coverage|protect your family|overpay for auto insurance|been recently,? lowered|gas prices are going up|Auto Insurnace go with it|no examination|get (?:a )?free quote|have been.{0,2}reduced|AutoWarranty|plans as low as|plans starting at|complete your health profile|Secure \d+k coverage|growing.family|milestone|special.enroll|updated.rate|lifeinsurance|no.medical.exam|accuquote|no.tobacco.rate|denied.coverage|business.policy|reduced.rate|coverage.starts.immediately|obama|respect.your.privacy/i
header		__KAM_INSURE3	From =~ /Cheaper Auto|Insurance|health.quote.direct|fidelity|gerber|lifeplan|notice|warranty.expir|auto-repairs.{0,30}no longer covered|affordable.?health|Health.?care|AIG|accuquote|life.?rate|eCoverage|humana|ahs.warranty|policy|farmer|qualify|term.life|milestone|payout|secure|out.of.pocket|\d+k|take.comfort/i
body		__KAM_INSURE4	/why pay more for.{0,30}coverage|save up to \d+%|accuquote|Life Insurance Coverage|protect.your.family.{1,20}insurance|Protect home and belonging|Affordable Care Act|new health insurance plan for you|home.?.?protection|\d+k.life.insurance|eligible for auto.coverage|set to expire|\$\d+\/mo|new.rate|your.auto.?insurance.policy|term.life|update.policy|legacy|estate|your.package|your.own.life|prepared.for.anything|paying.(far.)?too/i

describe	KAM_INSURE	Life, Health, Auto, etc. Insurance SPAMs
score		KAM_INSURE	3.5
meta		KAM_INSURE	(__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 3)

describe	KAM_INSURE2     Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
score		KAM_INSURE2     1.5
meta		KAM_INSURE2     (__KAM_INSURE1 + __KAM_INSURE2 + __KAM_INSURE3 + __KAM_INSURE4 + (KAM_ADVERT2 || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ || CBJ_GiveMeABreak) >= 4)

#HEALTH INSURANCE
body            __KAM_HEALTH1   /as low as \$\d+\s*(per|\/)\s*month|at \$\d+ including dental/i
body            __KAM_HEALTH2   /save up to \d+% on health insurance|affordable health coverage|quality term life insurance|nationalhealthxchange.com|view.rate|no.obligation|start.saving/i
rawbody         __KAM_HEALTH3   /easy and it's free|receive daily health news|check our rates|Call to qualify|no physical exam|set.to.expire|immediately.available|you.can.afford/i
rawbody         __KAM_HEALTH4   /health insurance (coverage|rates)|free .{0,3}personalized.quote|get a quote for health insurance|fast and easy term|life.milestone|instant.free.quote/i
header          __KAM_HEALTH5   Subject =~ /\$38 Health Insurance|health insurance quote|Save up to \d%|term.life|New Health Insurance|\$\d+\/mo|lifepolicy/i

describe        KAM_HEALTH      Health/Life Insurance Spam Emails
score           KAM_HEALTH      3.0
meta            KAM_HEALTH      (__KAM_HEALTH1 + __KAM_HEALTH2 + __KAM_HEALTH3 + __KAM_HEALTH4 + __KAM_HEALTH5 + KAM_ADVERT2 >= 4)

#HEALTH INSURANCE
body            __KAM_HEALTH2_1   /affordable health coverage/i
header          __KAM_HEALTH2_2   Subject =~ /health insurance quote/i

describe        KAM_HEALTH2     Health Insurance Spam Emails
score           KAM_HEALTH2     3.0
meta            KAM_HEALTH2     (__KAM_HEALTH2_1 + __KAM_HEALTH2_2 + HTML_MESSAGE >= 3)

#HEALTH INSURANCE
header          __KAM_HEALTH3_1   Subject =~ /Term Life Coverage/i
header          __KAM_HEALTH3_2   Subject =~ /\d\d\/mo/i
header          __KAM_HEALTH3_3   From =~ /fidelity/i

describe        KAM_HEALTH3     Term Life Insurance Spam
score           KAM_HEALTH3     3.0
meta            KAM_HEALTH3     (__KAM_HEALTH3_1 + __KAM_HEALTH3_2 + __KAM_HEALTH3_3 >= 3)

#REAL ESTATE INVESTMENT SCAMS
body		__KAM_REAL2_1	/(?:Property available|on the water|costa rica|mountain.top)/i
body		__KAM_REAL2_2	/(?:pre-development prices|finish building|torn down to build|exclusive place|ready.for.construction)/i
body		__KAM_REAL2_3	/(?:unbelievable deals|buyer with CA[s\$]h|pennies.on.the.dollar)/i
body		__KAM_REAL2_4	/(?:home sites|raw land|vacation home|wooded.property)/i
body		__KAM_REAL2_5	/(?:developers|estates|buyer flying in|retirement plans|liquidation)/i

describe	KAM_REAL2	Real-estate investment scams
score		KAM_REAL2	1.0
meta		KAM_REAL2	(__KAM_REAL2_1 + __KAM_REAL2_2 + __KAM_REAL2_3 + __KAM_REAL2_4 + __KAM_REAL2_5 >= 5)

#BASED on JIM MCCULLARS' IDEA AND DALLAS' GREAT PDFINFO RULES

ifplugin Mail::SpamAssassin::Plugin::PDFInfo
  #Thanks to Ben Lentz for pointing out a lint error with this.

  describe	KAM_BADPDF	Prevalent Junk PDF SPAMs - BAD SUBJECT
  score		KAM_BADPDF	2.5
  header		KAM_BADPDF	Subject =~ /(?:^.{0,15}(document|confirmation|marketwatch|pinksheets|wire info|pinksheets|investor_report|proposal|invest_today|alert|invoice|investor_letter|check)-\d{5,12}$|^basic[- _]chart-|^Active[- _](stocks|trader)|^Analyst[- _]Coverage|^Income[- _](report|details|statement)|^Market[- _](advice|watch)|^Investor[- _]news|^real-?time[- _]quotes)/i
  
  describe	KAM_BADPDF1 	Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
  score		KAM_BADPDF1	2.5
  meta            KAM_BADPDF1     (GMD_PDF_EMPTY_BODY + GMD_PDF_ENCRYPTED >= 2)
 
  #2009-03-11 - Found FP on this rule where a bad reverse PTR and a Subject triggered this rule.  That was NOT the intent. 
  describe        KAM_BADPDF2     Prevalent Junk PDF SPAMs - 3 STRIKES
  score           KAM_BADPDF2     2.5
  ifplugin Mail::SpamAssassin::Plugin::KAMOnly
    meta            KAM_BADPDF2     (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >=1)
  else
    meta            KAM_BADPDF2     (KAM_BADPDF + KAM_BADPDF1 + MISSING_SUBJECT >= 2) && (KAM_RPTR_SUSPECT >=1)
  endif

endif

#FAKE PDF READER/WRITE
body		__KAM_FAKEPDF1	/Download PDF Reader.Writer/is
body		__KAM_FAKEPDF2	/Reader 2010/is
header		__KAM_FAKEPDF3  From =~ /adobe/is
header		__KAM_FAKEPDF4  Subject =~ /reader.writer version 2010/is

meta		KAM_FAKEPDF	(__KAM_FAKEPDF1 + __KAM_FAKEPDF2 + __KAM_FAKEPDF3 + __KAM_FAKEPDF4 >= 3) 
describe	KAM_FAKEPDF	Fake PDF Reader / Writer
score		KAM_FAKEPDF	4.0

#VACU AND VARIOUS PHISHING SCAMS
  #SUBJECTS
header		__KAM_PHISH2_1	Subject =~ /(VACU Message|Virgini?a Credit|Account Verification|account might be compromised|Account Status Notification|important.alert|payment.advice|important.update|card.declined)/i
  #BANKS
body		__KAM_PHISH2_2	/Virginia Credit Union|Lloyds|HSBC|usaa|barclay|credit card account/is
  #BAD LINKS
rawbody		__KAM_PHISH2_3	/https?:\/\/.{5,30}\.(kr|hk|edu|pl|ie|it|pro)\//i
  #STUPID STATEMENTS
body		__KAM_PHISH2_4	/unauthori[sz]ed use|security.enhancement|dropbox|hold.(on.)?your.fund/i
body		__KAM_PHISH2_5	/account suspension|temporary locked|temporarily.suspend|your.reference|accurately.detail/i
body		__KAM_PHISH2_6  /confirm your online banking details|payment.advice|online.fraud|billing.information/i
body		__KAM_PHISH2_7  /extra security check|security.tip/i

describe	KAM_PHISH2	Prevalent Phishing Scam emails
score		KAM_PHISH2	2.0
meta		KAM_PHISH2	(__KAM_PHISH2_1 + __KAM_PHISH2_2 >= 2) && ((__KAM_IPHTTP + __KAM_URIBL_PCCC + __KAM_PHISH2_3 >= 1) || (__KAM_PHISH2_4 + __KAM_PHISH2_5 + __KAM_PHISH2_6 + __KAM_PHISH2_7 >= 4))


#CRAZY HEX EMPTY MESSAGE
body		__KAM_HEX1	/^[a-f0-9]{8}(\b|$)/i
header		__KAM_HEX2	Subject =~ /^\d{5,6}$/

describe	KAM_HEX		Crazy Empty Hex Messages
score		KAM_HEX		5.5
meta		KAM_HEX		(__KAM_HEX1 + __KAM_HEX2 >= 2)

#THE BAT! MAILER USED TOO MUCH FOR SPAM
# I'VE LOOKED AT THIS AND JUST CAN'T ARGUE THAT IT LOOKS LIKE IT WILL HELP. 
header		KAM_THEBAT	X-Mailer =~ /The Bat!/i
describe	KAM_THEBAT	Abused X-Mailer Header for The Bat! MUA
score		KAM_THEBAT	1.9

#MAILER BUGS
body		__KAM_MAILER1	/{!firstname_fix}/i

meta		KAM_MAILER	(__KAM_MAILER1 >= 1)
score		KAM_MAILER	2.0
describe	KAM_MAILER	Automated Mailer Tag Left in Email

#YET ANOTHER NIGERIAN SCAM VARIANT
body		__KAM_CHECK1	/delivery fee for your che(que|ck) draft/i
body		__KAM_CHECK2	/let me know when you recieve your money/i

describe	KAM_CHECK	Another Nigerian Bank Draft Scam
score		KAM_CHECK	3.0
meta		KAM_CHECK	(__KAM_CHECK1 + __KAM_CHECK2 + __KAM_REFI4 >= 3)

#SEE OPRAH LIVE!
body		__KAM_OPRAH1	/airfare/i
body		__KAM_OPRAH2	/hotel/i
body		__KAM_OPRAH3	/oprah/i
header		__KAM_OPRAH4	Subject =~ /see\s+.*oprah\s+.*live/i

describe	KAM_OPRAH	SPAMs re: Oprah Winfrey Show
score		KAM_OPRAH	2.5
meta		KAM_OPRAH	(__KAM_OPRAH1 + __KAM_OPRAH2  + __KAM_OPRAH3 + __KAM_OPRAH4 >= 4)

#EBAY TIPS
body		__KAM_EBAY1	/Succeed on ebay|thousands with ebay|ebay success|money-making secret/i
body		__KAM_EBAY2	/Auction success kit|Great Money Maker|documented program|Chuck Mullaney|more bills than money/i
header		__KAM_EBAY3	Subject =~ /ebay .*for dummies|ebay expert|work online|ebay business|secrets to ebay|Chuck Mullaney|living on ebay|build a business|huge cash flows/i

describe	KAM_EBAY	SPAMs re: eBay Auction Tips
score		KAM_EBAY	3.5
meta		KAM_EBAY	(__KAM_EBAY1 + __KAM_EBAY2 + __KAM_EBAY3 >= 3)

#GAS PRICES, GAS CARDS, OTHER FUEL-RELATED SPAM
body		__KAM_GAS1	/Gas prices are at an? all time high|\$\d per gallon|gasoline cards/i
body		__KAM_GAS2	/We have a solution|save \d+ cents per gallon|competitive rewards/i
header		__KAM_GAS3	Subject =~ /High Gas Prices|ripped off for gas|Save \d+c per gallon/i
header		__KAM_GAS4	From =~ /gas/i

describe	KAM_GAS		SPAMs re: High Gas Prices
score		KAM_GAS		4.5
meta		KAM_GAS		(__KAM_GAS1 + __KAM_GAS2 + __KAM_GAS3 + __KAM_GAS4 >=3)

#WEIRD BODY MESSAGES
body		KAM_BODY	/{_BODY_HTML}/i
score		KAM_BODY	1.0
describe	KAM_BODY	Odd Erectile Dysfunction Messages with Poor Formatting

#FREE TV, SATELLITE, CABLE INTERNET, ETC
body		__KAM_TV1	/watch unlimited television|DTV4PC|Online TV Code|Free DVD-CD Burner|100% legal|Rabbit TV|reliable.cable.service/i
body		__KAM_TV2	/without a monthly fee|pay a cable or satellite bill|no monthly fee|watch uncensored|movies online|no censorship|favorite.channels|online.television|\d{3}.channels|high.speed/i
header		__KAM_TV3	Subject =~ /watch uncensored tv|digital TV|internet TV|Free TV|tv online for free|(shows|movies).with.cable|less.than.dish|stream.*channels|\$\d{2}.mo/i
header		__KAM_TV4	From =~ /Unlock Internet TV|Movie Download|product alert|cable.tv|tv.stream|high.speed/i

meta		KAM_TV		(__KAM_TV1 + __KAM_TV2 + __KAM_TV3 + __KAM_TV4 >= 2)
score		KAM_TV		3.0
describe	KAM_TV		Free TV/Cable/etc. Scams

meta		KAM_TV2		(KAM_TV + KAM_INFOUSMEBIZ >=2)
score		KAM_TV2		3.5
describe	KAM_TV2		Higher probability of Free TV/Cable/etc. Spams

#DEGREE SPAMS
body		__KAM_CAREER1	/Hospitals need you|Medical Billing and Coding|medical.coding/is
body		__KAM_CAREER2	/Get your Healthcare Degree|Billing and Coding degree|job.placement|great.opportunity|training.start(s|ing).soon|job.growth/is
body		__KAM_CAREER3	/unstable.economy|secure.a.position|fast.growing|extraordinary.benefits|work.from.home/is

meta		KAM_CAREER	(__KAM_CAREER1 + __KAM_CAREER2 + __KAM_CAREER3 + KAM_ADVERT2 >= 3)
score		KAM_CAREER	5.0
describe	KAM_CAREER	Spam for Career/Diploma Mills

#NURSE SPAMS
header          __KAM_NURSE1   From =~ /nursing|nurses|health.?care/i
header          __KAM_NURSE2   Subject =~ /nurses (?:are now in high.?demand|are needed)|become a nurse|open.position|training|cna.education/i
body            __KAM_NURSE3   /nurses (?:are NOW in high.?demand|are needed)|nursing Degree|indispensable.position|growing.career|nursing.assist|certified.nurs/i

meta            KAM_NURSE      (__KAM_NURSE1 + __KAM_NURSE2 + __KAM_NURSE3 >= 3)
score           KAM_NURSE      3.0
describe        KAM_NURSE      Spam for Career/Diploma Mills

#PILLS
header		__KAM_PILLS1	Subject =~ /save \d\d% on your (pills|drugs|medications)/i
body		__KAM_PILLS2  	/be (thrifty|smart|clever), buy your (pills|drugs|medications)/i

meta		KAM_PILLS	(__KAM_PILLS1 + __KAM_PILLS2 >=2)
score		KAM_PILLS	4.0
describe	KAM_PILLS	Spam for scam pharmacy

#PILLS 2.0
header   	__KAM_PILLS2_1  From =~ /Enlarge|Men's Supplement/i
header 		__KAM_PILLS2_2 	From =~ /Free Sample/i

meta 		KAM_PILLS2 	(__KAM_PILLS2_1 + __KAM_PILLS2_2 >= 2)
describe 	KAM_PILLS2 	Male enhancement spams
score 		KAM_PILLS2 	2.5

#ALTERNATE EMAIL
body		__KAM_ALT1	/reply to my alternative E-?mail/is

meta		KAM_ALT		(__KAM_ALT1 >= 1)
score		KAM_ALT		0.5
describe	KAM_ALT		Requests use of an alternate email which may indicate spam


#POLITICAL SPAMS
#AS WE ENTER AN ELECTION PERIOD, WE SEE UNSOLICITED MAILS FROM ORGS

#Right vs Left
header		__KAM_POLITICS1	From =~ /Right vs Left|Minuteman|Senator|Pennsylvania Transportation Partners|Americans for Limited Government|special election|conservative|liberal|congress|judge|usa.?net|senate|fedup|sen\. |tea.party|the.right.to/i
body		__KAM_POLITICS2	/Minuteman Civil Defense Corps|National Campaign Fund|Right vs Left|Restore America PAC|penntransportation.com|getliberty.org|Americans for Limited Government|radical|true.conservative|true.liberal|job.killing|wasteful.spending|senate.takeover|liberal.agenda|smear.campaign|america.s future|liberty|obama|governor|election.day|v-o-t-e|sign.the.petition|paid.for.by|dear.conservative|dear.liberal|winning.the.senate|election.cycle|return.power|failed.policy|(left|right).is.claiming|bigwigs|favorable.voters/i
header		__KAM_POLITICS3 Received =~ /\.politicalsystems.net|republican.com|democrat.com|inboxfirst.com/i
header          __KAM_POLITICS4 Subject =~ /alert:?.?election|^elect|(republican|democratic).party|and.vote|impeach|insanity|for.america|election.ad|liberals|conservatives|back.?room.deal|urgent.obama|social.security.mistake|big.social|absentee.info/i

meta		KAM_POLITICS	(__KAM_POLITICS1 + __KAM_POLITICS2 + (__KAM_POLITICS3 + __KAM_POLITICS4 >= 1) >= 2)
score		KAM_POLITICS	9.0
describe	KAM_POLITICS	Unsolicited Political E-Mails

#SPAMMING COMPANIES

#Wall Street Media
header		__KAM_COMPANY1	From =~ /W\$[LM]( |_)(Insurance|Mortgage)( |_)New\$/i

meta		KAM_COMPANY1	(__KAM_COMPANY1 >= 1)
score		KAM_COMPANY1	5.0
describe	KAM_COMPANY1	Egregious spammers that should also be on RBLs (and might be)

#MGM,LLC
body          	__KAM_COMPANY2_1	/Member Services MGM, LLC/is

meta            KAM_COMPANY2   	 	(__KAM_COMPANY2_1 >= 1)
score           KAM_COMPANY2    	5.0
describe        KAM_COMPANY2    	Egregious spammers that should also be on RBLs (and might be)

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

  #PCCC URIBL Check for bad URIs in body, Received, From and Reply-to
  #Thanks to AXB for his help with these!

  #2013-10-09 Note
  #
  #These RBL's below can contain domains that can cause collateral damage.  
  #We try and only add these domains when the evidence is overwhelming and points to a culture or architecture prone to spaminess.
  #And this can include services that have legitimate and illegitimate users; servers for legitimate firms that are compromised; and hosting firms which fail to have adequate anti-spam procedures.
  #The lists have high scores which we believe are consistent with the veracity of the research used to compile the lists.
  #Additionally, we ONLY use this RBL to improve our scoring and it is not used to block emails outright.
  #However, your mileage may very and you might want to seriously dial down the scores especially if you do block/reject/blackhole emails.
  #Feedback is appreciated and requests to de-list can be sent via https://raptor.pccc.com/raptor.cgim?template=report_problem
  #Or to explicitly skip RBL testing for a domain, use uridnsbl_skip_domain example.com

  if (version >= 3.003000)
    #HOSTS THAT BEHAVE LIKE TLDS, SUCH AS BLOGSPOT.COM AND OTHER FREE HOSTING - NOTE BLOGSPOT is in 20_aux_tlds.cf ALREADY
    util_rb_2tld ning.com
    util_rb_2tld mygbiz.com
    util_rb_2tld web.com
    util_rb_2tld onmicrosoft.com
    util_rb_2tld online.de
    util_rb_2tld wix.com
    util_rb_2tld netdna-cdn.com
    util_rb_2tld dreamhost.com
    util_rb_2tld noip.us
    util_rb_2tld mmsend.com
    util_rb_2tld cu-portland.edu
    util_rb_2tld jimdo.com
    util_rb_2tld doesphotography.com
    util_rb_2tld isteaching.com
  endif

  # allow URI rules to look at DKIM headers if they exist and our SA version supports it
  if (version >= 3.0040001)
    parse_dkim_uris 1
  endif

  #body
  urirhssub  KAM_BODY_URIBL_PCCC    multi.pccc.com. A 127.0.0.4
  body       KAM_BODY_URIBL_PCCC    eval:check_uridnsbl('KAM_URIBL_PCCC')
  describe   KAM_BODY_URIBL_PCCC    Body contains URI listed in PCCC URIBL (https://raptor.pccc.com/RBL)
  tflags     KAM_BODY_URIBL_PCCC    net
  score      KAM_BODY_URIBL_PCCC    5.0

  urirhssub  KAM_BODY_MARKETINGBL_PCCC    multi.pccc.com. A 127.0.0.32
  body       KAM_BODY_MARKETINGBL_PCCC    eval:check_uridnsbl('KAM_MARKETINGBL_PCCC')
  describe   KAM_BODY_MARKETINGBL_PCCC    Body contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
  tflags     KAM_BODY_MARKETINGBL_PCCC    net
  score      KAM_BODY_MARKETINGBL_PCCC    0.001


  if (version >= 3.004001) 
    #all from addresses domains - This is a new check available in 3.4.1-rc1+ which will check bob.com for something like bob@test.bob.com - The old code did not properly handle octet subtests
    header     KAM_FROM_URIBL_PCCC    eval:check_rbl_from_domain('pccc', 'multi.pccc.com.', '127.0.0.4')
    describe   KAM_FROM_URIBL_PCCC    From address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
    tflags     KAM_FROM_URIBL_PCCC    net
    score      KAM_FROM_URIBL_PCCC    5.0

    header     KAM_FROM_MARKETINGBL_PCCC    eval:check_rbl_from_domain('pccc', 'multi.pccc.com.', '127.0.0.32')
    describe   KAM_FROM_MARKETINGBL_PCCC    From address associated with mass-marketing (https://raptor.pccc.com/RBL)
    tflags     KAM_FROM_MARKETINGBL_PCCC    net

    score      KAM_FROM_MARKETINGBL_PCCC    0.001

    meta       KAM_MARKETINGBL_PCCC (KAM_BODY_MARKETINGBL_PCCC || KAM_FROM_MARKETINGBL_PCCC)
    describe   KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)
    score      KAM_MARKETINGBL_PCCC 1.0
  endif

  #Received
  #header     KAM_RCVD_URIBL_PCCC    eval:check_rbl_sub('pccc', '^127\.0\.0\.4$')
  #describe   KAM_RCVD_URIBL_PCCC    Received header contains URL listed in PCCC URIBL (https://raptor.pccc.com/RBL)
  #tflags     KAM_RCVD_URIBL_PCCC    net
  #score      KAM_RCVD_URIBL_PCCC    5.0

  #Reply-to
  #NO SOLUTION

  #Test for any hits
  meta	     __KAM_URIBL_PCCC  (KAM_BODY_URIBL_PCCC + KAM_FROM_URIBL_PCCC >= 1) 

  #Test for URIBL Blank and Spamhaus DBL per discussion ith Alex Broens
  meta     KAM_VERY_BLACK_DBL    (URIBL_BLACK && URIBL_DBL_SPAM)
  describe KAM_VERY_BLACK_DBL    Email that hits both URIBL Black and Spamhaus DBL
  score    KAM_VERY_BLACK_DBL    5.0 

endif

#EMAIL BLACKLIST CHECK FOR PCCC RBL
ifplugin Mail::SpamAssassin::Plugin::EmailBL
  #changed to remove -headers and change to -all which is the same as -headers and -bodysafe
  header   KAM_MESSAGE_EMAILBL_PCCC  eval:check_emailbl('freemail-all', 'multi.pccc.com', '127.0.0.64')
  describe KAM_MESSAGE_EMAILBL_PCCC  Message contains freemail address listed in PCCC URIBL (https://raptor.pccc.com/RBL)
  tflags   KAM_MESSAGE_EMAILBL_PCCC  net
  score    KAM_MESSAGE_EMAILBL_PCCC  5.0
endif

#FAKERBL MX RELATED RULES
header		__KAM_MX1		Reply-To =~ /\@mx\d+\./i
header		__KAM_MX2		Return-Path =~ /\@mx\d+\./i
header		__KAM_MX3		Received =~ /(\(|\b)(pet|ptr|tech|host|mta|mx|vps|vsp|colo|sox|m)\d+\./i
header		__KAM_MX4		Received =~ /(\(|\b)[0-9A-F]{8}\.ptr\./i
header		__KAM_MX5		Received =~ /(\(|\b)[a-z]{2,4}[0-9]{1,3}\..{1,20}\.info/i

meta		__KAM_MX		(__KAM_MX1 + __KAM_MX2 + __KAM_MX3 + __KAM_MX4 + __KAM_MX5 >= 1)
describe	__KAM_MX		Odd prevalence of mx records associated with the FAKERBL Spammers

#CHANGED KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly

  meta            KAM_MX2                 (__KAM_MX + (__KAM_URIBL_PCCC + URIBL_BLACK >=1) >= 2)
  score           KAM_MX2                 4.0
  describe        KAM_MX2                 Spammers and MX Rule 

  #meta            KAM_MX3                 (__KAM_MX + URIBL_BLACK >= 2 && KAM_MX2 == 0)
  #score           KAM_MX3                 4.1
  #describe        KAM_MX3                 Odd prevalence of MX records for non-identified Spammers

endif

meta		KAM_MX4			(__KAM_MX5)
score		KAM_MX4			1.0
describe	KAM_MX4			MX Record and dot info domains associated with FAKERBL Spammers


#BAD ADDRESS / COMPANY NAMES 
#FINISHED URL CLEANUP BUT MOST URLS MOVED TO PCCC URIBL
#removed ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|sexywebdating|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus
body            __KAM_ADDRESS1          /204 N. El Camino Real|CocoMedia|17 Patchogue Road|1128-274 Royal Palm Beach|(848|500) N. Rainbow Dr. Ste \#?(2511|300)|CMI Free Stuff|Vista Del Mar Productions|by SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|Cascio Interstate Music|R. Allen Media|The Only Virginia Team|Ban Amnesty Now|Intrust Domains|8001 Irvine Center Dr|American Arbitration Association, 1633 Broadway|\+962 79 668 2974|7025 County Rd. 46A|1001 E.Hillsdale Blvd|New Heights Development and Research|Red Base Interactive|RateMarketplace|WORLD COMPANY REGISTER|WhatsApp Inc|Streetdirectory Pte Ltd|4399 Church Street, Brooklyn|Mobie Concepts, Inc.|Clickingz IT Research Lab|Leadz[,\.].?Co|DLF Cyber City Gurgaon India|4447 N Central Expressway, Office \#110|5401 Hangar Court|Pimsleur Approach|1600 JFK Boulevard, 3rd|Business Who's Who|Who's Who Among Executives|Buena Vista Catalogue|10620 Southern Highlands|Ashray Medical Center|Bethany Christian Services|Ashland.Avenue.{0,4}95761|Preston Energy|SteelCityAds|Beyond Human, LLC|Research Promo Center|OmegaK, Inc|320 S. Lemon Blvd \# 1803|1063 (suite.)?([\#\d]+.)?King St|8 White Ln. Mansfield|Momentum.Ads|PO Box 29502 \#24912 Las Vegas|2383.Mystic Dr..Sarasota.FL|1107 Valeria Dr, Marion|321 N Central Expressway Suite 341|PO Box 540488 Houston|Post Office Box 4668 NY|9100 Wilshire Blvd. East Tower Penthouse|Headquarters, 18 True Tower Building|111 Customer Way, Irving|B a y t o w n, TX|adilizer..?com Post.Office.Box 540488|353 Chadwick Pl Fairborn|PO.?Box.295[O0]2.Las.?Vegas|1103 St. Michel|Suite 115-243, San Diego|100 E. Campus View|(3.?2.?0.?5|three two zero five)..?L.?a.?k.?e.S.?a.?r.?a.?h|100 RITCHIE ROAD|M i n n e s o t a|3801 D..?o..?w..?n..?s..?W..?a..?y|515 Oaklane McPherson|74.Lancaster..?RD|202.Albion|One Kimeric Ln|302 Washington St|One.One.Eight.Jason.Ln|PO.Box.227.Moran|V a l e r i a|Dove Lighting Co|BrandRoot SEO|Team TPW|WEB ANALYTICS MEDIA LLC|Scott Walker Inc. Testing the Waters|CARLY for America|Scott Walker for America|Jeb 2016, Inc/i

header		__KAM_ADDRESS2		From =~ /CMI Free Stuff|Vista Del Mar Productions|SuperClub|Buil tech Services|eMarketing Alliance|aSHARPi Media|Plaza Neptuno|Satell Center for Executive Education|Pacific Shores Investments|rx ?unit|Cascio Interstate Music|R. Allen Media|The Only Virginia Team|Intrust Domains|American Arbitration Association|Rate\.?Marketplace|Health.Quote.Direct|Pimsleur|Ethika Politika|Disney Movie Club/i

meta            KAM_ADDRESS             (__KAM_ADDRESS1 + __KAM_ADDRESS2 >= 1)
score           KAM_ADDRESS             13.0
describe        KAM_ADDRESS             Addresses and Companies prevalent in spams

# END SPAMMING COMPANIES

#GRASS SEED
header          __KAM_GRASS1  	From =~ /(Patch|Perfect|Lawn)/i
header		__KAM_GRASS2	Subject =~ /rich beautiful lawn|grow grass|grass seed on steroids/i
body		__KAM_GRASS3 	/Grass Seed On Steroids|rich beautiful lawn|Patch Perfect Seeds|Grow Grass (anywhere|in the shade)/i

meta		KAM_GRASS	(__KAM_GRASS1 + __KAM_GRASS2 + __KAM_GRASS3 >= 3)
score		KAM_GRASS	2.5
describe	KAM_GRASS	Spammers hawking lawn products

#PED EGG / BELISI / SKIN PRODUCTS
header          __KAM_SKIN1    	From =~ /(Ped ?Egg|Healthy Feet|beautiful feet|belisi|skin tightener|medical|Wrinkle|Face ?Lift|Skin Reju|Nuforia|LifeCEll|Miracle Hydrate|beauty tip|lifestyle lift|marine essentials|nufori?a)|skin transformer|lifecell|oz.show|botox|your.skin|rejuvenate|youth|ellen/i
header          __KAM_SKIN2    	Subject =~ /Ped ?Egg|Healthy Feet|beautiful feet|tighter skin|works for wrinkles|Sera Concepts|Wrinkle Eraser|\d\d years younger|Hollywood(?:'s)? Secret|years younger|perfect skin|anti.?aging|look younger in \d+ day|regain your youthful|years off your appear|flawless.skin|youthful appear|fine.lines|collagen.production|dark.circles|your.skin|looks?.like.this|looks?.great|images?.leaked|looks.\d|ellen.looks/i
rawbody         __KAM_SKIN3    	/Ped ?Egg|Belisi|Botox|Gabamed|Sera Concepts|Purelift|nuforia|natural collagen|complimentary trials|nugenics|marine essentials|Nufori?a|ellen.has.a|flawless.skin|phyto|facelift|hype.is.real|celeb.trend|twenty.years.younger|face.lift|pics.leaked|rejuvenate/i
body		__KAM_SKIN4	/feet feel smooth and healthy|calluses and dead skin|silky smooth skin|tighter skin|\d.years.younger|anti[- ]aging|look younger|free trial|lose 25 years|angered plastic surge|quick and easy trick|anti-?aging|blood pressure low|heart rate monitor|selfies|just.one.month|just.four.weeks|medical.research|rebuild.your.skin|decades.younger|erase.time|gossip|smooth.lines/i

meta            KAM_SKIN       (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 +  __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
score           KAM_SKIN       3.5
describe        KAM_SKIN       Spammers hawking skin/medical/foot products

meta            KAM_SKIN2      (KAM_ADVERT2 + __KAM_SKIN1 + __KAM_SKIN2 + __KAM_SKIN3 + __KAM_SKIN4 +  __KAM_TRIAL + __KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 4)
score           KAM_SKIN2      2.5
describe        KAM_SKIN2      Spammers hawking skin/medical/foot products

#NEW CAR / WARRANTY SCAMS
header		__KAM_CAR1	Subject =~ /(save thousands|vehicle warranty|paying too much for auto|skyrocketing cost of car|car deals|deal on a new car|cheap(er)? auto insurance|warranty options|afford the car|blowout|auto repair bills)/i
body		__KAM_CAR2	/buying a new car|dream car|new car you want|free auto insurance(?:-| )quote|save money on your auto|roadside assistance|extended warranty/i
body		__KAM_CAR3	/unbelievable payment terms|no commitment|free price quote|get competitive quotes|offering better rates|no obligation quote|Pay Later|No risk|save up to \d+%/i
header		__KAM_CAR4	From =~ /warranty|lender|clearance/i

meta		KAM_CAR       (__KAM_CAR1 + __KAM_CAR2 + __KAM_CAR3 + __KAM_CAR4 >= 2)
score           KAM_CAR       2.0
describe        KAM_CAR       Spammers hawking new car, insurance or warranties

# MORE NEW CAR SPAMS
header          __KAM_AUTO1 Subject =~ /new.vehicle|biggest.discounts|clearance.event|must.go|half.off.auto|blue.book|cars.priced|dirt.cheap|new.car|new.truck|half.off|dealership|dealers.compete|trade.it.in|auto(motive)?.parts|inventory.must.go|\d\d%.off.msrp|all \d\d\d\d.s must go|time.to.drive|all.vehicle|clearance.pric|all.\d\d\d\d.(cars|trucks)/i
header          __KAM_AUTO2 From =~ /car.?saving|auto.?deals|%.off|half.(off|price)|ford|gm|clearing.lots|model.year|latest.auto|dealership|clearance|cars?.discount|\d+.model|\d+.half.off|auto.price|best.auto|motor|trade.in|auto.part|imotor|autotrend/i
body            __KAM_AUTO3 /(car|truck).dealer|clearance.price|shop.cars|\d+.vehicles|dealership|deep.discount|liquidating|vehicle.options|auto.news|old.clunker|dream.car|clearance.inventory|dealer.clearance|special.clearance|auto(mobile?).recall|clearance.pric|new.ride|dealers.{1,40}.scrambling|sell.yours.for.more|car.is.worth|auto.parts.brand|blowout|incredible.discount/i

meta            KAM_AUTO (__KAM_AUTO1 + __KAM_AUTO2 + __KAM_AUTO3 + (KAM_COUK || KAM_OTHER_BAD_TLD || CBJ_GiveMeABreak) >= 3)
describe        KAM_AUTO Spam for new cars
score           KAM_AUTO 4.5

#HOME WARRANTY SPAMS
header		__KAM_WARRANTY1  Subject =~ /home warrant|protect your home|home repair|homeowners insurance|repairing your house/i
body		__KAM_WARRANTY2	 /Protect your home|choice home warranty|unexpected repair/i
body		__KAM_WARRANTY3  /home warrant|complimentary insurance quote/i
header		__KAM_WARRANTY4	 From =~ /ChoiceHomeWarrant|TotalProtect|home.?Insurance|CHW Home Warranty|AHS.warranty/i

meta		KAM_WARRANTY	(__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 3)
score		KAM_WARRANTY	1.5
describe	KAM_WARRANTY	Spammers hawking home warranties

meta		KAM_WARRANTY2	(KAM_WARRANTY + KAM_INFOUSMEBIZ >= 2)
score		KAM_WARRANTY2	3.5
describe	KAM_WARRANTY2	Spammers pushing home warranties

meta		KAM_WARRANTY3	(__KAM_WARRANTY1 + __KAM_WARRANTY2 + __KAM_WARRANTY3 + __KAM_WARRANTY4 + CBJ_GiveMeABreak >= 4)
score		KAM_WARRANTY3	1.5
describe	KAM_WARRANTY3	Spammers hawking home warranties

#AWESOME AUGER
header		__KAM_AUGER1	Subject =~ /Dig Holes|plant Trees/i
body		__KAM_AUGER2	/Awesome Auger/i

meta		KAM_AUGER	(__KAM_AUGER1 + __KAM_AUGER2 >= 2) 
score		KAM_AUGER	4.0
describe	KAM_AUGER	Spammers hawking Awesome Augers?!?

#MOVIE EXTRA
header		__KAM_MOVIE1	Subject =~ /Movie Extra/i
body		__KAM_MOVIE2	/Movie Extra/i

meta		KAM_MOVIE	(__KAM_MOVIE1 + __KAM_MOVIE2 >= 2)
score		KAM_MOVIE	3.0
describe	KAM_MOVIE	Spammers hawking Movie Extra positions

#DEBT COLLECTION
header		__KAM_COLLECT1	Subject =~ /You Pay Nothing/i
body		__KAM_COLLECT2	/No Fee/i
body		__KAM_COLLECT3	/collection professionals/i
body		__KAM_COLLECT4  /recovery rate/i

meta		KAM_COLLECT	(__KAM_COLLECT1 + __KAM_COLLECT2 + __KAM_COLLECT3 + __KAM_COLLECT4 + __KAM_SEARCH5 + KAM_ADVERT2 >= 4)
score		KAM_COLLECT	5.0
describe	KAM_COLLECT	Spammers hawking debt collection


#SEARCH ENGINE SPAM
header		__KAM_SEARCH1	Subject =~ /be seen first on (google|msn|yahoo)|get ranked high|rank high|(no cost|free) website (analysis|search engine)|WEBSITE PROMOTION|social media|blog leads|infotech|(first|1st)(.page)?.result|seo.service|seo.{1,30}expert|on.your.website|organic.seo|site.ranking|website.health/i
body		__KAM_SEARCH2	/search engine|SEO|bring.traffic|business.development/i
body		__KAM_SEARCH3	/(first on|all of) the major search|not ranked number one|Website promotion|popular keywords|mobile.website|complete.solution|back.link|india.based|surfing|not.ranking.on/i
body		__KAM_SEARCH4	/guaranteed type of exposure|free website search engine optimi|increase your revenue|improve your website traffice|website rank higher|marketing service|popular.keyword|media.presence|media.portal|brand.awareness|analytics.certified|optimized.content|white.label|website.optimization|digital.marketing|in.your.industry/i
rawbody		__KAM_SEARCH5   /Click2Call|a1-solutions|fast-response.net|action-pros.net|tops-1.com|vividinfotech.com|internet.marketing|web.solution/i

meta 		KAM_SEARCH	(__KAM_SEARCH1 + __KAM_SEARCH2 + __KAM_SEARCH3 + __KAM_SEARCH4 + __KAM_SEARCH5 >= 4)
score		KAM_SEARCH	5.0
describe	KAM_SEARCH	Spammers hawking SEO

#SEO
header		__KAM_SEO1	Subject =~ /Idea for \[|can rank 1st on Google|Organic SEO|SEO (Solution|proposal)|integrated marketing|optimization.service/i
body		__KAM_SEO2	/(?:top|first page) (?:in|of) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
body		__KAM_SEO3	/never find your web site|major search engines|link.building|WEBSITE AUDIT REPORT|specific.keyword|targeted.email|visited.your.website/i
body		__KAM_SEO4	/No upfront fees|SEO Specialists|online marketing services|S.?E.?O.? Company in INDIA|google.panda|google.penguin|not.ranking/i
body		__KAM_SEO5	/more traffic guaranteed|results in thirty day|top 5 organic|high revenue|free.analysis|guaranteed.top/i
body		__KAM_SEO6	/will not get your website banned|Google.?s SEO policies|six month ongoing campaign|web.promotion/i
uri             __KAM_SEO7      /./ # LEGITIMATE SEO EMAILS WOULD SURELY HAVE AT LEAST ONE URL TO THEIR WEBSITE...

meta		KAM_SEO		(__KAM_SEO1 + __KAM_SEO2 + __KAM_SEO3 + __KAM_SEO4 + __KAM_SEO5 + __KAM_SEO6 + !__KAM_SEO7 + __KAM_FREEMAIL + KAM_ADVERT2 >= 5)
score		KAM_SEO		7.0
describe	KAM_SEO		Spammers hawking SEO

#ABUSED FREEMAIL ACCOUNTS
header          __KAM_FREEMAIL1 From =~ /(?:websolution|seo).{0,15}\@gmail.com/i
header		__KAM_FREEMAIL2	From =~ /speakeasylingerie\@gmail.com/i
meta		__KAM_FREEMAIL	(__KAM_FREEMAIL1 + __KAM_FREEMAIL2 >= 1)

#LINGERIE VIDEOS
header		__KAM_LINGERIE1	From =~ /lexi campbell/i
header		__KAM_LINGERIE2	Subject =~ /Exotic modeling Videos/i
header		__KAM_LINGERIE3 Subject =~ /Hustler Magazine/i
body		__KAM_LINGERIE4 /Exotic modelling videos/i

meta		KAM_LINGERIE	(__KAM_FREEMAIL + __KAM_LINGERIE1 + __KAM_LINGERIE2 + __KAM_LINGERIE3 >= 4)
score		KAM_LINGERIE	10.0
describe	KAM_LINGERIE	Sexually Explicity Lingerie Spam


#WEB DESIGN
header		__KAM_WEB1	Subject =~ /Web.?(Design|programming).?Services|Web.?Designing/i
body		__KAM_WEB2	/INDIA based IT|indian.based.website|certified.it.company/i
body		__KAM_WEB3	/Online Marketing Consultant|possible.redesign|seo.service|mobiles?.app|business.develop|commerce.solution/i

meta		KAM_WEB		(__KAM_WEB1 + __KAM_WEB2 + __KAM_WEB3 + KAM_ADVERT2 >= 3)
score		KAM_WEB		4.0
describe	KAM_WEB		Web design spams

#DOMAIN NAME AND OTHER RELATED SPAMS
body		__KAM_DOMAIN1	/Domain (opportunity|notification|release|Availability|club)|Notification for Domain|availability.notice|time.draws.near|submit.a.bid|your.business|exclusive.rights|free.registration|the.domain.provider|website.wizard|increase.your.{0,50}.traffic|domain.extension|brand.can.leverage|like.to.obtain|buy(ing)?.this.domain/i
body		__KAM_DOMAIN2	/(?:available|listed) (?:by|for|at|in) auction|confirm interest in (this domain|owning)|capturing this domain|proposal.on.the.domain|exclusive.owner|online.search|web.form|counting.down|potential.buyer|interested.parties|secure.{1,50}.today|drive.more.leads|targeted.traffic|similar.domain|exclusive.regis/i
body		__KAM_DOMAIN3	/(?:have|own) a domain (that is )?.{0,5}similar|(have|own) a similar domain|offer on the Domain|similar to your (current )?domain|Domain Division|all.domains|main.webpage|visibility.platform|solicitation|potential.owner|your.offer|domain.match|domain.notification|domain.will.be|interest.{1,20}.domain.name|fully.responsive|website.included|list.your.website|opportt?unity.regarding|courtesy.notification/i
header		__KAM_DOMAIN4	From =~ /domain|sales|submit.site|inquiries/i
header          __KAM_DOMAIN5   Subject =~ /\.com$/i

meta		KAM_DOMAIN	(__KAM_DOMAIN1 + __KAM_DOMAIN2 + __KAM_DOMAIN3 + __KAM_DOMAIN4 + __KAM_DOMAIN5 >= 3)
score		KAM_DOMAIN	8.5
describe	KAM_DOMAIN	Domain Selling Spams

#MEDICAL TOURISM SPAM
body		__KAM_MEDTOUR1	/medical.tourism/i
body		__KAM_MEDTOUR2	/lowest cost in India/i
header		__KAM_MEDTOUR3	Subject =~ /Medical.Tourism/i

meta		KAM_MEDTOUR	(__KAM_MEDTOUR1 + __KAM_MEDTOUR2 + __KAM_MEDTOUR3 >= 3)
score		KAM_MEDTOUR	3.0
describe	KAM_MEDTOUR	Medical Tourism Spam

#ACNE SPAM
header		__KAM_ACNE1	Subject =~ /Proactiv/i
header		__KAM_ACNE2	From =~ /Acne/i
body		__KAM_ACNE3	/proactiv/i
body		__KAM_ACNE4	/Online Gift Rewards/i

meta            KAM_ACNE      (__KAM_ACNE1 + __KAM_ACNE2 + __KAM_ACNE3 + __KAM_ACNE4 >= 4)
score           KAM_ACNE      5.0
describe        KAM_ACNE      Spammers hawking Acne products

#SOFTWARE SPAM
header		__KAM_SOFTWARE1		Subject =~ /fix Windows File Errors/i
header		__KAM_SOFTWARE2		From =~ /registry/i
body		__KAM_SOFTWARE3		/Fix file errors/i
body		__KAM_SOFTWARE4		/download for no cost|FREE Software|Free Analysis|Free Report/i

meta		KAM_SOFTWARE	(__KAM_SOFTWARE1 + __KAM_SOFTWARE2 + __KAM_SOFTWARE3 + __KAM_SOFTWARE4 >= 4)
score		KAM_SOFTWARE	5.0
describe	KAM_SOFTWARE	Spammers hawking Software products

#NIGERIAN SCAM SCAN
header		__KAM_NIGERIAN2_1	Subject =~ /high court|contact fedex courier|WIRE TRANSFER/i
body		__KAM_NIGERIAN2_2	/barrister|director of central bank|bank director|former.minister|gold.dealer/i
body		__KAM_NIGERIAN2_3	/high court|central bank|payment center|customs?.officer/i
body		__KAM_NIGERIAN2_4	/e-?mail id is found among those that have been scammed|paid the fee for your cheque draft|contact the bank director/i
body		__KAM_NIGERIAN2_5	/fund code|cheque|bank draft|oil.and.gas/i
body		__KAM_NIGERIAN2_6	/full contact information requested|need your contacts informations|your bank account information|out.of.the.country/i
body		__KAM_NIGERIAN2_7	/bank|smuggle/i
body		__KAM_NIGERIAN2_8	/courier|diplomat agent|direct wire transfer|my.gold|the.gold/i
body		__KAM_NIGERIAN2_9	/scam|don't let them know that it is money|bank transfer charges/i

meta		KAM_NIGERIAN2		(__KAM_REFI4 + __KAM_NIGERIAN2_1 + __KAM_NIGERIAN2_2 + __KAM_NIGERIAN2_3 + __KAM_NIGERIAN2_4 + __KAM_NIGERIAN2_5 + __KAM_NIGERIAN2_6 + __KAM_NIGERIAN2_7 + __KAM_NIGERIAN2_8 + __KAM_NIGERIAN2_9 >= 6)
score		KAM_NIGERIAN2		5.0
describe	KAM_NIGERIAN2		Yet more Nigerian scams. Some even explaining the scam.

#MEDICAL
body		__KAM_MEDICAL1		/million who suffer from|suffered from organ failure|Medical Billing and Coding|medical doctor/i
body		__KAM_MEDICAL2		/Safe - Natural - Effective/i
header          __KAM_MEDICAL3          From =~ /Medical/i
header          __KAM_MEDICAL4          Subject =~ /Medical Billing/i

meta            KAM_MEDICAL             (__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_MEDICAL3 + __KAM_MEDICAL4 >= 3)
score           KAM_MEDICAL             4.0
describe        KAM_MEDICAL             Misc medical spam

#EAR RINGING
body		__KAM_TINNI1		/TinniFix/i
body		__KAM_TINNI2		/Stop the ringing in your ears/i
header		__KAM_TINNI3		Subject =~ /(ringing|buzz) in your ears/i

meta		KAM_TINNI		(__KAM_MEDICAL1 + __KAM_MEDICAL2 + __KAM_TRIAL + __KAM_TINNI1 + __KAM_TINNI2 + __KAM_TINNI3 >= 5)
score		KAM_TINNI		5.0
describe	KAM_TINNI		Another Medical Scam

#GIVEAWAY
body		__KAM_GIVE1		/receive your gift/i
body		__KAM_GIVE2		/laptop giveaway|deliver your dell.? laptop/i
body		__KAM_GIVE3		/answering a short survey/i
body		__KAM_GIVE4		/verify your shipping address/i

meta		KAM_GIVE		(__KAM_GIVE1 + __KAM_GIVE2 + __KAM_GIVE3 + __KAM_GIVE4 >= 4)
score		KAM_GIVE		4.0
describe	KAM_GIVE		Free stuff "giveaway" scam

#GOVERNMENT MONEY
header		__KAM_GOVT1		Subject =~ /Government Funding/i
body		__KAM_GOVT2		/government funding/i
body		__KAM_GOVT3		/complimentary information kit/i
body		__KAM_GOVT4		/No.Money?.{0,4}No.Problem/i

meta		KAM_GOVT		(__KAM_GOVT1 + __KAM_GOVT2 + __KAM_GOVT3 + __KAM_GOVT4 >= 4)
score		KAM_GOVT		4.0
describe	KAM_GOVT		Your tax dollars at work scam...

#RBL TRUST RULES
meta		KAM_RBL		(URIBL_BLACK + RCVD_IN_PBL >=2)
score		KAM_RBL		2.0
describe	KAM_RBL		Higher scores for hitting multiple trusted RBLs

#KAM CNN
header		__KAM_CNN1	Subject =~ /CNN.com Daily Top/i

meta		KAM_CNN		(__KAM_CNN1 == 1)
score		KAM_CNN		2.0
describe	KAM_CNN		CNN Daily Top 10 Link Obfuscation spams

#SNUGGIE BLANKETS / SHAM WOW
header          __KAM_SHAM1             Subject =~ /Hold 20 times|ShamWow/i
header		__KAM_SHAM2		From =~ /Sham ?Wow/i
body            __KAM_SHAM3             /ShamWow/i
body            __KAM_SHAM4             /20(X| times) its weight/i

meta            KAM_SHAM                (__KAM_SHAM1 + __KAM_SHAM2 + __KAM_SHAM3 + __KAM_SHAM4 + KAM_ADVERT2 >= 3)
score           KAM_SHAM                2.0
describe        KAM_SHAM                More product scams...

#SANTA LETTERS
header          __KAM_SANTA1            Subject =~ /Santa Letter|Letter from Santa|Santa send a letter|Sent by Santa/i
body            __KAM_SANTA2            /Santa Letter|Letter from Santa|sent by Santa/i
body            __KAM_SANTA3            /the .?perfect.? gift|personalized letter/i

meta            KAM_SANTA               (__KAM_SANTA1 + __KAM_SANTA2 + __KAM_SANTA3 >= 3)
score           KAM_SANTA               3.5
describe        KAM_SANTA               Ho Ho Holy smokes Batman another Santa Letter spam...

#WORK FOR / LEARN GOOGLE
header          __KAM_GOOGLE1            Subject =~ /Learn Google|Google Starter Kit|with Google|Use Google|Google Work|google millionaire|Google Business|Google Pro Sucess|with my Google|Google Home Business|Google ATM|One Hour On Google|Free Money Making|make a fortune on ?line/i
body            __KAM_GOOGLE2            /learn how to earn|automated income kit|online from home|as much money as you wish|be the boss/i
body            __KAM_GOOGLE3            /tons of money|making \$[\d,]*s with Google|extra cash|making serious money/i
body		__KAM_GOOGLE4	 	 /with Google|Google Pie|Google Cash/i
header		__KAM_GOOGLE5		 From =~ /Google Money/i

meta            KAM_GOOGLE               (__KAM_GOOGLE1 + __KAM_GOOGLE2 + __KAM_GOOGLE3 + __KAM_GOOGLE4 + __KAM_GOOGLE5 >= 3)
score           KAM_GOOGLE               3.5
describe        KAM_GOOGLE               Google Pyramid Scams

#SECURITY / ALARM 
header          __KAM_ALARM1            Subject =~ /Free Alarm Quotes|home security|protect your.(house|home)|protect.what.matters.most|adt monitor|keep.watch|monitor.the.home|home.alarm|feel safe|burglar|high.crime|free.security|with.this.offer|crime.can|watching.your.home|adt.is.here/i
body            __KAM_ALARM2            /free Quote|burglaries|wireless.security.camera|(Guard|protect) Your Family|ADT is Number One|monitored security system|install from ADT|with ADT security|keep(ing)?.your.home.safe|home.is.your.castle|sleep.with.security|home.security.system|remote.access|video.security/i
rawbody         __KAM_ALARM3            /Great rates on Home Security|(1|one) in Alarm System Monitoring|protect your loved ones|protect your business|your source for home security|event on home security|keep.the.home.safe|night.vision|online.monitoring|surveill?ance.camera|ADT.monitor|top.notch.security|exclusive.to.you/i
header		__KAM_ALARM4		From =~ /adt|security.?cam|home.security|wireless.security|security.?camera|author.zed|home.?alarm/i

meta            KAM_ALARM               (__KAM_ALARM1 + __KAM_ALARM2 + __KAM_ALARM3 + __KAM_ALARM4 + KAM_COUK >= 3)
score           KAM_ALARM               4.5
describe        KAM_ALARM               Security and Alarm Company Spams

rawbody         __KAM_ALARM5            /gaylord/i

meta            KAM_ALARM2              (KAM_ALARM && __KAM_ALARM5)
score           KAM_ALARM2              2.5
describe        KAM_ALARM2              High Probability of Security and Alarm Company Spams

#SELL CARDS
header          __KAM_SELL1            Subject =~ /Market Credit Cards/i
body            __KAM_SELL2            /Easy Money/i
body            __KAM_SELL3            /Selling Credit Cards/i

meta            KAM_SELL               (__KAM_SELL1 + __KAM_SELL2 + __KAM_SELL3 >= 3)
score           KAM_SELL               3.5
describe        KAM_SELL               Selling Cards Marketing Scams

#WHITEN TEETH
header          __KAM_WHITEN1            Subject =~ /whiten your teeth/i
body            __KAM_WHITEN2            /whitener/i
body            __KAM_WHITEN3            /(Celebrity Smile|Carbamide Peroxide)/i

meta            KAM_WHITEN               (__KAM_WHITEN1 + __KAM_WHITEN2 + __KAM_WHITEN3 >= 3)
score           KAM_WHITEN               3.5
describe        KAM_WHITEN               Teeth Whitening Scams

#URONLINE
body		__KAM_URONLINE1		/(chat|chat with me|hook ?up) on Y ?A ?H ?O ?O (tonight|or MSN)|add me with yahoo or msn|view now|press this web link|send me your? photo|can u turn me on|kissing you|begin.a.chat/i
body		__KAM_URONLINE2		/wanna talk|ur info|found your mail|found ur profile|mutual friend|katya from russia|you came to russia|my gentle sun|see this page I made|match making heaven|meet that special|comee see it over here|hexten.net|looking for a man|waiting for ur mail|found ur account|waiting for your message|casual.hookup/i
body		__KAM_URONLINE3		/get (naked|naughty)|horny|naughty toys|I will do anything|TOTALLY msg me on MSN|tell me your mobile|I remember you|let's talk|ran across someone like u|sexywebdating|chatting with someone|saw you by BJs|private e-?mail|dating portal|looking.for.fun/i
header          __KAM_URONLINE4		Subject =~ /i'?m so ho?rny|ur really cute|flirt with u|get the party|lets hookup|MSN messanger|\d\d y.o.|russian soul-?mate|my handsome|want you now|russian girl|costs you nothing|can you feel this|came to russia|I remember you|sexual Russia|take a look|attractive girl writes|found u by accident|tell u something special|hookups.waiting/i

meta		KAM_URONLINE		(__KAM_URONLINE1 + __KAM_URONLINE2 + __KAM_URONLINE3 + __KAM_URONLINE4 >= 3)
score		KAM_URONLINE		4.5
describe	KAM_URONLINE		Chat Scams

#TIMESHARE
body		__KAM_TIMESHARE1	/Get[- ]Cash for Your Timeshare|not using your timeshare|(unwanted|ugly) timeshare|cash out quickly/is
body		__KAM_TIMESHARE2	/goldmine|sell or rent it|we pay cash|sell\/rent your time|own a timeshare or condo|get.cash|find.your.value/is
header 		__KAM_TIMESHARE3	Subject =~ /(rent|sell|buy) your Timeshare|have a timeshare|timeshare money|unwanted timeshare/i
header		__KAM_TIMESHARE4	From =~ /Resort.*sales|timeshare/i

meta		KAM_TIMESHARE		(__KAM_TIMESHARE1 + __KAM_TIMESHARE2 + __KAM_TIMESHARE3 + __KAM_TIMESHARE4>= 3)
score		KAM_TIMESHARE		4.0
describe	KAM_TIMESHARE		Timeshare Scams

#AQUA GLOBE
body		__KAM_AQUA1		/Aqua Globe/is
body		__KAM_AQUA2		/watering your plants/is
body		__KAM_AQUA3		/while on vacation/is
header		__KAM_AQUA4		Subject =~ /Waters your Plants/i

meta		KAM_AQUA		(__KAM_AQUA1 + __KAM_AQUA2 + __KAM_AQUA3 + __KAM_AQUA4 >= 3)
score		KAM_AQUA		3.0
describe	KAM_AQUA		Spams of yet another product du jour

#GEVALIA
body		__KAM_GEVALIA1		/Gevalia Kaffe|premium coffee delivered/is
body		__KAM_GEVALIA2		/(Gevalia coffee lover's|I love coffee) kit/is
body		__KAM_GEVALIA3		/No Further Obligation/is
header		__KAM_GEVALIA4		Subject =~ /gevalia|cup of coffee/i

meta		KAM_GEVALIA		(__KAM_GEVALIA1 + __KAM_GEVALIA2 + __KAM_GEVALIA3 + __KAM_GEVALIA4 >=3)
score 		KAM_GEVALIA		3.0
describe        KAM_GEVALIA             Spams of yet another product du jour

#SIMPLYINK
body            __KAM_INK1          /Ink (and|&|n) Toner|SimplyInk|101 inks|1ink|printer ink sale|full.price/is
header          __KAM_INK2          From =~ /Simply ?Ink|Ink and toner|1ink|ink.*budget|ink.?saver|printer[- ]{0,4}ink/i
header          __KAM_INK3          Subject =~ /Ink (and|&) Toner|SimplyInk|printer ink/i

meta            KAM_INK             (__KAM_INK1 + __KAM_INK2 + __KAM_INK3 >=2)
score           KAM_INK             4.0
describe        KAM_INK             Spams of yet another product du jour

meta		KAM_INK2	    (KAM_INK + KAM_INFOUSMEBIZ >= 2)
score		KAM_INK2	    3.0
describe	KAM_INK2	    Spams for Ink refills

#TITAN PEELER
body            __KAM_PEEL1          /Titan Peeler/is 
header          __KAM_PEEL2          From =~ /Titan Peeler/i
header          __KAM_PEEL3          Subject =~ /peeler|stainless|titan peeler/i

meta            KAM_PEEL             (__KAM_PEEL1 + __KAM_PEEL2 + __KAM_PEEL3 >=2)
score           KAM_PEEL             3.0
describe        KAM_PEEL             Spams of yet another product du jour

#HTML EMAIL REQUIRING IMAGES?
rawbody		__KAM_HTML1	/Please enable image viewing in order to view this message/is

#RATWARE
header		__KAM_RAT1_1	From =~ /\@fromname\@/i
header		__KAM_RAT1_2	Subject =~ /(\[FName\]|\%\{AUTOVALS)/i

meta		KAM_RAT1	(__KAM_RAT1_1 + __KAM_RAT1_2 >= 1)
score		KAM_RAT1	5.0
describe	KAM_RAT1	Variable Replacements Indicative of RatWare/Mass Mailing

body            __KAM_RAT2_1    /job description/i
body            __KAM_RAT2_2    /dear shopper/i
header          __KAM_RAT2_3    From =~ /mystery/i

meta            KAM_RAT2        (__KAM_RAT2_1 + __KAM_RAT2_2 + __KAM_RAT2_3 >= 3)
score           KAM_RAT2        5.0
describe        KAM_RAT2        Another ratware mistake, uninterpolated text

#TITAN EGGER
body            __KAM_EGG1          /Egg Genie/is
header          __KAM_EGG2          From =~ /Egg Genie/i
header          __KAM_EGG3          Subject =~ /medium eggs/i

meta            KAM_EGG             (__KAM_EGG1 + __KAM_EGG2 + __KAM_EGG3 >=2)
score           KAM_EGG             3.0
describe        KAM_EGG             Spams of yet another product du jour

#USBDRIVES
body		__KAM_USB1	/(debi|deborah brown|Melissa Sylvan)/i
body		__KAM_USB2	/person (that|who) handles the promotions/i
body		__KAM_USB3	/usbsmg.com/i

meta		KAM_USB		(__KAM_USB1 + __KAM_USB2 + __KAM_USB3 >= 2)
score		KAM_USB		4.0
describe	KAM_USB		USB Promotion Spammer

#GOVT GRANT
body		__KAM_GRANT1	/government grant/i
body		__KAM_GRANT2	/find out if you qualify/i
body		__KAM_GRANT3	/discontinue from this promotion/i

meta		KAM_GRANT	(__KAM_GRANT1 + __KAM_GRANT2 + __KAM_GRANT3 + __KAM_REFI4 >= 3)
score		KAM_GRANT	5.0
describe	KAM_GRANT	Government Grant Scams

#SEX SCAMS
 #MEDICINE REFERENCES
body		__KAM_SEX04_1	/(curative|medicinal|salutary|wholesome|beneficial|satisfaction) effect|(first-rated|splendid) drugs|(yellow|blue|famos) (tablet|pill)|good medical supplies|(commendable|valuable) medicines|canadian pharmacy|GNC|nugenix/is
 #BED REFERENCES
body		__KAM_SEX04_2	/fun in bed|(bed|night) adventures|aid your bed|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|sexuality with assistance|ascent your sweet|bed experience|love sexuality/is
 #SUBJECT REFERENCES
header		__KAM_SEX04_3	Subject =~ /your manhood|(bed|night) adventures|sexual experience|empower your (belove|sex)|sweet sex|bed (event|experience)|lover sexuality|(lift|heave|ascent|hoist|raise|boost|aid) your (belove|love|darling|sex|sweet)|discounted drugs/i
 #SEXUAL REFENCES
body		__KAM_SEX04_4   /longer your tool|sexual experience|empower your (belove|sex)|sweet sex|(not bad|great|nice|special|awesome|free) bonus|sex all night|lovers package|male.vitality/is

meta		KAM_SEX04	(__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 3)
score		KAM_SEX04	10.0
describe	KAM_SEX04	Sexually Explicit SPAM


meta            KAM_SEX04_2       (__KAM_SEX04_1 + __KAM_SEX04_2 + __KAM_SEX04_3 + __KAM_SEX04_4 >= 2 && (KAM_SEX04 < 1))
score           KAM_SEX04_2       2.0
describe        KAM_SEX04_2       Likely Sexually Explicit SPAM

#SEX SCAMS ROUND 5
header		__KAM_SEX05_1	Subject =~ /upgrade your virility|become a man|bigger instrument|admire your stick|enlarge your member|you have a tiny tool|with more inches|your mega size|improve your love/i
body		__KAM_SEX05_2	/buy rubber friends|big bait in your pants|she sees your size|women will be funk|biggest tool|immense monster|women will be daydreaming|have so much meat|prolonging your size|last a lot longer/i

meta		KAM_SEX05	(__KAM_SEX05_1 + __KAM_SEX05_2 >= 2)
score		KAM_SEX05	5.0
describe	KAM_SEX05	Sexually Explicit SPAM

#FOOTBALL CLUB SPAMS
header		__KAM_FOOTBALL1		Subject =~ /Amateur Club|Seeks? Player/i
header		__KAM_FOOTBALL2		From =~ /Football/i
body		__KAM_FOOTBALL3		/Mercato/i
body		__KAM_FOOTBALL4		/Football/i

meta		KAM_FOOTBALL	(__KAM_FOOTBALL1 + __KAM_FOOTBALL2 + __KAM_FOOTBALL3 + __KAM_FOOTBALL4 >= 4)
score		KAM_FOOTBALL	4.0
describe	KAM_FOOTBALL	Spammy Football Club

#DISH NETWORK SPAMS AND OTHER TV SPAM
header		__KAM_DISH1	From =~ /Dish Network|TVUpgrade|Satellite|Satellite|Dish.*Promo|dish.author|Wireless.Internet|cable.tv|tv.\&|tv.cable|tv.internet|liveteam/i
header		__KAM_DISH2	Subject =~ /Free Next Day Install|Free HD Receiver|Free HBO|free w\/Dish|Holiday Special|Redzone is back|Web-Only Offer|Free HD|with DISH|dish gives you|dish.offers|Wireless Internet provider|sports.package|dish.vs.cable|switch.to.satellite|dish.just|watch.everything|satellite.dish|cable.bill|satellite.bill|paying.too.much|try.satellite|stream.live.tv/i
rawbody		__KAM_DISH3	/(American Satellite|Wireless Internet) Provider|gethdsat|free dvr|Satellite Deals|Dish Network|dish.gives.you.more|packages under \$\d+|compare plans|internet service provider|premium.channel|best.cable.deals|fit.your.budget|deals.near.you|online.television|quality.tv/i

meta		KAM_DISH	(__KAM_DISH1 + __KAM_DISH2 + __KAM_DISH3 >=3)
score		KAM_DISH	4.0
describe	KAM_DISH	Dish Network Spams

meta		KAM_DISH2	(KAM_DISH + KAM_INFOUSMEBIZ >= 2)
score		KAM_DISH2	4.0
describe	KAM_DISH2	Dish Network Spams

#IDENTITY NETWORK
header		__KAM_IDENTNET1		From =~ /\@identitynetwork.net/i
body		__KAM_IDENTNET2		/ADVERTISE WITH IDENTITY NETWORK/i

meta		KAM_IDENTNET	(__KAM_IDENTNET1 + __KAM_IDENTNET2 >=2)
score		KAM_IDENTNET	8.0
describe	KAM_IDENTNET	Identity Network Spams

#HONEYPOT HITS
body		__KAM_HONEY1	/Intacct Corporation|Miles Technologies|EcoPhones|businessbrief\.com|pbpinfo\.com|pbp-executivereports\.net|b21pubs\.com|sonar6\.com|cheetahsend\.com|voip-news|microcappress.com|myrtlebeachnow|sosonlinebackup.com|Landslide Technologies|The Performance Institute|ASMI Corporate|Kaseya|Cascio|CarProperty|HSRUpdates.com/i
header		__KAM_HONEY2	From =~ /\@intacct\.com|\@(staff\.)?milestechnologies\.com|\@greenschoolfundraiser\.org|\@business-brief\.(net|com)|\@b21pubs\.com|\@pbp-executivereports\.net|\@sonar6\.com|\@cheetahsend\.com|\@ripple.us.com|\@voip-news\.com|\@.{0,8}.microcappress.com|\@BetterBuysReports.com|\@MyrtleBeachNow.com|\@sosonlinebackup.com|\@next-gen-crm.com|\@TheInstituteWeb.org|\@ASMIweb.com|\@performanceinstitute.org|\@kaseya.com|\@news.interstatemusic.com|\@interstatemusic.com|\@carproperty.com|\@hsrupdates.com/i

meta		KAM_HONEY	(__KAM_HONEY1 + __KAM_HONEY2 >= 2)
score		KAM_HONEY	12.0
describe	KAM_HONEY	Spammer sending to a honeypot or known spammer through other means

#MEDIA DUCHESS
header		__KAM_DUCHESS1	Received =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i
header		__KAM_DUCHESS2	From =~ /mediaduchessstore.info|mediaduchesslive.info|mymediaduchess.info|mediaduchessonline.info|mytvduchess.info|mediaduchesspro.info|mileshop.info|freegrampro.info|radioduchess.info|acreforyou.info|mileblog.info/i

body		__KAM_DUCHESS3	/Mr. Media Group|BLM Marketing Services|4801 l[yi]nton b/i
rawbody		__KAM_DUCHESS4	/duchess/i
rawbody		__KAM_DUCHESS5	/http:\/\/.{4,30}\.info\/[A-Za-z]{30}("|\/)/i
body		__KAM_DUCHESS6	/For account number:/i

meta		KAM_DUCHESS	((__KAM_DUCHESS1 + __KAM_DUCHESS2 >= 1) + __KAM_DUCHESS3 + __KAM_DUCHESS4 + __KAM_DUCHESS5 + __KAM_DUCHESS6 >= 4)
score		KAM_DUCHESS	5.0
describe	KAM_DUCHESS	Spammer sending emails using a variety of domains and linked images

#UPS
header		__KAM_UPS1	Subject =~ /UPS Delivery problem/i
header		__KAM_UPS2	From !~ /\@ups\.com[ |>]/i
body		__KAM_UPS3	/invoice copy attached/i

meta		KAM_UPS		(__KAM_UPS1 + __KAM_UPS2 + __KAM_UPS3 >=3)
score		KAM_UPS		6.0
describe	KAM_UPS		UPS doesn't send invoices with delivery problem notes

#Free Calls
header		__KAM_SKYPE1	Subject =~ /Free Calls/i
header		__KAM_SKYPE2	Received =~ /releasesourcek.com/i
header		__KAM_SKYPE3	From =~ /VOIP News/i
body		__KAM_SKYPE4	/Promo Code: \d/i

meta		KAM_SKYPE	(__KAM_SKYPE1 + __KAM_SKYPE2 + __KAM_SKYPE3 + __KAM_SKYPE4 >=3)
score		KAM_SKYPE	5.0
describe	KAM_SKYPE	Skype/Voip scams likely to spread malware

#OWA/EMAIL PHISH
rawbody		KAM_OWAPHISH1	/http:\/\/.{5,30}\/owa\/service_directory\/settings.php/i

score		KAM_OWAPHISH1	6.0
describe	KAM_OWAPHISH1	Rash of OWA setting change emails for phishing

#PEOPLE WHO HAVE SENT SPAM EMAILS
header		__KAM_SPAM1	From =~ /seminars\@cvent.com|info\@cabininthewoods.us|info\@ceosalesolution.com|\@cfnps.org|\@pbconferences.com/i
body		__KAM_SPAM2	/www.redshop-biz.com/i

meta		KAM_SPAM	(__KAM_SPAM1 + __KAM_SPAM2 >= 1)
score		KAM_SPAM	10.0
describe	KAM_SPAM	These are people who spam me.  I'm tired of it.

#MORE DRUG SPAM - 2009-05-03
header		__KAM_DRUG2_1	Subject =~ /Viagra|male enhanc|easier time making her|hot infatuations|bed tempera?ment|resigned slaves|prick be soft|increased performance|guys in bed|bedroom fun|love more passion|cure ED|(bed|sex) games|spices? (it up in|to the) bed|(bedroom|nights of) pleasure|ladies love|stay hard|satis?fy (your spouse|her)|(problems|strong|help|good) (in|for) bed|bedtime enhanc|p[0o]rn ?star|blue ?pill|great sex|please your gf|(help in the|king of the|great time in|strong night in|performance in|advice for the) bed|intimate life|gain 3\+? inches|sexual (excitement|anxiety|act)|love tool|sexual treatment|make love|make your girl happ|completely impotent|do.you.suffer/i

header		__KAM_DRUG2_2	Subject =~ /ambien|Percocet|vicod[i1]n|Meridia|look slim|Phentermin|adderall|codeine|Hydrocodone|Phetermin|oxycodone|no prescription need|(help|trouble) falling asleep|overpriced pharmacy|prescript.medz|Xanx?ax|RxMed|your.rx.meds|fill your meds|pharmacy offers|international pharm|(loved|preferred|favor[ite]{3}) (rx)?med|pain killer|Medi?cati[o0]ns|canadianrx|weightl0ss|no ?prescription|weight l0ss|l0seweight|ritalin|look great|brain.function|cognition|enhance.memory|amazing.energy|joint.pain|nerve.pain/i

body		__KAM_DRUG2_3	/Medi?cati[o0]ns|desired meds|favou?red (rx)?med|buy remedies|drug store|medicants|medicaments|sexual stim|sex stim|pain killer|(purchase|loved|preferred|favou?rite) (?:rx.?)?(deal|med)[sz]|rx.?Meds?.?deal|buy your meds|choice of meds|Rx.?(deal|Med|Sale)|v[i1]agra|medz.special|loved meds|(rx|medication) ?discount|Get the edge|joint.pain.relief|neuropathy|nerve.pain/i

body            __KAM_DRUG2_4   /grab hold|at[_ ~]your[_ ~]finger[_ ~]?tip|placing your order|questions about drugs|prescription is not|don't care about prescription|without a doctor|no need for a doctor|affor[df]able.prices|best daily rx|Fav.Prescript|unmatched.prices|rx.med|millions.are.praising/i

body            __KAM_DRUG2_5   /0nline|hassle[~-]free|favored rx|branded solutions|branded remedies|v[1i]cod[!i]n|Penhtremine|prxpills|ultimaterxhere|insanerx|speedymed4u|mightymeds1|coolestrxhere|hotrxmedspot|topshoprx|mightyrxhere|qualityrxmedz|legitrxlife|dealsformeds|simplyrxdeals|bestrxlight|ezprescriptz|reliablerxsource1|freetrusted-rx|hotmedsourcehere|CabinetOfMeds|mytrusted-rx|RxwarehouseHere|WarehouseofRxMeds|GreatrxMedsRus|rxmedsrus|(come by|Come to|Check Out) our web site|browse [0o]ur (website|selection)|Visit_0ur Web|Order_Now|available_this week|(buy|order) (n[0o]w|today|right.now|instantly|at [0o]nce|immediately)|check it out today|ord3r|0rder|0rd3r|browseour|rx ?unit/i

body		__KAM_DRUG2_6	/(Express|Prompt|Day|Trusty|Trustworthy|Reliable|fast|true|discreet|confidential|rapid)[_ ~\.]?Shippin|anonymous packing|shipped.right.away|adderrx|clinically.proven|support.formula/i

header		__KAM_DRUG2_7	Subject =~ / {4}[a-z0-9]{2,4}$/i

header		__KAM_DRUG2_8	From =~ /aquaflexin/i

meta		KAM_DRUG2	( __KAM_DRUG2_1 +  __KAM_DRUG2_2 +  __KAM_DRUG2_3 +  __KAM_DRUG2_4 +  __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + __KAM_SHORT + KAM_UNSUB1 >= 3)
score		KAM_DRUG2	3.5
describe	KAM_DRUG2	More online Drug Scams

meta            KAM_DRUG2_2     ( __KAM_DRUG2_1 +  __KAM_DRUG2_2 +  __KAM_DRUG2_3 +  __KAM_DRUG2_4 +  __KAM_DRUG2_5 + __KAM_DRUG2_6 + __KAM_DRUG2_7 + __KAM_DRUG2_8 + __KAM_SHORT + KAM_UNSUB1 >= 5)
score		KAM_DRUG2_2	3.0
describe	KAM_DRUG2_2	Higher Certainty of Drug Scam

meta		KAM_SEXSUBJECT	__KAM_DRUG2_1
score		KAM_SEXSUBJECT  2.0
describe	KAM_SEXSUBJECT	Sexually Explicit Subject

#RUSSIAN WIFE/BRIDE SCAMS
header		__KAM_WIFE1	Subject =~ /Remember me|(Russian|asian) ?(single|women|bride|lad(y|ies)|babe)/i
body		__KAM_WIFE2	/marry a Russian|sizzling photos|(russian|asian) (women|beauties)|Russian ?bride|Slavic babes|Russian ?lad(y|ies)|russian girl/i
header		__KAM_WIFE3	From =~ /Russian.?Dat|russian.?bride|Russian.?single|russian.?women|asian.?beauties/i

meta            KAM_WIFE       ( __KAM_WIFE1 +  __KAM_WIFE2 + __KAM_WIFE3 >= 2)
score           KAM_WIFE       8.0
describe        KAM_WIFE       Mail order bride scams

#PRODUCT SCAMS
header		__KAM_PRODUCT1	Subject =~ /Beauty Phone/i
body		__KAM_PRODUCT2	/phones for discerning individuals/i

meta            KAM_PRODUCT    ( __KAM_PRODUCT1 +  __KAM_PRODUCT2 >= 2)
score           KAM_PRODUCT    3.0
describe        KAM_PRODUCT    Product scams often used with MSN/Live URIs

#SPACES / LIVE / MSN / ETC. SCAMS
meta            KAM_LIVEURI2     ( (KAM_PRODUCT + KAM_DRUG2 + KAM_WIFE >=1) + (KAM_WEBS + KAM_MSN_STRING + KAM_BADSWF >=1) >= 2)
score           KAM_LIVEURI2     3.0
describe        KAM_LIVEURI2     More online Scams + Known URI

#WEBS.COM
uri		KAM_WEBS	/.{3,25}\.webs.com/i
score		KAM_WEBS	0.5
describe	KAM_WEBS	webs.com links used in Spams

#IMAGESHACK SWF Files
uri             KAM_BADSWF	/imageshack.us\/.{3,25}.swf$/i
score		KAM_BADSWF	3.0
describe	KAM_BADSWF	SWF embedded links in Email Scams

#EXE LINK
uri             KAM_EXEURI      /.exe$/i
score           KAM_EXEURI      0.5
describe        KAM_EXEURI      EXE embedded link

#SETTINGS FILE PHISH
header          __KAM_SETTING1  Subject =~ /settings file|maintenance!!/i
body            __KAM_SETTING2  /security upgrade|Maintenance Process on our email system /i
body		__KAM_SETTING3	/settings?.zip/i

meta            KAM_SETTING    ( __KAM_SETTING1 +  __KAM_SETTING2 >= 2)
score           KAM_SETTING    2.5
describe        KAM_SETTING    Phishing scams w/Setting Files or Webmail

 #Fixed small misspelling thanks to Jameel Akari
meta            KAM_SETTING2    ( KAM_SETTING + (KAM_EXEURI + __KAM_SETTING3 >=1) >= 2)
score           KAM_SETTING2    4.0
describe        KAM_SETTING2    Phishing scams w/Setting Files or Webmail + Bad File link

#FARM SPAM
header		__KAM_FARM1	Subject =~ /supersized (blueberr|tomato)|(blueberry|tomatoe?) giant|grows in sun or shade|giant (blueberry|tomatoe?)/i
header		__KAM_FARM2	From =~ /blueberr|tomato|DIY|garden/i
body		__KAM_FARM3	/(blueberry|Tomatoe?) giant/i

meta		KAM_FARM	(__KAM_FARM1 + __KAM_FARM2 + __KAM_FARM3 >= 3)
score		KAM_FARM	4.0
describe	KAM_FARM	Farming related Spams

#MX URI - Scored lowered from 2.5 to 1.5 due to FPs reported by Christopher X. Candreva - see https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6700 for bug on issue
uri		KAM_MXURI	/^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i
score		KAM_MXURI	1.5
describe	KAM_MXURI	URI begins with a mail exchange prefix, i.e. mx.[...]

#FLASH PLAYER
body		__KAM_FLASH1	/Flash Player Code: \d\d/i
body		__KAM_FLASH2	/Flash Player Update/i
header		__KAM_FLASH3	Subject =~ /Flash Player/i
header		__KAM_FLASH4	Subject =~ /activation code/i
header		__KAM_FLASH5	From =~ /Flash Player/i

meta		KAM_FLASH	(__KAM_FLASH1 + __KAM_FLASH2 + __KAM_FLASH3 + __KAM_FLASH4 + __KAM_FLASH5 >= 3)
score		KAM_FLASH	4.0
describe	KAM_FLASH	Fake Flash Player Phishing Scam


#CHANGED TO KAMOnly
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
	#FAKE ADWORDS
	body		__KAM_ADWORD1	/(Advertisement|Adwords) Campaign/i
	header		__KAM_ADWORD2	From =~ /adwords.com|salesdirect.com/i
	header		__KAM_ADWORD3	Subject =~ /adwords campaign|ads in adwords/i
	body		__KAM_ADWORD4	/adwords\.php|index\.php\?isgoogle/i
	
	meta		KAM_ADWORD	(__KAM_ADWORD1 + __KAM_ADWORD2 + __KAM_ADWORD3  + __KAM_ADWORD4 >= 3) + (KAM_RPTR_SUSPECT + KAM_RPTR_FAILED >= 1) >= 2
	score		KAM_ADWORD	10.0
	describe	KAM_ADWORD	Fake Adword Campaign notices
endif


#DON NOB & WORK FROM HOME SCAMS
header 		__KAM_DON1	X-KAM-Reverse =~ /donnob\.(?:biz|net)|emarketnow.com/i
header		__KAM_DON2	Subject =~ /(?:\b|^)ATM(?:\b|$)|Just Over Broke|J\.O\.B\./
body		__KAM_DON3	/donnob\.(?:biz|net)|emarketnow.com|watersolutiontoday.com/i
body		__KAM_DON4	/\$1,000 A Day ATM|J\.O\.B\./i

meta		KAM_DON		(__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 4)
score		KAM_DON		6.0
describe	KAM_DON		Work at Home Scams

meta            KAM_DON2        (__KAM_DON1 + __KAM_DON2 + __KAM_DON3 + __KAM_DON4 + __KAM_MED2 + __KAM_REFI4 + __KAM_TV2 >= 6)
score		KAM_DON2	4.0
describe	KAM_DON2	Egregious Work at Home Scams

#GINA SCAMS
header		__KAM_GINA1	From =~ /GINA deadline|GINA Update|compliance/i
header		__KAM_GINA2	Subject =~ /GINA deadline/i
body		__KAM_GINA3	/Genetic Information Nondiscrimination Act/i
body		__KAM_GINA4	/mandatory poster|remain in compliance|GINA regulations/i

meta            KAM_GINA	(__KAM_GINA1 + __KAM_GINA2 + __KAM_GINA3 + __KAM_GINA4 + __KAM_REFI4  >= 4)
score		KAM_GINA	6.0
describe	KAM_GINA	Employment Poster Marketing Spams

#TAX SCAMS
header		__KAM_TAX1	Subject =~ /Free (IRS )?Tax Filing|Tax Filing Exten[st]ion|taxes online|irs audit|wage garnish|collections|tax.relief|tax.penalt|tax.resolution|settlement.option|remove.tax|irs.penalt|payback.package|get.help|down.your.neck|tax.research|urgent.tax/i
header		__KAM_TAX2	From =~ /tax|HRBlock|marketing|garnish|settlement|installment|IRS|debt|advisory|government|payback|protection.agency/i
body		__KAM_TAX3	/File your taxes for free|need more time|back.taxes|tax relief|irs offer|avoid penalty|stop.aggressive.collections|relief.(program|package)|tax.settlement|settlement.package|paying.bills|paying.tax|back.tax|wage..?garnish|tax.help|remove.lien|bankrupt|urgent.tax.notice|could.change.everything|instantly.save.you/i
body            __KAM_TAX4      /MSNBC|fox news|CNN|please.confirm|you.qualify|obtain.now|must.see.tax/i

meta		KAM_TAX		(__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=3)
score		KAM_TAX		2.5
describe	KAM_TAX		Tax Filing Scams

meta            KAM_TAX2        (__KAM_TAX1 + __KAM_TAX2 + __KAM_TAX3 + __KAM_TAX4 + KAM_LOTSOFHASH >=4)
score		KAM_TAX2	2.5
describe	KAM_TAX2	Higher Probability of Tax Filing Scams

#SEX SCAM
body		__KAM_SEX06_1	/more fire and passion/i

meta		KAM_SEX06	(__KAM_SEX06_1 + KAM_MSN_STRING >= 2)
score		KAM_SEX06	5.0
describe	KAM_SEX06	Sexual Stimulant Spam

#DOG BARK AND OTHER DOG SPAM
body		__KAM_BARK1	/Bark.Off|petzoom sonic|comfy control harness|dogs? behavior|four legged/i
header		__KAM_BARK2	Subject =~ /Barking|petzoom sonic|dogs any size|dog (is )?misbehaving/i
header		__KAM_BARK3	From =~ /Bark.Off|petzoom|control harnesss|dog whisperer/i

meta		KAM_BARK	(__KAM_BARK1 + __KAM_BARK2 + __KAM_BARK3 >=2)
score		KAM_BARK	3.5
describe	KAM_BARK	Dog Product Scam

#CASINO SPAM
body		__KAM_CASINO1	/Elite World Casino/i
body		__KAM_CASINO2	/Online Casino/i
header		__KAM_CASINO3	Subject =~ /chances to win/i

meta		KAM_CASINO	(__KAM_CASINO1 + __KAM_CASINO2 + __KAM_CASINO3 >= 3)
score		KAM_CASINO	3.5
describe	KAM_CASINO	Online Casino Spam

#TWITTER PHISHING
header		__KAM_TWIT1	From =~ /twitter/i
header		__KAM_TWIT2	Subject =~ /twitter \d{3}-\d{2}/i

meta		KAM_TWIT	(__KAM_TWIT1 + __KAM_TWIT2 + KAM_THEBAT >= 3)
score		KAM_TWIT	10
describe	KAM_TWIT	Twitter bogus phishing emails


#FACEBOOK PHISHING
header          __KAM_FACE1     From =~ /password/i
header          __KAM_FACE2     Subject =~ /reset your facebook/i
header		__KAM_FACE3	X-Mailer =~ /Zuckmail/i

meta            KAM_FACE        (__KAM_FACE1 + __KAM_FACE2 + __KAM_FACE3 >= 3)
score           KAM_FACE        10
describe        KAM_FACE        Facebook bogus phishing emails

header		__KAM_PHISH3_1	Subject =~ /account notification/i
body		__KAM_PHISH3_2	/accessed by someone else./

meta		KAM_PHISH3	(__KAM_PHISH3_1 + __KAM_PHISH3_2 + __KAM_CLICK >= 3)
score		KAM_PHISH3	4
describe	KAM_PHISH3	Phishing emails for account notification


#GENERIC TEST FOR CLICK NOTICES INDICATIVE OF SPAM IN META RULES BUT NOT BY ITSELF
body		__KAM_CLICK	/Please click on the link below|Copy and paste this link into your internet browser/i

#ONLINE BUSINESS / WEALTH BUILDER
header		__KAM_WEALTH1	Subject =~ /Your friend (Wealth Builder|Great Income|Business Opportunity) has recommended this great product/i
body		__KAM_WEALTH2	/www.(wealthmax|bizrlr).co.cc/i
body		__KAM_WEALTH3	/Wealth Builder/i

meta		KAM_WEALTH	(__KAM_WEALTH1 + __KAM_WEALTH2 + __KAM_WEALTH3 >= 2)
score		KAM_WEALTH	5.0
describe	KAM_WEALTH	Wealth Scheme Spams

#DIRECT BUY
header		__KAM_DIRECT1	From =~ /Direct ?Buy|Wholesale/i
header		__KAM_DIRECT2	Subject=~ /complimentary|visitor|settle for retail|top .rands at wholesale|guest pass and catalog|direct.?buy/i
body		__KAM_DIRECT3	/(Complimentary|Visitor|attend our open house|30-day member|VIP Pass|Wholesale Direct Pricing|guest pass and catalog)/i
body		__KAM_DIRECT4	/Direct.?Buy/i

meta		KAM_DIRECT	(__KAM_DIRECT1 + __KAM_DIRECT2 + __KAM_DIRECT3 + __KAM_DIRECT4 >= 3)
score		KAM_DIRECT	3.0
describe	KAM_DIRECT	DirectBuy Spam

#SWIPE BIDS
header          __KAM_SWIPE1   From =~ /SwipeBids|Auction|Deal ?hunter|bigger.bid|bidder|Overstocked|daily.?deals|quibids|iphone|penny.stock/i
header          __KAM_SWIPE2   Subject=~ /auction|bid on great|\d% off retail|Iphones for Under|Big Items|ipads|Macbook Pro|top.?.?of the line..?electronic|buy or sell|never.pay.retail|2011 line up|ebay|pay retail|ipad for \$\d\d\.|bids in real.?time|penny.stock|exclusive.savings|economic|prediction:/i
body            __KAM_SWIPE3   /pennies on the dollar|join, bid|penny (auctions|stock)|\d% .{0,10}retail|ipads on auction|bid now|factory sealed ipads|cheap ipads|for pennies|ebay killer|Inventory Clearance on iPads|crazy auctions|XPS for \d\dUSD|iphone.{1,10}clearance|the.hottest/i
body            __KAM_SWIPE4   /SwipeBids|Swipe Auction|CIRCLE MEDIA BIDS|Wavee|BIGGER BIDDER|Bidooka|Sellmoo|overstocked auctions|for pennies|\d{1,2} cent/i

meta            KAM_SWIPE      (__KAM_SWIPE1 + __KAM_SWIPE2 + __KAM_SWIPE3 + __KAM_SWIPE4 >= 3)
score           KAM_SWIPE      2.5
describe        KAM_SWIPE      SwipeBid Spam / Penny Auction Spams

meta            KAM_SWIPE2     (__KAM_SWIPE1 + __KAM_SWIPE2 >= 2)
score           KAM_SWIPE2     1.5
describe        KAM_SWIPE2     SwipeBid Spam / Penny Auction Spams

#WE THE SPAMMERS
header		__KAM_WTA1	From =~ /@(wethealliance\.(org|com|net)|wta\d\d\d\.com|socalsecurityinstitute.org)|Lawrence.{0,4}Hunter/i
body		__KAM_WTA2	/Alliance for Retirement Prosperity Association|Social Security Institute/is

meta		KAM_WTA		(__KAM_WTA1 + __KAM_WTA2 >= 2)
score		KAM_WTA		9.0
describe	KAM_WTA		Ridiculous campaign by unapologetic spammers purposefully using throwaway domains

#SMOKELESS
body		__KAM_SMOKE1	/smoke.anywhere|electronic cig|smoking alternative|prado|e.?-?cig|wanting to quit/i
header		__KAM_SMOKE2	Subject =~ /smoke|e-cig|perfect.?.gift|no cancer|electronic cig|never smoke|e.?-?cig/i
header		__KAM_SMOKE3	From =~ /smoke|smoking|e.?-?cig|electronic cig|vapex|vapor|starter.kit/i
body		__KAM_SMOKE4	/No carbon monoxide|Smokeless Direct|No Tobacco|no tar|no cancer|quit smoking|electronic cig|sinless.vapor/i
body		__KAM_SMOKE5	/you have qualified/i

meta		KAM_SMOKE	(__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 3)
score		KAM_SMOKE	4.5
describe	KAM_SMOKE	Smokeless cigarette and quitting spam

meta            KAM_SMOKE2       (__KAM_CLICK + __KAM_SMOKE1 + __KAM_SMOKE2 + __KAM_SMOKE3 + __KAM_SMOKE4 + __KAM_SMOKE5 >= 4)
score           KAM_SMOKE2       3.0
describe        KAM_SMOKE2       Higher probability of spam

#OBF URL
body		__KAM_OBFURL1	/A\s+D\s+I\s+L\s+I\s+Z\+E\s+R\s+.\s+C\s+O\s+M/i

meta		KAM_OBFURL	(__KAM_OBFURL1 >= 1)
score		KAM_OBFURL	5.0
describe	KAM_OBFURL	Obfuscated URL

#SHARP FOR LIFE
body		__KAM_SHARP1	/sharp for life/i
body		__KAM_SHARP2	/yoshiblade/i
body		__KAM_SHARP3	/zirconium oxide/i
body		__KAM_SHARP4	/ceramic knife/i
header		__KAM_SHARP5	Subject =~ /ceramic knief|yoshiblade|sharp for life/i
header		__KAM_SHARP6	From =~ /yoshi/i

meta            KAM_SHARP       (__KAM_SHARP1 + __KAM_SHARP2 + __KAM_SHARP3 + __KAM_SHARP4 + __KAM_SHARP5 + __KAM_SHARP6 >= 4)
score           KAM_SHARP       4.5
describe        KAM_SHARP       Ceramic Blade Spam

#HIP REPLACEMENT
body            __KAM_HIP1    	/hip replacement|medical alert/i
body            __KAM_HIP2    	/implant recall|recall list/i
header          __KAM_HIP3    	Subject =~ /dupuy recall|hip recall|hip implants|hip replacement/i
header		__KAM_HIP4   	From =~ /recall/i

meta            KAM_HIP       	(__KAM_HIP1 + __KAM_HIP2 + __KAM_HIP3 + __KAM_HIP4 >= 3)
score           KAM_HIP         4.5
describe        KAM_HIP         Hip Replacement Recall Spam

#WORK AT HOME
body            __KAM_WORKHOME1      /online jobs|Full-time (and|&) Part-time|at home employment/i
body            __KAM_WORKHOME2      /\#1 site|view here|information here/i
header          __KAM_WORKHOME3      Subject =~ /work at home|work \@ home|home positions/i

meta            KAM_WORKHOME         (__KAM_WORKHOME1 + __KAM_WORKHOME2 + __KAM_WORKHOME3 >= 3)
score           KAM_WORKHOME         4.5
describe        KAM_WORKHOME         Work at Home Spam

meta		KAM_WORKHOME2	(__KAM_WORKHOME3 + __KAM_SHORT + __KAM_REFI4 >=3)
score		KAM_WORKHOME2	4.5
describe	KAM_WORKHOME2	Work at Home Spam

#HSR UPDATES
body		__KAM_HSR1	/hsrupdates.com|progressiverailroading.com/i
header		__KAM_HSR2	Subject =~ /hi-speed rail|HSR Funds|U.?S.? DOT|railroads/i
header		__KAM_HSR3	From =~ /HSRUpdates.com|progressive ?railroading/i

meta		KAM_HSR		(__KAM_HSR1 + __KAM_HSR2 + __KAM_HSR3 >= 3)
score		KAM_HSR		4.5
describe	KAM_HSR		High Speed Rail Spam

#SELLPHONE
body		__KAM_SELLPHONE1	/Turn iphones into cash/i
body		__KAM_SELLPHONE2	/used or broken|pre-paid envelope/i
header		__KAM_SELLPHONE3	Subject =~ /sell your old iphone/i

meta		KAM_SELLPHONE	(__KAM_SELLPHONE1 + __KAM_SELLPHONE2 + __KAM_SELLPHONE3 >= 3)
score		KAM_SELLPHONE	4.5
describe	KAM_SELLPHONE	Used Equipment Spam

#STORAGE LIMIT
body		__KAM_MAILBOX1	/mailbox has exceeded the storage limit|storage.quota/i
body		__KAM_MAILBOX2	/re-validate your (mailbox|email)/i

meta		KAM_MAILBOX	(__KAM_MAILBOX1 + __KAM_MAILBOX2 >=2)
score		KAM_MAILBOX	4.0
describe	KAM_MAILBOX	Mailbox Quota Phishing Scams

#URL SHORTENER - PARTIAL RULE TO SEE IF URL SHORTENER IS IN USE - ADDED ANCHORS THANKS TO SHANE WILLIAMS
uri		__KAM_SHORT	/(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i

# GENERIC RULE FOR TINY DOMAINS, WHICH WILL LIKELY BE URL SHORTENERS
uri             __KAM_TINYDOMAIN /(?:https?:\/\/|^|\b|\.)(?:[^\/]{1,4})\..{2,7}\//i

#POWER CHAIRS
body		__KAM_POWER1	/hoveround/i
header		__KAM_POWER2	Subject =~ /Get your freedom|power Chairs/i
header		__KAM_POWER3	From =~ /Get your freedom|power Chairs/i

meta		KAM_POWER	(__KAM_POWER1 + __KAM_POWER2 + __KAM_POWER3 >= 3)
score		KAM_POWER	3.0
describe	KAM_POWER	Motorized Chair Spams

#GUN ALERTS
body		__KAM_GUN1	/Keep and Bear Arms/i
header		__KAM_GUN2	From =~ /gunalerts.com/i
header		__KAM_GUN3	Subject =~ /gun/i

meta		KAM_GUN		(__KAM_GUN1 + __KAM_GUN2 + __KAM_GUN3 >= 3)
score		KAM_GUN		2.0
describe	KAM_GUN		Gun Alert Spams

#GET RICH QUICK SCHEME
body		__KAM_RICH1	/financial.success story/i
body		__KAM_RICH2	/see me on the channel \d news/i
body		__KAM_RICH3	/talking about my blog/i
body		__KAM_RICH4	/bec.me financially independent/i

meta		KAM_RICH	(__KAM_RICH1 + __KAM_RICH2 + __KAM_RICH3 + __KAM_RICH4 >= 4)
score		KAM_RICH	3.5
describe	KAM_RICH	Get Rich Quick Schemes

#INVALID FROM HEADER
header		__KAM_INVFROM1	From =~ /<[^>]*$/
header		__KAM_INVFROM2	From =~ /^[^<]*>/

meta		KAM_INVFROM	(__KAM_INVFROM1 + __KAM_INVFROM2 >= 1)
score		KAM_INVFROM	2.0
describe	KAM_INVFROM	Invalid From Header containing mismatched <>'s

#YAHOO GROUP EMAIL RULE BASED ON WORK FROM Jim McCullars - University of Alabama in Huntsville
header          __KAM_UAH_YAHOOGR_4 X-Mailer =~ /Yahoo Groups Message Poster/
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta            KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD && DKIM_VALID
else
  meta            KAM_UAH_YAHOOGROUP_SENDER __DOS_HAS_LIST_UNSUB && __ML2 && __DOS_HAS_MAILING_LIST && __KAM_UAH_YAHOOGR_4 && !FORGED_YAHOO_RCVD
endif
describe	KAM_UAH_YAHOOGROUP_SENDER Sender appears to be a legit Yahoo! Group Mail
score           KAM_UAH_YAHOOGROUP_SENDER -20.0

#GALLERY
header		__KAM_GALLERY1	Subject =~ /(Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i
body            __KAM_GALLERY2             /(?:Infinite|Multi|Elite|Extreme|Complete|Instant|Ultimate|Multi|approved|Free|HD|Guaranteed|Unreal) Access|(?:Ultimate|Babes|Elite|Extreme|P.?o.?r.?n) Collection|(?:Girls|Adu.?lt|Babes|Celeb.?rities) Passwords|(?:Ultimate|p.?o.?r.?n|extreme|elite|Girls) gallery|HD Video|Access Now/i

header		__KAM_GALLERY3	Subject =~ /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
body		__KAM_GALLERY4             /(Fantastic|Insane|Mega|Extreme|Extreme|New|Many|Fresh|Your|Check) P.?o.?r.?n|cele.?brities elite|(Insane|P.?o.?r.?n|More|Awesome|All|Mega) Model|(Your|Mega|Asian|Bad|Cool|Fresh|Real|Awesome|More) Girl|(Sweet|Incredible|Insane|The|Grand) chick|(Many|New|Infinite|Cool|All) Cele.?b|The N.?u.?des|(Infinite|Awesome|Many|Sweet|Bad|Get|Fresh|Hot|More|Black) Babe|Amat.?e.?urs|(All|Fresh|Fantastic|The|Mega) Adu.?lt|(Extraordinary) Chicks/i
rawbody		__KAM_GALLERY5  /wp-content|_vti_cnf|cache|wp-admin|wordpress/i

meta		KAM_GALLERY	(__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=4)
describe	KAM_GALLERY	Exploited Gallery with Porn
score		KAM_GALLERY	5.0

meta            KAM_GALLERY2    (__KAM_GALLERY1 + __KAM_GALLERY2 + __KAM_GALLERY3 + __KAM_GALLERY4 + __KAM_GALLERY5 >=5)
describe        KAM_GALLERY2    Higher Likelihood of Exploited Gallery with Porn
score           KAM_GALLERY2    2.0

#CHANGELOG
header		__KAM_CHANGELOG1	Subject =~ /^Re: Changelog (Oct.|Nov.|Dec.)$/i
body		__KAM_CHANGELOG2	/as promised chnglog update/i

meta		KAM_CHANGELOG		(__KAM_CHANGELOG1 + __KAM_CHANGELOG2 >= 2)
describe	KAM_CHANGELOG		Phishing Email
score		KAM_CHANGELOG		2.5

#NIGERIAN VARIANT
body		__KAM_BUS1	/business proposal/i
body		__KAM_BUS2	/sensitive by nature/i
body		__KAM_BUS3	/have not met/i
body		__KAM_BUS4	/view my attach/i

meta		KAM_BUS		(__KAM_BUS1 + __KAM_BUS2 +  __KAM_BUS3 + __KAM_BUS4 >= 4)
describe	KAM_BUS		Yet another Nigerian Scam/Phishing Variant
score		KAM_BUS		4.0

#PRIVATE MESSAGE
body		__KAM_PRIV1	/private message|horny|sweet ass/i
body		__KAM_PRIV2	/(personal|private) video/i
body		__KAM_PRIV3	/the attache?ment|attached file/i

meta		KAM_PRIV	(__KAM_PRIV1 + __KAM_PRIV2 + __KAM_PRIV3 >=2 && T_HTML_ATTACH)
describe	KAM_PRIV	Private Messages using Exploits in attached HTML files
score		KAM_PRIV	5.0

#DIV
rawbody		__KAM_DIV1	/Viagr?|Cial?<div/i
rawbody		__KAM_DIV2	/<\/div>r?a\|l?is/i

meta		KAM_DIV		(__KAM_DIV1 + __KAM_DIV2 >= 2)
describe	KAM_DIV		Use of divs to hide Medical Spams
score		KAM_DIV		2.0

#CREDIT SCORE
header		__KAM_CREDIT1	Subject =~ /CRITICAL:.*change to.* (EXPERIAN|Transunion|Equifax) score|Recent 3 Bureau Credit|(credit|score).score|credit has changed|check your rating|yearly review|scores?.(?:may.have|has.been|have.been).changed|(?:EXPERIAN|Transunion|Equifax) scores? delivered|your credit report|all three sources|credit (may )?ha(ve|s) been revised|credit ?card ?processing|merchant account|TransUnion..?Experian . Equifax Scores|all 3 scores|update to your score|your 3 scores|is your score correct|score (report|review)|latest.score|updated.score|update:|derogatory.(info|item)|affecting.your.score|scores.this.week|EQUIFAX..?EXPERIAN..?(and|&).TRANSUNION|(EXPERIAN|Transunion|Equifax)..?score|\d{4}.scores?.detail|((equifax|experian|transunion)..?){3}|score.today|score.w\//i
body		__KAM_CREDIT2	/View (all 3 reports|your credit score|your up.to.the.minute credit)|(EXPERIAN|Transunion|Equifax) report|check my credit score|3.free credit scores|credit restoration|changes in your.score|get your \d+ score online|3 major sources|all three bureau|all 3 credit score|credit (may )?ha(ve|s) been revised|payment.options|complimentary 3 scores|credit scores? in seconds|TRANSUNION,\s+EQUIFAX,\s+(and|.)\s+EXPERIAN|just (been )?changed|score.breakdown|credit.summary|score.is.waiting|confirmation \#\d+|average.credit.score|what.?s.your.score|(3|three).free.score|check.your.score|we.can.help|credit.record|complimentary.score/i
body		__KAM_CREDIT3	/NO COST|it's on us|3 companies for free|freescore360|Scoresense|score.report(?:ing)?.team|stand in the rating scales|view your higher credit|(score|credit).alert|provide.faster.service|your credit score|free.credit.score|score.generation|new.score.immediately|score.notification|your report/i
body		__KAM_CREDIT4	/CHANGES TO YOUR CREDIT[- ]SCORE|credit score has changed|Triple Bureau Credit Alerts|score\s+may\s+have\s+(been)?\s*changed|ThinkCredit|Debunk Credit Card Processing Myths|costs for your business|TransUnion,? Experian and Equifax Scores|ha(s|ve).been.updated|what.?s.your.credit|sensitive.information/i
header		__KAM_CREDIT5	From =~ /Credit|score|bureau|finance|report|advisory/i

#EXPERIMENTAL UTF-8
# SecureCRT in UTF-8 Session Options - terminal>appearance>character encoding and set to utf-8 &  Set this in VI :set encoding=utf-8 :set fileencodings=utf-8

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

replace_tag     C       (?:[\xd0][\xa1]|c)
replace_tag     I       (?:[\xd1][\x96]|i)
replace_tag	S	(?:[\xd0][\x85]|s)

header          __KAM_CREDIT6   Subject =~ /<C>ompl<I>mentary (<C>red<I>t|EXPERIAN|Transunion|Equifax)/i
header          __KAM_CREDIT7   From =~ /<S>core.?<S>ense/i

replace_rules   __KAM_CREDIT6 __KAM_CREDIT7

endif

meta            KAM_CREDIT      (__KAM_CREDIT1 + __KAM_CREDIT2 + __KAM_CREDIT3 + __KAM_CREDIT4 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + (__KAM_THIRD || KAM_LOTSOFHASH || KAM_INFOUSMEBIZ) >= 4)
describe        KAM_CREDIT      Credit Score Spams
score           KAM_CREDIT      4.5

meta		KAM_CREDIT2	(__KAM_CREDIT1 + __KAM_CREDIT5 + __KAM_CREDIT6 + __KAM_CREDIT7 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3 && KAM_CREDIT < 1)
describe	KAM_CREDIT2	Credit Score Spams
score		KAM_CREDIT2	4.5

#OBFUSCATED URI
rawbody         KAM_OBFURI      /http:\/\/.{2,30}\.c=E2=93=9Em?/
describe        KAM_OBFURI      Obfuscated URI trick
score           KAM_OBFURI      4.0

#ADVANCE
header		__KAM_ADVANCE1	Subject =~ /Advance for \d.\d\d\d/i
body		__KAM_ADVANCE2	/Advance Details/i
body		__KAM_ADVANCE3  /Pre-Approved/i
header		__KAM_ADVANCE4	From =~ /Advance|Approv|Financ/i

meta            KAM_ADVANCE     (__KAM_ADVANCE1 + __KAM_ADVANCE2 + __KAM_ADVANCE3 + __KAM_ADVANCE4 >= 3)
describe        KAM_ADVANCE     Advance Spams
score           KAM_ADVANCE     3.5

#PAYPAL NON SPF - FP fixed by Piper Andreas
header		__KAM_PAYPAL1A	From =~ /\@[a-z\.]*paypal.com>?$/i

meta		KAM_PAYPAL1	(__KAM_PAYPAL1A + SPF_FAIL >=2)
describe	KAM_PAYPAL1	rampant paypal phishing scams
score		KAM_PAYPAL1	16.0

#PAYPAL IMPERSONATING MALWARE
body            __KAM_PAYPAL2A  /paypal/i
body            __KAM_PAYPAL2B  /protection services department|download(ing)?.the.attach/i

meta            KAM_PAYPAL2     (__KAM_PAYPAL2A + __KAM_PAYPAL2B + KAM_RAPTOR >= 3)
describe        KAM_PAYPAL2     Malware disguised as a paypal email
score           KAM_PAYPAL2     8.0

#PAYPAL PHISH
header          __KAM_PAYPAL3A  From =~ /paypal/i
header          __KAM_PAYPAL3B  From !~ /paypal.com>?$/i
header          __KAM_PAYPAL3C  Subject =~ /your.(paypal.)?account/i
body            __KAM_PAYPAL3D  /security.process|more.information|has.limitation|verify.your.information/i

meta            KAM_PAYPAL3     ((__KAM_PAYPAL3A && __KAM_PAYPAL3B) + __KAM_PAYPAL3C + __KAM_PAYPAL3D + KAM_LAZY_DOMAIN_SECURITY >= 3)
score           KAM_PAYPAL3     8.0
describe        KAM_PAYPAL3     Phish disguised as a paypal email

#COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS
header		__KAM_COMPROMISED1A	From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header		__KAM_COMPROMISED1B	X-Mailer =~ /Yahoo/i
header		__KAM_COMPROMISED2	Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$|question?$|Fwd: (?:latest |top )?news$)|have a look/
body		__KAM_COMPROMISED3	/\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
body		__KAM_COMPROMISED4	/How are you\? Look at this.{0,70}Do you know about this site|look at this site right now|I found (an amazing|great) site|hey\. please have a look|have a look right now|breaking news/i

meta		KAM_COMPROMISED	((__KAM_COMPROMISED1A + __KAM_COMPROMISED1B >=1 ) + __KAM_COMPROMISED2 + __KAM_COMPROMISED3 + __KAM_COMPROMISED4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe	KAM_COMPROMISED	Compromised Accounts Sending Spam
score		KAM_COMPROMISED	9.0

#GROUPS THAT ARE BAD - RENAMED TO AVOID COLLISSION - THANKS TO DAVID FUNK
header		__KAM_LIST2A	List-ID =~ /^<?(wareeed\d*|ArabBusinessmen-and-DecisionMakers-Network|MediaJO\d*|arabjo\d*|prime\-?media\d*|mediajoshoot\d*|bareedw\d*|mghadeh\d*|tawzeef-online|jordanianadd\d*|ssjo\d*|jaracast|ads-shooter-j\d*|jomarketing\d*|jomedia\d*|jobird\d*info|uhrda-\d*|mohanndahad\d*|caragcom\d*|marwahr\d*|sonjobonjo\d*|golrozz\d*|golbanoo\d*)\.googlegroups.com>?$/i
header		__KAM_LIST2B	Sender =~ /(mediajo\d*|aloulaonline\d*|jomedia\d*|golbanoo\d*)\@googlegroups\.com/i

meta		KAM_LIST2	(__KAM_LIST2A + __KAM_LIST2B >= 1)
describe	KAM_LIST2	Known Bad Groups
score		KAM_LIST2	60.0

#LIMITED ACCESS/QUOTA SCAMS  - ISP THAT SEND LEGITIMATE NOTICES MIGHT WANT TO LOWER THE SCORE 
body            __KAM_QUOTA1    /Mailbox Quota Has Exceeded|exceeded its storage limit/i
body            __KAM_QUOTA2    /Limited Access|termination of your email|restore.your.account|will.not.be.able/i

meta		KAM_QUOTA	(__KAM_QUOTA1 + __KAM_QUOTA2 >= 2)
describe	KAM_QUOTA	Limited Access / Quota Phishing Scam
score		KAM_QUOTA	3.0

# BACKGROUND CHECK SPAM
body		__KAM_BACK1	/backgrounds in seconds|Instant..?Checkmate|federal.record|background.report|criminal|reputation/i
body		__KAM_BACK2	/(Property & Personal history|Asset & Background) (Investigation|Search)|check anyone|know.anything|registered.offense|their.name|publicly.available/is
body		__KAM_BACK3	/(background check|detective|investigator|investigate backgrounds|arrest.record|public.record)|remain.anonymous|anonymous.report|says.about.you|instant.database|the.truth|reveal.the.information|screening.services/is
header		__KAM_BACK4	Subject =~ /background..?check|date-smart|detective|finding people|instant checkmate|pedophile|who.lives.next.?door|reports.are.now.posted|screening.results|police.record|confirm.identity|records.enclosed|local.report|criminal|public.record|complete.record|arrest|posted.online|information.posted|info.updated|who.they.are|uncover.any|public.records|private.eye|investigate.background/i
header		__KAM_BACK5	From =~ /Background.?check|instant.?check|arrest.record|pedophile|trust|criminal|urgent.info|find.out|who.is.s?he|trouble|shady|public.record|private.?eye/i

describe	KAM_BACK	Background Check SPAM
meta		KAM_BACK	(__KAM_BACK1 + __KAM_BACK2 + __KAM_BACK3 + __KAM_BACK4 + __KAM_BACK5 >=3)
score		KAM_BACK	5.5

#ARREST RECORD SCAMS
header		__KAM_ARREST1	Subject =~ /arrest record|with.a.criminal|child.predator|public.safety.alert|full.report|reports?.now.posted|records?.(now.)?(available|posted)|predator.identified/i
body		__KAM_ARREST2	/Instant Checkmate|dirty Truth|\brapist\b|criminal.(background|record)|predator|stay.safe|child.offender|think.you.know|know.everything|database.screening|know.something|wanted.to.know|arrest.record/i
header		__KAM_ARREST3	From =~ /Checkmate|alert|protect|arrest|neighborhood|criminal|live.safe/i

meta		KAM_ARREST	(__KAM_ARREST1 + __KAM_ARREST2 + __KAM_ARREST3 >=2) || (__KAM_ARREST1  + __KAM_SHORT + __KAM_BODY_LENGTH_LT_128 >=3)
describe	KAM_ARREST	Arrest Record Scams
score		KAM_ARREST	5.0

#MORE DIET SCAMS
header		__KAM_DIET2_1	From =~ /Coffee.?Bean|Fat.?Burning.?Hormone|Saffron|Lifestyle|burn.fat|slim/i
header		__KAM_DIET2_2	Subject =~ /diet|flatten your belly|calorie count|metabolism|lose the belly|belly flub/i
body		__KAM_DIET2_3	/secret to being skinny|doctors? are raving|testosterone|could be \d+ ?lbs? lighter|feeling chubby/i

meta		KAM_DIET2	(__KAM_DIET2_1 + __KAM_DIET2_2 + __KAM_DIET2_3 + KAM_INFOUSMEBIZ >=3)
describe	KAM_DIET2	Diet Scams
score		KAM_DIET2	5.0

#CIGAR SCAMS
header		__KAM_CIGAR1	Subject =~ /Premium Cigar|Essentials for Dad|cigar lover/i
header		__KAM_CIGAR2	From =~ /Cigar/i
body		__KAM_CIGAR3	/Thompson Cigar|Premium Cigar/i

meta		KAM_CIGAR	(__KAM_CIGAR1 + __KAM_CIGAR2 + __KAM_CIGAR3 + __KAM_THIRD >= 3)
describe	KAM_CIGAR	Cigar Scam Emails
score		KAM_CIGAR	6.0


#TK DOMAINS
rawbody         KAM_TK  /https?:\/\/.{5,30}\.tk\//i
describe	KAM_TK	Abuse of .tk domain registrar which offers free domains
score		KAM_TK	5.0

#THIRD PARTY / SENT BY XXXX
body		__KAM_THIRD	/advertisement.{0,12}sent by a third-?party|sent.by.tb.systems|is.an.advert[il]se?ment/i

#LASIK
header		__KAM_LASIK1	From =~ /Lasik/i
header		__KAM_LASIK2	Subject =~ /Lasik|free eval|A great use for your Tax Refund|eye.surgery/i
body		__KAM_LASIK3	/free (?:Lasik )?eval|\d+ per eye|get lasik info|L.SI. V....n In.t.tut. Summ.r S.v.ng.|works.faster.than/i
uri             __KAM_LASIK4    /lasik\.php/i

meta		KAM_LASIK	(__KAM_LASIK1 + __KAM_LASIK2 + __KAM_LASIK3 + (__KAM_LASIK4 || KAM_EU) >= 3)
describe	KAM_LASIK	Lasik Treatment Spams
score		KAM_LASIK	4.5

#FAKE NOTIFIES
header		__KAM_NOTIFY1	From =~ /Support|Notifier|Reminder|Assistance|Administrator|RuneScape|Wells Fargo|Scotia|Diablo|MAILER-DAEMON|Notifications/i
body		__KAM_NOTIFY2	/[2-9] friend request( |\b)|sell your personal|mandatory validation|verify your Account|unread messages/i
header		__KAM_NOTIFY3	From =~ /\.br>/i

meta		KAM_NOTIFY	(__KAM_NOTIFY1 + __KAM_PHISH2_3 + __KAM_NOTIFY2 + __KAM_NOTIFY3 >= 3)
describe	KAM_NOTIFY	Fake Notifications
score		KAM_NOTIFY	4.0

meta		KAM_NOTIFY2	(KAM_NOTIFY + (KAM_IFRAME || HEADER_FROM_DIFFERENT_DOMAINS) >= 2)
describe	KAM_NOTIFY2	Higher likelihood of fake notification
score		KAM_NOTIFY2	3.0

#LANGUAGE
header		__KAM_LANG1	From =~ /Pimsleur|learnalanguage/i
header		__KAM_LANG2	Subject =~ /language barrier|(?:learn|speak)(?:ing)? (?:a|any) (?:new )?language|Pimsleur/i
body		__KAM_LANG3	/pimsleur|Language in just \d+ Day/i

meta		KAM_LANG	(__KAM_LANG1 + __KAM_LANG2 + __KAM_LANG3 + KAM_INFOUSMEBIZ >= 3)
describe	KAM_LANG	Language Method Spams
score		KAM_LANG	4.5

#FAKE TRACK
header		__KAM_TRACK1	From =~ /Worldwide Express|Priority Mail|First-Class Mail|Express Mail/i

meta		KAM_TRACK	(__KAM_PHISH2_3 + __KAM_TRACK1 >= 2)
describe	KAM_TRACK	Fake Tracking Emails
score		KAM_TRACK	3.0

#BACK TO SCHOOL
header		__KAM_SCHOOL1	From =~ /Classes/i
header		__KAM_SCHOOL2	Subject =~ /(?:Return|Back) to School/i

meta		KAM_SCHOOL	(__KAM_SCHOOL1 + __KAM_SCHOOL2 + KAM_INFOUSMEBIZ >= 3)
describe	KAM_SCHOOL	School Spams
score		KAM_SCHOOL	5.0

#MEMBERS
header          __KAM_MEMBER1   From =~ /(\b|^|)Date|(\b|^|)Dating|eharmony(.com)?.?partner|(..?en..?or|black)..?e.ple..?eet|cougars|singles|match|our.?time|lonely|affair/i
header          __KAM_MEMBER2   Subject =~ /naughty|looking for love|single & dating|Dating.site|free.this.weekend|free.communication.weekend|True Love|(Older|black|available|latin[oa]|jewish) Single|single.women|single.photo|local.cougar|want to date|fall in love|meet...1000s|dream.date|meet.single|your.matches|for.single|singles|eharmony(.com)?.match|50\+.{0,5}ngles|your.ex.back|married.dating|(anonymous|secret).affair|unlimited.pics|dating.(video|movie)|fetish|still.single/i
body		__KAM_MEMBER3	/(\b|^)dating|eharmony|Find.Your.Perfect.Match|thousands.of.single.women|singles?.photos?|local.cougar|successfully matched|blind date|(available|black|latin[oa]|jewish).singles|photos of 50\+/i
rawbody		__KAM_MEMBER4	/special promotion|free.this.weekend|personal matchmaker|dating service|fall in love|looking.for.someone|kindle.the.passion|cheating.member|dating.mega.site|free.dating|free.fetish/i
meta		__KAM_MEMBER5   (KAM_INFOUSMEBIZ || KAM_COUK)
#header		__KAM_MEMBER6	From =~ /Updat/i

meta            KAM_MEMBER      (__KAM_MEMBER1 + __KAM_MEMBER2 + __KAM_MEMBER3 + __KAM_MEMBER4 + __KAM_MEMBER5 >= 3)
describe        KAM_MEMBER      Dating Scams
score           KAM_MEMBER      4.5

#MEDICARE
header          __KAM_MEDICARE1   From =~ /Medicare|health.?options|enrollment/i
header          __KAM_MEDICARE2   Subject =~ /medicare|message for senior|baby-boomer|save up to|compare.quotes|enrollment.plan/i
body            __KAM_MEDICARE3   /medicare.(plan|recipient)/i
body            __KAM_MEDICARE4   /over.(65|sixty.?five)|most.affordable|lower.your.premium/i

meta            KAM_MEDICARE      (__KAM_MEDICARE1 + __KAM_MEDICARE2 + (__KAM_MEDICARE3 + __KAM_MEDICARE4 >= 1) + (KAM_INFOUSMEBIZ || KAM_COUK) >= 3)
describe        KAM_MEDICARE      Medicare Scams
score           KAM_MEDICARE      4.0

#BILLS
header          __KAM_BILLS1   From =~ /LowerMyBills|mortgage/i
header          __KAM_BILLS2   Subject =~ /Save up to \$\d|refi requirement|refi.program/i

meta            KAM_BILLS      (__KAM_BILLS1 + __KAM_BILLS2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_BILLS      Bill Pay Spams
score           KAM_BILLS      4.0

#HOSE
header          __KAM_HOSE1   From =~ /Pocket Hose/i
header          __KAM_HOSE2   Subject =~ /garden hose|kinks/i
body		__KAM_HOSE3   /pocket hose|garden.hose|stays.strong|grows.to.full.size|never.kinks/i

meta            KAM_HOSE      (__KAM_HOSE1 + __KAM_HOSE2 + __KAM_HOSE3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_HOSE      Garden Hose Spams
score           KAM_HOSE      4.5

#AV
header          __KAM_AV1   From =~ /Norton/i
header          __KAM_AV2   Subject =~ /Update now|Are you protected/i

meta            KAM_AV      (__KAM_AV1 + __KAM_AV2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_AV      Anti-Virus Spams
score           KAM_AV      4.0

#MASCARA
header          __KAM_MASCARA1   From =~ /smartlash/i
header          __KAM_MASCARA2   Subject =~ /mascara/i
body		__KAM_MASCARA3   /smartlash/i

meta            KAM_MASCARA      (__KAM_MASCARA1 + __KAM_MASCARA2 + __KAM_MASCARA3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_MASCARA      Make-up Spams
score           KAM_MASCARA      4.5

#COLLEGE
header          __KAM_COLLEGE1   From =~ /degree|doctorate|online/i
header          __KAM_COLLEGE2   Subject =~ /college|ph\.?d|earning your degree|online doctorate|advance your career/i
rawbody         __KAM_COLLEGE3   /online degree|ph\.?d online|online doctorate|advance your career with a degree/i

meta            KAM_COLLEGE      (__KAM_COLLEGE1 + __KAM_COLLEGE2 + __KAM_COLLEGE3 + KAM_INFOUSMEBIZ + __KAM_URIBL_PCCC >= 3)
describe        KAM_COLLEGE      Online Degree/Aid Spams
score           KAM_COLLEGE      4.0

#SURVEY
header		__KAM_SURVEY1	From =~ /Survey|safecount|privacy/i
header		__KAM_SURVEY2	Subject =~ /survey|win an ipad/i
body		__KAM_SURVEY3	/Do You Use Instagram|Complete the survey|win a great prize/i

meta		KAM_SURVEY	(__KAM_SURVEY1 + __KAM_SURVEY2 + __KAM_SURVEY3 + KAM_INFOUSMEBIZ >= 3)
describe	KAM_SURVEY	Online Survey Spams
score		KAM_SURVEY	4.5

#LAKE
#REMOVED 1/7/2014
#rawbody         KAM_LAKE  	/http:\/\/.{0,13}(lak|ake|iver).{0,10}\.(com|info)\//i
#describe	KAM_LAKE	Odd spamming engine LAKE signature on URLs
#score		KAM_LAKE	0.25

#SNORE
header          __KAM_SNORE1   From =~ /snoring|zquiet/i
header          __KAM_SNORE2   Subject =~ /zquiet|Jaw Supporter|z{6}|the.only.thing/i
body            __KAM_SNORE3   /stop snoring|zquiet|Jaw Supporter|get.rest|end.snoring|more.rest|to.be.tired/i

meta            KAM_SNORE      (__KAM_SNORE1 + __KAM_SNORE2 + __KAM_SNORE3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_SNORE      Snoring Aid Spams
score           KAM_SNORE      4.0

#VACATION
header          __KAM_VACATION1   From =~ /Promotions|cruise|vacation/i
header          __KAM_VACATION2   Subject =~ /Free Florida vacation|(carr?ibb?ean|alaskan?).cruise|european destination/i
body            __KAM_VACATION3   /Resorts FOR FREE|(carr?ibb?ean|alaskan?).cruise|top deals/i

meta            KAM_VACATION      (__KAM_VACATION1 + __KAM_VACATION2 + __KAM_VACATION3 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_VACATION      Vacation Spams
score           KAM_VACATION      4.0

#BLOOD PRESSURE
header		__KAM_BLOOD1	From =~ /Marine Essent|blood.pressure/i
header		__KAM_BLOOD2	Subject =~ /Blood Pressure|the.(nurse|doctor).said|do.this.or.die|bp.med/i
body		__KAM_BLOOD3	/Secret Big Pharma|conspiracy|Breaking.Health.Stories/i
body		__KAM_BLOOD4    /Marine Essentials|this mineral|drug.companies.hate/i
body		__KAM_BLOOD5	/Anti-Aging Expert|worst.food/i
body		__KAM_BLOOD6	/Blood pressure/i

meta		KAM_BLOOD	( __KAM_BLOOD1 + __KAM_BLOOD2 + __KAM_BLOOD3 + __KAM_BLOOD4 + __KAM_BLOOD5 + __KAM_BLOOD6  + KAM_INFOUSMEBIZ >= 4)
describe	KAM_BLOOD	Blood Pressure Spams
score		KAM_BLOOD	4.75

#SCOOTER
header          __KAM_SCOOTER1    From =~ /Scooter Store/i
header          __KAM_SCOOTER2    Subject =~ /lack of mobility/i
body            __KAM_SCOOTER3    /the scooter store/i

meta            KAM_SCOOTER       ( __KAM_SCOOTER1 + __KAM_SCOOTER2 + __KAM_SCOOTER3 + __KAM_MEDICARE2 + KAM_INFOUSMEBIZ >= 4)
describe        KAM_SCOOTER       Blood Pressure Spams
score           KAM_SCOOTER       4.75

#ANATABLOC
header		__KAM_ANATA1	From =~ /Anatabloc/i
header		__KAM_ANATA2	Subject =~ /(back|joint) pain|arthritis/i

meta		KAM_ANATA	(__KAM_ANATA1 + __KAM_ANATA2 >= 2)
describe	KAM_ANATA	Drug Spam
score		KAM_ANATA	4.5

#BBB Phish
header		__KAM_BBB1	From =~ /bbb.org/i
body		__KAM_BBB2	/consumer's *(?:worry|uneasiness|anxiety|disturbance|concern|trouble)/i
body		__KAM_BBB3	/has been registered the above|(?:visiting|review at) a link below|above-referenced complaint/i
body		__KAM_BBB4	/about your *(?:glance|belief|judgment)/i
header		__KAM_BBB5	Subject =~ /(?:client|customer).{0,5}preten|(?:Appeal|Claim|Case|No\.|Complaint).{0,3}[A-Z\d]{5}/i

meta		KAM_BBB		(__KAM_BBB1 + __KAM_BBB2 + __KAM_BBB3 + __KAM_BBB4 + __KAM_BBB5 + SPF_FAIL + __KAM_GALLERY5 + KAM_RAPTOR >= 4)
describe	KAM_BBB		Better Business Bureau Phishing
score		KAM_BBB		5.0

#PREV MARK
header		__KAM_MARK1	Subject =~ /[\[\<](?:ADV|SPAM)[\>\]]/i

meta		KAM_MARK	(__KAM_MARK1 >= 1)
describe	KAM_MARK	Email arrived marked as Spam
score		KAM_MARK	10.0

#H1QNUM ENGINE
rawbody		__KAM_H1QNUM1 	/<h1>(vv5|ORG1|IN2|OR3|AR1|FO1|Q22)<\/h1>/i
header		__KAM_H1QNUM2	Subject =~ /Russian Women|Free Lasik|Criminal Records|Background Check|Stop Alcoholism|Alcohol Addiction|Hybrid cars|solar energy|electrical bill|fly in luxury/i
uri		__KAM_H1QNUM3	/\.co\.uk/i

meta		KAM_H1QNUM	(__KAM_H1QNUM1 >= 1)
describe	KAM_H1QNUM	H1 Qnum indicator
score		KAM_H1QNUM	4.0

meta		KAM_H1QNUM2	( KAM_H1QNUM + __KAM_H1QNUM2 + __KAM_H1QNUM3 >= 2 )
describe	KAM_H1QNUM2	H1 Qnum higher spamminess indicators
score		KAM_H1QNUM2	5.0

#AP
header		__KAM_AP1	From =~ /AP/
header		__KAM_AP2	Subject =~ /Community & educational development/i
body		__KAM_AP3	/American Grants and Loans Catalog/i

meta		KAM_AP		(__KAM_AP1 + __KAM_AP2 + __KAM_AP3 >= 3)
describe	KAM_AP		American Publishing Spam
score		KAM_AP		4.5

#CO.UK
header		KAM_COUK	From =~ /\@.{1,30}\.co\.uk/i
describe	KAM_COUK	Scoring .co.uk emails higher due to poor registry security.
score		KAM_COUK	0.0

#FAKE FACEBOOKMAIL
 #REAL FB DOMAIN 
header		__KAM_FACEBOOKMAIL1	From =~ /\@facebookmail.com/i
 #SPECIFIC PEOPLE
header		__KAM_FACEBOOKMAIL2	From =~ /Ramakanth Raavi/i

meta		KAM_FACEBOOKMAIL	((__KAM_FACEBOOKMAIL2 >= 1) || (__KAM_FACEBOOKMAIL1 >=1 && (SPF_FAIL + DKIM_ADSP_ALL >=1)))
describe	KAM_FACEBOOKMAIL	Fake or Abused Facebook Mail
score		KAM_FACEBOOKMAIL	8.0

#FAKE DHL/FEDEX/ETC
body		__KAM_FAKEDELIVER1	/courier couldn.?t make the delivery|Courier was unable to deliver|courier company was not able to deliver|memo.of.application|delivering.address|make.the.delivery|see.attached.file|attention.please|event.invitation|could not deliver|delivery.label|postal.noti(fication|ce)|parcels.(has|have).been.shipped|shipment.label.is.attached/i
header		__KAM_FAKEDELIVER2	Subject =~ /Invalid Address|shipping service|(ship|postal|delivery) notification|Delivery Failure|Delivery Information|Delivery status|Package Delivery|package is available for pickup|your.package.arrived|attention.please|delivery.problem|id.\d{6}|deliver.(your|the).parcel/i

 #DHL
body		__KAM_FAKEDELIVER3	/DHL/
header		__KAM_FAKEDELIVER4	From !~ /dhl.com/i

 #FEDEX
rawbody         __KAM_FAKEDELIVER5      /Fed ?ex/i
header          __KAM_FAKEDELIVER6      From !~ /fedex.com/i

 #USPS
body		__KAM_FAKEDELIVER7	/USPS/i
header		__KAM_FAKEDELIVER8	From !~ /usps.com/i

 #CARGO
body		__KAM_FAKEDELIVER9      /CARGO/
header		__KAM_FAKEDELIVER10     From =~ /shipping|economy|priority/i

 #USPS
body		__KAM_FAKEDELIVER11	/DPD/i
header		__KAM_FAKEDELIVER12	From !~ /dpd.com|dpd.co.uk/i


meta		KAM_FAKE_DELIVER	(__KAM_FAKEDELIVER1 + __KAM_FAKEDELIVER2 + (__KAM_FAKEDELIVER3 + __KAM_FAKEDELIVER4 >= 2) + (__KAM_FAKEDELIVER5 + __KAM_FAKEDELIVER6 >= 2) + (__KAM_FAKEDELIVER7 + __KAM_FAKEDELIVER8 >= 2) + (__KAM_FAKEDELIVER11 + __KAM_FAKEDELIVER12 >= 2) + __KAM_FAKEDELIVER9 + (HEADER_FROM_DIFFERENT_DOMAINS + SPF_SOFTFAIL + KAM_RAPTOR >= 1) >= 3)
describe	KAM_FAKE_DELIVER	Fake delivery notifications
score		KAM_FAKE_DELIVER	5.0

meta            KAM_REALLY_FAKE_DELIVER   (KAM_FAKE_DELIVER + KAM_RPTR_PASSED + (__KAM_FAKEDELIVER4 && __KAM_FAKEDELIVER6 && __KAM_FAKEDELIVER8) >= 3)
score           KAM_REALLY_FAKE_DELIVER   2.5
describe        KAM_REALLY_FAKE_DELIVER   Definitely fake delivery notifications

#SOLAR POWER
header		__KAM_SOLAR1	From =~ /Solar|electric|regard|energy|.olar..etwork/i
header		__KAM_SOLAR2	Subject =~ /power bill|sells power|electrical bill|subsidize your solar|switching to solar|save \d+\%|solar system saves|solar power plant|solar.america|energy.use|solar.incentive|utility.option|go.solar|govt.rebate|.overnment.incentive|electricity|obama.rebate/i
body		__KAM_SOLAR3	/power bill in half|go solar|approved for solar|solar system saves|reduce your electric|energy.cost|energy.bill|government.incentive|can.profit|utility.bill|switch(ing)?.to.solar|solar.incentive|solar.now|US Solar Dept|your.electric.bill|your.home.qualifies/i

meta		KAM_SOLAR	(__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=2)
describe	KAM_SOLAR	Solar Power Spams
score		KAM_SOLAR	2.0

meta		KAM_SOLAR2      (__KAM_SOLAR1 + __KAM_SOLAR2 + __KAM_SOLAR3 >=3)
describe	KAM_SOLAR2      Definite Solar Power Spams
score		KAM_SOLAR2      2.0

#ASIAN BRIDE
header		__KAM_ASIAN1	Subject =~ /Asian Bride/i
body		__KAM_ASIAN2	/Adoring Asian/i
header		__KAM_ASIAN3	From =~ /asian/i

meta		KAM_ASIAN	(__KAM_ASIAN1 + __KAM_ASIAN2 + __KAM_ASIAN3 >= 3)
describe	KAM_ASIAN	Asian Bride Spams
score		KAM_ASIAN	3.5

#DR OZ SPAM
header		__KAM_OZ1	From =~ /(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight)|rapid.loss|ellen|drop.lbs/i #NOTE THE ZERO
header		__KAM_OZ2	Subject =~ /Fatburning|healthy?.tip|melt your fat|must.read.tip|i can help|fat to flat|perfect.skin|workout|drop.\d+.?[il]bs?|without.exercise|must.read|oz.in.your.corner|It (does not|doesn't) have to be hard|racha?el and oz|doc.?oz insid|life.changing|\d+%.increase|anti.aging|she.looks.\d+|ellen.did.this|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show)/i
body		__KAM_OZ3	/burn off your (?:body.?)?fat|(?:burn away|burn|melt) your fat|fox news video|melt the extra pounds|lost (an average of )?\d+ lbs|body.flab|look years younger|get perfect skin|healthy tips|without diet|it was just gossip|weight.loss|dropping.pounds|losing.weight|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z/i

#meta		KAM_OZ		(__KAM_OZ1 + __KAM_OZ2 + __KAM_OZ3 >= 3)
#describe	KAM_OZ		Fake Dr. Oz Spam's
#score		KAM_OZ		3.5

#STUDENT LOAN
header		__KAM_STUDENT1	From =~ /Student.?Loan|government/i
header		__KAM_STUDENT2  Subject =~ /NEW GOVERNMENT PROGRAM|payback.package|assistance.package|student.loan|consolidate.loan/i
body  		__KAM_STUDENT3  /penalt(y|ies)|garnish|your.debt|president.loan|reduce.(your.)?(student.)?loan|forgiveness.plan|qualify.for|federal.program|low.monthly/i

meta		KAM_STUDENT	(__KAM_STUDENT1 + __KAM_STUDENT2 + __KAM_STUDENT3 + (KAM_INFOUSMEBIZ || KAM_COUK || KAM_HTMLNOISE || __KAM_SHORT) >= 3)
describe	KAM_STUDENT	Student Loan Forgiveness Spams
score		KAM_STUDENT	4.0

#TIP
header          __KAM_TIP1  From =~ /Beauty Tips/i
header          __KAM_TIP2  Subject =~ /Dark-Circles|undereye bags/i
body		__KAM_TIP3  /undereye bags/i
body		__KAM_TIP4  /Find Out This Quick New Trick/i

meta            KAM_TIP     (__KAM_TIP1 + __KAM_TIP2 + __KAM_TIP3 + __KAM_TIP4 >= 3)
describe        KAM_TIP     Beauty Tip Spams
score           KAM_TIP     4.3

#WhatsApp
header		__KAM_WHATS1	From =~ /WhatsApp/i
header		__KAM_WHATS2	Subject =~ /Voice Message Notification/i
body		__KAM_WHATS3	/WhatsApp/

meta		KAM_WHATS	(__KAM_WHATS1 + __KAM_WHATS2 + __KAM_WHATS3 >= 3)
describe	KAM_WHATS	WhatsApp Spams
score		KAM_WHATS	3.0


#QTJars
header          __KAM_QTJARS1    From =~ /qtjar/i
header          __KAM_QTJARS2    Subject =~ /qtjar|left you a message|new message/i
body            __KAM_QTJARS3    /qtjars/
body		__KAM_QTJARS4 	 /private message/

meta            KAM_QTJARS       (__KAM_QTJARS1 + __KAM_QTJARS2 + __KAM_QTJARS3 + __KAM_QTJARS4 >= 3)
describe        KAM_QTJARS       QTJars Spams
score           KAM_QTJARS       3.0

#GOOGLE DOCS PHISH
# view the agreement.
body		__KAM_GOOGLEPHISH1	/copy of the signed agreement/i
rawbody		__KAM_GOOGLEPHISH2	/http:\/\/.{5,50}\/http\/docs.google.com\/login\//i

meta		KAM_GOOGLEPHISH		(__KAM_GOOGLEPHISH1 + __KAM_GOOGLEPHISH2 >= 2)
describe	KAM_GOOGLEPHISH		Google Login Phishing Scam
score		KAM_GOOGLEPHISH		5.0

#POLITICAL SPAM
header		__KAM_POLY1	Subject =~ /Barack Obama/i
body		__KAM_POLY2	/The End of Barack Obama/i

meta		KAM_POLY	(__KAM_POLY1 + __KAM_POLY2 >= 2)
describe	KAM_POLY	Political Spams
score		KAM_POLY	3.0

#MAID
header          __KAM_MAID1     Subject =~ /Maid Services|housekeeping.service/i
header		__KAM_MAID2	From =~ /Maid|Housekeeper/i
body            __KAM_MAID3     /Pre-Screened Housekeepers|local.maid/i

meta            KAM_MAID        (__KAM_MAID1 + __KAM_MAID2 + __KAM_MAID3 >= 3)
describe        KAM_MAID        Maid Service Spams
score           KAM_MAID        3.0

#TUB
header          __KAM_TUB1     Subject =~ /Walk.?in.*tub|bath and massage/i
header          __KAM_TUB2     From =~ /jacuzzi|walk.?in.?tub|premier.?care|improvement.center|bathing..?easy/i
body            __KAM_TUB3     /Walk.?in (hot.?|bath.?)?tub|bath and massage|easy transfer from a wheelchair/i

meta            KAM_TUB        (__KAM_TUB1 + __KAM_TUB2 + __KAM_TUB3 >= 3)
describe        KAM_TUB        Tub Spams
score           KAM_TUB        4.0

#OBFUSCATE PORN
header		__KAM_OBF1	Subject =~ /(\b|^)(P.{0,2}O.{0,2}R.{0,2}N|S.{0,2}E.{0,2}.X.{0,2})/i
header		__KAM_OBF2	Subject =~ /[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)].{0,10}[-:\#\/_\(\)]/
header		__KAM_OBF3	Subject =~ /(\b|^)P.{0,2}r.{0,2}e.{0,2}m.{0,2}i.{0,2}u.{0,2}m/i
header		__KAM_OBF4	Subject =~ /(\b|^)P.{0,2}a.{0,2}s.{0,2}s.{0,2}/i
header		__KAM_OBF5	Subject =~ /(\b|^)S.{0,2}i.{0,2}t.{0,2}e.{0,2}/i
header          __KAM_OBF6      Subject =~ /(\b|^)F.{0,2}r.{0,2}e.{0,2}e.{0,2}/i
header          __KAM_OBF7      Subject =~ /(\b|^)F.{0,2}i.{0,2}l.{0,2}m.{0,2}/i
header		__KAM_OBF8	Subject =~ /X.X.X/

meta		KAM_OBF		((__KAM_OBF3 + __KAM_OBF4 + __KAM_OBF5 + __KAM_OBF6 + __KAM_OBF7 >= 1) + __KAM_OBF1 + (__KAM_OBF2 - BODY_8BITS) >= 3)
describe	KAM_OBF		Obfuscated Porn Spams
score		KAM_OBF		4.0

meta            KAM_OBF         (__KAM_OBF8 + __KAM_OBF2 >= 2)
describe        KAM_OBF         Obfuscated Porn Spams
score           KAM_OBF         2.0


#HAIR LOSS / GREYING / REMOVAL
header		__KAM_HAIR1	Subject =~ /(Regrow|restore your|thinning) hair|Get Your Hair Back|hair regrowth|masculine|gr[ae]y hair|hair.loss|the.hottest.concept|hair.removal|all.your.hair|(fuller|thicker).hair/i
header		__KAM_HAIR2	From =~ /K.ranique|Hair Loss Solutions|hair transplant|bosley|gr[ae]y hair|hair.removal|preserve/i
rawbody		__KAM_HAIR3	/k.ranique|Hair Los Solution|Get Your Hair Back|restore your hair naturally and permanently|hair restoration|original color|dye gr[ae]y hair|defeat.your.hair.loss|stop.hair.loss|fda.approve/i
rawbody		__KAM_HAIR4	/Hair Regrowth|Hair Club for Men|Bosley/i

meta		KAM_HAIR	(__KAM_HAIR1 + __KAM_HAIR2 + __KAM_HAIR3 + __KAM_HAIR4 + __KAM_TRIAL + KAM_WEIRDTRICK1 >=4)
describe	KAM_HAIR	Hair Loss / Removal Spams
score		KAM_HAIR	4.5

#TRIAL
body            __KAM_TRIAL     /RISK-FREE Trial|Free \d+ day trial|try it free|free.dvd.info|free.info.kit|limited..?trial|claim.package/i

#UNSUB
body		__KAM_UNSUB1	/cancel 0ffers/i #note the zero
body		__KAM_UNSUB2	/u +n +s +u +b +s +c +r +i +b +e/i

meta		KAM_UNSUB	(__KAM_UNSUB1 + __KAM_UNSUB2 >= 1)
describe	KAM_UNSUB	Completely ridiculous unsubscribe text found
score		KAM_UNSUB	5.0

#MAINTENANCE / Email Phish Scams
body		__KAM_EMAILPHISH1	/Please login to complete update process/i

meta		KAM_EMAILPHISH	(__KAM_EMAILPHISH1 + __KAM_SHORT >= 2)
describe	KAM_EMAILPHISH	Email Phishing Scams
score		KAM_EMAILPHISH	3.5

#MASSMAILER ERRORS
header		__KAM_MASSERROR1  Reply-to =~ /\@domain\]\]/i

meta		KAM_MASSERROR	(__KAM_MASSERROR1 >= 1)
describe	KAM_MASSERROR	Error in usage of a mass mailing software
score		KAM_MASSERROR	2.0

#CAR DEAL SPAMS
header		__KAM_CARDEAL1	Subject =~ /great car deal|new vehicles near you|brand new cars|cars on clearance/i
header		__KAM_CARDEAL2	From =~ /dealer|clearance|veh.cle/i
body		__KAM_CARDEAL3	/201\d Closeout pricing|New Vehicles near you|new automobiles|brand new car|\d{4} makes and models/i

meta		KAM_CARDEAL	(__KAM_CARDEAL1 + __KAM_CARDEAL2 + __KAM_CARDEAL3 >= 3)
describe	KAM_CARDEAL	Car Deal Spams
score		KAM_CARDEAL	3.0

#Quick Sale Scams
header		__KAM_HOMESALE1	Subject =~ /buyer interested in your ho/i
header		__KAM_HOMESALE2	From =~ /Fastcash/i
body		__KAM_HOMESALE3	/Cash Offer for Your Home/i

meta		KAM_HOMESALE	(__KAM_HOMESALE1 + __KAM_HOMESALE2 + __KAM_HOMESALE3 >= 3)
describe	KAM_HOMESALE	Home Sale Spams
score		KAM_HOMESALE	3.5

#ADVERTISEMENTS FOR LOANS
header          __KAM_LOAN1 Subject =~ /pay bills|borrow|business loan|help your business grow|small business|propel your business goals|with a loan|results you need|\$\d+ down loan|loan.fund|lender|are.you.broke|get.cash|approval.notice|loan \d.\d% offer/i
header          __KAM_LOAN2 From =~ /payday|loans for you|approval|small.?business|direct.wire|cash|loan offer/i
body            __KAM_LOAN3 /Financial Relief|need to borrow|Business Loan|instant.funds|approval department|\$\d+ down|loan option|offer.loan|expenses|times.are.tough|money.problems/i
body            __KAM_LOAN4 /development.project|just.been.approved|for.your.business|loan.solution/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader    __KAM_LOAN5A Content-Type =~ /loan offer/i
  mimeheader    __KAM_LOAN5B Content-Disposition =~ /loan offer/i
endif

meta            KAM_LOAN    (__KAM_LOAN1 + __KAM_LOAN2 + __KAM_LOAN3 + __KAM_LOAN4 + (__KAM_LOAN5A + __KAM_LOAN5B >= 1) >= 3)
describe        KAM_LOAN    Payday and other loan spams
score           KAM_LOAN    4.5

#HANGOVER SPAM
header          __KAM_HANGOVER1 Subject =~ /hangover patch/i
header          __KAM_HANGOVER2 From =~ /hangover/i
body            __KAM_HANGOVER3 /hangover patch/i

meta            KAM_HANGOVER    (__KAM_HANGOVER1 + __KAM_HANGOVER2 + __KAM_HANGOVER3 >= 3)
describe        KAM_HANGOVER    Hangover Patch Spams
score           KAM_HANGOVER    3.5

#RX PLAN SPAM
header          __KAM_RXPLAN1 Subject =~ /Medigap|prescription drug plan/i
header          __KAM_RXPLAN2 From =~ /Better.?Rx|medigap/i
body            __KAM_RXPLAN3 /gap coverage/i

meta            KAM_RXPLAN    (__KAM_RXPLAN1 + __KAM_RXPLAN2 + __KAM_RXPLAN3 >= 3)
describe        KAM_RXPLAN    Rx Plan Spams
score           KAM_RXPLAN    3.5

#SIDE SOCKET
header          __KAM_SOCKET1 Subject =~ /tangled mess|socket capacity|messy cords/i
header          __KAM_SOCKET2 From =~ /side.?socket/i
body            __KAM_SOCKET3 /side socket/i

meta            KAM_SOCKET    (__KAM_SOCKET1 + __KAM_SOCKET2 + __KAM_SOCKET3 >= 3)
describe        KAM_SOCKET    Product Spam du Jour
score           KAM_SOCKET    3.5

#TESTOSTERONE
header          __KAM_TESTOSTERONE1 Subject =~ /Boost your testosterone|Testoril|turning you into a woman|men into women|low.testosterone/i
header          __KAM_TESTOSTERONE2 From =~ /Testoril|mens health|low-T|for.men/i
body            __KAM_TESTOSTERONE3 /Boost your testosterone|get your body back|low.testosterone/i
body		__KAM_TESTOSTERONE4 /Testoril|sexual confidence|androgel|axiron+androderm/i

meta            KAM_TESTOSTERONE    (__KAM_TESTOSTERONE1 + __KAM_TESTOSTERONE2 + __KAM_TESTOSTERONE3 + __KAM_TESTOSTERONE4 >= 3)
describe        KAM_TESTOSTERONE    Product Spam du Jour
score           KAM_TESTOSTERONE    4.5

#FLEXHOSE
header          __KAM_FLEXHOSE1 Subject =~ /stretch but not kink|flex.{0,8}hose|expands.and.contracts|\d-in-\d.hose/i
header          __KAM_FLEXHOSE2 From =~ /hose/i
body            __KAM_FLEXHOSE3 /stretch but not kink|flex.?hose|expanding.hose|garden.hose/i

meta            KAM_FLEXHOSE    (__KAM_FLEXHOSE1 + __KAM_FLEXHOSE2 + __KAM_FLEXHOSE3 >= 3)
describe        KAM_FLEXHOSE    Product Spam du Jour
score           KAM_FLEXHOSE    3.5

#PET
header          __KAM_PET1 Subject =~ /pet health insurance|dog.product.coupon/i
header          __KAM_PET2 From =~ /pet.?insurance|dog.?coupon/i
body            __KAM_PET3 /pet health insurance|doggy.loot|coupon.notice|reduce.your.cost/i

meta            KAM_PET    (__KAM_PET1 + __KAM_PET2 + __KAM_PET3 >= 3)
describe        KAM_PET    Insurance and other pet-related spam
score           KAM_PET    4.5

meta            KAM_PET2   (KAM_PET + KAM_INFOUSMEBIZ >= 2)
describe        KAM_PET2    Even more likely insurance and other pet-related spam
score           KAM_PET2    3.5

#COBRA
header          __KAM_COBRA1 Subject =~ /Cobra Health/i
header          __KAM_COBRA2 From =~ /Cobra|Health/i
body            __KAM_COBRA3 /find cobra health/i

meta            KAM_COBRA    (__KAM_COBRA1 + __KAM_COBRA2 + __KAM_COBRA3 >= 3)
describe        KAM_COBRA    Cobra Insurance Spam
score           KAM_COBRA    3.5

#Discount Air
header          __KAM_DISCAIR1 Subject =~ /Fly Cheap|Discount Air/i
header          __KAM_DISCAIR2 From =~ /Discount Air/i
body            __KAM_DISCAIR3 /Fly Cheap in Business Class/i

meta            KAM_DISCAIR    (__KAM_DISCAIR1 + __KAM_DISCAIR2 + __KAM_DISCAIR3 >= 3)
describe        KAM_DISCAIR    Discount Airfare Spam
score           KAM_DISCAIR    3.5

#PEST
header          __KAM_PEST1 Subject =~ /pes?t control system/i
header          __KAM_PEST2 From =~ /Riddex|pest/i
body            __KAM_PEST3 /revolutionary pes?t control system/i

meta            KAM_PEST    (__KAM_PEST1 + __KAM_PEST2 + __KAM_PEST3 >= 3)
describe        KAM_PEST    Spam for Pest Control
score           KAM_PEST    3.5


#PROPHET
header          __KAM_PROPHET1 Subject =~ /beezelbub|communique/i
header          __KAM_PROPHET2 From =~ /christian.*prophe/i
body            __KAM_PROPHET3 /Dear Christian Friend/i
body		__KAM_PROPHET4 /Christian Media Ministry/i
body		__KAM_PROPHET5 /prophecy article|rapture/i

meta            KAM_PROPHET    (__KAM_PROPHET1 + __KAM_PROPHET2 + __KAM_PROPHET3 + __KAM_PROPHET4 + __KAM_PROPHET5 >= 4) 
describe        KAM_PROPHET    Spam for Prophecy 
score           KAM_PROPHET    6.0

#HEART
header          __KAM_HEART1 Subject =~ /save your life|prevent (a|your)?.?heart attacks?|\d+ second trick|sudden death|easy trick|heart health secret/i
header          __KAM_HEART2 From =~ /He.rt.?Att.ck|omegaK/i
body            __KAM_HEART3 /Knowing this could very well save your life|\d+.second trick|\#1 Trick|Prevent(ing)? A Heart Attack|will you be killed|heart disease|silent heart attack/i

meta            KAM_HEART    (__KAM_HEART1 + __KAM_HEART2 + __KAM_HEART3  >= 3)
describe        KAM_HEART    Spam for Heart Attack prevention
score           KAM_HEART    4.5

#JOINT
header          __KAM_JOINT1 Subject =~ /joint relief/i
header          __KAM_JOINT2 From =~ /Tfx/i
body            __KAM_JOINT3 /TFX.?(?:health|flex)|tflex/i
body		__KAM_JOINT4 /Joint Relief|effective as glucosamine/i
body		__KAM_JOINT5 /free bottle/i

meta            KAM_JOINT    (__KAM_JOINT1 + __KAM_JOINT2 + __KAM_JOINT3 + __KAM_JOINT4 + __KAM_JOINT5 + __KAM_SKIN4  >= 4)
describe        KAM_JOINT    Joint relief Spam 
score           KAM_JOINT    4.0

#REHAB
header          __KAM_REHAB1 Subject =~ /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|choose sobriety|battling alcohol|stop drinking|addiction|drinking problem|normal life|tr..?at..?ng.alcohol|overcome..lcohol|change.your.life/i
header          __KAM_REHAB2 From =~ /(?:drug|alcohol).?(recovery|rehab|dependenc|add..?ct|treatment)|alcoholism|rehab center|.lc.h.lism|rehabdirectory/i
body            __KAM_REHAB3 /(?:drug|alcohol) (recovery|rehab|dependenc|addict|treatment)|help for alcoholism|life from alcohol|end your drinking|think about rehab/i

meta            KAM_REHAB    (__KAM_REHAB1 + __KAM_REHAB2 + (__KAM_REHAB3 || KAM_OTHER_BAD_TLD)  >= 2)
describe        KAM_REHAB    Rehab Spam
score           KAM_REHAB    3.0

#HAIRTRANS
header          __KAM_HAIRTRANS1 Subject =~ /hair restoration|man look as young|losing your hair|hair ?loss|consultations?.available/i
header          __KAM_HAIRTRANS2 From =~ /Bosley|hair restoration|hair.loss.expert/i
body            __KAM_HAIRTRANS3 /hair restoration|man look as young|losing your hair|hair ?loss|get.your.hair|(look|feel).younger/i

meta            KAM_HAIRTRANS    (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + KAM_GIFT >= 2)
describe        KAM_HAIRTRANS    Spam for Hair Restoration
score           KAM_HAIRTRANS    3.5

meta            KAM_HAIRTRANS2   (__KAM_HAIRTRANS1 + __KAM_HAIRTRANS2 + __KAM_HAIRTRANS3 + (KAM_GIFT || KAM_UNSUB1) >= 3)
describe        KAM_HAIRTRANS2   Higher probability of spam for Hair Restoration
score           KAM_HAIRTRANS2   2.0

#OUR GIFT
body		__KAM_GIFTCERT1	/Our gift to you/i
body		__KAM_GIFTCERT2	/\$\d+ gift certificate/i
header		__KAM_GIFTCERT3 Subject =~ /Our gift to you/i

meta		KAM_GIFTCERT	(__KAM_GIFTCERT1 + __KAM_GIFTCERT2 + __KAM_GIFTCERT3 >= 2)
score		KAM_GIFTCERT	1.5
describe	KAM_GIFTCERT	Gift Certificate Spams

#TIRES
header          __KAM_TIRES1 Subject =~ /discount tire|tire coupon|tire offers|best deals/i
header          __KAM_TIRES2 From =~ /Tire/i
body            __KAM_TIRES3 /savings on tire|new tires/i

meta            KAM_TIRES    (__KAM_TIRES1 + __KAM_TIRES2 + __KAM_TIRES3  >= 3)
describe        KAM_TIRES    Spam for Tires
score           KAM_TIRES    3.0

#SLICEOMATIC
header          __KAM_SLICEOMATIC1 Subject =~ /Slice-O-Matic|Precision Cutting Blade/i
header          __KAM_SLICEOMATIC2 From =~ /Slice-o-matic/i
body            __KAM_SLICEOMATIC3 /Slice-o-matic/i

meta            KAM_SLICEOMATIC    (__KAM_SLICEOMATIC1 + __KAM_SLICEOMATIC2 + __KAM_SLICEOMATIC3  >= 3)
describe        KAM_SLICEOMATIC    Spam for Kitchen Tools
score           KAM_SLICEOMATIC    3.0

#FINDYOURWINDOWS AND OTHER WINDOW SPAM
header          __KAM_WINDOWS1 Subject =~ /Top Window Companies|(old|your|bedroom|new|replacement|discounted|awning|cheap).window|allow.(light|ventilation)|window.(installation|discount|replacement)|home.depot/i
header          __KAM_WINDOWS2 From =~ /FindYourWindows|(old|your|bedroom|new|replacement|discounted).?window|window.?(install|discount|replacement)|install.windows/i
body            __KAM_WINDOWS3 /Find Your Windows|replacement.window|window.design|home.a.new.look|dingy.old.windows|high.heating|high.cooling|let a draft|energy.efficient|double.pane.window|shop.windows|energy.tax|window.(installation|discount|replacement)|summer.is.coming/i

meta            KAM_WINDOWS    (__KAM_WINDOWS1 + __KAM_WINDOWS2 + __KAM_WINDOWS3 + KAM_ADVERT2 >= 3)
describe        KAM_WINDOWS    Spam for House Windows
score           KAM_WINDOWS    4.5

#EMMAPP.WEB.COM - DUE TO SA SILLINESS WE ARE UNABLE TO RBL THIS PARTICULAR SUBDOMAIN WITHOUT BLOCKING ALL OF WEB.COM
#POISON PILL
uri             __KAM_EMMAP_WEB_COM1 /emmapp\.web\.com/i

meta            KAM_EMMAPP_WEB_COM   (__KAM_EMMAP_WEB_COM1 >= 1)
describe        KAM_EMMAPP_WEB_COM   Spam from emmapp.web.com
score           KAM_EMMAPP_WEB_COM   20.0

#NEW CREDIT CARD
header          __KAM_NEW_CREDITCARD1 Subject =~ /with this credit card|charge card|credit card|cards?.reward|cards?.rate|top.rated/i
header          __KAM_NEW_CREDITCARD2 From =~ /Spend-Charge|platinum credit|business credit|card.approval|approval.match/i
body            __KAM_NEW_CREDITCARD3 /Select your new card|Increase Your Spending|Higher Limit|rewards|business credit|which.credit.card|find.out.now/i

meta           KAM_NEW_CREDITCARD     (__KAM_NEW_CREDITCARD1 + __KAM_NEW_CREDITCARD2 + __KAM_NEW_CREDITCARD3 >= 3)
describe       KAM_NEW_CREDITCARD     Spam for new credit cards
score          KAM_NEW_CREDITCARD     4.0

#WEIRD GERMAN SPAM
header         __KAM_GERMAN_BUSINESS_CONTACTS1 Subject =~ /Wichtige Nach?richt|Important message/i
header         __KAM_GERMAN_BUSINESS_CONTACTS2 From =~ /Merkel/i
body           __KAM_GERMAN_BUSINESS_CONTACTS3 /German business phone numbers/i
body           __KAM_GERMAN_BUSINESS_CONTACTS4 /Unlimited exportation capabilities/i

meta           KAM_GERMAN_BUSINESS_CONTACTS    (__KAM_GERMAN_BUSINESS_CONTACTS1 + __KAM_GERMAN_BUSINESS_CONTACTS2 + __KAM_GERMAN_BUSINESS_CONTACTS3 + __KAM_GERMAN_BUSINESS_CONTACTS4 >= 3)
describe       KAM_GERMAN_BUSINESS_CONTACTS    Weird German business contact info spam
score          KAM_GERMAN_BUSINESS_CONTACTS    3.0

#WEIRD SENIOR DATING SPAM
header         __KAM_SENIOR_DATING1 From =~ /SeniorPeopleMeet/i

meta           KAM_SENIOR_DATING    (__KAM_SENIOR_DATING1 >= 1)
describe       KAM_SENIOR_DATING    Senior dating spam
score          KAM_SENIOR_DATING    2.0

#NEWS!
header		__KAM_NEWS1	Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$|how.are.you/i
body		__KAM_NEWS2	/(?:Hello|hey|hi)!/i

meta		KAM_NEWS	(__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + KAM_MANYTO >= 3)
describe	KAM_NEWS	Forged Emails with NEWS!
score		KAM_NEWS	9.0

#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
  uri      __KAM_COUNT_URIS /^./
  tflags   __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one

  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
  meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
  meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif

#DISCLAIMER STUB FOR FUTURE RESOURCE
body __KAM_DISCLAIMER1 /receives compensation/i

#FAKE AT&T
#header   __KAM_FAKE_ATT1 From =~ /AT.?T/i
#header   __KAM_FAKE_ATT2 Subject =~ /AT.?T cordless phone|deals.at.at.?t|phone.from.at.?t/i
#uri      __KAM_FAKE_ATT3 /att-mail.com/i
#
#meta     KAM_FAKE_ATT (__KAM_FAKE_ATT1 + __KAM_FAKE_ATT2 + __KAM_FAKE_ATT3 >= 2)
#describe KAM_FAKE_ATT Fake AT&T newsletters
#score    KAM_FAKE_ATT 3.0

#YOU HAVE BEEN CHOSEN
header   __KAM_CHOSEN1 Subject =~ /Invitation to|open.house|come.join.me/i
header   __KAM_CHOSEN2 From =~ /marketing|invitation/i
body     __KAM_CHOSEN3 /You (were|have been|are) (recently )?(chosen|invited)|you.are.(very.)?welcome/i

meta     KAM_CHOSEN (__KAM_CHOSEN1 + __KAM_CHOSEN2 + __KAM_CHOSEN3 >= 3)
describe KAM_CHOSEN Spam claiming the recipient has been chosen for something
score    KAM_CHOSEN 2.0

#JURY DUTY AND OTHER FAKE COURT NOTICES
header   __KAM_JURY1 Subject =~ /in court|court (hearing )?notice|judicial summons|hearing.of.your.case|case.in.court|notice.of.appearance/i
header   __KAM_JURY2 From =~ /Notice (to|of) Appear|court attendance|pretrial notice|lawyer/i
header   __KAM_JURY3 From !~ /\.gov/i
body     __KAM_JURY4 /in Court|hearing date|notice to appear|Pretrial notice|compulsory.attendance|court.notice/i

meta     KAM_JURY (__KAM_JURY1 + __KAM_JURY2 + __KAM_JURY3 + __KAM_JURY4 + KAM_RAPTOR >= 4)
describe KAM_JURY Spam claiming the recipient must serve jury duty
score    KAM_JURY 8.0

#BITCOIN
header   __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body     __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header   __KAM_BITCOIN3 From =~ /bitcoin/i

meta     KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score    KAM_BITCOIN 4.5

#RELIGIOUS
header   __KAM_RELIGION1 Subject =~ /Christian Media/i
header   __KAM_RELIGION2 From =~ /Bible Prophecy/i
body     __KAM_RELIGION3 /Dear Christian|Christian Media/i

meta     KAM_RELIGION (__KAM_RELIGION1 + __KAM_RELIGION2 + __KAM_RELIGION3 >= 3)
describe KAM_RELIGION Generic religious spam
score    KAM_RELIGION 2.5

#BUSINESS PHONE
header   __KAM_BUSINESSPHONE1 Subject =~ /customer calls|phone system|phone system upgrade|business success/i
header   __KAM_BUSINESSPHONE2 From =~ /business phone/i
body     __KAM_BUSINESSPHONE3 /business phone system/i

meta     KAM_BUSINESSPHONE (__KAM_BUSINESSPHONE1 + __KAM_BUSINESSPHONE2 + __KAM_BUSINESSPHONE3 >= 3)
describe KAM_BUSINESSPHONE Advertising for business phone systems
score    KAM_BUSINESSPHONE 5.5

#NUMEROLOGY
header   __KAM_NUMEROLOGY1 Subject =~ /success and joy in life/i
header   __KAM_NUMEROLOGY2 From =~ /Numerology/i
body     __KAM_NUMEROLOGY3 /Control your destiny/i

meta     KAM_NUMEROLOGY (__KAM_NUMEROLOGY1 + __KAM_NUMEROLOGY2 + __KAM_NUMEROLOGY3 >= 3)
describe KAM_NUMEROLOGY Pseudo-scientific spam
score    KAM_NUMEROLOGY 3.5

#VOICEMAIL SPAM
header   __KAM_VOICEMAIL1 Subject =~ /new voice.?mail message|news/i
header   __KAM_VOICEMAIL2 From =~ /voice.?mail|news/i
body     __KAM_VOICEMAIL3 /new voice.?mail message|voice.redirected/i

meta     KAM_VOICEMAIL (__KAM_VOICEMAIL1 + __KAM_VOICEMAIL2 + __KAM_VOICEMAIL3 + KAM_RAPTOR >= 3)
describe KAM_VOICEMAIL Common malware that tricks the user into opening a fake VOIP voicemail
score    KAM_VOICEMAIL 5.0

#SPAM ADVERTISING SPAM - HAS SCIENCE GONE TOO FAR?
header   __KAM_SPAMFORSPAM1 Subject =~ /email marketing|marketing solution|connect with your audience|reaching your customers|marketing ideas|business.contacts/i
header   __KAM_SPAMFORSPAM2 From =~ /email marketing|mailing lists|listz/i
rawbody  __KAM_SPAMFORSPAM3 /email marketing|Keep your customers informed|expand your brand|(grow|improve) your business|Acquire New Customers|business reach|your.customer.base|demand.generation/i

meta     KAM_SPAMFORSPAM (__KAM_SPAMFORSPAM1 + __KAM_SPAMFORSPAM2 + __KAM_SPAMFORSPAM3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_SPAMFORSPAM Spam advertising spam services
score    KAM_SPAMFORSPAM 5.5

#ALZHEIMERS / NEUROLOGICAL MEDICAL SPAM
header   __KAM_NEUROLOGICAL1 Subject =~ /alzheimers|doctors hate him/i
header   __KAM_NEUROLOGICAL2 From =~ /alzheimers|cognizine/i
body     __KAM_NEUROLOGICAL3 /at risk for alzheimers|alzheimers conspiracy|doctors hate him/i

meta     KAM_NEUROLOGICAL (__KAM_NEUROLOGICAL1 + __KAM_NEUROLOGICAL2 + __KAM_NEUROLOGICAL3 >= 3)
describe KAM_NEUROLOGICAL Variant of medical spam targeting neurological ailments
score    KAM_NEUROLOGICAL 3.5

#EXCESSIVE HASHES AND OTHER IDENTIFIER STRINGS
body     __KAM_LOTSOFHASH /[abcdef1234567890]{20}/i
tflags   __KAM_LOTSOFHASH multiple maxhits=10

meta     KAM_LOTSOFHASH (__KAM_LOTSOFHASH >= 10)
describe KAM_LOTSOFHASH Emails with lots of hash-like gibberish
score    KAM_LOTSOFHASH 0.25

#SPAM THAT SHOWS SEVERAL QUESTIONABLE BEHAVIORS IN COMBINATION
meta     KAM_GRABBAG1 (__KAM_THIRD + __KAM_DOMAINDOTCOM + __KAM_TILDEFROM + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE + __KAM_EPISODE + __KAM_LOTSOFNBSP + __KAM_IPUNSUB + (__KAM_LOTSOFHASH >= 6) >= 4)
describe KAM_GRABBAG1 A combination of tricks that when combined indicate spam
score    KAM_GRABBAG1 3.5

#TV DOCTOR TRASH
header   __KAM_TVDOCTOR1 Subject =~ /hormones|(dr.?|doc.?) [o0]z|flatter belly|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|weight.loss|models.use.this|reverse.\d+.years/i
header   __KAM_TVDOCTOR2 From =~ /(dr.?|doc.?) ?[o0]z|dr.? steve|oz skin tip|skinny|drop \d+lb/i
body     __KAM_TVDOCTOR3 /clinical|miracle|dermatologist|anti.?.?aging.tip|\d+.years.younger|wrinkle.(reduction|prevention)|\bOMG!\b|loose.\d+.lb|tv.doctor/i

meta     KAM_TVDOCTOR    (__KAM_TVDOCTOR1 + __KAM_TVDOCTOR2 + __KAM_TVDOCTOR3 + (KAM_INFOUSMEBIZ || KAM_WEIRDTRICK1) >= 3)
describe KAM_TVDOCTOR    Spam for TV doctor stuff
score    KAM_TVDOCTOR    3.5

# 1-800-DENTIST
header   __KAM_DENTIST1   Subject =~ /dentist/i
header   __KAM_DENTIST2   From =~ /1-?800-?dentist/i
body     __KAM_DENTIST3   /Find a dentist/i

meta     KAM_DENTIST    (__KAM_DENTIST1 + __KAM_DENTIST2 + __KAM_DENTIST3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_DENTIST    Spam for 1-800-DENTIST
score    KAM_DENTIST    3.5

# GOLD AND DIAMOND JEWELRY
header   __KAM_JEWELRY1   Subject =~ /jewell?rey online|shop now/i
header   __KAM_JEWELRY2   From =~ /bluestone.com/i

meta     KAM_JEWELRY    (__KAM_JEWELRY1 + __KAM_JEWELRY2 >= 2)
describe KAM_JEWELRY    Spam for Gold and Diamond Jewelry
score    KAM_JEWELRY    3.5

# PSSST, WANNA BUY SOME POT
body     __KAM_MARIJUANA1 /marijuana|cannabis/i
body     __KAM_MARIJUANA2 /medicinal|recreational|legal.cannabis/i
body     __KAM_MARIJUANA3 /colorado|washington|profit|without.a.(prescription|doctor)|lets.you.vape|no.doctor/i
header   __KAM_MARIJUANA4 From =~ /marijuana|cannabis/i

meta     KAM_MARIJUANA    (__KAM_MARIJUANA1 + __KAM_MARIJUANA2 + (__KAM_MARIJUANA3 + KAM_INFOUSMEBIZ >= 1) >= 3)
describe KAM_MARIJUANA    Spam pertaining to marijuana
score    KAM_MARIJUANA    4.5

meta     KAM_MARIJUANA2   (__KAM_MARIJUANA4 + (__KAM_MARIJUANA3 || __KAM_MARIJUANA2) >= 2)
score    KAM_MARIJUANA2   8.0
describe KAM_MARIJUANA2   Definitely spam for marijuana

# EVICTION NOTICE
header   __KAM_EVICTION1 From =~ /eviction|vacate immediately/i
header   __KAM_EVICTION2 Subject =~ /notice|notification|occupant/i
body     __KAM_EVICTION3 /eviction|foreclosed|trespasser/i

meta     KAM_EVICTION    (__KAM_EVICTION1 + __KAM_EVICTION2 + __KAM_EVICTION3 + KAM_RAPTOR >= 4)
describe KAM_EVICTION    Malware disguised as eviction notice
score    KAM_EVICTION    4.5

# WALK IN TUBS
header   __KAM_WALKINTUB1 From =~ /walk.?in.?tub/i
header   __KAM_WALKINTUB2 Subject =~ /walk.?in.?tub/i
body     __KAM_WALKINTUB3 /walk.?in.?tub/i

meta     KAM_WALKINTUB (__KAM_WALKINTUB1 + __KAM_WALKINTUB2 + __KAM_WALKINTUB3 >= 3)
describe KAM_WALKINTUB Ads for walk-in tubs
score    KAM_WALKINTUB 3.5

# SUBJECTS BEGINNING WITH "EMAIL - QUESTION" AND OTHER VARIANTS
header   __KAM_EMAILQUESTION1 Subject =~ /^(<)?([^@\s]+@[^@\s]+)( - |> )/i
header   __KAM_EMAILQUESTION2 Subject =~ /break away from the pack|make your own wine|\d figures a day|unlock the secret|you need to see|let me show you|at their own game|drop \d+ pounds|potty trained|you can actually|your dog is being poisoned|control your destiny|buy a new|check out these|arthritis/i

meta     KAM_EMAILQUESTION (__KAM_EMAILQUESTION1 + __KAM_EMAILQUESTION2 >= 2)
describe KAM_EMAILQUESTION Subjects beginning with an email address and followed by a spammy subject
score    KAM_EMAILQUESTION 3.5

# BECOME BEYOND SUPERHUMAN / SUPERMAN
header   __KAM_SUPERHUMAN1 From =~ /(become[ _]?)?(beyond[ _]?)?(super|hu)man/i
header   __KAM_SUPERHUMAN2 Subject =~ /relationship problems|better sex|regain your former glory|(male|men) over (\d\d|fou?rty)/i
body     __KAM_SUPERHUMAN3 /reclaim your glory|stay hot and sexy|unfair.advantage|better sex|weird trick|testosterone/i

meta     KAM_SUPERHUMAN (__KAM_SUPERHUMAN1 + __KAM_SUPERHUMAN2 + __KAM_SUPERHUMAN3 >= 3)
describe KAM_SUPERHUMAN Male enhancement of the day
score    KAM_SUPERHUMAN 8.0

# VALENTINES
header   __KAM_VALENTINE1 From =~ /smartbuys|valentine|ecard|flower|fingerhut/i
header   __KAM_VALENTINE2 Subject =~ /valentine|(bouquets|expressions) of love|win her over|swoon.?worthy bouquet|grow more in love|\$\d\d.\d\d bouquet|love at (the )?first/i
rawbody  __KAM_VALENTINE3 /amazing gifts|perfect for valentine|irresist.ble perfume|send an ecard|most memorable flowers|(bouquets|expressions) of love|valentine.?s?.(day.)?(gift|ecard|flower|delivery|is february 14|bouquet)|grow more in love|Saint Valentine|your valentine/i

meta     KAM_VALENTINE (__KAM_VALENTINE1 + __KAM_VALENTINE2 + __KAM_VALENTINE3 + KAM_INFOUSMEBIZ >= 3)
describe KAM_VALENTINE Spam for valentine gifts and other holiday stuff
score    KAM_VALENTINE 4.5

header   __KAM_MOTHER1 From =~ /flower|seventeen/i
header   __KAM_MOTHER2 Subject =~ /mother.?s.?day|\d+%.off.flower|pro.?flowers|guaranteed.delivery|beautiful bouquets|celebrate.mom/i
body     __KAM_MOTHER3 /pro.?flowers|flowers.fresh|freshness.guarantee|shop.now|mom.?s.delight/i

meta     KAM_MOTHER (__KAM_MOTHER1 + __KAM_MOTHER2 + __KAM_MOTHER3 >= 3)
describe KAM_MOTHER Spam for mother's day
score    KAM_MOTHER 4.5

# WHO'S WHO
header   __KAM_WHOSWHO1 From =~ /whos_who|who.?s.who/i
header   __KAM_WHOSWHO2 Subject =~ /your exclusive invitation|who.?s.who|your invitation|you have been selected/i
body     __KAM_WHOSWHO3 /(global|executive) who.s who|represent your community|you have been selected|complete your listing|prominent registry|accomplished individuals/i
uri      __KAM_WHOSWHO4 /whoswho/i

meta     KAM_WHOSWHO (__KAM_WHOSWHO1 + __KAM_WHOSWHO2 + __KAM_WHOSWHO3 >= 2)
describe KAM_WHOSWHO Ads for network of important people
score    KAM_WHOSWHO 5.0

meta     KAM_WHOSWHO2 (KAM_WHOSWHO && __KAM_WHOSWHO4)
describe KAM_WHOSWHO2 Definitely ads for network of important people
score    KAM_WHOSWHO2 1.0

# GARAGE FLOOR COATING
header   __KAM_GARAGE1 From =~ /garage|surface.protection|protection.plus|esurface/i
header   __KAM_GARAGE2 Subject =~ /garage floor coating|industrial strength|protect your floors|protect.and.beautify|esurface|what.you.should.know/i
body     __KAM_GARAGE3 /surface protection plus|industrial strength|Concrete.{0,5}metal.{0,8}wood|protect.and.beautify|industrial.grade|common.flooring|treat.your.deck|professional.coating/i

meta     KAM_GARAGE (__KAM_GARAGE1 + __KAM_GARAGE2 + __KAM_GARAGE3 + (HTML_FONT_LOW_CONTRAST || SPF_FAIL || SPF_HELO_FAIL) >= 3)
describe KAM_GARAGE Garage floor coating product of the day
score    KAM_GARAGE 4.0

meta     KAM_GARAGE2 (KAM_GARAGE + (HTML_FONT_LOW_CONTRAST || SPF_FAIL) >= 2)
score    KAM_GARAGE2 1.0
describe KAM_GARAGE2 More likely garage floor coating spam

#PAINT - NEED TO LOOK FOR CROSSOVER ON KAM_GARAGE AND KAM_PAINT
header          __KAM_PAINT1   From =~ /Coating|Paint|Surface|Sealer/i
header          __KAM_PAINT2   Subject =~ /surface Paint/i

meta            KAM_PAINT      (__KAM_PAINT1 + __KAM_PAINT2 + KAM_INFOUSMEBIZ >= 3)
describe        KAM_PAINT      Paint Spams
score           KAM_PAINT      4.0

# HURRICANE MOP
header   __KAM_MOP1 From =~ /hurricane mop/i
header   __KAM_MOP2 Subject =~ /filthy floor|cut cleaning time|absorbs \d+x its own weight|the mop that/i
body     __KAM_MOP3 /filthy floor|cut cleaning time+absorbs \d+x its own weight|the mop that/i

meta     KAM_MOP (__KAM_MOP1 + __KAM_MOP2 + __KAM_MOP3 >= 3)
describe KAM_MOP Hurricane mop product of the day
score    KAM_MOP 3.5

# DATING TIPS
header   __KAM_DATINGTIPS1 From =~ /girlfriendtrick|seduction|the.real/i
header   __KAM_DATINGTIPS2 Subject =~ /girlfriend.trick|women.excited|real.moment/i
body     __KAM_DATINGTIPS3 /seduction|certain.type.of.guy|secret to their hearts|women.excited|real.love|one.night.stand/i

meta     KAM_DATINGTIPS (__KAM_DATINGTIPS1 + __KAM_DATINGTIPS2 + __KAM_DATINGTIPS3 >= 3)
describe KAM_DATINGTIPS Tips for dating
score    KAM_DATINGTIPS 4.5

# CANDY
header   __KAM_CANDY1 From =~ /candy/i
header   __KAM_CANDY2 Subject =~ /candy/i
body     __KAM_CANDY3 /you deserve a treat|sweet tooth/i

meta     KAM_CANDY (__KAM_CANDY1 + __KAM_CANDY2 + __KAM_CANDY3 >= 3)
describe KAM_CANDY Ads for candy
score    KAM_CANDY 4.5

# EXCESSIVE TEXT IN THE FORMAT OF =## - http://en.wikipedia.org/wiki/Quoted-printable
# MATCH ONLY ESCAPES THAT ARE LESS THAN 0x80 - HIGH BIT NOT SET - THESE CAN BE EXPRESSED JUST FINE AS ASCII
# DISABLED PENDING UPDATES TO SA - RAWBODY IS NOT RAW ENOUGH TO GET UN-DECODED QP
#rawbody  KAM_EXCESSIVEQP /(=[0-7][a-f0-9]){10}/i
#score    KAM_EXCESSIVEQP 2.5
#describe KAM_EXCESSIVEQP Excessive use of pointless Quoted-printable

# ONE WEIRD THING THAT GETS YOU MARKED AS SPAM
header   __KAM_WEIRDTRICK1 Subject =~ /(one|ten|\d+) '?weird'?|'?weird'? trick|strange trick|shocking.truth|\d.words.that/i
body     __KAM_WEIRDTRICK2 /'?(weird|odd|strange)'?.(new.)?(trick|tip)|strange trick|shocking.truth/i
header   __KAM_WEIRDTRICK3 Subject =~ /girlfriend|aging|old.age|cut \d+ years|PSA|horny/i
header   __KAM_WEIRDTRICK4 From =~ /girlfriend|freedom/i

meta     KAM_WEIRDTRICK1 __KAM_WEIRDTRICK2
describe KAM_WEIRDTRICK1 Huge family of spam that uses the word weird to grab attention
score    KAM_WEIRDTRICK1 1.5

meta     KAM_WEIRDTRICK2 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + (KAM_INFOUSMEBIZ + KAM_LOTSOFHASH + AC_HTML_NONSENSE_TAGS + HTML_FONT_LOW_CONTRAST + T_REMOTE_IMAGE >= 3) >= 3)
describe KAM_WEIRDTRICK2 Huge family of spam that uses the word weird to grab attention
score    KAM_WEIRDTRICK2 3.5

meta	 KAM_WEIRDTRICK3 (__KAM_WEIRDTRICK1 + __KAM_WEIRDTRICK2 + __KAM_WEIRDTRICK3 + __KAM_WEIRDTRICK4 >= 3)
describe KAM_WEIRDTRICK3 Weird/Strange Trick
score	 KAM_WEIRDTRICK3 3.0

#MATCH MAKER SPAM
header	__KAM_MATCH1	From =~ /Match/i
header	__KAM_MATCH2	Subject =~ /Find love|available singles|free.to.look|meet.singles/i

meta		KAM_MATCH	(__KAM_MATCH1 + __KAM_MATCH2 + (HTML_IMAGE_RATIO_06 || SPF_FAIL) >= 3)
describe	KAM_MATCH	Match Maker Spams
score		KAM_MATCH	3.5

#CAR INSURANCE
header	__KAM_CARINSURE1	From =~ /insurance/i
header	__KAM_CARINSURE2	Subject =~ /save on car insurance|smarter.way/i

meta		KAM_CARINSURE	(__KAM_CARINSURE1 + __KAM_CARINSURE2 >= 2)
describe	KAM_CARINSURE	Car Insurance Spams
score		KAM_CARINSURE	3.0

#DATA IMG
rawbody		__KAM_DATAIMG	/<img src="data:image/i

#FAKE MMS
rawbody		__KAM_MMS1	/base64,G011K60C12QKQ9790AIFQ5L/s

meta		KAM_MMS		(__KAM_DATAIMG + __KAM_MMS1 >= 2)
describe        KAM_MMS		Fake MMS Spam
score		KAM_MMS		6.0

#LEARNMORE
rawbody		__KAM_LEARN1	/base64,R0lGODlh3gA9APcAAAFlmUK/

meta		KAM_LEARN	(__KAM_DATAIMG + __KAM_LEARN1 >= 2)
describe	KAM_LEARN	Learn More Spam
score		KAM_LEARN	6.0

#UNSUB1
header		__KAM_UNSUB1_1	List-Unsubscribe =~ /^\<(?:mailto:)?unsub1\@/i
rawbody		__KAM_UNSUB1_2	/:\s?unsub1\@|unsubscribe<[^\/]|click here<h/i

meta		KAM_UNSUB1	(__KAM_UNSUB1_1 + __KAM_UNSUB1_2 >= 1)
describe	KAM_UNSUB1	Unsubscription Spams
score		KAM_UNSUB1	0.1

uri             __KAM_DOMAINDOTCOM /domain\.com/i

meta            KAM_UNSUB2      ((KAM_UNSUB1 || KAM_ADVERT2) + __KAM_DOMAINDOTCOM >= 2)
score           KAM_UNSUB2      3.5
describe        KAM_UNSUB2      Improperly configured spam engines that leave placeholder domains in the body

# DUTCH GLOW AND OTHER WOODWORKING SPAM
header   __KAM_DUTCHGLOW1 From =~ /dutch.?glow|original.?dutch|easy.woodwork/i
header   __KAM_DUTCHGLOW2 Subject =~ /wood milk|cleaning the wood|woodwork|cleaning.formula|repel.dust|natural.beauty|furniture|amish|woodworking.plans/i
body     __KAM_DUTCHGLOW3 /wood milk|dutch glow|wood's natural beauty|nourish wood|wax build up|your furniture|woodworking.plans/i

meta     KAM_DUTCHGLOW (__KAM_DUTCHGLOW1 + __KAM_DUTCHGLOW2 + __KAM_DUTCHGLOW3 >= 2)
describe KAM_DUTCHGLOW Woodworking spam
score    KAM_DUTCHGLOW 3.0

# FUNERAL HOME SPAM
header   __KAM_FUNERAL1 From =~ /Funeral/i
header   __KAM_FUNERAL2 Subject =~ /condolence|funeral announcement|funeral of your friend|death notification|burial.(life.)?insurance/i
body     __KAM_FUNERAL3 /untimely death|death notification|funeral.costs/i
uri      __KAM_FUNERAL4 /\/home\.php\?funeral/i

meta     KAM_FUNERAL (__KAM_FUNERAL1 + __KAM_FUNERAL2 + __KAM_FUNERAL3 >= 3)
describe KAM_FUNERAL Likely Fake funeral notices
score    KAM_FUNERAL 2.0

meta     KAM_FUNERAL2 (__KAM_FUNERAL4 >= 1)
describe KAM_FUNERAL2 Fake funeral notices
score    KAM_FUNERAL2 3.0


# WEB VIEW OBFUSCATION
body     __KAM_WEB_OBFUSCATION1 /check over this commercial|see the commercial.advertisement/i
rawbody  __KAM_WEB_OBFUSCATION2 /(you'll have to press me)\s*<\/a>/i

meta     KAM_WEB_OBFUSCATION (__KAM_WEB_OBFUSCATION1 + __KAM_WEB_OBFUSCATION2 >= 2)
describe KAM_WEB_OBFUSCATION Obfuscated web view links
score    KAM_WEB_OBFUSCATION 0.1

# TUPPERWARE
header   __KAM_TUPPERWARE1 From =~ /Mr\. Lid|Food Storage|Storage Container/i
header   __KAM_TUPPERWARE2 Subject =~ /tupperware|food storage|storage container/i
body     __KAM_TUPPERWARE3 /tupperware lid|food storage|storage container/i

meta     KAM_TUPPERWARE (__KAM_TUPPERWARE1 + __KAM_TUPPERWARE2 + __KAM_TUPPERWARE3 >= 3)
describe KAM_TUPPERWARE Ads for tupperware
score    KAM_TUPPERWARE 3.5

# PATRIOT SURVIVAL AND OTHER DISASTER / NATIONALISM / CONSPIRACY SPAM
header   __KAM_PATRIOT1 From =~ /patriot|disaster|emergency|USAF|shocking|for.truth|nwo|expat|special.op|christianmedia/i
header   __KAM_PATRIOT2 Subject =~ /the truth about|financial collapse|your guns|hidden (agenda|truth)|unprecedented.crisis|worst.crisis|obama.?care|do not ignore|get a lot worse|coffins.ordered.by.fema|depression|prepared.for.war|free.our.marine|survival.guide|beloved.usa|civil war|shocking.footage|cia.economist|collapse.is.imminent|attack.on|wants.war|disturbing.issue|plane.crash|nuke.deal|extortion|prophecy/i
body     __KAM_PATRIOT3 /the truth about|financial collapse|your guns|hidden agenda|unprecedented.crisis|disaster|fema (stock.?piling|storing)|Gor?vernment Not Telling|survival.plan|nation.gone.under|blind.with.patriotism|government shutdown|only chance|civil.unrest|high.crimes|behind.our.back|know.the.truth|PatriotNewsNet|second civil war|for.the.cia|market.crash|american.meltdown|concerned.american|military force|we.were.right|our.suspicions|vindicated|abuse.of.power|american.empire/i
body     __KAM_PATRIOT4 /projectprophet|financial.threat|nuke.deal/i

meta     KAM_PATRIOT (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 3)
describe KAM_PATRIOT conspiracy spam
score    KAM_PATRIOT 4.0

meta     KAM_PATRIOT2 (__KAM_PATRIOT1 + __KAM_PATRIOT2 + __KAM_PATRIOT3 + __KAM_PATRIOT4 >= 2)
describe KAM_PATRIOT2 Likely conspiracy spam
score    KAM_PATRIOT2 2.5

# PAYMENT LOWERED
header   __KAM_PAYMENT_LOWERED1 Subject =~ /insurance payment/i
body     __KAM_PAYMENT_LOWERED2 /new monthly payment|just.recently.been..?lowered/i
body     __KAM_PAYMENT_LOWERED3 /ID.?\#.?[\da-f]{20}/i

meta     KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 3)
describe KAM_PAYMENT_LOWERED Spam that says your insurance payment has already been lowered
score    KAM_PAYMENT_LOWERED 4.5

meta     KAM_PAYMENT_LOWERED (__KAM_PAYMENT_LOWERED1 + __KAM_PAYMENT_LOWERED2 + __KAM_PAYMENT_LOWERED3 + KAM_LOTSOFHASH >= 4)
describe KAM_PAYMENT_LOWERED Higher probability of lowered payment spam
score    KAM_PAYMENT_LOWERED 2.0

#NEW NOTICE
body	__KAM_NEWNOTICE1	/- - -\s?(start |begin )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|notice of/i
body	__KAM_NEWNOTICE2	/- - -\s?(finish |end )?(of |new )?(notification|notice)( \d\d\/\d\d\/\d\d)?\s?- - -|end notice:/i
header  __KAM_NEWNOTICE3        From =~ /Notice|Notification|Credit/i

meta		KAM_NEWNOTICE	(__KAM_NEWNOTICE1 + __KAM_NEWNOTICE2 + __KAM_NEWNOTICE3 >= 3)
describe	KAM_NEWNOTICE	New Notice Spam
score		KAM_NEWNOTICE	4.25

meta            KAM_NEWNOTICE2  (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 2)
describe	KAM_NEWNOTICE2	Higher Probability of New Notice Spam
score		KAM_NEWNOTICE2	2.0

#REFI NEW NOTICE
header		__KAM_REFINEW1	Subject =~ /refl.rates|Rates.(now.)?Dropped.Again|score.*recently.changed/i
body		__KAM_REFINEW2	/(rate|payment).reduction|score-update/i

meta		KAM_REFINEW	(__KAM_REFINEW1 + __KAM_REFINEW2 >=2)
describe	KAM_REFINEW	New Refi/Credit Notice spam
score		KAM_REFINEW	2.0

meta		KAM_REFINEW2	(KAM_REFINEW) && (KAM_NEWNOTICE + KAM_LOTSOFHASH >= 1)
describe	KAM_REFINEW2	Higher Probability Refi Spam
score		KAM_REFINEW2	2.0

#AUTO INSURE / LOAN
header		__KAM_AUTONEW1	Subject =~ /Auto.{0,2}(Insurance|policy).{0,2}Payment|auto.warranty|finance|policy.saving|your.quote|car.loan|bad..credit.ok/i
body		__KAM_AUTONEW2	/car.{1,2}insurance.{1,2}payment|monthly.payment|plan.has.expired|auto.loan|auto.coverage|coverage.benefits|premium.reduc|compare.quote|financing.your.way/i
body		__KAM_AUTONEW3	/just.{1,2}been.{1,2}lowered|reduced.recently|has been reduced|free.repair|easy.steps|overpaying|view.plan|overpaid.your|premiums?.as.low|lenders.compete/i
header          __KAM_AUTONEW4	From =~ /notice|credit|coverag3|auto.cover|lower.auto|auto.finance/i

meta		KAM_AUTONEW	(__KAM_AUTONEW1 + __KAM_AUTONEW2 + __KAM_AUTONEW3 + __KAM_AUTONEW4 >= 3)
describe	KAM_AUTONEW	New Auto insurance spam
score		KAM_AUTONEW	3.0

meta		KAM_AUTONEW2	(KAM_AUTONEW) && (KAM_NEWNOTICE + KAM_SUBJECTNOTICE + KAM_LOTSOFHASH + KAM_INFOUSMEBIZ + KAM_ASCII_DIVIDERS >= 1)
describe	KAM_AUTONEW2	Higher Probability Insurance Spam
score		KAM_AUTONEW2	2.0

#STATLER
header		__KAM_STATLER1	Subject =~ /Mike Statler|finance news|invest in ....(\b)/i
header		__KAM_STATLER2	Subject =~ /quintuple/i
body		__KAM_STATLER3	/Mike Statler/i

meta		KAM_STATLER	(__KAM_STATLER1 + __KAM_STATLER2 + __KAM_STATLER3 >= 3)
describe	KAM_STATLER	Mike Statler Spams
score		KAM_STATLER	6.0

#LEARNING TO WRITE
header   __KAM_WRITING1 From =~ /writing/i
header   __KAM_WRITING2 Subject =~ /writing resources|get published/i
body     __KAM_WRITING3 /Professional Writing|world famous (writer|poet)/i

meta     KAM_WRITING (__KAM_WRITING1 + __KAM_WRITING2 + __KAM_WRITING3 >= 3)
describe KAM_WRITING Spam for writing lessons
score    KAM_WRITING 3.5

#RASH OF .EU EXPLOITS
rawbody         KAM_EU /http:\/\/(?:www.)?.{4,30}\.(eu)(\b|\/)/i
score           KAM_EU 0.50
describe        KAM_EU Prevalent use of .eu in spam/malware

#CSS USING A 12-BIT RGBA COLOR, WHICH IS NOT WIDELY SUPPORTED
rawbody         __KAM_12BITCOLOR /color: \#[\da-f]{12}/i

meta		KAM_GRABBAG2	KAM_EU && (__KAM_12BITCOLOR + KAM_ADVERT2 + AC_HTML_NONSENSE_TAGS + URIBL_BLACK + URIBL_RED >= 1)
score		KAM_GRABBAG2	5.0
describe	KAM_GRABBAG2	Grabbag of Spams hitting EU domains and other indicators

#END DIABETES SPAM
body		__KAM_DIABETES1 /- - Diabetes News Today - -|diabetes.health|blood.sugar/i
body		__KAM_DIABETES2 /Reverse.{0,10}(Diabetes|type.2|type.1)|reverse.type.2|beat.type.2|conventional.medical/i
header		__KAM_DIABETES3 Subject =~ /End Diabetes|diabetes.association|every.diabetic/i

meta		KAM_DIABETES	(__KAM_DIABETES1 + __KAM_DIABETES2 + __KAM_DIABETES3 >= 2)
score		KAM_DIABETES	4.5
describe	KAM_DIABETES	End Diabetes Spam

#SPY CAMERAS, ETC
header   __KAM_SPY1 From =~ /spy.?camera/i
header   __KAM_SPY2 Subject =~ /spy.?camera/i
body     __KAM_SPY3 /spy.?camera.?system|hidden.spy.camera|valuables.safe|protect.your.children/i

meta     KAM_SPY (__KAM_SPY1 + __KAM_SPY2 + __KAM_SPY3 >= 3)
describe KAM_SPY Spy cameras and similar products
score    KAM_SPY 3.5

#HARP
header	__KAM_HARP1	From =~ /\bharp\b|obamacare|save|healthcare/i
header	__KAM_HARP2	Subject =~ /\bHARP\b|obamacare|tax benefit|age bracket|protect yourself|mortgage|save.thousands/i
header	__KAM_HARP3	From !~ /\.gov>?$/i

meta 	 KAM_HARP	(__KAM_HARP1 + __KAM_HARP2 + __KAM_HARP3 + KAM_SUBJECTNOTICE >= 3)
describe KAM_HARP	HARP Refinance Spams
score	 KAM_HARP	4.5

#LUNAR SLEEP AND OTHER SLEEPING AIDS
header	 __KAM_LUNAR1	From =~ /lunar.?sleep|peak.life/i
header	 __KAM_LUNAR2	Subject =~ /tired again|sleep(ing)? aid|miracle.sleep|free.sample|sleep.well|fall.asleep|waking.up|sleep.?spray|doctors.discover|the.secret|nights?.sleep/i
uri 	 __KAM_LUNAR3	/lunar.?sleep/i
body	 __KAM_LUNAR4   /sleep you really need|sleep(ing)? aid|trouble.sleeping|miracle.sleep|lunar.?sleep|all.natural|fall.asleep|refreshed|sleep.cycle|sleep.aid|lack.of.sleep|stay.asleep|somnapure|weird.trick/i

meta	 KAM_LUNAR (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 3)
describe KAM_LUNAR Sleeping aid spam
score	 KAM_LUNAR 4.5

meta	 KAM_LUNAR2 (__KAM_LUNAR1 + __KAM_LUNAR2 + MISSING_HEADERS + __KAM_LUNAR3 + __KAM_LUNAR4 >= 4)
describe KAM_LUNAR2 Definitely sleeping aid spam
score	 KAM_LUNAR2 2.0

#OCEANS BOUNTY
header   __KAM_OCEANSBOUNTY1 From =~ /oceans.?bounty/i
header   __KAM_OCEANSBOUNTY2 Subject =~ /pain.free|turn.back.the.clock|reactivate.your.heart/i
body     __KAM_OCEANSBOUNTY3 /years.of.aging|medical.doctor|age.revers|turn.back.the.clock|reactivate.your.heart/i

meta     KAM_OCEANSBOUNTY (__KAM_OCEANSBOUNTY1 + __KAM_OCEANSBOUNTY2 + __KAM_OCEANSBOUNTY3 >= 3)
describe KAM_OCEANSBOUNTY More medical spam
score    KAM_OCEANSBOUNTY 4.5

#ANDROGEL
header   __KAM_ANDROGEL1 From =~ /testosterone|androgel|entitled|enclosed|medwatch|axiron|fda|natural.man|mega.product|\.mobi/i
header   __KAM_ANDROGEL2 Subject =~ /androgel|axiron|product.of.the.year|free.sample|raise.your.testosterone/i
body     __KAM_ANDROGEL3 /healthcare|medwatch|drug|testosterone|therapy|manhood|your.woman/i

meta     KAM_ANDROGEL (__KAM_ANDROGEL1 + __KAM_ANDROGEL2 + __KAM_ANDROGEL3 >= 3)
describe KAM_ANDROGEL More medical spam
score    KAM_ANDROGEL 4.5

#CELL PHONES
header   __KAM_CELL1 From =~ /phone/i
header   __KAM_CELL2 Subject =~ /cell.?phone|mobile.communication|newest.mobile|smartphone|phones.*get.one|phone.bargain|hottest.phone|new.phone/i
body     __KAM_CELL3 /phone.(information|deals|reviews)|(free|latest|hottest)..?(cell)?.?phone|selection.of.phones|hottest.(brands|models)|check.out.these.smartphones|smartphones.do.more|refurbished.phone|bored.with.your.phone/i

meta     KAM_CELL (__KAM_CELL1 + __KAM_CELL2 + __KAM_CELL3 >= 3)
describe KAM_CELL Ads for cell phones
score    KAM_CELL 3.5

header   __KAM_FOUNTAINOFYOUTH1 From =~ /deepseasecret/i
header   __KAM_FOUNTAINOFYOUTH2 Subject =~ /fountain.of.youth/i
body     __KAM_FOUNTAINOFYOUTH3 /look & feel old|\d+.years.of.aging|weird.\d+.second.trick/i

meta     KAM_FOUNTAINOFYOUTH (__KAM_FOUNTAINOFYOUTH1 + __KAM_FOUNTAINOFYOUTH2 + __KAM_FOUNTAINOFYOUTH3 >= 3)
score    KAM_FOUNTAINOFYOUTH 5.0
describe KAM_FOUNTAINOFYOUTH Anti-aging ad

#HERPES
header   __KAM_HERPES1 From =~ /herpes/i
header   __KAM_HERPES2 Subject =~ /your.herpes/i
body     __KAM_HERPES3 /permanent.remedy|ugly.sores|herpes.episode|got.herpes|your.herpes|herpes.issue/i

meta     KAM_HERPES (__KAM_HERPES1 + __KAM_HERPES2 + __KAM_HERPES3 >= 2)
describe KAM_HERPES Ads for herpes medication
score    KAM_HERPES 5.0

#FAKE VOUCHER/REWARD EMAIL
header   __KAM_FAKEVOUCHER1 From =~ /(amazon|target).*(reward|voucher|appreciation|customer)|\$\d+ gift|(spring|summer|fall|autumn|winter) (reward|bonus)|(january|february|march|april|may|june|july|august|september|october|november|december).?(reward|bonus)|day.reward|macy.?s?.reward|rewards?.?center/i
body     __KAM_FAKEVOUCHER2 /\$\d+ amazon(.com)? Card|redeem.your.\$\d+|join.amazon|bonus voucher|spring.rewards|new.gift.card|exclusive.for|shopper.bucks|activate.here|cash.in.your/i
header   __KAM_FAKEVOUCHER3 Subject =~ /special.thanks|thank.you|amazon.appreciation|(spring|summer|fall|autumn|winter) .?(reward|bonus|bucks)|short.survey|\$\d+..?(gift|issued|voucher|e.?gift)|register.reward|target.reward|\d+.(dollar.)?gift.card|claim.your.*reward/i
body     __KAM_FAKEVOUCHER4 /your.opinion|submit.your.email/i

meta     KAM_FAKEVOUCHER (__KAM_FAKEVOUCHER1 + __KAM_FAKEVOUCHER2 + __KAM_FAKEVOUCHER3 + __KAM_FAKEVOUCHER4 >= 3)
describe KAM_FAKEVOUCHER Fake voucher/reward email
score    KAM_FAKEVOUCHER 4.5

#ATTORNEY SPAM
header   __KAM_ATTORNEY1 From =~ /attorney/i
header   __KAM_ATTORNEY2 Subject =~ /right.attorney|quick.divorce|advertisement/i
body     __KAM_ATTORNEY3 /find.a.\b[a-z]+\b.attorney/i

meta     KAM_ATTORNEY (__KAM_ATTORNEY1 + __KAM_ATTORNEY2 + __KAM_ATTORNEY3 >= 3)
score    KAM_ATTORNEY 3.5
describe KAM_ATTORNEY Ads for legal services

#PRODUCT RECALL
header   __KAM_RECALL1 From =~ /dog.?food/i
header   __KAM_RECALL2 Subject =~ /recall|thousands.of.dogs.die/i
body     __KAM_RECALL3 /protect.your.dog|recall?s.on.dog.?food|processing.standards|commercial.food/i

meta     KAM_RECALL (__KAM_RECALL1 + __KAM_RECALL2 + __KAM_RECALL3 >= 3)
score    KAM_RECALL 3.5
describe KAM_RECALL Spam for product recall notices

#REMOTE IMAGES WITH ENORMOUS SRC URLS - COMMONLY USED FOR IMAGE TRACKING
#rawbody  __KAM_HUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s>"']{120}/i
#tflags   __KAM_HUGEIMGSRC multiple maxhits=6

#meta     KAM_HUGEIMGSRC (__KAM_HUGEIMGSRC >= 6)
#score    KAM_HUGEIMGSRC 0.2
#describe KAM_HUGEIMGSRC Message contains many image tags with huge http urls

#describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls
#rawbody  KAM_REALLYHUGEIMGSRC /<img[^>]*\ssrc=["']?http[^\s]{300}/i
#score    KAM_REALLYHUGEIMGSRC 1.2

rawbody  KAM_TRACKIMAGE /<img[^>]*\ssrc=["']?https?:\/\/track/i
describe KAM_TRACKIMAGE Message has a remote image explicitly meant for tracking
score    KAM_TRACKIMAGE 0.2

##BAG OF SPAM THAT TRIES DESPERATELY TO TRACK RECIPIENTS
#meta     KAM_GRABBAG3 (KAM_TRACKIMAGE + KAM_HUGEIMGSRC + (KAM_UNSUB1 || KAM_INFOUSMEBIZ || __KAM_IMGMAP_LINK_OBFU || __KAM_HAS_10_URIS) >= 3)
#score    KAM_GRABBAG3 3.5
#describe KAM_GRABBAG3 Grab bag of spam that employs multiple tricks that indicate tracking of recipients

#MANY SEQUENTIAL EMPTY <A HREF> TAGS WITH NOTHING IN BETWEEN
#IMPORTANTLY, DO NOT MATCH ON EMPTY <A LINK> TAGS, WHICH ARE MEANT TO BE EMPTY
rawbody  __KAM_EMPTYLINK /(?:<a[^>]*\shref=[^>]*><\/a>\s*){10}/i

meta     KAM_EMPTYLINK (__KAM_EMPTYLINK)
describe KAM_EMPTYLINK Many empty a tags with href all in a row
score    KAM_EMPTYLINK 3.5

header   __KAM_TILDEFROM From =~ /^\s*"'?\s*~/i
describe __KAM_TILDEFROM Spam with a from name that starts with tilde

# WORDS THAT "A R E  S P A C E D  O U T" LIKE SO
body     __KAM_SPACEY_WORDS /a +v +e +n +u +e/i

# SPAM THAT WOULD LIKE TO INVEST IN YOUR COUNTRY
header   __KAM_INVESTCOUNTRY1 Subject =~ /Confidential Contract Proposal/i
body     __KAM_INVESTCOUNTRY2 /invest in your country/i

meta     KAM_INVESTCOUNTRY (__KAM_INVESTCOUNTRY1 + __KAM_INVESTCOUNTRY2 >= 2)
score    KAM_INVESTCOUNTRY 3.5
describe KAM_INVESTCOUNTRY Spam for investing in your country

# SPAM FOR FLAGS
header   __KAM_FLAG1 From =~ /flag/i
header   __KAM_FLAG2 Subject =~ /find.the.flag|what flags|new.flag|patriotism|looking.for.a.flag/i
body     __KAM_FLAG3 /performance.flags|shopping.online|scoop on flags|need your flag|best flag|flag design|new flag|flag.needs|flags?.you.need/i

meta     KAM_FLAG (__KAM_FLAG1 + __KAM_FLAG2 + __KAM_FLAG3 >= 3)
score    KAM_FLAG 3.5
describe KAM_FLAG Spam that sells flags

rawbody  __KAM_BIGSMALL /<small><big>|<big><small>/i
describe __KAM_BIGSMALL Spam engine that is using nested big and small tags

rawbody  __KAM_DIVTITLE /<div (title|alt)/i
describe __KAM_DIVTITLE Div tag with custom alt text

rawbody  __KAM_IMGMAP_LINK_OBFU /<map[^>]+><area[^>]+><\/map>/i
describe __KAM_IMGMAP_LINK_OBFU Image links obfuscated by an image map with a single area

meta     KAM_GRABBAG4 (__KAM_DIVTITLE + __KAM_IMGMAP_LINK_OBFU + KAM_HUGEIMGSRC >= 3)
describe KAM_GRABBAG4 Another spam engine that displays unique quirks
score    KAM_GRABBAG4 3.5

header   __KAM_KORS1 From =~ /Michael Kors/i
header   __KAM_KORS2 Subject =~ /Michael Kors|out.of.the.ordinary/i
body     __KAM_KORS3 /sent you this item|register to receive|latest updates|win great prizes|shop michael kors|kors insider|handbag collection/i

meta     KAM_KORS (__KAM_KORS1 + __KAM_KORS2 + __KAM_KORS3 >= 3)
score    KAM_KORS 3.5
describe KAM_KORS Spam for Michael Kors

header   __KAM_HOLIDAY1 From =~ /holidays/i
header   __KAM_HOLIDAY2 Subject =~ /\d\d\d\d offers/i
body     __KAM_HOLIDAY3 /star special|Hotel Opening|(Request|order) a brochure/i

meta     KAM_HOLIDAY (__KAM_HOLIDAY1 + __KAM_HOLIDAY2 + __KAM_HOLIDAY3 >= 3)
describe KAM_HOLIDAY Generic holiday deals
score    KAM_HOLIDAY 3.5

header   __KAM_MANYTO To =~ />,/i
tflags   __KAM_MANYTO multiple,maxhits=5

meta     KAM_MANYTO (__KAM_MANYTO >= 5)
score    KAM_MANYTO 0.2
describe KAM_MANYTO Email has more than one To Header

meta     KAM_GRABBAG5 (KAM_MANYTO && FORGED_YAHOO_RCVD)
score    KAM_GRABBAG5 5.0
describe KAM_GRABBAG5 Forged Yahoo emails that are sent to lots of recipients

body     __KAM_MILLIONAIRE1 /internet millionai?re/i
body     __KAM_MILLIONAIRE2 /huge success stor(y|ies)|controversial/i
header   __KAM_MILLIONAIRE3 Subject =~ /see this video/i

meta     KAM_MILLIONAIRE (__KAM_MILLIONAIRE1 + __KAM_MILLIONAIRE2 + __KAM_MILLIONAIRE3 + LOTS_OF_MONEY >= 3)
score    KAM_MILLIONAIRE 4.5
describe KAM_MILLIONAIRE Internet millionaire guarantees money

header   __KAM_OILCHANGE1 From =~ /oil.?change|coupon/i
header   __KAM_OILCHANGE2 Subject =~ /oil change/i
body     __KAM_OILCHANGE3 /fresh savings|find your favorite|discount.coupons|oil.change.is.due|local.provider|favorite.location|coupon/i

meta     KAM_OILCHANGE (__KAM_OILCHANGE1 + __KAM_OILCHANGE2 + __KAM_OILCHANGE3 >= 3)
score    KAM_OILCHANGE 4.5
describe KAM_OILCHANGE Spam for oil changes

header   __KAM_ADHD1 From =~ /ADH?D/i
header   __KAM_ADHD2 Subject =~ /know.the.signs|could.have.adh?d|adult adh?d/i
body     __KAM_ADHD3 /struggling with adh?d|treatment options/i

meta     KAM_ADHD (__KAM_ADHD1 + __KAM_ADHD2 + __KAM_ADHD3 >= 3)
score    KAM_ADHD 3.5
describe KAM_ADHD Spam for ADD and ADHD treatment

# AUTO REPAIR
header   __KAM_REPAIR1_1 From =~ /repair.your.auto|auto.expert|auto.repair|warranty|support|pops.a.dent|vehicle.protect/i
header   __KAM_REPAIR1_2 Subject =~ /auto.service|auto.repair|having.problems|all.repair|take.care.of|car.trouble|save.\d+%|repair.bill|fix.dents/i
body     __KAM_REPAIR1_3 /car.repair|Auto Protection|repair.bill|lowest.rates|need.repairs|cost.you.thousands|auto.warranty|costs.keep.rising|repair.cost|do.it.yourself|auto.body|body.repair|protection.quote/i

meta     KAM_REPAIR1 (__KAM_REPAIR1_1 + __KAM_REPAIR1_2 + __KAM_REPAIR1_3 >= 3)
score    KAM_REPAIR1 3.5
describe KAM_REPAIR1 Spam for auto repair services

# HOME REPAIR
header   __KAM_REPAIR2_1 From =~ /warranty|support|home.repair|your.roof/i
header   __KAM_REPAIR2_2 Subject =~ /roof.repair|warranty.plan|home.warranty|never.pay.for|home.repair|repairing.your|new.roof/i
body     __KAM_REPAIR2_3 /never.pay|covered.home.repair|the.trouble|warning.signs|roofing.problem|roof.repair/i

meta     KAM_REPAIR2 (__KAM_REPAIR2_1 + __KAM_REPAIR2_2 + __KAM_REPAIR2_3 >= 3)
score    KAM_REPAIR2 3.5
describe KAM_REPAIR2 Spam for home repair services

body __KAM_EPISODE /episode \d+/i

header   __KAM_CLOUD1 From =~ /cloud.?(storage|computing|provider)|efolder/i
header   __KAM_CLOUD2 Subject =~ /private.cloud|data.loss.happens|share.securely/i
body     __KAM_CLOUD3 /big data|powering apps|reduce.tech.costs|backup.solution|bundling.the.service/i
body     __KAM_CLOUD4 /hacking|complimentary.(lunch|breakfast)/i

meta     KAM_CLOUD (__KAM_CLOUD1 + __KAM_CLOUD2 + __KAM_CLOUD3 + __KAM_CLOUD4 >= 3)
score    KAM_CLOUD 3.5
describe KAM_CLOUD Spam for cloud services

header   __KAM_PAPERLESS1 From =~ /paperless|fax|admin/i
header   __KAM_PAPERLESS2 Subject =~ /paperless|fax to email|send document|fax thru email|receive faxes|send faxes|fax.message|voice.message|new.fax|have.received/i
body     __KAM_PAPERLESS3 /fax service|service plan|view.this.fax|\d.page.fax|voice.message/i

meta     KAM_PAPERLESS (__KAM_PAPERLESS1 + __KAM_PAPERLESS2 + __KAM_PAPERLESS3 + HEADER_FROM_DIFFERENT_DOMAINS >= 4)
score    KAM_PAPERLESS 4.5
describe KAM_PAPERLESS Paperless spam for the paperless office

rawbody  __KAM_LOTSOFNBSP /(&nbsp; ?){30}/i

header   __KAM_IPUNSUB List-Unsubscribe =~ /http:\/\/\d+\.\d+\.\d+\.\d+/i

# PASSWORD PHISH - Fixed FP thanks to Thijs Eilander
header   __KAM_PASSWORD1 Subject =~ /password/i
body     __KAM_PASSWORD2 /validate.your.email/i

meta     KAM_PASSWORD (__KAM_PASSWORD1 + __KAM_PASSWORD2 >= 2)
score    KAM_PASSWORD 1.5
describe KAM_PASSWORD Message tries to phish for password

# SEMINARS AND WORKSHOPS SPAM
header   __KAM_WEBINAR1 From =~ /education|career|manage|learning|webinar|project|efolder/i
header   __KAM_WEBINAR2 Subject =~ /last chance|increase productivity|workplace morale|payroll dept|trauma.training|case.study|issues|follow.up|service.desk|vip.(lunch|breakfast)|manage.your|private.business|professional.checklist|customers.safer|great.timesaver|prep.course|crash.course|hunger.to.learn|(keys|tips).(to|for).smarter/i
header   __KAM_WEBINAR3 Subject =~ /webinar|strateg|seminar|owners.meeting|webcast|our.\d.new|sales.video/i
body     __KAM_WEBINAR4 /executive.education|contactid|register now|\d+.minute webinar|management.position|supervising.skills|discover.tips|register.early|take.control|marketing.capabilit|drive.more.sales|leveraging.cloud|solution.provider|have.a.handle|plan.to.divest|being.informed|upcoming.webinar|spearfishing.email|increase.revenue|industry.podcast|\d+.in.depth.tips|early.bird.offer|pmp.certified|lunch.briefing/i

meta     KAM_WEBINAR (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 3)
describe KAM_WEBINAR Spam for webinars
score    KAM_WEBINAR 3.5

meta     KAM_WEBINAR2 (__KAM_WEBINAR1 + __KAM_WEBINAR2 + __KAM_WEBINAR3 + __KAM_WEBINAR4 >= 4)
describe KAM_WEBINAR2 Spam for webinars
score    KAM_WEBINAR2 3.5

header   __KAM_CONTACTME1 Subject =~ /^contact me$/i
body     __KAM_CONTACTME2 /read the attached letter/i

meta     KAM_CONTACTME (__KAM_CONTACTME1 + __KAM_CONTACTME2 >= 2)
score    KAM_CONTACTME 3.5
describe KAM_CONTACTME Spam that wants you to reply

header   __KAM_MESH1 From =~ /consumer|connect|claim/i
header   __KAM_MESH2 Subject =~ /surgical mesh|serious injuries|increased risk|experiencing problems|mesh recall/i
body     __KAM_MESH3 /have a mesh implant|entitled to compensation|consumer injury|injured consumer/i

meta     KAM_MESH (__KAM_MESH1 + __KAM_MESH2 + __KAM_MESH3 >= 3)
describe KAM_MESH Spam for surgical mesh
score    KAM_MESH 3.5

header   __KAM_ALERT1 From =~ /medical.?alert/i
header   __KAM_ALERT2 Subject =~ /medical.alert|emergency coverage/i
body     __KAM_ALERT3 /help button/i

meta     KAM_ALERT (__KAM_ALERT1 + __KAM_ALERT2 + __KAM_ALERT3 >= 3)
score    KAM_ALERT 3.5
describe KAM_ALERT Spam for medical alerts

# SPAM FOR RECENT HEARTBLEED CVE AND OTHER SECURITY STUFF
header   __KAM_SECURITY1 From =~ /Digital Defense/i
header   __KAM_SECURITY2 Subject =~ /heartbleed|hijack/i
body     __KAM_SECURITY3 /information.security|cyber.?criminal/i

meta     KAM_SECURITY (__KAM_SECURITY1 + __KAM_SECURITY2 + __KAM_SECURITY3 >= 3)
describe KAM_SECURITY Spam related to online security
score    KAM_SECURITY 6.0

body     __KAM_JESUS1 /jesus lovely|the.lord|touched.by.christ/i
body     __KAM_JESUS2 /sister.in.the.lord|need for bible/i
body     __KAM_JESUS3 /nigeria|muslim.women/i

meta     KAM_JESUS (__KAM_JESUS1 + __KAM_JESUS2 >= 2)
describe KAM_JESUS Christian spam
score    KAM_JESUS 4.5

header   __KAM_CLAIMS1 From =~ /claims.payment/i
header   __KAM_CLAIMS2 Subject =~ /confirm/i
body     __KAM_CLAIMS3 /claim.payment|claim.processing|kindly.confirm/i

meta     KAM_CLAIMS (__KAM_CLAIMS1 + __KAM_CLAIMS2 + __KAM_CLAIMS3 >= 3)
describe KAM_CLAIMS Spam for claims processing
score    KAM_CLAIMS 4.5

# VISION SPAM
header   __KAM_VISION1 From =~ /clear.?vision|20.20|glasses|perfect.vision|mind.blowing|my.vision|oakley|quantum.vision/i
header   __KAM_VISION2 Subject =~ /20\/20|vision|your.glasses|your.contacts|your.eyes|dangers?.of.glasses|focus.on.here/i
body     __KAM_VISION3 /100%.natural|vision.restored|currently.wear.(glasses|contacts)|perfect.vision|risky.surgery|corrective.surgery|dangers.of.surgery|laser.eye|eye.care|making.your.eyes.worse|your.glasses|worsen.your.vision|special.prices|vision.in.\d+.day|vision.in.\d+.week/i

meta     KAM_VISION (__KAM_VISION1 + __KAM_VISION2 + __KAM_VISION3 + (KAM_WEIRDTRICK1 || RDNS_NONE) >= 3)
describe KAM_VISION Spam for vision improvement
score    KAM_VISION 4.5

body     KAM_TRUTHINESS /[Tt]he TRUTH/
describe KAM_TRUTHINESS Spam that wants you to learn "The TRUTH"
score    KAM_TRUTHINESS 1.5

header   __KAM_KITCHEN1 From =~ /sears|kitchen|cabinet/i
header   __KAM_KITCHEN2 Subject =~ /kitchen.upgrade|kitchen.remodel|cabinet.install|new.kitchen/i
body     __KAM_KITCHEN3 /special.gift|kitchen.remodel|special.offer/i

meta     KAM_KITCHEN (__KAM_KITCHEN1 + __KAM_KITCHEN2 + __KAM_KITCHEN3 >= 3)
score    KAM_KITCHEN 4.5
describe KAM_KITCHEN Spam for kitchen improvement

# ALL-ENCOMPASSING RULES FOR HEALTH RELATED SPAM, INCLUDING SKIN, WEIGHT, VISION, ETC
header   __KAM_GENERICHEALTH1 From =~ /(dr.?|doc.?)[ -]?([o0]z|gupta)|skinny|\d+.?(pounds|[li1]bs?)|[o0]z.([a-z]+.)?(daily|tip|show|weight)|ellen|rapid|vision|20.20|perfect|mind.blowing|healthy|beaut|medical|wrinkle|miracle|energy|weight|as.seen.on|celeb|workout|inches.off|slim|overweight|skinny|trend|curve|stubborn|bikini|f-a-t|trim|youth|belly|unwanted.pounds|gone.easily|heavy|diabetes|oz.?report|years.younger|anti.?aging|look.\d|old.age|without.trying|annoying.pounds|fat.melt|women.?s.health|forskolin|phyto|garcinia|mayo.clinic|gain.mass|nuforia|miracle.cure|notify|champion|healthly|food.health|health.news|nutrisystem|doctor.s.choice|age..prevention|diet.{0,4}report|sharp..?mind|face.?lift/i

header   __KAM_GENERICHEALTH2 Subject =~ /PSA|\[video\]|doctor|\d+.day|(zero|any).effort|oprah|(Dr|Doc).{0,2}[o0]z|[o0]z.([a-z]+.)?(daily|tip|show|weight|quick)|ellen|most.viewed|metabolism|danger|hormone|must.read|life.changing|healthy|perfect|younger|beautiful|hollywood|secret|aging|youth|flawless|as.seen.on|simple.way|workout|nutrition|shocking|detox|exercise|cleanse|diet|\d+(\+?).?(pounds|[li1]bs?)|images?.leaked|wow,|the.pics|don.t.tell|makeup|f-a-t|of.skin|on.(cnn|abc|cbs)|for.(summer|fall|autumn|winter|spring)|unwanted.fat|oz: |backfire|and.oz|and.racha?el|racha?el.talk|your.legs|slim.and.tone|fit.wom[ea]n|tummy|dress.size|wrinkle.reduc|younger.skin|solid.meds|belly.fat|your.calories|champion|is.it.possible|worse.than.smok|meds.online|jump-start.your.weightloss|cure.your.diabetes|weight.loss..?cure|magic.weight.loss|youth.and.vitality|get.thin.with|mental.decline|by.exercising|kidney.beans|drinking.this|treats?.the.(root.)?cause|reverse.\d+.years/i

body     __KAM_GENERICHEALTH3 /aging|clinical|dermatologist|aging|younger|wrinkle|omg|reduction|prevention|(body|your).fat|extra.pounds|perfect.skin|healthy|diet|gossip|\d+.years|facelift|(Dr|Doc).{0,2}[o0]z|weight|calories|metabolism|appetite|detox|unsightly|cholesterol|free.sample|\d+\s*[li]b|slimming|episode|tv.segment|oprah|colon|hollywood|shocking|workout|trend|starving|\d+%.?off|dress.size|flat.belly|silky|younger|free.trial|\d+.years|easy.trick|selfies|medical|\d+.?(lb|pounds)|exercise|the.mirror|fda.approved|slimmer|oz.blog|the.bulge|plant.based|online.store|respected.doctor|cure.your.diabete|with.forskolin|belly.fat|miracle.pill|burn.fat.fast|the.root.cause|drink(ing)?.this.shake/i

meta     KAM_GENERICHEALTH (__KAM_GENERICHEALTH1 + __KAM_GENERICHEALTH2 + __KAM_GENERICHEALTH3 + (KAM_EU || KAM_OTHER_BAD_TLD) >= 3)
score    KAM_GENERICHEALTH 5.0
describe KAM_GENERICHEALTH Matches generic health-related advert/blurbs

header   __KAM_SALE1 From =~ /ipad|hdtv|\$\d+|auction|laptop|easyviewing/i
header   __KAM_SALE2 Subject =~ /blowout|became.perfect|great.products|your.ipad.forever|weird.device|change.how.you.use|transform.your.piad|laptop.replacement/i
body     __KAM_SALE3 /\d+%.off|just.shipped|touch.?fire|just.became.perfect|transform.your.ipad/i

header   __KAM_SALEA_1 From =~ /touch.?fire/i
header   __KAM_SALEA_2 Received =~ /touchfire|tfire/i
body     __KAM_SALEA_3 /touchfire|just.became.perfect|never.be.the.same/i

meta     KAM_SALE (__KAM_SALE1 + __KAM_SALE2 + (__KAM_SALE3 || BODY_8BITS) >= 3)
score    KAM_SALE 4.0
describe KAM_SALE Spam for things on sale

meta     KAM_SALEA ((__KAM_SALEA_1 || __KAM_SALE1 || __KAM_SALEA_2) + __KAM_SALEA_3 >= 2)
score    KAM_SALEA 8.0
describe KAM_SALEA A very persistent ipad spam campaign

# SPAM THAT USES ASCII FORMATTING TRICKS TO EVADE HTML-BASED RULES
body     __KAM_ASCII_DIVIDERS /[-~<>=_]{20}/i
tflags   __KAM_ASCII_DIVIDERS multiple, maxhits=4

meta     KAM_ASCII_DIVIDERS ((__KAM_ASCII_DIVIDERS >= 4) && !HTML_MESSAGE)
describe KAM_ASCII_DIVIDERS Spam that uses ascii formatting tricks
score    KAM_ASCII_DIVIDERS 0.8

# RATWARE THAT CAN'T EVEN PRETEND TO BE AUTHORIZED
header   __KAM_NOTINMYNETWORK1 X-No-Relay =~ /./i

rawbody  __KAM_HTMLNOISE1 /<big><big>|<small><\/small>|<style><\/style>/i

meta     KAM_HTMLNOISE (__KAM_HTMLNOISE1 + __KAM_BIGSMALL >= 1)
score    KAM_HTMLNOISE 1.0
describe KAM_HTMLNOISE Spam containing useless HTML padding

header   __KAM_CHICKEN1 From =~ /coop/i
header   __KAM_CHICKEN2 Subject =~ /chicken.coop|cost.of.buying/i
body     __KAM_CHICKEN3 /your.own.chicken|fresh.egg|chicken.coop|build.your.own/i

meta     KAM_CHICKEN (__KAM_CHICKEN1 + __KAM_CHICKEN2 + __KAM_CHICKEN3 >= 3)
score    KAM_CHICKEN 4.5
describe KAM_CHICKEN Spam for chicken coops

# SPAM THAT TRIES TO BYPASS RULES LIKE CBJ_GiveMeABreak
rawbody  __KAM_LINEPADDING /(\n[^\n]){8}/

meta     KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score    KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters

# DRAPES SPAM
header   __KAM_DRAPES1 From =~ /drapes/i
header   __KAM_DRAPES2 Subject =~ /table.drapes|visibility/i
body     __KAM_DRAPES3 /banner.stand|print.project/i

meta     KAM_DRAPES (__KAM_DRAPES1 + __KAM_DRAPES2 + __KAM_DRAPES3 >= 3)
score    KAM_DRAPES 3.5
describe KAM_DRAPES Spam for drapes

header   __KAM_NUWAVE1 From =~ /nuwave|cooktop/i
header   __KAM_NUWAVE2 Subject =~ /cooking.needs/i
body     __KAM_NUWAVE3 /nuwave|energy.saving|temperature.control|meal.prep|cooktop/i

meta     KAM_NUWAVE (__KAM_NUWAVE1 + __KAM_NUWAVE2 + __KAM_NUWAVE3 >= 3)
describe KAM_NUWAVE Spam for cooking tools
score    KAM_NUWAVE 3.5

rawbody  __KAM_MANYCOMMENTS /<!--[^>]{200,}-->/i
tflags   __KAM_MANYCOMMENTS multiple,maxhits=6

meta     KAM_MANYCOMMENTS (__KAM_MANYCOMMENTS >= 6)
describe KAM_MANYCOMMENTS Spam engine that uses large html noise comments
score    KAM_MANYCOMMENTS 1.2

header   __KAM_HIRE1 From =~ /recruit/i
header   __KAM_HIRE2 Subject =~ /checking.in/i
body     __KAM_HIRE3 /hiring.situation|recruiting|plans.to.hire|altera.staff/i

meta     KAM_HIRE (__KAM_HIRE1 + __KAM_HIRE2 + __KAM_HIRE3 >= 3)
describe KAM_HIRE Spam for hiring services
score    KAM_HIRE 4.5

header   __KAM_DEALS1 From =~ /deal.?hunter/i
header   __KAM_DEALS2 Subject =~ /exclusive.saving|the.hottest/i
body     __KAM_DEALS3 /exclusive.savings/i

meta     KAM_DEALS (__KAM_DEALS1 + __KAM_DEALS2 + __KAM_DEALS3 >= 3)
score    KAM_DEALS 3.5
describe KAM_DEALS Generic advertising for deals

header   __KAM_CONTRACT1 From =~ /samanage/i
header   __KAM_CONTRACT2 Subject =~ /contract cost|itsm contract/i
body     __KAM_CONTRACT3 /buy you out|service management|management solution/i

meta     KAM_CONTRACT (__KAM_CONTRACT1 + __KAM_CONTRACT2 + __KAM_CONTRACT3 >= 3)
score    KAM_CONTRACT 4.5
describe KAM_CONTRACT Spam that will buy your service contract

#KAM_TOLL
header   __KAM_TOLL1 From =~ /e.?z.?pass|collection/i
header   __KAM_TOLL2 Subject =~ /on.(the.)?toll.road|(pay|indebted).for.driving/i
body     __KAM_TOLL3 /have.not.paid|your.debt|invoice/i

meta     KAM_TOLL (__KAM_TOLL1 + __KAM_TOLL2 + __KAM_TOLL3 >= 3)
describe KAM_TOLL Spam for road tolls
score    KAM_TOLL 8.0

#KAM_AMAZON
header   __KAM_AMAZON1 From =~ /amazon\.com/i

meta     KAM_AMAZON (__KAM_AMAZON1 + KAM_RAPTOR >= 2)
score    KAM_AMAZON 4.5
describe KAM_AMAZON Fake Amazon email with malware

# LANDSCAPING
header   __KAM_LANDSCAPE1 From =~ /landscaping/i
header   __KAM_LANDSCAPE2 Subject =~ /turn.your.yard|mtv.crib|swimming.pool/i
body     __KAM_LANDSCAPE3 /landscape.designs|(simple|cheap).strategies|design.troph/i
body     __KAM_LANDSCAPE4 /stone.carving/i

meta     KAM_LANDSCAPING (__KAM_LANDSCAPE1 + __KAM_LANDSCAPE2 + __KAM_LANDSCAPE3 + __KAM_LANDSCAPE4 >= 3)
describe KAM_LANDSCAPING Spam for landscaping
score    KAM_LANDSCAPING 3.5

# SINGING LESSONS
header   __KAM_SINGING1 From =~ /singing/i
header   __KAM_SINGING2 Subject =~ /professional.singer/i
body     __KAM_SINGING3 /terrible.singer|more.talent|love.songs/i

meta     KAM_SINGING (__KAM_SINGING1 + __KAM_SINGING2 + __KAM_SINGING3 >= 3)
describe KAM_SINGING Spam for singing lessons
score    KAM_SINGING 4.5

# SPAM FOR ADS
header   __KAM_ADVERTISE1 From =~ /gmail/i
header   __KAM_ADVERTISE2 Subject =~ /samsung..galaxy.s\d/i
body     __KAM_ADVERTISE3 /advertising.for.samsung|no.application.fee|carry.this.advert/i

meta     KAM_ADVERTISE (__KAM_ADVERTISE1 + __KAM_ADVERTISE2 + __KAM_ADVERTISE3 >= 3)
describe KAM_ADVERTISE Spam that wants you to advertise for them
score    KAM_ADVERTISE 4.5

# RULE FOR DOMAINS THAT HAVE NOT IMPLEMENTED ANY ANTI-FORGERY MECHANISMS
if (version >= 3.003002)
  # We may recommend people start raising the score for this to force more people to use SPF or DKIM Since Gmail and AOL work much better with / require SPF.
  header   __KAM_SPF_NONE    eval:check_for_spf_none()

  meta     KAM_LAZY_DOMAIN_SECURITY (!__DKIM_EXISTS && __KAM_SPF_NONE)
  score    KAM_LAZY_DOMAIN_SECURITY 1.0
  describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods
endif

# FORGED EMAILS WITH A VIRUS ATTACHED
meta     KAM_FORGED_ATTACHED (SPF_HELO_FAIL + KAM_RAPTOR >= 2)
score    KAM_FORGED_ATTACHED 4.5
describe KAM_FORGED_ATTACHED Forged email with a malware attachment

# LOTS OF PERIODS IN SUBJECT
header   __KAM_MANYDOTS1 Subject =~ /\.{20}/i

meta     KAM_MANYDOTS (__KAM_MANYDOTS1 + KAM_HUGEIMGSRC >= 2)
describe KAM_MANYDOTS Spam with lots of periods in subject
score    KAM_MANYDOTS 3.5

# FINAL NOTICE SPAM
header   __KAM_SUBJECTNOTICE1 Subject =~ /Notice: \d+$|final.notice|rpt: \d+$/i

meta     KAM_SUBJECTNOTICE __KAM_SUBJECTNOTICE1
describe KAM_SUBJECTNOTICE Spam notices
score    KAM_SUBJECTNOTICE 1.0

# SPAM FOR BACKUP SERVICE
header   __KAM_BACKUP1 From =~ /backup/i
header   __KAM_BACKUP2 Subject =~ /continuity|\d.reasons|traditional.backup/i
body     __KAM_BACKUP3 /backup.necessary|marketing|infographic|charge.more/i

meta     KAM_BACKUP (__KAM_BACKUP1 + __KAM_BACKUP2 + __KAM_BACKUP3 >= 3)
describe KAM_BACKUP Spam for backup services
score    KAM_BACKUP 4.5

# SPAM THAT TRIES TO AVOID DETECTION WITH NUMBERS IN THE FROM
header   KAM_FROMNUM From:name =~ /\.\d{7,}$/
describe KAM_FROMNUM Spam with large numbers in the from header
score    KAM_FROMNUM 1.0

# LAZY SPAM WITH BARELY MORE THAN A LINK TO A BAD DOMAIN
meta     KAM_LINKBAIT (KAM_LAZY_DOMAIN_SECURITY + __KAM_BODY_LENGTH_LT_512 + (__KAM_COUNT_URIS >= 1) >= 3)
score    KAM_LINKBAIT 0.5
describe KAM_LINKBAIT Short messages containing little more than a link, from a domain with no security in place

uri	 __KAM_WP_INCLUDES /(?:wp-includes|wp-content)/i

meta 	 KAM_LINKBAIT2	KAM_LINKBAIT + __KAM_WP_INCLUDES >= 2
score	 KAM_LINKBAIT2	1.5
describe KAM_LINKBAIT2  Linkbait that points to wordpress - usually means a compromised site

# FREEMAIL LINKBAIT
meta     KAM_LINKBAIT3 (__KAM_TINYDOMAIN + FREEMAIL_FROM + __KAM_BODY_LENGTH_LT_512 >= 3)
score    KAM_LINKBAIT3 1.5
describe KAM_LINKBAIT3 Freemail linkbait with a url shortener

# MALWARE IN EMAILS THAT MENTION LOTS OF MONEY
meta     KAM_PHISHY_DOLLARS (KAM_RAPTOR + LOTS_OF_MONEY >= 2)
score    KAM_PHISHY_DOLLARS 3.5
describe KAM_PHISHY_DOLLARS Emails with malware and large dollar amounts

# RATWARE DU JOUR, MULTIPLE FROM HEADERS AND WONKY SUBJECT LINE
header   __KAM_MULTIPLE_FROM From =~ /^./
tflags   __KAM_MULTIPLE_FROM multiple,maxhits=2

header   __KAM_SUBJECT_WHITESPACE_START Subject =~ /^\s{10}/

meta     KAM_GRABBAG6 (__KAM_MULTIPLE_FROM + __KAM_SUBJECT_WHITESPACE_START >= 2)
describe KAM_GRABBAG6 Ratware with multiple from headers and subject beginning with whitespace
score    KAM_GRABBAG6 4.5

# GENERIC GREETINGS THAT YOU WOULD NEVER GET FROM A LEGIT EMAIL
header   KAM_GENERICHELLO Subject =~ /dear.email.user|hi.there/i
score    KAM_GENERICHELLO 1.5
describe KAM_GENERICHELLO Spam with generic greetings in the subject

# FAKE GOOGLE EMAILS - Thanks to Marc Jouan for pointing out the double rule / T_HK rule name change
header   __KAM_GOOGLE2_1 From =~ /google\+/i
header   __KAM_GOOGLE2_2 From !~ /google.com/i

meta     KAM_GOOGLE2 (__KAM_GOOGLE2_1 + __KAM_GOOGLE2_2 + (HK_SPAMMY_FILENAME || KAM_LAZY_DOMAIN_SECURITY) >= 3)
score    KAM_GOOGLE2 4.5
describe KAM_GOOGLE2 Fake Google spam

# MORE NIGERIAN VARIANTS
body     __KAM_NIGERIAN2_1 /congo/i

meta     KAM_NIGERIAN2 (__KAM_NIGERIAN2_1 + DEAR_SOMETHING + LOTS_OF_MONEY >= 3)
score    KAM_NIGERIAN2 4.5
describe KAM_NIGERIAN2 Nigerian scam variant

# FINGERHUT SPAMS
header   __KAM_FINGERHUT1 From =~ /finger.?hut/i
header   __KAM_FINGERHUT2 Subject =~ /your.budget|credit.account|qualify|finger.?hut|credit|your.account/i
body     __KAM_FINGERHUT3 /important.message|what.you.want|monthly.pay|your.account|credit.account|holiday.shopping|are.you.approved|fingerhut.buying/i

meta     KAM_FINGERHUT (__KAM_FINGERHUT1 + __KAM_FINGERHUT2 + __KAM_FINGERHUT3 >= 3)
score    KAM_FINGERHUT 4.5
describe KAM_FINGERHUT Spam for fingerhut

# FRIEND REQUEST SPAM
header   __KAM_FRIEND1 Subject =~ /new.notification/i
body     __KAM_FRIEND2 /wants.to.follow/i

meta     KAM_FRIEND (__KAM_FRIEND1 + __KAM_FRIEND2 >= 2)
score    KAM_FRIEND 1.5
describe KAM_FRIEND Friend request spam

# ELIMINATE A BUNCH OF RECENT BAD ATTACHMENT SPAM
meta     KAM_VERY_MALWARE (KAM_LAZY_DOMAIN_SECURITY && KAM_RAPTOR)
score    KAM_VERY_MALWARE 3.5
describe KAM_VERY_MALWARE A message with malware that is definitely unwanted

#MERCHANT ACCOUNTS SPAM
header   __KAM_MERCHANT1 Subject =~ /finance.department/i
body     __KAM_MERCHANT2 /business.owner|merchant.processor|processing.fee|average.bank|interchange.fee/i
body     __KAM_MERCHANT3 /merchant.processing|small.business|yearly.credit|monthly.fee|100%.free/i

meta     KAM_MERCHANT (__KAM_MERCHANT1 + __KAM_MERCHANT2 + __KAM_MERCHANT3 >= 3)
score    KAM_MERCHANT 4.5
describe KAM_MERCHANT Spam for merchant processing

# ZERO DAY ATTACHMENTS THAT ARE OBVIOUSLY CRAP BUT NOT CAUGHT BY AV
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader __KAM_ZERODAY1 Content-Type =~ /msword|ms-excel|spreadsheet|office|octet/i
  header     __KAM_ZERODAY2 X-Mailer =~ /foxmail/i

  # DISABLED 7/16 FOR NO LONGER BEING RELEVANT
  #meta     KAM_ZERODAY (__SUBJECT_ENCODED_B64 + __KAM_ZERODAY1 + __KAM_ZERODAY2 >= 3)
  #describe KAM_ZERODAY obviously a malware email that was not caught
  #score    KAM_ZERODAY 8.0

  # ANOTHER ONE
  header   __KAM_ZERODAY3 Subject =~ /remittance advice|invoice|resume|the.open.message|please.the.open|visa.chip/i

  meta     KAM_ZERODAY2 (__KAM_ZERODAY1 + __KAM_ZERODAY3 + KAM_LAZY_DOMAIN_SECURITY >= 3)
  score    KAM_ZERODAY2 1.5
  describe KAM_ZERODAY2 Another obvious zero-day malware

  meta     KAM_ZERODAY3 (KAM_ZERODAY2 + T_OBFU_DOC_ATTACH >= 2)
  score    KAM_ZERODAY3 3.5
  describe KAM_ZERODAY3 Another obvious zero-day malware
endif

# FAMILY TREE SPAM
header   __KAM_ANCESTOR1 From =~ /ancestry/i
header   __KAM_ANCESTOR2 Subject =~ /free.family.tree|find.your.ancestor/i
body     __KAM_ANCESTOR3 /family.history|your family|share.the.stories/i

meta     KAM_ANCESTOR (__KAM_ANCESTOR1 + __KAM_ANCESTOR2 + __KAM_ANCESTOR3 >= 3)
describe KAM_ANCESTOR Spam for family trees
score    KAM_ANCESTOR 3.5

# REMEMBER WHEN YOU GOT THAT SPAM
header   __KAM_REMEMBERWHEN1 Subject =~ /sup|hello|for.you.bro|how.are.you/i
body     __KAM_REMEMBERWHEN2 /hello.brother|remember(ed)?.you|i.remember/i
body     __KAM_REMEMBERWHEN3 /medication|\d+%.discount|lots?.of.drug/i

meta     KAM_REMEMBERWHEN (__KAM_REMEMBERWHEN1 + __KAM_REMEMBERWHEN2 + __KAM_REMEMBERWHEN3 >= 3)
score    KAM_REMEMBERWHEN 4.5
describe KAM_REMEMBERWHEN Reminder of something that never happened

# THE LATEST TRAILING NOISE FORMAT
body     __KAM_NOISE1 /([a-z0-9],){12}/i
body     __KAM_NOISE2 /([a-z]{1,10},){10}/i

ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  meta     KAM_NOISE1 (__KAM_NOISE1 + __KAM_NOISE2 + (CBJ_GiveMeABreak || __CBJ_GiveMeABreak2) >= 3)
  describe KAM_NOISE1 Pattern of noise words at the end of an email
  score    KAM_NOISE1 2.5
endif

# FREE PIZZA WOO!
header   __KAM_PIZZA1 From =~ /pizza/i
header   __KAM_PIZZA2 Subject =~ /^free pizza$/i
body     __KAM_PIZZA3 /free.pizza.coupon/i

meta     KAM_PIZZA (__KAM_PIZZA1 + __KAM_PIZZA2 + __KAM_PIZZA3 >= 3)
score    KAM_PIZZA 3.5
describe KAM_PIZZA Spam for free pizza

# ENGINEERING SPAM
header   __KAM_ENGINEER1 Subject =~ /engineering . architect|engineering.industry/i
body     __KAM_ENGINEER2 /email.list|target.audience|databank|verified.email/i
body     __KAM_ENGINEER3 /construction.engineering|engineering . architect|marketing.manager/i

meta     KAM_ENGINEER (__KAM_ENGINEER1 + __KAM_ENGINEER2 + __KAM_ENGINEER3 >= 3)
score    KAM_ENGINEER 3.5
describe KAM_ENGINEER Spam for engineering contact information

# SUNGLASSES
header   __KAM_SUNGLASSES1 Subject =~ /rayban/i
body     __KAM_SUNGLASSES2 /great ray|hot.deal/i
body     __KAM_SUNGLASSES3 /style rocks|today.only/i

meta     KAM_SUNGLASSES (__KAM_SUNGLASSES1 + __KAM_SUNGLASSES2 + __KAM_SUNGLASSES3 >= 3)
describe KAM_SUNGLASSES Spam for sunglasses
score    KAM_SUNGLASSES 3.5

# INVOICE SPAM OF THE DAY
header   __KAM_INVOICE1 From =~ /billing/i
header   __KAM_INVOICE2 Subject =~ /past.due|invoice/i

meta     KAM_INVOICE (__KAM_INVOICE1 + __KAM_INVOICE2 + SPF_FAIL >= 3)
score    KAM_INVOICE 4.5
describe KAM_INVOICE Spam for invoices

# GRIPEEZ
header   __KAM_GRIPPY1 From =~ /gripeez/i
header   __KAM_GRIPPY2 Subject =~ /bonus.offer|gripeez/i
body     __KAM_GRIPPY3 /gripeez.bonus|interior.decorator|sticky.grip/i

meta     KAM_GRIPPY (__KAM_GRIPPY1 + __KAM_GRIPPY2 + __KAM_GRIPPY3 >= 3)
score    KAM_GRIPPY 4.5
describe KAM_GRIPPY Spam for sticky grip products

# LIMITED / DISABLED ACCOUNT, ACTIVATION, SECURITY ALERTS, AND OTHER ACCOUNT PHISHES
header   __KAM_ACCOUNTPHISH1 From =~ /[il]tunes|account|costco|walgreen|amazon|ebay|internal|admin|gold|webmail|provider|marketing/i
header   __KAM_ACCOUNTPHISH2 Subject =~ /your.account|is.limited|activate|recover|acknowledgment|of.order|buying.from|order.(status|confirm)|help.?desk|your.order|update.your|security|document|(^secure$)|download.failed|click.to.activate|status.approved|notification.message|storage.exceeded|maintenance routine|storage.warning|size.notification|administrative.notice/i
body     __KAM_ACCOUNTPHISH3 /update.your.information|problems.with.your|billing.information|order.details|personal.data|detailed.order|order.information|for.activation|account.{1,30}.inactive|information.required|secure.browser|recently.compromised|classified.document|with.your.email|complete.your.account|account.confirmed|claim.your.order|free.money|forced.to.cancel|immediate.access|upgrading.all.staff|advice.to.update|confirm.your.account/i
body     __KAM_ACCOUNTPHISH4 /webmail|all.systems|coincide.with|storage.limit|get.back.into|update.your.account|kindly.click|very.private.message|this.is.honest|fill.the.form|click.on.send|follow.here|for.all.user|one.click.away|mail.desk/i

meta     KAM_ACCOUNTPHISH ((__KAM_ACCOUNTPHISH1 || FREEMAIL_FROM || KAM_LAZY_DOMAIN_SECURITY) + __KAM_ACCOUNTPHISH2 + __KAM_ACCOUNTPHISH3 + __KAM_ACCOUNTPHISH4 >= 3)
score    KAM_ACCOUNTPHISH 4.0
describe KAM_ACCOUNTPHISH Spam that tries to get account information

# BUY PROPERTY
header   __KAM_PROPERTY1 From =~ /high.rise|condo/i
header   __KAM_PROPERTY2 Subject =~ /condo|move.in.soon|developer/i
body     __KAM_PROPERTY3 /convenient.location/i

meta     KAM_PROPERTY (__KAM_PROPERTY1 + __KAM_PROPERTY2 + __KAM_PROPERTY3 >= 3)
score    KAM_PROPERTY 2.5
describe KAM_PROPERTY Spam for buying property

# FAKE AMEX
header   __KAM_FAKEAMEX1 From =~ /aexp.com/i

meta     KAM_FAKEAMEX (__KAM_FAKEAMEX1 + SPF_FAIL >= 2)
score    KAM_FAKEAMEX 8.0
describe KAM_FAKEAMEX A rash of spam that is phishing for American Express information

header   KAM_HUGESUBJECT Subject =~ /^.{500}/
score    KAM_HUGESUBJECT 2.5
describe KAM_HUGESUBJECT Email with a subject longer than any mail client would let you enter

#HOOKUP
header   __KAM_HOOKUP1 Subject =~ /hookup with local singles/i
uri      __KAM_HOOKUP2 /justhookup/i
body     __KAM_HOOKUP3 /match.?me.?networks/i

meta     KAM_HOOKUP (__KAM_HOOKUP1 + __KAM_HOOKUP2 + __KAM_HOOKUP3 >= 3)
score    KAM_HOOKUP 10.5
describe KAM_HOOKUP Spam for Local Hookup Service

#PSYCHIC
header	 __KAM_PSYCHIC1	Subject =~ /horoscope|psychic/i
uri 	 __KAM_PSYCHIC2	/free.psychic/i
body	 __KAM_PSYCHIC3 /psychic Chris|free psychic reading/i

meta	 KAM_PSYCHIC	(__KAM_PSYCHIC1 + __KAM_PSYCHIC2 + __KAM_PSYCHIC3 >= 3)
score	 KAM_PSYCHIC 	4.5
describe KAM_PSYCHIC	Current Psychic Product Spam du Jour

#UNSUB BADDIES
body	__KAM_BADUNSUB	/(?:remove|Unsubscribe) from (?:MindTCommunications|LunarMessages)/i

meta	 KAM_BADUNSUB	(__KAM_BADUNSUB >= 1)
score	 KAM_BADUNSUB	3.0
describe KAM_BADUNSUB	Bad Unsubscribe Messages

#GRABBAG FOR A ROUND OF WORDPRESS HACKS
rawbody  __KAM_GRABBAG7_1 /wp-content|wp-includes|\/plugins\//

meta     KAM_GRABBAG7 ((HTML_MIME_NO_HTML_TAG || MIME_HTML_ONLY) + __KAM_GRABBAG7_1 + (SPF_FAIL || SPF_HELO_FAIL) >= 3)
score    KAM_GRABBAG7 3.0
describe KAM_GRABBAG7 Spam pattern with bad HTML message

#TINYURL OBFUSCATION
uri      __KAM_TINYURL1 /tinyurl.com\/.{0,10}(hookup|sexual|online-riches|predator-zipcode|nothnx|imtaken)/i

meta     KAM_TINYURL (__KAM_TINYURL1)
score    KAM_TINYURL 4.0
describe KAM_TINYURL Spammy urls that hide behind a link shortener

# FAKE DROPBOX
header   __KAM_DROPBOX1 From =~ /dropbox/i
header   __KAM_DROPBOX2 From !~ /dropbox.com/i
body     __KAM_DROPBOX3 /shared.a.folder/i

meta     KAM_DROPBOX (__KAM_DROPBOX1 + __KAM_DROPBOX2 + __KAM_DROPBOX3 >= 3)
score    KAM_DROPBOX 4.5
describe KAM_DROPBOX Fake Dropbox emails

# BAD YAHOO! DON'T SEND EMAIL FROM A MULTICAST IP!
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i

  meta     KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
  describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
  score    KAM_YAHOO_MISTAKE -3.0
endif

# GARBAGE FREEMAIL
meta     KAM_GRABBAG9 (MALFORMED_FREEMAIL + SUBJ_ALL_CAPS + FREEMAIL_ENVFROM_END_DIGIT >= 3)
score    KAM_GRABBAG9 4.5
describe KAM_GRABBAG9 Garbage email from a garbage freemail account

# AQUA RUG
header   __KAM_AQUARUG1 From =~ /aqua.?rug/i
header   __KAM_AQUARUG2 Subject =~ /(bath|shower).mat|for.your.shower/i
body     __KAM_AQUARUG3 /stop.slipping|unique.carpet|aqua.rug|bare.feet.love/i

meta     KAM_AQUARUG (__KAM_AQUARUG1 + __KAM_AQUARUG2 + __KAM_AQUARUG3 >= 3)
score    KAM_AQUARUG 3.5
describe KAM_AQUARUG Spam for aqua rug product

# FAKE ITC SPAM
# Fixed FP thanks to j.marshall
header   __KAM_ITC1 From =~ /thetradecouncil.com/i
body     __KAM_ITC2 /International Trade Council/i
body     __KAM_ITC3 /enclosed/i

meta     KAM_ITC (__KAM_ITC1 < 1) && (__KAM_ITC2 >= 1) && (__KAM_ITC3 + KAM_BADIPHTTP >= 1)
score    KAM_ITC 4.5
describe KAM_ITC Fake email from International Trade Council

# HAVE YOU SEEN THIS
body     __KAM_SEENTHIS1 /have.you.seen|seen.this/i
body     __KAM_SEENTHIS2 /oprah/i

meta     KAM_SEENTHIS (__KAM_SEENTHIS1 + __KAM_SEENTHIS2 + (KAM_LAZY_DOMAIN_SECURITY || KAM_MANYTO) >= 3)
score    KAM_SEENTHIS 4.5
describe KAM_SEENTHIS Have you seen this spam?

# DETOX
header   __KAM_DETOX1 From =~ /detox/i
header   __KAM_DETOX2 Subject =~ /detox.service|discover.detox|clear.your.system|how.detox.(could|can)/i
body     __KAM_DETOX3 /detox.program|right.for.you|clean(ing)? up your life|a.little.easier/i

meta     KAM_DETOX (__KAM_DETOX1 + __KAM_DETOX2 + __KAM_DETOX3 >= 3)
score    KAM_DETOX 2.5
describe KAM_DETOX Spam for trendy detox stuff

# DEATH INSURANCE
header   __KAM_DEATHINSURE1 From =~ /live.sure/i
header   __KAM_DEATHINSURE2 Subject =~ /life.will|cheaper.than.today/i
body     __KAM_DEATHINSURE3 /inheritance.tax|your.loved.ones|funeral.costs/i

meta     KAM_DEATHINSURE (__KAM_DEATHINSURE1 + __KAM_DEATHINSURE2 + __KAM_DEATHINSURE3 >= 3)
describe KAM_DEATHINSURE Spam for death insurance
score    KAM_DEATHINSURE 3.5

# REACHBASE
body     KAM_REACHBASE /ReachBase is committed to providing you with relevant business information/i
score    KAM_REACHBASE 2.5
describe KAM_REACHBASE Marketing email pretending to be business info

# DIGITAL WALLET SPAM
header   __KAM_DIGITALWALLET1 From =~ /apple.?pay/i
header   __KAM_DIGITALWALLET2 Subject =~ /(ready.for|introducing|complimentary).apple.?pay|paying.too.much/i
body     __KAM_DIGITALWALLET3 /business.ready|no.setup.fee|only.$?[\d\.]+%?.(per|a).swipe|apple.?pay.equipment|free,equipment/i

meta     KAM_DIGITALWALLET (__KAM_DIGITALWALLET1 + __KAM_DIGITALWALLET2 + __KAM_DIGITALWALLET3 + (HELO_DYNAMIC_DHCP || KAM_EU || KAM_INFOUSMEBIZ) >= 3)
score    KAM_DIGITALWALLET 3.5
describe KAM_DIGITALWALLET Spam for digital wallet services

# BAD PHP
header   __KAM_BADPHP1 X-PHP-Originating-Script =~ /eval..'d code/i
header   __KAM_BADPHP2 X-Source-Args =~ /css.php/i

meta     KAM_BADPHP (__KAM_BADPHP1 || __KAM_BADPHP2)
score    KAM_BADPHP 2.5
describe KAM_BADPHP Questionable PHP mailer headers

# TINNITUS
header   __KAM_TINNITUS1 From =~ /tinnitus.breakthrough/i
header   __KAM_TINNITUS2 Subject =~ /new.tip|only.(1|one).week/i
body     __KAM_TINNITUS3 /scientifically.proven|end.tinnitus/i

meta     KAM_TINNITUS (__KAM_TINNITUS1 + __KAM_TINNITUS2 + __KAM_TINNITUS3 >= 3)
describe KAM_TINNITUS Tinnitus spam
score    KAM_TINNITUS 3.5

# KIWIBANK
header   __KAM_KIWIBANK1 From =~ /kiwibank/i
header   __KAM_KIWIBANK2 Subject =~ /verification.required/i
body     __KAM_KIWIBANK3 /security.procedure|customer.safety|security.details/i

meta     KAM_KIWIBANK (__KAM_KIWIBANK1 + __KAM_KIWIBANK2 + __KAM_KIWIBANK3 >= 3)
describe KAM_KIWIBANK Account phish for Kiwibank
score    KAM_KIWIBANK 3.5

# HAPPY TALK
header   __KAM_HAPPYTALK1 Subject =~ /^hello$/i
body     __KAM_HAPPYTALK2 /honest.and.nice/i
body     __KAM_HAPPYTALK3 /beautiful.mail/i

meta     KAM_HAPPYTALK (__KAM_HAPPYTALK1 + __KAM_HAPPYTALK2 + __KAM_HAPPYTALK3 >= 3)
score    KAM_HAPPYTALK 3.5
describe KAM_HAPPYTALK Weirdly happy spam

# SETTLEMENT SPAM
header   __KAM_SETTLEMENT1 From =~ /xarelto/i
header   __KAM_SETTLEMENT2 Subject =~ /settlements?.available/i
body     __KAM_SETTLEMENT3 /lawsuit.information/i

meta     KAM_SETTLEMENT (__KAM_SETTLEMENT1 + __KAM_SETTLEMENT2 + __KAM_SETTLEMENT3 >= 3)
score    KAM_SETTLEMENT 3.5
describe KAM_SETTLEMENT Spam offering lawsuit settlement

# CAD SPAM
header   __KAM_CAD1 Subject =~ /cad.drawing/i
body     __KAM_CAD2 /we.specialize.in/i
body     __KAM_CAD3 /our.products/i

meta     KAM_CAD (__KAM_CAD1 + __KAM_CAD2 + __KAM_CAD3 >= 3)
describe KAM_CAD Spam for CAD services
score    KAM_CAD 3.5

# SPAM WITH OFFICE MACROS
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  header   KAM_VBMACRO X-KAM-VBMacro =~ /True/i
  describe KAM_VBMACRO Message contains attachment with VB macro
  score    KAM_VBMACRO 6.5
endif

# YELP AND OTHER REVIEW SITES
header   __KAM_REVIEW1 From =~ /contractor/i
header   __KAM_REVIEW2 Subject =~ /verify.accuracy|your.listing|listing.on.yelp/i
body     __KAM_REVIEW3 /unverified|major.local.search|search.sites|company(.s)?.information/i

meta     KAM_REVIEW (__KAM_REVIEW1 + __KAM_REVIEW2 + __KAM_REVIEW3 >= 3)
describe KAM_REVIEW Spam for review sites
score    KAM_REVIEW 4.5

# TOURS AND EVENTS
header   __KAM_TOURS1 From =~ /festival/i
header   __KAM_TOURS2 Subject =~ /adventure.tour/i
body     __KAM_TOURS3 /your.adventure.tour|your.event/i

meta     KAM_TOURS (__KAM_TOURS1 + __KAM_TOURS2 + __KAM_TOURS3 >= 3)
score    KAM_TOURS 3.5
describe KAM_TOURS Spam for tours and events

# NO MORE SPAM ENGINES
body     __KAM_NOMORE1 /no.more.of.this/i
body     __KAM_NOMORE2 /no.more.at.all/i

meta     KAM_NOMORE (__KAM_NOMORE1 + __KAM_NOMORE2 >= 2)
describe KAM_NOMORE Another predictable spam engine
score    KAM_NOMORE 3.5

# NOT REALLY CONFIDENTIAL
body     __KAM_NOCONFIDENCE1 /confidential.information/i

meta     KAM_NOCONFIDENCE (KAM_LAZY_DOMAIN_SECURITY + __KAM_NOCONFIDENCE1 >= 2)
score    KAM_NOCONFIDENCE 0.5
describe KAM_NOCONFIDENCE Confidential information sent with no security

# YER GON GET SASSINATED
header   __KAM_ASSASSIN1 Subject =~ /want you dead/i
body     __KAM_ASSASSIN2 /my identity/i
body     __KAM_ASSASSIN3 /assassinate/i
body     __KAM_ASSASSIN4 /like.an.accident/i

meta     KAM_ASSASSIN (__KAM_ASSASSIN1 + __KAM_ASSASSIN2 + __KAM_ASSASSIN3 + __KAM_ASSASSIN4 >= 3)
score    KAM_ASSASSIN 4.5
describe KAM_ASSASSIN Assassination spam

# GIMME FLASH DRIVES
header   __KAM_DRIVE1 From =~ /purchase|manager/i
header   __KAM_DRIVE2 Subject =~ /quotation/i
body     __KAM_DRIVE3 /to.be.furnished|office.equipment.item/i

meta     KAM_DRIVE (__KAM_DRIVE1 + __KAM_DRIVE2 + __KAM_DRIVE3 >= 3)
score    KAM_DRIVE 3.5
describe KAM_DRIVE Spam for ordering office equipment

#BAD TLD - TESTING NEW blacklist_uri_host feature
#PASSED TEST BUT THIS IS 100 points - Instead modify SOMETLD_ARE_BAD_TLD TO PREVENT FPs
#if (version >= 3.004000)
#  blacklist_uri_host link
#endif 

#LOOKING TO SHUTDOWN MISUSE OF DNSWL AND HOSTKARMA
meta 	 KAM_BAD_DNSWL	(URIBL_BLACK + URIBL_SBL + URIBL_PH_SURBL + RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SORBS_DUL + IN_BCUDA_RBL + RCVD_IN_BCUDA_RELAY + RCVD_IN_XBL + __KAM_URIBL_PCCC +  KAM_HEADER_EMAILBL_PCCC >= 1) && (RCVD_IN_DNSWL_HI + RCVD_IN_HOSTKARMA_W >= 2)
score	 KAM_BAD_DNSWL	7.0
describe KAM_BAD_DNSWL  Removing HostKarma and DNSWL HI Scoring for Emails in various RBL 

# HEARING LOSS
header   __JMQ_HEARINGLOSS1 From =~ /hearing.?loss|deaf \& angry/i
header   __JMQ_HEARINGLOSS2 Subject =~ /reverse.your.hearing|hearing.loss|\d+.year.old.method|hearing.aids/i
body     __JMQ_HEARINGLOSS3 /going.crazy|natural.formula|restore.your.hearing|click.here.to.see|off.hearing.aid/i

meta     JMQ_HEARINGLOSS (__JMQ_HEARINGLOSS1 + __JMQ_HEARINGLOSS2 + __JMQ_HEARINGLOSS3 >= 3)
score    JMQ_HEARINGLOSS 3.5
describe JMQ_HEARINGLOSS Spam for hearing loss solutions

# TRACKR
header   __JMQ_TRACKR1 From =~ /trackr/i
header   __JMQ_TRACKR2 Subject =~ /trackr|never.lose|find.any|lost.items/i
body     __JMQ_TRACKR3 /locate anything|find.anything|never.lose.anything|new.invention|never.lose.your|tired.of.losing|find.any.lost/i

meta     JMQ_TRACKR (__JMQ_TRACKR1 + __JMQ_TRACKR2 + __JMQ_TRACKR3 >= 3)
score    JMQ_TRACKR 4.5
describe JMQ_TRACKR Spam for TrackR

# CONGRATULATION
header   __JMQ_CONGRAT1 From =~ /award|claim/i
header   __JMQ_CONGRAT2 Subject =~ /congratulation|open.attachment|good.news.for/i

meta     JMQ_CONGRAT (__JMQ_CONGRAT1 + __JMQ_CONGRAT2 + (KAM_RAPTOR || T_FREEMAIL_DOC_PDF || HK_SPAMMY_FILENAME) >= 3)
score    JMQ_CONGRAT 3.5
describe JMQ_CONGRAT Open attachment to claim your free spam

# PICKUP
header   __JMQ_PICKUP1 Subject =~ /hey there|(^hey$)/i
body     __JMQ_PICKUP2 /(dirty|freaky|naughty|good)(pix|pic)|hey.cutie/i
header   __JMQ_PICKUP3 X-Mailer =~ /php/i
body     __JMQ_PICKUP4 /\d+.year.old|female/i

meta     JMQ_PICKUP (__JMQ_PICKUP1 + __JMQ_PICKUP2 + __JMQ_PICKUP3 + __JMQ_PICKUP4 >= 3)
score    JMQ_PICKUP 8.0
describe JMQ_PICKUP spam that wants your number

# COMPROMISED DROPBOX
header   __JMQ_DROPBOX1 Subject =~ /(payment|transfer)/i
header   __JMQ_DROPBOX2 Subject =~ /\([a-z]\d+\)/i
body     __JMQ_DROPBOX3 /ach.(payment|transfer)/i

meta     JMQ_DROPBOX (__JMQ_DROPBOX1 + __JMQ_DROPBOX2 + __JMQ_DROPBOX3 >= 3)
score    JMQ_DROPBOX 3.0
describe JMQ_DROPBOX Spam from what appears to be compromised dropbox accounts

#FIX BAD REVIEW
header __KAM_BAD_REVIEW1 Subject =~ /fix bad reviews/i
body   __KAM_BAD_REVIEW2 /Reputation Giant/i

meta	KAM_BAD_REVIEW	(__KAM_BAD_REVIEW1 +  __KAM_BAD_REVIEW2 >= 2)
score	KAM_BAD_REVIEW  4.0
describe KAM_BAD_REVIEW	Online reputation spammers

#GOOGLE AWARD
header	__KAM_GOOGLE_AWARD1	From =~ /Google UK/i
body	__KAM_GOOGLE_AWARD2	/selected as a winner/i
body	__KAM_GOOGLE_AWARD3	/Dear Google/i
body	__KAM_GOOGLE_AWARD4	/Official Notification Letter/i

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader	__KAM_GOOGLE_AWARD5A	Content-Type =~ /Google Award/i
  mimeheader    __KAM_GOOGLE_AWARD5B    Content-Disposition =~ /Google Award/i
endif

meta	KAM_GOOGLE_AWARD	(__KAM_GOOGLE_AWARD1 + __KAM_GOOGLE_AWARD2 + __KAM_GOOGLE_AWARD3 + __KAM_GOOGLE_AWARD4 + (__KAM_GOOGLE_AWARD5A + __KAM_GOOGLE_AWARD5B >= 1)  >= 4)
score	KAM_GOOGLE_AWARD	5.0
describe	KAM_GOOGLE_AWARD	Fake Google Awards

#OBFUSCATED LOANS
body	KAM_OBFU_LOANS	/Stüdént Lóans/i
score	KAM_OBFU_LOANS	5.0
describe KAM_OBFU_LOANS	Obfuscated Loan Verbiage

#WORK FROM HOME
body	__KAM_WORKFROMHOME1	/work from home/i

meta	KAM_WORKFROMHOME	(__KAM_SHORT + __KAM_WORKFROMHOME1 >= 2)
score	KAM_WORKFROMHOME	2.5
describe KAM_WORKFROMHOME	Work from Home Spams

#STUDENT LOAN
body	__KAM_STUDENTLOAN1	/(National|Federal) Student Loan Status/i
body	__KAM_STUDENTLOAN2	/consolidate your loan/i
body	__KAM_STUDENTLOAN3	/doesn't injured/i
body	__KAM_STUDENTLOAN4	/866-351-4693/i
body	__KAM_STUDENTLOAN5	/(financial troubles|debt) is (understood|forgiven)/i

meta	KAM_STUDENTLOAN		(__KAM_STUDENTLOAN1 + __KAM_STUDENTLOAN2 + __KAM_STUDENTLOAN3 + __KAM_STUDENTLOAN4 + __KAM_STUDENTLOAN5 >= 3)
score	KAM_STUDENTLOAN		4.5
describe	KAM_STUDENTLOAN	Student Loan Scam

#RESUME
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  header   __JMQ_RESUME1 Subject =~ /resume/i
  body     __JMQ_RESUME2 /hello my name|my name is/i
  body     __JMQ_RESUME3 /appreciate.your.cooperation|my.resume.is.pdf|resume.attach|pdf.file.is|is.my.resume/i
  mimeheader    __JMQ_RESUME4 Content-Type =~ /x-zip-comp/i
  mimeheader    __JMQ_RESUME5 Content-Type =~ /my_resume\.zip/i

  meta     JMQ_RESUME ((__JMQ_RESUME1 + __JMQ_RESUME2 + __JMQ_RESUME3 + __JMQ_RESUME5 >= 3) && __JMQ_RESUME4)
  score    JMQ_RESUME 4.5
  describe JMQ_RESUME Spam for bad attached resumes
endif

#LED/SOLAR LIGHTS
header          __KAM_LED1  Reply-to =~ /huixinsoft\d*\@foxmail.com/i
body		__KAM_LED2	/solar (lighting|led)/i
body		__KAM_LED3	/China aier/i

meta		KAM_LED		(__KAM_LED1 + __KAM_LED2 + __KAM_LED3 >= 2)
describe	KAM_LED		Solar LED Lighting Spams
score		KAM_LED		5.5

# REAL ESTATE
header   __JMQ_REALESTATE1 From =~ /tom.brice/i
header   __JMQ_REALESTATE2 Subject =~ /real.estate/i
body     __JMQ_REALESTATE3 /preferred.choice|looking.for.real.estate|online.platform|systems.placement/i

meta     JMQ_REALESTATE (__JMQ_REALESTATE1 + __JMQ_REALESTATE2 + __JMQ_REALESTATE3 >= 3)
describe JMQ_REALESTATE Real estate spam
score    JMQ_REALESTATE 4.5

# IP IN FROM
header   JMQ_IPINFROM From =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score    JMQ_IPINFROM 2.5
describe JMQ_IPINFROM Spam with IP in the from address

# IFFY PAYPAL OF THE DAY
header   __JMQ_PAYPAL2 From =~ /paypai/i

meta     JMQ_PAYPAL2 (JMQ_IPINFROM + __JMQ_PAYPAL2 >= 2)
score    JMQ_PAYPAL2 4.5
describe JMQ_PAYPAL2 PayPal spam of the day

# RESUME SPAM REDUX PART 2 (WOOHOO)
meta     JMQ_RESUME3 (__JMQ_RESUME1 && __JMQ_RESUME2 && KAM_THEBAT)
score    JMQ_RESUME3 3.5
describe JMQ_RESUME3 Yet more resume spam

# SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns   JMQ_SPF_NEUTRAL_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\?all$/
  describe JMQ_SPF_NEUTRAL_ALL SPF set to ?all!
  score    JMQ_SPF_NEUTRAL_ALL 0.5
endif

# IMPORTANT MESSAGE
header   __JMQ_IMPORTANT1 Subject =~ /(fw|re):? important/i
body     __JMQ_IMPORTANT2 /important message/i
body     __JMQ_IMPORTANT3 /please visit/i

meta     JMQ_IMPORTANT (__JMQ_IMPORTANT1 + __JMQ_IMPORTANT2 + __JMQ_IMPORTANT3 + KAM_LAZY_DOMAIN_SECURITY >= 4)
score    JMQ_IMPORTANT 4.5
describe JMQ_IMPORTANT Spam that thinks it is important

# IMAGE TRACKERS
uri      __JMQ_TRACKER1 /sidekickopen\d*\.com/i

meta     JMQ_TRACKER (__JMQ_TRACKER1 >= 1)
score    JMQ_TRACKER 0.5
describe JMQ_TRACKER Message uses image-based tracker

# WIRE TRANSFERS
header   __JMQ_WIRE1 Subject =~ /wire.*fund|request.*wire|(fwd|re): request/i
body     __JMQ_WIRE2 /medical.support|payment.sent/i
body     __JMQ_WIRE3 /bank.wire|sent.out.asap/i

meta     JMQ_WIRE (__JMQ_WIRE1 + __JMQ_WIRE2 + __JMQ_WIRE3 + (LOTS_OF_MONEY || KAM_LAZY_DOMAIN_SECURITY || HEADER_FROM_DIFFERENT_DOMAINS) >= 3)
score    JMQ_WIRE 4.5
describe JMQ_WIRE Attempt to steal money via wire transfer

#bindata code in RTF
#rawbody	 __KAM_BADRTF1 /<w:binData/
#rawbody	 __KAM_BADRTF2 /QWN0aXZlTWltZQ/

#meta     KAM_BADRTF (__KAM_BADRTF1 + __KAM_BADRTF2 >= 2)
#describe KAM_BADRTF Message contains binary data in RTF format
#score    KAM_BADRTF 5.0

#EOF