#02-21-05
#Author: KevinMcGrail@McGrail.com
#Copyright (c) 2005 & Released to the Public Domain

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
header          __KAM_AOL               From =~ /\@aol.com/i
describe        __KAM_AOL               Partial Rule: Marks AOL Addresses
header          __KAM_GOODAOL           From =~ /[a-z][a-z0-9]{2,15}\@aol.com/i
describe        __KAM_GOODAOL           Partial Rule: Marks Bad AOL Addresses
meta            KAM_COMBO_BADAOL        __KAM_AOL && !(__KAM_GOODAOL)
describe        KAM_COMBO_BADAOL        From: Invalid AOL Email Address.  High probability of spam.
score           KAM_COMBO_BADAOL        3.0

# This rule is to mark emails using the exploit of the URI parsing
uri             KAM_URIPARSE       /(\%0[01]|\0).*\@/i
describe        KAM_URIPARSE    Attempted use of URI bug.  Very high probability of fraud.
score           KAM_URIPARSE     7.00

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header          KAM_ADV_EMAIL           From =~ /\bADV\@/i
describe        KAM_ADV_EMAIL           Marks adv@<domain.com> Addresses as likely SPAM
score           KAM_ADV_EMAIL           1.0

header 		KAM_SILD         Subject =~ /Sildenafil Citrate/i
describe	KAM_SILD	 Simple rule to block one more Viagra message
score  		KAM_SILD	 5.0

# This rule is to mark emails using the exploit of the eBay redirector
uri             KAM_EBAYREDIR    /.*.ebay.com.*RedirectToDomain/i
describe        KAM_EBAYREDIR    Attempted use of eBay redirect-likely fraud
score           KAM_EBAYREDIR    7.0

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header          KAM_ADV_EMAIL           From =~ /\bADV\@/i
describe        KAM_ADV_EMAIL           Marks adv@<domain.com> Addresses as likely SPAM
score		KAM_ADV_EMAIL		16.0

# Rule to mark emails with GET YOUR UNIVERSITY DIPLOMA higher
body		KAM_DIPLOMA		/GET YOUR UNIVERSITY DIPLOMA/i
describe	KAM_DIPLOMA		Diploma Mill SPAM
score		KAM_DIPLOMA		1.5

# Rule to mark emails with GOGETDEALZ.COM
body            KAM_GOGET             /gogetdealz.com/i
describe        KAM_GOGET             Diploma Mill SPAM
score           KAM_GOGET             3.5

# Rule to mark emails with CheapSoft Crud
body            KAM_CHEAPSOFT         /CheapSoft(Customer|LLC)/
describe        KAM_CHEAPSOFT         CheapSoft SPAM
score           KAM_CHEAPSOFT         3.5

#SEXUALLY EXPLICIT EMAILS
header    KAM_SEX_EXPLICIT      Subject =~ /SEXUALLY[-_, ]{0,1}EXPLICIT/i
describe  KAM_SEX_EXPLICIT      Subject indicates Sexually Explicit material
score     KAM_SEX_EXPLICIT      16.0