#05-08-04

# Rule based on Kelson Vibber's MD code for bogus AOL Addresses
# Check for bogus AOL addresses as described at
# http://postmaster.aol.com/faq/mailerfaq.html#syntax
# - all alphanumeric, starting with a letter, from 3 to 16 characters long.
header          __KAM_AOL               From =~ /\@aol.com/i
describe        __KAM_AOL               Partial Rule: Marks AOL Addresses
header          __KAM_GOODAOL           From =~ /[a-z][a-z0-9]{2,15}\@aol.com/i
describe        __KAM_GOODAOL           Partial Rule: Marks Bad AOL Addresses
meta            KAM_COMBO_BADAOL        __KAM_AOL && !(__KAM_GOODAOL)
describe        KAM_COMBO_BADAOL        From: Invalid AOL Email Address.  High probability of spam.
score           KAM_COMBO_BADAOL        3.0

# This rule is to mark emails using the exploit of the URI parsing
uri             KAM_URIPARSE       /(\%0[01]|\0).*\@/i
describe        KAM_URIPARSE    Attempted use of URI bug.  Very high probability of fraud.
score           KAM_URIPARSE     7.00

# Rule to mark emails from adv@somewhere accounts a bit higher on the SPAM scale
header          KAM_ADV_EMAIL           From =~ /\bADV\@/i
describe        KAM_ADV_EMAIL           Marks adv@<domain.com> Addresses as likely SPAM
score           KAM_ADV_EMAIL           1.0

#COMBO rules to catch phishing expeditions
rawbody         __KAM_PHISH_01  /<input /i
describe        __KAM_PHISH_01  Partial Rule to try and Catch Phishing Emails
body            __KAM_PHISH_02    /\bcredit card fail/i
describe        __KAM_PHISH_02    Partial Rule to try and Catch Phishing Emails
body            __KAM_PHISH_03    /\bauthoriz/i
describe        __KAM_PHISH_03    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_04    /\bname=cc/i
describe        __KAM_PHISH_04    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_05    /\bname=cvv/i
describe        __KAM_PHISH_05    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_06    /\bname=pin/i
describe        __KAM_PHISH_06    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_07    /\bname=date/i
describe        __KAM_PHISH_07    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_08    /\bname=year/i
describe        __KAM_PHISH_08    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_09    /\bname=month/i
describe        __KAM_PHISH_09    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_10    /\btype=submit/i
describe        __KAM_PHISH_10    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_11    /\baccount management\b/i
describe        __KAM_PHISH_11    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_12    /\bname=password/i
describe        __KAM_PHISH_12    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_13    /<form .*action=/i
describe        __KAM_PHISH_13    Partial Rule to try and Catch Phishing Emails
rawbody         __KAM_PHISH_14    /\bname=username/i
describe        __KAM_PHISH_14    Partial Rule to try and Catch Phishing Emails

meta            KAM_combo_PHISH   ((__KAM_PHISH_01 + __KAM_PHISH_02 + __KAM_PHISH_03 + __KAM_PHISH_04 + __KAM_PHISH_05 + __KAM_PHISH_06 + __KAM_PHISH_07 + __KAM_PHISH_08 + __KAM_PHISH_09 + __KAM_PHISH_10 + __KAM_PHISH_11 + __KAM_PHISH_12 + __KAM_PHISH_13 + __KAM_PHISH_14) > 6)
describe        KAM_combo_PHISH   KAM - Phishing Expedition Email Probability High
score           KAM_combo_PHISH   1.0 #RAISE AFTER MORE TESTING