File: //etc/mail/spamassassin/maxer.cf
# Maxer Custom Rules 1.4.43 last updated 27-APR-2022
# This file goes in /etc/mail/spamassassin/maxer.cf
#
# Useful links:
# http://forum.configserver.com/viewtopic.php?t=1570
# https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRules
#
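# When these rules are updated, check the file first with "spamassassin --lint" so a malformed rule is caught before the restart, then it's a good idea to run: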
# rm -Rvf /var/spool/mqueue/.spamassassin && /usr/local/cpanel/3rdparty/bin/sa-learn --force-expire && service MailScanner restart
# Score and description overrides for rules that are defined in other rule files
# (stock SpamAssassin names and KAM-prefixed names). Nothing in this run defines a pattern.
# A "score" line replaces the rule's score; a score of 0 disables the rule.
# NOTE(review): an override only wins if this file is parsed after the file that sets the original score - confirm the load order.
# NOTE(review): ALL_TRUSTED is credited -2 here. That is only safe when trusted_networks / internal_networks
# describe this site's own relays accurately; if they are too wide, outside mail picks up the credit - confirm.
describe ALL_TRUSTED Give a higher ranking to trusted IPs
score ALL_TRUSTED -2
describe KAM_COUK Ignore scoring of co.uk rule (MAXER)
score KAM_COUK 0
describe KAM_SOMETLD_ARE_BAD_TLD Reduced score for .stream, .trade, .pw, .top, .press, .guru, .casa & .date TLD Abuse
score KAM_SOMETLD_ARE_BAD_TLD 2.0
describe TO_NO_BRKTS_HTML_ONLY To: misformatted and HTML only (MAXER)
score TO_NO_BRKTS_HTML_ONLY 0
describe XPRIO Has X-Priority header (MAXER)
score XPRIO 0
# Forged Reply-To and missing anti-forgery records are scored low here (0.2 and 0.1 below),
# so on their own they contribute almost nothing to the total.
describe FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From (MAXER)
score FREEMAIL_FORGED_REPLYTO 0.2
describe KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware (MAXER)
score KAM_INFOUSMEBIZ 0.1
describe KAM_EU Prevalent use of .eu in spam/malware (MAXER)
score KAM_EU 0.1
describe KAM_OTHER_BAD_TLD Other untrustworthy TLDs (MAXER)
score KAM_OTHER_BAD_TLD 0.1
describe KAM_MARKETINGBL_PCCC Message contains URI associated with mass-marketing (https://raptor.pccc.com/RBL)(MAXER)
score KAM_MARKETINGBL_PCCC 0.1
describe KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods (MAXER)
score KAM_LAZY_DOMAIN_SECURITY 0.1
describe KAM_REALLYHUGEIMGSRC Spam with image tags with ridiculously huge http urls rawbody (MAXER)
score KAM_REALLYHUGEIMGSRC 0.1
describe KAM_LINKBAIT Combination of KAM_LINKBAIT2 + KAM_LINKBAIT3
score KAM_LINKBAIT 0.2
describe KAM_DEAR_SOMEBODY Message that does not know who to address
score KAM_DEAR_SOMEBODY 0.5
describe KAM_ACCOUNTPHISH Spam that tries to get account information
score KAM_ACCOUNTPHISH 2
# Highest override in this run: KAM_DOMAIN is set to 6.
describe KAM_DOMAIN Domain name and other related spam
score KAM_DOMAIN 6
describe TO_IN_SUBJ To address is in Subject.
score TO_IN_SUBJ 1
describe KAM_SUBJECTNOTICE Spam notices
score KAM_SUBJECTNOTICE 2
describe KAM_MARKSPAM Email arrived marked as Spam
score KAM_MARKSPAM 1
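# Flag senders whose From address ends in a TLD this site treats as spammy (.date, .trade, .icu).
# From:addr limits the test to the address itself (not the display name) and the trailing $
# anchors the TLD to the end of the domain. Without the anchor the pattern also matched
# ordinary domains that merely contain ".date", ".trade" or ".icu" followed by more characters.
header SPAMMY_TLD From:addr =~ /@[a-z0-9\-\.]+\.(?:date|trade|icu)$/i
describe SPAMMY_TLD From address matches a spammy TLD
score SPAMMY_TLD 2.5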
# Single-phrase body rule: the company name anywhere in the message text, case-insensitive.
# The score of 10 is carried by this one phrase alone.
body ESTRA_GROUP /(Estra Information Group)/i
describe ESTRA_GROUP Content matches a spammy company
score ESTRA_GROUP 10
#INVESTMENT PROPERTY SPAM
# Six sub-rules: two From keyword lists, two Subject keyword lists, one list of body phrases and
# one list of body link fragments. FSH_INVEST fires when at least 4 of the 6 match.
# NOTE(review): every alternation is an unanchored substring, so short words match inside longer
# ones ("net" in "network", "Park" in "Parker"). With a score of 10 this deserves a false-positive
# check against known-good mail.
header __FSH_INVEST1 From =~ /Baltic|Doncaster|Hull|Liverpool|Manchester|Opportune|Marbella|Cardiff|Wolverhampton|Preston|Newcastle|REImarket|Costa|Prime|Hotel|Niche|Luton|Estapona|Costa|Birmingham|Proper|Purpose|Benahavis|Doncaster|Edinburgh|York|Rotherham|Scarborough|Park|Tenant|Southhampton|Sierra/i
# NOTE(review): "Opportun(ities)", "Build(s)" and "(City )Living" use plain groups, so the bracketed
# part is required rather than optional - confirm that is intended.
header __FSH_INVEST2 From =~ /Triangle|Centre|Landmark|Investments|Properties|opulentinvest|Buy-to-Let|Buy To Let|Property Offers|overseas|Options|Opportun(ities)|Showcase|Lifestyle|Urban|Release|Apartment|Build(s)|Affordable|Nueva|(Beach|Water)front|Waterside|Sea View|Luxury|Returns|Built|Stunning|Georgian|(City )Living|Residential|HMO|Development|Exclusive|Blanca/i
# NOTE(review): the first alternative in each of the next two rules ("adjective", "noun") looks like
# a leftover label rather than a spam keyword; "noun" also matches inside "announcement" - confirm.
header __FSH_INVEST3 Subject=~ /adjective|exceptional|booming|great|landmark|high|net|Discounted|assured|near|updated|luxury|growing|stunning|market|renovated|Spacious|exclusive|risk|prestigious|city centre|town centre|Modern|top qualities|new benchmark|tenanted/i
header __FSH_INVEST4 Subject=~ /noun|investment|showcase|opportunity|rental|yield|studio|price(s|d)|apartments|completion|property|market|euros|development|villa|capital|Selling fast|close to the heart/i
body __FSH_INVEST5 /(Download the Brochure|Download your brochure|Invest from|love to meet|Please enable images|REQUEST (DETAILS|BROCHURE)|long-term income stream)/i
# NOTE(review): these look like URL fragments. A body rule tests the rendered message text, so link
# targets may be better covered by a uri rule - confirm. The unescaped "." matches any character.
body __FSH_INVEST6 /(prefs\/manage.php|click\/|link.php|aa=|drive.google.com\/uc|track.)/i
meta FSH_INVEST (__FSH_INVEST1 + __FSH_INVEST2 + __FSH_INVEST3 + __FSH_INVEST4 + __FSH_INVEST5 + __FSH_INVEST6 >= 4)
score FSH_INVEST 10
describe FSH_INVEST Investment Property Spam
#HACKING GROUP BLACKMAIL
# Extortion mail claiming a device compromise: a Subject phrase list (English and French), a body
# list naming the supposed attacker, and a body list of payment words. Any 2 of the 3 fire the meta.
header __FSH_BLACK_MAIL1 Subject=~ /This is my last warning|Your personal data is at risk|I hacked your device|Vos données personnelles sont en danger/i
body __FSH_BLACK_MAIL2 /(Chaos hacking group|spyware software developer|programmer who cracked|groupe de piratage Chaos)/i
# "itcoin" matches "Bitcoin" without its first letter.
# NOTE(review): "wallet" and "payment" are common words, and one Subject hit plus either of them
# already reaches the threshold for a score of 10 - check against legitimate security notices.
body __FSH_BLACK_MAIL3 /(itcoin|wallet|payment|cryptocurrency)/i
meta FSH_BLACK_MAIL (__FSH_BLACK_MAIL1 + __FSH_BLACK_MAIL2 + __FSH_BLACK_MAIL3 >= 2)
score FSH_BLACK_MAIL 10
describe FSH_BLACK_MAIL Blackmail hacking group spam
#GET HARD SPAM
# One Subject phrase and two body phrase lists taken from a specific campaign; any 2 of the 3 fire the meta.
header __FSH_GET_HARD1 Subject=~ /hard in 15 seconds/i
body __FSH_GET_HARD2 /(Please direct your cursor|send post-mail)/i
body __FSH_GET_HARD3 /(If you do not wish to continue|I was shocked how well it worked)/i
meta FSH_GET_HARD (__FSH_GET_HARD1 + __FSH_GET_HARD2 + __FSH_GET_HARD3 >= 2)
score FSH_GET_HARD 10
describe FSH_GET_HARD Get hard spam
#VOYEUR BLACKMAIL
# Webcam-recording extortion mail: a Subject list, two body phrase lists and a payment-word list.
# The meta needs 3 of the 4 sub-rules.
# The first Subject alternative spells "have" with a non-ASCII look-alike letter (Greek alpha).
# NOTE(review): whether that alternative matches depends on how the Subject header is decoded before
# the rule runs - confirm against a sample.
header __FSH_VOYEUR_BMAIL1 Subject=~ /IMPORTANT! You hαve been recorded|Your account was under attack|Hackers know password from|my FINAL warning/i
body __FSH_VOYEUR_BMAIL2 /(turned on your cam|I can see everything|If I do not receive from you)/i
body __FSH_VOYEUR_BMAIL3 /(save your social life|pornographic website|keep your secret|sneaky program|family members)/i
# "itcoin" matches "Bitcoin" without its first letter.
body __FSH_VOYEUR_BMAIL4 /(itcoin|payment)/i
meta FSH_VOYEUR_BMAIL (__FSH_VOYEUR_BMAIL1 + __FSH_VOYEUR_BMAIL2 + __FSH_VOYEUR_BMAIL3 + __FSH_VOYEUR_BMAIL4 >= 3)
score FSH_VOYEUR_BMAIL 10
describe FSH_VOYEUR_BMAIL Voyeur blackmail spam
#CORPORATE DATABASE FOR SALE
# Three fixed phrases from one campaign (Subject plus two body sentences); any 2 of the 3 fire the meta.
header __FSH_CORP_DATABASE1 Subject=~ /Download our new database for free/i
body __FSH_CORP_DATABASE2 /(We want to help thousands of businesses)/i
body __FSH_CORP_DATABASE3 /(download the large free sample)/i
meta FSH_CORP_DATABASE (__FSH_CORP_DATABASE1 + __FSH_CORP_DATABASE2 + __FSH_CORP_DATABASE3 >= 2)
score FSH_CORP_DATABASE 10
describe FSH_CORP_DATABASE Spam (corporate database for sale)
#SMARTWATCH FOR SALE
# Subject-only rule with three phrase alternatives. It scores 2, so it only adds weight to other hits.
header FSH_SMARTWATCH Subject=~ /Smartwatch that take calls|new GX Smartwatch|smartwatch could save your life/i
describe FSH_SMARTWATCH Spam (smartwatch for sale)
score FSH_SMARTWATCH 2
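#AER LINGUS SCAM
# Voucher scam using the airline's name: a Subject phrase list, the From header and a body phrase
# list. All three sub-rules must match (>= 3).
header __FSH_AER_LINGUS1 Subject=~ /Celebrate with us today|80th Anniversary|anniversary voucher/i
# This is a header test on From. It was declared as a "body" rule with header syntax, which is not
# a valid body pattern, so the sub-rule could not match and the meta, which needs all three, could
# never fire.
header __FSH_AER_LINGUS2 From =~ /Aer Lingus/i
body __FSH_AER_LINGUS3 /(Download your VOUCHER|Since our first ticket sale|co.za)/i
meta FSH_AER_LINGUS (__FSH_AER_LINGUS1 + __FSH_AER_LINGUS2 + __FSH_AER_LINGUS3 >= 3)
score FSH_AER_LINGUS 10
describe FSH_AER_LINGUS Spam (AER LINGUS SPAM)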
#DOMAIN NOTICE SCAM
# Fake domain renewal/listing notices: a Subject list and two body phrase lists.
# All three sub-rules must match, and the score is 3, lower than the other FSH_ campaign rules in this file.
header __FSH_DOMAIN_NOTICE1 Subject=~ /Final Notice of Domain Listing|Expiration Notice|Cancellation Notice|Final Reminder/i
body __FSH_DOMAIN_NOTICE2 /(DOMAIN SERVICE NOTICE|competing businesses or interested parties|renew this domain service)/i
body __FSH_DOMAIN_NOTICE3 /(PART I: REVIEW NOTICE|section 13.b.9a|the cancellation of this notification)/i
meta FSH_DOMAIN_NOTICE (__FSH_DOMAIN_NOTICE1 + __FSH_DOMAIN_NOTICE2 + __FSH_DOMAIN_NOTICE3 >= 3)
score FSH_DOMAIN_NOTICE 3
describe FSH_DOMAIN_NOTICE Spam (domain notice)
#VISCERAL FAT PUSHES
# One Subject phrase and two body phrase lists from a diet-product campaign; any 2 of the 3 fire the meta.
header __FSH_VISCERAL_FAT1 Subject=~ /Visceral Fat Pushes/i
# "t like this update" presumably matches the tail of "don't like this update", avoiding the apostrophe - confirm.
body __FSH_VISCERAL_FAT2 /(t like this update|NY 10631)/i
body __FSH_VISCERAL_FAT3 /(You have to see the before|Eat this food for a flat belly)/i
meta FSH_VISCERAL_FAT (__FSH_VISCERAL_FAT1 + __FSH_VISCERAL_FAT2 + __FSH_VISCERAL_FAT3 >= 2)
score FSH_VISCERAL_FAT 10
describe FSH_VISCERAL_FAT Visceral fat spam
#PDQ FUNDING
# Business-loan spam from one named sender: a Subject list, a body list of the sender's name,
# postcode and phone number, and a body list with a phrase and a domain. Any 2 of the 3 fire the meta.
header __FSH_PDQ_FUNDING1 Subject=~ /Unsecured Business Funding|Alternative Business Funding/i
body __FSH_PDQ_FUNDING2 /(PDQ Funding|S40 1SZ|01246 233108)/i
# The dots in the domain are unescaped, so they match any character; harmless here but looser than written.
body __FSH_PDQ_FUNDING3 /(business loans between|biz-funding.co.uk)/i
meta FSH_PDQ_FUNDING (__FSH_PDQ_FUNDING1 + __FSH_PDQ_FUNDING2 + __FSH_PDQ_FUNDING3 >= 2)
score FSH_PDQ_FUNDING 10
describe FSH_PDQ_FUNDING PDQ Funding spam
#CPANEL PHISHING EMAILS
# Credential phish styled as cPanel/webmail quota or password notices: a Subject list, a body phrase
# list (it keeps the misspellings "bellow" and "recieve" as they appear in the pattern) and a list of
# short tokens. Any 2 of the 3 fire the meta.
header __FSH_CPANEL_PHISHING1 Subject=~ /has reached their disk quota|Important update regarding your cPanel webmail|Mailbox Quota Warning|due for a quota increase/i
body __FSH_CPANEL_PHISHING2 /(follow the link bellow|auto extend|for free as soon as possible|Disk Capacity tool|we are temporarily suspending email accounts that|associated negative impact persist|Password Expiration Notice|recieve more incoming mails)/i
# NOTE(review): "cp=", "html.php", "wmidentity" and "index_hash" look like URL fragments. A body rule
# tests the rendered text, so a link hidden behind anchor text may not be seen here; a uri rule would
# test the link target - confirm which is intended.
# NOTE(review): "uses 9" is a short, generic substring - check it against legitimate quota notices.
body __FSH_CPANEL_PHISHING3 /(uses 9|cp=|html.php|wmidentity|Keep My Password|index_hash)/i
meta FSH_CPANEL_PHISHING (__FSH_CPANEL_PHISHING1 + __FSH_CPANEL_PHISHING2 + __FSH_CPANEL_PHISHING3 >= 2)
score FSH_CPANEL_PHISHING 10
describe FSH_CPANEL_PHISHING cPanel phishing email
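#MCAFEE PHISHING EMAILS
# Fake McAfee renewal/invoice mail: a Subject with a fixed contract number, a body list of product
# names and a body list with a merchant string and phone number. Any 2 of the 3 fire the meta.
# An unescaped "#" starts a comment in a SpamAssassin config line and cuts the rule off in the middle
# of the regex, so each literal hash is written as "\#".
header __FSH_MCAFEE_PHISHING1 Subject=~ /Service Contract \# 774829JW399264\#\#/i
body __FSH_MCAFEE_PHISHING2 /(Mcafee Family Net Protection|Mcafee Securities|Mcafee Help Section Page)/i
# "\*" matches the literal asterisk in "MST*RTN". Unescaped, "*" was a quantifier on the preceding
# "T", so the string as written in the message did not match.
body __FSH_MCAFEE_PHISHING3 /(MST\*RTN Technologies|888-586-5062)/i
meta FSH_MCAFEE_PHISHING (__FSH_MCAFEE_PHISHING1 + __FSH_MCAFEE_PHISHING2 + __FSH_MCAFEE_PHISHING3 >= 2)
score FSH_MCAFEE_PHISHING 10
describe FSH_MCAFEE_PHISHING McAfee phishing email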
#EQUITY RELEASE
# Equity-release marketing spam: one Subject phrase, the sender's brand name in the body, and a body
# list with a phrase and a tracking hostname. Any 2 of the 3 fire the meta.
header __FSH_EQUITY_RELEASE1 Subject=~ /how much money you could release/i
body __FSH_EQUITY_RELEASE2 /(My Equity Release)/i
# NOTE(review): the hostname is tested as body text; if it only occurs inside link targets a uri rule may be needed - confirm.
body __FSH_EQUITY_RELEASE3 /(It takes just 30 seconds|track.travelsuch.com)/i
meta FSH_EQUITY_RELEASE (__FSH_EQUITY_RELEASE1 + __FSH_EQUITY_RELEASE2 + __FSH_EQUITY_RELEASE3 >= 2)
score FSH_EQUITY_RELEASE 10
describe FSH_EQUITY_RELEASE Equity Release spam
#PHP SCRIPTS FROM TRUSTED HOSTNAME
# Gives a negative score (-2.4) to mail whose MailScanner "From" header names one of the operator's
# host domains and which carries at least one PHP mailer or PHP script header.
# NOTE(review): all four sub-rules read message headers. Unless the gateway strips or overwrites
# X-fastsecurehost-MailScanner-From on inbound mail, a remote sender can supply it and collect the
# credit - confirm the header can only be set locally.
# NOTE(review): the domain pattern is unanchored, so any header value containing either domain matches.
# NOTE(review): negative-scoring rules are conventionally marked "tflags <rule> nice"; this one is not.
header __MS_FROM_MAXER X-fastsecurehost-MailScanner-From =~ /fastsecurehost\.com|customwebhost\.com/i
header __IS_PHP_MAILER X-Mailer =~ /php/i
header __IS_PHP_SCRIPT exists:X-PHP-Script
header __IS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
meta PHP_SCRIPT_ON_MAXER __MS_FROM_MAXER && (__IS_PHP_MAILER + __IS_PHP_SCRIPT + __IS_PHP_ORIG_SCRIPT >= 1)
describe PHP_SCRIPT_ON_MAXER PHP script or mailer from a trusted hostname
score PHP_SCRIPT_ON_MAXER -2.4
# BEGIN - Whitelist local cPanel notices
# Sender must be cpanel@... (header or envelope)
# header LOCAL_FROM_CPANEL From:addr =~ /^cpanel@/i
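# Require a *Received* line that names one of our hosts AND shows loopback/local injection
# NOTE(review): before re-enabling, these patterns test every Received line in the message, including lines the sender supplied, so a match does not prove our hosts wrote the line; limit the test to relays SpamAssassin already trusts (e.g. X-Spam-Relays-Trusted).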
# IPv4 loopback
# header __LOCAL_RCVD_V4 Received =~ /^from\s+\[127\.0\.0\.1\](?:\s+\(.*?\))?\s+by\s+(?:[A-Za-z0-9.-]+)\.(?:fastsecurehost\.com|customwebhost\.com)\b/mi
# IPv6 loopback
# header __LOCAL_RCVD_V6 Received =~ /^from\s+\[\:\:1\](?:\s+\(.*?\))?\s+by\s+(?:[A-Za-z0-9.-]+)\.(?:fastsecurehost\.com|customwebhost\.com)\b/mi
# Exim local submission (sendmail/pipe), which doesn't show 127.0.0.1
# header __LOCAL_RCVD_WITH_LOCAL Received =~ /^from\s+\S+\s+by\s+(?:[A-Za-z0-9.-]+)\.(?:fastsecurehost\.com|customwebhost\.com)\s+with\s+local\b/mi
# meta LOCAL_CPANEL_NOTIFICATION (LOCAL_FROM_CPANEL && (__LOCAL_RCVD_V4 || __LOCAL_RCVD_V6 || __LOCAL_RCVD_WITH_LOCAL))
# describe LOCAL_CPANEL_NOTIFICATION Whitelist local cPanel notices (cpanel@ via loopback/local on our MTAs)
# tflags LOCAL_CPANEL_NOTIFICATION nice
# score LOCAL_CPANEL_NOTIFICATION -20
# END - Whitelist local cPanel notices
# Soften over-aggressive Lead Forensics rule from KAM.cf
# Only the score and description are replaced; the rule's pattern stays as defined in KAM.cf.
# NOTE(review): the override applies only if this file is parsed after KAM.cf - confirm the load order.
score KAM_LEAD_FORENSICS 2.0
describe KAM_LEAD_FORENSICS Reference to Lead Forensics (soft-scoring override)
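###########################################################################
# HostingIreland template phish (only when NOT from @hostingireland.ie)
# Goal: mark as spam (score >=4) but not "high scoring" (keep <6)
###########################################################################
# Subject: "issue with payment for <domain>" or "payment issue for <domain>".
header __LOCAL_PHISH_HI_SUBJ_PAYISSUE Subject =~ /\b(?:issue\s+with\s+payment\s+for|payment\s+issue\s+for)\b\s*[:\-]?\s*[-]?\s*[a-z0-9][a-z0-9\-\.]*\.[a-z]{2,}\b/i
# Body: the "Urgent: your SSL certificate expires in 24 hours" line.
body __LOCAL_PHISH_HI_BODY_SSL24 /\burgent\b\s*:\s*your\s+ssl\s+certificate\s+expir(?:es|y)\w*\s+in\s+24\s*hours?\b/i
# URI: the .ie domain logo hot-linked from Wikimedia.
uri __LOCAL_PHISH_HI_WIKILOGO /upload\.wikimedia\.org\/.*Domain_\.ie\.svg/i
body __LOCAL_PHISH_HI_BRAND /\bHostingIreland\b/i
# Exemption for the real sender. From:addr tests only the address (not the display name) and the
# trailing $ requires the domain to end in hostingireland.ie. Without the anchor, an address such as
# user@hostingireland.ie.<other-domain>, or the string placed in the display name, was also exempted.
# NOTE(review): From is still an unauthenticated header; a message that forges this exact address
# skips the rule. Pair the exemption with an SPF/DKIM result if those checks are enabled - confirm.
header __LOCAL_HI_FROM_REAL From:addr =~ /@hostingireland\.ie$/i
# All four indicators must match and the sender must not be the real domain.
meta LOCAL_PHISH_HI_COMBO (__LOCAL_PHISH_HI_SUBJ_PAYISSUE && __LOCAL_PHISH_HI_BODY_SSL24 && __LOCAL_PHISH_HI_WIKILOGO && __LOCAL_PHISH_HI_BRAND && !__LOCAL_HI_FROM_REAL)
# Choose a score over 4.0 that flags as spam but stays below "high scoring" 6+
score LOCAL_PHISH_HI_COMBO 4.5
describe LOCAL_PHISH_HI_COMBO HostingIreland-themed payment/SSL phish (not from @hostingireland.ie)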
# Decrease Bayes (opposite of CPANEL.cf)
# Score overrides for the Bayes probability rules, rising in steps of 0.5 from 0.5 to 2.5. On its own
# even BAYES_99 adds only 2.5, so a Bayes verdict needs other rule hits to reach the spam threshold.
# NOTE(review): the threshold (required_score) is set outside this file - confirm the resulting balance.
score BAYES_50 0.5
score BAYES_60 1.0
score BAYES_80 1.5
score BAYES_95 2.0
score BAYES_99 2.5
# Decrease other values
score FSL_BULK_SIG 1.0