# LOTTO ADVANCE FEE FRAUD # # Current patterns. # # Updated and verified 4/16/06 # LOCALSCORE=-10 # Check for ALL CAPS SUBJECT LINE. # :0 D * $ ${LOCALSCORE}^0 * H ?? -3^0 ^Subject: [^A-Za-z]+$ * H ?? 3^0 ^Subject: [^a-z]+$ { LOCALSCORE=$= } :0 * $ ${LOCALSCORE}^0 * H ?? -5^0 ^From:.*[^0-9a-z](billing|customerservice|info|sales)@ * B ?? -1^1 (^|[^0-9a-z])(apolog(etics|ist)|brigham young|cults?|devotional|ecumeni(cal|sts?)|evangelists?|false[^a-z]*$?[^a-z]*(doctrines?|religions?)|mormon|(new|old)[^a-z]*$?[^a-z]*testament|theolog(ian|ies|y))([^0-9a-z]|$) * B ?? -1^1 (^|[^0-9a-z])(b.zz|float|mergers?|operating[^a-z]*$?[^a-z]*income|OTC|OTCBB|press|PR campaign|revenues?|sh[@a]res?|st[*o0]cks?|volumes?)([^0-9a-z]|$) * B ?? -1^1 (^|[^0-9a-z])(civil|criminal|defense|law[^a-z]*$?[^a-z]*firms?|legal[^a-z]*$?[^a-z]*research|litigation|outsourcing|probate|torts?)([^0-9a-z]|$) * B ?? -1^1 (^|[^0-9a-z])(CASRO|panel|research|survey)([^0-9a-z]|$) * H ?? 5^0 ^From:.*([0-9a-z]*department[0-9a-z]*(@[0-9a-z][-_0-9a-z]+)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?(^[0-9a-z.]|$)|\ [0-9a-z]*lott(o|ery|eries?)[0-9a-z]*(@[0-9a-z][-_0-9a-z]+)?(\.[a-z][a-z][a-z]?[a-z]?)?(\.[a-z][a-z])?(^[0-9a-z.]|$)|\ [0-9a-z]*redeem[0-9a-z]*(@[0-9a-z][-_0-9a-z]+)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?(^[0-9a-z.]|$)|\ [0-9a-z]*royal[0-9a-z]*(@[0-9a-z][-_0-9a-z]+)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?(^[0-9a-z.]|$)|\ [0-9a-z]*sweepstakes?[0-9a-z]*(@[0-9a-z][-_0-9a-z]+)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?(^[0-9a-z.]|$)|\ [0-9a-z]*winning[0-9a-z]*(@[0-9a-z][-_0-9a-z]+)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?(^[0-9a-z.]|$)) * H ?? 5^0 ^From:.*[^0-9a-z](Lott(o|ery|eries)|Lucky(day)?|Sweepstakes?)(^[0-9a-z.]|$) * H ?? 5^0 ^From:.*@(walla\.com|\ walla\.co\.il) * H ?? 1^0 ^From:.*@(3000\.it|\ atlas\.cz|\ docklands\.co\.uk|\ email\.com|\ eramail\.co\.za|\ excite\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ expn\.com|\ fastermail\.com|\ free-languages\.com|\ go\.com|\ hotmail\.com|\ ignazio\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ iol\.com|\ jmail\.co\.za|\ jumpy\.it|\ katamail\.com|\ lycos\.com|\ manchester\.com|\ myfamily\.com|\ netscape\.net|\ plasa\.com|\ postino\.it|\ serwus\.pl|\ she\.com|\ terra\.es|\ tiscali(net)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ tsamail\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ usermail\.com|\ velocall\.com|\ web\.de|\ yahoo\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ zipmail\.com(\.[a-z][a-z])?|\ zwallet\.com)(^[0-9a-z.]|$) * H ?? 2^1 ^Subject:.*[^0-9a-z](awards?|\ bonus promo|\ cash grant|\ congratulations?|\ department|\ lott(o|ery|eries)|\ lucky|\ notice|\ prizes?|\ promo(tion)?s?|\ royal|\ sweepstakes?|\ winn(ers?|ings?))([^0-9a-z]|$) * B ?? 5^0 ^[^0-9a-z]*(THE )?FREELOTTO COMPANY[^0-9a-z]*$ * B ?? 5^0 ^[^0-9a-z]*((EURO(PEAN)?|THE|U(\.)?K(\.)?) )?INTERNATIONAL (LOTT(ERY|O)|SWEEPSTAKES)[^0-9a-z]*$ * B ?? 5^0 (^|[^0-9a-z])World.Trip.Offers([^0-9a-z]|$) * B ?? 5^0 ^[^0-9a-z]*ATTENTION:[^0-9a-z]+LOTTERY[^0-9a-z]+WINNER[^0-9a-z]*$ * B ?? 5^0 (^|[^0-9a-z])CONGRATULATIONS!+([^0-9a-z]|$) * B ?? 5^0 ^[^0-9a-z]*WINNING[^0-9a-z]+NOTI(CE|FICATION)[^0-9a-z]*$ * B ?? 5^0 ^[^0-9a-z]*(INSTANT( )*WINNING( )*)?E.?MAIL( )*LOTTERY( )*INTERNATIONAL[^0-9a-z]*$ * B ?? 5^0 (^|[^0-9a-z])INTERNATIONAL[^a-z]*$?[^a-z]*FUNCTIONARIES([^0-9a-z]|$) * B ?? 5^0 ^[^0-9a-z]*(International[^0-9a-z]+)?Promotions?/Prize[^0-9a-z]+Award[^0-9a-z]+Dep(t|artment)[^0-9a-z]*$ * B ?? 5^0 (^|[^0-9a-z])prize.*$?.*(drawing|lott(o|ery)|sweepstakes)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])(lottery[^a-z]*$?[^a-z]*(company|coordinators?|draw|promotions?))([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])(royal|sweepstakes)[^a-z]*$?[^a-z]*(draw|games|lott(o|ery)|sweepstakes)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])e.?mail[^a-z]*$?[^a-z]*(address[^a-z]*$?[^a-z]*)?attached[^a-z]*$?[^a-z]*to[^a-z]*$?[^a-z]*ticket[^a-z]*$?[^a-z]*number([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])((automated|computer)[^a-z]*$?[^a-z]*ballot(ing)?|draw[^a-z]*$?[^a-z]*conducted|category[^a-z]*$?[^a-z]*draws?|e.?mail.*$?.*ticket[^a-z]*$?[^a-z]*number|lott(ery|ies|o)|lucky[^a-z]*$?[^a-z]*numbers?|prize[^a-z]*$?[^a-z]*money|promotional[^a-z]*$?[^a-z]*draws?|promotions[^a-z]*$?[^a-z]*program|sweepstakes)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])((automated|computer)[^a-z]*$?[^a-z]*ballot(ing)?|draw[^a-z]*$?[^a-z]*conducted|category[^a-z]*$?[^a-z]*draws?|e.?mail.*$?.*ticket[^a-z]*$?[^a-z]*number|lott(ery|ies|o)|lucky[^a-z]*$?[^a-z]*numbers?|prize[^a-z]*$?[^a-z]*money|promotional[^a-z]*$?[^a-z]*draws?|promotions[^a-z]*$?[^a-z]*program|sweepstakes)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])(drawing|selection).*$?.*random.*$?.*e.?mail([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])giving[^a-z]*$?[^a-z]*away.*$?.*sum[^a-z]*$?[^a-z]*of.*$?.*millions?([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])(chosen|selected)[^a-z]*$?[^a-z]*randomly.*$?.*computer[^a-z]*$?[^a-z]*ballot[^a-z]*$?[^a-z]*system([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])(Winning numbers:|\ Email ticket number:|\ Lotto code number:|\ (The )?file Ref(erence)? number:)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])email[^a-z]*$?[^a-z]*lottery([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])lucky[^a-z]*$?[^a-z]*(numbers?|winners?)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])(notification[^a-z]*$?[^a-z]*of[^a-z]*$?[^a-z]*(cash grant|database.*$?.*contact[^a-z]*of[^a-z]*names|donation|prize)|winning[^a-z]*$?[^a-z]*notification|promotional[^a-z]*$?[^a-z]*draw)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])send.*$?.*details[^a-z]*$?[^a-z]*(agent|representative)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])winners.*$?.*randomly[^a-z]*$?[^a-z]*selected([^0-9a-z]|$) * B ?? 3^1 (^|[^0-9a-z])e.?mail[^a-z]*$?[^a-z]*lottery([^0-9a-z]|$) * B ?? 2^0 (^|[^0-9a-z])(collecting[^a-z]*$?[^a-z]*prize|\ to[^a-z]*$?[^a-z]*claim[^a-z]*$?[^a-z]*your[^a-z]*$?[^a-z]*prize)([^0-9a-z]|$) * B ?? 2^0 (^|[^0-9a-z])(10|ten)[^a-z]*$?[^a-z]*lucky[^a-z]*$?[^a-z]*winners([^0-9a-z]|$) * B ?? 1^0 (^|[^0-9a-z])(banking[^a-z]*$?[^a-z]*details|contact[^a-z]*$?[^a-z]*address(es)?|e.?mail personal|full[^a-z]*$?[^a-z]*particulars|mobile|(personal|private)[^a-z]*$?[^a-z]*(address(es)?|required.*$?.*contact.*$?.*(collection|processing)|(tele)?phones?))([^0-9a-z]|$) * B ?? 1^0 (^|[^0-9a-z])(draw[^a-z]*$?[^a-z]*conducted|lott(ery|ies|o)|lucky[^a-z]*$?[^a-z]*numbers?|prize[^a-z]*$?[^a-z]*money|promotional[^a-z]*$?[^a-z]*draws?|sweepstakes)([^0-9a-z]|$) * B ?? 1^0 (^|[^0-9a-z])((cent[^a-z]*$?[^a-z]*mille|million)[^a-z]*$?[^a-z]*dollars[^a-z]*$?[^a-z]*americain|funds?|huge[^a-z]*$?[^a-z]*sum|hundred[^a-z]*$?[^a-z]*(million|thousand)|letter[^a-z]*$?[^a-z]*of[^a-z]*$?[^a-z]*authority|million[^a-z]*$?[^a-z]*dollars|mon(ey|ies)|securities|united[^a-z]*$?[^a-z]*states[^a-z]*$*[^a-z]*dollars?|U.?S.?[^a-z]*$?[^a-z]*(dollars|euros))([^0-9a-z]|$) { LT3=yes SBLOG="C3R-${TESTNAME} (Pattern Match)" INCLUDERC=${SBDIR}/functions/loglevel.rc }