# MONEY LAUNDERING ADVANCE FEE FRAUD # # Current patterns. # # Updated and verified 4/15/06 # LOCALSCORE=-10 # Check for ALL CAPS SUBJECT LINE. # :0 D * $ ${LOCALSCORE}^0 * H ?? -3^0 ^Subject: [^A-Za-z]+$ * H ?? 3^0 ^Subject: [^a-z]+$ { LOCALSCORE=$= } # Main recipes. # :0 * $ ${LOCALSCORE}^0 * B ?? -1^1 (^|[^0-9a-z])(b.zz|float|mergers?|operating[^a-z]*$?[^a-z]*income|OTC|OTCBB|press|PR campaign|revenues?|sh[@a]res?|st[*o0]cks?|volumes?)([^0-9a-z]|$) * H ?? 5^0 ^From:.*[^0-9a-z](employment agency|\ eresmas\.com)([^0-9a-z.]|$) * H ?? 5^0 ^From:.*@(walla\.com|\ walla\.co\.il) * H ?? 1^0 ^From:.*[^0-9a-z](3xl\.net|\ 3000\.it|\ atlas\.cz|\ docklands\.co\.uk|\ e-apollo\.lv|\ echina\.com|\ email\.com|\ eramail\.co\.za|\ excite\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ expn\.com|\ fastermail\.com|\ free-languages\.com|\ freemail\.et|\ go\.com|\ hotmail\.com|\ idial\.net|\ ignazio\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ iol\.com|\ jmail\.co\.za|\ jumpy\.it|\ katamail\.com|\ latinmail\.com|\ lycos\.com|\ manchester\.com|\ msn\.com|\ myfamily\.com|\ netscape\.net|\ ozipilotsonline\.com\.au|\ plasa\.com|\ postino\.it|\ she\.com|\ teenmail\.co\.za|\ terra\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ tiscali(net)?\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ tsamail\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ usermail\.com|\ velocall\.com|\ virgilio\.it|\ virgin\.net|\ web\.de|\ web2mail\.com|\ wz\.zj\.cn|\ yahoo\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\ zipmail\.com(\.[a-z][a-z])?|\ zwallet\.com)([^0-9a-z.]|$) * H ?? 2^0 ^Subject:.*[^0-9a-z](Re:)?( )?((earn|money).*not.*need.*education)([^0-9a-z]|$) * H ?? 2^0 ^Subject:.*[^0-9a-z](Re:)?( )?job(( )*offer)?(\.)?$ * H ?? 2^0 ^Subject:.*[^0-9a-z](employment|job|part[^0-9a-z]*time[^0-9a-z]*work)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])about.*$?.*(business|company).*$?.*(shipping|transport(ation|ing)?)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])(accept|process)(ing)?[^a-z]*$?[^a-z]*payments?.*$?.*(customers|clients|partners)([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])authorized[^a-z]*$?[^a-z]*person.*$?.*money[^a-z]*$?[^a-z]*transfers([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])forbidden.*$?.*foreign.*$?.*accounts?([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])receiv(e|ing)[^a-z]*$?[^a-z]*(funds|mon(ey|ies)|payments).*$?.*over.?invoiced([^0-9a-z]|$) * B ?? 5^0 (^|[^0-9a-z])RuAmerica([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])business[^a-z]*$?[^a-z]*partner.*$?.*(America|England|France|Germany|Great[^a-z]*$?[^a-z]*Britian|U(\.)?K(\.)?|United Kingdom|U(\.)?S(\.)?A(\.)?)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])co(r|o|-o)p[oe]ration.*$?.*raw[^a-z]*$?[^a-z]*materials([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])eastern[^a-z]*$?[^a-z]*europe.*$?.*jobs?([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])export(ers?)?.*$?.*(America|Canada|Europe|U(\.)?S(\.)?(A(\.)?)?)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])finance[^a-z]*$?[^a-z]*company.*$?.*jobs?([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])financial[^a-z]*$?[^a-z]*manager[^a-z]*$?[^a-z]*assistant([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])((forward|send).*$?.*your[^a-z]*$?[^a-z]*resum[eč]|\ hiring|\ searching.*$?.*(employees?|staff))([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])(have|open).*$?.*account.*$?.*([a-z]+)?bank([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])high[^a-z]*$?[^a-z]*professionalism.*$?.*our[^a-z]*$?[^a-z]*company([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])job[^a-z]*$?[^a-z]*manager([^0-9a-z]|$) * B ?? 3^1 (^|[^0-9a-z])(experience|knowledge).*[^0-9a-z](bank|internet)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])local[^a-z]*$?[^a-z]*financial[^a-z]*$?[^a-z]*manager[^a-z]*$?[^a-z]*assistant([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])making[^a-z]*$?[^a-z]*payments*.$?.*through[^a-z]*$?[^a-z]*you([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])offer.*$?.*easy[^a-z]*$?[^a-z]*job([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])personal[^a-z]*$?[^a-z]*bank[^a-z]*$?[^a-z]*account.*$?.*payments?([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])problems.*$?.*clients.*$?.*refus(e|ing).*$?.*pay([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])receiv(e|ing).*$?.*(packages|shipments).*$?.*(redirect|(re)?mail|(re)?ship)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])represent(ative)?*.$?.*(America|Canada|Europe|U(\.)?S(\.)?(A(\.)?)?)([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])representative*.$?.*assist.*$?.*clearing[^a-z]*$?[^a-z]*assistant([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])representative*.$?.*medium.*$?.*(customers|payments)[^a-z]*$?[^a-z]*assistant([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])(Russian|marriage[^a-z]*$?[^a-z]*agency).*$?.*(looking|seeking).*$?.*business[^a-z]*$?[^a-z]*partner[^a-z]*$?[^a-z]*assistant([^0-9a-z]|$) * B ?? 3^0 (^|[^0-9a-z])searching.*$?.*partnerships?.*$?.*(U(\.)?K(\.)?|U(\.)?S(\.)?A(\.)?) * B ?? 3^0 (^|[^0-9a-z])salary.*$?.*%.*$?.*(each|every)[^a-z]*$?[^a-z]*transfer([^0-9a-z]|$) { LT3=yes SBLOG="C3R-${TESTNAME} (Pattern Match)" INCLUDERC=${SBDIR}/functions/loglevel.rc }