# SARE Fraud Ruleset for SpamAssassin 2.5x and higher # Version: 01.03.02 # NOTE: Please update your scripts to pull this file from it's new location http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf # Created: 03/09/2004 # Modified: 05/01/2004 # Changes: Added some more phrases # License: Artistic - see http://www.rulesemporium.com/license.txt # Current Maintainer: Matt Yackley - fraud@rulesemporium.com # Current Home: http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf # Requirements: SpamAssassin 2.5x or higher # SA 3.0 compliant: Yes # If you are running SpamAssassin 2.4x or earlier, you should run 99_sare_fraud_pre25x.cf instead. # Since there some overlap with the pre-existing rules, we have included the option to turn off the default SpamAssassin rules ## body __SARE_FRAUD_BADTHINGS /(?:all funds will be returned|ass?ylum|assassinate|(?:auto|boat|car|plane|train).{1,7}(?:crash|accident|disaster|wreck)|before they both died|brutal acts|cancer|coup attempt|disease|due to the current|\bexile\b|\bfled|\bflee\b|have been frozen|impeach|\bkilled|land dispute|murder|over-invoice|political crisis|poisoned (?:to death )?by|relocate|since the demise|\bslay\b)/i body __SARE_FRAUD_DPTCOMPNY /(?:allied irish bank|amsterdam clearing office|(?:bank|government) (of )?nigeria|charity organization|commerce world directory|correspondent branch|department of mineral resources and energy|diamond safari|embassy|finance and accounts director of inec|foreign contract tenders committee|global oil corporation|holding company|international (?:bank|court of justice)|mainland investment trust bank|mining corporation|ministry of (?:oil (?:and )?mini?eral|organisation worldwide|petroleum and natural resources|urban and rural development)|nigerian national petroleum corporation|prize award dept|securit(?:ies|y) (?:company|firm|storage house)|security & finance firm in amsterdam|sierra leone mining)/i body __SARE_FRAUD_INTRO /(?:(?:may i first|to) introduce my ?self|contact address|i am contacting you)/i body __SARE_FRAUD_REPLY /(?:confidential email|my secure email address|reply (?:me only|urgent)|(?:immediate|swift|urgent) (?:assist|reply|response))/i body __SARE_FRAUD_LOC /\s(?:abidjan|algeria|angola|benin republic|bangladesh|botswana|c.te .{0,2}ivoire|congo|dubai|gabon|ghana|kogi|lagos|liberia|libya|malaysia|nigerian?|phill?ipp?ine.|qatar|republic.du.benin|republic.of.sahara|saharawi|senegal|sierra.leone|solomon islands|south.africa|togo(?:lese)?|u\.a\.e\.i\.|zimbabwe)\s/i body __SARE_FRAUD_MISC /(?:a native of|as the beneficiary|compliments? of the season|confidentiality and professionalism|eagerly await|of (?:the|my) late|on information gathered about you, we believe|(?:relate|share) my testimony|remains unclaimed|several attempts have been made with out success|very big risk|you and your company|youre? country)/i body __SARE_FRAUD_MONEY /(?:abandoned sum|(?:huge|substantial) amount of m[o0]ney|(?:transfer this fund|money transfer|transfer money)|(?:will share the money|your share.{1,10}(?:shall|sum|total|money|funds))|assets have been confiscated|be paid to you|claim a sum of|(?:claim|concerning) (?:the|this) money|family asset|foreign (?:offshore )?(?:bank|account)|how the money will be split|kick.{0,2}back|million usd|offer you a generous compensation|personal bank account|remains unclaimed|secure.{1,10}funds|the total sum|transferring (of|the) funds?|us.{1,9}million|win cash|you are.{0,8}winner|your (?:pr[i1]ze|share shall be))/i body __SARE_FRAUD_PAPERWORK /(?:all necessary legal documents|covering documents|international passport|legal official protocol|letter of authority|Next of Kin Payment Application Form|provide immediately|writing this letter to solicit|vital documents)/i body __SARE_FRAUD_VIPS /(?:(?:white|black|zimbabwean) farmers?|auditor general of the federal republic of nigeria|(?:former|late) (?:president of|.{0,20}minister)|head of state|nigerian gov|president of (the )?phillipine|principal advocate and solicitor)/i body __SARE_FRAUD_FOREIGN /(?:(?:who was a|as a|an? honest|you being a|to any) foreigner|foreign (?:business partner|customer))/i body __SARE_FRAUD_BARRISTER /(?:accredited agent|adviser to late|barrister|fiduciary agent|i am a private investigator|personal attorney to|relationship officer|solicit[oe]r)/i body __SARE_FRAUD_FAMILY /(?:my late (?:husband|wife|brother|uncle|aunt|father|mother) (?:was|is|had|has)|locate(?: .{1,20})? extended relative|next of kin|the (?:eldest|oldest|youngest|first) son|the (?:wife|heir) (?:to|of))/i body __SARE_FRAUD_RELIGION /(?:almighty god|as a born again christian|as a minister|call a prayer line|calvary greeting|eternity is a long t[io]me|fear of god|g[ai]ve.{1,15}life to christ|glorify god'?s name|god (?:has|have|will) forgiven? me|god gives .{1,10}second chance|god want(?:ed|s)? it|goodday pastor|hear from god|if you\'?re? not saved|in the (?:lord'?s name|name of (?:our|the) lord)|jesus is yours|money.{1,15}give.{1,15}ministry|new christian convert|pray daily|read(?:ing)? (?:the|your) bible|sinful habits|spend (?:.{1,20})in hell|the wish of god|true christian|wealth to god|your ministry)/i body __SARE_FRAUD_TINHORN /\s(?:abacha|abubakar|ajobola|anigala|arap moi|aziz|bubenik|ewaen|gebarel|gezi|guei|gumbeze|ibiam|kabbahs|kabila|kamara|kazeem|margai|massaquoi|mbeki|mobutu|momoh|mubune|mugabe|obasanjo|okafor|olonga|olumuyiwa|omo(?:nigho|rodion)|rilwanu|savimbi|seko|tarlor|taylor|zaid|zwinginna)\s/i body __SARE_FRAUD_TRUST /(?:(?:total(?:ly)?|very|strict(?:ly|est)|high(?:est|ly)?|intuitive|utmost) confiden(?:ce|t(?:ai|ia)l)|code of conduct|confidential (?:communications|telephone numbers)|(?:honest|honourable) (?:cooperation|partnership)|keep this matter|mutual understanding|reliable person|secrecy and confidentiality|secretly deposited|smooth transaction|to (?:assure you|redeem)|(?:the importance of|utmost) secrecy|transaction is .{1,15} risk free.|transparent honesty|trust (?:and|&) confidentiality|very honest person|your assurance)/i body __SARE_FRAUD_AGREE /(?:(?:(?:negotiate|reasonable|acc?or?ding|certain|agg?ree).{1,20}percentage|percentage.{1,10}(?:indicat|previous|involved)|favou?rable response|your percentage will)|my proposal is acceptable|acceptable by you|said purposes within your country|total acceptance and commitment)/i body __SARE_FRAUD_LOTTERY /(?:(?:international|luckyday|overseas stake|promo|world) lott(?:o|ery)|lott(?:o|ery) (?:co,?ordinator|international)|intl loteria|prize transfer agent|scientific game promo|award notification)/i body __SARE_FRAUD_PROPOSE /(?:urgent and(?: very)? (?:profitable|confidential) business (?:proposal|proposition)|(?:financial|confiden(?:tial|ce)|safe|mutual|secret|success|risk-?free|details|business).{1,30}\btransaction|transaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee))/i body __SARE_FRAUD_CONTACT /(?:your full names?,?(?:and|&)? full contact address|your(?: private)? (?:tele)?phone (?:and|&) fax numbers?|send .{1,30}\byour telefax numbers?)/i body __SARE_FRAUD_FUNWORDS /(?:actualization|arising contigencies|bequest|discursions|magnanimity|modalities|non response|numbered time|(?:should|please) endeavor|receivership)/i body __SARE_FRAUD_LOTTERY2 /(?:attached to ticket number|computer ballot system|drawn ?from.{0,10}\d{2,3},?\d{3}|second categories)/i body __SARE_FRAUD_REFNUM /reff?\.?(?: number|no)? ?\:/i meta SARE_FRAUD_X3 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 2) describe SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam score SARE_FRAUD_X3 1.667 meta SARE_FRAUD_X4 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 3) describe SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam score SARE_FRAUD_X4 1.667 meta SARE_FRAUD_X5 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 4) describe SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam score SARE_FRAUD_X5 1.667 meta SARE_FRAUD_X6 ((__SARE_FRAUD_BADTHINGS + __SARE_FRAUD_DPTCOMPNY + __SARE_FRAUD_INTRO + __SARE_FRAUD_LOC + __SARE_FRAUD_MONEY + __SARE_FRAUD_PAPERWORK + __SARE_FRAUD_VIPS + __SARE_FRAUD_RELIGION + __SARE_FRAUD_TINHORN + __SARE_FRAUD_TRUST + __SARE_FRAUD_AGREE + __SARE_FRAUD_REPLY + __SARE_FRAUD_FAMILY + __SARE_FRAUD_LOTTERY + __SARE_FRAUD_BARRISTER + __SARE_FRAUD_FOREIGN + __SARE_FRAUD_PROPOSE + __SARE_FRAUD_CONTACT + __SARE_FRAUD_FUNWORDS + __SARE_FRAUD_LOTTERY2 + __SARE_FRAUD_REFNUM) > 5) describe SARE_FRAUD_X6 Matches 6+ phrases commonly used in fraud spam score SARE_FRAUD_X6 1.667 ############## # Optional # ############## # score NIGERIAN_BODY1 0.0 # score NIGERIAN_BODY2 0.0 # score NIGERIAN_BODY3 0.0 # score NIGERIAN_BODY4 0.0 # score NIGERIAN_SCAM_VIRTUE 0.0 # score NIGERIAN_SUBJECT1 0.0 # score NIGERIAN_SUBJECT2 0.0 # score NIGERIAN_BODY_GOVT_3 0.0 # score NIGERIAN_SUBJECT6 0.0 # EOF