mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6954 Commits
31 Branches
Tree: 4eac8a4828
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4eac8a4828'
${ noResults }
rspamd/rules/regexp/fraud.lua

fraud.lua 6.9KB
Raw Blame History

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 
  1. -- Actually these regular expressions were obtained from SpamAssassin project, so they are licensed by apache license:

  2. --

  3. -- Licensed to the Apache Software Foundation (ASF) under one or more

  4. -- contributor license agreements.  See the NOTICE file distributed with

  5. -- this work for additional information regarding copyright ownership.

  6. -- The ASF licenses this file to you under the Apache License, Version 2.0

  7. -- (the "License"); you may not use this file except in compliance with

  8. -- the License.  You may obtain a copy of the License at:

  9. -- 

  10. --     http://www.apache.org/licenses/LICENSE-2.0

  11. -- 

  12. -- Unless required by applicable law or agreed to in writing, software

  13. -- distributed under the License is distributed on an "AS IS" BASIS,

  14. -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  15. -- See the License for the specific language governing permissions and

  16. -- limitations under the License.

  17. --

  18. -- Fraud messages (Nigeria spam, viagra, etc)

  19. local reconf = config['regexp']

  20. 

  21. local fraud_dbi = '/(?:\\bdollars?\\b|\\busd(?:ollars)?(?:[0-9]|\\b)|\\bus\\$|\\$[0-9,.]{6,}|\\$[0-9].{0,8}[mb]illion|\\$[0-9.,]{2,10} ?m|\\beuros?\\b|u[.]?s[.]? [0-9.]+ m)/irP'

  22. local fraud_kjv = '/(?:claim|concerning) (?:the|this) money/irP'

  23. local fraud_irj = '/(?:finance|holding|securit(?:ies|y)) (?:company|firm|storage house)/irP'

  24. local fraud_neb = '/(?:government|bank) of nigeria/irP'

  25. local fraud_xjr = '/(?:who was a|as a|an? honest|you being a|to any) foreigner/irP'

  26. local fraud_dpr = '/\\b(?:(?:respond|reply) (?:urgently|immediately)|(?:urgent|immediate|earliest) (?:reply|response))\\b/irP'

  27. local fraud_pts = '/\\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|kill(?:ed|ing)\\b[^.]{0,99}\\b(?:war veterans|rebels?))\\b/irP'

  28. local fraud_bep = '/\\b(?:bank of nigeria|central bank of|trust bank|apex bank|amalgamated bank)\\b/irP'

  29. local fraud_tdp = '/\\b(?:business partner(?:s|ship)?|silent partner(?:s|ship)?)\\b/irP'

  30. local fraud_gan = '/\\b(?:charles taylor|serena|abacha|gu[eйи]i|sese[- ]?seko|kabila)\\b/irP'

  31. local fraud_irt = '/\\b(?:compliments? of the|dear friend|dear sir|yours faithfully|season\'?s greetings)\\b/irP'

  32. local fraud_aon = '/\\b(?:confidential|private|alternate|alternative) (?:(?:e-? *)?mail)\\b/irP'

  33. local fraud_wny = '/\\b(?:disburse?(?:ment)?|incurr?(?:ed)?|remunerr?at(?:ed?|ion)|remm?itt?(?:ed|ance|ing)?)\\b/irP'

  34. local fraud_ipk = '/\\b(?:in|to|visit) your country\\b/irP'

  35. local fraud_qxx = '/\\b(?:my name is|i am) (?:mrs?|engr|barrister|dr|prince(?:ss)?)[. ]/irP'

  36. local fraud_iou = '/\\b(?:no risks?|risk-? *free|free of risks?|100% safe)\\b/irP'

  37. local fraud_ezy = '/\\b(?:of|the) late president\\b/irP'

  38. local fraud_mly = '/\\b(?:reply|respond)\\b[^.]{0,50}\\b(?:to|through)\\b[^.]{0,50}\\@\\b/irP'

  39. local fraud_zfj = '/\\b(?:wife|son|brother|daughter) of the late\\b/irP'

  40. local fraud_kdt = '/\\bU\\.?S\\.?(?:D\\.?)?\\s*(?:\\$\\s*)?(?:\\d+,\\d+,\\d+|\\d+\\.\\d+\\.\\d+|\\d+(?:\\.\\d+)?\\s*milli?on)/irP'

  41. local fraud_ulk = '/\\baffidavits?\\b/irP'

  42. local fraud_bgp = '/\\battached to ticket number\\b/irP'

  43. local fraud_fbi = '/\\bdisburs/irP'

  44. local fraud_jbu = '/\\bforeign account\\b/irP'

  45. local fraud_yww = '/\\bfurnish you with\\b/irP'

  46. local fraud_jyg = '/\\bgive\\s+you .{0,15}(?:fund|money|total|sum|contact|percent)\\b/irP'

  47. local fraud_xvw = '/\\bhonest cooperation\\b/irP'

  48. local fraud_uuy = '/\\blegitimate business(?:es)?\\b/irP'

  49. local fraud_snt = '/\\blocate(?: .{1,20})? extended relative/irP'

  50. local fraud_ltx = '/\\bmilli?on (?:.{1,25} thousand\\s*)?(?:(?:united states|u\\.?s\\.?) dollars|(?i:U\\.?S\\.?D?))\\b/irP'

  51. local fraud_jnb = '/\\boperat(?:e|ing)\\b[^.]{0,99}\\b(?:for(?:ei|ie)gn|off-? ?shore|over-? ?seas?) (?:bank )?accounts?\\b/irP'

  52. local fraud_qfy = '/\\bover-? *(?:invoiced?|cost(?:s|ing)?)\\b/irP'

  53. local fraud_wdr = '/\\bprivate lawyer\\b/irP'

  54. local fraud_wfc = '/\\bsecur(?:e|ing) (?:the )?(?:funds?|monies)\\b/irP'

  55. local fraud_aum = '/\\bthe desk of\\b/irP'

  56. local fraud_mcq = '/\\btransaction\\b.{1,30}\\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee)/irP'

  57. local fraud_etx = '/\\byour\\b[^.]{0,99}\\b(?:contact (?:details|information)|private (?:e?[- ]?mail|telephone|tel|phone|fax))\\b/irP'

  58. local fraud_pvn = '/as the beneficiary/irP'

  59. local fraud_fvu = '/award notification/irP'

  60. local fraud_ckf = '/computer ballot system/irP'

  61. local fraud_fcw = '/fiduciary agent/irP'

  62. local fraud_mqo = '/foreign (?:business partner|customer)/irP'

  63. local fraud_tcc = '/foreign (?:offshore )?(?:bank|account)/irP'

  64. local fraud_gbw = '/god gives .{1,10}second chance/irP'

  65. local fraud_nrg = '/i am contacting you/irP'

  66. local fraud_rlx = '/lott(?:o|ery) (?:co,?ordinator|international)/irP'

  67. local fraud_axf = '/magnanimity/irP'

  68. local fraud_thj = '/modalit(?:y|ies)/irP'

  69. local fraud_yqv = '/nigerian? (?:national|government)/irP'

  70. local fraud_yja = '/over-invoice/irP'

  71. local fraud_ypo = '/the total sum/irP'

  72. local fraud_uoq = '/vital documents/irP'

  73. reconf['ADVANCE_FEE_2'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT'], reconf['R_BAD_CTE_7BIT'], reconf['R_NO_SPACE_IN_FROM'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)

  74. reconf['ADVANCE_FEE_3'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT'], reconf['R_BAD_CTE_7BIT'], reconf['R_NO_SPACE_IN_FROM'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)