# JOB/MULE FRAUD
#
#  Keyword patterns currently used to score job-offer and money-mule
#  recruitment mail.
#
#  Updated and verified 10/14/2016
#
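# Running total for this test.  Each keyword group below that fires adds its
# own weight (From header 2, Subject 3, body 5); the verdict recipes at the
# end of the file compare the total against their thresholds.
LOCALSCORE=0

# Job/Mule Fraud From Header Keywords
#
# Weighted scoring: the recipe fires only when the weights of the matching
# conditions sum to more than zero.  Every condition uses exponent 0, so it
# counts at most once per message.
#   -1   bias, so that at least one positive condition has to match
#   -10  role-style sender (billing, customerservice, info, sales); this
#        vetoes the group, because both positive conditions together only
#        reach +4
#   +2   "job" or "position(s)" in the local part of the sender address
#   +2   "Mystery Shopper" / "Secret Shopper" in the From header
# procmail matches case-insensitively unless the D flag is set, so the
# lower-case character classes also cover upper-case letters.
#
# The positive conditions end in ([^0-9a-z.]|$).  They were previously
# written (^[0-9a-z.]|$): with the caret outside the brackets procmail reads
# it as a line boundary, so an address followed by ">" or a display name
# followed by " <" never matched and only a header ending right after the
# keyword was detected.
#
# NOTE(review): the domain part of the address patterns only fits
# name.tld and name.xx.yy shapes; senders on deeper subdomains are not
# matched -- confirm that this is intended.
:0
* -1^0
* H ?? -10^0 ^From:.*[^0-9a-z][-0-9a-z.]*(billing|customerservice|info|sales)[-0-9a-z.]*@
* H ??   2^0 ^From:.*([^0-9a-z]*[-0-9a-z.]*job[-0-9a-z.]*@[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?|\
             [^0-9a-z]*[-0-9a-z.]*p+o+s+i+t+i+o+ns*[-0-9a-z.]*@[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]?(\.[a-z][a-z])?)([^0-9a-z.]|$)
* H ??   2^0 ^From:.*[^0-9a-z]((Mystery|Secret)( )*Shopper)([^0-9a-z.]|$)
{
 # Label the log entry.  loglevel.rc is defined elsewhere; presumably it
 # reads SBLOG -- confirm against that file.
 SBLOG="C3T-${TESTNAME} (From Header Keywords)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # The score of this recipe is LOCALSCORE + 2.  $= holds the score of the
 # most recent recipe, so the assignment adds this group's weight to the
 # running total.
 :0
 * $ ${LOCALSCORE}^0
 * 2^0
 {
  LOCALSCORE=$=
 }
}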
# Job/Mule Fraud Subject Header
#
# Weighted scoring on the Subject header; the recipe fires when the weights
# of the matching conditions sum to more than zero.
#   -2   bias: a single positive hit still clears it (3 - 2 = 1)
#   -10  subjects the author excludes from this test (account update or
#        verification notices, degree/diploma and stock offers, ".OB"/".PK"
#        -- presumably stock-ticker suffixes -- and "Notification of Limited
#        Account Access"); one such hit is only outweighed by five or more
#        positive hits
#   +3   each recruiting phrase; stretched spellings such as "jooobs" are
#        covered by the letter+ forms
# Exponent 0 means a condition counts once however often it matches.
# Matching is case-insensitive because the recipe does not set the D flag.
#
# NOTE(review): in the "different" and "(Europe|USA)" patterns the
# [^0-9a-z]* that follows .* can match the empty string, so those words are
# not held to a word boundary there -- confirm that this is intended.
:0
* -2^0
* H ?? -10^0 ^Subject:.*[^0-9a-z](account( )*update|\
             account( )*verification|\
             degrees?|\
             diplomas?|\
             st(\*|0|o)cks?|\
             update( )*notification|\
             update.*accounts?|\
             verification.*required|\
             \.(OB|PK))([^0-9a-z.]|$)
* H ?? -10^0 ^Subject:.*[^0-9a-z]Notification of Limited Account Access$
* H ??   3^0 ^Subject:.*[^0-9a-z]company.*[^0-9a-z]*different.*[^0-9a-z]*activit(y|ies)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]dear[^0-9a-z]respect(ed)?([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z](employees|USA).*[^0-9a-z](USA|employees)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z](employees|United States).*[^0-9a-z](United States|employees)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]end.*[^0-9a-z]crisis!([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]fill.*[^0-9a-z](positions?|vacanc(y|ies))([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]for.*[^0-9a-z](employees?|staff).*[^0-9a-z]*(Europe|USA)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]home.*[^0-9a-z]based([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]in.*[^0-9a-z]home([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]j+o+b+s?([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z](Mystery|Secret)( )*Shopper([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]p+a+r+t+n+e+r+s*([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]p+e+r+s+o+n+a+l+( )*a+s+s+i+s+t+a+n+t+s*.*(needed|positions?|required|wanted)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]p+o+s+i+t+i+o+n+s*([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]Processing.*[^0-9a-z]Assistan(ce|ts?)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]Prospective.*[^0-9a-z]Hire([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z]regional( )*managers?.*[^0-9a-z](USA|United( )*States)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z](staff|USA).*[^0-9a-z](USA|staff)([^0-9a-z]|$)
* H ??   3^0 ^Subject:.*[^0-9a-z](staff|United States).*[^0-9a-z](United States|staff)([^0-9a-z]|$)
{
 # Label the log entry.  loglevel.rc is defined elsewhere; presumably it
 # reads SBLOG -- confirm against that file.
 SBLOG="C3T-${TESTNAME} (Subject Header Keywords)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # The score of this recipe is LOCALSCORE + 3.  $= holds the score of the
 # most recent recipe, so the assignment adds this group's weight to the
 # running total.
 :0
 * $ ${LOCALSCORE}^0
 * 3^0
 {
  LOCALSCORE=$=
 }
}
# Job/Mule Fraud Body Keywords
#
# Weighted scoring on the message body; the recipe fires when the weights of
# the matching conditions sum to more than zero.
#   -10  bias: two hits reach at most 5 + 5 - 10 = 0, so at least three
#        different patterns have to match
#   -10  "degree" or "diploma" anywhere in the body; five positive hits are
#        then needed
#   +5   each recruiting / payment-handling phrase
#   +3   the weaker phrases "flexible hours" and "great pay"
# Exponent 0 means a pattern counts once however often it occurs.  Matching
# is case-insensitive because the recipe does not set the D flag.
#
# In procmail regexps "$" matches a line break and "." does not:
#   .*$?.*     the phrase may wrap onto the next line
#   .*$.*      the second half is expected on the line after the first
#   (.*$)*.*   any number of lines may come between the two halves
#
# NOTE(review): procmail tests the body as it arrives.  Text inside base64
# or quoted-printable MIME parts is only seen if an earlier stage has decoded
# it -- confirm against the calling rules.
# NOTE(review): several patterns are single common words (position,
# employed, hire), so ordinary recruiting mail can reach the threshold.  The
# group is worth 5, which on its own only reaches the "Probable" verdict at
# the end of the file.
# NOTE(review): "work(ing)" in the "... assistant" pattern has no "?", so
# only "working" matches there, and "salary: ... per" requires a line break
# before "payment|package|transaction" -- confirm both are intended.
:0
* -10^0
* B ?? -10^0 (^|[^0-9a-z])(degree|diploma)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(accuracy|promptness).*[^0-9a-z]payments?([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(assistant|executive|position)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(available|vacant)[^0-9a-z]*$?[^0-9a-z]*(jobs?|positions?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])bank[^0-9a-z]*$?[^0-9a-z]*accounts[^0-9a-z]*$?[^0-9a-z]*opening([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])check[^0-9a-z]*$?[^0-9a-z]*email.*$?.*[^0-9a-z](two[^0-9a-z]*times|twice).*$?.*[^0-9a-z]da(y|ily)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])companies[^0-9a-z]*$?[^0-9a-z]*(setting|winding)-up([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])company.*[^0-9a-z]different.*[^0-9a-z]activit(y|ies)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])connect.*[^0-9a-z](buyers|sellers).*[^0-9a-z](buyers|sellers)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])customer[^0-9a-z]*service.*[^0-9a-z]representative([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])employ(ed|ment)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])evaluate.*$?.*[^0-9a-z]quality.*$?.*[^0-9a-z](goods|products?|services?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(executive|office|personal)( )+assistant( )+position([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])expected.*[^0-9a-z](payments?|transactions?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])experience.*$.*not[^0-9a-z]*$?[^0-9a-z]*necessary([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])fill.*$.*[^0-9a-z](positions?|vacanc(y|ies))([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])forward([^0-9a-z]*the)?[^0-9a-z]*(balance|rest)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(greetings*|hello).*[^0-9a-z](candidate|employee)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])hir(e|ed|ing)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])hiring.*$?.*(field[^0-9a-z]*agents?|mystery[^0-9a-z]*shoppers?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])how.*$?.*[^0-9a-z]apply([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])if[^0-9a-z]*interested.*$?.*(appl(ication|y)|reply)[^0-9a-z]*$?[^0-9a-z]*to.*$?.*[^0-9a-z][0-9a-z][-0-9a-z.]+@
* B ??   5^0 (^|[^0-9a-z])import[^0-9a-z]*export([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])interest(.*$)*.*[^0-9a-z]confirmed(.*$)*.*[^0-9a-z](company|details|identity|name|provided)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])job description:(.*$)*.*[^0-9a-z]forward(.*$)*.*[^0-9a-z](instructions|manager)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])job description:(.*$)*.*[^0-9a-z]receive(.*$)*.*[^0-9a-z](correspondence|payments?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])job description:(.*$)*.*[^0-9a-z]ship(.*$)*.*[^0-9a-z](packages?|payments?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])job.*$.*[^0-9a-z](opening|opportunity|search)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])legitimate(.*$)*.*[^0-9a-z](employment|offer)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])making.*[^0-9a-z]payments?([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])manage.*[^0-9a-z]transactions?([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])no.*[^0-9a-z]experience([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])number of.*[^0-9a-z](payments?|per (week|month)|transactions?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])offer.*$?.*[^0-9a-z](employ(ment)?|job)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(provide|training).*$?.*[^0-9a-z](provided|training)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])private[^0-9a-z]*$?[^0-9a-z]*undertaking[^0-9a-z]*$?[^0-9a-z]*services([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])process(ing)?.*$?.*[^0-9a-z](payments?|transactions).*$?.*[^0-9a-z](clients?|customers?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])prospective[^0-9a-z]*$?[^0-9a-z]*(assistant|employee|hire)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])receiv(e|ing).*[^0-9a-z](account|bank|funds|payments?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])remote[^0-9a-z]*employees?([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z](adult|minimum[^0-9a-z]*$?[^0-9a-z]*age)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z]bank[^0-9a-z]*$?[^0-9a-z]*account([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z](computer)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z]e[^0-9a-z]?mail([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z](fluent|speak)(.*$)*.*[^0-9a-z]English([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z](mobile|cell|landline|stationary)[^0-9a-z]*$?[^0-9a-z]*((tele)?phone)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])requirements?:(.*$)*.*[^0-9a-z]resident of(.*$)*.*[^0-9a-z](united|U[^0-9a-z]?S[^0-9a-z]?A?[^0-9a-z]?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])salary:(.*$)*.*[^0-9a-z]per[^0-9a-z]*$[^0-9a-z]*(payment|package|transaction)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])search.*$.*[^0-9a-z](jobs?|partners?)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])(secret|mystery).*$.*[^0-9a-z]shoppers?([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])send.*$.*[^0-9a-z]contact[^0-9a-z]*$?[^0-9a-z]*information([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])specializes in.*[^0-9a-z](marketing)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])Surname:
* B ??   5^0 (^|[^0-9a-z])use.*$?.*[^0-9a-z]hiring[^0-9a-z]*$?[^0-9a-z]*agency([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])vacancies.*$?.*[^0-9a-z]limited([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])visit.*$?.*[^0-9a-z](shop|store|mall)([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])weekly[^0-9a-z]*$?[^0-9a-z]*commissions?([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])work(ing).*[^a-z](executive|office|personal)( )+assistant([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])work.*[^0-9a-z]from.*[^0-9a-z](home|house|residence)([^0-9a-z]|$)
* B ??   3^0 (^|[^0-9a-z])flexible[^0-9a-z]*hours([^0-9a-z]|$)
* B ??   3^0 (^|[^0-9a-z])great[^0-9a-z]*pay([^0-9a-z]|$)
* B ??   5^0 (^|[^0-9a-z])send.*$.*[^0-9a-z]payment([^0-9a-z]|$)
{
 # Label the log entry.  loglevel.rc is defined elsewhere; presumably it
 # reads SBLOG -- confirm against that file.
 SBLOG="C3T-${TESTNAME} (Body Keywords)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # The score of this recipe is LOCALSCORE + 5.  $= holds the score of the
 # most recent recipe, so the assignment adds this group's weight to the
 # running total.
 :0
 * $ ${LOCALSCORE}^0
 * 5^0
 {
  LOCALSCORE=$=
 }
}
# Verdict.  LOCALSCORE starts at 0 and the three keyword groups add 2 (From),
# 3 (Subject) and 5 (body), so it can only be 0, 2, 3, 5, 7, 8 or 10 here.
#
# Total above 6 -- the body group plus at least one header group: the two
# self-assignments leave TESTNAME and TESTSCORE as they were set before this
# file ran, and LT4 is set.
# NOTE(review): LT4, TESTSCORE and TESTSCORE2 are defined outside this file;
# their meaning is not visible here.
:0
* -6^0
* $ ${LOCALSCORE}^0
{
 TESTNAME="${TESTNAME}"
 TESTSCORE=${TESTSCORE}
 LT4=yes
}

# Otherwise (the E flag runs this recipe only when the one above did not
# fire), total above 3 -- that is, exactly 5, from the body group alone or
# from From plus Subject: report "Probable <name>" with TESTSCORE2.
# A Subject hit alone (3) or a From hit alone (2) produces no verdict.
:0 E
* -3^0
* $ ${LOCALSCORE}^0
{
 TESTNAME="Probable ${TESTNAME}"
 TESTSCORE=${TESTSCORE2}
 LT4=yes
}
163