Some time ago I realized the possibility Clamav logical signatures allow to build heuristic filters. Something close to Bayesian method. They are not exact Bayesian but based on the idea to create phrase lists: one list of phrases found mainly in spam and the other (stoplist) with phrases often found in ham. However, Clamav logical signatures do not allow to assign a real weight for each phrase. Fortunately, instead, they allow to specify minimal or maximal number of appearances of phrase in text.
I tried to use results from Bayesian analysis for one big signature but without success - unfortunately phrase lists are too big. Clamav allows no more than 64 subsignatures in one logical signature.
So I tried to focus on one narrow, well distinctive type of spam and to create a signature to detect it with as low FP rate as possible.
I created signatures for detection of 4 different types of "Nigerian" scams: bank, bussiness, lotto and donator. I have successfully tested them on my server since the beginning of September. I improved them after each FP. Because of shortage of place for phrase stoplist ("ham" phrases), I could not reduce FP rate to zero but I got quite reasonable results using features specific to Clamav (limits of phrase appearence): test on real mail stream of ca 100.000 mails catched 183 scams with only 3 false positives. This was the last filter applied only to the approved mails. I mean all other filters, including Sanesecurity set, were applied before. My signatures were applied only to mails that passed all other tests but also after applying several whitelist rules (known current correspondence was not tested). Last but not least, I must mention that my users are mostly Polish so 2/3 of mails are Polish ones. Now I catch 2-3 scams every day that have not been catched with any other method.
All FP were attorney documents with content close to what we can find in scams but in fact they were true.
This is only an idea. If anyone wants to test my signatures or improve them, then below are technical details. I explain all details on the example of the beginning of one signature. It is not the exact format for logical rule but this is used as input for my signature generator:
PiK.Nigeria.Bank;Target:37:0,5000;(0|1)=0&2<4&3&(4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)
&(32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59);
news( |l);subscrib;http{-1}://€
bank€
sum €mil{-1}ion€thousand€dollars€ us(d|$)€pounds€ fund(s| )€
$(1|2|3|4|5|6|7|8|9){2-4}m €
deceased€deposit €next(-| )of(-| )kin€ heir€suffer€late client€late mr€ died€
...... (next phrases) .......
Target:37 - it generates two rules: of type 3 (html) and 7 (text/plain)
0,5000 - this is (Offset,Maxshift). It is not located in this place in clamav ldb file.
My script replaces each "€" with ";offset,maxsift:"
I look for subsignatures (all but stopwords) only at the beginning of text (4|5|6|7|8|9|10|11) means at least one subsignature from this group must appear in text (0|1)=0 means any subsignature from this group cannot appear in text (stoplist)(33|34|35|36|37|38|39)>2,3 means at least 3 different subsignatures from this group must appear (used in other signatures)
At the beginning of my trials, many FP appeared in newsletters from news agencies. There was not too much place for stopwords. Fortunately, newsletters, unlike scams, contain a lot of links, so 2<4 turned out excellent rule - it means not more than 3 appearances of "http://"; (or https) in text Warning: due to a bug in Clamav 0.96.4 this does not work. Clamav does not count logical subsignatures. It triggers FP. Fixed in 0.96.5
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2053 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2393I attached two files: human readable input for generator and sig (.ldb) file. I am not sure if they pass: if freelist.org cut attachments then I supply links for the files.
PiK
PiK.Nigeria.Bank3;Target:3;(0|1)=0&2<4&3&(4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)&(32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59);6E657773(20|6C);7375627363726962;68747470{-1}3A2F2F;0,5000:62616E6B;0,5000:73756D20;0,5000:6D696C{-1}696F6E;0,5000:74686F7573616E64;0,5000:646F6C6C617273;0,5000:207573(64|24);0,5000:706F756E6473;0,5000:2066756E64(73|20);0,5000:2024(31|32|33|34|35|36|37|38|39){2-4}6D20;0,5000:6465636561736564;0,5000:6465706F73697420;0,5000:6E657874(2D|20)6F66(2D|20)6B696E;0,5000:2068656972;0,5000:737566666572;0,5000:6C61746520636C69656E74;0,5000:6C617465206D72;0,5000:2064696564;0,5000:6465617468;0,5000:206B696C6C;0,5000:64656D697365;0,5000:63616E636572;0,5000:64697374757262;0,5000:6865617274(2D|20)72656C61746564;0,5000:7669746374696D;0,5000:65617274687175616B65;0,5000:7473756E616D69;0,5000:6372617368;0,5000:6163636964656E74;0,5000:6469736173746572;0,5000:6E696765726961;0,5000:206C61676F73;0,5000:69766F727920636F617374;0,5000:636F746520642769766F697265;0,5000:616269646A616E;0,5000:6C6567616C;0,5000:757267656E74;0,5000:75746D6F7374;0,5000:6D757475616C;0,5000:6C65676974696D617465;0,5000:7269736B2066726565;0,5000:696E64756C67656E6365;0,5000:627573{-1}696E6573{-1}2070726F706F73;0,5000:62656E656669(74|63);0,5000:636C61696D(20|73|65);0,5000:636F{-1}6F7065726174696F6E;0,5000:7472616E73(66|61)(65|63)(72|74);0,5000:7369722F6D6164616D;0,5000:6174746E;0,5000:617474656E74696F6E;0,5000:6D79206E616D65206973;0,5000:626172726973746572;0,5000:6920616D20(6D|74)(72|68)(2E|73|65);0,5000:6174746F726E6579;0,5000:7375727072697365;0,5000:(66|6D)6F72(65|20){-8}696E666F726D6174696F6E;0,5000:(66|6D)6F72(65|20){-8}64657461696C;0,5000:77696C6C696E67
PiK.Nigeria.Bank7;Target:7;(0|1)=0&2<4&3&(4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)&(32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59);6E657773(20|6C);7375627363726962;68747470{-1}3A2F2F;0,5000:62616E6B;0,5000:73756D20;0,5000:6D696C{-1}696F6E;0,5000:74686F7573616E64;0,5000:646F6C6C617273;0,5000:207573(64|24);0,5000:706F756E6473;0,5000:2066756E64(73|20);0,5000:2024(31|32|33|34|35|36|37|38|39){2-4}6D20;0,5000:6465636561736564;0,5000:6465706F73697420;0,5000:6E657874(2D|20)6F66(2D|20)6B696E;0,5000:2068656972;0,5000:737566666572;0,5000:6C61746520636C69656E74;0,5000:6C617465206D72;0,5000:2064696564;0,5000:6465617468;0,5000:206B696C6C;0,5000:64656D697365;0,5000:63616E636572;0,5000:64697374757262;0,5000:6865617274(2D|20)72656C61746564;0,5000:7669746374696D;0,5000:65617274687175616B65;0,5000:7473756E616D69;0,5000:6372617368;0,5000:6163636964656E74;0,5000:6469736173746572;0,5000:6E696765726961;0,5000:206C61676F73;0,5000:69766F727920636F617374;0,5000:636F746520642769766F697265;0,5000:616269646A616E;0,5000:6C6567616C;0,5000:757267656E74;0,5000:75746D6F7374;0,5000:6D757475616C;0,5000:6C65676974696D617465;0,5000:7269736B2066726565;0,5000:696E64756C67656E6365;0,5000:627573{-1}696E6573{-1}2070726F706F73;0,5000:62656E656669(74|63);0,5000:636C61696D(20|73|65);0,5000:636F{-1}6F7065726174696F6E;0,5000:7472616E73(66|61)(65|63)(72|74);0,5000:7369722F6D6164616D;0,5000:6174746E;0,5000:617474656E74696F6E;0,5000:6D79206E616D65206973;0,5000:626172726973746572;0,5000:6920616D20(6D|74)(72|68)(2E|73|65);0,5000:6174746F726E6579;0,5000:7375727072697365;0,5000:(66|6D)6F72(65|20){-8}696E666F726D6174696F6E;0,5000:(66|6D)6F72(65|20){-8}64657461696C;0,5000:77696C6C696E67
PiK.Nigeria.Bussiness3;Target:3;(0|1)=0&2<4&(3|4|5|6|7|8|9)&(((10|11|12|13|14|15|16)&(17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)>2,3)|((10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)&(33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)>2,3)|((10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)>1,2&(33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)));6E657773(20|6C);7375627363726962;68747470{-1}3A2F2F;0,5000:73756D20;0,5000:6D696C{-1}696F6E;0,5000:646F6C6C617273;0,5000:207573(64|24);0,5000:706F756E6473;0,5000:2066756E64(73|20);0,5000:6D6F6E6579;0,5000:6D79206E616D65206973;0,5000:6920616D20(6D|74)(72|68)(2E|73|65);0,5000:626172726973746572;0,5000:6174746F726E6579;0,5000:7375727072697365;0,5000:74686973{-6}20697320746F20{-12}(69|6E)(6E|6F)(66|74)(6F|69)(72|66)(6D|79)20796F75;0,5000:20736F6C6963697420;0,5000:6E696765726961;0,5000:206C61676F73;0,5000:69766F727920636F617374;0,5000:636F746520642769766F697265;0,5000:616269646A616E;0,5000:757267656E74;0,5000:75746D6F7374;0,5000:6D757475616C;0,5000:6C65676974696D617465;0,5000:7269736B2066726565;0,5000:696E64756C67656E6365;0,5000:627573{-1}696E6573{-1}2070726F706F73;0,5000:636F{-1}6F7065726174696F6E;0,5000:62656E656669(74|63);0,5000:617373697374616E6365;0,5000:7472616E73(66|61)(65|63)(72|74);0,5000:6465636561736564;0,5000:6465706F73697420;0,5000:737566666572;0,5000:6C61746520636C69656E74;0,5000:6C617465206D72;0,5000:2064696564;0,5000:6465617468;0,5000:206B696C6C;0,5000:64656D697365;0,5000:63616E636572;0,5000:64697374757262;0,5000:6865617274(2D|20)72656C61746564;0,5000:7669746374696D;0,5000:65617274687175616B65;0,5000:7473756E616D69;0,5000:6372617368;0,5000:6163636964656E74;0,5000:6469736173746572;0,5000:(66|6D)6F72(65|20){-8}696E666F726D6174696F6E;0,5000:(66|6D)6F72(65|20){-8}64657461696C;0,5000:20(31|32|33|34|35)3025;0,5000:77696C6C696E67;0,5000:63616C6C206D65;0,5000:6F636375706174696F6E;0,5000:796F757220616765;0,5000:66756C6C206E616D65;0,5000:6D61726974616C20737461747573;0,5000:(68|79|74)(69|6F|61)(6D|61|75|63)(65|6C|72|74)206164{-1}726573;0,5000:67656E646572;0,5000:70686F6E65206E756D626572
PiK.Nigeria.Bussiness7;Target:7;(0|1)=0&2<4&(3|4|5|6|7|8|9)&(((10|11|12|13|14|15|16)&(17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)>2,3)|((10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)&(33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)>2,3)|((10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)>1,2&(33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)));6E657773(20|6C);7375627363726962;68747470{-1}3A2F2F;0,5000:73756D20;0,5000:6D696C{-1}696F6E;0,5000:646F6C6C617273;0,5000:207573(64|24);0,5000:706F756E6473;0,5000:2066756E64(73|20);0,5000:6D6F6E6579;0,5000:6D79206E616D65206973;0,5000:6920616D20(6D|74)(72|68)(2E|73|65);0,5000:626172726973746572;0,5000:6174746F726E6579;0,5000:7375727072697365;0,5000:74686973{-6}20697320746F20{-12}(69|6E)(6E|6F)(66|74)(6F|69)(72|66)(6D|79)20796F75;0,5000:20736F6C6963697420;0,5000:6E696765726961;0,5000:206C61676F73;0,5000:69766F727920636F617374;0,5000:636F746520642769766F697265;0,5000:616269646A616E;0,5000:757267656E74;0,5000:75746D6F7374;0,5000:6D757475616C;0,5000:6C65676974696D617465;0,5000:7269736B2066726565;0,5000:696E64756C67656E6365;0,5000:627573{-1}696E6573{-1}2070726F706F73;0,5000:636F{-1}6F7065726174696F6E;0,5000:62656E656669(74|63);0,5000:617373697374616E6365;0,5000:7472616E73(66|61)(65|63)(72|74);0,5000:6465636561736564;0,5000:6465706F73697420;0,5000:737566666572;0,5000:6C61746520636C69656E74;0,5000:6C617465206D72;0,5000:2064696564;0,5000:6465617468;0,5000:206B696C6C;0,5000:64656D697365;0,5000:63616E636572;0,5000:64697374757262;0,5000:6865617274(2D|20)72656C61746564;0,5000:7669746374696D;0,5000:65617274687175616B65;0,5000:7473756E616D69;0,5000:6372617368;0,5000:6163636964656E74;0,5000:6469736173746572;0,5000:(66|6D)6F72(65|20){-8}696E666F726D6174696F6E;0,5000:(66|6D)6F72(65|20){-8}64657461696C;0,5000:20(31|32|33|34|35)3025;0,5000:77696C6C696E67;0,5000:63616C6C206D65;0,5000:6F636375706174696F6E;0,5000:796F757220616765;0,5000:66756C6C206E616D65;0,5000:6D61726974616C20737461747573;0,5000:(68|79|74)(69|6F|61)(6D|61|75|63)(65|6C|72|74)206164{-1}726573;0,5000:67656E646572;0,5000:70686F6E65206E756D626572
PiK.Nigeria.Lotto3;Target:3;(0|1|2|3|4|5|6|7|8|9|10)&(11|12|13)&(14|15|16|17|18)&(19|20|21|22|23|24|25|26|27|28|29|30)>1,2;6C6F74746F;0,4000:6C6F7474657279;0,4000:6177617264;0,4000:77696E6E6572;0,4000:796F75{-4}20776F6E;0,4000:72616E646F6D;0,4000:2065{-1}6D61696C73;0,4000:6170{-1}726F766564;0,4000:62616C6C6F74;0,4000:70726F6D6F74696F6E20;0,4000:74686973{-6}20697320746F20{-12}(69|6E)(6E|6F)(66|74)(6F|69)(72|66)(6D|79)20796F75;0,4000:6D696C{-1}696F6E;0,4000:74686F7573616E64;0,4000:(20|2C)303030;0,4000:646F6C6C617273;0,4000:207573(64|24);0,4000:706F756E6473;0,4000:206575726F(28|29|73|20|2E|3A|31|32|33|34|35|36|37|38|39);0,4000:20657572(28|29|20|2E|3A|31|32|33|34|35|36|37|38|39);0,4000:64657461696C73;0,4000:6F636375706174696F6E;0,4000:66756C6C206E616D65;0,4000:6D61726974616C20737461747573;0,4000:(68|79|74)(69|6F|61)(6D|61|75|63)(65|6C|72|74)206164{-1}726573;0,4000:67656E646572;0,4000:70686F6E65206E756D626572;0,4000:666178206E756D626572;0,4000:636F756E747279;0,4000:66696C6520726566;0,4000:6261746368206E756D626572;0,4000:636C61696D(20|73)
PiK.Nigeria.Lotto7;Target:7;(0|1|2|3|4|5|6|7|8|9|10)&(11|12|13)&(14|15|16|17|18)&(19|20|21|22|23|24|25|26|27|28|29|30)>1,2;6C6F74746F;0,4000:6C6F7474657279;0,4000:6177617264;0,4000:77696E6E6572;0,4000:796F75{-4}20776F6E;0,4000:72616E646F6D;0,4000:2065{-1}6D61696C73;0,4000:6170{-1}726F766564;0,4000:62616C6C6F74;0,4000:70726F6D6F74696F6E20;0,4000:74686973{-6}20697320746F20{-12}(69|6E)(6E|6F)(66|74)(6F|69)(72|66)(6D|79)20796F75;0,4000:6D696C{-1}696F6E;0,4000:74686F7573616E64;0,4000:(20|2C)303030;0,4000:646F6C6C617273;0,4000:207573(64|24);0,4000:706F756E6473;0,4000:206575726F(28|29|73|20|2E|3A|31|32|33|34|35|36|37|38|39);0,4000:20657572(28|29|20|2E|3A|31|32|33|34|35|36|37|38|39);0,4000:64657461696C73;0,4000:6F636375706174696F6E;0,4000:66756C6C206E616D65;0,4000:6D61726974616C20737461747573;0,4000:(68|79|74)(69|6F|61)(6D|61|75|63)(65|6C|72|74)206164{-1}726573;0,4000:67656E646572;0,4000:70686F6E65206E756D626572;0,4000:666178206E756D626572;0,4000:636F756E747279;0,4000:66696C6520726566;0,4000:6261746368206E756D626572;0,4000:636C61696D(20|73)
PiK.Nigeria.Donator3;Target:3;(0|1)=0&2<4&(3|4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24)>1,2&(25|26|27|28)&(29|30|31|32|33|34|35|36|37|38|39|40);6E657773(20|6C);7375627363726962;68747470{-1}3A2F2F;0,8000:73756D20;0,8000:6D696C{-1}696F6E;0,8000:74686F7573616E64;0,8000:646F6C6C617273;0,8000:207573(64|24);0,8000:706F756E6473;0,8000:2066756E64(73|20);0,8000:6D6F6E6579;0,8000:737566666572;0,8000:696C6C6E657373;0,8000:7369636B6E657373;0,8000:6C6174652068757362616E64;6465617468;0,8000:63616E636572;0,8000:6865617274(2D|20)72656C61746564;0,8000:692077696C6C20646965;0,8000:65766572796F6E652077696C6C20646965;0,8000:7669746374696D;0,8000:65617274687175616B65;0,8000:7473756E616D69;0,8000:6163636964656E74;0,8000:736563757269747920636F6D70616E;0,8000:616C6D6967687479;0,8000:6F727068616E;0,8000:63686172697479206F7267616E69;0,8000:20646F6E6174(65|69);0,8000:(66|6D)6F72(65|20){-8}696E666F726D6174696F6E;0,8000:(66|6D)6F72(65|20){-8}64657461696C73;0,8000:64657461696C{-2}20696E666F;0,8000:6F636375706174696F6E;0,8000:70726F76696465{-18}696E666F726D6174;0,8000:77696C6C696E67;0,8000:796F757220616765;0,8000:66756C6C206E616D65;0,8000:6D61726974616C20737461747573;0,8000:(68|79|74)(69|6F|61)(6D|61|75|63)(65|6C|72|74)206164{-1}726573;0,8000:67656E646572;0,8000:70686F6E65206E756D626572
PiK.Nigeria.Donator7;Target:7;(0|1)=0&2<4&(3|4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24)>1,2&(25|26|27|28)&(29|30|31|32|33|34|35|36|37|38|39|40);6E657773(20|6C);7375627363726962;68747470{-1}3A2F2F;0,8000:73756D20;0,8000:6D696C{-1}696F6E;0,8000:74686F7573616E64;0,8000:646F6C6C617273;0,8000:207573(64|24);0,8000:706F756E6473;0,8000:2066756E64(73|20);0,8000:6D6F6E6579;0,8000:737566666572;0,8000:696C6C6E657373;0,8000:7369636B6E657373;0,8000:6C6174652068757362616E64;6465617468;0,8000:63616E636572;0,8000:6865617274(2D|20)72656C61746564;0,8000:692077696C6C20646965;0,8000:65766572796F6E652077696C6C20646965;0,8000:7669746374696D;0,8000:65617274687175616B65;0,8000:7473756E616D69;0,8000:6163636964656E74;0,8000:736563757269747920636F6D70616E;0,8000:616C6D6967687479;0,8000:6F727068616E;0,8000:63686172697479206F7267616E69;0,8000:20646F6E6174(65|69);0,8000:(66|6D)6F72(65|20){-8}696E666F726D6174696F6E;0,8000:(66|6D)6F72(65|20){-8}64657461696C73;0,8000:64657461696C{-2}20696E666F;0,8000:6F636375706174696F6E;0,8000:70726F76696465{-18}696E666F726D6174;0,8000:77696C6C696E67;0,8000:796F757220616765;0,8000:66756C6C206E616D65;0,8000:6D61726974616C20737461747573;0,8000:(68|79|74)(69|6F|61)(6D|61|75|63)(65|6C|72|74)206164{-1}726573;0,8000:67656E646572;0,8000:70686F6E65206E756D626572
PiK.Nigeria.Bank;Target:37:0,5000;(0|1)=0&2<4&3&(4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)
&(32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59);
news( |l);subscrib;http{-1}://?
bank?
sum ?mil{-1}ion?thousand?dollars? us(d|$)?pounds? fund(s| )?
$(1|2|3|4|5|6|7|8|9){2-4}m ?
deceased?deposit ?next(-| )of(-| )kin? heir?suffer?late client?late mr?
died?death? kill?demise?cancer?disturb?heart(-|
)related?vitctim?earthquake?tsunami?crash?accident?disaster?
nigeria? lagos?ivory coast?cote
d'ivoire?abidjan?legal?urgent?utmost?mutual?legitimate?risk
free?indulgence?bus{-1}ines{-1} propos?
benefi(t|c)?claim( |s|e)?co{-1}operation?trans(f|a)(e|c)(r|t)?
sir/madam?attn?attention?my name is?barrister?i am
(m|t)(r|h)(.|s|e)?attorney?surprise?
(f|m)or(e| ){-8}information?(f|m)or(e| ){-8}detail?willing
PiK.Nigeria.Bussiness;Target:37:0,5000;(0|1)=0&2<4&(3|4|5|6|7|8|9)&
(
((10|11|12|13|14|15|16)&(17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48
|49|50|51|52|53|54|55|56|57|58|59|60|61|62)>2,3
) | (
(10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)
&(33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)>2,3
) | (
(10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)>1,2
&(33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62)
)
);
news( |l);subscrib;http{-1}://?
sum ?mil{-1}ion?dollars? us(d|$)?pounds? fund(s| )?money?
my name is?i am (m|t)(r|h)(.|s|e)?barrister?attorney?surprise?this{-6} is to
{-12}(i|n)(n|o)(f|t)(o|i)(r|f)(m|y) you? solicit ?
nigeria? lagos?ivory coast?cote
d'ivoire?abidjan?urgent?utmost?mutual?legitimate?risk
free?indulgence?bus{-1}ines{-1} propos?co{-1}operation?
benefi(t|c)?assistance?trans(f|a)(e|c)(r|t)?
deceased?deposit ?suffer?late client?late mr? died?death?
kill?demise?cancer?disturb?heart(-|
)related?vitctim?earthquake?tsunami?crash?accident?disaster?
(f|m)or(e| ){-8}information?(f|m)or(e| ){-8}detail? (1|2|3|4|5)0%?willing?call
me?
occupation?your age?full name?marital status?(h|y|t)(i|o|a)(m|a|u|c)(e|l|r|t)
ad{-1}res?gender?phone number
PiK.Nigeria.Lotto;Target:37:0,4000;(0|1|2|3|4|5|6|7|8|9|10)&(11|12|13)&(14|15|16|17|18)&(19|20|21|22|23|24|25|26|27|28|29|30)>1,2;
lotto?lottery?award?winner?you{-4} won?random?
e{-1}mails?ap{-1}roved?ballot?promotion ?this{-6} is to
{-12}(i|n)(n|o)(f|t)(o|i)(r|f)(m|y) you?
mil{-1}ion?thousand?( |,)000?dollars? us(d|$)?pounds? euro((|)|s|
|.|:|1|2|3|4|5|6|7|8|9)? eur((|)| |.|:|1|2|3|4|5|6|7|8|9)?
details?occupation?full name?marital status?(h|y|t)(i|o|a)(m|a|u|c)(e|l|r|t)
ad{-1}res?gender?phone number?fax number?country?file ref?batch number?claim(
|s)
PiK.Nigeria.Donator;Target:37:0,8000;(0|1)=0&2<4
&(3|4|5|6|7|8|9|10|11)&(12|13|14|15|16|17|18|19|20|21|22|23|24)>1,2&(25|26|27|28)&(29|30|31|32|33|34|35|36|37|38|39|40);
news( |l);subscrib;http{-1}://?
sum ?mil{-1}ion?thousand?dollars? us(d|$)?pounds? fund(s| )?money?
suffer?illness?sickness?late husband;death?cancer?heart(-| )related?i will
die?everyone will die?vitctim?earthquake?tsunami?accident?security compan?
almighty?orphan?charity organi? donat(e|i)?
(f|m)or(e| ){-8}information?(f|m)or(e| ){-8}details?detail{-2}
info?occupation?provide{-18}informat?willing?
your age?full name?marital status?(h|y|t)(i|o|a)(m|a|u|c)(e|l|r|t)
ad{-1}res?gender?phone number
