Advance Fee Fraud (AFF) from freemail provider or suspicious TLD

type.inbound
and (
  sender.email.domain.domain in $free_email_providers
  or (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            (
              .email.domain.root_domain in $free_email_providers
              or .email.domain.tld in $suspicious_tlds
            )
            and .email.email != sender.email.email
    )
  )
  or sender.email.domain.tld in $suspicious_tlds
)
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "advance_fee" and .confidence in ("medium", "high")
  )
  or (
    length(body.current_thread.text) < 200
    and regex.icontains(body.current_thread.text,
                        '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
    )
    and (
      (
        (
          length(headers.references) > 0
          or not any(headers.hops,
                     any(.fields, strings.ilike(.name, "In-Reply-To"))
          )
        )
        and not (
          (
            strings.istarts_with(subject.subject, "RE:")
            // out of office auto-reply
            or strings.istarts_with(subject.subject, "Automatic reply:")
            or strings.istarts_with(subject.subject, "R:")
            or strings.istarts_with(subject.subject, "ODG:")
            or strings.istarts_with(subject.subject, "答复:")
            or strings.istarts_with(subject.subject, "AW:")
            or strings.istarts_with(subject.subject, "TR:")
            or strings.istarts_with(subject.subject, "FWD:")
            or regex.icontains(subject.subject,
                               '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
            )
          )
        )
      )
      or any(headers.reply_to, .email.email != sender.email.email)
    )
  )
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives