The message arrived at a Squarespace contact form this week:
"DEAREST BELOVED, I am writing to inform you of an URGENT business proposal worth €4,500. My…" · Mr. Adebayo Williams · [email protected]
Verdict from our classifier:
Classic advance-fee scam: an unsolicited offer of money from a stranger, with a request for personal banking details.
It was quarantined. The customer never saw it in their normal inbox. They saw it in the Pengon dashboard, tagged spam, with one click to recover it if we got it wrong (we didn't).
What's interesting isn't that we caught it. It's which layer caught it. Eight of our nine layers, the cheap ones we run first to keep AI inference costs down, correctly let this message through. Only the ninth one could actually see what it was.
The pipeline, briefly
Every submission that hits Pengon goes through a defence-in-depth pipeline, ordered cheapest-first. The gist:
| # | Layer | What it does | Cost |
|---|---|---|---|
| 1 | IP blocklist (KV) | Refuse submissions from IPs we've seen abuse | <5ms |
| 2 | Payload size cap | Refuse bodies over 32 KB | 0ms |
| 3 | Site lookup | Find the customer's site config | ~10ms |
| 4 | Origin verification | Refuse if Origin doesn't match registered domains | 0ms |
| 5 | Page-load token | HMAC + ≥800ms timing, refuse if the browser didn't actually load the form | ~1ms |
| 6 | Per-IP rate limit | 30/min per IP | ~2ms |
| 7 | Per-site rate limit | 60/min per site | ~2ms |
| 8 | Field-length caps | Truncate huge fields so AI inference cost stays bounded | 0ms |
| 9 | Pipeline (cheap heuristics → AI classifier) | The actual classification | <2s |
Most submissions get killed by layers 1 to 8 before we ever pay for an AI inference call. That's the point: AI is the most expensive layer, so we only use it on submissions that survived all the cheaper checks.
For Mr. Adebayo, every cheap check passed.
Walking through the layers
Layer 1 (IP blocklist): First time we'd seen this IP. ✓ pass.
Layer 2 (Payload cap): A "DEAREST BELOVED" letter is under a kilobyte. ✓ pass.
Layer 3 (Site lookup): The customer's site exists and is active. ✓ pass.
Layer 4 (Origin verification): The submission came from the registered Squarespace domain via our snippet. ✓ pass. (If this had been a headless script hitting /v1/check directly, layer 4 would have killed it. It wasn't. It was a real browser, on a real page, with a real form submit.)
Layer 5 (Page-load token): A real browser fetched /v1/token when it loaded the form, waited the human-required 800ms minimum, then submitted with a valid HMAC. ✓ pass. The scammer (or their tool) is rendering pages, not POSTing blind.
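Layer 5 is the one the scammer's tooling had to work hardest to pass, so here is an added sketch of how a page-load token of that kind can be minted and checked. This is illustrative code written for this post, not Pengon's implementation; the secret, the one-hour maximum age, the token layout and the rule that a site_id contains no dots are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real deployment keeps the secret out of source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
MIN_DWELL_MS = 800           # the human-required minimum before a submit is accepted
MAX_AGE_MS = 60 * 60 * 1000  # assumption: tokens older than an hour are stale


def issue_token(site_id: str, now_ms: int, secret: bytes = SERVER_SECRET) -> str:
    """Minted when the form loads. Assumes site_id contains no '.' characters."""
    nonce = secrets.token_hex(8)
    payload = f"{site_id}.{now_ms}.{nonce}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, site_id: str, now_ms: int,
                 secret: bytes = SERVER_SECRET) -> tuple[bool, str]:
    """Checked on submit. Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 4:
        return False, "malformed"
    tok_site, issued, nonce, tag = parts
    payload = f"{tok_site}.{issued}.{nonce}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare first, so nothing below runs on a forged token.
    if not hmac.compare_digest(expected, tag):
        return False, "bad-hmac"
    if tok_site != site_id:
        return False, "site-mismatch"   # token minted for a different site
    if not issued.isdigit():
        return False, "malformed"
    elapsed = now_ms - int(issued)
    if elapsed < MIN_DWELL_MS:
        return False, "too-fast"        # submitted before a human could read the form
    if elapsed > MAX_AGE_MS:
        return False, "expired"
    return True, "ok"
```

Because the issue time is inside the signed payload, a client cannot backdate the token to skip the 800ms wait without breaking the HMAC.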
Layer 6 (Per-IP rate limit): One submission. ✓ pass.
Layer 7 (Per-site rate limit): One submission, well under 60/min. ✓ pass.
Layer 8 (Field-length caps): Message comfortably under 10,000 characters. Truncation didn't fire. ✓ pass.
Layer 9 (Pipeline → AI): Inside layer 9 the cheap signals ran first: honeypot field empty (it was a real browser, so no honeypot fill), ProtonMail isn't on the disposable-email list (it's a real, legitimate provider), the message doesn't contain literal phrases from our keyword list ("crypto", "investment opportunity", "rank #1"). Cheap-layer score: low. AI gets called.
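To make the "cheap-layer score: low" step concrete, here is an added example of the kind of pre-AI scoring described above, written for this post rather than taken from Pengon. The honeypot field name, the point values, the block threshold and the two constructed submissions are assumptions; the keyword and disposable-domain lists use only the examples the post itself names.

```python
# Constructed lists using the post's own examples; a real deployment has far more.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.com"}
KEYWORDS = ("crypto", "investment opportunity", "rank #1", "casino", "viagra")
HONEYPOT_FIELD = "website_url"   # assumption: hidden field a human never fills
CHEAP_BLOCK_THRESHOLD = 60       # assumption: at or above this, no AI call is needed


def cheap_score(fields: dict) -> tuple[int, list[str]]:
    """Front half of layer 9: the signals that run before any AI inference."""
    score, reasons = 0, []
    if fields.get(HONEYPOT_FIELD, "").strip():
        score += 100
        reasons.append("honeypot-filled")
    email = fields.get("email", "").lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if domain in DISPOSABLE_DOMAINS:
        score += 60
        reasons.append(f"disposable-email:{domain}")
    text = fields.get("message", "").lower()
    hits = [k for k in KEYWORDS if k in text]
    score += 20 * len(hits)
    reasons.extend(f"keyword:{k}" for k in hits)
    return score, reasons


def route(fields: dict) -> str:
    """'block' when cheap signals alone suffice, else 'ai' to spend an inference call."""
    score, _ = cheap_score(fields)
    return "block" if score >= CHEAP_BLOCK_THRESHOLD else "ai"


# Constructed sample shaped like the letter in the post: every cheap signal passes.
ADVANCE_FEE = {
    "email": "sender@protonmail.com",
    "message": "DEAREST BELOVED, I am writing to inform you of an URGENT "
               "business proposal worth €4,500.",
    HONEYPOT_FIELD: "",
}
# Constructed 2010-era spam: disposable sender plus keywords, blocked without AI.
SEO_SPAM = {
    "email": "promo@mailinator.com",
    "message": "We can rank #1 on Google for your casino site!",
    HONEYPOT_FIELD: "",
}
```

The advance-fee letter scores zero here, which is exactly why it has to be routed to the AI call.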
The Mistral classifier reads the message and returns:
"Classic advance-fee scam: an unsolicited offer of money from a stranger, with a request for personal banking details."
The verdict lands above our spam threshold. Blocked.
Why the AI was the right layer here
This is a 419 scam, the genre named after section 419 of the Nigerian criminal code, the most-trained-on spam pattern in any modern LLM's corpus. Mistral instantly recognized:
- The salutation pattern ("DEAREST BELOVED", used exclusively in advance-fee letters, never in real correspondence)
- The windfall shape (€4,500, an unsolicited sum from a stranger paired with a vague "business proposal")
- The implied banking-details request that always follows
Could we have caught it with a keyword list? Yes, by adding "DEAREST BELOVED" and "barrister" and "business proposal" to the keyword layer. But every one of those strings appears in legitimate correspondence too. A keyword filter aggressive enough to catch this would also flag the lawyer writing a real proposal email and the customer who unironically greets you with "Dearest Friend". Over-flag and you lose the customer's trust faster than the spam ever could.
The AI doesn't have to choose. It reads the message in context. It sees DEAREST BELOVED + unsolicited money from a stranger + ProtonMail address + no specific business detail and recognizes the pattern. A real lawyer with a real proposal writes nothing like this.
This is the spam class the AI layer exists for: semantically obvious to a human, structurally clean on every other signal.
What the earlier layers DO catch
For balance, here's what gets killed before AI ever runs:
- Layers 1, 6, 7 kill scrapers and rotation attacks: anyone POSTing thousands of forms a minute from the same IP, or one IP rotating across thousands of site_ids
- Layer 4 kills anyone who scraped a site_id from public HTML and tried to abuse it from outside the snippet
- Layer 5 kills headless bots that don't render JavaScript long enough to fetch a token
- Layer 8 (inside layer 9) kills submissions with disposable email addresses (mailinator, tempmail, etc.), submissions from "[email protected]" pattern emails, and submissions containing the obvious 2010-era keyword spam ("rank #1 on Google", "casino", "viagra")
The first 8 layers handle the volume. The 9th handles the cleverness.
Where this is going
The 419 family is well-defined and stable, the templates haven't meaningfully changed since the early 2000s, and Mistral already recognizes them at 24B parameters. So this is a perfect candidate for a future optimization: once we've seen 50+ examples in our training corpus, a small fine-tune (LoRA) on the cheap-layer side can recognize the same pattern without needing an AI inference call. That saves cost and latency, and the AI then specializes in the harder cases: the polished AI outreach, the "warm lead" pretenders, the stealth-startup-no-NDA-can-we-call pitches we've written about elsewhere.
For now though, this is the model working as designed. Eight cheap layers triaging volume. One smart layer reading meaning. A "€4,500" letter never reaching a customer's inbox.
Pengon is an AI spam filter for Squarespace contact forms. We're in our founding-member window: $50 USD once, lifetime, 20 seats, or start a 21 day free trial, no credit card. Built in Zürich by Quad Studio.