Predatory Academic Journal Solicitation

Detects messages related to academic research and publishing that contain suspicious patterns including character manipulation, flattering language, time pressure tactics, and domain registration anomalies. Focuses on unsolicited invitations for manuscript submissions, peer reviews, or editorial roles.

Sublime rule (View on GitHub)

  1name: "Predatory Academic Journal Solicitation"
  2description: "Detects messages related to academic research and publishing that contain suspicious patterns including character manipulation, flattering language, time pressure tactics, and domain registration anomalies. Focuses on unsolicited invitations for manuscript submissions, peer reviews, or editorial roles."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and any(beta.ml_topic(body.current_thread.text).topics,
  8          .name == "Educational and Research"
  9          and .confidence in ("medium", "high")
 10  )
 11  and not any(beta.ml_topic(body.current_thread.text).topics,
 12              .name in ("Health and Wellness") and .confidence == "high"
 13  )
 14  and ml.nlu_classifier(body.current_thread.text).language == "english"
 15  and 3 of (
 16    regex.count(body.current_thread.text,
 17                '[Æ×æı-ijʼnŒœƁƄƇƊƍƓƖƘƠơƤƦƧƬƳƷƼƽǀǁLJ-njDZ-dzȜȢȣɑɡɣɩɪɯʋʏʣʦʪʫ˛ͺͿΑΒΕ-ΗΙΚΜΝΟΡΤΥΧαγινορσυϒϜϨϱ-ϳϹϺЅІЈАВЕЗКМ-ОР-УХЫЬЮабгеорсухѕіјѡѴѵґҮүһҽӀӏӔӕӠԁԌԛ-ԝՍՏՕագզհոռսցքօ׀וטןסװױاه١٥٧ھہە۱۵۷߀ߊ०০৪৭੦੧੪ଠ୦୨ഠ൦๐໐ဝ၀ყჿሀዐᎠ-ᎢᎤᎥᎩ-ᎬᎳᎷᎻᎽᏀᏂᏃᏎᏏᏒᏔᏕᏙᏚᏞᏟᏢᏦᏧᏮᏳᏴᐯᑌᑧᑭᑯᑲᒆ-ᒈᒍᒪᒿᕁᕼᕽᖇᖯᖴᗅᗞᗪᗰᗷ᙭᙮ᚷᛁᛕᛖᴄᴏᴑᴜᴠ-ᴢᴦᵫᶃᶌẝỿι‖₨₶℀-ℂ℅℆ℊ-ℎℐ-ℓℕ№ℙ-ℝ℡ℤℨℬ-ℱℳℴℹ℻ℽⅅ-ⅉⅠ-ⅿ∞∣∥∨∪⊤⋁⋃⋿⍳⍴⍺⏽⑴-⒵╳⟙⤫⤬⨯ⲅⲎⲒⲔⲘⲚⲞⲟⲢ-ⲦⲨⲬⳊⳌⳐⳒⴸⴹⵏⵔⵕⵝ〇ꓐ-ꓔꓖꓗꓙꓚꓜꓝꓟ-ꓣꓦꓧꓪ-ꓬꓮꓰꓲ-ꓴꙄꙇꚘꚙꛟꛯꜨꜱ-ꜽꝎꝏꝚꝪꝮꝷꭵꮁꮃꮓꮩꮪꮯff-fflstﮦ-ﮭﺍﺎﻩ-ﻬA-CEH-KM-PSTX-Zaceg-jlopsvxy│𐊂𐊆𐊇𐊊𐊐𐊒𐊕-𐊗𐊠-𐊢𐊥𐊫𐊰-𐊲𐊴𐋏𐋵𐌁𐌂𐌉𐌑𐌕𐌗𐌚𐌠𐌢𐐄𐐕𐐛𐐠𐐬𐐽𐑈𐒴𐓂𐓎𐓒𐓪𐓶𐔓𐔖𐔘𐔜𐔝𐔥-𐔧𑓐𑜀𑜆𑜊𑜎𑜏𑢠𑢢-𑢤𑢦𑢩𑢬𑢮𑢯𑢲𑢵𑢸𑢻𑢼𑣀-𑣄𑣆𑣈𑣊𑣌𑣕-𑣘𑣜𑣠𑣣𑣥𑣦𑣩𑣬𑣯𑣲𖼈𖼊𖼖𖼨𖼵𖼺𖼻𖽀𖽂𖽃𝐀-𝑔𝑖-𝒜𝒞𝒟𝒢𝒥𝒦𝒩-𝒬𝒮-𝒹𝒻𝒽-𝓃𝓅-𝔅𝔇-𝔊𝔍-𝔔𝔖-𝔜𝔞-𝔹𝔻-𝔾𝕀-𝕄𝕆𝕊-𝕐𝕒-𝚤𝚨𝚩𝚬-𝚮𝚰𝚱𝚳𝚴𝚶𝚸𝚻𝚼𝚾𝛂𝛄𝛊𝛎𝛐𝛒𝛔𝛖𝛠𝛢𝛣𝛦-𝛨𝛪𝛫𝛭𝛮𝛰𝛲𝛵𝛶𝛸𝛼𝛾𝜄𝜈𝜊𝜌𝜎𝜐𝜚𝜜𝜝𝜠-𝜢𝜤𝜥𝜧𝜨𝜪𝜬𝜯𝜰𝜲𝜶𝜸𝜾𝝂𝝄𝝆𝝈𝝊𝝔𝝖𝝗𝝚-𝝜𝝞𝝟𝝡𝝢𝝤𝝦𝝩𝝪𝝬𝝰𝝲𝝸𝝼𝝾𝞀𝞂𝞄𝞎𝞐𝞑𝞔-𝞖𝞘𝞙𝞛𝞜𝞞𝞠𝞣𝞤𝞦𝞪𝞬𝞲𝞶𝞸𝞺𝞼𝞾𝟈𝟊𝟎]'
 18    ) > 100,
 19    regex.icontains(strings.replace_confusables(body.current_thread.text),
 20                    "Impact Factor",
 21                    "Special Issue",
 22                    "Guest Editor",
 23                    "peer-review",
 24                    "manuscript",
 25                    "workshop",
 26                    "journal (of|editor)",
 27                    "inclusive research",
 28                    "abstract",
 29                    "open-access",
 30                    "upcoming edition",
 31                    "title of (your (work|published article)|the study)",
 32                    "your paper's title",
 33                    "and the abstract",
 34                    "abstract of (your work|the study)",
 35                    "detailed abstract",
 36                    'contribution\b',
 37                    "accepted paper",
 38                    "submit.{0,20}.(manuscript|article)",
 39                    "call for editorial",
 40                    "reviewer team",
 41                    "review.{0,15}.(journal|issue)"
 42    ),
 43  
 44    // flattering language, as seen in previous research
 45    regex.icontains(strings.replace_confusables(body.current_thread.text),
 46                    'your\s+(article|paper|research|publication|work)\s+"?[^"]+?"?\s+(is\s+very\s+excellent|strongly\s+reflects|will\s+be\s+a\s+valuable)',
 47                    'we\s+believe\s+(that\s+)?your\s+(experience|perspective|expertise|comments?)\s+(will\s+add|can\s+play|will\s+be)\s+.{0,100}(important|valuable)',
 48                    '(you\s+are\s+one\s+of\s+the\s+leading\s+experts?|someone\s+of\s+your\s+caliber)',
 49                    '(emerging\s+voices?\s+like\s+yours|shape\s+the\s+scholarly\s+direction)',
 50                    '(learning\s+from\s+the\s+internet|know\s+your\s+"[^"]+"\s+is\s+very\s+excellent)',
 51                    '(world''s|global|international)\s+(foremost|leading|top|premier)\s+(authorities|experts|researchers)',
 52                    // The "highly valued" variants
 53                    'your\s+(participation|contribution|presence|involvement)\s+(would\s+be|is)\s+(highly|greatly|immensely|extremely)\s+(valued|appreciated|welcomed)',
 54  
 55                    // Time pressure tactics
 56                    '(short\s+notice|busy\s+schedule|quick\s+turnaround|urgent\s+deadline|limited\s+slots)',
 57  
 58                    // "No charge" red flags
 59                    '(no\s+charge|free\s+of\s+charge|waived\s+fee|complimentary|at\s+no\s+cost)',
 60  
 61                    // Vague topic promises
 62                    '(topic\s+of\s+your\s+choice|any\s+topic\s+related|broad\s+range\s+of\s+topics|multidisciplinary\s+approach)',
 63  
 64                    // Easy publication promises
 65                    '(guaranteed\s+publication|fast\s+track\s+review|expedited\s+process|will\s+not\s+be\s+too\s+time-consuming)',
 66  
 67                    // Template giveaways
 68                    '(do\s+hope\s+you\s+can\s+make\s+time|kindly\s+submit|gentle\s+reminder|esteemed\s+researcher)'
 69    ),
 70  
 71    // Message contains the users last name, but not their first name
 72    // Presumably, this is because names are listed that way on academic papers
 73    strings.icontains(body.current_thread.text, mailbox.last_name)
 74    and not strings.icontains(body.current_thread.text, mailbox.first_name)
 75    and not any(recipients.to,
 76                strings.icontains(body.current_thread.text, .email.email)
 77    )
 78    and length(mailbox.last_name) > 4,
 79  
 80    // Or, message contains the users last, first
 81    // Example: Doe, John
 82    // Presumably, this is because names are listed that way on academic papers
 83    strings.icontains(body.current_thread.text,
 84                      strings.concat(mailbox.last_name, ", ", mailbox.first_name)
 85    ),
 86  
 87    // new sender or link domain
 88    network.whois(sender.email.domain).days_old < 90,
 89    any(body.links, network.whois(.href_url.domain).days_old < 90),
 90  
 91    // Crossref DOI registration abuse (https://doi.org/10.29328)
 92    any(body.links,
 93        .href_url.domain.root_domain == "doi.org"
 94        and strings.istarts_with(.href_url.path, '/10.29328')
 95    ),
 96  
 97    // Sender does not match original thread sender
 98    length(body.previous_threads) > 0
 99    and any(regex.iextract(body.html.display_text, 'From: (?P<email_address>\S*)'),
100            strings.parse_email(.named_groups['email_address']).email != sender.email.email
101    ),
102  
103    // sent from Windows Server with default name
104    strings.contains(headers.message_id, "@DESKTOP-"),
105  
106    // requesting a manuscript review
107    strings.ilike(body.current_thread.text, "*review*")
108    and strings.ilike(body.current_thread.text, "*manuscript*", "*submission*"),
109  
110    // Chinese registrant country
111    network.whois(sender.email.domain).registrant_country_code == "CN",
112    any(body.links,
113        network.whois(.href_url.domain).registrant_country_code == "CN"
114    ),
115  
116    // Alibaba infrastructure
117    any(headers.domains, .root_domain in ("aliyun.com", "aliyun-inc.com")),
118  
119    // Known predatory journals that we've observed and matched to beallslist.net
120    sender.email.domain.root_domain in (
121      "iris-research.net",
122      "irispublishers.com",
123      "lidsen.com"
124    ),
125  
126    // sender domain and body link domains do not match, but have the same registration details
127    (
128      length(body.links) > 0
129      and all(body.links,
130              (
131                network.whois(.href_url.domain).registrant_company == network.whois(sender.email.domain
132                ).registrant_company
133                and network.whois(.href_url.domain).registrar_name == network.whois(sender.email.domain
134                ).registrar_name
135              )
136              and .href_url.domain.root_domain != sender.email.domain.root_domain
137      )
138    ),
139  
140    // known patterns
141    any(body.links, regex.imatch(.href_url.path, '^/ey[a-z]/.{2,}$'))
142  )  
143
144attack_types:
145  - "BEC/Fraud"
146  - "Spam"
147tactics_and_techniques:
148  - "Social engineering"
149  - "Impersonation: Brand"
150  - "Lookalike domain"
151  - "Evasion"
152detection_methods:
153  - "Natural Language Understanding"
154  - "Content analysis"
155  - "Sender analysis"
156  - "URL analysis"
157  - "Whois"
158id: "263ca56b-d31b-5b38-b00e-c1c45e5e96bb"
to-top