Spam: Attendee List solicitation
This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.
Sublime rule (View on GitHub)
1name: "Spam: Attendee List solicitation"
2description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7 and length(body.current_thread.text) < 2000
8 and length(body.links) < 5
9 and (
10 (
11 (
12 any([subject.subject, body.current_thread.text],
13 (
14 regex.icontains(.,
15 '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
16 )
17 and not (
18 regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1
19 and regex.icontains(.,
20 '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email).{0,9}list(?:\b|[^ei])',
21 'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)'
22 )
23 )
24 )
25 or regex.icontains(.,
26 '(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
27 )
28 )
29 )
30 and regex.icontains(body.current_thread.text,
31 "(?:interested|accessing|purchas|obtain|acuir|sample)"
32 )
33 and not regex.icontains(body.current_thread.text,
34 "(?:debit card|transaction.{0,20}processed)"
35 )
36 )
37 // if there are indicators of a previous thread, also inspect the previous thread
38 or (
39 // contains references to the previous thread
40 2 of (
41 regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
42 regex.icontains(body.current_thread.text,
43 '(?:below|previous|last|prior) email'
44 ),
45 regex.icontains(body.current_thread.text, 'follow(?:ing)? up'),
46 regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
47 strings.icontains(body.current_thread.text, 'heard back'),
48 )
49 and any([body.html.display_text, body.plain.raw],
50 (
51 3 of (
52 strings.icontains(., "from:"),
53 strings.icontains(., "to:"),
54 strings.icontains(., "sent:"),
55 strings.icontains(., "date:"),
56 strings.icontains(., "cc:"),
57 strings.icontains(., "subject:")
58 )
59 or strings.icontains(.,
60 strings.concat(sender.display_name,
61 " <",
62 sender.email.email,
63 "> wrote:"
64 )
65 )
66 )
67 // match _after_ the previous thread indciators
68 and (
69 regex.icontains(.,
70 '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
71 )
72 or regex.icontains(.,
73 '(?:from|to|sent|date|cc|subject|wrote):.*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
74 )
75 or (
76 2 of (
77 strings.icontains(., "provide counts"),
78 regex.icontains(., "(?:verified|fresh) data"),
79 strings.icontains(., "precise targeting"),
80 strings.icontains(., "deliverability")
81 )
82 and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
83 )
84 )
85 )
86 )
87 )
88 and not profile.by_sender().solicited
89 and not profile.by_sender().any_false_positives
90tags:
91 - "Attack surface reduction"
92attack_types:
93 - "Spam"
94detection_methods:
95 - "Content analysis"
96 - "Sender analysis"
97id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"