Spam: Attendee list solicitation

This rule detects messages claiming to have the attendee list from a specific event. Such messages may list various details, such as the number of contacts, the demographics, and sample contacts, and they typically offer to send pricing information upon request.

Sublime rule (View on GitHub)

  # Sublime Security detection rule (YAML metadata wrapping an MQL `source`
  # expression). Flags short, link-light inbound messages that pitch an event
  # attendee / contact list, either directly or as a follow-up to a quoted
  # earlier pitch. Severity is low; this is spam, not an account-compromise signal.
  name: "Spam: Attendee list solicitation"
  description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
  type: "rule"
  severity: "low"
  source: |
    // Scope: inbound only, and only compact messages (current-thread text
    // under 2000 characters, fewer than 5 links).
    type.inbound
    and length(body.current_thread.text) < 2000
    and length(body.links) < 5
    // The NLU classifier, run over the displayed HTML text (falling back to the
    // raw plain body), must tag the message as list solicitation or cold
    // outreach with at least medium confidence. This gates every branch below.
    and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).topics,
            .name in ("Contact List Solicitation", "B2B Cold Outreach")
            and .confidence in ("medium", "high")
    )
    and (
      // Branch 1: the current message itself advertises a list or database.
      (
        (
          // "<audience> ... list/database" in the subject or current-thread text
          // (up to 9 words between the audience noun and "list"/"database").
          any([subject.subject, body.current_thread.text],
              (
                regex.icontains(.,
                                '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Store|Grocer|Lead)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:\blist(?:\b|[^ei])|database)'
                )
                // Exclusion: exactly one "email/contact ... list" mention that is
                // really mailing-list management language (unsubscribe, remove,
                // update, "be added", ...) rather than a list for sale.
                and not (
                  regex.icount(.,
                               '(email|contact)(?:[[:punct:]]*s)?(?:\s\w*){0,9}list'
                  ) == 1
                  and regex.icontains(.,
                                      '(?:unsub|remove|safe|delete|leave|update|part of|be added|safe)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email|my|sender)(?:\s\w*){0,9}list(?:\b|[^ei])',
                                      'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete|leave|up to date|part of|be added)'
                  )
                )
              )
              // ... or the reversed word order, "list/database of <audience>".
              // NOTE(review): this audience alternation omits "Lead" while the
              // one above includes it -- confirm the difference is intentional.
              or regex.icontains(.,
                                 '\b(?:list|database)(?:[[:punct:]]*s)?\b(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Store|Grocer)s?'
              )
          )
        )
        // Buying / pricing intent, in the current thread or any previous thread.
        // NOTE(review): "acuir" looks like a typo for "acquir" (acquire /
        // acquiring); as written it will not match those words -- confirm.
        and (
          regex.icontains(body.current_thread.text,
                          "(?:interest(s|ed)|accessing|purchas|obtain|acuir|sample|provide.{0,10}samples|counts|pricing)"
          )
          or any(body.previous_threads,
                 regex.icontains(.text,
                                 "(?:interest(s|ed)|accessing|purchas|obtain|acuir|sample|provide.{0,10}samples|counts|pricing)"
                 )
          )
        )
        // Card / transaction wording indicates a different kind of message
        // (e.g. a receipt) that happens to mention contacts and pricing.
        and not regex.icontains(body.current_thread.text,
                                "(?:debit card|transaction.{0,20}processed)"
        )
      )
      // Branch 2: a follow-up to an earlier pitch. Here the list reference is
      // expected inside the quoted previous message, not the new text.
      // if there are indicators of a previous thread, also inspect the previous thread
      or (
        // contains references to the previous thread (at least two follow-up phrases)
        2 of (
          regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
          regex.icontains(body.current_thread.text, '(take|move)(\Wthis)?\Wforward'),
          regex.icontains(body.current_thread.text,
                          '(review|drop me a line about) (my|this|it)'
          ),
          regex.icontains(body.current_thread.text, 'missed it( the)? first time'),
          regex.icontains(body.current_thread.text,
                          '(?:below|previous(ly)?|last|prior|earlier) (message|email|sent)'
          ),
          regex.icontains(body.current_thread.text,
                          // "the email I sent you earlier"
                          '(e?mail|message).{0,20}(sent).{0,20}(?:below|previous(ly)?|last|prior|earlier)'
          ),
          regex.icontains(body.current_thread.text,
                          '(sent).{0,50}(e?mail|message) (?:below|previous(ly)?|last|prior|earlier)'
          ),
          regex.icontains(body.current_thread.text, 'follow(?:ing)?(-| )up'),
          regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
          regex.icontains(body.current_thread.text, '(any|get an) update.{0,50}\?'),
          regex.icontains(body.current_thread.text, '(heard?|circling) back'),
          strings.icontains(body.current_thread.text, 'recently sent'),
          strings.icontains(body.current_thread.text, 'still interested'),
          regex.icontains(body.current_thread.text,
                          'did you (get|receive) (it|my (message|e?mail))'
          ),
          regex.icontains(body.current_thread.text, '(swift|quick|short) response'),
          regex.icontains(body.current_thread.text, 'kindly.{0,30}.interested'),
        )
        // The quoted original must actually be present in the rendered or raw
        // body: either three header-style tokens, or a
        // "<display name> <address> wrote:" line built from this sender's identity.
        and any([body.html.display_text, body.plain.raw],
                (
                  3 of (
                    strings.icontains(., "from:"),
                    strings.icontains(., "to:"),
                    strings.icontains(., "sent:"),
                    strings.icontains(., "date:"),
                    strings.icontains(., "cc:"),
                    strings.icontains(., "subject:"),
                    strings.icontains(., "--Original Message--")
                  )
                  or strings.icontains(.,
                                       strings.concat(sender.display_name,
                                                      " <",
                                                      sender.email.email,
                                                      "> wrote:"
                                       )
                  )
                )
                // match _after_ the previous thread indicators
                // ("(.|\W)*" spans any run of text, including line breaks, so the
                // list phrase may sit anywhere after the first header-like token)
                and (
                  regex.icontains(.,
                                  '(?:from|to|sent|date|cc|subject|wrote):(.|\W)*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Mailing)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
                  )
                  or regex.icontains(.,
                                     '(?:from|to|sent|date|cc|subject|wrote):(.|\W)*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Mailing)s?'
                  )
                  // ... or generic data-broker phrasing (two of the five) plus any
                  // "list"/"database" mention.
                  or (
                    2 of (
                      strings.icontains(., "provide counts"),
                      regex.icontains(., "(?:verified|fresh) data"),
                      strings.icontains(., "precise targeting"),
                      strings.icontains(., "deliverability"),
                      regex.icontains(., "target (verticals|regions|criteria)")
                    )
                    and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
                  )
                )
        )
      )
    )
    // negate Zendesk support tickets
    and not any(body.links,
                .href_url.domain.root_domain in ('zendesk.com')
                and .display_text == 'Zendesk'
    )
    // Sender-profile exclusions: the recipient previously solicited this
    // sender, or the sender already has benign message history.
    and not profile.by_sender().solicited
    and not profile.by_sender().any_messages_benign  

  tags:
    - "Attack surface reduction"
  attack_types:
    - "Spam"
  detection_methods:
    - "Content analysis"
    - "Sender analysis"
  id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"
