Spam: Attendee List solicitation
This rule detects messages claiming to have the attendee list from a specific event; such messages may list various details such as the number of contacts, the demographics, and sample contacts. They typically offer to send pricing information upon request.
Sublime rule
# Sublime detection rule: flags inbound messages soliciting the sale of an
# event attendee / contact list. Severity is "low" (spam, not a credential or
# payload threat), so the rule is tuned for low false-positive rate rather than
# recall: it requires list-selling language plus interest/purchase wording, and
# excludes the usual "remove me from your mailing list" phrasing.
name: "Spam: Attendee List solicitation"
description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
type: "rule"
severity: "low"
source: |
  type.inbound
  // Scope: short latest-message bodies with few links; these solicitations are
  // typically brief text pitches rather than link-heavy marketing mail.
  and length(body.current_thread.text) < 2000
  and length(body.links) < 5
  and (
    // Branch 1: the latest message itself carries the list-selling language.
    (
      (
        any([subject.subject, body.current_thread.text],
            (
              // "<audience noun>(s) ... list/database", e.g. "attendee list",
              // "decision makers database"; up to 9 intervening words.
              regex.icontains(.,
                              '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
              )
              // Exclusion: a single "email list" mention that reads as an
              // unsubscribe / removal notice ("remove me from the mailing list")
              // is ordinary legitimate footer text, not a list being sold.
              and not (
                regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1
                and regex.icontains(.,
                                    '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email)(?:\s\w*){0,9}list(?:\b|[^ei])',
                                    'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)'
                )
              )
            )
            // Reverse word order: "list/database of <audience noun>s".
            or regex.icontains(.,
                               '(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
            )
        )
      )
      // The pitch must also express interest/acquisition language.
      // NOTE(review): 'acuir' looks like a truncated 'acquir' (acquire/acquiring);
      // as written it only matches that exact misspelling — confirm intent.
      and regex.icontains(body.current_thread.text,
                          "(?:interested|accessing|purchas|obtain|acuir|sample)"
      )
      // Exclusion: card/transaction notices that happen to mention a contact list.
      and not regex.icontains(body.current_thread.text,
                              "(?:debit card|transaction.{0,20}processed)"
      )
    )
    // if there are indicators of a previous thread, also inspect the previous thread
    // Branch 2: the latest message is a short follow-up ("did you get a chance",
    // "any update?") and the list-selling pitch lives in the quoted earlier mail,
    // so the full rendered/plain body is inspected instead of current_thread only.
    or (
      // contains references to the previous thread
      2 of (
        regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
        regex.icontains(body.current_thread.text,
                        '(?:below|previous|last|prior) email'
        ),
        regex.icontains(body.current_thread.text, 'follow(?:ing)? up'),
        regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
        regex.icontains(body.current_thread.text, '(any|get an) update.{0,50}\?'),
        strings.icontains(body.current_thread.text, 'heard back'),
        strings.icontains(body.current_thread.text, 'swift response'),
      )
      and any([body.html.display_text, body.plain.raw],
              (
                // Evidence of a quoted message: at least three header-style
                // labels, or a "<display name> <address> wrote:" line built
                // from this sender's own identity.
                3 of (
                  strings.icontains(., "from:"),
                  strings.icontains(., "to:"),
                  strings.icontains(., "sent:"),
                  strings.icontains(., "date:"),
                  strings.icontains(., "cc:"),
                  strings.icontains(., "subject:")
                )
                or strings.icontains(.,
                                     strings.concat(sender.display_name,
                                                    " <",
                                                    sender.email.email,
                                                    "> wrote:"
                                     )
                )
              )
              // match _after_ the previous thread indicators
              // (the header label / "wrote:" anchor precedes the list language)
              and (
                regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
                )
                or regex.icontains(.,
                                   '(?:from|to|sent|date|cc|subject|wrote):.*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
                )
                // Data-vendor marketing vocabulary plus a list/database mention.
                or (
                  2 of (
                    strings.icontains(., "provide counts"),
                    regex.icontains(., "(?:verified|fresh) data"),
                    strings.icontains(., "precise targeting"),
                    strings.icontains(., "deliverability")
                  )
                  and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
                )
              )
      )
    )
  )
  // Sender-history exclusions: skip senders the recipient has solicited and
  // senders with recorded false positives (reduces repeat noise on known-good mail).
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"