Spam: Attendee list solicitation
This rule detects messages claiming to have the attendee list from a specific event; such messages may list information such as the number of contacts, the demographics, and sample contacts. The messages typically offer to send pricing information upon request.
Sublime rule (View on GitHub)
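name: "Spam: Attendee list solicitation"
description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
type: "rule"
severity: "low"
source: |
  type.inbound
  // keep the rule to short, link-light messages: long or link-heavy mail is out of scope here
  and length(body.current_thread.text) < 2000
  and length(body.links) < 5
  // NLU gate: both topics are accepted at medium or high confidence
  and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).topics,
          .name in ("Contact List Solicitation", "B2B Cold Outreach")
          and .confidence in ("medium", "high")
  )
  and (
    // branch 1: the current message itself names a list/database and shows purchase intent
    (
      (
        any([subject.subject, body.current_thread.text],
            (
              // "<audience> ... list|database", e.g. "attendee list", "decision maker database"
              regex.icontains(.,
                              '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Store|Grocer|Lead)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:\blist(?:\b|[^ei])|database)'
              )
              // carve-out: a single "email/contact list" mention that is really
              // unsubscribe / mailing-list housekeeping language
              and not (
                regex.icount(.,
                             '(email|contact)(?:[[:punct:]]*s)?(?:\s\w*){0,9}list'
                ) == 1
                and regex.icontains(.,
                                    '(?:unsub|remove|safe|delete|leave|update|part of|be added|safe)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email|my|sender)(?:\s\w*){0,9}list(?:\b|[^ei])',
                                    'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete|leave|up to date|part of|be added)'
                )
              )
            )
            // reversed word order: "list|database ... of <audience>"
            // NOTE(review): this alternation omits "Lead", which the forward pattern above
            // includes — confirm whether the two term lists are meant to mirror each other
            or regex.icontains(.,
                               '\b(?:list|database)(?:[[:punct:]]*s)?\b(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Store|Grocer)s?'
            )
        )
      )
      // purchase / interest language, in the current message or any earlier one
      // NOTE(review): "acuir" in both patterns below looks like a typo ("acquir" would cover
      // acquire/acquiring); as written that alternative is unlikely to match anything.
      // Left unchanged — confirm intent before editing.
      and (
        regex.icontains(body.current_thread.text,
                        "(?:interest(s|ed)|accessing|purchas|obtain|acuir|sample|provide.{0,10}samples|counts|pricing)"
        )
        or any(body.previous_threads,
               regex.icontains(.text,
                               "(?:interest(s|ed)|accessing|purchas|obtain|acuir|sample|provide.{0,10}samples|counts|pricing)"
               )
        )
      )
      // exclude payment / transaction notices that incidentally mention lists
      and not regex.icontains(body.current_thread.text,
                              "(?:debit card|transaction.{0,20}processed)"
      )
    )
    // branch 2: if there are indicators of a previous thread, also inspect the previous thread
    or (
      // contains references to the previous thread
      2 of (
        regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
        regex.icontains(body.current_thread.text, '(take|move)(\Wthis)?\Wforward'),
        regex.icontains(body.current_thread.text,
                        '(review|drop me a line about) (my|this|it)'
        ),
        regex.icontains(body.current_thread.text, 'missed it( the)? first time'),
        regex.icontains(body.current_thread.text,
                        '(?:below|previous(ly)?|last|prior|earlier) (message|email|sent)'
        ),
        regex.icontains(body.current_thread.text,
                        // "the email I sent you earlier"
                        '(e?mail|message).{0,20}(sent).{0,20}(?:below|previous(ly)?|last|prior|earlier)'
        ),
        regex.icontains(body.current_thread.text,
                        '(sent).{0,50}(e?mail|message) (?:below|previous(ly)?|last|prior|earlier)'
        ),
        regex.icontains(body.current_thread.text, 'follow(?:ing)?(-| )up'),
        regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
        regex.icontains(body.current_thread.text, '(any|get an) update.{0,50}\?'),
        regex.icontains(body.current_thread.text, '(heard?|circling) back'),
        strings.icontains(body.current_thread.text, 'recently sent'),
        strings.icontains(body.current_thread.text, 'still interested'),
        regex.icontains(body.current_thread.text,
                        'did you (get|receive) (it|my (message|e?mail))'
        ),
        regex.icontains(body.current_thread.text, '(swift|quick|short) response'),
        regex.icontains(body.current_thread.text, 'kindly.{0,30}.interested'),
      )
      and any([body.html.display_text, body.plain.raw],
              (
                // a quoted earlier message: either several header labels or a "<name> <addr> wrote:" line
                3 of (
                  strings.icontains(., "from:"),
                  strings.icontains(., "to:"),
                  strings.icontains(., "sent:"),
                  strings.icontains(., "date:"),
                  strings.icontains(., "cc:"),
                  strings.icontains(., "subject:"),
                  strings.icontains(., "--Original Message--")
                )
                or strings.icontains(.,
                                     strings.concat(sender.display_name,
                                                    " <",
                                                    sender.email.email,
                                                    "> wrote:"
                                     )
                )
              )
              // match _after_ the previous thread indicators
              // NOTE(review): "(.|\W)*" is used to span newlines; because "." and "\W" overlap
              // the alternation is ambiguous and, depending on the regex engine, can backtrack
              // heavily on long quoted threads. "[\s\S]*" expresses the same match without the
              // ambiguity. Left unchanged.
              and (
                regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):(.|\W)*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Mailing)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
                )
                or regex.icontains(.,
                                   '(?:from|to|sent|date|cc|subject|wrote):(.|\W)*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Mailing)s?'
                )
                // data-broker sales vocabulary plus a list/database mention
                or (
                  2 of (
                    strings.icontains(., "provide counts"),
                    regex.icontains(., "(?:verified|fresh) data"),
                    strings.icontains(., "precise targeting"),
                    strings.icontains(., "deliverability"),
                    regex.icontains(., "target (verticals|regions|criteria)")
                  )
                  and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
                )
              )
      )
    )
  )
  // negate Zendesk support tickets
  and not any(body.links,
              .href_url.domain.root_domain in ('zendesk.com')
              and .display_text == 'Zendesk'
  )
  // sender-history suppressions: solicited senders and senders with prior benign mail are excluded
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign

tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"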