Spam: Attendee List solicitation

This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request.

Sublime rule (View on GitHub)

  1name: "Spam: Attendee List solicitation"
  2description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
  3type: "rule"
  4severity: "low"
  5source: |
  6  type.inbound
  7  and length(body.current_thread.text) < 2000
  8  and length(body.links) < 5
  9  and (
 10    (
 11      (
 12        any([subject.subject, body.current_thread.text],
 13            (
 14              regex.icontains(.,
 15                              '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
 16              )
 17              and not (
 18                regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1
 19                and regex.icontains(.,
 20                                    '(?:unsub|remove|safe|delete|leave|update|part of|be added)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email)(?:\s\w*){0,9}list(?:\b|[^ei])',
 21                                    'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete|leave|up to date|part of|be added)'
 22                )
 23              )
 24            )
 25            or regex.icontains(.,
 26                               '(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
 27            )
 28        )
 29      )
 30      and regex.icontains(body.current_thread.text,
 31                          "(?:interested|accessing|purchas|obtain|acuir|sample)"
 32      )
 33      and not regex.icontains(body.current_thread.text,
 34                              "(?:debit card|transaction.{0,20}processed|receipt)"
 35      )
 36    )
 37    // if there are indicators of a previous thread, also inspect the previous thread
 38    or (
 39      // contains references to the previous thread
 40      2 of (
 41        regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
 42        regex.icontains(body.current_thread.text,
 43                        '(?:below|previous|last|prior) email'
 44        ),
 45        regex.icontains(body.current_thread.text, 'follow(?:ing)? up'),
 46        regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
 47        regex.icontains(body.current_thread.text, '(any|get an) update.{0,50}\?'),
 48        strings.icontains(body.current_thread.text, 'heard back'),
 49        strings.icontains(body.current_thread.text, 'recently sent'),
 50        strings.icontains(body.current_thread.text, 'still interested'),
 51        regex.icontains(body.current_thread.text, '(swift|quick|short) response'),
 52      )
 53      and any([body.html.display_text, body.plain.raw],
 54              (
 55                3 of (
 56                  strings.icontains(., "from:"),
 57                  strings.icontains(., "to:"),
 58                  strings.icontains(., "sent:"),
 59                  strings.icontains(., "date:"),
 60                  strings.icontains(., "cc:"),
 61                  strings.icontains(., "subject:")
 62                )
 63                or strings.icontains(.,
 64                                     strings.concat(sender.display_name,
 65                                                    " <",
 66                                                    sender.email.email,
 67                                                    "> wrote:"
 68                                     )
 69                )
 70              )
 71              // match _after_ the previous thread indciators
 72              and (
 73                regex.icontains(.,
 74                                '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
 75                )
 76                or regex.icontains(.,
 77                                   '(?:from|to|sent|date|cc|subject|wrote):.*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
 78                )
 79                or (
 80                  2 of (
 81                    strings.icontains(., "provide counts"),
 82                    regex.icontains(., "(?:verified|fresh) data"),
 83                    strings.icontains(., "precise targeting"),
 84                    strings.icontains(., "deliverability")
 85                  )
 86                  and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
 87                )
 88              )
 89      )
 90    )
 91  )
 92  and not profile.by_sender().solicited
 93  and not profile.by_sender().any_false_positives  
 94tags:
 95  - "Attack surface reduction"
 96attack_types:
 97  - "Spam"
 98detection_methods:
 99  - "Content analysis"
100  - "Sender analysis"
101id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"

Related rules

to-top