Spam: Attendee List solicitation
This rule detects messages claiming to have the attendee list from a specific event; such messages may list information such as the number of contacts, the demographic, and sample contacts. The messages typically offer to send pricing information upon request.
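name: "Spam: Attendee List solicitation"
description: "This rule detects messages claiming to have the attendee list from a specific event, they may list various information such as the number of contacts, the demographic and sample contacts. The messages typically offer to send pricing information upon request."
type: "rule"
severity: "low"
# Detection logic (MQL). Two branches: the pitch is either in the current
# message itself, or sits in a quoted earlier message that the current
# message refers back to.
source: |
  type.inbound
  // these pitches are short, plain-text and carry few links
  and length(body.current_thread.text) < 2000
  and length(body.links) < 5
  and (
    // Branch 1: the current message itself contains the list pitch
    (
      (
        any([subject.subject, body.current_thread.text],
            (
              // "<audience> ... list/database". list(?:\b|[^ei]) requires "list" to end
              // the word or be followed by something other than e/i, so forms such
              // as "listen", "listed" or "listing" do not match.
              regex.icontains(.,
                              '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Store|Grocer)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
              )
              // exclude a single "email/contact list" mention that appears in
              // unsubscribe / list-management wording
              and not (
                regex.icount(.,
                             '(email|contact)(?:[[:punct:]]*s)?(?:\s\w*){0,9}list'
                ) == 1
                and regex.icontains(.,
                                    '(?:unsub|remove|safe|delete|leave|update|part of|be added|safe)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email|my|sender)(?:\s\w*){0,9}list(?:\b|[^ei])',
                                    'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete|leave|up to date|part of|be added)'
                )
              )
            )
            // reversed word order: "list/database of <audience>"
            or regex.icontains(.,
                               '\b(?:list|database)(?:[[:punct:]]*s)?\b(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Store|Grocer)s?'
            )
        )
      )
      // commercial intent: interest, purchase/obtain/acquire, samples, counts, pricing.
      // "acquir" (acquire, acquiring) was previously misspelled "acuir", which matched nothing.
      and regex.icontains(body.current_thread.text,
                          "(?:interest(s|ed)|accessing|purchas|obtain|acquir|sample|provide.{0,10}samples|counts|pricing)"
      )
      // transactional notices legitimately combine "list"-like wording with purchase terms
      and not regex.icontains(body.current_thread.text,
                              "(?:debit card|transaction.{0,20}processed|receipt)"
      )
    )
    // Branch 2: if there are indicators of a previous thread, also inspect the previous thread
    or (
      // contains references to the previous thread
      2 of (
        regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
        regex.icontains(body.current_thread.text, '(take|move)(\Wthis)?\Wforward'),
        regex.icontains(body.current_thread.text,
                        '(review|drop me a line about) (my|this|it)'
        ),
        regex.icontains(body.current_thread.text,
                        'missed it( the)? first time'
        ),
        regex.icontains(body.current_thread.text,
                        '(?:below|previous(ly)?|last|prior|earlier) (message|email|sent)'
        ),
        regex.icontains(body.current_thread.text,
                        // "the email I sent you earlier"
                        '(e?mail|message).{0,20}(sent).{0,20}(?:below|previous(ly)?|last|prior|earlier)'
        ),
        regex.icontains(body.current_thread.text,
                        '(sent).{0,50}(e?mail|message) (?:below|previous(ly)?|last|prior|earlier)'
        ),
        regex.icontains(body.current_thread.text, 'follow(?:ing)?(-| )up'),
        regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
        regex.icontains(body.current_thread.text, '(any|get an) update.{0,50}\?'),
        regex.icontains(body.current_thread.text, '(heard?|circling) back'),
        strings.icontains(body.current_thread.text, 'recently sent'),
        strings.icontains(body.current_thread.text, 'still interested'),
        regex.icontains(body.current_thread.text, 'did you (get|receive) (it|my (message|e?mail))'),
        regex.icontains(body.current_thread.text, '(swift|quick|short) response'),
        // NOTE(review): the stray "." after {0,30} forces at least one character
        // before "interested"; ".{0,30}interested" was probably intended - confirm before changing
        regex.icontains(body.current_thread.text, 'kindly.{0,30}.interested'),
      )
      // the quoted earlier message is only visible in the full body, not in body.current_thread
      and any([body.html.display_text, body.plain.raw],
              (
                // quoted-header fields of a forwarded/replied message
                3 of (
                  strings.icontains(., "from:"),
                  strings.icontains(., "to:"),
                  strings.icontains(., "sent:"),
                  strings.icontains(., "date:"),
                  strings.icontains(., "cc:"),
                  strings.icontains(., "subject:"),
                  strings.icontains(., "--Original Message--")
                )
                // or a "Name <address> wrote:" quote line built from the sender's own identity
                or strings.icontains(.,
                                     strings.concat(sender.display_name,
                                                    " <",
                                                    sender.email.email,
                                                    "> wrote:"
                                     )
                )
              )
              // match _after_ the previous thread indicators.
              // (.|\W)* lets the match run across line breaks between the quoted header and the pitch
              and (
                regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):(.|\W)*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Mailing)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
                )
                or regex.icontains(.,
                                   '(?:from|to|sent|date|cc|subject|wrote):(.|\W)*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor|Mailing)s?'
                )
                // or data-broker sales vocabulary next to a list/database mention
                or (
                  2 of (
                    strings.icontains(., "provide counts"),
                    regex.icontains(., "(?:verified|fresh) data"),
                    strings.icontains(., "precise targeting"),
                    strings.icontains(., "deliverability"),
                    regex.icontains(., "target (verticals|regions|criteria)")
                  )
                  and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
                )
              )
      )
    )
  )
  // negate Zendesk support tickets
  and not any(body.links,
              .href_url.domain.root_domain in ('zendesk.com')
              and .display_text == 'Zendesk'
  )
  // sender-profile exclusions: solicited senders and senders with prior false positives
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Spam"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "69715b62-7747-5f85-a399-dc72c3f8cb7d"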