Spam: Ghostwriting services scam with manipulative language

calendar Oct 17, 2025  ·
Share on: linkedin copy

Detects unsolicited messages promoting ghostwriting or book publishing services that use manipulative language patterns commonly seen in scams, such as offering complimentary samples, expressing fascination with the recipient's achievements, or requesting personal information under the guise of writing assistance.

Sublime rule (View on GitHub)

 1name: "Spam: Ghostwriting services scam with manipulative language"
 2description: "Detects unsolicited messages promoting ghostwriting or book publishing services that use manipulative language patterns commonly seen in scams, such as offering complimentary samples, expressing fascination with the recipient's achievements, or requesting personal information under the guise of writing assistance."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1500
 8  and (
 9    // Ghostwriting and book-related terms in subject
10    strings.icontains(subject.subject, "book project")
11    or strings.icontains(subject.subject, "ghostwriting")
12    or strings.icontains(subject.subject, "becoming an author")
13    or strings.icontains(subject.subject, "your book")
14    or strings.icontains(subject.subject, "writing project")
15    or strings.icontains(subject.subject, "publish")
16    or strings.icontains(subject.subject, " author ")
17  
18    // Body contains ghostwriting service offers
19    or strings.icontains(body.current_thread.text, "ghostwriting")
20    or strings.icontains(body.current_thread.text, "ghostwriter")
21    or strings.icontains(body.current_thread.text, "writing firm")
22    or strings.icontains(body.current_thread.text, "book writing")
23    or strings.icontains(body.current_thread.text, "publishing")
24  )
25  // Common scam language patterns
26  and (
27    (
28      strings.icontains(body.current_thread.text, "complimentary")
29      and (
30        strings.icontains(body.current_thread.text, "sample")
31        or strings.icontains(body.current_thread.text, "chapter")
32        or strings.icontains(body.current_thread.text, "consultation")
33      )
34    )
35    or (
36      strings.icontains(body.current_thread.text, "fascinated")
37      and strings.icontains(body.current_thread.text, "what you have done")
38    )
39    or strings.icontains(body.current_thread.text, "inspiring stories")
40    or strings.icontains(body.current_thread.text, "gather some information")
41    or strings.icontains(body.current_thread.text, "few minutes of your time")
42    or strings.icontains(body.current_thread.text, "absolutely no obligation")
43    or strings.icontains(body.current_thread.text, "writing team")
44  )
45  and not (
46    any(ml.nlu_classifier(body.current_thread.text).topics,
47        .name in (
48          "Newsletters and Digests",
49          "Events and Webinars",
50          "Educational and Research",
51          "Financial Communications",
52          "Advertising and Promotions",
53          "Legal and Compliance",
54          "Professional and Career Development"
55        )
56        and .confidence == "high"
57    )
58  )
59  
60  // Standard negations
61  and (
62    (
63      sender.email.domain.root_domain in $high_trust_sender_root_domains
64      and not headers.auth_summary.dmarc.pass
65    )
66    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
67  )  
68
69attack_types:
70  - "Spam"
71tactics_and_techniques:
72  - "Social engineering"
73detection_methods:
74  - "Content analysis"
75  - "Sender analysis"
76id: "b747c3ea-509e-5a0d-ab00-3376cf7ba68b"
to-top