Spam: Sexually explicit content with emoji in subject from freemail provider

Detects messages from free email providers that contain sexually explicit content and include emojis in the subject line.

Sublime rule

name: "Spam: Sexually explicit content with emoji in subject from freemail provider"
description: "Detects messages from free email providers that contain sexually explicit content and include emojis in the subject line."
type: "rule"
severity: "low"
source: |
  type.inbound
  // sender is a freemail domain
  and sender.email.domain.root_domain in $free_email_providers
  // look for commonly used emojis in sexually explicit messages
  and regex.icontains(subject.subject,
                      '(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})'
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == 'Sexually Explicit Messages'
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "4a2326d4-7f22-5a0c-9f91-6e302ee1987a"
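The rule's three conjuncts replayed offline in Python, as an added example that is not part of the Sublime rule or the Sublime platform: it ports the rule's `\x{...}` emoji alternation to Python's `\U` escape syntax, approximates `root_domain` without a public-suffix list, and takes the NLU classifier's topic names as an input because `ml.nlu_classifier` is not available outside the platform. `FREE_EMAIL_PROVIDERS` is a constructed stand-in for the `$free_email_providers` list, not the real list.

```python
import re

# Emoji alternation copied from the rule, in Sublime's \x{HHHH} escape syntax
SUBLIME_EMOJI_PATTERN = (
    r'(\x{1F346}|\x{1F608}|\x{1F609}|\x{1F351}|\x{2764}|\x{1F60D}|\x{1F618}'
    r'|\x{1F48B}|\x{1F63B}|\x{1F445}|\x{1F51E}|\x{1F525}|\x{1F4F7})'
)

# Constructed stand-in for $free_email_providers (assumption; not Sublime's list)
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sublime_to_python_regex(pattern: str) -> str:
    """Rewrite \\x{HHHH} escapes into \\UXXXXXXXX, which Python's re understands.
    Python's re does not accept the \\x{...} form the rule uses."""
    return re.sub(r'\\x\{([0-9A-Fa-f]+)\}',
                  lambda m: '\\U%08x' % int(m.group(1), 16), pattern)


# re.IGNORECASE mirrors regex.icontains; the codepoints themselves have no case
EMOJI_RE = re.compile(sublime_to_python_regex(SUBLIME_EMOJI_PATTERN), re.IGNORECASE)


def root_domain(domain: str) -> str:
    """Approximate sender.email.domain.root_domain as the last two labels.
    Assumption: no public-suffix list, so 'example.co.uk' would come out wrong."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def rule_matches(sender_email: str, subject: str, body_topics: list) -> bool:
    """Evaluate the rule's conjuncts. body_topics stands in for the names returned
    by ml.nlu_classifier(body.current_thread.text).topics."""
    domain = sender_email.rsplit("@", 1)[-1]
    return (root_domain(domain) in FREE_EMAIL_PROVIDERS
            and EMOJI_RE.search(subject) is not None
            and "Sexually Explicit Messages" in body_topics)


if __name__ == "__main__":
    # Constructed sample: freemail sender, eggplant emoji in subject, flagged body
    print(rule_matches("someone@gmail.com", "hey \U0001F346", ["Sexually Explicit Messages"]))
```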