type.inbound
and (
sender.email.domain.domain in $free_email_providers
or (
length(headers.reply_to) > 0
and all(headers.reply_to,
(
.email.domain.root_domain in $free_email_providers
or .email.domain.tld in $suspicious_tlds
)
and .email.email != sender.email.email
)
)
or sender.email.domain.tld in $suspicious_tlds
or strings.iends_with(sender.email.domain.tld, ".jp")
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "advance_fee" and .confidence in ("medium", "high")
)
or (
length(body.current_thread.text) < 200
and regex.icontains(body.current_thread.text,
'(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
)
and not regex.icontains(body.current_thread.text,
'(closed.{0,50})?\$\d,\d{3}\,\d{3}.{0,100}(homes|realty|sale)?'
)
and not any(body.links,
regex.icontains(.href_url.url,
'(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
)
)
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
// out of office auto-reply
or strings.istarts_with(subject.subject, "Automatic reply:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.icontains(subject.subject,
'^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
)
)
)
)
or any(headers.reply_to, .email.email != sender.email.email)
)
)
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.