Sublime Core Feed

Description

Attack impersonating the brand of ledger.com, the hardware cryptocurrency wallet vendor.

Sublime Security
Created Aug 17th, 2023 • Last updated Jan 3rd, 2025
Source
type.inbound
and (
  (
    sender.email.domain.root_domain == 'ledger.com'
    and headers.return_path.domain.root_domain not in (
      'ledger.com',
      'amazonses.com',
      'ledger.fr',
      'hubspotemail.net'
    )
  )
  or (
    (
      // only match ledger actual domains if dmarc fails
      not (
        sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
        and headers.auth_summary.dmarc.pass
      )
      or not sender.email.domain.root_domain in~ ('ledger.com', 'ledger.fr')
    )
    and (
      strings.ilike(sender.email.email, '*-ledger.com*')
      or sender.display_name =~ "ledger"
      or strings.istarts_with(sender.display_name, "ledger")
      or strings.ilevenshtein(sender.email.domain.sld, "ledger") <= 1
    )
    and (
      // if this comes from a free email provider,
      // flag if org has never sent an email to sender's email before
      (
        sender.email.domain.root_domain in $free_email_providers
        and sender.email.email not in $recipient_emails
      )
      // if this comes from a custom domain,
      // flag if org has never sent an email to sender's domain before
      or (
        sender.email.domain.root_domain not in $free_email_providers
        and sender.email.domain.domain not in $recipient_domains
      )
    )
  )
)
and sender.email.domain.root_domain not in (
  // Fortune has a newsletter called "The Ledger"
  'fortune.com',
  'velocityledger.com',
  'lever.co',
  'queensledger.com',
  'libertyledger.com',
  'uledger.io',
  'ledgers.org.uk',
  'leger.co.uk',
  'xledger.net'
)
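Added example (not Sublime's own code): a Python approximation of the rule above, evaluated over constructed sample messages so each branch (return-path mismatch on a real ledger.com sender, lookalike domain or display name, first-contact check) can be read and tested outside the MQL console. Assumptions: root-domain extraction is simplified to the last two labels, and the $free_email_providers, $recipient_emails and $recipient_domains lists are replaced by constructed stand-ins.

```python
from dataclasses import dataclass, field

LEDGER_DOMAINS = {"ledger.com", "ledger.fr"}
ALLOWED_RETURN_PATHS = {"ledger.com", "amazonses.com", "ledger.fr", "hubspotemail.net"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}  # constructed stand-in for $free_email_providers
EXCLUDED_ROOT_DOMAINS = {"fortune.com", "velocityledger.com", "lever.co", "queensledger.com",
                         "libertyledger.com", "uledger.io", "ledgers.org.uk", "leger.co.uk",
                         "xledger.net"}

def levenshtein(a: str, b: str) -> int:
    # Plain edit distance, standing in for MQL's strings.ilevenshtein (inputs pre-lowercased)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Msg:
    sender_email: str
    display_name: str
    return_path_domain: str
    dmarc_pass: bool
    known_emails: set = field(default_factory=set)   # stand-in for $recipient_emails
    known_domains: set = field(default_factory=set)  # stand-in for $recipient_domains

def matches(m: Msg) -> bool:
    email = m.sender_email.lower()
    domain = email.split("@", 1)[1]
    root = ".".join(domain.split(".")[-2:])  # last two labels; Sublime uses the public suffix list
    sld = root.split(".")[0]
    if root in EXCLUDED_ROOT_DOMAINS:        # trailing "not in" exclusion list of the rule
        return False
    # Branch 1: genuine ledger.com sender address but a return-path outside its known infrastructure
    if root == "ledger.com" and m.return_path_domain.lower() not in ALLOWED_RETURN_PATHS:
        return True
    # Branch 2: lookalike sender, unless it is a DMARC-authenticated Ledger domain
    authenticated_ledger = root in LEDGER_DOMAINS and m.dmarc_pass
    name = m.display_name.lower()
    lookalike = ("-ledger.com" in email or name == "ledger" or name.startswith("ledger")
                 or levenshtein(sld, "ledger") <= 1)
    if root in FREE_EMAIL_PROVIDERS:         # free provider: never-before-contacted address
        first_contact = email not in m.known_emails
    else:                                    # custom domain: never-before-contacted domain
        first_contact = domain not in m.known_domains
    return not authenticated_ledger and lookalike and first_contact
```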