Constant Contact link infrastructure abuse

type.inbound
and (
  (
    length(body.links) < 15
    and any(body.links,
            .href_url.domain.root_domain in (
              "rs6.net",
              "constantcontactpages.com"
            )
    )
  )
  or (
    length(attachments) <= 3
    and (
      any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          and any(beta.scan_qr(.).items,
                  .type is not null
                  and .url.domain.root_domain in (
                    "rs6.net",
                    "constantcontactpages.com"
                  )
          )
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          // exclude images taken with mobile cameras and screenshots from android
          and not any(beta.parse_exif(.).fields,
                      .key == "Model"
                      or (
                        .key == "Software"
                        and strings.starts_with(.value, "Android")
                      )
          )
          // exclude images taken with mobile cameras and screenshots from Apple
          and not any(beta.parse_exif(.).fields,
                      .key == "DeviceManufacturer"
                      and .value == "Apple Computer Inc."
          )
      )
      or (
        length(attachments) == 0
        and (
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          beta.parse_exif(file.message_screenshot()).image_height < 2000
          and beta.parse_exif(file.message_screenshot()).image_width < 2000
          and beta.scan_qr(file.message_screenshot()).found
          and any(beta.scan_qr(file.message_screenshot()).items,
                  .type is not null and .url.domain.root_domain == "rs6.net"
          )
        )
      )
    )
  )
)
and not (
  any(headers.hops,
      strings.icontains(.authentication_results.spf_details.designator,
                        "constantcontact.com"
      )
  )
  or any(headers.hops,
         strings.icontains(.received_spf.designator, "constantcontact.com")
  )
  or (
    (
      any(headers.hops,
          any(.authentication_results.dkim_details,
              .domain == "auth.ccsend.com"
          )
      )
    )
    and headers.auth_summary.dmarc.pass
  )
  or any(headers.references, strings.iends_with(., "ccsend.com"))
)
// negating legit replies
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "FW:")
    or strings.istarts_with(subject.subject, "FWD:")
    or strings.istarts_with(subject.subject, "Automatic reply:")
    or regex.imatch(subject.subject,
                    '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
    )
  )
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and profile.by_sender().prevalence in ("new", "outlier", "rare")