type.inbound
and sender.email.domain.domain != 'gmail.com'
and (
// subject and sender
sender.email.domain.root_domain in (
"chromeforextension.com",
"forextensions.com",
"supportchromestore.com"
)
or (
2 of (
strings.icontains(sender.email.domain.root_domain, 'chrome'),
strings.icontains(sender.email.domain.root_domain, 'support'),
strings.icontains(sender.email.domain.root_domain, 'extension'),
strings.icontains(sender.email.domain.root_domain, 'webstore')
)
)
or strings.icontains(sender.email.local_part, 'chromewebstore')
or strings.icontains(sender.display_name, "Webstore Extension")
or strings.icontains(subject.subject, 'Chrome Web Store Policy')
// body and html
or strings.icontains(body.html.raw,
'<div style="background-color:rgb(65,132,243);padding:50px 20px 0px">'
)
or regex.icontains(body.current_thread.text,
'Item name: [^\s]+ security extension'
)
or strings.icontains(body.current_thread.text,
'Chrome Web Store Developer Support'
)
or strings.icontains(body.current_thread.text, 'Developer Program Policies')
or strings.icontains(body.current_thread.text,
'Relevant section of the program policy:'
)
or strings.icontains(body.current_thread.text,
'Please accept our policies to continue publishing your products.'
)
// links
or (
length(distinct(body.links, .href_url.domain.root_domain)) < 10
and any(body.links,
.href_url.domain.root_domain in (
"checkpolicy.site",
"extensionpolicyprivacy.com",
"extensionpolicy.net",
"policyextension.info"
)
or .href_url.path == '/extension-policy-check'
or .display_text == "Go To Policy"
)
)
)
// negate messages sent by Google support
and not (
sender.email.domain.root_domain == 'google.com'
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.