type.inbound

// first message of a thread carrying a handful of links (1..9)
and length(body.previous_threads) == 0
and length(body.current_thread.links) > 0
and length(body.current_thread.links) < 10

// recipient shape that hides the real audience:
//   - "undisclosed recipients" in a To: display name
//   - nobody in To:, everyone in Cc:/Bcc:
//   - sender addressed only to itself while the protected mailbox is not the sender
and (
  any(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  or (
    length(recipients.to) == 0
    and (length(recipients.cc) > 0 or length(recipients.bcc) > 0)
  )
  or (
    length(recipients.to) == 1
    and length(recipients.cc) == 0
    and length(recipients.bcc) == 0
    and all(recipients.to,
            .email.email == sender.email.email
            and .email.email != mailbox.email.email
    )
  )
)

// at least one visible link whose host (with a subdomain present) is a
// free file host or a free subdomain host
and any(body.current_thread.links,
  .visible
  and .href_url.domain.subdomain is not null
  and (
    .href_url.domain.root_domain in $free_file_hosts
    or .href_url.domain.root_domain in $free_subdomain_hosts
  )
  // Gmail signature images live under googleusercontent.com/mail-sig; skip those
  and not (
    .href_url.domain.root_domain == "googleusercontent.com"
    and strings.istarts_with(.href_url.path, "/mail-sig")
  )
)

// drop mailing-list traffic (any hop carrying a List-Unsubscribe header)
and not any(headers.hops, any(.fields, .name == "List-Unsubscribe"))

// drop threads the NLU classifier rates as benign with high confidence
and not any(ml.nlu_classifier(body.current_thread.text).intents,
  .name == "benign" and .confidence == "high"
)

// the only combination NOT flagged is a solicited sender that passes DMARC;
// i.e. fire on unsolicited senders that pass DMARC, and on any sender whose
// DMARC result is fail or missing (missing is treated as fail via coalesce).
// NOTE(review): a DMARC pass only binds the message to the sending domain; for
// free-mail domains that says nothing about the individual sender, which is why
// the solicited check is still applied in that branch.
and not (
  coalesce(headers.auth_summary.dmarc.pass, false)
  and profile.by_sender().solicited
)