type.inbound
and any(body.links,
// Any body link domains contain "ipfs"
(
strings.icontains(.href_url.domain.domain, "ipfs")
and not .href_url.domain.root_domain == "ipfs.com"
)
// Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
or (
regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
and .href_url.domain.domain not in $org_domains
and (
(
// don't include high rep domains
.href_url.domain.domain not in $tranco_1m
and .href_url.domain.domain not in $umbrella_1m
)
// if it's in Tranco or Umbrella, still include it if it's one of these
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)
)
)
// adding negation block for legitimate domains with ipfs in their name
and not sender.email.domain.domain in ("shipfsl.com")
// negate ipfs.com issues
and not any(recipients.to, .email.domain.domain == "ipfs.com")
and not (
sender.email.domain.root_domain is not null
and sender.email.domain.root_domain == "ipfs.com"
and headers.auth_summary.dmarc.pass
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.