// Flags inbound messages that are either not part of a thread or only look
// like one, and that carry a link showing port 8443 on a domain registered
// within the last 365 days. Authenticated Google spam-digest mail is excluded.
type.inbound
and (
  // No quoted earlier messages in the body: a first-contact message.
  length(body.previous_threads) == 0
  // Or a fabricated thread: the threading headers are missing, yet the
  // subject or body presents the message as a reply or forward.
  or (
    (length(headers.references) == 0 or headers.in_reply_to is null)
    and (
      subject.is_reply
      or subject.is_forward
      or length(body.previous_threads) > 0
    )
  )
)
and any(body.links,
        // Substring match on the URL shown as the link text.
        // NOTE(review): this also matches ':8443' inside a path or query
        // string and longer ports such as ':84430'; links whose visible text
        // is not a URL are presumably not matched. Confirm that is intended.
        strings.contains(.display_url.url, ':8443')
        // Age is taken from the WHOIS record of the domain the link actually
        // points to, not the one displayed.
        // NOTE(review): when the lookup yields no age this comparison
        // presumably does not match, so such links are skipped. Confirm.
        and network.whois(.href_url.domain).days_old <= 365
)
// Exclude Google's spam digest. The DMARC pass is required alongside the
// address match so that mail merely spoofing this sender is still evaluated.
and not (
  sender.email.email == "noreply-spamdigest@google.com"
  and headers.auth_summary.dmarc.pass
)