// Matches a very short inbound message from a freemail sender: a tiny body and
// subject, a generic greeting (or almost no text), no earlier thread, no links
// and no attachments. The final clause gates the match on sender reputation
// unless SPF or DMARC explicitly fails.
// NOTE(review): presumably meant to catch the opening "bait" message of a
// conversational scam, where there is no payload to inspect — confirm against
// the rule's own description.
type.inbound
// size caps: body at most 20 characters, subject at most 15
and length(body.current_thread.text) <= 20
and length(subject.base) <= 15
// exclude messages with previous thread context (forwards/replies)
and length(body.previous_threads) == 0
// detect generic greetings
and (
// the NLU classifier tagged an entity named "greeting" in the body
any(ml.nlu_classifier(body.current_thread.text).entities, .name == "greeting")
// case-insensitive wildcard match
// NOTE(review): "*hi*" is a substring pattern, so it also matches words such as
// "this" or "while"; the 20-character cap limits the impact, but confirm that
// this breadth is intended
or strings.ilike(body.current_thread.text, "*hi*", "*hello*", "*hey*")
// bodies of five characters or fewer qualify without any greeting at all
or length(body.current_thread.text) <= 5
)
// external freemail sender
and sender.email.domain.root_domain in $free_email_providers
// the sender's root domain must differ from the first To recipient's
// NOTE(review): only recipients.to[0] is compared; other To recipients are not
// checked here, and the behavior with an empty To list is not visible — confirm
and sender.email.domain.root_domain not in (
recipients.to[0].email.domain.root_domain
)
// no CC recipient shares the sender's root domain (an empty CC list passes)
and (
length(recipients.cc) == 0
or (
length(recipients.cc) > 0
and all(recipients.cc,
.email.domain.root_domain != sender.email.domain.root_domain
)
)
)
// the same check for BCC recipients
and (
length(recipients.bcc) == 0
or (
length(recipients.bcc) > 0
and all(recipients.bcc,
.email.domain.root_domain != sender.email.domain.root_domain
)
)
)
// no attachments or links
and length(attachments) == 0
and length(body.current_thread.links) == 0
// negate sender profiles completely if auth is failing
and (
// branch 1: neither DMARC nor SPF is explicitly false, so the sender profile
// decides
// NOTE(review): a missing auth result is presumably not "== false" and would
// land in this branch — confirm
(
not (
headers.auth_summary.dmarc.pass == false
or headers.auth_summary.spf.pass == false
)
// the sender is either unsolicited, or has prior malicious/spam messages
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// applies to both alternatives above, so the inner false-positive check on the
// malicious/spam alternative is already covered by this line
and not profile.by_sender().any_false_positives
)
// branch 2: DMARC or SPF is explicitly false; the sender profile is not
// consulted and the message matches on the earlier conditions alone
or (
headers.auth_summary.dmarc.pass == false
or headers.auth_summary.spf.pass == false
)
)