type.inbound
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Financial Communications")
)
and not any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
'Newsletters and Digests',
'News and Current Events',
'Legal and Compliance'
)
)
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
// action word
and (
strings.ilike(subject.base, '*airdrop*')
or strings.like(body.current_thread.text, '*airdrop*')
or strings.ilike(subject.base, '*giveaway*')
or strings.like(body.current_thread.text, '*giveaway*')
or regex.icontains(body.current_thread.text, 'receive \$\d{2,5} worth')
or regex.icontains(body.current_thread.text,
'claim your (allocation|airdrop|bonus|share|\$\d{2,5})'
)
or regex.icontains(body.current_thread.text, 'connect .{0,20} wallet')
)
and not regex.icontains(body.current_thread.text, '\$\d{2,4} (off|cash)')
and (
// crypto keyword
regex.icontains(body.current_thread.text,
'\bmetamask\b',
'\bethereum\b',
'\bbinance\b',
'\bgemini\b',
'\bwallet\b',
'\bkraken\b',
'\bsolana\b',
'\btrezor\b',
'\bledger\b'
)
// token name, e.g. $USDT
or regex.contains(body.current_thread.text, '\s\$[A-Z]{3,4}\s')
)
and not (
sender.email.domain.root_domain in (
"gemini.com",
"ledger.com",
"binance.com",
"trezor.io",
"kraken.com",
"solana.com",
"metamask.com",
"ethereum.org",
"bloomberg.com"
)
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.