Medium Severity

Spam: Ghostwriting services scam with manipulative language

Labels

Description

Detects unsolicited messages promoting ghostwriting or book publishing services that use manipulative language patterns commonly seen in scams, such as offering complimentary samples, expressing fascination with the recipient's achievements, or requesting personal information under the guise of writing assistance.

References

No references.

Sublime Security

Created Oct 17th, 2025 • Last updated Oct 17th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(body.current_thread.text) < 1500
and (
  // Ghostwriting and book-related terms in subject
  strings.icontains(subject.subject, "book project")
  or strings.icontains(subject.subject, "ghostwriting")
  or strings.icontains(subject.subject, "becoming an author")
  or strings.icontains(subject.subject, "your book")
  or strings.icontains(subject.subject, "writing project")
  or strings.icontains(subject.subject, "publish")
  or strings.icontains(subject.subject, " author ")

  // Body contains ghostwriting service offers
  or strings.icontains(body.current_thread.text, "ghostwriting")
  or strings.icontains(body.current_thread.text, "ghostwriter")
  or strings.icontains(body.current_thread.text, "writing firm")
  or strings.icontains(body.current_thread.text, "book writing")
  or strings.icontains(body.current_thread.text, "publishing")
)
// Common scam language patterns
and (
  (
    strings.icontains(body.current_thread.text, "complimentary")
    and (
      strings.icontains(body.current_thread.text, "sample")
      or strings.icontains(body.current_thread.text, "chapter")
      or strings.icontains(body.current_thread.text, "consultation")
    )
  )
  or (
    strings.icontains(body.current_thread.text, "fascinated")
    and strings.icontains(body.current_thread.text, "what you have done")
  )
  or strings.icontains(body.current_thread.text, "inspiring stories")
  or strings.icontains(body.current_thread.text, "gather some information")
  or strings.icontains(body.current_thread.text, "few minutes of your time")
  or strings.icontains(body.current_thread.text, "absolutely no obligation")
  or strings.icontains(body.current_thread.text, "writing team")
)
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in (
        "Newsletters and Digests",
        "Events and Webinars",
        "Educational and Research",
        "Financial Communications",
        "Advertising and Promotions",
        "Legal and Compliance",
        "Professional and Career Development"
      )
      and .confidence == "high"
  )
)

// Standard negations
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.