type.inbound
and any(body.links,
// Check root domain first
.href_url.domain.root_domain in ("r2.dev", "pages.dev", "workers.dev")
// Check the specific pub-{hex}.r2.dev subdomain pattern only for r2.dev
)
// negate emails with unsubscribe links
and not any(body.links,
strings.icontains(.href_url.url, "unsubscribe")
or strings.icontains(.display_text, "unsubscribe")
)
// negate bulk mailer domains
and not any(body.links,
.href_url.domain.root_domain in $bulk_mailer_url_root_domains
)
and not (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in (
"Newsletters and Digests",
"Advertising and Promotions",
"Educational and Research",
"B2B Cold Outreach",
"Health and Wellness",
"Professional and Career Development",
"Romance",
"Sexually Explicit Messages",
"Software and App Updates",
"Acts of Violence",
"Voicemail Call and Missed Call Notifications"
)
and .confidence == "high"
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.