type.inbound
and (
strings.ilike(headers.mailer,
"Microsoft CDO for Windows 2000",
"PHPMailer*",
"nodemailer*"
)
or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
)
and (
any(headers.hops, .index == 0 and .received.server.raw == "smtp.gmail.com")
or headers.return_path.domain.root_domain in ("gmail.com", "googlemail.com")
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.