type.inbound
and (
sender.email.domain.domain == "public.govdelivery.com"
or any(headers.domains, .root_domain == "govdelivery.com")
)
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
and length(body.links) < 10
and any(body.links,
any(filter(regex.extract(.href_url.path, '/CL0/(?P<url>.*?)/1/'),
strings.parse_url(.named_groups["url"]).domain.root_domain not in (
"google.com",
"govdelivery.com",
"granicus.com",
"legistar1.com" // domain owned by granicus
)
and strings.parse_url(.named_groups["url"]).domain.tld not in (
"gov"
)
),
// this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
or strings.parse_url(.named_groups["url"]).domain.domain in $social_landing_hosts
or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
or strings.parse_url(.named_groups["url"]).domain.root_domain in $social_landing_hosts
or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
or any(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history,
network.whois(.domain).days_old < 30
or strings.icontains(.domain.domain, "ipfs")
or regex.icontains(.query_params, '[\.-/]ipfs[\.-/]')
)
// page redirects to common website, observed when evasion happens
or (
length(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history
) > 1
and ml.link_analysis(strings.parse_url(.named_groups["url"])).effective_url.domain.root_domain in $tranco_10k
)
)
)
Playground
Test against your own EMLs or sample data.