[Shared Samples] [PR #4380] added rule: PR# 4380 - Spam: Website errors solicitation

github-actions[bot] · github-actions[bot] · commit da4576abc78b · 2026-04-21T23:45:45.000Z
diff --git a/detection-rules/4380_spam_web_errors_solicitation.yml b/detection-rules/4380_spam_web_errors_solicitation.yml
@@ -0,0 +1,135 @@
+name: "PR# 4380 - Spam: Website errors solicitation"
+description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and not profile.by_sender().solicited
+  // no attachments
+  and length(attachments) == 0
+  // subject must contain SEO or web dev spam keywords or be short
+  and (
+    (
+      // SEO or web development service keywords
+      regex.icontains(strings.replace_confusables(subject.subject),
+                      '(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design|review|price)'
+      )
+      or regex.icontains(subject.base,
+                         '[^\x{2600}-\x{27BF}\x{1F300}-\x{1F9FF}][\x{2600}-\x{27BF}\x{1F300}-\x{1F9FF}]\x{FE0F}?$'
+      )
+      // report and follow up keywords
+      or (
+        strings.icontains(strings.replace_confusables(subject.subject), "report")
+        and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                            "(?:free|send you|can i send|may i send|let me know|interested|get back to me|reply back|just reply)"
+        )
+      )
+      // short subject
+      or length(subject.base) < 5
+    )
+    // or a reply or forward in a thread that mentions website or screenshots
+    or (
+      (length(subject.base) < 5 or subject.is_reply or subject.is_forward)
+      and any(body.previous_threads,
+              regex.icontains(strings.replace_confusables(.text),
+                              "(?:screenshot|website)"
+              )
+      )
+    )
+  )
+  // body structure and content patterns
+  and (
+    // Single thread with no links
+    (
+      length(body.links) == 0
+      and length(body.previous_threads) == 0
+      // short message between 20 and 500 chars
+      and 20 < length(body.current_thread.text) < 500
+      // service offering keywords
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          "(?:available|screenshot|error list|plan|quote|rank|professional|price|mistake|visibility|improvement|review|emailed.{0,10}more details)"
+      )
+      // generic greeting
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          'h(?:i|ello|ey)\b'
+      )
+      // problem or urgency keywords
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          '(?:error|report|issues|website|repair|redesign|upgrade|Google\s+.{0,15}find it|glitch)'
+      )
+      // website or page mention
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          "(?:site|website|page)"
+      )
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          '(mail\.|mx|\.u)?\.?@?(aol|yahoo|hotmail|google|gmail|googlemail)\.com'
+      )
+    )
+    or any(body.links, regex.icontains(.display_text, '\.?@?(hotmail)\.com'))
+    // Single thread with unsubscribe link or $org_domains link
+    or (
+      length(body.links) <= 3
+      and (
+        // unsubscribe mailto link
+        regex.icontains(body.html.raw, "mailto:*[++unsubscribe@]")
+        // or link to found in org_domains
+        or any(body.links, .href_url.domain.root_domain in~ $org_domains)
+      )
+      and length(body.previous_threads) == 0
+      // short message between 20 and 500 chars
+      and 20 < length(body.current_thread.text) < 500
+      // service offering keywords
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          "(?:screenshot|error list|plan|quote|rank|professional|price|mistake)"
+      )
+      // generic greeting
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          '(?:h(?:i|ello|ey)|morning)\b'
+      )
+      // problem or urgency keywords
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          '(?:error|report|issues|website|repair|redesign|upgrade|Google\s+.{0,15}find it)'
+      )
+      // website or page mention
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          "(?:site|website|page)"
+      )
+    )
+    // Multiple thread messages
+    or (
+      length(body.links) == 0
+      // small thread with less than 5 messages
+      and length(body.previous_threads) < 5
+      // check previous messages for spam characteristics
+      and any(body.previous_threads,
+              // short previous messages less than 400 chars
+              length(.text) < 400
+              and (
+                // generic greeting
+                regex.icontains(strings.replace_confusables(.text),
+                                '(?:h(?:i|ello|ey)|morning)\b'
+                )
+                // service offering keywords
+                and regex.icontains(strings.replace_confusables(.text),
+                                    '(?:\berror(?:\s+list)?\b|screenshot|report|plan)'
+                )
+                // previous threads written in English
+                and ml.nlu_classifier(.text).language == "english"
+              )
+      )
+    )
+  )
+tags:
+  - "Attack surface reduction"
+  - pr_author_cybher0808
+  - created_from_open_prs
+  - rule_status_renamed
+attack_types:
+  - "Spam"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Natural Language Understanding"
+id: "5c1bac1a-407f-5ac9-81ed-800b666a7447"
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4380
