[Shared Samples] [PR #4379] added rule: PR# 4379 - Spam: Website errors solicitation

github-actions[bot] · github-actions[bot] · commit f23a36b7c02c · 2026-04-21T22:46:31.000Z
diff --git a/detection-rules/4379_spam_website_errors_solicitation.yml b/detection-rules/4379_spam_website_errors_solicitation.yml
@@ -0,0 +1,136 @@
+name: "PR# 4379 - Spam: Website errors solicitation"
+description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+ and not profile.by_sender().solicited
+ // no attachments
+ and length(attachments) == 0
+ // subject must contain SEO or web dev spam keywords or be short
+ and (
+   (
+     // SEO or web development service keywords
+     regex.icontains(strings.replace_confusables(subject.subject),
+                     '(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design|review|price)'
+     )
+     or regex.icontains(subject.base,
+                        '[^\x{2600}-\x{27BF}\x{1F300}-\x{1F9FF}][\x{2600}-\x{27BF}\x{1F300}-\x{1F9FF}]\x{FE0F}?$'
+     )
+     // report and follow up keywords
+     or (
+       strings.icontains(strings.replace_confusables(subject.subject), "report")
+       and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                           "(?:free|send you|can i send|may i send|let me know|interested|get back to me|reply back|just reply)"
+       )
+     )
+     // short subject
+     or length(subject.base) < 5
+   )
+   // or a reply or forward in a thread that mentions website or screenshots
+   or (
+     (length(subject.base) < 5 or subject.is_reply or subject.is_forward)
+     and any(body.previous_threads,
+             regex.icontains(strings.replace_confusables(.text),
+                             "(?:screenshot|website)"
+             )
+     )
+   )
+ )
+ // body structure and content patterns
+ and (
+   // Single thread with no links
+   (
+     length(body.links) == 0
+     and length(body.previous_threads) == 0
+     // short message between 20 and 500 chars
+     and 20 < length(body.current_thread.text) < 500
+     // service offering keywords
+     and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                         "(?:available|screenshot|error list|plan|quote|rank|professional|price|mistake|visibility|improvement|review|emailed.{0,10}more details)"
+     )
+     // generic greeting
+     and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                         'h(?:i|ello|ey)\b'
+     )
+     // problem or urgency keywords
+     and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                         '(?:error|report|issues|website|repair|redesign|upgrade|Google\s+.{0,15}find it|glitch)'
+     )
+     // website or page mention
+     and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                         "(?:site|website|page)"
+     )
+     and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                         '(mail\.|mx|\.u)?\.?@?(aol|yahoo|hotmail|google|gmail|googlemail)\.com'
+     )
+   )
+   or any(body.links, regex.icontains(.display_text, '\.?@?(hotmail)\.com'))
+ )
+ 
+ // Single thread with unsubscribe link or $org_domains link
+ or (
+   length(body.links) <= 3
+   and (
+     // unsubscribe mailto link
+     regex.icontains(body.html.raw, "mailto:*[++unsubscribe@]")
+     // or link to found in org_domains
+     or any(body.links, .href_url.domain.root_domain in~ $org_domains)
+   )
+   and length(body.previous_threads) == 0
+   // short message between 20 and 500 chars
+   and 20 < length(body.current_thread.text) < 500
+   // service offering keywords
+   and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                       "(?:screenshot|error list|plan|quote|rank|professional|price|mistake)"
+   )
+   // generic greeting
+   and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                       '(?:h(?:i|ello|ey)|morning)\b'
+   )
+   // problem or urgency keywords
+   and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                       '(?:error|report|issues|website|repair|redesign|upgrade|Google\s+.{0,15}find it)'
+   )
+   // website or page mention
+   and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                       "(?:site|website|page)"
+   )
+ )
+ // Multiple thread messages
+ or (
+   length(body.links) == 0
+   // small thread with less than 5 messages
+   and length(body.previous_threads) < 5
+   // check previous messages for spam characteristics
+   and any(body.previous_threads,
+           // short previous messages less than 400 chars
+           length(.text) < 400
+           and (
+             // generic greeting
+             regex.icontains(strings.replace_confusables(.text),
+                             '(?:h(?:i|ello|ey)|morning)\b'
+             )
+             // service offering keywords
+             and regex.icontains(strings.replace_confusables(.text),
+                                 '(?:\berror(?:\s+list)?\b|screenshot|report|plan)'
+             )
+             // previous threads written in English
+             and ml.nlu_classifier(.text).language == "english"
+           )
+   )
+ )
+tags:
+  - "Attack surface reduction"
+  - pr_author_cybher0808
+  - created_from_open_prs
+  - rule_status_modified
+attack_types:
+  - "Spam"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Natural Language Understanding"
+id: "033af5ca-2d78-546d-806b-7aad14e8860d"
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4379
