Update spam_website_errors_solicitation.yml (#3614)

JFarina5 · web-flow · commit cc13a52afc2e · 2025-12-08T22:09:52.000Z
diff --git a/detection-rules/spam_website_errors_solicitation.yml b/detection-rules/spam_website_errors_solicitation.yml
@@ -16,17 +16,31 @@ source: |
       and length(body.previous_threads) == 0
       and 20 < length(body.current_thread.text) < 500
       and regex.icontains(strings.replace_confusables(body.current_thread.text),
-                          "screenshot|error list|plan|quote|rank|professional|price"
+                          "(?:screenshot|error list|plan|quote|rank|professional|price|mistake)"
       )
-      and regex.icontains(strings.replace_confusables(body.current_thread.text), ".*(hi|hello|hey)")
       and regex.icontains(strings.replace_confusables(body.current_thread.text),
-                          ".*(error|report|issues|website)"
+                          'h(?:i|ello|ey)\b'
       )
       and regex.icontains(strings.replace_confusables(body.current_thread.text),
-                          ".*(site|website|page)"
+                          "(?:error|report|issues|repair|redesign|upgrade)"
       )
-      and regex.icontains(strings.replace_confusables(subject.subject),
-                          ".*(proposal|cost|report|error|audit|screenshot|strategy)"
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          "(?:site|website|page)"
+      )
+      and (
+        regex.icontains(strings.replace_confusables(subject.subject),
+                        "(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design)"
+        )
+        or (
+          strings.icontains(strings.replace_confusables(subject.subject),
+                            "report"
+          )
+          and regex.icontains(strings.replace_confusables(body.current_thread.text
+                              ),
+                              "(?:free|send you|can i send|may i send|let me know|interested|get back to me|reply back)"
+          )
+        )
+        or length(subject.base) < 5
       )
     ),
     // Single thread message groups but with 1 unsubscribe link or link is recipient
@@ -40,36 +54,66 @@ source: |
       and length(body.previous_threads) == 0
       and 20 < length(body.current_thread.text) < 500
       and regex.icontains(strings.replace_confusables(body.current_thread.text),
-                          "screenshot|error list|plan|quote|rank|professional|price"
+                          "(?:screenshot|error list|plan|quote|rank|professional|price)"
       )
-      and regex.icontains(strings.replace_confusables(body.current_thread.text), ".*(hi|hello|hey)")
       and regex.icontains(strings.replace_confusables(body.current_thread.text),
-                          ".*(error|report|issues|website)"
+                          'h(?:i|ello|ey)\b'
       )
       and regex.icontains(strings.replace_confusables(body.current_thread.text),
-                          ".*(site|website)"
+                          "(?:error|report|issues|website|repair|redesign|upgrade)"
       )
-      and regex.icontains(strings.replace_confusables(subject.subject),
-                          ".*(proposal|cost|report|error|audit|screenshot|strategy)"
+      and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          "(?:site|website|page)"
+      )
+      and (
+        regex.icontains(strings.replace_confusables(subject.subject),
+                        "(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design)"
+        )
+        or (
+          strings.icontains(strings.replace_confusables(subject.subject),
+                            "report"
+          )
+          and regex.icontains(strings.replace_confusables(body.current_thread.text),
+                              "(?:free|send you|can i send|may i send|let me know|interested|get back to me|reply back)"
+          )
+        )
+        or length(subject.base) < 5
       )
     ),
     // Multiple thread message groups
     (
       length(attachments) == 0
       and length(body.links) == 0
       and length(body.previous_threads) < 5
-      and regex.icontains(strings.replace_confusables(subject.subject),
-                          ".*(proposal|cost|report|error|audit|screenshot|strategy)"
+      and (
+        regex.icontains(strings.replace_confusables(subject.subject),
+                        "(?:proposal|cost|estimate|error|bug|audit|screenshot|strategy|rankings|issues|fix|website|design)"
+        )
+        or (
+          (
+            length(subject.base) < 5
+            or subject.is_reply or subject.is_forward
+          )
+          and any(body.previous_threads,
+                  regex.icontains(strings.replace_confusables(.text),
+                                  "(?:screenshot|website)"
+                  )
+          )
+        )
       )
       and any(body.previous_threads,
               length(.text) < 400
-              and regex.icontains(strings.replace_confusables(.text), 
-              '.*(hey|hi|hello)'
+              and (
+                regex.icontains(strings.replace_confusables(.text),
+                                'h(?:i|ello|ey)\b'
+                )
+                or strings.icontains(strings.replace_confusables(.text),
+                                     "morning"
+                )
               )
               and regex.icontains(strings.replace_confusables(.text),
-                                  '.*(\berror(?:\s+list)?\b|screenshot|report|plan)'
+                                  '(?:\berror(?:\s+list)?\b|screenshot|report|plan)'
               )
-              and strings.count(.text, "?") >= 3
               and ml.nlu_classifier(.text).language == "english"
       )
     )
