From 2cb40f02f2600dbf38692e21e05f9a9152088cc4 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Wed, 8 Jan 2025 11:36:14 -0800 Subject: [PATCH 1/3] Update spam_fake_photo_share.yml --- detection-rules/spam_fake_photo_share.yml | 36 +++++++++++++++-------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/detection-rules/spam_fake_photo_share.yml b/detection-rules/spam_fake_photo_share.yml index 15e90a8cd2f..de084399344 100644 --- a/detection-rules/spam_fake_photo_share.yml +++ b/detection-rules/spam_fake_photo_share.yml @@ -55,20 +55,32 @@ source: | ) ) ) - or ( - body.plain.raw is not null - and body.html.display_text is null - and length(body.current_thread.text) == 0 - and strings.ilike(body.plain.raw, - "*picture*", - "*photo*", - "*image*", - "*sad news*", - "*pics*" + or ( + body.plain.raw is not null + and body.html.display_text is null + and ( + length(body.current_thread.text) == 0 + or ( + length(body.current_thread.text) < 500 + // fake forward indicator in the plain text body + and regex.contains(body.plain.raw, + 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + ) + and not regex.contains(body.current_thread.text, + 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + ) + and not any(headers.hops, any(.fields, .name == "Resent-From")) ) - and not strings.istarts_with(body.plain.raw, "[cid:image") - and strings.icontains(subject.subject, sender.display_name) ) + and strings.ilike(body.plain.raw, + "*picture*", + "*photo*", + "*image*", + "*sad news*", + "*pics*" + ) + and not strings.istarts_with(body.plain.raw, "[cid:image") + and strings.icontains(subject.subject, sender.display_name) ) and length(body.links) < 5 and any(body.links, From f014731acc39d52dcc6272d10e54f995c3c0916a Mon Sep 17 00:00:00 2001 
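Review bot: The fake-forward regex `'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'` added to both the positive check on body.plain.raw and the negative check on body.current_thread.text only matches when the quote header sits on one line with a full weekday name, so a header that wraps onto a second line in the plain-text body, or one using an abbreviated weekday (`Mon`, `Tue`), is not treated as a forward indicator; whether that narrowing is intended is not visible from the hunk. If it is not, `[\s\S]{0,50}` in place of `.{0,50}` and an optional suffix on the weekday alternatives would widen it, assuming the regex engine accepts those forms. The literal is also duplicated between the two calls and must be kept in sync by hand, so a comment next to the negative check such as `// must stay identical to the plain-text regex above` would help the next editor. The enclosing `source:` expression starts and ends outside this hunk.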
From: Aiden Mitchell Date: Wed, 8 Jan 2025 11:40:12 -0800 Subject: [PATCH 2/3] Update spam_fake_photo_share.yml --- detection-rules/spam_fake_photo_share.yml | 59 ++++++++++++----------- 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/detection-rules/spam_fake_photo_share.yml b/detection-rules/spam_fake_photo_share.yml index de084399344..058dbf9f1cd 100644 --- a/detection-rules/spam_fake_photo_share.yml +++ b/detection-rules/spam_fake_photo_share.yml @@ -19,7 +19,8 @@ source: | "*picture*", "*photo*", "*image*", - "*sad news*" + "*sad news*", + "*new pics*" ) ) or ( @@ -32,7 +33,8 @@ source: | "*picture*", "*photo*", "*image*", - "*sad news*" + "*sad news*", + "*new pics*" ) ) or ( @@ -41,7 +43,8 @@ source: | "*picture*", "*photo*", "*image*", - "*sad news*" + "*sad news*", + "*new pics*" ) and not strings.icontains(body.plain.raw, "[cid:image") ) 
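Review bot: The three hunks of this patch add `"*new pics*"` to term lists that the fifth branch (hunk `@@ -51,36 +54,38 @@`, and already in PATCH 1) covers with the broader `"*pics*"`, so the five branches now use two different spellings of the same indicator. If the narrower term was chosen deliberately for the branches that lack the plain-text/fake-forward conditions, a one-line comment such as `// "*new pics*" only here; the plain-text branch uses the broader "*pics*"` would stop a later edit from "harmonising" the lists in either direction. If it was not deliberate, the lists should be aligned on one term so the rule's sensitivity does not depend on which branch a message happens to hit. Each of these hunks sits inside the larger `source:` expression that continues outside the hunk.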
@@ -51,36 +54,38 @@ source: | "*picture*", "*photo*", "*image*", - "*sad news*" + "*sad news*", + "*new pics*" ) ) ) - or ( - body.plain.raw is not null - and body.html.display_text is null - and ( - length(body.current_thread.text) == 0 - or ( - length(body.current_thread.text) < 500 - // fake forward indicator in the plain text body - and regex.contains(body.plain.raw, - 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' - ) - and not regex.contains(body.current_thread.text, - 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + or ( + body.plain.raw is not null + and body.html.display_text is null + and ( + length(body.current_thread.text) == 0 + or ( + length(body.current_thread.text) < 500 + // fake forward indicator in the plain text body + and regex.contains(body.plain.raw, + 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + ) + and not regex.contains(body.current_thread.text, + 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + ) + and not any(headers.hops, any(.fields, .name == "Resent-From")) ) - and not any(headers.hops, any(.fields, .name == "Resent-From")) ) + and strings.ilike(body.plain.raw, + "*picture*", + "*photo*", + "*image*", + "*sad news*", + "*pics*" + ) + and not strings.istarts_with(body.plain.raw, "[cid:image") + and strings.icontains(subject.subject, sender.display_name) ) - and strings.ilike(body.plain.raw, - "*picture*", - "*photo*", - "*image*", - "*sad news*", - "*pics*" - ) - and not strings.istarts_with(body.plain.raw, "[cid:image") - and strings.icontains(subject.subject, sender.display_name) ) and length(body.links) < 5 and any(body.links, From 7a2631de8f232263ef8cacc2863cbfafb157a859 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Wed, 8 Jan 2025 13:21:07 -0800 Subject: [PATCH 3/3] Update spam_fake_photo_share.yml --- detection-rules/spam_fake_photo_share.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/detection-rules/spam_fake_photo_share.yml b/detection-rules/spam_fake_photo_share.yml index 058dbf9f1cd..59d19b1434b 100644 --- a/detection-rules/spam_fake_photo_share.yml +++ b/detection-rules/spam_fake_photo_share.yml @@ -67,12 +67,16 @@ source: | or ( length(body.current_thread.text) < 500 // fake forward indicator in the plain text body - and regex.contains(body.plain.raw, - 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + and ( + regex.contains(body.plain.raw, + 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' + ) + or strings.icontains(body.plain.raw, 'Original Message') ) and not regex.contains(body.current_thread.text, 'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote' ) + and not strings.icontains(body.current_thread.text, 'Original Message') and not any(headers.hops, any(.fields, .name == "Resent-From")) ) )
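Review bot: `strings.icontains(body.plain.raw, 'Original Message')` matches the phrase anywhere in the plain-text body, not only the delimiter line it presumably stands in for, so ordinary prose such as a reply saying "see the original message" now satisfies the fake-forward indicator whenever the other conditions hold; the added `and not strings.icontains(body.current_thread.text, 'Original Message')` only compensates when the phrase survives into current_thread.text. Anchoring to the delimiter form, e.g. `or regex.icontains(body.plain.raw, '-{2,}\s*Original Message\s*-{2,}')`, would keep the intent with fewer incidental matches, assuming the regex engine accepts that syntax. Note also that the two indicators now differ in case handling (case-sensitive `regex.contains` for the weekday form, case-insensitive for the new one); if that is intended, a short comment next to the new `or` saying why would avoid a future "fix". The enclosing `or (` block starts and ends outside this hunk.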