diff --git a/detection-rules/scam_piano.yml b/detection-rules/scam_piano.yml
index dfe5fb11cec..7f3109cee5e 100644
--- a/detection-rules/scam_piano.yml
+++ b/detection-rules/scam_piano.yml
@@ -4,7 +4,7 @@ type: "rule"
 severity: "medium"
 source: |
 length(body.links) < 10
- and length(body.current_thread.text) < 1500
+ and length(body.current_thread.text) < 2000
 and (
 // body detection
 // be sure to update the attachment detection regexes too!
@@ -19,6 +19,7 @@ source: |
 // Piano/Keyboards
 or regex.icontains(body.current_thread.text,
 '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
+ '(?:baby.grand|piano|baby.grand.piano|keyboard)\s*[^\r\n]{0,50}(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})',
 // strong indicators for generalized instrument
 '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
 )
@@ -42,6 +43,7 @@ source: |
 strings.ilike(body.current_thread.text,
 '* downsizing *',
 '* relocating *',
+ '* to relocate *',
 '* relocation *',
 '* moving *'
 )
@@ -72,7 +74,9 @@ source: |
 "* special piece*",
 "* a lot of meaning*",
 "* profound sentimental*",
- '* will cherish*'
+ '* will cherish*',
+ '* passion for music*',
+ '* treasured items *'
 )
 )
 and (
@@ -81,6 +85,7 @@ source: |
 'shipping (?:fee|cost|arrangement)',
 '(?:responsible|pay) for shipping',
 'no (?:local\s)?pick.?up',
+ '(?:local\s)?pick.?up.{0,50}not available',
 'delivery only',
 'moving company'
 )
@@ -124,6 +129,7 @@ source: |
 '(?:private|personal) (?:e-?)?mail'
 )
 or strings.icontains(body.current_thread.text, ' kindly ')
+ or strings.icontains(body.current_thread.text, ' (kindly ')
 )
 )
 )
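Review bot: The added `'* treasured items *'` entry in the `@@ -72,7 +74,9 @@` hunk requires a space on both sides of the phrase, so it will not match when the phrase is followed by punctuation or a line break ("treasured items." or "treasured items,"). The neighbouring entries such as `'* will cherish*'` and `'* passion for music*'` leave the tail open. Suggest `'* treasured items*'` for consistency. The same entry is added to the attachment copy in the `@@ -192,7 +199,9 @@` hunk and would need the same change. The enclosing `strings.ilike(` call starts outside the hunk.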
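Review bot: In the `@@ -81,6 +85,7 @@` hunk, the leading `(?:local\s)?` in `'(?:local\s)?pick.?up.{0,50}not available'` is an optional group at the start of what appears to be an unanchored match, so it never changes whether the pattern matches. The gap is also written `.{0,50}`, while the other bounded gaps in this rule use `[^\r\n]{0,50}`. Suggest `'pick.?up[^\r\n]{0,50}not available'`, with the same edit in the attachment copy at `@@ -201,6 +210,7 @@`. The enclosing call starts outside the hunk.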
@@ -139,6 +145,7 @@ source: |
 // Piano/Keyboards
 or regex.icontains(file.parse_text(.).text,
 '(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?)\s*[^\r\n]{0,50}(?:baby.grand|piano|baby.grand.piano|keyboard)',
+ '(?:baby.grand|piano|baby.grand.piano|keyboard)\s*[^\r\n]{0,50}(?:Yamaha|Kawai|Baldwin|Roland|Stei?nway(?: (?:&|and) Sons?)?|\d{4})',
 // strong indicators for generalized instrument
 '(?:piano|keyboard)\s*[^\r\n]{0,50}(?:available|sale|rehome|gift)'
 )
@@ -162,8 +169,8 @@ source: |
 strings.ilike(file.parse_text(.).text,
 '* downsizing *',
 '* relocating *',
+ '* to relocate *',
 '* relocation *',
- '* moving *'
 )
 or strings.ilike(file.parse_text(.).text,
 '* give away*',
@@ -192,7 +199,9 @@ source: |
 "* special piece*",
 "* a lot of meaning*",
 "* profound sentimental*",
- '* will cherish*'
+ '* will cherish*',
+ '* passion for music*',
+ '* treasured items *'
 )
 )
 and (
@@ -201,6 +210,7 @@ source: |
 'shipping (?:fee|cost|arrangement)',
 '(?:responsible|pay) for shipping',
 'no (?:local\s)?pick.?up',
+ '(?:local\s)?pick.?up.{0,50}not available',
 'delivery only',
 'moving company'
 )
@@ -242,6 +252,7 @@ source: |
 '(?:private|personal) (?:e-?)?mail'
 )
 or strings.icontains(file.parse_text(.).text, ' kindly ')
+ or strings.icontains(file.parse_text(.).text, ' (kindly ')
 )
 )
 )
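Review bot: The reversed pattern added to the attachment branch in the `@@ -139,6 +145,7 @@` hunk ends with `|\d{4}`, but the forward pattern on the context line above it has no `\d{4}` alternative. The body branch has it in both directions. As written, any four digits within 50 characters after "piano" or "keyboard" in parsed file text satisfy this condition, which looks broader than the attachment branch was before. If the omission was deliberate, end the new pattern with `Stei?nway(?: (?:&|and) Sons?)?)',`. Otherwise add `|\d{4}` to the forward pattern too, and add a `//` comment saying which is intended.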
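Review bot: In the `@@ -162,8 +169,8 @@` hunk the attachment copy of the relocation list no longer agrees with the body copy: `'* moving *'` is deleted and `'* relocation *',` is left as the final argument, with a trailing comma before `)`. The body branch at `@@ -42,6 +43,7 @@` keeps `'* moving *'`, so this looks like an accidental deletion while inserting `'* to relocate *',`. It drops a relocation indicator from attachment matching, and the rule may fail to parse if MQL does not accept a trailing comma. Suggest restoring the line so the list ends `'* relocation *',` then `'* moving *'`.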