diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 7f60c752bac..8b3b3e79a5f 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -13,6 +13,11 @@ source: |
 or strings.ilike(sender.email.email, '*github*')
 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
 )
+ // negating listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in (
 'github.com',
 'gitlab.com',
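Review bot: The new `and not (...)` negation is keyed entirely on sender-controllable signals — any sender can add a `List-Unsubscribe` header and put "via" in the display name — so a phishing message with display name `GitHub via Notifications` and a throwaway `List-Unsubscribe` header skips the whole impersonation check. `strings.contains(sender.display_name, "via")` is also a bare case-sensitive substring match, so a display name such as `Olivia` qualifies as a listserv too. Tighten the display-name side to the listserv format, `strings.ilike(sender.display_name, "* via *")`, and anchor the exception to something a forwarder cannot forge — a DMARC/SPF pass on the list's sending domain or an explicit allowlist of known list domains — if the rule schema exposes those fields. Expanding the comment to `// negating listservs: Google Groups-style forwards rewrite the display name to "<name> via <group>" and add List-Unsubscribe` would tell the next maintainer what this exception is meant to match. The `source:` expression starts before and ends after this hunk.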