From 0cb574fe6ec1a972d7e7798832d3aa6f311be442 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 17 Oct 2024 14:22:17 -0400 Subject: [PATCH 1/9] Update spam_attendee_list_solicitation.yml --- .../spam_attendee_list_solicitation.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index 602dd9f6038..8b63673c9a4 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml @@ -11,20 +11,23 @@ source: | "(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?[^\n\r]{0,20}(list|database)" ) or regex.icontains(body.current_thread.text, - "(list|database)[^\n\r]{0,20}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?" + "(list|database)[^\n\r]{0,20}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?" ) - or regex.icontains(body.current_thread.text, - '((demand|lead\b|marketing)[^\n\r]{0,20}(manager|head|lead|supervisor|executive))' + or ( + regex.icontains(body.current_thread.text, + '((demand|lead\b|marketing)[^\n\r]{0,20}(manager|head|lead|supervisor|executive))' + ) + and regex.icontains(body.current_thread.text, + "(list|database)" + ) ) ) and regex.icontains(body.current_thread.text, "(interested|accessing|purchas|obtain|acuir|sample)" ) and not regex.icontains(body.current_thread.text, - "(debit card|transaction.{0,20}processed)" + "(debit card|transaction.{0,20}processed)" ) - - and not profile.by_sender().solicited and not profile.by_sender().any_false_positives From 43a4937ac1dacba84f38d844b88f7098bdd99f5a Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 17 Oct 2024 14:44:11 -0400 Subject: [PATCH 2/9] Update spam_attendee_list_solicitation.yml --- .../spam_attendee_list_solicitation.yml | 22 ++++++------------- 1 file changed, 7 insertions(+), 15 deletions(-) 
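Review bot: The lines `"(list|database)[^\n\r]{0,20}(Attendee|…)(s)?"` and `"(debit card|transaction.{0,20}processed)"` are removed and re-added with identical text, so those edits are indentation only, and they sit in the same hunk as the real change (the new `demand|lead|marketing` title branch gated by a bare `(list|database)` match). Keeping whitespace-only edits out of a logic commit would make each step of this nine-commit series reviewable on its own, especially since the title branch is dropped again in the next patch. The `source:` block this hunk edits begins above the hunk.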
diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index 8b63673c9a4..a52cb616620 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml @@ -7,19 +7,13 @@ source: | and length(body.current_thread.text) < 2000 and length(body.links) < 5 and ( - regex.icontains(body.current_thread.text, - "(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?[^\n\r]{0,20}(list|database)" - ) - or regex.icontains(body.current_thread.text, - "(list|database)[^\n\r]{0,20}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?" - ) - or ( - regex.icontains(body.current_thread.text, - '((demand|lead\b|marketing)[^\n\r]{0,20}(manager|head|lead|supervisor|executive))' - ) - and regex.icontains(body.current_thread.text, - "(list|database)" - ) + any([subject.subject, body.current_thread.text], + regex.icontains(., + '(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email|Contact)(s)?(\s\w*){0,9}(list|database)' + ) + or regex.icontains(., + '(list|database)(\s\w*){0,9}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email|Contact)(s)?' + ) ) ) and regex.icontains(body.current_thread.text, @@ -28,8 +22,6 @@ source: | and not regex.icontains(body.current_thread.text, "(debit card|transaction.{0,20}processed)" ) - and not profile.by_sender().solicited - and not profile.by_sender().any_false_positives tags: - "Attack surface reduction" From c06a48ad7fc0cb8369d3ed25d1965bd1af354e6c Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 17 Oct 2024 15:51:17 -0400 Subject: [PATCH 3/9] Update spam_attendee_list_solicitation.yml --- .../spam_attendee_list_solicitation.yml | 88 ++++++++++++++++--- 1 file changed, 76 insertions(+), 12 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index a52cb616620..f0b1b801ec3 100644 
--- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml 
@@ -7,20 +7,84 @@ source: | and length(body.current_thread.text) < 2000 and length(body.links) < 5 and ( - any([subject.subject, body.current_thread.text], - regex.icontains(., - '(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email|Contact)(s)?(\s\w*){0,9}(list|database)' - ) - or regex.icontains(., - '(list|database)(\s\w*){0,9}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email|Contact)(s)?' + ( + ( + any([subject.subject, body.current_thread.text], + ( + regex.icontains(., + '(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list|database)' + ) + and not ( + regex.icount(., "email list") == 1 + and regex.icontains(., + '(?:unsub|remove)(\s\w*){0,5}email list', + 'email list(\s\w*){0,5}(?:unsub|remove)' + ) + ) + ) + or regex.icontains(., + '(list|database)(\s\w*){0,9}(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?' + ) + or strings.icontains(., 'list of ') ) + ) + and regex.icontains(body.current_thread.text, + "(interested|accessing|purchas|obtain|acuir|sample)" + ) + and not regex.icontains(body.current_thread.text, + "(debit card|transaction.{0,20}processed)" + ) + ) + // if there are indicators of a previous thread, also inspect the previous thread + or ( + // contains references to the previous thread + 2 of ( + regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'), + regex.icontains(body.current_thread.text, + '(?:below|previous|last|prior) email' + ), + regex.icontains(body.current_thread.text, 'follow(?:ing)? up'), + regex.icontains(body.current_thread.text, '(contacts?|attendees?) 
list'), + strings.icontains(body.current_thread.text, 'heard back'), + ) + and any([body.html.display_text, body.plain.raw], + ( + 3 of ( + strings.icontains(., "from:"), + strings.icontains(., "to:"), + strings.icontains(., "sent:"), + strings.icontains(., "date:"), + strings.icontains(., "cc:"), + strings.icontains(., "subject:") + ) + or strings.icontains(., + strings.concat(sender.display_name, + " <", + sender.email.email, + "> wrote:" + ) + ) + ) + // match _after_ the previous thread indciators + and ( + regex.icontains(., + '(from|to|sent|date|cc|subject|wrote):.*(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list|database)' + ) + or regex.icontains(., + '(from|to|sent|date|cc|subject|wrote):.*(list|database)(\s\w*){0,9}(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?' + ) + or ( + 2 of ( + strings.icontains(., "provide counts"), + regex.icontains(., "(?:verified|fresh) data"), + strings.icontains(., "precise targeting"), + strings.icontains(., "deliverability") + ) + and regex.icontains(., "(?:list|database)") + ) + ) + ) ) - ) - and regex.icontains(body.current_thread.text, - "(interested|accessing|purchas|obtain|acuir|sample)" - ) - and not regex.icontains(body.current_thread.text, - "(debit card|transaction.{0,20}processed)" ) tags: From 2b0f6540329b7d6311fb6274255e7a0007ab1b31 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 17 Oct 2024 15:56:03 -0400 Subject: [PATCH 4/9] Update spam_attendee_list_solicitation.yml --- detection-rules/spam_attendee_list_solicitation.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index f0b1b801ec3..fea1de2523c 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml 
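Review bot: The previous-thread branch anchors its match with `(from|to|sent|date|cc|subject|wrote):.*(Attendee|…)`, but `.` does not match a newline in most engines (RE2's default included, unless `(?s)` is set), so on `body.plain.raw`, where a quoted header and the pitch text normally sit on different lines, the branch only fires when both occur on one line; if the intent is "anywhere after the header", write the anchor as `(?:from|to|sent|date|cc|subject|wrote):[\s\S]{0,1000}(?:Attendee|…)` (bound chosen as an example) or prefix the pattern with `(?s)`. The same construct is carried through the `@@ -68,10 +59,10 @@` hunk of patch 5 and the `@@ -67,10 +67,10 @@` hunks of patches 8 and 9. The re-added intent list `"(interested|accessing|purchas|obtain|acuir|sample)"` still contains `acuir`, which matches nothing and presumably should read `acquir` to cover "acquire/acquiring", and the comment `// match _after_ the previous thread indciators` misspells "indicators". Note also that the `debit card|transaction.{0,20}processed` exclusion now guards only the first branch, so the previous-thread branch has no negative term at all; confirm that is intended. The `source:` block this hunk edits begins above the hunk.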
@@ -12,7 +12,7 @@ source: | any([subject.subject, body.current_thread.text], ( regex.icontains(., - '(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list|database)' + '(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list(s|\b)|database)' ) and not ( regex.icount(., "email list") == 1 @@ -86,7 +86,6 @@ source: | ) ) ) - tags: - "Attack surface reduction" attack_types: From 4c913311accbcfe93e77cd5eee9a38dc0c61a4c3 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Fri, 18 Oct 2024 13:35:31 -0400 Subject: [PATCH 5/9] Update spam_attendee_list_solicitation.yml --- .../spam_attendee_list_solicitation.yml | 28 ++++++++----------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index fea1de2523c..f3b1e16fea8 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml 
@@ -10,29 +10,20 @@ source: | ( ( any([subject.subject, body.current_thread.text], - ( - regex.icontains(., - '(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list(s|\b)|database)' - ) - and not ( - regex.icount(., "email list") == 1 - and regex.icontains(., - '(?:unsub|remove)(\s\w*){0,5}email list', - 'email list(\s\w*){0,5}(?:unsub|remove)' - ) - ) + regex.icontains(., + '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list|database)' ) or regex.icontains(., - '(list|database)(\s\w*){0,9}(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?' + '(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' ) or strings.icontains(., 'list of ') ) ) and regex.icontains(body.current_thread.text, - "(interested|accessing|purchas|obtain|acuir|sample)" + "(?:interested|accessing|purchas|obtain|acuir|sample)" ) and not regex.icontains(body.current_thread.text, - "(debit card|transaction.{0,20}processed)" + "(?:debit card|transaction.{0,20}processed)" ) ) // if there are indicators of a previous thread, also inspect the previous thread @@ -44,7 +35,7 @@ source: | '(?:below|previous|last|prior) email' ), regex.icontains(body.current_thread.text, 'follow(?:ing)? up'), - regex.icontains(body.current_thread.text, '(contacts?|attendees?) list'), + regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'), strings.icontains(body.current_thread.text, 'heard back'), ) and any([body.html.display_text, body.plain.raw], 
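Review bot: The rewritten reversed pattern `'(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|…)s?'` is written in a different style from the forward pattern directly above it: it keeps a capturing `(\s\w*)` where the forward pattern switched to `(?:\s\w*)`, and its trailing `s?` adds nothing for a substring search like `regex.icontains` (the pattern already matches with or without the "s") while reading as if it constrained something. Using `(?:\s\w*){0,9}` and dropping the trailing `s?` would make the two patterns mirror images. The same mixed style is copied into the previous-thread patterns in `@@ -68,10 +59,10 @@` of this patch and survives through patches 8 and 9. The `source:` block this hunk edits begins above the hunk.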
@@ -68,10 +59,10 @@ source: | // match _after_ the previous thread indciators and ( regex.icontains(., - '(from|to|sent|date|cc|subject|wrote):.*(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?(\s\w*){0,9}(list|database)' + '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list|database)' ) or regex.icontains(., - '(from|to|sent|date|cc|subject|wrote):.*(list|database)(\s\w*){0,9}(Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(s)?' + '(?:from|to|sent|date|cc|subject|wrote):.*(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' ) or ( 2 of ( @@ -86,6 +77,9 @@ source: | ) ) ) + + and not profile.by_sender().solicited + and not profile.by_sender().any_false_positives tags: - "Attack surface reduction" attack_types: From 7ccc1c01241a65aa6cc56d685dc78815d6cc07f6 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Mon, 21 Oct 2024 11:21:28 -0400 Subject: [PATCH 6/9] Update spam_attendee_list_solicitation.yml --- .../spam_attendee_list_solicitation.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index f3b1e16fea8..13d5c4c8510 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml 
@@ -10,13 +10,21 @@ source: | ( ( any([subject.subject, body.current_thread.text], - regex.icontains(., - '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list|database)' + ( + regex.icontains(., + '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list|database)' + ) + and not ( + regex.icount(., "email list") == 1 + and regex.icontains(., + '(?:unsub|remove|safe)[[:punct:]]*s?(?:\s\w*){0,9}email list', + 'email list[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe)' + ) + ) ) or regex.icontains(., '(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' ) - or strings.icontains(., 'list of ') ) ) and regex.icontains(body.current_thread.text, @@ -77,7 +85,7 @@ source: | ) ) ) - + and not profile.by_sender().solicited and not profile.by_sender().any_false_positives tags: From 8d77df8332569327ca5fb512c7fdcff0d5ef0b0b Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Mon, 21 Oct 2024 13:35:31 -0400 Subject: [PATCH 7/9] Update spam_attendee_list_solicitation.yml --- detection-rules/spam_attendee_list_solicitation.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index 13d5c4c8510..0f3075686ce 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml 
@@ -12,13 +12,13 @@ source: | any([subject.subject, body.current_thread.text], ( regex.icontains(., - '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list|database)' + '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list[^ei]|database)' ) and not ( - regex.icount(., "email list") == 1 + regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1 and regex.icontains(., - '(?:unsub|remove|safe)[[:punct:]]*s?(?:\s\w*){0,9}email list', - 'email list[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe)' + '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email) list', + 'email list[^ei][[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)' ) ) ) @@ -79,7 +79,7 @@ source: | strings.icontains(., "precise targeting"), strings.icontains(., "deliverability") ) - and regex.icontains(., "(?:list|database)") + and regex.icontains(., "(?:list[^ie]|database)") ) ) ) From b6ecf5892c5d9829b0ba8c19dca4502207c43e6d Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Tue, 22 Oct 2024 17:16:31 -0400 Subject: [PATCH 8/9] Update spam_attendee_list_solicitation.yml --- detection-rules/spam_attendee_list_solicitation.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index 0f3075686ce..c21763f0ffc 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml +++ b/detection-rules/spam_attendee_list_solicitation.yml 
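Review bot: The two unsubscribe-footer patterns no longer mirror each other: the first now accepts `(mailing|email) list` after `unsub|remove|safe|delete`, while the second, `'email list[^ei][[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)'`, still accepts only the literal `email list`, so a footer phrased "…our mailing list. To unsubscribe…" is not excluded even though the positive pattern (with `Email` in its noun list and a nine-word window) can match text such as "this email … mailing list" and the count gate reports exactly one hit. Starting the second pattern with `'(?:mailing|email) list[^ei]…'` restores the symmetry, and `(mailing|email)` in the first should be `(?:mailing|email)` to match the hunk's own non-capturing style. The asymmetry is carried into the same lines in patches 8 and 9. The `source:` block this hunk edits begins above the hunk.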
@@ -17,7 +17,7 @@ source: | and not ( regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1 and regex.icontains(., - '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email) list', + '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email).{0,9}list[^ei]', 'email list[^ei][[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)' ) ) @@ -67,10 +67,10 @@ source: | // match _after_ the previous thread indciators and ( regex.icontains(., - '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list|database)' + '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list[^ei]|database)' ) or regex.icontains(., - '(?:from|to|sent|date|cc|subject|wrote):.*(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' + '(?:from|to|sent|date|cc|subject|wrote):.*(?:list[^ei]|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' ) or ( 2 of ( @@ -85,7 +85,6 @@ source: | ) ) ) - and not profile.by_sender().solicited and not profile.by_sender().any_false_positives tags: From a3161d11faad41f7d8bbcf1d1f3b3a3156e9d7cd Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Fri, 25 Oct 2024 12:48:03 -0400 Subject: [PATCH 9/9] Update spam_attendee_list_solicitation.yml --- detection-rules/spam_attendee_list_solicitation.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/detection-rules/spam_attendee_list_solicitation.yml b/detection-rules/spam_attendee_list_solicitation.yml index c21763f0ffc..c594fc40668 100644 --- a/detection-rules/spam_attendee_list_solicitation.yml 
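Review bot: The changed exception line `'(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email).{0,9}list[^ei]'` allows at most nine characters between `mailing|email` and `list`, while the `regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1` gate it is paired with allows nine words, so a footer such as "remove me from your email marketing and events list" is counted as the single email-list mention yet fails the exception, and the rule proceeds on footer text alone. Aligning the two windows, e.g. `(?:mailing|email)(?:\s\w*){0,9}list[^ei]`, keeps the count and the exception describing the same phrase. Separately, this hunk drops `and not profile.by_sender().solicited` with no recorded reason; since that presumably loosens the rule to senders the recipient has previously written to, a one-line `//` comment above the remaining `and not profile.by_sender().any_false_positives` stating why would stop the next maintainer from restoring it, as already happened once in this series. The `source:` block this hunk edits begins above the hunk.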
+++ b/detection-rules/spam_attendee_list_solicitation.yml @@ -12,13 +12,13 @@ source: | any([subject.subject, body.current_thread.text], ( regex.icontains(., - '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list[^ei]|database)' + '(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)' ) and not ( regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1 and regex.icontains(., - '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email).{0,9}list[^ei]', - 'email list[^ei][[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)' + '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email).{0,9}list(?:\b|[^ei])', + 'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)' ) ) ) @@ -67,10 +67,10 @@ source: | // match _after_ the previous thread indciators and ( regex.icontains(., - '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list[^ei]|database)' + '(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)' ) or regex.icontains(., - '(?:from|to|sent|date|cc|subject|wrote):.*(?:list[^ei]|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' + '(?:from|to|sent|date|cc|subject|wrote):.*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?' ) or ( 2 of ( 
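Review bot: The count gate `regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1` is the one `list` occurrence in this hunk left without the `(?:\b|[^ei])` suffix the hunk adds everywhere else, so phrases such as "reply to this email to listen …" or "email … listing" count toward the `== 1` gate and can switch the unsubscribe-footer exception off (count 2) for a body whose only real email-list mention is the footer. Suggested: `regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list(?:\b|[^ei])') == 1`. The `source:` block this hunk edits begins above the hunk.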
@@ -79,7 +79,7 @@ source: | strings.icontains(., "precise targeting"), strings.icontains(., "deliverability") ) - and regex.icontains(., "(?:list[^ie]|database)") + and regex.icontains(., '(?:list(?:\b|[^ei])|database)') ) ) )