heroui logo

Fuzzy Attack Score: Advanced Graymail Detection

Sublime Rules

View Source
Summary
This rule detects graymail by invoking a beta function fuzzy_attack_score on inbound events. The rule requires two conditions: the event type is inbound (type.inbound) and the verdict returned by the fuzzy_attack_score function equals graymail. When both conditions are met, the rule fires with medium severity to flag potential graymail for downstream handling. The rule explicitly uses a beta feature, noting that it is subject to change and not recommended for production until formally released. The intent is to augment inbound content analysis (such as email or messaging payloads) with a content-scoring step that can classify nuisance or promotional messages as graymail rather than unmistakable spam. Because the underlying beta feature is not yet stable, operators should anticipate possible API changes, false positives, and evolving verdict taxonomy. This rule does not replace existing anti-spam controls but provides an additional signal for triage, enabling automated routing or manual review when inbound content is labeled as graymail by the fuzzy score. Operational considerations include enabling the beta feature in a non-production environment, validating with representative inbound data, and coordinating with mail or messaging workflows to ensure actions (quarantine, tagging, or escalation) align with policy.
Categories
  • Network
Data Sources
  • Network Traffic
Created: 2026-07-17