Update spam_attendee_list_solicitation.yml (#2288)

detection-rules/spam_attendee_list_solicitation.yml

@@ -17,8 +17,8 @@ source: |
               and not (
                 regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1
                 and regex.icontains(.,
-                                    '(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email)(?:\s\w*){0,9}list(?:\b|[^ei])',
-                                    'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)'
+                                    '(?:unsub|remove|safe|delete|leave|update|part of|be added)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email)(?:\s\w*){0,9}list(?:\b|[^ei])',
+                                    'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete|leave|up to date|part of|be added)'
                 )
               )
             )
@@ -31,7 +31,7 @@ source: |
                           "(?:interested|accessing|purchas|obtain|acuir|sample)"
       )
       and not regex.icontains(body.current_thread.text,
-                              "(?:debit card|transaction.{0,20}processed)"
+                              "(?:debit card|transaction.{0,20}processed|receipt)"
       )
     )
     // if there are indicators of a previous thread, also inspect the previous thread
@@ -48,7 +48,7 @@ source: |
         strings.icontains(body.current_thread.text, 'heard back'),
         strings.icontains(body.current_thread.text, 'recently sent'),
         strings.icontains(body.current_thread.text, 'still interested'),
-        strings.icontains(body.current_thread.text, 'swift response'),
+        regex.icontains(body.current_thread.text, '(swift|quick|short) response'),
       )
       and any([body.html.display_text, body.plain.raw],
               (