There are a variety of named lists that can be accessed via MQL. List names are always prepended with $ when referenced in MQL. Today, lists are only created and updated by the Sublime team or by the Platform itself. In the future, we'll enable arbitrary list creation, updating, and sharing.

📘

How to use lists in rules

See the lists syntax for usage instructions.

System Lists

System lists are created and managed by your Sublime instance and include information specific to your environment. These lists are populated at runtime to ensure they're always up-to-date.

Recipient domains

$recipient_domains

A list of all domains anyone in your organization has sent an email to. This includes any domain that has appeared in the "to", "cc", and "bcc" fields of any outbound message.

Example usage:

sender.email.domain.domain not in $recipient_domains

Recipient emails

$recipient_emails

A list of all email addresses anyone in your organization has sent an email to. This includes all email addresses that have appeared in the "to", "cc", and "bcc" fields of any outbound message.

Example usage:

sender.email.email not in $recipient_emails

Sender domains

$sender_domains

A list of all domains anyone in your organization has received an email from.

Example usage:

sender.email.domain.domain not in $sender_domains

Sender emails

$sender_emails

A list of all email addresses anyone in your organization has received an email from.

Example usage:

sender.email.email not in $sender_emails

Sublime Lists

Sublime lists are maintained by the Sublime team and are open-source on GitHub.

Alexa Top 1 Million Domains

$alexa_1m

The top 1 million domains, as ranked by Alexa.

Example usage:

any(body.links, .href_url.domain.domain not in $alexa_1m)

Disposable Email Providers

$disposable_email_providers

Domains of disposable (or temporary) email providers that generate short-lived email addresses not owned by or attributable to any single user.

Example usage:

any(recipients.to, .email.domain.domain in $disposable_email_providers)

Free Email Providers

$free_email_providers

Domains of free email ("freemail") providers that allow anyone to create an email address. This is important to ensure the email address does not inherit the reputation of the freemail provider's domain. This list also includes the contents of $disposable_email_providers.

Example usage:

sender.email.domain.domain in $free_email_providers

Free File Hosts

$free_file_hosts

Domains of free file hosting sites that allow anyone to upload and serve arbitrary files.

Example usage:

any(body.links, .href_url.domain.domain in $free_file_hosts)

Free Subdomain Hosts

$free_subdomain_hosts

Free subdomain sites that allow anyone to create their own subdomain and host arbitrary content. This is important to ensure the subdomains do not inherit the reputation of the root domain.

Example usage:

any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)

Majestic Million Domains

$majestic_million

The Majestic Million is a collection of 1 million domains that have the most referring subnets.

Example usage:

any(body.links, .href_url.domain.domain not in $majestic_million)

Suspicious TLDs

$suspicious_tlds

Top-level domains that are either frequently abused, free to register, or otherwise not generally used in the normal course of business or email communication.

Example usage:

any(body.links, .href_url.domain.tld in $suspicious_tlds)

Tranco Top 1 Million Domains

$tranco_1m

The top 1 million domains found by Tranco ranking, a research-oriented top sites ranking hardened against manipulation.

Example usage:

any(body.links, .href_url.domain.domain not in $tranco_1m)

Cisco Umbrella Top 1 Million Domains

$umbrella_1m

Top 1 million most popular domains as ranked by Cisco Umbrella (based on passive DNS data).

Example usage:

any(body.links, .href_url.domain.domain not in $umbrella_1m)

Umbrella Top TLDs

$umbrella_1m_tld

The TLDs found in $umbrella_1m.

Example usage:

any(body.links, .href_url.domain.tld not in $umbrella_1m_tld)

URL Shorteners

$url_shorteners

Known URL shorteners that allow anyone to host arbitrary content.

Example usage:

any(body.links, .href_url.domain.root_domain  in $url_shorteners)