External form with auto-submit targeting third-party domain (CSRF)
csrf-form-in-email
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Email HTML contains a <form> with an action pointing to an external domain AND has auto-submit indicators (onload, document.forms, submit(), autosubmit, or hidden inputs). The form action domain differs from the sender domain. This compound signal detects CSRF attacks where opening the email triggers actions on third-party sites using the victim's session cookies. Requires 2+ conditions: external form action, auto-submit indicators, sender domain mismatch.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started