On Fri, 5 Oct 2018, Zinski, Steve wrote:
Here's how I'm blocking bitcoin emails with Unicode characters embedded:
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
body __BTC4 /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score LOCAL_BITCOIN 10.0
Works like a charm in my environment.
To clarify: I added a rule for general obfuscation using the zero-width
Unicode glyph. It's not bitcoin-specific.
With your permission I can add that to my sandbox and see how it does in
masscheck.
On 10/5/18, 10:54 AM, "John Hardin" <jhar...@impsec.org> wrote:
On Fri, 5 Oct 2018, Pedro David Marco wrote:
> >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <kmcgr...@apache.org> wrote:
> >Interesting. Any chance for an unmodified pastebin spample?
>
> Yes please Joseph... any chance for it, please? We are hungry...
Test rule checked into my sandbox last night...
Initial results aren't too promising.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the place of government to make right every tragedy and
woe that befalls every resident of the nation.
-----------------------------------------------------------------------
554 days since the first commercial re-flight of an orbital booster (SpaceX)