Yes, absolutely.

On 10/5/18, 1:42 PM, "John Hardin" <jhar...@impsec.org> wrote:

    On Fri, 5 Oct 2018, Zinski, Steve wrote:
    
    > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
    >
    > body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
    > body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
    > body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
    > body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
    > meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
    > score   LOCAL_BITCOIN   10.0
    >
    > Works like a charm in my environment.
    
    To clarify: I added a rule for general obfuscation using the zero-width 
    Unicode glyph. It's not bitcoin-specific.
    
    With your permission I can add that to my sandbox and see how it does in 
    masscheck.
    
    > On 10/5/18, 10:54 AM, "John Hardin" <jhar...@impsec.org> wrote:
    >
    >    On Fri, 5 Oct 2018, Pedro David Marco wrote:
    >
    >    >   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <kmcgr...@apache.org> wrote:
    >    > >Interesting.  Any chance for an unmodified pastebin spample?
    >    >
    >    > Yes please Joseph... any chance for it, please? We are hungry...
    >
    >    Test rule checked into my sandbox last night...
    >
    >    Initial results aren't too promising.
    
    -- 
      John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
      jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
      key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
       It is not the place of government to make right every tragedy and
       woe that befalls every resident of the nation.
    -----------------------------------------------------------------------
      554 days since the first commercial re-flight of an orbital booster (SpaceX)
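
Added example (not part of the thread and not any poster's code): a Python port of the quoted `LOCAL_BITCOIN` sub-rules, run over constructed message bodies to show which sub-rule catches zero-width padding and which catches Cyrillic look-alike letters. It assumes the body has already been decoded to Unicode text; the function name `local_bitcoin`, the sample bodies and the address-shaped string are constructed for the example.

```python
import re

# Python ports of the quoted sub-rules; Perl's \x{0456} is written \u0456 here.
RULES = {
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    "__BTC4": re.compile(r"\bb[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I),
}

def local_bitcoin(body):
    """Return (sub-rules that hit, whether the LOCAL_BITCOIN meta fires)."""
    hits = {name for name, rx in RULES.items() if rx.search(body)}
    # meta: __BTC1 && ( __BTC2 || __BTC3 || __BTC4 )
    fires = "__BTC1" in hits and bool(hits & {"__BTC2", "__BTC3", "__BTC4"})
    return hits, fires

# Constructed, address-shaped placeholder (not a real wallet): "1" + 32 Base58 chars.
ADDR = "1" + "Abc9" * 8
ZW = "\u200b"  # ZERO WIDTH SPACE: a non-word character, so \W* absorbs it

# Constructed sample bodies.
SAMPLES = {
    "plain":      f"Send bitcoin to {ADDR} today",
    "zero_width": f"Send {ZW.join('bitcoin')} to {ADDR} today",
    "cyrillic":   f"Send b\u0456t\u0441\u043e\u0456n to {ADDR} today",
    "punctuated": f"Pay 0.5 B.T.C to {ADDR} today",
    "no_address": "I read an article about bitcoin mining",
    "no_keyword": f"Order reference {ADDR} has shipped",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits, fires = local_bitcoin(body)
        print(f"{label:11} fires={fires!s:5} hits={sorted(hits)}")
```

The `no_keyword` row shows why `__BTC1` is only a sub-rule: any 26 to 35 character Base58-shaped token starting with 1 or 3 matches it, so the keyword sub-rules are what keep the meta from firing on ordinary identifiers.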
