https://pastebin.com/TRD7FzRQ

I have a sample here

On 05.10.2018 at 19:50, Zinski, Steve wrote:
Yes, absolutely.


On 10/5/18, 1:42 PM, "John Hardin" <jhar...@impsec.org> wrote:

     On Fri, 5 Oct 2018, Zinski, Steve wrote:
     > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
     >
     > body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
     > body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
     > body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
     > body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
     > meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
     > score   LOCAL_BITCOIN   10.0
     >
     > Works like a charm in my environment.

     To clarify: I added a rule for general obfuscation using the zero-width
     Unicode glyph. It's not bitcoin-specific.

     With your permission I can add that to my sandbox and see how it does in
     masscheck.

     > On 10/5/18, 10:54 AM, "John Hardin" <jhar...@impsec.org> wrote:
     >
     >    On Fri, 5 Oct 2018, Pedro David Marco wrote:
     >
     >    >   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <kmcgr...@apache.org> wrote:
     >    > >Interesting.  Any chance for an unmodified pastebin spample?
     >    >
     >    > Yes please Joseph... any  change for it, please?  We are hungry...
     >
     >    Test rule checked into my sandbox last night...
     >
     >    Initial results aren't too promising.
--
       John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
       jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
       key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
     -----------------------------------------------------------------------
        It is not the place of government to make right every tragedy and
        woe that befalls every resident of the nation.
     -----------------------------------------------------------------------
       554 days since the first commercial re-flight of an orbital booster (SpaceX)
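
Added example, not part of the thread and not SpamAssassin code: a Python port of the four sub-rules and the `LOCAL_BITCOIN` meta rule quoted above, run over constructed message bodies to show which sub-rule catches plain text, zero-width separators and Cyrillic look-alike letters. The sample address, the bodies and the `evaluate` helper are constructed for illustration, and the port assumes the rules are matched against decoded Unicode text.

```python
import re

# Python port of the sub-rules quoted in the thread (Perl \x{0456} becomes
# \u0456). Assumption: rules see decoded Unicode text, not raw UTF-8 bytes.
RULES = {
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    "__BTC4": re.compile(r"\bb[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I),
}
WORD_RULES = {"__BTC2", "__BTC3", "__BTC4"}


def evaluate(body):
    """Return (sub-rules that hit, whether meta LOCAL_BITCOIN would fire)."""
    hits = {name for name, rx in RULES.items() if rx.search(body)}
    return hits, "__BTC1" in hits and bool(hits & WORD_RULES)


# Constructed test data: ADDR only has the shape __BTC1 looks for, it is not
# a real wallet address. ZW is U+200B ZERO WIDTH SPACE.
ADDR = "1ConstructedSampLeAddressXyz23456"
ZW = "\u200b"
SAMPLES = {
    "plain": f"Send 500 USD in bitcoin to {ADDR} within 48 hours",
    "zero_width": f"Send 500 USD in {ZW.join('bitcoin')} to {ADDR} now",
    # Cyrillic і (U+0456), с (U+0441), о (U+043E) in place of Latin i, c, o
    "homoglyph": f"Send 500 USD in b\u0456t\u0441\u043e\u0456n to {ADDR} now",
    "no_address": "Bitcoin price update for this week",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits, meta = evaluate(body)
        print(f"{label:11} meta={meta!s:5} hits={sorted(hits)}")
```

In this port the zero-width body is matched by `__BTC2` (the `\W*` gaps) but not `__BTC4`, the look-alike body by `__BTC4` but not `__BTC2`, and the body without an address-shaped token does not fire the meta rule.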
