> The trouble with this is that you would be adding 10 points to anything
> with a bitcoin address whether anything's obfuscated or not. If you want
> to avoid this take a look at the FUZZY_* rules.
Well, actually, no. I sent you a snippet of my rule and inflated the score to 10 for those of you who wanted to detect emails with obfuscated (Unicode) bitcoin addresses within. I use the following rules to block the sextortion emails that are so rampant right now. As you can see, it assigns a 0.1 score to the bitcoin portion, then the following rule uses that to test for sextortion emails (also obfuscated with Unicode characters). These two rules work great for me in stopping the vast majority of sextortion emails coming to our campus.

body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
body __BTC4 /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score LOCAL_BITCOIN 0.1

body __UCporn /\b\W*p\W*o\W*r\W*n\W*\b/
body __UCpixel /\b\W*p\W*i\W*x\W*e\W*l\W*\b/
body __UCvideos /\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b/
body __UCwebcam /\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b/
body __UCkeylogger /\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b/
body __UCviruses /\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b/
body __UCmalware /\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b/
body __UCtrojan /\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b/
body __UCrecording /\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b/
body __UChacked /\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b/
meta LOCAL_SEXTORTION ( LOCAL_BITCOIN && ( __UCporn || __UCpixel || __UCvideos || __UCwebcam ) && ( __UCkeylogger || __UCviruses || __UCmalware || __UCtrojan || __UCrecording || __UChacked ) )
score LOCAL_SEXTORTION 20.0

The gist of the SEXTORTION rule is the email must contain a bitcoin address AND (porn or pixel or video/videos or webcam/camera/cam) AND (keylogger or virus/viruses or malware or trojan or recording or hacked). Every sextortion email that I've seen contains those words. It's not pretty, but it works (until the scammers change tactics).
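To see the two meta rules in action without a SpamAssassin install, here is an added Python re-implementation of the rules quoted above (example code written for this thread, not the poster's own ruleset). Perl's \x{0456} becomes Python's \u0456; the sample bodies are constructed for the test and the bitcoin address in them is a made-up string that merely fits the __BTC1 pattern. It assumes the message body has already been decoded to a Unicode string, the way a SpamAssassin body rule sees rendered text.

```python
import re

# Python translations of the SpamAssassin body rules from the post above.
# Python's re treats \b and \W as Unicode-aware on str patterns, so a Cyrillic
# letter counts as a word character, just as in SpamAssassin's Perl regexes.
BODY_RULES = {
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    # Cyrillic homoglyphs: U+0456 (i), U+0441 (c), U+043E (o)
    "__BTC4": re.compile(r"\bb[i\u0456]t[c\u0441][o\u043E][i\u0456]n\b", re.I),
    "__UCporn": re.compile(r"\b\W*p\W*o\W*r\W*n\W*\b"),
    "__UCpixel": re.compile(r"\b\W*p\W*i\W*x\W*e\W*l\W*\b"),
    "__UCvideos": re.compile(r"\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b"),
    "__UCwebcam": re.compile(r"\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b"),
    "__UCkeylogger": re.compile(r"\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b"),
    "__UCviruses": re.compile(r"\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b"),
    "__UCmalware": re.compile(r"\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b"),
    "__UCtrojan": re.compile(r"\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b"),
    "__UCrecording": re.compile(r"\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b"),
    "__UChacked": re.compile(r"\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b"),
}


def body_hits(body):
    """Which sub-rules match the body; mirrors SpamAssassin's per-rule hits."""
    return {name: bool(rx.search(body)) for name, rx in BODY_RULES.items()}


def evaluate(body):
    """Apply the two meta rules and return (rules fired, total score)."""
    h = body_hits(body)
    local_bitcoin = h["__BTC1"] and (h["__BTC2"] or h["__BTC3"] or h["__BTC4"])
    local_sextortion = (
        local_bitcoin
        and (h["__UCporn"] or h["__UCpixel"] or h["__UCvideos"] or h["__UCwebcam"])
        and (h["__UCkeylogger"] or h["__UCviruses"] or h["__UCmalware"]
             or h["__UCtrojan"] or h["__UCrecording"] or h["__UChacked"])
    )
    fired, score = [], 0.0
    if local_bitcoin:
        fired.append("LOCAL_BITCOIN")
        score += 0.1
    if local_sextortion:
        fired.append("LOCAL_SEXTORTION")
        score += 20.0
    return fired, round(score, 1)


# Constructed sample bodies (not real messages). FAKE_ADDR is a made-up string
# shaped like a legacy bitcoin address so that __BTC1 fires on it.
FAKE_ADDR = "1" + "SampAddr" * 4 + "9"
SAMPLES = {
    # keywords spaced/dotted apart, "bitcoin" spelled with Cyrillic homoglyphs
    "obfuscated_extortion": (
        "Your w e b c a m was controlled by my m.a.l.w.a.r.e. Pay 700 USD in "
        "b\u0456tc\u043E\u0456n to " + FAKE_ADDR + " within 48 hours."
    ),
    # mentions bitcoin and video but carries no address: nothing fires
    "news_ham": "Bitcoin climbed again today; analysts blamed the video of the conference.",
    # legitimate payment note: address plus "BTC" gives 0.1, no extortion words
    "invoice_ham": "Please settle the invoice via BTC at " + FAKE_ADDR + ". Thanks!",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, evaluate(body))
```

The obfuscated sample is caught only because __BTC4 fires where __BTC2 cannot (the Cyrillic letters are word characters, so the `\W*` gaps in __BTC2 never match them), which is the reason that rule exists alongside the spaced-letter one.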