On Mon, 8 Oct 2018, Zinski, Steve wrote:

   > The trouble with this is that you would be adding 10 point to anything
   > with a bitcoin address whether anything's obfuscated or not. If you want
   > to avoid this take a look at the FUZZY_* rules.

Well, actually, no. I sent you a snippet of my rule and inflated the score to 
10 for those of you who wanted to detect emails with obfuscated (Unicode) 
bitcoin addresses within.

The point was, __BTC4 will hit on non-obfuscated "bitcoin", so the meta should hit on any email with clear "bitcoin" and a bitcoin ID.

I recommend this:

  body    __BTC4     /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i

...to rule that out.

I use the following rules to block the sextortion emails that are so rampant 
right now. As you can see, it assigns a 0.1 score to the bitcoin portion, then 
the following rule uses that to test for sextortion emails (also obfuscated 
with Unicode characters). These two rules work great for me in stopping the 
vast majority of sextortion emails coming to our campus.

body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score   LOCAL_BITCOIN   0.1

body    __UCporn        /\b\W*p\W*o\W*r\W*n\W*\b/
body    __UCpixel       /\b\W*p\W*i\W*x\W*e\W*l\W*\b/
body    __UCvideos      /\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b/
body    __UCwebcam      /\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b/
body    __UCkeylogger   /\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b/
body    __UCviruses     /\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b/
body    __UCmalware     /\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b/
body    __UCtrojan      /\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b/
body    __UCrecording   /\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b/
body    __UChacked      /\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b/
meta    LOCAL_SEXTORTION    ( LOCAL_BITCOIN && ( __UCporn || __UCpixel || __UCvideos || __UCwebcam ) && ( __UCkeylogger || __UCviruses || __UCmalware || __UCtrojan || __UCrecording || __UChacked ) )
score   LOCAL_SEXTORTION    20.0

The gist of the SEXTORTION rule is the email must contain a bitcoin address AND 
(porn or pixel or video/videos or webcam/camera/cam) AND (keylogger or 
virus/viruses or malware or trojan or recording or hacked). Every sextortion 
email that I've seen contains those words.

It's not pretty, but it works (until the scammers change tactics).

It's also a bit dangerous. "*" in a body rule opens you to DoS attacks.

I recommend   \W{0,10}    instead of   \W*  to reduce that exposure.

Also, it's a bit more efficient to not use capturing parens if you're not going to do anything with the match:

   /\b\W*(?:w\W*e\W*b\W*)?c\W*a\W*m\W*(?:e\W*r\W*a)?\W*\b/


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Politicians never accuse you of "greed" for wanting other people's
  money, only for wanting to keep your own money.    -- Joseph Sobran
-----------------------------------------------------------------------
 557 days since the first commercial re-flight of an orbital booster (SpaceX)
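The following is an added example, not part of the thread and not SpamAssassin code: it re-creates the rule logic discussed above (Steve's __BTC*/__UC* body rules and the two meta rules, with John's two suggestions applied: the bounded `\W{0,10}` gap and the `(?!itcoin)` lookahead) in Python's `re` module so the behaviour can be checked offline against constructed message bodies. Python stands in for SpamAssassin's Perl engine (Perl's `\x{0456}` is written `\u0456`); the helper names `spaced`, `any_of`, `score` and `is_obfuscated_bitcoin` are mine, and the sample bodies and the address placeholder are constructed, not real mail or a real wallet.

```python
import re

# Python's `re` stands in for SpamAssassin's Perl engine: Perl \x{0456} is
# written \u0456 here, and str patterns treat Cyrillic letters as \w, as Perl does.

GAP = r"\W{0,10}"  # John's bounded gap instead of Steve's unbounded \W*


def spaced(word):
    """Regex for `word` with up to 10 non-word chars between letters: 'b.i-t c o i n'."""
    return r"\b" + GAP + GAP.join(word) + GAP + r"\b"


def any_of(words):
    # Case-insensitive throughout (Steve's __UC rules are case-sensitive).
    return re.compile("|".join(spaced(w) for w in words), re.I)


# __BTC1: base58 address shape starting with 1 or 3 (26-35 chars)
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# __BTC2 / __BTC3 with the bounded gap
BTC_SPACED = any_of(["bitcoin", "btc"])
# __BTC4: Latin letters or their Cyrillic look-alikes і (U+0456), с (U+0441), о (U+043E)
BTC_HOMOGLYPH = re.compile(r"\bb[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I)
# John's variant: the lookahead rejects plain ASCII "bitcoin", so only mixed-script spellings hit
BTC_HOMOGLYPH_ONLY = re.compile(r"\bb(?!itcoin)[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I)

# The two word groups combined by the LOCAL_SEXTORTION meta rule
SEX_WORDS = any_of(["porn", "pixel", "video", "videos", "webcam", "camera", "cam"])
COMPROMISE_WORDS = any_of(["keylogger", "virus", "viruses", "malware", "trojan", "recording", "hacked"])


def is_obfuscated_bitcoin(text):
    """True only for homoglyph spellings such as 'bіtсоin', never for plain 'bitcoin'."""
    return BTC_HOMOGLYPH_ONLY.search(text) is not None


def score(body):
    """Evaluate LOCAL_BITCOIN and LOCAL_SEXTORTION the way the meta rules combine them."""
    local_bitcoin = bool(BTC_ADDR.search(body)) and bool(
        BTC_SPACED.search(body) or BTC_HOMOGLYPH.search(body)
    )
    local_sextortion = local_bitcoin and bool(SEX_WORDS.search(body)) and bool(COMPROMISE_WORDS.search(body))
    total = (0.1 if local_bitcoin else 0.0) + (20.0 if local_sextortion else 0.0)
    return {"LOCAL_BITCOIN": local_bitcoin, "LOCAL_SEXTORTION": local_sextortion, "score": round(total, 1)}


# Constructed sample bodies. The address is a placeholder that merely fits the
# base58 shape (no 0, O, I, l); it is not a real wallet.
ADDR = "1CNSTRUCTEDSAMPLEADDRESSxyz123456"
SEXTORTION = (
    "I h a c k e d your device and filmed you through your webcam. "
    "Pay 0.5 b\u0456t\u0441\u043ein to " + ADDR + " within 48 hours."
)
NEWSLETTER = "Weekly bitcoin price report. Tips: " + ADDR
PLAIN = "Bring the camera to the meeting tomorrow; the video will be recorded."

if __name__ == "__main__":
    for name, body in [("sextortion", SEXTORTION), ("newsletter", NEWSLETTER), ("plain", PLAIN)]:
        print(name, score(body))
    print("plain 'bitcoin' obfuscated?", is_obfuscated_bitcoin("bitcoin"))
    print("homoglyph spelling obfuscated?", is_obfuscated_bitcoin("b\u0456t\u0441\u043ein"))
```

The constructed sextortion body hits through the homoglyph rule only (its spaced "h a c k e d" is what the `\W{0,10}` gap is for), the newsletter gets just the 0.1 from LOCAL_BITCOIN, and the plain message scores nothing despite "camera" and "video" because no address is present, which is the AND structure of the meta rule doing its job.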