On Thu, Dec 13, 2018 at 09:33:58PM -0000, Chip M. wrote:
> As requested:
> http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
> I MUNGED the "To".
> It's the latest of two sent to me by an awesome volunteer. :)
>
> First thoughts:
> Both were base64 encoded.
> Both have "disclaimers" that they're not terrorists. :roll-eyes:
>
This rule works iff you are using SA 4.x:

body HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')
describe HASHBL_BTC Message contains BTC address found on BTCBL
priority HASHBL_BTC -100 # required priority to launch async lookups

It will check whether the BTC address has been used for fraudulent purposes and has been reported to the bitcoinabuse or bitcoinwhoswho web sites.

Giovanni
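
The following is an added example, not part of the original message and not SpamAssassin code: it decodes a base64 body, applies the regex from the rule above, and goes one step beyond the rule by dropping candidates that fail the Base58Check checksum before any lookup name is built. The function names, the sample body and the `<address>.<zone>` query layout for the `raw` option are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Regex copied from the HASHBL_BTC rule in the message above.
BTC_RE = re.compile(r'\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """True if addr decodes to version byte + 20-byte hash + valid checksum."""
    n = 0
    try:
        for ch in addr:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    # Each leading '1' in the text must correspond to one leading zero byte.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\0")):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return raw[0] in (0x00, 0x05) and digest[:4] == raw[21:]


def lookup_names(b64_body, zone="bl.btcblack.it", limit=10):
    """Return blocklist query names for checksum-valid addresses in the body."""
    text = base64.b64decode(b64_body).decode("utf-8", "replace")
    seen = []
    for addr in BTC_RE.findall(text):
        if addr not in seen and base58check_ok(addr):
            seen.append(addr)
    # Assumed query layout for the 'raw' option: "<address>.<zone>".
    return [f"{a}.{zone}" for a in seen[:limit]]


# Constructed sample body: one real-format address (the well-known genesis
# block address), one with a corrupted last character, one look-alike token.
SAMPLE_BODY = base64.b64encode(
    b"Send $800 to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.\n"
    b"Backup wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n"
    b"Ticket ref 1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
)

if __name__ == "__main__":
    for name in lookup_names(SAMPLE_BODY):
        print(name)
```

All three tokens in the sample match the rule's regex; only the first survives the checksum, so only one DNS query would be issued.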