On 5/1/2020 10:23 AM, AJ Weber wrote:
> I am seeing a number of extortion emails where the hacker has gotten
> my email address and an old password from "the dark web". (Probably
> one of many lists that are out there from one of the many mega-hacks
> that have occurred.)
>
> Is there a way to check for a specific 1-2 words in the body being
> repeated > n times? The emails seem to be camouflaging their body
> with random HTML and encoding chars. But they like to repeat my old
> username and an old password a large number of times pretty clearly (I
> guess to get our attention).
>
> If I can check for these terms (individually would be fine), I think I
> could set up some meta rules that would score the number of hits in
> ranges. Once or twice would probably be no score. 3-5 times would be
> a reasonable score. >5 hits would be an almost automatic spam score.
>
> Please help, apparently this person "knows everything about me" :)

Hi AJ,

in KAM.cf, see my CRIM ruleset. It's what I use for these types of scam emails.

For your specific question, look at maxhits / multiple and the __KAM_COUNT_URIS might get you a hint.

Regards,
KAM
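
A sketch of the counting approach discussed in this thread, as an added example that is not taken from KAM.cf or from either poster: `tflags ... multiple maxhits=N` makes a body rule count its matches, and meta rules then score the count in ranges. The rule names, the two placeholder terms and the scores are assumptions to be replaced with local values.

```conf
# Added example for local.cf. All LOCAL_* names, both terms and both scores
# are placeholders chosen for illustration.

# Body rules run against the decoded text with HTML tags stripped, so the
# HTML/encoding padding around the repeated terms does not need its own regex.
# Escape any regex metacharacters that occur in the real old password.
body      __LOCAL_OLD_USER    /\bexample-old-username\b/i
tflags    __LOCAL_OLD_USER    multiple maxhits=6

body      __LOCAL_OLD_PASS    /\bexample-old-password\b/i
tflags    __LOCAL_OLD_PASS    multiple maxhits=6

# With "multiple", a rule's value inside a meta expression is its hit count,
# capped at maxhits. One or two mentions in total: no rule fires, no score.

# 3 to 5 mentions in total: a moderate score.
meta      LOCAL_OLD_CRED_SOME   ((__LOCAL_OLD_USER + __LOCAL_OLD_PASS) >= 3) && ((__LOCAL_OLD_USER + __LOCAL_OLD_PASS) <= 5)
describe  LOCAL_OLD_CRED_SOME   Old username/password repeated 3-5 times in body
score     LOCAL_OLD_CRED_SOME   2.0

# More than 5 mentions in total: enough to reach a required_score of 5.0.
meta      LOCAL_OLD_CRED_MANY   ((__LOCAL_OLD_USER + __LOCAL_OLD_PASS) > 5)
describe  LOCAL_OLD_CRED_MANY   Old username/password repeated more than 5 times in body
score     LOCAL_OLD_CRED_MANY   5.0
```

Run `spamassassin --lint` after editing to catch syntax errors before the rules go live.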