On 2021-02-25 10:54, John Hardin wrote:
On Thu, 25 Feb 2021, RW wrote:

On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
John Hardin wrote:

On Wed, 24 Feb 2021, Alan wrote:

After a little more research, a better regex for an obfuscated BTC
address is

/[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/

It might be worth adding = and _ to the obfuscating delimiters.
YMMV.

I've updated __BITCOIN_ID with -, = and _ obfuscations, which I
haven't seen myself yet.

Thanks!


Possibly

 (?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){25,34}|[a-km-zA-HJ-NP-Z1-9]{25,34})

should be

 (?:[-_=\s]*[a-km-zA-HJ-NP-Z1-9]){25,34}

It's shorter and more general.

I'd prefer:

 (?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}

The reason I haven't is I have not seen a mixture yet - it's either all spaced or not at all.

I'll take a look at that tonight when I have some time.


The more loose you get with matching obfuscation the greater the chance of false positives. Consider, for example, the PGP key in my .sig (which has a zero, but I'd wager there are PGP key signatures that look like obfuscated bitcoin wallet addresses...)

Also, there's a limit to how complex the obfuscation can get before the recipient can't (or won't) follow the instructions.


Bitcoin addresses start with either 1 or 3. It's less general specifically to avoid FPs. Personally I'm weighting this pretty high so I don't want to trigger on non-obfuscated BTC addresses. So far, all of my targets send a plain text version so "just a space" has been working.

All that said, another potential obfuscation would be a period. I'm going to add that.

--
For SpamAssassin Users List
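
The trade-off discussed in this thread, as an added example that is not code from any of the participants or from the SpamAssassin rules: it runs the three delimiter quantifiers (none, `?`, `*`) over constructed samples, then goes beyond the thread by stripping the delimiters and checking the Base58Check checksum to discard look-alikes such as key fingerprints. The leading `\b[13]`, the function names and the fingerprint string are assumptions made for illustration; the address is the publicly known genesis-block address.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CH = "[a-km-zA-HJ-NP-Z1-9]"   # Base58 character class used in the thread
DELIM = r"[-_=\s]"            # delimiter class used in the thread

# Assumption: a leading \b[13] in front of the repeated group.
VARIANTS = {
    name: re.compile(rf"\b[13](?:{DELIM}{q}{CH}){{25,34}}")
    for name, q in (("mandatory", ""), ("optional", "?"), ("any_run", "*"))
}

def base58check_ok(candidate):
    """True if the stripped string decodes to 25 bytes with a valid checksum."""
    n = 0
    for c in candidate:
        n = n * 58 + B58.index(c)
    pad = len(candidate) - len(candidate.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def scan(text):
    """Return {variant: (regex_matched, checksum_valid)} for one message body."""
    result = {}
    for name, rx in VARIANTS.items():
        m = rx.search(text)
        cand = re.sub(DELIM, "", m.group(0)) if m else ""
        result[name] = (bool(m), bool(m) and base58check_ok(cand))
    return result

# Constructed samples: one address in four spellings, plus a made-up fingerprint.
ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLES = {
    "plain": "Send to " + ADDR,
    "spaced": "Send to " + " ".join(ADDR),
    "chunked": "Send to " + " ".join(ADDR[i:i + 4] for i in range(0, len(ADDR), 4)),
    "runs": "Send to " + " - ".join(ADDR),
    "fingerprint": "Key fingerprint: 3F2A 9C41 7B6D 58E1 A4C3 92D7 6E5B 81F4 2C9A 7D36",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:12} {scan(body)}")
```

The samples end at the address on purpose: when an address is shorter than the upper bound, the greedy repetition in the `?` and `*` variants can absorb the first letter of a following word, so a checksum step in real use would also need to try shorter prefixes of the match.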
