On 12/1/19 6:30 PM, John Hardin wrote: > On Sun, 1 Dec 2019, Giovanni Bechis wrote: > >> in this bitcoin spam email (https://pastebin.com/da6qgg83) __BITCOIN_ID rule >> does not trigger >> because the bitcoin address has been divided in two pieces; any idea for a >> regexp that will match >> this case as well ? > > Well, here we start to get into standard whack-a-mole territory - where the > spammer tries to obfuscate the information enough to bypass scanning without > making it totally meaningless or too complicated to be usable by the target. > > Adding optional whitespace is simple enough. But it's first whitespace, then > punctuation, then combinations, then HTML formatting... > a bit more complex spample: https://pastebin.com/58LX7J5q
I think it will become every day more complex to match __BITCOIN_ID Giovanni
