On Fri, 6 Dec 2019, Giovanni Bechis wrote:

> On 12/1/19 6:30 PM, John Hardin wrote:
>> On Sun, 1 Dec 2019, Giovanni Bechis wrote:
>>> in this bitcoin spam email (https://pastebin.com/da6qgg83) __BITCOIN_ID
>>> rule does not trigger because the bitcoin address has been divided in
>>> two pieces; any idea for a regexp that will match this case as well?
>>
>> Well, here we start to get into standard whack-a-mole territory - where the
>> spammer tries to obfuscate the information enough to bypass scanning without
>> making it totally meaningless or too complicated to be usable by the target.
>>
>> Adding optional whitespace is simple enough. But it's first whitespace, then
>> punctuation, then combinations, then HTML formatting...
>
> a bit more complex spample:
> https://pastebin.com/58LX7J5q
> I think it will become every day more complex to match __BITCOIN_ID

Indeed. I suspect there will need to be a BITCOIN_EXTORT variant that
doesn't rely on a detectable ID being present.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Tomorrow: The 78th anniversary of Pearl Harbor
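
An added example, not part of the thread and not SpamAssassin's __BITCOIN_ID rule: one way to detect a legacy (Base58) Bitcoin address that has been split by whitespace or punctuation is to rejoin adjacent fragments and keep only candidates whose Base58Check checksum verifies, which holds false positives down even though ordinary words are also Base58 text. The separator set, the fragment limit and the sample message are assumptions; the sample uses the publicly known genesis-block address.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
RUN = re.compile(r"[%s]+" % B58)          # maximal runs of Base58 characters
GAP = re.compile(r"[\s\-_.,:;|/*]{1,4}")  # assumed obfuscation separators
MAX_PIECES = 4                            # assumed limit on fragments joined


def base58check_ok(addr):
    """True if addr decodes to a 25-byte payload with a valid checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    if raw[0] not in (0x00, 0x05):        # P2PKH ("1...") or P2SH ("3...")
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return raw[21:] == digest[:4]


def find_split_addresses(text):
    """Return checksum-valid addresses, rejoining fragments split by GAP."""
    runs = list(RUN.finditer(text))
    found = []
    for i, first in enumerate(runs):
        if first.group()[0] not in "13":
            continue
        joined, end = "", first.start()
        for piece in runs[i:i + MAX_PIECES]:
            # Every fragment after the first must follow a pure separator gap.
            if joined and not GAP.fullmatch(text, end, piece.start()):
                break
            joined, end = joined + piece.group(), piece.end()
            if len(joined) > 35:
                break
            if len(joined) >= 26 and base58check_ok(joined) and joined not in found:
                found.append(joined)
    return found


# Constructed sample body: the address is broken across two lines.
SAMPLE = ("Send $900 to this wallet: 1A1zP1eP5QGefi2\n"
          "DMPTfTL5SLmv7DivfNa within 48 hours")
```

This covers only the whitespace and punctuation stages mentioned above; HTML-formatted splits would need the markup stripped before scanning, and bech32 (`bc1...`) addresses use a different checksum.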