> The trouble with this is that you would be adding 10 point to anything
> with a bitcoin address whether anything's obfuscated or not. If you want
> to avoid this take a look at the FUZZY_* rules.
Well, actually, no. I sent you a snippet of my rule and inflated the score to
10 for those of you who wanted to detect emails with obfuscated (Unicode)
bitcoin addresses within.
I use the following rules to block the sextortion emails that are so rampant
right now. As you can see, it assigns a 0.1 score to the bitcoin portion, then
the following rule uses that to test for sextortion emails (also obfuscated
with Unicode characters). These two rules work great for me in stopping the
vast majority of sextortion emails coming to our campus.
body__BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body__BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body__BTC3 /\b\W*b\W*t\W*c\W*\b/i
body__BTC4 /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
metaLOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score LOCAL_BITCOIN 0.1
body__UCporn/\b\W*p\W*o\W*r\W*n\W*\b/
body__UCpixel /\b\W*p\W*i\W*x\W*e\W*l\W*\b/
body__UCvideos /\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b/
body__UCwebcam /\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b/
body__UCkeylogger /\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b/
body__UCviruses /\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b/
body__UCmalware /\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b/
body__UCtrojan /\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b/
body__UCrecording /\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b/
body__UChacked /\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b/
metaLOCAL_SEXTORTION ( LOCAL_BITCOIN && ( __UCporn || __UCpixel ||
__UCvideos || __UCwebcam) && ( __UCkeylogger || __UCviruses || __UCmalware ||
__UCtrojan || __UCrecording || __UChacked ) )
score LOCAL_SEXTORTION20.0
The gist of the SEXTORTION rule is the email must contain a bitcoin address AND
(porn or pixel or video/videos or webcam/camera/cam) AND (keylogger or
virus/viruses or malware or trojan or recording or hacked). Every sextortion
email that I've seen contains those words.
It's not pretty, but it works (until the scammers change tactics).