Re: Bitcoin update

2018-10-07 Thread Zinski, Steve
> The trouble with this is that you would be adding 10 points to anything
> with a bitcoin address whether anything's obfuscated or not. If you want
> to avoid this take a look at the FUZZY_* rules.


Well, actually, no. I sent you a snippet of my rule and inflated the score to 
10 for those of you who wanted to detect emails with obfuscated (Unicode) 
bitcoin addresses within.

I use the following rules to block the sextortion emails that are so rampant 
right now. As you can see, it assigns a 0.1 score to the bitcoin portion, then 
the following rule uses that to test for sextortion emails (also obfuscated 
with Unicode characters). These two rules work great for me in stopping the 
vast majority of sextortion emails coming to our campus.

body __BTC1  /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2  /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3  /\b\W*b\W*t\W*c\W*\b/i
body __BTC4  /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score LOCAL_BITCOIN   0.1

body __UCporn       /\b\W*p\W*o\W*r\W*n\W*\b/
body __UCpixel      /\b\W*p\W*i\W*x\W*e\W*l\W*\b/
body __UCvideos     /\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b/
body __UCwebcam     /\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b/
body __UCkeylogger  /\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b/
body __UCviruses    /\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b/
body __UCmalware    /\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b/
body __UCtrojan     /\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b/
body __UCrecording  /\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b/
body __UChacked     /\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b/
meta LOCAL_SEXTORTION ( LOCAL_BITCOIN && ( __UCporn || __UCpixel || __UCvideos || __UCwebcam ) && ( __UCkeylogger || __UCviruses || __UCmalware || __UCtrojan || __UCrecording || __UChacked ) )
score LOCAL_SEXTORTION   20.0

The gist of the SEXTORTION rule is the email must contain a bitcoin address AND 
(porn or pixel or video/videos or webcam/camera/cam) AND (keylogger or 
virus/viruses or malware or trojan or recording or hacked). Every sextortion 
email that I've seen contains those words.

It's not pretty, but it works (until the scammers change tactics).
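To see how the two meta rules combine, here is an added Python transcription of the rules in the post above (this is not code from the original message or from SpamAssassin itself). It copies each regex as written, converting only Perl's `\x{...}` escapes to Python's `\u...`, and evaluates LOCAL_BITCOIN and LOCAL_SEXTORTION over four constructed sample bodies: a plain sextortion message, one using spaced-out letters plus Cyrillic homoglyphs in "bitcoin", a benign message that merely mentions a bitcoin address, and one with no address at all. The sample texts and the address `1ConstructedFakeAddrForTestsxxxxxx` are made up for the example; `evaluate()` is a stand-in for SpamAssassin's meta-rule scoring, run on raw text rather than on SpamAssassin's rendered body.

```python
import re

# Transcription of the posted SpamAssassin rules. Perl \x{0456} becomes \u0456;
# otherwise the patterns are unchanged. The __UC* rules carry no /i flag in the
# posted config, so they are case-sensitive here too.
RULES = {
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    "__BTC4": re.compile(r"\bb[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I),
    "__UCporn": re.compile(r"\b\W*p\W*o\W*r\W*n\W*\b"),
    "__UCpixel": re.compile(r"\b\W*p\W*i\W*x\W*e\W*l\W*\b"),
    "__UCvideos": re.compile(r"\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b"),
    "__UCwebcam": re.compile(r"\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b"),
    "__UCkeylogger": re.compile(r"\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b"),
    "__UCviruses": re.compile(r"\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b"),
    "__UCmalware": re.compile(r"\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b"),
    "__UCtrojan": re.compile(r"\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b"),
    "__UCrecording": re.compile(r"\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b"),
    "__UChacked": re.compile(r"\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b"),
}
# The two OR-groups of the LOCAL_SEXTORTION meta rule.
GROUP_A = ("__UCporn", "__UCpixel", "__UCvideos", "__UCwebcam")
GROUP_B = ("__UCkeylogger", "__UCviruses", "__UCmalware",
           "__UCtrojan", "__UCrecording", "__UChacked")

# Constructed sample bodies (not real mail). The address is fake but shaped
# like a base58 P2PKH address so that __BTC1 fires on it.
FAKE_ADDR = "1ConstructedFakeAddrForTestsxxxxxx"
SAMPLES = {
    "plain": ("I hacked your webcam and have a recording of you watching porn. "
              "Pay 500 USD in bitcoin to " + FAKE_ADDR + " within 48 hours."),
    # Letters spaced out, and "bitcoin" spelled with Cyrillic i (U+0456) and o (U+043E).
    "homoglyph": ("Your c a m e r a was hacked by my malware. Send 0.2 "
                  "b\u0456tc\u043e\u0456n to " + FAKE_ADDR + " now."),
    "donation": ("Our treasury now accepts bitcoin; the donation address is "
                 + FAKE_ADDR + ". Thanks!"),
    "no_address": "Payment via bitcoin is fine, see the invoice attached.",
}


def subrule_hits(text):
    """Which body sub-rules match the text (True/False per rule name)."""
    return {name: rx.search(text) is not None for name, rx in RULES.items()}


def evaluate(text):
    """Apply the two meta rules and return the score they would contribute."""
    h = subrule_hits(text)
    local_bitcoin = h["__BTC1"] and (h["__BTC2"] or h["__BTC3"] or h["__BTC4"])
    local_sextortion = (local_bitcoin
                        and any(h[n] for n in GROUP_A)
                        and any(h[n] for n in GROUP_B))
    fired, score = [], 0.0
    if local_bitcoin:
        fired.append("LOCAL_BITCOIN")
        score += 0.1
    if local_sextortion:
        fired.append("LOCAL_SEXTORTION")
        score += 20.0
    return {"score": round(score, 1), "rules": fired,
            "hits": sorted(n for n, v in h.items() if v)}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        r = evaluate(body)
        print(f"{label:10s} score={r['score']:<5} rules={r['rules']} hits={r['hits']}")
```

Running it shows the point the poster makes about scoring: the benign "donation" body only picks up LOCAL_BITCOIN's 0.1, while both sextortion bodies reach 20.1. The homoglyph body is caught only because `__BTC4` fires; `__BTC2` does not, since Cyrillic letters are word characters and never match `\W`. One thing to check before deploying such rules locally is capitalisation: as posted, the `__UC*` rules lack `/i`, so "Hacked" at the start of a sentence would not match `__UChacked`.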

Re: spamassassin-3.4.2 and reload command

2018-10-07 Thread Vlad Shpolyanskiy
Hi!
Yep, you are right!

After start, the command looks like:
/usr/local/bin/perl -T -w /usr/local/bin/spamd -m 5 -4 -d -r
/var/run/spamd/spamd.pid

But after reload:
/usr/local/bin/perl5 -T -w /usr/local/bin/spamd -m 5 -4 -d -r
/var/run/spamd/spamd.pid

So, it is perl vs perl5.
Probably that is the cause of failure for subsequent reloads.



--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html