On Tue, 18 Dec 2018 19:33:19 +0000
Zinski, Steve wrote:
> I’m seriously thinking about doing the same (block all emails that
> contain a bitcoin address).
Effectively you already have. A legitimate email with a bitcoin address
will almost certainly contain either 'btc' or 'bitcoin' and your rules
__BTC2 to __BTC5 match a non-obfuscated 'bitcoin' or 'btc'.
The only real advantage that LOCAL_BITCOIN has over scoring __BTC1
directly is that __BTC1 might match on something that isn't actually a
bitcoin address, but this comes at the expense of spammers being able
to evade the rule by using other obfuscations.
Take a look at __BITCOIN_ID for how to avoid __BTC1 FPs from URIs. Also
take a look at the FUZZY rules for how to test for actual obfuscation.
> I’ve had good luck with my custom rule
> that also tests for Unicode obfuscation:
>
> body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
> body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
> body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
> body __BTC4 /bt[c\x{0441}]/i
> body __BTC5 /b[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n/i
> meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 || __BTC5 ) )
> score LOCAL_BITCOIN 10.0
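
The point made in the reply above, as an added example that is not part of the original message or of SpamAssassin: the quoted rules translated to Python `re` and run over constructed sample bodies. It assumes matching on decoded Unicode text, which only approximates how SpamAssassin applies body rules; the address, URL and helper names are constructed for illustration.

```python
import re

# Python translations of the quoted rules (\x{0441} becomes \u0441, and so on).
# Assumption: matching runs on decoded Unicode text, approximating body rules.
RULES = {
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    "__BTC4": re.compile(r"bt[c\u0441]", re.I),
    "__BTC5": re.compile(r"b[i\u0456]t[c\u0441][o\u043E][i\u0456]n", re.I),
}
WORD_RULES = {"__BTC2", "__BTC3", "__BTC4", "__BTC5"}


def hits(body):
    """Return the names of the sub-rules that match the body text."""
    return {name for name, rx in RULES.items() if rx.search(body)}


def local_bitcoin(body):
    """Evaluate the quoted meta: __BTC1 && (__BTC2 || ... || __BTC5)."""
    h = hits(body)
    return "__BTC1" in h and bool(h & WORD_RULES)


# Constructed inputs: ADDR only has the shape __BTC1 looks for, it is not a
# real address; the URL token is a made-up download id in the same alphabet.
ADDR = "1ConstructedSampLeAddressXXXXXXXX"
SAMPLES = {
    "plain_bitcoin": f"Please pay the invoice in bitcoin to {ADDR}, thanks.",
    "plain_btc": f"Donations in BTC: {ADDR}",
    "url_token": "Download: https://files.example.com/d/3kQ9mZx7Vb2TnR5pW8cYh4JfGs6NuEa1",
}


def report():
    """Map each sample to (sorted sub-rule hits, LOCAL_BITCOIN result)."""
    return {k: (sorted(hits(v)), local_bitcoin(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fired, meta) in report().items():
        print(f"{name:14} LOCAL_BITCOIN={meta!s:5} {fired}")
```

The two plain-text samples fire LOCAL_BITCOIN with no obfuscation present, while the URL sample hits __BTC1 alone, which is the false positive the meta avoids.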