On Tue, 18 Dec 2018 19:33:19 +0000 Zinski, Steve wrote: > I’m seriously thinking about doing the same (block all emails that > contain a bitcoin address).
Effectively you already have. A legitimate email with a bitcoin address will almost certainly contain either 'btc' or 'bitcoin' and your rules __BTC2 to __BTC5 match a non-obfuscated 'bitcoin' or 'btc'. The the only real advantage that LOCAL_BITCOIN has over scoring __BTC1 directly is that __BTC1 might match on something that isn't actually a bitcoin address, but this comes at the expense of spammers being able to evade the rule by using other obfuscations. Take a look at __BITCOIN_ID for how to avoid __BTC1 FPs from URIs. Also take a look at the FUZZY rules for how to test for actual obfuscation. > I’ve had good luck with my custom rule > that also tests for Unicode obfuscation: > > body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ > body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i > body __BTC3 /\b\W*b\W*t\W*c\W*\b/i > body __BTC4 /bt[c\x{0441}]/i > body > __BTC5 /b[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n/i > meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 || > __BTC5 ) ) score LOCAL_BITCOIN 10.0