On Sun, 1 Dec 2019, Giovanni Bechis wrote:
In this bitcoin spam email (https://pastebin.com/da6qgg83) __BITCOIN_ID rule does not trigger because the bitcoin address has been divided into two pieces; any idea for a regexp that will match this case as well?
Well, here we start to get into standard whack-a-mole territory - where the spammer tries to obfuscate the information enough to bypass scanning without making it totally meaningless or too complicated to be usable by the target.
Adding optional whitespace is simple enough. But it's first whitespace, then punctuation, then combinations, then HTML formatting...
I've added the whitespace, and some of the German-language bits. It's hitting BITCOIN_EXTORT now. Thanks for the sample.
--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Activist: Someone who gets involved.
  Unregistered Lobbyist: Someone who gets involved with something
  the MSM doesn't approve of.                            -- WizardPC
-----------------------------------------------------------------------
 976 days since the first commercial re-flight of an orbital booster (SpaceX)
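The whitespace case discussed in this thread, as an added example that is not part of the original messages and is not the SpamAssassin `__BITCOIN_ID` rule: a whitespace-tolerant candidate pattern followed by a Base58Check checksum test, which keeps the looser pattern from matching ordinary text. The function names are hypothetical, the sample messages are constructed around the well-known genesis-block address, and only legacy Base58 addresses split by whitespace are handled (punctuation and HTML splitting are not).

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy Base58 address (starts with 1 or 3, 26-35 characters) with up to
# three whitespace characters tolerated before each character.
CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9])[13](?:\s{0,3}[%s]){25,34}(?![A-Za-z0-9])" % B58
)

def b58check_ok(addr):
    """True if addr decodes to version + 20-byte hash + valid checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    # Each leading '1' encodes one leading zero byte.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\0")):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return raw[0] in (0x00, 0x05) and digest[:4] == raw[21:]

def find_addresses(text):
    """Return checksum-valid addresses, including ones split by whitespace."""
    found = []
    for m in CANDIDATE.finditer(text):
        chunks = m.group(0).split()
        # The whitespace tolerance can swallow a short word that follows the
        # address, so try the longest join first and drop trailing chunks.
        for end in range(len(chunks), 0, -1):
            addr = "".join(chunks[:end])
            if 26 <= len(addr) <= 35 and b58check_ok(addr):
                found.append(addr)
                break
    return found

# Constructed samples using the well-known Bitcoin genesis-block address.
SPLIT = "Send $500 to 1A1zP1eP5QGefi2DMPT\nfTL5SLmv7DivfNa within 48 hours."
TYPO = "Send $500 to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb within 48 hours."

if __name__ == "__main__":
    print(find_addresses(SPLIT))  # address recovered despite the line break
    print(find_addresses(TYPO))   # [] because the checksum does not verify
```
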