Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt

In windows-1256, the presence of =9D between characters under decimal-128 is suspicious, regardless of Bitcoin. It seems like a simple rule, but even rawbody does not check quoted-printable patterns. Plugin maybe? Has this already been done and I've missed it?
Joseph Brennan
Columbia U I T

On Mon, Nov 19, 2018 at 11:49 AM Mark London <m...@psfc.mit.edu> wrote:

> On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote:
> > I ran it as-is, and it scored poorly.
> > After I manually de-borked the headers, and retested, it hit SA's
> > "OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests.
>
> OBFU_BITCOIN was hit because the =9D character was not inserted in the
> bitcoin string itself, and rules like __BTC_OBFU_2 were hit, because
> they are designed to look for obfuscated forms of BTC.
>
> So, any rules that take into account obfuscated words solve the
> problem of inserted 9D characters.
>
> This tactic seems to be limited right now to a few (one?) spammers, who
> are presently using it in their porn blackmail spam.
>
> - Mark

--
Joseph Brennan
Lead, Email and Systems Applications
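The check Joseph describes, as an added example that is not code from the thread or from SpamAssassin: it tokenises the still-encoded quoted-printable stream and counts =9D escapes that sit directly between two plain ASCII characters, ignoring a =9D that follows another escape (as in UTF-8's =E2=80=9D). The sample bodies, the charset gate and the threshold value are constructed assumptions.

```python
import re
from typing import Optional

# Constructed samples (not from the thread). The first mimics the trick under
# discussion: 0x9D, which windows-1256 decodes to an invisible zero-width
# character, spliced between plain ASCII letters. The second is ordinary UTF-8
# quoted-printable, where =9D only appears as the last byte of a multibyte
# sequence such as =E2=80=9D (a closing curly quote) and must not be flagged.
SPLICED_SAMPLE = "Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn cha=9Dnge=9D i=9Dt"
UTF8_SAMPLE = "He wrote =E2=80=9Cbitcoin=E2=80=9D and =E2=82=AC500 =\r\non the next line"

# What the spliced byte becomes once decoded: U+200C ZERO WIDTH NON-JOINER.
INVISIBLE_9D = bytes([0x9D]).decode("cp1256")

# One quoted-printable token: an =XX escape, a soft line break, or a literal char.
QP_TOKEN = re.compile(r"=[0-9A-Fa-f]{2}|=\r?\n|.", re.DOTALL)
SOFT_BREAK = re.compile(r"=\r?\n")


def qp_tokens(qp_text: str) -> list:
    """Split a QP-encoded string into tokens, dropping soft line breaks."""
    return [t for t in QP_TOKEN.findall(qp_text) if not SOFT_BREAK.fullmatch(t)]


def is_plain_ascii(tok: Optional[str]) -> bool:
    """True for a literal (unescaped) character below decimal 128."""
    return tok is not None and len(tok) == 1 and ord(tok) < 128


def count_spliced_9d(qp_text: str) -> int:
    """Count =9D escapes whose immediate neighbours are both plain ASCII."""
    toks = qp_tokens(qp_text)
    hits = 0
    for i, tok in enumerate(toks):
        if tok.upper() != "=9D":
            continue
        prev_tok = toks[i - 1] if i > 0 else None
        next_tok = toks[i + 1] if i + 1 < len(toks) else None
        if is_plain_ascii(prev_tok) and is_plain_ascii(next_tok):
            hits += 1
    return hits


def suspicious_9d(charset: str, qp_text: str, threshold: int = 3) -> bool:
    """Flag a windows-1256 part with spliced =9D bytes (threshold is assumed)."""
    if charset.lower() != "windows-1256":
        return False
    return count_spliced_9d(qp_text) >= threshold
```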