On Wed, 5 Dec 2018, Mark London wrote:
> No longer just embedded =9D characters.
> From: =?utf-8?B?bmlnaHRt0LByZQ==?= <pe...@yfsgroup.com>
> To: <x...@psfc.mit.edu>
> Subject: You are my victim.
> Date: Tue, 4 Dec 2018 15:56:36 -0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="a0d0993ce53319101c19af03d5311b0976b26b"
> X-Scanned-By: MIMEDefang 2.79 on 18.18.166.11
> --a0d0993ce53319101c19af03d5311b0976b26b
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: quoted-printable
> Hi, my pr=D0=B5y.
> This is my last warning.
> I write you inasmuch as I put a virus on the web page with porno which yo=
> u have viewed.
> My tr=D0=BEjan c=D0=B0=D1=80tured all y=D0=BEur =D1=80rivat=D0=B5 dat=D0=B0=
> =D0=B0nd switched on your c=D0=B0mer=D0=B0 which r=D0=B5=D1=81=D0=BErded=
> ...etc
Those aren't zero-width, those are just standard Unicode obfuscations of
regular ASCII text. The _ZW rule isn't intended to catch that.
I've added a "too many [ascii][unicode][ascii]" rule based on that but I
suspect it will be pretty FP-prone and will be pretty large if we want to
avoid whack-a-mole syndrome. For this, normalize + bayes is probably the
best bet.
I've added some of the new phrases from that to the bitcoin extort
components.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
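The [ascii][unicode][ascii] pattern and the normalize step described in the reply above, as an added example (not the SpamAssassin rule and not code from this thread). The look-alike map is a small constructed subset, and all function names are hypothetical.

```python
import quopri
import re

# Constructed subset of Cyrillic letters that render like Latin ones.
# Assumption: a production normalizer would use the full Unicode confusables data.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
TO_ASCII = str.maketrans(HOMOGLYPHS)

# An ASCII letter, a run of non-ASCII characters, then another ASCII letter.
SANDWICH = re.compile(r"[A-Za-z][^\x00-\x7f]+(?=[A-Za-z])")

# Constructed sample: two body lines adapted from the quoted-printable part
# above (the trailing soft line break on the second line is dropped).
SAMPLE = (
    b"Hi, my pr=D0=B5y.\n"
    b"My tr=D0=BEjan c=D0=B0=D1=80tured all y=D0=BEur =D1=80rivat=D0=B5 dat=D0=B0\n"
)

def decode_qp(body):
    """Decode a quoted-printable part whose declared charset is utf-8."""
    return quopri.decodestring(body).decode("utf-8", errors="replace")

def sandwich_hits(text):
    """Count [ascii][unicode][ascii] runs. Also fires on words like 'naïve'."""
    return len(SANDWICH.findall(text))

def mixed_script_words(text):
    """Return words that mix ASCII letters with a mapped look-alike."""
    words = re.findall(r"[^\W\d_]+", text)
    return [w for w in words
            if any(c in HOMOGLYPHS for c in w) and any(c.isascii() for c in w)]

def normalize(text):
    """Fold mapped look-alikes to ASCII before phrase rules or Bayes tokenizing."""
    return text.translate(TO_ASCII)

if __name__ == "__main__":
    text = decode_qp(SAMPLE)
    print("sandwich hits:", sandwich_hits(text))
    print("mixed-script words:", mixed_script_words(text))
    print(normalize(text), end="")
```

The plain sandwich count also matches ordinary accented words, which is the false-positive exposure mentioned in the reply; the mixed-script check does not, but it only sees characters present in the map.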