On Tue, 3 Dec 2019, Mark London wrote:
> It seems to me that the rule for detecting a BITCOIN in an email is
> incorrect. See below:
> body __BITCOIN_ID /\b(?<!=)[13](?:\s?[a-km-zA-HJ-NP-Z1-9]){25,34}\b/
> Why is there a \s in this rule? I didn't think that a BITCOIN id has a
> space.
Recent obfuscation seen in RL extortion spams.
> This rule is triggered on a simple line like this, because of the fact that
> the line has a "1" in it:
> For sure figure 1 is convincing that nqR is a good organising
Ugh.
> Maybe this rule needs tweaking? Thanks.
I'm not sure we'd be able to detect obfuscation and not have FPs.
I'm open to suggestions. Reverting for now.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Collectivism: forever just one more execution away from Paradise.
-----------------------------------------------------------------------
4 days until The 78th anniversary of Pearl Harbor
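As an added illustration that is not part of the thread, the quoted rule is run below in Python's re module against the quoted false-positive line, next to the same rule with the \s? removed (an assumption for comparison, not the reverted rule verbatim). The address-shaped strings are constructed samples, not real Bitcoin addresses.

```python
import re

# The SpamAssassin body rule quoted in the thread, as a Python regex
# (Python's re supports the fixed-width negative lookbehind (?<!=) it uses).
BITCOIN_ID_WITH_SPACE = re.compile(r"\b(?<!=)[13](?:\s?[a-km-zA-HJ-NP-Z1-9]){25,34}\b")
# Assumption: the same rule with the optional whitespace removed, for comparison.
BITCOIN_ID_STRICT = re.compile(r"\b(?<!=)[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# The false-positive line quoted in the thread.
FP_LINE = "For sure figure 1 is convincing that nqR is a good organising"

# Constructed samples (not real addresses): 34 characters from the base58
# alphabet, and the same string with spaces inserted as obfuscated spam would.
SAMPLE_ADDR = "1KsdzTkWpg7uNwjXq3rF9GmAaHeSvcEy2B"
OBFUSCATED_ADDR = "1Ksdz TkWpg 7uNwj Xq3rF 9GmAa HeSvc Ey2B"


def bitcoin_matches(pattern, text):
    """Return every substring the given rule would treat as a Bitcoin id."""
    return [m.group(0) for m in pattern.finditer(text)]


def address_chars(match_text):
    """Count the characters the rule consumed as address characters, ignoring
    the optional whitespace, to show how plain words reach the {25,34} range."""
    return len(re.sub(r"\s", "", match_text))


if __name__ == "__main__":
    for label, pattern in (("with \\s?", BITCOIN_ID_WITH_SPACE), ("strict", BITCOIN_ID_STRICT)):
        for text in (FP_LINE, SAMPLE_ADDR, OBFUSCATED_ADDR, "=" + SAMPLE_ADDR):
            print(f"{label:9} {text!r:45} -> {bitcoin_matches(pattern, text)}")
```

The run shows the \s? form matching "1 is convincing that nqR is a good" (27 address characters once spaces are dropped) while the strict form matches only the contiguous sample, and neither matches the sample when a "=" precedes it.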