Bitcoin update


Bitcoin update

Joseph Brennan

Two days ago the Bitcoin threats from Outlook.com started arriving in the Windows-1256 charset, which is Arabic, but including Latin characters. The text has Arabic character 9D all over the place. 9D is "ZERO WIDTH NON-JOINER" so it takes up no space and the English language text looks normal. But it breaks pattern matching.

That ALL of the Bitcoin threats from outlook.com changed the evening of October 1 means they are all from one source.

Sample of the mime part header and a raw paragraph:

--_000_AM0PR04MB488298EB0071C1677D7C5BA9BAE90AM0PR04MB4882eurp_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=
=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=
i=9Dls:


Joseph Brennan
Columbia U I T
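To make the obfuscation concrete, here is an added example (my code, not anything from the post) that decodes the raw quoted-printable paragraph above with the declared windows-1256 charset, names the zero-width characters that 0x9D turns into, and shows a whole-word pattern failing until those characters are stripped. The pattern and the list of zero-width code points are my choices.

```python
import quopri
import re
import unicodedata

# The raw quoted-printable paragraph from the post, as bytes. The MIME part
# declared Content-Type: text/plain; charset="windows-1256".
RAW_QP = (
    b"Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=\n"
    b"=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=\n"
    b"i=9Dls:\n"
)

# Zero-width / format characters commonly inserted to split words invisibly
# (ZWSP, ZWNJ, ZWJ, WORD JOINER, BOM). List is my choice, not from the post.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def decode_part(raw_qp: bytes, charset: str = "windows-1256") -> str:
    """Undo Content-Transfer-Encoding first, then the declared charset."""
    return quopri.decodestring(raw_qp).decode(charset)


def zero_width_chars(text: str) -> list:
    """Unicode names of every zero-width character found in the text."""
    return [unicodedata.name(c) for c in ZERO_WIDTH.findall(text)]


def strip_zero_width(text: str) -> str:
    """Drop zero-width characters so word-based patterns see the real words."""
    return ZERO_WIDTH.sub("", text)


def matches_plain_word(text: str, word: str) -> bool:
    """A naive whole-word match, as a rule author would first write it."""
    return re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE) is not None


if __name__ == "__main__":
    decoded = decode_part(RAW_QP)
    names = zero_width_chars(decoded)
    print(repr(decoded))
    print(len(names), "zero-width characters, all", set(names))
    print("whole-word match before strip:", matches_plain_word(decoded, "solutions"))
    print("whole-word match after strip: ", matches_plain_word(strip_zero_width(decoded), "solutions"))
```

The decoded text renders as ordinary English because U+200C takes no space, which is exactly why a pattern anchored on whole words never sees the word. A filter can either normalize (strip format characters before matching, as `strip_zero_width` does) or write gap-tolerant patterns; both approaches appear later in this thread.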


Re: Bitcoin update

Kevin A. McGrail-5
Interesting.  Any chance for an unmodified pastebin spample?

On Thu, Oct 4, 2018, 12:07 Joseph Brennan <[hidden email]> wrote:

> Two days ago the Bitcoin threats from Outlook.com started arriving in the Windows-1256 charset, which is Arabic, but including Latin characters. The text has Arabic character 9D all over the place. 9D is "ZERO WIDTH NON-JOINER" so it takes up no space and the English language text looks normal. But it breaks pattern matching.
>
> That ALL of the Bitcoin threats from outlook.com changed the evening of October 1 means they are all from one source.
>
> Sample of the mime part header and a raw paragraph:
>
> --_000_AM0PR04MB488298EB0071C1677D7C5BA9BAE90AM0PR04MB4882eurp_
> Content-Type: text/plain; charset="windows-1256"
> Content-Transfer-Encoding: quoted-printable
>
> Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=
> =9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=
> i=9Dls:
>
>
> Joseph Brennan
> Columbia U I T


Re: Bitcoin update

PeterD


>On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <[hidden email]> wrote:

>Interesting.  Any chance for an unmodified pastebin spample?


Yes please Joseph... any chance for it, please?  We are hungry...


-------
PedroD

Re: Bitcoin update

John Hardin
On Fri, 5 Oct 2018, Pedro David Marco wrote:

>   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <[hidden email]> wrote:
> >Interesting.  Any chance for an unmodified pastebin spample?
>
> Yes please Joseph... any  change for it, please?  We are hungry... 

Test rule checked into my sandbox last night...

Initial results aren't too promising.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

Zinski, Steve
Here's how I'm blocking bitcoin emails with Unicode characters embedded:

body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score   LOCAL_BITCOIN   10.0

Works like a charm in my environment.



On 10/5/18, 10:54 AM, "John Hardin" <[hidden email]> wrote:

    On Fri, 5 Oct 2018, Pedro David Marco wrote:
   
    >   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <[hidden email]> wrote:
    > >Interesting.  Any chance for an unmodified pastebin spample?
    >
    > Yes please Joseph... any  change for it, please?  We are hungry...
   
    Test rule checked into my sandbox last night...
   
    Initial results aren't too promising.
   
    --
      John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
      [hidden email]    FALaholic #11174     pgpk -a [hidden email]
      key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
      554 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Bitcoin update

John Hardin
On Fri, 5 Oct 2018, Zinski, Steve wrote:

> Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>
> body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
> body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
> body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
> body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
> meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
> score   LOCAL_BITCOIN   10.0
>
> Works like a charm in my environment.
To clarify: I added a rule for general obfuscation using the zero-width
Unicode glyph. It's not bitcoin-specific.

With your permission I can add that to my sandbox and see how it does in
masscheck.

> On 10/5/18, 10:54 AM, "John Hardin" <[hidden email]> wrote:
>
>    On Fri, 5 Oct 2018, Pedro David Marco wrote:
>
>    >   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <[hidden email]> wrote:
>    > >Interesting.  Any chance for an unmodified pastebin spample?
>    >
>    > Yes please Joseph... any  change for it, please?  We are hungry...
>
>    Test rule checked into my sandbox last night...
>
>    Initial results aren't too promising.
--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   It is not the place of government to make right every tragedy and
   woe that befalls every resident of the nation.
-----------------------------------------------------------------------
  554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

Zinski, Steve
Yes, absolutely.


On 10/5/18, 1:42 PM, "John Hardin" <[hidden email]> wrote:

    On Fri, 5 Oct 2018, Zinski, Steve wrote:
   
    > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
    >
    > body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
    > body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
    > body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
    > body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
    > meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
    > score   LOCAL_BITCOIN   10.0
    >
    > Works like a charm in my environment.
   
    To clarify: I added a rule for general obfuscation using the zero-width
    Unicode glyph. It's not bitcoin-specific.
   
    With your permission I can add that to my sandbox and see how it does in
    masscheck.
   
    > On 10/5/18, 10:54 AM, "John Hardin" <[hidden email]> wrote:
    >
    >    On Fri, 5 Oct 2018, Pedro David Marco wrote:
    >
    >    >   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <[hidden email]> wrote:
    >    > >Interesting.  Any chance for an unmodified pastebin spample?
    >    >
    >    > Yes please Joseph... any  change for it, please?  We are hungry...
    >
    >    Test rule checked into my sandbox last night...
    >
    >    Initial results aren't too promising.
   
    --
      John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
      [hidden email]    FALaholic #11174     pgpk -a [hidden email]
      key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
       It is not the place of government to make right every tragedy and
       woe that befalls every resident of the nation.
    -----------------------------------------------------------------------
      554 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Bitcoin update

sebastian@debianfan.de
https://pastebin.com/TRD7FzRQ

I have a sample here

Am 05.10.2018 um 19:50 schrieb Zinski, Steve:

> Yes, absolutely.
>
>
> On 10/5/18, 1:42 PM, "John Hardin" <[hidden email]> wrote:
>
>      On Fri, 5 Oct 2018, Zinski, Steve wrote:
>      
>      > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>      >
>      > body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
>      > body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
>      > body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
>      > body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
>      > meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
>      > score   LOCAL_BITCOIN   10.0
>      >
>      > Works like a charm in my environment.
>      
>      To clarify: I added a rule for general obfuscation using the zero-width
>      Unicode glyph. It's not bitcoin-specific.
>      
>      With your permission I can add that to my sandbox and see how it does in
>      masscheck.
>      
>      > On 10/5/18, 10:54 AM, "John Hardin" <[hidden email]> wrote:
>      >
>      >    On Fri, 5 Oct 2018, Pedro David Marco wrote:
>      >
>      >    >   >On Thursday, October 4, 2018, 9:08:10 PM GMT+2, Kevin A. McGrail <[hidden email]> wrote:
>      >    > >Interesting.  Any chance for an unmodified pastebin spample?
>      >    >
>      >    > Yes please Joseph... any  change for it, please?  We are hungry...
>      >
>      >    Test rule checked into my sandbox last night...
>      >
>      >    Initial results aren't too promising.
>      
>      --
>        John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>        [hidden email]    FALaholic #11174     pgpk -a [hidden email]
>        key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>      -----------------------------------------------------------------------
>         It is not the place of government to make right every tragedy and
>         woe that befalls every resident of the nation.
>      -----------------------------------------------------------------------
>        554 days since the first commercial re-flight of an orbital booster (SpaceX)
>

Re: Bitcoin update

John Hardin
On Fri, 5 Oct 2018, [hidden email] wrote:

> https://pastebin.com/TRD7FzRQ
>
> i have a sample here

There doesn't appear to be any obfuscation (apart from the email address)
in that message...

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Running away is the coward's way out of a war;
   appeasement is the coward's way into a war.               -- Thorax
-----------------------------------------------------------------------
  554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

John Hardin
In reply to this post by Zinski, Steve
On Fri, 5 Oct 2018, Zinski, Steve wrote:

> Yes, absolutely.

OK, cleaned up a bit and checked in. We'll see what masscheck thinks...

> On 10/5/18, 1:42 PM, "John Hardin" <[hidden email]> wrote:
>
>    On Fri, 5 Oct 2018, Zinski, Steve wrote:
>
>    > Here's how I'm blocking bitcoin emails with Unicode characters embedded:
>    >
>    > body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
>    > body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
>    > body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
>    > body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
>    > meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
>    > score   LOCAL_BITCOIN   10.0
>    >
>    > Works like a charm in my environment.
>
>    To clarify: I added a rule for general obfuscation using the zero-width
>    Unicode glyph. It's not bitcoin-specific.
>
>    With your permission I can add that to my sandbox and see how it does in
>    masscheck.
--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Venezuela is busy reaping the benefits of Socialism:
   in one year 75% of the population has, on average, lost 19 pounds
   due to insufficient food, and 82% of households are below the
   poverty line. (2016 Venezuelan "Living Conditions Survey")
-----------------------------------------------------------------------
  554 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

Rupert Gallagher
In reply to this post by sebastian@debianfan.de
> https://pastebin.com/TRD7FzRQ
>
> I have a sample here

There are at least three reasons to reject that e-mail upfront, with no need to parse its body. 

Re: Bitcoin update

Antony Stone
On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:

> > https://pastebin.com/TRD7FzRQ
> >
> > I have a sample here
>
> There are at least three reasons to reject that e-mail upfront, with no
> need to parse its body.

Hints might be appreciated for the uninitiated.


Antony.


PS: Please do NOT set Reply-To to your own address on list postings.

--
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Bitcoin update

David Jones
On 10/5/18 4:38 PM, Antony Stone wrote:

> On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:
>
>>> https://pastebin.com/TRD7FzRQ
>>>
>>> I have a sample here
>>
>> There are at least three reasons to reject that e-mail upfront, with no
>> need to parse its body.
>
> Hints might be appreciated for the uninitiated.
>
>
> Antony.
>
>
> PS: Please do NOT set Reply-To to your own address on list postings.
>

Are you doing any RBLs at the MTA?  This thing looks really bad and
would never have made it past my Postfix postscreen_dnsbl_sites list.

     http://multirbl.valli.org/lookup/114.46.223.46.html

If it had made it to SpamAssassin, here's what my rules would have scored:

Content analysis details:   (29.8 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  3.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  0.5 FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
  1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                             (Split IP)
  0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                             Generic rPTR
  1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
  3.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
  0.1 FROM_EQUALS_TO         From: and To: have the same username
  0.0 KHOP_DYNAMIC           Relay looks like a dynamic address
  3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                             2)
  1.0 RDNS_DYNAMIC           Delivered to internal network by host with
                             dynamic-looking rDNS
  2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on
                             whitelists
  0.1 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
                             (FTSDMCXX/boundary variant) + direct-to-MX
  2.0 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
  2.5 DOS_OE_TO_MX           Delivered direct to MX with OE headers
  2.5 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
  0.0 ENA_BAD_SPAM           Spam hitting really bad rules.


--
David Jones

Re: Bitcoin update

Rupert Gallagher
You did well. Not perfect, but nearly there. 

The key words here are: dynamic, helo, from and to. No need to use a black list.

The message was sent from a dynamic IP. No reputable email server does that. 

The next reason to reject is the failure of SPF. The recipient should implement SPF correctly. 

The third reason is the Message-ID.

RG



On Fri, Oct 5, 2018 at 23:57, David Jones <[hidden email]> wrote:
> On 10/5/18 4:38 PM, Antony Stone wrote:
>
> > On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:
> >
> >>> https://pastebin.com/TRD7FzRQ
> >>>
> >>> I have a sample here
> >>
> >> There are at least three reasons to reject that e-mail upfront, with no
> >> need to parse its body.
> >
> > Hints might be appreciated for the uninitiated.
> >
> >
> > Antony.
> >
> >
> > PS: Please do NOT set Reply-To to your own address on list postings.
> >
>
> Are you doing any RBLs at the MTA? This thing looks really bad and
> would never have made it past my Postfix postscreen_dnsbl_sites list.
>
> http://multirbl.valli.org/lookup/114.46.223.46.html
>
> If it had made it to SpamAssassin, here's what my rules would have scored:
>
> Content analysis details: (29.8 points, 5.0 required)
>
>   pts rule name              description
> ---- ---------------------- --------------------------------------------------
>   5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                              [score: 1.0000]
>   3.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                              [score: 1.0000]
>   0.5 FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
>   1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
>                              (Split IP)
>   0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
>                              Generic rPTR
>   1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
>   3.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>   0.1 FROM_EQUALS_TO         From: and To: have the same username
>   0.0 KHOP_DYNAMIC           Relay looks like a dynamic address
>   3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
>                              2)
>   1.0 RDNS_DYNAMIC           Delivered to internal network by host with
>                              dynamic-looking rDNS
>   2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on
>                              whitelists
>   0.1 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
>                              (FTSDMCXX/boundary variant) + direct-to-MX
>   2.0 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
>   2.5 DOS_OE_TO_MX           Delivered direct to MX with OE headers
>   2.5 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
>   0.0 ENA_BAD_SPAM           Spam hitting really bad rules.
>
>
> --
> David Jones

Re: Bitcoin update

RW-15
In reply to this post by Zinski, Steve
On Fri, 5 Oct 2018 16:34:51 +0000
Zinski, Steve wrote:

> Here's how I'm blocking bitcoin emails with Unicode characters
> embedded:
>
> body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
> body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
> body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
> body
> __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
> meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
> score   LOCAL_BITCOIN   10.0
>
> Works like a charm in my environment.

The trouble with this is that you would be adding 10 points to anything
with a bitcoin address whether anything's obfuscated or not. If you want
to avoid this take a look at the FUZZY_* rules.



Re: Bitcoin update

John Hardin
On Sat, 6 Oct 2018, RW wrote:

> On Fri, 5 Oct 2018 16:34:51 +0000
> Zinski, Steve wrote:
>
>> Here's how I'm blocking bitcoin emails with Unicode characters
>> embedded:
>>
>> body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
>> body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
>> body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
>> body
>> __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
>> meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
>> score   LOCAL_BITCOIN   10.0
>>
>> Works like a charm in my environment.
>
> The trouble with this is that you would be adding 10 point to anything
> with a bitcoin address whether anything's obfuscated or not. If you want
> to avoid this take a look at the FUZZY_* rules.

The version of this in my sandbox doesn't have that weakness. I did some
tuning compared to what Steve proposed.

BTW, Steve, your emails appear to be going to the list multiple times (or
is that just me?)


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Show me somebody who waxes poetic about "Being at one with Nature"
   and I'll show you someone who hasn't figured out that Nature is an
   infinite stomach demanding to be fed.     -- Atomic, at Wapsi forum
-----------------------------------------------------------------------
  555 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

PeterD


On Saturday, October 6, 2018, 8:36:11 PM GMT+2, John Hardin <[hidden email]> wrote:


>The version of this in my sandbox doesn't have that weakness. I did some  tuning compared to what Steve proposed.


John, would it be possible for you to share with us those improvements???


Thanks,


----
PedroD

Re: Bitcoin update

John Hardin
On Sat, 6 Oct 2018, Pedro David Marco wrote:

>    On Saturday, October 6, 2018, 8:36:11 PM GMT+2, John Hardin <[hidden email]> wrote:
>
>> The version of this in my sandbox doesn't have that weakness. I did some  tuning compared to what Steve proposed.
>
> John, would it be possible for you to share with us those improvments???
>
> Thanks,

They are checked into my sandbox and are publicly visible.

https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/

I'd recommend against implementing them locally right now. I still have
some more tuning changes in mind after I review the masscheck results, and
if they perform at all well in masscheck they'd be published as part of
the base ruleset.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If the rock of doom requires a gentle nudge away from Gaia to
   prevent a very bad day for Earthlings, NASA won’t be riding to the
   rescue. These days, NASA does dodgy weather research and outreach
   programs, not stuff in actual space with rockets piloted by
   flinty-eyed men called Buzz.                       -- Daily Bayonet
-----------------------------------------------------------------------
  555 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Bitcoin update

Zinski, Steve
In reply to this post by John Hardin
    > The trouble with this is that you would be adding 10 point to anything
    > with a bitcoin address whether anything's obfuscated or not. If you want
    > to avoid this take a look at the FUZZY_* rules.


Well, actually, no. I sent you a snippet of my rule and inflated the score to 10 for those of you who wanted to detect emails with obfuscated (Unicode) bitcoin addresses within.

I use the following rules to block the sextortion emails that are so rampant right now. As you can see, it assigns a 0.1 score to the bitcoin portion, then the following rule uses that to test for sextortion emails (also obfuscated with Unicode characters). These two rules work great for me in stopping the vast majority of sextortion emails coming to our campus.

body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
score   LOCAL_BITCOIN   0.1

body    __UCporn        /\b\W*p\W*o\W*r\W*n\W*\b/
body    __UCpixel       /\b\W*p\W*i\W*x\W*e\W*l\W*\b/
body    __UCvideos      /\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b/
body    __UCwebcam      /\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b/
body    __UCkeylogger   /\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b/
body    __UCviruses     /\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b/
body    __UCmalware     /\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b/
body    __UCtrojan      /\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b/
body    __UCrecording   /\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b/
body    __UChacked      /\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b/
meta    LOCAL_SEXTORTION     ( LOCAL_BITCOIN && ( __UCporn || __UCpixel || __UCvideos || __UCwebcam) && ( __UCkeylogger || __UCviruses || __UCmalware || __UCtrojan || __UCrecording || __UChacked ) )
score   LOCAL_SEXTORTION    20.0

The gist of the SEXTORTION rule is the email must contain a bitcoin address AND (porn or pixel or video/videos or webcam/camera/cam) AND (keylogger or virus/viruses or malware or trojan or recording or hacked). Every sextortion email that I've seen contains those words.

It's not pretty, but it works (until the scammers change tactics).
 
 


Re: Bitcoin update

John Hardin
On Mon, 8 Oct 2018, Zinski, Steve wrote:

>    > The trouble with this is that you would be adding 10 point to anything
>    > with a bitcoin address whether anything's obfuscated or not. If you want
>    > to avoid this take a look at the FUZZY_* rules.
>
> Well, actually, no. I sent you a snippet of my rule and inflated the score to 10 for those of you who wanted to detect emails with obfuscated (Unicode) bitcoin addresses within.

The point was, __BTC4 will hit on non-obfuscated "bitcoin", so the meta
should hit on any email with clear "bitcoin" and a bitcoin ID.

I recommend this:

   body    __BTC4     /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i

...to rule that out.

> I use the following rules to block the sextortion emails that are so rampant right now. As you can see, it assigns a 0.1 score to the bitcoin portion, then the following rule uses that to test for sextortion emails (also obfuscated with Unicode characters). These two rules work great for me in stopping the vast majority of sextortion emails coming to our campus.
>
> body    __BTC1          /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
> body    __BTC2          /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
> body    __BTC3          /\b\W*b\W*t\W*c\W*\b/i
> body    __BTC4          /\bb[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
> meta    LOCAL_BITCOIN   ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )
> score   LOCAL_BITCOIN   0.1
>
> body    __UCporn        /\b\W*p\W*o\W*r\W*n\W*\b/
> body    __UCpixel       /\b\W*p\W*i\W*x\W*e\W*l\W*\b/
> body    __UCvideos      /\b\W*v\W*i\W*d\W*(e\W*o\W*)?(s)?\W*\b/
> body    __UCwebcam      /\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b/
> body    __UCkeylogger   /\b\W*k\W*e\W*y\W*l\W*o\W*g\W*g\W*e\W*r\W*\b/
> body    __UCviruses     /\b\W*v\W*i\W*r\W*u\W*s\W*(e\W*s)?\W*\b/
> body    __UCmalware     /\b\W*m\W*a\W*l\W*w\W*a\W*r\W*e\W*\b/
> body    __UCtrojan      /\b\W*t\W*r\W*o\W*j\W*a\W*n\W*\b/
> body    __UCrecording   /\b\W*r\W*e\W*c\W*o\W*r\W*d\W*i\W*n\W*g\W*\b/
> body    __UChacked      /\b\W*h\W*a\W*c\W*k\W*e\W*d\W*\b/
> meta    LOCAL_SEXTORTION     ( LOCAL_BITCOIN && ( __UCporn || __UCpixel || __UCvideos || __UCwebcam) && ( __UCkeylogger || __UCviruses || __UCmalware || __UCtrojan || __UCrecording || __UChacked ) )
> score   LOCAL_SEXTORTION    20.0
>
> The gist of the SEXTORTION rule is the email must contain a bitcoin address AND (porn or pixel or video/videos or webcam/camera/cam) AND (keylogger or virus/viruses or malware or trojan or recording or hacked). Every sextortion email that I've seen contains those words.
>
> It's not pretty, but it works (until the scammers change tactics).

It's also a bit dangerous. "*" in a body rule opens you to DoS attacks.

I recommend   \W{0,10}    instead of   \W*  to reduce that exposure.

Also, it's a bit more efficient to not use capturing parens if you're not
going to do anything with the match:

    /\b\W*(?:w\W*e\W*b\W*)?c\W*a\W*m\W*(?:e\W*r\W*a)?\W*\b/


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Politicians never accuse you of "greed" for wanting other people's
   money, only for wanting to keep your own money.    -- Joseph Sobran
-----------------------------------------------------------------------
  557 days since the first commercial re-flight of an orbital booster (SpaceX)
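As an added example (my code, not Steve's rules as deployed and not John's sandbox rules), the `__BTC*` rules from Steve's post above are ported to Python's `re` module and evaluated on constructed bodies, so the three points John raises can be checked directly: the `(?!itcoin)` lookahead stops `__BTC4` matching the plain spelling, `\W{0,10}` in place of `\W*` bounds how much filler the engine will consume between letters, and `(?:...)` drops the capture that `__UCwebcam` never uses. Port details: SpamAssassin's Perl escape `\x{0456}` is written `\u0456`, the `/i` flag becomes `re.I`, and the meta is a small function. The sample bodies and the address-shaped string are constructed. Running it also shows that the `LOCAL_BITCOIN` meta still fires on a clear-text "bitcoin" next to an address after the `__BTC4` change, because `\W*` (or `\W{0,10}`) in `__BTC2` can match nothing at all; a meta meant to hit only obfuscated spellings needs the same treatment for `__BTC2` and `__BTC3`.

```python
import re

# Steve's rules as posted, ported to Python's re module (\x{0456} -> \u0456, /i -> re.I).
ORIGINAL = {
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    "__BTC4": re.compile(r"\bb[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I),
}

# The same rules with John Hardin's suggestions applied:
#   (?!itcoin)  so __BTC4 no longer matches the plain spelling,
#   \W{0,10}    instead of \W* so backtracking is bounded.
TUNED = {
    "__BTC1": ORIGINAL["__BTC1"],
    "__BTC2": re.compile(r"\b\W{0,10}b\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b", re.I),
    "__BTC3": re.compile(r"\b\W{0,10}b\W{0,10}t\W{0,10}c\W{0,10}\b", re.I),
    "__BTC4": re.compile(r"\bb(?!itcoin)[i\u0456]t[c\u0441][o\u043e][i\u0456]n\b", re.I),
}

# __UCwebcam as posted (capturing groups) and with John's non-capturing groups.
UCWEBCAM_CAPTURING = re.compile(r"\b\W*(w\W*e\W*b\W*)?c\W*a\W*m\W*(e\W*r\W*a)?\W*\b")
UCWEBCAM_NONCAPTURING = re.compile(r"\b\W*(?:w\W*e\W*b\W*)?c\W*a\W*m\W*(?:e\W*r\W*a)?\W*\b")


def hits(rules, body):
    """Names of the sub-rules that match, as SpamAssassin would list them."""
    return {name for name, rx in rules.items() if rx.search(body)}


def local_bitcoin(rules, body):
    """meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 ) )"""
    h = hits(rules, body)
    return "__BTC1" in h and bool(h & {"__BTC2", "__BTC3", "__BTC4"})


# Constructed sample bodies. The address is a made-up string drawn from the
# alphabet __BTC1 accepts; it is not a real wallet.
ADDR = "1ConstructedSampeAddrForTestsXYZ9"
PLAIN = f"Send 0.5 bitcoin to {ADDR} within 24 hours."
CYRILLIC = f"Send 0.5 b\u0456tco\u0456n to {ADDR} within 24 hours."   # Cyrillic і (U+0456)
ZERO_WIDTH = f"Send 0.5 bit\u200ccoin to {ADDR} within 24 hours."    # ZWNJ inside the word
LONG_GAP = "b" + "-" * 11 + "itcoin"  # more filler than \W{0,10} allows


def report():
    """For each sample: (sub-rules hit, meta result) under both rule sets."""
    out = {}
    for label, body in [("plain", PLAIN), ("cyrillic", CYRILLIC),
                        ("zero_width", ZERO_WIDTH), ("long_gap", LONG_GAP)]:
        out[label] = {
            "original": (sorted(hits(ORIGINAL, body)), local_bitcoin(ORIGINAL, body)),
            "tuned": (sorted(hits(TUNED, body)), local_bitcoin(TUNED, body)),
        }
    return out


if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
    print("capturing groups    :", UCWEBCAM_CAPTURING.search("webcam").groups())
    print("non-capturing groups:", UCWEBCAM_NONCAPTURING.search("webcam").groups())
```

The `LONG_GAP` sample only shows where the bound changes the outcome; it is not a timing benchmark of the unbounded pattern. Python's `re` treats U+200C as `\W`, which is why the zero-width body still hits `__BTC2` in both rule sets: gap-tolerant patterns cover the windows-1256 trick from the start of the thread as well as Cyrillic look-alikes.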