Mailing List Archive

Bitcoin ransom mail
A user here reported a new twist on the bitcoin ransom mail. New to me,
anyway.

From: Casper Mitten <rwbcapricepze@outlook.com>
Sent: Monday, December 9, 2019 10:00 PM

The Subject was a single word, supposedly a password.
The message was a jpg picture of text.
Although it was in English, many vowels were accented special characters.
The recipient was expected to scan a QR code in the picture to get the
bitcoin string!

I'm sending this purely for information. The user's report (as usual) does
not include headers so I don't know what scored. It must have hit a rule
for a message with no text and an image. There isn't much else there.


--
Joseph Brennan
Lead, Email and Systems Applications
Re: Bitcoin ransom mail
Am 2019-12-10 19:03, schrieb Joseph Brennan:
> A user here reported a new twist on the bitcoin ransom mail. New to
> me, anyway.
>
> From: Casper Mitten <rwbcapricepze@outlook.com>
> Sent: Monday, December 9, 2019 10:00 PM
>
> The Subject was a single word, supposedly a password.
>
> The message was a jpg picture of text.
> Although it was in English, many vowels were accented special
> characters.
> The recipient was expected to scan a QR code in the picture to get the
> bitcoin string!
>
> I'm sending this purely for information. The user's report (as usual)
> does not include headers so I don't know what scored. It must have hit
> a rule for a message with no text and an image. There isn't much else
> there.
>
> --
>
> Joseph Brennan
> Lead, Email and Systems Applications


My copy hit

BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79

not enough to mark it as spammy.

Michael
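One thing a site can do with the three weak hits Michael lists, as an added local rule (not from the thread and not part of the SpamAssassin rule set): a meta rule that fires only when all three hit on the same message and lifts the total. The rule name and the score are assumptions; check it against local ham before giving it a score that tips messages over the threshold.

```text
# Added local rule (assumption: name and score chosen here, not from the list).
# BODY_SINGLE_WORD, HTML_IMAGE_ONLY_04 and MPART_ALT_DIFF are the stock rules
# Michael's copy hit; each is weak alone, the combination is the signal.
meta     LOCAL_IMAGE_ONLY_ONE_WORD  (BODY_SINGLE_WORD && HTML_IMAGE_ONLY_04 && MPART_ALT_DIFF)
describe LOCAL_IMAGE_ONLY_ONE_WORD  One-word text part, image-only HTML part, alt parts differ
score    LOCAL_IMAGE_ONLY_ONE_WORD  2.5
```

Put it in a local .cf file under the site rules directory and run `spamassassin --lint` before reloading; the 2.5 plus the three base scores Michael quoted lands close to the default 5.0 threshold on its own, so Bayes or any other hit then tips it.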
Re: Bitcoin ransom mail
On 12/10/19 7:49 PM, Michael Storz wrote:
[...]
> My copy hit
>
> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>
> not enough to mark it as spammy.
>
>
could you share a spample (as a pastebin uri or in private) ?

Giovanni
Re: Bitcoin ransom mail
Hi PFA...

On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
> On 12/10/19 7:49 PM, Michael Storz wrote:
> [...]
>> My copy hit
>>
>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>
>> not enough to mark it as spammy.
>>
>>
> could you share a spample (as a pastebin uri or in private) ?
>
> Giovanni
Re: Bitcoin ransom mail
On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
> Hi PFA...
>
> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>> On 12/10/19 7:49 PM, Michael Storz wrote:
>> [...]
>>> My copy hit
>>>
>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>
>>> not enough to mark it as spammy.
>
FuzzyOcr + Bayes is killing this kind of email for me:

5.0 FUZZY_OCR BODY: Mail contains an image with common spam text
inside
[Words found:]
["cialis" in 2 lines]
[(2 word occurrences found)]

Giovanni
Re: Bitcoin ransom mail
On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:

> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>> Hi PFA...
>>
>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>> [...]
>>>> My copy hit
>>>>
>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172,
>>>> MPART_ALT_DIFF=0.79
>>>>
>>>> not enough to mark it as spammy.
>>
> FuzzyOcr + bayes is killing this kind of emails for me:

FuzzyOcr is unmaintained and doesn't even have an authoritative
repository as far as I can tell. It is computationally very expensive,
to the degree that it isn't safe to just add it to an existing mail
system which does not have a lot of idle CPU and memory capacity.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: Bitcoin ransom mail
Bill Cole skrev den 2019-12-11 15:17:

> FuzzyOcr is unmaintained and doesn't even have an authoritative
> repository as far as I can tell. It is computationally very expensive,
> to the degree that it isn't safe to just add it to an existing mail
> system which does not have a lot of idle CPU and memory capacity.

is there hope for the eXtractText plugin? Did it die like FuzzyOcr?

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UnmaintainedCustomPlugins

if they were maintained ....
Re: Bitcoin ransom mail
On Wed, Dec 11, 2019 at 04:05:50PM +0100, Benny Pedersen wrote:
> Bill Cole skrev den 2019-12-11 15:17:
>
> >FuzzyOcr is unmaintained and doesn't even have an authoritative
> >repository as far as I can tell. It is computationally very expensive,
> >to the degree that it isn't safe to just add it to an existing mail
> >system which does not have a lot of idle CPU and memory capacity.
>
> is there hope for the eXtractText plugin? Did it die like FuzzyOcr?
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UnmaintainedCustomPlugins
>
> if they were maintained ....

Test this and give feedback

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7727
Re: Bitcoin ransom mail
On 12/11/19 3:17 PM, Bill Cole wrote:
> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>
>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>> Hi PFA...
>>>
>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>> [...]
>>>>> My copy hit
>>>>>
>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>>>
>>>>> not enough to mark it as spammy.
>>>
>> FuzzyOcr + bayes is killing this kind of emails for me:
>
> FuzzyOcr is unmaintained and doesn't even have an authoritative repository as far as I can tell. It is computationally very expensive, to the degree that it isn't safe to just add it to an existing mail system which does not have a lot of idle CPU and memory capacity.
>
It's true that it's unmaintained, but I have it running on Perl 5.28 with some patches and it's still useful every now and then (if you have some spare CPU cycles and you know what you are doing).
A new OCR plugin could definitely be a better choice.
Giovanni
Re: Bitcoin ransom mail
On Wed, Dec 11, 2019 at 1:58 PM Giovanni Bechis <giovanni@paclan.it> wrote:
>
> On 12/11/19 3:17 PM, Bill Cole wrote:
> > On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
> >
> >> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
> >>> Hi PFA...
> >>>
> >>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
> >>>> On 12/10/19 7:49 PM, Michael Storz wrote:
> >>>> [...]
> >>>>> My copy hit
> >>>>>
> >>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
> >>>>>
> >>>>> not enough to mark it as spammy.
> >>>
> >> FuzzyOcr + bayes is killing this kind of emails for me:
> >
> > FuzzyOcr is unmaintained and doesn't even have an authoritative repository as far as I can tell. It is computationally very expensive, to the degree that it isn't safe to just add it to an existing mail system which does not have a lot of idle CPU and memory capacity.
> >
> it's true that it's unmaintained but I have it running on Perl 5.28 with some patches and it's still useful every now and then (if you have some spare cpu cycles and you know what you are doing).
> A new OCR plugin could definitely be a better choice.
> Giovanni

I asked the project owner if I could put fuzzyocr on github. He said
go for it, so it is now at https://github.com/raubvogel/FuzzyOcr.
Re: Bitcoin ransom mail
On 12/11/19 8:00 PM, Mauricio Tavares wrote:
> On Wed, Dec 11, 2019 at 1:58 PM Giovanni Bechis <giovanni@paclan.it> wrote:
>>
>> On 12/11/19 3:17 PM, Bill Cole wrote:
>>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>>>
>>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>>>> Hi PFA...
>>>>>
>>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>>>> [...]
>>>>>>> My copy hit
>>>>>>>
>>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>>>>>
>>>>>>> not enough to mark it as spammy.
>>>>>
>>>> FuzzyOcr + bayes is killing this kind of emails for me:
>>>
>>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository as far as I can tell. It is computationally very expensive, to the degree that it isn't safe to just add it to an existing mail system which does not have a lot of idle CPU and memory capacity.
>>>
>> it's true that it's unmaintained but I have it running on Perl 5.28 with some patches and it's still useful every now and then (if you have some spare cpu cycles and you know what you are doing).
>> A new OCR plugin could definitely be a better choice.
>> Giovanni
>
> I asked the project owner if I could put fuzzyocr on github. He said
> go for it, so it is now at https://github.com/raubvogel/FuzzyOcr.
>
Cool,
you can grab my patches (if they are needed) here:
http://cvsweb.openbsd.org/ports/mail/p5-FuzzyOcr/patches/

Giovanni
Re: Bitcoin ransom mail
On Wed, Dec 11, 2019 at 2:05 PM Giovanni Bechis <giovanni@paclan.it> wrote:
>
> On 12/11/19 8:00 PM, Mauricio Tavares wrote:
> > On Wed, Dec 11, 2019 at 1:58 PM Giovanni Bechis <giovanni@paclan.it> wrote:
> >>
> >> On 12/11/19 3:17 PM, Bill Cole wrote:
> >>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
> >>>
> >>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
> >>>>> Hi PFA...
> >>>>>
> >>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
> >>>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
> >>>>>> [...]
> >>>>>>> My copy hit
> >>>>>>>
> >>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
> >>>>>>>
> >>>>>>> not enough to mark it as spammy.
> >>>>>
> >>>> FuzzyOcr + bayes is killing this kind of emails for me:
> >>>
> >>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository as far as I can tell. It is computationally very expensive, to the degree that it isn't safe to just add it to an existing mail system which does not have a lot of idle CPU and memory capacity.
> >>>
> >> it's true that it's unmaintained but I have it running on Perl 5.28 with some patches and it's still useful every now and then (if you have some spare cpu cycles and you know what you are doing).
> >> A new OCR plugin could definitely be a better choice.
> >> Giovanni
> >
> > I asked the project owner if I could put fuzzyocr on github. He said
> > go for it, so it is now at https://github.com/raubvogel/FuzzyOcr.
> >
> Cool,
> you can grab my patches (if they are needed) here:
> http://cvsweb.openbsd.org/ports/mail/p5-FuzzyOcr/patches/
>
Will do! But, I do want to ensure your work is acknowledged; if
I wanted to claim someone else's work as mine I would be into
politics. ;)

> Giovanni
Re: Bitcoin ransom mail
Mauricio Tavares <raubvogel@gmail.com> writes:

> On Wed, Dec 11, 2019 at 2:05 PM Giovanni Bechis <giovanni@paclan.it> wrote:
>>
>> On 12/11/19 8:00 PM, Mauricio Tavares wrote:
>>
>> > I asked the project owner if I could put fuzzyocr on github. He said
>> > go for it, so it is now at https://github.com/raubvogel/FuzzyOcr.
>> >
>> Cool,
>> you can grab my patches (if they are needed) here:
>> http://cvsweb.openbsd.org/ports/mail/p5-FuzzyOcr/patches/
>>
> Will do! But, I do want to ensure your work is acknowledged; if
> I wanted to claim someone else's work as mine I would be into
> politics. ;)

That sounds like very good news that you are taking over the
maintenance of FuzzyOcr!

Among future developments, I have been playing with the idea of
FuzzyOcr pushing the decoded text back to SA for further analysis rather
than using a local list of words. That is the way PdfAssassin works:
text is pushed as a text block and images as image attachments (so they
can be further processed by any image plugin like FuzzyOcr). If that
could work, that would be a great improvement to FuzzyOcr.

Best regards,

Olivier

Re: Bitcoin ransom mail
On 2019-12-11 1:58 pm, Giovanni Bechis wrote:
> On 12/11/19 3:17 PM, Bill Cole wrote:
>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>>
>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>>> Hi PFA...
>>>>
>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>>> [...]
>>>>>> My copy hit
>>>>>>
>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172,
>>>>>> MPART_ALT_DIFF=0.79
>>>>>>
>>>>>> not enough to mark it as spammy.
>>>>
>>> FuzzyOcr + bayes is killing this kind of emails for me:
>>
>> FuzzyOcr is unmaintained and doesn't even have an authoritative
>> repository as far as I can tell. It is computationally very expensive,
>> to the degree that it isn't safe to just add it to an existing mail
>> system which does not have a lot of idle CPU and memory capacity.
>>
> it's true that it's unmaintained but I have it running on Perl 5.28
> with some patches and it's still useful every now and then (if you
> have some spare cpu cycles and you know what you are doing).
> A new OCR plugin could definitely be a better choice.
> Giovanni

fuzzyocr is available from the standard repos for Ubuntu 18.04. It's
v3.6.0-10, with a homepage listed as

https://web.archive.org/web/20130117050640/http://fuzzyocr.own-hero.net/

Interestingly I just got one of those bitcoin spams, but fuzzyocr didn't
pick up on it. This is the spam report for it:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 BAYES_80               BODY: Bayes spam probability is 80 to 95%
                            [score: 0.8391]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
                            [40.92.254.80 listed in list.dnswl.org]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (xbdamianta[at]outlook.com)
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.0 TVD_SPACE_RATIO        No description available.
 0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current years
Re: Bitcoin ransom mail
On 12/13/19 3:21 PM, Dean Carpenter wrote:
> On 2019-12-11 1:58 pm, Giovanni Bechis wrote:
>> On 12/11/19 3:17 PM, Bill Cole wrote:
>>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>>>
>>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>>>> Hi PFA...
>>>>>
>>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>>>> [...]
>>>>>>> My copy hit
>>>>>>>
>>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>>>>>
>>>>>>> not enough to mark it as spammy.
>>>>>
>>>> FuzzyOcr + bayes is killing this kind of emails for me:
>>>
>>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository as far as I can tell. It is computationally very expensive, to the degree that it isn't safe to just add it to an existing mail system which does not have a lot of idle CPU and memory capacity.
>>>
>> it's true that it's unmaintained but I have it running on Perl 5.28
>> with some patches and it's still useful every now and then (if you
>> have some spare cpu cycles and you know what you are doing).
>> A new OCR plugin could definitely be a better choice.
>>   Giovanni
>
> fuzzyocr is available from the standard repos for Ubuntu 18.04.  It's
> v3.6.0-10, with a homepage listed as
>
> https://web.archive.org/web/20130117050640/http://fuzzyocr.own-hero.net/
>
> Interestingly I just got one of those bitcoin spams, but fuzzyocr didn't pick up on it.  This is the spam report for it :
>
If I remember correctly, by default FuzzyOcr skips images with a resolution higher than 800x800; the spam I received had a bigger image.
Giovanni
Re: Bitcoin ransom mail
>>>>On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>>>>Hi PFA...
>>>>>
>>>>>On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>>>>On 12/10/19 7:49 PM, Michael Storz wrote:
>>>>>>[...]
>>>>>>>My copy hit
>>>>>>>
>>>>>>>BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172,
>>>>>>>MPART_ALT_DIFF=0.79
>>>>>>>
>>>>>>>not enough to mark it as spammy.

>>>On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>>>>FuzzyOcr + bayes is killing this kind of emails for me:

>>On 12/11/19 3:17 PM, Bill Cole wrote:
>>>FuzzyOcr is unmaintained and doesn't even have an authoritative
>>>repository as far as I can tell. It is computationally very
>>>expensive, to the degree that it isn't safe to just add it to an
>>>existing mail system which does not have a lot of idle CPU and
>>>memory capacity.

>On 2019-12-11 1:58 pm, Giovanni Bechis wrote:
>>it's true that it's unmaintained but I have it running on Perl 5.28
>>with some patches and it's still useful every now and then (if you
>>have some spare cpu cycles and you know what you are doing).
>>A new OCR plugin could definitely be a better choice.

On 13.12.19 09:21, Dean Carpenter wrote:
>fuzzyocr is available from the standard repos for Ubuntu 18.04. It's
>v3.6.0-10, with a homepage listed as
>
>https://web.archive.org/web/20130117050640/http://fuzzyocr.own-hero.net/
>
>Interestingly I just got one of those bitcoin spams, but fuzzyocr
>didn't pick up on it. This is the spam report for it :

FuzzyOcr only picks up some words and scores on them.

Since OCR wasn't very reliable when it was developed, it didn't do things
like pushing text back to SA for scanning with other rules.

I believe this could be done now.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
Re: Bitcoin ransom mail
I have a solution with ClamAV for any image that is "not allowed". In my case I create an md5sum from images I don't want to receive and put them into a hash table.
This hash table is placed in /var/lib/clamav/NAME.hsb

/var/lib/clamav/NAME.hsb looks like:
129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage
hash:size:"VIRUS name"

so any new mail with this attachment gets treated as a virus

If you want to set a score for this image you need this:

in /etc/amavis/conf.d/50-user
insert:

@virus_name_to_spam_score_maps =
(new_RE( # the order matters!
[ qr'BitcoinImage.UNOFFICIAL' => 999],
));


service amavis restart

done



Am 10.12.19 um 19:03 schrieb Joseph Brennan:
> A user here reported a new twist on the bitcoin ransom mail. New to me,
> anyway.
>
> From: Casper Mitten <rwbcapricepze@outlook.com>
> Sent: Monday, December 9, 2019 10:00 PM
>
> The Subject was a single word, supposedly a password.
> The message was a jpg picture of text.
> Although it was in English, many vowels were accented special characters.
> The recipient was expected to scan a QR code in the picture to get the
> bitcoin string!
>
> I'm sending this purely for information. The user's report (as usual) does
> not include headers so I don't know what scored. It must have hit a rule
> for a message with no text and an image. There isn't much else there.
>
>

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Geschäftsführer: Werner Grafenhain

Informationen zum Datenschutz: www.digionline.de/ds
Re: Bitcoin ransom mail
On Thu, 19 Dec 2019, Philipp Ewald wrote:

> I have a solution with ClamAV for any image that is "not allowed". In my case
> I create an md5sum from images I don't want to receive and put them into a
> hash table.
> This hash table is placed in /var/lib/clamav/NAME.hsb
>
> /var/lib/clamav/NAME.hsb looks like:
> 129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage
> hash:size:"VIRUS name"
>
> so any new mail with this attachment get treated as virus

To a degree that's just whack-a-mole. It would not be excessively
difficult to make minor alterations to the image sufficient to change the
hash without noticeably changing it visually.

It might be prohibitive to do that per-message, but sending a batch of a
hundred messages while you're modifying the image for the next batch would
probably work.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
6 days until Christmas
Re: Bitcoin ransom mail
John Hardin wrote:
> On Thu, 19 Dec 2019, Philipp Ewald wrote:
>
>> I have a solution with ClamAV for any image that is "not allowed". In
>> my case I create an md5sum from images I don't want to receive and put
>> them into a hash table.
>> This hash table is placed in /var/lib/clamav/NAME.hsb
>>
>> /var/lib/clamav/NAME.hsb looks like:
>> 129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage
>> hash:size:"VIRUS name"
>>
>> so any new mail with this attachment get treated as virus
>
> To a degree that's just whack-a-mole. It would not be excessively
> difficult to make minor alterations to the image sufficient to change
> the hash without noticeably changing it visually.
>
> It might be prohibitive to do that per-message, but sending a batch of a
> hundred messages while you're modifying the image for the next batch
> would probably work.

The ones I've seen are unique per recipient (recipient-specific past
password extracted from some data breach, the phrasing of the text in
the image, and probably the QR codes as well - the couple I've inspected
closely all had different QR codes), and I don't think I've had anyone
report more than two, *maybe* three.

Someone in the spam-sending community is probably making a nice little
Christmas bonus by selling a widget to generate the images...

However, the first ~4K of the samples I've had reported are similar
enough for a pattern signature suitable for a scored Clam instance.

I created a signature using a crude tool I wrote a while ago to take a
set of similar files and spit out a pattern signature for a .ndb
signature file. It essentially runs sigtool --hex-dump on each file,
and then compares the hex values in matching positions.

http://deepnet.cx/~kdeugau/clamtools/siggen

-kgd
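The three signature approaches in this thread side by side, as an added worked example that is not code from the list, from ClamAV, or from Kevin's siggen tool: Philipp's exact-hash .hsb entry, John Hardin's objection that a one-bit change defeats it, and the common-prefix .ndb pattern Kevin describes (bytes the samples agree on kept, bytes that differ replaced by ClamAV's single-byte wildcard `??`). The sample "images" are constructed byte strings that share a JPEG-like header and body and differ only in a short trailing segment; the two matchers are deliberately minimal re-implementations written so the example runs offline, not ClamAV's engine.

```python
import hashlib
from typing import List, Sequence

# Constructed stand-ins for the per-recipient ransom images (assumption: not
# real samples). Shared header and body; the COM segment near the end carries
# a per-recipient variant, like the differing QR codes Kevin saw.
_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
_BODY = b"\xff\xdb\x00\x43\x00" + bytes(range(64))   # fake quantisation table


def make_sample(variant: bytes) -> bytes:
    """Header + body + COM segment holding the variant + EOI marker."""
    return _HEADER + _BODY + b"\xff\xfe\x00\x08" + variant + b"\xff\xd9"


SAMPLES = [make_sample(b"QR001"), make_sample(b"QR002"), make_sample(b"QR003")]


def mutate(data: bytes, index: int) -> bytes:
    """Flip one bit at `index`: John Hardin's 'minor alteration'."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


# --- .hsb: exact hash signature (Philipp's approach) ------------------------

def hsb_line(data: bytes, name: str) -> str:
    """ClamAV .hsb entry: md5:size:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hsb_matches(data: bytes, line: str) -> bool:
    """An .hsb entry matches only if both the hash and the size agree."""
    digest, size, _name = line.split(":", 2)
    return hashlib.md5(data).hexdigest() == digest and len(data) == int(size)


# --- .ndb: pattern signature from the bytes the samples agree on ------------

def ndb_prefix_signature(samples: Sequence[bytes], name: str,
                         target_type: int = 0, max_len: int = 4096) -> str:
    """Build MalwareName:TargetType:Offset:HexSignature from common bytes.

    Positions where the samples differ become the wildcard '??'. Leading
    wildcards are dropped by moving the offset forward; trailing ones are
    dropped because they add nothing. Target type 0 means any file type
    (5 would restrict it to graphics). ClamAV rejects a pattern that is
    nearly all wildcards, so inspect the output before loading it.
    """
    length = min(min(len(s) for s in samples), max_len)
    cells: List[str] = []
    for i in range(length):
        column = {s[i] for s in samples}
        cells.append(f"{column.pop():02x}" if len(column) == 1 else "??")
    start = 0
    while start < len(cells) and cells[start] == "??":
        start += 1
    end = len(cells)
    while end > start and cells[end - 1] == "??":
        end -= 1
    if start == end:
        raise ValueError("samples share no bytes in the inspected range")
    return f"{name}:{target_type}:{start}:{''.join(cells[start:end])}"


def ndb_matches(data: bytes, entry: str) -> bool:
    """Minimal matcher for entries produced above (fixed offset, '??' only).
    ClamAV's real engine understands far more wildcard syntax than this."""
    _name, _ttype, offset, hexsig = entry.split(":", 3)
    cells = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    start = int(offset)
    if start + len(cells) > len(data):
        return False
    return all(c == "??" or int(c, 16) == data[start + k]
               for k, c in enumerate(cells))


if __name__ == "__main__":
    print(hsb_line(SAMPLES[0], "BitcoinImage"))
    print(ndb_prefix_signature(SAMPLES, "BitcoinImage.Prefix"))
```

Write the .ndb line to a file and load it with `clamscan -d that.ndb sample.jpg` to confirm ClamAV accepts the pattern. Note the last assertion in the design: a bit flipped inside the shared region defeats the prefix signature just as a flip anywhere defeats the hash, so John's whack-a-mole point still applies, only with a larger step between rounds.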