Mailing List Archive

Rules for a recent flood of BTC/webcam spam
I've seen a recent flood of "I hacked your camera and caught you doing
stuff" emails. I doubt they'll continue for a long time, but I made some
rules to target them. Find them here https://pastebin.com/B5Q6emBU

--
For SpamAssassin Users List
Re: Rules for a recent flood of BTC/webcam spam
On 2021-02-24 17:52, I wrote:
> I've seen a recent flood of "I hacked your camera and caught you doing
> stuff" emails. I doubt they'll continue for a long time, but I made
> some rules to target them. Find them here https://pastebin.com/B5Q6emBU
>
> --
> For SpamAssassin Users List
>
After a little more research, a better regex for an obfuscated BTC
address is

/[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/

Also added in more possible keyword misspellings
https://pastebin.com/nCQrLunx

It might be worth adding = and _ to the obfuscating delimiters. YMMV.

--
For SpamAssassin Users List
Re: Rules for a recent flood of BTC/webcam spam
On Wed, 24 Feb 2021, Alan wrote:

> I've seen a recent flood of "I hacked your camera and caught you doing stuff"
> emails. I doubt they'll continue for a long time, but I made some rules to
> target them. Find them here https://pastebin.com/B5Q6emBU

There are already rules for that sort of thing in the base ruleset:

BITCOIN_EXTORT_01
BITCOIN_EXTORT_02
BITCOIN_PAY_ME
BITCOIN_DEADLINE
BITCOIN_YOUR_INFO
BITCOIN_MALWARE

and a few others. Are any of these hitting on what you're getting? Perhaps
all you need to do is assign higher local scores to these rules.

I would love to see more spamples to improve them. Feel free to zip up any
bitcoin extortion spams you get and send them to me by private email at
any time.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
270 days since the first private commercial manned orbital mission (SpaceX)
Re: Rules for a recent flood of BTC/webcam spam
On Wed, 24 Feb 2021, Alan wrote:

> After a little more research, a better regex for an obfuscated BTC address is
>
> /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
>
> It might be worth adding = and _ to the obfuscating delimiters. YMMV.

I've updated __BITCOIN_ID with -, = and _ obfuscations, which I haven't
seen myself yet.

Thanks!

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Rules for a recent flood of BTC/webcam spam
On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
John Hardin wrote:

> On Wed, 24 Feb 2021, Alan wrote:
>
> > After a little more research, a better regex for an obfuscated BTC
> > address is
> >
> > /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
> >
> > It might be worth adding = and _ to the obfuscating delimiters.
> > YMMV.
>
> I've updated __BITCOIN_ID with -, = and _ obfuscations, which I
> haven't seen myself yet.
>
> Thanks!
>

Possibly

(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){25,34}|[a-km-zA-HJ-NP-Z1-9]{25,34})

should be

(?:[-_=\s]*[a-km-zA-HJ-NP-Z1-9]){25,34}

It's shorter and more general.
Re: Rules for a recent flood of BTC/webcam spam
On Thu, 25 Feb 2021, RW wrote:

> On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
> John Hardin wrote:
>
>> On Wed, 24 Feb 2021, Alan wrote:
>>
>>> After a little more research, a better regex for an obfuscated BTC
>>> address is
>>>
>>> /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
>>>
>>> It might be worth adding = and _ to the obfuscating delimiters.
>>> YMMV.
>>
>> I've updated __BITCOIN_ID with -, = and _ obfuscations, which I
>> haven't seen myself yet.
>>
>> Thanks!
>>
>
> Possibly
>
> (?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){25,34}|[a-km-zA-HJ-NP-Z1-9]{25,34})
>
> should be
>
> (?:[-_=\s]*[a-km-zA-HJ-NP-Z1-9]){25,34}
>
> It's shorter and more general.

I'd prefer:

(?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}

The reason I haven't is I have not seen a mixture yet - it's either all
spaced or not at all.

I'll take a look at that tonight when I have some time.


The more loose you get with matching obfuscation the greater the chance of
false positives. Consider, for example, the PGP key in my .sig (which has
a zero, but I'd wager there are PGP key signatures that look like
obfuscated bitcoin wallet addresses...)

Also, there's a limit to how complex the obfuscation can get before the
recipient can't (or won't) follow the instructions.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Rules for a recent flood of BTC/webcam spam
On 2021-02-25 10:54, John Hardin wrote:
> On Thu, 25 Feb 2021, RW wrote:
>
>> On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
>> John Hardin wrote:
>>
>>> On Wed, 24 Feb 2021, Alan wrote:
>>>
>>>> After a little more research, a better regex for an obfuscated BTC
>>>> address is
>>>>
>>>> /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
>>>>
>>>> It might be worth adding = and _ to the obfuscating delimiters.
>>>> YMMV.
>>>
>>> I've updated __BITCOIN_ID with -, = and _ obfuscations, which I
>>> haven't seen myself yet.
>>>
>>> Thanks!
>>>
>>
>> Possibly
>>
>>  (?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){25,34}|[a-km-zA-HJ-NP-Z1-9]{25,34})
>>
>> should be
>>
>>  (?:[-_=\s]*[a-km-zA-HJ-NP-Z1-9]){25,34}
>>
>> It's shorter and more general.
>
> I'd prefer:
>
>  (?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}
>
> The reason I haven't is I have not seen a mixture yet - it's either
> all spaced or not at all.
>
> I'll take a look at that tonight when I have some time.
>
>
> The more loose you get with matching obfuscation the greater the
> chance of false positives. Consider, for example, the PGP key in my
> .sig (which has a zero, but I'd wager there are PGP key signatures
> that look like obfuscated bitcoin wallet addresses...)
>
> Also, there's a limit to how complex the obfuscation can get before
> the recipient can't (or won't) follow the instructions.
>
>
Bitcoin addresses start with either 1 or 3. It's less general
specifically to avoid FPs. Personally I'm weighting this pretty high so
I don't want to trigger on non-obfuscated BTC addresses. So far, all of
my targets send a plain text version so "just a space" has been working.

All that said, another potential obfuscation would be a period. I'm
going to add that.

--
For SpamAssassin Users List
Re: Rules for a recent flood of BTC/webcam spam
On Thu, 25 Feb 2021 12:13:59 -0500
Alan wrote:


> Bitcoin addresses start with either 1 or 3.

Most do, but around 13% of those reported to the bitcoin abuse database
are in the format starting with "bc".

> It's less general specifically to avoid FPs. Personally I'm weighting
> this pretty high so I don't want to trigger on non-obfuscated BTC
> addresses.

Now I come to think of it, I think we've been here before, and allowing
arbitrary spaces led to a reported FP on ordinary text.

If you still meta with A4A_PORNSCAM_WORD you can afford to take some
risks with the address match though.

Before __BITCOIN_ID was in the core rules I had my own version for the
^[13] format that checked for mixed case and an additional digit. If
those conditions are not met it's most likely an FP.

It's also possible to tighten the range down to {32,33} or even
{33} without losing many matches:


$ for n in `jot 12 25` ; do printf "$n" ; < bitcoinlist egrep "^[13].{${n}}$" | wc -l ; done
25 0
26 0
27 0
28 0
29 3
30 1
31 4
32 1659
33 50290
34 8
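Added example, not from the thread, SpamAssassin, or __BITCOIN_ID itself: it runs the three delimiter-handling variants discussed above (Alan's uniform-delimiter rule, RW's `*`, John Hardin's `?`) against constructed samples, including a made-up hex fingerprint with no zero, and then applies RW's mixed-case/digit/length post-filter. Prefixing the quoted fragments with `\b[13]` is an assumption about how the rule anchors them; the address and fingerprint strings are constructed.

```python
import re

# Base58 alphabet as used in the thread's __BITCOIN_ID fragments (no 0, O, I, l).
B58 = r"[a-km-zA-HJ-NP-Z1-9]"

# The three variants discussed in the thread. Prefixing RW's and John Hardin's
# fragments with \b[13] is my assumption about how the rule anchors them.
PATTERNS = {
    # Alan: every character separated by exactly one space or dash.
    "alan_uniform_delim": re.compile(
        r"[13][ \-](?:[a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]"),
    # RW: any run of delimiters (including none) between characters.
    "rw_star": re.compile(r"\b[13](?:[-_=\s]*" + B58 + r"){25,34}"),
    # John Hardin: at most one delimiter between characters.
    "hardin_optional": re.compile(r"\b[13](?:[-_=\s]?" + B58 + r"){25,34}"),
}


def candidate_hits(text):
    """Names of the variants that find a match somewhere in text."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def plausible_address(matched):
    """RW's post-filter: strip the delimiters, then require mixed case, a
    digit after the leading 1/3, and 32-33 following characters (the
    lengths that dominate his count of real addresses)."""
    tail = re.sub(r"[-_=\s]", "", matched)[1:]
    return (32 <= len(tail) <= 33
            and re.search(r"[a-z]", tail) is not None
            and re.search(r"[A-Z]", tail) is not None
            and re.search(r"[1-9]", tail) is not None)


# Constructed samples: a made-up 34-character address and a made-up
# PGP-style hex fingerprint that happens to contain no zero.
ADDR = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
SAMPLES = {
    "plain": ADDR,
    "spaced": " ".join(ADDR),
    "dashed": "-".join(ADDR),
    "mixed": "1AbCd-EfGh JkMn_PqRs=TuVw XyZ2 3456 789ab",
    "hex_fp": "key: 1A2B 3C4D 5E6F 7A8B 9C1D 2E3F 4A5B 6C7D 8E9F 1A2B",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        m = PATTERNS["hardin_optional"].search(text)
        verdict = "plausible" if m and plausible_address(m.group()) else "rejected"
        print(label, candidate_hits(text), verdict)
```

The looser `*` and `?` variants both hit the zero-free fingerprint, which the uniform-delimiter rule and RW's post-filter each reject.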
Re: Rules for a recent flood of BTC/webcam spam
On Fri, 26 Feb 2021, RW wrote:

> It's also possible to tighten the range down to {32,33} or even
> {33} without losing many matches:
>
>
> $ for n in `jot 12 25` ; do printf "$n" ; < bitcoinlist egrep "^[13].{${n}}$" | wc -l ; done
> 25 0
> 26 0
> 27 0
> 28 0
> 29 3
> 30 1
> 31 4
> 32 1659
> 33 50290
> 34 8

Interesting analysis, thanks. I'll tighten it up a bit based on that.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79