[Rules] Add LEAKED_PASSWORD_SCAM rule

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Mon, 29 Oct 2018 16:51:39 +0000 (16:51 +0000)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Mon, 29 Oct 2018 16:51:39 +0000 (16:51 +0000)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 29 Oct 2018 16:51:39 +0000 (16:51 +0000)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 29 Oct 2018 16:51:39 +0000 (16:51 +0000)
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua

index b9e1b0e6d0c501bf775d3a153c3dda5c87f9c3df..846cb5ee53912b7c4776db021c6899a099e575ba 100644 (file)
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -60,3 +60,15 @@ reconf['HAS_ONION_URI'] = {
      score = 0.0,
      group = 'experimental'
  }
+
+local password_in_subject = [[Subject=/\bpassword\b/i]]
+local password_in_body = [[/\bpassword\b/i{sa_body}]]
+local btc_wallet = [[/\b[13][0-9a-zA-Z]{25,34}\b/{sa_body}]]
+
+reconf['LEAKED_PASSWORD_SCAM'] = {
+  re = string.format('(%s | %s) & %s', password_in_subject,
+      password_in_body, btc_wallet),
+  description = 'Contains password word and BTC wallet address',
+  score = 5.0,
+  group = 'scams'
+}
+\ No newline at end of file
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Mon, 29 Oct 2018 16:51:39 +0000 (16:51 +0000)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Mon, 29 Oct 2018 16:51:39 +0000 (16:51 +0000)