From 80928e500cca36a6bd4901b3aca50d6515674b61 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Mon, 29 Oct 2018 16:51:39 +0000
Subject: [PATCH] [Rules] Add LEAKED_PASSWORD_SCAM rule
---
 rules/regexp/misc.lua | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index b9e1b0e6d0..846cb5ee53 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -60,3 +60,15 @@ reconf['HAS_ONION_URI'] = {
 score = 0.0,
 group = 'experimental'
 }
+
+local password_in_subject = [[Subject=/\bpassword\b/i]]
+local password_in_body = [[/\bpassword\b/i{sa_body}]]
+local btc_wallet = [[/\b[13][0-9a-zA-Z]{25,34}\b/{sa_body}]]
+
+reconf['LEAKED_PASSWORD_SCAM'] = {
+ re = string.format('(%s | %s) & %s', password_in_subject,
+ password_in_body, btc_wallet),
+ description = 'Contains password word and BTC wallet address',
+ score = 5.0,
+ group = 'scams'
+}
\ No newline at end of file
-- 
2.47.3
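Review bot: The `btc_wallet` pattern matches any 26–35 character alphanumeric token that starts with 1 or 3, because `[0-9a-zA-Z]` is wider than the Base58 alphabet, which has no `0`, `O`, `I` or `l`. Hex digests, tracking IDs and reset tokens in legitimate mail can therefore match, and since the word "password" is common in ordinary account-notification mail, the combined rule at `score = 5.0` carries a real false-positive risk. I would narrow the class to Base58: `local btc_wallet = [[/\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/{sa_body}]]`. A regexp still cannot check the address checksum, so a lower initial score until hit rates are observed may be prudent. A short comment above the three patterns stating that only legacy `1…`/`3…` addresses are covered would also help the next maintainer.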