Blocking bitcoin scam from reaching your Inbox

Bitcoin-related scams have recently become very common. By using clever techniques, the sender is able to deliver the message all the way to the victim's Inbox, bypassing many spam filters.

A sample message appears below:

drowssap is your passphrases. Lets get straight to the point. Neither anyone has compensated me to investigate about you. You don't know me and you're most likely wondering why you are getting this email?

in fact, i setup a malware on the 18+ videos (pornography) web site and do you know what, you visited this web site to experience fun (you know what i mean). When you were viewing video clips, your internet browser began functioning as a Remote Desktop having a keylogger which provided me accessibility to your screen and also web cam. after that, my software obtained your entire contacts from your Messenger, Facebook, and email . after that i made a double video. First part shows the video you were watching (you have a good taste haha), and next part displays the view of your web camera, yea its you.

You have got not one but two options. Let us check out each of these possibilities in particulars:

Very first alternative is to skip this email message. as a result, i am going to send your very own video to every one of your contacts and thus think about concerning the shame you will definitely get. and consequently if you are in a romance, exactly how it is going to affect?

Second solution will be to give me $897. i will think of it as a donation. in this situation, i will straight away eliminate your videotape. You will keep your life like this never took place and you will not hear back again from me.

BTC address: 1AVSEj7UKjadhWCjcPcC1mbS5VVv89Hvgb

[CaSe SeNSiTiVe copy and paste it]

Certain characteristics of this message make it somewhat difficult to block. For example:

  • The message often comes from a domain that does not publish an SPF record, so an SPF check cannot flag it as a forgery.
  • The message often comes from hijacked SMTP servers, and it takes some time before RBL (real-time blackhole list) servers catch up.
  • The message does not contain any foreign links, making it look innocent.
  • The message contains hidden characters. This is actually the most important trick, designed to defeat spam filters.

Analyzing Hidden Characters

The spammer's goal is to defeat filtering software by inserting hidden characters between the letters of actual words. For example, the word bitcoin can easily be written as bit‌coin, which has a special character called Zero-width non-joiner (U+200C) between "bit" and "coin". Often this hidden character is inserted after every visible letter. Because of this trick, parsers cannot find the actual word: bitcoin.

How Xeams Blocks Such Messages

Xeams is designed to handle such tricks by removing these characters before the actual parsing occurs, making content filtering very effective. This pre-processing not only works when searching for regular words; it also works with regular expressions and Bayesian analysis.
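The following Python script is an added example (not code from Xeams or this article) showing the pre-processing step the two sections above describe: strip every Unicode "format" (Cf) code point, which covers the Zero-width non-joiner along with the zero-width space, zero-width joiner, word joiner, soft hyphen and BOM, and only then run keyword and regular-expression checks. The sample message, the keyword list, the legacy Bitcoin address pattern and the scoring weights are all constructed for the illustration; the address inside the sample is the one printed in the article, split up with U+200C after every character the way the spammer does it. Running the same regex on the raw text finds nothing, which is exactly why the cleaning pass matters.

```python
import re
import unicodedata

# Constructed example: "bitcoin" with a ZERO WIDTH NON-JOINER (U+200C) after
# every visible letter, the obfuscation the article describes.
OBFUSCATED_WORD = "b\u200ci\u200ct\u200cc\u200co\u200ci\u200cn"

# Constructed sample message modelled on the one quoted in the article. The
# BTC address is the one printed in the article, here broken up with U+200C.
SAMPLE_MESSAGE = (
    "Second solution will be to give me $897. i will accept only "
    + OBFUSCATED_WORD
    + ".\n"
    + "B\u200cT\u200cC address: "
    + "\u200c".join("1AVSEj7UKjadhWCjcPcC1mbS5VVv89Hvgb")
    + "\n"
    + "[CaSe SeNSiTiVe copy and paste it]\n"
)

# Phrases typical of this campaign (assumed list); matched only after cleaning.
KEYWORDS = ("bitcoin", "btc address", "keylogger", "web cam", "donation")

# Legacy (P2PKH/P2SH) Bitcoin address: base58 alphabet, starts with 1 or 3,
# 26-35 characters in total. Bech32 "bc1..." addresses are out of scope here.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def strip_hidden_characters(text: str) -> str:
    """Drop every Unicode 'format' (Cf) code point: ZWNJ (U+200C), ZWSP (U+200B),
    ZWJ (U+200D), WORD JOINER (U+2060), SOFT HYPHEN (U+00AD), BOM (U+FEFF) and
    similar. Visible characters are left untouched, so normal text is unchanged."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def hidden_character_count(text: str) -> int:
    """Number of invisible format characters the cleaning pass removed."""
    return len(text) - len(strip_hidden_characters(text))


def score_message(text: str, hidden_ratio_threshold: float = 0.05) -> dict:
    """Clean first, then apply word, regex and hidden-character heuristics.
    The weights are illustrative: 1 per keyword, 3 per address, 2 when more
    than hidden_ratio_threshold of the message is invisible characters."""
    cleaned = strip_hidden_characters(text)
    lowered = cleaned.lower()
    keyword_hits = [kw for kw in KEYWORDS if kw in lowered]
    addresses = BTC_ADDRESS_RE.findall(cleaned)
    hidden = len(text) - len(cleaned)
    hidden_ratio = hidden / len(text) if text else 0.0

    score = len(keyword_hits) + 3 * len(addresses)
    if hidden_ratio > hidden_ratio_threshold:
        score += 2  # heavy use of invisible characters is itself a strong signal

    return {
        "hidden_chars": hidden,
        "hidden_ratio": round(hidden_ratio, 3),
        "keyword_hits": keyword_hits,
        "btc_addresses": addresses,
        "score": score,
        "is_suspicious": score >= 3,
    }


if __name__ == "__main__":
    # Without cleaning the regex sees "1", then a ZWNJ, and never matches.
    print("regex on raw text:  ", BTC_ADDRESS_RE.findall(SAMPLE_MESSAGE))
    print("after cleaning:     ", score_message(SAMPLE_MESSAGE))
    print("legitimate message: ", score_message("Meeting moved to 3pm, see you there."))
```

The ratio heuristic is there because a single soft hyphen or BOM in an otherwise normal message is not evidence of anything; a message where a fifth of the characters are invisible is. Keeping the cleaned text separate from the original also lets a filter quarantine the message while still showing an administrator what was actually received.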