A simple spam filter for the current Sextortion scams making the rounds
March 11, 2019
For a week or so, an email scam has been making the rounds claiming that a hacker has compromised your computer and caught you doing nasty things with yourself while watching porn videos online. He or she threatens to expose you (no pun intended) unless you pay a ransom of between $1000 and $2000 US in Bitcoin.
While this may cause some people to panic and pay up, most will see it for what it really is: a pathetic sextortion scam. Nobody hacked your computer or planted a video-watching virus on it. This is FUD (Fear, Uncertainty and Doubt). But, because these scams are arriving in huge numbers, to multiple mailboxes, it is worth our time to create an email spam filter that detects and even auto-deletes these messages.
This article is mainly presented for MailWasher Pro users, but can also apply to any other email client that allows users to create spam filters from email headers. Think web server email systems...
If you don't use MailWasher Pro, but want to create this spam filter for another email client, or on your website's email server, read these articles I wrote in 2017:
- Use RegEx to filter spam from your mail server - part 1
- Use RegEx to filter spam from your mail server - part 2
Assuming your email client is MailWasher Pro, or otherwise allows for custom Regular Expression filters, let's create a Sextortion Scam filter.
All of the Sextortion scams I've seen in the last week match the following criteria:
- They all are sent to an email address belonging to you
- They also claim to have been sent from that same email account
- The Reply-To or Return-Path may be the same account, or a different domain entirely
- The subject is either the prefix of your email account, or a phony warning that your account has been hacked
- The body text claims that a hacker has hacked your email, planted a spyware program on your camera and keyboard and demands payment to stay quiet about your online activities.
These are the basic facts. Now, let's drill down into the most current incarnation of the hacker sextortion scam.
- Sent To your account
- Sent From your account (forged header)
- Has your account prefix as the Subject
- Has a completely unrelated Reply-To or Return-Path address
- Uses either Base64 encoding or a .jpg image to display the extortion demand
The Filter
Open MailWasher Pro, go to Settings > Spam Tools > Filters and create a new filter. Set the filter type to Spam and the conditions to match to ALL. Give the filter a name, like this: "To, From and Subject match my email prefix" and create the following rules:
- From: > contains > RegEx: your spammed email account prefixes, separated by pipe symbols and followed by @yourDomain.com, e.g. (name1|name2|name3)@yourEmailDomain.com
- To: > contains > RegEx: the same input as the From rule
- Subject > contains > RegEx: the prefixes of these email accounts only, with no @ or domain
- Return-Path > Doesn't contain > RegEx: yourDomain.com
Set the Action to rate the Spam Score to -200 and the action button option to: "Don't override delete," or "Auto-delete this email," then Save the filter.
In the event that the scammers alter the script again to include your spammed email account in the Return-Path or Reply-To field, just remove that one rule from the filter.
Here is what a sample filter would have in its fields for a single email account:
- From: joe@joe-job.com
- To: joe@joe-job.com
- Subject: joe
- Return-Path (Doesn't contain): @joe-job.com
If you have multiple email accounts being scammed, use this sample:
- From: (joe|john|ken)@joe-job.com
- To: (joe|john|ken)@joe-job.com
- Subject: joe|john|ken
- Return-Path (Doesn't contain): @joe-job.com
If your domain ends in .net, or .info, or some other TLD, change the rules accordingly. Note that these filter rules don't check the body to see if it uses actual text, or Base64, or an image containing scam text. I already posted a filter that checks plain body text.
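To make the four-rule logic concrete, here is an added Python example that applies the same header rules to raw messages using Python's standard `email` module. It is not code from this article or from MailWasher Pro; the prefixes, domain and sample messages are constructed from the joe/john/ken example above, and case-insensitive matching and the `check_return_path` switch (which models removing the Return-Path rule, as suggested for when the scammers change their script) are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample values, taken from the article's multi-account example.
PREFIXES = ["joe", "john", "ken"]
DOMAIN = "joe-job.com"
SPAM_SCORE = -200  # the score the article assigns when all rules match


def _alternation(words):
    """Build the (a|b|c) alternation the article uses, escaping regex metacharacters."""
    return "(" + "|".join(re.escape(w) for w in words) + ")"


# Rules 1 and 2: From and To contain (joe|john|ken)@joe-job.com
ACCOUNT_RE = re.compile(_alternation(PREFIXES) + "@" + re.escape(DOMAIN), re.IGNORECASE)
# Rule 3: Subject contains joe|john|ken (prefix only, no @ or domain)
SUBJECT_RE = re.compile(_alternation(PREFIXES), re.IGNORECASE)
# Rule 4: Return-Path does NOT contain joe-job.com
DOMAIN_RE = re.compile(re.escape(DOMAIN), re.IGNORECASE)


def evaluate(raw_message, check_return_path=True):
    """Apply the article's rules with 'match ALL' semantics.

    Case-insensitive matching is an assumption of this example. Returns the
    per-rule results, whether every rule matched, and the resulting score.
    """
    msg = message_from_string(raw_message)
    rules = {
        "from_is_own_account": bool(ACCOUNT_RE.search(msg.get("From", ""))),
        "to_is_own_account": bool(ACCOUNT_RE.search(msg.get("To", ""))),
        "subject_is_prefix": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
    }
    if check_return_path:
        # "Doesn't contain": a missing Return-Path header counts as not containing the domain.
        rules["return_path_is_foreign"] = not DOMAIN_RE.search(msg.get("Return-Path", ""))
    matched = all(rules.values())
    return {"rules": rules, "matched": matched, "score": SPAM_SCORE if matched else 0}


# Constructed sample messages (no real addresses or Bitcoin wallets).
SCAM = """\
Return-Path: <bounce@mailer-for-hire.example>
From: joe@joe-job.com
To: joe@joe-job.com
Subject: joe
Content-Type: text/plain

(extortion demand would be here)
"""

# Legitimate internal mail: own domain in From, To and Return-Path, prefix in the subject.
LEGIT = """\
Return-Path: <joe@joe-job.com>
From: joe@joe-job.com
To: ken@joe-job.com
Subject: Lunch with joe on Friday?
Content-Type: text/plain

See you at noon.
"""

# The variant the article anticipates: the scammer now forges the Return-Path too.
SCAM_SAME_RETURN_PATH = SCAM.replace("<bounce@mailer-for-hire.example>", "<joe@joe-job.com>")


if __name__ == "__main__":
    for name, sample in [("scam", SCAM), ("legit", LEGIT), ("scam_same_rp", SCAM_SAME_RETURN_PATH)]:
        print(name, evaluate(sample))
    print("scam_same_rp without rule 4", evaluate(SCAM_SAME_RETURN_PATH, check_return_path=False))
```

Running it shows why the filter is set to match ALL rules: the Subject rule alone is satisfied by ordinary mail such as the constructed "Lunch with joe" message, and only the foreign Return-Path separates that from the scam. Dropping rule 4 makes the forged-Return-Path variant match, but it also makes the legitimate internal message match, so that change is worth testing against your own mail before enabling auto-delete.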
Interesting fact: some of the most recent sextortion scams use images that contain really tiny text. The Bitcoin address to send ransoms to must be copied and pasted to avoid mistakes (it says so in the image text!), because it is mixed case and contains special characters. However, as everybody who has tried copying text from an image already knows, you can't do that! So, people fooled into making payments from a sextortion scam image will most likely get the wrong characters and fail to send to the actual scammer's Bitcoin wallet. Either the payments will bounce, or somebody else will receive them.
If you aren't using MailWasher Pro to screen your incoming email for spam, scams and malicious links and attachments, check it out here. If you want to learn more about custom spam filters, including those that I write, look at my Wizcrafts' MailWasher Pro Email Spam Filters page.
Finally, MailWasher Pro users can learn all of the fine points and details about Regular Expressions in filters on the MailWasher Advanced Features page.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.