Detect bitcoin wallet chains
@Recoplon:
Hello Recoplon,
Bitcoin addresses typically start with 1 or 3 ("legacy" or "segwit" address) and can be 26-35 characters long. To block such addresses, add the regex below to the Keyword Blacklist of ORF with an "Email subject and body" search scope.
.*\b[13][a-zA-Z0-9]{25,34}\b
Don't forget to save the ORF configuration to apply the settings (Ctrl + S).
I hope this helps.
Hi. Thanks, but the problem is this generates a lot of false positives. For testing, I added this and in 3 minutes I got 4 false positives already, had to back off.
@Recoplon:
My guess is that the regex is probably matching the encapsulation boundaries (or the boundary parameter in the content-type declaration) in multi-part emails. Luckily, those encapsulation boundaries have a mandatory "--" prefix, so we can exclude those matches. They may also contain other special characters which could cause problems (though, 99% of MUAs do not use them) so the new regex will not match if the "address" is preceded by any of those characters. You may find the updated regex below:
.*\b(?<!['"()+\-.\/:=?])[13][a-zA-Z0-9]{25,34}\b
@Daniel Novak (Vamsoft): Thanks. Unfortunately, as soon as I added a test block for that regular expression, I again got false positives after a few minutes. I guess specifically detecting bitcoin wallet addresses is very difficult.
@Recoplon: I am sorry to hear that. Could you perhaps send us (to ) the legitimate emails (saved in a .eml or .msg format) that were blacklisted by the regex above? I might be able to find a workaround.
I would also like to know if it's possible to block this using a reliable regex expression.
It really would be an awesome improvement. A lot of dangerous mail has bitcoin wallet addresses.
@tomasz.sokolowski:
I'm trying this one just now ... if this works without false positives - I will let you know.
^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$
per an article found here: http://mokagio.github.io/tech-journal/2014/11/21/regex-bitcoin.html
I have modified the REGEX to: .*\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b
Testing now and will advise if it presents any false positives.
Bitcoin address regex as below:
\b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}
Good job
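As an added example (my own code, not posted by anyone in this thread and not part of ORF), here is what a reliable check looks like once the pattern match is followed by the Base58Check checksum that every legacy (1...) and P2SH (3...) address carries: the last 4 bytes of the decoded address must equal the first 4 bytes of SHA-256(SHA-256(version + hash)). A keyword-blacklist regex cannot compute a hash, so this would have to run as a separate filter stage; the point is that it separates real addresses from look-alike strings (MIME boundaries, tracking ids, hashes) that a character-class regex alone cannot. The lookbehind set, the function names and the sample email are my own assumptions; bc1 (bech32) addresses are not covered here.

```python
import hashlib
import re
from typing import List, Optional

# Base58 alphabet: no 0, O, I, l. This is the origin of the forum's
# [a-km-zA-HJ-NP-Z1-9] character class.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate pattern for 1.../3... addresses. The negative lookbehind (an
# assumed extension of the thread's idea) rejects tokens glued to "--" MIME
# boundaries or to header punctuation; the lookahead avoids partial matches
# inside longer base58-looking strings.
CANDIDATE_RE = re.compile(
    r"(?<![\w\-=/+.:?'\"()])[13][a-km-zA-HJ-NP-Z1-9]{25,34}(?![\w\-=/+])"
)


def base58_decode(s: str) -> Optional[bytes]:
    """Decode a base58 string to bytes; None if any char is outside the alphabet."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_base58check_address(s: str) -> bool:
    """True only if s decodes to version(1) + hash160(20) + checksum(4) with a
    mainnet version byte and a correct double-SHA256 checksum."""
    raw = base58_decode(s)
    if raw is None or len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    if payload[0] not in (0x00, 0x05):  # 0x00 = P2PKH ("1..."), 0x05 = P2SH ("3...")
        return False
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def find_candidates(text: str) -> List[str]:
    """Regex-only stage: everything that merely looks like an address."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text)]


def find_bitcoin_addresses(text: str) -> List[str]:
    """Regex stage plus checksum validation: only real addresses survive."""
    return [c for c in find_candidates(text) if is_valid_base58check_address(c)]


# Constructed sample: a multipart boundary built from base58 characters, the
# well-known genesis-block address, and a tracking id that differs from it
# only in its last character (so it passes the regex but fails the checksum).
SAMPLE_EMAIL = """Content-Type: multipart/alternative; boundary="--1aB3cD4eF5gH6iJ7kL8mN9oP2qR1sT3uV"

----1aB3cD4eF5gH6iJ7kL8mN9oP2qR1sT3uV
Content-Type: text/plain

Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours.
Tracking id 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb is not an address.
"""

if __name__ == "__main__":
    print("candidates:", find_candidates(SAMPLE_EMAIL))
    print("validated: ", find_bitcoin_addresses(SAMPLE_EMAIL))
```

On the sample, the regex stage yields two candidates (the boundary is excluded by the lookbehind), and the checksum stage keeps only the genuine address. The same checksum test also rejects random base58-looking tokens such as tracking ids, commit hashes or session tokens, which is where the false positives reported above come from.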
Hello! I am interested in such a question, now many programs are offered to search for wallets by keywords. How realistic is this?
There's lately a lot of scam messages that include a bitcoin wallet to make payments. Would be useful to find a way to detect mails with bitcoin wallet chains. I've tried a few regular expressions with no success. Anybody?