Detect bitcoin wallet chains - ORF Forums


1

Lately there are a lot of scam messages that include a bitcoin wallet address to make payments. It would be useful to find a way to detect mails with bitcoin wallet address strings. I've tried a few regular expressions with no success. Anybody?

by Recoplon 9 months ago
2

@Recoplon: Hello Recoplon,

Bitcoin addresses typically start with 1 or 3 ("legacy" or "segwit" address) and can be 26-35 characters long. To block such addresses, add the regex below to the Keyword Blacklist of ORF with an "Email subject and body" search scope.

.*\b[13][a-zA-Z0-9]{25,34}\b

Don't forget to save the ORF configuration to apply the settings (Ctrl + S).

I hope this helps.

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)

3

Hi. Thanks, but the problem is this generates a lot of false positives. For testing, I added this and in 3 minutes I got 4 false positives already, had to back off.

by Recoplon 9 months ago
4

@Recoplon: My guess is that the regex is probably matching the encapsulation boundaries (or the boundary parameter in the content-type declaration) in multi-part emails. Luckily, those encapsulation boundaries have a mandatory "--" prefix, so we can exclude those matches. They may also contain other special characters which could cause problems (though 99% of MUAs do not use them), so the new regex will not match if the "address" is preceded by any of those characters. You may find the updated regex below:

.*\b(?<!['"()+\-.\/:=?])[13][a-zA-Z0-9]{25,34}\b

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)

5

@Daniel Novak (Vamsoft): Thanks. Unfortunately as soon as I added a test block for that regular expression, again got false positives after a few minutes. I guess specifically detecting bitcoin wallet addresses is very difficult.

by Recoplon 9 months ago
(in reply to this post)

6

@Recoplon: I am sorry to hear that. Could you perhaps send us (to ) the legitimate emails (saved in a .eml or .msg format) that were blacklisted by the regex above? I might be able to find a workaround.

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)

7

I would also like to know if it's possible to block this using a reliable regex.

by tomasz.sokolowski 7 months ago
8

It really would be an awesome improvement. A lot of dangerous mails have bitcoin wallet addresses.

by Recoplon 7 months ago
9

@tomasz.sokolowski: I'm trying this one just now ... if this works without false positives - I will let you know.

^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$

by tomasz.sokolowski 7 months ago
(in reply to this post)

10

per an article found here: http://mokagio.github.io/tech-journal/2014/11/21/regex-bitcoin.html

I have modified the REGEX to: .*\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b

Testing now and will advise if it presents any false positives.

by joshua.martin 5 months ago
11

Can you share your experience?

by NorbertFe 3 months ago
12

@joshua.martin: I've had false positives on this one .*\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b

by Stephen 1 week ago
(in reply to this post)
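The regexes in posts 2, 4 and 10 can only describe the shape of an address, and any 26-35 character Base58 run starting with 1 or 3 (a MIME boundary, a base64 line, a reference number) has that shape. What a regex cannot check is the part that makes a real address distinguishable: every 1... (P2PKH) or 3... (P2SH) address is Base58Check, i.e. a version byte, a 20-byte hash and a 4-byte checksum taken from SHA-256(SHA-256(version + hash)). The script below is an added example, not code from this thread or from Vamsoft/ORF: it runs the thread's character-class regex (with a lookaround in the spirit of post 4) to collect candidates, then keeps only those whose checksum verifies. The sample message is constructed for the example; the first address in it is the well-known genesis block address, the second is the same address with its last character changed, and the third is a random Base58 string. Because ORF's Keyword Blacklist evaluates regexes only, the checksum step is assumed to run as a separate filter outside ORF. Bech32 "bc1..." addresses are a different encoding and are not handled here.

```python
import hashlib
import re
from typing import List

# Bitcoin's Base58 alphabet: no 0, O, I or l (why posts 9/10 narrowed the character class).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape check derived from the thread's regexes: 1/3 prefix, Base58 body, 26-35 chars total,
# and not glued to the characters that MIME boundaries and base64 lines are made of.
CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=_\-])[13][a-km-zA-HJ-NP-Z1-9]{25,34}(?![A-Za-z0-9/+=_\-])"
)


def b58decode(s: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # raises ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def base58check_valid(addr: str) -> bool:
    """True only for a well-formed P2PKH (version 0x00) or P2SH (version 0x05) address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    # version byte + 20-byte hash + 4-byte checksum
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def make_address(version: int, hash160: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash (for round-trip tests)."""
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def regex_candidates(text: str) -> List[str]:
    """Everything the shape regex alone would flag (this is what produced the false positives)."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text)]


def find_bitcoin_addresses(text: str) -> List[str]:
    """Candidates that also pass the Base58Check checksum."""
    return [c for c in regex_candidates(text) if base58check_valid(c)]


# Constructed sample message (not a real mail): one genuine address, one typo'd copy, one random string.
SAMPLE_MAIL = """\
Content-Type: multipart/alternative; boundary="----=_Part_1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu"
Subject: Your account has been hacked

------=_Part_1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu
Content-Type: text/plain

Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.
A colleague retyped it as 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb, which is one character off.
Order reference: 1zXkDq4b7Vwp2Nsr9YmTeLfaRcgHnJu3Kt (Base58-looking, but not an address)
------=_Part_1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu--
"""

if __name__ == "__main__":
    print("regex candidates:", regex_candidates(SAMPLE_MAIL))
    print("checksum-verified:", find_bitcoin_addresses(SAMPLE_MAIL))
```

Running it prints three regex candidates but only one verified address. The boundary string never becomes a candidate because it is glued to "_" (post 4's observation), the typo'd copy fails the checksum, and the random string decodes to the wrong length. A regex-only blacklist has no way to make the last two distinctions, which is why every variant in this thread eventually produced false positives.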
