Detect bitcoin wallet chains - ORF Forums



There have lately been a lot of scam messages that include a bitcoin wallet to make payments. It would be useful to find a way to detect mails with bitcoin wallet chains. I've tried a few regular expressions with no success. Anybody?

by Recoplon 2 years ago

@Recoplon: Hello Recoplon,

Bitcoin addresses typically start with 1 or 3 ("legacy" or "segwit" address) and can be 26-35 characters long. To block such addresses, add the regex below to the Keyword Blacklist of ORF with an "Email subject and body" search scope.


Don't forget to save the ORF configuration to apply the settings (Ctrl + S).

I hope this helps.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)


Hi. Thanks, but the problem is this generates a lot of false positives. For testing, I added this and in 3 minutes I got 4 false positives already, so I had to back off.

by Recoplon 2 years ago

@Recoplon: My guess is that the regex is probably matching the encapsulation boundaries (or the boundary parameter in the content-type declaration) in multi-part emails. Luckily, those encapsulation boundaries have a mandatory "--" prefix, so we can exclude those matches. They may also contain other special characters which could cause problems (though 99% of MUAs do not use them), so the new regex will not match if the "address" is preceded by any of those characters. You may find the updated regex below:


by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)
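The false-positive mechanism described in the two replies above, shown as an added example (this is not code from the thread or from ORF): a constructed multipart message whose MIME boundary string happens to satisfy a naive "1 or 3 followed by 25-34 letters or digits" pattern, beside a refined pattern that uses a negative lookbehind to refuse a match directly preceded by `-`, `=` or `"`. Neither pattern is the one posted in the thread; the message, the boundary value and the choice of excluded characters are my assumptions.

```python
import re

# Naive pattern modelled on the description above: starts with 1 or 3,
# 26-35 characters in total, letters and digits only.
NAIVE_RE = re.compile(r"\b[13][A-Za-z0-9]{25,34}\b")

# Refined pattern: same core, but a match may not directly follow a
# '-', '=' or '"' -- the characters that surround MIME boundary strings
# on the "--boundary" lines and in the Content-Type header.
# (Assumption: these are the "special characters" the reply refers to.)
REFINED_RE = re.compile(r'(?<![-="])\b[13][A-Za-z0-9]{25,34}\b')

# Constructed multipart message (not a real mail). The boundary value is
# deliberately chosen so that it looks like a legacy address: it starts
# with '3' and is 32 alphanumeric characters long.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
Subject: Invoice
Content-Type: multipart/alternative; boundary="3b7f1c9e5a2d8f4c6e0b1a3d5f7c9e2b"

--3b7f1c9e5a2d8f4c6e0b1a3d5f7c9e2b
Content-Type: text/plain; charset=utf-8

Please send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.
--3b7f1c9e5a2d8f4c6e0b1a3d5f7c9e2b
Content-Type: text/html; charset=utf-8

<p>Please send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.</p>
--3b7f1c9e5a2d8f4c6e0b1a3d5f7c9e2b--
"""


def find_candidates(pattern: re.Pattern, text: str) -> list:
    """Return every substring of `text` that `pattern` accepts, in order."""
    return [m.group(0) for m in pattern.finditer(text)]


if __name__ == "__main__":
    # The naive pattern reports the boundary four times (header + three
    # boundary lines) on top of the two genuine address occurrences; the
    # refined pattern reports only the two addresses.
    print("naive  :", find_candidates(NAIVE_RE, SAMPLE_MESSAGE))
    print("refined:", find_candidates(REFINED_RE, SAMPLE_MESSAGE))
```

The lookbehind is evaluated on the raw message text, so it only helps when the filter scans headers and MIME structure as well as the decoded body; the same `(?<!...)` syntax is available in .NET-style engines as well as Python's `re`. The cost of excluding a leading `"` is that an address the sender wrapped in quotes is skipped too, which is the trade-off the reply accepts.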


@Daniel Novak (Vamsoft): Thanks. Unfortunately, as soon as I added a test block for that regular expression, I again got false positives after a few minutes. I guess specifically detecting bitcoin wallet addresses is very difficult.

by Recoplon 2 years ago
(in reply to this post)


@Recoplon: I am sorry to hear that. Could you perhaps send us (to ) the legitimate emails (saved in a .eml or .msg format) that were blacklisted by the regex above? I might be able to find a workaround.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)


I would also like to know if it's possible to block this using a reliable regex expression.

by tomasz.sokolowski 2 years ago

It really would be an awesome improvement. A lot of dangerous mails have bitcoin wallet addresses.

by Recoplon 2 years ago

@tomasz.sokolowski: I'm trying this one just now ... if this works without false positives - I will let you know.


by tomasz.sokolowski 2 years ago
(in reply to this post)


per an article found here:

I have modified the REGEX to: .*\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b

Testing now and will advise if it presents any false positives.

by joshua.martin 2 years ago

Can you share your experience?

by NorbertFe 2 years ago

@joshua.martin: I've had false positives on this one .*\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b

by Stephen 2 years ago
(in reply to this post)
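The regex posted above (`[13][a-km-zA-HJ-NP-Z1-9]{25,34}`) already restricts matches to the Base58 alphabet, but any 26-35 character token in that alphabet, such as an order or tracking reference, still matches, which is why it keeps producing false positives. The following added example (my code, not from the thread or from ORF, and going beyond what the thread discusses) uses the regex only to find candidates and then applies the Base58Check rule a real legacy address must satisfy: it decodes to exactly 25 bytes, the first byte is the version (0x00 for addresses starting with 1, 0x05 for those starting with 3), and the last 4 bytes equal the first 4 bytes of SHA-256(SHA-256(first 21 bytes)). The sample text and the `make_address` helper are my constructions; the genesis-block address is a well-known public constant used here as a valid sample.

```python
import hashlib
import re

# Base58 alphabet (no 0, O, I, l) - the same character set as the regex above.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate finder: the thread's regex, with a negative lookbehind so that
# MIME boundary strings (preceded by "--", or by '=' / '"' in the
# Content-Type header) are not even considered.
CANDIDATE_RE = re.compile(r'(?<![-="])\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b')


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for one 0x00 byte."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on a bad char
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode; used only to build a valid sample address."""
    value = int.from_bytes(raw, "big")
    digits = ""
    while value:
        value, rem = divmod(value, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_address(candidate: str) -> bool:
    """True only if the token is a well-formed legacy (P2PKH/P2SH) address."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    # version byte + 20-byte hash + 4-byte checksum = 25 bytes
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:21]) == raw[21:]


def make_address(hash160: bytes, version: int = 0x00) -> str:
    """Build an address from a 20-byte hash (constructed test data only)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def find_addresses(text: str) -> list:
    """Regex candidates that also pass the checksum test."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text)
            if is_valid_address(m.group(0))]


# Constructed sample: the "order reference" is 33 Base58 characters starting
# with '3' (a regex-only false positive); the second line carries the
# genesis-block address, which is a genuine, checksummed address.
SAMPLE_TEXT = (
    "Your order reference is 3FA2K9C1L7M3N8P5Q2R6S9T1U4V7W3X8Y.\n"
    "Transfer 0.3 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.\n"
)

if __name__ == "__main__":
    print("regex candidates:", [m.group(0) for m in CANDIDATE_RE.finditer(SAMPLE_TEXT)])
    print("checksum-valid  :", find_addresses(SAMPLE_TEXT))
```

A random Base58 token of the right length passes the checksum with probability about 2^-32, so this step removes practically all the false positives a bare regex produces while still catching every well-formed legacy address. It does not cover bech32 (bc1...) addresses, which use a different alphabet and checksum. A keyword blacklist cannot run this logic itself; it belongs in a mail filter hook or an external script that the filter can call.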


bitcoin address regex as below:


Good job

by TA hunter 5 months ago
