Re: Bitcoin rules

2018-10-22 Thread RW
On Mon, 22 Oct 2018 12:56:34 +0200
Daniele Duca wrote:

> On 22/10/2018 12:37, Paul Stead wrote:
> 
> >
> > This can be resolved by hashing the BTC address before lookup and
> > looking up the result hash in the DB
> >
> > Paul
> >  
> Yes, thanks for the suggestions, I would have done that in the next 
> version coming up in the following days, 

I wouldn't bother. The probability that two randomly chosen bitcoin
addresses have the same lower-case version is much less than the probability
that they have the same 128-bit hash value.


Re: Bitcoin rules

2018-10-22 Thread Daniele Duca

On 22/10/2018 12:37, Paul Stead wrote:



This can be resolved by hashing the BTC address before lookup and looking up 
the result hash in the DB

Paul

Yes, thanks for the suggestions, I would have done that in the next 
version coming up in the following days, where I'd also populate the 
list with Monero addresses that I saw are being sometime used in 
ransom/extortions.


Daniele


Re: Bitcoin rules

2018-10-22 Thread Paul Stead

On 22/10/2018, 10:41, "Daniele Duca" wrote:

On 21/10/2018 09:15, Henrik K wrote:

> I wonder who's going to be the first to offer a public bitcoin DNS blacklist,
> I could make a plugin for it. :-)
>
> In the meantime, here's something to try..
>

I've got a beta public list setup running from this API and a few other smaller 
sources - anyone interested you're free to contact me off list

The only caveat is that rbldnsd is case insensitive, so there MAY be
legit BTC addresses that match abused ones, but in my setup it's a risk
I'm willing to take.

This can be resolved by hashing the BTC address before lookup and looking up 
the result hash in the DB

Paul


--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet


Re: Bitcoin rules

2018-10-22 Thread Daniele Duca

On 21/10/2018 09:15, Henrik K wrote:


I wonder who's going to be the first to offer a public bitcoin DNS blacklist,
I could make a plugin for it. :-)

In the meantime, here's something to try..


Hi,

I maintain a local rbldnsd zone with abused BTC addresses (btw, thanks 
for bitcoinabuse.com, I didn't know about it).


I then use the dnsbl through a simple SA plugin where I scan the body 
for BTC addresses (regex: [13][a-km-zA-HJ-NP-Z1-9]{25,34}) and query 
them against the rbldnsd zone.


The only caveat is that rbldnsd is case insensitive, so there MAY be 
legit BTC addresses that match abused ones, but in my setup it's a risk 
I'm willing to take.


Daniele
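
An added Python example, not code from this thread, that illustrates the caveat above and Paul's suggested fix of hashing the address before the lookup. It models a case-insensitive rbldnsd zone keyed on the raw address beside one keyed on a truncated SHA-256 of the exact-case address. The zone name and the two addresses are constructed for the example; the DNS matching is simulated in memory, nothing is queried.

```python
import hashlib

# Constructed example data (not real abuse reports). LOOKALIKE is the
# lower-cased form of LISTED: DNS name matching cannot tell them apart.
ZONE = "btc.dnsbl.example"  # hypothetical rbldnsd zone name
LISTED = "1AbCdEfGhJkMmNnPpQrStUvWxYz234567"
LOOKALIKE = LISTED.lower()


def plain_qname(addr: str, zone: str = ZONE) -> str:
    """Query name for a zone keyed on the raw address. DNS labels are compared
    case-insensitively, so any case variant of addr produces a hit."""
    return f"{addr}.{zone}"


def hashed_qname(addr: str, zone: str = ZONE, hex_len: int = 32) -> str:
    """Query name for a zone keyed on SHA-256 of the exact-case address,
    truncated to hex_len hex digits (32 digits = 128 bits). Hex digits are
    unaffected by case folding, so the original case survives the lookup."""
    digest = hashlib.sha256(addr.encode("ascii")).hexdigest()
    return f"{digest[:hex_len]}.{zone}"


def build_zone(addresses, hashed: bool) -> set:
    """Labels the zone would serve, case-folded the way rbldnsd matches them."""
    make = hashed_qname if hashed else plain_qname
    return {make(a).lower() for a in addresses}


def is_listed(addr: str, zone_entries: set, hashed: bool) -> bool:
    """Simulated DNSBL lookup: True when the query name is in the zone."""
    make = hashed_qname if hashed else plain_qname
    return make(addr).lower() in zone_entries


def demo() -> dict:
    """Return the four outcomes so the case collision is visible side by side."""
    plain = build_zone([LISTED], hashed=False)
    hashed = build_zone([LISTED], hashed=True)
    return {
        "plain_listed": is_listed(LISTED, plain, hashed=False),        # True
        "plain_lookalike": is_listed(LOOKALIKE, plain, hashed=False),  # True: case collision
        "hashed_listed": is_listed(LISTED, hashed, hashed=True),       # True
        "hashed_lookalike": is_listed(LOOKALIKE, hashed, hashed=True), # False
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

As RW notes elsewhere in the thread, a genuine case collision between two Base58 addresses is very unlikely in practice; what the hashed key buys is exact-case semantics in the lookup, at the cost of one hash per scanned address.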


Re: Bitcoin rules

2018-10-22 Thread Pedro David Marco

Thanks Henrik!!
It is unbelievable but if you check those BTC wallets from the Stort 
campaigns people are paying! 
-PedroD

Re: Bitcoin rules

2018-10-21 Thread Axb

On 10/21/18 4:38 PM, Henrik K wrote:

On Sun, Oct 21, 2018 at 04:28:58PM +0200, Axb wrote:

On 10/21/18 4:21 PM, Henrik K wrote:

On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:

On 10/21/18 1:25 PM, Jari Fredriksson wrote:

./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf


would be nice to have it write \b to the cf

as in
body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/


Pretty sure you can manage to add it in the right place :-D

Didn't bother since FPs would be pretty much impossible and \b is simple to
circumvent with underscores ___16LU6SwUDdL



was worried that without the boundary it could hit "rawbody" of malformed
ham


Well it's body and not rawbody..  even using that the amount of random bits
would be like winning 10 jackpots in a row..  :-) But sure, a plugin could do
better checks.

I'm surprised__there isn't_more spam___like_this out_there to break__the
million \b's rules use..



15 min later

 cat  /var/log/maillog | grep BTC_ | wc -l
39


Re: Bitcoin rules

2018-10-21 Thread Henrik K
On Sun, Oct 21, 2018 at 04:28:58PM +0200, Axb wrote:
> On 10/21/18 4:21 PM, Henrik K wrote:
> >On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:
> >>On 10/21/18 1:25 PM, Jari Fredriksson wrote:
> >>>./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
> >>
> >>would be nice to have it write \b to the cf
> >>
> >>as in
> >>body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
> >>body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
> >
> >Pretty sure you can manage to add it in the right place :-D
> >
> >Didn't bother since FPs would be pretty much impossible and \b is simple to
> >circumvent with underscores ___16LU6SwUDdL
> >
> 
> was worried that without the boundary it could hit "rawbody" of malformed
> ham

Well it's body and not rawbody..  even using that the amount of random bits
would be like winning 10 jackpots in a row..  :-) But sure, a plugin could do
better checks.

I'm surprised__there isn't_more spam___like_this out_there to break__the
million \b's rules use..



Re: Bitcoin rules

2018-10-21 Thread Axb

On 10/21/18 4:21 PM, Henrik K wrote:

On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:

On 10/21/18 1:25 PM, Jari Fredriksson wrote:

./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf


would be nice to have it write \b to the cf

as in
body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/


Pretty sure you can manage to add it in the right place :-D

Didn't bother since FPs would be pretty much impossible and \b is simple to
circumvent with underscores ___16LU6SwUDdL



was worried that without the boundary it could hit "rawbody" of 
malformed ham


Re: Bitcoin rules

2018-10-21 Thread Henrik K
On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:
> On 10/21/18 1:25 PM, Jari Fredriksson wrote:
> >./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
> 
> would be nice to have it write \b to the cf
> 
> as in
> body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
> body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/

Pretty sure you can manage to add it in the right place :-D

Didn't bother since FPs would be pretty much impossible and \b is simple to
circumvent with underscores ___16LU6SwUDdL



Re: Bitcoin rules

2018-10-21 Thread Axb

On 10/21/18 4:07 PM, Axb wrote:

On 10/21/18 1:25 PM, Jari Fredriksson wrote:

./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf


would be nice to have it write \b to the cf


as in
body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/



   print "body BTC_$idshort /\\b$id\\b/$i\n";


Re: Bitcoin rules

2018-10-21 Thread Axb

On 10/21/18 1:25 PM, Jari Fredriksson wrote:

./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf


would be nice to have it write \b to the cf


as in
body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/


Re: Bitcoin rules

2018-10-21 Thread Jari Fredriksson



> Henrik K wrote on 21.10.2018 at 10.15:
> 
> I wonder who's going to be the first to offer public bitcoin DNS blacklist,
> I could make plugin for it. :-)
> 
> In the meantime, here's something to try..
> 
> ./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
> 
> 
> #!/usr/bin/perl -w
> 
> use strict;
> use JSON;
> use LWP::UserAgent;
> 
> my $url = 'http://www.bitcoinabuse.com/api/reports/distinct';
> my $ua = LWP::UserAgent->new(
>     keep_alive => 1, agent => 'Wget/1.17.1 (linux-gnu)');
> my $json;
> my %ids;   # full addresses and generated rule names seen so far
> 
> sub parse_rule {
>     my $id = $_[0]->{address};
>     return if $id !~ /^\w{26,35}$/;   # loose sanity check on the address
>     return if defined $ids{$id};      # skip duplicate reports
>     $ids{$id} = 1;
>     # rule name: uppercase 8-char prefix, extended until it is unique
>     my $len = 8;
>     my $idshort = uc(substr($id, 0, $len));
>     while (defined $ids{$idshort}) {
>         $idshort = uc(substr($id, 0, ++$len));
>     }
>     $ids{$idshort} = 1;
>     # bech32 (bc1...) addresses are case-insensitive, so match them with /i
>     my $i = $id =~ /^bc1/i ? 'i' : '';
>     print "body BTC_$idshort /$id/$i\n";
>     print "describe BTC_$idshort https://www.bitcoinabuse.com/reports/$id\n";
>     print "score BTC_$idshort 5\n";
>     print "priority BTC_$idshort 2\n";
> }
> 
> for (my $i = 20; $i; $i--) {   # follow at most 20 pages of results
>     my $r = $ua->get($url);
>     die $r->status_line unless $r->is_success;
>     eval { $json = decode_json($r->decoded_content); }
>         or die "JSON parse failed: $@\n";
>     die unless $json->{data};
>     parse_rule($_) foreach (@{$json->{data}});
>     last unless $json->{next_page_url};
>     $url = $json->{next_page_url};
>     sleep(1);
> }
> 
> 

Thanks, testing!

br. jarif
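
An added Python example, not code from the thread or from bitcoinabuse.com, that reworks Henrik's rule generator so it can be run offline: it walks constructed in-memory pages in place of the live API, keeps the script's dedupe and short-name scheme, applies the `\b` anchoring Axb asked for, and then applies the generated rules to sample bodies with Python's `re` so the word-boundary behaviour Henrik describes (underscores defeat `\b`) can be observed. The first address in the fake data is the one from the thread; the others, the page structure and the `page-2` URL are made up.

```python
import re

# Constructed stand-in for the paginated API response the script walks (not real
# report data). First address is the one discussed in the thread; the rest are
# made up: one duplicate, one sharing its 8-char prefix, one bech32-style,
# and one that is not an address at all.
FAKE_PAGES = [
    {"data": [{"address": "16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ"},
              {"address": "16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ"},
              {"address": "16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnY"}],
     "next_page_url": "page-2"},
    {"data": [{"address": "bc1qexampleexampleexampleexample0"},
              {"address": "not an address"}],
     "next_page_url": None},
]


def short_id(address: str, seen: set) -> str:
    """Same scheme as the script: uppercase 8-char prefix, lengthened one
    character at a time until it collides with nothing seen so far."""
    length = 8
    idshort = address[:length].upper()
    while idshort in seen:
        length += 1
        idshort = address[:length].upper()
    return idshort


def rule_lines(address: str, idshort: str, anchored: bool = True, score: int = 5) -> list:
    """Emit the four SpamAssassin lines for one address. anchored=True adds the
    \\b word boundaries Axb suggested; bc1 addresses get /i because bech32 is
    case-insensitive."""
    anchor = r"\b" if anchored else ""
    flag = "i" if address.lower().startswith("bc1") else ""
    return [
        f"body BTC_{idshort} /{anchor}{address}{anchor}/{flag}",
        f"describe BTC_{idshort} https://www.bitcoinabuse.com/reports/{address}",
        f"score BTC_{idshort} {score}",
        f"priority BTC_{idshort} 2",
    ]


def generate_rules(pages, anchored: bool = True) -> list:
    """Walk the pages like the script's fetch loop, dedupe addresses, and
    return all rule lines in order."""
    seen: set = set()
    out: list = []
    for page in pages:
        for report in page["data"]:
            address = report["address"]
            if not re.fullmatch(r"\w{26,35}", address):  # script's loose sanity filter
                continue
            if address in seen:  # duplicate report
                continue
            seen.add(address)
            idshort = short_id(address, seen)
            seen.add(idshort)
            out.extend(rule_lines(address, idshort, anchored))
        if not page.get("next_page_url"):
            break
    return out


def body_rule_matches(rule_line: str, body: str) -> bool:
    """Apply one generated 'body NAME /regex/flags' line with Python's re
    engine; for these literal patterns \\b and /i behave as in Perl."""
    m = re.fullmatch(r"body (\S+) /(.*)/(i?)", rule_line)
    if m is None:
        raise ValueError("not a body rule: " + rule_line)
    flags = re.IGNORECASE if m.group(3) else 0
    return re.search(m.group(2), body, flags) is not None


if __name__ == "__main__":
    for line in generate_rules(FAKE_PAGES):
        print(line)
```

Like the original script, this only checks that an address is 26 to 35 word characters; it does not validate the Base58Check checksum, so a report containing a mistyped address still becomes a rule.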