Posted to users@spamassassin.apache.org by Daniele Duca <du...@staff.spin.it> on 2018/10/31 11:03:38 UTC

CryptoBL [was: Bitcoin rules]

Hello everyone,

as said some days ago I started a DNSBL based on abused/malign BTC 
addresses. This list is queried by an SA plugin that takes the md5 hash
(I know, outdated algorithm, but good enough for this purpose IMHO) of a 
BTC wallet found in the body and looks it up in the DNSBL.

The DNSBL is (mostly) automatically populated by trap feeds and from 
bitcoinabuse.com

What I'm looking for are people that would like to try it and possibly 
polish the plugin (I'm not a coder) and/or contribute with malign BTC 
wallets, or other cryptovalues found in sextortions.

If interested please PM me offlist

Thanks

Daniele Duca


Re: CryptoBL [was: Bitcoin rules]

Posted by "Kevin A. McGrail" <km...@apache.org>.
+1.  I had the same thought.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Wed, Oct 31, 2018 at 12:21 PM Henrik K <he...@hege.li> wrote:

> On Wed, Oct 31, 2018 at 03:11:51PM +0000, RW wrote:
> > On Wed, 31 Oct 2018 12:03:38 +0100
> > Daniele Duca wrote:
> >
> > > Hello everyone,
> > >
> > > as said some days ago I started a DNSBL based on abused/malign BTC
> > > addresses. This list is queried by an SA plugin that  takes the md5
> > > hash (I know, outdated algorithm, but good enough for this purpose
> > > IMHO)
> >
> > As I pointed out before hashing isn't needed to avoid FPs on case
> > insensitive matches, and it does make things less transparent in
> > debugging.
> >
> > These addresses contain a 160 bit hash of the public key and a 256 bit
> > validity hash. When you convert an alphanumeric string to lower case
> > you only lose about 13% of the entropy, so the probability that two
> > valid and distinct addresses have a case insensitive match is
> > approximately:
> >
> >   1 in 2^360
> >
> > compare that with the probability of the same md5 hash value:
> >
> >    1 in 2^128
> >
> > and the probability that two wallets have the same address:
> >
> >   1 in 2^160
> >
> >
> > With email address lookups the main reason for hashing was privacy,
> > but that obviously doesn't apply here.
>
> No matter, I will implement BTC (and ETH etc), URL and other imaginable
> "hash bl" checks to HashBL.pm with options for raw/md5/sha1 etc.  Everyone
> can run their BLs then how they wish.  ;-)
>
>

Re: CryptoBL [was: Bitcoin rules]

Posted by Henrik K <he...@hege.li>.
On Wed, Oct 31, 2018 at 03:11:51PM +0000, RW wrote:
> On Wed, 31 Oct 2018 12:03:38 +0100
> Daniele Duca wrote:
> 
> > Hello everyone,
> > 
> > as said some days ago I started a DNSBL based on abused/malign BTC 
> > addresses. This list is queried by an SA plugin that  takes the md5
> > hash (I know, outdated algorithm, but good enough for this purpose
> > IMHO) 
> 
> As I pointed out before hashing isn't needed to avoid FPs on case
> insensitive matches, and it does make things less transparent in
> debugging.
> 
> These addresses contain a 160 bit hash of the public key and a 256 bit
> validity hash. When you convert an alphanumeric string to lower case
> you only lose about 13% of the entropy, so the probability that two
> valid and distinct addresses have a case insensitive match is
> approximately:
> 
>   1 in 2^360
> 
> compare that with the probability of the same md5 hash value:
>  
>    1 in 2^128
> 
> and the probability that two wallets have the same address:
> 
>   1 in 2^160
> 
> 
> With email address lookups the main reason for hashing was privacy,
> but that obviously doesn't apply here. 

No matter, I will implement BTC (and ETH etc), URL and other imaginable
"hash bl" checks to HashBL.pm with options for raw/md5/sha1 etc.  Everyone
can run their BLs then how they wish.  ;-)


Re: CryptoBL [was: Bitcoin rules]

Posted by RW <rw...@googlemail.com>.
On Wed, 31 Oct 2018 12:03:38 +0100
Daniele Duca wrote:

> Hello everyone,
> 
> as said some days ago I started a DNSBL based on abused/malign BTC 
> addresses. This list is queried by an SA plugin that  takes the md5
> hash (I know, outdated algorithm, but good enough for this purpose
> IMHO) 

As I pointed out before hashing isn't needed to avoid FPs on case
insensitive matches, and it does make things less transparent in
debugging.

These addresses contain a 160 bit hash of the public key and a 256 bit
validity hash. When you convert an alphanumeric string to lower case
you only lose about 13% of the entropy, so the probability that two
valid and distinct addresses have a case insensitive match is
approximately:

  1 in 2^360

compare that with the probability of the same md5 hash value:
 
   1 in 2^128

and the probability that two wallets have the same address:

  1 in 2^160


With email address lookups the main reason for hashing was privacy,
but that obviously doesn't apply here.
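
The lookup described in the first post, with the raw/md5/sha1 choice from Henrik's reply, as an added example that is not the plugin's or HashBL.pm's code. Assumptions: the zone `cryptobl.example` is a placeholder, only legacy Base58Check addresses are matched, and the hash is taken over the address exactly as written in the body.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses only: leading 1 or 3, 26-35 characters in total.
CANDIDATE = re.compile(r"\b[13][%s]{25,34}\b" % B58)
ZONE = "cryptobl.example"  # placeholder zone (assumption), not the real list
# Constructed sample body; the address is the public genesis-block address.
SAMPLE_BODY = "Send 500 USD in BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours"


def b58check_ok(addr):
    """True if addr decodes to 25 bytes ending in a valid 4-byte checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def query_names(body, mode="md5"):
    """Return the DNSBL names to query for each valid address found in body.

    mode is "raw" or a hashlib algorithm name such as "md5" or "sha1".
    """
    names = []
    for addr in CANDIDATE.findall(body):
        if not b58check_ok(addr):
            continue  # base58-looking strings and typos fail the checksum
        if mode == "raw":
            label = addr.lower()  # DNS compares names case-insensitively
        else:
            # Assumption: hash the address exactly as written in the body.
            label = hashlib.new(mode, addr.encode("ascii")).hexdigest()
        name = f"{label}.{ZONE}"
        if len(label) <= 63 and name not in names:  # 63 = DNS label limit
            names.append(name)
    return names


if __name__ == "__main__":
    for m in ("raw", "md5", "sha1"):
        print(m, query_names(SAMPLE_BODY, m))
```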