commit 4cd0665: [Rules] Rework LEAKED_PASSWORD_SCAM rule one more time

Vsevolod Stakhov vsevolod at highsecure.ru
Tue Jun 18 11:56:11 UTC 2019 

Author: Vsevolod Stakhov
Date: 2019-06-18 12:54:44 +0100
URL: https://github.com/rspamd/rspamd/commit/4cd06657503bf26b46a0e64350599bb4ab8dbb2a (HEAD -> master)

[Rules] Rework LEAKED_PASSWORD_SCAM rule one more time

---
 conf/composites.conf  |  7 -----
 rules/regexp/misc.lua | 85 ++-------------------------------------------------
 2 files changed, 3 insertions(+), 89 deletions(-)

diff --git a/conf/composites.conf b/conf/composites.conf
index b0c8d68f6..0f1561017 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -136,13 +136,6 @@ composites {
     score = 3.5;
   }
 
-  LEAKED_PASSWORD_SPAM_FP {
-    description = "Looks like a BTC pattern but address syntax is invalid",
-    expression = "LEAKED_PASSWORD_SCAM_INVALID & LEAKED_PASSWORD_SCAM";
-    policy = "remove_all";
-    score = 0.0; # To negate LEAKED_PASSWORD_SCAM
-  }
-
   IP_SCORE_FREEMAIL {
     description = "Negate IP_SCORE when message comes from FreeMail";
     expression = "FREEMAIL_FROM & IP_SCORE";
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 6b1f58a4b..867b700c1 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -65,14 +65,14 @@ local my_victim = [[/(?:victim|prey)/{words}]]
 local your_webcam = [[/webcam/{words}]]
 local your_onan = [[/(?:mast[ur]{2}bati(?:on|ng)|onanism|solitary)/{words}]]
 local password_in_words = [[/^pass(?:(?:word)|(?:phrase))$/i{words}]]
-local btc_wallet_address = [[/^[13][1-9A-Za-z]{25,34}$/]]
+local btc_wallet_address = [[has_symbol(BITCOIN_ADDR)]]
 local wallet_word = [[/^wallet$/{words}]]
 local broken_unicode = [[has_flag(bad_unicode)]]
 local list_unsub = [[header_exists(List-Unsubscribe)]]
 local x_php_origin = [[header_exists(X-PHP-Originating-Script)]]
 
 reconf['LEAKED_PASSWORD_SCAM'] = {
-  re = string.format('%s{words} & (%s | %s | %s | %s | %s | %s | %s | %s | %s)',
+  re = string.format('%s & (%s | %s | %s | %s | %s | %s | %s | %s | %s)',
       btc_wallet_address, password_in_words, wallet_word,
       my_victim, your_webcam, your_onan, broken_unicode, 'lua:check_data_images',
       list_unsub, x_php_origin),
@@ -98,83 +98,4 @@ reconf['LEAKED_PASSWORD_SCAM'] = {
   group = 'scams'
 }
 
--- Special routine to validate bitcoin wallets
--- Prepare base58 alphabet
-local fun = require "fun"
-local off = 0
-local base58_dec = fun.tomap(fun.map(
-    function(c)
-      off = off + 1
-      return c,(off - 1)
-    end,
-    "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"))
-
-local id = rspamd_config:register_symbol{
-  name = 'LEAKED_PASSWORD_SCAM_VALIDATED',
-  callback = function(task)
-    local rspamd_re = require "rspamd_regexp"
-    local hash = require "rspamd_cryptobox_hash"
-
-    if task:has_symbol('LEAKED_PASSWORD_SCAM') then
-      -- Perform BTC wallet check (quite expensive)
-      local wallet_re = rspamd_re.create_cached(btc_wallet_address)
-      local seen_valid = false
-      for _,tp in ipairs(task:get_text_parts()) do
-
-        local words = tp:get_words('raw') or {}
-
-        for _,word in ipairs(words) do
-          if wallet_re:match(word) then
-            -- We have something that looks like a BTC address
-            local bytes = {}
-            for i=1,25 do bytes[i] = 0 end
-            -- Base58 decode loop
-            fun.each(function(ch)
-              local acc = base58_dec[ch] or 0
-              for i=25,1,-1 do
-                acc = acc + (58 * bytes[i]);
-                bytes[i] = acc % 256
-                acc = math.floor(acc / 256);
-              end
-            end, word)
-            -- Now create a validation tag
-            local sha256 = hash.create_specific('sha256')
-            for i=1,21 do
-              sha256:update(string.char(bytes[i]))
-            end
-            sha256 = hash.create_specific('sha256', sha256:bin()):bin()
-
-            -- Compare tags
-            local valid = true
-            for i=1,4 do
-              if string.sub(sha256, i, i) ~= string.char(bytes[21 + i]) then
-                valid = false
-              end
-            end
-
-            if valid then
-              task:insert_result('LEAKED_PASSWORD_SCAM_VALIDATED', 1.0, word)
-              seen_valid = true
-            end
-          end
-        end
-      end
-
-      if not seen_valid then
-        task:insert_result('LEAKED_PASSWORD_SCAM_INVALID', 1.0)
-      end
-    end
-  end,
-  score = 0.0,
-  group = 'scams'
-}
-
-rspamd_config:register_symbol{
-  type = 'virtual',
-  name = 'LEAKED_PASSWORD_SCAM_INVALID',
-  parent = id,
-  score = 0.0,
-}
-
-rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM_VALIDATED',
-    'LEAKED_PASSWORD_SCAM')
\ No newline at end of file
+rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM', 'BITCOIN_ADDR')
\ No newline at end of file

More information about the Commits mailing list