commit c427048: [Feature] Validate BTC addresses in LEAKED_PASSWORD_SCAM
Vsevolod Stakhov
vsevolod at highsecure.ru
Tue Mar 19 16:21:03 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-03-19 16:15:20 +0000
URL: https://github.com/rspamd/rspamd/commit/c427048cec9cbdbd0da8457dfbd6ffbd6bdab02b (HEAD -> master)
[Feature] Validate BTC addresses in LEAKED_PASSWORD_SCAM
---
conf/composites.conf | 7 +++++
rules/regexp/misc.lua | 86 +++++++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/conf/composites.conf b/conf/composites.conf
index 3436b44ae..96ef9d58e 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -135,6 +135,13 @@ composites {
score = 3.5;
}
+ LEAKED_PASSWORD_SPAM_FP {
+ description = "Looks like a BTC pattern but address syntax is invalid",
+ expression = "LEAKED_PASSWORD_SCAM_INVALID & LEAKED_PASSWORD_SCAM";
+ policy = "remove_all";
+ score = 0.0; # To negate LEAKED_PASSWORD_SCAM
+ }
+
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
}
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 642a02e21..f7ea49bc2 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -65,12 +65,12 @@ local my_victim = [[/(?:victim|prey)/{words}]]
local your_webcam = [[/webcam/{words}]]
local your_onan = [[/(?:mast[ur]{2}bati(?:on|ng)|onanism|solitary)/{words}]]
local password_in_words = [[/^pass(?:(?:word)|(?:phrase))$/i{words}]]
-local btc_wallet_address = [[/^[13][0-9a-zA-Z]{25,34}$/{words}]]
+local btc_wallet_address = [[/^[13][1-9a-km-zA-HJ-NP-Z]{25,34}$/]]
local wallet_word = [[/^wallet$/{words}]]
local broken_unicode = [[has_flag(bad_unicode)]]
reconf['LEAKED_PASSWORD_SCAM'] = {
- re = string.format('%s & (%s | %s | %s | %s | %s | %s | lua:check_data_images)',
+ re = string.format('%s{words} & (%s | %s | %s | %s | %s | %s | lua:check_data_images)',
btc_wallet_address, password_in_words, wallet_word,
my_victim, your_webcam, your_onan, broken_unicode),
description = 'Contains password word and BTC wallet address',
@@ -94,3 +94,85 @@ reconf['LEAKED_PASSWORD_SCAM'] = {
score = 7.0,
group = 'scams'
}
+
+-- Special routine to validate bitcoin wallets
+-- Prepare base58 alphabet
+local fun = require "fun"
+local off = 0
+local base58_dec = fun.tomap(fun.map(
+ function(c)
+ off = off + 1
+ return c,(off - 1)
+ end,
+ "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"))
+
+local id = rspamd_config:register_symbol{
+ name = 'LEAKED_PASSWORD_SCAM_VALIDATED',
+ callback = function(task)
+ local rspamd_re = require "rspamd_regexp"
+ local hash = require "rspamd_cryptobox_hash"
+ local rspamd_logger = require "rspamd_logger"
+
+ if task:has_symbol('LEAKED_PASSWORD_SCAM') then
+ -- Perform BTC wallet check (quite expensive)
+ local wallet_re = rspamd_re.create_cached(btc_wallet_address)
+ local seen_valid = false
+ for _,tp in ipairs(task:get_text_parts()) do
+
+ local words = tp:get_words('raw') or {}
+
+ for _,word in ipairs(words) do
+ if wallet_re:match(word) then
+ -- We have something that looks like a BTC address
+ local bytes = {}
+ for i=1,25 do bytes[i] = 0 end
+ -- Base58 decode loop
+ fun.each(function(ch)
+ local acc = base58_dec[ch] or 0
+ for i=25,1,-1 do
+ acc = acc + (58 * bytes[i]);
+ bytes[i] = math.fmod(acc, 256);
+ acc = math.modf(acc / 256);
+ end
+ end, fun.tail(word)) -- Tail due to first byte is version
+ -- Now create a validation tag
+ local sha256 = hash.create_specific('sha256')
+ for i=1,21 do
+ sha256:update(string.char(bytes[i]))
+ end
+ sha256 = hash.create_specific('sha256', sha256:bin()):bin()
+
+ -- Compare tags
+ local valid = true
+ for i=1,4 do
+ if string.sub(sha256, i, i) ~= string.char(bytes[21 + i]) then
+ valid = false
+ end
+ end
+
+ if valid then
+ task:insert_result('LEAKED_PASSWORD_SCAM_VALIDATED', 1.0, word)
+ seen_valid = true
+ end
+ end
+ end
+ end
+
+ if not seen_valid then
+ task:insert_result('LEAKED_PASSWORD_SCAM_INVALID', 1.0)
+ end
+ end
+ end,
+ score = 0.0,
+ group = 'scams'
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'LEAKED_PASSWORD_SCAM_INVALID',
+ parent = id,
+ score = 0.0,
+}
+
+rspamd_config:register_dependency('LEAKED_PASSWORD_SCAM_VALIDATED',
+ 'LEAKED_PASSWORD_SCAM')
\ No newline at end of file
More information about the Commits
mailing list