[Rspamd-Users] Handling of InterPlanetary File System (IPFS) abuse

Tobias Westerhever tobias.westerhever at skyline.link38.eu
Sun Aug 7 17:40:20 UTC 2022


Hello *,

if I may (ab)use this list to solicit a sentiment regarding the handling of IPFS abuse:
Particularly over the course of the last four weeks, malspam leveraging IPFS crops up
here with notable frequency. Most of the time, it's (more or less) targeted phishing,
sometimes ordinary malware.

Some news coverage on this:
- https://blog.talosintelligence.com/2022/08/dark-utilities.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
- https://www.bleepingcomputer.com/news/security/phishing-attacks-distributed-through-cloudflares-ipfs-gateway/ (2018)

Blocking IPFS gateway FQDNs has some effect, but ultimately leads to a cat-and-mouse game
I am not overly fond of playing. :-) I started building some regular expressions that aim
at IPFS CIDs in conjunction with patterns like "ipfs" in a URL, but don't have a sufficiently
diverse test corpus at hand to get an educated guess on how well that performs.

How do you handle this? By simply blocking IPFS gateway FQDNs, and maybe some abused
open redirectors such as googleweblight[.]com? Or do you have something more mature in
your rspamd configuration in place?

Thanks in advance,
Tobias
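One way to implement the "CID in conjunction with an ipfs marker" matching the post describes, as an added example that is not code from the post or from rspamd: a Python extractor that only fires when a gateway-style URL (path, subdomain or ipfs:// scheme) carries a syntactically valid CID. The gateway hostnames and CIDs in the sample body are constructed; the regexes can be carried over into an rspamd Lua rule as-is.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CIDv0: base58btc, always 46 chars starting with "Qm".
# CIDv1: normally base32 (multibase prefix "b"); the common sha2-256 forms
# ("bafy...", "bafk...") are 59 chars. No re.IGNORECASE on the CID part:
# base58 excludes 0, O, I and l, and an ignore-case class would admit them.
CID = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58})"
HOST = r"([A-Za-z0-9.-]+)"

# Scheme, "ipfs" marker and host are matched case-insensitively via (?i:...).
PATTERNS = {
    # https://gateway.example/ipfs/<cid>/login.html  (path-style gateway)
    "path": re.compile(rf"(?i:https?://){HOST}(?i:/ipfs/)({CID})(?![1-9A-Za-z])"),
    # https://<cid>.ipfs.gateway.example/  (subdomain-style gateway)
    "subdomain": re.compile(rf"(?i:https?://)({CID})(?i:\.ipfs\.){HOST}"),
    # ipfs://<cid>  (native scheme, resolved by browser add-ons)
    "native": re.compile(rf"(?i:ipfs://)({CID})(?![1-9A-Za-z])"),
}

@dataclass(frozen=True)
class IpfsRef:
    style: str    # "path", "subdomain" or "native"
    gateway: str  # gateway host, empty for the ipfs:// scheme
    cid: str

def find_ipfs_refs(text: str) -> list[IpfsRef]:
    """Return every gateway-plus-CID reference found in a message body."""
    refs: list[IpfsRef] = []
    for style, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if style == "path":
                gateway, cid = m.group(1), m.group(2)
            elif style == "subdomain":
                cid, gateway = m.group(1), m.group(2)
            else:
                gateway, cid = "", m.group(1)
            refs.append(IpfsRef(style, gateway.lower(), cid))
    return refs

# Constructed sample body: every hostname and CID below is made up.
SAMPLE = """\
Your mailbox is almost full. Review here:
https://cloudflare-ipfs.example/ipfs/QmXyZabc123def456ghi789jkmnpqrstuvwxyzABCDEFGH/login.html
Mirror: https://bafybeiexampleconstructedcidforregexdemo2345672345672345672.ipfs.dweb.example/
Direct: ipfs://bafkreirawleafsampleforipfsnativescheme23456723456723456723
Unrelated: https://ipfs-docs.example/ipfs/not-a-cid
"""
```

The last sample line shows the point of the conjunction: "ipfs" in a hostname or path alone does not fire, only a well-formed CID next to it does, which keeps documentation and support links out of the score.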

