Status:  Beta
Type:  SHA-1 hash

Cloud DNS:  <key>.btc-wallets.mail-beta.abusix.zone.
Rsync File:  beta-lists/btc-wallets.zone

Return Codes:  127.0.4.1
Test Points:   127.0.0.2

Listing duration:  Approximately 5.2 days after last seen

Description

We developed this list to publish BTC wallet addresses seen in the message body of spam sent to traps.

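Because a BTC wallet address cannot be represented reliably in a DNS query (wallet addresses are case-sensitive, while DNS names are not), the address is SHA-1 hashed and the lowercase hex hash value is used for the lookup instead of the address itself. The hash must be computed over the exact address string, with no surrounding whitespace. SHA-1 is used here only as a fixed-length, DNS-safe encoding of the address; it does not keep the address secret.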

For example:

SHA-1(15GWKdT8e1o6GcDTZMQZRiZng2Q6dLX8Aw) -> 
e108c5b4bde457dcc35f009d05a21fa383eda04c

Note

As this is a completely new type of anti-spam check, support for it must be added to your chosen mail platform.   See below for example code for rspamd.

Rspamd

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query this zone.   Note that you should replace "<APIKEY>" with your API key or set the "check_btc_dns" variable appropriately for your DNS namespace if you are using rsync.

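-- rspamd Lua modules used by this snippet. The names rspamd_regexp, rhash and
-- rlogger are referenced below; without these requires they would be nil
-- globals unless the surrounding file already defines them.
local rspamd_regexp = require "rspamd_regexp"
local rhash = require "rspamd_cryptobox_hash"
local rlogger = require "rspamd_logger"

-- Matches a word that is a Base58-style address: a leading '1' or '3' followed
-- by 25-34 characters from the Base58 alphabet (no 0, O, I or l), optionally
-- surrounded by whitespace. Addresses in other formats (for example those
-- beginning with "bc1") do not match and are therefore never looked up.
local btc_wallet_re = rspamd_regexp.create_cached('/(?:^|\\s)([13][a-km-zA-HJ-NP-Z1-9]{25,34})(?:\\s|$)/')

-- Suffix appended to the SHA-1 hex digest to form the DNS query name.
-- Replace <APIKEY> with your API key, or set this to your own DNS namespace
-- when serving the zone from the rsync file.
local check_btc_dns = '.<APIKEY>.btc-wallets.mail-beta.abusix.zone.'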

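-- Upper bound on the DNS lookups this check issues for a single message.
-- The resolve call below passes forced = true, which asks the resolver to
-- override its normal per-task request limit, so this cap is what keeps a
-- message stuffed with wallet-like tokens from generating unbounded queries.
-- The value is a constructed default; tune it for your deployment.
local max_btc_lookups = 32

--- Symbol callback: look up wallet-like words of a message in the BTC zone.
-- Every word of every text part that matches btc_wallet_re is SHA-1 hashed,
-- the hex digest is prepended to check_btc_dns, and an A query is issued.
-- When an answer contains 127.0.4.1 the RBL_AMI_BTC symbol is inserted with
-- the matching word as its option.
-- @param task the rspamd task being scanned
-- @return false when the task has no text parts, otherwise nothing
local check_btc_cb = function (task)
    local parts = task:get_text_parts()
    if not parts then return false end
    local r = task:get_resolver()
    -- Words already queried for this message; the same address often appears
    -- in several parts, and one lookup per distinct word is enough.
    -- NOTE(review): assumes get_words('raw') yields Lua strings, so equal
    -- words share a table key - confirm against your rspamd version.
    local seen = {}
    local lookups = 0
    for _, part in ipairs(parts) do
        -- Guard against a part that yields no word list at all.
        local words = part:get_words('raw') or {}
        for _, word in ipairs(words) do
            if lookups >= max_btc_lookups then return end
            if not seen[word] and btc_wallet_re:match(word) then
                seen[word] = true
                lookups = lookups + 1
                -- The whole word is hashed, not the regex capture.
                -- NOTE(review): if a word could ever carry surrounding
                -- whitespace the digest would not match the list - confirm.
                local btc_hash = rhash.create_specific('sha1', word):hex()
                local lookup = btc_hash .. check_btc_dns
                local function dns_cb(_, _, results, err)
                    -- No records: nothing to report for this word.
                    if (not results) then return false end
                    -- Check every returned record rather than only the first,
                    -- so the listing code is found wherever it appears.
                    for _, addr in ipairs(results) do
                        if (tostring(addr) == '127.0.4.1') then
                            -- A listing hit is an expected event, so it is
                            -- logged at info level and tied to the task.
                            rlogger.infox(task, 'found BTC wallet %s (%s) in BTC Wallet blacklist', word, btc_hash)
                            return task:insert_result('RBL_AMI_BTC', 1.0, word)
                        end
                    end
                end
                r:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
            end
        end
    end
end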

-- Register check_btc_cb as the callback symbol RBL_AMI_BTC. The name must stay
-- identical to the one the callback passes to task:insert_result. The callback
-- inserts the symbol with weight 1.0, and the score registered here is 3.0.
local btc_symbol_opts = {
    type = "callback",
    name = "RBL_AMI_BTC",
    group = "abusix",
    description = "BTC Wallet found in Abusix BTC Wallet blacklist",
    score = 3.0,
    callback = check_btc_cb,
}
-- check_btc holds whatever register_symbol returns; nothing on this page uses it.
local check_btc = rspamd_config:register_symbol(btc_symbol_opts)
