Mailing List Archive

CryptoBL [was: Bitcoin rules]
Hello everyone,

as said some days ago I started a DNSBL based on abused/malign BTC
addresses. This list is queried by an SA plugin that takes the md5 hash
(I know, outdated algorithm, but good enough for this purpose IMHO) of a
BTC wallet found in the body and looks it up in the DNSBL.

The DNSBL is (mostly) automatically populated by trap feeds and from
bitcoinabuse.com

What I'm looking for are people that would like to try it and possibly
polish the plugin (I'm not a coder) and/or contribute with malign BTC
wallets, or other cryptovalues found in sextortions.

If interested please PM me offlist

Thanks

Daniele Duca
Re: CryptoBL [was: Bitcoin rules]
On Wed, 31 Oct 2018 12:03:38 +0100
Daniele Duca wrote:

> Hello everyone,
>
> as said some days ago I started a DNSBL based on abused/malign BTC
> addresses. This list is queried by an SA plugin that takes the md5
> hash (I know, outdated algorithm, but good enough for this purpose
> IMHO)

As I pointed out before hashing isn't needed to avoid FPs on case
insensitive matches, and it does make things less transparent in
debugging.

These addresses contain a 160 bit hash of the public key and a 256 bit
validity hash. When you convert an alphanumeric string to lower case
you only lose about 13% of the entropy, so the probability that two
valid and distinct addresses have a case insensitive match is
approximately:

1 in 2^360

compare that with the probability of the same md5 hash value:

1 in 2^128

and the probability that two wallets have the same address:

1 in 2^160


With email address lookups the main reason for hashing was privacy,
but that obviously doesn't apply here.
Re: CryptoBL [was: Bitcoin rules]
On Wed, Oct 31, 2018 at 03:11:51PM +0000, RW wrote:
> On Wed, 31 Oct 2018 12:03:38 +0100
> Daniele Duca wrote:
>
> > Hello everyone,
> >
> > as said some days ago I started a DNSBL based on abused/malign BTC
> > addresses. This list is queried by an SA plugin that takes the md5
> > hash (I know, outdated algorithm, but good enough for this purpose
> > IMHO)
>
> As I pointed out before hashing isn't needed to avoid FPs on case
> insensitive matches, and it does make things less transparent in
> debugging.
>
> These addresses contain a 160 bit hash of the public key and a 256 bit
> validity hash. When you convert an alphanumeric string to lower case
> you only lose about 13% of the entropy, so the probability that two
> valid and distinct addresses have a case insensitive match is
> approximately:
>
> 1 in 2^360
>
> compare that with the probability of the same md5 hash value:
>
> 1 in 2^128
>
> and the probability that two wallets have the same address:
>
> 1 in 2^160
>
>
> With email address lookups the main reason for hashing was privacy,
> but that obviously doesn't apply here.

No matter, I will implement BTC (and ETH etc), URL and other imaginable
"hash bl" checks to HashBL.pm with options for raw/md5/sha1 etc. Everyone
can run their BLs then how they wish. ;-)
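
Added example, not part of any post in this thread and not the plugin's or HashBL.pm's own code: a Python illustration of the lookup described above (find BTC addresses in a body, then build the DNSBL query name in raw, md5 or sha1 mode). Assumptions: the zone name is a placeholder, all function names are hypothetical, only legacy `1...`/`3...` addresses are matched, and the address is hashed exactly as found.

```python
import hashlib
import re

ZONE = "cryptobl.example.invalid"  # placeholder: the thread does not name the zone
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy-format candidates: '1' or '3' followed by 25-34 Base58 characters.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def base58check_ok(addr):
    """Decode Base58 and verify the 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return False
        n = n * 58 + i
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def query_name(addr, mode="md5", zone=ZONE):
    """Build the DNSBL query name for one address in raw, md5 or sha1 mode."""
    if mode == "raw":
        label = addr.lower()  # DNS compares names case-insensitively anyway
    elif mode in ("md5", "sha1"):
        # Assumption: the address is hashed exactly as found, case preserved.
        label = hashlib.new(mode, addr.encode("ascii")).hexdigest()
    else:
        raise ValueError(f"unknown mode: {mode}")
    return f"{label}.{zone}"

def lookups(body, mode="md5"):
    """Return (address, query name) for each distinct checksum-valid address."""
    seen = dict.fromkeys(a for a in CANDIDATE.findall(body) if base58check_ok(a))
    return [(a, query_name(a, mode)) for a in seen]

# Constructed sample body. The first address is the widely published
# genesis-block address, used only because its checksum is valid; the second
# is the same string with its last character changed.
SAMPLE_BODY = (
    "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa today.\n"
    "Typo copy: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n"
)

if __name__ == "__main__":
    for mode in ("raw", "md5", "sha1"):
        print(mode, lookups(SAMPLE_BODY, mode))
```

Checking the checksum before querying keeps mistyped or random Base58-looking strings out of the DNS traffic, and raw mode leaves the queried address readable in resolver logs.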
Re: CryptoBL [was: Bitcoin rules]
+1. I had the same thought.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Wed, Oct 31, 2018 at 12:21 PM Henrik K <hege@hege.li> wrote:

> On Wed, Oct 31, 2018 at 03:11:51PM +0000, RW wrote:
> > On Wed, 31 Oct 2018 12:03:38 +0100
> > Daniele Duca wrote:
> >
> > > Hello everyone,
> > >
> > > as said some days ago I started a DNSBL based on abused/malign BTC
> > > addresses. This list is queried by an SA plugin that takes the md5
> > > hash (I know, outdated algorithm, but good enough for this purpose
> > > IMHO)
> >
> > As I pointed out before hashing isn't needed to avoid FPs on case
> > insensitive matches, and it does make things less transparent in
> > debugging.
> >
> > These addresses contain a 160 bit hash of the public key and a 256 bit
> > validity hash. When you convert an alphanumeric string to lower case
> > you only lose about 13% of the entropy, so the probability that two
> > valid and distinct addresses have a case insensitive match is
> > approximately:
> >
> > 1 in 2^360
> >
> > compare that with the probability of the same md5 hash value:
> >
> > 1 in 2^128
> >
> > and the probability that two wallets have the same address:
> >
> > 1 in 2^160
> >
> >
> > With email address lookups the main reason for hashing was privacy,
> > but that obviously doesn't apply here.
>
> No matter, I will implement BTC (and ETH etc), URL and other imaginable
> "hash bl" checks to HashBL.pm with options for raw/md5/sha1 etc. Everyone
> can run their BLs then how they wish. ;-)
>
>