How to Fix: Block Bitcoin Email Spam (Regex, Postfix)


Infopackets Reader Sam G. writes:

" Dear Dennis,

I came across your website while researching a postfix question. I am also a Linux systems administrator. As of late our organization has been bombarded with scam emails from 'hackers' purporting to have hacked our email accounts and PCs, and are demanding $800 in the form of bitcoin ('hush money') to keep things quiet. Is there any way to block all emails with bitcoin wallet requests? I would say 9.9 times out of 10, any bitcoin wallet money request through email is a scam. "

My response:

For the record, this same bitcoin scam email is also being sent to smartphone users, where the "hackers" claim to have hacked the phone and demand bitcoin payment.

I asked Sam if he would like me to look into this further using my remote desktop support service, and he agreed.

How to Fix: Block Bitcoin Email Spam (Regex, Postfix)

While the solution I'm about to provide is written specifically for Postfix (a mail transport agent [MTA] used on Linux servers), it can be applied to other MTAs or set up as a mail rule on Windows email clients that accept regular expressions as part of their filter rules.

A regular expression ("regex") is a pattern notation for matching text. In this case, a bitcoin wallet address has a recognizable text pattern. For example, a sample bitcoin wallet previously used for spam is: 182PJESsEWbuJ8PEgfM58p64jbok3i1gNU.

A bitcoin wallet address of this kind is 26-35 alphanumeric characters long, begins with the number 1 or 3, and otherwise mixes digits, uppercase letters and lowercase letters. Four characters are never used, to prevent visual ambiguity: the uppercase letter O, the uppercase letter I, the lowercase letter l, and the number 0.

To set Postfix to reject all messages with a bitcoin wallet, do the following:

  1. Connect to the Linux server that runs Postfix, then navigate to the Postfix configuration directory (typically /etc/postfix).
     
  2. Edit main.cf and include the line below near the bottom of the configuration file. When complete, save the file. Comments begin with ####.

    ####if using nano:
    ####nano -w /etc/postfix/main.cf

    body_checks = regexp:/etc/postfix/body_checks
     
  3. Create a new file called /etc/postfix/body_checks, include the below information, then save the file:

    ####if using nano:
    ####nano -w /etc/postfix/body_checks
    ####no need to postmap this file!
    ####service postfix restart
    ####CASE INSENSITIVE

    /\s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}/ REJECT SPAM: Your email appears to contain a bitcoin address. Contact here instead: [web form address]
     
  4. At the command line, restart postfix to accept the changes. There is no need to postmap a regex configuration file.

    ####using centos, restart postfix:
    service postfix restart
     
  5. Send a test email to your organization containing a bitcoin wallet address. An example bitcoin wallet previously used for spam would be 182PJESsEWbuJ8PEgfM58p64jbok3i1gNU.

Now, any email containing a bitcoin wallet address will be rejected by the mail transport agent (Postfix), along with the custom error message defined in the /etc/postfix/body_checks file. In this case, the rejection message tells the sender to use the web form to make contact instead. Most spammers don't read rejection messages because they send out emails to millions of users at a time. If the email is a legitimate request, the sender will either remove the bitcoin wallet address from the email body or use the contact form as requested.

Rejecting Bitcoin Spam Emails using a Windows Email Client

If you use a Windows email client that supports regular expressions as part of its filtering mechanism, you would have the program search for the regular expression "\s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}" (no quotes) in the body of the message, then mark the message for deletion. Mailwasher Pro supports regular expressions, as an example.

This does not reject the email from the email server but will reject it at the email client (or delete it, depending on how you set up your rule).
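To see exactly what the expression accepts and rejects before you rely on it, whether in the Postfix body_checks table above or in the email-client rule just described, here is an added Python example written for this page (it is not part of Postfix, Mailwasher Pro or the original article). It applies the same regex line by line, which is how body_checks evaluates a message body, and compares Postfix's default case-insensitive matching with a case-sensitive run. The sample message bodies are constructed for the demonstration; the only real value in them is the spam wallet address quoted in the article.

```python
import re
from typing import Optional

# Pattern copied from the body_checks table above; the Windows client rule uses the same one.
BITCOIN_PATTERN = r"\s+[13][a-km-zA-HJ-NP-Z1-9]{25,34}"

# The REJECT text Postfix returns to the sender, as written in the table.
REJECT_TEXT = ("REJECT SPAM: Your email appears to contain a bitcoin address. "
               "Contact here instead: [web form address]")

# Postfix regexp tables match case-insensitively by default; the same regex is
# compiled both ways here so the two behaviours can be compared.
_INSENSITIVE = re.compile(BITCOIN_PATTERN, re.IGNORECASE)
_SENSITIVE = re.compile(BITCOIN_PATTERN)


def check_body(body: str, case_sensitive: bool = False) -> Optional[str]:
    """Approximate body_checks: Postfix tests each body line against the table
    and stops at the first line that matches, returning that entry's action."""
    pattern = _SENSITIVE if case_sensitive else _INSENSITIVE
    for line in body.splitlines():
        if pattern.search(line):
            return REJECT_TEXT
    return None  # no line matched; Postfix would accept the message


# Constructed sample bodies (not real messages).
SCAM_BODY = (
    "I have recorded you through your webcam.\n"
    "Send $800 in bitcoin to 182PJESsEWbuJ8PEgfM58p64jbok3i1gNU within 48 hours."
)
LEGIT_BODY = (
    "Hi team, invoice INV-2024-0042 is attached.\n"
    "The purchase order reference is PO48813, thanks."
)
# Constructed token with a lowercase "l" as its 9th character; Base58 never uses
# that letter, so this is not a valid address even though the rest looks right.
AMBIGUOUS_BODY = "Pay to 3Hbv9Kq2lRdfY7uPbN4eWxJ8mTzQa5cVk6 today."
# Address at the very start of a line: nothing precedes it, so \s+ cannot match.
LINE_START_BODY = "182PJESsEWbuJ8PEgfM58p64jbok3i1gNU is the wallet to use.\nThanks."


if __name__ == "__main__":
    samples = [("scam", SCAM_BODY), ("legit", LEGIT_BODY),
               ("ambiguous", AMBIGUOUS_BODY), ("line-start", LINE_START_BODY)]
    for name, body in samples:
        print(f"{name:10} default (case-insensitive): {check_body(body)}")
        print(f"{name:10} case-sensitive            : {check_body(body, case_sensitive=True)}")
```

Two results are worth noting. With the default case-insensitive matching, the Base58 exclusions written into the character class are only partly enforced: a lowercase l matches through L, an uppercase I through i, and an uppercase O through o, so only the digit 0 remains excluded (in Postfix's regexp tables the i flag is a toggle, so appending it to the pattern turns case sensitivity on if you want the stricter behaviour). And because the pattern begins with \s+, an address that starts a line with nothing in front of it is not caught; the rule is a filter for the common scam template, not a complete address detector. You can run the same checks against the live table with `postmap -q "text to test" regexp:/etc/postfix/body_checks`, which prints the REJECT action when the text matches and nothing when it does not.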

I hope that helps!

Additional 1-on-1 Support: From Dennis

If all of this is over your head, or if you need help to block bitcoin spam emails from your email web server (or email client, depending if it supports regex), I can help using my remote desktop support service. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question - or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are broad and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.
