unrealircd- supernets unrealircd source & configuration |
| git clone git://git.acid.vegas/unrealircd.git |
| Log | Files | Refs | Archive | README | LICENSE |
spamfilter.conf.patch (10687B)
1 --- spamfilter.conf.old 2015-06-27 18:29:01.084559805 +0200 2 +++ spamfilter.conf 2019-04-04 18:29:38.390647262 +0200 3 @@ -1,232 +1,154 @@ 4 /* 5 - * This an example spamfilter file, it contains several 6 - * real and useful spamfilters. This should give you an 7 - * idea of how powerful spamfilter can be in real-life 8 - * situations. 9 + * This configuration file contains example spamfilter rules. 10 + * They are real rules that were useful a long time ago. 11 + * Since 2005 these rules are no longer maintained. 12 + * The main purpose nowadays is to serve as an example 13 + * to give you an idea of how powerful spamfilters can 14 + * be in real-life situations. 15 * 16 - * $Id$ 17 + * Documentation on spamfilter is available at: 18 + * https://www.unrealircd.org/docs/Spamfilter 19 */ 20 21 -/* Guidelines on the 'action' field: 22 - * As a general rule we use 'action block' for any newly added 23 - * spamfilters at first, later on (after knowing about false 24 - * positives) we might change some to viruschan/kill/gline/etc.. 25 +/* General note: 26 + * If you want to use a \ in a spamfilter, or in fact 27 + * anywhere in the configuration file, then you need 28 + * to escape this to \\ instead. 29 */ 30 31 -spamfilter { 32 - match-type posix; 33 - match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}"; 34 - target { private; channel; }; 35 - action kill; 36 - reason "mIRC 6.0-6.11 exploit attempt"; 37 -}; 38 39 -spamfilter { 40 - match-type posix; 41 - match "\x01DCC (SEND|RESUME).{225}"; 42 - target { private; channel; }; 43 - action kill; 44 - reason "Possible mIRC 6.12 exploit attempt"; 45 -}; 46 +/* First some spamfilters with match-type 'simple'. 47 + * The only matchers available are * and ? 48 + * PRO's: very fast, easy matching: everyone can do this. 49 + * CON's: limited ability to fine-tune spamfilters 50 + */ 51 52 spamfilter { 53 - match-type posix; 54 - match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg"; 55 + match-type simple; 56 + match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg"; 57 target private; 58 action gline; 59 reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html"; 60 }; 61 62 +/* This signature uses a \ which has to escaped to \\ in the configuration file */ 63 spamfilter { 64 - match-type posix; 65 - match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe"; 66 - target private; 67 - action gline; 68 - reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html"; 69 -}; 70 - 71 -spamfilter { 72 - match-type posix; 73 - match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!"; 74 - target private; 75 + match-type simple; 76 + match "C:\\WINNT\\system32\\*.zip"; 77 + target dcc; 78 action block; 79 - reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml"; 80 + reason "Infected by Gaggle worm?"; 81 }; 82 83 spamfilter { 84 - match-type posix; 85 - match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$"; 86 + match-type simple; 87 + match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe"; 88 target private; 89 action gline; 90 - reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml"; 91 -}; 92 - 93 -spamfilter { 94 - match-type posix; 95 - match "^!login Wasszup!$"; 96 - target channel; 97 - action gline; 98 - reason "Attempting to login to a GTBot"; 99 -}; 100 - 101 -spamfilter { 102 - match-type posix; 103 - match "^!login grrrr yeah baby!$"; 104 - target channel; 105 - action gline; 106 - reason "Attempting to login to a GTBot"; 107 -}; 108 - 109 -spamfilter { 110 - match-type posix; 111 - match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}"; 112 - target channel; 113 - action gline; 114 - reason "Attempting to use a GTBot"; 115 -}; 116 - 117 -spamfilter { 118 - match-type posix; 119 - match "^!icqpagebomb ([0-9]{1,15} ){2}.+"; 120 - target channel; 121 - action gline; 122 - reason "Attempting to use a GTBot"; 123 + reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html"; 124 }; 125 126 spamfilter { 127 - match-type posix; 128 - match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$"; 129 - target channel; 130 + match-type simple; 131 + match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R"; 132 + target private; 133 action gline; 134 - reason "Attempting to use a GTBot"; 135 + reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; 136 }; 137 138 -spamfilter { 139 - match-type posix; 140 - match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$"; 141 - target channel; 142 - action gline; 143 - reason "Attempting to use a GTBot"; 144 -}; 145 146 -spamfilter { 147 - match-type posix; 148 - match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$"; 149 - target channel; 150 - action gline; 151 - reason "Attempting to use an SDBot"; 152 -}; 153 +/* Now spamfilters of type 'regex'. 154 + * These use powerful regular expressions (Perl/PCRE style) 155 + * You may have to learn more about "regex" first before you 156 + * can use them. For example the dot ('.') has special meaning. 157 + */ 158 159 +/* This regex shows a pattern which requires 20 paramaters, 160 + * such as "x x x x x x x x x x x x x x x x x x x x" 161 + */ 162 spamfilter { 163 - match-type posix; 164 - match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}"; 165 - target { channel; private; }; 166 - action gline; 167 - reason "Attempting to use a SpyBot"; 168 + match-type regex; 169 + match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}"; 170 + target { private; channel; }; 171 + action kill; 172 + reason "mIRC 6.0-6.11 exploit attempt"; 173 }; 174 175 +/* Similarly, this regex shows a pattern that matches 176 + * against at least 225 characters in length. 177 + */ 178 spamfilter { 179 - match-type posix; 180 - match "^porn! porno! http://.+\/sexo\.exe"; 181 - target private; 182 - action gline; 183 - reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A"; 184 + match-type regex; 185 + match "\x01DCC (SEND|RESUME).{225}"; 186 + target { private; channel; }; 187 + action kill; 188 + reason "Possible mIRC 6.12 exploit attempt"; 189 }; 190 191 +/* Earlier you saw an example of a $decode exploit which used 192 + * match-type 'simple' and - indeed - the filter was quite simple. 193 + * The following uses a regex with a similar example. 194 + * Regular expressions are very powerful but here you can see 195 + * that it actually complicates writing a filter quite a bit. 196 + * With regex in this filter we need to escape the ( and all 197 + * the dots, question marks, etc. if we want to match these 198 + * characters in literal text. 199 + */ 200 spamfilter { 201 - match-type posix; 202 - match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$"; 203 + match-type regex; 204 + match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$"; 205 target private; 206 - action gline; 207 - reason "Infected by some trojan (erotica?)"; 208 + action block; 209 + reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan."; 210 }; 211 212 spamfilter { 213 - match-type posix; 214 - match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$"; 215 + match-type regex; 216 + match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!"; 217 target private; 218 - action gline; 219 - reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; 220 + action block; 221 + reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml"; 222 }; 223 224 +/* This shows a regex which specifically matches an entire line by 225 + * the use of ^ and $ 226 + */ 227 spamfilter { 228 - match-type posix; 229 - match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$"; 230 - target private; 231 + match-type regex; 232 + match "^!login Wasszup!$"; 233 + target channel; 234 action gline; 235 - reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; 236 + reason "Attempting to login to a GTBot"; 237 }; 238 239 +/* An example of how to match against an IP address in text (IPv4 only) */ 240 spamfilter { 241 - match-type posix; 242 - match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$"; 243 - target private; 244 + match-type regex; 245 + match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}"; 246 + target channel; 247 action gline; 248 - reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; 249 + reason "Attempting to use a GTBot"; 250 }; 251 252 +/* A slightly more complex example with a partial OR matcher (|) */ 253 spamfilter { 254 - match-type posix; 255 - match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*"; 256 + match-type regex; 257 + match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$"; 258 target private; 259 action gline; 260 - reason "Infected by LOI trojan"; 261 -}; 262 - 263 -/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */ 264 -spamfilter { 265 - match-type posix; 266 - match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip"; 267 - target dcc; 268 - action block; 269 - reason "Infected by Gaggle worm?"; 270 + reason "Infected by some trojan (erotica?)"; 271 }; 272 273 +/* In regex a \ is special and needs to be escaped to \\ 274 + * However in this configuration file, \ is also special and 275 + * needs to be escaped to \\ as well. 276 + * The result is that we need double escaping: 277 + * To match a \ you need to write \\\\ in the configuration file. 278 + */ 279 spamfilter { 280 - match-type posix; 281 - match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip"; 282 + match-type regex; 283 + match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip"; 284 target dcc; 285 action dccblock; 286 reason "Infected by Gaggle worm"; 287 }; 288 - 289 -spamfilter { 290 - match-type posix; 291 - match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)"; 292 - target { private; quit; }; 293 - action block; 294 - reason "Infected by Gaggle worm"; 295 -}; 296 - 297 -spamfilter { 298 - match-type posix; 299 - match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)"; 300 - target private; 301 - action block; 302 - reason "Unknown virus. Site causes Backdoor.Delf.lq infection"; 303 -}; 304 - 305 -spamfilter { 306 - match-type posix; 307 - match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$"; 308 - target channel; 309 - action block; 310 - reason "$decode exploit"; 311 -}; 312 - 313 -/* 314 -spamfilter { 315 - regex "//write \$decode\(.+\|.+load -rs"; 316 - target { private; channel; }; 317 - reason "Generic $decode exploit"; 318 - action block; 319 -}; 320 -*/ 321 - 322 -spamfilter { 323 - match-type posix; 324 - match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$"; 325 - target private; 326 - action block; 327 - reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan."; 328 -};