
spamfilter.conf.patch (10687B)

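--- spamfilter.conf.old	2015-06-27 18:29:01.084559805 +0200
+++ spamfilter.conf	2019-04-04 18:29:38.390647262 +0200
@@ -1,232 +1,154 @@
 /*
- * This an example spamfilter file, it contains several
- * real and useful spamfilters. This should give you an
- * idea of how powerful spamfilter can be in real-life
- * situations.
+ * This configuration file contains example spamfilter rules.
+ * They are real rules that were useful a long time ago.
+ * Since 2005 these rules are no longer maintained.
+ * The main purpose nowadays is to serve as an example
+ * to give you an idea of how powerful spamfilters can
+ * be in real-life situations.
  *
- * $Id$
+ * Documentation on spamfilter is available at:
+ * https://www.unrealircd.org/docs/Spamfilter
  */
 
-/* Guidelines on the 'action' field:
- * As a general rule we use 'action block' for any newly added
- * spamfilters at first, later on (after knowing about false
- * positives) we might change some to viruschan/kill/gline/etc..
+/* General note:
+ * If you want to use a \ in a spamfilter, or in fact
+ * anywhere in the configuration file, then you need
+ * to escape this to \\ instead.
  */
 
-spamfilter {
-	match-type posix;
-	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
-	target { private; channel; };
-	action kill;
-	reason "mIRC 6.0-6.11 exploit attempt";
-};
 
-spamfilter {
-	match-type posix;
-	match "\x01DCC (SEND|RESUME).{225}";
-	target { private; channel; };
-	action kill;
-	reason "Possible mIRC 6.12 exploit attempt";
-};
+/* First some spamfilters with match-type 'simple'.
+ * The only matchers available are * and ?
+ * PRO's: very fast, easy matching: everyone can do this.
+ * CON's: limited ability to fine-tune spamfilters
+ */
 
 spamfilter {
-	match-type posix;
-	match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
+	match-type simple;
+	match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
 	target private;
 	action gline;
 	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
 };
 
+/* This signature uses a \ which has to escaped to \\ in the configuration file */
 spamfilter {
-	match-type posix;
-	match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
-	target private;
-	action gline;
-	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
-};
-
-spamfilter {
-	match-type posix;
-	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
-	target private;
+	match-type simple;
+	match "C:\\WINNT\\system32\\*.zip";
+	target dcc;
 	action block;
-	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
+	reason "Infected by Gaggle worm?";
 };
 
 spamfilter {
-	match-type posix;
-	match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
+	match-type simple;
+	match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
 	target private;
 	action gline;
-	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!login Wasszup!$";
-	target channel;
-	action gline;
-	reason "Attempting to login to a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!login grrrr yeah baby!$";
-	target channel;
-	action gline;
-	reason "Attempting to login to a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
+	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
 };
 
 spamfilter {
-	match-type posix;
-	match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
-	target channel;
+	match-type simple;
+	match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
+	target private;
 	action gline;
-	reason "Attempting to use a GTBot";
+	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
 };
 
-spamfilter {
-	match-type posix;
-	match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
 
-spamfilter {
-	match-type posix;
-	match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
-	target channel;
-	action gline;
-	reason "Attempting to use an SDBot";
-};
+/* Now spamfilters of type 'regex'.
+ * These use powerful regular expressions (Perl/PCRE style)
+ * You may have to learn more about "regex" first before you
+ * can use them. For example the dot ('.') has special meaning.
+ */
 
+/* This regex shows a pattern which requires 20 paramaters,
+ * such as "x x x x x x x x x x x x x x x x x x x x"
+ */
 spamfilter {
-	match-type posix;
-	match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
-	target { channel; private; };
-	action gline;
-	reason "Attempting to use a SpyBot";
+	match-type regex;
+	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
+	target { private; channel; };
+	action kill;
+	reason "mIRC 6.0-6.11 exploit attempt";
 };
 
+/* Similarly, this regex shows a pattern that matches
+ * against at least 225 characters in length.
+ */
 spamfilter {
-	match-type posix;
-	match "^porn! porno! http://.+\/sexo\.exe";
-	target private;
-	action gline;
-	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
+	match-type regex;
+	match "\x01DCC (SEND|RESUME).{225}";
+	target { private; channel; };
+	action kill;
+	reason "Possible mIRC 6.12 exploit attempt";
 };
 
+/* Earlier you saw an example of a $decode exploit which used
+ * match-type 'simple' and - indeed - the filter was quite simple.
+ * The following uses a regex with a similar example.
+ * Regular expressions are very powerful but here you can see
+ * that it actually complicates writing a filter quite a bit.
+ * With regex in this filter we need to escape the ( and all
+ * the dots, question marks, etc. if we want to match these
+ * characters in literal text.
+ */
 spamfilter {
-	match-type posix;
-	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
+	match-type regex;
+	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
 	target private;
-	action gline;
-	reason "Infected by some trojan (erotica?)";
+	action block;
+	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
 };
 
 spamfilter {
-	match-type posix;
-	match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
+	match-type regex;
+	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
 	target private;
-	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+	action block;
+	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
 };
 
+/* This shows a regex which specifically matches an entire line by 
+ * the use of ^ and $
+ */
 spamfilter {
-	match-type posix;
-	match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
-	target private;
+	match-type regex;
+	match "^!login Wasszup!$";
+	target channel;
 	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+	reason "Attempting to login to a GTBot";
 };
 
+/* An example of how to match against an IP address in text (IPv4 only) */
 spamfilter {
-	match-type posix;
-	match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
-	target private;
+	match-type regex;
+	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
+	target channel;
 	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+	reason "Attempting to use a GTBot";
 };
 
+/* A slightly more complex example with a partial OR matcher (|) */
 spamfilter {
-	match-type posix;
-	match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
+	match-type regex;
+	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
 	target private;
 	action gline;
-	reason "Infected by LOI trojan";
-};
-
-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
-spamfilter {
-	match-type posix;
-	match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
-	target dcc;
-	action block;
-	reason "Infected by Gaggle worm?";
+	reason "Infected by some trojan (erotica?)";
 };
 
+/* In regex a \ is special and needs to be escaped to \\
+ * However in this configuration file, \ is also special and
+ * needs to be escaped to \\ as well.
+ * The result is that we need double escaping:
+ * To match a \ you need to write \\\\ in the configuration file.
+ */
 spamfilter {
-	match-type posix;
-	match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
+	match-type regex;
+	match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
 	target dcc;
 	action dccblock;
 	reason "Infected by Gaggle worm";
 };
-
-spamfilter {
-	match-type posix;
-	match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
-	target { private; quit; };
-	action block;
-	reason "Infected by Gaggle worm";
-};
-
-spamfilter {
-	match-type posix;
-	match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
-	target private;
-	action block;
-	reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
-};
-
-spamfilter {
-	match-type posix;
-	match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
-	target channel;
-	action block;
-	reason "$decode exploit";
-};
-
-/*
-spamfilter {
-	regex "//write \$decode\(.+\|.+load -rs";
-	target { private; channel; };
-	reason "Generic $decode exploit";
-	action block;
-};
-*/
-
-spamfilter {
-	match-type posix;
-	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
-	target private;
-	action block;
-	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
-};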
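Review bot: The guidance on the 'action' field (start new spamfilters with `action block`, escalate to kill/gline only after false positives are known) was removed from the file header comment, yet the new file still ships several `action gline` rules while its own header now says the rules have been unmaintained since 2005. Suggest restoring that guidance under the 'General note' block, e.g. `/* Start new spamfilters with 'action block' and only escalate to kill/gline once false positives are understood. */`. The simple-match rule `match "C:\\WINNT\\system32\\*.zip";` likewise lost the comment explaining it is a broad signature kept at `block` for that reason, and with `*` it now matches any .zip name rather than the character class the posix version used, so a one-line comment there would keep the intent visible. Minor: 'paramaters' in the comment above the `(.+ ){20}` rule should read 'parameters'.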