unrealircd/extras/patches/spamfilter.conf.patch

--- spamfilter.conf.old	2015-06-27 18:29:01.084559805 +0200
+++ spamfilter.conf	2019-04-04 18:29:38.390647262 +0200
@@ -1,232 +1,154 @@
 /*
- * This an example spamfilter file, it contains several
- * real and useful spamfilters. This should give you an
- * idea of how powerful spamfilter can be in real-life
- * situations.
+ * This configuration file contains example spamfilter rules.
+ * They are real rules that were useful a long time ago.
+ * Since 2005 these rules are no longer maintained.
+ * The main purpose nowadays is to serve as an example
+ * to give you an idea of how powerful spamfilters can
+ * be in real-life situations.
  *
- * $Id$
+ * Documentation on spamfilter is available at:
+ * https://www.unrealircd.org/docs/Spamfilter
  */
 
-/* Guidelines on the 'action' field:
- * As a general rule we use 'action block' for any newly added
- * spamfilters at first, later on (after knowing about false
- * positives) we might change some to viruschan/kill/gline/etc..
+/* General note:
+ * If you want to use a \ in a spamfilter, or in fact
+ * anywhere in the configuration file, then you need
+ * to escape this to \\ instead.
  */
 
-spamfilter {
-	match-type posix;
-	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
-	target { private; channel; };
-	action kill;
-	reason "mIRC 6.0-6.11 exploit attempt";
-};
 
-spamfilter {
-	match-type posix;
-	match "\x01DCC (SEND|RESUME).{225}";
-	target { private; channel; };
-	action kill;
-	reason "Possible mIRC 6.12 exploit attempt";
-};
+/* First some spamfilters with match-type 'simple'.
+ * The only matchers available are * and ?
+ * PRO's: very fast, easy matching: everyone can do this.
+ * CON's: limited ability to fine-tune spamfilters
+ */
 
 spamfilter {
-	match-type posix;
-	match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
+	match-type simple;
+	match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
 	target private;
 	action gline;
 	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
 };
 
+/* This signature uses a \ which has to escaped to \\ in the configuration file */
 spamfilter {
-	match-type posix;
-	match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
-	target private;
-	action gline;
-	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
-};
-
-spamfilter {
-	match-type posix;
-	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
-	target private;
+	match-type simple;
+	match "C:\\WINNT\\system32\\*.zip";
+	target dcc;
 	action block;
-	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
+	reason "Infected by Gaggle worm?";
 };
 
 spamfilter {
-	match-type posix;
-	match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
+	match-type simple;
+	match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
 	target private;
 	action gline;
-	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!login Wasszup!$";
-	target channel;
-	action gline;
-	reason "Attempting to login to a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!login grrrr yeah baby!$";
-	target channel;
-	action gline;
-	reason "Attempting to login to a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
-
-spamfilter {
-	match-type posix;
-	match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
+	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
 };
 
 spamfilter {
-	match-type posix;
-	match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
-	target channel;
+	match-type simple;
+	match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
+	target private;
 	action gline;
-	reason "Attempting to use a GTBot";
+	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
 };
 
-spamfilter {
-	match-type posix;
-	match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
-	target channel;
-	action gline;
-	reason "Attempting to use a GTBot";
-};
 
-spamfilter {
-	match-type posix;
-	match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
-	target channel;
-	action gline;
-	reason "Attempting to use an SDBot";
-};
+/* Now spamfilters of type 'regex'.
+ * These use powerful regular expressions (Perl/PCRE style)
+ * You may have to learn more about "regex" first before you
+ * can use them. For example the dot ('.') has special meaning.
+ */
 
+/* This regex shows a pattern which requires 20 paramaters,
+ * such as "x x x x x x x x x x x x x x x x x x x x"
+ */
 spamfilter {
-	match-type posix;
-	match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
-	target { channel; private; };
-	action gline;
-	reason "Attempting to use a SpyBot";
+	match-type regex;
+	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
+	target { private; channel; };
+	action kill;
+	reason "mIRC 6.0-6.11 exploit attempt";
 };
 
+/* Similarly, this regex shows a pattern that matches
+ * against at least 225 characters in length.
+ */
 spamfilter {
-	match-type posix;
-	match "^porn! porno! http://.+\/sexo\.exe";
-	target private;
-	action gline;
-	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
+	match-type regex;
+	match "\x01DCC (SEND|RESUME).{225}";
+	target { private; channel; };
+	action kill;
+	reason "Possible mIRC 6.12 exploit attempt";
 };
 
+/* Earlier you saw an example of a $decode exploit which used
+ * match-type 'simple' and - indeed - the filter was quite simple.
+ * The following uses a regex with a similar example.
+ * Regular expressions are very powerful but here you can see
+ * that it actually complicates writing a filter quite a bit.
+ * With regex in this filter we need to escape the ( and all
+ * the dots, question marks, etc. if we want to match these
+ * characters in literal text.
+ */
 spamfilter {
-	match-type posix;
-	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
+	match-type regex;
+	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
 	target private;
-	action gline;
-	reason "Infected by some trojan (erotica?)";
+	action block;
+	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
 };
 
 spamfilter {
-	match-type posix;
-	match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
+	match-type regex;
+	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
 	target private;
-	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+	action block;
+	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
 };
 
+/* This shows a regex which specifically matches an entire line by 
+ * the use of ^ and $
+ */
 spamfilter {
-	match-type posix;
-	match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
-	target private;
+	match-type regex;
+	match "^!login Wasszup!$";
+	target channel;
 	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+	reason "Attempting to login to a GTBot";
 };
 
+/* An example of how to match against an IP address in text (IPv4 only) */
 spamfilter {
-	match-type posix;
-	match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
-	target private;
+	match-type regex;
+	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
+	target channel;
 	action gline;
-	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
+	reason "Attempting to use a GTBot";
 };
 
+/* A slightly more complex example with a partial OR matcher (|) */
 spamfilter {
-	match-type posix;
-	match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
+	match-type regex;
+	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
 	target private;
 	action gline;
-	reason "Infected by LOI trojan";
-};
-
-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
-spamfilter {
-	match-type posix;
-	match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
-	target dcc;
-	action block;
-	reason "Infected by Gaggle worm?";
+	reason "Infected by some trojan (erotica?)";
 };
 
+/* In regex a \ is special and needs to be escaped to \\
+ * However in this configuration file, \ is also special and
+ * needs to be escaped to \\ as well.
+ * The result is that we need double escaping:
+ * To match a \ you need to write \\\\ in the configuration file.
+ */
 spamfilter {
-	match-type posix;
-	match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
+	match-type regex;
+	match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
 	target dcc;
 	action dccblock;
 	reason "Infected by Gaggle worm";
 };
-
-spamfilter {
-	match-type posix;
-	match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
-	target { private; quit; };
-	action block;
-	reason "Infected by Gaggle worm";
-};
-
-spamfilter {
-	match-type posix;
-	match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
-	target private;
-	action block;
-	reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
-};
-
-spamfilter {
-	match-type posix;
-	match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
-	target channel;
-	action block;
-	reason "$decode exploit";
-};
-
-/*
-spamfilter {
-	regex "//write \$decode\(.+\|.+load -rs";
-	target { private; channel; };
-	reason "Generic $decode exploit";
-	action block;
-};
-*/
-
-spamfilter {
-	match-type posix;
-	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
-	target private;
-	action block;
-	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
-};
Initial commit 2020-03-29 09:16:53 +00:00			`--- spamfilter.conf.old 2015-06-27 18:29:01.084559805 +0200`
			`+++ spamfilter.conf 2019-04-04 18:29:38.390647262 +0200`
			`@@ -1,232 +1,154 @@`
			`/*`
			`- * This an example spamfilter file, it contains several`
			`- * real and useful spamfilters. This should give you an`
			`- * idea of how powerful spamfilter can be in real-life`
			`- * situations.`
			`+ * This configuration file contains example spamfilter rules.`
			`+ * They are real rules that were useful a long time ago.`
			`+ * Since 2005 these rules are no longer maintained.`
			`+ * The main purpose nowadays is to serve as an example`
			`+ * to give you an idea of how powerful spamfilters can`
			`+ * be in real-life situations.`
			`*`
			`- * $Id$`
			`+ * Documentation on spamfilter is available at:`
			`+ * https://www.unrealircd.org/docs/Spamfilter`
			`*/`

			`-/* Guidelines on the 'action' field:`
			`- * As a general rule we use 'action block' for any newly added`
			`- * spamfilters at first, later on (after knowing about false`
			`- * positives) we might change some to viruschan/kill/gline/etc..`
			`+/* General note:`
			`+ * If you want to use a \ in a spamfilter, or in fact`
			`+ * anywhere in the configuration file, then you need`
			`+ * to escape this to \\ instead.`
			`*/`

			`-spamfilter {`
			`- match-type posix;`
			`- match "\x01DCC (SEND\|RESUME)[ ]+\"(.+ ){20}";`
			`- target { private; channel; };`
			`- action kill;`
			`- reason "mIRC 6.0-6.11 exploit attempt";`
			`-};`

			`-spamfilter {`
			`- match-type posix;`
			`- match "\x01DCC (SEND\|RESUME).{225}";`
			`- target { private; channel; };`
			`- action kill;`
			`- reason "Possible mIRC 6.12 exploit attempt";`
			`-};`
			`+/* First some spamfilters with match-type 'simple'.`
			`+ * The only matchers available are * and ?`
			`+ * PRO's: very fast, easy matching: everyone can do this.`
			`+ * CON's: limited ability to fine-tune spamfilters`
			`+ */`

			`spamfilter {`
			`- match-type posix;`
			`- match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";`
			`+ match-type simple;`
			`+ match "Come watch me on my webcam and chat /w me :-) http://:/me.mpg";`
			`target private;`
			`action gline;`
			`reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";`
			`};`

			`+/* This signature uses a \ which has to escaped to \\ in the configuration file */`
			`spamfilter {`
			`- match-type posix;`
			`- match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";`
			`- target private;`
			`- action gline;`
			`- reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";`
			`- target private;`
			`+ match-type simple;`
			`+ match "C:\\WINNT\\system32\\*.zip";`
			`+ target dcc;`
			`action block;`
			`- reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";`
			`+ reason "Infected by Gaggle worm?";`
			`};`

			`spamfilter {`
			`- match-type posix;`
			`- match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";`
			`+ match-type simple;`
			`+ match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";`
			`target private;`
			`action gline;`
			`- reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^!login Wasszup!$";`
			`- target channel;`
			`- action gline;`
			`- reason "Attempting to login to a GTBot";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^!login grrrr yeah baby!$";`
			`- target channel;`
			`- action gline;`
			`- reason "Attempting to login to a GTBot";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";`
			`- target channel;`
			`- action gline;`
			`- reason "Attempting to use a GTBot";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^!icqpagebomb ([0-9]{1,15} ){2}.+";`
			`- target channel;`
			`- action gline;`
			`- reason "Attempting to use a GTBot";`
			`+ reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";`
			`};`

			`spamfilter {`
			`- match-type posix;`
			`- match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";`
			`- target channel;`
			`+ match-type simple;`
			`+ match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) \| .load -rs nospam \| //mode $me +R";`
			`+ target private;`
			`action gline;`
			`- reason "Attempting to use a GTBot";`
			`+ reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";`
			`};`

			`-spamfilter {`
			`- match-type posix;`
			`- match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";`
			`- target channel;`
			`- action gline;`
			`- reason "Attempting to use a GTBot";`
			`-};`

			`-spamfilter {`
			`- match-type posix;`
			`- match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";`
			`- target channel;`
			`- action gline;`
			`- reason "Attempting to use an SDBot";`
			`-};`
			`+/* Now spamfilters of type 'regex'.`
			`+ * These use powerful regular expressions (Perl/PCRE style)`
			`+ * You may have to learn more about "regex" first before you`
			`+ * can use them. For example the dot ('.') has special meaning.`
			`+ */`

			`+/* This regex shows a pattern which requires 20 paramaters,`
			`+ * such as "x x x x x x x x x x x x x x x x x x x x"`
			`+ */`
			`spamfilter {`
			`- match-type posix;`
			`- match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})\|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";`
			`- target { channel; private; };`
			`- action gline;`
			`- reason "Attempting to use a SpyBot";`
			`+ match-type regex;`
			`+ match "\x01DCC (SEND\|RESUME)[ ]+\"(.+ ){20}";`
			`+ target { private; channel; };`
			`+ action kill;`
			`+ reason "mIRC 6.0-6.11 exploit attempt";`
			`};`

			`+/* Similarly, this regex shows a pattern that matches`
			`+ * against at least 225 characters in length.`
			`+ */`
			`spamfilter {`
			`- match-type posix;`
			`- match "^porn! porno! http://.+\/sexo\.exe";`
			`- target private;`
			`- action gline;`
			`- reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";`
			`+ match-type regex;`
			`+ match "\x01DCC (SEND\|RESUME).{225}";`
			`+ target { private; channel; };`
			`+ action kill;`
			`+ reason "Possible mIRC 6.12 exploit attempt";`
			`};`

			`+/* Earlier you saw an example of a $decode exploit which used`
			`+ * match-type 'simple' and - indeed - the filter was quite simple.`
			`+ * The following uses a regex with a similar example.`
			`+ * Regular expressions are very powerful but here you can see`
			`+ * that it actually complicates writing a filter quite a bit.`
			`+ * With regex in this filter we need to escape the ( and all`
			`+ * the dots, question marks, etc. if we want to match these`
			`+ * characters in literal text.`
			`+ */`
			`spamfilter {`
			`- match-type posix;`
			`- match "(^wait a minute plz\. i am updating my site\|.my erotic video).http://.+/erotic(a)?/myvideo\.exe$";`
			`+ match-type regex;`
			`+ match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \\| \.load -rs \$decode\(.+=.?,m\)$";`
			`target private;`
			`- action gline;`
			`- reason "Infected by some trojan (erotica?)";`
			`+ action block;`
			`+ reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";`
			`};`

			`spamfilter {`
			`- match-type posix;`
			`- match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \\| \.load -rs nospam \\| //mode \$me \+R$";`
			`+ match-type regex;`
			`+ match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";`
			`target private;`
			`- action gline;`
			`- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";`
			`+ action block;`
			`+ reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";`
			`};`

			`+/* This shows a regex which specifically matches an entire line by`
			`+ * the use of ^ and $`
			`+ */`
			`spamfilter {`
			`- match-type posix;`
			`- match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \\| \.load -rs Matrix2 \\| //mode \$me \+R$";`
			`- target private;`
			`+ match-type regex;`
			`+ match "^!login Wasszup!$";`
			`+ target channel;`
			`action gline;`
			`- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";`
			`+ reason "Attempting to login to a GTBot";`
			`};`

			`+/* An example of how to match against an IP address in text (IPv4 only) */`
			`spamfilter {`
			`- match-type posix;`
			`- match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.,m\) \\| \$decode\(.,m\)$";`
			`- target private;`
			`+ match-type regex;`
			`+ match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";`
			`+ target channel;`
			`action gline;`
			`- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";`
			`+ reason "Attempting to use a GTBot";`
			`};`

			`+/* A slightly more complex example with a partial OR matcher (\|) */`
			`spamfilter {`
			`- match-type posix;`
			`- match ".(http://jokes\.clubdepeche\.com\|http://horny\.69sexy\.net\|http://private\.a123sdsdssddddgfg\.com).";`
			`+ match-type regex;`
			`+ match "(^wait a minute plz\. i am updating my site\|.my erotic video).http://.+/erotic(a)?/myvideo\.exe$";`
			`target private;`
			`action gline;`
			`- reason "Infected by LOI trojan";`
			`-};`
			`-`
			`-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */`
			`-spamfilter {`
			`- match-type posix;`
			- match "C:\\WINNT\\system32\\[][0-9a-z_-{\|}`]+\.zip";
			`- target dcc;`
			`- action block;`
			`- reason "Infected by Gaggle worm?";`
			`+ reason "Infected by some trojan (erotica?)";`
			`};`

			`+/* In regex a \ is special and needs to be escaped to \\`
			`+ * However in this configuration file, \ is also special and`
			`+ * needs to be escaped to \\ as well.`
			`+ * The result is that we need double escaping:`
			`+ * To match a \ you need to write \\\\ in the configuration file.`
			`+ */`
			`spamfilter {`
			`- match-type posix;`
			`- match "C:\\WINNT\\system32\\(notes\|videos\|xxx\|ManualSeduccion\|postal\|hechizos\|images\|sex\|avril)\.zip";`
			`+ match-type regex;`
			`+ match "C:\\\\WINNT\\\\system32\\\\(notes\|videos\|xxx\|ManualSeduccion\|postal\|hechizos\|images\|sex\|avril)\.zip";`
			`target dcc;`
			`action dccblock;`
			`reason "Infected by Gaggle worm";`
			`};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif\|jpg\|avi\|txt)";`
			`- target { private; quit; };`
			`- action block;`
			`- reason "Infected by Gaggle worm";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru\|www\.girlporn\.org)";`
			`- target private;`
			`- action block;`
			`- reason "Unknown virus. Site causes Backdoor.Delf.lq infection";`
			`-};`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";`
			`- target channel;`
			`- action block;`
			`- reason "$decode exploit";`
			`-};`
			`-`
			`-/*`
			`-spamfilter {`
			`- regex "//write \$decode\(.+\\|.+load -rs";`
			`- target { private; channel; };`
			`- reason "Generic $decode exploit";`
			`- action block;`
			`-};`
			`-*/`
			`-`
			`-spamfilter {`
			`- match-type posix;`
			`- match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \\| \.load -rs \$decode\(.+=.?,m\)$";`
			`- target private;`
			`- action block;`
			`- reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";`
			`-};`