mirror of
git://git.acid.vegas/unrealircd.git
synced 2024-12-27 08:46:37 +00:00
329 lines
10 KiB
Diff
329 lines
10 KiB
Diff
|
--- spamfilter.conf.old 2015-06-27 18:29:01.084559805 +0200
|
||
|
+++ spamfilter.conf 2019-04-04 18:29:38.390647262 +0200
|
||
|
@@ -1,232 +1,154 @@
|
||
|
/*
|
||
|
- * This an example spamfilter file, it contains several
|
||
|
- * real and useful spamfilters. This should give you an
|
||
|
- * idea of how powerful spamfilter can be in real-life
|
||
|
- * situations.
|
||
|
+ * This configuration file contains example spamfilter rules.
|
||
|
+ * They are real rules that were useful a long time ago.
|
||
|
+ * Since 2005 these rules are no longer maintained.
|
||
|
+ * The main purpose nowadays is to serve as an example
|
||
|
+ * to give you an idea of how powerful spamfilters can
|
||
|
+ * be in real-life situations.
|
||
|
*
|
||
|
- * $Id$
|
||
|
+ * Documentation on spamfilter is available at:
|
||
|
+ * https://www.unrealircd.org/docs/Spamfilter
|
||
|
*/
|
||
|
|
||
|
-/* Guidelines on the 'action' field:
|
||
|
- * As a general rule we use 'action block' for any newly added
|
||
|
- * spamfilters at first, later on (after knowing about false
|
||
|
- * positives) we might change some to viruschan/kill/gline/etc..
|
||
|
+/* General note:
|
||
|
+ * If you want to use a \ in a spamfilter, or in fact
|
||
|
+ * anywhere in the configuration file, then you need
|
||
|
+ * to escape this to \\ instead.
|
||
|
*/
|
||
|
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
|
||
|
- target { private; channel; };
|
||
|
- action kill;
|
||
|
- reason "mIRC 6.0-6.11 exploit attempt";
|
||
|
-};
|
||
|
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "\x01DCC (SEND|RESUME).{225}";
|
||
|
- target { private; channel; };
|
||
|
- action kill;
|
||
|
- reason "Possible mIRC 6.12 exploit attempt";
|
||
|
-};
|
||
|
+/* First some spamfilters with match-type 'simple'.
|
||
|
+ * The only matchers available are * and ?
|
||
|
+ * PRO's: very fast, easy matching: everyone can do this.
|
||
|
+ * CON's: limited ability to fine-tune spamfilters
|
||
|
+ */
|
||
|
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
|
||
|
+ match-type simple;
|
||
|
+ match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
|
||
|
target private;
|
||
|
action gline;
|
||
|
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
|
||
|
};
|
||
|
|
||
|
+/* This signature uses a \ which has to escaped to \\ in the configuration file */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
|
||
|
- target private;
|
||
|
- action gline;
|
||
|
- reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
|
||
|
- target private;
|
||
|
+ match-type simple;
|
||
|
+ match "C:\\WINNT\\system32\\*.zip";
|
||
|
+ target dcc;
|
||
|
action block;
|
||
|
- reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
|
||
|
+ reason "Infected by Gaggle worm?";
|
||
|
};
|
||
|
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
|
||
|
+ match-type simple;
|
||
|
+ match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
|
||
|
target private;
|
||
|
action gline;
|
||
|
- reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^!login Wasszup!$";
|
||
|
- target channel;
|
||
|
- action gline;
|
||
|
- reason "Attempting to login to a GTBot";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^!login grrrr yeah baby!$";
|
||
|
- target channel;
|
||
|
- action gline;
|
||
|
- reason "Attempting to login to a GTBot";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
|
||
|
- target channel;
|
||
|
- action gline;
|
||
|
- reason "Attempting to use a GTBot";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
|
||
|
- target channel;
|
||
|
- action gline;
|
||
|
- reason "Attempting to use a GTBot";
|
||
|
+ reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
|
||
|
};
|
||
|
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
|
||
|
- target channel;
|
||
|
+ match-type simple;
|
||
|
+ match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
|
||
|
+ target private;
|
||
|
action gline;
|
||
|
- reason "Attempting to use a GTBot";
|
||
|
+ reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
||
|
};
|
||
|
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
|
||
|
- target channel;
|
||
|
- action gline;
|
||
|
- reason "Attempting to use a GTBot";
|
||
|
-};
|
||
|
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
|
||
|
- target channel;
|
||
|
- action gline;
|
||
|
- reason "Attempting to use an SDBot";
|
||
|
-};
|
||
|
+/* Now spamfilters of type 'regex'.
|
||
|
+ * These use powerful regular expressions (Perl/PCRE style)
|
||
|
+ * You may have to learn more about "regex" first before you
|
||
|
+ * can use them. For example the dot ('.') has special meaning.
|
||
|
+ */
|
||
|
|
||
|
+/* This regex shows a pattern which requires 20 paramaters,
|
||
|
+ * such as "x x x x x x x x x x x x x x x x x x x x"
|
||
|
+ */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
|
||
|
- target { channel; private; };
|
||
|
- action gline;
|
||
|
- reason "Attempting to use a SpyBot";
|
||
|
+ match-type regex;
|
||
|
+ match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
|
||
|
+ target { private; channel; };
|
||
|
+ action kill;
|
||
|
+ reason "mIRC 6.0-6.11 exploit attempt";
|
||
|
};
|
||
|
|
||
|
+/* Similarly, this regex shows a pattern that matches
|
||
|
+ * against at least 225 characters in length.
|
||
|
+ */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^porn! porno! http://.+\/sexo\.exe";
|
||
|
- target private;
|
||
|
- action gline;
|
||
|
- reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
|
||
|
+ match-type regex;
|
||
|
+ match "\x01DCC (SEND|RESUME).{225}";
|
||
|
+ target { private; channel; };
|
||
|
+ action kill;
|
||
|
+ reason "Possible mIRC 6.12 exploit attempt";
|
||
|
};
|
||
|
|
||
|
+/* Earlier you saw an example of a $decode exploit which used
|
||
|
+ * match-type 'simple' and - indeed - the filter was quite simple.
|
||
|
+ * The following uses a regex with a similar example.
|
||
|
+ * Regular expressions are very powerful but here you can see
|
||
|
+ * that it actually complicates writing a filter quite a bit.
|
||
|
+ * With regex in this filter we need to escape the ( and all
|
||
|
+ * the dots, question marks, etc. if we want to match these
|
||
|
+ * characters in literal text.
|
||
|
+ */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
|
||
|
+ match-type regex;
|
||
|
+ match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
|
||
|
target private;
|
||
|
- action gline;
|
||
|
- reason "Infected by some trojan (erotica?)";
|
||
|
+ action block;
|
||
|
+ reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
|
||
|
};
|
||
|
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
|
||
|
+ match-type regex;
|
||
|
+ match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
|
||
|
target private;
|
||
|
- action gline;
|
||
|
- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
||
|
+ action block;
|
||
|
+ reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
|
||
|
};
|
||
|
|
||
|
+/* This shows a regex which specifically matches an entire line by
|
||
|
+ * the use of ^ and $
|
||
|
+ */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
|
||
|
- target private;
|
||
|
+ match-type regex;
|
||
|
+ match "^!login Wasszup!$";
|
||
|
+ target channel;
|
||
|
action gline;
|
||
|
- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
||
|
+ reason "Attempting to login to a GTBot";
|
||
|
};
|
||
|
|
||
|
+/* An example of how to match against an IP address in text (IPv4 only) */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
|
||
|
- target private;
|
||
|
+ match-type regex;
|
||
|
+ match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
|
||
|
+ target channel;
|
||
|
action gline;
|
||
|
- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
||
|
+ reason "Attempting to use a GTBot";
|
||
|
};
|
||
|
|
||
|
+/* A slightly more complex example with a partial OR matcher (|) */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
|
||
|
+ match-type regex;
|
||
|
+ match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
|
||
|
target private;
|
||
|
action gline;
|
||
|
- reason "Infected by LOI trojan";
|
||
|
-};
|
||
|
-
|
||
|
-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
|
||
|
- target dcc;
|
||
|
- action block;
|
||
|
- reason "Infected by Gaggle worm?";
|
||
|
+ reason "Infected by some trojan (erotica?)";
|
||
|
};
|
||
|
|
||
|
+/* In regex a \ is special and needs to be escaped to \\
|
||
|
+ * However in this configuration file, \ is also special and
|
||
|
+ * needs to be escaped to \\ as well.
|
||
|
+ * The result is that we need double escaping:
|
||
|
+ * To match a \ you need to write \\\\ in the configuration file.
|
||
|
+ */
|
||
|
spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
|
||
|
+ match-type regex;
|
||
|
+ match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
|
||
|
target dcc;
|
||
|
action dccblock;
|
||
|
reason "Infected by Gaggle worm";
|
||
|
};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
|
||
|
- target { private; quit; };
|
||
|
- action block;
|
||
|
- reason "Infected by Gaggle worm";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
|
||
|
- target private;
|
||
|
- action block;
|
||
|
- reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
|
||
|
-};
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
|
||
|
- target channel;
|
||
|
- action block;
|
||
|
- reason "$decode exploit";
|
||
|
-};
|
||
|
-
|
||
|
-/*
|
||
|
-spamfilter {
|
||
|
- regex "//write \$decode\(.+\|.+load -rs";
|
||
|
- target { private; channel; };
|
||
|
- reason "Generic $decode exploit";
|
||
|
- action block;
|
||
|
-};
|
||
|
-*/
|
||
|
-
|
||
|
-spamfilter {
|
||
|
- match-type posix;
|
||
|
- match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
|
||
|
- target private;
|
||
|
- action block;
|
||
|
- reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
|
||
|
-};
|