mirror of https://github.com/pissnet/pissircd.git
155 lines
4.8 KiB
Plaintext
155 lines
4.8 KiB
Plaintext
/*
|
|
* This configuration file contains example spamfilter rules.
|
|
* They are real rules that were useful a long time ago.
|
|
* Since 2005 these rules are no longer maintained.
|
|
* The main purpose nowadays is to serve as an example
|
|
* to give you an idea of how powerful spamfilters can
|
|
* be in real-life situations.
|
|
*
|
|
* Documentation on spamfilter is available at:
|
|
* https://www.unrealircd.org/docs/Spamfilter
|
|
*/
|
|
|
|
/* General notes:
|
|
* 1) We use match 'xyz' instead of match "xyz". When using single quotes
|
|
* you don't risk it being interpreted as an URL for remote includes.
|
|
* 2) If you want to use a \ in a spamfilter, or in fact anywhere in the
|
|
* configuration file, then you need to escape this to \\ instead.
|
|
*/
|
|
|
|
/* First some spamfilters with match-type 'simple'.
|
|
* The only matchers available are * and ?
|
|
* PRO's: very fast, easy matching: everyone can do this.
|
|
* CON's: limited ability to fine-tune spamfilters
|
|
*/
|
|
|
|
spamfilter {
|
|
match-type simple;
|
|
match 'Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg';
|
|
target private;
|
|
action gline;
|
|
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
|
|
}
|
|
|
|
/* This signature uses a \ which has to escaped to \\ in the configuration file */
|
|
spamfilter {
|
|
match-type simple;
|
|
match 'C:\\WINNT\\system32\\*.zip';
|
|
target dcc;
|
|
action block;
|
|
reason "Infected by Gaggle worm?";
|
|
}
|
|
|
|
spamfilter {
|
|
match-type simple;
|
|
match 'Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe';
|
|
target private;
|
|
action gline;
|
|
reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
|
|
}
|
|
|
|
spamfilter {
|
|
match-type simple;
|
|
match 'STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R';
|
|
target private;
|
|
action gline;
|
|
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
|
}
|
|
|
|
|
|
/* Now spamfilters of type 'regex'.
|
|
* These use powerful regular expressions (Perl/PCRE style)
|
|
* You may have to learn more about "regex" first before you
|
|
* can use them. For example the dot ('.') has special meaning.
|
|
*/
|
|
|
|
/* This regex shows a pattern which requires 20 paramaters,
|
|
* such as "x x x x x x x x x x x x x x x x x x x x"
|
|
*/
|
|
spamfilter {
|
|
match-type regex;
|
|
match '\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}';
|
|
target { private; channel; }
|
|
action kill;
|
|
reason "mIRC 6.0-6.11 exploit attempt";
|
|
}
|
|
|
|
/* Similarly, this regex shows a pattern that matches
|
|
* against at least 225 characters in length.
|
|
*/
|
|
spamfilter {
|
|
match-type regex;
|
|
match '\x01DCC (SEND|RESUME).{225}';
|
|
target { private; channel; }
|
|
action kill;
|
|
reason "Possible mIRC 6.12 exploit attempt";
|
|
}
|
|
|
|
/* Earlier you saw an example of a $decode exploit which used
|
|
* match-type 'simple' and - indeed - the filter was quite simple.
|
|
* The following uses a regex with a similar example.
|
|
* Regular expressions are very powerful but here you can see
|
|
* that it actually complicates writing a filter quite a bit.
|
|
* With regex in this filter we need to escape the ( and all
|
|
* the dots, question marks, etc. if we want to match these
|
|
* characters in literal text.
|
|
*/
|
|
spamfilter {
|
|
match-type regex;
|
|
match '^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$';
|
|
target private;
|
|
action block;
|
|
reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
|
|
}
|
|
|
|
spamfilter {
|
|
match-type regex;
|
|
match '^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!';
|
|
target private;
|
|
action block;
|
|
reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
|
|
}
|
|
|
|
/* This shows a regex which specifically matches an entire line by
|
|
* the use of ^ and $
|
|
*/
|
|
spamfilter {
|
|
match-type regex;
|
|
match '^!login Wasszup!$';
|
|
target channel;
|
|
action gline;
|
|
reason "Attempting to login to a GTBot";
|
|
}
|
|
|
|
/* An example of how to match against an IP address in text (IPv4 only) */
|
|
spamfilter {
|
|
match-type regex;
|
|
match '^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}';
|
|
target channel;
|
|
action gline;
|
|
reason "Attempting to use a GTBot";
|
|
}
|
|
|
|
/* A slightly more complex example with a partial OR matcher (|) */
|
|
spamfilter {
|
|
match-type regex;
|
|
match '(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$';
|
|
target private;
|
|
action gline;
|
|
reason "Infected by some trojan (erotica?)";
|
|
}
|
|
|
|
/* In regex a \ is special and needs to be escaped to \\
|
|
* However in this configuration file, \ is also special and
|
|
* needs to be escaped to \\ as well.
|
|
* The result is that we need double escaping:
|
|
* To match a \ you need to write \\\\ in the configuration file.
|
|
*/
|
|
spamfilter {
|
|
match-type regex;
|
|
match 'C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip';
|
|
target dcc;
|
|
action dccblock;
|
|
reason "Infected by Gaggle worm";
|
|
}
|