mirror of
https://github.com/pissnet/pissircd.git
synced 2024-06-05 07:48:44 +01:00
4e75af79fa
'posix' to 'regex' if the user is using the exact same spamfilter.conf that shipped with UnrealIRCd 4.x until now. Otherwise, we do not update anything. Also, custom spamfilters in this file are not touched. Let's hope this will apply to most of our users to ensure that they will have no or less issues with the 'posix' to 'regex' conversion process.
328 lines
10 KiB
Diff
328 lines
10 KiB
Diff
--- spamfilter.conf.old 2015-06-27 18:29:01.084559805 +0200
|
|
+++ spamfilter.conf 2019-04-04 18:29:38.390647262 +0200
|
|
@@ -1,232 +1,154 @@
|
|
/*
|
|
- * This an example spamfilter file, it contains several
|
|
- * real and useful spamfilters. This should give you an
|
|
- * idea of how powerful spamfilter can be in real-life
|
|
- * situations.
|
|
+ * This configuration file contains example spamfilter rules.
|
|
+ * They are real rules that were useful a long time ago.
|
|
+ * Since 2005 these rules are no longer maintained.
|
|
+ * The main purpose nowadays is to serve as an example
|
|
+ * to give you an idea of how powerful spamfilters can
|
|
+ * be in real-life situations.
|
|
*
|
|
- * $Id$
|
|
+ * Documentation on spamfilter is available at:
|
|
+ * https://www.unrealircd.org/docs/Spamfilter
|
|
*/
|
|
|
|
-/* Guidelines on the 'action' field:
|
|
- * As a general rule we use 'action block' for any newly added
|
|
- * spamfilters at first, later on (after knowing about false
|
|
- * positives) we might change some to viruschan/kill/gline/etc..
|
|
+/* General note:
|
|
+ * If you want to use a \ in a spamfilter, or in fact
|
|
+ * anywhere in the configuration file, then you need
|
|
+ * to escape this to \\ instead.
|
|
*/
|
|
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
|
|
- target { private; channel; };
|
|
- action kill;
|
|
- reason "mIRC 6.0-6.11 exploit attempt";
|
|
-};
|
|
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "\x01DCC (SEND|RESUME).{225}";
|
|
- target { private; channel; };
|
|
- action kill;
|
|
- reason "Possible mIRC 6.12 exploit attempt";
|
|
-};
|
|
+/* First some spamfilters with match-type 'simple'.
|
|
+ * The only matchers available are * and ?
|
|
+ * PRO's: very fast, easy matching: everyone can do this.
|
|
+ * CON's: limited ability to fine-tune spamfilters
|
|
+ */
|
|
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
|
|
+ match-type simple;
|
|
+ match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
|
|
target private;
|
|
action gline;
|
|
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
|
|
};
|
|
|
|
+/* This signature uses a \ which has to escaped to \\ in the configuration file */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
|
|
- target private;
|
|
- action gline;
|
|
- reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
|
|
- target private;
|
|
+ match-type simple;
|
|
+ match "C:\\WINNT\\system32\\*.zip";
|
|
+ target dcc;
|
|
action block;
|
|
- reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
|
|
+ reason "Infected by Gaggle worm?";
|
|
};
|
|
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
|
|
+ match-type simple;
|
|
+ match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
|
|
target private;
|
|
action gline;
|
|
- reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^!login Wasszup!$";
|
|
- target channel;
|
|
- action gline;
|
|
- reason "Attempting to login to a GTBot";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^!login grrrr yeah baby!$";
|
|
- target channel;
|
|
- action gline;
|
|
- reason "Attempting to login to a GTBot";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
|
|
- target channel;
|
|
- action gline;
|
|
- reason "Attempting to use a GTBot";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
|
|
- target channel;
|
|
- action gline;
|
|
- reason "Attempting to use a GTBot";
|
|
+ reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
|
|
};
|
|
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
|
|
- target channel;
|
|
+ match-type simple;
|
|
+ match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
|
|
+ target private;
|
|
action gline;
|
|
- reason "Attempting to use a GTBot";
|
|
+ reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
|
};
|
|
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
|
|
- target channel;
|
|
- action gline;
|
|
- reason "Attempting to use a GTBot";
|
|
-};
|
|
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
|
|
- target channel;
|
|
- action gline;
|
|
- reason "Attempting to use an SDBot";
|
|
-};
|
|
+/* Now spamfilters of type 'regex'.
|
|
+ * These use powerful regular expressions (Perl/PCRE style)
|
|
+ * You may have to learn more about "regex" first before you
|
|
+ * can use them. For example the dot ('.') has special meaning.
|
|
+ */
|
|
|
|
+/* This regex shows a pattern which requires 20 paramaters,
|
|
+ * such as "x x x x x x x x x x x x x x x x x x x x"
|
|
+ */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
|
|
- target { channel; private; };
|
|
- action gline;
|
|
- reason "Attempting to use a SpyBot";
|
|
+ match-type regex;
|
|
+ match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
|
|
+ target { private; channel; };
|
|
+ action kill;
|
|
+ reason "mIRC 6.0-6.11 exploit attempt";
|
|
};
|
|
|
|
+/* Similarly, this regex shows a pattern that matches
|
|
+ * against at least 225 characters in length.
|
|
+ */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^porn! porno! http://.+\/sexo\.exe";
|
|
- target private;
|
|
- action gline;
|
|
- reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
|
|
+ match-type regex;
|
|
+ match "\x01DCC (SEND|RESUME).{225}";
|
|
+ target { private; channel; };
|
|
+ action kill;
|
|
+ reason "Possible mIRC 6.12 exploit attempt";
|
|
};
|
|
|
|
+/* Earlier you saw an example of a $decode exploit which used
|
|
+ * match-type 'simple' and - indeed - the filter was quite simple.
|
|
+ * The following uses a regex with a similar example.
|
|
+ * Regular expressions are very powerful but here you can see
|
|
+ * that it actually complicates writing a filter quite a bit.
|
|
+ * With regex in this filter we need to escape the ( and all
|
|
+ * the dots, question marks, etc. if we want to match these
|
|
+ * characters in literal text.
|
|
+ */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
|
|
+ match-type regex;
|
|
+ match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
|
|
target private;
|
|
- action gline;
|
|
- reason "Infected by some trojan (erotica?)";
|
|
+ action block;
|
|
+ reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
|
|
};
|
|
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
|
|
+ match-type regex;
|
|
+ match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
|
|
target private;
|
|
- action gline;
|
|
- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
|
+ action block;
|
|
+ reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
|
|
};
|
|
|
|
+/* This shows a regex which specifically matches an entire line by
|
|
+ * the use of ^ and $
|
|
+ */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
|
|
- target private;
|
|
+ match-type regex;
|
|
+ match "^!login Wasszup!$";
|
|
+ target channel;
|
|
action gline;
|
|
- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
|
+ reason "Attempting to login to a GTBot";
|
|
};
|
|
|
|
+/* An example of how to match against an IP address in text (IPv4 only) */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
|
|
- target private;
|
|
+ match-type regex;
|
|
+ match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
|
|
+ target channel;
|
|
action gline;
|
|
- reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
|
|
+ reason "Attempting to use a GTBot";
|
|
};
|
|
|
|
+/* A slightly more complex example with a partial OR matcher (|) */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
|
|
+ match-type regex;
|
|
+ match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
|
|
target private;
|
|
action gline;
|
|
- reason "Infected by LOI trojan";
|
|
-};
|
|
-
|
|
-/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
|
|
- target dcc;
|
|
- action block;
|
|
- reason "Infected by Gaggle worm?";
|
|
+ reason "Infected by some trojan (erotica?)";
|
|
};
|
|
|
|
+/* In regex a \ is special and needs to be escaped to \\
|
|
+ * However in this configuration file, \ is also special and
|
|
+ * needs to be escaped to \\ as well.
|
|
+ * The result is that we need double escaping:
|
|
+ * To match a \ you need to write \\\\ in the configuration file.
|
|
+ */
|
|
spamfilter {
|
|
- match-type posix;
|
|
- match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
|
|
+ match-type regex;
|
|
+ match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
|
|
target dcc;
|
|
action dccblock;
|
|
reason "Infected by Gaggle worm";
|
|
};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
|
|
- target { private; quit; };
|
|
- action block;
|
|
- reason "Infected by Gaggle worm";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
|
|
- target private;
|
|
- action block;
|
|
- reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
|
|
-};
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
|
|
- target channel;
|
|
- action block;
|
|
- reason "$decode exploit";
|
|
-};
|
|
-
|
|
-/*
|
|
-spamfilter {
|
|
- regex "//write \$decode\(.+\|.+load -rs";
|
|
- target { private; channel; };
|
|
- reason "Generic $decode exploit";
|
|
- action block;
|
|
-};
|
|
-*/
|
|
-
|
|
-spamfilter {
|
|
- match-type posix;
|
|
- match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
|
|
- target private;
|
|
- action block;
|
|
- reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
|
|
-};
|