unrealircd/doc/conf/spamfilter.conf

/*
 * This an example spamfilter file, it contains several
 * real and useful spamfilters. This should give you an
 * idea of how powerful spamfilter can be in real-life
 * situations.
 *
 * $Id$
 */

/* Guidelines on the 'action' field:
 * As a general rule we use 'action block' for any newly added
 * spamfilters at first, later on (after knowing about false
 * positives) we might change some to viruschan/kill/gline/etc..
 */

spamfilter {
	match-type posix;
	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
	target { private; channel; };
	action kill;
	reason "mIRC 6.0-6.11 exploit attempt";
};

spamfilter {
	match-type posix;
	match "\x01DCC (SEND|RESUME).{225}";
	target { private; channel; };
	action kill;
	reason "Possible mIRC 6.12 exploit attempt";
};

spamfilter {
	match-type posix;
	match "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
	target private;
	action gline;
	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
};

spamfilter {
	match-type posix;
	match "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
	target private;
	action gline;
	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
};

spamfilter {
	match-type posix;
	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
	target private;
	action block;
	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
};

spamfilter {
	match-type posix;
	match "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
	target private;
	action gline;
	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
};

spamfilter {
	match-type posix;
	match "^!login Wasszup!$";
	target channel;
	action gline;
	reason "Attempting to login to a GTBot";
};

spamfilter {
	match-type posix;
	match "^!login grrrr yeah baby!$";
	target channel;
	action gline;
	reason "Attempting to login to a GTBot";
};

spamfilter {
	match-type posix;
	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
	target channel;
	action gline;
	reason "Attempting to use a GTBot";
};

spamfilter {
	match-type posix;
	match "^!icqpagebomb ([0-9]{1,15} ){2}.+";
	target channel;
	action gline;
	reason "Attempting to use a GTBot";
};

spamfilter {
	match-type posix;
	match "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
	target channel;
	action gline;
	reason "Attempting to use a GTBot";
};

spamfilter {
	match-type posix;
	match "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
	target channel;
	action gline;
	reason "Attempting to use a GTBot";
};

spamfilter {
	match-type posix;
	match "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
	target channel;
	action gline;
	reason "Attempting to use an SDBot";
};

spamfilter {
	match-type posix;
	match "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
	target { channel; private; };
	action gline;
	reason "Attempting to use a SpyBot";
};

spamfilter {
	match-type posix;
	match "^porn! porno! http://.+\/sexo\.exe";
	target private;
	action gline;
	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};

spamfilter {
	match-type posix;
	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
	target private;
	action gline;
	reason "Infected by some trojan (erotica?)";
};

spamfilter {
	match-type posix;
	match "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	match-type posix;
	match "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	match-type posix;
	match "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	match-type posix;
	match ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
	target private;
	action gline;
	reason "Infected by LOI trojan";
};

/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
spamfilter {
	match-type posix;
	match "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
	target dcc;
	action block;
	reason "Infected by Gaggle worm?";
};

spamfilter {
	match-type posix;
	match "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
	target dcc;
	action dccblock;
	reason "Infected by Gaggle worm";
};

spamfilter {
	match-type posix;
	match "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
	target { private; quit; };
	action block;
	reason "Infected by Gaggle worm";
};

spamfilter {
	match-type posix;
	match "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
	target private;
	action block;
	reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
};

spamfilter {
	match-type posix;
	match "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
	target channel;
	action block;
	reason "$decode exploit";
};

/*
spamfilter {
	regex "//write \$decode\(.+\|.+load -rs";
	target { private; channel; };
	reason "Generic $decode exploit";
	action block;
};
*/

spamfilter {
	match-type posix;
	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
	target private;
	action block;
	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
};