1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-01 21:26:37 +02:00
Files
unrealircd/doc/conf/spamfilter.conf
T
Bram Matthys eaded2d12f Use spamfilter::match with single quotes in example spamfilter.conf
and give a hint to do that so they are not misinterpreted by an URL
since that may happen for other spamfilters (not the one included
in this file though). Suggested by Lord255.
2021-12-30 09:57:57 +01:00

155 lines
4.8 KiB
Plaintext

/*
* This configuration file contains example spamfilter rules.
* They are real rules that were useful a long time ago.
* Since 2005 these rules are no longer maintained.
* The main purpose nowadays is to serve as an example
* to give you an idea of how powerful spamfilters can
* be in real-life situations.
*
* Documentation on spamfilter is available at:
* https://www.unrealircd.org/docs/Spamfilter
*/
/* General notes:
* 1) We use match 'xyz' instead of match "xyz". When using single quotes
* you don't risk it being interpreted as an URL for remote includes.
* 2) If you want to use a \ in a spamfilter, or in fact anywhere in the
* configuration file, then you need to escape this to \\ instead.
*/
/* First some spamfilters with match-type 'simple'.
* The only matchers available are * and ?
* PRO's: very fast, easy matching: everyone can do this.
* CON's: limited ability to fine-tune spamfilters
*/
spamfilter {
match-type simple;
match 'Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg';
target private;
action gline;
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
}
/* This signature uses a \ which has to escaped to \\ in the configuration file */
spamfilter {
match-type simple;
match 'C:\\WINNT\\system32\\*.zip';
target dcc;
action block;
reason "Infected by Gaggle worm?";
}
spamfilter {
match-type simple;
match 'Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe';
target private;
action gline;
reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
}
spamfilter {
match-type simple;
match 'STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R';
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
}
/* Now spamfilters of type 'regex'.
* These use powerful regular expressions (Perl/PCRE style)
* You may have to learn more about "regex" first before you
* can use them. For example the dot ('.') has special meaning.
*/
/* This regex shows a pattern which requires 20 paramaters,
* such as "x x x x x x x x x x x x x x x x x x x x"
*/
spamfilter {
match-type regex;
match '\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}';
target { private; channel; }
action kill;
reason "mIRC 6.0-6.11 exploit attempt";
}
/* Similarly, this regex shows a pattern that matches
* against at least 225 characters in length.
*/
spamfilter {
match-type regex;
match '\x01DCC (SEND|RESUME).{225}';
target { private; channel; }
action kill;
reason "Possible mIRC 6.12 exploit attempt";
}
/* Earlier you saw an example of a $decode exploit which used
* match-type 'simple' and - indeed - the filter was quite simple.
* The following uses a regex with a similar example.
* Regular expressions are very powerful but here you can see
* that it actually complicates writing a filter quite a bit.
* With regex in this filter we need to escape the ( and all
* the dots, question marks, etc. if we want to match these
* characters in literal text.
*/
spamfilter {
match-type regex;
match '^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$';
target private;
action block;
reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
}
spamfilter {
match-type regex;
match '^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!';
target private;
action block;
reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
}
/* This shows a regex which specifically matches an entire line by
* the use of ^ and $
*/
spamfilter {
match-type regex;
match '^!login Wasszup!$';
target channel;
action gline;
reason "Attempting to login to a GTBot";
}
/* An example of how to match against an IP address in text (IPv4 only) */
spamfilter {
match-type regex;
match '^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}';
target channel;
action gline;
reason "Attempting to use a GTBot";
}
/* A slightly more complex example with a partial OR matcher (|) */
spamfilter {
match-type regex;
match '(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$';
target private;
action gline;
reason "Infected by some trojan (erotica?)";
}
/* In regex a \ is special and needs to be escaped to \\
* However in this configuration file, \ is also special and
* needs to be escaped to \\ as well.
* The result is that we need double escaping:
* To match a \ you need to write \\\\ in the configuration file.
*/
spamfilter {
match-type regex;
match 'C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip';
target dcc;
action dccblock;
reason "Infected by Gaggle worm";
}