docker-unrealircd/conf/spamfilter.conf

/*
 * This configuration file contains example spamfilter rules.
 * They are real rules that were useful a long time ago.
 * Since 2005 these rules are no longer maintained.
 * The main purpose nowadays is to serve as an example
 * to give you an idea of how powerful spamfilters can
 * be in real-life situations.
 *
 * Documentation on spamfilter is available at:
 * https://www.unrealircd.org/docs/Spamfilter
 */

/* General note:
 * If you want to use a \ in a spamfilter, or in fact
 * anywhere in the configuration file, then you need
 * to escape this to \\ instead.
 */


/* First some spamfilters with match-type 'simple'.
 * The only matchers available are * and ?
 * PRO's: very fast, easy matching: everyone can do this.
 * CON's: limited ability to fine-tune spamfilters
 */

spamfilter {
	match-type simple;
	match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
	target private;
	action gline;
	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
}

/* This signature uses a \ which has to escaped to \\ in the configuration file */
spamfilter {
	match-type simple;
	match "C:\\WINNT\\system32\\*.zip";
	target dcc;
	action block;
	reason "Infected by Gaggle worm?";
}

spamfilter {
	match-type simple;
	match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
	target private;
	action gline;
	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
}

spamfilter {
	match-type simple;
	match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
}


/* Now spamfilters of type 'regex'.
 * These use powerful regular expressions (Perl/PCRE style)
 * You may have to learn more about "regex" first before you
 * can use them. For example the dot ('.') has special meaning.
 */

/* This regex shows a pattern which requires 20 paramaters,
 * such as "x x x x x x x x x x x x x x x x x x x x"
 */
spamfilter {
	match-type regex;
	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
	target { private; channel; }
	action kill;
	reason "mIRC 6.0-6.11 exploit attempt";
}

/* Similarly, this regex shows a pattern that matches
 * against at least 225 characters in length.
 */
spamfilter {
	match-type regex;
	match "\x01DCC (SEND|RESUME).{225}";
	target { private; channel; }
	action kill;
	reason "Possible mIRC 6.12 exploit attempt";
}

/* Earlier you saw an example of a $decode exploit which used
 * match-type 'simple' and - indeed - the filter was quite simple.
 * The following uses a regex with a similar example.
 * Regular expressions are very powerful but here you can see
 * that it actually complicates writing a filter quite a bit.
 * With regex in this filter we need to escape the ( and all
 * the dots, question marks, etc. if we want to match these
 * characters in literal text.
 */
spamfilter {
	match-type regex;
	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
	target private;
	action block;
	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
}

spamfilter {
	match-type regex;
	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
	target private;
	action block;
	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
}

/* This shows a regex which specifically matches an entire line by 
 * the use of ^ and $
 */
spamfilter {
	match-type regex;
	match "^!login Wasszup!$";
	target channel;
	action gline;
	reason "Attempting to login to a GTBot";
}

/* An example of how to match against an IP address in text (IPv4 only) */
spamfilter {
	match-type regex;
	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
	target channel;
	action gline;
	reason "Attempting to use a GTBot";
}

/* A slightly more complex example with a partial OR matcher (|) */
spamfilter {
	match-type regex;
	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
	target private;
	action gline;
	reason "Infected by some trojan (erotica?)";
}

/* In regex a \ is special and needs to be escaped to \\
 * However in this configuration file, \ is also special and
 * needs to be escaped to \\ as well.
 * The result is that we need double escaping:
 * To match a \ you need to write \\\\ in the configuration file.
 */
spamfilter {
	match-type regex;
	match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
	target dcc;
	action dccblock;
	reason "Infected by Gaggle worm";
}
Initial 2021-10-12 02:40:30 +03:00			`/*`
			`* This configuration file contains example spamfilter rules.`
			`* They are real rules that were useful a long time ago.`
			`* Since 2005 these rules are no longer maintained.`
			`* The main purpose nowadays is to serve as an example`
			`* to give you an idea of how powerful spamfilters can`
			`* be in real-life situations.`
			`*`
			`* Documentation on spamfilter is available at:`
			`* https://www.unrealircd.org/docs/Spamfilter`
			`*/`

			`/* General note:`
			`* If you want to use a \ in a spamfilter, or in fact`
			`* anywhere in the configuration file, then you need`
			`* to escape this to \\ instead.`
			`*/`


			`/* First some spamfilters with match-type 'simple'.`
			`* The only matchers available are * and ?`
			`* PRO's: very fast, easy matching: everyone can do this.`
			`* CON's: limited ability to fine-tune spamfilters`
			`*/`

			`spamfilter {`
			`match-type simple;`
			`match "Come watch me on my webcam and chat /w me :-) http://:/me.mpg";`
			`target private;`
			`action gline;`
			`reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";`
			`}`

			`/* This signature uses a \ which has to escaped to \\ in the configuration file */`
			`spamfilter {`
			`match-type simple;`
			`match "C:\\WINNT\\system32\\*.zip";`
			`target dcc;`
			`action block;`
			`reason "Infected by Gaggle worm?";`
			`}`

			`spamfilter {`
			`match-type simple;`
			`match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";`
			`target private;`
			`action gline;`
			`reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";`
			`}`

			`spamfilter {`
			`match-type simple;`
			`match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) \| .load -rs nospam \| //mode $me +R";`
			`target private;`
			`action gline;`
			`reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";`
			`}`


			`/* Now spamfilters of type 'regex'.`
			`* These use powerful regular expressions (Perl/PCRE style)`
			`* You may have to learn more about "regex" first before you`
			`* can use them. For example the dot ('.') has special meaning.`
			`*/`

			`/* This regex shows a pattern which requires 20 paramaters,`
			`* such as "x x x x x x x x x x x x x x x x x x x x"`
			`*/`
			`spamfilter {`
			`match-type regex;`
			`match "\x01DCC (SEND\|RESUME)[ ]+\"(.+ ){20}";`
			`target { private; channel; }`
			`action kill;`
			`reason "mIRC 6.0-6.11 exploit attempt";`
			`}`

			`/* Similarly, this regex shows a pattern that matches`
			`* against at least 225 characters in length.`
			`*/`
			`spamfilter {`
			`match-type regex;`
			`match "\x01DCC (SEND\|RESUME).{225}";`
			`target { private; channel; }`
			`action kill;`
			`reason "Possible mIRC 6.12 exploit attempt";`
			`}`

			`/* Earlier you saw an example of a $decode exploit which used`
			`* match-type 'simple' and - indeed - the filter was quite simple.`
			`* The following uses a regex with a similar example.`
			`* Regular expressions are very powerful but here you can see`
			`* that it actually complicates writing a filter quite a bit.`
			`* With regex in this filter we need to escape the ( and all`
			`* the dots, question marks, etc. if we want to match these`
			`* characters in literal text.`
			`*/`
			`spamfilter {`
			`match-type regex;`
			`match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \\| \.load -rs \$decode\(.+=.?,m\)$";`
			`target private;`
			`action block;`
			`reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";`
			`}`

			`spamfilter {`
			`match-type regex;`
			`match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";`
			`target private;`
			`action block;`
			`reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";`
			`}`

			`/* This shows a regex which specifically matches an entire line by`
			`* the use of ^ and $`
			`*/`
			`spamfilter {`
			`match-type regex;`
			`match "^!login Wasszup!$";`
			`target channel;`
			`action gline;`
			`reason "Attempting to login to a GTBot";`
			`}`

			`/* An example of how to match against an IP address in text (IPv4 only) */`
			`spamfilter {`
			`match-type regex;`
			`match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";`
			`target channel;`
			`action gline;`
			`reason "Attempting to use a GTBot";`
			`}`

			`/* A slightly more complex example with a partial OR matcher (\|) */`
			`spamfilter {`
			`match-type regex;`
			`match "(^wait a minute plz\. i am updating my site\|.my erotic video).http://.+/erotic(a)?/myvideo\.exe$";`
			`target private;`
			`action gline;`
			`reason "Infected by some trojan (erotica?)";`
			`}`

			`/* In regex a \ is special and needs to be escaped to \\`
			`* However in this configuration file, \ is also special and`
			`* needs to be escaped to \\ as well.`
			`* The result is that we need double escaping:`
			`* To match a \ you need to write \\\\ in the configuration file.`
			`*/`
			`spamfilter {`
			`match-type regex;`
			`match "C:\\\\WINNT\\\\system32\\\\(notes\|videos\|xxx\|ManualSeduccion\|postal\|hechizos\|images\|sex\|avril)\.zip";`
			`target dcc;`
			`action dccblock;`
			`reason "Infected by Gaggle worm";`
			`}`