/* * This configuration file contains example spamfilter rules. * They are real rules that were useful a long time ago. * Since 2005 these rules are no longer maintained. * The main purpose nowadays is to serve as an example * to give you an idea of how powerful spamfilters can * be in real-life situations. * * Documentation on spamfilter is available at: * https://www.unrealircd.org/docs/Spamfilter */ /* General note: * If you want to use a \ in a spamfilter, or in fact * anywhere in the configuration file, then you need * to escape this to \\ instead. */ /* First some spamfilters with match-type 'simple'. * The only matchers available are * and ? * PRO's: very fast, easy matching: everyone can do this. * CON's: limited ability to fine-tune spamfilters */ spamfilter { match-type simple; match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg"; target private; action gline; reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html"; } /* This signature uses a \ which has to escaped to \\ in the configuration file */ spamfilter { match-type simple; match "C:\\WINNT\\system32\\*.zip"; target dcc; action block; reason "Infected by Gaggle worm?"; } spamfilter { match-type simple; match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe"; target private; action gline; reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html"; } spamfilter { match-type simple; match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R"; target private; action gline; reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; } /* Now spamfilters of type 'regex'. * These use powerful regular expressions (Perl/PCRE style) * You may have to learn more about "regex" first before you * can use them. For example the dot ('.') has special meaning. */ /* This regex shows a pattern which requires 20 paramaters, * such as "x x x x x x x x x x x x x x x x x x x x" */ spamfilter { match-type regex; match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}"; target { private; channel; } action kill; reason "mIRC 6.0-6.11 exploit attempt"; } /* Similarly, this regex shows a pattern that matches * against at least 225 characters in length. */ spamfilter { match-type regex; match "\x01DCC (SEND|RESUME).{225}"; target { private; channel; } action kill; reason "Possible mIRC 6.12 exploit attempt"; } /* Earlier you saw an example of a $decode exploit which used * match-type 'simple' and - indeed - the filter was quite simple. * The following uses a regex with a similar example. * Regular expressions are very powerful but here you can see * that it actually complicates writing a filter quite a bit. * With regex in this filter we need to escape the ( and all * the dots, question marks, etc. if we want to match these * characters in literal text. */ spamfilter { match-type regex; match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$"; target private; action block; reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan."; } spamfilter { match-type regex; match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!"; target private; action block; reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml"; } /* This shows a regex which specifically matches an entire line by * the use of ^ and $ */ spamfilter { match-type regex; match "^!login Wasszup!$"; target channel; action gline; reason "Attempting to login to a GTBot"; } /* An example of how to match against an IP address in text (IPv4 only) */ spamfilter { match-type regex; match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}"; target channel; action gline; reason "Attempting to use a GTBot"; } /* A slightly more complex example with a partial OR matcher (|) */ spamfilter { match-type regex; match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$"; target private; action gline; reason "Infected by some trojan (erotica?)"; } /* In regex a \ is special and needs to be escaped to \\ * However in this configuration file, \ is also special and * needs to be escaped to \\ as well. * The result is that we need double escaping: * To match a \ you need to write \\\\ in the configuration file. */ spamfilter { match-type regex; match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip"; target dcc; action dccblock; reason "Infected by Gaggle worm"; }