This repository has been archived on 2024-11-04. You can view files and clone it, but cannot push or open issues or pull requests.
docker-unrealircd/conf/spamfilter.conf
2021-10-12 02:40:30 +03:00

155 lines
4.6 KiB
Plaintext

/*
* This configuration file contains example spamfilter rules.
* They are real rules that were useful a long time ago.
* Since 2005 these rules are no longer maintained.
* The main purpose nowadays is to serve as an example
* to give you an idea of how powerful spamfilters can
* be in real-life situations.
*
* Documentation on spamfilter is available at:
* https://www.unrealircd.org/docs/Spamfilter
*/
/* General note:
* If you want to use a \ in a spamfilter, or in fact
* anywhere in the configuration file, then you need
* to escape this to \\ instead.
*/
/* First some spamfilters with match-type 'simple'.
* The only matchers available are * and ?
* PRO's: very fast, easy matching: everyone can do this.
* CON's: limited ability to fine-tune spamfilters
*/
spamfilter {
match-type simple;
match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
target private;
action gline;
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
}
/* This signature uses a \ which has to escaped to \\ in the configuration file */
spamfilter {
match-type simple;
match "C:\\WINNT\\system32\\*.zip";
target dcc;
action block;
reason "Infected by Gaggle worm?";
}
spamfilter {
match-type simple;
match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
target private;
action gline;
reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
}
spamfilter {
match-type simple;
match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
}
/* Now spamfilters of type 'regex'.
* These use powerful regular expressions (Perl/PCRE style)
* You may have to learn more about "regex" first before you
* can use them. For example the dot ('.') has special meaning.
*/
/* This regex shows a pattern which requires 20 paramaters,
* such as "x x x x x x x x x x x x x x x x x x x x"
*/
spamfilter {
match-type regex;
match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
target { private; channel; }
action kill;
reason "mIRC 6.0-6.11 exploit attempt";
}
/* Similarly, this regex shows a pattern that matches
* against at least 225 characters in length.
*/
spamfilter {
match-type regex;
match "\x01DCC (SEND|RESUME).{225}";
target { private; channel; }
action kill;
reason "Possible mIRC 6.12 exploit attempt";
}
/* Earlier you saw an example of a $decode exploit which used
* match-type 'simple' and - indeed - the filter was quite simple.
* The following uses a regex with a similar example.
* Regular expressions are very powerful but here you can see
* that it actually complicates writing a filter quite a bit.
* With regex in this filter we need to escape the ( and all
* the dots, question marks, etc. if we want to match these
* characters in literal text.
*/
spamfilter {
match-type regex;
match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
target private;
action block;
reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
}
spamfilter {
match-type regex;
match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
target private;
action block;
reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
}
/* This shows a regex which specifically matches an entire line by
* the use of ^ and $
*/
spamfilter {
match-type regex;
match "^!login Wasszup!$";
target channel;
action gline;
reason "Attempting to login to a GTBot";
}
/* An example of how to match against an IP address in text (IPv4 only) */
spamfilter {
match-type regex;
match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
target channel;
action gline;
reason "Attempting to use a GTBot";
}
/* A slightly more complex example with a partial OR matcher (|) */
spamfilter {
match-type regex;
match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
target private;
action gline;
reason "Infected by some trojan (erotica?)";
}
/* In regex a \ is special and needs to be escaped to \\
* However in this configuration file, \ is also special and
* needs to be escaped to \\ as well.
* The result is that we need double escaping:
* To match a \ you need to write \\\\ in the configuration file.
*/
spamfilter {
match-type regex;
match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
target dcc;
action dccblock;
reason "Infected by Gaggle worm";
}