Commit | Line | Data |
---|---|---|
6feeb23a BM |
1 | /* |
2 | * This is an example spamfilter file; it contains several | |
3 | * real and useful spamfilters. This should give you an | |
4 | * idea of how powerful spamfilter can be in real-life | |
5 | * situations. | |
6 | * | |
7 | * $Id$ | |
8 | */ | |
9 | ||
00bd34ad BM |
10 | /* Guidelines on the 'action' field: |
11 | * As a general rule we use 'action block' for any newly added | |
12 | * spamfilters at first; later on (once their false positives | |
13 | * are known) we might change some to viruschan/kill/gline/etc. | |
14 | */ | |
15 | ||
6feeb23a | 16 | spamfilter { /* Flags DCC requests by shape alone, not by any fixed payload string. */
00bd34ad | 17 | regex "(.+ ){20}"; /* 20 repetitions of "one or more characters, then a space"; no ^/$ anchors, and '.+' also matches spaces, so long or padded requests qualify. NOTE(review): nested quantifier - matching cost depends on the regex engine in use, confirm */
6feeb23a | 18 | target dcc;
00bd34ad | 19 | reason "mIRC 6.0-6.11 exploit attempt";
6feeb23a BM |
20 | action kill; /* NOTE(review): stricter than the 'block first' guideline in the header comment - confirm the false-positive rate justifies kill */ |
21 | }; | |
22 | ||
23 | spamfilter { /* Length-based DCC filter for the mIRC 6.12 issue named in the reason. */ | |
00bd34ad BM |
24 | regex ".{225}"; /* 225 consecutive characters of any kind, no anchors: keys on request length, not content */ |
25 | target dcc; | |
26 | reason "mIRC 6.12 exploit attempt"; | |
27 | action block; /* 'block' rather than kill/gline, which fits a signature this broad */ | |
28 | }; | |
29 | ||
30 | spamfilter { | |
31 | regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg"; | |
6feeb23a BM |
32 | target private; |
33 | reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html"; | |
00bd34ad | 34 | action gline; |
6feeb23a BM |
35 | }; |
36 | ||
37 | spamfilter { | |
38 | regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe"; | |
39 | target private; | |
40 | reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html"; | |
00bd34ad | 41 | action gline; |
6feeb23a BM |
42 | }; |
43 | ||
44 | spamfilter { | |
45 | regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!"; | |
46 | target private; | |
47 | reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml"; | |
48 | action block; | |
49 | }; | |
50 | ||
51 | spamfilter { | |
52 | regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$"; | |
53 | target private; | |
54 | reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml"; | |
00bd34ad | 55 | action gline; |
6feeb23a BM |
56 | }; |
57 | ||
58 | spamfilter { | |
59 | regex "^!login Wasszup!$"; | |
60 | target channel; | |
61 | reason "Attempting to login to a GTBot"; | |
00bd34ad | 62 | action gline; |
6feeb23a BM |
63 | }; |
64 | ||
65 | spamfilter { | |
66 | regex "^!login grrrr yeah baby!$"; | |
67 | target channel; | |
68 | reason "Attempting to login to a GTBot"; | |
00bd34ad | 69 | action gline; |
6feeb23a BM |
70 | }; |
71 | ||
72 | spamfilter { | |
73 | regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}"; | |
74 | target channel; | |
75 | reason "Attempting to use a GTBot"; | |
00bd34ad | 76 | action gline; |
6feeb23a BM |
77 | }; |
78 | ||
79 | spamfilter { | |
80 | regex "^!icqpagebomb ([0-9]{1,15} ){2}.+"; | |
81 | target channel; | |
82 | reason "Attempting to use a GTBot"; | |
00bd34ad | 83 | action gline; |
6feeb23a BM |
84 | }; |
85 | ||
86 | spamfilter { | |
87 | regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$"; | |
88 | target channel; | |
89 | reason "Attempting to use a GTBot"; | |
00bd34ad | 90 | action gline; |
6feeb23a BM |
91 | }; |
92 | ||
93 | spamfilter { | |
94 | regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$"; | |
95 | target channel; | |
96 | reason "Attempting to use a GTBot"; | |
00bd34ad | 97 | action gline; |
6feeb23a BM |
98 | }; |
99 | ||
100 | spamfilter { /* Channel-message filter for an SDBot command line, anchored at both ends. */ | |
101 | regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$"; /* the leading '.' is unescaped, so any single character is accepted as the command prefix; then 'u' or 'udp', a dotted-quad address, three numeric fields and optional single-digit arguments. NOTE(review): presumably deliberate because the prefix character varies - confirm */ | |
102 | target channel; | |
103 | reason "Attempting to use an SDBot"; | |
00bd34ad | 104 | action gline; |
6feeb23a BM |
105 | }; |
106 | ||
6feeb23a BM |
107 | spamfilter { /* Filter for a SpyBot 'syn' command aimed at an IPv4 address or a dotted host name. */
108 | regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}"; /* the leading '.' is unescaped (any one-character prefix matches) and there is no trailing '$', so extra text after the last number is still accepted */ | |
109 | target { channel; private; }; /* checked against private messages as well as channel messages */ | |
110 | reason "Attempting to use a SpyBot"; | |
00bd34ad BM |
111 | action gline; |
112 | }; | |
113 | ||
114 | spamfilter { | |
115 | regex "^porn! porno! http://.+\/sexo\.exe"; | |
116 | target private; | |
117 | action gline; | |
118 | reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A"; | |
119 | }; | |
120 | ||
121 | spamfilter { | |
122 | regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$"; | |
123 | target private; | |
124 | action gline; | |
125 | reason "Infected by some trojan (erotica?)"; | |
126 | }; | |
127 | ||
128 | spamfilter { | |
129 | regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$"; | |
130 | target private; | |
131 | action gline; | |
132 | reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; | |
133 | }; | |
134 | ||
135 | spamfilter { | |
136 | regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$"; | |
137 | target private; | |
138 | action gline; | |
139 | reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; | |
140 | }; | |
141 | ||
142 | spamfilter { | |
143 | regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$"; | |
144 | target private; | |
145 | action gline; | |
146 | reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; | |
147 | }; | |
148 | ||
149 | spamfilter { | |
150 | regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*"; | |
151 | target private; | |
152 | action block; | |
153 | reason "Infected by LOI trojan"; /* Name is still unsure */ | |
154 | }; | |
155 | ||
156 | /* This is a generic signature that may produce somewhat more false positives, hence only 'block' is used */ | |
157 | spamfilter { /* Generic DCC filter: any .zip offered from the C:\WINNT\system32 path whose name is built from the bracketed character set. */ | |
158 | regex "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip"; /* NOTE(review): inside the bracket expression '_-{' reads as a range (underscore through '{'), not three literals, so a literal '-' is not in the class - confirm whether hyphenated file names are meant to match */ | |
159 | target dcc; | |
160 | action block; | |
161 | reason "Infected by Gaggle worm?"; | |
162 | }; | |
163 | ||
164 | spamfilter { /* DCC filter for a fixed list of .zip names under C:\WINNT\system32; narrower than the generic system32 .zip filter that precedes it. */ | |
165 | regex "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip"; | |
166 | target dcc; | |
167 | action dccblock; /* the only filter in this listing that uses dccblock; the generic signature before it uses plain block */ | |
168 | reason "Infected by Gaggle worm"; | |
169 | }; | |
170 | ||
171 | spamfilter { /* URL filter keyed on a lycos host and an iserverN/yserverN path ending in a short lowercase file name. */ | |
172 | regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)"; /* no ^/$ anchors; both '.+' parts are open-ended, so only the path shape and extension narrow the match */ | |
173 | target { private; quit; }; /* checked against quit messages as well as private messages */ | |
6feeb23a | 174 | action block; |
00bd34ad | 175 | reason "Infected by Gaggle worm"; |
6feeb23a | 176 | }; |