[irc/unrealircd/unrealircd.git] / spamfilter.conf

/*
 * This an example spamfilter file, it contains several
 * real and useful spamfilters. This should give you an
 * idea of how powerful spamfilter can be in real-life
 * situations.
 *
 * $Id$
 */

/* Guidelines on the 'action' field:
 * As a general rule we use 'action block' for any newly added
 * spamfilters at first, later on (after knowing about false
 * positives) we might change some to viruschan/kill/gline/etc..
 */

spamfilter {
	regex "(.+ ){20}";
	target dcc;
	reason "mIRC 6.0-6.11 exploit attempt";
	action kill;
};

spamfilter {
	regex ".{225}";
	target dcc;
	reason "mIRC 6.12 exploit attempt";
	action block;
};

spamfilter {
	regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
	target private;
	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
	action gline;
};

spamfilter {
	regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
	target private;
	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
	action gline;
};

spamfilter {
	regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
	target private;
	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
	action block;
};

spamfilter {
	regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
	target private;
	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
	action gline;
};

spamfilter {
	regex "^!login Wasszup!$";
	target channel;
	reason "Attempting to login to a GTBot";
	action gline;
};

spamfilter {
	regex "^!login grrrr yeah baby!$";
	target channel;
	reason "Attempting to login to a GTBot";
	action gline;
};

spamfilter {
	regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^!icqpagebomb ([0-9]{1,15} ){2}.+";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
	target channel;
	reason "Attempting to use an SDBot";
	action gline;
};

spamfilter {
	regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
	target { channel; private; };
	reason "Attempting to use a SpyBot";
	action gline;
};

spamfilter {
	regex "^porn! porno! http://.+\/sexo\.exe";
	target private;
	action gline;
	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};

spamfilter {
	regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
	target private;
	action gline;
	reason "Infected by some trojan (erotica?)";
};

spamfilter {
	regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
	target private;
	action block;
	reason "Infected by LOI trojan"; /* Name is still unsure */
};

/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
spamfilter {
	regex "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
	target dcc;
	action block;
	reason "Infected by Gaggle worm?";
};

spamfilter {
	regex "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
	target dcc;
	action dccblock;
	reason "Infected by Gaggle worm";
};

spamfilter {
	regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
	target { private; quit; };
	action block;
	reason "Infected by Gaggle worm";
};
Commit	Line	Data
6feeb23a BM	1	/*
	2	* This an example spamfilter file, it contains several
	3	* real and useful spamfilters. This should give you an
	4	* idea of how powerful spamfilter can be in real-life
	5	* situations.
	6	*
	7	* $Id$
	8	*/
	9
00bd34ad BM	10	/* Guidelines on the 'action' field:
	11	* As a general rule we use 'action block' for any newly added
	12	* spamfilters at first, later on (after knowing about false
	13	* positives) we might change some to viruschan/kill/gline/etc..
	14	*/
	15
6feeb23a	16	spamfilter {
00bd34ad	17	regex "(.+ ){20}";
6feeb23a	18	target dcc;
00bd34ad	19	reason "mIRC 6.0-6.11 exploit attempt";
6feeb23a BM	20	action kill;
	21	};
	22
	23	spamfilter {
00bd34ad BM	24	regex ".{225}";
	25	target dcc;
	26	reason "mIRC 6.12 exploit attempt";
	27	action block;
	28	};
	29
	30	spamfilter {
	31	regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
6feeb23a BM	32	target private;
6feeb23a BM	33	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
00bd34ad	34	action gline;
6feeb23a BM	35	};
	36
	37	spamfilter {
	38	regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
	39	target private;
	40	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
00bd34ad	41	action gline;
6feeb23a BM	42	};
	43
	44	spamfilter {
	45	regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
	46	target private;
	47	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
	48	action block;
	49	};
	50
	51	spamfilter {
	52	regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
	53	target private;
	54	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
00bd34ad	55	action gline;
6feeb23a BM	56	};
	57
	58	spamfilter {
	59	regex "^!login Wasszup!$";
	60	target channel;
	61	reason "Attempting to login to a GTBot";
00bd34ad	62	action gline;
6feeb23a BM	63	};
	64
	65	spamfilter {
	66	regex "^!login grrrr yeah baby!$";
	67	target channel;
	68	reason "Attempting to login to a GTBot";
00bd34ad	69	action gline;
6feeb23a BM	70	};
	71
	72	spamfilter {
	73	regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
	74	target channel;
	75	reason "Attempting to use a GTBot";
00bd34ad	76	action gline;
6feeb23a BM	77	};
	78
	79	spamfilter {
	80	regex "^!icqpagebomb ([0-9]{1,15} ){2}.+";
	81	target channel;
	82	reason "Attempting to use a GTBot";
00bd34ad	83	action gline;
6feeb23a BM	84	};
	85
	86	spamfilter {
	87	regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
	88	target channel;
	89	reason "Attempting to use a GTBot";
00bd34ad	90	action gline;
6feeb23a BM	91	};
	92
	93	spamfilter {
	94	regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
	95	target channel;
	96	reason "Attempting to use a GTBot";
00bd34ad	97	action gline;
6feeb23a BM	98	};
	99
	100	spamfilter {
	101	regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
	102	target channel;
	103	reason "Attempting to use an SDBot";
00bd34ad	104	action gline;
6feeb23a BM	105	};
6feeb23a BM	106
6feeb23a BM	107	spamfilter {
	108	regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})\|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
	109	target { channel; private; };
	110	reason "Attempting to use a SpyBot";
00bd34ad BM	111	action gline;
	112	};
	113
	114	spamfilter {
	115	regex "^porn! porno! http://.+\/sexo\.exe";
	116	target private;
	117	action gline;
	118	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
	119	};
	120
	121	spamfilter {
	122	regex "(^wait a minute plz\. i am updating my site\|.my erotic video).http://.+/erotic(a)?/myvideo\.exe$";
	123	target private;
	124	action gline;
	125	reason "Infected by some trojan (erotica?)";
	126	};
	127
	128	spamfilter {
	129	regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \\| \.load -rs nospam \\| //mode \$me \+R$";
	130	target private;
	131	action gline;
	132	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
	133	};
	134
	135	spamfilter {
	136	regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \\| \.load -rs Matrix2 \\| //mode \$me \+R$";
	137	target private;
	138	action gline;
	139	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
	140	};
	141
	142	spamfilter {
	143	regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.,m\) \\| \$decode\(.,m\)$";
	144	target private;
	145	action gline;
	146	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
	147	};
	148
	149	spamfilter {
	150	regex ".(http://jokes\.clubdepeche\.com\|http://horny\.69sexy\.net\|http://private\.a123sdsdssddddgfg\.com).";
	151	target private;
	152	action block;
	153	reason "Infected by LOI trojan"; /* Name is still unsure */
	154	};
	155
	156	/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
	157	spamfilter {
	158	regex "C:\\WINNT\\system32\\[][0-9a-z_-{\|}`]+\.zip";
	159	target dcc;
	160	action block;
	161	reason "Infected by Gaggle worm?";
	162	};
	163
	164	spamfilter {
	165	regex "C:\\WINNT\\system32\\(notes\|videos\|xxx\|ManualSeduccion\|postal\|hechizos\|images\|sex\|avril)\.zip";
	166	target dcc;
	167	action dccblock;
	168	reason "Infected by Gaggle worm";
	169	};
	170
	171	spamfilter {
	172	regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif\|jpg\|avi\|txt)";
	173	target { private; quit; };
6feeb23a	174	action block;
00bd34ad	175	reason "Infected by Gaggle worm";
6feeb23a	176	};