Commit | Line | Data |
---|---|---|
29eb8190 BM |
1 | /* |
2 | * This is an example spamfilter file, it contains several | |
3 | * real and useful spamfilters. This should give you an | |
4 | * idea of how powerful spamfilter can be in real-life | |
5 | * situations. | |
6 | * | |
7 | * $Id$ | |
8 | */ | |
9 | ||
445a8587 BM |
10 | /* Guidelines on the 'action' field: |
11 | * As a general rule we use 'action block' for any newly added | |
12 | * spamfilters at first, later on (after knowing about false | |
13 | * positives) we might change some to viruschan/kill/gline/etc. | |
14 | */ | |
15 | ||
29eb8190 | 16 | spamfilter { /* Matches a CTCP DCC SEND/RESUME whose quoted argument holds 20 or more space-terminated chunks. NOTE(review): "(.+ ){20}" repeats a greedy group, so the cost on long non-matching lines depends on the regex engine; confirm it stays cheap, since this filter is applied to both private and channel text. */
704b6260 BM |
17 | regex "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}"; |
18 | target { private; channel; }; | |
445a8587 | 19 | reason "mIRC 6.0-6.11 exploit attempt";
29eb8190 BM |
20 | action kill; |
21 | }; | |
22 | ||
23 | spamfilter { /* Length heuristic: any CTCP DCC SEND/RESUME followed by at least 225 characters matches, whatever those characters are. NOTE(review): the reason text says "Possible" yet the action is kill, while the guideline at the top of this file prefers 'block' until false positives are known; confirm kill is intended here. */ | |
704b6260 BM |
24 | regex "\x01DCC (SEND|RESUME).{225}"; |
25 | target { private; channel; }; | |
26 | reason "Possible mIRC 6.12 exploit attempt"; | |
27 | action kill; | |
445a8587 BM |
28 | }; |
29 | ||
30 | spamfilter { /* Matches the fixed lure text followed by an http URL with an explicit port and the path /me.mpg. NOTE(review): this is the only filter shown here that uses \d; the others write the class as [0-9]. Confirm the configured regex engine supports \d, otherwise this filter never matches. */ | |
31 | regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg"; | |
29eb8190 | 32 | target private;
61ab744d | 33 | reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
ef942d39 | 34 | action gline;
29eb8190 BM |
35 | }; |
36 | ||
16802a8b | 37 | spamfilter { |
61ab744d | 38 | regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe"; |
16802a8b | 39 | target private; |
61ab744d | 40 | reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html"; |
ef942d39 | 41 | action gline; |
16802a8b BM |
42 | }; |
43 | ||
44 | spamfilter { | |
c324f145 | 45 | regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!"; |
16802a8b BM |
46 | target private; |
47 | reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml"; | |
48 | action block; | |
49 | }; | |
6e05e85d BM |
50 | |
51 | spamfilter { | |
c324f145 | 52 | regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$"; |
6e05e85d BM |
53 | target private; |
54 | reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml"; | |
ef942d39 | 55 | action gline; |
6e05e85d | 56 | }; |
c324f145 | 57 | |
58 | spamfilter { | |
59 | regex "^!login Wasszup!$"; | |
60 | target channel; | |
61 | reason "Attempting to login to a GTBot"; | |
ef942d39 | 62 | action gline; |
c324f145 | 63 | }; |
64 | ||
65 | spamfilter { | |
66 | regex "^!login grrrr yeah baby!$"; | |
67 | target channel; | |
68 | reason "Attempting to login to a GTBot"; | |
ef942d39 | 69 | action gline; |
c324f145 | 70 | }; |
71 | ||
72 | spamfilter { | |
7bc23b42 | 73 | regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}"; |
c324f145 | 74 | target channel; |
75 | reason "Attempting to use a GTBot"; | |
ef942d39 | 76 | action gline; |
c324f145 | 77 | }; |
78 | ||
79 | spamfilter { | |
7bc23b42 | 80 | regex "^!icqpagebomb ([0-9]{1,15} ){2}.+"; |
c324f145 | 81 | target channel; |
82 | reason "Attempting to use a GTBot"; | |
ef942d39 | 83 | action gline; |
c324f145 | 84 | }; |
85 | ||
86 | spamfilter { | |
7bc23b42 | 87 | regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$"; |
c324f145 | 88 | target channel; |
89 | reason "Attempting to use a GTBot"; | |
ef942d39 | 90 | action gline; |
c324f145 | 91 | }; |
92 | ||
93 | spamfilter { | |
94 | regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$"; | |
95 | target channel; | |
96 | reason "Attempting to use a GTBot"; | |
ef942d39 | 97 | action gline; |
c324f145 | 98 | }; |
301dbe6e | 99 | |
7bc23b42 | 100 | spamfilter { /* Matches a channel line of the form <any char>u or <any char>udp, then an IPv4-shaped address and three numeric arguments, optionally followed by single digits. NOTE(review): the leading '.' is unescaped, so any single character is accepted as the command prefix; if only a literal dot is meant, write '\.'. The action on a match is gline, so a false positive is costly. */
101 | regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$"; | |
102 | target channel; | |
103 | reason "Attempting to use an SDBot"; | |
ef942d39 | 104 | action gline;
7bc23b42 | 105 | };
106 | ||
301dbe6e BM |
107 | spamfilter { /* Matches <any char>syn followed by an IPv4-shaped address or a dotted hostname, a port-sized number and two further numbers. NOTE(review): the leading '.' is unescaped and so matches any character, and there is no trailing '$', so extra text after the last number still matches. Confirm both are intended, given the gline action on channel and private text. */
108 | regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}"; | |
109 | target { channel; private; }; | |
61ab744d | 110 | reason "Attempting to use a SpyBot";
ef942d39 | 111 | action gline;
301dbe6e | 112 | };
0f320469 BM |
113 | |
114 | spamfilter { | |
115 | regex "^porn! porno! http://.+\/sexo\.exe"; | |
116 | target private; | |
ef942d39 | 117 | action gline; |
0f320469 BM |
118 | reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A"; |
119 | }; | |
f1bd72ff BM |
120 | |
121 | spamfilter { | |
122 | regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$"; | |
123 | target private; | |
ef942d39 | 124 | action gline; |
f1bd72ff BM |
125 | reason "Infected by some trojan (erotica?)"; |
126 | }; | |
4e5ebba5 | 127 | |
128 | spamfilter { | |
129 | regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$"; | |
130 | target private; | |
ef942d39 | 131 | action gline; |
4e5ebba5 | 132 | reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; |
133 | }; | |
134 | ||
135 | spamfilter { | |
136 | regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$"; | |
137 | target private; | |
ef942d39 | 138 | action gline; |
4e5ebba5 | 139 | reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; |
140 | }; | |
141 | ||
142 | spamfilter { | |
143 | regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$"; | |
144 | target private; | |
ef942d39 | 145 | action gline; |
4e5ebba5 | 146 | reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm"; |
147 | }; | |
db7e7563 BM |
148 | |
149 | spamfilter { | |
150 | regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*"; | |
151 | target private; | |
704b6260 | 152 | action gline; |
db7e7563 BM |
153 | reason "Infected by LOI trojan"; /* Name is still unsure */ |
154 | }; | |
376494f3 BM |
155 | |
156 | /* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */ | |
157 | spamfilter { /* Generic DCC filename signature: a .zip directly under C:\WINNT\system32 whose name is drawn from the bracket expression below. NOTE(review): inside that bracket expression '_-{' is a range running from '_' to '{' in ASCII order (it also takes in the backtick and a-z), so a literal '-' is not part of the class. If '-' was meant to be matched, move it to the end of the class. */ | |
704b6260 | 158 | regex "C:\\\\WINNT\\\\system32\\\\[][0-9a-z_-{|}`]+\.zip";
376494f3 BM |
159 | target dcc; |
160 | action block; | |
161 | reason "Infected by Gaggle worm?"; | |
162 | }; | |
163 | ||
376494f3 | 164 | spamfilter { |
704b6260 | 165 | regex "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip"; |
376494f3 BM |
166 | target dcc; |
167 | action dccblock; | |
168 | reason "Infected by Gaggle worm"; | |
169 | }; | |
170 | ||
376494f3 BM |
171 | spamfilter { |
172 | regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)"; | |
0a790a56 | 173 | target { private; quit; }; |
376494f3 BM |
174 | action block; |
175 | reason "Infected by Gaggle worm"; | |
176 | }; | |
704b6260 BM |
177 | |
178 | spamfilter { | |
179 | regex "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)"; | |
180 | target private; | |
181 | reason "Unknown virus. Site causes Backdoor.Delf.lq infection"; | |
182 | action block; | |
183 | }; | |
184 | ||
185 | spamfilter { | |
186 | regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$"; | |
187 | target channel; | |
188 | reason "$decode exploit"; | |
189 | action block; | |
190 | }; | |
191 | ||
192 | /* | |
193 | spamfilter { | |
194 | regex "//write \$decode\(.+\|.+load -rs"; | |
195 | target { private; channel; }; | |
196 | reason "Generic $decode exploit"; | |
197 | action block; | |
198 | }; | |
199 | */ | |
200 | ||
201 | spamfilter { | |
202 | regex "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$"; | |
203 | target private; | |
204 | action block; | |
205 | reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan."; | |
206 | }; |