[irc/unrealircd/unrealircd.git] / spamfilters.conf.sample

/*
 * This an example spamfilter file, it contains several
 * real and useful spamfilters. This should give you an
 * idea of how powerful spamfilter can be in real-life
 * situations.
 *
 * $Id$
 */

/* Guidelines on the 'action' field:
 * As a general rule we use 'action block' for any newly added
 * spamfilters at first, later on (after knowing about false
 * positives) we might change some to viruschan/kill/gline/etc..
 */

spamfilter {
	regex "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
	target { private; channel; };
	reason "mIRC 6.0-6.11 exploit attempt";
	action kill;
};

spamfilter {
	regex "\x01DCC (SEND|RESUME).{225}";
	target { private; channel; };
	reason "Possible mIRC 6.12 exploit attempt";
	action kill;
};

spamfilter {
	regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
	target private;
	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
	action gline;
};

spamfilter {
	regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
	target private;
	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
	action gline;
};

spamfilter {
	regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
	target private;
	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
	action block;
};

spamfilter {
	regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
	target private;
	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
	action gline;
};

spamfilter {
	regex "^!login Wasszup!$";
	target channel;
	reason "Attempting to login to a GTBot";
	action gline;
};

spamfilter {
	regex "^!login grrrr yeah baby!$";
	target channel;
	reason "Attempting to login to a GTBot";
	action gline;
};

spamfilter {
	regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^!icqpagebomb ([0-9]{1,15} ){2}.+";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
	target channel;
	reason "Attempting to use a GTBot";
	action gline;
};

spamfilter {
	regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
	target channel;
	reason "Attempting to use an SDBot";
	action gline;
};

spamfilter {
	regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
	target { channel; private; };
	reason "Attempting to use a SpyBot";
	action gline;
};

spamfilter {
	regex "^porn! porno! http://.+\/sexo\.exe";
	target private;
	action gline;
	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};

spamfilter {
	regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
	target private;
	action gline;
	reason "Infected by some trojan (erotica?)";
};

spamfilter {
	regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
	regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
	target private;
	action gline;
	reason "Infected by LOI trojan"; /* Name is still unsure */
};

/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
spamfilter {
	regex "C:\\\\WINNT\\\\system32\\\\[][0-9a-z_-{|}`]+\.zip";
	target dcc;
	action block;
	reason "Infected by Gaggle worm?";
};

spamfilter {
	regex "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
	target dcc;
	action dccblock;
	reason "Infected by Gaggle worm";
};

spamfilter {
	regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
	target { private; quit; };
	action block;
	reason "Infected by Gaggle worm";
};

spamfilter {
     regex "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
     target private;
     reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
     action block;
};

spamfilter {
	regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
	target channel;
	reason "$decode exploit";
	action block;
};

/*
spamfilter {
	regex "//write \$decode\(.+\|.+load -rs";
	target { private; channel; };
	reason "Generic $decode exploit";
	action block;
};
*/

spamfilter {
	regex "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$"; 
	target private;
	action block;
	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
};
Commit	Line	Data
29eb8190 BM	1	/*
	2	* This an example spamfilter file, it contains several
	3	* real and useful spamfilters. This should give you an
	4	* idea of how powerful spamfilter can be in real-life
	5	* situations.
	6	*
	7	* $Id$
	8	*/
	9
445a8587 BM	10	/* Guidelines on the 'action' field:
	11	* As a general rule we use 'action block' for any newly added
	12	* spamfilters at first, later on (after knowing about false
	13	* positives) we might change some to viruschan/kill/gline/etc..
	14	*/
	15
29eb8190	16	spamfilter {
704b6260 BM	17	regex "\x01DCC (SEND\|RESUME)[ ]+\"(.+ ){20}";
704b6260 BM	18	target { private; channel; };
445a8587	19	reason "mIRC 6.0-6.11 exploit attempt";
29eb8190 BM	20	action kill;
	21	};
	22
	23	spamfilter {
704b6260 BM	24	regex "\x01DCC (SEND\|RESUME).{225}";
	25	target { private; channel; };
	26	reason "Possible mIRC 6.12 exploit attempt";
	27	action kill;
445a8587 BM	28	};
	29
	30	spamfilter {
	31	regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
29eb8190	32	target private;
61ab744d	33	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
ef942d39	34	action gline;
29eb8190 BM	35	};
29eb8190 BM	36
16802a8b	37	spamfilter {
61ab744d	38	regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
16802a8b	39	target private;
61ab744d	40	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
ef942d39	41	action gline;
16802a8b BM	42	};
	43
	44	spamfilter {
c324f145	45	regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
16802a8b BM	46	target private;
	47	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
	48	action block;
	49	};
6e05e85d BM	50
6e05e85d BM	51	spamfilter {
c324f145	52	regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
6e05e85d BM	53	target private;
6e05e85d BM	54	reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
ef942d39	55	action gline;
6e05e85d	56	};
c324f145	57
	58	spamfilter {
	59	regex "^!login Wasszup!$";
	60	target channel;
	61	reason "Attempting to login to a GTBot";
ef942d39	62	action gline;
c324f145	63	};
	64
	65	spamfilter {
	66	regex "^!login grrrr yeah baby!$";
	67	target channel;
	68	reason "Attempting to login to a GTBot";
ef942d39	69	action gline;
c324f145	70	};
	71
	72	spamfilter {
7bc23b42	73	regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
c324f145	74	target channel;
c324f145	75	reason "Attempting to use a GTBot";
ef942d39	76	action gline;
c324f145	77	};
	78
	79	spamfilter {
7bc23b42	80	regex "^!icqpagebomb ([0-9]{1,15} ){2}.+";
c324f145	81	target channel;
c324f145	82	reason "Attempting to use a GTBot";
ef942d39	83	action gline;
c324f145	84	};
	85
	86	spamfilter {
7bc23b42	87	regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
c324f145	88	target channel;
c324f145	89	reason "Attempting to use a GTBot";
ef942d39	90	action gline;
c324f145	91	};
	92
	93	spamfilter {
	94	regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
	95	target channel;
	96	reason "Attempting to use a GTBot";
ef942d39	97	action gline;
c324f145	98	};
301dbe6e	99
7bc23b42	100	spamfilter {
	101	regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
	102	target channel;
	103	reason "Attempting to use an SDBot";
ef942d39	104	action gline;
7bc23b42	105	};
7bc23b42	106
301dbe6e BM	107	spamfilter {
	108	regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})\|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
	109	target { channel; private; };
61ab744d	110	reason "Attempting to use a SpyBot";
ef942d39	111	action gline;
301dbe6e	112	};
0f320469 BM	113
	114	spamfilter {
	115	regex "^porn! porno! http://.+\/sexo\.exe";
	116	target private;
ef942d39	117	action gline;
0f320469 BM	118	reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
0f320469 BM	119	};
f1bd72ff BM	120
	121	spamfilter {
	122	regex "(^wait a minute plz\. i am updating my site\|.my erotic video).http://.+/erotic(a)?/myvideo\.exe$";
	123	target private;
ef942d39	124	action gline;
f1bd72ff BM	125	reason "Infected by some trojan (erotica?)";
f1bd72ff BM	126	};
4e5ebba5	127
	128	spamfilter {
	129	regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \\| \.load -rs nospam \\| //mode \$me \+R$";
	130	target private;
ef942d39	131	action gline;
4e5ebba5	132	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
	133	};
	134
	135	spamfilter {
	136	regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \\| \.load -rs Matrix2 \\| //mode \$me \+R$";
	137	target private;
ef942d39	138	action gline;
4e5ebba5	139	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
	140	};
	141
	142	spamfilter {
	143	regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.,m\) \\| \$decode\(.,m\)$";
	144	target private;
ef942d39	145	action gline;
4e5ebba5	146	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
4e5ebba5	147	};
db7e7563 BM	148
	149	spamfilter {
	150	regex ".(http://jokes\.clubdepeche\.com\|http://horny\.69sexy\.net\|http://private\.a123sdsdssddddgfg\.com).";
	151	target private;
704b6260	152	action gline;
db7e7563 BM	153	reason "Infected by LOI trojan"; /* Name is still unsure */
db7e7563 BM	154	};
376494f3 BM	155
	156	/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
	157	spamfilter {
704b6260	158	regex "C:\\\\WINNT\\\\system32\\\\[][0-9a-z_-{\|}`]+\.zip";
376494f3 BM	159	target dcc;
	160	action block;
	161	reason "Infected by Gaggle worm?";
	162	};
	163
376494f3	164	spamfilter {
704b6260	165	regex "C:\\\\WINNT\\\\system32\\\\(notes\|videos\|xxx\|ManualSeduccion\|postal\|hechizos\|images\|sex\|avril)\.zip";
376494f3 BM	166	target dcc;
	167	action dccblock;
	168	reason "Infected by Gaggle worm";
	169	};
	170
376494f3 BM	171	spamfilter {
376494f3 BM	172	regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif\|jpg\|avi\|txt)";
0a790a56	173	target { private; quit; };
376494f3 BM	174	action block;
	175	reason "Infected by Gaggle worm";
	176	};
704b6260 BM	177
	178	spamfilter {
	179	regex "^Free porn pic.? and movies (www\.sexymovies\.da\.ru\|www\.girlporn\.org)";
	180	target private;
	181	reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
	182	action block;
	183	};
	184
	185	spamfilter {
	186	regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
	187	target channel;
	188	reason "$decode exploit";
	189	action block;
	190	};
	191
	192	/*
	193	spamfilter {
	194	regex "//write \$decode\(.+\\|.+load -rs";
	195	target { private; channel; };
	196	reason "Generic $decode exploit";
	197	action block;
	198	};
	199	*/
	200
	201	spamfilter {
	202	regex "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \\| \.load -rs \$decode\(.+=.?,m\)$";
	203	target private;
	204	action block;
	205	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
	206	};