IrcDefender

[hippytyre]

I was wondering if anyone running IrcDefender could help me with this. I posted it over on their forums but I've not had a reply yet and the forums look a little abandoned.


I'm using the version.pm module that came with ircdefender. I have the deny_version.conf in the root of my defender folder and I have the following lines in the deny_version.conf

Code: Select all

subseven.+ G Subseven trojan drone.

Bottler.+ G XDCC Looker bots are not allowed here!

mIRC.+5\.+Bey W You are running an insecure mirc version, please upgrade.

mIRC.+3\.+ W Why are you running a 10 year old copy of mirc?

x-chat\s2\.0\.5 W Insecure x-chat version, please upgrade asap.

^35\sF$ G Stupid 35 F bots that part and join.

I'm trying to ban bots with the version reply of "35 F" without the quotes but it doesn't seem to be working. I'm no regexp expert but I'm sure my ban is right.
Can anyone help?

IrcDefender is defiantly checking the versions on connect.

Thanks

[Jobe]

Are those the .fr bots who's nick == ident and GECOS == version reply?

[hippytyre]

yeah most of them connect from noos.fr They don't seem to do all that much.

[Casper]

By any chance they use nicknames like lidl22, lola22 ? (It's off-topic, I know, but those bots also connect to my server and I find it very annoying and I want to know who'se sending them..)

[hippytyre]

yeah, thats right it always seems to be girls names too. I'm sure there is an easy way to do it but i'd like to use IRCdefenders Version check for it. Earn its keep ::D

[Casper]

I don't think you need IRCDefender for that, as they connect from like two hostnames, so it would be a lot easier to just ban them manually. At least, that helps the best over here

Good luck and if you find out something more about it, please let me know !

[Jobe]

I don't think you need IRCDefender for that, as they connect from like two hostnames, so it would be a lot easier to just ban them manually. At least, that helps the best over here

Good luck and if you find out something more about it, please let me know !

I've found they connect from varying host names but from only 2 ISP's. wanadoo.fr and noos.fr From which their IP changes.

[Casper]

Hmm, thanks for the information. I don't have any French people connecting, so I just banned the whole ISP.

Do you know by the way wheter there is some organisation sending them or what they do? As far as I found out they just sit in a(n) (empty) empty channel and do like nothing...

[Jobe]

The ones I've had join 5 and only 5 random channels from /list :S

[Casper]

Could it have something to do with the Israeli organisation which turned out to log the chats of several networks? I've heard they operated from several countries. I unfortuantely don't know from what countries..

[hafkensite]

Could it have something to do with the Israeli organisation which turned out to log the chats of several networks? I've heard they operated from several countries. I unfortuantely don't know from what countries..

http://www.techcrunch.com/2007/11/30/wi ... -irc-chat/

[StrawberryKittens]

I had problems with these also. Heres a regex that will stop them.

Code: Select all

^([a-zA-Z0-9]+)!([a-z0-9]+)@[^:]+:h \d\d
^([a-zA-Z0-9]+)!([a-z0-9]+)@[^:]+:\d\d F

Thanks to nate who had helped me with those on my own network.

[robc62]

as an aside to this topic - if anyone still has these bots connecting from *@*.noos.fr ... pm one and it will reply and eventually ask if you have a webcam - 'they' seem to be from some web-cam service and are lightly spamming. The regex's listed by the previous poster work fine

[MiNdErAsR]

In defender's deny_version.conf we have the following which keeps the bots at bay...

Code: Select all

\d{2}\sF\s.+    G       Wanadoo bots begone