Page 1 of 1

Anyone seen these???

Posted: Fri Sep 02, 2005 11:14 pm
by droolin
In the last couple days, we have been getting hit by a series of bots that seem to be a spin off the girl/boy bot from awhile back. where it says, hi im a girl are you a boy. And it asks you to join them for chat off a url.
Follows is a spattering of the nicks that they seem to be:

Code: Select all

BrIDgeTc was ~cizi@200.140.10.46 * denax
HElEnaY is ~yeley@AwesomeChatter-9BCB3457.dynamic.dejazzd.com * yegey
alLISoNa is ~neve@C243CC58.7322E107.4AE596DB.IP * nacede
AGnESY is ~gefon@AwesomeChatter-993EA48.arcor-ip.net * qacoh
CAthAriNeQ is ~yaqu@AwesomeChatter-D6277B83.l4.c3.dsl.pol.co.uk * nonef
SUzYD is ~leye@341B78C0.D7B0BEF3.2D7BC8AE.IP * fimura
CaTaRiNAD is ~fuguw@AwesomeChatter-2F31ADF1.tpgi.com.au * tehul
CAthAriNeQ is ~yaqu@AwesomeChatter-D6277B83.l4.c3.dsl.pol.co.uk * nonef
EMilIeg (~zeme@28-12-178-69.gci.net)
Follows is the spamfilters I set for when they do say something, which do work.

Code: Select all

F p gline 0 162149 10800 Freaken_girl_boy_spam_bot Seti!eatme@1C2986BF.C74A7EC3.C128BEA.IP i'm a girl\. are you a boy\?
F p gline 0 170364 10800 Freaken_sex_spam_bot_begone. Seti!eatme@AwesomeChat.CsopIRCop.Net http:\/\/sexpartner
Does anyone know of a way to stop these suckers on the way in the door.?
Ive received no reply on version, ping, time, or anything else on them.
Any help is appriceated.

droolin

Posted: Fri Sep 02, 2005 11:18 pm
by Syzop
the nick looks like a real name coming from a namelist + a random letter attached to it, but.. I suppose you were that far already ;).

lol, yea I was

Posted: Fri Sep 02, 2005 11:26 pm
by droolin
Im trying to see if I can find a name list any place. I don't see anything like this mentioned in the irc security list. But, I'm still looken.
I have seen that the number of upper and lower case letters vary too. Anything from 4 upper in the complete name to more.
Just was hopeing someone had a possible solution.


droolin

Posted: Sun Sep 04, 2005 7:13 am
by aquanight
I think w00t's seen those on dalnet or something a few times...

Probably easiest way to find the namelist is the actually have a copy of the bot... ;)

Posted: Sun Sep 04, 2005 10:12 am
by w00t
Yup, I've seen them around - and until recently I had a copy of the bot :/ if I'd known, I would've saved a copy before I formatted that drive :p

do you rember the bot name?

Posted: Sun Sep 04, 2005 7:28 pm
by droolin
Do you happen to rember the official bot name? Ill hunt and peck my way through google to see if I can find a copy of it. Actualy, do you rember the description everyone called it by???
I was calling it girl/boy. But, I doubt thats what everyone else called it.

Thanks for the reply. Very much appriceated.

droolin

Posted: Mon Sep 05, 2005 11:22 am
by w00t
no, unfortunatly.. I got it to take a look at it myself when I saw it on dalnet a few months back (~4-5?) but didn't get time to follow it up past getting the .exe..

Posted: Thu Sep 15, 2005 11:02 am
by White_Magic

Code: Select all

BrIDgeTc was ~cizi@200.140.10.46 * denax 

HElEnaY is ~yeley@AwesomeChatter-9BCB3457.dynamic.dejazzd.com * yegey 

alLISoNa is ~neve@C243CC58.7322E107.4AE596DB.IP * nacede 

AGnESY is ~gefon@AwesomeChatter-993EA48.arcor-ip.net * qacoh 

CAthAriNeQ is ~yaqu@AwesomeChatter-D6277B83.l4.c3.dsl.pol.co.uk * nonef 

SUzYD is ~leye@341B78C0.D7B0BEF3.2D7BC8AE.IP * fimura 

CaTaRiNAD is ~fuguw@AwesomeChatter-2F31ADF1.tpgi.com.au * tehul 

CAthAriNeQ is ~yaqu@AwesomeChatter-D6277B83.l4.c3.dsl.pol.co.uk * nonef 

EMilIeg (~zeme@28-12-178-69.gci.net) 
we`ll i gues its a risk but,
every ident and realname, every second letter (character) is a vowel
but then again nearly every word matchs this regex :P
just something i spottted thou

Posted: Thu Sep 15, 2005 4:16 pm
by aquanight
At least it can be filtered though ;)

/spamfilter add u kill - Suspected_drone .+!~([^aeiou][aeiou])*[^aeiou]?@.+:([^aeiou][aeiou])*[^aeiou]?$

ya know, ive looked at that

Posted: Thu Sep 15, 2005 4:49 pm
by droolin
I did not see that, I swear. All I seen was random letters.
I put the spam filter you sugested in, and so far. Have seen only one innocent. I'm sure it will be more. I expanded on the kill message, to assist any innocent user that gets taken out. I'll watch.
Whats intresting is. We have random letter bots also joining, that i loaded the antirandom module for. The ones getting through, are also being caught by this spamfilter.
Have to thank you for the help. Even if I don't keep this spamfilter, it's something I didn't know about those bots that I now do. Very much appriceated.

droolin