anyone else get this spam?

Posted: Fri Sep 30, 2005 3:39 am
by DarkBlood
Hello, I've been recently seeing a lot of these spammers. About 4 a week.

A client joins and says
"..:: I'm infected with I-Worm.Blooger.A coded by CyBeR_AciD ::..[spam url]"

It's different nicknames all the time.. the client joins then quits.. So I think it's a bot.

But anyway, for the spam "spam url", there is a different URL all the time and the URL is an IP not a hostname.

So, anyone ever get that kind of spam?

Posted: Fri Sep 30, 2005 4:39 pm
by aquanight
If it's an IP it's pretty easy to filter. I think it's probably more than likely that, at least for all these trojans that spam themselves with "constantly-changing-IP" stuff, the IP is more than likely the spammer's IP ;). (As in: listen on port 80, connect to server, get IP from server, spam it in URL, listen for GET requests, reply with MSHTML exploit + virus or something.)

Anyway, as for filtering it:

/spamfilter + pcnNPq gline 1d Infected_with_virus_please_clean. http://(\d{1,3}\.){3}\d{1,3}(:\d+)?/
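
Added example, not part of either post: the posted pattern run in Python's `re` over constructed messages, next to an assumed variant (`VARIANT`, not from the thread) that also accepts https and a URL with no trailing slash and limits octets to 0-255. It assumes the IRCd's regex engine treats these constructs the way Python does.

```python
import re

# Pattern copied verbatim from the /spamfilter line in the post above.
POSTED = re.compile(r"http://(\d{1,3}\.){3}\d{1,3}(:\d+)?/")

# Assumed variant, not from the thread: also accepts https and a URL with no
# trailing slash, and limits each octet to 0-255.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
VARIANT = re.compile(
    r"https?://(?:" + OCTET + r"\.){3}" + OCTET + r"(?::\d{1,5})?(?=[/\s]|$)"
)

# Constructed sample messages; spam addresses are from documentation ranges.
SAMPLES = [
    "..:: I'm infected with I-Worm.Blooger.A coded by CyBeR_AciD ::..http://192.0.2.45/",
    "..:: I'm infected ::..http://198.51.100.7:8080/",
    "..:: I'm infected ::..http://203.0.113.9",
    "my router admin page is http://192.168.1.1/ if that helps",
    "docs moved to http://example.org/1.2.3.4/",
    "bad octets http://999.1.1.1/",
]


def check(messages):
    """Return (message, posted_hit, variant_hit) for each message."""
    return [
        (m, bool(POSTED.search(m)), bool(VARIANT.search(m)))
        for m in messages
    ]


def hits(messages):
    """Just the (posted_hit, variant_hit) pairs, in input order."""
    return [(p, v) for _, p, v in check(messages)]


if __name__ == "__main__":
    for msg, posted, variant in check(SAMPLES):
        print(f"posted={posted!s:5} variant={variant!s:5} {msg}")
```

The router line matches both patterns, which matters with a `gline 1d` action: any user who pastes a numeric-IP link in a filtered target gets banned.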