Abusing services

These are old archives. They are kept for historic purposes only.
Post Reply
Suchiara
Posts: 64
Joined: Fri May 20, 2005 2:37 pm

Abusing services

Post by Suchiara » Sun Nov 13, 2005 6:23 pm

Hello.

I saw some users on the network having nick such as NeckCrew and etc and sending notices or private messages to other users:

This nickname is registered and protected. If it is your
nick, type /msg NickServ IDENTIFY password. Otherwise,
please choose a different nick.


so, I set up such spamfilter:

spamfilter {
regex "^This nickname is registered and protected\.\ \ If it is your$";
target { private; private-notice; };
reason "Abuse: Trying to fake services' notice messages. Sorry, permanent BAN.";
action gzline;
ban-time 0;
};


However, some users paste their status window or sth and accidently match the filter and get gzlined.. However, they are innocent..

Is there any better regex to stop this abuse?

Syzop
UnrealIRCd head coder
Posts: 1881
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop » Sun Nov 13, 2005 7:00 pm

Well, since you use ^This nickname[etc] you force the line to start exactly with that, so that is good :).
I wonder how other people paste then, since normally it's just like:
[xx:yy] <Somenick> hey I got:
[xx:yy] <Somenick> [xx:yy] <Idiot> This nickname[etc..]
heh.

You sure they are innocent?

Also, how can they paste these things.. they should have never received the message in the first place.
So probably better to check why some slip trough or something?

I dunnow

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Mon Nov 14, 2005 4:53 am

I can imagine them (maybe) pasting it in their help channel, or something - in which case, isn't there a way to exempt certain channels from spamfilter?
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Mon Nov 14, 2005 8:41 am

Of course there is a way to exempt certain channels from spamfilter: set::spamfilter::except :D

But the clients shouldn't have received the messages in the first place if it was blocked correctly... :roll:
If you don't make mistakes, you aren't really trying.
- Coleman Hawkins

Suchiara
Posts: 64
Joined: Fri May 20, 2005 2:37 pm

Post by Suchiara » Mon Nov 14, 2005 4:11 pm

no! they paste like that:

[xx:yy] <Somenick> hey I got:
[xx:yy] <Somenick> [xx:yy] <Idiot> This nickname[etc..]


[xx:yy] <Idiot>[space here]This nickname


it should don't affect the spamfilter, however, the spamfilter still catches it. I'm sure they are innocent because I was unable to reproduce that pasting without getting caught by the spamfilter...

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Mon Nov 14, 2005 9:42 pm

Control codes and nonbreaking spaces can be used. You will not be able to filter this well without matching the innocent repasters
Why the hell can't my signature be empty?
"Your message contains too few characters."

igor
Posts: 5
Joined: Mon Dec 05, 2005 4:36 pm

Post by igor » Mon Dec 05, 2005 7:04 pm

why would they paste their status window in a private query anyways? why not just do it in a private channel?

Suchiara
Posts: 64
Joined: Fri May 20, 2005 2:37 pm

Post by Suchiara » Wed Dec 07, 2005 7:24 pm

actually, this spamfilter is to pretect users form those bad guys trying to steal passwords:

-NikcSerw- This nickname is registered and protected. If it is your
-NikcSerw- nick, type /msg NikcSerw IDENTIFY password. Otherwise,
-NikcSerw- please choose a different nick.

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Thu Dec 08, 2005 9:58 pm

/spamfilter + npcN gzline 7d Services_Impersonation_/_Password_Stealing /msg (.*[^N][^i][^c][^k][^S][^e][^r][^v].*|.{1,7}) IDENTIFY password

Use that. If they paste it with the nick NickServ, it will not match. If they paste it with anything else (like their own nick, N1ckServ, etc), it will ban them for a week.
Why the hell can't my signature be empty?
"Your message contains too few characters."

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Dec 09, 2005 2:47 am

Maybe I'm just paranoid, but I'd prefer this:

/spamfilter + npcN gzline 7d Services_Impersonation_/_Password_Stealing /msg ([^N]|N[^i]|Ni[^c]|Nic[^k]|Nick[^S]|NickS[^e]|NickSe[^r]|NickSer[^v]|NickServ\S).*

I'm not sure but I don't think you even need to specially handle the < 8 characters deal since if they do something like NickSer IDENTIFY, it'll catch on NickSer[^v] because a space isn't a v :) .

Alternative method, spamfilter on /msg .* IDENTIFY for private notice or msg. The real NickServ is immune to spamfilter.

Alternative method, spamfilter ^IDENTIFY with action block, and reason "Do not use /msg NickServ to identify - use /nickserv or /identify instead." - because aliases don't have spamfilter checking. Like so:
/spamfilter + pn block - Do_not_use_/msg_NickServ_to_identify._Use_/nickserv_or_/identify_instead. ^IDENTIFY
This doesn't block the spam notice, but it does basically keep people from sending their password rendering the spam "useless".
If you use this method, you may want to change your service's code or language files to instruct people to use /nickserv or /identify or else confused newbies will ensue. On that note, maybe you should do it anyway. :)

Post Reply