
Abusing services

Posted: Sun Nov 13, 2005 6:23 pm
by Suchiara
Hello.

I saw some users on the network having nicks such as NeckCrew etc. and sending notices or private messages to other users:

This nickname is registered and protected. If it is your
nick, type /msg NickServ IDENTIFY password. Otherwise,
please choose a different nick.


So, I set up this spamfilter:

spamfilter {
regex "^This nickname is registered and protected\.\ \ If it is your$";
target { private; private-notice; };
reason "Abuse: Trying to fake services' notice messages. Sorry, permanent BAN.";
action gzline;
ban-time 0;
};


However, some users paste their status window or something and accidentally match the filter and get gzlined. However, they are innocent.

Is there any better regex to stop this abuse?

Posted: Sun Nov 13, 2005 7:00 pm
by Syzop
Well, since you use ^This nickname[etc] you force the line to start exactly with that, so that is good :).
I wonder how other people paste then, since normally it's just like:
[xx:yy] <Somenick> hey I got:
[xx:yy] <Somenick> [xx:yy] <Idiot> This nickname[etc..]
heh.

You sure they are innocent?

Also, how can they paste these things.. they should have never received the message in the first place.
So probably better to check why some slip through or something?

I dunnow

Posted: Mon Nov 14, 2005 4:53 am
by w00t
I can imagine them (maybe) pasting it in their help channel, or something - in which case, isn't there a way to exempt certain channels from spamfilter?

Posted: Mon Nov 14, 2005 8:41 am
by Dukat
Of course there is a way to exempt certain channels from spamfilter: set::spamfilter::except :D

But the clients shouldn't have received the messages in the first place if it was blocked correctly... :roll:

Posted: Mon Nov 14, 2005 4:11 pm
by Suchiara
No! They paste like that:

[xx:yy] <Somenick> hey I got:
[xx:yy] <Somenick> [xx:yy] <Idiot> This nickname[etc..]


[xx:yy] <Idiot>[space here]This nickname


It shouldn't affect the spamfilter; however, the spamfilter still catches it. I'm sure they are innocent because I was unable to reproduce that pasting without getting caught by the spamfilter...

Posted: Mon Nov 14, 2005 9:42 pm
by Jason
Control codes and nonbreaking spaces can be used. You will not be able to filter this well without matching the innocent repasters.

Posted: Mon Dec 05, 2005 7:04 pm
by igor
Why would they paste their status window in a private query anyways? Why not just do it in a private channel?

Posted: Wed Dec 07, 2005 7:24 pm
by Suchiara
Actually, this spamfilter is to protect users from those bad guys trying to steal passwords:

-NikcSerw- This nickname is registered and protected. If it is your
-NikcSerw- nick, type /msg NikcSerw IDENTIFY password. Otherwise,
-NikcSerw- please choose a different nick.

Posted: Thu Dec 08, 2005 9:58 pm
by Jason
/spamfilter + npcN gzline 7d Services_Impersonation_/_Password_Stealing /msg (.*[^N][^i][^c][^k][^S][^e][^r][^v].*|.{1,7}) IDENTIFY password

Use that. If they paste it with the nick NickServ, it will not match. If they paste it with anything else (like their own nick, N1ckServ, etc), it will ban them for a week.

Posted: Fri Dec 09, 2005 2:47 am
by aquanight
Maybe I'm just paranoid, but I'd prefer this:

/spamfilter + npcN gzline 7d Services_Impersonation_/_Password_Stealing /msg ([^N]|N[^i]|Ni[^c]|Nic[^k]|Nick[^S]|NickS[^e]|NickSe[^r]|NickSer[^v]|NickServ\S).*

I'm not sure but I don't think you even need to specially handle the < 8 characters deal since if they do something like NickSer IDENTIFY, it'll catch on NickSer[^v] because a space isn't a v :) .

Alternative method, spamfilter on /msg .* IDENTIFY for private notice or msg. The real NickServ is immune to spamfilter.

Alternative method, spamfilter ^IDENTIFY with action block, and reason "Do not use /msg NickServ to identify - use /nickserv or /identify instead." - because aliases don't have spamfilter checking. Like so:
/spamfilter + pn block - Do_not_use_/msg_NickServ_to_identify._Use_/nickserv_or_/identify_instead. ^IDENTIFY
This doesn't block the spam notice, but it does basically keep people from sending their password rendering the spam "useless".
If you use this method, you may want to change your service's code or language files to instruct people to use /nickserv or /identify or else confused newbies will ensue. On that note, maybe you should do it anyway. :)
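
Added example (not code from any poster in this thread or from the IRCd itself): a small Python harness that runs the two nick-matching regexes posted above over constructed sample lines, to show which impersonation variants and which harmless lines each one fires on. Python's re module stands in for the IRCd's regex engine and matching is taken as unanchored and case-sensitive; both are assumptions, as are the sample lines.

```python
import re

# Regex portions of the two /spamfilter commands, copied from the posts above.
FILTERS = {
    "Jason": r"/msg (.*[^N][^i][^c][^k][^S][^e][^r][^v].*|.{1,7}) IDENTIFY password",
    "aquanight": r"/msg ([^N]|N[^i]|Ni[^c]|Nic[^k]|Nick[^S]|NickS[^e]"
                 r"|NickSe[^r]|NickSer[^v]|NickServ\S).*",
}

# Constructed sample message lines (not captured traffic).
SAMPLES = {
    "real services text": "nick, type /msg NickServ IDENTIFY password.  Otherwise,",
    "NikcSerw from thread": "nick, type /msg NikcSerw IDENTIFY password.  Otherwise,",
    "one char swapped": "nick, type /msg N1ckServ IDENTIFY password.  Otherwise,",
    "short nick": "nick, type /msg NickSer IDENTIFY password.  Otherwise,",
    "suffixed nick": "nick, type /msg NickServ2 IDENTIFY password.  Otherwise,",
    "unrelated help": "try /msg ChanServ HELP for the channel commands",
}


def verdicts(line):
    """Return {filter name: True if that filter would fire on this line}."""
    # Assumption: unanchored, case-sensitive search, as with re.search.
    return {name: re.search(rx, line) is not None for name, rx in FILTERS.items()}


def report():
    """Run every sample through every filter and return the result rows."""
    return {label: verdicts(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        cells = "  ".join(f"{n}={'HIT' if h else 'miss'}" for n, h in hits.items())
        print(f"{label:22} {cells}")
```

On these samples the first regex fires only on the short and suffixed nicks, because its eight negated classes must all differ from NickServ at the same offset. The second fires on every target other than NickServ, including the unrelated ChanServ line, which is the false-positive cost to weigh before attaching gzline to it.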