Spamfilter Help... - DCC send secrets.exe

These are old archives. They are kept for historic purposes only.
Darvocet
Posts: 105
Joined: Sun Jun 27, 2004 6:40 am
Location: Houston, TX

Spamfilter Help... - DCC send secrets.exe

Post by Darvocet »

Hey guys, I needed some help writing a spamfilter to gline bots which are connecting and attempting to send 'secrets.exe' to users.

I tried:

spamfilter {
regex "secrets\.exe";
target dcc;
action gline;
reason "Code 200 - Your client is generating spam which disrupts network. Please visit http://www.epicirc.net/kline or email spam@epicirc.net for more information.";
ban-time 72h;
};

But that didn't work. Any ideas?

Thanks.
- Darvocet
Sr. Network Admin: EpicIRC.Net
SpaceDoG
Posts: 301
Joined: Mon Feb 27, 2006 5:44 am

Post by SpaceDoG »

You want to use the deny dcc block...

deny dcc {
filename "secrets.exe"; //wild cards (*) can be used.
reason "Your computer is infected with a virus. We are unable to allow the transfer of secrets.exe for this reason";
};
wax
Posts: 72
Joined: Tue Oct 04, 2005 6:32 am
Location: ByNets@Belarus

Post by wax »

[Spamfilter] euuoiu!BiTCH@gulch.concordia.ab.ca matches filter 'secrets\.exe': [PRIVMSG [NEдетский_STYLE]PeppEr: 'secrets.exe'] [secrets exe spammer]

:]

/spamfilter add d gzline 30d secrets_exe_spammer secrets\.exe
Darvocet
Posts: 105
Joined: Sun Jun 27, 2004 6:40 am
Location: Houston, TX

Post by Darvocet »

wax wrote:[Spamfilter] euuoiu!BiTCH@gulch.concordia.ab.ca matches filter 'secrets\.exe': [PRIVMSG [NEдетский_STYLE]PeppEr: 'secrets.exe'] [secrets exe spammer]

:]

/spamfilter add d gzline 30d secrets_exe_spammer secrets\.exe

Neither of those worked...

[2:55pm] -Groofy- DCC Send secrets.exe (82.73.70.x)

Any other ideas?
- Darvocet
Sr. Network Admin: EpicIRC.Net
Syzop
UnrealIRCd head coder
Posts: 1961
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Darvocet wrote:Neither of those worked...

[2:55pm] -Groofy- DCC Send secrets.exe (82.73.70.x)

Any other ideas?

That's just a notice, not the actual DCC.
SpaceDoG
Posts: 301
Joined: Mon Feb 27, 2006 5:44 am

Post by SpaceDoG »

Did you add the deny dcc block to all of the servers on the network and rehash the config files?
Darvocet
Posts: 105
Joined: Sun Jun 27, 2004 6:40 am
Location: Houston, TX

Post by Darvocet »

Syzop wrote:That's just a notice, not the actual DCC.

:) Thank you Syzop for your help. I didn't allow it on my client so didn't even think of that. Doh!

Umm.. yes I added it to all servers and rehashed. This is my third day. So the file is now blocked by the dcc deny field. What is the best way to go about glining them for trying? I did add a spamfilter:

(%) F d gzline 0 72853 259200 Code_200_-_Your_computer_is_infected_with_a_virus._Please_visit_www.epicirc.net/kline_for_more_information. XanaX!admin@epicirc.net secrets\.exe

But that didn't work in our test... I'm going out of town today so I will post again and try to get this done tonight when I get to California.

Thanks!
- Darvocet
Sr. Network Admin: EpicIRC.Net
SpaceDoG
Posts: 301
Joined: Mon Feb 27, 2006 5:44 am

Post by SpaceDoG »


spamfilter {
	regex "secrets\.exe";
	target { private-notice;};
	action gline;
	reason "Code 200 - Your computer is infected with a virus. Please visit www.epicirc.net/kline for more information.";
	bantime 72h;
};
Add that to your conf file on all your servers then rehash them.
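Syzop's point above (the "DCC Send secrets.exe" line users saw is a plain notice, not a CTCP DCC offer) is why the first filter with `target dcc` never fired and SpaceDoG's `target { private-notice; }` version does. The following Python is an added example, not UnrealIRCd's code or anyone's post in this thread: it parses raw IRC lines, tells a real CTCP DCC SEND apart from a notice that merely talks about one, maps each message to a spamfilter target kind, and runs the two filters over constructed sample traffic. The target names `dcc` and `private-notice` come from the configs in the thread; the remaining kinds, the case-insensitive regex matching and the sample lines are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CTCP = "\x01"  # CTCP requests (DCC, ACTION, VERSION, ...) are wrapped in \x01


@dataclass
class IrcMessage:
    prefix: str    # nick!user@host of the sender
    command: str   # PRIVMSG or NOTICE
    target: str    # nick or channel the message was sent to
    text: str      # trailing parameter


def parse_line(line: str) -> IrcMessage:
    """Parse ':nick!user@host CMD target :text' (server-to-client form)."""
    prefix = ""
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    head, _, text = line.partition(" :")
    command, target = head.split()[:2]
    return IrcMessage(prefix, command, target, text)


def ctcp_payload(text: str) -> Optional[str]:
    """Return the text inside the \x01 delimiters, or None for a plain message."""
    if len(text) >= 2 and text[0] == CTCP and text[-1] == CTCP:
        return text[1:-1]
    return None


def classify(msg: IrcMessage) -> Tuple[str, str]:
    """Map a message to (spamfilter target kind, text the regex is run over).

    Only 'dcc' and 'private-notice' appear in the thread; the other kinds and
    the choice of what text to scan are assumptions of this example.
    """
    payload = ctcp_payload(msg.text)
    if payload is not None:
        verb, _, rest = payload.partition(" ")
        if verb.upper() == "DCC":
            # A genuine offer looks like "DCC SEND <file> <ip> <port> <size>".
            return "dcc", rest
        if verb.upper() == "ACTION":
            return "action", rest  # '/me' is a CTCP as well
        return "ctcp", payload
    on_channel = msg.target.startswith(("#", "&"))
    if msg.command == "NOTICE":
        return ("channel-notice" if on_channel else "private-notice"), msg.text
    return ("channel" if on_channel else "private"), msg.text


@dataclass
class SpamFilter:
    regex: "re.Pattern"
    targets: frozenset
    action: str
    reason: str


def evaluate(msg: IrcMessage, filters: List[SpamFilter]) -> Optional[Tuple[str, str]]:
    """Return (action, reason) of the first filter that applies, else None."""
    kind, text = classify(msg)
    for f in filters:
        if kind in f.targets and f.regex.search(text):
            return f.action, f.reason
    return None


REASON = ("Code 200 - Your computer is infected with a virus. "
          "Please visit www.epicirc.net/kline for more information.")
# The first attempt from the thread: only real DCC offers are checked.
DCC_ONLY = SpamFilter(re.compile(r"secrets\.exe", re.I), frozenset({"dcc"}), "gline", REASON)
# SpaceDoG's version: private notices are checked.
NOTICE_FILTER = SpamFilter(re.compile(r"secrets\.exe", re.I), frozenset({"private-notice"}), "gline", REASON)

# Constructed sample traffic (not captured from any network).
NOTICE_LINE = ":Groofy!worm@82.73.70.1 NOTICE victim :DCC Send secrets.exe (82.73.70.x)"
REAL_DCC_LINE = ":Groofy!worm@82.73.70.1 PRIVMSG victim :\x01DCC SEND secrets.exe 1380726273 1024 59\x01"
ACTION_LINE = ":joe!joe@example.net PRIVMSG #help :\x01ACTION is teh leet\x01"

if __name__ == "__main__":
    for line in (NOTICE_LINE, REAL_DCC_LINE, ACTION_LINE):
        msg = parse_line(line)
        print(classify(msg)[0], "->", evaluate(msg, [DCC_ONLY]), "|", evaluate(msg, [NOTICE_FILTER]))
```

Running it shows the notice line classified as `private-notice`, ignored by the `dcc`-only filter and caught by the `private-notice` one, while a genuine CTCP DCC SEND is the only thing the `dcc` filter sees; the `/me` line is a CTCP too but matches neither filter.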
WilliamWIkked
Posts: 59
Joined: Sun Jun 20, 2004 3:30 am

Post by WilliamWIkked »

I also dcc denied and added the spamfilter to my network. I guess we're not the only one receiving this.
[insert another cliche sig here.]
Jobe
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe »

I've heard of a few people on a few networks having someone or something try to send them a file of the same name. That sparked an argument between us as to whether DCC required CTCP or not.
Syzop
UnrealIRCd head coder
Posts: 1961
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Technically, DCC is a CTCP, but so is ACTION (like '/me is teh leet').
I don't know what you're after, but if what you meant was: if you ignore all CTCPs, would you then also be ignoring DCC? The answer is: it depends on the client. On some (or many) DCC CTCPs are not included in CTCP ignore (which is quite logical). Also ACTION CTCPs are almost never included in CTCP ignore.
Reminds me of those old times where BitchX would kickban or take other actions whenever someone used /me too much, seeing it as a 'CTCP flood' ;)
Jobe
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe »

That post is exactly the example of how it sparked off an argument, with me saying it was technically a CTCP and others denying it, just because their client didn't ignore it along with CTCPs.
WilliamWIkked
Posts: 59
Joined: Sun Jun 20, 2004 3:30 am

Post by WilliamWIkked »

Does anyone know what this file does or if there's a website to tell more information? I'd like to have a little bit more than "Possibly infected exe"
[insert another cliche sig here.]
SpaceDoG
Posts: 301
Joined: Mon Feb 27, 2006 5:44 am

Post by SpaceDoG »

It's not actually a DCC transfer request notice. It's just a client which has been compromised with a worm that is noticing users, telling them to accept that file.
Darvocet
Posts: 105
Joined: Sun Jun 27, 2004 6:40 am
Location: Houston, TX

Post by Darvocet »

Thanks for all the help, that eventually did the trick and I haven't heard any complaints! :)
- Darvocet
Sr. Network Admin: EpicIRC.Net