Spamfilter Help... - DCC send secrets.exe

Posted: Wed Nov 15, 2006 5:40 pm
by Darvocet
Hey guys, I needed some help writing a spamfilter to gline bots which are connecting and attempting to send 'secrets.exe' to users.

I tried:

spamfilter {
	regex "secrets\.exe";
	target dcc;
	action gline;
	reason "Code 200 - Your client is generating spam which disrupts network. Please visit http://www.epicirc.net/kline or email [email protected] for more information.";
	ban-time 72h;
};

But that didn't work. Any ideas?

Thanks.

Posted: Wed Nov 15, 2006 6:37 pm
by SpaceDoG
You want to use the deny dcc block...

deny dcc {
	filename "secrets.exe"; // wildcards (*) can be used.
	reason "You computer is infected with a virus. We are unable to allow the transfer of secrets.exe for this reason";
};

Posted: Wed Nov 15, 2006 6:59 pm
by wax
[Spamfilter] euuoiu![email protected] matches filter 'secrets\.exe': [PRIVMSG [NEдетский_STYLE]PeppEr: 'secrets.exe'] [secrets exe spammer]

:]

/spamfilter add d gzline 30d secrets_exe_spammer secrets\.exe

Posted: Wed Nov 15, 2006 9:04 pm
by Darvocet
wax wrote:[Spamfilter] euuoiu![email protected] matches filter 'secrets\.exe': [PRIVMSG [NEдетский_STYLE]PeppEr: 'secrets.exe'] [secrets exe spammer]

:]

/spamfilter add d gzline 30d secrets_exe_spammer secrets\.exe

Neither of those worked...

[2:55pm] -Groofy- DCC Send secrets.exe (82.73.70.x)

Any other ideas?

Posted: Wed Nov 15, 2006 9:35 pm
by Syzop
Darvocet wrote:Neither of those worked...

[2:55pm] -Groofy- DCC Send secrets.exe (82.73.70.x)

Any other ideas?
That's just a notice, not the actual DCC.

Posted: Wed Nov 15, 2006 10:06 pm
by SpaceDoG
Did you add the deny dcc block to all of the servers on the network and rehash the config files?

Posted: Thu Nov 16, 2006 5:07 pm
by Darvocet
Syzop wrote:That's just a notice, not the actual DCC.
:) Thank you Syzop for your help. I didn't allow it on my client so didn't even think of that. Doh!

Umm.. yes I added it to all servers and rehashed. This is my third day. So the file is now blocked by the dcc deny field. What is the best way to go about glining them for trying? I did add a spamfilter:

(%) F d gzline 0 72853 259200 Code_200_-_Your_computer_is_infected_with_a_virus._Please_visit_www.epicirc.net/kline_for_more_information. XanaX![email protected] secrets\.exe

But that didn't work in our test... I'm going out of town today so I will post again and try to get this done tonight when I get to California.

Thanks!

Posted: Thu Nov 16, 2006 7:08 pm
by SpaceDoG

spamfilter {
	regex "secrets\.exe";
	target { private-notice;};
	action gline;
	reason "Code 200 - Your computer is infected with a virus. Please visit www.epicirc.net/kline for more information.";
	bantime 72h;
};
Add that to your conf file on all your servers then rehash them.
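To make Syzop's distinction concrete (the worm's "DCC Send secrets.exe" line is a plain NOTICE, so a filter with `target dcc` never sees it, while `private-notice` does), here is an added example that is not part of this thread or of UnrealIRCd itself. It classifies raw IRC lines into the spamfilter target names used above, runs both Darvocet's dcc-only rule and SpaceDoG's notice rule over constructed sample traffic, and models the `deny dcc` filename wildcard match. The target mapping, the assumption that matching is case-insensitive, and the sample lines are all assumptions made for the example.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample traffic, not captured from any real network. Nicks,
# hosts and DCC parameters are made up; the wording mirrors the thread.
SAMPLE_LINES = [
    # The worm's advertisement: an ordinary NOTICE to a user (what Groofy sent).
    ":Groofy!worm@82.73.70.x NOTICE Darvocet :DCC Send secrets.exe (82.73.70.x)",
    # A genuine DCC SEND offer: a CTCP carried inside a PRIVMSG, wrapped in \x01.
    ":euuoiu!u@host PRIVMSG PeppEr :\x01DCC SEND secrets.exe 1381516078 1024 51200\x01",
    # A harmless private message that merely mentions the filename.
    ":alice!a@host PRIVMSG bob :did you get that secrets.exe warning too?",
    # Channel chatter mentioning the filename.
    ":alice!a@host PRIVMSG #help :anyone else seeing secrets.exe notices?",
]

# <prefix> <command> <destination> [:]<trailing text>
RAW_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+) (?P<dest>\S+) :?(?P<text>.*)$")
# Inside a CTCP body: DCC <kind> <filename> ...
DCC_BODY = re.compile(r"^DCC\s+(?P<kind>\S+)\s+(?P<file>\S+)")


def classify(line):
    """Return (spamfilter_target, text_to_match) for one raw IRC line.

    Target names follow the spamfilter targets used in this thread
    (private, private-notice, channel, channel-notice, dcc). This mapping is
    an assumption of the example: for 'dcc' the matched text is the DCC
    filename; for the others it is the message body.
    """
    m = RAW_LINE.match(line)
    if not m:
        return None, ""
    cmd, dest, text = m.group("cmd").upper(), m.group("dest"), m.group("text")
    to_channel = dest.startswith("#")
    if cmd == "PRIVMSG":
        if text.startswith("\x01") and text.endswith("\x01"):
            dcc = DCC_BODY.match(text.strip("\x01"))
            if dcc:
                return "dcc", dcc.group("file")
        return ("channel" if to_channel else "private"), text
    if cmd == "NOTICE":
        return ("channel-notice" if to_channel else "private-notice"), text
    return None, text


@dataclass(frozen=True)
class SpamRule:
    name: str
    regex: str
    targets: frozenset
    action: str = "gline"


# Darvocet's first attempt (dcc only) next to SpaceDoG's fix (private-notice).
RULES = [
    SpamRule("dcc-only", r"secrets\.exe", frozenset({"dcc"})),
    SpamRule("notice-fix", r"secrets\.exe", frozenset({"private-notice"})),
]


def matching_rules(line, rules=RULES):
    """Names of the rules whose target covers this line and whose regex matches."""
    target, text = classify(line)
    return [r.name for r in rules
            if target in r.targets and re.search(r.regex, text, re.IGNORECASE)]


def deny_dcc(filename, patterns):
    """Model of the deny dcc block: shell-style wildcards, case-insensitive."""
    return any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in patterns)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line)[0], "->", matching_rules(line) or "no match")
```

Running the block shows the first line classified as `private-notice` and caught only by the notice rule, the real DCC offer classified as `dcc` and caught only by the dcc rule, and the two ordinary messages caught by neither; in practice a network would run both rules, plus `deny dcc` for the transfer itself.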

Posted: Sun Nov 19, 2006 9:02 pm
by WilliamWIkked
I also dcc denied and added the spamfilter to my network. I guess we're not the only one receiving this.

Posted: Sun Nov 19, 2006 9:25 pm
by Jobe
I've heard of a few people on a few networks having someone or something try to send them a file of the same name. That sparked an argument between us as to whether DCC required CTCP or not.

Posted: Sun Nov 19, 2006 10:05 pm
by Syzop
Technically, DCC is a CTCP, but so is ACTION (like '/me is teh leet').
I don't know what you're after, but if what you meant was: if you ignore all CTCPs, would you then also be ignoring DCC? The answer is: it depends on the client. On some (or many) DCC CTCPs are not included in CTCP ignore (which is quite logical). Also ACTION CTCPs are almost never included in CTCP ignore.
Reminds me of those old times where BitchX would kickban or take other actions whenever someone used /me too much, seeing it as a 'CTCP flood' ;)

Posted: Mon Nov 20, 2006 1:15 am
by Jobe
That post is exactly the example of how it sparked off an argument, with me saying it was technically a CTCP and others denying it, just because their client didn't ignore it along with CTCPs.

Posted: Tue Nov 21, 2006 2:45 am
by WilliamWIkked
Does anyone know what this file does or if there's a website to tell more information? I'd like to have a little bit more than "Possibly infected exe"

Posted: Tue Nov 21, 2006 2:59 am
by SpaceDoG
It's not actually a DCC transfer request notice. It's just a client which has been compromised with a worm and is noticing users, telling them to accept that file.

Posted: Sat Nov 25, 2006 10:34 pm
by Darvocet
Thanks for all the help, that eventually did the trick and I haven't heard any complaints! :)