Delete me

These are old archives. They are kept for historic purposes only.
outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz » Mon Jun 11, 2007 7:51 pm

jkj
Last edited by outz on Tue Jul 03, 2007 2:09 pm, edited 2 times in total.

Jobe1986
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe1986 » Mon Jun 11, 2007 8:14 pm

http://www.vulnscan.org/UnrealIRCd/unre ... lnameblock

Might help with the ones using a user-agent string as their real name.

outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz » Mon Jun 11, 2007 9:01 pm

jkj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Mon Jun 11, 2007 9:25 pm

Have you tried the antirandom module?

Jobe1986
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe1986 » Mon Jun 11, 2007 10:05 pm

Stealth wrote: Have you tried the antirandom module?
Sorry if it sounds rude pointing it out, but the following is from his first post:

[09:20am] *** Notice -- [antirandom] denied access to user with score 23: cgvpgkuw!dfxhrnhj@modemcable053.7-80-70.mc.videotron.ca:oifsqyhv

outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz » Mon Jun 11, 2007 10:28 pm

jkj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Mon Jun 11, 2007 11:00 pm

Jobe1986 wrote: [09:20am] *** Notice -- [antirandom] denied access to user with score 23: cgvpgkuw!dfxhrnhj@modemcable053.7-80-70.mc.videotron.ca:oifsqyhv
Sorry about that... something you should consider doing is making a script to catch those antirandom doesn't have access to (don't know why it wouldn't have access to those... perhaps they are connecting to a server antirandom isn't loaded on?)

EDIT: nvm about that. The message "[antirandom] denied access to user with score 23:" means antirandom has detected it, and the gline follows. That message is a little misleading (looks like an error) :P

To stop that message, change set::antirandom::show-failedconnects to no.

outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz » Tue Jun 12, 2007 12:47 pm

jkj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.

seraphim
Posts: 36
Joined: Tue Apr 03, 2007 11:10 am

Post by seraphim » Tue Jun 12, 2007 2:27 pm

outz wrote:
outz wrote: Thanks. That was definitely helpful.

Any idea how I would block these?

*** d1j0xm10o8p (rm@E4C09A03.D6356A36.A3922693.IP) has joined #Offtopic
*** v4q4ur6o0a (xx@OBSI-552FA08B.woh.res.rr.com) has joined #Offtopic
*** y3l1ki10w3e (vt@A3361B00.6BBE878B.A6A3CF6.IP) has joined #Offtopic
*** o0m3km5b1s (xn@OBSI-83951A7B.stny.res.rr.com) has joined #Offtopic
*** g9g10ne5x3t (eb@OBSI-712CD4EE.hsd1.mi.comcast.net) has joined #Offtopic
I think I could use a regex that filters 1-letter 1-number 1-letter 1-number and so on - I'm just having trouble with the actual string.
No, there are letter-letter-number-letter-number-number; it's random, so regexes with letter-number-letter-number... won't work.

Do some CTCP on them
/ctcp <nick> version
/ctcp <nick> finger

If you've got some special version reply, you can ban it in the config with the deny-version block.
http://www.vulnscan.org/UnrealIRCd/unre ... rsionblock

And likewise, with a special finger reply, use the spamfilter for CTCP replies.

And maybe these bots are from 1 or 2 providers; then you can ban the whole IP ranges of these providers.

To find out what IP ranges were used for spam, flood, etc., you could use http://www.spamhaus.org/sbl/index.lasso; there you can find them.

outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz » Tue Jun 12, 2007 5:16 pm

ghj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.

seraphim
Posts: 36
Joined: Tue Apr 03, 2007 11:10 am

Post by seraphim » Tue Jun 12, 2007 6:00 pm

It can take a while to get a CTCP answer, because the attacker uses proxies.
Then you can only collect the used IPs and GZLine them, and you should use some proxy scanner like BOPM or OPSB at the NeoStats.

Jobe1986
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe1986 » Tue Jun 12, 2007 6:03 pm

Try this regex on the spamfilter type user:
^[a-z]\d{1,2}[a-z]{2}\d{1,2}[a-z]\d{1,2}[a-z]|[a-z]{2}@
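
Added example, not part of the thread and not UnrealIRCd code: a Python check of the regex posted above against the five join lines quoted earlier, rewritten in the nick!user@host:realname form that the antirandom notice shows. Assumptions: Python's `re` with case-insensitive matching stands in for the IRCd's regex engine, and the realname `x`, the `LEGIT` users and the `CANDIDATE` pattern are constructed here.

```python
import re

# Regex exactly as posted in the thread.
POSTED = r"^[a-z]\d{1,2}[a-z]{2}\d{1,2}[a-z]\d{1,2}[a-z]|[a-z]{2}@"

# Hypothetical candidate derived only from the five join lines below:
# nick and ident are both anchored, so nothing matches on the ident alone.
CANDIDATE = (r"^[a-z]\d{1,2}[a-z]\d{1,2}[a-z]{2}\d{1,2}"
             r"[a-z]\d{1,2}[a-z]![a-z]{2}@")

# Join lines from the thread as nick!user@host:realname.
# The realname is not shown on the page; "x" is a constructed placeholder.
BOTS = [
    "d1j0xm10o8p!rm@E4C09A03.D6356A36.A3922693.IP:x",
    "v4q4ur6o0a!xx@OBSI-552FA08B.woh.res.rr.com:x",
    "y3l1ki10w3e!vt@A3361B00.6BBE878B.A6A3CF6.IP:x",
    "o0m3km5b1s!xn@OBSI-83951A7B.stny.res.rr.com:x",
    "g9g10ne5x3t!eb@OBSI-712CD4EE.hsd1.mi.comcast.net:x",
]

# Constructed ordinary users (not from the thread) to measure false positives.
LEGIT = [
    "alice!alice@host.example.net:Alice",
    "Bob_!~bob@203.0.113.7:Bob",
    "carol!c4r0l@host.example.org:carol",
]

def alternatives(pattern):
    # Naive split on '|': valid for these patterns, which contain no groups
    # and no '|' inside a character class or escape.
    return pattern.split("|")

def hits(pattern, targets):
    """Targets matched anywhere by the pattern (search, not full match)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [t for t in targets if rx.search(t)]

def report(pattern):
    """Count matched bots and legit users, plus bots per top-level branch."""
    return {
        "bots": len(hits(pattern, BOTS)),
        "legit": len(hits(pattern, LEGIT)),
        "per_branch_bots": [len(hits(b, BOTS)) for b in alternatives(pattern)],
    }

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(name, report(pat))
```

On this input the anchored first alternative of the posted regex matches none of the five nicks; every hit comes from the unanchored `[a-z]{2}@` alternative, which also matches two of the three constructed ordinary users.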
