Delete me

These are old archives. They are kept for historic purposes only.
outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Delete me

Post by outz »

jkj
Last edited by outz on Tue Jul 03, 2007 2:09 pm, edited 2 times in total.
Jobe
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe »

http://www.vulnscan.org/UnrealIRCd/unre ... lnameblock

Might help with the ones using a user-agent string as their real name.
outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz »

jkj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

Have you tried the antirandom module?
Jobe
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe »

Stealth wrote:Have you tried the antirandom module?
Sorry if it sounds rude pointing it out but the following is from his first post:

[09:20am] *** Notice -- [antirandom] denied access to user with score 23: cgvpgkuw![email protected]:oifsqyhv
outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz »

jkj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

Jobe1986 wrote:[09:20am] *** Notice -- [antirandom] denied access to user with score 23: cgvpgkuw![email protected]:oifsqyhv
Sorry about that... something you should consider doing is making a script to catch those antirandom doesn't have access to (don't know why it wouldn't have access to those... perhaps they are connecting to a server antirandom isn't loaded on?)

EDIT: nvm about that. The message "[antirandom] denied access to user with score 23:" means antirandom has detected it, and the gline follows. That message is a little misleading (looks like an error) :P

To stop that message, change set::antirandom::show-failedconnects to no.
outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz »

jkj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.
seraphim
Posts: 36
Joined: Tue Apr 03, 2007 11:10 am

Post by seraphim »

outz wrote:
outz wrote:Thanks. That was definitely helpful.

Any idea how I would block these?

*** d1j0xm10o8p ([email protected]) has joined #Offtopic
*** v4q4ur6o0a ([email protected]) has joined #Offtopic
*** y3l1ki10w3e ([email protected]) has joined #Offtopic
*** o0m3km5b1s ([email protected]) has joined #Offtopic
*** g9g10ne5x3t ([email protected]) has joined #Offtopic
I think I could use a regex that filters 1-letter 1-number 1-letter 1-number and so on - I'm just having trouble with the actual string.
No, there are letter-letter-number-letter-number-number, it's random, so regexes with letter-number-letter-number... won't work.

Do some CTCP on them
/ctcp <nick> version
/ctcp <nick> finger

If you've got some special version reply, you can ban it in the config with the deny-version block.
http://www.vulnscan.org/UnrealIRCd/unre ... rsionblock

And in the same way, for a special finger reply, use the spamfilter for CTCP replies.

And maybe these bots are from 1 or 2 providers; then you can ban the whole IP ranges of these providers.

To find out what IP ranges were used for spam, flood etc. you could use http://www.spamhaus.org/sbl/index.lasso; you can find them there.
outz
Posts: 7
Joined: Mon Jun 11, 2007 7:40 pm

Post by outz »

ghj
Last edited by outz on Tue Jul 03, 2007 2:08 pm, edited 1 time in total.
seraphim
Posts: 36
Joined: Tue Apr 03, 2007 11:10 am

Post by seraphim »

It can take a while to get a CTCP answer, because the attacker uses proxies.
Then you can only collect used IPs and GZLine them, and you should use some proxy scanner like BOPM or OPSB at NeoStats.
Jobe
Official supporter
Posts: 1180
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Post by Jobe »

Try this regex on the spamfilter type user:
^[a-z]\d{1,2}[a-z]{2}\d{1,2}[a-z]\d{1,2}[a-z]|[a-z]{2}@
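
A way to check a candidate spamfilter regex of type user before giving it a ban action, as an added example that is not code from the thread: it runs a pattern over nick!user@host:realname masks and returns the bots caught and the legitimate users hit. The nicks are the five quoted above; the idents, hosts, realnames, legitimate masks and the DERIVED pattern are constructed here, and Python's re with case-insensitive matching is assumed to stand in for the server's regex engine.

```python
import re

# The regex exactly as posted in the thread.
POSTED = r"^[a-z]\d{1,2}[a-z]{2}\d{1,2}[a-z]\d{1,2}[a-z]|[a-z]{2}@"
# Assumption: a pattern derived here from the five quoted nicks (letter,
# 1-2 digits, letter, 1-2 digits, two letters, 1-2 digits, letter,
# 1-2 digits, letter), tied to the nick part by the trailing "!".
DERIVED = r"^[a-z]\d{1,2}[a-z]\d{1,2}[a-z]{2}\d{1,2}[a-z]\d{1,2}[a-z]!"

# Nicks come from the thread; ident, host and realname are constructed
# because the page only shows them redacted.
BOT_NICKS = ["d1j0xm10o8p", "v4q4ur6o0a", "y3l1ki10w3e",
             "o0m3km5b1s", "g9g10ne5x3t"]
BOT_MASKS = [f"{n}!~u{i}@host{i}.example:r{i}" for i, n in enumerate(BOT_NICKS)]

# Constructed masks of ordinary users that must never be banned.
LEGIT_MASKS = [
    "alice!~alice@isp.example:Alice",
    "bob42!bob42@isp.example:Bob",
    "r2d2!~droid@isp.example:R2",
]


def evaluate(pattern, bots=BOT_MASKS, legit=LEGIT_MASKS):
    """Return (bot masks caught, legitimate masks wrongly hit)."""
    rx = re.compile(pattern, re.IGNORECASE)
    caught = [m for m in bots if rx.search(m)]
    false_pos = [m for m in legit if rx.search(m)]
    return caught, false_pos


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("derived", DERIVED)):
        caught, false_pos = evaluate(pat)
        print(f"{name}: caught {len(caught)}/{len(BOT_MASKS)} bots, "
              f"{len(false_pos)} legitimate masks hit: {false_pos}")
```

Because the idents here are constructed, only the nick part of the result carries over to real traffic; rerun it with full masks copied from the server's connect notices before enabling any ban action.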