Spamfilter for clones

[DeviL69]

i need spamfilter for those kind of bots

* nB7tFmCeLhT H? ~vS8cWiMbY@9117FD79.621348B8.A7830FBA.IP :1 8
* oU2nXdUaXkI Hr? ~yM7jBtIvK@oU2nXdUaXkI.ilirida.net :0 6
* rU6bUgAxSqG Hr? ~cY4aAbMtK@rU6bUgAxSqG.ilirida.net :0 2
* aZ8xLqWzWcO Hr? ~yF4zWsHdO@aZ8xLqWzWcO.ilirida.net :0 8
* gN3eRgHlVbB Hr? ~tT6lNsUuN@gN3eRgHlVbB.ilirida.net :0 2
* nD9hBcJwAjB Hr? ~fU6gDqDaW@nD9hBcJwAjB.ilirida.net :0 5
* qN7eTqRgDpB Hr? ~gQ1eRtIyM@qN7eTqRgDpB.ilirida.net :0 2
* fB8qUnBaGdM Hr? ~lL6rDpCkK@fB8qUnBaGdM.ilirida.net :0 8
* mG3iYhIgEuY Hr? ~uF6tFhRbH@mG3iYhIgEuY.ilirida.net :0 4
* sW5nMsExAiS Hr? ~tE3iFtAjN@sW5nMsExAiS.ilirida.net :0 2
* iQ4xAxYxIkI H? ~bS5jBpFtF@CF9D124A.18EE3E0A.629720A0.IP :0 5
* pC6bXsExUxV H? ~cG5qEwVbF@CF9D124A.18EE3E0A.629720A0.IP :0 9

at the nick there are 2 letters number than 8 letters again and all realnames are with 1 number
thanks

[Stealth]

The regex you will want to use is:

Code: Select all

(?i)[a-z][A-z]\d([a-z][A-Z])+!~?[a-z][A-z]\d([a-z][A-Z])+@[^:]+:\d$

[DeviL69]

thank you Stealth

[DeviL69]

* ISRHLCKQKNteluiivd H? ieltsnjat@ILIRIDA-5178C1C5.rochester.res.rr.com :1 xdwzxpkg
* RVQBYSRYDIthtwgbxb H? jhaegquhh@ILIRIDA-5178C1C5.rochester.res.rr.com :1 xbnrnsvt
* FFUDLEAWJNricppgfx H? bjfavviho@ILIRIDA-5178C1C5.rochester.res.rr.com :1 xkmzkyps

what about those clones?
(sorry if im askin 2 much)

[Stealth]

Code: Select all

(?i)[A-Z]{8}[a-z]{8}!~?[a-z]{9}@[^:]+:\d [a-z]{8}$

However, if the new ones are all coming from the same address, just manually take care of them... It's easier and takes less memory/CPU to do that when they can be taken care of manually.

[DeviL69]

no, i grab that 3 clones but i had much more, and 2night

Gunit-besarZn (Ds@79.120.94.251) :1 y
Gunit-besarSp (Ai@189.60.32.240) :1 b
Gunit-besarHz (De@190.128.148.252) :1 a
Gunit-besarIk (Cr@dhcp-077-250-148-171.chello.nl) :1 f

and all of them after join they changed their nicknames

Guest220132 (Dk@190.128.155.246) has changed his/her nickname to Guest836271

[Jason]

/spamfilter + u gzline 1d Evil_Bots ^(?-i)Gunit-besar[A-Z][a-z]![A-Z][a-z]@

[DeviL69]

PeKJGDq ierjboqn@PUTHJA-93E2BC75.dsl.sfldmi.ameritech.net :1 CmLzUMMjFaBSOhYmFvJKDjdqDCDateSUWHOZTmhHiWEXPWLJrX
NAQiOHDHYjNy qcg@PUTHJA-A207FC8B.hsd1.or.comcast.net :1 FQofpwEfTfuyorXmafFlIUwokTsWQbJYKBVvLndkcRHKuQsZlE
agkDEqESTzP ommyumu@PUTHJA-CB5E5875.hsd1.wa.comcast.net :1 JCddMCCaKCDbapnFQcvnpEcmCXOjOGhPmQhtndgzRkMzGbWmmS
qfYRddWvcRF mmjkyhftyv@PUTHJA-96EF09B4.hsd1.nj.comcast.net :1 efpNIJTwjSHxuKWwpobTPdgYjpoLAmD

bigdave H? bigdave@PUTHJA-B59D8115.manc.cable.ntl.com :1 davebig
Kiki H? Kiki@PUTHJA-C41CEF0D.versanet.de :1 Kiki Kiki
Mustermann H? Mustermann@PUTHJA-6B101FA1.dip.t-dialin.net :1 Herr Mustermann
Bibo H? Bibo@PUTHJA-B81F8CF8.dip.t-dialin.net :1 Bibo b



or u better make a list of all spamfilters for clones that u have used till now so we wont ask every week

[chevyman2002]

(Note this is for my own extensive testing purposes only); I grabbed some similar software to test clones and such, I was wondering what the regex would be to ban clones like these:

m4113 is v6892@869B12F7.6A47A965.7408C8F2.IP * zvjjmx
m4113 is using modes +iwx
m4113 is connecting from *@192.168.1.100 192.168.1.100
m4113 on #services
m4113 using dev.SummitIRC.com Private Dev Server for SummitIRC
m4113 has been idle 28secs, signed on Sun Jan 20 18:31:38
m4113 End of /WHOIS list.
-
i6821 is c868@869B12F7.6A47A965.7408C8F2.IP * yqffip
i6821 is using modes +iwx
i6821 is connecting from *@192.168.1.100 192.168.1.100
i6821 on #services
i6821 using dev.SummitIRC.com Private Dev Server for SummitIRC
i6821 has been idle 27secs, signed on Sun Jan 20 18:31:41
i6821 End of /WHOIS list.

Typically a random char, 4 numbers, etc... though it's completely random.. may have 3 numbers, may have 4, etc... (same for chars) thanks for any input in advance!

[Stealth]

It looks like those are ClonesX clones, a very common clone script used for flooding.

Simple spamfilter to stop them:

Code: Select all

^[a-z]d+!~?[a-z]d+@[^:]+:[A-Z]{6}$

This will catch most of them, but it may also catch some innocent users, so be careful with it.

[chevyman2002]

It looks like those are ClonesX clones, a very common clone script used for flooding.

Simple spamfilter to stop them:

Code: Select all

^[a-z]d+!~?[a-z]d+@[^:]+:[A-Z]{6}$

This will catch most of them, but it may also catch some innocent users, so be careful with it.

Indeed it is ClonesX via aleatory methods.. Unfortunately, it's not caught any of them but it should help. Thanks!

[DeviL69]

* hereNl H? Bs@D77E524F.C3AE708F.782AEE6B.IP :1 t
* hereLk H? Dy@91835CF.DA8294DE.F7FAA227.IP :1 t
* hereEb H? Bf@8300FA36.C7D7AC60.77D6F014.IP :1 l
* hereCc H? Az@D77E524F.C3AE708F.782AEE6B.IP :1 y
* hereRk H? Bx@6E42D14D.5EBA966.77D6F014.IP :1 x
* hereFu H? Bh@EAEA08B7.7820B06C.7BB51C83.IP :1 b
* hereVr H? Co@7A9DC326.16F4C48A.77D6F014.IP :1 q
* hereJn H? Af@3DCEF78C.79301A2C.F7FAA227.IP :1 s
* hereCq H? Dx@72D02233.4899A6FD.759EFDBE.IP :1 w

[Stealth]

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:[a-z]$

[Jason]

Stealth: You missed the numeral.

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:1 [a-z]$

[Stealth]

Stealth: You missed the numeral.

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:1 [a-z]$

The lines pasted are mangled WHO output, so that numeral is the server hops