Spamfilter for clones

DeviL69 · Post by **DeviL69** » Mon Nov 05, 2007 10:12 pm

i need spamfilter for those kind of bots

* nB7tFmCeLhT H? ~vS8cWiMbY@9117FD79.621348B8.A7830FBA.IP :1 8
* oU2nXdUaXkI Hr? ~yM7jBtIvK@oU2nXdUaXkI.ilirida.net :0 6
* rU6bUgAxSqG Hr? ~cY4aAbMtK@rU6bUgAxSqG.ilirida.net :0 2
* aZ8xLqWzWcO Hr? ~yF4zWsHdO@aZ8xLqWzWcO.ilirida.net :0 8
* gN3eRgHlVbB Hr? ~tT6lNsUuN@gN3eRgHlVbB.ilirida.net :0 2
* nD9hBcJwAjB Hr? ~fU6gDqDaW@nD9hBcJwAjB.ilirida.net :0 5
* qN7eTqRgDpB Hr? ~gQ1eRtIyM@qN7eTqRgDpB.ilirida.net :0 2
* fB8qUnBaGdM Hr? ~lL6rDpCkK@fB8qUnBaGdM.ilirida.net :0 8
* mG3iYhIgEuY Hr? ~uF6tFhRbH@mG3iYhIgEuY.ilirida.net :0 4
* sW5nMsExAiS Hr? ~tE3iFtAjN@sW5nMsExAiS.ilirida.net :0 2
* iQ4xAxYxIkI H? ~bS5jBpFtF@CF9D124A.18EE3E0A.629720A0.IP :0 5
* pC6bXsExUxV H? ~cG5qEwVbF@CF9D124A.18EE3E0A.629720A0.IP :0 9

at the nick there are 2 letters number than 8 letters again and all realnames are with 1 number
thanks

Post by **Stealth** » Mon Nov 05, 2007 10:32 pm

The regex you will want to use is:

Code: Select all

(?i)[a-z][A-z]\d([a-z][A-Z])+!~?[a-z][A-z]\d([a-z][A-Z])+@[^:]+:\d$

DeviL69 · Post by **DeviL69** » Mon Nov 05, 2007 11:58 pm

thank you Stealth

DeviL69 · Post by **DeviL69** » Thu Nov 29, 2007 3:36 pm

* ISRHLCKQKNteluiivd H? ieltsnjat@ILIRIDA-5178C1C5.rochester.res.rr.com :1 xdwzxpkg
* RVQBYSRYDIthtwgbxb H? jhaegquhh@ILIRIDA-5178C1C5.rochester.res.rr.com :1 xbnrnsvt
* FFUDLEAWJNricppgfx H? bjfavviho@ILIRIDA-5178C1C5.rochester.res.rr.com :1 xkmzkyps

what about those clones?
(sorry if im askin 2 much)

Post by **Stealth** » Thu Nov 29, 2007 6:08 pm

Code: Select all

(?i)[A-Z]{8}[a-z]{8}!~?[a-z]{9}@[^:]+:\d [a-z]{8}$

However, if the new ones are all coming from the same address, just manually take care of them... It's easier and takes less memory/CPU to do that when they can be taken care of manually.

DeviL69 · Post by **DeviL69** » Sat Dec 01, 2007 10:41 pm

no, i grab that 3 clones but i had much more, and 2night

Gunit-besarZn (Ds@79.120.94.251) :1 y
Gunit-besarSp (Ai@189.60.32.240) :1 b
Gunit-besarHz (De@190.128.148.252) :1 a
Gunit-besarIk (Cr@dhcp-077-250-148-171.chello.nl) :1 f

and all of them after join they changed their nicknames

Guest220132 (Dk@190.128.155.246) has changed his/her nickname to Guest836271

Jason · Post by **Jason** » Sat Dec 01, 2007 11:18 pm

/spamfilter + u gzline 1d Evil_Bots ^(?-i)Gunit-besar[A-Z][a-z]![A-Z][a-z]@

DeviL69 · Post by **DeviL69** » Tue Jan 15, 2008 8:53 pm

PeKJGDq ierjboqn@PUTHJA-93E2BC75.dsl.sfldmi.ameritech.net :1 CmLzUMMjFaBSOhYmFvJKDjdqDCDateSUWHOZTmhHiWEXPWLJrX
NAQiOHDHYjNy qcg@PUTHJA-A207FC8B.hsd1.or.comcast.net :1 FQofpwEfTfuyorXmafFlIUwokTsWQbJYKBVvLndkcRHKuQsZlE
agkDEqESTzP ommyumu@PUTHJA-CB5E5875.hsd1.wa.comcast.net :1 JCddMCCaKCDbapnFQcvnpEcmCXOjOGhPmQhtndgzRkMzGbWmmS
qfYRddWvcRF mmjkyhftyv@PUTHJA-96EF09B4.hsd1.nj.comcast.net :1 efpNIJTwjSHxuKWwpobTPdgYjpoLAmD

bigdave H? bigdave@PUTHJA-B59D8115.manc.cable.ntl.com :1 davebig
Kiki H? Kiki@PUTHJA-C41CEF0D.versanet.de :1 Kiki Kiki
Mustermann H? Mustermann@PUTHJA-6B101FA1.dip.t-dialin.net :1 Herr Mustermann
Bibo H? Bibo@PUTHJA-B81F8CF8.dip.t-dialin.net :1 Bibo b

or u better make a list of all spamfilters for clones that u have used till now so we wont ask every week

chevyman2002 · Post by **chevyman2002** » Mon Jan 21, 2008 12:43 am

(Note this is for my own extensive testing purposes only); I grabbed some similar software to test clones and such, I was wondering what the regex would be to ban clones like these:

m4113 is v6892@869B12F7.6A47A965.7408C8F2.IP * zvjjmx
m4113 is using modes +iwx
m4113 is connecting from *@192.168.1.100 192.168.1.100
m4113 on #services
m4113 using dev.SummitIRC.com Private Dev Server for SummitIRC
m4113 has been idle 28secs, signed on Sun Jan 20 18:31:38
m4113 End of /WHOIS list.
-
i6821 is c868@869B12F7.6A47A965.7408C8F2.IP * yqffip
i6821 is using modes +iwx
i6821 is connecting from *@192.168.1.100 192.168.1.100
i6821 on #services
i6821 using dev.SummitIRC.com Private Dev Server for SummitIRC
i6821 has been idle 27secs, signed on Sun Jan 20 18:31:41
i6821 End of /WHOIS list.

Typically a random char, 4 numbers, etc... though it's completely random.. may have 3 numbers, may have 4, etc... (same for chars) thanks for any input in advance!

Post by **Stealth** » Mon Jan 21, 2008 5:33 am

It looks like those are ClonesX clones, a very common clone script used for flooding.

Simple spamfilter to stop them:

Code: Select all

^[a-z]d+!~?[a-z]d+@[^:]+:[A-Z]{6}$

This will catch most of them, but it may also catch some innocent users, so be careful with it.

chevyman2002 · Post by **chevyman2002** » Tue Jan 22, 2008 1:49 am

Stealth wrote:It looks like those are ClonesX clones, a very common clone script used for flooding.

Simple spamfilter to stop them:
Code: Select all
^[a-z]d+!~?[a-z]d+@[^:]+:[A-Z]{6}$
This will catch most of them, but it may also catch some innocent users, so be careful with it.

Indeed it is ClonesX via aleatory methods.. Unfortunately, it's not caught any of them but it should help. Thanks!

DeviL69 · Post by **DeviL69** » Tue Jan 29, 2008 12:50 am

* hereNl H? Bs@D77E524F.C3AE708F.782AEE6B.IP :1 t
* hereLk H? Dy@91835CF.DA8294DE.F7FAA227.IP :1 t
* hereEb H? Bf@8300FA36.C7D7AC60.77D6F014.IP :1 l
* hereCc H? Az@D77E524F.C3AE708F.782AEE6B.IP :1 y
* hereRk H? Bx@6E42D14D.5EBA966.77D6F014.IP :1 x
* hereFu H? Bh@EAEA08B7.7820B06C.7BB51C83.IP :1 b
* hereVr H? Co@7A9DC326.16F4C48A.77D6F014.IP :1 q
* hereJn H? Af@3DCEF78C.79301A2C.F7FAA227.IP :1 s
* hereCq H? Dx@72D02233.4899A6FD.759EFDBE.IP :1 w

Post by **Stealth** » Tue Jan 29, 2008 12:59 am

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:[a-z]$

Jason · Post by **Jason** » Sat Feb 02, 2008 1:10 am

Stealth: You missed the numeral.

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:1 [a-z]$

Post by **Stealth** » Sat Feb 02, 2008 1:44 am

Jason wrote:Stealth: You missed the numeral.
Code: Select all
^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:1 [a-z]$

The lines pasted are mangled WHO output, so that numeral is the server hops

UnrealIRCd Forums