Spamfilter for clones

These are old archives. They are kept for historic purposes only.
DeviL69
Posts: 21
Joined: Mon Nov 05, 2007 10:02 pm
Location: Macedonia
Contact:

Spamfilter for clones

Post by DeviL69 »

i need spamfilter for those kind of bots

* nB7tFmCeLhT H? ~[email protected] :1 8
* oU2nXdUaXkI Hr? ~[email protected] :0 6
* rU6bUgAxSqG Hr? ~[email protected] :0 2
* aZ8xLqWzWcO Hr? ~[email protected] :0 8
* gN3eRgHlVbB Hr? ~[email protected] :0 2
* nD9hBcJwAjB Hr? ~[email protected] :0 5
* qN7eTqRgDpB Hr? ~[email protected] :0 2
* fB8qUnBaGdM Hr? ~[email protected] :0 8
* mG3iYhIgEuY Hr? ~[email protected] :0 4
* sW5nMsExAiS Hr? ~[email protected] :0 2
* iQ4xAxYxIkI H? ~[email protected] :0 5
* pC6bXsExUxV H? ~[email protected] :0 9

at the nick there are 2 letters number than 8 letters again and all realnames are with 1 number
thanks
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Spamfilter for clones

Post by Stealth »

The regex you will want to use is:

Code: Select all

(?i)[a-z][A-z]\d([a-z][A-Z])+!~?[a-z][A-z]\d([a-z][A-Z])+@[^:]+:\d$
DeviL69
Posts: 21
Joined: Mon Nov 05, 2007 10:02 pm
Location: Macedonia
Contact:

Re: Spamfilter for clones

Post by DeviL69 »

thank you Stealth
DeviL69
Posts: 21
Joined: Mon Nov 05, 2007 10:02 pm
Location: Macedonia
Contact:

Spamfilter for clones

Post by DeviL69 »

* ISRHLCKQKNteluiivd H? [email protected] :1 xdwzxpkg
* RVQBYSRYDIthtwgbxb H? [email protected] :1 xbnrnsvt
* FFUDLEAWJNricppgfx H? [email protected] :1 xkmzkyps

what about those clones?
(sorry if im askin 2 much)
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Spamfilter for clones

Post by Stealth »

Code: Select all

(?i)[A-Z]{8}[a-z]{8}!~?[a-z]{9}@[^:]+:\d [a-z]{8}$
However, if the new ones are all coming from the same address, just manually take care of them... It's easier and takes less memory/CPU to do that when they can be taken care of manually.
DeviL69
Posts: 21
Joined: Mon Nov 05, 2007 10:02 pm
Location: Macedonia
Contact:

Spamfilter for clones

Post by DeviL69 »

no, i grab that 3 clones but i had much more, and 2night

Gunit-besarZn ([email protected]) :1 y
Gunit-besarSp ([email protected]) :1 b
Gunit-besarHz ([email protected]) :1 a
Gunit-besarIk ([email protected]) :1 f

and all of them after join they changed their nicknames

Guest220132 ([email protected]) has changed his/her nickname to Guest836271
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Re: Spamfilter for clones

Post by Jason »

/spamfilter + u gzline 1d Evil_Bots ^(?-i)Gunit-besar[A-Z][a-z]![A-Z][a-z]@
Why the hell can't my signature be empty?
"Your message contains too few characters."
DeviL69
Posts: 21
Joined: Mon Nov 05, 2007 10:02 pm
Location: Macedonia
Contact:

Spamfilter for clones

Post by DeviL69 »

PeKJGDq [email protected] :1 CmLzUMMjFaBSOhYmFvJKDjdqDCDateSUWHOZTmhHiWEXPWLJrX
NAQiOHDHYjNy [email protected] :1 FQofpwEfTfuyorXmafFlIUwokTsWQbJYKBVvLndkcRHKuQsZlE
agkDEqESTzP [email protected] :1 JCddMCCaKCDbapnFQcvnpEcmCXOjOGhPmQhtndgzRkMzGbWmmS
qfYRddWvcRF [email protected] :1 efpNIJTwjSHxuKWwpobTPdgYjpoLAmD

bigdave H? [email protected] :1 davebig
Kiki H? [email protected] :1 Kiki Kiki
Mustermann H? [email protected] :1 Herr Mustermann
Bibo H? [email protected] :1 Bibo b



or u better make a list of all spamfilters for clones that u have used till now so we wont ask every week :)
chevyman2002
Posts: 62
Joined: Sun Nov 14, 2004 2:55 am
Location: Texas
Contact:

Re: Spamfilter for clones

Post by chevyman2002 »

(Note this is for my own extensive testing purposes only); I grabbed some similar software to test clones and such, I was wondering what the regex would be to ban clones like these:

m4113 is [email protected] * zvjjmx
m4113 is using modes +iwx
m4113 is connecting from *@192.168.1.100 192.168.1.100
m4113 on #services
m4113 using dev.SummitIRC.com Private Dev Server for SummitIRC
m4113 has been idle 28secs, signed on Sun Jan 20 18:31:38
m4113 End of /WHOIS list.
-
i6821 is [email protected] * yqffip
i6821 is using modes +iwx
i6821 is connecting from *@192.168.1.100 192.168.1.100
i6821 on #services
i6821 using dev.SummitIRC.com Private Dev Server for SummitIRC
i6821 has been idle 27secs, signed on Sun Jan 20 18:31:41
i6821 End of /WHOIS list.

Typically a random char, 4 numbers, etc... though it's completely random.. may have 3 numbers, may have 4, etc... (same for chars) thanks for any input in advance!
Your face looks like it was set on fire and put out with an axe ;x.
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Spamfilter for clones

Post by Stealth »

It looks like those are ClonesX clones, a very common clone script used for flooding.

Simple spamfilter to stop them:

Code: Select all

^[a-z]d+!~?[a-z]d+@[^:]+:[A-Z]{6}$
This will catch most of them, but it may also catch some innocent users, so be careful with it.
chevyman2002
Posts: 62
Joined: Sun Nov 14, 2004 2:55 am
Location: Texas
Contact:

Re: Spamfilter for clones

Post by chevyman2002 »

Stealth wrote:It looks like those are ClonesX clones, a very common clone script used for flooding.

Simple spamfilter to stop them:

Code: Select all

^[a-z]d+!~?[a-z]d+@[^:]+:[A-Z]{6}$
This will catch most of them, but it may also catch some innocent users, so be careful with it.
Indeed it is ClonesX via aleatory methods.. Unfortunately, it's not caught any of them but it should help. Thanks!
Your face looks like it was set on fire and put out with an axe ;x.
DeviL69
Posts: 21
Joined: Mon Nov 05, 2007 10:02 pm
Location: Macedonia
Contact:

Spamfilter for clones

Post by DeviL69 »

* hereNl H? [email protected] :1 t
* hereLk H? [email protected] :1 t
* hereEb H? [email protected] :1 l
* hereCc H? [email protected] :1 y
* hereRk H? [email protected] :1 x
* hereFu H? [email protected] :1 b
* hereVr H? [email protected] :1 q
* hereJn H? [email protected] :1 s
* hereCq H? [email protected] :1 w
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Spamfilter for clones

Post by Stealth »

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:[a-z]$
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Re: Spamfilter for clones

Post by Jason »

Stealth: You missed the numeral.

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:1 [a-z]$
Why the hell can't my signature be empty?
"Your message contains too few characters."
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Spamfilter for clones

Post by Stealth »

Jason wrote:Stealth: You missed the numeral.

Code: Select all

^(?-i)here[A-Z][a-z]![A-Z][a-z]@[^:]+:1 [a-z]$
The lines pasted are mangled WHO output, so that numeral is the server hops :)
Post Reply