Any regex for this ?

These are old archives. They are kept for historic purposes only.
Post Reply
Annihilator90
Posts: 30
Joined: Sat Jun 02, 2007 1:46 pm

Any regex for this ?

Post by Annihilator90 »

Here's an example of clones trying to register on my server. I've caught them in my spamfilter by some means. I found some patterns for their registrations. They use (nickname)(nickname) as their passwords and [email protected] as their emails. Any suggestion for that?



ferri!Ballantine@**** matches filter ***** : [PRIVMSG NickServ: 'register ferriferri [email protected]']

Stable!MatrixIE@**** matches filter *****: [PRIVMSG NickServ: 'register StableStable [email protected]']

But there are a few exceptions too.

Llznuocqsjsbqjjrn!alMor3b@**** matches filter ****: [PRIVMSG NickServ: 'register PenciLPenciL [email protected]']

but it's still 'register wordword [email protected]' pattern.

Thanks a lot !!!
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Any regex for this ?

Post by Stealth »

Do you already have some kind of filter, or did you make one to match everything so you could see what they are using?
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Any regex for this ?

Post by Stealth »

If you don't have a spamfilter for these, here's one that should work until the owner of these bots catches on.

For the conf:

Code: Select all

spamfilter {
  regex "register (.+)\1 \1@gmail\.com";
  target private;
  action block;
  reason "Registration information is invalid.";
};
As a command:

Code: Select all

/spamfilter add p block - Registration_information_is_invalid. register (.+)\1 \1@gmail\.com

Another thing you may try doing is blocking gmail email addresses your services. It may anger some users, but gmail is becoming a more abused email domain every day.
Annihilator90
Posts: 30
Joined: Sat Jun 02, 2007 1:46 pm

Re: Any regex for this ?

Post by Annihilator90 »

I just added the word 'register' to the sf list. As anyone who typed the register command would get caught in that sf, I could see the passwords and emails they're using. In this case, the clones'.
Annihilator90
Posts: 30
Joined: Sat Jun 02, 2007 1:46 pm

Re: Any regex for this ?

Post by Annihilator90 »

Stealth wrote:If you don't have a spamfilter for these, here's one that should work until the owner of these bots catches on.

For the conf:

Code: Select all

spamfilter {
  regex "register (.+)\1 \1@gmail\.com";
  target private;
  action block;
  reason "Registration information is invalid.";
};
As a command:

Code: Select all

/spamfilter add p block - Registration_information_is_invalid. register (.+)\1 \1@gmail\.com

Another thing you may try doing is blocking gmail email addresses your services. It may anger some users, but gmail is becoming a more abused email domain every day.
It works. Really thank you. :lol:
Annihilator90
Posts: 30
Joined: Sat Jun 02, 2007 1:46 pm

Re: Any regex for this ?

Post by Annihilator90 »

Hi, they have modified their patterns abit now. It is now like register nicka [email protected]. I also tried to modiy my SF as below but it didn't work.

/spamfilter add p block + Registration_information_is_invalid. register (.+)\1a \1@gmail\.com


example,

|iJoo|!LeEd@**** matches filter ****: [PRIVMSG NickServ: 'register |iJoo|a |iJoo|@gmail.com']

Guest34827!~aqco@**** matches filter ****: [PRIVMSG NickServ: 'register Guest34827a [email protected]']
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Any regex for this ?

Post by Stealth »

For the conf:

Code: Select all

spamfilter {
  regex "register (.+)a \1@gmail\.com";
  target private;
  action block;
  reason "Registration information is invalid.";
};
As a command:

Code: Select all

/spamfilter add p block - Registration_information_is_invalid. register (.+)a \1@gmail\.com

If they have changed that fast, it's possible whoever is running the bots is on to this method, and will continue changing it. If the person running the bots continues to change it, it is possible you will need to either block all gmail registrations or enable email auth (assuming you don't have it enabled)
Annihilator90
Posts: 30
Joined: Sat Jun 02, 2007 1:46 pm

Re: Any regex for this ?

Post by Annihilator90 »

They change pattern again.

_DJ-Remos!~heuhe@****m matches filter****: [PRIVMSG NickServ: 'register Oolewgfauibgx [email protected]']

BBS`!GuderiaN@**** matches filter ****': [PRIVMSG NickServ: 'register Ljpxidwkawqh [email protected]']

So i tried like

/spamfilter + p block 0 Invalid_Information register (.+)\1 *@\1\.[a-z]{3}

/spamfilter + p block 0 Invalid_Information register (.+)\1 @\1\.[a-z]{3}


But they don't work.

Any suggestions ?
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Any regex for this ?

Post by Stealth »

Definitely time to turn on your service's email auth. They will continue to change their patterns endlessly.

Another thing you can do is deny user registration (meaning an oper needs to process it for the users).
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Re: Any regex for this ?

Post by Jason »

Email auth is the way to go. Most services have a feature that requires users to have a valid email. To get their nick, they have to use the password sent to them by email when they try to register.
Why the hell can't my signature be empty?
"Your message contains too few characters."
Post Reply