Using Spamfilter to get rid of rxbot´s

These are old archives. They are kept for historic purposes only.
Post Reply
Andrew

Using Spamfilter to get rid of rxbot´s

Post by Andrew »

hi all

i tried to use /spamfilter to get rid of a botnet (rxbots)

so i tried to use several filter-strings from the output the bots produce like
[SCAN]: Random Port Scan started on x.x.x.x:xxx with a delay of 2 seconds for 0 minutes using 100 threads.
i used the
[SCAN]: Random Port Scan started on
string to filter and akill them, but the spamfilter didnt do anything... i tried this with several other strings from the bots replys (also adding some * in the end and whatnot) but it just sat there and didnt do sh*t

so my last random guess is that it has some probs with the [ ]´s the sentence contains, but i dont know how to do this the right way and failing could end up in a mess..

so i´d appreciate any help :)

thx in advance
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

You really should learn Regexp...
There are hundreds of tutorials out there...


Try something like

Code: Select all

^\[SCAN\]: Random Port Scan started on .*
Andrew

Post by Andrew »

thanks for your help and the quick reply...

i made 2 entrys, following your suggestion
F cpnN shun 0 1419 86400 Possible_Botnet_-_Not_Allowed_here Andrew!~[email protected] ^\ [SCAN\ ]: Random Port Scan started on .*
F cpnN shun 0 1436 86400 Possible_Botnet_-_Not_Allowed_here Andrew!~[email protected] ^\ [SCAN\ ]: Already .*
but it still doesnt work... also i tried to set other actions as kill, gline and so on.. i yet have to see some message in the snotice window (yes, i got the appropiate userflags set..)

for learning regexp´s... i know i should do it, but right now i just dont have the time to do it, but i surely will when i got some spare time.

regards
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Do NOT put a space between the \ and the [ or ].
Andrew

Post by Andrew »

thx, works like a charm now :)

keep it up =)

regards
Post Reply