Can't get spambot filter to work

Posted: Sat Apr 12, 2008 8:45 pm
by JRBlood
I just can't seem to get my head around these u filters. First, here's a short list from the logs:

    LOGUSERS: c5993 (~u1382@83.238.44.8 => 2F23EAF9.518C029E.D8299F22.IP) (mjneldgts) [83.238.44.8] connected to the network
    LOGUSERS: i8775 (~s3646@OFSfb-20p2-107.ppp11.odn.ad.jp => echo34-CE9097CC.ppp11.odn.ad.jp) (ivhayzhur) [211.3.203.107] connected to the network
    LOGUSERS: z4044 (~q8020@211.140.192.186 => B8DC339F.6EFAA724.90AE7DAA.IP) (ozokhdbpx) [211.140.192.186] connected to the network
    LOGUSERS: u5923 (~n4887@200.219.152.6 => 3352C7DA.7EE2550F.DF2312F9.IP) (oyzcijnbt) [200.219.152.6] connected to the network
    LOGUSERS: k6166 (~g1463@222.122.249.5 => BA2DE00B.9DADCFDB.17DF3469.IP) (shsunhcwc) [222.122.249.5] connected to the network
    LOGUSERS: j2549 (~m1906@misc-148-78-243-37.pool.starband.net => echo34-497D348F.pool.starband.net) (gjqhsaqon) [148.78.243.37] connected to the network
    LOGUSERS: f242 (~w1663@203.117.33.5 => F3D03476.730981D2.D9CF94C8.IP) (wmaeemgwo) [203.117.33.5] connected to the network
    LOGUSERS: d240 (~h4304@OFSfb-20p2-107.ppp11.odn.ad.jp => echo34-CE9097CC.ppp11.odn.ad.jp) (unbuvhjdq) [211.3.203.107] connected to the network
    LOGUSERS: y6632 (~x7785@83.238.44.8 => 2F23EAF9.518C029E.D8299F22.IP) (qhgabgiqi) [83.238.44.8] connected to the network
    LOGUSERS: m7681 (~x177@200.219.152.6 => 3352C7DA.7EE2550F.DF2312F9.IP) (xpmuqkkcz) [200.219.152.6] connected to the network
    LOGUSERS: m2065 (~u3393@200.21.132.197 => 98D60D00.FDAC7E3F.24A23537.IP) (xwakaivjp) [200.21.132.197] connected to the network
    LOGUSERS: z803 (~s94@123.232.9.185 => 626D8F70.1938B83A.A635EB61.IP) (dmuyduekf) [123.232.9.185] connected to the network
    LOGUSERS: d2787 (~j2415@190.39.201.145 => 92647EB6.14F47057.3E881385.IP) (qewykigki) [190.39.201.145] connected to the network
    LOGUSERS: n6317 (~y576@211.140.192.186 => B8DC339F.6EFAA724.90AE7DAA.IP) (hmbsfrbcu) [211.140.192.186] connected to the network
    LOGUSERS: c8316 (~v5048@222.122.249.5 => BA2DE00B.9DADCFDB.17DF3469.IP) (zzbzxicol) [222.122.249.5] connected to the network
    LOGUSERS: d3422 (~v4367@200.219.152.6 => 3352C7DA.7EE2550F.DF2312F9.IP) (aifhlgezw) [200.219.152.6] connected to the network
    LOGUSERS: r1093 (~l6357@83.238.44.8 => 2F23EAF9.518C029E.D8299F22.IP) (ontoqjjkr) [83.238.44.8] connected to the network (irc.echo34.com).

Earlier in the day I added the following filter which I got from the forum here:

    /spamfilter add u gzline 1h Channel_Flooder ![a-z][0-9]{4}@[^:]+:[a-z]{9}

So somehow they got past the filter. Am I missing something?
Also, how can I check that this filter will work against entries in my logs? Yes, I'm in the process of RTFM. ;)

Re: Can't get spambot filter to work

Posted: Sun Apr 13, 2008 12:32 am
by Stealth
Because you did not add a part for getting users with no identd response.

The spamfilter you want is:

    !~?[a-z][0-9]{2,4}@[^:]+:[a-z]{9}

Note the addition of ~? and the change of {4} to {2,4}. These are very crucial parts of the spamfilter if you wish to catch all these clones.
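The first post asks how to check a filter against the log entries before deploying it; the script below is an added example (not from the thread or from UnrealIRCd) that rebuilds the nick!user@host:realname string the 'u' target is matched against and runs both the original and the corrected regex over a few of the quoted LOGUSERS lines plus one constructed non-bot line. It assumes the cloaked host is the one matched (the filters here never look at the host anyway) and that Python's re is close enough to the server's regex engine for these patterns.

```python
import re

# Sample input: three LOGUSERS lines quoted in the thread plus one constructed
# ordinary user (hypothetical nick/host) that must NOT be caught.
SAMPLE_LOG = """\
LOGUSERS: c5993 (~u1382@83.238.44.8 => 2F23EAF9.518C029E.D8299F22.IP) (mjneldgts) [83.238.44.8] connected to the network
LOGUSERS: z803 (~s94@123.232.9.185 => 626D8F70.1938B83A.A635EB61.IP) (dmuyduekf) [123.232.9.185] connected to the network
LOGUSERS: m7681 (~x177@200.219.152.6 => 3352C7DA.7EE2550F.DF2312F9.IP) (xpmuqkkcz) [200.219.152.6] connected to the network
LOGUSERS: jim (~jim@host.example.invalid => echo34-ABCD1234.example.invalid) (Jim Smith) [192.0.2.10] connected to the network
"""

# Pulls nick, ident, real host, displayed host and realname out of one log line.
LOG_RE = re.compile(
    r"LOGUSERS: (?P<nick>\S+) \((?P<user>[^@]+)@(?P<realhost>\S+) => "
    r"(?P<host>\S+)\) \((?P<realname>[^)]*)\)"
)

ORIGINAL_FILTER = r"![a-z][0-9]{4}@[^:]+:[a-z]{9}"       # from the first post
FIXED_FILTER = r"!~?[a-z][0-9]{2,4}@[^:]+:[a-z]{9}"      # Stealth's version


def spamfilter_u_string(line):
    """Rebuild the nick!user@host:realname string the 'u' target matches.
    Assumption: the displayed (cloaked) host is used. Returns None on non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return "{nick}!{user}@{host}:{realname}".format(**m.groupdict())


def matches(pattern, log_text):
    """Return the nicks in log_text that the given spamfilter regex would catch."""
    rx = re.compile(pattern)
    caught = []
    for line in log_text.splitlines():
        target = spamfilter_u_string(line)
        # Spamfilter is an unanchored search, so re.search is the right call here.
        if target and rx.search(target):
            caught.append(target.split("!", 1)[0])
    return caught


if __name__ == "__main__":
    # The '~' prefix (no identd reply) defeats the original pattern on every bot line;
    # the fixed pattern catches all three, including z803 whose ident has only 2 digits,
    # while the ordinary user (no digits in the ident) is left alone.
    print("original:", matches(ORIGINAL_FILTER, SAMPLE_LOG))
    print("fixed:   ", matches(FIXED_FILTER, SAMPLE_LOG))
```

Paste your own LOGUSERS lines into SAMPLE_LOG to dry-run a filter before adding it with a gzline action.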

Re: Can't get spambot filter to work

Posted: Sun Apr 13, 2008 1:27 am
by JRBlood
Stealth wrote: Note the addition of ~? and the change of {4} to {2,4}. These are very crucial parts of the spamfilter if you wish to catch all these clones.

As Homer would say: "DOH!" Something told me that I needed something for the lack of IDENT. I was also wondering why, when testing RegEx expressions in BareGrep, the {4} portion was working but not catching the [a-z]. I kept trying [a-z]{2} [0-9]{4} and variants of that with no success. Now it all makes sense. :)

Super thanx for that. :) Darn these RegEx rules can be a tough nut to crack.

Re: Can't get spambot filter to work

Posted: Sun Apr 13, 2008 1:59 am
by JRBlood
hmm... I just thought of something. For a bot like:

    LOGUSERS: d3422 ~v4367@200.219.152.6 (aifhlgezw)

Should it be

    !~?[a-z][0-9]{1,4}@[^:]+:[a-z]{9}

Noting {1,4} instead of {2,4}?

Re: Can't get spambot filter to work

Posted: Sun Apr 13, 2008 6:11 am
by Stealth
No. The numbers between {} mean "least, most" occurrences. For example, the [0-9]{2,4} means a single digit occurring at least twice, but no more than 4 times. Because this is only the ident we care about (in this particular section), there are no clones with fewer than 2 numbers, and no more than 4 numbers in their ident.

Re: Can't get spambot filter to work

Posted: Wed Apr 16, 2008 9:19 pm
by JRBlood
Stealth wrote: No. The numbers between {} mean "least, most" occurrences. For example, the [0-9]{2,4} means a single digit occurring at least twice, but no more than 4 times. Because this is only the ident we care about (in this particular section), there are no clones with fewer than 2 numbers, and no more than 4 numbers in their ident.

Ah. OK. I was thinking it had to do with the number of chars. 1,4 meaning 1 letter and 4 numbers, but I see that now. I read about {} from http://www.regular-expressions.info/reference.html, but couldn't quite get my head wrapped around it.

Again I thank you. :)