Page 1 of 1

[N] Allow authorized nicks to bypass banned IP address

Posted: Thu Jan 18, 2018 7:53 am
by ivp
We are having trouble fighting spammers and often using KLINE/ZLINE/GLINE to ban IP addresses. This is not ideal solution, since many users are using dynamic IP addresses.

Wondering how to implement this scenario:

When user connects to IRC server to receive message: "Access from your IP address is forbidden due to IRC policy violation. To continue please identify yourself using nickname and password. For more information please visit: https://..."

Meaning user doesn’t get disconnected immediately, but IRC server allows couple of minutes to register nickname and/or identify himself.

If successfully authorized: check if his nickname is banned and disconnect him in that case. Otherwise, continue regular events as IP is not banned in the first place.

Re: Allow authorized nicks to bypass banned IP address

Posted: Sun Jan 28, 2018 12:01 am
by Gottem
Users don't have dynamic IP addresses in the sense that they can switch on a whim. It's usually possible to force a different IP (at least here lel) by disconnecting your ISP's modem entirely for about 8 hours, which is a much-used duration for DHCP leases. You're more likely seeing proxy connections, so either use Unreal's blacklist module or Anope's dnsbl instead. ;] It's also much less intensive on opers cuz you don't have to keep banning people manually.

Also, in your last sentence you say:
ivp wrote: Thu Jan 18, 2018 7:53 am If successfully authorized: check if his nickname is banned and disconnect him in that case. Otherwise, continue regular events as IP is not banned in the first place.
So if spammers don't register/identify they'll come right through anyways. Also they could just change their nickname and bypass it too. So again, go with one of the blacklist mods. =]

Re: Allow authorized nicks to bypass banned IP address

Posted: Sun Jan 28, 2018 8:23 am
by ivp
We are already using proxy detector, DNSBL and have captcha when connecting.

It is easy to change IP addresses when using mobile broadband modem or mobile phone. Just restart it or turn airplane mode on, wait 2 minutes, then turn it off.

With the new module, spammers wouldn't pass thorough without registering completely new nickname and/or authorizing with existing non-banned nickname. Meaning they would be allowed to enter commands for registering or authorizing existing nickname only when IP is banned using the module.

I guess would have to block disposable temporary email providers, too. Existing captcha would prevent from creating automatic scripts for bypassing this.

Re: Allow authorized nicks to bypass banned IP address

Posted: Sun Feb 11, 2018 6:40 pm
by Gottem
Well Unreal doesn't have a(n easy) way to "hold" a specific client's connection (while only allowing PRIVMSG to NickServ) before X:Line checking is done. Unreal also processes everything in series so if 6 people were to connect at once and the timeout is set to 1 minute, every consecutive client would have to wait at most (clientnumber - 1) * timeout minutes before they're even able to message NickServ.

Proper spamfilters, chanmode +f and DNSBL mods should be enough to work with. ;]