[REQUEST] Honeypot channel

Need a module converted from 3.2.x to UnrealIRCd 4? Or looking for a certain module? Ask here.

Moderators: Gottem, Supporters

Post Reply
CrazyCat
Posts: 65
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

[REQUEST] Honeypot channel

Post by CrazyCat » Fri Aug 03, 2018 8:51 am

Hi,

Due to the actual big spam wave on every IRC networks, I'm looking for a way to use a channel as honeypot.
The principe is simple: A channel is defined as honeypot channel (#honey) and everyone which join it is automatically glined (or gzlined). Peharps with an exception list to keep some users in it, because the channel must have users in to be detected by the spam bots.

I also think about adding a target "join" in spamfilter, but it may be more difficult to do ?

I'll create an eggdrop script to do that this weekend, but I hate having an eggdrop ircoped, so if a server module exists, it will be heaven :)
I'm currently Image

Gottem
Posts: 168
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [REQUEST] Honeypot channel

Post by Gottem » Sun Aug 05, 2018 2:27 pm

Hah, someone else asked me for something very similar for an already existing module acting on LIST (m_listrestrict). He gave me the following example config:

Code: Select all

loadmodule "third/m_listrestrict";

listrestrict {
    connectdelay 300; // How long a client must have been online for
    needauth 0; // Besides connectdelay, also require authentication w/ services

    exceptions {
    #    all "user@*";
    #    auth "*@123.123.123.*";
    #    connect "someone@some.isp";
    #    connect "need@moar";
        connect "*@127.0.0.1";
        connect "*@192.168.0.*";
        connect "icrawl@*.ircs.me";
    };
    
    prelistchans {
      "#fake1", "channel topic";       <<<-- Spambot Trap Channels for example
      "#fred", "whatever";             <<<-- another Spambot Channel Trap
      "#Chat", "Our Main Channel - Only click this one!";     <<<-- The default network lobby etc
    };
};

The idea behind "prelistchans" is that they are listable BEFORE the "connectdelay" timer ends,
this would be useful to capture any spambots for example who join the wrong channel.

The "Exceptions" of course would not get the spamtrap channel list.
So if I were to do this you could use the prelistchans option to specify #honey, then bots doing /LIST will only see that channel. =] I could maybe even force #honey to appear even though there aren't any users in it. Then you could set a spamfilter for anyone trying to join that channel and g(z)line em. :D In above example they also specified the actual public main channel, so the order of entries in prelistchans would also be the order my (hacked) LIST outputs stuff in.

The only problem is though, there's currently no clean way to do this. I'd have to override the entire LIST function to output only specific channels. I could dumb it down so you can't pass any options (like /LIST *chat*, /LIST >10, etc) until connectdelay passes, but that might not be entirely what you want/need? I could also bug Syzop about implementing an additional hook but it may not be implemented due to the complexity of the requirements for this module addition.
If you like my modules, pls consider donating (through PayPal) or becoming a monthly Patron ;];]

Amiga00
Posts: 10
Joined: Sun Aug 05, 2018 2:51 pm

Re: [REQUEST] Honeypot channel

Post by Amiga00 » Sun Aug 05, 2018 2:59 pm

Yes I am the guilty one who gave Gottem that config :D

I generally only ever use /LIST without parameters anyway, after all it was years(decades) before I even knew you could prefix parameters onto that command.

I had that idea originally, as I have suffered spambot attacks, and by blocking the /LIST off using that module, you find they simply timeout and quit without joining any channels, of course it is not ideal blocking the entire /LIST off but it seems to work with these dumb bots my network is getting currently.
Amiga600 @ irc.unrealircd.org #unreal-support

CrazyCat
Posts: 65
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: [REQUEST] Honeypot channel

Post by CrazyCat » Mon Aug 06, 2018 7:13 am

Using the m_listrestrict module is not a bad idea, I have only netsplit crawler to exempt.
But the trap channel (with a real channel) may be simpliest to do than a fake /list result, and the way to automaticaly gline an user trying to join the (fake) channel is alway present.
btw, I don't have a lot of user, and noone use the /list command (they know where they go :D), so restricting the list command for 2 minutes seems to be a temporaly good solution
I'm currently Image

Gottem
Posts: 168
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [REQUEST] Honeypot channel

Post by Gottem » Wed Aug 08, 2018 7:24 pm

Well I suppose if nobody cares that LIST is broken for the first few minutes it would be fairly easy to implement. :> You'll know when it's done. ;]
If you like my modules, pls consider donating (through PayPal) or becoming a monthly Patron ;];]

CrazyCat
Posts: 65
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: [REQUEST] Honeypot channel

Post by CrazyCat » Thu Aug 09, 2018 7:08 am

The spam wave seems to be stopped, but I used m_listrestrict a few days and it worked fine. I had to put a delay of 180s because the bots wait for 2 minutes before spamming -I guess it was a delay to be sure they get the full list on big networks- and noone complain about that :)
I'm currently Image

Amiga00
Posts: 10
Joined: Sun Aug 05, 2018 2:51 pm

Re: [REQUEST] Honeypot channel

Post by Amiga00 » Thu Aug 09, 2018 9:46 am

Well to stop spambots, I used List Restrict to only Registered Users, which stopped them joining any channels.
I also used the UnrealIRCd Spamfilter System to filter out the crap they posted.
and additionally, since 90% of them were coming from a certain country, I even made a Country Mode Blocker in my PHP Bot.

Doing all that stopped the spambots instantly :D
Amiga600 @ irc.unrealircd.org #unreal-support

Gottem
Posts: 168
Joined: Fri Aug 19, 2016 5:26 pm
Location: NL

Re: [REQUEST] Honeypot channel

Post by Gottem » Sun Aug 12, 2018 10:07 pm

CrazyCat wrote:
Thu Aug 09, 2018 7:08 am
The spam wave seems to be stopped
They'll come back. ;]
Amiga00 wrote:
Thu Aug 09, 2018 9:46 am
Well to stop spambots, I used List Restrict to only Registered Users, which stopped them joining any channels.
I also used the UnrealIRCd Spamfilter System to filter out the crap they posted.
and additionally, since 90% of them were coming from a certain country, I even made a Country Mode Blocker in my PHP Bot.

Doing all that stopped the spambots instantly :D
I simply set like 4 spamfilters and nobody complained about any spam after that. :>
If you like my modules, pls consider donating (through PayPal) or becoming a monthly Patron ;];]

Post Reply