Win/ Bopm help!

White_Magic
Posts: 267
Joined: Tue Jan 18, 2005 3:24 pm
Location: Scotland - United Kingdom


Post by White_Magic »

okies so it took me 20 mins to get bopm running *noob*
on both linux and win32 (thanks to syzop ;) )

but on the win32 bopm, I added a blacklist server and restarted it. It worked great, took a lot of bots, but a lot of chatters as well.

I'm not sure *why*

I changed the data read to 2046 after trying it with 3046 and 4046, but it still got a lot of "false positives".

I say "false positives" because the other blacklists don't get them but this particular one does.

The only other thing I can think of is it's scanning ports that are open (but then aren't they insecure?)

Config file to look over on request if you can help, I'm willing to learn :P
I spend 4 hrs a day gaming and 14 hrs on IRC, for 5 days a week, I'm not an addict :D
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

Can you show us what the bopm log (I think it's in the 'var' directory) tells about these false positive users? (feel free to xx out the ip/hostname/etc :P).

I suppose those false positive people were not all running irc servers? Because if they did, have a look at tweaking the 'target_string' (use the 2nd example instead of the 1st).
White_Magic

Post by White_Magic »

yes, the opposite, it was scanning all connections :S

yeah sure ...


vixen_01!newuser@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[Sep 03 15:13:59 2005] DNSBL -> oeoauaz!zfceo@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[Sep 03 15:14:13 2005] DNSBL -> James7878!James7878@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[Sep 03 15:14:46 2005] DNSBL -> vixen_01!newuser@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[Sep 03 15:16:17 2005] MAIN -> BOPM 3.1.2 started.
[Sep 03 15:16:17 2005] MAIN -> Reading configuration file...
[Sep 03 15:16:17 2005] CONFIG -> Loading /cygdrive/c/BOPM/etc/bopm.conf
[Sep 03 15:16:17 2005] IRC -> Connected to *:6667
[Sep 03 15:17:32 2005] MAIN -> BOPM 3.1.2 started.
[Sep 03 15:17:32 2005] MAIN -> Reading configuration file...
[Sep 03 15:17:32 2005] CONFIG -> Loading /cygdrive/c/BOPM/etc/bopm.conf
[Sep 03 15:17:33 2005] IRC -> Connected to *:6667
[Sep 03 15:17:39 2005] DNSBL -> CHICKENLENNY!CHICKENLEN@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[Sep 03 15:17:41 2005] DNSBL -> vixen_01!newuser@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[Sep 03 15:17:52 2005] DNSBL -> oCaivuiaF!laoziyu@* appears in BL zone proxy.relays.osirusoft.com (Socks)

this is all I have :S

The people caught there are all WebTVs, maybe except 1 or 2 bots and 1 or 2 mIRC users; it banned one of our ircops as well :S

[15:42] <%Scrab> DNSBL -> YoungBlood!youngblood@* appears in BL zone proxy.relays.osirusoft.com (Socks)

Post by White_Magic »

Actually, I've found 1 problem...

The target string is enabled, however the second target string (the "NOTICE AUTH" one) isn't.

In the file that was sent to me, which they use for the linux bopms, the second target string specifies a server name. Well, if the bopm is scanning all connections, wouldn't that fail to work properly, as we have 11 servers, 9 open to the public...


	/* Usually first line sent to client on connection to ircd. 
	 * If your ircd supports a more specific line (see below),
	 * using it will reduce false positives.
	 */
#      target_string = "*** Looking up your hostname...";

	/* Some ircds give a source for the NOTICE AUTH (bahamut for example).
	 * It is recommended you use the following instead of the generic
	 * "*** Looking up your hostname..." if your ircd supports it. 
	 * This will reduce the chances of false positives.
	 */
       target_string = ":Server.ChatUniverse.net NOTICE AUTH :*** Looking up your hostname...";
That's the linux one, here's the win32:


	/* Usually first line sent to client on connection to ircd. 
	 * If your ircd supports a more specific line (see below),
	 * using it will reduce false positives.
	 */
	target_string = "*** Looking up your hostname...";

	/* Some ircds give a source for the NOTICE AUTH (bahamut for example).
	 * It is recommended you use the following instead of the generic
	 * "*** Looking up your hostname..." if your ircd supports it. 
	 * This will reduce the chances of false positives.
	 */
#	target_string = ":server2.ChatUniverse.net NOTICE AUTH :*** Looking up your hostname...";
I commented out the second one on purpose when I configured it because it failed to work; now I think it's because the servers don't match the server name present.

Also on a side note, it seems the first notice of all our servers is


<- :ChatUniverse.net NOTICE ^White_MAgic6 :*** If you are having problems connecting due to ping timeouts, please type etc etc

Can I use a regex for that? Like .+ to fill in the rest, since it always changes, or?

Post by White_Magic »

I changed the target string to match the first notice they get connecting to the server, with the string as

"*** if you are having problems connecting due to ping timeouts, .+"

Here's the results...

[11:46] <%Scrab> DNSBL -> WHOREABLE!Loyalty@* appears in BL zone proxy.relays.osirusoft.com (Socks)
[11:46] <%Scrab> DNSBL -> scrawl12!scrawl@* appears in BL zone proxy.relays.osirusoft.com (Socks)

:S
Syzop

Post by Syzop »

It seems the problem is that it says all kinds of users are in the blacklist (so that's even unrelated to scanning etc), but you are saying the ip should not be in that?

I just googled on the zone you are having problems with (proxy.relays.osirusoft.com), and I came to here (via this):


Relays.osirusoft.com has not had valid data in well over a year, but people insist on using the data. Please contact the ISPs blocking your mail and ask them to STOP using relays.osirusoft.com to filter email.
(it says mail here because these DNSBLacklists are also used against spammers).

So try removing that from the conf.

Also, how did it end up in your conf in the first place anyway? AFAICT it is not in my default bopm.conf shipped with winbopm; it is also not in the official *NIX bopm (3.1.2) either.
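An added example, not code from this thread or from BOPM, of the sanity check the advice above implies before a zone goes into bopm.conf: build the lookup name the way a DNSBL client does (IPv4 octets reversed, zone appended), then confirm the zone lists the conventional test address 127.0.0.2 and does not list 127.0.0.1, which no zone should ever list. A zone that answers for 127.0.0.1 is answering for every address, which is what a log full of unrelated "appears in BL zone" hits looks like. The resolver is passed in as a callable so the check runs offline against a constructed fake; the zone name in the usage line is a placeholder.

```python
import socket
from typing import Callable, Optional

# DNSBL convention (RFC 5782): 127.0.0.2 is listed in every working zone,
# 127.0.0.1 is never listed. A zone that "lists" 127.0.0.1 answers for
# every query, so every connecting client would be reported as a proxy.
TEST_LISTED = "127.0.0.2"
TEST_UNLISTED = "127.0.0.1"

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: the A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = resolve_a) -> bool:
    """True when the zone returns an A record for ip (what a DNSBL hit is)."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def check_zone(zone: str, resolve: Resolver = resolve_a) -> str:
    """Classify a zone: 'ok', 'dead' (test entry missing) or 'lists-everyone'."""
    if is_listed(TEST_UNLISTED, zone, resolve):
        return "lists-everyone"   # every client would be flagged
    if not is_listed(TEST_LISTED, zone, resolve):
        return "dead"             # zone no longer serves any data
    return "ok"


# Constructed fake resolver: behaves like a zone that answers for everything.
def _wildcard_resolver(name: str) -> Optional[str]:
    return "127.0.0.2"


if __name__ == "__main__":
    # ZONE_PLACEHOLDER stands in for a zone name from your bopm.conf.
    print(check_zone("ZONE_PLACEHOLDER.example", _wildcard_resolver))
```

Run it with the default resolver against each zone in your conf; anything other than "ok" is a zone to drop before it bans real chatters.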

Post by White_Magic »

Well, I admit, yeah, I added the 2 to the config because I was looking for more blacklists to add to see if they could limit the bots we were getting.

hm @ the site being closed down..

The site I got it from is...

http://sysadmin.info/spamlinks/filter-d ... ts-proxies

As you can see it lists blacklists for proxies / domains etc, so I guess lesson learned to check them out before I add them 8)

I was looking up SORBS earlier, I get the same thing with them, but they are still in operation hmmmmm!
Syzop

Post by Syzop »

Yeah, always be (very) careful with adding any blacklists... some don't work at all, but worse: others "do work" but have many false positives because they for example focus mainly on anti-spam things or keep dynamic ips banned for 30 days (which will result in many innocent users). Things like that :).

The TOR blacklist - if you don't have it already - is said to be a good one. Just one I can think of that is not included by default.

I've also seen discussion of 2 other ones: NJABL (dnsbl.njabl.org) and SORBS which are said to be bad, 2 quotes: "p.s. njabl did about 1000 false _proxy_ positives in 24 hours on my network - the reason we will never use it again.", and "I notice you're using NJABL, SORBS, etc. with this config. It's been my experience in the past that, while they work well for SMTP blacklists, they absolutely suck at IRC blacklists".
White_Magic

Post by White_Magic »

ty for the quotes 8)
It always interests me how others run and maintain things, more so if they have a very deep knowledge and background on it.

We have the tor one, and SORBS only runs on scrab, and the false positive rate for it is very low if not none, so I've left it. I need to check if we use NJABL but I'm too tired to log into my shell, it's 4am and I've finished 4 hrs of DJing so ugh yeah, tomorrow :P

I did subscribe to the opm mailing list so hopefully through that I'll get more safe servers to use for blacklists; it's very hard to find them it seems.
alchemy
Posts: 5
Joined: Mon Jun 30, 2008 5:26 am

Re: Win/ Bopm help!

Post by alchemy »

Do you even require the target_ip / target_port / etc in the bopm.conf?
nate
Posts: 148
Joined: Fri Jul 29, 2005 10:12 am
Location: Johnstown, Pa
Contact:

Re: Win/ Bopm help!

Post by nate »

Before I smack the hell out of you, was reviving a THREE YEAR OLD topic really necessary? : P
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Win/ Bopm help!

Post by Stealth »

nate wrote: Before I smack the hell out of you, was reviving a THREE YEAR OLD topic really necessary? : P
Why not? :D