Can't get spambot filter to work

These are old archives. They are kept for historic purposes only.
JRBlood
Posts: 12
Joined: Sat Apr 12, 2008 8:20 pm
Location: Syracuse, NY USA
Contact:

Can't get spambot filter to work

Post by JRBlood »

I just can't seem to get my head around these u filters. First, here's a short list from the logs:


LOGUSERS: c5993 ([email protected] => 2F23EAF9.518C029E.D8299F22.IP) (mjneldgts) [83.238.44.8] connected to the network
LOGUSERS: i8775 ([email protected] => echo34-CE9097CC.ppp11.odn.ad.jp) (ivhayzhur) [211.3.203.107] connected to the network
LOGUSERS: z4044 ([email protected] => B8DC339F.6EFAA724.90AE7DAA.IP) (ozokhdbpx) [211.140.192.186] connected to the network
LOGUSERS: u5923 ([email protected] => 3352C7DA.7EE2550F.DF2312F9.IP) (oyzcijnbt) [200.219.152.6] connected to the network
LOGUSERS: k6166 ([email protected] => BA2DE00B.9DADCFDB.17DF3469.IP) (shsunhcwc) [222.122.249.5] connected to the network
LOGUSERS: j2549 ([email protected] => echo34-497D348F.pool.starband.net) (gjqhsaqon) [148.78.243.37] connected to the network
LOGUSERS: f242 ([email protected] => F3D03476.730981D2.D9CF94C8.IP) (wmaeemgwo) [203.117.33.5] connected to the network
LOGUSERS: d240 ([email protected] => echo34-CE9097CC.ppp11.odn.ad.jp) (unbuvhjdq) [211.3.203.107] connected to the network
LOGUSERS: y6632 ([email protected] => 2F23EAF9.518C029E.D8299F22.IP) (qhgabgiqi) [83.238.44.8] connected to the network
LOGUSERS: m7681 ([email protected] => 3352C7DA.7EE2550F.DF2312F9.IP) (xpmuqkkcz) [200.219.152.6] connected to the network
LOGUSERS: m2065 ([email protected] => 98D60D00.FDAC7E3F.24A23537.IP) (xwakaivjp) [200.21.132.197] connected to the network
LOGUSERS: z803 ([email protected] => 626D8F70.1938B83A.A635EB61.IP) (dmuyduekf) [123.232.9.185] connected to the network
LOGUSERS: d2787 ([email protected] => 92647EB6.14F47057.3E881385.IP) (qewykigki) [190.39.201.145] connected to the network
LOGUSERS: n6317 ([email protected] => B8DC339F.6EFAA724.90AE7DAA.IP) (hmbsfrbcu) [211.140.192.186] connected to the network
LOGUSERS: c8316 ([email protected] => BA2DE00B.9DADCFDB.17DF3469.IP) (zzbzxicol) [222.122.249.5] connected to the network
LOGUSERS: d3422 ([email protected] => 3352C7DA.7EE2550F.DF2312F9.IP) (aifhlgezw) [200.219.152.6] connected to the network
LOGUSERS: r1093 ([email protected] => 2F23EAF9.518C029E.D8299F22.IP) (ontoqjjkr) [83.238.44.8] connected to the network (irc.echo34.com).
Earlier in the day I added the following filter which I got from the forum here:


/spamfilter add u gzline 1h Channel_Flooder ![a-z][0-9]{4}@[^:]+:[a-z]{9}
So somehow they got past the filter. Am I missing something?
Also, how can I check that this filter will work against entries in my logs? Yes, I'm in the process of RTFM. ;)
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Can't get spambot filter to work

Post by Stealth »

Because you did not add a part for getting users with no identd response.

The spamfilter you want is:


!~?[a-z][0-9]{2,4}@[^:]+:[a-z]{9}
Note the addition of ~? and the change of {4} to {2,4}. These are very crucial parts of the spamfilter if you wish to catch all these clones.
JRBlood
Posts: 12
Joined: Sat Apr 12, 2008 8:20 pm
Location: Syracuse, NY USA
Contact:

Re: Can't get spambot filter to work

Post by JRBlood »

Stealth wrote: Note the addition of ~? and the change of {4} to {2,4}. These are very crucial parts of the spamfilter if you wish to catch all these clones.
As Homer would say: "DOH!" Something told me that I needed something for the lack of IDENT. I was also wondering why, when testing RegEx expressions in BareGrep, that the {4} portion was working, but not catching the [a-z]. I kept trying [a-z]{2} [0-9]{4} and variants of that with no success. Now it all makes sense. :)

Super thanx for that. :) Darn these RegEx rules can be a tough nut to crack.
JRBlood
Posts: 12
Joined: Sat Apr 12, 2008 8:20 pm
Location: Syracuse, NY USA
Contact:

Re: Can't get spambot filter to work

Post by JRBlood »

hmm... I just thought of something. For a bot like:


LOGUSERS: d3422 [email protected] (aifhlgezw)
Should it be


!~?[a-z][0-9]{1,4}@[^:]+:[a-z]{9}
Noting {1,4} instead of {2,4}?
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Re: Can't get spambot filter to work

Post by Stealth »

No. The numbers between {} mean "least, most" occurrences. For example, the [0-9]{2,4} means a single digit occurring at least twice, but no more than 4 times. Because this is only the ident we care about (in this particular section), there are no clones with fewer than 2 numbers, and no more than 4 numbers in their ident.
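
One way to run the check asked about in the first post and to see what ~? and {2,4} change, as an added example that is not part of the original thread. It assumes a u filter is matched against nick!user@host:realname with the real host, uses Python's re as a stand-in for the server's regex engine, and runs on constructed log lines; target_string and caught_nicks are hypothetical helper names.

```python
import re

# Patterns copied from the thread.
ORIGINAL = re.compile(r"![a-z][0-9]{4}@[^:]+:[a-z]{9}")
REVISED = re.compile(r"!~?[a-z][0-9]{2,4}@[^:]+:[a-z]{9}")

# LOGUSERS layout as shown in the thread:
#   LOGUSERS: nick (user@host => cloak) (realname) [ip] connected to the network
LOG_LINE = re.compile(
    r"LOGUSERS: (?P<nick>\S+) \((?P<user>[^@\s]+)@(?P<host>\S+) => \S+\) "
    r"\((?P<real>[^)]*)\) \[[^\]]+\] connected"
)

# Constructed sample lines (not from the page): hosts, cloaks, idents and
# real names are made up, IPs come from documentation ranges.
SAMPLE_LOG = """\
LOGUSERS: c5993 (c5993@host1.example.net => AAAA.BBBB.CCCC.IP) (abcdefghi) [192.0.2.8] connected to the network
LOGUSERS: f242 (~f242@host2.example.net => DDDD.EEEE.FFFF.IP) (jklmnopqr) [192.0.2.9] connected to the network
LOGUSERS: k61 (~k61@host3.example.net => 1111.2222.3333.IP) (stuvwxyza) [198.51.100.7] connected to the network
LOGUSERS: m7 (~m7@host4.example.net => 4444.5555.6666.IP) (bcdefghij) [198.51.100.8] connected to the network
LOGUSERS: alice (~alice@host5.example.net => 7777.8888.9999.IP) (Alice Smith) [203.0.113.5] connected to the network
"""

def target_string(line):
    """Rebuild nick!user@host:realname (assumed 'u' target format) from a log line."""
    m = LOG_LINE.search(line)
    return "{nick}!{user}@{host}:{real}".format(**m.groupdict()) if m else None

def caught_nicks(pattern, log_text):
    """Return the nicks whose rebuilt target string the pattern matches."""
    caught = []
    for line in log_text.splitlines():
        target = target_string(line)
        if target and pattern.search(target):
            caught.append(target.split("!", 1)[0])
    return caught

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, caught_nicks(pat, SAMPLE_LOG))
```

The m7 line has a single digit in its ident, so it is the case that separates {2,4} from the {1,4} variant asked about above; alice stands in for a legitimate user that neither pattern should hit.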
JRBlood
Posts: 12
Joined: Sat Apr 12, 2008 8:20 pm
Location: Syracuse, NY USA
Contact:

Re: Can't get spambot filter to work

Post by JRBlood »

Stealth wrote: No. The numbers between {} mean "least, most" occurrences. For example, the [0-9]{2,4} means a single digit occurring at least twice, but no more than 4 times. Because this is only the ident we care about (in this particular section), there are no clones with fewer than 2 numbers, and no more than 4 numbers in their ident.
Ah. OK. I was thinking it had to do with the number of chars. 1,4 meaning 1 letter and 4 numbers, but I see that now. I read about {} from http://www.regular-expressions.info/reference.html, but couldn't quite get my head wrapped around it.

Again I thank you. :)