Wave of spam hits IRC

If you have trouble on your server with spam, drones/zombies/bots or proxies

Syzop
UnrealIRCd head coder
Posts: 2117
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Wave of spam hits IRC

Post by Syzop »

For a few days now, waves of spam have been hitting many IRC networks. The spam uses this tool https://github.com/acidvegas/efknockr and the text ranges from simple phrases about SUPERNETS to ASCII art, colors, all kinds of stuff, being spammed in both channels and private message.
What sets this spam aside is not so much the content or that it exists, but that it affects so many IRC networks.

So what to do about this? We have some general advice, blacklists play a key role, and a new module. It's not perfect but it should be useful...

General advice
First of all, it is always wise to read the Security guide on the wiki to make sure you have all protection installed and to learn about the various countermeasures UnrealIRCd has to offer.

Spamfilter
For blocking simple phrases, spamfilter is a useful tool. It is said that using the phrase *i*r*c*.*s*u*p*e*r*n*e*t*s*.*o*r*g* in spamfilter is already quite effective.
On a related note, it is recommended to set set::spamfilter::utf8 to yes in your unrealircd.conf if you also want to block UTF8 characters, which are occasionally used. This setting exists in UnrealIRCd 6.0.7 (defaults to 'no') and 'yes' will be the new default in 6.1.2. So:

Code:

set { spamfilter { utf8 yes; } }
Blacklists are very useful
A lot of the bots are caught by DroneBL. DroneBL is a DNS blacklist that we have been shipping in unrealircd.conf for many years already, so one that you hopefully have (if not, again, check the Security article mentioned above).

New module to recheck blacklists periodically
There is also a new module that will automatically re-check DNS blacklists after a user has been connected for some time. By default it will check after 1 minute connect time and then again every 5 minutes. This will ensure that even drones who passed DNSBL checks at connect time, will still be killed once they get listed at DroneBL and the other blacklists. To install this module, simply use:

Code:

./unrealircd module install third/blacklistrecheck
And then add this to your unrealircd.conf:

Code:

loadmodule "third/blacklistrecheck";
Important: the functionality of this module will be in UnrealIRCd 6.1.2 and later, so don't load the module on 6.1.2 or newer!

Drastic measure: blocking PM or only allowing registered users
If things are really unbearable to you then you could even consider blocking private messages or only allowing registered users. Both are mentioned in the Security guide. Unfortunately these often have a drastic effect on users, so it may not be such a good idea; it also removes the whole "openness" of IRC.

More advice?
I myself have mostly been working on long-term solutions for spam, like building new features and new tools to combat it, but that won't help anyone "today". I have not been involved much in combating this particular spam, so this forum thread is an invitation to discuss things. Share your tips, advice, or questions!
IMPORTANT: The spammer will be reading this forum thread too, there is no way around that, but it can still be useful to share things.
Syzop
UnrealIRCd head coder
Posts: 2117
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: Wave of spam hits IRC

Post by Syzop »

For the private message spam (not the channel spam), we have in UnrealIRCd something that limits the maximum number of "concurrent conversations". Basically, how many PMs you can sustain at the same time and how soon you may PM a new person. It is possible to lower this amount; by default it is 10 concurrent for known-users and 4 for unknown-users.

The following example would only allow private messaging with 4 people at the same time, and then the next target (5th) is only allowed after 180 seconds and the next one (6th) after another 180 seconds. It uses a higher delay than 180 for unknown-users (300). Feel free to tweak.

Code:

set {
        anti-flood {
                known-users {
                        max-concurrent-conversations {
                                users 4;
                                new-user-every 180s;
                        }
                }
                unknown-users {
                        max-concurrent-conversations {
                                users 4;
                                new-user-every 300s;
                        }
                }
        }
}
This doesn't solve the problem but will slow the bot down. Also, you will have to think yourself if such a limitation is acceptable for your users.
Paladinz
Posts: 3
Joined: Sun May 11, 2014 1:46 pm

Re: Wave of spam hits IRC

Post by Paladinz »

I've seen this on a few networks and threw these together for mIRC and eggdrop.

For mIRC:
The first section, lines 2 - 5, bans on the spammer announcing channel members to the channel, such as:
[16:53:11] <praoling> praoling PHENOM ConXion JenEss Paladinz theoutsiders Uknow cn28h4 X
The remainder counts characters in the spam above ASCII 255, which most people (note most, not all) do not use. It bans if over 18 high range characters are used. This will not be useful to everyone and is by no means guaranteed to catch all spammers or not to catch the occasional non-spammer. Use it while attended for a while to ensure it doesn't ban too many non-spammers. It can be adjusted up or down as far as you need; if nobody in your channel ever uses characters above ASCII 255 then banning on 1 character detected is feasible, as the eggdrop TCL does.

The 18 in
if ($unicodecount($1-) > 18) {
can be altered as needed. The current spam I've seen has lines containing 19 and 28 high range characters.

Having said those figures, I've just now seen spam that I haven't seen before that has 16 high range characters, so the code didn't catch that spam but did catch it announcing channel users. So I'd adjust the 18 to 15 and see if it catches any non-spammers before leaving it unattended. You can check the number of detected characters in mIRC after installing the script by manually using the unicodecount alias:
//echo -a $unicodecount("S⁠URF⁠\'S UP​ F⁠A⁠G⁠G⁠OT⁠ GET⁠ ON⁠ IR​C.S​UP​ERNE⁠T⁠S⁠.ORG")
16
[15:01:24] —— JOIN #UNOasis «« fluiviest ([email protected]) » ——
[15:02:31] <fluiviest> ⊂_ヽ     "S⁠URF⁠\'S UP​ F⁠A⁠G⁠G⁠OT⁠ GET⁠ ON⁠ IR​C.S​UP​ERNE⁠T⁠S⁠.ORG"
[15:02:33] <fluiviest>   \\ Λ_Λ /
[15:02:35] <fluiviest>    \( ˇωˇ)
[15:02:37] <fluiviest>     > ⌒ヽ
[15:02:43] <fluiviest>    /VXP へ\
[15:02:50] <fluiviest>     /  / \\
[15:02:55] <fluiviest>    レ ノ   ヽ_つ
[15:03:01] <fluiviest> fluiviest ConXion PHENOM Paladinz JenEss theoutsiders Uknow cn28h4 X
[15:03:02] * Paladinz sets mode: +b *!*@207.148.1.136
[15:03:03] * fluiviest was kicked by Uknow (Banned)
[15:13:02] * Paladinz sets mode: -b *!*@207.148.1.136
Only non-op/voice users are checked. The spammer's IP is added to a user list and banned on rejoining. The list is cleared whenever mIRC is restarted.

I'm not a scripter so any suggestions or improvements are welcome.

Code:

; Channel text from non-op/voice users: ban if the line is just a list of
; channel nicks, or if it contains too many characters above code point 255
on @*:text:*:*:{
  if ($nick !isreg $chan) { halt }
  if (($1 ison $chan) && ($2 ison $chan) && ($3 ison $chan) && ($4 ison $chan)) { 
    ban -ku600 $chan $address($nick,2) Spam, spam, spam | auser uspam $address($nick,2) 
  }
  if ($unicodecount($1-) >= 18) {
    if ($me isop #) { 
      ban -u60 # $nick 2
      kick # $nick Unicode spam detected
    }
    if ($window(@Spam) == $null) { window -Cnbk0 +e @Spam }
    aline @Spam $timestamp $chan $nick $address($nick,1) $1-
    .auser uspam $address($nick,2) Unicode Spam $day
    halt
  }
}
 
; A previously detected spammer rejoining: kick and ban again
on @uspam:JOIN:#: { 
    kick # $nick Unicode spam previously detected from this address.
    ban -u60 # $nick 2
}
 
; Count the characters above code point 255 in the line, ignoring colour/bold codes
alias unicodecount {
  var %temp = $strip($1-)
  var %loop = 1
  var %length = $len(%temp)
  var %count = 0
  var %chr = 0
  ; <= so that the last character of the line is counted as well
  while (%loop <= %length) {
    %chr = $mid(%temp,%loop,1)
    if ($asc(%chr) > 255) { inc %count }
    inc %loop
  }
  return %count
}
 
; Forget the remembered spammer addresses when mIRC starts
on *:start:{
  .rlevel uspam
}
 
The following is similar but in TCL for eggdrop v1.8+ and has not been tested on the current wave; it was for an older spam wave containing spam for Libera.chat. It only checks the first 9 characters and bans if ANY above ASCII 255 is found. This is more likely to ban non-spammers, if channel members happen to use the characters. Op/Voice users are not tested. The number of characters tested can be altered as needed; change the 9 in
while {$count < 9} {

Code:

## Script to detect & ban Unicode spam
##
## Based on the mIRC script by Moros
##           v1.2

## Requires Eggdrop 1.8 or greater
##
## Catches channel spam such as 
## /!\ ΤHIЅ CHAⲚΝЕᒪ ዘAᏚ MOᏙᎬD ТΟ ΙRϹ.ᏞIᗷЕᖇA.ⅭΗᎪT #ᎻAΜRAᗪIО /︕⧵
## ⁄ǃ\ THE ЈΕWS HᎪVE TАΚEN ΟVER FᎡEΕⲚODᎬ, CHATS HАᏙΕ ⅯΟVᎬᎠ TO ΙRⲤ.LIBΕRᎪ.CΗAΤ /!\
##
 
if {$version < "1.8"} { die "Eggdrop version 1.8+ required for Unicode spam detector!" }
 
putlog "Unicode spam detector v1.2 loaded"
 
bind pubm - * unicodespam
 
# pubm handlers receive: nick uhost handle chan text. The last parameter is
# deliberately not called "args": Tcl treats a trailing "args" parameter as a
# list, which would wrap the message in an extra level of list quoting before
# it reaches stripcodes and string index.
proc unicodespam {nick uhost handle chan text} {
  global botnick
 
  # Nothing to do unless the bot can actually kick and ban
  if {![isop $botnick $chan]} { return }
 
  # Only users without op or voice are checked
  if {[isop $nick $chan] || [isvoice $nick $chan]} { return }
 
  set count 0
  set text [stripcodes bcru $text]
  # Look at the first 9 characters only; string index past the end returns ""
  # and achr then yields 0, so short lines are safe
  while {$count < 9} {
    set a [achr [string index $text $count]]
    # Musical note characters (U+266A, U+266B) are used by "now playing" scripts; skip those lines
    if {$a == 9834 || $a == 9835} { return }
    if {$a > 255} {
      putlog "Unicode spam detected: $chan $nick $uhost $text"
      set host [string tolower [lindex [split [getchanhost $nick $chan] @] 1]]
      newchanban $chan "*!*@$host" "Unicode Spam" "Unicode Spam" 1
      putserv "KICK $chan $nick :\00304(\00312<><>«\[\003 Unicode spam detected \00312\]»<><>\00304)"
      break
    }
    incr count
  }
}
 
# Return the Unicode code point of the first character of c (0 for an empty string)
proc achr {c} {
  set c [string index $c 0]
  set v 0
  scan $c %c v
  return $v
}
Again this was thrown together quick and dirty, suggestions and improvements are welcome.
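The three checks discussed so far, re-implemented in Python as an added example so they can be run over constructed messages offline: the wildcard spamfilter phrase Syzop quotes (`*i*r*c*.*s*u*p*e*r*n*e*t*s*.*o*r*g*`), and the two rules from the mIRC/Tcl scripts above (count of characters above code point 255, and "the line is just a list of channel nicks"). This is not UnrealIRCd, mIRC or eggdrop code. The sample messages, the word-joiner/zero-width-space padding, the channel nick set and the threshold of 15 are constructed here, and using Python's `fnmatch` as a stand-in for UnrealIRCd's "simple" (wildcard) spamfilter matcher is an assumption.

```python
"""Thread heuristics reimplemented for offline testing (added example, not
UnrealIRCd/mIRC/eggdrop code)."""
import re
import unicodedata
from fnmatch import fnmatchcase
from typing import List, Set

# Wildcard phrase from Syzop's post. Assumption: fnmatch (* and ?) is close
# enough to UnrealIRCd's simple spamfilter matcher for this demonstration.
SPAMFILTER_PHRASE = "*i*r*c*.*s*u*p*e*r*n*e*t*s*.*o*r*g*"
HIGH_CODEPOINT_THRESHOLD = 15  # Paladinz lowered 18 to 15 after a miss

# IRC formatting codes: colour (\x03 with optional fg[,bg]), bold, reset,
# reverse, italic, strikethrough, underline, monospace.
_IRC_FORMAT_RE = re.compile(
    r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1e\x1f\x11]")


def strip_format_codes(text: str) -> str:
    """Equivalent of mIRC $strip / eggdrop stripcodes."""
    return _IRC_FORMAT_RE.sub("", text)


def strip_invisible(text: str) -> str:
    """Drop Unicode format characters (category Cf): word joiners, zero-width
    spaces, BOMs. These are what is 'hidden between the letters'."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def spamfilter_match(phrase: str, text: str) -> bool:
    """Case-insensitive wildcard match. The * between every letter of the
    phrase absorbs the invisible joiners, so no normalisation is needed."""
    return fnmatchcase(text.lower(), phrase.lower())


def high_codepoint_count(text: str) -> int:
    """Paladinz's unicodecount: characters above code point 255, after
    stripping formatting codes."""
    return sum(1 for ch in strip_format_codes(text) if ord(ch) > 255)


def is_nick_announcement(text: str, channel_nicks: Set[str], min_nicks: int = 4) -> bool:
    """Paladinz's first rule: the first few words are all nicks in the channel."""
    words = strip_format_codes(text).split()
    return len(words) >= min_nicks and all(w in channel_nicks for w in words[:min_nicks])


def classify(text: str, channel_nicks: Set[str]) -> List[str]:
    """Names of every rule the message trips (empty list means ham)."""
    hits = []
    if spamfilter_match(SPAMFILTER_PHRASE, text):
        hits.append("spamfilter")
    if high_codepoint_count(text) >= HIGH_CODEPOINT_THRESHOLD:
        hits.append("high-codepoints")
    if is_nick_announcement(text, channel_nicks):
        hits.append("nick-announcement")
    return hits


# Constructed samples (not real log lines). WJ = U+2060 WORD JOINER,
# ZWSP = U+200B ZERO WIDTH SPACE, the padding style seen in the thread.
WJ, ZWSP = "\u2060", "\u200b"
PADDED_SPAM = (f"S{WJ}URF{WJ}'S UP{ZWSP} GET{WJ} ON{WJ} "
               f"IR{ZWSP}C.S{ZWSP}UP{ZWSP}ERNE{WJ}T{WJ}S{WJ}.ORG")
NICK_LIST = "fluiviest ConXion PHENOM Paladinz JenEss theoutsiders"
CHANNEL_NICKS = {"fluiviest", "ConXion", "PHENOM", "Paladinz", "JenEss", "theoutsiders"}
HAM = "\x0304anyone\x03 know a good tcl tutorial?"
HAM_CJK = "今日はいい天気ですね、皆さん元気？"  # ordinary non-Latin chat, 17 chars > 255


if __name__ == "__main__":
    for msg in (PADDED_SPAM, NICK_LIST, HAM, HAM_CJK):
        print(classify(msg, CHANNEL_NICKS), repr(strip_invisible(msg)))
```

Running it shows both sides of the heuristics in this thread: the padded supernets line contains only 11 characters above U+00FF, so a threshold of 15 misses it (the same kind of miss Paladinz describes), while the wildcard phrase still hits because the `*` between letters absorbs the joiners; conversely an ordinary Japanese sentence trips the code-point rule, which is the non-spammer case Paladinz warns to watch for. Removing Cf characters before any other check is a cheap normalisation that also lets a plain `irc.supernets.org` substring match work.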
amiga2600
Posts: 2
Joined: Fri Jul 07, 2023 5:12 pm

Re: Wave of spam hits IRC

Post by amiga2600 »

Thanks for highlighting the blacklist information. It's definitely a good resource.

These guys are a joke and there are many ways to detect and block them. One of the funny things about this person(s) is that they seem to be obsessed with IRC but have clearly never read the RFC for IRC. :lol:

Aside from the number of flaws in their code (see https://github.com/internet-relay-chat/IRCP and https://git.acid.vegas), the bots do dumb things like message non-existing rooms - #IRC.SUPERNETS.ORG_<##>. They will also try to register these rooms with chanserv, but everything they do message-wise seems to be out of order. Pretty sad since they seem to be quite proud of such badly written code. :lol:
boodle
Posts: 2
Joined: Wed Nov 11, 2015 2:53 pm

Re: Wave of spam hits IRC

Post by boodle »

*i*r*c*.*s*u*p*e*r*n*e*t*s*.*o*r*g* kills lots of the spam; it's got Unicode hidden between the letters.

edit: Is it possible to build in a response to DroneBL so we can add to the database like BOPM used to?
Kjarrval
Posts: 1
Joined: Sun Jul 09, 2023 6:58 pm

Re: Wave of spam hits IRC

Post by Kjarrval »

Didn't notice this forum post until today and I guess misery loves company.

A few days ago the server I'm running was hit with those ads. On the 7th of July I sent a complaint to [email protected] and asked them to stop or at least message the people who were that this wasn't appropriate, also mentioning irc.supernets.org's own ban policy wouldn't tolerate such behaviour either. The e-mail wasn't responded to directly but a message was delivered onto a channel and in private message to me on my server. Here is a part of it:
skeuple: hey m⁠a⁠n​ im​ r​ea⁠l⁠ly⁠ sorry⁠ f⁠o​r​ sp​am⁠mi⁠n⁠g​ yo⁠ur​ ir⁠c.
skeuple: i ho⁠pe​ y​o​u acc⁠ept t⁠h​i​s s⁠i⁠nce⁠re​ a⁠p⁠o​l​o​gy⁠ f⁠ro​m my​ h⁠e​art​.
skeuple: [*a few words I cut because they are probably banned on this forum*]
skeuple: a⁠h​hhhhhh​h⁠hhhhh​hhh⁠hhhh​ j⁠k⁠ u [*cut*] f⁠uck yo⁠ur​ i⁠rc​
skeuple: i⁠m​ c⁠o⁠m​i​n​ ba⁠ck on​ 100 m⁠or​e ips to sp​a​m⁠ t⁠his⁠ g⁠ay⁠ as⁠s i​rc⁠ c​ha⁠n​ne​l
skeuple: i​f​ u m⁠ad c​ome to i​r​c.s⁠uper⁠n​e⁠t⁠s.org #s​uperbowl bitc⁠h
It became obvious to me that the one running the bot is the admin of supernets.org.

Then I sent this e-mail message to [email protected] later on the 7th of July (which didn't receive an e-mail response either):
Your continuation of the spam/abuse just proved my point that you are childish and abusive and most likely in denial of that fact. Since you don't want to respond under your real name or even respond to this e-mail directly just proves to me that you are also a coward.

I'm not after an apology since I know you are too proud to offer a sincere one. I'm also somewhat sure you'll continue to pretend to be some shell of a tough person by making those threats and will probably attempt to make some tough-guy remarks in one of your so-called witty responses.

By continuing you will further prove that I'm right. You could also try to prove me wrong but I think you're too proud for that.
The spam became worse after that and I deduce I really hit a nerve there. If that was the cause of the increased attacks on other servers, I'm sorry for that.
acidvegas
Posts: 8
Joined: Sat Feb 04, 2017 12:58 am
Location: Olympia, Greece

Re: Wave of spam hits IRC

Post by acidvegas »

I would just like to publicize my 2 cents on the matter...seems to be a lot of "pointing finger" syndrome going on right now.

As "one" of the many network operators/owners at SuperNETs, I can assure you, I am fully aware that people are in fact sending messages to other networks on a large scale. Our network is comprised of hundreds of users & we (the owners) do not control what people on our network do or say.
The key element of separation at SuperNETs in dichotomy of others is that we do not have rules here. Described as the "wild west" of IRC, SuperNETs aims to be the one place online you can say or do whatever you want. Every single social platform on the internet today is swilled with censorship. It is VERY easy to say 1 thing and get completely banned off of a platform. We aim to be the one place that doesn't resort to banning you or kicking you simply because you are annoying or we don't like you. We allow flooding, ascii art, trolling opers, bots, whatever you want. Rarely do we ever issue a network ban manually, as most bans are automated on our network.
With that being said, to simply put the entire blame of the past events on a single network operator is just pointing fingers. What happens if they start flooding irc.unrealircd.org everywhere? Is this now Syzop's fault? As a result of this finger pointing syndrome, I personally have been DDoS'd about 37 times since the 4th of July. We have a massive increase in bot flooding on SuperNETS. And that is completely fine LOL. As I said, our network is equipped to deal with flooding, and 90% of the time people try and flood us, we end up pumping ascii art faster than they can fill the channel. And denial of service attacks are temporary. Y'all get bored eventually. The guys doing this "apparently" have been running this on 1000s of hacked routers (classic common port issue...) and having it scan for proxies 24/7. 2 of the users go by the names MR_CHATS and chippy1337. I have asked them to stop before but these guys are very unstable hackers. I don't get involved tbh. Nor do I care, as it's just text on a screen lol...

POINT OF THE MATTER IS:
Might be a better idea learning what having +O means than trying to tell me "I reported your host provider".
Not a single bit of flooding is occurring from our server IP addresses. So they won't intervene. Your "logs" have no authenticity because anyone can fabricate a fake log.

Maybe some of you are new to IRC or only chat in 2 servers and don't realize this kind of stuff has been happening on IRC since 2005. You also don't realize that this is the current fucking state of IPv4. Go check your syslog if you run SSH on port 22 and watch the 12000 login attempts every day. And yet here we are still using standard ports for everything. Welcome to the internet.

8) ~ acidvegas
amiga2600
Posts: 2
Joined: Fri Jul 07, 2023 5:12 pm

Re: Wave of spam hits IRC

Post by amiga2600 »

acidvegas wrote: Sun Jul 09, 2023 9:46 pm As "one" of the many network operators/owners at SuperNETs, I can assure you, I am fully aware that people are in fact sending messages to other networks on a large scale. Our network is comprised of hundreds of users & we (the owners) do not control what people on our network do or say.

...

With that being said, to simply put the entire blame of the past events on a single network operator is just pointing fingers. What happens if they start flooding irc.unrealircd.org everywhere? Is this now Syzop's fault? As a result of this finger pointing syndrome, I personally have been DDoS'd about 37 times since the 4th of July. We have a massive increase in bot flooding on SuperNETS. And that is completely fine LOL. As I said, our network is equipped to deal with flooding, and 90% of the time people try and flood us, we end up pumping ascii art faster than they can fill the channel. And denial of service attacks are temporary. Y'all get bored eventually. The guys doing this "apparently" have been running this on 1000s of hacked routers (classic common port issue...) and having it scan for proxies 24/7. 2 of the users go by the names MR_CHATS and chippy1337. I have asked them to stop before but these guys are very unstable hackers. I don't get involved tbh. Nor do I care, as it's just text on a screen lol...
When some of the scrolling is coming from bick.dick.acid.vegas, that absolutely is a server that is at least part of your domain. There are also a number of fellow admins that I have spoken to that were attacked more after emailing [email protected]. You can come here and pass the blame off however you want, but stuff is still getting reported. Regarding thousands of hacked routers, I call bullshit as I've seen < 1,000 IPs so far. This is some script kiddie level attempt going on, but that doesn't make it any less annoying.

You can deflect, say how it isn't a big deal, say it isn't the admins - but people are still going to report you. At the end of the day, you're just making a fool of yourself to the internet at large (to include the hacker community that you claim to be a part of). If you don't want people pointing the finger at you, stop publishing shitty code bases and stop assisting half-assed spam campaigns.
boodle
Posts: 2
Joined: Wed Nov 11, 2015 2:53 pm

Re: Wave of spam hits IRC

Post by boodle »

I recommend possibly adding SpamRATS and Tor end node detectors to your blacklist too. This is my setup (I had this running for many years on BOPM and Unreal's system without any false positives that I'm aware of):

Code:

blacklist tordanme {
        dns {
                name tor.dan.me.uk;
                type record;
                reply { 100; };
        };
        action gline;
        ban-time 24h;
        reason "TOR detected";
};

Code:

blacklist spamrats {
        dns {
                name all.spamrats.com;
                type record;
                reply { 38; };
        };
        action gline;
        ban-time 24h;
        reason "host listed in the SpamRATS database. http://www.spamrats.com/lookup.php?ip=$i";
};
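An added example, not UnrealIRCd's own code, of how blacklist { } blocks like the two above (and the shipped DroneBL one Syzop refers to) are evaluated for a connecting client, with a stub resolver so it runs offline. The lookup name is the client's IPv4 octets reversed with the zone appended, and with `type record` the last octet of the returned 127.0.0.x address has to be one of the values in `reply { }`; a `bitmask` mode that ANDs the octet against the values is included for comparison, on the assumption that this is how UnrealIRCd's `type bitmask` behaves. The client IPs are from TEST-NET-1 (192.0.2.0/24) and the stub answers are constructed; treating `$i` in the reason as the client IP is an assumption, so check which variable UnrealIRCd actually expands before relying on it.

```python
"""Evaluate UnrealIRCd-style blacklist { } blocks against a client IP.
Added example with a stub resolver; not UnrealIRCd's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class BlacklistBlock:
    """The fields of a blacklist { } block that matter for matching."""
    name: str          # DNSBL zone, e.g. all.spamrats.com
    match_type: str    # "record" (last octet equals a value) or "bitmask" (last octet & value)
    replies: Set[int]  # the reply { ... } values
    action: str
    ban_time: str
    reason: str        # "$i" is replaced with the client IP here (assumption)


# boodle's two blocks from the post above, transcribed.
BLOCKS = [
    BlacklistBlock("tor.dan.me.uk", "record", {100}, "gline", "24h", "TOR detected"),
    BlacklistBlock("all.spamrats.com", "record", {38}, "gline", "24h",
                   "host listed in the SpamRATS database. "
                   "http://www.spamrats.com/lookup.php?ip=$i"),
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: IPv4 octets reversed, then the zone appended."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example only handles IPv4 lookups")
    return ".".join(reversed(ip.split("."))) + "." + zone


def reply_code(answer: str) -> int:
    """DNSBLs answer with an A record inside 127.0.0.0/8; the last octet is the code."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer}")
    return int(addr) & 0xFF


def block_matches(block: BlacklistBlock, answers: Iterable[str]) -> Optional[int]:
    """Return the first answer code the block accepts, or None if unlisted or
    listed only with codes the block does not care about."""
    for answer in answers:
        code = reply_code(answer)
        if block.match_type == "record" and code in block.replies:
            return code
        if block.match_type == "bitmask" and any(code & bit for bit in block.replies):
            return code
    return None


Resolver = Callable[[str], List[str]]


def check_client(ip: str, blocks: Iterable[BlacklistBlock],
                 resolve: Resolver) -> List[Tuple[str, int, str, str]]:
    """Query every block's zone for the client; collect (zone, code, action, reason)."""
    hits = []
    for block in blocks:
        code = block_matches(block, resolve(dnsbl_query_name(ip, block.name)))
        if code is not None:
            hits.append((block.name, code, block.action, block.reason.replace("$i", ip)))
    return hits


# Constructed answers (no real DNS is queried); unlisted names resolve to nothing,
# which is what NXDOMAIN from a real DNSBL amounts to.
STUB_ANSWERS = {
    "10.2.0.192.tor.dan.me.uk": ["127.0.0.100"],     # Tor listing with the code boodle accepts
    "20.2.0.192.all.spamrats.com": ["127.0.0.36"],   # listed, but not with code 38: no action
    "30.2.0.192.all.spamrats.com": ["127.0.0.38"],   # code 38: gline
}


def stub_resolve(name: str) -> List[str]:
    return STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(client, check_client(client, BLOCKS, stub_resolve))
```

The second client shows why the `reply { }` list matters: it is listed by SpamRATS, but with a code boodle's block does not accept, so nothing happens. The blacklistrecheck module Syzop describes amounts to running the same `check_client` again one minute after connect and every five minutes after that, which is what catches a drone that only gets listed after it has already connected.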