/*
* This is an example spamfilter file; it contains several
* real and useful spamfilters. This should give you an
* idea of how powerful spamfilter can be in real-life
* situations.
*
* $Id: spamfilter.conf,v 1.1.6.11 2009/04/13 11:03:55 syzop Exp $
*/
/* Guidelines on the 'action' field:
* As a general rule we use 'action block' for any newly added
* spamfilters at first; later on (after learning about false
* positives) we might change some to viruschan/kill/gline/etc.
*/
/*
 * mIRC DCC exploit signatures. \x01 is the CTCP delimiter, so both
 * patterns inspect the text of a CTCP "DCC SEND" / "DCC RESUME" request.
 * Both apply to private and channel messages and use 'action kill'.
 */
spamfilter {
/* A DCC SEND/RESUME whose quoted argument holds at least twenty
 * space-separated fields.
 * NOTE(review): the nested quantifier (.+ ){20} can backtrack heavily
 * on long lines depending on the regex engine in use; a bounded form
 * such as ([^ ]+ ){20} may be worth considering — confirm against the
 * engine this build links. */
regex "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
target { private; channel; };
reason "mIRC 6.0-6.11 exploit attempt";
action kill;
};
spamfilter {
/* A DCC SEND/RESUME followed by at least 225 further characters. */
regex "\x01DCC (SEND|RESUME).{225}";
target { private; channel; };
reason "Possible mIRC 6.12 exploit attempt";
action kill;
};
/*
 * Malware spam sent as private messages by infected clients. Each
 * 'reason' names the malware and a vendor write-up; the reason text is
 * what the matched user sees, so keep it accurate when editing.
 */
spamfilter {
/* Fixed webcam lure followed by an http URL with a port and /me.mpg. */
regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
target private;
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
action gline;
};
spamfilter {
/* Fake "DCC speed-up" pitch pointing at an .exe download. */
regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
target private;
reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
action gline;
};
spamfilter {
/* Message that starts with an angelfire .jpg link followed by " <- " and a
 * line containing '!'. Only blocked rather than glined (see the 'action'
 * guidelines at the top of this file). */
regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
target private;
reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
action block;
};
spamfilter {
/* Whole-line match: a "free:porn@" URL to a dotted-quad IP on port 8180. */
regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
target private;
reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
action gline;
};
/*
 * IRC bot (botnet) control commands. These catch the controller issuing
 * commands in a channel, not the infected clients themselves, which is
 * why most are channel-only and end in '$' (whole-line match).
 * Every entry here uses 'action gline'.
 */
spamfilter {
/* Exact GTBot login line. */
regex "^!login Wasszup!$";
target channel;
reason "Attempting to login to a GTBot";
action gline;
};
spamfilter {
/* Exact GTBot login line (second known password). */
regex "^!login grrrr yeah baby!$";
target channel;
reason "Attempting to login to a GTBot";
action gline;
};
spamfilter {
/* "!packet <dotted-quad IP> <number>": a flood command aimed at an IP. */
regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
target channel;
reason "Attempting to use a GTBot";
action gline;
};
spamfilter {
/* "!icqpagebomb <number> <number> <text>". */
regex "^!icqpagebomb ([0-9]{1,15} ){2}.+";
target channel;
reason "Attempting to use a GTBot";
action gline;
};
spamfilter {
/* "!pfast <number> <dotted-quad IP> <port>" as the entire line. */
regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
target channel;
reason "Attempting to use a GTBot";
action gline;
};
spamfilter {
/* "!portscan <dotted-quad IP> <port> <port>" as the entire line. */
regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
target channel;
reason "Attempting to use a GTBot";
action gline;
};
spamfilter {
/* "<c>u" or "<c>udp" followed by a dotted-quad IP and three or more numbers.
 * NOTE(review): the leading '.' is a single-character wildcard, not a literal
 * dot; presumably it is meant to allow any one-character command prefix —
 * confirm, and escape it as '\.' if only a literal dot was intended. */
regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
target channel;
reason "Attempting to use an SDBot";
action gline;
};
spamfilter {
/* "<c>syn <IP or hostname> <port> <number> <number>". The host alternative
 * accepts a dotted-quad or a name with at least two dots. Same leading
 * wildcard '.' caveat as the SDBot filter above. Also checked in private
 * messages, unlike the other bot-command filters. */
regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
target { channel; private; };
reason "Attempting to use a SpyBot";
action gline;
};
/*
 * More malware spam in private messages. The nkie entries match the
 * literal "//write ... $decode(...) | .load -rs ..." command a victim is
 * tricked into pasting; '$', '(', ')', '|' and '+' are escaped so they
 * are matched literally.
 */
spamfilter {
/* Lure text followed by an http URL ending in /sexo.exe. */
regex "^porn! porno! http://.+\/sexo\.exe";
target private;
action gline;
reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};
spamfilter {
/* Either of two lure phrases, then a URL ending in /erotic/ or /erotica/
 * plus myvideo.exe, as the whole line. Malware name not confirmed (see reason). */
regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
target private;
action gline;
reason "Infected by some trojan (erotica?)";
};
spamfilter {
/* nkie worm: "nospam" variant of the pasted //write + .load command. */
regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};
spamfilter {
/* nkie worm: "Matrix2" variant; the $decode argument must end in "=,m". */
regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};
spamfilter {
/* nkie worm: "get OPs" variant, two chained $decode(...,m) calls. */
regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};
spamfilter {
/* Any message containing one of three known malware hosts. The leading and
 * trailing .* are redundant for an unanchored match and only add work. */
regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
target private;
action gline;
reason "Infected by LOI trojan"; /* Name is still unsure */
};
/*
 * Gaggle worm. The first two entries target DCC transfers and match the
 * Windows path the worm sends; the third matches the lycos URLs it spams.
 * NOTE(review): the quadruple backslash presumably yields one literal
 * backslash after config-string and regex unescaping — confirm against the
 * config parser, as under-escaping would make these patterns never match.
 */
/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
spamfilter {
/* Any .zip under C:\WINNT\system32\ with a name from the character class.
 * NOTE(review): inside that class "_-{" is read as a range (underscore
 * through '{'), so a literal '-' in the filename is NOT matched; if a
 * hyphen was intended, move '-' to the end of the class — confirm. */
regex "C:\\\\WINNT\\\\system32\\\\[][0-9a-z_-{|}`]+\.zip";
target dcc;
action block;
reason "Infected by Gaggle worm?";
};
spamfilter {
/* Specific known Gaggle archive names; 'dccblock' rather than 'block'. */
regex "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
target dcc;
action dccblock;
reason "Infected by Gaggle worm";
};
spamfilter {
/* lycos-hosted "[iy]serverN" links with a 4-11 letter filename; checked in
 * private messages and in quit messages. */
regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
target { private; quit; };
action block;
reason "Infected by Gaggle worm";
};
/*
 * Remaining signatures. All use 'action block' (see the guidelines at the
 * top of the file: block first, escalate once false positives are known).
 */
spamfilter {
/* Lure phrase ("pic" or "pics") followed by one of two known sites. */
regex "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
target private;
reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
action block;
};
spamfilter {
/* Whole-line "//echo -a $($decode(...,m),N)" paste, a $decode-based exploit. */
regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
target channel;
reason "$decode exploit";
action block;
};
/*
 * Disabled (commented out): a generic "//write $decode(... | ... load -rs"
 * filter covering private and channel messages. Kept here as a template;
 * presumably disabled for false positives — confirm before re-enabling.
 */
/*
spamfilter {
regex "//write \$decode\(.+\|.+load -rs";
target { private; channel; };
reason "Generic $decode exploit";
action block;
};
*/
spamfilter {
/* Whole-line "IRCOp bug" lure with two $decode(...=?,m) calls; the reason
 * text tells the victim how to unload the script. */
regex "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
target private;
action block;
reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
};