
Spamfilter

From UnrealIRCd documentation wiki

Spamfilter is a highly advanced system to fight spam, advertising, worms and other bad things on IRC. Spamfilters can be added through the /SPAMFILTER command or through spamfilter { } blocks in the configuration file.

There is also a Central Spamfilter which you can optionally enable to automatically fetch spamfilter rules from unrealircd.org every hour.

SPAMFILTER command

On IRC, spamfilters are added via the /SPAMFILTER command, which uses the following syntax:
/spamfilter [add|del] [match-type] [target] [action] [tkltime] [reason] [match string]

Item Explanation & possible options
add / del Indicates if you want to add or remove a spamfilter
match-type The type of match string you're going to use (see also the examples later on). There are two choices:
  • -simple means simple matching with ? and * wildcard support
  • -regex uses regular expressions (more on that later, or see Introduction to regex (PCRE) straight away)
target specifies the target type, the targets this spamfilter will look into:
Character | Config item | Description
c | channel | Channel message
p | private | Private message (from user->user)
n | private-notice | Private notice
N | channel-notice | Channel notice
P | part | Part reason
q | quit | Quit reason
d | dcc | DCC filename
a | away | Away message
t | topic | Setting a topic
T | message-tag | Ban Message tags sent by the client. This will be matched against name=value or just name if there is no value
u | user | User ban, will be matched against nick!user@host:realname
R | raw | Match a raw command / IRC protocol line (except message tags), eg LIST*

In many cases you will specify multiple targets, like cpNn.

action specifies the action to be taken, such as kline. See Actions for a list of all possible actions.
tkltime The duration of the *line/shun added by the filter. Use '-' to use the default or to skip (eg: if action is 'block')
reason Block/*line/shun reason. You CANNOT use spaces in this, but underscores ('_') will be translated into spaces at runtime, and a double underscore ('__') becomes an underscore ('_'). Again, use '-' to use the default reason.
match-string This is the actual string that should be blocked or that we should perform the specified action on. The syntax of this string depends on the match-type. See also examples below.

Scroll down for examples of the /SPAMFILTER command.

Spamfilter block

You can also put spamfilters in your configuration file; see the Spamfilter block. For information about each of the fields, see above.

Examples

Block simple spam

Say you see a user mass-spamming in channels and in PM (Private Message). In each case, the user is saying: Hey <NICK>, come watch me on my webcam! connect to http://1.2.3.4:80/. It always looks like that, except for a varying IP/URL. You want any user who says this to be immediately GLINEd for 1 day.

On IRC:

/SPAMFILTER add -simple pc gline 1d You_are_spamming_or_you_have_a_virus! *Hey*come watch me on my webcam*

Or in the configuration file:

spamfilter {
        match-type simple;
        target { private; channel; };
        action gline;
        ban-time 1d;
        reason "You are spamming or you have a virus!";
        match '*Hey*come watch me on my webcam*';
};

Note the use of single quotes for the match field. This is general good practice for spamfilter::match as it prevents URLs from being interpreted by the Remote includes code.
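The correspondence between the two forms above, as an added example that is not part of the UnrealIRCd documentation or code: a small Python converter from a /SPAMFILTER add line to a spamfilter { } block, applying the target letters, the '-' defaults and the underscore rule for reasons. The function names are hypothetical, and refusing to render values that contain quote characters is an assumption made to keep the output unambiguous.

```python
import re

# Target characters and their config names, as listed in the target table.
TARGETS = {
    "c": "channel", "p": "private", "n": "private-notice",
    "N": "channel-notice", "P": "part", "q": "quit", "d": "dcc",
    "a": "away", "t": "topic", "T": "message-tag", "u": "user", "R": "raw",
}

def decode_reason(reason):
    """'__' becomes '_', a single '_' becomes a space (scanned left to right)."""
    return re.sub(r"__|_", lambda m: "_" if m.group() == "__" else " ", reason)

def parse_spamfilter_add(line):
    """Split a '/SPAMFILTER add ...' line into its documented fields."""
    parts = line.strip().split(" ", 7)  # the match string may contain spaces
    if len(parts) != 8 or parts[0].lower() != "/spamfilter" or parts[1] != "add":
        raise ValueError("expected /spamfilter add followed by 6 fields")
    mtype, targets, action, tkltime, reason, match = parts[2:]
    if mtype not in ("-simple", "-regex"):
        raise ValueError(f"unknown match-type {mtype!r}")
    bad = sorted(set(targets) - set(TARGETS))
    if bad:
        raise ValueError(f"unknown target character(s): {bad}")
    return {
        "match-type": mtype[1:],
        "target": [TARGETS[ch] for ch in targets],
        "action": action,
        "ban-time": None if tkltime == "-" else tkltime,  # '-' means default
        "reason": None if reason == "-" else decode_reason(reason),
        "match": match,
    }

def to_config_block(f):
    """Render parsed fields as a spamfilter { } block, omitting defaults."""
    if "'" in f["match"] or '"' in (f["reason"] or ""):
        raise ValueError("quote character in match/reason: write the block by hand")
    out = ["spamfilter {", f"        match-type {f['match-type']};"]
    out.append("        target { " + " ".join(t + ";" for t in f["target"]) + " };")
    out.append(f"        action {f['action']};")
    if f["ban-time"]:
        out.append(f"        ban-time {f['ban-time']};")
    if f["reason"]:
        out.append(f'        reason "{f["reason"]}";')
    out.append(f"        match '{f['match']}';")
    out.append("};")
    return "\n".join(out)
```

Feeding it the /SPAMFILTER line from this example yields the configuration block shown above, with the match field in single quotes.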

Regex to block mIRC exploit

Regular expressions (regex) are much more powerful than the simple method. Several years ago mIRC had a bug: you could crash any mIRC v6.12 by sending a DCC SEND message with a filename of 225 (or more) characters. You can't block this with the simple method from above, but with regex you can. For regex this is even an easy case.

On IRC:

/SPAMFILTER add -regex pc kill - Possible_mIRC_exploit_attempt \x01DCC (SEND|RESUME).{225}

Or in the configuration file:

spamfilter {
        match-type regex;
        target { private; channel; };
        action kill;
        reason "Possible mIRC exploit attempt";
        match '\x01DCC (SEND|RESUME).{225}';
};


To learn more about regex, see Introduction to regex (PCRE).

Slow Spamfilter Detection

Spamfilters often consist of complex regular expressions. There is a very small chance that a regular expression is so complex that it slows down the IRCd too much, causing issues with responsiveness.

Slow spamfilters are very exceptional but they are possible, so UnrealIRCd has a safety mechanism for this: the settings set::spamfilter::detect-slow-warn and set::spamfilter::detect-slow-fatal. If a single spamfilter takes longer than detect-slow-warn, the IRC server warns IRCOps about this spamfilter. If it takes longer than detect-slow-fatal, the server removes the spamfilter. The default values for these are 250ms and 500ms respectively (so a quarter of a second and half a second).
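A way to time a candidate regex against the default thresholds before adding it, as an added example that is not UnrealIRCd code. It assumes Python's re engine as a stand-in for the server's PCRE engine, so the timings are only indicative; the nested pattern and all sample lines are constructed, and the function names are hypothetical.

```python
import re
import time

WARN_MS, FATAL_MS = 250, 500  # default detect-slow-warn / detect-slow-fatal

def verdict(ms):
    """Classify one execution time the way the thresholds are described."""
    if ms > FATAL_MS:
        return "removed"
    if ms > WARN_MS:
        return "warn"
    return "ok"

def worst_case_ms(pattern, samples):
    """Slowest single match attempt over the sample lines, in milliseconds."""
    rx = re.compile(pattern)
    worst = 0.0
    for text in samples:
        start = time.perf_counter()
        rx.search(text)
        worst = max(worst, (time.perf_counter() - start) * 1000.0)
    return worst

# The DCC regex from the example above, with constructed sample lines.
PAGE_REGEX = r"\x01DCC (SEND|RESUME).{225}"
DCC_SAMPLES = [
    "hello everyone",
    "\x01DCC SEND " + "A" * 230 + "\x01",  # matches
    "\x01DCC SEND short.txt 0 0 0\x01",    # near miss
]

# Constructed pattern with a nested quantifier: on a line that almost
# matches, the engine tries every way of splitting the run of characters.
NESTED_REGEX = r"^(\S+\s?)+webcam$"
NEAR_MISS = ["x" * 20]  # kept short on purpose: cost doubles per character

def check(pattern, samples):
    ms = worst_case_ms(pattern, samples)
    return ms, verdict(ms)

if __name__ == "__main__":
    for name, pat, lines in (("page regex", PAGE_REGEX, DCC_SAMPLES),
                             ("nested regex", NESTED_REGEX, NEAR_MISS)):
        ms, result = check(pat, lines)
        print(f"{name}: {ms:.2f} ms -> {result}")
```

Test with near-miss lines as well as matching ones, since a failed match is what forces the engine through every alternative.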

Target of spamfilter bans

When a spamfilter is hit by a user, it will by default place a ban on *@ip if the ban type is a *LINE (of course not for other actions such as warn). This should be fine for most people. You can, however, change this via the set::automatic-ban-target setting.

Exempting users from spamfilters

IRCOps will not trigger spamfilters by default (they are exempt), provided they use an operclass with the immune:server-ban:spamfilter permission (all IRCOps have this by default).

To exempt normal users from spamfilters you can use the Except ban block with type spamfilter or place an ELINE.

You can also exempt targets by name (so recipients! not senders!) via set::spamfilter::except. You can, for example, put a channel called #spam there that is used for spam reports by ordinary users. Users can then safely put text in the channel without risking being killed by spamfilters.