Spamfilter

From UnrealIRCd documentation wiki

Spamfilter is a highly advanced system to fight spam, advertising, worms and other bad things on IRC. Spamfilters can be added through the /SPAMFILTER command or through spamfilter { } blocks in the configuration file.

SPAMFILTER command

On IRC, spamfilters are added via the /SPAMFILTER command, which uses the following syntax:
/spamfilter [add|del] [match-type] [target] [action] [tkltime] [reason] [match string]

Item Explanation & possible options
add / del Indicates if you want to add or remove a spamfilter
match-type The type of match string you're going to use (see also the examples later on). Right now you have two / three choices:
  • simple means simple matching with ? and * wildcard support
  • regex uses regular expressions (more on that later)
  • posix is the old 3.2.x regex method which is only included for compatibility.
target specifies the target type, the targets this spamfilter will look into:
Character  Config item     Description
c          channel         Channel message
p          private         Private message (from user->user)
n          private-notice  Private notice
N          channel-notice  Channel notice
P          part            Part reason
q          quit            Quit reason
d          dcc             DCC filename
a          away            Away message
t          topic           Setting a topic
u          user            User ban, will be matched against nick!user@host:realname

You can (and often will) specify multiple targets, like: cpNn

action specifies the action to be taken, such as kline. See Actions for a list of all possible actions.
tkltime The duration of the *line/shun added by the filter. Use '-' to use the default or to skip it (e.g. if action = 'block').
reason Block/*line/shun reason. You CANNOT use spaces in this, but underscores ('_') will be translated into spaces at runtime, and a double underscore ('__') becomes an underscore ('_'). Again, use '-' to use the default reason.
match-string This is the actual string that should be blocked or that we should perform the specified action on. The syntax of this string depends on the match-type. See also examples below.

Spamfilter block

You can also put spamfilters in your configuration file; see the Spamfilter block. For information about each of the fields, see above.

Examples

Block simple spam

Say you see a user mass-spamming in channels and in PM (Private Message). In each case, the user is saying: Hey <NICK>, come watch me on my webcam! connect to http://1.2.3.4:80/. It always looks like that, except for a varying IP/URL. You want any user who says this to be immediately GLINEd for 1 day.

On IRC:

/SPAMFILTER add -simple pc gline 1d You_are_spamming_or_you_have_a_virus! *Hey*come watch me on my webcam*

Or in the configuration file:

spamfilter {
        match-type simple;
        target { private; channel; };
        action gline;
        ban-time 1d;
        reason "You are spamming or you have a virus!";
        match "*Hey*come watch me on my webcam*";
};

Regex to block mIRC exploit

Regular expressions (regex) are much more powerful than the simple method. Several years ago mIRC had a bug: you could crash any mIRC v6.12 by sending a DCC SEND message with a filename of 225 (or more) characters. You can't block this with the simple method from above, but with regex you can. For regex this is even an easy case.

On IRC:

/SPAMFILTER add -regex pc kill - Possible_mIRC_exploit_attempt \x01DCC (SEND|RESUME).{225}

Or in the configuration file:

spamfilter {
        match-type regex;
        target { private; channel; };
        action kill;
        reason "Possible mIRC exploit attempt";
        match "\x01DCC (SEND|RESUME).{225}";
};

To learn more about regex, see Introduction to regex (PCRE).
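
The two examples above each show one filter written both as a /SPAMFILTER command and as a configuration block. The following Python sketch is an added example, not part of the UnrealIRCd documentation or code base: it converts an 'add' command line into the equivalent block using the field table on this page. The function names, the left-to-right underscore decoding and the choice to leave out ban-time or reason when the field is '-' are assumptions.

```python
import re

# Target characters and their config names, as listed in the table above.
TARGETS = {"c": "channel", "p": "private", "n": "private-notice",
           "N": "channel-notice", "P": "part", "q": "quit", "d": "dcc",
           "a": "away", "t": "topic", "u": "user"}
MATCH_TYPES = ("simple", "regex", "posix")


def decode_reason(reason):
    """'__' becomes '_' and a lone '_' becomes a space.
    Scanning left to right is an assumption of this sketch."""
    return re.sub(r"__|_", lambda m: "_" if m.group() == "__" else " ", reason)


def command_to_block(line):
    """Convert '/spamfilter add ...' into spamfilter { } block text."""
    # Only the first seven fields are split; the match string keeps its spaces.
    parts = line.rstrip("\r\n").split(None, 7)
    if len(parts) != 8 or parts[0].lower() != "/spamfilter":
        raise ValueError("need: /spamfilter add type target action tkltime reason match")
    _, op, mtype, targets, action, tkltime, reason, match = parts
    if op.lower() != "add":
        raise ValueError("only 'add' corresponds to a config block")
    mtype = mtype.lstrip("-")  # the page's examples write -simple / -regex
    if mtype not in MATCH_TYPES:
        raise ValueError(f"unknown match-type: {mtype}")
    unknown = sorted(set(targets) - set(TARGETS))
    if unknown:
        raise ValueError(f"unknown target character(s): {''.join(unknown)}")
    if '"' in match:
        # Quoting rules for config strings are not covered on this page.
        raise ValueError("match string contains a double quote; convert by hand")
    names = " ".join(TARGETS[c] + ";" for c in targets)
    items = [f"match-type {mtype};", f"target {{ {names} }};", f"action {action};"]
    if tkltime != "-":  # '-' means default or skip: leave ban-time out (assumption)
        items.append(f"ban-time {tkltime};")
    if reason != "-":   # '-' means default reason: leave reason out (assumption)
        items.append(f'reason "{decode_reason(reason)}";')
    items.append(f'match "{match}";')
    return "spamfilter {\n" + "".join(f"        {i}\n" for i in items) + "};"


if __name__ == "__main__":
    print(command_to_block(r"/SPAMFILTER add -regex pc kill - "
                           r"Possible_mIRC_exploit_attempt \x01DCC (SEND|RESUME).{225}"))
```

Review the generated block before loading it, since the sketch validates only the match-type and target fields and passes action and ban-time through unchanged.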

Slow Spamfilter Detection

Spamfilters often consist of complex regular expressions. If a regular expression is too complex, it can slow down the IRCd too much, causing issues with responsiveness.

Slow spamfilters are very exceptional, but they are possible, so UnrealIRCd has a safety mechanism for this: the settings set::spamfilter::detect-slow-warn and set::spamfilter::detect-slow-fatal. If a single spamfilter takes longer than detect-slow-warn, the IRC server will warn IRCOps about this spamfilter. If it takes longer than detect-slow-fatal, it will remove the spamfilter. The default values for these are 250ms and 500ms respectively (so a quarter of a second and half a second).