Tip of the day: You can use a SSL/TLS certificate fingerprints to exempt trusted users from server bans or allow them to send more commands per second.

Spamfilter block

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

The spamfilter block allows you to add local spam filters (not network-wide). See the Spamfilter article for more information about spamfilters.

Syntax

spamfilter {
        match-type [simple|regex];
	match '<text>';
	rule "<rule>"; /* optional */
	target { <target(s)> };
	action <action>;
	reason <reason>;
	ban-time <time>;
	except { <mask item>; }; /* optional */
};

The match-type is one of:

match is the text to match on, which depends on the match-type. Note the use of single quotes in match 'text'; instead of match "text";. Using single quotes will prevent a regex from accidentally be interpreted as an URL by Remote includes.

You specify the targets via target:

Character Config item Description
c channel Channel message
p private Private message (from user->user)
n private-notice Private notice
N channel-notice Channel notice
P part Part reason
q quit Quit reason
d dcc DCC filename
a away Away message
t topic Setting a topic
T message-tag Ban Message tags sent by the client. This will be matched against name=value or just name if there is no value
u user User ban, will be matched against nick!user@host:realname
R raw Match a raw command / IRC protocol line (except message tags), eg LIST*

reason is used as the reason for the *LINE/kill/block message

ban-time is the duration of the *LINE, it is irrelevant for types like kill, block, etc.

The action specifies the action to be taken, such as kline. There are both "regular" actions and "soft" actions. The soft actions (eg: soft-kill) are not applied to users who are authenticated with Services (preferably with SASL):

Regular name Soft name Description
kill soft-kill Kills the user. The user may still reconnect.
tempshun soft-tempshun Shuns the current session of the user, this makes it so the user cannot send any commands anymore. When the user reconnects, the shun is gone.
shun soft-shun Puts a shun on the IP, this makes it so the user cannot send any commands anymore.
kline soft-kline Puts a kline on the IP. The user can no longer connect to this server.
gline soft-gline Puts a gline on the IP. The user can no longer connect to any server in this IRC network.
zline Puts a zline on the IP. The user can no longer connect to this server.
Note that a ZLINE causes very quick killing which means that SSL/TLS users will not see a proper error message and TKL exceptions won't work. Only use zlines if you are sure the user/IP is hostile, otherwise use a kline instead.
gzline Puts a gzline (global zline) on the IP. The user can no longer connect to any server in this IRC network.
Note that a (G)ZLINE causes very quick killing which means that SSL/TLS users will not see a proper error message and TKL exceptions won't work. Only use gzlines if you are sure the user/IP is hostile, otherwise use a gline instead.
block soft-block Block the message (or action) only
dccblock soft-dccblock Mark the user so they are unable to send files through DCC
viruschan soft-viruschan Part all channels, join set::spamfilter::virus-help-channel, disables all commands except PONG, ADMIN, and msg/notices to set::spamfilter::virus-help-channel
warn soft-warn Send a notice to IRCOps (spamfilter snomask), and inform the user that the message has been intercepted. No further action is taken, the message is not blocked.
set Set a tag on the user (or change REPUTATION). This can be:
  • action { set SCORE=5; } - set SCORE to 5
  • action { set SCORE++; } - increase the value of SCORE with 1
  • action { set SCORE+=5; } - increase the value of SCORE with 5
  • action { set SCORE--; } - decrease the value of SCORE with 1
  • action { set SCORE-=5; } - decrease the value of SCORE with 5

The tag name SCORE is just an example, it can be named anything you want and will persist for the lifetime of the connection.
You can use the special tag name REPUTATION to adjust the Reputation score of the users' IP.
You can evaluate a tag value via tag(SCORE) in spamfilter::rule in the Spamfilter block.
This feature only exists in UnrealIRCd 6.1.2 and higher. If you you decrease the reputation score (REPUTATION) then all your servers need to be on 6.1.2 and higher for this to work properly.

report Report the incident via a Spamreport block. This can be report name-of-spamreport-block; or it can be report; to call all spamreport blocks.
This feature only exists in UnrealIRCd 6.1.2 and higher
stop Stop processing any other spamfilter rules. This only works in spamfilter::action.
This feature only exists in UnrealIRCd 6.1.2 and higher

For action set, see also Spamfilter rule and Setting tags below.

The except is a Mask item. It can be used if you want to exempt users against this particular spamfilter. Such as except { destination "#main"; } or except { security-group { known-users; } }. Note that if you want to exempt a destination from all spamfilters, then you should use set::spamfilter::except instead.

Spamfilter rule

In UnrealIRCd 6.1.2 and later we support spamfilter::rule. If the rule matches, then the spamfilter is executed. This allows you to do complex things like:

rule "!inchannel('#main') && (online_time()<180 || reputation()<50)";

See Crule for the syntax and all the available functions.

If you find crules too complex, you can also exempt someone from the specific spamfilter via spamfilter::except, which is a Mask item. But then do note that spamfilter::rule decides which user to include in the spamfilter while spamfilter::except does the opposite: it decides who not to include.

Setting tags

Since UnrealIRCd 6.1.2 you can set tags of users. And also, you can have multiple actions, like set + block.

You can use any tag name (we use "SCORE" below) and it will exist for the lifetime of connection, until the user gets disconnected.

This would bump the SCORE tag up by 1 (and create it with a value of 1 if it does not exist yet):

action { set SCORE++; }

You can also set+block:

action { set SCORE++; block; }

Combined with #Spamfilter rule this allows you to combine things like:

spamfilter {
        match-type simple;
        match "this is one line";
        target { private; channel; }
        action { set SCORE++; }
        reason "Hit one";
}

spamfilter {
        match-type simple;
        match "this is another line";
        target { private; channel; }
        action { set SCORE++; }
        reason "Hit two";
}

spamfilter {
        rule "tag(SCORE)>1";
        action kill;
        reason "Score is at least 2!";
}

The last spamfilter block from above is special, you can see it has no match and it has no target. Such spamfilter blocks run when a tag has changed in value for the user (like by the "Hit one" and "Hit two" blocks before that).

Reporting hits

If you are sure you are catching good spambots with your spamfitler block, then you can report spamfilter hits to central services like DroneBL or Central spamreport. That way other IRC users benefit from you catching spam/drones (just like you are benefiting from others doing this). See the Spamreport block.

See also

Please see the Spamfilter article for more information and in particular the examples in the same article.

For even more examples have a look at spamfilter.conf in UnrealIRCd.