Tip of the day: You can use a SSL/TLS certificate fingerprints to exempt trusted users from server bans or allow them to send more commands per second. |
Spamfilter block
The spamfilter block allows you to add local spam filters (not network-wide). See the Spamfilter article for more information about spamfilters.
Syntax
spamfilter { match-type [simple|regex]; match '<text>'; rule "<rule>"; /* optional */ target { <target(s)> }; action <action>; reason <reason>; ban-time <time>; except { <mask item>; }; /* optional */ };
The match-type is one of:
- simple (simple matching with ? and * support), or
- regex for regular PCRE2 expressions (see also Introduction to regex (PCRE))
match is the text to match on, which depends on the match-type. Note the use of single quotes in match 'text';
instead of match "text";
. Using single quotes will prevent a regex from accidentally be interpreted as an URL by Remote includes.
You specify the targets via target:
Character | Config item | Description |
---|---|---|
c | channel | Channel message |
p | private | Private message (from user->user) |
n | private-notice | Private notice |
N | channel-notice | Channel notice |
P | part | Part reason |
q | quit | Quit reason |
d | dcc | DCC filename |
a | away | Away message |
t | topic | Setting a topic |
T | message-tag | Ban Message tags sent by the client. This will be matched against name=value or just name if there is no value
|
u | user | User ban, will be matched against nick!user@host:realname
|
R | raw | Match a raw command / IRC protocol line (except message tags), eg LIST*
|
reason is used as the reason for the *LINE/kill/block message
ban-time is the duration of the *LINE, it is irrelevant for types like kill, block, etc.
The action specifies the action to be taken, such as kline
. There are both "regular" actions and "soft" actions. The soft actions (eg: soft-kill) are not applied to users who are authenticated with Services (preferably with SASL):
Regular name | Soft name | Description |
---|---|---|
kill | soft-kill | Kills the user. The user may still reconnect. |
tempshun | soft-tempshun | Shuns the current session of the user, this makes it so the user cannot send any commands anymore. When the user reconnects, the shun is gone. |
shun | soft-shun | Puts a shun on the IP, this makes it so the user cannot send any commands anymore. |
kline | soft-kline | Puts a kline on the IP. The user can no longer connect to this server. |
gline | soft-gline | Puts a gline on the IP. The user can no longer connect to any server in this IRC network. |
zline | Puts a zline on the IP. The user can no longer connect to this server. Note that a ZLINE causes very quick killing which means that SSL/TLS users will not see a proper error message and TKL exceptions won't work. Only use zlines if you are sure the user/IP is hostile, otherwise use a kline instead. | |
gzline | Puts a gzline (global zline) on the IP. The user can no longer connect to any server in this IRC network. Note that a (G)ZLINE causes very quick killing which means that SSL/TLS users will not see a proper error message and TKL exceptions won't work. Only use gzlines if you are sure the user/IP is hostile, otherwise use a gline instead. | |
block | soft-block | Block the message (or action) only |
dccblock | soft-dccblock | Mark the user so they are unable to send files through DCC |
viruschan | soft-viruschan | Part all channels, join set::spamfilter::virus-help-channel, disables all commands except PONG, ADMIN, and msg/notices to set::spamfilter::virus-help-channel |
warn | soft-warn | Send a notice to IRCOps (spamfilter snomask), and inform the user that the message has been intercepted. No further action is taken, the message is not blocked. |
set | Set a tag on the user (or change REPUTATION). This can be:
The tag name | |
report | Report the incident via a Spamreport block. This can be report name-of-spamreport-block; or it can be report; to call all spamreport blocks.This feature only exists in UnrealIRCd 6.1.2 and higher | |
stop | Stop processing any other spamfilter rules. This only works in spamfilter::action. This feature only exists in UnrealIRCd 6.1.2 and higher |
For action set
, see also Spamfilter rule and Setting tags below.
The except is a Mask item. It can be used if you want to exempt users against this particular spamfilter. Such as except { destination "#main"; }
or except { security-group { known-users; } }
. Note that if you want to exempt a destination from all spamfilters, then you should use set::spamfilter::except instead.
Spamfilter rule
In UnrealIRCd 6.1.2 and later we support spamfilter::rule. If the rule matches, then the spamfilter is executed. This allows you to do complex things like:
rule "!inchannel('#main') && (online_time()<180 || reputation()<50)";
See Crule for the syntax and all the available functions.
If you find crules too complex, you can also exempt someone from the specific spamfilter via spamfilter::except, which is a Mask item. But then do note that spamfilter::rule decides which user to include in the spamfilter while spamfilter::except does the opposite: it decides who not to include.
Setting tags
Since UnrealIRCd 6.1.2 you can set tags of users. And also, you can have multiple actions, like set + block.
You can use any tag name (we use "SCORE" below) and it will exist for the lifetime of connection, until the user gets disconnected.
This would bump the SCORE tag up by 1 (and create it with a value of 1 if it does not exist yet):
action { set SCORE++; }
You can also set+block:
action { set SCORE++; block; }
Combined with #Spamfilter rule this allows you to combine things like:
spamfilter { match-type simple; match "this is one line"; target { private; channel; } action { set SCORE++; } reason "Hit one"; } spamfilter { match-type simple; match "this is another line"; target { private; channel; } action { set SCORE++; } reason "Hit two"; } spamfilter { rule "tag(SCORE)>1"; action kill; reason "Score is at least 2!"; }
The last spamfilter block from above is special, you can see it has no match and it has no target. Such spamfilter blocks run when a tag has changed in value for the user (like by the "Hit one" and "Hit two" blocks before that).
Reporting hits
If you are sure you are catching good spambots with your spamfitler block, then you can report spamfilter hits to central services like DroneBL or Central spamreport. That way other IRC users benefit from you catching spam/drones (just like you are benefiting from others doing this). See the Spamreport block.
See also
Please see the Spamfilter article for more information and in particular the examples in the same article.
For even more examples have a look at spamfilter.conf in UnrealIRCd.