Spamfilter

Spamfilter is a highly advanced system to fight spam, advertising, worms and other bad things on IRC. Spamfilters can be added through the /SPAMFILTER command or through spamfilter { } blocks in the configuration file.

SPAMFILTER command
On IRC spamfilters are added via the /SPAMFILTER command which uses the following syntax: /spamfilter [add|del] [match-type] [target] [action] [tkltime] [reason] [match string]

Scroll down for examples of the /SPAMFILTER command.

Spamfilter block
You can also put spamfilters in your configuration file, see the Spamfilter block. For information about each of the fields see above.

Block simple spam
Say, you see a user mass-spamming in channels and in PM (Private Message). In each case, the user is saying: ''Hey , come watch me on my webcam! connect to http://1.2.3.4:80/''. It looks always like that, except for a varying IP/URL. You want any user who says this to be immediately GLINEd for 1 day.

On IRC: /SPAMFILTER add -simple pc gline 1d You_are_spamming_or_you_have_a_virus! *Hey*come watch me on my webcam*

Or in the configuration file: spamfilter { match-type simple; target { private; channel; }; action gline; ban-time 1d; reason "You are spamming or you have a virus!"; match '*Hey*come watch me on my webcam*'; }; Note the use of single quotes for the match field. This is general good practice for spamfilter::match as it prevents URLs from being interpreted by the Remote includes code.

Regex to block mIRC exploit
Regular expressions (regex) are much more powerful than the simple method. Several years ago mIRC had a bug: you could crash any mIRC v6.12 by sending a DCC SEND message with a filename of 225 (or more) characters. With the simple method from above you can't block this, with regex you can. For regex this is even an easy case.

On IRC: /SPAMFILTER add -regex pc kill - Possible_mIRC_exploit_attempt \x01DCC (SEND|RESUME).{225}

Or in the configuration file: spamfilter { match-type regex; target { private; channel; }; action kill; reason "Possible mIRC exploit attempt"; match '\x01DCC (SEND|RESUME).{225}'; }; Note the use of single quotes for the match field. This is general good practice for spamfilter::match as it prevents URLs from being interpreted by the Remote includes code.

To learn more about regex, see Introduction to regex (PCRE).

Slow Spamfilter Detection
Spamfilters often consist of complex regular expressions. There is a very small chance that if a regular expression is too complex that it would slow down the IRCd too much, causing issues with responsiveness.

Slow spamfilters are very exceptional but they are possible, so UnrealIRCd has a safety mechanism for this. They are set::spamfilter::detect-slow-warn and set::spamfilter::detect-slow-fatal. If a single spamfilter takes longer than detect-slow-warn then the IRC Server will warn about this spamfilter to IRCOps. If it takes longer than detect-slow-fatal it will remove the spamfilter. The default values for these are 250ms and 500ms respectively (so a quarter of a second and half a second).

Target of spamfilter bans
When a spamfilter is hit by a user, it will by default place ban on *@ip if the ban type is a *LINE (of course not for other actions such as warn). This should be fine for most people. You can, however, change this via the set::automatic-ban-target setting.

Exempting users from spamfilters
IRCOps will not trigger spamfilters by default (they are exempt). That is, if they use an operclass with the immune:server-ban:spamfilter permission (all IRCOps have this by default).

To exempt normal users from spamfilters you can use the Except ban block with type spamfilter or place an.

You can also exempt targets by name (so recipients! not senders!) via set::spamfilter::except. You can for example put a channel called  there that is used for spam reports by ordinary users. Users can then safely put text in the channel without risking to be killed by spamfilters.