Spamfilter

Spamfilter is a highly advanced system to fight spam, advertising, worms and other bad things on IRC. Spamfilters can be added through the /SPAMFILTER command or through spamfilter { } blocks in the configuration file.

SPAMFILTER command
On IRC spamfilters are added via the /SPAMFILTER command which uses the following syntax: /spamfilter [add|del] [match-type] [target] [action] [tkltime] [reason] [match string]

Spamfilter block
You can also put spamfilters in your configuration file, see the Spamfilter block. For information about each of the fields see above.

Block simple spam
Say, you see a user mass-spamming in channels and in PM (Private Message). In each case, the user is saying: ''Hey , come watch me on my webcam! connect to http://1.2.3.4:80/''. It looks always like that, except for a varying IP/URL. You want any user who says this to be immediately GLINEd for 1 day.

On IRC: /SPAMFILTER add -simple pc gline 1d You_are_spamming_or_you_have_a_virus! *Hey*come watch me on my webcam*

Or in the configuration file: spamfilter { match-type simple; target { private; channel; }; action gline; ban-time 1d; reason "You are spamming or you have a virus!"; match "*Hey*come watch me on my webcam*"; };

Regex to block mIRC exploit
Regular expressions (regex) are much more powerful than the simple method. Several years ago mIRC had a bug: you could crash any mIRC v6.12 by sending a DCC SEND message with a filename of 225 (or more) characters. With the simple method from above you can't block this, with regex you can. For regex this is even an easy case.

On IRC: /SPAMFILTER add -regex pc kill - Possible_mIRC_exploit_attempt \x01DCC (SEND|RESUME).{225}

Or in the configuration file: spamfilter { match-type regex; target { private; channel; }; action kill; reason "Possible mIRC exploit attempt"; match "\x01DCC (SEND|RESUME).{225}"; };

To learn more about regex, see Introduction to regex (PCRE).

Slow Spamfilter Detection
Spamfilters often consist of complex regular expressions. There is a chance that if a regular expression is too complex that it would slow down the IRCd too much, causing issues with responsiveness.

Slow spamfilters are very exceptional but they are possible so UnrealIRCd has a safety mechanism for this. They are set::spamfilter::detect-slow-warn and set::spamfilter::detect-slow-fatal. If a single spamfilter takes longer than detect-slow-warn then the IRC Server will warn about this spamfilter to IRCOps. If it takes longer than detect-slow-fatal it will remove the spamfilter. The default values for these are 250ms and 500ms respectively (so a quarter of a second and half a second).

Target of spamfilter bans
When a spamfilter is hit by a user, it will by default place ban on *@ip (if the ban type is a *LINE, of course not for other actions such as warn). This should be fine for most people. You can, however, change this via the set::automatic-ban-target setting.

Exempting users from spamfilters
IRCOps will not trigger spamfilters by default (they are exempt). That is, if they use an operclass with the immune:server-ban:spamfilter permission.

You can also exempt specific targets by name, such as channels or nicks, via set::spamfilter::except.