UnderNET Anti-Spam CampaignUpdated 13/November/2005 |
|
1466 Hits | Site v2.0 |
| [ Home ] | [ Bots ] | [ Scripts ] | [ Forum ] | [ Mailing List ] | [ Blacklist ] | [ Stats ] | [ Contact ] |
|
|
||||||||
|
|||||||||
Below are some scripts that you can use to help protect your channel against spam bots
I've written a comprehensive script to gather information about spam bots. You can download it here. Save this file to your mIRC folder. (Right click and choose Save As...)
Please make sure you have the latest version, as it may contain vital bugfixes
; -----=[ AntiSpam Script ]=----- ; ; -----=[ By MrZebra ]=----- ; ; -----=[ http://AntiSpam.1337Robotics.com/ ]=----- ; ; -----=[ Version 1.22 - 14/January/2006 ]=----- ; ; Introduction ; ------------ ; ; This script checks public and private message against a list of known spam messages ; held in SpamMessages.txt. It also checks their /whois for patterns known to be used ; by spam bots. ; ; If a match is found, the person is kickbanned, and probed for information. This ; information is then sent back to the Undernet Anti Spam web database for analysis. ; ; By running this script, you can not only help protect your channel from spammers, ; you are actively helping fight them. Note that ops (+o) and voices (+v) will NOT ; trigger the script - it is safe for them to paste messages. Whitelisting has ; been implemented so if the first message the user sends is not spam, all following ; messages will be ignored. This makes it safe for any user to paste spam messages, ; as long as it's not the very first thing they say! This should almost completely ; eliminate false positives. ; ; Make sure you know the difference between SPAM bots and FLOOD bots. This will NOT ; protect you against flood bots. Please don't manually add them to the database, ; either! ; ; Please check the website regularly for updates! There's also a mailing list and ; a forum, so you can be on the forefront of bot-fighting ; ; This script was coded by MrZebra - MrZebra@1337Robotics.com ; E-mail me if you have any questions or comments! ; ; Thanks to RoBorg for the PHP and Database! ; ; This script is copyright (c) MrZebra, 2003 ; You MAY NOT modify this script! (We don't want you to screw up our database!) ; However, you MAY copy and distribute it freely. ; ; Files ; ----- ; ; * AntiSpam.mrc - This file ; ; Installation ; ------------ ; ; 1) Copy "AntiSpam.mrc" into your mIRC folder (default C:\Mirc) ; ; 2) Run mIRC and choose the menu item "Tools -> Remote". ; This will load the Remote editor window. ; ; 3) In the Remote editor window, choose the menu item "File -> Load -> Script". ; Select "AntiSpam.mrc" and press Open. ; ; 4) RESTART MIRC ; ; That's it! ; ; ; False Positives ; --------------- ; ; Did someone you know just paste a spam message, and get added to the database? ; You can remove them by going to http://AntiSpam.1337Robotics.com/database.php and clicking on 'Delete' ; next to the record. You can only delete records you submitted. ; ; To Do ; ----- ; ; * Incremental updates to blacklists ? ; * Wildcard in nick match ; * Disable for $network != Undernet ; ; ; Change Log ; ---------- ; ; * 1.22 - 14/January/2006 ; Made the disk writing faster - SLASHED the download time! ; The update progress dialog is back (disabled by default) ; Timestamps on all the download messages if desired ; Rename %Quiet and %ShowDialog to %AntiSpam_* ; Only update on join if the file is more than 6 hours old ; ; * 1.21 - 17/September/2004 ; Ignore JavaUser bots on Deepspace network ; Made the update timer offline ; ; * 1.20 - 21/November/2003 ; Pattern matching for mtvxxx bots ; ; * 1.19 - 03/September/2003 ; Fixed XML report to contain 'patter' for pattern matched bots ; Added Pragma: no-cache to HTTP GET headers ; /whois results are hidden for /whois commands initiated by the script ; X is ignored for 3 seconds after a kick/ban to hide the reply ; Added timestamps to some messages ; Added 'Quiet' option ; ; * 1.18 - 27/August/2003 ; Will not /whois yourself on join ; Will not /whois or patten match users logged into X and mode +x ; Will not /whois or pattern match known spammers ; ; * 1.17 - 23/August/2003 ; Added Whitelist. Almost no chance of false positives now! ; Removed 407 portscan. These are g-lined by the proxy scanner now (Thanks to us!) ; Changed all web addresses to point to new server ; Checks channel notices as well as private notices ; 100% new HTTP routines - w00t ; Should have banished 'string too long' error for ever ; Automatic update checks to help you keep up to date ; Pattern Matching - Bots can be detected by /whois patterns ; Link direct to added bot ; Manually Add multiple bots at once ; ; * 1.16 - 17/July/2003 ; Minor cosmetic bugfix (was reporting wrong version) ; Removed the downloading dialog, some ppl just don't appreciate a good UI... ; ; * 1.15 - 16/July/2003 ; Minor modification to ON CONNECT code - spam backlist only updated once, even if you connect to multiple servers ; ; * 1.14 - 14/July/2003 ; Kicks will now be made through X if you are not opped ; ; * 1.13 - 14/July/2003 ; Bug fix - stripped control codes from Finger, Version and RealName ; ; * 1.12 - 12/July/2003 ; Added a dialog for database updates ; Added a /AntiSpamVersion to display the current version ; Optimised file downloading ; ; * 1.11 - 11/July/2003 ; Added right click -> Add Spam Bot ; Script now automatically downloads SpamMessages.txt too. w00t ; ; * 1.10 - 11/July/2003 ; Added blacklist for hosts and nicks. ; Automatically downloaded when you connect, and every 12 hours ; Fixed HTTP 400 bug!! ; ; * 1.09 - 29/June/2003 ; Fixed another HTTP Content-Length bug ; ; * 1.08 - 27/June/2003 ; Changed to point to new server URL ; ; * 1.07 - 26/June/2003 ; Fixed HTTP Content-Length bug ; Allowed for longer spam messages ; Optimised encoding functions ; ; * 1.06 - 26/June/2003 ; This is the first public version :) ; |
Thanks to Richard Brooklyn (Ribs) for this TCL script for Eggdrop bots.
bind pubm -|- "*Http://*Is*.Com*" antihot
bind pubm -|- "*Http://*Are*.Com*" antihot
bind pubm -|- "*TripOd*" antihot
bind pubm -|- "*tripod*" antihot
proc antihot {nick uhost hand chan arg} {
if {$hand=="*"} {
set hostmask "*!*[string range $uhost [string first "@" $uhost] end]"
setuser spam HOSTS $hostmask
putkick $chan $nick "Spam bot! DIE DIE DIE!!!"
putserv "MODE $chan +b $hostmask"
}
}
Place it in a plain text file, and load it like you would any other script. Please also create a user "spam" (.+user spam) and give it global kickban status (.chattr spam +k). It was written specifically by me for the purpose to getting rid of this menance.
When the script sees someone spamming, it will kick them out of the channel and ban them. It will also add a hostmask in the form of *!*@host.com to the spam record. The second part is vital; it will make the bot kickban known comprimised hosts in other channels. For example, my bots are in a channel which gets hit all the time, and always gets hit first. By time it hits the other channels, it's usually been seen by my bot, and it is kickbanned before it can spam.
An example of this in action:
[05:55] kaidir (g5b1m@brancoveanu.romanati.ro) joined #amigaone.
[06:17]
[06:17] kaidir kicked from #amigaone by Athena: Spam bot! DIE DIE DIE!!!
[06:17] #amigaone: mode change '+b *!*@brancoveanu.romanati.ro' by Athena!ribs@Ath3na.users.undernet.org
An example of a spam bot that has already been seen by my bots:
[17:58] TWIN^head (l5i1e@danva.b.astral.ro) joined #amigaone.
[17:58] #amigaone: mode change '+b *!l5i1e@*.b.astral.ro' by Athena!ribs@Ath3na.users.undernet.org
[17:58] TWIN^head kicked from #amigaone by Athena: Not today thanks...
This effectivly makes it more difficult for the person running the bots to get more hosts, as the message from the same host is never repeated. Be warned: This scipt may catch out normal users posting normal URLs. This has only happened to me once, but the risk is there. If the user is known to the bot already (regardless of what flags you have given it) the bot will not kick that person.
Addionatly, you may want to put a warning afterwards by adding this after the last putserv command:
putserv "PRIVMSG $chan :Warning: NEVER go to any addresses advertised like that on IRC. Just loading the page may infect your computer with a virus."
If you wish to help fight the bots, you can do so by collecting information. The following is needed:
* Optional, but highly useful ;)
Send all the information you can to MrZebra@1337Robotics.com, or submit it in Spambot Information Interchange Format to the database.
If you wish to write a script that accesses the database, PLEASE CONTACT ME
In order to assist the numerous developers working on anti-spam websites, scripts and bots, we have developed an XML data interchange format to allow people to swap information they have about spambots. The DTD and an example format is given here. (View the source for the DTD)