Need to prevent spam bots

 
darkwarrior (Lurker) | Joined: 02 Aug 2008 | Posts: 194
Posted: Jul 31, 2010 7:40pm | Post subject: Need to prevent spam bots

Good evening. I'm wondering what kind of techniques you folks use to prevent spam bot attacks? Despite using IRC Defender and BOPM, a network I am on continues to see an increase in spam bot attacks lately. It seems they change their methods every time they are banned in order to evade automatic monitors and protection services like IRC Defender and such.

At first they were joining every channel on the network and spamming some random URLs, and then they'd leave. If they were g-lined, they'd come back a week later using a new IP address and do the same..

As of late though, they've been joining every channel on the network, sending a message with a facebook URL or something else about saving 95% on electronics with a URL given as well, then part and join again, send the same message, part and join, and continue this about 10-20 times.

A spam filter may be suggested by many folks to block out certain website URLs, but each time the bot attacks, it has a different website URL. It would also not make sense to filter a facebook URL, as legitimate users do use facebook as well and may share their profile link.

I did notice this one spam bot in particular uses the same ISP in the hostmask, "klmzmi.sbcglobal.net", though a different IP every time. I have considered a gline on *@*.klmzmi.sbcglobal.net, but we do have innocent users that would get caught in that, and besides, I'm sure the spam bots would end up finding a way around it as well.

While I'd like to find some sort of service to deal with these before they escalate any further than joining a channel (perhaps there's a way to detect whether they are spam bots or not?), I realize that may be next to impossible due to the nature of these bots.. So I would settle for something that can limit the duration of these attacks as much as possible. Any suggestions here? IRC Defender and BOPM are already being used, but do not seem to catch them.

Willaim (Idler) | Joined: 27 Jun 2003 | Posts: 321 | Location: IRC
Posted: Aug 01, 2010 1:05pm

I usually use Spamfilters, if you use an IRCd that has them.

Mind posting a few of the spam messages so if anyone else gets attacked we can compare?

Thanks

Badger09 (Newbie) | Joined: 25 Jan 2009 | Posts: 90
Posted: Aug 01, 2010 5:14pm

My network uses BOPM as well, it's a great tool.

If you run Unreal, check out the Antirandom script, it's pretty good. If you need any advice on how to config it, hit me a msg on here or say in this forum.

darkwarrior (Lurker) | Joined: 02 Aug 2008 | Posts: 194
Posted: Aug 02, 2010 9:35pm

Thanks Badger and Willaim.. I must have forgot to mention the IRCd... It's Unreal, and Anope services.. As mentioned, BOPM doesn't catch or stop them.. We don't want to use spamfilters on them to block a facebook site from being linked, as legitimate users would then be unable to give their profile links out as well.. And each time they come, it's a new URL anyhow, not always a facebook link.. I'll check into the Antirandom script..

I also didn't post the spam messages as I didn't know if I'd be permitted to do so or not.. But here you go:

Just recently had one:
<name removed> like this if you smoke the cheeeeeebaaaaaa no bitches/cops allowed http://www.facebook.com/pages/Smoke-The-Cheeba/147543761928749

About a week ago:
<name removed> Save up to 95% on Electronics like an Apple iPad or Amazon's Kindle! http://cpa.ly/sKb P.S. this is dead serious

About 2 weeks ago:
<name removed> does he look like a thumb? http://www.facebook.com/pages/L00L-The-guy-who-looks-like-a-thumb/146848638664401

About 2 and a half weeks ago:
<name removed> How awesome are you? http://cpa.ly/sDo

Trixar_za (Eleet) | Joined: 10 Dec 2006 | Posts: 624 | Location: South Africa
Posted: Aug 03, 2010 9:19am

Which network and lists are you using with BOPM? If you're using the default conf and lists with unrealircd then it won't work very well. By default it only scans on the server it connects to. This doesn't work very well, but you can fix it by using the FAQ info found here.

I would suggest adding the EFNet lists, SwiftBL and ProxyBL.

Have you enabled all of IRC Defender's functionality? You actually need to download two text files for certain modules to work. Check out its readme about this.

Mostly the BL lists I listed above are enough to protect you, but you'll still get one or two though. This is much easier to deal with than a couple of hundred though :)

Willaim (Idler) | Joined: 27 Jun 2003 | Posts: 321 | Location: IRC
Posted: Aug 03, 2010 11:06am

The spam messages themselves look kinda hard to filter.

Do you have their /whois info for a bunch of them? Wonder if it'd be easier to block that.

darkwarrior (Lurker) | Joined: 02 Aug 2008 | Posts: 194
Posted: Aug 03, 2010 3:13pm

I have /whowas but not /whois

The IP changes each time.. And sometimes I do notice it go from the normal *.dsl.klmzmi.sbcglobal.net to *.IP

I looked up the IPs and hostnames they've connected from and there was no entry of them found in any blacklists either, so would BOPM still get them even if I were to have all of those BLs you mentioned Trix? Doesn't seem to be a proxy either.. I forwarded my logs to SBC's abuse department, so maybe they'll do something, maybe not.. I'll definitely look into that and see if we have those already or not.

Yeah, they are hard to filter lol... I was considering a mIRC script when it sees a join/part flood since they do that, as previously mentioned.. *join channel* *advertise* *part* *join* *ad* *part* about 7 times or so, then they hit the next channel on the list.. I also didn't mention they only seem to hit all the channels with at least 5 users in them. I hate to use an mIRC script though, as I'd have to have that client sitting on nearly every channel on the network which I really don't want to do.. I'm also not really sure which channel they hit first anyhow, or I could go for that one.. But then again, sometimes the timing of their join/ad/part is much different than the previous times. I'm beginning to believe it's human controlled and not an actual bot.
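
An added example, not part of any post in this thread: a behaviour-based check for the join/advertise/part cycle described above, keyed on the connecting host so it does not depend on the nick or the URL text. The log format, the thresholds, the function name `find_cyclers` and every nick, host and URL in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample: "<epoch seconds> <raw IRC line>"; nicks, hosts, URLs are made up.
SPAM = "thumbsup!thumbsup@adsl-1.isp.example"
SAMPLE = "\n".join(
    [f"{t} :{SPAM} JOIN :#chat\n{t+d} :{SPAM} PRIVMSG #chat :How awesome are you? "
     f"http://short.example/{t}\n{t+d+1} :{SPAM} PART #chat"
     for t, d in ((100, 5), (110, 15), (130, 5))]   # spacing varies between cycles
    + ["140 :alice!al@dsl-7.isp.example JOIN :#chat",
       "150 :alice!al@dsl-7.isp.example PRIVMSG #chat :my page http://www.facebook.com/alice.example",
       "200 :bob!bob@cable.example JOIN #chat",
       "205 :bob!bob@cable.example PRIVMSG #chat :see http://news.example/story",
       "210 :bob!bob@cable.example PART #chat :bye",
       "400 :alice!al@dsl-7.isp.example PART #chat"])

LINE = re.compile(r"^(\d+) :([^!\s]+)!([^@\s]+)@(\S+) (JOIN|PRIVMSG|PART) :?(#\S+)(?: :(.*))?$")
URL = re.compile(r"https?://\S+", re.I)

def find_cyclers(log, min_cycles=3, cycle_max=30, window=120):
    """Return {host: cycles seen} for hosts repeating join -> URL message -> part."""
    state = {}                    # (host, channel) -> [join time, URL seen since join]
    cycles = defaultdict(deque)   # host -> part times of completed cycles
    flagged = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue              # ignore lines that are not channel JOIN/PRIVMSG/PART
        ts, _nick, _ident, host, cmd, chan, text = m.groups()
        ts, key = int(ts), (host, chan.lower())
        if cmd == "JOIN":
            state[key] = [ts, False]
        elif cmd == "PRIVMSG" and key in state and URL.search(text or ""):
            state[key][1] = True
        elif cmd == "PART" and key in state:
            joined, url_seen = state.pop(key)
            if url_seen and ts - joined <= cycle_max:   # short visit that posted a link
                q = cycles[host]
                q.append(ts)
                while ts - q[0] > window:               # keep only recent cycles
                    q.popleft()
                if len(q) >= min_cycles:
                    flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_cyclers(SAMPLE))
```

A user who shares one link and leaves (bob) or who stays in the channel (alice) is not flagged; only the host that repeats the cycle three times within the window is.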

Willaim (Idler) | Joined: 27 Jun 2003 | Posts: 321 | Location: IRC
Posted: Aug 04, 2010 1:20am

What about nickname/ident/gecos? Are they similar? Any patterns?

Trixar_za (Eleet) | Joined: 10 Dec 2006 | Posts: 624 | Location: South Africa
Posted: Aug 04, 2010 3:49am

Did you check if BOPM was scanning the whole network instead of just the server it connected to? There is a known 'bug' about this in BOPM since Unreal 3.2+: http://wiki.blitzed.org/BOPM/FAQ#Using_Unreal_for_proxy_scanning_a_whole_network

Also some good resources to check open proxies and blacklisted IPs:
http://www.dnsbl.info/
http://www.blacklistalert.org/
http://whatismyipaddress.com/blacklist-check

Compare some of the IPs against them and see which ones they catch, then just add those working lists to BOPM. Should help lighten the load at least.

darkwarrior (Lurker) | Joined: 02 Aug 2008 | Posts: 194
Posted: Aug 04, 2010 1:46pm

The nicknames were always different.. Idents were usually related to the advertisements or sometimes the same as the nickname.. The most recent one had the nick "youdont" with the same ident and real name.. But before that when they spammed the facebook "thumb guy" (LOL), the nick and ident was the same as well, "thumbsup"... Another time, the nick was an identifiable female name (I can't exactly remember the name), and the ident was different. I haven't really been able to make out any consistent pattern.

Also something else I noticed, it seems that if they get caught and glined while they're actually there spamming, the next time is much different in terms of whether the nick and ident is matching or not, and the timing between their spam messages (sometimes it's every 5 seconds or sometimes every 15 seconds).. It's almost as if they think they were automatically removed by an auto detection script so they change the way they do it to not get caught (one of the reasons I'm thinking it's human controlled).. On the other hand, if they're glined after they already left the network, they just simply change the IP.

BOPM is scanning the whole network.. It doesn't really need to though as there's only one server really being used.

All times are GMT - 6 Hours