|
|
| Author |
Message |
Guest
|
Posted: Nov 25, 2003 2:30am Post subject: |
|
|
Does anyone know of somewhere I can get a fake IRC server that, when someone connects, will just boot them, telling them the rr has changed and the new address? I don't really wanna configure another copy of unreal.
 |
Ashen Guest
|
Posted: Nov 25, 2003 12:43pm Post subject: |
|
|
Just set up a tiny, tiny ircd with no features (like darkfire... I won't post the URL to darkfire, you can use Google) and kline *@* with the message 'connect to irc2.network.blah instead'.
-Ashen
 |
Maxx Guest
|
Posted: Nov 27, 2003 12:39am Post subject: Excellent insight and advice on dealing with these annoying |
|
|
Thanks to everyone here on searchirc.org
Some great reading and advice here on how everyone is dealing with these darned bots.
On my network (with Anope Services) we've opted to install the Fizzer and Spambot modules, as well as take advantage of the SQLine option to deal with the problem.
Keep up the good work here! It's been very helpful!
Maxx
Net Admin
Twyster Net |
 |
[al5001] Guest
|
Posted: Nov 27, 2003 6:03pm Post subject: |
|
|
Enable email confirmation on your services to prevent clones from registering their nicks.
I have set a 4-hour time limit for confirmation on my network.
It's not that bad. When you think about it, many other things on the internet you have to verify with a registration code. Don't be discouraged by forcing your users to check their email to confirm nickname registration.
Set your channels to +R. This keeps the clones out. And if you set email confirmation on, the clones can't register, unless they are damn good at getting around that too. |
 |
Maxx Guest
|
Posted: Nov 27, 2003 6:48pm Post subject: |
|
|
Good advice on the email registration. We had already done that but I failed to mention it in my last post.
Maxx
Net Admin
Twyster Net |
 |
DeepBlue Guest
|
Posted: Nov 28, 2003 4:17am Post subject: Block words |
|
|
I own a small IRC/chat called ChatXplus.com. The software we run allows us to substitute certain text that people say in either public or p2p to block certain items. Since the arrival of this bot, I have blocked the line "come check out our*.mpg" which grabs the bot every time.
We see it join the server, then join and part a bunch of rooms. I am assuming it's gathering user names. Then it parts all rooms so as to hide and private messages everyone that weblink, which is actually not a pic/video at all. When the bot joins my network, the text is now replaced with an ad of my own to just check out our main or something and the bot is killed off the server instantly. It returns once every 30 to 45 minutes so it works like a nice little timer for my own ads!
Just an idea....
 |
Pberetta none

Joined: 25 Sep 2003 Posts: 23
|
Posted: Nov 28, 2003 4:49pm Post subject: |
|
|
I can give a piece of mIRC scripting that will work for uworld based services.
It might take some editing to work, but will set u in the right direction.
on *:OPEN:?:*Come watch me on my webcam*: {
/msg uworld gline *@ $+ $site 1h Spam
}
Any ircop should be able to adopt the above to his/her operserv
Good luck
 |
 |
Michael none

Joined: 18 May 2003 Posts: 48
|
Posted: Nov 28, 2003 7:04pm Post subject: |
|
|
At this stage, and given what we know about these bots, I see banning the IP/host as counterproductive. We can't forget that this isn't just the work of a couple people sending out these bots. These bots are coming from unsuspecting people, most of whom I doubt visit places like this, so there's no argument there. I mean, what if these people ever want to visit your network and see they're banned because of supposedly spamming? The best we can do is the other things that have been suggested in the topic such as qlines, etc.
 |
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
|
Posted: Nov 29, 2003 11:05am Post subject: |
|
|
That's why you don't set a lengthy akill, and you make the akill contain information as to how to contact your network so they can figure out why they were banned and get the problem solved.
Not banning them will allow them to continue to spam. Qlining them will deny legitimate users the use of some characters in nicknames. You have to do something; just do it with the ability for that person to contact you if they have questions about it. All of my akills by default have "Questions? email akill@foreverchat.net" tacked onto the end of them to allow this to occur. Also, I don't set akills for them for too long, only 10 days, since the IPs of most of them change fairly, but not too, often, it keeps them from coming back for a while. If they get the akill message, mine tells them they were banned because their computer is infected with a virus that spreads itself via IRC, and to email the akill address for assistance in getting it removed. I haven't had any takers yet, but if I get any, then I'll help them. Doesn't do me any good to just unakill them and let them keep doing it either.
 |
awol Guest
|
Posted: Nov 29, 2003 2:46pm Post subject: annoying spambots |
|
|
We are getting these bots on our net too... along with a string of spambots that reveal the words 'Nefis Team' when fingered. In short I made a lil tcl for our channel eggies that fingers each user and bans if it returns Nefis Team. Our eggies are also fitted with mc-8's spamcheck and it works real well.
 |
MerCury@GN Guest
|
Posted: Dec 01, 2003 2:21pm Post subject: |
|
|
In galaxynet, the finger replies of such spam bots often come back as (nefis team). However, there are new spam bots that give finger replies that are not of (nefis team); there is no fixed pattern anymore.
I'm worried that in time to come, they will get out of hand.
 |
Shynx Guest
|
Posted: Dec 01, 2003 10:16pm Post subject: Fyle Spambots |
|
|
I've also run the fyle spam bot on vmware and have broken it down also to look at it. It does connect to Undernet where in the topic it displays how you can use them as a BNC which is its primary use. It does nothing more except infect other people if they follow the link.
We have set up a room #A which kills the bots as they join and we are lucky enough to be a small network to tell people to put +s so the bots don't see the rooms when they join.
We have also q:lined their favourite characters they use in the nicks bar a few and that stops a heap of them also.
What I want to know is, can someone code into their IRCd to get the server to send a mode 439 which makes the bot quit and try the next server along? That would be the best way to stop them all.
E-mail me if you know what I'm talking about or want to know more.
Shynx@EYErc.net |
 |
Devil none

Joined: 12 Aug 2003 Posts: 35
|
Posted: Dec 03, 2003 7:18pm Post subject: Drones |
|
|
These things that are going from network to network are called drones. When they spam that same site, clicking on it will make you go (without knowing) to another network and spam that site. That is why the hosts are always different. So that means that they are going to be around for a long time.
 |
Jackb_ Guest
|
Posted: Dec 22, 2003 10:56am Post subject: |
|
|
These are very lame bots, made by a script kiddie named Fyle, this is actually the second version of them.
These bots use the $prnick function to create a random nick using letters and characters. They run an httpd on localhost to serve both the exploit and the executable that the exploit downloads. They also run a BNC, and you can easily see the implications of this by logging onto undernet and doing a /list
Some weird anomalies in the bots:
#1) They will crash if sent the numeric 439
#2) An easy way to get rid of them is to set the channels #1 and #fyle on akill
Here's an eggdrop script I use to get rid of the bots:
bind join - "#fyle *" join_antispam
bind join - "#1 *" join_antispam
bind msgm - "Come watch me on my webcam*" antispam_msg ;# msgm matches the whole message against the mask; bind msg only compares the first word
proc join_antispam {nick host hand chan} {
    global botnick
    if {$nick != $botnick} {
        putquick "KILL $nick :Die you piece of crap spammer! Die!!!" ;# KILL only works if the bot has IRC operator privileges
    }
}
proc antispam_msg {nick host hand arg} {
    putquick "KILL $nick :Die you piece of crap spammer! Die!!!"
}
putlog "Die you fyle spambots! DIE!!!"
 |
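An added example, not code from any poster in this thread: a Python sketch that scans server-side events for the behaviour DeepBlue and Jackb_ describe (join and part several rooms, then private-message the same lure to many users) and produces a short, expiring ban record with contact text, as U Eleet suggests. The log format, thresholds, host names and contact address are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events, not real logs: "<epoch> <nick!user@host> <CMD> <target> [:text]"
SAMPLE_LOG = """\
1000 xk_q!a@host-1.example.net JOIN #chat
1001 xk_q!a@host-1.example.net PART #chat
1002 xk_q!a@host-1.example.net JOIN #music
1003 xk_q!a@host-1.example.net PART #music
1004 xk_q!a@host-1.example.net JOIN #help
1005 xk_q!a@host-1.example.net PART #help
1006 xk_q!a@host-1.example.net PRIVMSG alice :Come watch me on my webcam http://lure.invalid/
1007 xk_q!a@host-1.example.net PRIVMSG bob :Come watch me on my webcam http://lure.invalid/
1008 xk_q!a@host-1.example.net PRIVMSG carol :Come watch me on my webcam http://lure.invalid/
1010 dave!d@host-2.example.net JOIN #chat
1020 dave!d@host-2.example.net PRIVMSG alice :hi, did you see the webcam thread?
"""

LINE = re.compile(r"(\d+) (\S+)!(\S+)@(\S+) (JOIN|PART|PRIVMSG) (\S+)(?: :(.*))?$")
LURE = re.compile(r"come watch me on my webcam", re.I)  # phrase quoted in the thread
MIN_HOPS, MIN_TARGETS, WINDOW = 3, 3, 60   # assumed thresholds: rooms, recipients, seconds
BAN_SECONDS = 10 * 24 * 3600               # short ban: the 10 days mentioned in the thread
CONTACT = "Questions? email akill@network.example"  # placeholder contact address

def find_drones(log_text):
    """Return one expiring ban record per host showing the hop-then-mass-PM pattern."""
    state = defaultdict(lambda: {"first": None})
    bans = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _nick, _user, host, cmd, target, text = m.groups()
        ts, s = int(ts), state[host]   # key on host: the nicks are random
        if s["first"] is None or ts - s["first"] > WINDOW:
            s.update(first=ts, joined=set(), parted=set(), targets=set())
        if cmd == "JOIN":
            s["joined"].add(target)
        elif cmd == "PART":
            s["parted"].add(target)
        elif LURE.search(text or ""):
            s["targets"].add(target)
        hidden = bool(s["joined"]) and s["joined"] <= s["parted"]  # left every room it entered
        if (hidden and len(s["parted"]) >= MIN_HOPS
                and len(s["targets"]) >= MIN_TARGETS and host not in bans):
            bans[host] = {"mask": f"*@{host}", "expires": ts + BAN_SECONDS,
                          "reason": "Your computer appears to be infected with a virus "
                                    "that spreads via IRC. " + CONTACT}
    return list(bans.values())
```

Calling `find_drones(SAMPLE_LOG)` flags only the host that hopped rooms and then sent the lure to three users; the ordinary user who mentions a webcam once is left alone.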
DARK_UK Guest
|
Posted: Dec 27, 2003 12:58pm Post subject: ASDAS |
|
|
Hmmmm sounds like a bunch of kids having fun with the out of date lame IE windows media exploit. Anyway it's best to advise your users not to click on any links at all and filter http:// www. and com etc etc
There are 2 exploits floating around
1: IE6 Media exploit
2: IE6 CGI exploit which installs an exe auto with the help of a cgi script server side .. mcafee and most virus scanners detected it but most of the sly ones edit these to make it undetectable even then if you're running mcafee with hawk something something enabled it will advise u not to accept it .. but even if u see a link like http://juicyfanny.com/fanny.jpg being advertised think twice about even hovering that mouse pointer of yours over it .. UNPATCHED XP WIN2K anyone running IE6 at risk.
Rest assured only the despo's and most ignorant get into trouble and we don't need them so .. it's not that much of a fuss
By the way I belong to a security forum most of the spammers u get advertising are probably trying to infect you with the many exploits which are surfacing for IE6
but if u need any further advice or help let us know emails Mumin@hotmail.com
 |