View Issue Details

ID: 0002071
Project: unrealircd
Category:
View Status: public
Last Update: 2015-07-23 22:22
Reporter: aquanight
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: no change required
Product Version: 3.2.1
Summary: 0002071: spamfilter action replace
Description: I've noticed that some of the regexes in the official spamfilter.conf make reference to certain bots (probably DDoS bots or something). So I thought, wouldn't it be nice to be able to use spamfilter to rid my network of these bots once and for all via the spamfilter, and I don't mean gline-ing them! Let me make a hypothetical example here:
- Suppose I'm running a network which seems to strangely attract botnets. I don't want them around, so I could just go around and gline them, but that would be kind of stupid - if anything it'll probably make my servers the next target for that botnet.
- These bots are programmed so that the botnet master must authenticate with an in-channel login command. The prefix in front of the login can be the master's choosing - any further commands must have the same prefix.
- Once authenticated, one of the commands the bot master may invoke is an uninstall command, which would permanently remove the bot.
- My net shows no other legitimate use of in-channel logins (we probably use either /msg bot IDENT (eggdrop) or of course, /nickserv IDENTIFY :P), so I decide to use spamfilter to see if these bots can be removed.

With .NET regexes, I could use named captures to grab the prefix character (and password) and put it in a little mini-variable that I could use in, for example, the replace string. For example, I could do this:
Find: (?<char>.)login (?<password>.+)
Replace: \k<char>login \k<password>\n\k<char>uninstall
Let's assume that the IRCd would translate the \n into a "message split" - meaning that either side of the \n is sent as a separate PRIVMSG to the same target. If a bot master comes in with around 3409 bots, and he sends:
:BotMaster PRIVMSG #botchannel :%login mypassword
The spamfilter picks this up: the named captures cause % to be stored in <char> and mypassword to be stored in <password>. When the replace string is executed, the \k<char> is replaced with % (in .NET regex, \k is "Recall named capture"), and \k<password> is replaced with mypassword. The \n becomes a "message split" and our spamfilter just turned the message into:
:BotMaster PRIVMSG #botchannel :%login mypassword
:BotMaster PRIVMSG #botchannel :%uninstall
And 3409 bots uninstall and signoff my network forever. And just wait to see the look on the botmaster's face :D .

With TRE, this would seem to be different. I don't know much about the TRE API, so I don't know if it separates regex replaces (then again, badword uses TRE last I heard, so maybe it does). Also, TRE would need to support captures for the example I gave above to work.

Granted, badword might be able to do this just as well, but badword would not be helpful on networks that don't force +G on all channels. And even then, the botmaster could reg the chan, and mlock -G :P .

Just a thought, of course... *hides*
3rd party modules

Activities

aquanight

2004-09-13 17:13

reporter   ~0007636

>so I don't know if it separates regex replaces
Whoops. That should've been "supports".

syzop

2004-09-13 18:03

administrator   ~0007637

normal replace is kinda on my TODO (suggested by others too), but that multiline/.NET stuff you talk about, uhhh... *cough*

codemastr

2004-09-13 18:16

reporter   ~0007640

[quote]So I thought, wouldn't it be nice to be able to use spamfilter to rid my network of these bots once and for all via the spamfilter, and I don't mean gline-ing them[/quote]
Just so you know, such things are illegal in many countries. They'd define that as "hacking." Not all countries make a "good faith" exception to the hacking laws. By uninstalling the trojan, you are accessing their machine and deleting files. That's hacking, as far as those countries are concerned.

I'm not saying "no we won't add this," I'm just saying, such regexps would not be included in the standard spamfilter.conf.

White_Magic

2004-09-13 18:45

reporter   ~0007645

Last edited: 2004-09-13 18:47

Rather than "replace", why not just have it block the text the botmaster sends (which I'm sure the spamfilter now could actually do)? This way, sure, the botnet loads onto the network, but there's no way the botmaster can get access to them as spamfilter blocks them.

Another thing is, botnet makers would probably just change how to "communicate" with the bots, making the spamfilter ineffective, or not pick your words to stop the blocking action.

*edit: some botnets require a certain ident in order to fully login, thus the server couldn't successfully uninstall these types of bots*

aquanight

2004-09-14 06:13

reporter   ~0007649

Hm... yes, I didn't think about the whole hacking thing... guess that's all the more reason to get those countries to add those kinds of exceptions to their laws :D . Then again, it's not like I'm accessing the machine directly... I'm using a mechanism built into the bot. Guess that depends on what you consider "accessing the machine"... I'm not connecting to it at all... Yeah, it's fun *hides*

[quote] normal replace is kinda on my TODO (suggested by others too), but that multiline/.NET stuff you talk about, uhhh... *cough*[/quote]

I'm not suggesting unreal switch regex engines, the whole .NET thing was to serve as an example really...
And as to the multiline stuff... hm, yeah, fun :) . I briefly thought about even using multiline support in the search string, but of course this means storing up messages up to the maximum number of lines needed (like a "message history"), and this also means we couldn't effectively use block or replace for that, as that would require holding up messages - fun :P . Replace is kinda different though as far as multiline goes... it wouldn't work with the part/quit/dcc targets (channel/private message/notice only) but... I figure this could be useful for one thing maybe: a new version of some big client (like mIRC) shows problems handling messages > 400 characters long, so we could use spamfilter to split that message into smaller chunks... the regex required for that escapes me, at least for TRE. For .NET (notated in perl format :P), s/^(?<firstchunk>).{255}(?<secondchunk>.{145}.+)$/\k<firstchunk>\n\k<secondchunk>/
Basically splitting something more than 400 characters and putting the first 255 and then the rest. We could also use this for things like replacing bad unicode characters with the ? character (this should be done by the client, but as I said, buggy clients :P ).

@White_Magic: what's better than unusable bots? Nonexistent bots!

[quote]Another thing is, botnet makers would probably just change how to "communicate" with the bots, making the spamfilter ineffective, or not pick your words to stop the blocking action.[/quote]
I'm presuming that unlike block/kill/etc., replace would leave the sender unaware of what happened (sure, the snotice still goes out to the appropriate people, but...). And even if they change it... we just update the spamfilters :P .

*hides again*

[quote]*edit some botnets require a certain ident in order to fully login, thus the server couldnt successfully uninstall these type of bots*[/quote]
Well, remember that the :sender PRIVMSG target would pretty much be the same on all resultant messages meaning it would appear as if the bot master sent the commands himself. If he isn't using a correct nick/user/hostmask, then it's not our problem :P .
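Added example, not UnrealIRCd code and not the reporter's: a small Python model of the proposed replace action with the "\n" message split from the original report, exercised with the long-message split rule from the note above (written so the first group actually encloses the 255 characters). Python's (?P<name>...) and \g<name> stand in for the .NET (?<name>...) and \k<name> syntax; the sender, target and message text are constructed.

```python
import re
from typing import List

# Constructed model of a spamfilter "replace" rule: a regex plus a replacement
# template. A newline produced by the template is treated as the "message
# split" described in the report, so one PRIVMSG becomes several PRIVMSGs to
# the same target, all still carrying the original sender prefix.
PRIVMSG_RE = re.compile(r"^(?P<prefix>:\S+ PRIVMSG \S+ :)(?P<text>.*)$")


def apply_replace(line: str, pattern: str, template: str) -> List[str]:
    """Apply one replace rule to a raw IRC line.

    Returns the lines to deliver in place of `line`: the line unchanged when it
    is not a PRIVMSG or the rule does not match, otherwise one PRIVMSG per
    message-split segment with the ":sender PRIVMSG target :" prefix kept.
    """
    m = PRIVMSG_RE.match(line)
    if not m:
        return [line]  # only channel/private messages are rewritten here
    new_text, hits = re.subn(pattern, template, m.group("text"))
    if hits == 0:
        return [line]
    prefix = m.group("prefix")
    # Drop empty segments so a template ending in \n cannot emit a blank PRIVMSG.
    return [prefix + seg for seg in new_text.split("\n") if seg]


# The note's long-message split as a rule: messages longer than 400 characters
# go out as the first 255 characters, then the remainder (at least 146 more).
SPLIT_PATTERN = r"^(?P<firstchunk>.{255})(?P<secondchunk>.{145}.+)$"
SPLIT_TEMPLATE = r"\g<firstchunk>\n\g<secondchunk>"  # \n = message split


def demo() -> List[str]:
    # Constructed 420-character message from a constructed sender.
    long_text = "A" * 255 + "B" * 165
    line = f":alice!a@example.invalid PRIVMSG #chan :{long_text}"
    return apply_replace(line, SPLIT_PATTERN, SPLIT_TEMPLATE)


if __name__ == "__main__":
    for out in demo():
        print(len(out), out[:60] + "...")
```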

White_Magic

2004-09-14 10:21

reporter   ~0007652

um, if the user presses Ctrl+enter does the spamfilter still scan the text?

syzop

2004-09-14 14:09

administrator   ~0007657

I honestly don't see any need for the multiline stuff... especially your examples are not convincing :P.. In fact it would rather be severe bloat / lot of crap.

aquanight

2004-09-14 17:09

reporter   ~0007659

@White_Magic: Ctrl+Enter is a client side extension. It's still a message as far as the server cares.

@syzop: Perhaps... I can't think of anything better right now. So yeah... maybe that can come later if someone comes up with a good reason for it :P . And even then, probably a better idea to get replace to work with one line, then muck with multiline (if applicable) :P .

stskeeps

2007-04-27 05:37

reporter   ~0013826

Bump. Still an issue?

syzop

2015-07-23 22:22

administrator   ~0018549

Hm. Nobody else asked for this past 10 years, so.. I'm closing this one

Issue History

Date Modified Username Field Change
2004-09-13 17:11 aquanight New Issue
2004-09-13 17:13 aquanight Note Added: 0007636
2004-09-13 18:03 syzop Note Added: 0007637
2004-09-13 18:16 codemastr Note Added: 0007640
2004-09-13 18:45 White_Magic Note Added: 0007645
2004-09-13 18:47 White_Magic Note Edited: 0007645
2004-09-14 06:13 aquanight Note Added: 0007649
2004-09-14 10:21 White_Magic Note Added: 0007652
2004-09-14 14:09 syzop Note Added: 0007657
2004-09-14 17:09 aquanight Note Added: 0007659
2007-04-27 05:37 stskeeps Note Added: 0013826
2007-04-27 05:37 stskeeps Status new => feedback
2015-07-23 22:22 syzop Note Added: 0018549
2015-07-23 22:22 syzop Status feedback => closed
2015-07-23 22:22 syzop Assigned To => syzop
2015-07-23 22:22 syzop Resolution open => no change required