egghelp/eggheads community

problem

2004-12-20T04:23:47-04:00

the problem all "antiproxy tcl's" they is that enough times they make their BAN users that they have wingates with error configuration

Statistics: Posted by s0ulw4r — Mon Dec 20, 2004 4:23 am

EFNET code

2004-12-20T03:40:13-04:00

Code:

# rblcheck.tcl v0.8.1 - by FireEgl@EFNet - June 2004## Description:# When a user joins a channel this script will dnslookup their hostname to get their IP (if needed),# it will then query a list of RBLs that track IPs that are known open proxy hosts,# and if a match is found, the bot will set a channel ban on the users hostname/ip.# Use .chanset #Channel +rblcheck to enable it on a channel.## Note:# This script isn't finished yet, it hasn't been well tested, and there could still be bugs.namespace eval ::rblcheck {# A note will be sent to these people when a match has been found and a ban set:variable notes $::owner## RBL settings:# priority = The order in which the RBLs are queried.  (Lower priority = Checked first)#            Note: You can have more than one RBL in the same priority and it'll be checked in parallel with the others in that same priority.# rbl = The base hostname used for queries.# desc = The description given to hosts in the RBL.# mainurl = The main URL to the RBL.# checkurl = The URL used to check an IP to see if it's in the RBL's database. (%s will automatically be replaced with the IP)# codes = A list of glob's that indicate a match.# Note: This list is sorted kinda backwards, for testing purposes. (I want to weed out the stupid RBLs)variable rbls {{priority 1 rbl OP.RBL.Kropka.Net desc {Open Proxy} mainurl {http://RBL.Kropka.Net/} checkurl {http://RBL.Kropka.Net/check.php?akcja=sprawdz&form_adres=%s} codes {127.*}}{priority 1 rbl Proxies.Mail-Abuse.Org desc {Open Proxy} mainurl {http://Mail-Abuse.Org/ops/} checkurl {http://www3.Mail-Abuse.Org/cgi-bin/nph-ops?query=%s} codes {127.*}}{priority 1 rbl RBL.Triumf.CA desc {Open Proxy} mainurl {http://Andrew.Triumf.CA/relaytest.html} checkurl {http://DNSStuff.com/tools/lookup.ch?name=%s&type=TXT} codes {127.0.0.4}}{priority 1 rbl RBL.Rangers.EU.Org desc {Worm/Virus Host} mainurl {http://RBL.Rangers.EU.Org/} checkurl {http://www.DNSStuff.Com/tools/ip4r.ch?ip=%s} codes {127.0.0.9}}{priority 1 rbl Probes.DNSBL.Net.AU desc {Probe (Server currently probing other networks)} mainurl {http://DNSBL.Net.AU/probes/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}{priority 1 rbl Zombie.DNSBL.SORBS.Net desc {Host hijacked from their original owners} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.*}}{priority 1 rbl SPAM.DNSRBL.Net desc {Open Proxy (if 127.0.0.9)} mainurl {http://www.DNSRBL.Com/} checkurl {http://www.DNSRBL.Com/lookupserver.jsp?server=%s&Submit=Submit} codes {{127.0.0.[6-9]}}}{priority 1 rbl DNS.DNSRBL.Net desc {Open Proxy (if 127.0.0.9)} mainurl {http://www.DNSRBL.Com/} checkurl {http://www.DNSRBL.Com/lookupserver.jsp?server=%s&Submit=Submit} codes {{127.0.0.[6-9]}}}{priority 1 rbl Fraud.RHS.MailPolice.Com desc {Fraud "phishing" Host} mainurl {http://RHS.MailPolice.Com/} checkurl {http://RHS.MailPolice.Com/lookup/index.php?domain=%s} codes {127.0.0.2}}{priority 1 rbl Porn.RHS.MailPolice.Com desc {Porn Host} mainurl {http://RHS.MailPolice.Com/} checkurl {http://RHS.MailPolice.Com/lookup/index.php?domain=%s} codes {127.0.0.2}}{priority 2 rbl No-More-Funn.Moensted.DK desc {Open Proxy} mainurl {http://Moensted.DK/spam/no-more-funn/} checkurl {http://Moensted.DK/spam/no-more-funn/?addr=%s} codes {127.0.0.10}}{priority 3 rbl IRCBL.AHBL.Org desc {Abusive Host / Open Proxy (if 127.0.0.3)} mainurl {http://www.AHBL.Org/} checkurl {http://AHBL.Org/tools/lookup.php?ip=%s} codes {127.0.0.3 {127.0.0.1[4-9]} 127.0.0.10}}{priority 4 rbl CBL.AbuseAt.Org desc {Open Proxy} mainurl {http://CBL.AbuseAt.Org/} checkurl {http://CBL.AbuseAt.Org/lookup.cgi?ip=%s} codes {127.0.0.2}}{priority 5 rbl OPM.Blitzed.Org desc {Open Proxy} mainurl {http://OPM.Blitzed.Org/} checkurl {http://OPM.Blitzed.Org/%s} codes {127.1.0.*}}{priority 6 rbl XBL.Spamhaus.Org desc {Open Proxy or Worm/Virus/Trojan Host} mainurl {http://www.Spamhaus.Org/XBL/} checkurl {http://www.Spamhaus.Org/query/bl?ip=%s} codes {127.0.0.*}}}# These produce false-positives, as their RBL lists usually contain VERY old (as long as a year ago) data.# This basically means they list dynamic IPs which were once open proxies (but probably aren't currently).  (Stupid and useless for any purpose IMO)# But if you're REALLY paranoid about banning people with open proxies, then add them back to the list above.#{priority 5 rbl OSPS.DNSBL.Net.AU desc {Open Proxy} mainurl {http://DNSBL.Net.AU/osps/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}#{priority 5 rbl OHPS.DNSBL.Net.AU desc {Open Proxy} mainurl {http://DNSBL.Net.AU/osps/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}#{priority 5 rbl OWPS.DNSBL.Net.AU desc {Open Proxy} mainurl {http://DNSBL.Net.AU/osps/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}#{priority 6 rbl List.DSBL.Org desc {Open Proxy} mainurl {http://DSBL.Org/} checkurl {http://DSBL.Org/listing?%s} removeurl {http://dsbl.org/removal?ip=%s} codes {127.0.0.2}}#{priority 6 rbl Misc.DNSBL.SORBS.Net desc {Open Proxy} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.US.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.0.0.4}}#{priority 6 rbl Socks.DNSBL.SORBS.Net desc {Open Proxy} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.US.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.0.0.3}}#{priority 6 rbl HTTP.DNSBL.SORBS.Net desc {Open Proxy} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.US.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.0.0.2}}#{priority 6 rbl DNSBL.NJABL.Org desc {Open Proxy} mainurl {http://NJABL.Org/} checkurl {http://NJABL.Org/cgi-bin/lookup.cgi?query=%s} codes {127.0.0.9}}#{priority 7 rbl DSBL.DNSBL.Net.AU desc {Host listed on the Distributed Server Boycott List} mainurl {http://DNSBL.Net.AU/probes/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.*}}# BTW, you can find more RBLs from this URL: http://www.moensted.dk/spam/# This sorts the rbls list by priority:set rbls [lsort -integer -index 1 $rbls]variable IPsarray unset IPs *array set IPs {}}proc ::rblcheck::Join {nick uhost handle channel} {if {![channel get $channel rblcheck] || $handle != {*} || ![string match {~*} $uhost] || [matchban "$nick!$uhost" $channel] || [matchexempt "$nick!$uhost" $channel] || [matchinvite "$nick!$uhost" $channel]} {return 0} elseif [regexp {^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])$} [set newhost [lindex [split $uhost @] end]]] {# It's already an IP address.::rblcheck::CheckIP $newhost $newhost 1 $nick $uhost $newhost $channel} else {putloglev d $channel "RBLCheck: Doing DNS lookup on $newhost to get IP..."after idle [list dnslookup $newhost ::rblcheck::CheckIP $nick $uhost $newhost $channel]}}# Runs RBL check(s) on the IP:proc ::rblcheck::CheckIP {ip host status nick uhost orighost channel} {if {$status} {set channel [string tolower $channel]variable IPsif {![info exists IPs($ip)]} {foreach {a b c d} [split $ip .] {break}set IPs($ip) [list reverseip "$d.$c.$b.$a" priority 0 nick $nick ip $ip host $host uhost $uhost orighost $orighost channels [list $channel]]after idle [list ::rblcheck::CheckRBLs $ip]} else {# There's background lookups already for this IP, so we just update some of the info:array set ipinfo $IPs($ip)if {[lsearch -exact $ipinfo(channels) $channel] == -1} { lappend ipinfo(channels) $channel }array set ipinfo [list nick $nick uhost $uhost]set IPs($ip) [array get ipinfo]}} else {putloglev o $channel "RBLCheck: Couldn't resolve $host.  (No further action taken.)"}}proc ::rblcheck::CheckRBLs {ip} { variable IPsarray set ipinfo $IPs($ip)# Check to see if there's any background dnslookups still running, return if there are..if {![llength [array names ipinfo rbl,*]]} {putloglev d * "RBLCheck: No matches for $ip in priority $ipinfo(priority)."variable rblsset highestpriority [lindex [lindex $rbls end] 1]# Do dnslookups on the next priority level:set trying 0while {!$trying && [incr ipinfo(priority)] <= $highestpriority} {putloglev d * "RBLCheck: Trying priority $ipinfo(priority).."foreach r $rbls {array set rblinfo $rif {$rblinfo(priority) == $ipinfo(priority)} {putloglev d * "RBLCheck: ($ipinfo(priority)) Looking up $ipinfo(reverseip).$rblinfo(rbl)"set ipinfo(rbl,$rblinfo(rbl)) [concat [array get rblinfo] [list status -1]]set IPs($ip) [array get ipinfo]after idle [list dnslookup "$ipinfo(reverseip).$rblinfo(rbl)" ::rblcheck::CheckResult $ip $rblinfo(rbl)]set trying 1}}}# If there's no more RBLs left to query, do cleanup and exit:if {!$trying} { unset IPs($ip) }}}# Callback for RBL check(s):proc ::rblcheck::CheckResult {ip host status origip rbl} { variable IPsif {[info exists IPs($origip)]} {array set ipinfo $IPs($origip)array set rblinfo $ipinfo(rbl,$rbl)if {$status == 1} {# status is 1, so maybe one of the code(s) matches the resolved IP:foreach code $rblinfo(codes) {if {[string match $code $ip]} {# A match was found!foreach channel $ipinfo(channels) {putloglev d $channel "RBLCheck ($rblinfo(rbl)): $host => $ip - See: [format $rblinfo(checkurl) $ipinfo(ip)]"if {![matchban "$ipinfo(nick)!$ipinfo(uhost)" $channel] && ![isvoice $ipinfo(nick)] && ![isop $ipinfo(nick)] && ![ishalfop $ipinfo(nick)]} {if {[botisop $channel] || [botishalfop $channel]} {putkick $channel $ipinfo(nick) "Your IP, according to $rblinfo(rbl), is listed as an $rblinfo(desc). See: [format $rblinfo(checkurl) $ipinfo(ip)]"puthelp "NOTICE $ipinfo(nick) :Your IP address was listed by $rblinfo(rbl) as being an $rblinfo(desc).  See for yourself at [format $rblinfo(checkurl) $ipinfo(ip)] and see $rblinfo(mainurl) for more information.   Please note, that if you fix your ident you won't be banned again by this bot.  (People with idents are exempt from the RBL check)"} else {puthelp "NOTICE $channel :$ipinfo(nick)!$ipinfo(uhost)'s IP ($ipinfo(ip)), according to $rblinfo(rbl), is (or was) a known $rblinfo(desc).  See: [format $rblinfo(checkurl) $ipinfo(ip)] and see $rblinfo(mainurl) for more information."}if {[set bantime [expr { [channel get $channel ban-time] - 1 }]] <= 0 && [set bantime [expr { ${::global-ban-time} - 1 }]] <= 0} { set bantime 99 }# Note, the ban needs to be set, even if the bot isn't currently opped.newchanban $channel "*!~*@$ipinfo(orighost)" RBLCheck "$rblinfo(rbl) => $ip - See: [format $rblinfo(checkurl) $ipinfo(ip)]" $bantime}}variable notesif {$notes != {}} { foreach n [split $notes {, }] { if {[validuser $n]} { catch { sendnote RBLCheck $n "RBLCheck: Banned $ipinfo(nick)!$ipinfo(uhost) from [join $ipinfo(channels) {, }] - $rblinfo(rbl) says IP is an $rblinfo(desc) - $host => $ip - See [format $rblinfo(checkurl) $ipinfo(ip)] and $rblinfo(mainurl)" } } } }# A match was found, so there's no need to continue checking any more, so do cleanup and exit:unset IPs($origip)return 0}}}# If we didn't return above, it means there wasn't a match in that RBL.variable rblsif {$ipinfo(priority) >= [lindex [lindex $rbls end] 1]} {# If we've tried all the RBLs, do cleanup and exit:unset IPs($origip)} else {# Clear the info for this RBL:array unset ipinfo rbl,$rblset IPs($origip) [array get ipinfo]# Try the next priority:after idle [list ::rblcheck::CheckRBLs $origip]}}}setudef flag rblcheckbind join - {* *!*@*} ::rblcheck::Joinputlog "rblcheck.tcl v0.8.1 by FireEgl"

Statistics: Posted by s0ulw4r — Mon Dec 20, 2004 3:40 am

code by jamesoff

2004-12-19T22:03:50-04:00

Code:

# open proxy checker for eggdrop# (c) James Seward 2003/4# version 1.0# http://www.jamesoff.net/projects/eggdrop# james@jamesoff.net# Released under the GPL## INSTRUCTIONS################################################################################ This script will check the hosts of people joining channels against one or# RBLs. Choose your RBLs wisely, some of them list DIALUP SPACE and that would# be a bad thing to be matching your IRC users against :P## Enable the 'proxycheck' flag for channels you want the script active on# --> .chanset #somechannel +proxycheck## Users who are +o, +v, or +f in your bot (local or global) won't be checked.## Turn on console level d on the partyline to see some debug from the script# --> .console +d (to enable)# --> .console -d (to disable)## CONFIG################################################################################ space-separated list of RBLs to look inset proxycheck_rbls { "cbl.abuseat.org" "opm.blitzed.org" "dnsbl.ahbl.org" }# time in minutes to ban forset proxycheck_bantime 15# stop editing here unless you're TCL-proof## CODE################################################################################add our channel flagsetudef flag proxycheck#bind our eventsbind join - *!*@* proxycheck_join#swing your pants# catch joinsproc proxycheck_join { nick host handle channel } {  #check we're active  if {![channel get $channel proxycheck]} {    return 0  }  #don't apply to friends, voices, ops  if {[matchattr $handle fov|fov $channel]} {    return 0  }  #get the actual host  regexp ".+@(.+)" $host matches newhost  if [regexp {[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$} $newhost] {    #it's a numeric host, skip the lookup    proxycheck_check2 $newhost $newhost 1 $nick $newhost $channel  } else {    putloglev d * "proxycheck: doing dns lookup on $newhost to get IP"    dnslookup $newhost proxycheck_check2 $nick $newhost $channel  }}# first callback (runs RBL checks)proc proxycheck_check2 { ip host status nick orighost channel } {  global proxycheck_rbls  if {$status} {    putloglev d * "proxycheck: $host resolves to $ip"    # reverse the IP    regexp {([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})} $ip matches a b c d    set newip "$d.$c.$b.$a"    # look it up in the rbls    foreach rbl $proxycheck_rbls {      putloglev d * "proxycheck: looking up $newip.$rbl"      dnslookup "$newip.$rbl" proxycheck_check3 $nick $host $channel $rbl    }  } else {    putlog "proxycheck: Couldn't resolve $host. (No further action taken.)"  }}# second callback (catches RBL results)proc proxycheck_check3 { ip host status nick orighost channel rbl } {  global proxycheck_bantime  if {$status} {    putlog "proxycheck: got host $host = ip $ip from RBL $rbl ... banning"    newchanban $channel "*@$orighost" "proxychk" "proxycheck: $rbl" $proxycheck_bantime  }  #if we didn't get a host, they're not in RBL}putlog "proxycheck 1.0 by JamesOff loaded"

Statistics: Posted by s0ulw4r — Sun Dec 19, 2004 10:03 pm

Proxy Banning Script

2004-12-19T20:49:01-04:00

Basically, user's matching sequence is a little wide range, with:
Code:
[string match {*[0-9]} $u]
Since you want to ban non-resolving ip's I suggest you can use this kind of format. I am not that good in regexp, but here goes:
Code:
  regexp ".+@(.+)" $host matches newhost  if [regexp {[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$} $newhost] {

you know resolving hosts that end with a digit?

Statistics: Posted by demond — Sun Dec 19, 2004 8:49 pm

Proxy Banning Script

2004-12-19T20:43:39-04:00

Basically, user's matching sequence is a little wide range, with:

Code:

[string match {*[0-9]} $u]

Since you want to ban non-resolving ip's I suggest you can use this kind of format. I am not that good in regexp, but here goes:

Code:

  regexp ".+@(.+)" $host matches newhost  if [regexp {[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$} $newhost] {

Statistics: Posted by awyeah — Sun Dec 19, 2004 8:43 pm

Proxy Banning Script

2004-12-17T23:46:12-04:00

they are spawned by trojans/viruses from infected windows boxes

ohh, dont remember me on this... there are people they believe so much in their current virus scanners that they even ignore major signs like beeing unable to open the task manager and register editor and advances from people having the same sympthoms and just used another scanner to kill it...
Before this trend doesn't stop you will not be able to stop these proxys really effienctly, but known server are usually worth, so if you can ban him 10-20 servers, they might give up, because he runs out of alternitives (but if you really piseed someone off he might trade for more servers from more diffrent ISPs or run a proxy probe scanner over a large IP range of his own ^^).
If I look in my apache logs I see many proxy probs everyday, if I would have such a proxy, I would be found everyday again...

If they have a common way to spam you might find a trick to identify them within 1-2 lines and ban them before more happens. At this point I really love the flood control of the advanced ChanServ which effiently kicks all spammers without the latency every eggdrop has ^^.

Statistics: Posted by De Kus — Fri Dec 17, 2004 11:46 pm

Proxy Banning Script

2004-12-17T17:32:29-04:00

some of the big 4 (i.e. EFnet and IRCnet) have pretty decentralized policies on this, so you might find yourself on a server that scans your hostname on connect for open proxies on well-known ports, or you may be using a server which couldn't care less - it's up to server's admin to install and use a proxy scanner

there are scripts (I've seen at least one) that scan users on join, but this is too heavy burden on eggdrop IMHO - it's far from easy to implement proper and efficient scanner in a script

besides, novadays most spammers don't use open proxies - they are spawned by trojans/viruses from infected windows boxes

Statistics: Posted by demond — Fri Dec 17, 2004 5:32 pm

Proxy Banning Script

2004-12-17T16:51:31-04:00

I do usually always a !seen on the host before considering a wide ban. You might get really busy exempting wished users (and some might never return, because the don't understand IRC well enough to notice you didn't ban them but their whole hostmark style ^^). Maybe you just add wideban for the proxys, there aren't too many as long your Network g-lines open Proxys (and I hope all do today, but probably they don't ^^). If your network doesn't you might contact an IRC oper to ask if it planed.

Statistics: Posted by De Kus — Fri Dec 17, 2004 4:51 pm

Proxy Banning Script

2004-12-17T15:17:53-04:00

user's proc will ban ANYONE with unresolving host (who isn't recognized as a botuser) - not just alleged spammers - so beware what you wish(ed) for, for you might get it

Statistics: Posted by demond — Fri Dec 17, 2004 3:17 pm

Proxy Banning Script

2004-12-17T14:13:20-04:00

so it would be

Code:

bind join - "*" ipchk

Statistics: Posted by toefraz — Fri Dec 17, 2004 2:13 pm

Proxy Banning Script

2004-12-16T21:24:26-04:00

how can i make that to be with all channels?

remove the channel name from the bind (make the mask "*")

Statistics: Posted by user — Thu Dec 16, 2004 9:24 pm

Proxy Banning Script

2004-12-16T20:48:43-04:00

how can i make that to be with all channels?

Statistics: Posted by toefraz — Thu Dec 16, 2004 8:48 pm

Proxy Banning Script

2004-12-16T20:23:10-04:00

thank you

Statistics: Posted by toefraz — Thu Dec 16, 2004 8:23 pm

Re: Proxy Banning Script

2004-12-16T19:52:45-04:00

I need a script to ban hosts that are IPs.
I want it to perm ban them, but I also want it to be able to allow exceptions.

Code:

bind join - "#yourChan *" ipchkproc ipchk {n u h c} {if {![isbotnick $n]&&![validuser $h]&&[string match {*[0-9]} $u]} {newchanban $c *!*@[lindex [split $u @] end] ${::botnet-nick} "I love you"}}

...to exempt people from being banned, add them to your bot. (if you have several regulars that should have no other privileges than being able to join without getting banned, add a single "exempt user" with multiple hosts and no flags

Statistics: Posted by user — Thu Dec 16, 2004 7:52 pm

Proxy Banning Script

2004-12-16T19:29:52-04:00

well, I'd recommend spambuster.tcl

Statistics: Posted by demond — Thu Dec 16, 2004 7:29 pm