more lame drones

General talk about EFnet

Moderators: Website/Forum Admins, EFnet/General Moderators

glassdog
Posts: 4
Joined: Mon Aug 15, 2005 9:02 pm
Location: usa
Contact:

more lame drones

Postby glassdog » Mon Aug 15, 2005 9:22 pm

i know drone is a well hashed issue but i have seen a huge increase in my channel on efnet (#worldchat) the regular bans simply don't cut it anymore. Anyone have a fresh aproach to controlling the msg floods from drones like the ones below ??? We get around 10 - 300 msg's a day depending on wich bans they slip they always join part first
anyhelp would be great thanks Glassdog
[02:47am] [N] Query Started with (aoeNie!~riindt@I.didn't)
[02:47am] <aoeNie> http://www.spammedsite.com
[08:32am] [N] Query Started with (EiYeza!~iireausim@read.the)
[08:32am] <EiYeza> http://www.spammedsite.to
[12:47pm] [N] Query Started with (gOiFiCoVp!b@forum.rules)
[12:47pm] <gOiFiCoVp> http://www.spammedsite.to
User avatar
Pills
Forum Admin
Posts: 312
Joined: Wed Jul 02, 2003 1:14 pm
Location: Long Island, NY
Contact:

Postby Pills » Tue Aug 16, 2005 1:50 pm

/stats p <spammernick>, find an oper/admin, they'll get rid of them.
admin, irc.umich.edu
oper, irc.servercentral.net
glassdog
Posts: 4
Joined: Mon Aug 15, 2005 9:02 pm
Location: usa
Contact:

Postby glassdog » Tue Aug 16, 2005 9:53 pm

Thanks i will do that as much as possible but the short life and volume of the drones makes it kinda fruitless
Hardy
Site Admin
Posts: 394
Joined: Wed Jul 02, 2003 4:54 pm
Location: Oslo, Norway
Contact:

Postby Hardy » Wed Aug 17, 2005 9:38 pm

glassdog wrote:Thanks i will do that as much as possible but the short life and volume of the drones makes it kinda fruitless
We know all about that :)

When we kline a bunch new one comes all the time. The most efficent way is to report them to the serverowner/isp, but that takes alot of time...
-- Hardy
Administrator: irc.underworld.no
Services Administrator
http://www.efnet.org admin/staff
fuuey
Posts: 1
Joined: Tue Aug 23, 2005 1:59 am

Postby fuuey » Tue Aug 23, 2005 2:59 am

shit is fucking ridiculous
poke smot
glassdog
Posts: 4
Joined: Mon Aug 15, 2005 9:02 pm
Location: usa
Contact:

Postby glassdog » Sat Aug 27, 2005 11:51 am

i notice most servers do a drone check via version at connect and i am sure some do scans on connecting, but how often do they update the ports scanned for and how would i get a list of open ports on the drones i am seeing to those that run the server scans ?
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Sun Aug 28, 2005 1:18 pm

the drones that you are seeing have a version reply identical to mirc v6.16, and do not have open ports that can be scanned by open proxy monitors.
as of right now, all we can do is try to catch them after they've joined and spammed their trojan url. after we catch them the first time, they are blacklisted on rbl.efnet.org for 7 days.
a large percentage of the infected hosts are turkish hosts. if you don't regularly have turks in your channel, you can ban ~*@85.100.0.0/14 and ~*@81.213.0.0/14. i believe that catches almost 1/3 of them.
In God we trust,
Everyone else must have an X.509 certificate.
glassdog
Posts: 4
Joined: Mon Aug 15, 2005 9:02 pm
Location: usa
Contact:

Postby glassdog » Sun Sep 25, 2005 12:48 pm

Ok i had some luck with banning the drones for a while heck they even slowed for several weeks but now they are hitting again in moderate numbers. Do all servers use the rbl.efnet.org database to chek clients ? Also there are several channels that seem to see large numbers of drones do you have spam traps in them ? #adultswim seems to be a non stop flood of drones (not sure who runs the room) #worldchat also gets a large amount of them as the ip ranges change (my room any op welcome anytime)
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Thu Oct 13, 2005 11:45 am

One effective approach I have found is to send abuse email to the site they're spamming. This doesn't work "all" the time but it works most of the time. Normally the webmaster/admin will kill the account. If the drone has no site to spam they magically disappear...for a while.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Wed Nov 09, 2005 1:41 pm

Pills wrote:/stats p <spammernick>, find an oper/admin, they'll get rid of them.
Well, I have tried that myself many times. There is one spammer that has been coming around for a very long time using proxies and is always on irc.nac.net. Needless to say I have never had any response to /stats p <spammernick>. The spammer continues to live and spam at will. The spammer used to use another server but in the past year has moved to irc.nac.net. I'm sure some of you know which spammer I'm talking about, you know the one that replies with "Do you want to see my photo?" when you message it "hi" or anything else, then it procedes to spam the kidney stones site. If the spammer is using a hostname for the proxy I can usually get rid of it myself but if it's using just an ip I can't connect to irc.nac.net with the proxy because it will only allow one connection per ip. To sum up the rambling, /stats p <spammernick> does not work on irc.nac.net.
User avatar
lucy
Posts: 234
Joined: Wed Jul 02, 2003 6:22 pm
Location: graceland
Contact:

Postby lucy » Wed Nov 09, 2005 2:10 pm

then try messaging an oper you know is active.. like try /stats p the server you are on, maybe they'll have some luck finding a nac.net oper or gline the spammer.

also when you msg the oper, get right to the point... "hi, there's a spammer.... etc" instead of "hi"
personally, I frequently don't reply to just a "hi", but thats just me.
evil
Posts: 59
Joined: Mon Sep 15, 2003 6:18 pm

Postby evil » Wed Nov 09, 2005 6:34 pm

Sorry I probably mistated, I was talking about the spammer that would reply to "hi" or anything else for that matter, not the oper. Also in my personal experience there's a reason the spammer is using nac.net but I won't elaborate. :)
User avatar
lucy
Posts: 234
Joined: Wed Jul 02, 2003 6:22 pm
Location: graceland
Contact:

Postby lucy » Wed Nov 09, 2005 8:11 pm

i knew you were replying about the spammer..

i'm just saying when i get a message and all they say is 'hi' and nothing else, i frequently dont answer... and i get alot of 'hi'

Who is online

Users browsing this forum: No registered users and 3 guests