
Ban Turkey from EFnet?

Posted: Tue Jan 23, 2007 8:43 pm
by HM2K
I get spam like this every day...

[08:35:40 pm] <falc> w w v . sexsbul.com
^^falc is ~^^gecewy@88.246.97.150 * FBIx^^3L
^^falc using irc.igs.ca cia.com: VOIP phone service + High speed $39.95/mo
^^falc End of /WHOIS list.

If you view the HTML of that site (which I do not recommend doing unless you know what you're doing), it brings up the following details...

http://extremetracking.com/open;unique?login=sexsbull (This URL is safe).

If you check the details you will notice that most of the visitors are Turkish.

Also if you go back and check the HTML, you will notice a lot of Turkish websites which are owned by the spammers.

I even wrote up an article about this spam: http://www.hm2k.com/articles/trance-spam/

We've all put up with this for far too long now, let's do something about it!

Thanks.

Posted: Tue Jan 23, 2007 9:41 pm
by 4712
2nd

Posted: Thu Jan 25, 2007 7:40 am
by jt
Sounds like a reasonable solution

Posted: Thu Jan 25, 2007 10:02 am
by HM2K
jt wrote: Sounds like a reasonable solution
Sarcasm doesn't work on the internet.

I invite you to come up with a better solution.

Posted: Fri Jan 26, 2007 2:09 am
by 4710
Go ahead and do it. A lot of channels have turned into wastelands because of those stupid bots and nobody wants to deal with their crap. At least doing this would (hopefully) take care of most of the problem gobble gobble GONE

Posted: Sat Jan 27, 2007 2:10 pm
by jt
The current solution, spamtrap, picks these up with no problem
Lots, probably most, of this type of spam isn't even from Turkey
Trying to ban some random country from the network isn't going to accomplish anything
Edit: Oh, and when you do see any spammers you are welcome to tell us in #spamfix

Posted: Sat Jan 27, 2007 5:15 pm
by HM2K
jt wrote: The current solution, spamtrap, picks these up with no problem
Lots, probably most, of this type of spam isn't even from Turkey
Trying to ban some random country from the network isn't going to accomplish anything
Edit: Oh, and when you do see any spammers you are welcome to tell us in #spamfix
We already have spamtrap, which doesn't work due to the nature of these spam bots... they join, get the nick list, part, then spam. Spamtrap only k-lines them upon receiving spam. The only thing that is good about this is it stops repeat offenders.

Clearly you do not know what you're talking about, as these spam bots ARE from Turkey, they are made by people in Turkey, the spam is aimed at people in Turkey, and consequently a large percentage of the bots are in Turkey.

I have been monitoring these bots for quite some time, I have reverse engineered their bot, I have even spoken to the people controlling them.

As you can see, this is NOT just a random country, this is Turkey, and the reason for banning Turkey from EFnet is because of the reasons I clearly state above.

Banning Turkey would accomplish reduced spam.

I see a spammer about once every 5 minutes, would you like me to report each one as they happen? Or should I perhaps create a daily report?

Perhaps a better idea is if you join one of the channels being targeted and see for yourself...

I know my idea is outrageous, but it's crazy enough to work. What do you think?
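The join, get the nick list, part, then spam behaviour described in this post can be flagged before any spam arrives; the following is an added example, not part of the original post or of spamtrap. It assumes a decoy client (nick `decoy`, hypothetical) sitting in the channel and logging raw lines with a Unix timestamp; the thresholds and all sample lines are constructed.

```python
import re

# Constructed raw IRC lines as a decoy client in #chan would receive them,
# each prefixed with a Unix timestamp. Nicks and hosts are invented.
SAMPLE = """\
1000 :alice!ali@192.0.2.10 JOIN :#chan
1005 :bot1!gec@198.51.100.7 JOIN :#chan
1008 :bot1!gec@198.51.100.7 PART #chan
1020 :alice!ali@192.0.2.10 PRIVMSG #chan :hello all
1030 :bot1!gec@198.51.100.7 PRIVMSG decoy :w w w . example . invalid
1100 :carol!car@203.0.113.5 JOIN :#chan
1900 :carol!car@203.0.113.5 PART #chan
"""

LINE = re.compile(r"^(\d+) :([^!\s]+)!(\S+) (JOIN|PART|PRIVMSG) :?(\S+)(?: :?(.*))?$")
MAX_DWELL = 15     # seconds in channel that still counts as hit-and-run (assumed)
SPAM_WINDOW = 300  # seconds after PART in which a private message is tied to it (assumed)

def analyse(log, me="decoy"):
    """Return (suspects, confirmed): hit-and-run visitors, and those who then messaged us."""
    joined, spoke, suspects, confirmed = {}, set(), {}, []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, nick, userhost, cmd, target, text = m.groups()
        ts = int(ts)
        if cmd == "JOIN":
            joined[nick] = ts
        elif cmd == "PRIVMSG" and target.startswith("#"):
            spoke.add(nick)                      # talked in channel: not a silent harvester
        elif cmd == "PART":
            start = joined.pop(nick, None)
            if start is not None and ts - start <= MAX_DWELL and nick not in spoke:
                suspects[nick] = (userhost, ts)  # left almost at once without speaking
        elif cmd == "PRIVMSG" and target == me and nick in suspects:
            userhost, parted = suspects[nick]
            if ts - parted <= SPAM_WINDOW:       # unsolicited message right after leaving
                confirmed.append((nick, userhost, text))
    return suspects, confirmed
```

A short dwell alone is weak evidence (netsplits and misjoins look the same), so only the `confirmed` list should feed an automatic ban.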

Posted: Sun Jan 28, 2007 1:05 am
by jt
I've seen plenty of these sexsbul bots myself and many of them are not from Turkish hosts
It may be true that there needs to be a more effective way for spamtrap to catch them due to their tactics, but certainly no cause for an attempted ban of a country

Posted: Sun Jan 28, 2007 12:57 pm
by HM2K
jt wrote: I've seen plenty of these sexsbul bots myself and many of them are not from Turkish hosts
It may be true that there needs to be a more effective way for spamtrap to catch them due to their tactics, but certainly no cause for an attempted ban of a country
sexsbul? that's just ONE recent spam URL, they've had thousands before that.

You're right many of them aren't on Turkish hosts, but a large percentage of them are, as I have already explained.

Perhaps you can think of a better idea to control this type of spam, but the best approach I could think of was to ban Turkey.

Perhaps I could get jafo to ban Turkey from the irc.efnet.net DNS round robin somehow.

Posted: Sun Jan 28, 2007 5:20 pm
by jilles
Why not ban all Turkish IP ranges from the channel (leaving the bans on 24x7)?

Reverse engineering bot code can help finding patterns in the data they provide to the server. These can be useful to ban spambots as soon as they connect. Problems are that these patterns can be very subtle (requiring complicated code to detect them) and that this way is only really useful if spambots are automatically and immediately banned. Care must also be taken to avoid false positives.

Posted: Mon Jan 29, 2007 10:56 am
by HM2K
netmunky has seen the code too, there's nothing really significant.

The problem with banning all the Turkish IP ranges is that there are simply too many for the banlist to hold. Usually around 100 hosts can be banned before the list is full.

Here are a few IP ranges to be getting on with...
http://www.cidr-report.org/cgi-bin/as-report?as=AS9121

Posted: Mon Apr 09, 2007 12:32 am
by Handle With Care
In many years, I have only seen two things from Turkey: spammers/spambots and trolls looking for sex with children/kiddy kidney stones. Not a single legitimately chatting human, which doesn't mean they don't exist -- I just have never encountered one. However, it would take CIDR bans to ban them from channels, and eggdrops require CIDR bans to be stickies. Most Turkey IPs are not sequential and there are several bazillion of them, being mostly government ISP.

We all have our little list: Turkey, Kuwait, China (.cn not to be confused with Switzerland .ch) flavor-to-taste. Then there's Malaysia, Singapore, and Indonesia (looking for rich Americans to bring them out of their poverty). Brazil (major hackers and DDoSers). The list could go on and on.

Posted: Mon Apr 09, 2007 2:51 pm
by munky
Don't ban the Brazilians! They have lots of hot chicks.

Posted: Mon Apr 09, 2007 10:33 pm
by deltaanime
Hi,

My network has been having these bots slam on us for a while. We did some digging and found out that they all share the same CTCP TIME reply.

I don't have it on hand, but the TIME reply was from March of 2006, so if you could do a TIME check on connect, you could deal with them.

~Francisco
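A TIME check on connect, as suggested in this post, could look like the following added example (not code from the original post or from any network's services). It assumes ctime-style TIME replies; the nicks, hosts, the stale timestamp and the reference clock `NOW` are constructed, since the thread does not give the real value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CTCP TIME replies as raw IRC NOTICE lines (all values invented).
REPLIES = [
    ":bot1!a@198.51.100.7 NOTICE checker :\x01TIME Thu Mar 16 14:02:11 2006\x01",
    ":bot2!b@198.51.100.9 NOTICE checker :\x01TIME Thu Mar 16 14:02:11 2006\x01",
    ":alice!ali@192.0.2.10 NOTICE checker :\x01TIME Mon Apr 09 22:31:40 2007\x01",
    ":dave!d@203.0.113.5 NOTICE checker :\x01TIME half past nine\x01",
]
NOW = datetime(2007, 4, 9, 22, 33)   # constructed reference clock for the sample
MAX_SKEW = timedelta(hours=26)       # any time zone plus clock drift (assumed)

def parse_time_reply(line):
    """Return (nick, reply_text) for a CTCP TIME reply, or None."""
    prefix, _, rest = line.partition(" NOTICE ")
    _, _, payload = rest.partition(" :")
    if not (prefix.startswith(":") and payload.startswith("\x01TIME ")
            and payload.endswith("\x01")):
        return None
    return prefix[1:].split("!", 1)[0], payload[6:-1]

def classify(lines, now):
    """Map nick -> 'ok' | 'stale' | 'stale-shared' | 'unparsed'."""
    seen, verdict = defaultdict(list), {}
    for line in lines:
        parsed = parse_time_reply(line)
        if parsed is None:
            continue
        nick, text = parsed
        seen[text].append(nick)
        try:
            # ctime-style layout; other clients format TIME differently.
            claimed = datetime.strptime(text, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            verdict[nick] = "unparsed"   # unknown format: never ban on this alone
            continue
        verdict[nick] = "ok" if abs(now - claimed) <= MAX_SKEW else "stale"
    for nicks in seen.values():
        if len(nicks) > 1:               # byte-identical reply from several clients
            for n in nicks:
                if verdict[n] == "stale":
                    verdict[n] = "stale-shared"
    return verdict
```

Two legitimate clients answering in the same second stay `ok`, because an identical reply only escalates a verdict that is already `stale`.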

Posted: Tue Apr 10, 2007 2:47 pm
by HM2K
That's impossible, I've seen the source code, it has nothing of the sort as far as I am aware.

I will test this further at a later date.