/*
 * This configuration file contains example spamfilter rules.
 * They are real rules that were useful a long time ago.
 * Since 2005 these rules are no longer maintained.
 * The main purpose nowadays is to serve as an example
 * to give you an idea of how powerful spamfilters can
 * be in real-life situations.
 *
 * Documentation on spamfilter is available at:
 * https://www.unrealircd.org/docs/Spamfilter
 */

/* General note:
 * If you want to use a \ in a spamfilter, or in fact
 * anywhere in the configuration file, then you need
 * to escape this to \\ instead.
 */


/* First some spamfilters with match-type 'simple'.
 * The only matchers available are * and ?
 * PRO's: very fast, easy matching: everyone can do this.
 * CON's: limited ability to fine-tune spamfilters
 */

spamfilter {
	match-type simple;
	match "Come watch me on my webcam and chat /w me :-) http://*:*/me.mpg";
	target private;
	action gline;
	reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyses/trojfylexa.html";
};

/* This signature uses a \ which has to escaped to \\ in the configuration file */
spamfilter {
	match-type simple;
	match "C:\\WINNT\\system32\\*.zip";
	target dcc;
	action block;
	reason "Infected by Gaggle worm?";
};

spamfilter {
	match-type simple;
	match "Speed up your mIRC DCC Transfer by up to 75%*www.freewebs.com/mircupdate/mircspeedup.exe";
	target private;
	action gline;
	reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyses/trojmirseeda.html";
};

spamfilter {
	match-type simple;
	match "STOP SPAM, USE THIS COMMAND: //write nospam $decode(*) | .load -rs nospam | //mode $me +R";
	target private;
	action gline;
	reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};


/* Now spamfilters of type 'regex'.
 * These use powerful regular expressions (Perl/PCRE style)
 * You may have to learn more about "regex" first before you
 * can use them. For example the dot ('.') has special meaning.
 */

/* This regex shows a pattern which requires 20 paramaters,
 * such as "x x x x x x x x x x x x x x x x x x x x"
 */
spamfilter {
	match-type regex;
	match "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
	target { private; channel; };
	action kill;
	reason "mIRC 6.0-6.11 exploit attempt";
};

/* Similarly, this regex shows a pattern that matches
 * against at least 225 characters in length.
 */
spamfilter {
	match-type regex;
	match "\x01DCC (SEND|RESUME).{225}";
	target { private; channel; };
	action kill;
	reason "Possible mIRC 6.12 exploit attempt";
};

/* Earlier you saw an example of a $decode exploit which used
 * match-type 'simple' and - indeed - the filter was quite simple.
 * The following uses a regex with a similar example.
 * Regular expressions are very powerful but here you can see
 * that it actually complicates writing a filter quite a bit.
 * With regex in this filter we need to escape the ( and all
 * the dots, question marks, etc. if we want to match these
 * characters in literal text.
 */
spamfilter {
	match-type regex;
	match "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
	target private;
	action block;
	reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
};

spamfilter {
	match-type regex;
	match "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
	target private;
	action block;
	reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
};

/* This shows a regex which specifically matches an entire line by 
 * the use of ^ and $
 */
spamfilter {
	match-type regex;
	match "^!login Wasszup!$";
	target channel;
	action gline;
	reason "Attempting to login to a GTBot";
};

/* An example of how to match against an IP address in text (IPv4 only) */
spamfilter {
	match-type regex;
	match "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
	target channel;
	action gline;
	reason "Attempting to use a GTBot";
};

/* A slightly more complex example with a partial OR matcher (|) */
spamfilter {
	match-type regex;
	match "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
	target private;
	action gline;
	reason "Infected by some trojan (erotica?)";
};

/* In regex a \ is special and needs to be escaped to \\
 * However in this configuration file, \ is also special and
 * needs to be escaped to \\ as well.
 * The result is that we need double escaping:
 * To match a \ you need to write \\\\ in the configuration file.
 */
spamfilter {
	match-type regex;
	match "C:\\\\WINNT\\\\system32\\\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
	target dcc;
	action dccblock;
	reason "Infected by Gaggle worm";
};