#trance spam bots

This page was made for the users of #Trance, where I am a regular, but the following channels on EFnet are also affected:

#chatzone,#ps3,#pothead,#adultswim,#exdcc,#trance,#ircparty,#khaldiya,#leech,#news,#lool,#ircgreeks,#orkut,#winnipeg,#worldchat

There are also thousands of other channels spanning hundreds of other networks affected by this spam. See: Example of Spam

From what has been seen so far, it seems that the whole scheme is run by people based in Turkey: a large amount of the spam comes from Turkey, and they appear to target Turkish users.

It’s very difficult to get rid of them due to the nature of their activity, and because they keep changing the download hosts, trojan, worm, server and centralised spam list.

These bots join the channel, collect the nick list, part again, then send a spam message to each user on the nick list.

I find that most activity from these bots appears to come at certain times of day when they appear to trigger them.

Can’t you just ban them?

No, they come back with different nicks, idents, gecos and hosts.

Can’t you use CIDR or mask bans?

Yes, however they span many different ranges, mostly in Turkey.

The problem is that some servers don’t support CIDR bans, and that the ban list gets full very quickly.

Why does +k not work?

We have tried before, and slowly but surely the channel died.

  1. New users cannot get in, and old users forget the key
  2. It doesn’t solve the problem, just ignores it
  3. It prevents me from researching them
  4. It means they win, and that sucks

What about +g?

+g is a user-level, server-side ignore. You can set this by doing: /mode <me> +g

The problem is that the server will still notify you that someone is trying to msg you. It also means that other users can’t message you.

This is not a reasonable solution for everyone.

Can’t opers do anything about this?

No. It’s almost impossible to properly defend against these bots.

They have tried, and so far failed.

Is there anything else that can be done to stop the spam?

I wrote the following script for mIRC to help users in these channels unlock their channel and simply ignore the spam…

When a user joins the channel, that user is ignored for 16 seconds. If the user parts within this time period, the ignore is increased to 180 seconds, stopping a spam bot from sending private messages.

;.o0{ #trance AntiSpam v0.3 by HM2K }0o.

;Installation: Simply add the lines below into your remotes (alt+r)

;don’t forget to change #trance if you are using it on another channel instead.

on !*:join:#trance: .ignore -pu16 $iif($address($nick,2),$ifmatch,$nick)
on !*:part:#trance: if ($ignore($iif($address($nick,2),$ifmatch,$nick $+ !*@*.*))) { .ignore -pu180 $ifmatch }
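
The join/part timing rule of the script above, modelled in Python over raw IRC lines. This is an added example, not part of the original script: the function name, the event format and the sample traffic are constructed for illustration, and ignore timers are modelled as simple expiry times.

```python
import re

JOIN_IGNORE = 16    # seconds a fresh joiner is ignored (the script's -pu16)
PART_IGNORE = 180   # seconds if they part while still ignored (-pu180)
CHANNEL = "#trance"

# ":nick!ident@host COMMAND target [:text]" as sent by the IRC server
LINE = re.compile(r"^:(?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+) "
                  r"(?P<cmd>JOIN|PART|PRIVMSG) :?(?P<target>\S+)(?: :(?P<text>.*))?$")

def filter_messages(events, me="me"):
    """events: iterable of (unix_time, raw_line). Returns (delivered, dropped) PMs."""
    ignore_until = {}            # mask "*!*@host" -> expiry time
    delivered, dropped = [], []
    for ts, raw in events:
        m = LINE.match(raw)
        if not m:
            continue
        mask = "*!*@" + m["host"].lower()      # same idea as $address($nick,2)
        active = ignore_until.get(mask, 0) > ts
        target = m["target"].lower()
        if m["cmd"] == "JOIN" and target == CHANNEL:
            ignore_until[mask] = ts + JOIN_IGNORE
        elif m["cmd"] == "PART" and target == CHANNEL:
            if active:                          # parted inside the join window
                ignore_until[mask] = ts + PART_IGNORE
        elif m["cmd"] == "PRIVMSG" and target == me:
            (dropped if active else delivered).append((m["nick"], m["text"]))
    return delivered, dropped

# Constructed sample traffic: a join/part bot, a normal user, an eager newcomer
SAMPLE = [
    (0,   ":bot1!~x@host-a.example JOIN :#trance"),
    (3,   ":bot1!~x@host-a.example PART #trance"),
    (40,  ":bot1!~x@host-a.example PRIVMSG me :free mp3s http://spam.example/"),
    (50,  ":alice!al@host-b.example JOIN :#trance"),
    (90,  ":alice!al@host-b.example PRIVMSG me :hey, nice set last night"),
    (100, ":carol!c@host-c.example JOIN #trance"),
    (105, ":carol!c@host-c.example PRIVMSG me :hi"),
    (200, ":bot1!~x@host-a.example PRIVMSG me :free mp3s again"),
]

if __name__ == "__main__":
    ok, blocked = filter_messages(SAMPLE)
    print("delivered:", ok)
    print("dropped:  ", blocked)
```

The sample shows both limits of the rule: a legitimate user who messages within 16 seconds of joining is dropped, and a bot that waits out the 180 seconds gets through.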

Scripts for other IRC Clients:

irssi users (thanks redondos) issue:

/trigger add -parts -channels 'EFNet/#trance' -command "ignore -network EFNET -time 180 $N!*@* MSGS"

Please note: trigger.pl is required. Also, this has little error checking, unlike the mIRC version.

If you’re looking for a similar script for your IRC client, contact HM2K or ask in the appropriate channel for that client.

If you need more information about these spam bots contact me.

Note: This was originally posted on the EFnet forums as well.

3 Comments »

  1. paulmer20003 said,

    March 24, 2007 @ 8:05 pm

    “Can’t you just ban them?
    No, they come back with different nicks, idents, gecos and hosts.”

    Sure you can, just ban all unident’d clients from a /24 or a /16. Example: *!~*@24.25.2.*

    “What about +g?
    +g is user server side ignore. You can set this by doing: /mode +g
    The problem is that the server will still notify that someone is trying to msg you. It also means that other users can’t message you”
    CALLERID (+g) is a great way to deal with spam, and yes, other users can message you, you just have to “screen” people with /ACCEPT so you can get their messages.

  2. firestrk said,

    December 8, 2007 @ 2:41 pm

    I was in #trance and wanted to ask info on this for quite a while, this article is really informative. Great work Hm2K.

  3. Jentec said,

    May 4, 2009 @ 3:18 pm

    IRCops can block spam with spamfilter “in unrealircd”; they can block domains. The bots change their spam every 3-5 days, so you can block it for a while ;) I got the spambots on my own network myself; now they all die .. channels closed and spam listed on spamfilter on spam /gline ;)
