Detecting Nickname Trojan

[Reynaldo]

Code: Select all

on *:join:#: {
  if ($me !isop $chan) { halt }
  if ( $right($nick,2) isnum 0-99 ) && ( $asc($left($nick,1)) isnum 65-90 ) && ( $asc($left($address,1)) isnum 65-90 ) && ( $left($nick,5) != Guest ) && ( $left($nick,3) != ERR ) && ( $right($nick,3) !isnum ) { 
     .kick $chan $nick Spam!
 }

The script i made for my mirc, and it works fine.
anyone can help me to translate in to tcl scripts?

[Sir_Fz]

Translate it to pseudo or explain what a 'spam nick' is, then we might be able to help you.

[Reynaldo]

Camille27 (UmacCwm@220.??.???.??) has joined #chan

First character of nickname always using Capital letter and the end of nick always 2 number(s), and First character of Identd using Capital letter without ~ character and nick is not GUEST???. that's what i mean a Drone nick.

[Alchera]

Try the Search function in future as there is almost always a solution already posted.

As an example:
antidrone.tcl against bots like agra55, valendra23, vicky75

Just use "drone" or "drone AND nick" for your search criterion and you should easily find what you're after.

[Reynaldo]

for detecting only 2 numbers of nickname

Code: Select all

set check [regsub -all {[0-9]} $nick "" shortnick]
if { $check <= 1 || $check >= 3 } { 
      # the nickname consits only 1 digit or more then 3 (so it can`t be that type for drone) 
}

This proc for detect Capital letter

Code: Select all

proc isupper {letter} {
set caps {A B C D E F G H I
J K L M N O P Q R
S T U V W X Y Z}
if {[lsearch -exact $caps $letter] > -1} {
return 1
} else {
return 0
}
}

how to detect isupper fist character of nick and isupper first character of identd? or i can use this code?

Code: Select all

if {[isupper [string index $nick 1]] && [isupper [string index $uhost 1]] } {
 
 

[Sir_Fz]

You're lucky, I have written this sometime in the past and I found it on my HD:

Code: Select all

bind join - * bitchkick

proc bitchkick {n u h c} {
 set id [string trimleft [lindex [split $u @] 0] ~]
 if {[botisop $c] && [string is alpha $id] && [regexp {[A-Z][a-z]{2,}\d{2}$} $n nm] && [regexp {[^aeiou]{4}} [lindex [split $u @] 0] im] && [regexp -all {[A-Z]} $id] <= 6} {
  putquick "KICK $c $n :Spammer bot detected. (*$nm!$im*) - Banned 120 minutes."
  putquick "mode $c +b [set bm *!*@[lindex [split $u @] 1]]"
  timer 120 [list pushmode $c -b $bm]
  putlog "Detected \002$n\002!\002[lindex [split $u @] 0]\002 on \002$c\002."
 }
}

[Reynaldo]

Code: Select all

set id [string trimleft [lindex [split $u @] 0] ~] 

Drones nick, they are using identd without ~ on it

Code: Select all

set id [lindex [split [maskhost $uhost] "!"] 1]

[Sir_Fz]

If there is a ~ it will be removed, if not then it stays as it is. Some of these bots don't have their idents resolved.

Code: Select all

set id [lindex [split [maskhost $uhost] "!"] 1]

This will return user@host and not user.

[Reynaldo]

this case, all of these bots have their idents resolved. that make them special for me.

Code: Select all

set id [lindex [split [maskhost $uhost] "!"] 1]

This will return user@host and not user.
That's ok. they always using nick like this: Lara22, Kelly20, Sarah19. and with idents: User@host (not user@host), so there's 3 point that make the bots different with user (some hopefully ). It's:
1. First Character of bot nickname is Capital letter, ex: Lara22, Kelly20, etc.
2. First Character of bot ident is Capital letter, ext: User@host (not user@host).
3. Always there the 2number behind the botnick ex: Lara22, Kelly20.

[user]

Code: Select all

if {[regexp {^[A-Z].*?[0-9]{2}![A-Z]} $nick!$uhost]} {
	# the user matches your description
}

[Sir_Fz]

Code: Select all

if {[regexp {^[A-Z].*?[0-9]{2}![A-Z]} $nick!$uhost]} {
	# the user matches your description
}

Exactly, only the script I've wrote has more checks just to make sure (at least increase probability) that the user is indeed a drone.

It checks the following:
1) The ident is made up of alphabets only
2) First alphabet in nick is uppercase followed by at least 2 lowercase alphabets and ends with 2 integers.
3) Ident has at least 4 consecutive alphabets that are not vowels (excluding y)
4) Number of uppercase alphabets in ident is less than or equal to 6 (this is probably useless)

[Garp]

It's a worm using a fixed nicklist.

Code: Select all

set wormnicks "aldora alysia amalina amorita anita april ara aretina barbra becky bella bettina blenda briana bridget caitlin camille cara carla carmen catherin chelsea cindy clarissa damita danielle daria diana donna dora doris ebony eden eliza emily erika eve evelyn faith gale gilda gloria haley helga holly ida idona iris isabel ivana ivory janet jessica jewel joanna julie juliet kacey kali kara kassia katrin katrina kyle lady lara laura linda lisa lolita lynn maia mary melody mimi mona myra nadia naomi natalie nicole nora nova olga olivia pamela peggy queen rachel rae rita rosa ruby sharon silver ula uma valda valora vanessa vicky violet vivian wendy willa xandra xenia xylia zenia zilya zoe"

		if {[regexp {[1-3][0-9]$} $nick] && [regexp {[a-zA-Z]$} [string range $nick 0 end-2]] } {
            if { ![string equal [lsearch -exact [split $wormnicks] [string range $nick 0 end-2]] -1]} {
				## whatever you want to do - do it here
			}
		}

		

The advantage is, it doesn't catch nicks like Dieter19 or Manuela22. The source of that wormspreader is killed, there won't be a upgrade of that wormlist.

[Sir_Fz]

The source of that wormspreader is killed, there won't be a upgrade of that wormlist.

The author of that wormspreader is killed? what, electricity shock from his own PC or some other wormspreader-dude murdered him?

[chandra Sha]

Maybe he killed by his own wormlist
on this 3 days, i'm abble seen taht spam anymore, maybe they got effect from tsunami on taiwan too

BTW for this problem, i using Antidrone by sKy

[silverboy]

## whatever you want to do - do it here

could someone please add a command to ban the spam bot nick for 1minute ?