[bopm] False Positives with Unreal IRCd

Erik Fears strtok at strtok.net
Thu Jun 12 04:26:08 UTC 2008 

I think this has been in the FAQ for years ,and maybe even in the
default config. Just make your targetstring less generic. End of story.

-erik

>       Hi,
>             I run BOPM for an IRC network i am a part of, and recently we
>    decided to open alternative ports for users to use in case 6667 was
>    blocked. These ports are as follows 7000, 7070, 8000, 8001, 8002.  While
>    several of these ports are known to be proxy ports (8000, 8001), and IRCd
>    does not classify as an open proxy.  Unreal IRCd via a web post will
>    respond with:
> 
>  :[1]daedalus.devnode.org NOTICE AUTH :*** Looking up your hostname...
> 
>  :[2]daedalus.devnode.org NOTICE AUTH :*** Found your hostname
>  :[3]daedalus.devnode.org 451 GET :You have not registered
>  :[4]daedalus.devnode.org 451 Host: :You have not registered
> 
>  :[5]daedalus.devnode.org 451 User-Agent: :You have not registered
>  :[6]daedalus.devnode.org 451 Accept: :You have not registered
>  :[7]daedalus.devnode.org 451 Accept-Language: :You have not registered
> 
>  :[8]daedalus.devnode.org 451 Accept-Encoding: :You have not registered
>  :[9]daedalus.devnode.org 451 Accept-Charset: :You have not registered
> 
>  :[10]daedalus.devnode.org 451 Keep-Alive: :You have not registered
>  :[11]daedalus.devnode.org 451 Connection: :You have not registered
> 
>    HTTP post and requests will be more or less true, however if you notice
>    that is IRCd text, and the only reason its coming up as true is because
>    its outputting what the browser is saying. Now, if you were to connect via
>    8000 to [12]daedalus.devnode.org,  you will get the IRC server.  No proxy
>    exists, but this results with BOPM as classifying it as a proxy, which has
>    gotten several of our servers, including mine (above) to be listen in
>    DroneBL.  A quick fix is to either disable the ports on the IRCd or
>    disable checking of those ports on BOPM. This does not have positive
>    results, as BOPM has found several actual proxies on port 8000.  Is there
>    a way to solve this problem, with a better fix, as I don't think open
>    proxys reply with IRC server responses.  :)
> 
>                                                            Thanks...
> 
> References
> 
>    Visible links
>    1. http://daedalus.devnode.org/
>    2. http://daedalus.devnode.org/
>    3. http://daedalus.devnode.org/
>    4. http://daedalus.devnode.org/
>    5. http://daedalus.devnode.org/
>    6. http://daedalus.devnode.org/
>    7. http://daedalus.devnode.org/
>    8. http://daedalus.devnode.org/
>    9. http://daedalus.devnode.org/
>   10. http://daedalus.devnode.org/
>   11. http://daedalus.devnode.org/
>   12. http://daedalus.devnode.org/

More information about the bopm mailing list