freenode bot monitoring

A project created to help fight the spy bot "invasion" on freenode.

Premise

There have been reports of bots following a similar pattern joining channels. Although their true purpose is currently unknown, they can be a nuisance, and people have been suggesting they might be collecting channel and user statistics.

Identifying

Nicknames of the bots usually consist of lowercase letters only, and their username and real name are fully or nearly identical to their nick. Their hostname is an IPv4 address. They don't respond to CTCP requests or private messages. Some of them idle in channels for a while, and others part straight away. A few are capable of rejoining on kick and /remove. They usually quit with the message "Remote host closed the connection" or "Ping timeout".

More recently, we have been seeing the following pattern:

PORT     STATE SERVICE    VERSION
1080/tcp open  socks5     Socks4A (Username/password authentication required)
8080/tcp open  http-proxy 3Proxy http proxy
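
The nickname, username, real name and hostname traits listed above can be checked passively against WHO replies a client has already received, without messaging or CTCPing anyone. The following is an added example, not code from this project; the sample lines are constructed, and the 0.8 similarity threshold for "nearly identical" is an assumption.

```python
import difflib
import ipaddress
import re

# Constructed RPL_WHOREPLY (352) lines; addresses are documentation ranges.
SAMPLE_WHO = """\
:irc.example.net 352 me ##chan ~qwmzkd 192.0.2.45 irc.example.net qwmzkd H :0 qwmzkd
:irc.example.net 352 me ##chan ~alice unaffiliated/alice irc.example.net Alice H :0 Alice Smith
:irc.example.net 352 me ##chan ~bob 198.51.100.7 irc.example.net bob H :0 Bob's laptop
:irc.example.net 352 me ##chan ~hgtrw 203.0.113.9 irc.example.net hgtrwp H :0 hgtrw
"""

SIMILARITY = 0.8  # assumed cut-off for "nearly identical"

def parse_who(line):
    """Split one 352 reply into (nick, user, host, realname), or None."""
    head, _, trailing = line.partition(" :")
    parts = head.split()
    if len(parts) < 9 or parts[1] != "352":
        return None
    user, host, nick = parts[4], parts[5], parts[7]
    realname = trailing.partition(" ")[2]  # drop the hop count
    return nick, user.lstrip("~"), host, realname  # "~" marks a missing ident reply

def is_ipv4(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def similar(a, b):
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio() >= SIMILARITY

def matches_pattern(nick, user, host, realname):
    """True only when all four traits from the description hold together."""
    return (re.fullmatch(r"[a-z]+", nick) is not None
            and similar(nick, user)
            and similar(nick, realname)
            and is_ipv4(host))

def candidates(who_text):
    """Return (nick, host) for every WHO entry matching the pattern."""
    records = (parse_who(line) for line in who_text.splitlines())
    return [(r[0], r[2]) for r in records if r and matches_pattern(*r)]

if __name__ == "__main__":
    print(candidates(SAMPLE_WHO))
```

A match is only a candidate for review: an ordinary user with a lowercase nick and an uncloaked IPv4 host can satisfy most of these traits, which is why all four are required together.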

Ranges

The following is a frequently updated list of active bot IP ranges:

Connect

Join ##botmonitoring on the freenode IRC network (webchat).

Removing the bots

If you wish to ban these bots, execute this command in your channel(s):

/mode +b $j:##botmonitoring-bots$##not-a-honeypot

This will keep your channel's ban list up to date automatically when new bans are added to ##botmonitoring-bots.

For an explanation of how $j works, please see this gist.

Alternatively, you can execute the following commands instead:

Any users matching the bans will be forwarded to ##not-a-honeypot. It might be wise for you to join that channel in case an innocent user gets caught by the bans.

Avoiding the bots

We believe these bots find channels because they appear on /list, which lists every non-secret channel on freenode. You can remove your channel from the list by applying the channel mode +s.

Alternatively, you could use +r to block unregistered users, or +S to block users not using a secure connection (SSL); however, these could also cause problems for normal users.

Help on channel modes: https://freenode.net/using_the_network.shtml#modes

Rules

  1. Use common sense.
  2. Do not bring unauthorized bots to the channel. This includes client scripts with automated triggers replying in-channel.
  3. Do not message or CTCP users identified as possible bots in order to try and see if they're indeed a bot, unless you're fairly certain you're dealing with one.