Z
From Slacked
Z is a security service written in Perl. It is based on BotServ but has since been heavily modified.
Bugs and suggestions
If you think you have found a bug in Z, please report it to #Slacked. If you feel you are able to describe the problem adequately, you may file a bug report here.
If you have suggestions for improving Z, we'd love to hear them. You can file an enhancement here or tell someone in #Slacked about your idea.
#Sticky
The channel #Sticky exists as a spamtrap, since many unsophisticated spambots will simply target the largest channel on the network. If any client messages the channel, or any of the _SlackedZnn clients, they will be immediately frozen.
The _SlackedZ clients
The _SlackedZnn clients are bait: if any client messages one of them, that client will be immediately frozen. Approximately every 20 minutes Z will have a random _SlackedZ client cycle each channel, unless that channel has opted out.
Channel locking
Z monitors the join/part rate of every channel on the network. It samples the current rate of clients joining and parting a channel three times every 15 minutes and uses this information to calculate an average for the channel. The threshold for a channel is calculated by adding an additional 10% to the average, to allow for client 'bursts'. If the threshold for a channel is exceeded, Z will lock the channel by applying channel modes which prevent any additional clients from joining AND prevent non-ops from messaging the channel. The modes are automatically reversed after 60 seconds. A channel operator can remove the modes early.
The locking of channels is done to prevent floodbots from flooding a channel. Usually when this happens channel operators are unable to deal with it because of lag. Therefore, these measures act as a last resort. Channel operators cannot configure channel locking at this time, although this feature may be added in future.
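The threshold and timed lock described above can be modelled as follows. This is an added example, not Z's own code (Z is written in Perl). The class and method names, the one-hour averaging window and the minimum threshold for idle channels are assumptions; the sampling interval, the 10% margin and the 60-second lock come from the text.

```python
from collections import deque

SAMPLE_INTERVAL = 300  # seconds: three samples every 15 minutes (from the page)
BURST_MARGIN = 0.10    # threshold = average + 10% (from the page)
LOCK_SECONDS = 60      # modes are reversed after 60 seconds (from the page)
HISTORY = 12           # assumption: average the last 12 samples (one hour)
MIN_THRESHOLD = 5      # assumption: floor so an idle channel is not locked by one join


class ChannelMonitor:
    """Join/part rate tracker for one channel (hypothetical model)."""

    def __init__(self):
        self.samples = deque(maxlen=HISTORY)  # completed per-interval counts
        self.current = 0                      # events in the running interval
        self.locked_until = None

    def threshold(self):
        """Average of stored samples plus the burst margin, or None with no baseline."""
        if not self.samples:
            return None
        average = sum(self.samples) / len(self.samples)
        return max(average * (1 + BURST_MARGIN), MIN_THRESHOLD)

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def event(self, now):
        """Record one join or part; return True if this event triggers a lock."""
        self.current += 1
        limit = self.threshold()
        if limit is None or self.is_locked(now) or self.current <= limit:
            return False
        self.locked_until = now + LOCK_SECONDS  # auto-reversal time
        return True

    def close_interval(self):
        """Run every SAMPLE_INTERVAL seconds: store the count, start a new one."""
        self.samples.append(self.current)
        self.current = 0

    def unlock(self):
        """A channel operator removing the lock modes early."""
        self.locked_until = None
```

Without the floor, a channel whose recent average is zero would be locked by its first join, which is why the model clamps the threshold.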
Channel commands
You can control whether Z will cycle your channel by specifying commands in the topic of the channel. You need only change the topic once for the change to take effect.
To have Z ignore your channel, type:
/Z CYCLE STOP <channel>
e.g.
/Z CYCLE STOP #slackdev
Z will then notice your channel to say that your channel will be ignored from now on. If you later decide that you want Z to cycle your channel again, you can have Z stop ignoring your channel by adding:
/Z CYCLE START <channel>
e.g.
/Z CYCLE START #slackdev
You can get further information on these commands by typing:
/Z HELP CYCLE
Banned by Z
[rand] Possible automated drone
Z analyses the nickname, ident and GECOS (real name) of all connecting clients. From this it calculates a random score, which attempts to portray the probability of a given client being 'random'.
Unfortunately, floodbots have started using nickname, ident and GECOS parameters without any discernible pattern. Therefore Z has started to heuristically analyse clients to determine whether they look like a floodbot using random strings in their user information.
As with any heuristic analysis, sometimes it is wrong. However, we work to keep the number of false positives down to a negligible level, while still keeping our network free from the plague of evil bots.
[exp/fyle] Possible fyle bot
Your GECOS looks like that of a fyle bot, usually because it contains an unqualified domain name without an http/www prefix.
[exp/fbot] Possible floodbot
Your nickname, ident, or GECOS match those previously seen during past attacks.
xdcc catcher not allowed
Your client responded to the CTCP LAG request that Z sent to you on connect. A response to a CTCP LAG is indicative of an XDCC bot. You should either ignore Z (you can either ignore everything or just CTCPs) or switch to a client which does not respond to all CTCP requests.
You can ignore Z by typing:
/IGNORE Z!*@* CTCP
or to ignore everything:
/IGNORE Z!*@* ALL
Blacklisted by Z
If you are blacklisted, it is usually because you have been banned multiple times by Z. However, this is not always the case, since administrators can add blacklist entries manually.
Bans of this type will not expire for a long time; you'll need to contact security@slacked.org.
Getting unbanned
You can use the automatic 1-click unban process to have the ban reversed IF you have not been blacklisted OR banned [manually] for abusing the network.
Visit the URL provided in your ban message. Once you're on the ban details page, click on the 1-click unban button. If everything has gone okay, you'll see a message at the bottom saying 'All done'. Now attempt to reconnect. If you still cannot connect, contact security@slacked.org with your AKILL-ID and/or ban message.
You can only use 1-click unban ONCE every 30 days and only where you have not been blacklisted or manually banned by the network administration.
Ban durations
During attacks it is usually necessary to ban many different IPs. Because of this, the list of bans can become excessive, even numbering in the hundreds. These bans used to not expire for several days, and manipulating a list of bans which numbers in the hundreds can be cumbersome. In contrast, floodbots tend to come from a variety of sources and rarely connect from the same host twice in a short period of time.
To counteract this, Z only places bans which last for 5 minutes. This means that after an attack the bans will expire after a short time, leaving the ban list as it was before the attack.
Z keeps track of the bans it has placed, even after the bans have actually expired, up to a period of 60 days. Once a ban has aged 60 days it is removed from Z's history.
If Z places a ban on a host which has previously been banned, it will increase the duration of the ban in a linear fashion each time (5 minutes becomes 10 minutes, which becomes 30 minutes and so on). After several bans have been placed, the host will be blacklisted and the duration will be increased to a maximum of 40 days.
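The interaction between short bans and the longer-lived history can be sketched like this. It is an added example, not Z's own code; the class and its names are hypothetical. The 5, 10 and 30 minute steps, the 60-day history and the 40-day maximum come from the text, while treating the ban after those three steps as the blacklisting one is an assumption, since the page only says "several".

```python
from datetime import datetime, timedelta

HISTORY_TTL = timedelta(days=60)          # bans stay in history for 60 days (page)
BLACKLIST_DURATION = timedelta(days=40)   # maximum duration (page)
# The page names these three steps and then says "and so on"; treating the next
# ban as the blacklisting one is an assumption made for this example.
SCHEDULE = [timedelta(minutes=m) for m in (5, 10, 30)]


class BanHistory:
    """Per-host ban record that outlives the bans themselves (hypothetical model)."""

    def __init__(self):
        self.bans = {}  # host -> list of (placed_at, duration)

    def _recent(self, host, now):
        """Drop entries aged 60 days or more and return what is left."""
        kept = [(t, d) for t, d in self.bans.get(host, []) if now - t < HISTORY_TTL]
        if kept:
            self.bans[host] = kept
        else:
            self.bans.pop(host, None)
        return kept

    def ban(self, host, now):
        """Place a ban; return (duration, blacklisted)."""
        prior = len(self._recent(host, now))
        blacklisted = prior >= len(SCHEDULE)
        duration = BLACKLIST_DURATION if blacklisted else SCHEDULE[prior]
        self.bans.setdefault(host, []).append((now, duration))
        return duration, blacklisted

    def is_banned(self, host, now):
        """True while any recorded ban on the host is still in force."""
        return any(t <= now < t + d for t, d in self._recent(host, now))
```

A host that stays away for 60 days falls out of the history and starts again at 5 minutes, while a repeat offender keeps escalating even though each earlier ban expired long before.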
Case-specific information
Z assigns each ban a specific AKILL-ID. You can use this to find out the details of your ban at http://z.slacked.org (there is also a direct link to an explanation contained in the message given for every ban).

