stable

unrealircd-6.1.2.3-2.fc37

FEDORA-2023-239e87c78a created by robert 2 years ago for Fedora 37

UnrealIRCd 6.1.2.3

UnrealIRCd 6.1.2 focuses on adding spamfilter features but also contains various other new features and some fixes.

  • The 6.1.2.1 release fixed a spamfilter::rule crash in 6.1.2.
  • The 6.1.2.2 release fixed tkldb accidentally storing central spamfilters, a crash while booting if you previously used spamfilters with non-UTF-8 characters in them, and a possible crash with SETNAME when using the SPAMFILTER u target.
  • The 6.1.2.3 release fixed UTF-8 not working in spamfilter { } blocks and a possible crash on REHASH if you have typos or other errors in the config file. It also fixed ::exclude-security-group not working and now gives DNSBL lookups some more time.

Enhancements

  • Upstream now gives tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices.
  • security-group { } block and mask item enhancements:
    • Add support for channel "#xyz"; and channel "@#need_ops_here";
    • Add support for Crule to allow things like rule "inchannel('@#main')||reputation()>1000";
  • DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL.
  • The reputation score of connected users (actually IPs) is increased every 5 minutes. Upstream still does this, but only for users who are in at least one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members. Setting this to 0 means scores are also bumped for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will eventually get synced back to all other servers.
  • spamfilter { } block improvements:
    • Spamfilters now always run, even for users that are exempt via an except ban block with type spamfilter. However, for exempt users no action is taken or logged. This makes it possible to count normal hits and hits for exempt users separately. The idea is that the hits for exempt users can be a useful measurement to detect false positives. These hit counts are exposed in SPAMFILTER and STATS spamfilter.
    • Optional items allowing more complex rules:
      • spamfilter::rule: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit).
      • spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item. If this matches, then the spamfilter will not run at all (no hit).
    • New target type raw (or R on IRC) to match a raw command / IRC protocol line (except message tags), such as LIST*. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected.
    • The action item now supports multiple actions:
      • A new action stop to stop other spamfilters from processing.
      • A new action set to set a TAG on a user, or change the value of one. It also supports changing the reputation score.
      • A new action report to call a spamreport block, see next.
  • A new spamreport { } block:
    • This can do a HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit.
  • Optional Central Spamfilter: This will fetch and refresh spamfilter rules every hour from unrealircd.org.
    • This feature is not enabled by default. Use set { central-spamfilter { enabled yes; } } to enable.
    • set::central-spamfilter::feed decides which feed to use: fast for early access to spamfilter rules that are new, and standard (the default) for rules that have been in fast for a while.
    • set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged.
    • See the Central Spamfilter article for the disclaimer and all other options you can set.
  • set::spamfilter::utf8 is now on by default:
    • This means you can safely use UTF-8 characters inside constructs like [] in a regex.
    • Case insensitive matches work better. For example, for extended Latin, a spamfilter on ę then also matches Ę.
    • Other PCRE2 features such as \p can then be used. For example the regex \p{Arabic} would block all Arabic script. See also this full list of scripts. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure.
    • You can turn it off via: set { spamfilter { utf8 no; } }
  • Via set::spamfilter::show-message-content-on-hit you can now hide the message content in spamfilter hit messages. Seeing the content is generally very useful for judging whether a spamfilter hit is correct, so the default is 'always', but it also has privacy implications, so there is now this option to disable it.
  • You can restrict includes to only contain certain blocks, the style is: include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } }
  • A new ~flood extended ban. This mode allows you to exempt users from channel mode +f and +F. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where types are the same letters as used in channel mode +f. Example: +e ~flood:t:*!*@*.textflood.example.org
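
Why the set::spamfilter::utf8 item above matters for filter accuracy, as an added example that is not from UnrealIRCd or the Fedora package: it uses Python's re module as a stand-in for the regex engine, on the assumption that a byte-oriented match behaves like utf8 no and a character-oriented match like utf8 yes. The sample lines and function names are constructed for illustration.

```python
import re

def utf8_aware_hit(pattern: str, line: str) -> bool:
    """Character-oriented, case-insensitive match (stand-in for utf8 yes)."""
    return re.search(pattern, line, re.IGNORECASE) is not None

def bytewise_hit(pattern: str, line: str) -> bool:
    """Same pattern and line, but matched on raw UTF-8 bytes
    (stand-in for utf8 no). Only ASCII letters are case-folded and a
    [] class becomes a set of single bytes, not of characters."""
    return re.search(pattern.encode("utf-8"),
                     line.encode("utf-8"),
                     re.IGNORECASE) is not None

# Constructed sample lines (not taken from any real spam feed).
SPAM_UPPERCASE = "KLIKNIJ PO WIĘCEJ"   # contains "WIĘCEJ" in upper case
BENIGN_LINE = "oni mają czas"          # contains neither ę nor ó

def compare(pattern: str, line: str) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {
        "utf8_aware": utf8_aware_hit(pattern, line),
        "bytewise": bytewise_hit(pattern, line),
    }

if __name__ == "__main__":
    # Missed hit: byte mode folds w/i/c/e/j but not the bytes of ę vs Ę.
    print("więcej vs upper-case spam:", compare("więcej", SPAM_UPPERCASE))
    # False positive: in byte mode [ęó] is the byte set {C4, 99, C3, B3},
    # and ą encodes as C4 85, so its lead byte alone triggers the filter.
    print("[ęó] vs benign line:      ", compare("[ęó]", BENIGN_LINE))
```

Both failure modes are relevant when reviewing existing filters after an upgrade: a filter that used to miss upper-case variants may start hitting, and one that used to over-match on partial bytes may stop.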

Changes

  • The argon2 parameters have been lowered a bit so that the hashing speed is acceptable for upstream's purposes.

Fixes

  • Temporary high CPU usage (99%) under some conditions
  • UnrealIRCd has had watch away notification since 2008. This is indicated in RPL_ISUPPORT via WATCHOPTS=A, and the syntax to actually use it is WATCH A +Nick1 +Nick2 etc. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status; that bug has now been fixed.
  • On 32 bit architectures you can now use more than 32 channel modes.
  • The set block for a security group was not working for the unknown-users group.
  • A leading slash was silently stripped in config file items, when not in quotes.

Developers and protocol

  • Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex).
  • Several API changes, like place_host_ban to take_action

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2023-239e87c78a

This update has been submitted for testing by robert.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago

This update has been pushed to testing.

2 years ago

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago

Metadata
Type: enhancement
Severity: medium
Karma: 0
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
approved: 2 years ago
BZ#2238031 unrealircd-6.1.2.3 is available