Op/Voice Information .....

Ad/Bots Document
November Newsy 1998

Finding Ad/Bots

Recently our #Beginner has seen a huge surge in the amount of ads, usually sex-related ads, that are being posted to our users. It's become more than a minor annoyance, and more of a major headache. To begin this tutorial, let's see exactly what we are talking about -- Advertisers vs. Adbots.

     Advertiser: Sends an ad while inside the channel, and is easy to find and remove.

     Ad/Bot: Sends an ad to our users, but isn't inside the channel. This means someone, or something, is sending the other person (advertiser) the nicknames of those inside the channel.

Let's review the typical steps involved in trying to track down an Advertiser or Ad/Bot:

  1. Do the /whois nickname, or the /whowas nickname, to get the IP.

  2. Type /who #beginner *.domain, or /who #beginner 208.458.389.87 (numeric IP).

  3. Look for a match between the original /whois nickname and the /who #Beginner IP.

  4. If a 'host/domain' matches, then kick/ban out the ad/bot, and put a notch on your belt.

  5. If there is no host match, then check for a domain match. If so, check the channels the nick is sitting in. If suspicious, then set a channel ban, and wait to see if the ads stop. If they do, then give yourself another notch, and ^5 your fellow opers.

  6. Should the /who #beginner not turn up any host match, nor any domain match, then take a deep breath. :) Look for suspicious nicknames, many times a female name followed by a teenage age, such as Katie16, or Maggie19. Do a /whois on these suspicious nicknames, and look for a pattern in the other channels they might be sitting in. Once you've isolated a few targets, join those channels and see if you can 'get' the ad again. If so, an option is to set a channel ban, remove the user, and see if the ads discontinue. If so, then smile big and wide. :) You've done good! If the ads continue, then it's back to the sleuthing.

The following will describe in more detail the steps listed above.

Let's say that while inside the channel, we get an ad from Katie16. We should automatically try a /whois katie16, and if she's gone offline already, then we can try a /whowas katie16. Her IP shows up as: Katie16 was katie16@ppp04.hotnet.com * sexy-me. We'll then want to see if there is anybody matching that host/domain sitting in our channel. We can do that by typing /who #beginner *.domain, or in this case, /who #beginner *.hotnet.com. Nine times out of ten, we'll find a match. In this case, we find a nancy20@ppp04.hotnet.com * xxxxx. Notice the host connection, the 'ppp04'. It's the same, and is in all probability a clone, or bot, running on the same computer.

At this point, we can ban the IP, and if they return with a changed userid (the part before the @), then we may have to set a domain ban. Recently the advertisers have been getting a bit smarter, and simply change their idents to get around a typical ban, so we're needing to set many more domain bans than we'd prefer. But sometimes it's the only way to keep them out, and to protect our users from the garbage.

There are those times, though, when the previous steps don't work, and there won't be a host match, but only a domain match. Try doing a /whois on that nickname, and see if they are sitting in the typical channels we see these ad/bots sitting in. There is a list of about 10 channels that consistently seem to attract these types of ads. This list would include channels that are very big, or involve warez, or involve sex, and these are a good clue that this could be the source of the trouble. If the ads continue, go ahead and set a channel ban on this person, and remove them from #Beginner. If the ads stop, then *bingo*, you found your match. If the ads persist, then undo the ban, apologize to the person, and keep looking. Let's also remember that one of the tag-team duo might be on a numeric IP. Try getting the /dns of the advertiser's IP, and run that through the /who #beginner search. It might pull up a match that way, and is certainly worth a try.
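
The host-match and domain-match checks described above can be run over a captured /who listing instead of by eye. The following is an added example, not part of the original newsletter: the function names are hypothetical, the /who reply lines are constructed (only the hotnet.com hostnames come from the article), and the dns argument stands in for results of manual /dns lookups.

```python
import ipaddress

# Constructed sample: raw 352 (RPL_WHOREPLY) lines for "/who #beginner".
# Only the nancy20/katie16 hostnames come from the article; the rest is made up.
SRV = "irc.example.net"
WHO_LINES = [
    f":{SRV} 352 oper #beginner nancy20 ppp04.hotnet.com {SRV} Nancy20 H :0 xxxxx",
    f":{SRV} 352 oper #beginner bob dial17.hotnet.com {SRV} Bob H :0 Bob",
    f":{SRV} 352 oper #beginner ann host1.example.org {SRV} Ann H@ :0 Ann",
    f":{SRV} 352 oper #beginner joe 192.0.2.44 {SRV} Joe H :0 Joe",
]

def parse_who(line):
    """Return (nick, user, host) from one 352 reply, or None for other lines."""
    parts = line.split()
    if len(parts) < 9 or parts[1] != "352":
        return None
    return parts[7], parts[4], parts[5].lower()

def domain_of(host):
    """Last two labels of a hostname; None for a numeric IP.
    Simplification: mishandles suffixes such as co.uk."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return ".".join(host.split(".")[-2:])

def triage(ad_userhost, who_lines, dns=None):
    """Sort channel members into host matches and domain-only matches.
    dns: optional {numeric_ip: hostname} filled in from manual /dns lookups."""
    dns = dns or {}
    ad_host = ad_userhost.split("@", 1)[1].lower()
    ad_host = dns.get(ad_host, ad_host)
    found = {"host": [], "domain": []}
    for nick, _user, host in filter(None, map(parse_who, who_lines)):
        host = dns.get(host, host)
        if host == ad_host:
            found["host"].append(nick)
        elif domain_of(host) and domain_of(host) == domain_of(ad_host):
            found["domain"].append(nick)
    return found

def ban_masks(ad_userhost):
    """Ban masks from narrowest to widest: ident+host, host, whole domain."""
    user, host = ad_userhost.lower().split("@", 1)
    masks = [f"*!*{user.lstrip('~')}@{host}", f"*!*@{host}"]
    if domain_of(host):
        masks.append(f"*!*@*.{domain_of(host)}")
    return masks
```

A host match is the strong signal (same dial-up line, likely a clone); a domain-only match is just a candidate for the /whois channel check, since ordinary users share the provider too.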

There is still one more scenario, and these advertisers are the hardest of all to spot. There are times when we get an ad from a domain, let's say from hotnet.com, but there are no users from that domain in #Beginner. Nor are there any users using the /dns of hotnet.com in #Beginner. *sigh* The hours we've spent trying to track them down are staggering. After some experience and time spent working on this, we can draw on that experience, and look through the nickname list, doing a /whois on any nickname that might appear suspicious. If I find what may look like a trouble-maker, then I'll join some of those other channels they are sitting in, and try to get the ad from there. Sometimes that works, sometimes it doesn't.

To be honest, I don't have a perfect solution. It's a matter of trying one thing, then trying another. Sometimes even picking a nick, setting a temporary ban, and waiting. We've been known to get lucky a few times. :)) If all else fails, try to find an IRCop (type /who 0 o), report the troubles, and they may 'KILL' the nick. Unfortunately, this is only a temporary fix. We can also log all the information, and send it in to the advertiser's ISP. We would need to include the /whois, the time, our time zone, and a copy of the ad/log. Many providers will take the time to try to track this person down. (Bravo to them!!) Others, however, may be too busy, or are administering too many users, to be able to track them down. It's ALWAYS worth a shot, though. :)

Folks, these are not foolproof methods, just things that I've been doing during the past many months of trying to track them down. Should anyone like to offer some more advice and helpful encouragement, please feel free to send in your suggestions for the next newsletter. :)