The most important thing I can say about these reports: they need to be taken with a grain of salt. The programs I use to generate them are completely automated, and often make mistakes. Also, the IRC servers themselves, especially lately, have been the subject of DNS spoofing, which makes all of the data given in my reports `suspect'. Any report that is emailed to you, you need to go over carefully before acting upon its recommendations.

1) This is automated, based on my stats generating programs.

2) Yes, it can see invisible users. But I don't actually look at the data myself ... I don't feel it to be too much of an invasion of people's privacy. Most people I've talked about this with agree. If you disagree, feel free to let me know.

3) I probably grabbed the email addresses from the /admin lines of your server. I may have done it a few months ago. If you want me to change it, let me know.

4) The threshold is set to 8 simultaneous logins - if they have fewer sessions than this, it will ignore them.

5) This is run daily. At most, you should receive one email per day, assuming everything works.

6) It sometimes suggests absurd K-lines - for example, it will happily suggest that you ban all your local users. This is one reason why its suggested K-lines are only suggestions ...

7) It only `polls' the network twice an hour. If somebody isn't clonebotting at the moment it polls, it won't catch it. It's also pretty easy to hide from this program if you know how. But most clonebotters aren't too bright, so ...

8) Reports of each `user' are only mailed to the servers that were used, not to everybody - i.e., each report is customized, listing only people who have abused your (among others) server.

9) Obviously single user machines (slip*, ppp*, dialup*, *.aol.com, *.gnn.com, etc - it has a list of such machines, and it's growing as I add more) are treated as such - all sessions from such a machine are assumed to be one person. This assumption is usually correct ...
10) The script is stupid. It can't always tell what's a clonebot and what are real users. If there's a site that triggers it when it shouldn't be, let me know, and I'll add this to the `ignore' list.

11) All times given are accurate within a minute or so, and are in the central time zone. If your site doesn't follow daylight saving time, you may need to correct for that too.

12) None of this has anything to do with my employer ... it's all being done in my own time.

13) I do *not* suggest that you just plug in its list of suggested K-lines. Do check the rest of the email and make sure they at least make sense. It occasionally will suggest K-lining people who are doing nothing wrong. Things that often cause it to give `false positives':
   - many people sharing an account.
   - many people using a single machine on a SLIP/PPP line.
   - Ident daemons that return encrypted userids, when the ircd in question lists the encrypted value as the userid.
   - Firewalls or proxy servers that make all users appear to be using the same account.
   - Sites where my software isn't able to determine that a user is using a SLIP/PPP account. Check out http://www.comco.com/dougmc/irc-stats/misc/clone.cfg for a current list of dialups that it can detect.

Also note that if a site (multi-user, Unix usually) does not run identd, it's trivial for any user there to impersonate any other user. In most cases, these usernames will be flagged with a ~ character. If you see a clonebot report where the username is not authenticated by identd, take it with a grain of salt - it's entirely possible that the person is being `framed'. You may wish to merely ban the entire site until it installs identd. A K-line like:

   K:site.edu::~*

will do this.

ircd-2.8.21 does not support K-line comments. ircd-2.8.21.CSxx does. The comments are given in this format:

   K:site.edu:^OKeep_your_clonebots_off_my_server!:*

Note that using spaces can confuse some clients. I suggest using underscores instead of spaces.
The ^O refers to a control-O. It is required.

ircd-2.8.21.digi does support K-line comments, but I'm not sure about the specifics. It is probably similar to CSxx.

ircd.2.9.30 (Undernet) does support K-line comments:

   K:site.edu:Keep_your_clonebots_off_my_server!:*

No ^O needed. K-line comments are great for letting people know why they are banned.

Any questions/comments, let me know.

- Demon/Doug

Last updated : Wed Jun 19 18:09:36 CDT 1996

Ok, a quick rundown of the changes:

1) If you have /quote kline (the CSrXX and ircd/digi servers have it, and hopefully the Undernet servers will have it soon. It's wonderful) you can use it to apply K-lines (and comments.) K-line comments are a very nice feature as well - they allow your users to get some idea of why they were K-lined, and allow you to keep short notes in there for yourself. Undernet, CSrXX and ircd/digi servers support K-line comments. Note that it's best to not put any spaces into a K-line comment - it can crash some clients. As far as I know there are no plans to add /quote kline or K-line comments to the stock Efnet ircd by Avalon (the maintainer of the `stock' Efnet ircd.) The idea has been suggested to him, and rejected for whatever reason.

2) It now gives each clonebotter a `score'. The score consists of two numbers:
   - The first gives the total number of clones detected.
   - The second gives the peak number of clones detected.
   The net is polled twice hourly. So if a guy has 15 clones loaded for two hours, his score will be 60/15 - the net would be polled 4 times while he had his clones up, and the peak number of clones found would have been 15. It's not that complicated :) I suggest keeping this score in a K-line comment, or in a comment next to the K-line, so you can tell just how bad somebody was cloning at a glance.
   Note also that the total number of clones detected could be higher than that listed in your `Logs' section - if the cloner didn't have any clones on your server at a given time, you will not be informed of it, but their `score' will still go up. Currently it counts anybody with 6 or more simultaneous connections, but will only email somebody if it detects 8 or more at least once.

3) I can now send out notices about clonebots from a given domain, in addition to notices for each server. If you're interested in this, drop me an email with the domain and your email address. No, I'm not going to give you reports on domains other than your own. That would be a can of worms that I do not want to open ...

   Note that the domain and the server clonebot reports will be sent in two separate emails, so you could have two very similar emails. For example: suppose you were getting clonebot reports for both the *.bozo.com server and the *.bozo.com domain.
   - If a bozo.com user clones on the bozo.com server, that will be reported in both emails.
   - If a non-bozo.com user clones the bozo.com server, it will only be reported (to you) in the bozo.com server report.
   - If a bozo.com user clones a non-bozo.com server, it will only be reported (to you) in the bozo.com domain report.

   I do these clonebot reports for Efnet and for Undernet. If you get a domain report, you will receive reports of clonebots on both networks, but in separate emails. So, if you run an Efnet server, and want clonebot reports for your domain, you could receive up to three emails per day.

4) Servers with names like `*.fi' are caused by the new 2.9 server's hostmasking. There is no way for me to tell exactly which server one of these clones is on, only that it is behind, for example, `*.fi'. I don't like it, but I'm stuck with it.

5) Some important things in the clonebot-reports-blurb.txt file that I want to mention again:
   - These programs can not replace active operators watching your server for abuse.
     They are totally automated and can easily be fooled.
   - They do occasionally report users as clones that are not clones. When this happens, please send me an email so I can fix it appropriately. There are two main ways I can `fix' this sort of problem:
     1) tell it to ignore a given user@host. I prefer not to do this, but it's appropriate for things like telnet IRC servers or BBS's, where everybody IRCs on one account.
     2) I can teach it about another set of dialup lines/single user machines, which it treats a little bit differently. (It ignores the userid part completely, and instead uses the full hostname.)
   - It's important that you scan over the `logs' before you apply a K-line. These programs DO occasionally make mistakes, or suggest K-lines that you would not want to apply.
   - Don't feel the need to reply to every email saying `K-lines added'. But do let me know if something screws up or something out-of-the-ordinary happens, or if you have any questions.

If something doesn't work right, let me know - it's quite possible that I've made some mistakes in making these changes. I haven't had much of a chance to test them.

Some possible `features' I'd like to add include:
1) Smarter K-line suggestions:
   - find the least restrictive K-line that will work, instead of the stock `*username@*.domain'
   - not suggest that you ban your entire domain, ever.
2) Give each K-line a `score', so you can K-line only the worst offenders.
3) Automatically email the domain contact for the very worst offenders. This may or may not be a good idea for me to do ... I'm not sure yet.
4) Keep track of how many times this person has made the reports ...

I'll do these as I have time, if I have time. This list is just off the top of my head ...

- Doug McLaren, dougmc@comco.com
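The following is an added worked example, written for this edited copy of the blurb; it is not Doug's stats code. It ties together the rules the blurb states: sessions from single-user machines (slip*/ppp*/dialup*/*.aol.com/*.gnn.com) are keyed by hostname alone, everything else by user@host; an `ignore' list of user@host entries is skipped; 6 or more simultaneous sessions count toward the score while a report is only generated once 8 or more are seen in at least one poll; the score is total/peak over twice-hourly polls (15 clones for four polls gives 60/15); each server only sees cloners who used it; a ~ userid means identd did not vouch for it; and the stock `*username@*.domain' suggestion is emitted as a K-line in the 2.8.21 (no comment), CSxx (^O prefix) or Undernet (plain comment) syntax with spaces turned into underscores. The snapshot record layout, all hostnames, userids and server names, the ignore-list entry and every function name are assumptions for the example.

```python
"""Clone-scoring over poll snapshots. Added example, not the blurb's own
program; record layout, host/user/server names and function names are
assumed for illustration."""
import re
from collections import defaultdict

# Thresholds stated in the blurb: 6+ sessions count toward the score, a
# report is only mailed once 8+ sessions are seen in at least one poll.
COUNT_THRESHOLD = 6
REPORT_THRESHOLD = 8

# Single-user machines (the blurb's slip*/ppp*/dialup*/*.aol.com/*.gnn.com
# list): all sessions from such a host are one person, so the userid is
# ignored and the full hostname is the key.
_DIALUP_RE = re.compile(r"^slip\d*\.|^ppp\d*\.|^dialup\d*\.|\.aol\.com$|\.gnn\.com$",
                        re.IGNORECASE)

# user@host entries the script has been told to ignore (telnet IRC servers,
# BBSs where everybody IRCs on one account). Example entry, assumed.
IGNORE = {"irc@bbs.example.com"}


def session_key(user, host):
    """Group sessions as the blurb describes: by host alone for single-user
    machines, otherwise by user@host."""
    if _DIALUP_RE.search(host):
        return "*@" + host
    return user + "@" + host


def score_polls(polls):
    """polls: list of snapshots, each a list of (user, host, server) tuples.
    Returns {key: {"total", "peak", "servers", "ident"}} for every key that
    reached COUNT_THRESHOLD in at least one poll."""
    stats = {}
    for snapshot in polls:
        per_key = defaultdict(list)
        for user, host, server in snapshot:
            if user + "@" + host in IGNORE:
                continue
            per_key[session_key(user, host)].append((user, server))
        for key, sessions in per_key.items():
            n = len(sessions)
            if n < COUNT_THRESHOLD:
                continue
            e = stats.setdefault(key, {"total": 0, "peak": 0,
                                       "servers": set(), "ident": True})
            e["total"] += n
            e["peak"] = max(e["peak"], n)
            e["servers"].update(s for _, s in sessions)
            # A leading ~ means identd did not authenticate the userid, so
            # the person may be being framed; flag it for the report.
            if any(u.startswith("~") for u, _ in sessions):
                e["ident"] = False
    return stats


def reportable(stats):
    """Keys that hit REPORT_THRESHOLD at least once (the ones emailed)."""
    return {k: v for k, v in stats.items() if v["peak"] >= REPORT_THRESHOLD}


def report_for_server(stats, server):
    """Each server only hears about cloners who actually used it."""
    return {k: v for k, v in reportable(stats).items() if server in v["servers"]}


def score_string(entry):
    """Two-number score: 15 clones up for four polls -> '60/15'."""
    return "%d/%d" % (entry["total"], entry["peak"])


def suggest_kline(key, entry, flavor="undernet"):
    """The stock '*username@*.domain' suggestion as a K:host:comment:user
    line. flavor: 'stock' (2.8.21, no comments), 'csxx' (^O prefix
    required) or 'undernet' (plain comment). Spaces become underscores."""
    user, host = key.split("@", 1)
    comment = "Clonebots " + score_string(entry)
    if not entry["ident"]:
        comment += " unverified ident"
    comment = comment.replace(" ", "_")
    if user == "*":                        # single-user machine: whole host
        hostmask, usermask = host, "*"
    else:
        labels = host.split(".")
        hostmask = "*." + ".".join(labels[-2:]) if len(labels) > 2 else host
        usermask = "*" + user.lstrip("~")
    if flavor == "stock":
        comment = ""
    elif flavor == "csxx":
        comment = "\x0f" + comment         # ^O (control-O), required by CSxx
    elif flavor != "undernet":
        raise ValueError("unknown ircd flavor: " + flavor)
    return "K:%s:%s:%s" % (hostmask, comment, usermask)


def site_identd_kline(site):
    """Ban everything unauthenticated from a site until it runs identd."""
    return "K:%s::~*" % site


def sample_polls():
    """Constructed snapshots: four polls, i.e. two hours at twice hourly."""
    polls = []
    for i in range(4):
        snap = [("bozo", "shell.example.edu", "irc.example.edu")] * 15
        if i < 2:   # 7 sessions in two polls: counted, never reported
            snap += [("lamer", "multi.example.org", "irc.example.org")] * 7
        # PPP line, three userids, nine sessions: treated as one person
        snap += [(u, "ppp7.isp.example.net", "irc.example.org")
                 for u in ("a", "b", "c") for _ in range(3)]
        if i == 3:  # identd-less site, ~ prefixed, 8 clones in one poll
            snap += [("~joe", "multi.example.edu", "irc.example.edu")] * 8
        snap += [("irc", "bbs.example.com", "irc.example.org")] * 12  # ignored
        polls.append(snap)
    return polls


if __name__ == "__main__":
    st = score_polls(sample_polls())
    for k, v in report_for_server(st, "irc.example.edu").items():
        print(score_string(v), suggest_kline(k, v, "csxx"))
```

Running it reports only the two cloners who touched irc.example.edu, with `bozo` scored 60/15 and the unauthenticated `~joe` scored 8/8 and marked in the comment; the seven-session `lamer` is scored but never reported, and the BBS account is skipped entirely. The K-line builder deliberately keeps the blurb's coarse `*.domain` mask so the output mirrors what the reports suggest; as the blurb itself warns, that mask can cover your whole domain, so read the logs before applying it.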