Pan-dimensional mouse
Joined: Jan 2012
Posts: 321
So, I finally finished writing my first version of the script for you, so that it would be possible, using a connection scan, to protect your server from a massive penetration of users from proxy addresses. This may not be all you would like to see to protect your server, but it is better than nothing. In my opinion, it is more efficient to catch proxies when they connect to the server than when they are already entering channels, since their addresses can be encrypted or be a virtual host, and you will be flooded with constant messages about joins with probable spam. Of course, this code is still raw and may not be perfect, so I suggest you test it for several weeks to collect a report on the errors found and suggestions for improving this code.

Description of v1.0:

1. Scans all incoming connections to the server and checks users by "IP4" (the address must be in the form of numbers). For this, the bot where this script will be installed must have IRCop privileges with snomask (+cC).
2. You can use the command with the syntax "!ps <start/stop/reload>". (All nicknames for which this command will be available are recorded in the "%ps_admins" variable.)
3. In the "ps_gettype" alias you can, if you wish, write your own signatures for those DNSBL servers that should describe the proxy type in case of detection.
4. You can create your own DNSBL server lists in the "proxyscanner_list" alias, against which the IP of all connecting users should be checked. (Use the provided list as an example; it includes the server name and a comma-separated list of response numbers to act on if they match.) Warning: this requires very fine tuning so that there are no false positives and innocent netizens are not banned. Therefore, it is recommended to first check through similar websites which reply number the script was correctly triggered by. For example, if the "dnsbl.dronebl.org" server answered "9" when checking through the DNSBL, then this is correct in most cases and you will ban a real proxy. But if the same server answers "3" or "14", then this may be a false positive. My advice for the testing period is to turn off the bans by setting the variable "%ps_btype = off", so that you can just watch what is happening and debug accurately using the resulting numbers in the responses, rechecking where the truth is and where the lie.
5. Through the "proxyscanner_set" alias you can customize the configuration parameters of the script:
%ps_servers – Contains a comma-separated list of servers ("irc.server1.com,irc.server2.com") on which the script should work. (You can specify "all" for all servers.)
%ps_snomask – All "snomask" modes that must be enabled for the bot to work correctly are indicated here.
%ps_btype – The type of server ban is indicated here. (Possible options: "ZLINE/KLINE/GLINE", or set the value to "off" to disable bans.)
%ps_btime – Contains the time for which the ban will be set for the user.
%ps_breason – The reason for the ban is indicated here; it will be visible to the banned user.
%ps_blogo – The logo prefix, which will be present in all messages of the script.
%ps_mchan – Here you specify the channel to which a message should be written when a detected proxy is banned.
%ps_admins – A comma-separated list of aliases for which script control will be available.

I am attaching a screenshot of how the script, after the user is banned, reports in the specified channel about the proxy found in the DNSBL list.

This code must be inserted into the script editor. To do this, press the key combination "ALT+R" and save this code as a new "File/New" script called "AntiProxyScan.mrc":
; #####################################################################
; Name: AntiProxyScan v1.0
; Author: Epic (epicnet@mail.ru, http://epicnet.ru)
; Description: Automatically scans all incoming connections to the server for proxy addresses and sets a server ban if found.
; #####################################################################
alias -l proxyscanner_set {
%ps_servers = all
%ps_snomask = +cC
%ps_btype = ZLINE
%ps_btime = 3d
%ps_breason = Your IP was found in DNSBL and it is suspected that is (VPN/Tor/Proxy). To unlock contact the chat administration.
%ps_blogo = DNSBL: 01,04 BAN
%ps_mchan = #Services
%ps_admins = Epic,Sleepyhead,Admin
}
alias -l proxyscanner_list {
if ($hget(ps-dnsbl,0).item) .hfree -sw ps-dnsbl
.hadd -m ps-dnsbl dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255
.hadd -m ps-dnsbl rbl.efnetrbl.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
.hadd -m ps-dnsbl rbl.efnet.org 1,4,5
.hadd -m ps-dnsbl tor.efnet.org 1
.hadd -m ps-dnsbl cbl.abuseat.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
.hadd -m ps-dnsbl sbl.spamhaus.org 1,5,6,7,8,9,10,12,13,14,15,255
.hadd -m ps-dnsbl abuse-contacts.abusix.org 2,3,4
.hadd -m ps-dnsbl safe.dnsbl.sorbs.net 1,3
.hadd -m ps-dnsbl all.s5h.net 1,3
.hadd -m ps-dnsbl bl-h1.rbl.polspam.pl 1
.hadd -m ps-dnsbl postmaster.rfc-clueless.org 3
}
; ====================================================
on *:LOAD:{ proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on }
on *:CONNECT: proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on | if ($istok(%ps_servers,$server,44)) || (%ps_servers == all) { /mode $me +s %ps_snomask }
on *:TEXT:!ps*:#:{
if ($1 == !ps && $istok(%ps_admins,$nick,44)) {
if (!$2) { .notice $nick Syntax: !ps <start/stop/reload> | halt }
if ($2 == start) { %ps_work = on | .notice $nick ProxyScanner on } | if ($2 == stop) { %ps_work = off | .notice $nick ProxyScanner off }
if ($2 == reload) { proxyscanner_set | proxyscanner_list | .notice $nick ProxyScanner reload }
}
}
; Parse the server's "Client connecting" notice; the client is scanned only if its host part is a dotted IPv4 address
on *:SNOTICE:*Client connecting*:{
if (%ps_work == on) {
if ($istok(%ps_servers,$nick,44)) || (%ps_servers == all) {
var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok(%ps_mask,1,33) | var %ps_ip $gettok(%ps_mask,2,64) | var %ps_id $gettok($gettok(%ps_mask,1,64),2,33)
if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
}
}
}
; ====================================================
; Reverse the IP, remember who it belongs to for 60 seconds, and fire one DNS lookup per DNSBL zone
alias -l proxyscanner_check {
var %ps_reverse $ps_revip($1) | .hadd -mu60 ps-oip %ps_reverse $1 | .hadd -mu60 ps-oid %ps_reverse $2 | .hadd -mu60 ps-onick %ps_reverse $3
var %ps_all $hget(ps-dnsbl,0).item | var %ps_q 1 | while (%ps_q <= %ps_all) {
var %ps_name $hget(ps-dnsbl,%ps_q).item | var %ps_check $+(%ps_reverse,.,%ps_name)
.dns %ps_check | inc %ps_q
}
}
; The last octet of each DNSBL reply is the listing code; act only if it is on that zone's list, and only once per IP
on *:DNS:{
var %ps_i $dns(0) | while (%ps_i > 0) {
var %ps_dnsname $dns(%ps_i) | var %ps_dnsip $dns(%ps_i).ip | var %ps_dnsnum $gettok(%ps_dnsip,4,46) | var %ps_dnsrip $gettok(%ps_dnsname,1-4,46) | var %ps_dnsrname $gettok(%ps_dnsname,5-,46)
if (!$hget(ps-banip,%ps_dnsrip) && $istok($hget(ps-dnsbl,%ps_dnsrname),%ps_dnsnum,44)) {
;------------------------------------
if ($me ison %ps_mchan) /msg %ps_mchan %ps_blogo $+(07,$hget(ps-onick,%ps_dnsrip),) => $+(04,$hget(ps-oid,%ps_dnsrip),@,$hget(ps-oip,%ps_dnsrip),) => $+(06,%ps_dnsrname,) $+($chr(40),07,%ps_dnsnum,,$chr(41)) - $ps_gettype(%ps_dnsname,%ps_dnsnum)
if (%ps_btype == ZLINE) .ZLINE $hget(ps-oip,%ps_dnsrip) %ps_btime %ps_breason
if (%ps_btype == KLINE) .KLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
if (%ps_btype == GLINE) .GLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
;------------------------------------
.hadd -mu30 ps-banip %ps_dnsrip 1 | .break
} | dec %ps_i
}
}
alias -l ps_revip { tokenize 46 $1 | return $+($4,.,$3,.,$2,.,$1) }
alias -l ps_detectip { tokenize 46 $1 | if ($0 == 4 && $1 isnum 0-255 && $2 isnum 0-255 && $3 isnum 0-255 && $4 isnum 0-255) { return 1 } }
alias -l ps_gettype {
if (dronebl isin $1) {
if ($2 == 2) { return Sample }
if ($2 == 3) { return IRC Drone }
if ($2 == 5) { return Bottler }
if ($2 == 6) { return Unknown Spambot/Drone }
if ($2 == 7) { return DDOS Drone }
if ($2 == 8) { return SOCKS Proxy }
if ($2 == 9) { return HTTP Proxy }
if ($2 == 10) { return Proxy Chain }
if ($2 == 11) { return Web Page Proxy }
if ($2 == 12) { return Open DNS Resolver }
if ($2 == 13) { return Brute Force Attackers }
if ($2 == 14) { return Open Wingate Proxy }
if ($2 == 15) { return Compromised Router/Gateway }
if ($2 == 16) { return Autorooting worms }
if ($2 == 17) { return Automatically determined botnet IPs (experimental) }
if ($2 == 18) { return DNS/MX type hostname detected on IRC }
}
if (rbl.efnet isin $1) {
if ($2 == 1) { return Open Proxy }
if ($2 == 2) { return Spamtrap666 }
if ($2 == 3) { return Spamtrap50 }
if ($2 == 4) { return TOR }
if ($2 == 5) { return Drones/Flooding }
}
if (tor.efnet isin $1) { return Tor Server }
if ($2 == 255) { return Unknown }
else { return Unknown Proxy }
}
The script was tested on InspIRCd v3 + mIRC v7.63. Remember that if something went wrong, or you accidentally erased something, then you can always reinstall this script again. If you find any errors in the code or in its work, or maybe you have new ideas, or if you think that this script needs to be improved, then be sure to write to me here about it, and we will think together about what we can do.
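As an added example that is not part of Epic's script, here is the same DNSBL decision logic (reverse the IPv4 address, query each zone, read the listing code from the last octet, act only on the codes configured for that zone) written in Python with an offline stand-in resolver, so the code lists can be tuned without querying real DNSBLs. The zone list and type labels are copied from the script; `FAKE_DNS` and `fake_resolve` are constructed sample data, not real listings.

```python
import ipaddress

# Zone -> listing codes to act on (copied from the post's proxyscanner_list).
DNSBL_ZONES = {
    "dnsbl.dronebl.org": {4, 5, 6, 7, 8, 9, 10, 13, 15, 17, 255},
    "rbl.efnetrbl.org": set(range(1, 16)) - {2},
    "tor.efnet.org": {1},
}
# Subset of the post's ps_gettype labels for dronebl codes.
DRONEBL_TYPES = {8: "SOCKS Proxy", 9: "HTTP Proxy", 10: "Proxy Chain", 14: "Open Wingate Proxy"}

def reverse_ip(ip):
    """'192.0.2.10' -> '10.2.0.192'; rejects hostnames and IPv6 like ps_detectip does."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("only IPv4 literals are scanned")
    return ".".join(reversed(ip.split(".")))

def listing_codes(answers):
    """A DNSBL answers 127.0.0.N; N (the 4th octet, $gettok(ip,4,46)) is the category."""
    octets = [a.split(".") for a in answers]
    return {int(o[3]) for o in octets if len(o) == 4 and o[0] == "127"}

def proxy_type(zone, code):
    """Mirror of the post's ps_gettype."""
    if "dronebl" in zone and code in DRONEBL_TYPES:
        return DRONEBL_TYPES[code]
    if "tor.efnet" in zone:
        return "Tor Server"
    return "Unknown" if code == 255 else "Unknown Proxy"

def check_ip(ip, resolve, zones=DNSBL_ZONES):
    """First (zone, code, label) whose code is on the action list, else None (no ban)."""
    try:
        rev = reverse_ip(ip)
    except ValueError:
        return None
    for zone, act_on in zones.items():
        hit = sorted(listing_codes(resolve(f"{rev}.{zone}")) & act_on)
        if hit:
            return zone, hit[0], proxy_type(zone, hit[0])
    return None

# Constructed offline resolver standing in for real DNS (sample data, not real listings).
FAKE_DNS = {
    "10.2.0.192.dnsbl.dronebl.org": ["127.0.0.9"],    # code 9 (HTTP Proxy) is on the list
    "7.100.51.198.dnsbl.dronebl.org": ["127.0.0.3"],  # code 3 is not, so no ban
    "5.113.0.203.tor.efnet.org": ["127.0.0.1"],
}
def fake_resolve(name):
    return FAKE_DNS.get(name, [])  # NXDOMAIN -> not listed
```

Swapping `fake_resolve` for a real lookup (for instance the A records returned by `socket.gethostbyname_ex`) gives a quick way to confirm which code a zone returns for a known address before enabling bans.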