AntiProxyScan v1.0
  1.Scans all incoming connections to the server and checks users by "IP4" (address must be in the form of numbers). For this, the bot where this script will be installed must have IRCop privileges with snomask (+cC).
  2.You can use the command with the syntax: "!ps
  3.In the "ps_gettype" alias, you can, if you wish, write your signatures for those DNSBL servers that should describe the proxy type in case of detection.
  4.You can create your own DNSBL server lists in the "proxyscanner_list" alias with which you should check the IP of all connecting users. (Use the provided list as an example, which includes the server name and a comma-separated list of response numbers to act on if they match).Warning: This requires very fine tuning so that there is no false positive and that innocent netizens are not banned. Therefore, it is recommended to first check through similar websites to which reply number the script was correctly triggered. For example, if the "dnsbl.dronebl.org" server answered "9" when checking through the DNSBL, then this is correct in most cases and you will ban the real proxy. And if in the same place the answer is "3" or "14", then this may be a false positive. My advice for a while testing is to turn off the bans and set the variable to "%ps_btype = off" so that you can just watch what is happening and make accurate debugging using the resulting numbers in the response rechecking where the truth is and where the lie.
  5.Through the alias "proxyscanner_set" you can customize the configuration parameters of the script:
      %ps_servers – Contains a comma-separated list of the "irc.server1.com,irc.server2.com" servers on which the script should work. (You can specify "all" for all servers).
      %ps_snomask – All "snomask" modes that must be enabled for the bot to work correctly are indicated here.
      %ps_btype – The type of server ban is indicated here. (Possible options: "ZLINE/KLINE/GLINE" or to disable bans set the value to "off").
      %ps_btime – Contains the time for which the ban will be set for the user.
      %ps_breason – The reason for the ban is indicated here, which will be visible to the banned user.
      %ps_blogo – Here the logo prefix, which will be present in all messages of the script.
      %ps_mchan – Here you specify the channel to which you want to write a message in case of ban the detected proxy.
      %ps_admins – A comma-separated list of aliases for which script control will be available.
I am attaching a screenshot of how the script, after the user is banned, reports in the specified channel about the found proxy through in the DNSBL list:
#####################################################################
# Name: AntiProxyScan v1.0
# Author: Epic (epicnet@mail.ru, http://epicnet.ru)
# Description: Automatically scans all incoming connections to the server for proxy addresses and sets a server ban if found.
#####################################################################
alias -l proxyscanner_set {
%ps_servers = all
%ps_snomask = +cC
%ps_btype = ZLINE
%ps_btime = 3d
%ps_breason = Your IP was found in DNSBL and it is suspected that is (VPN/Tor/Proxy). To unlock contact the chat administration.
%ps_blogo = DNSBL: 01,04 BAN
%ps_mchan = #Services
%ps_admins = Epic,Sleepyhead,Admin
}
alias -l proxyscanner_list {
if ($hget(ps-dnsbl,0).item) .hfree -sw ps-dnsbl
.hadd -m ps-dnsbl dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255
.hadd -m ps-dnsbl rbl.efnetrbl.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
.hadd -m ps-dnsbl rbl.efnet.org 1,4,5
.hadd -m ps-dnsbl tor.efnet.org 1
.hadd -m ps-dnsbl cbl.abuseat.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
.hadd -m ps-dnsbl sbl.spamhaus.org 1,5,6,7,8,9,10,12,13,14,15,255
.hadd -m ps-dnsbl abuse-contacts.abusix.org 2,3,4
.hadd -m ps-dnsbl safe.dnsbl.sorbs.net 1,3
.hadd -m ps-dnsbl all.s5h.net 1,3
.hadd -m ps-dnsbl bl-h1.rbl.polspam.pl 1
.hadd -m ps-dnsbl postmaster.rfc-clueless.org 3
}
====================================================
on *:LOAD:{ proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on }
on *:CONNECT: proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on | if ($istok(%ps_servers,$server,44)) || (%ps_servers == all) { /mode $me +s %ps_snomask }
on *:TEXT:!ps*:#:{
if ($1 == !ps && $istok(%ps_admins,$nick,44)) {
if (!$2) { .notice $nick Syntax: !ps <start/stop/reload> | halt }
if ($2 == start) { %ps_work = on | .notice $nick ProxyScanner on } | if ($2 == stop) { %ps_work = off | .notice $nick ProxyScanner off }
if ($2 == reload) { proxyscanner_set | proxyscanner_list | .notice $nick ProxyScanner reload }
}
}
on *:SNOTICE:*Client connecting*:{
if (%ps_work == on) {
if ($istok(%ps_servers,$nick,44)) || ($hget(ps,servers) == all) {
var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok(%ps_mask,1,33) | var %ps_ip $gettok(%ps_mask,2,64) | var %ps_id $gettok($gettok(%ps_mask,1,64),2,33)
if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
}
}
}
====================================================
alias -l proxyscanner_check {
var %ps_reverse $ps_revip($1) | .hadd -mu60 ps-oip %ps_reverse $1 | .hadd -mu60 ps-oid %ps_reverse $2 | .hadd -mu60 ps-onick %ps_reverse $3
var %ps_all $hget(ps-dnsbl,0).item | var %ps_q 1 | while (%ps_q <= %ps_all) {
var %ps_name $hget(ps-dnsbl,%ps_q).item | var %ps_check $+(%ps_reverse,.,%ps_name)
.dns %ps_check | inc %ps_q
}
}
on *:DNS:{
var %ps_i $dns(0) | while (%ps_i > 0) {
var %ps_dnsname $dns(%ps_i) | var %ps_dnsip $dns(%ps_i).ip | var %ps_dnsnum $gettok(%ps_dnsip,4,46) | var %ps_dnsrip $gettok(%ps_dnsname,1-4,46) | var %ps_dnsrname $gettok(%ps_dnsname,5-,46)
if (!$hget(ps-banip,%ps_dnsrip) && $istok($hget(ps-dnsbl,%ps_dnsrname),%ps_dnsnum,44)) {
;------------------------------------
if ($me ison %ps_mchan) /msg %ps_mchan %ps_blogo $+(07,$hget(ps-onick,%ps_dnsrip),) => $+(04,$hget(ps-oid,%ps_dnsrip),@,$hget(ps-oip,%ps_dnsrip),) => $+(06,%ps_dnsrname,) $+($chr(40),07,%ps_dnsnum,,$chr(41)) - $ps_gettype(%ps_dnsname,%ps_dnsnum)
if (%ps_btype == ZLINE) .ZLINE $hget(ps-oip,%ps_dnsrip) %ps_btime %ps_breason
if (%ps_btype == KLINE) .KLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
if (%ps_btype == GLINE) .GLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
;------------------------------------
.hadd -mu30 ps-banip %ps_dnsrip 1 | .break
} | dec %ps_i
}
}
alias -l ps_revip { tokenize 46 $1 | return $+($4,.,$3,.,$2,.,$1) }
alias -l ps_detectip { tokenize 46 $1 | if ($0 == 4 && $1 isnum 0-255 && $2 isnum 0-255 && $3 isnum 0-255 && $4 isnum 0-255) { return 1 } }
alias -l ps_gettype {
if (dronebl isin $1) {
if ($2 == 2) { return Sample }
if ($2 == 3) { return IRC Drone }
if ($2 == 5) { return Bottler }
if ($2 == 6) { return Unknown Spambot/Drone }
if ($2 == 7) { return DDOS Drone }
if ($2 == 8) { return SOCKS Proxy }
if ($2 == 9) { return HTTP Proxy }
if ($2 == 10) { return Proxy Chain }
if ($2 == 11) { return Web Page Proxy }
if ($2 == 12) { return Open DNS Resolver }
if ($2 == 13) { return Brute Force Attackers }
if ($2 == 14) { return Open Wingate Proxy }
if ($2 == 15) { return Compromised Router/Gateway }
if ($2 == 16) { return Autorooting worms }
if ($2 == 17) { return Automatically determined botnet IPs (experimental) }
if ($2 == 18) { return DNS/MX type hostname detected on IRC }
}
if (rbl.efnet isin $1) {
if ($2 == 1) { return Open Proxy }
if ($2 == 2) { return Spamtrap666 }
if ($2 == 3) { return Spamtrap50 }
if ($2 == 4) { return TOR }
if ($2 == 5) { return Drones/Flooding }
}
if (tor.efnet isin $1) { return Tor Server }
if ($2 == 255) { return 10Unknown }
else { return Unknown Proxy }