UnrealIRCd 6.1.2 released
From: Bram M. <sy...@un...> - 2023-10-04 05:37:02
Hi everyone,

I'm happy to announce the release of UnrealIRCd 6.1.2 stable. This release focuses on adding spamfilter features but also contains various other new features and some fixes.

This release is a little ahead of schedule because I had the impression that the Release Candidate(s) were not being tested much, so then there is no point in delaying the stable release anymore.

Enhancements:

* We now give tips on (security) best practices depending on settings in your configuration file, such as using plaintext oper passwords in the config file. It is generally suggested to follow this advice, but you could disable such advice via set::best-practices <https://www.unrealircd.org/docs/Set_block#set::best-practices>.
* security-group { } block <https://www.unrealircd.org/docs/Security-group_block> and mask item <https://www.unrealircd.org/docs/Mask_item> enhancements:
    o Add support for |channel "#xyz";| and |channel "@#need_ops_here";|
    o Add support for Crule <https://www.unrealircd.org/docs/Crule> to allow things like |rule "inchannel('@#main')||reputation()>1000";|
* DNS Blacklists are now checked again some time after the user is connected. This will kill/ban users who are already online and got blacklisted later by for example DroneBL.
    o This is controlled via set::blacklist::recheck-time <https://www.unrealircd.org/docs/Set_block#set::blacklist::recheck-time> and can also be set to |never| if you don't want rechecking.
    o To skip checking for specific blacklists, you can set blacklist::recheck <https://www.unrealircd.org/docs/Blacklist_block> to |no|.
* The reputation score <https://www.unrealircd.org/docs/Reputation_score> of connected users (actually IPs) is increased every 5 minutes. We still do this, but only for users who are at least in one channel that has 3 or more members. This setting is tweakable via set::reputation::score-bump-timer-minimum-channel-members <https://www.unrealircd.org/docs/Set_block#set::reputation>. Setting this to 0 means to bump scores also for people who are in no channels at all, which was the behavior in previous UnrealIRCd versions. Note: this new feature won't work properly when you have any older UnrealIRCd servers on the network (older than 6.1.2), as the older servers will still bump scores for everyone, including users in no channels, and this higher score will get synced back eventually to all other servers.
* spamfilter { } block <https://www.unrealircd.org/docs/Spamfilter_block> improvements:
    o Spamfilters now always run, even for users that are exempt via an except ban block <https://www.unrealircd.org/docs/Except_ban_block> with |type spamfilter|. However, for exempt users no action is taken or logged. This allows us to count normal hits and count hits for except users. The idea is that the hits for except users can be a useful measurement to detect false positives. These hit counts are exposed in |SPAMFILTER| and |STATS spamfilter|.
    o Optional items allowing more complex rules:
        + spamfilter::rule <https://www.unrealircd.org/docs/Spamfilter_block#Spamfilter_rule>: with minimal 'if'-like preconditions and functions. If this returns false then the spamfilter will not run at all (no hit).
        + spamfilter::except: this is meant as an alternative to 'rule' and works like a regular except item <https://www.unrealircd.org/docs/Mask_item>. If this matches, then the spamfilter will not run at all (no hit).
    o New target type |raw| (or |R| on IRC) to match a raw command / IRC protocol line (except message tags), such as |LIST*|. Naturally one needs to be very careful with these since a wrong filter could cause all/essential traffic to be rejected.
    o The |action| item now supports multiple actions:
        + A new action |stop| to stop other spamfilters from processing.
        + A new action |set| to set a TAG <https://www.unrealircd.org/docs/Spamfilter_block#Setting_tags> on a user, or change the value of one. It also supports changing the reputation score <https://www.unrealircd.org/docs/Reputation_score>.
        + A new action |report| to call a spamreport block, see next.
* A new spamreport { } block <https://www.unrealircd.org/docs/Spamreport_block>:
    o This can do an HTTP(S) call to services like DroneBL to report spam hits, so they can blacklist the IP address and other users on IRC can benefit.
* Optional Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter>: This will fetch and refresh spamfilter rules every hour from unrealircd.org.
    o This feature is not enabled by default. Use |set { central-spamfilter { enabled yes; } }| to enable.
    o set::central-spamfilter::feed decides which feed to use: |fast| for early access to spamfilter rules that are new, and |standard| (the default) for rules that have been in fast for a while.
    o set::central-spamfilter::except defines who will never be affected by central spamfilters. By default it is: users with a reputation score of more than 2016 (7 days online unregged, or 3.5 days as identified user) or having a host of *.irccloud.com. Spam matches for users that fall in this ::except group are counted as false positives and no action is taken or logged.
    o See the Central Spamfilter <https://www.unrealircd.org/docs/Central_spamfilter> article for the disclaimer and all other options you can set.
* set::spamfilter::utf8 <https://www.unrealircd.org/docs/Set_block#set::spamfilter::utf8> is now on by default:
    o This means you can safely use UTF8 characters in things like |[]| in a regex.
    o Case insensitive matches work better. For example, for extended Latin, a spamfilter on |ę| then also matches |Ę|.
    o Other PCRE2 features such as \p <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC5> can then be used. For example the regex |\p{Arabic}| would block all Arabic script. See also this full list of scripts <https://www.pcre.org/current/doc/html/pcre2syntax.html#SEC7>. Please use this new tool with care. Blocking an entire language or script is quite a drastic measure.
    o You can turn it off via: |set { spamfilter { utf8 no; } }|
* Via set::spamfilter::show-message-content-on-hit <https://www.unrealircd.org/docs/Set_block#set::spamfilter::show-message-content-on-hit> you can now choose to hide the message content in spamfilter hit messages. Generally it is very useful to see if a spamfilter hit is correct or not, so the default is 'always', but it also has privacy implications so there is now this option to disable it.
* You can restrict includes to only contain certain blocks, the style is: |include "some-file-or-url" { restrict-config { name-of-block; name-of-block2; } }|
* A new |~flood| extended ban <https://www.unrealircd.org/docs/Extended_bans>. This mode allows you to exempt users from channel mode |+f| and |+F|. It was actually added in a previous version (6.1.0) but never made it to the release notes. The syntax is: ~flood:types:mask, where /types/ are the same letters as used in channel mode +f <https://www.unrealircd.org/docs/Channel_anti-flood_settings#Channel_mode_f>. Example: |+e ~flood:t:*!*@*.textflood.example.org|

Changes:

* We now compile the argon2 library shipped with UnrealIRCd by default, because it is often two times faster than the OS library. If you don't want this, which would be quite rare but for example because you are packaging UnrealIRCd as a .deb or .rpm, then you can use |--with-system-argon2| as a configure option.
* The argon2 parameters have been lowered a bit, so that the hashing speed is acceptable for our purposes.

Fixes:

* Temporary high CPU usage (99%) under some conditions.
* UnrealIRCd has had watch away notification since 2008. This is indicated in RPL_ISUPPORT via |WATCHOPTS=A| and the syntax to actually use this is |WATCH A +Nick1 +Nick2 etc.|. In UnrealIRCd 6 there was a bug where it would not always correctly inform about the away status; that bug has now been fixed.
* On 32-bit architectures you can now use more than 32 channel modes.
* Set block for a security group <https://www.unrealircd.org/docs/Set_block#Set_block_for_a_security_group>: was not working for the |unknown-users| group.
* A leading slash was silently stripped in config file items, when not in quotes.
* |./unrealircd module upgrade| only showed output for one module upgrade, even when multiple modules were upgraded.

Developers and protocol:

* Changes in numeric 229 (RPL_STATSSPAMF): Now includes hits and hits for users that are exempt, two counters inserted right before the last argument (the regex).
* Several API changes, like |place_host_ban| to |take_action|

You can download UnrealIRCd from https://www.unrealircd.org/
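
The set::spamfilter::utf8 item above is about byte-wise versus character-wise matching. The following is an added illustration, not UnrealIRCd code: it uses Python's re module as a stand-in for PCRE2 (an assumption made for the demo), with bytes patterns playing the role of a regex engine without UTF-8 mode. The sample messages are constructed.

```python
import re

def byte_mode(pattern: str, text: str) -> bool:
    """Match as an engine without UTF-8 mode would: each byte is one 'character'."""
    return re.search(pattern.encode("utf-8"), text.encode("utf-8"),
                     re.IGNORECASE) is not None

def utf8_mode(pattern: str, text: str) -> bool:
    """Match on code points, as a UTF-8 aware engine does."""
    return re.search(pattern, text, re.IGNORECASE) is not None

# (pattern, constructed message, what a filter author expects)
CASES = [
    # Case folding: "ę" is C4 99 and "Ę" is C4 98 in UTF-8, so byte mode
    # cannot fold them; only ASCII letters are folded there.
    ("ę", "PROMOCJA Ę", True),
    # Character class: in byte mode [ęó] is a set of four single bytes
    # (C4 99 C3 B3), so the lead byte C4 of "ć" in a harmless "cześć"
    # is enough to trigger the filter.
    ("[ęó]", "cześć", False),
    # Both modes agree when the exact byte sequence is present.
    ("[ęó]", "mój kanał", True),
]

def compare():
    """Return (pattern, text, expected, byte_result, utf8_result) per case."""
    return [(p, t, want, byte_mode(p, t), utf8_mode(p, t)) for p, t, want in CASES]

if __name__ == "__main__":
    for p, t, want, b, u in compare():
        print(f"{p!r:8} on {t!r:14} expected={want} byte-mode={b} utf8-mode={u}")
```

The first case is a missed hit in byte mode and the second is a false positive; both go away with character-wise matching, which is what the new default provides.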
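
The exempt-user hit counters described above can be used to look for false positives. This is an added example, not part of the release notes or of UnrealIRCd: it reads numeric 229 lines relying only on what the notes state (two counters, hits then exempt hits, directly before the final regex argument). The other fields in the sample lines, the server and nick names, and the 0.2 threshold are constructed assumptions.

```python
from typing import NamedTuple, Optional

class SpamfilterStat(NamedTuple):
    regex: str
    hits: int          # hits by normal users
    hits_except: int   # hits by exempt users (no action taken)

def irc_params(line: str) -> list:
    """Split one IRC line into [command, param, ...], dropping tags and prefix."""
    if line.startswith("@"):
        line = line.partition(" ")[2]
    if line.startswith(":"):
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return params

def parse_statsspamf(line: str) -> Optional[SpamfilterStat]:
    """Return the counters from a 229 line, or None if they are absent."""
    p = irc_params(line.rstrip("\r\n"))
    if len(p) < 4 or p[0] != "229":
        return None
    hits, hits_except, regex = p[-3], p[-2], p[-1]
    # Servers older than 6.1.2 send no counters; the fields before the
    # regex are then not numeric (heuristic, assumed for this example).
    if not (hits.isdigit() and hits_except.isdigit()):
        return None
    return SpamfilterStat(regex, int(hits), int(hits_except))

def false_positive_candidates(lines, min_share=0.2):
    """Filters where exempt users account for at least min_share of all hits."""
    out = []
    for line in lines:
        s = parse_statsspamf(line)
        if s and s.hits_except and s.hits_except / (s.hits + s.hits_except) >= min_share:
            out.append(s)
    return out

# Constructed sample lines; only the last three arguments follow the notes.
SAMPLE = [
    r":irc.example.org 229 oper F simple cp gline 0 1696400000 86400 Spam admin 41 0 :*free-bitcoin*",
    r":irc.example.org 229 oper F regex c block 0 1696400000 0 Link_spam admin 12 9 :https?://\S+",
    r":old.example.org 229 oper F simple p kill 0 1696400000 0 No_dcc admin :*dcc send*",
]

if __name__ == "__main__":
    for s in false_positive_candidates(SAMPLE):
        print(f"review {s.regex!r}: {s.hits_except} of {s.hits + s.hits_except} hits were exempt users")
```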