modified on 22 July 2008 at 01:01

TeamSpeak spam protection

From MikroTik Wiki


Introduction

TeamSpeak is a VoIP application that enables any user to speak with anybody currently online on any TeamSpeak server. It serves the gaming community well, as well as social groups that don’t feel comfortable typing their thoughts. Unfortunately, TeamSpeak became the target of many spammers around the globe who wish to advertise their websites using only a freely available TeamSpeak client application. Bottom line: successfully advertising using this application is a cinch.

The problem

A successful spam attempt

This is how a typical TeamSpeak spammer operates. First, instead of a regular nickname, something like "www.spamsite.com" is entered. Second, a connection is initiated to a target TeamSpeak server. Third, the user quits after only a second or two, which displays the typical TeamSpeak quit message, "www.spamsite.com quit" (for an ordinary user this looks like “Joe quit” or “Jane quit”). The quit message is always displayed, and the link is clickable. A kick or IP ban will not solve the problem, since spammers easily switch IP addresses. TeamSpeak itself does not have any protection against this kind of behavior, and scripts such as TS2Perlmod can only move the spammer to another room or kick him, which will still display a clickable link for everyone to see.


The solution

Fortunately, MikroTik can filter out these packets. First of all, let’s sniff the default TeamSpeak port, UDP 8767, and load the capture into Wireshark:

0000  00 19 db f5 5f 24 00 e0  4c b1 aa 4f 08 00 45 00   ...._$.. L..O..E.
0010  00 d0 37 b3 00 00 7f 11  e4 a6 0a 17 05 64 0a 17   ..7..... .....d..
0020  05 32 f0 b6 22 3f 00 bc  df 3e f4 be 03 00 00 00   .2.."?.. .>......
0030  00 00 00 00 00 00 01 00  00 00 66 67 8a 3b 09 54   ........ ..fg.;.T
0040  65 61 6d 53 70 65 61 6b  00 00 00 00 00 00 00 00   eamSpeak ........
0050  00 00 00 00 00 00 00 00  00 00 00 00 0a 57 69 6e   ........ .....Win
0060  64 6f 77 73 20 4e 54 00  00 00 00 00 00 00 00 00   dows NT. ........
0070  00 00 00 00 00 00 00 00  00 00 02 00 00 00 20 00   ........ ...... .
0080  3c 00 01 02 00 00 00 00  00 00 00 00 00 00 00 00   <....... ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00c0  10 77 77 77 2e 73 70 61  6d 73 69 74 65 2e 63 6f   .www.spa msite.co
00d0  6d 00 00 00 00 00 00 00  00 00 00 00 00 00         m....... ......  

As expected, the unencrypted login packet (1st packet sent) for TeamSpeak contains the string "www.spamsite.com" which will make it easy for us to ban these kinds of spam attempts.

We need to drop the first packet on port UDP 8767 that contains unwanted keywords - "www", "WWW", "http://", "HTTP://" and such...
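To make the capture concrete, the following added example (not part of the original wiki page) decodes the frame shown above down to the UDP payload and pulls out the nickname field the filter has to catch. The field offset (150) and the 29-character limit are assumptions read off this single capture, and the function names are illustrative.

```python
import struct

# Frame re-assembled from the hex dump above; zero runs are written as bytes(n).
FRAME = (
    bytes.fromhex("0019dbf55f2400e04cb1aa4f08004500"   # Ethernet II, IPv4 at 0x0e
                  "00d037b300007f11e4a60a1705640a17"
                  "0532f0b6223f00bcdf3ef4be03000000"   # UDP payload starts at 0x2a
                  "0000000000000100000066678a3b0954"
                  "65616d537065616b") + bytes(20)       # "TeamSpeak" text field
    + bytes.fromhex("0a57696e646f7773204e54") + bytes(19)  # "Windows NT" text field
    + bytes.fromhex("0200000020003c000102") + bytes(60)
    + bytes.fromhex("107777772e7370616d736974652e636f6d") + bytes(13)  # nickname
)

NICK_OFFSET = 150   # assumption: nickname position as seen in this one capture
NICK_MAX = 29       # assumption: 1 length byte + up to 29 characters per field
KEYWORDS = ("www.", "http://")


def udp_payload(frame):
    """Return (dst_port, payload) of an Ethernet II / IPv4 / UDP frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 17:               # IP protocol field, 17 = UDP
        raise ValueError("not UDP")
    udp = 14 + ihl
    _src, dst, length, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    return dst, frame[udp + 8:udp + length]


def login_nickname(payload):
    """Extract the length-prefixed nickname from a login payload."""
    if len(payload) <= NICK_OFFSET:
        raise ValueError("payload too short for a login packet")
    n = payload[NICK_OFFSET]
    if n > NICK_MAX or NICK_OFFSET + 1 + n > len(payload):
        raise ValueError("bad nickname length")
    return payload[NICK_OFFSET + 1:NICK_OFFSET + 1 + n].decode("latin-1")


def is_spam_nick(nick):
    """Case-insensitive keyword test on the nickname only."""
    low = nick.lower()
    return any(k in low for k in KEYWORDS)
```

Unlike a byte match over the whole packet, this test looks only at the nickname and ignores letter case.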

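Use the following commands to protect your TeamSpeak server if it is behind a MikroTik router. The content matcher compares bytes exactly, so each capitalization of a keyword needs its own rule: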

/ip firewall filter
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="www." connection-state=new action=drop comment="TS \
    spam protection" disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="WWW." connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="WwW." connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="wWw." connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="wwW." connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="Www." connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="http://" connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="Http://" connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="HTTP://" connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="HTtp://" connection-state=new action=drop \
    disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="HTTp://" connection-state=new action=drop \
    comment="" disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="hTTP://" connection-state=new action=drop \
    comment="" disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="htTP://" connection-state=new action=drop \
    comment="" disabled=no 
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="httP://" connection-state=new action=drop \
    comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="hTTp://" connection-state=new action=drop \
    comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
    protocol=udp dst-port=8767 content="HttP://" connection-state=new action=drop
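The rules above cover 6 of the 8 case spellings of "www." and 10 of the 16 spellings of "http://". The following added example (not part of the original wiki page; function names are illustrative) enumerates every case spelling of a keyword, reports the ones the rule list lacks, and prints the extra rules in the same syntax as above.

```python
from itertools import product

# content= values copied from the rules on this page
PAGE_RULES = [
    "www.", "WWW.", "WwW.", "wWw.", "wwW.", "Www.",
    "http://", "Http://", "HTTP://", "HTtp://", "HTTp://", "hTTP://",
    "htTP://", "httP://", "hTTp://", "HttP://",
]


def case_variants(keyword):
    """Every upper/lower-case spelling of keyword; non-letters stay fixed."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in keyword]
    return ["".join(p) for p in product(*choices)]


def missing_variants(keywords, existing):
    """Case spellings of the keywords that no existing rule matches."""
    have = set(existing)
    return [v for k in keywords for v in case_variants(k) if v not in have]


def routeros_rules(contents, port=8767):
    """Render drop rules with the same parameters as the rules on this page."""
    lines = ["/ip firewall filter"]
    for c in contents:
        lines.append(
            f'add chain=forward src-address=0.0.0.0/0 protocol=udp '
            f'dst-port={port} content="{c}" connection-state=new action=drop'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    gaps = missing_variants(["www.", "http://"], PAGE_RULES)
    print(f"{len(gaps)} case spellings are not covered:")
    print(routeros_rules(gaps))
```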