TeamSpeak spam protection
From MikroTik Wiki
Introduction
TeamSpeak is a VoIP application that enables any user to speak with anybody currently online on any TeamSpeak server. It serves the gaming community well, as well as social groups that don’t feel comfortable typing their thoughts. Unfortunately, TeamSpeak became the target of many spammers around the globe who wish to advertise their websites using only a freely available TeamSpeak client application. Bottom line: successfully advertising using this application is a cinch.
The problem
This is how a typical TeamSpeak spammer operates. First, instead of a regular nickname, something like "www.spamsite.com" is entered. Second, a connection is initiated to a target TeamSpeak server. Third, the user quits after only a second or two, which displays the typical TeamSpeak quit message: "www.spamsite.com quit" (normally this looks like “Joe quit” or “Jane quit”). The quit message is always displayed, and the link is clickable. A kick or IP ban will not solve the problem, since spammers easily switch IP addresses. TeamSpeak itself does not have any protection against this kind of behavior, and scripts such as TS2Perlmod can only move the spammer to another room or kick him, which will still display a clickable link for everyone to see.
The solution
Fortunately, MikroTik can filter out these packets. First of all, let’s sniff the default TeamSpeak port, UDP 8767, and load the capture into Wireshark:
0000 00 19 db f5 5f 24 00 e0 4c b1 aa 4f 08 00 45 00 ...._$.. L..O..E.
0010 00 d0 37 b3 00 00 7f 11 e4 a6 0a 17 05 64 0a 17 ..7..... .....d..
0020 05 32 f0 b6 22 3f 00 bc df 3e f4 be 03 00 00 00 .2.."?.. .>......
0030 00 00 00 00 00 00 01 00 00 00 66 67 8a 3b 09 54 ........ ..fg.;.T
0040 65 61 6d 53 70 65 61 6b 00 00 00 00 00 00 00 00 eamSpeak ........
0050 00 00 00 00 00 00 00 00 00 00 00 00 0a 57 69 6e ........ .....Win
0060 64 6f 77 73 20 4e 54 00 00 00 00 00 00 00 00 00 dows NT. ........
0070 00 00 00 00 00 00 00 00 00 00 02 00 00 00 20 00 ........ ...... .
0080 3c 00 01 02 00 00 00 00 00 00 00 00 00 00 00 00 <....... ........
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00c0 10 77 77 77 2e 73 70 61 6d 73 69 74 65 2e 63 6f .www.spa msite.co
00d0 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 m....... ......
As expected, the unencrypted login packet (the first packet sent) for TeamSpeak contains the string "www.spamsite.com", which makes it easy for us to block these kinds of spam attempts.
We need to drop the first packet on UDP port 8767 that contains unwanted keywords: "www", "WWW", "http://", "HTTP://" and such...
Use the following commands to protect your TeamSpeak server if it is behind a MikroTik router:
/ip firewall filter
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="www." connection-state=new action=drop \
comment="TS spam protection" disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="WWW." connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="WwW." connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="wWw." connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="wwW." connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="Www." connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="http://" connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="Http://" connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="HTTP://" connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="HTtp://" connection-state=new action=drop \
disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="HTTp://" connection-state=new action=drop \
comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="hTTP://" connection-state=new action=drop \
comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="htTP://" connection-state=new action=drop \
comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="httP://" connection-state=new action=drop \
comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="hTTp://" connection-state=new action=drop \
comment="" disabled=no
add chain=forward src-address=0.0.0.0/0 \
protocol=udp dst-port=8767 content="HttP://" connection-state=new action=drop
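
The rule list above has one rule per spelling, which implies that the content match is case-sensitive, and it covers only some of the possible spellings. The following added example (not part of the original wiki page; the helper names are hypothetical) enumerates every upper/lower-case spelling of the two keywords, reports which ones the list above leaves out, and prints a complete rule set using the same fields as the page's rules:

```python
from itertools import product

# Keywords and rule fields are taken from the page; the helper names are
# hypothetical and exist only for this example.
KEYWORDS = ["www.", "http://"]
PAGE_VARIANTS = {
    "www.", "WWW.", "WwW.", "wWw.", "wwW.", "Www.",
    "http://", "Http://", "HTTP://", "HTtp://", "HTTp://",
    "hTTP://", "htTP://", "httP://", "hTTp://", "HttP://",
}

def case_variants(keyword):
    """Every upper/lower-case spelling of keyword, in sorted order."""
    choices = [sorted({c.lower(), c.upper()}) for c in keyword]
    return sorted("".join(p) for p in product(*choices))

def missing_variants(keywords=KEYWORDS, covered=PAGE_VARIANTS):
    """Spellings that the page's rule list would let through."""
    return [v for k in keywords for v in case_variants(k) if v not in covered]

def render_rules(keywords=KEYWORDS):
    """RouterOS commands: one drop rule per spelling, same fields as the page."""
    lines = ["/ip firewall filter"]
    for k in keywords:
        for v in case_variants(k):
            lines.append(
                "add chain=forward src-address=0.0.0.0/0 protocol=udp "
                f'dst-port=8767 content="{v}" connection-state=new '
                'action=drop comment="TS spam protection" disabled=no'
            )
    return lines

def first_match(payload, variants):
    """Mimic a case-sensitive substring test on a packet payload."""
    text = payload.decode("latin-1")
    return next((v for v in variants if v in text), None)

if __name__ == "__main__":
    print("not covered by the page's rules:", missing_variants())
    print("\n".join(render_rules()))
```

Because the match is a plain substring test, a legitimate nickname that happens to contain "www." or "http://" is dropped as well.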
