Yes, for example, you can discard everything with more than 16 sources in an GGEP ALT block. That's 100% spam. I don't know the limit for BearShare but for LimeWire it's 10 and Gtk-Gnutella it's 15.
A few months ago, there appeared some spammers using this for more efficient spamming. The old school spammers still use multiple query hits. Some GUIs don't show this difference.
It's best to dump the raw packets and analyze the raw data. That gives you some clues what can be promptly blocked. Most of the time you can either block packets with certain abnormal characteristics, exact files or otherwise an IP (range). In a few cases, you really have to wait for more information. Just try to get as much information from a suspicious host as possible, that will give you a good idea whether it's really a spammer and if yes, how they work. |