1/*
2
3BOPM sample configuration
4
5*/
6
7options {
8	/*
9	 * Full path and filename for storing the process ID of the running
10	 * BOPM.
11	 */
12	pidfile = "/var/run/bopm/bopm.pid";
13
14	/*
15	 * How many seconds to store the IP address of hosts which are
16	 * confirmed (by previous scans) to be secure.  New users from these
17	 * IP addresses will not be scanned again until this amount of time
18	 * has passed. IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THIS
19	 * DIRECTIVE, but it is provided due to demand.
20	 *
21	 * The main reason for not using this feature is that anyone capable
22	 * of running a proxy can get abusers onto your network - all they
23	 * need do is shut the proxy down, connect themselves, restart the
24	 * proxy, and tell their friends to come flood.
25	 *
26	 * Keep this directive commented out to disable negative caching.
27	 */
28#	negcache = 3600;
29
30	/*
31	 * Amount of file descriptors to allocate to asynchronous DNS.  64
32	 * should be plenty for almost anyone - previous versions of BOPM only
33	 * did one at a time!
34	 */
35	dns_fdlimit = 64;
36
37	/*
38	 * Put the full path and filename of a logfile here if you wish to log
39	 * every scan done.  Normally BOPM only logs successfully detected
40	 * proxies in the bopm.log, but you may get abuse reports to your ISP
41	 * about portscanning.  Being able to show that it was BOPM that did
42	 * the scan in question can be useful.  Leave commented for no
43	 * logging.
44	 */
45#	scanlog = "/var/log/bopm/scan.log";
46};
47
48
49IRC {
50	/*
51	 * IP to bind to for the IRC connection.  You only need to use this if
52	 * you wish BOPM to use a particular interface (virtual host, IP
53	 * alias, ...) when connecting to the IRC server.  There is another
54	 * "vhost" setting in the scan {} block below for the actual
55	 * portscans.  Note that this directive expects an IP address, not a
56	 * hostname.  Please leave this commented out if you do not
57	 * understand what it does, as most people don't need it.
58	 */
59#	vhost = "0.0.0.0";
60
61	/*
62	 * Nickname for BOPM to use.
63	 */
64	nick = "MyBopm";
65
66	/*
67	 * Text to appear in the "realname" field of BOPM's /whois output.
68	 */
69	realname = "Blitzed Open Proxy Monitor";
70
71	/*
72	 * If you don't have an identd running, what username to use.
73	 */
74	username = "bopm";
75
76	/*
77	 * Hostname (or IP) of the IRC server which BOPM will monitor
78	 * connections on.
79	 */
80	server = "myserver.somenetwork.org";
81
82
83	/*
84	 * Password used to connect to the IRC server (PASS)
85	 */
86
87#	password = "secret";
88
89
90	/*
91	 * Port of the above server to connect to.  This is what BOPM uses to
92	 * get onto IRC itself, it is nothing to do with what ports/protocols
93	 * are scanned, nor do you need to list every port your ircd listens
94	 * on.
95	 */
96	port = 6667;
97
98	/*
99	 * Command to execute to identify to NickServ (if your network uses
100	 * it).  This is the raw IRC command text, and the below example
101	 * corresponds to "/msg nickserv identify password" in a client.  If
102	 * you don't understand, just edit "password" in the line below to be
103	 * your BOPM's nick password.  Leave commented out if you don't need
104	 * to identify to NickServ.
105	 */
106#	nickserv = "privmsg nickserv :identify password";
107
108	/*
109	 * The username and password needed for BOPM to oper up.
110	 */
111	oper = "bopm operpass";
112
113	/*
114	 * Mode string that BOPM needs to set on itself as soon as it opers
115	 * up.  This needs to include the mode for seeing connection notices,
116	 * otherwise BOPM won't scan anyone (that's usually umode +c).  It's
117	 * often also a good idea to remove any helper modes so that users
118	 * don't try to talk to the BOPM.
119	 *
120	 * REMEMBER THAT IRCU AND LATER VERSIONS OF UNREAL DO NOT USE A SIMPLE
121	 * +c !!
122	 */
123	mode = "+c-h";
124
125	/* Example for Bahamut; +F gives BOPM relaxed flood limits */
126#	mode = "+Fc-h";
127
128	/*
129	 * If this is set then BOPM will use it as an /away message as soon as
130	 * it connects.
131	 */
132	away = "I'm a bot.  Your messages will be ignored.";
133
134	/*
135	 * Info about channels you wish BOPM to join in order to accept
136	 * commands.  BOPM will also print messages in these channels every
137	 * time it detects a proxy.  Only IRC operators can command BOPM to do
138	 * anything, but some of the things BOPM reports to these channels
139	 * could be soncidered sensitive, so it's best not to put BOPM into
140	 * public channels.
141	 */
142	channel {
143	   /*
144	    * Channel name.  Local ("&") channels are supported if your ircd
145	    * supports them.
146	    */
147	   name = "#bopm";
148
149	   /*
150	    * If BOPM will need to use a key to enter this channel, this is
151	    * where you specify it.
152	    */
153#	   key = "somekey";
154
155	   /*
156	    * If you use ChanServ then maybe you want to set the channel
157	    * invite-only and have each BOPM do "/msg ChanServ invite" to get
158	    * itself in.  Leave commented if you don't, or if this makes no
159	    * sense to you.
160	    */
161#	   invite = "privmsg chanserv :invite #bopm";
162	};
163
164	/*
165	 * You can define a bunch of channels if you want:
166	 *
167	 * channel { name = "#other"; }; channel { name="#channel"; }
168	 */
169
170	/*
171	 * connregex is a POSIX regular expression used to parse connection
172	 * (+c) notices from the ircd. The complexity of the expression should
173	 * be kept to a minimum.
174	 *
175	 * Items in order MUST be: nick user host IP
176	 *
177	 * BOPM will not work with ircds which do not send an IP in the
178	 * connection notice.
179	 *
	 * This is fairly complicated stuff, and the consequence of getting
	 * it wrong is that BOPM does not scan anyone.  Unless you know
	 * exactly what you are doing, please just uncomment the example
	 * below that best matches the type of ircd you use.
184	 *
185	 * !!! NOTE !!! If a connregex for your ircd does not appear here and the
186	 * hybrid connregex does not appear to work, check the BOPM FAQ at
187	 * http://wiki.blitzed.org/BOPM before contacting our lists for help.
188	 *
189	 */
190
191	/* Hybrid / Bahamut / Unreal (in HCN mode) */
192	connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
193
194	/*
195	 * Ultimate ircd  - note the control-B characters around Connect/Exit,
196	 * that is because that text appears in bold in the actual connect
197	 * notice.  Be very careful when editing this, do it as you would put
198	 * bold characters into IRC MOTDs.
199	 */
200#	connregex = "\\*\\*\\* Connect/Exit -- from [^:]+: Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
201
202	/*
203	 * SorIRCd 1.3.4+ / StarIRCd 5.26+.
204	 */
205#	connregex = "\\*\\*\\* Notice -- Client connecting on port [0-9]+: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
206
207
208	/*
209	 * "kline" controls the command used when an open proxy is confirmed.
210	 * We suggest applying a temporary (no more than a few hours) KLINE on the host.
211	 *
	 * <WARNING>
	 * Make sure that if you need to change this string you also change the
	 * kline command for every DNSBL you enable below.
	 *
	 * Also note that some servers do not allow you to include ':' characters
	 * inside the KLINE message (e.g. for a http:// address).
218	 *
219	 * Users rewriting this message into something that isn't even a valid
220	 * IRC command is the single most common cause of support requests and
221	 * therefore WE WILL NOT SUPPORT YOU UNLESS YOU USE ONE OF THE EXAMPLE
222	 * KLINE COMMANDS BELOW.
223	 * </WARNING>
224	 *
225	 * That said, should you wish to customise this text, several
226	 * printf-like placeholders are available:
227	 *
228	 *  %n     User's nick
229	 *  %u     User's username
230	 *  %h     User's irc hostname
231	 *  %i     User's IP address
232	 *
233	 */
234	kline = "KLINE *@%h :Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
235
236	/* A GLINE example for IRCu: */
237#       kline = "GLINE +*@%i 1800 :Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
238
	/* An AKILL example for services with OperServ.
	 * Your BOPM must have permission to AKILL for this to work!
	 */
#	kline = "PRIVMSG OperServ :AKILL +3h *@%h Open proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
243
244	/*
245	 * Text to send on connection, these can be stacked and will be sent in this order
246	 *
247	 * !!! UNREAL USERS PLEASE NOTE !!!
248	 * Unreal users will need PROTOCTL HCN to force hybrid connect
249	 * notices.
250	 *
251	 * Yes Unreal users!  That means you!  That means you need the line
252	 * below!  See that thing at the start of the line?  That's what we
253	 * call a comment!  Remove it to UNcomment the line.
254	 */
255#	perform = "PROTOCTL HCN";
256
257};
258
259
260/*
261 * OPM Block defines blacklists and information required to report new proxies
262 * to a dns blacklist.  DNS-based blacklists store IP addresses in a DNS zone
263 * file. There are several blacklist that list IP addresses known to be open
264 * proxies or other forms of IRC abuse. By checking against these blacklists,
265 * BOPMs are able to ban known sources of abuse without completely scanning them.
266 */
267
268OPM {
269	/*
270	 * Blacklist zones to check IPs against.  If you would rather not
271	 * trust a remotely managed blacklist, you could set up your own, or
272	 * leave these commented out in which case every user will be
273	 * scanned. The use of at least one open proxy DNSBL is recommended
274         * however.
275         *
276         * Blitzed is not associated with any of these DNSBLs, please check
277         * the policies of each blacklist you use to check you are comfortable
278         * with using them to block access to your server (and that you are
279         * allowed to use them).
280	 */
281
282        /* DroneBL - http://dronebl.org */
283#	blacklist {
284#	   /* The DNS name of the blacklist */
285#	   name = "dnsbl.dronebl.org";
286#
287#	   /*
288#	    * There are only two values that are valid for this
289#	    * "A record bitmask" and "A record reply"
290#	    * These options affect how the values specified to reply
291#	    * below will be interpreted, a bitmask is where the reply
292#	    * values are 2^n and more than one is added up, a reply is
293#	    * simply where the last octet of the IP is that number.
294#	    * If you are not sure then the values set for dnsbl.dronebl.org
295#	    * will work without any changes.
296#	    */
297#	   type = "A record reply";
298#
299#	   /* Kline types not listed in the reply list below.
300#            *
301#	    * For DNSBLs that are not IRC specific and you just wish to kline
302#            * certain types this can be disabled.
303#	    */
304#	   ban_unknown = yes;
305#
306#	   /* The actual values returned by the dnsbl.dronebl.org blacklist
307#	    * As documented at http://www.dronebl.org/howtouse.do */
308#	   reply {
309#              2 = "Sample";
310#              3 = "IRC Drone";
311#              4 = "Tor";
312#              5 = "Bottler";
313#              6 = "Unknown spambot or drone";
314#              7 = "DDOS Drone";
315#              8 = "SOCKS Proxy";
316#              9 = "HTTP Proxy";
317#              10 = "ProxyChain";
318#              255 = "Unknown";
319#	   };
320#
321#	   /* The kline message sent for this specific blacklist, remember to put
322#	    * the removal method in this.
323#	    */
324#	   kline = "KLINE *@%h :You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded.do?ip=%i&network=Network";
325#	};
326
327#        /* ircbl.ahbl.org - see http://ahbl.org/docs/ircbl
328#         * http://oldwww.temp.ahbl.org/docs/ircbl.php */
329#        blacklist {
330#           name = "ircbl.ahbl.org";
331#           type = "A record reply";
332#           ban_unknown = no;
333#           reply {
334#              2 = "Open proxy";
335#           };
336#           kline = "KLINE *@%h :Listed in ircbl.ahbl.org. See http://ahbl.org/removals";
337#        };
338
339         /* tor.dnsbl.sectoor.de - http://www.sectoor.de/tor.php */
340#        blacklist {
341#           name = "tor.dnsbl.sectoor.de";
342#           type = "A record reply";
343#           reply {
344#              1 = "Tor exit server";
345#           };
346#           ban_unknown = no;
347#           kline = "KLINE *@%h :Tor exit server detected. See www.sectoor.de/tor.php?ip=%i";
348#        };
349
350         /* rbl.efnet.org - http://rbl.efnet.org/ */
351#        blacklist {
352#           name = "rbl.efnet.org";
353#           type = "A record reply";
354#           reply {
355#              1 = "Open proxy";
356#              2 = "Trojan spreader";
357#              3 = "Trojan infected client";
358#              4 = "TOR exit server";
359#              5 = "Drones / Flooding";
360#           };
361#           ban_unknown = yes;
362#           kline = "KLINE *@%h :Listed in rbl.efnet.org. See rbl.efnet.org/?i=%i";
363#        };
364
365
366	/* example: NJABL - please read http://www.njabl.org/use.html before
367	 * uncommenting */
368#	 blacklist {
369#	    name = "dnsbl.njabl.org";
370#	    type = "A record reply";
371#	    reply {
372#	       9 = "Open proxy";
373#	    };
374#	    ban_unknown = no;
375#	    kline = "KLINE *@%h :Open proxy found on your host, please visit www.njabl.org/cgi-bin/lookup.cgi?query=%i";
376#	};
377
378	/*
379	 * You can report the insecure proxies you find to a DNSBL also!
380	 * The remaining directives in this section are only needed if you
381	 * intend to do this.  Reports are sent by email, one email per IP
382	 * address.  The format does support multiple addresses in one email,
383	 * but we don't know of any servers that are detecting enough insecure
384	 * proxies for this to be really necessary.
385	 */
386
387	/*
388	 * Email address to send reports FROM.  If you intend to send reports,
389	 * please pick an email address that we can actually send mail to
390	 * should we ever need to contact you.
391	 */
392#	dnsbl_from = "mybopm@myserver.org";
393
394	/*
395	 * Email address to send reports TO.
396         * For example DroneBL:
397	 */
398#	dnsbl_to = "bopm-report@dronebl.org";
399
400	/*
401	 * Full path to your sendmail binary.  Even if your system does not
402	 * use sendmail, it probably does have a binary called "sendmail"
403	 * present in /usr/sbin or /usr/lib.  If you don't set this, no
404	 * proxies will be reported.
405	 */
406#	sendmail = "/usr/sbin/sendmail";
407};
408
409
410/*
411 * The short explanation:
412 *
413 * This is where you define what ports/protocols to check for.  You can have
414 * multiple scanner blocks and then choose which users will get scanned by
415 * which scanners further down.
416 *
417 * The long explanation:
418 *
419 * Scanner defines a virtual scanner.  For each user being scanned, a scanner
420 * will use a file descriptor (and subsequent connection) for each protocol.
421 * Once connecting it will negotiate the proxy to connect to
422 * target_ip:target_port (target_ip MUST be an IP).
423 *
424 * Once connected, any data passed through the proxy will be checked to see if
425 * target_string is contained within that data.  If it is the proxy is
426 * considered open. If the connection is closed at any point before
427 * target_string is matched, or if at least max_read bytes are read from the
428 * connection, the negotiation is considered failed.
429 */
430
431scanner {
432
433	/*
434	 * Unique name of this scanner.  This is used further down in the
435	 * user {} blocks to decide which users get affected by which
436	 * scanners.
437	 */
438	name="default";
439
440	/*
441	 * HTTP CONNECT - very common proxy protocol supported by widely known
442	 * software such as Squid and Apache.  The most common sort of
443	 * insecure proxy and found on a multitude of weird ports too.  Offers
444	 * transparent two way TCP connections.
445	 */
446	protocol = HTTP:80;
447	protocol = HTTP:8080;
448	protocol = HTTP:3128;
449	protocol = HTTP:6588;
450
451	/*
452	 * SOCKS4/5 - well known proxy protocols, probably the second most
453	 * common for insecure proxies, also offers transparent two way TCP
454	 * connections.  Fortunately largely confined to port 1080.
455	 */
456	protocol = SOCKS4:1080;
457	protocol = SOCKS5:1080;
458
459	/*
460	 * Cisco routers with a default password (yes, it really does happen).
461	 * Also pretty much anything else that will let you telnet to anywhere
462	 * else on the internet.  Fortunately these are always on port 23.
463	 */
464	protocol = ROUTER:23;
465
466	/*
467	 * WinGate is commercial windows proxy software which is now not so
468	 * common, but still to be found, and helpfully presents an interface
469	 * that can be used to telnet out, on port 23.
470	 */
471	protocol = WINGATE:23;
472
473	/*
474	 * The HTTP POST protocol, often dismissed when writing the access
475	 * controls for proxies, but sadly can still be used to abused.
476	 * Offers only the opportunity to send a single block of data, but
477	 * enough of them at once can still make for a devastating flood.
478	 * Found on the same ports that HTTP CONNECT proxies inhabit.
479	 *
480	 * Note that if your ircd has "ping cookies" then clients from HTTP
481	 * POST proxies cannot actually ever get onto your network anyway.  If
482	 * you leave the checks in then you'll still find some (because some
483	 * people IRC from boxes that run them), but if you use BOPM purely as
484	 * a protective measure and you have ping cookies, you need not scan
485	 * for HTTP POST.
486	 */
487	protocol = HTTPPOST:80;
488
489	/*
490	 * IP this scanner will bind to.  Use this if you need your scans to
491	 * come FROM a particular interface on the machine you run BOPM from.
492	 * If you don't understand what this means, please leave this
493	 * commented out, as this is a major source of support queries!
494	 */
495#	vhost = "127.0.0.1";
496
	/* Maximum file descriptors this scanner can use.  Remember that there
	 * will be one FD for each protocol listed above, per user being
	 * scanned.  As this example scanner lists 9 protocols, it requires
	 * 9 FDs per user, so with a 512 FD limit it can scan 56 users _at the
	 * same time_.  That should be adequate for most servers.
	 */
503	fd = 512;
504
505	/*
506	 * Maximum data read from a proxy before considering it closed.  Don't
507	 * set this too high, some people have fun setting up lots of ports
508	 * that send endless data to tie up your scanner.  4KB is plenty for
509	 * any known proxy.
510	 */
511	max_read = 4096;
512
513	/*
514	 * Amount of time (in seconds) before a test is considered timed out.
515	 * Again, all but the poorest slowest proxies will be detected within
516	 * 30 seconds, and this helps keep resource usage low.
517	 */
518	timeout = 30;
519
520	/*
521	 * Target IP to tell the proxy to connect to
522	 *
523	 * !!! THIS MUST BE CHANGED !!!
524	 *
525	 * You cannot instruct the proxy to connect to itself! The easiest
526	 * thing to do would be to set this to the IP of your ircd and then
527	 * keep the default target_strings.
528	 *
	 * Please use an IP that is publicly reachable from anywhere on the
	 * Internet, because you have no way of knowing where the insecure
	 * proxies will be located.  Just because you and your BOPM can
	 * connect to your ircd on some private IP like 192.168.0.1, does not
	 * mean that the insecure proxies out there on the Internet will be
	 * able to.  And if they never connect, you will never detect them.
535	 *
536	 * Remember to change this setting for every scanner you configure.
537	 *
538	 */
539	target_ip     = "127.0.0.1";
540
541	/*
542	 * Target port to tell the proxy to connect to.  This is usually
543	 * something like 6667.  Basically any client-usable port.
544	 */
545	target_port   = 6667;
546
547	/*
548	 * Target string we check for in the data read back by the scanner.
549	 * This should be some string out of the data that your ircd usually
550	 * sends on connect.  The example below will work on most
551	 * hybrid/bahamut ircds.  Multiple target strings are allowed.
552	 *
553	 * NOTE: Try to keep the number of target strings to a minimum. Two
554	 *       should be fine. One for normal connections and one for throttled
555	 *       connections. Comment out any others for efficiency.
556	 */
557
558	/* Usually first line sent to client on connection to ircd.
559	 * If your ircd supports a more specific line (see below),
560	 * using it will reduce false positives.
561	 */
562	target_string = "*** Looking up your hostname...";
563
564	/* Some ircds give a source for the NOTICE AUTH (bahamut for example).
565	 * It is recommended you use the following instead of the generic
566	 * "*** Looking up your hostname..." if your ircd supports it.
567	 * This will reduce the chances of false positives.
568	 */
569#	target_string = ":server.yournetwork.org NOTICE AUTH :*** Looking up your hostname...";
570
571	/* If you try to connect too fast, you'll be throttled by your own
572	 * ircd.  Here's what a hybrid throttle message looks like:
573	 */
574	target_string = "ERROR :Trying to reconnect too fast.";
575
576	/* And the same for bahamut (comment this out if you're not using bahamut): */
577	target_string = "ERROR :Your host is trying to (re)connect too fast -- throttled.";
578};
579
scanner {
	/*
	 * Second scanner, named "extended".  It is only applied to users
	 * whose mask matches a user {} block below that names
	 * scanner = "extended"; see the first scanner for what each
	 * protocol does.
	 */
	name = "extended";

	/* HTTP CONNECT on additional ports. */
	protocol = HTTP:81;
	protocol = HTTP:8000;
	protocol = HTTP:8001;
	protocol = HTTP:8081;

	/* HTTP POST on additional ports. */
	protocol = HTTPPOST:81;
	protocol = HTTPPOST:6588;
#	protocol = HTTPPOST:4480;
	protocol = HTTPPOST:8000;
	protocol = HTTPPOST:8001;
	protocol = HTTPPOST:8080;
	protocol = HTTPPOST:8081;

	/*
	 * IRCnet have seen many socks5 on these ports, more than on the
	 * standard ports even.
	 */
	protocol = SOCKS4:4914;
	protocol = SOCKS4:6826;
	protocol = SOCKS4:7198;
	protocol = SOCKS4:7366;
	protocol = SOCKS4:9036;

	protocol = SOCKS5:4438;
	protocol = SOCKS5:5104;
	protocol = SOCKS5:5113;
	protocol = SOCKS5:5262;
	protocol = SOCKS5:5634;
	protocol = SOCKS5:6552;
	protocol = SOCKS5:6561;
	protocol = SOCKS5:7464;
	protocol = SOCKS5:7810;
	protocol = SOCKS5:8130;
	protocol = SOCKS5:8148;
	protocol = SOCKS5:8520;
	protocol = SOCKS5:8814;
	protocol = SOCKS5:9100;
	protocol = SOCKS5:9186;
	protocol = SOCKS5:9447;
	protocol = SOCKS5:9578;

	/*
	 * These came courtesy of Keith Dunnett from a bunch of public open
	 * proxy lists.
	 */
	protocol = SOCKS4:29992;
	protocol = SOCKS4:38884;
	protocol = SOCKS4:18844;
	protocol = SOCKS4:17771;
	protocol = SOCKS4:31121;

	/* Maximum file descriptors for this scanner: one is used per protocol
	 * listed above for each user being scanned (see the fd comment in the
	 * first scanner).
	 */
	fd = 400;

	/* If required you can add settings such as target_ip here;
	 * they will override the defaults set in the first scanner
	 * for this and subsequent scanners defined in the config file.
	 * This affects the following options:
	 * fd, vhost, target_ip, target_port, target_string, timeout and
	 * max_read.
	 */
};
644
645
646
647/*
648 * User blocks define what scanners will be used to scan which hostmasks. When
649 * a user connects they will be scanned on every scanner {} (above) that
650 * matches their host.
651 */
652
user {
	/*
	 * Users matching this host mask will be scanned with all the
	 * protocols in the scanner named.  Masks are in nick!user@host
	 * form; "*!*@*" matches every connecting user, so this block sends
	 * everyone through the "default" scanner defined above.
	 */
	mask = "*!*@*";
	scanner = "default";
};
661
user {
	/*
	 * Users matching any of these masks are additionally scanned with the
	 * "extended" scanner defined above.  The masks pick out usernames and
	 * hostnames that typically belong to proxy or cache software.
	 *
	 * Matching connections without ident ("*!~*@*") would cover a vast
	 * number of connections; very few proxies run ident though, so it is
	 * left commented out.
	 */
#	mask = "*!~*@*";
	mask = "*!squid@*";
	mask = "*!nobody@*";
	mask = "*!www-data@*";
	mask = "*!cache@*";
	mask = "*!CacheFlowS@*";
	mask = "*!*@*www*";
	mask = "*!*@*proxy*";
	mask = "*!*@*cache*";

	scanner = "extended";
};
677
678
679/*
680 * Exempt hosts matching certain strings from any form of scanning or dnsbl.
681 * BOPM will check each string against both the hostname and the IP address of
682 * the user.
683 *
684 * There are very few valid reasons to actually use "exempt".  BOPM should
685 * never get false positives, and we would like to know very much if it does.
686 * One possible scenario is that the machine BOPM runs from is specifically
687 * authorized to use certain hosts as proxies, and users from those hosts use
688 * your network.  In this case, without exempt, BOPM will scan these hosts,
689 * find itself able to use them as proxies, and ban them.
690 */
exempt {
	/*
	 * Never scan or DNSBL-check connections from the local host.  Add
	 * further masks only for the reasons described above; every exempt
	 * mask is a hole in your proxy detection.
	 */
	mask = "*!*@127.0.0.1";
};
694