Message Board

http:BL Use/Development

Older Posts ]   [ Newer Posts ]
 Submitting IPs to the http:BL
Author: R.Rodgers2   (26 Jan 16 12:26pm)
I'm working on two different projects from which I could submit my data back to http:BL. One is a honeypot in its own right; the domain on which it's run doesn't have any content, and yet on a regular basis it gets probed for various software packages and exploits. As I keep track of that information in a database, it wouldn't be hard for me to contribute that data, live or otherwise, back to Project Honey Pot's http:BL.

On a separate project, which is going to be some site software, repeated failed attempts to login within a short period results in the origin IP getting blocked automatically for a temporary period of time, and eventually permanently if attempts to access the site continue before the temporary block expires. Again, it wouldn't be difficult to submit those IP addresses back to http:BL.

What I'm not seeing, however, is an API for doing so. Am I just missing it or is it a part of the Apache module?

Thanks,
Raymond
 
 Re: Submitting IPs to the http:BL
Author: R.Rodgers2   (3 May 16 9:27pm)
Still no reply to my message. Is it not possible to submit IPs to the http:BL and is it customary to for the project devs/forum admins to leave messages dangling like this? Even if the answer is "no", that's better than no response at all.
 
 Re: Submitting IPs to the http:BL
Author: H.User1325   (4 May 16 9:04am)
As one user to another, I believe the answer is 'no'.

Project Honey Pot has a system by which they collect data. See <Home> <Manage Honey Pots> or <Home><Manage Quicklink>

By this process they collect the IP addresses of documented harvesters and spammers. When a harvester collects a unique email address from honey Pot, they become a confirmed harvester when an email (spam) is received by that unique mailbox. At the same time the sender is also confirmed as a spammer.

The situations you described address different issues, I think.

Lou
 
 Re: Submitting IPs to the http:BL
Author: R.Rodgers2   (17 May 16 1:22pm)
Given that the API (http://www.projecthoneypot.org/httpbl_api.php ) specifies support for identifying comment spammers, which don't [necessarily] involve harvesters or mail being sent to a MX trap, I would think there would be some method of reporting IPs that posted suspicious or confirmed spam comments. That is, of course, assuming that this portion of the specification and API is actually in use.

But, frankly, I'm not sure that it is.
 
 Re: Submitting IPs to the http:BL
Author: H.User1325   (17 May 16 7:08pm)
Good point. I just check a several of comment spammers on a forum I manage and checking the httpBL I get

1 days 25 score Suspicious Comment Spammer 89.163.135.98, for example

So that does, as you suggest, raise the question of how that data gets into the database.

I do not know. Lou
 
 Re: Submitting IPs to the http:BL
Author: R.Rodgers2   (19 May 16 1:22pm)
Thanks nonetheless, Lou. Hopefully we'll get an answer eventually.
 
 Re: Submitting IPs to the http:BL
Author: D.Howe   (9 Apr 17 1:41pm)
Your answer is in the FAQ:

"In addition to including specially tagged spam trap addresses, some honey pots also include special HTML forms. Comment spammers are identified by watching what information is posted to these forms."
 
 Re: Submitting IPs to the http:BL
Author: R.Rodgers2   (15 Apr 17 12:17am)
Not really; as I indicated, I've already got code that detects attacks, and my primary site that does this doesn't have any forms at all; it's a simple site that happens to record and track requests to pages that don't exist, including POST requests... There's no honeypot at all. All I'd like to do is feed the IPs exhibiting bad behavior (trying to access or POST to pages that never existed on the site, for example) through to Project Honeypot.

Even if I wanted to use the form concept, there's no information on doing that outside of the libraries provided which are out of date and explicitly state you're not really allowed to update or customize them.
 
 Re: Submitting IPs to the http:BL
Author: D.Howe   (15 Apr 17 4:38am)
right. AFAIK, you cannot use your own definition of what is bad behavior and tell this project to blacklist an IP. The supplied honeypots have a mechanism for catching comment spammers, if you don't want to use that then I don't think you have an alternative.
 
 Re: Submitting IPs to the http:BL
Author: R.Rodgers2   (20 Jun 17 7:25pm)
Well, I think the project is missing valuable opportunities, not just from me, but from other developers. Even if you don't take my word for what is plainly malicious behavior, you could add the IP to a greylist, ignoring additional reports for the original reporter for a limited time, but gradually increasing the threat level with reports from other sites. Once it passes a threshold limit, it's officially flagged as a malicious IP. That's how I would do it at least.

For the record, I am writing site software that can use the project to prevent spam in combination with other services, but spam is just one comparatively small avenue of attack on websites.



You may browse the discussion topics, but you must sign in to post. If you do not have an account, you can create one for free.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email