Message Board

http:BL Use/Development

Inconsistent responses

Author: D.Shechtman (20 May 07 1:02pm)

My phpBB MOD seems to be working OK. However, I noticed that http:BL suffers from occasional glitches, i.e. different responses for the same IP at the same time:

http://forums.phpbb.cc/download.php?id=10

I double-checked my code; you may see for yourself, the package is freely downloadable. If you are downloading version 0.9.1 (or later), the relevant code changes are in httpbl/contrib/admin_inspect_ip.txt

My guess would be that several requests in a row result in mingled responses due to excessive caching.

Post Edited (26 May 07 4:03am)

Re: Inconsistent responses

Author: M.Janssen (20 May 07 3:24pm)

Is your DNS service reliable enough? It might the cause of some problems and return a NXDOMAIN on the first attempt and a valid response on the second attempt.

Re: Inconsistent responses

Author: M.Prince (20 May 07 4:43pm)

Huh. First report of anything like this. Could be caching somewhere along the DNS chain. Could also be different http:BL root DNS servers being slightly out of sync for newly added/updated records and you bouncing between the two. We'll investigate.

Re: Inconsistent responses

Author: E.Langheinrich (20 May 07 7:51pm)

I've checked the http:BL dns servers individually and 128.214.20.204 is not listed on any of them. I also checked the logs to see what responses http:BL has giving for any query ever for 128.214.20.204 and see no response other than an NXDOMAIN has ever been given.

Keep in mind, that the http:BL dns servers do not cache results. Your intermediary DNS server may cache, but the main http:BL servers do not.

Re: Inconsistent responses

Author: D.Shechtman (21 May 07 2:43am)

I see.

Here's another example. 66.232.125.138 is listed as a comment spammer, but was able to register on one of my boards.

Is there an option to query http:BL directly?

Re: Inconsistent responses

Author: D.Shechtman (21 May 07 2:54am)

P.S. 128.241.20.204 is TMCrawler. It maybe not listed on http:BL, but is known to P.H.P.

Re: Inconsistent responses

Author: M.Prince (21 May 07 1:13pm)

A few things.

First, you should not query the root DNS servers of Project Honey Pot, but instead should query your own local DNS. If there is something wrong with your local DNS then I'd suggest using something more reliable. For example, OpenDNS provides a great, free service that should work great in conjunction with http:BL.

Second, in order to figure out what's going on you need to provide more details. You list, for instance, 66.232.125.138. That IP currently is listed in the http:BL. However, it wasn't listed until 5/8/07 -- the date on which it was confirmed as a comment spammer. If the registration was before that date, the the listing would not be active. If the listing was after that date, then I would suspect either something is wrong with the code you're using, or something is wrong with your local DNS.

Finally, please remember that just because something has been seen by our network of traps does not mean that we're going to list it on http:BL. You suggest that 128.241.20.204 is TMCrawler. If the crawler has not exhibited harvesting, comment spamming, or other malicious behavior then we will not list it on http:BL. Imagine if we did otherwise. Suddenly the IPs of a number of our own members, who have visited their own honey pots to make sure they are working, would be listed. This would be a perverse outcome.

Re: Inconsistent responses

Author: D.Shechtman (26 May 07 4:06am)

I don't "suggest that 128.241.20.204 is TMCrawler". Your IP inspection service says so (And this one has been known as a rogue crawler).

I just started a "Known issues" thread on the phpBB.cc forum, inviting users to report http:BL false positives/negatives:

http://forums.phpbb.cc/viewtopic.php?f=9&t=22

Post Edited (26 May 07 4:07am)