Message Board

Tracking Harvesters/Spammers

 Can We Watch Snoopy?
Author: B.Garner2   (21 Aug 07 6:37pm)
I have been noticing a persistent IP exploring my forum...but yet they have never submitted anything.

I am consistently GBombed by someone, but from various dynamic IPs, open networks etc.

My forum is small, and wide open (which I want), and I have a pretty good handle on my Members' IP/Hosts etc, and do not at all recognise the following as being associated with a member or friend....but yet their explorations "seem" to coincide with major attacks (both before and after).

I don't wanna seem "overly" paranoid....and of course don't want to block a real or innocent "visitor/participant", so I have let them wander at will and not banned etc.

I'm just wondering if there is any strategy or process that I can implement, or is there maybe some process in the ProHoPo system(s) that would allow me to flag IP for shall we say, "Special Consideration".........ie; enhanced tracking....without really banning. Is there a "Suspected Attacker" process?

The Username, Login, LastPost, Forum, IP and host info is below:
Guest 21 Aug 2007 10:06 pm 21 Aug 2007 10:06 pm Hawaii Disc Golf DISCussion 38.99.44.102 crawl-11.cuill.com

Thanks for ALL!

db33 Admin - http://Resources.db33.com

(EDIT/ADDENDUM) Just went to my forum and there are 9 guests in there, all with the word "planet" in the addresses associated with various educational institutions....and many diff IP's.

Guest 21 Aug 2007 11:14 pm 21 Aug 2007 11:14 pm Logging on 192.17.239.250 planetlab1.cs.uiuc.edu
Guest 21 Aug 2007 11:14 pm 21 Aug 2007 11:14 pm Viewing profile 128.112.139.75 128.112.139.75
Guest 21 Aug 2007 11:13 pm 21 Aug 2007 11:13 pm Viewing profile 160.36.57.172 pl1.cs.utk.edu
Guest 21 Aug 2007 11:13 pm 21 Aug 2007 11:13 pm Viewing profile 128.112.139.75 128.112.139.75
Guest 21 Aug 2007 11:13 pm 21 Aug 2007 11:13 pm Announcements 192.17.239.253 planetlab4.cs.uiuc.edu
Guest 21 Aug 2007 11:13 pm 21 Aug 2007 11:13 pm Forum index 143.215.129.117 planet4.cc.gt.atl.ga.us
Guest 21 Aug 2007 11:12 pm 21 Aug 2007 11:12 pm Anti-GoogleBombing & Anti-SpamDexing Campaign 156.17.10.51 planetlab1.ci.pwr.wroc.pl
Guest 21 Aug 2007 11:12 pm 21 Aug 2007 11:12 pm Forum index 128.59.20.228 planetlab3.cs.columbia.edu
Guest 21 Aug 2007 11:12 pm 21 Aug 2007 11:12 pm Forum index 143.215.129.116 planet3.cc.gt.atl.ga.us

Post Edited (21 Aug 07 7:20pm)
 
 Re: Can We Watch Snoopy?
Author: P.Hauser   (21 Aug 07 8:15pm)
B.Garner2 wrote on 21 Aug 07 6:37pm:

> Guest 21 Aug 2007 10:06 pm 21 Aug 2007 10:06 pm Hawaii Disc Golf DISCussion 38.99.44.102 crawl-11.cuill.com

For 38.99.44.102 crawl-11.cuill.com please check http://www.cuill.com/twiceler/robot.html or http://www.cuill.com/index.html

B.Garner2 wrote on 21 Aug 07 7:20pm:

> 192.17.239.250 planetlab1.cs.uiuc.edu
> USA - Illinois University of Illinois
> 128.112.139.75 planetlab-7.CS.Princeton.EDU
> USA - New Jersey Princeton University
> 160.36.57.172 pl1.cs.utk.edu
> USA - Tennessee University of Tennessee
> 192.17.239.253 planetlab4.cs.uiuc.edu
> USA - Illinois University of Illinois
> 143.215.129.117 planet4.cc.gt.atl.ga.us
> USA - Georgia Georgia Institute of Technology
> 156.17.10.51 planetlab1.ci.pwr.wroc.pl
> Poland the network covers whole Wroclaw area
> 128.59.20.228 planetlab3.cs.columbia.edu
> USA - New York Columbia University
> 143.215.129.116 planet3.cc.gt.atl.ga.us
> USA - Georgia Georgia Institute of Technology

What's wrong with the word "planet"? All IPs seem to be proxies. You can tell this already from entering the IPs, one after another, into GOOGLE.

The guys could be net-gamers attacking your server with libwww-perl, they could be just reading or whatever evil.

What you cannot really tell from your logs is what exact URLs the guys are requesting on *.db33.com. Therefore you should check their exact requests in your Apache logs, if available. You seem to be hosted at Yahoo. Ask maybe if you can get access to the Apache-logs and check there.
 
 Re: Can We Watch Snoopy?
Author: P.Hauser   (21 Aug 07 8:19pm)
If access to the Apache-logs is not possible, since you're running a PHP-server, you could include a tracking-script, that could log a more detailed action of certain IPs, that you wanna "watch". To give you an idea, please check e.g. at http://www.kloth.net/internet/bottrap.php .

Though this is a blocking script, you could modify it to send you an email, as soon as certain IPs approach. If you're then convinced an IP is a harvester or an attacker, whatever evil, you could still block it from a second list with such a script. You could also check http:BL here with such a script and then block due to the result automatically.

Lots of additional information and HowTo's can be found here in the forum at the http:BL section or also e.g. at http://www.spamlinks.net/ .

Hope this helps a little.

Post Edited (22 Aug 07 5:03am)
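
Added example, not part of the posts above and not code from kloth.net or Project Honey Pot: a PHP include that implements the "watch without banning" idea from this thread, with a log-only watch list, a separate block list, and an http:BL lookup recorded alongside each watched request. The list entries, log path, function names and access-key placeholder are assumptions made for illustration.

```php
<?php
// Added example: every name, path and address below is an assumption.
const WATCH      = ['192.0.2.0/24', '198.51.100.17/32']; // log only (constructed)
const BLOCK      = ['203.0.113.9/32'];                   // second list: refuse
const LOG_FILE   = '/var/tmp/forum-watch.log';           // assumed path outside web root
const HTTPBL_KEY = 'YOUR_ACCESS_KEY';                    // placeholder http:BL key
// True when IPv4 address $ip falls inside $cidr (assumes 64-bit PHP integers).
function in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $mask = (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}
// http:BL is queried over DNS as <key>.<reversed octets>.dnsbl.httpbl.org.
// A listed address answers 127.<days since last seen>.<threat score>.<type>;
// type 0 is a search engine, 1/2/4 are bit flags for suspicious / harvester /
// comment spammer. An unlisted address does not resolve.
function httpbl_lookup(string $ip): ?array {
    $rev = implode('.', array_reverse(explode('.', $ip)));
    $name = HTTPBL_KEY . '.' . $rev . '.dnsbl.httpbl.org';
    $answer = gethostbyname($name);   // returns $name unchanged on failure
    $o = explode('.', $answer);
    if ($answer === $name || count($o) !== 4 || $o[0] !== '127') {
        return null;
    }
    return ['days' => (int)$o[1], 'threat' => (int)$o[2], 'type' => (int)$o[3]];
}
// Returns 'block', 'watch' or 'pass'; watched visitors are logged, never refused.
function watch_request(array $server): string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return 'pass';
    $hit = fn(array $list) => (bool)array_filter($list, fn($c) => in_cidr($ip, $c));
    if ($hit(BLOCK)) return 'block';
    if (!$hit(WATCH)) return 'pass';
    // JSON escapes newlines, so a crafted User-Agent cannot forge log lines.
    $entry = json_encode([
        'time'   => gmdate('c'),
        'ip'     => $ip,
        'method' => $server['REQUEST_METHOD'] ?? '',
        'uri'    => $server['REQUEST_URI'] ?? '',
        'agent'  => $server['HTTP_USER_AGENT'] ?? '',
        'httpbl' => httpbl_lookup($ip),
    ], JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents(LOG_FILE, $entry . "\n", FILE_APPEND | LOCK_EX);
    return 'watch';
}
if (PHP_SAPI !== 'cli' && watch_request($_SERVER) === 'block') {
    http_response_code(403);
    exit;
}
```

Load it with `require` at the top of the forum's entry script or through the `auto_prepend_file` setting. The DNS lookup runs only for addresses on the watch list, so ordinary visitors see no added latency.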


