Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 Port Huron Labs
Author: C.Dijkgraaf   (20 Feb 05 11:28pm)
The Harvester User Agents of Port Huron Labs is showing some interesting behaviour on my site.
1) It is only requesting one page from my site (showall.php) which is a page that shows all entries in my guestbook (a prime e-mail harvesting page, except I've encoded the e-mail addresses with JavaScript).
2) It seems to have started requesting this page on the 17th of Feb and seems to be requesting the page more and more times every day
17th 4 times
18th 5 times
19th 8 times
20th 14 times
In fact on the 20th it was getting close to requesting the page every hour.
3) Both the IP addresses it uses 200.48.92.123 and 200.106.40.145 are in Peru.

Has anyone else noticed this behaviour?

Colin
 
 Re: Port Huron Labs
Author: M.Prince   (21 Feb 05 12:59am)
I searched our records for harvesters with that IP. We've seen lots of traffic from harvesters with the Useragent "Port Huron Labs." In fact, that Useragent is responsible for about 4% of the harvester traffic we see. However, we've seen it almost entirely from the following IPs so far:

68.1.187.15
68.109.72.40
201.240.41.86
200.48.230.25

I did a search of the IPs of "Port Huron Labs" that are hitting your server. While I didn't get exact matches, I did find something "in the neighborhood":

200.48.92.48

Details:

http://www.projecthoneypot.org/i_f9f98347f97aa121d169a21dece97e14

A lot of general "promoting your website" spam messages, but looks like the harvester may be associated with some more professional spammers.
 
 Re: Port Huron Labs
Author: C.Dijkgraaf   (9 Mar 05 10:37pm)
Looking at the stats targeting my site it has
200.106.108.38 5 2005-02-22 2005-02-22
200.106.40.145 4 2005-02-21 2005-02-22
However when I look at my web log I see that 200.106.108.38 hit the page 6 times, and 200.106.40.145 hit the page 5 times, both once more that the stats are showing.
What would be the reason for this difference?

They also visited later [27/Feb/2005:05:33:52 +1300] but from a different IP address 200.60.250.6, but that hasn't been identified as a harvester yet, and as I haven't seen any more sign of them they may have cottened on to the fact their bot was getting redirected to a honeypot.


Colin



do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–17, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email