Message Board

Bugs & Development

 Tracking Bots with Dynamic IPs
Author: N.Martin2   (26 Jul 09 11:33am)
Since implementing http:BL, I've noticed that the bots that are still getting through to our own system are almost all ones which are using dynamic IP addresses. It would seem that these bots tend to have lower threat scores because their activity is distributed across several to many IP addresses. I can easily see from our logs when there are definite or probable dynamic IPs in play ... does Project Honey Pot implement any way to track and associate these dynamic IPs? It doesn't appear that it does, but it would be a heck of a good idea to do that. If you need any help with determining ways to identify the dynamic IPs, let me know.
 
 Re: Tracking Bots with Dynamic IPs
Author: M.Prince   (27 Jul 09 2:21am)
We're working on ways to acquire more data about connection information, including whether the IP is dynamic. We're not yet sure how we'll integrate this data with http:BL, but it should begin showing up on the website shortly.

There's a tradeoff, of course, with increasing the threat rating if someone is coming from a dynamic IP. The risk is that you'll list an IP that was used by a bad guy one day that is then used by a good guy later. Maybe a threat is higher if it comes from a dynamic IP but the listing expires much faster? Not sure what the best way to handle it is.

Beyond that, we're working on a bunch of projects to try to better identify connections that belong to known good and bad guys and give our users the information to deal with them.
 
 Re: Tracking Bots with Dynamic IPs
Author: N.Martin2   (27 Jul 09 8:57am)
It is not clear to me how your form traps work, since it appears that my own honey pot only generates the harvester traps (is it possible, by the way, for my honey pot to do both? Or to choose which type of trap it is?) ... do the forms encourage, for example, multiple attempts? Or are there multiple forms available for submission from the same honey pot page? My observation has been that these dynamic IPs invariably incriminate all or several of their counterparts at once, if given the chance. It would be unfortunate if the current system is not capable of identifying that several IPs at once are associated with "bad event(s)."

Also, it may not be clear what I meant by "dynamic IP." I believe that, in most circumstances, dynamic IPs change each time a legitimate user connects to their ISP, not each and every time they load the page on a Web site. My observations have shown that these bots are using a different IP for each time they attempt to submit spam through the forms ... within a matter of (sub)seconds, and submitting the same data, including dynamic form field names which should be unique to every visitor and every visit. Additionally, as an example, the last instance I have observed showed an attempt first from an IP address in the US, then from India, and finally from Japan. This does not sound like a legitimate pool of IPs that would be used by a legitimate user through a legitimate ISP.
 
 Re: Tracking Bots with Dynamic IPs
Author: M.Prince   (27 Jul 09 3:17pm)
There aren't different honey pot types for different kinds of traps. Instead, the honey pots generate a number of different traps depending on the characteristics of the IP that is visiting them. Just because the form traps aren't showing up when you visit your own trap doesn't mean that they're not showing up when suspected comment spammers visit.

As for the bots using different IPs, we are tracking that. There appear to be a growing number of comment spammers who are using two different types of bots: hunters and posters. The hunters look for vulnerable forms and sign up for accounts. The posters then hammer those forms with spam. This follows the email spammer model, where there are harvesters that pick up the email addresses and then mail servers that send to them.

Just like the email spammers, the forum/blog/comment spammers appear to be using computers that are part of botnets in order to do the posting. That means they are usually part of a legitimate ISP's network and are being used by a legitimate user whose machine has been compromised by a virus, trojan, or worm. We track those events as they happen and report them back out via http:BL.

The hunter bots we have not tracked as well to date. We're updating our traps in order to track these hunters in the same way we track email harvesters (e.g., make every form slightly unique so that we can associate subsequent posts back to the original hunter). While stopping the posters is important, stopping the hunters is actually an even more effective way of remaining safe from comment spam.
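The "make every form slightly unique" idea in the post above can be shown in a few dozen lines: each rendered form carries a hidden token minted for that one page view and bound to the IP that fetched it, and every later POST carrying that token is attributed back to that fetching IP, whatever IP actually posts. The Python below is an added example written for this page, not Project Honey Pot's own trap code; the secret, IP addresses and the `FormTracker` class name are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side secret used to authenticate tokens. In a real deployment
# load it from configuration; never hard-code it as done here for the example.
SERVER_SECRET = b"example-secret-do-not-use"


@dataclass
class FormTracker:
    """Issue one unique hidden token per rendered form, then map any post that
    carries the token back to the IP that was served the form (the 'hunter')."""
    secret: bytes = SERVER_SECRET
    issued: dict = field(default_factory=dict)        # nonce -> IP that fetched the form
    associations: list = field(default_factory=list)  # (poster_ip, hunter_ip, nonce)

    def _mac(self, nonce: str) -> str:
        # HMAC stops a bot from fabricating tokens that were never issued.
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()[:32]

    def render_form(self, visitor_ip: str) -> str:
        """Return the hidden-field value for one page render; every visit differs."""
        nonce = secrets.token_hex(8)
        self.issued[nonce] = visitor_ip
        return f"{nonce}.{self._mac(nonce)}"

    def record_post(self, poster_ip: str, token: str):
        """Validate the token and attribute the post to the IP that fetched the form.
        Returns the hunter IP, or None for a forged or unknown token."""
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(nonce)):
            return None
        hunter_ip = self.issued.get(nonce)
        if hunter_ip is None:
            return None
        self.associations.append((poster_ip, hunter_ip, nonce))
        return hunter_ip

    def posters_for(self, hunter_ip: str):
        """All IPs that posted through forms this hunter fetched."""
        return sorted({p for p, h, _ in self.associations if h == hunter_ip})


def demo():
    """Constructed scenario: one hunter fetches the form, two posters replay it,
    a third tries a made-up token."""
    tracker = FormTracker()
    token = tracker.render_form("203.0.113.5")          # constructed hunter IP
    hunters = [tracker.record_post(ip, token)
               for ip in ("198.51.100.7", "198.51.100.8")]  # constructed poster IPs
    forged = tracker.record_post("198.51.100.9", "deadbeef.0000")
    return tracker, hunters, forged


if __name__ == "__main__":
    tracker, hunters, forged = demo()
    print("posts attributed to:", hunters)
    print("forged token accepted:", forged is not None)
    print("posters for 203.0.113.5:", tracker.posters_for("203.0.113.5"))
```

Note that the token is deliberately not single-use: the point is to collect every poster that replays a form the hunter harvested, so the nonce-to-hunter mapping has to outlive the first submission. Tokens should still expire after some days, otherwise the `issued` table grows without bound.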
 
 Re: Tracking Bots with Dynamic IPs
Author: N.Martin2   (27 Jul 09 6:21pm)
Not only do I not see forms in my honey pot, it appears that no bots do either, according to my statistics, unless I'm misreading these?

----------------------------------------------------
# Harvester visits to your site(s): 327
# Spam traps issued on your sites: 1,187
# Spam received at your addresses: 520

# Comment spam posts to your site(s): 0
----------------------------------------------------

I know for certain that the form bots definitely visit our sites, in general. Prior to implementing the http:BL, we were getting an average of 400-600 attempted form submissions from bots across ~150 domains on a daily basis, as identified by our own spam prevention system.

Re hunters/posters -- that's interesting, but what I'm referring to seems to be different ... I have seen a single bot attempt to post to the same form up to 6-8 times from 6-8 different IP addresses all within a few seconds.

Post Edited (27 Jul 09 6:22pm)
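The behaviour N.Martin2 describes here and in the 27 Jul 8:57am post (one bot replaying an identical payload, including per-visit dynamic field names, from six to eight IPs within seconds) is invisible to a per-IP threat score but easy to pick out of a submission log by fingerprinting payloads and counting distinct source IPs inside a short window. The Python below is an added example written for this page, not Project Honey Pot code or N.Martin2's own spam-prevention system; the log rows, field names and IP addresses are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample submission log: (timestamp, client IP, submitted fields).
# The first four rows imitate one bot replaying the same payload, including the
# per-visit dynamic field names, from four different IPs inside a few seconds.
SAMPLE_SUBMISSIONS = [
    ("2009-07-27 18:01:00", "198.51.100.10", {"f_a19x": "cheap pills", "f_q77z": "http://spam.example/"}),
    ("2009-07-27 18:01:01", "203.0.113.44",  {"f_a19x": "cheap pills", "f_q77z": "http://spam.example/"}),
    ("2009-07-27 18:01:02", "192.0.2.201",   {"f_a19x": "cheap pills", "f_q77z": "http://spam.example/"}),
    ("2009-07-27 18:01:03", "198.51.100.77", {"f_a19x": "cheap pills", "f_q77z": "http://spam.example/"}),
    # A different visitor who got their own field names and posted once: not flagged.
    ("2009-07-27 18:30:00", "192.0.2.9",     {"f_m31k": "nice article", "f_z02c": ""}),
]


def payload_fingerprint(fields):
    """Hash of field names and values in canonical order; exact replays share a fingerprint."""
    canon = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_distributed_bursts(submissions, window_s=10, min_ips=3):
    """Return {fingerprint: sorted IPs} for payloads posted from at least min_ips
    distinct IPs within any window_s-second span. Each IP alone looks harmless;
    the group does not, and every member deserves the same threat rating."""
    by_fp = defaultdict(list)
    for ts, ip, fields in submissions:
        by_fp[payload_fingerprint(fields)].append((_parse(ts), ip))

    bursts = defaultdict(set)
    for fp, events in by_fp.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_ips:
                bursts[fp].update(ips)
    return {fp: sorted(ips) for fp, ips in bursts.items()}


def replayed_field_names(submissions):
    """Field-name sets that should be unique to one page view but were posted by
    more than one IP. Catches the same bot even when it varies the spam text."""
    ips_by_names = defaultdict(set)
    for _, ip, fields in submissions:
        ips_by_names[frozenset(fields)].add(ip)
    return {tuple(sorted(names)): sorted(ips)
            for names, ips in ips_by_names.items() if len(ips) > 1}


if __name__ == "__main__":
    for fp, ips in find_distributed_bursts(SAMPLE_SUBMISSIONS).items():
        print(f"payload {fp} posted from {len(ips)} IPs: {', '.join(ips)}")
    for names, ips in replayed_field_names(SAMPLE_SUBMISSIONS).items():
        print(f"field names {names} replayed by {ips}")
```

The two checks are complementary: `find_distributed_bursts` needs the spam text to be identical, while `replayed_field_names` only needs the bot to reuse the field names it scraped from one page view, which is exactly the tell described in the post. Tune `window_s` and `min_ips` to the site; a legitimate user behind a carrier NAT can change address between page load and submit, but not three times in ten seconds with the same form.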
 
 Re: Tracking Bots with Dynamic IPs
Author: M.Prince   (28 Jul 09 2:27am)
What scripting language is your honey pot?

Just because you're not getting posts doesn't mean the forms aren't showing. It can take time for the hunters to find the forms.
 
 Re: Tracking Bots with Dynamic IPs
Author: N.Martin2   (28 Jul 09 8:28am)
PHP. I find it highly unusual if there have been no form submissions after a few weeks, but if you think that's normal, I guess I should wait a little longer.
 
 Re: Tracking Bots with Dynamic IPs
Author: B.L5   (31 Jul 09 3:58pm)
I have:
----------------------------------------------------
# Harvester visits to your site(s): 36
# Spam traps issued on your sites: 933
# Spam received at your addresses: 84

# Comment spam posts to your site(s): 143
----------------------------------------------------

Try re-downloading your honeypot. It might just be an old version.
 
 Re: Tracking Bots with Dynamic IPs
Author: N.Martin2   (1 Aug 09 5:12pm)
I guess I can try that, but I downloaded it just a couple weeks ago....
 
 Re: Tracking Bots with Dynamic IPs
Author: N.Martin2   (8 Sep 09 9:16am)
Still no form bots showing up after all this time. Last night I set up an output buffer around the project honey pot code, saving a log of the HTML generated for visiting bots. Since last night, there have been 74 visits so far and the HTML for all of them is IDENTICAL, save that the e-mail address is unique in each. There are no forms, thus no form bot submissions....
 
 Re: Tracking Bots with Dynamic IPs
Author: M.Prince   (13 Sep 09 2:32am)
What scripting language do you have installed?
 
 Re: Tracking Bots with Dynamic IPs
Author: C.Anderson3   (21 Apr 10 1:21am)
Potentially, we could also add communication from forums back to the network, i.e., whenever a post occurred or a user registered on any participating forum, a central service would be notified and could then detect and send bulletins on spam-like trends, such as rapid-fire posting from a particular IP.

Clark
ccna
USA
 
 Re: Tracking Bots with Dynamic IPs
Author: H.User1939   (12 Apr 11 11:15am)
Well, right now it seems that SMF forums have the most problems with forum spambots. So far Project Honey Pot cannot determine the spam the bots are leaving, but there is also some evidence that most of the spam being sent has its emails hidden, and, due to SMF's code, most are not allowed to display IP addresses, even to all admins. This could lead to spam groups such as the Russian Business Network successfully compromising the server and the forum, to where all bots will be directed to that forum; plus they use links to spamvertised sites that no blacklist can see as harmful or spamming, which is not right. Even so, it seems that in Russia they can get around filters and even CAPTCHA filtering. It is a never-ending cycle when it comes to saying forum spambots are undetectable and untraceable, leading to a roadblock. I just feel that soon Russia may just take over the entire internet for their economy and destroy others.
 
 Re: Tracking Bots with Dynamic IPs
Author: J.Eaton   (23 Jul 11 6:03am)
Admins are able to see IP addresses in SMF forums, and you can allow your admin users to see these too; SMF has a built-in lookup on these IP addresses. There are a couple of mods that can be installed into your forums to stop the bots; one is where extra questions have to be answered before registration can be successful. Also block certain email domains: @mail.com, @gmail.com, @mail.ru etc.

Set your forum so that an admin needs to approve registration, and then authenticate via email. You can also set the forum to prevent links from being posted, in our case until a certain level has been attained. You can mask email addresses within the forums, even have posting go via the forum if need be, with a captcha every step of the way.

I have found SMF forums to be about the best there is, and it is modular so you can plug in or out accordingly.

Check it out on (http://tgsquad.com/Scripts/smf/).

As for Russia taking over the internet, it will never happen, the world can and should put the black hole on all of these offending countries who condone or fail to act upon this kind of action.

One of our game servers was receiving some 300-400 port scans every 21 hours out of 24 from China. Now we have a black hole for China and most of the APNIC numbers with only a few IP ranges covering Australia being allowed through.

If hosts, ISPs and/or countries want to behave badly or allow bad behaviour then they must accept the fact they are going to be locked out, not too unlike a UN sanction.

Copyright © 2004–17, Unspam Technologies, Inc. All rights reserved.