 get trapped myself...
Author: D.Clerici   (16 Sep 08 6:16pm)
Well, I already asked support about it, btw in the last period I got trapped myself in my own honey pots, lol, even if my IP is clean.

Actually I have 87.15.1.181; if you look at it you can see that it has been trapped doing nothing (it's myself getting trapped on my own site...), my traps simply seem to work for me only.

And my system here is clean, no viruses or malware; it did the same whatever OS I was using (I can use Vista, Mac OS and Linux).

Today I got trapped again (I left only one page with the http:BL check or I couldn't access my board); the script said that it has to be updated, I went to update and it does not generate the script...

I thought it was the browser, so I copied the link and pasted it into another browser (IE); the reply was that I was violating the terms of use and my account would be suspended...

Lol, I don't know what's happening, it worked like a charm till a couple of weeks ago...

Actually I'm forced to uninstall the whole system; whatever IP I switch to (I have dynamic IPs, I simply turn off the router for a while) I get trapped even if the IP is clean...

The other users seem not to be affected by this...

I think I'll be forced to uninstall everything, that's a shame, I've also donated a lot of MX records...

Hints are welcome of course...
 
 Re: get trapped myself...
Author: M.Prince   (16 Sep 08 11:36pm)
What software are you using to access http:BL? It may be that it is misconfigured.

I'm having our engineers look into whether you're actually listed in http:BL. Since you've visited your honey pot from so many different IPs in the same netblock it may be that you've triggered a rule that lists the entire netblock. However, that'd be very, very strange. The system is designed so that you have to commit at least one bad act (sending to a spamtrap email address, posting to a spam form) in order to make your IP suspicious.

We're looking into it!
 
 Re: get trapped myself...
Author: D.Clerici   (17 Sep 08 8:13am)
Thank you, btw I'm also unable to download the new script for my site (you can see it in my profile); it simply doesn't let me download anything...

I used different software in order to see if it was related to that, or maybe some viruses, btw I used

Internet explorer
Firefox
on Vista64

KDE browser
on linux


and Safari
Firefox

on Mac osx 10.5.4

Linux and Leopard are vanilla installations

I also tried with my other laptop, no way; as you said, it looks like a netblock on my ISP (Italian provider, Telecom Italia)

I always used a router, I don't think it's related

I can also modify my own script to use http:BL excluding my IP or my netblock before calling the script (I did it for another Italian provider which works like a big internal LAN with few external IPs shared by all the users; I excluded the single fixed IP of one of my users), but I prefer to have it working because my country is infested by spammers...

Thank you for the help

Post Edited (17 Sep 08 8:18am)
 
 Re: get trapped myself...
Author: M.Prince   (17 Sep 08 5:49pm)
I still don't see what script you're using to access http:BL.

The netblock you're in is all listed as suspicious. I don't know if that's because you hit the trap from so many different IPs or because you have naughty neighbors.

One thing you should consider doing is increasing the minimum threat score that triggers an IP being blocked. Your IP is reporting a threat score of "1" -- the lowest possible threat score above "0" (which means safe). That's fairly strict. Increasing that above 1 should solve your problem. I don't know what script you're using, so I'm not sure how you'd go about making that change.

Finally, every script that accesses http:BL should have some mechanism in place to white list individual IPs. We suggest the use of a CAPTCHA or other method for the white listing. I don't know what script you're using to access http:BL, so I can't tell you whether or not it was built to include a white list.
 
 Re: get trapped myself...
Author: D.Clerici   (18 Sep 08 4:59pm)
Thank you for the reply, below is my script. It's working on a phpBB board (I removed my key and the name of the file with the honey pot, of course).

The main use of http:BL on my site is to redirect the spammers to the honey pot, preventing them from using the scripts for posting on phpBB boards. I also have the usual "email honey pots" on the whole site. If they pass the http:BL barrier, there are other antispam systems active (it happens on 2-3% of the spammers' attacks).

You can even see how I excluded an individual IP from checking (213.156.52.110); this IP comes from a netblock of an ISP that uses few public IP addresses and all the customers are like behind a big LAN.

The script is called and if the IP is blacklisted it sends the user to the honey pot; that is why I got trapped. Yes, it's a kind of "loop", but it could be useful to obtain more data from the spammer (for example, the scripts that they use to spam change the browser agent automatically and randomly).

In order to get back to posting on my board I had to raise the threat score to 3, as you can see.

Well, I have to say that I don't understand the policy of marking a whole netblock as "suspicious"; it looks like those CIA public reports about how dangerous a country is. I'm slightly offended by this policy and thought that you marked individual IPs and not whole netblocks. As far as I know a lot of spam is generated by computers infested by viruses and malware used as slave machines; analyzing the IPs of real spammers attacking my site, I found that they come almost all from the TOR network, so I don't know how fair it can be to mark my ISP netblock as suspicious. Actually it resulted in marking my actual IP (that is clean) on Project Honey Pot even if it never did anything other than being included in a suspicious netblock (and being trapped on *my own* honey pot).

The http:BL helped a lot on my site; still, even with the threat score set to 1 not all spammers were caught. Actually it's called only when a user tries to post something (not when they connect to the site; I thought it would have generated a lot of traffic to Project Honey Pot).

I don't know in which way your project is going, btw other systems, like the one used by PunkBuster to kick away cheaters in online games, keep a trace of the hardware of the offender's PC (typically MAC address and HD internal code). You could think of something like that, as a plugin for the browsers, that sites like mine could ask the user to have installed in order to access some parts of the site, something that generates an individual string based on the hardware of the computer. Well, everything can be done in order to avoid this check, but it could be a bit hard for "generic" spammers.

That said, thank you for your reply. I "fixed" my problem but my site is more vulnerable now; I'll keep a trace of the spammers' attacks and then decide if keeping the script with the threat score at 3 is worth using http:BL.

------------

<?php
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}
// One individual IP (a shared ISP address) is excluded from the check entirely.
if ($_SERVER['REMOTE_ADDR'] != "213.156.52.110") {
    function httpbl_check_referer() {
        global $_SERVER;
        $key = 'xxxxxxxxx';
        // Query <key>.<d>.<c>.<b>.<a>.dnsbl.httpbl.org for client a.b.c.d.
        // A listed IP answers 127.<days since last activity>.<threat score>.<type>;
        // an unlisted IP gets NXDOMAIN, so gethostbyname() returns the name unchanged
        // and $result[0] is not 127.
        $result = explode( ".", gethostbyname( $key . "." . implode ( ".", array_reverse( explode( ".", $_SERVER["REMOTE_ADDR"] ) ) ) . ".dnsbl.httpbl.org" ) );
        if ( $result[0] == 127 ) {
            // Information for the following three configuration variables can be found at
            // http://www.projecthoneypot.org/httpbl_api.php
            //
            // Consider malicious bots active within the past how many days?
            $age_thres = '45';
            // Consider malicious bots with a threat score greater than what (0-255)?
            $threat_thres = '3';
            // Consider malicious which types of bots?
            $denied = '1,2,3,4,5,6,7';

            // Where do you want to redirect malicious bots? It is recommended that you
            // forward them to a Project Honey Pot QuickLink, available here:
            // http://www.projecthoneypot.org/manage_quicklink.php
            //
            // Alternatively, you may leave the default value or blank the value to not use
            // redirection at all, like this:
            // $hp = ''
            $hp = 'xxxxx';
            $age = false;
            $threat = false;
            $deny = false;
            if ( $result[1] < $age_thres )
                $age = true;
            if ( $result[2] > $threat_thres ) {
                $threat = true;
            }

            // $result[3] is the visitor type (bit flags; 0 = search engine)
            foreach ( explode( ",", $denied ) as $value ) {
                if ( $value == $result[3] ) {
                    $deny = true;
                }
            }

            // Note: $age is computed but not part of the final decision here.
            if ( $deny && $threat ) {
                if ( $hp ) {
                    header( "HTTP/1.1 301 Moved Permanently ");
                    header( "Location: $hp" );
                    exit;
                }
                else exit;
            }
        }
    }
    httpbl_check_referer();
}
?>

Post Edited (18 Sep 08 5:15pm)
 
 Re: get trapped myself...
Author: M.Prince   (19 Sep 08 12:33am)
The guy on our team who designed the code that lists suspicious netblocks is out of the country on his honeymoon for the next few days. We'll look into it when he gets back.

The netblock listings are a result of a common pattern we see. A spammer will own like 100 IP addresses. They'll run them all throwing out garbage. While honey pots may catch something here or there, all the IPs won't hit a honey pot fast enough for us to provide useful data out to our users. Therefore we say that if a certain percentage of a netblock is bad, we suspect that other IPs in the netblock may be bad too.

I'm not sure why your netblock is so polluted. Again, I don't know if that's you just banging around a bunch, or you literally have a lot of neighbors doing bad things. In any case, we're trying to come up with better ways of whitelisting the good guys. We have an idea and I think we'll get it up and running soon.

In the meantime, the best thing to do is to turn up the threat score for "suspicious" IPs to "3", but leave it at "1" for Known Harvesters and known Comment Spammers. From your code, looks like that'd take a bit of tinkering. But not too much. Haven't tested this, but something like:

========

<?php
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}
if ($_SERVER['REMOTE_ADDR'] != "213.156.52.110") {
    function httpbl_check_referer() {
        global $_SERVER;
        $key = 'xxxxxxxxx';
        // Query <key>.<d>.<c>.<b>.<a>.dnsbl.httpbl.org for client a.b.c.d;
        // a listed IP answers 127.<days>.<threat score>.<type>
        $result = explode( ".", gethostbyname( $key . "." . implode ( ".", array_reverse( explode( ".", $_SERVER["REMOTE_ADDR"] ) ) ) . ".dnsbl.httpbl.org" ) );
        if ( $result[0] == 127 ) {
            // Information for the following three configuration variables can be found at
            // http://www.projecthoneypot.org/httpbl_api.php
            //
            // Consider malicious bots active within the past how many days?
            $age_thres = '45';
            // Consider malicious bots with a threat score greater than what (0-255)?
            $threat_thres = '1';
            // Suspicious threat level: "suspicious"-only IPs need a higher score
            $susp_thres = '3';
            // Consider malicious which types of bots?
            $denied = '1,2,3,4,5,6,7';
            // Suspicious type (type octet exactly 1, i.e. no harvester/spammer flag)
            $susp_type = '1';

            // Where do you want to redirect malicious bots? It is recommended that you
            // forward them to a Project Honey Pot QuickLink, available here:
            // http://www.projecthoneypot.org/manage_quicklink.php
            //
            // Alternatively, you may leave the default value or blank the value to not use
            // redirection at all, like this:
            // $hp = ''
            $hp = 'xxxxx';
            $age = false;
            $threat = false;
            $deny = false;
            if ( $result[1] < $age_thres )
                $age = true;
            if ( $result[2] > $threat_thres ) {
                $threat = true;
            }

            foreach ( explode( ",", $denied ) as $value ) {
                if ( $value == $result[3] ) {
                    $deny = true;
                    // A merely "suspicious" IP below the higher threshold is let through
                    if ( ($susp_type == $result[3]) && ($result[2] < $susp_thres)) {
                        $threat = false;
                    }
                }
            }

            if ( $deny && $threat ) {
                if ( $hp ) {
                    header( "HTTP/1.1 301 Moved Permanently ");
                    header( "Location: $hp" );
                    exit;
                }
                else exit;
            }
        }
    }
    httpbl_check_referer();
}
?>

Post Edited (21 Sep 08 3:03pm)
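The http:BL lookup and the two-tier threshold discussed in the 17 Sep reply (raise the score for "suspicious" listings, keep a per-IP whitelist) and in the reply above (block "suspicious" at 3 but known harvesters and comment spammers at 1), written out as a stand-alone Python module. This is an added example, not code from the thread or from Project Honey Pot, and it uses a fake DNS table so it runs offline: the access key "abc", the 192.0.2.x addresses and their answers are constructed, the whitelisted address is a placeholder, and unlike the posted scripts the thresholds here are inclusive minimum scores.

```python
import ipaddress
import socket

# Bit flags of the http:BL "type" octet, per the API page linked in the
# posted scripts (http://www.projecthoneypot.org/httpbl_api.php).
TYPE_SEARCH_ENGINE = 0
TYPE_SUSPICIOUS = 1
TYPE_HARVESTER = 2
TYPE_COMMENT_SPAMMER = 4

# Individual IPs that skip the lookup entirely (the thread's shared-NAT case).
# Constructed placeholder address, not the one from the thread.
ALLOWLIST = {"192.0.2.10"}


def httpbl_query_name(access_key, client_ip):
    """Build the lookup name <key>.<d>.<c>.<b>.<a>.dnsbl.httpbl.org for client a.b.c.d."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join([access_key, *reversed(octets), "dnsbl.httpbl.org"])


def parse_httpbl_answer(answer):
    """Decode a 127.<days>.<threat>.<type> answer into a dict.

    Returns None when the answer is not an http:BL listing (first octet
    must be 127). An unlisted IP produces NXDOMAIN, i.e. no answer at all.
    """
    parts = answer.split(".")
    if len(parts) != 4 or parts[0] != "127" or not all(p.isdigit() for p in parts):
        return None
    days, threat, kind = (int(p) for p in parts[1:])
    return {
        "days": days,
        "threat": threat,
        "type": kind,
        "suspicious": bool(kind & TYPE_SUSPICIOUS),
        "harvester": bool(kind & TYPE_HARVESTER),
        "comment_spammer": bool(kind & TYPE_COMMENT_SPAMMER),
    }


def should_block(listing, max_age_days=45, suspicious_threshold=3, known_bad_threshold=1):
    """Two-tier policy from the thread (thresholds are inclusive minimums):
    - harvester or comment spammer flag: block at threat >= known_bad_threshold
    - "suspicious" only (netblock-style listing): block at threat >= suspicious_threshold
    - type 0 (search engine), stale listings and unlisted IPs are allowed
    """
    if listing is None or listing["days"] > max_age_days:
        return False
    if listing["harvester"] or listing["comment_spammer"]:
        return listing["threat"] >= known_bad_threshold
    if listing["suspicious"]:
        return listing["threat"] >= suspicious_threshold
    return False


def _live_resolver(name):
    """Real DNS lookup; NXDOMAIN (unlisted IP) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_client(client_ip, access_key, resolver=_live_resolver):
    """Return 'allow' or 'redirect' for one client IP. `resolver` maps a DNS
    name to its A-record string or None, so the policy can run against a
    fake table instead of live DNS."""
    if client_ip in ALLOWLIST:
        return "allow"
    answer = resolver(httpbl_query_name(access_key, client_ip))
    listing = parse_httpbl_answer(answer) if answer else None
    return "redirect" if should_block(listing) else "allow"


# Constructed stand-in for DNS answers (access key "abc" is a placeholder).
FAKE_DNS = {
    "abc.1.2.0.192.dnsbl.httpbl.org": "127.3.1.1",    # suspicious only, threat 1
    "abc.2.2.0.192.dnsbl.httpbl.org": "127.3.1.4",    # comment spammer, threat 1
    "abc.3.2.0.192.dnsbl.httpbl.org": "127.3.9.1",    # suspicious only, threat 9
    "abc.4.2.0.192.dnsbl.httpbl.org": "127.90.50.3",  # listing older than 45 days
}


def demo():
    """Run the policy over the fake table; 192.0.2.5 is unlisted (NXDOMAIN)."""
    ips = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.10"]
    return {ip: check_client(ip, "abc", FAKE_DNS.get) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

With the fake table, the "suspicious only, threat 1" address (the situation described in the thread) is allowed, while a comment spammer at threat 1 and a suspicious listing at threat 9 are redirected; the stale listing, the unlisted address and the whitelisted address all pass. Swapping `FAKE_DNS.get` for the default resolver turns the same policy into a live check.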
 
 Re: get trapped myself...
Author: D.Clerici   (20 Sep 08 8:25pm)
Thank you very much, I'm going to try your code just now :)

About my netblock, I don't know, I don't want to defend my "netblock"; this ISP is the most used in my country, btw I can say that the level of the internet users is poor. I don't know what happens in other netblocks or countries, btw I'm often called to fix friends' PCs infested by all known species of viruses and malware, and the wireless routers here where I live are usually kept open; everyone could simply go in and use someone else's connection.
I don't think there's a spammer mania in my netblock, but probably there are a lot of slave machines; I understand that it can't be saved, blacklisting their IPs anyway...

Post Edited (20 Sep 08 8:43pm)


