Author: D.Clerici (18 Sep 08 4:59pm)
Thank you for the reply. Below is my script; it's working on a phpbb board (I removed my key and the name of the file with the honey pot, of course).
The main use of http:bl on my site is to redirect the spammers to the honey pot, preventing them from using the scripts for posting on phpbb boards. I also have the usual "email honey pots" on the whole site. If they pass the http:bl barrier, there are other antispam systems active (it happens on 2-3% of the spammers' attacks).
You can even see how I excluded an individual IP from checking (213.156.52.110); this IP comes from a netblock of an ISP that uses few public IP addresses, and all the customers are like behind a big LAN.
The script is called and if the IP is blacklisted it sends the users to the honey pot; that is why I got trapped. Yes, it's a kind of "loop" but it could be useful to obtain more data from the spammer (for example, the scripts that they use to spam change browser agent automatically and randomly).
In order to get back to posting on my board I had to raise the threat score to 3, as you can see.
Well, I have to say that I don't understand the policy to mark a whole netblock as "suspicious"; it looks like those CIA public reports about how a country is dangerous. I'm slightly offended by this policy and thought that you marked individual IPs and not whole netblocks. As far as I know a lot of spam is generated by computers infested by viruses and malware used as slave machines. Analyzing the IPs of real spammers attacking my site, I found that they come almost all from the TOR network, so I don't know how fair it can be to mark my ISP netblock as suspicious; actually it resulted in marking my actual IP (that is clean) on project honey pot even if it never did anything if not being included in a suspicious netblock (and being trapped on *my own* honey pot).
The Http:BL helped a lot on my site; still, even with threat score set to 1 not all spammers were caught. Actually it's called only when a user tries to post something (not when it connects to the site; I thought it would have generated a lot of traffic to project honey pot).
I don't know in which way your project is going, btw other systems, like the one used by punkbuster to kick away cheaters on online games, keep a trace of the hardware of the offender's PC (typically MAC address and HD internal code). You could think of something like that, as a plugin for the browsers, that sites like mine could ask the user to have installed in order to have access to some parts of the site, something that generates an individual string based on the hardware of the computer. Well, everything can be done in order to avoid this check, but it could be a bit hard for "generic" spammers.
That said, thank you for your reply. I "fixed" my problem but my site is more vulnerable now. I'll keep a trace of the spammers' attacks and then decide if keeping the script with threat score at 3 is worth using Http:bl.
------------
<?php
if ( !defined('IN_PHPBB') )
{
    die("Hacking attempt");
}
// Skip the http:BL lookup for the one IP excluded by hand
if ($_SERVER['REMOTE_ADDR'] != "213.156.52.110") {
    function httpbl_check_referer() {
        // $_SERVER is a superglobal, so no "global" declaration is needed
        $key = 'xxxxxxxxx';
        // Query <key>.<reversed client IP>.dnsbl.httpbl.org and split the answer into octets
        $result = explode( ".", gethostbyname( $key . "." . implode ( ".", array_reverse( explode( ".", $_SERVER["REMOTE_ADDR"] ) ) ) . ".dnsbl.httpbl.org" ) );
        // A listed IP answers 127.<days>.<threat>.<type>
        if ( $result[0] == 127 ) {
            // Information for the following three configuration variables can be found at
            // http://www.projecthoneypot.org/httpbl_api.php
            //
            // Consider malicious bots active within the past how many days?
            $age_thres = '45';
            // Consider malicious bots with a threat score greater than what (0-255)?
            $threat_thres = '3';
            // Consider malicious which types of bots?
            $denied = '1,2,3,4,5,6,7';
            // Where do you want to redirect malicious bots? It is recommended that you
            // forward them to a Project Honey Pot QuickLink, available here:
            // http://www.projecthoneypot.org/manage_quicklink.php
            //
            // Alternatively, you may leave the default value or blank the value to not use
            // redirection at all, like this:
            // $hp = ''
            $hp = 'xxxxx';
            $age = false;
            $threat = false;
            $deny = false;
            // Note: $age is set here but is not part of the blocking condition further down
            if ( $result[1] < $age_thres )
                $age = true;
            if ( $result[2] > $threat_thres ) {
                $threat = true;
            }
            foreach ( explode( ",", $denied ) as $value ) {
                if ( $value == $result[3] ) {
                    $deny = true;
                }
            }
            // Redirect (or just stop) when the visitor type is denied and the threat score is over the threshold
            if ( $deny && $threat ) {
                if ( $hp ) {
                    header( "HTTP/1.1 301 Moved Permanently ");
                    header( "Location: $hp" );
                    exit;
                }
                else exit;
            }
        }
    }
    httpbl_check_referer();
}
?>
Post Edited (18 Sep 08 5:15pm)
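
Added example (not part of the post above and not Project Honey Pot's own code): decoding an http:BL answer of the form 127.<days>.<threat>.<type> with the type octet read as a bitmask, the age threshold applied together with the threat threshold, and the not-listed case handled, where gethostbyname() returns the query name unchanged. The function names, the placeholder key and the sample answers are constructed for illustration; the thresholds 45 and 3 are the ones in the posted script.

```php
<?php
// Added example: names, key and sample answers are constructed, not from the post.

// Build the http:BL query name; null if $ip is not a dotted-quad IPv4 address.
function httpbl_query_name(string $key, string $ip): ?string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return $key . '.' . implode('.', array_reverse(explode('.', $ip))) . '.dnsbl.httpbl.org';
}

// Decode an answer. gethostbyname() returns the query name unchanged when the
// IP is not listed, so anything that is not 127.x.y.z decodes to null.
function httpbl_decode(string $answer): ?array {
    if (filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    [$marker, $days, $threat, $type] = array_map('intval', explode('.', $answer));
    if ($marker !== 127) {
        return null;
    }
    return [
        'days'            => $days,             // days since last activity
        'threat'          => $threat,           // 0-255
        'search_engine'   => $type === 0,       // octets 2-3 mean something else here
        'suspicious'      => ($type & 1) !== 0, // type octet is a bitmask
        'harvester'       => ($type & 2) !== 0,
        'comment_spammer' => ($type & 4) !== 0,
    ];
}

// Block only when the listing is both recent enough and above the threat threshold.
function httpbl_should_block(?array $r, int $ageThres = 45, int $threatThres = 3): bool {
    if ($r === null || $r['search_engine']) {
        return false;
    }
    return $r['days'] < $ageThres && $r['threat'] > $threatThres;
}

$key = 'abcdefghijkl'; // placeholder access key
$name = httpbl_query_name($key, '192.0.2.10');
echo "query: $name\n";
// Constructed answers, as gethostbyname($name) might return them.
$samples = ['127.3.40.4', '127.120.40.4', '127.1.2.1', '127.0.5.0', $name];
foreach ($samples as $answer) {
    $verdict = httpbl_should_block(httpbl_decode($answer)) ? 'block' : 'allow';
    echo str_pad($answer, 45), $verdict, "\n";
}
```

Only the first sample is blocked: the second is older than 45 days, the third has a threat score below the threshold, the fourth is a search engine entry, and the last is the unchanged query name that signals "not listed".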