Message Board

Newbie/Basic Questions

Older Posts ]   [ Newer Posts ]
 noobie with HTTP:BL
Author: P.Murphy2   (23 Feb 12 6:14am)
Hi

I don't understand the implementation of HTTP:BL. I have a good grasp of htlml php etc but I dont get DNS service stuff at all.
"Queries are performed using standard DNS queries" it states.
example : "abcdefghijkl.2.1.9.127.dnsbl.httpbl.org"
Where and how do you do a standard dns query. From a script? like php?

My website is on a shared server, have accesss to cpanel and ftp etc.
I would appreciate if anybody could help me with where this api is called from and how.
 
 Re: noobie with HTTP:BL
Author: R.Woolley2   (11 Mar 12 4:29pm)
Her's how to impliment an example base writtin for PHP.

You have to change it to suit needs for production of course but these will display and save enough to get the idea.

Below this is a sample written for PERL.

Note the initial response should either be....
1) OK, invalid request, NOT listed...
A copy of the sent call code is returned (BLANK response for PERL).
2) Listed in honeypot.org's database...
response returned in IP# octet format with "127" as first octet.
3) anything else is an internal error so the ip really should be passed as OK (or if not using a "capture" input too then at least add one to the form this time).

=====================================
# The second octet (0-255) represents the number of days since last activity.

# The third octet (0-255) represents a threat score for the IP.
# 25 = 100 spam messages
# 50 = 10,000 spam messages
# 75 = 1,000,000 spam messages
# NOTE: ONLY IF 4TH OCTET = 0 (known serach engine)
$engines['0'] = 'Undocumented';
$engines['1'] = 'AltaVista';
$engines['2'] = 'Ask';
$engines['3'] = 'Baidu';
$engines['4'] = 'Excite';
$engines['5'] = 'Google';
$engines['6'] = 'Looksmart';
$engines['7'] = 'Lycos';
$engines['8'] = 'MSN';
$engines['9'] = 'Yahoo';
$engines['10'] = 'Cuil';
$engines['11'] = 'InfoSeek';
$engines['12'] = 'Miscellaneous';

# The fourth octet represents the type of visitor (0 = s/engine + 3rd octet ID, else just this).
$types['0'] = 'Search Engine'; # (0)
$types['1'] = 'Suspicious'; # (1)
$types['2'] = 'Harvester'; # (2)
$types['3'] = 'Suspicious & Harvester'; # (1+2)
$types['4'] = 'Comment Spammer'; # (4)
$types['5'] = 'Suspicious & Comment Spammer'; # (1+4)
$types['6'] = 'Harvester & Comment Spammer'; # (2+4)
$types['7'] = 'Suspicious & Harvester & Comment Spammer'; # (1+2+4)

$result=$logged=$addrs=$valid=$lastactive=$threat=$type='';
$passasok=false;
$addrs = $_SERVER["REMOTE_ADDR"];
#$addrs = '127.9.1.2'; // un-rem to hard code a test ip
echo "remote address: $addrs<br>\n";
$revrsip = implode ( ".", array_reverse( explode( ".",$addrs) ) );
echo "reversed ip#: $revrsip<br>\n";
if(preg_match("/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/",$revrsip) ){
$qtarget = "mysecretidhash.$revrsip.dnsbl.httpbl.org"; // HERE 'TIS
$result = gethostbyname($qtarget); // HERES HOW
echo "result: $result<br>\n";
if( preg_match("/^(127)\.(\d+)\.(\d+)\.(\d+)$/",$result) ) {
// block if 1st octet equals "127"... signifies ip is listed
list($valid, $lastactive, $threat, $type) = explode(".",$result,4);
$type == "0" ? $type = "$types[$type] $engines[$threat]" : $type = "$types[$type]";
$logged = "last seen: $lastactive days, threat level: $threat, type: $type";
}
else{
# pass as invalid test (none or useless data) and ip is OK
$logged = "passed as invalid test (OK)";
$passasok = true;
}
}
else{
// pass as invalid test (useless reversed ip)
$logged = "passed as invalid ip reversal ($revrsip)";
// don't block just because of internal error
$passasok = true;
}

$logged .= ", $addrs, $passasok, " . date("d/m/Y H:i:s", time());
print "[$passasok]: $logged<br>";

if ($handle = fopen('php_dnsbl.httpbl.log', 'a')) {
// if opening or writing fails check dir permissions
@fwrite($handle, $logged."\n");
fclose($handle);
}


exit(0);
========================================

It should be easy to convert fundamentals to any other high level language.

For PERL....
========================================
use Net::hostent;
use Socket;

# The second octet (0-255) represents the number of days since last activity.

# The third octet (0-255) represents a threat score for the IP.
# 25 = 100 spam messages
# 50 = 10,000 spam messages
# 75 = 1,000,000 spam messages
# NOTE: ONLY IF 4TH OCTET = 0 (known serach engine)
$engines{'0'} = 'Undocumented';
$engines{'1'} = 'AltaVista';
$engines{'2'} = 'Ask';
$engines{'3'} = 'Baidu';
$engines{'4'} = 'Excite';
$engines{'5'} = 'Google';
$engines{'6'} = 'Looksmart';
$engines{'7'} = 'Lycos';
$engines{'8'} = 'MSN';
$engines{'9'} = 'Yahoo';
$engines{'10'} = 'Cuil';
$engines{'11'} = 'InfoSeek';
$engines{'12'} = 'Miscellaneous';

# The fourth octet represents the type of visitor (0 = s/engine 3rd octet ID else ignore IDs).
$types{'0'} = 'Search Engine'; # (0)
$types{'1'} = 'Suspicious'; # (1)
$types{'2'} = 'Harvester'; # (2)
$types{'3'} = 'Suspicious & Harvester'; # (1+2)
$types{'4'} = 'Comment Spammer'; # (4)
$types{'5'} = 'Suspicious & Comment Spammer'; # (1+4)
$types{'6'} = 'Harvester & Comment Spammer'; # (2+4)
$types{'7'} = 'Suspicious & Harvester & Comment Spammer'; # (1+2+4)

print"Content-type: text/html\n\n";

$result=$logged=$addrs='';
$passasok=false;
$addrs = $ENV{'REMOTE_ADDR'};
#$addrs = '127.9.1.2'; # un-rem to use a test ip
print "remote address: $addrs<br>";
$revrsip = join '.', reverse( split(/\./,$addrs,4) );
print "reversed ip#: $revrsip<br>";
if( $revrsip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) {
$qtarget = "mysecretidhash.$revrsip.dnsbl.httpbl.org"; # HERE 'TIS
$h = gethostbyname($qtarget); # HERES HOW
if (defined($h)) {$result = inet_ntoa(@{$h->addr_list}[0]);}
print "result: $result<br>";

if( !$result || $result !~ /^(127)\.(\d+)\.(\d+)\.(\d+)$/ ) {
# pass as invalid (useless) response
$logged = "passed as invalid test";
if($result){$logged.= " ($result)";}
$result = '';
$passasok = true;
}
else{
($valid, $lastactive, $threat, $type) = split(/\./,$result,4);
if($type eq "0") {$type .= " {$engines{$threat}}";}
$type eq "0" ? $type = "$types{$type} $engines{$threat}" : $type = "$types{$type}";
$logged = "last seen: $lastactive days, threat level: $threat, type: $type";
}
}
else{$logged = "passed as invalid ip reversal";} # pass as invalid (useless) test
$logged .= ", $addrs, $passasok, " . &dnsblDatetime();
print "[$passasok]: $logged<br>";
if(open (DLOG, ">>cgi_dnsbl.httpbl.log")){
if(defined &lock){&lock('DLOG',"cgi_dnsbl.httpbl.log");}
print DLOG $logged."\n";
if(defined &lock){&unlock('DLOG',"cgi_dnsbl.httpbl.log");}
}


exit(0);

sub dnsblDatetime{
local$sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$intime;
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday)=(gmtime(time+$gmtPlusMinus));
$mon++;
if($year>99){$year=2000+($year-100);}elsif($year<100){$year="19$year";}
return sprintf("%02d\/%02d\/%04d %02d:%02d:%02d",$mday,$mon,$year,$hour,$min,$sec);
}
===================================

Bad luck the forum post box doesn't support pasting of sample code but a bit of carefull fiddling should bring it back to readable formatting.

Regards.
 
 Re: noobie with HTTP:BL
Author: B.Daoust   (20 Apr 12 9:26pm)
OK, so I'm trying to get this to work, I have my 12 character password, do I use that straight up ?

$qtarget = "mysecretidhash.$revrsip.dnsbl.httpbl.org"; // HERE 'TIS
$result = gethostbyname($qtarget); // HERES HOW

Because when I use the above code
gethostbyname just returns the string I passed in and not a ip address.
 
 Re: noobie with HTTP:BL
Author: E.Langheinrich   (7 May 12 10:35am)
You are probably getting the string you passed into gethostbyname because the IP you are checking isn't currently listed. Try it with the test addresses specified in the API doc.



You may browse the discussion topics, but you must sign in to post. If you do not have an account, you can create one for free.

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email