Message Board

Newbie/Basic Questions

Is this right?

Author: B.Catchem (4 Dec 08 4:40pm)

Hi,

I can't find this anywhere. hope someone can help.

I'm using a php and using
$response = gethostbyname('abcdefghij.111.222.223.224.dnsbl.httpbl.org');

$response is the same as my query ('abcdefghij.111.222.223.224.dnsbl.httpbl.org')

Is this normal?

Thanks.

Re: Is this right?

Author: B.Catchem (4 Dec 08 8:55pm)

I found a solution for the asp problem. Not perfect, but it works.

It's interesting that they were hitting me two at a time and only about 2 seconds apart. Anyway...

I have an ASP settings page that was being hammered by comment spammers.
(Options.asp)

1. Renamed Options.asp to Option.asp

2. Added a new Options.asp page with the following code:
<% response.redirect "./check.php" %>

3. check.php looks like this:
------------------------------------
<?php

// your http:BL key here
$apikey = 'abcdefghijkl';

// IP to test : your visitor's IP
$ip = $_SERVER['REMOTE_ADDR'];

// This is a known bad guy (as of December 5, 2008). Uncomment this to test.
//$ip = '84.52.92.126';

// build the lookup DNS query
// Example : for '127.9.1.2' you should query 'abcdefghijkl.2.1.9.127.dnsbl.httpbl.org'
$lookup = $apikey . '.'.implode('.', array_reverse(explode ('.', $ip ))) .'.dnsbl.httpbl.org';

// ask http:BL to check it.
$response = gethostbyname($lookup);

// check query response
$result = explode( '.', $response);

if ($result[0] == 127) {
// query successful !
$activity = $result[1]; // recorded in case you want to check it for some reason.
$threat = $result[2]; // recorded in case you want to check it for some reason.
$type = $result[3]; // This is the only one I'm using.

if ($type & 0) $typemeaning .= 'Search Engine, ';
if ($type & 1) $typemeaning .= 'Suspicious, ';
if ($type & 2) $typemeaning .= 'Harvester, ';
if ($type & 4) $typemeaning .= 'Comment Spammer, ';
$typemeaning = trim($typemeaning,', ');

If ($type<2){ // I don't care if it's only suspicious.
header( 'Location: Option.asp' );
}else{
// But the fbi might want to know about it. lol.
header( 'Location: https://tips.fbi.gov/' );
}
}else{
// bad result so let them in just in case it's a good guy.
header( 'Location: Option.asp' );
}
?>
------------------------------------

Now when the the bad guys hit the page they get sent away before they can comment their spam, and the good guys get to stay.

Just an FYI:
I've also loaded an ip-to-country database that sends away all visitors from countries that have given me grief (russia,india,all of asia and africa,etc.). They'd never buy my crap anyway.

Post Edited (5 Dec 08 4:36pm)

Re: Is this right?

Author: E.Geier (12 Dec 08 6:58pm)

> sends away all visitors from countries that have given me grief
> (russia,india,all of asia and africa,etc.)

Oops, I think this was not the right approach. If you check the global stats here, the majority of bad sites reside in the USA...

A user from EU, annoyed by the many bad sites from NA.

Re: Is this right?

Author: M.Prince (12 Dec 08 9:17pm)

We actually have a pretty good and representative sample from around the world. If you look at where honey pots are installed, you'll see the US leads the group but there are honey pots all over:

http://www.projecthoneypot.org/more.php

That has meant we tend to see harvesters/spammers/comment spammers from all over too.

The NA listings annoy me too. There are a couple reasons for them:

1. Our geolocation provider sucks. We're working on finding a better provider.
2. We're getting so much data so quickly that doing the geolookups actually creates enough of a bottleneck in the process that it can gum up the works. The solutions to this also likely involve getting a new geolocation provider and also increasing the IOPS on our databases. We're working on it and are currently testing a hardware solution which appears very promising.

Matthew.