Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 Further detail on identified harvesters
Author: J.Healy   (20 Jul 07 11:38am)

Hi there,

As long time supplier of pages and MX's to the cause, it's been my pleasure to contribute to the identification of many harvesters and spammers.

Whenever I receive notification that I've helped catch a harvester, I contact an appropriate abuse contact for the IP address to report it.

In many cases, the IP is owned by an ISP and the response is similar. Something along the lines of "This is a dynamic IP address. Please tell us when the incident happened so that we can investigate further."

I can see their point. Unless they know who the IP was assigned to when the harvester was running, they can't identify whose system the harvester was running on.

Would it possible to provide this information, or is there a concern that this would start a conversation which would ultimately reveal the identity of a honeypot page, and thereby weaken the overall honeypot project?


 Re: Further detail on identified harvesters
Author: M.Prince   (21 Jul 07 5:01pm)
One thing you can do is encourage the ISP to sign up for the Monitor service we offer. That allows them to look at their entire IP range. If a hit occurs, we send them an email with details including an exact timestamp when the violation occurred.

We'll look into whether we could provide similar detail in the notification emails to Project members who help identify bad IPs.

Thanks for the suggestion and the help with the Project!
 Re: Further detail on identified harvesters
Author: J.Healy   (23 Jul 07 4:41am)
Thanks for that.

In this case, the ISP is British Telecom, not a small operator. I'm not entirely sure that I have sufficient influence over them to get them to sign up to anything. If you post a link, I'll certainly pass it on to them.

In the meantime, is there any way to get the time stamps for any harvesting events?
 Re: Further detail on identified harvesters
Author: P.Hauser   (29 Jul 07 11:07am)
In answer to your last question:

You can provide the timestamps to the ISP as well as here in an IP lookup comment from your own apache logfiles.

That's what I do here: I check my logfiles or also my SPAM-mails for suspicious IPs that I then lookup here and afterwards I post my logfile lines here and send them at the same time to the ISP. The mail headers as well as the logfiles have timestamps.

So my IP lookup comment might help the next reader, what happened from this IP. Can't help it then, if also the spammers read this information here to change their strategies.

In any way just reporting an IP, dynamic or not, to the ISP does not help very much. Some ISPs even already don't accept complaints anymore, if they are older than 14 days.

An up-to-date timestamp, a referer, the used UA or MX or the request given with this IP in combination taken from your logfiles helps a lot more to identify what action was taken.

Additionally you can get more information and do reverse lookups, check server properties, if you are supplied with the appropriate tools to report this.

Don't just paste the long WHOIS-entry of the IP into your complaint, since this can be also done by the UHD-recipient as well and it will not make the information more "human readable" and acceptable.


Post Edited (27 Sep 08 7:16pm)

do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–18, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email