
Messages - Mur

1
BotScout Discussion / Re: Gawab and Yandex
« on: September 12, 2009, 03:37:10 PM »
Q: Has there EVER been a legit user from gawab.com or yandex.ru in the history of the universe?

A: Not to my knowledge.

That's funny you should mention Yandex.ru.
I've been discussing this Search site with another bot tracker and they seem to like it while I just keep adding network blocks to my ban ip list.
Today's entry:
inetnum:        77.88.22.0  - 77.88.23.255
netname:        YANDEX-22-0
descr:          Yandex enterprise network
country:        RU

They seem to have added a new range this past week, but I could be wrong and just slow to update the bans.

2
BotScout Discussion / HoneyPot: Tracking by UserAgent ??
« on: September 11, 2009, 01:13:41 PM »
I was wondering if there is a method of tracking the scripts that test your site's forums before the posting bots hit.

(That question is kind of a lead in to something I have been testing.)

A few weeks back when I had browser to CSS issues I started monitoring the UserAgents to make sure the stylesheets were all working with the different browsers.

When I set up to track the UserAgent I also set up a script to track the Unknown Agents.

What I have seen is a pattern of UserAgents that seem to be linked to Spam Bot postings.

Here's one example and you have the IP in your database but Stop Forum Spam doesn't.

2009-09-11 02:23 PM Innomacaw angelzdark@hotmail.com 84.110.58.133

Hit 1:
9/11/2009 1:32:36 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /agreement.asp

Hit 2:
9/11/2009 1:32:50 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /agreement.asp

Hit 3:
9/11/2009 1:32:54 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /login.asp

Hit 4:
9/11/2009 1:33:04 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /login.asp

Hit 5: (Attempted to Register)
9/11/2009 1:33:07 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: em=1&er=1  em=1&er=1
Page Hit: /agreement.asp

Hit 6:
9/11/2009 1:33:12 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: CAT_ID=1  CAT_ID=1
Page Hit: /forum/default.asp

Hit 7:
9/11/2009 1:33:20 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: method=Topic&FORUM_ID=1  method=Topic&FORUM_ID=1
Page Hit: /forum/post.asp

Hit 8:
9/11/2009 1:33:38 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /forum/post_info.asp

Hit 9:
9/11/2009 1:33:45 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: method=Topic&FORUM_ID=1  method=Topic&FORUM_ID=1
Page Hit: /forum/post.asp


The tracking will follow only when something is not in check.
In this case because the mozilla/0.91 is not in my database as a known browser it then triggers the tracking.

I then place the IP in a Warning status and wait for the actual forum post or signup.

I started skipping the waiting around part and just ban by IP when I see this behaviour. I check a day later and have seen the IP listed here and there. So it appears in my case it works. But I tend to Ban full network blocks at times.

Q: Do you all have one of your honeypots setup to track in this fashion?
Q: Do you think it might be a good resource or function to include?


3
BotScout Discussion / Re: Botreport from Users
« on: September 10, 2009, 12:24:06 AM »

I was testing my methods of pretesting today just to make sure I wasn't getting a false reading. So far a perfect score out of about 80+ bots today all confirmed plus a fresh new bot just about an hour old.

Here's one that StopForumSpam and BotScout haven't seen.

Now it's time to share real-time some of this good stuff with others.

RAW Data:        Score (10) 2 Sites hit 1 minute apart 2 IP's 1 confirmed.
Spam Score (10)
RAW Data:        Site A
First Name: LoMaxamanPills
Email: coolmax@gmx.us
IP Address : 82.193.114.204
Username: LoMaxamanPills
City: Colorado
State: Canada
Country:
PWD: gkZbwmO895

Site B
First Name: LoMaxamanPills
Email: coolmax@gmx.us
IP Address : 114.46.143.47 This IP is New
Username: LoMaxamanPills
City: Colorado
State: Canada
Country:
PWD: gkZbwmO895

4
BotScout Discussion / Re: Botreport from Users
« on: September 09, 2009, 10:25:16 AM »
IP matching to a predetermined list of cities/state/countries, or....?

Yes, for years I have run my own version of IP to Country and Member Validation type of testing.
It was part of my eCommerce sites that had to screen every connection during checkout.

I tried to get the API running from my site to yours but the feed isn't accepted on my crappy shared over populated with spammers hosting service.

I sure wish I had a full automated system but in the end it's Human input.

5
BotScout Discussion / Re: Botreport from Users
« on: September 09, 2009, 09:07:12 AM »
My "Pretest" is kind of simple and mostly all scripted.
Summary:
I monitor all connections to Posting, Login and Signup pages.
UserAgents that are not formed correctly are sent to a database table with the IP address. I've found most bots send out feelers before they attempt to login or post.
When the new bot attempts a login I've found they have common scripted fields. I have 6 forums and have modified the fields and names.
Typically my favorite bots will attempt to post to all 6 forums within 2 minutes. This flags the monitoring of the IP address.
Then I am notified via email with the information I displayed above.
Also bots enter specific pages where typical users don't.
It's the old "Is it Human" test.
There's more but I'm limited to the space here and I don't want to bore you all.
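The tracking flow from the UserAgent post and the pretest summary above, as an added example in Python (not the poster's ASP code): an unrecognised UserAgent puts the IP in warning status, and the IP is banned once it reaches several distinct signup/login/posting pages within two minutes. The `KNOWN_UA` pattern, the `SENSITIVE` page set, the threshold of 3 and the `192.0.2.10` visitor are assumptions made for the example; the other rows follow the log in the post.

```python
import re
from datetime import datetime, timedelta

# Assumption: a crude stand-in for the poster's "known browser" table.
KNOWN_UA = re.compile(r"^mozilla/[45]\.0 \(.+\)", re.I)
SENSITIVE = {"/agreement.asp", "/login.asp", "/forum/post.asp", "/forum/post_info.asp"}
WINDOW = timedelta(minutes=2)

def parse_hits(text):
    """Parse 'Hit N:' records in the layout quoted in the post."""
    hits = []
    for block in re.split(r"(?m)^Hit \d+:.*$", text)[1:]:
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rec = {"time": datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p")}
        for ln in lines[1:]:
            key, _, value = ln.partition(":")
            rec[key.strip()] = value.strip()
        hits.append(rec)
    return hits

def classify(hits, threshold=3):
    """Map IP -> 'warning' after an unknown UserAgent, 'ban' once that IP
    reaches `threshold` distinct sensitive pages inside WINDOW."""
    status, seen = {}, {}
    for h in sorted(hits, key=lambda h: h["time"]):
        ip = h["IP"]
        if ip not in status and KNOWN_UA.match(h["UserAgent"]):
            continue  # recognised agent and not under watch: no tracking
        status.setdefault(ip, "warning")
        if h["Page Hit"] in SENSITIVE:
            pages = seen.setdefault(ip, {})
            pages[h["Page Hit"]] = h["time"]  # last time each page was hit
            live = [p for p, t in pages.items() if h["time"] - t <= WINDOW]
            if len(live) >= threshold:
                status[ip] = "ban"
    return status

BOT_UA = "mozilla/0.91 beta (windows)"  # agent string from the post
ROWS = [  # first three rows follow the post's log; the last is constructed
    ("1:32:36", BOT_UA, "84.110.58.133", "/agreement.asp"),
    ("1:32:54", BOT_UA, "84.110.58.133", "/login.asp"),
    ("1:33:20", BOT_UA, "84.110.58.133", "/forum/post.asp"),
    ("1:33:00", "Mozilla/5.0 (Windows NT 6.0) Firefox/3.5", "192.0.2.10", "/login.asp"),
]
SAMPLE = "".join(
    f"Hit {n}:\n9/11/2009 {t} PM\nBrowser: Unknown\nUserAgent: {ua}\n"
    f"IP: {ip}\nQuery String:\nPage Hit: {page}\n\n"
    for n, (t, ua, ip, page) in enumerate(ROWS, 1))
RESULT = classify(parse_hits(SAMPLE))  # {'84.110.58.133': 'ban'}
```

The UserAgent header is supplied by the client, so it works here as a trigger for closer tracking; the ban decision rests on the page sequence and timing.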


6
BotScout Discussion / Re: Botreport from Users
« on: September 09, 2009, 07:46:59 AM »
RAW Data:       
First Name: Chofobeeronna (used in other bots)
Email: fdudlak@ozdy.co
IP Address : 99.229.234.61 (Open Proxy Alive proxy 99.229.234.61:1025)
Username: Chofobeeronna
City: Satellite Beach
State: USA
Country:
PWD: 123456789
Sorry, I should have explained my layout.
The above information is provided by the BOT.
In this case the Email, IP, City, State, Country do not match so it failed pretesting.


7
BotScout Discussion / Re: Botreport from Users
« on: September 09, 2009, 07:37:48 AM »
Good Morning,
Just a thought, one day we might need to set up our XML to feed remote databases so we could do away with the manual entry after the bot has been identified.
But until such time;


I score this a (10)
RAW Data:       
First Name: Chofobeeronna (used in other bots)
Email: fdudlak@ozdy.co
IP Address : 99.229.234.61 (Open Proxy Alive proxy 99.229.234.61:1025)
Username: Chofobeeronna
City: Satellite Beach
State: USA
Country:
PWD: 123456789

8
They've either updated or changed VBScript, as your problem is actually;

Code:
Err.Number: 438
Err.Description: Object doesn't support this property or method

You'll need to determine which line it's referring to if it isn't specifying one, as that will give you a pointer to the issue.

The Vb error occurs after the time-out which shows the XML.Status code.
Here's the order:
xml "GET" (establish connection)
Fails Status Code 12031 (Connection Dropped or Time-out)
It should have reported a status code of 200 (OK) just like any good Header should do.

The next error is caused from the xml.send because it is attempting to send after an "On Error Resume..." and it finds no channel to send the data so it says "Object Not Supported..."

Then that's it..

I sure would have rather used your db as a resource because it saves me time not having to add spammers and bots to my local list.

While all this testing was going on I set back in place my old screening system (asp app).

I could test your PHP code on one of my sites to see if it is only related to the VbScript'ing but that might take me a month of Sundays since PHP is a foreign language to me.


9
Sorry, The Status is 12031 and the dang connection to the remote server couldn't be established.
Test 3 Results: Error at 8/27/2009 7:08:35 AM
XML Status: 12031
Err.Number: 438
Err.Description: Object doesn't support this property or method
Err.Source: Microsoft VBScript runtime error
Err.Page: /testbotscout2.asp


This is from 4 days of testing and emails to dotster technical support.
(I know, you might be thinking, "You could change hosts") but...

I've found when we run into errors that are out of my control I need to code around them.

The XML error code is a time-out issue.
The Server and/or Database end to end (in this case server) is timing out just under 20 seconds.

The connection ran smoothly for weeks but now it just doesn't connect.
I'm guessing a server change or it could be a DNS/Router issue as well.

Thanks for your time working with me.

10
It's only for testing. but I'll leave it active till your hosting co sorts the problem out for you.

Thanks again, I sent them a follow up email.
Now it's only a matter of waiting and waiting then calling and calling.

It's a good start to show the code and the system is working.
Have a good one.

11
It's only for testing. but I'll leave it active till your hosting co sorts the problem out for you.

Great I'll send another service request in and use the functional and MS.disfunctional link to them. They just might figure it out by the end of this month.

Thanks much. 

12
Could you try changing the URL to the following (response text is the same);

http://verify.hosts-file.net/botscout.asp?name={NAME}&ip={IP}&email={MAIL}&key={KEY}

Oh So Cool !!!
That works just fine:
From every type of connection failing to every test connection I have in my test page connected.

See for yourself ... (This will be removed later today)
http://www.bayoushopping.org/testbotscout.asp

I'll add the code to check for response header 200 on the first attempt then have it connect to the second connection.
Unless this is only for testing and shouldn't be setup as a secondary connection link.


13
Wait, I didn't mean to ask for the IP. (( Dang brain))

I'll be working with my host on this issue.
The msxml3.dll error 80072efe error is actually a dumb time-out error and it reports either the feed is down or the host disconnected or "I'm Microsoft and I work Part-Time".

Thanks for the feedback and I'll be working with my hosting provider. (Ugh)

At least now I have a great email notice error trap on that feed. When it doesn't work it at least emails the information to me for manual processing.

Thanks again all.

Have a good day!
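The lookup order described in the two posts above (accept only a 200 from the first feed, then try the second link, and hand anything unanswered to a person), as an added example in Python rather than the poster's ASP. `PRIMARY` is a placeholder because the page does not give the main feed URL; `lookup`, `http_get` and `review_queue` are names chosen for the example, and the response body is treated as opaque text.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumption: placeholder URL; the page does not give the main feed address.
PRIMARY = "http://primary-feed.example/?name={NAME}&ip={IP}&email={MAIL}&key={KEY}"
# Second link as quoted in the post above.
SECONDARY = ("http://verify.hosts-file.net/botscout.asp"
             "?name={NAME}&ip={IP}&email={MAIL}&key={KEY}")

def http_get(url, timeout=5):
    """Return (status, body); status is None when no response arrived
    (the dropped-connection/time-out case the post reports as 12031)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except OSError:  # URLError and socket time-outs are OSError subclasses
        return None, ""

def lookup(name, ip, mail, key, fetch=http_get, review_queue=None):
    """Try each feed in order and accept only a 200 with a body. If neither
    answers, queue the signup for manual review instead of approving it."""
    values = {"NAME": name, "IP": ip, "MAIL": mail, "KEY": key}
    quoted = {k: urllib.parse.quote(v, safe="") for k, v in values.items()}
    tried = []
    for template in (PRIMARY, SECONDARY):
        status, body = fetch(template.format(**quoted))
        if status == 200 and body.strip():
            return {"feed": template.split("?")[0], "body": body.strip()}
        tried.append((template.split("?")[0], status))  # never log the key
    if review_queue is not None:
        review_queue.append({"name": name, "ip": ip, "email": mail, "tried": tried})
    return None
```

A short explicit time-out keeps a stalled feed from holding the signup page open for the roughly 20 seconds described in the thread.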

14
hehe I'd picked up on it ;)

Sorry for taking so long, fell asleep  :-[

I believe we may need to wait for Mike to respond to this one if it's not a client side issue.

Sleep is good and I don't expect you all to fix my little issue for me I only look for ideas and hints.

Now that my service request came back from my hosting company with words like: "The issue is known..." and "This should be resolved..." ..

I have the feeling they updated something and it put things out of whack.

But it is interesting that all my feeds work from other sites but just can't connect directly to the botscout.com domain.

Do you all have a Static IP for testing?

15
I should have placed a smilie face after my line:
Ok, I've just about reached the point of pulling the hairs off the back of the dog.

That's just my humor when I'm debugging scripts. I have to make fun of the things that drive me nuts.

Just in case you might not have picked up on that.  :D
