Topics - Mur

1
BotScout Discussion / HoneyPot: Tracking by UserAgent ??
« on: September 11, 2009, 01:13:41 PM »
I was wondering if there is a method of tracking the scripts that test your site's forums before the posting bots hit.

(That question is kind of a lead in to something I have been testing.)

A few weeks back when I had browser to CSS issues I started monitoring the UserAgents to make sure the stylesheets were all working with the different browsers.

When I set up to track the UserAgent I also set up a script to track the Unknown Agents.

What I have seen is a pattern of UserAgents that seem to be linked to Spam Bot postings.

Here's one example, and you have the IP in your database but Stop Forum Spam doesn't.

2009-09-11 02:23 PM Innomacaw angelzdark@hotmail.com 84.110.58.133

Hit 1:
9/11/2009 1:32:36 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /agreement.asp

Hit 2:
9/11/2009 1:32:50 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /agreement.asp

Hit 3:
9/11/2009 1:32:54 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /login.asp

Hit 4:
9/11/2009 1:33:04 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /login.asp

Hit 5: (Attempted to Register)
9/11/2009 1:33:07 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: em=1&er=1  em=1&er=1
Page Hit: /agreement.asp

Hit 6:
9/11/2009 1:33:12 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: CAT_ID=1  CAT_ID=1
Page Hit: /forum/default.asp

Hit 7:
9/11/2009 1:33:20 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: method=Topic&FORUM_ID=1  method=Topic&FORUM_ID=1
Page Hit: /forum/post.asp

Hit 8:
9/11/2009 1:33:38 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /forum/post_info.asp

Hit 9:
9/11/2009 1:33:45 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: method=Topic&FORUM_ID=1  method=Topic&FORUM_ID=1
Page Hit: /forum/post.asp


The tracking will follow only when something is not in check.
In this case, because the mozilla/0.91 is not in my database as a known browser, it then triggers the tracking.

I then place the IP in a Warning status and wait for the actual forum post or signup.

I started skipping the waiting around part and just ban by IP when I see this behaviour. I check a day later and have seen the IP listed here and there. So it appears in my case it works. But I tend to Ban full network blocks at times.

Q: Do you all have one of your honeypots set up to track in this fashion?
Q: Do you think it might be a good resource or function to include?
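
The tracking flow described in the post above, as an added example that is not part of the original post: an unknown UserAgent puts the IP into a warning state, and a later hit on a posting page escalates it. The allowlist tokens, the status names and the sample records (documentation IP ranges) are assumptions made for illustration.

```python
# Hypothetical allowlist of known-browser tokens (assumption: the post's
# own known-browser database is not shown).
KNOWN_AGENT_TOKENS = ("firefox/", "msie ", "chrome/", "safari/", "opera/")
# Posting pages that appear in the post's log.
ACTION_PAGES = {"/forum/post.asp", "/forum/post_info.asp"}
# Fields used here; timestamp, Browser, Version, Query String are ignored.
FIELDS = {"UserAgent", "IP", "Page Hit"}

# Constructed sample in the post's record layout (not real traffic).
SAMPLE = """\
Hit 1:
UserAgent: mozilla/0.91 beta (windows)
IP: 203.0.113.7
Page Hit: /agreement.asp

Hit 2:
UserAgent: Mozilla/5.0 (Windows; U) Gecko/2009 Firefox/3.5.3
IP: 198.51.100.20
Page Hit: /forum/post.asp

Hit 3:
UserAgent: mozilla/0.91 beta (windows)
IP: 203.0.113.7
Page Hit: /forum/post.asp
"""

def parse_hits(text):
    """Split blank-line-separated records into dicts keyed by field name."""
    hits = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in FIELDS:
                rec[key.strip()] = value.strip()
        hits.append(rec)
    return hits

def is_known(agent):
    return any(tok in agent.lower() for tok in KNOWN_AGENT_TOKENS)

def classify(hits):
    """Return {ip: 'warning' | 'block'} for IPs seen with an unknown agent."""
    status = {}
    for h in hits:
        if not is_known(h["UserAgent"]):
            status.setdefault(h["IP"], "warning")
        if h["IP"] in status and h["Page Hit"] in ACTION_PAGES:
            status[h["IP"]] = "block"
    return status
```
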


2
msxml3.dll error The download of the specified resource has failed.

I'm getting the above error in the return after the send.xml in my ASP code.

It has worked for just about 3 weeks just fine and is running on 10 websites.

Just today it started showing this error when doing the look up.

It seems to be a URL error from what I understand.
Are we having problems with the following URL today?

http://botscout.com/test/

This is the URL I got from the same codes. Has it changed?

Thanks

3
BotScout Discussion / Scoring methods what are the best practices.
« on: August 11, 2009, 04:36:01 PM »
I have a question about scoring.

I first used the example code and found the (code snip)>=3 isn't a good method.

The Returned information Y|MULTI|IP|22|EMAIL|12|NAME|4 can't just be added to give you a flagging number.
I've noticed numbers as high as 260.

So I started setting up an (If From to range) process.
But that really didn't work well due to what seems to be an unlimited return number for any given field. 

Testing different setups is giving me more ideas but I think it has to be a simple "Weight Added to Field" that will work in the end.
Right now I use:
If IP = 0 and Email = 0 Exit function

If IP = 1 and Email = 1 and Name = 0 Score 10 (blocks)
If IP = 0 and Email = 1 and Name = 0 Score 10 (blocks)
If IP = 1 and Email = 0 and Name = 1 Score  5 (flags but allows)
If IP = 0 and Email = 0 and Name = 1 Score 0 (Allows)
If IP = 1 and Email = 0 and Name = 0 Score 5 (flags but allows)

That's not the actual code and the numbers can be greater than one.
I just wanted to put a starting point here and to get your feedback and experience while scoring. 
I'm looking to limit the score card to a max score of 10 before it blocks the user.

I'm thinking we have to assign weight to each field.
But I'm not sure how much at this point because I don't have statistics on Name IP and Email hits.

Any suggestions or ideas about what percentage of weight to assign to each field?
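
An added sketch of the "weight added to field" idea from the post above (not the poster's code and not BotScout's sample code): each field contributes a fixed weight once it has any hits, so an unbounded count such as 260 cannot inflate the score, and the total is capped at 10. The weights are assumptions chosen so that the result matches the post's rule table, and the test inputs are constructed in the response layout the post quotes.

```python
# Assumed weights: presence of a field adds its weight once, which
# reproduces the post's rule table (EMAIL blocks, IP flags, NAME allows).
WEIGHTS = {"IP": 5, "EMAIL": 10, "NAME": 0}
MAX_SCORE = 10   # the post's cap: block at 10
FLAG_SCORE = 5   # flag but allow

def parse_multi(response):
    """Parse 'Y|MULTI|IP|22|EMAIL|12|NAME|4' into {'IP': 22, ...}."""
    parts = response.strip().split("|")
    if len(parts) < 4 or parts[1] != "MULTI":
        raise ValueError(f"unexpected response: {response!r}")
    fields = parts[2:]
    if len(fields) % 2:
        raise ValueError("field name without a count")
    counts = {}
    for name, value in zip(fields[::2], fields[1::2]):
        counts[name] = int(value)  # raises ValueError on a non-numeric count
    return counts

def score(counts):
    """Sum the weight of every field with at least one hit, capped."""
    total = sum(WEIGHTS.get(f, 0) for f, n in counts.items() if n > 0)
    return min(total, MAX_SCORE)

def decide(response):
    """Map a MULTI response to 'block', 'flag' or 'allow'."""
    s = score(parse_multi(response))
    if s >= MAX_SCORE:
        return "block"
    if s >= FLAG_SCORE:
        return "flag"
    return "allow"
```

A malformed response raises `ValueError`, so the caller has to decide explicitly whether a failed lookup allows or holds the registration.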
