Bots with "real" names

[MysteryFCM]

I was alerted to this by a friend and believe it's something we need to do something about (whitelisting them is all I can think of, but it's gonna be a PITA to do that).

It basically concerns bots blacklisted with "real" names, for example, the one I was notified of, is listed in the BS and SFS database with the username "Martin", which is a real human name that someone legit is very likely to use.

Any thoughts?

[Mike]

Yes, some bots use "real" names, or names that are used by real people. That's why we suggest never matching on a name alone- it's just way too error-prone to be reliable.

We suggest testing the email and/or IP address. If either or both of those are found in the database then it's very very likely that it's a bot. See this discussion here:

http://botscout.com/api_queries.htm

This is an excerpt:

"The "NAME" Query

The NAME query takes a given user name and looks for matches in the BotScout database, searching only in the NAME field. By itself, the NAME query is much less reliable than an IP or MAIL query and should not be relied upon for bot screening. It should be used ONLY as a secondary indicator, and even that is of dubious value. Name collisions are not uncommon since bots use nonsense names as well as "real" names when they run. The NAME query by itself is next to useless; if used it should always be coupled with a MAIL or IP query for reliability. The false positive rate of using the NAME query alone is abysmally high. "

I was alerted to this by a friend and believe it's something we need to do something about (whitelisting them is all I can think of, but it's gonna be a PITA to do that).

It basically concerns bots blacklisted with "real" names, for example, the one I was notified of, is listed in the BS and SFS database with the username "Martin", which is a real human name that someone legit is very likely to use.

Any thoughts?

[MysteryFCM]

hehe you read my mind

Gonna be modifying the SBST soon, to allow user-controlled flags (e.g. match only on username or username + IP or username + e-mail + IP etc etc)

[Mike]

Gonna be modifying the SBST soon, to allow user-controlled flags (e.g. match only on username or username + IP or username + e-mail + IP etc etc)

I wouldn't allow them to match only on the username...that's an accident just waiting to happen.

I'd always make the name test be used along with both the the IP and email. In fact, I'd probably skip the username test altogether since it's next to worthless...it's only of any real value when combined with one or both of the other two tests.

[MysteryFCM]

I had that thought too, so wrote the following to determine the match selection;

Code: [Select]

// What are we matching on?
switch ($MatchBase){
case '1,2': // Match on username and IP
if($bFoundMatch_Username = true && $bFoundMatch_IP = true){
$bFoundMatch = true;
}
break;
case '1,3': // Match on username and Email
if($bFoundMatch_Username = true && $bFoundMatch_Mail = true){
$bFoundMatch = true;
}
break;
case '2,3': // Match on IP and Email
if($bFoundMatch_Mail = true && $bFoundMatch_IP = true){
$bFoundMatch = true;
}
break;
case '1,2,3': // Match on username, IP and E-mail
if($bFoundMatch_Username = true && $bFoundMatch_IP = true && $bFoundMatch_Mail = true){
$bFoundMatch = true;
}
break;
default:
$bFoundMatch = false;
break;
}

[rusticdog]

My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username

This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q

Any chance of getting him removed ?

Gidday you you two as well


Cheers
Chris

[Mike]

Rusticdog,

Was this in reference to another post, or.....?

My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username

This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q

Any chance of getting him removed ?

Gidday you you two as well


Cheers
Chris

[Mike]

I believe this one would be the most valuable and effective:

Code: [Select]

case '2,3': // Match on IP and Email
if($bFoundMatch_Mail = true && $bFoundMatch_IP = true){
$bFoundMatch = true;
}

[MysteryFCM]

Rusticdog,

Was this in reference to another post, or.....?

My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username

This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q

Any chance of getting him removed ?

Gidday you you two as well


Cheers
Chris

Chris was the friend I mentioned that alerted me to it

[MysteryFCM]

I believe this one would be the most valuable and effective:

Code: [Select]

case '2,3': // Match on IP and Email
if($bFoundMatch_Mail = true && $bFoundMatch_IP = true){
$bFoundMatch = true;
}

Cool, cheers

[MysteryFCM]

My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username

This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q

Any chance of getting him removed ?

Gidday you you two as well


Cheers
Chris

Chris,
Good to see you over here dude

Looking at those records, chances are his system is/was infected with a spambot (ip4da4ba49.direct-adsl.nl looks like a dynamic IP PTR more than a static one though, so it could've been the customer that had the IP before him)

[Mike]

These look very recent, in fact just 1 day ago:

[REMOVED]

I can remove them, but I think someone's PC is still infected.

My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username

This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q

Any chance of getting him removed ?

Gidday you you two as well


Cheers
Chris

Chris,
Good to see you over here dude

Looking at those records, chances are his system is/was infected with a spambot (ip4da4ba49.direct-adsl.nl looks like a dynamic IP PTR more than a static one though, so it could've been the customer that had the IP before him)

[rusticdog]

Those aren't submitted by us are they ? as the email he sent said

"I tried Marty, Marty001 etc but still no access!"

Which strangely matches the more recent additions.

I could be wrong but I think the username Martin got blocked from a bit, and this users later attempts at signing up caused his records (such as IP) to be added on each attempt.   Though I am not sure if we were also submitting data ...

[MysteryFCM]

The SBST doesn't actually submit anything to BS, just queries it's database.

[rusticdog]

That's what I thought, seems an odd coincidence I guess.   So do these Bots actually choose logon names that the infected user would use themselves ? ...pretty sneaky if it is.