
Author Topic: Bots with "real" names  (Read 36896 times)

MysteryFCM

  • Moderator
  • Full Member
  • *****
  • Posts: 200
    • View Profile
    • I.T. Mate
Bots with "real" names
« on: February 21, 2009, 03:01:44 PM »
I was alerted to this by a friend and believe it's something we need to do something about (whitelisting them is all I can think of, but it's gonna be a PITA to do that).

It basically concerns bots blacklisted with "real" names, for example, the one I was notified of, is listed in the BS and SFS database with the username "Martin", which is a real human name that someone legit is very likely to use.

Any thoughts?
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Mike

  • Administrator
  • Sr. Member
  • *****
  • Posts: 300
    • View Profile
Re: Bots with "real" names
« Reply #1 on: February 21, 2009, 03:09:45 PM »
Yes, some bots use "real" names, or names that are used by real people. That's why we suggest never matching on a name alone- it's just way too error-prone to be reliable.

We suggest testing the email and/or IP address. If either or both of those are found in the database then it's very very likely that it's a bot. See this discussion here:

http://botscout.com/api_queries.htm

This is an excerpt:

"The "NAME" Query

The NAME query takes a given user name and looks for matches in the BotScout database, searching only in the NAME field. By itself, the NAME query is much less reliable than an IP or MAIL query and should not be relied upon for bot screening. It should be used ONLY as a secondary indicator, and even that is of dubious value. Name collisions are not uncommon since bots use nonsense names as well as "real" names when they run. The NAME query by itself is next to useless; if used it should always be coupled with a MAIL or IP query for reliability. The false positive rate of using the NAME query alone is abysmally high. "




> I was alerted to this by a friend and believe it's something we need to do something about (whitelisting them is all I can think of, but it's gonna be a PITA to do that).
>
> It basically concerns bots blacklisted with "real" names, for example, the one I was notified of, is listed in the BS and SFS database with the username "Martin", which is a real human name that someone legit is very likely to use.
>
> Any thoughts?
Please don't PM me for assistance- post your questions in the forum where others can see them.

MysteryFCM

Re: Bots with "real" names
« Reply #2 on: February 21, 2009, 03:14:30 PM »
hehe you read my mind :)

Gonna be modifying the SBST soon, to allow user-controlled flags (e.g. match only on username or username + IP or username + e-mail + IP etc etc)
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Mike

Re: Bots with "real" names
« Reply #3 on: February 21, 2009, 04:00:21 PM »
> Gonna be modifying the SBST soon, to allow user-controlled flags (e.g. match only on username or username + IP or username + e-mail + IP etc etc)
I wouldn't allow them to match only on the username...that's an accident just waiting to happen.

I'd always make the name test be used along with both the IP and email. In fact, I'd probably skip the username test altogether since it's next to worthless...it's only of any real value when combined with one or both of the other two tests.
Please don't PM me for assistance- post your questions in the forum where others can see them.

MysteryFCM

Re: Bots with "real" names
« Reply #4 on: February 21, 2009, 04:15:29 PM »
I had that thought too, so wrote the following to determine the match selection;

Code:
    // What are we matching on? (1 = username, 2 = IP, 3 = e-mail)
    $bFoundMatch = false; // start from "no match"
    switch ($MatchBase) {
        case '1,2': // Match on username and IP
            // Test the flags themselves; "= true" would assign and always pass
            if ($bFoundMatch_Username && $bFoundMatch_IP) {
                $bFoundMatch = true;
            }
            break;
        case '1,3': // Match on username and Email
            if ($bFoundMatch_Username && $bFoundMatch_Mail) {
                $bFoundMatch = true;
            }
            break;
        case '2,3': // Match on IP and Email
            if ($bFoundMatch_Mail && $bFoundMatch_IP) {
                $bFoundMatch = true;
            }
            break;
        case '1,2,3': // Match on username, IP and E-mail
            if ($bFoundMatch_Username && $bFoundMatch_IP && $bFoundMatch_Mail) {
                $bFoundMatch = true;
            }
            break;
        default: // Unknown selection: never report a match
            $bFoundMatch = false;
            break;
    }

:)
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

rusticdog

  • Newbie
  • *
  • Posts: 12
    • View Profile
Re: Bots with "real" names
« Reply #5 on: February 21, 2009, 05:44:46 PM »
My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username

This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q

Any chance of getting him removed ?

Gidday you two as well :)


Cheers
Chris

Mike

Re: Bots with "real" names
« Reply #6 on: February 21, 2009, 07:15:32 PM »
Rusticdog,

Was this in reference to another post, or.....?



> My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username
>
> This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q
>
> Any chance of getting him removed ?
>
> Gidday you two as well :)
>
> Cheers
> Chris
Please don't PM me for assistance- post your questions in the forum where others can see them.

Mike

Re: Bots with "real" names
« Reply #7 on: February 21, 2009, 07:16:56 PM »
I believe this one would be the most valuable and effective:

Code:
    case '2,3': // Match on IP and Email
        // Test the flags themselves; "= true" would assign and always pass
        if ($bFoundMatch_Mail && $bFoundMatch_IP) {
            $bFoundMatch = true;
        }
        break;
Please don't PM me for assistance- post your questions in the forum where others can see them.
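
The policy discussed in the replies above (never act on a username hit alone; IP plus e-mail is the strongest combination), as an added example that is not part of anyone's post or of the SBST. The function name `isBlacklistMatch()`, its arguments and the sample lookup results are constructed for illustration; the check IDs 1, 2, 3 follow the `$MatchBase` values used in the thread.

```php
<?php
// Added example; isBlacklistMatch() and the sample data are hypothetical.
// Check IDs follow the thread's $MatchBase values: 1 = username, 2 = IP, 3 = e-mail.

function isBlacklistMatch(string $matchBase, array $hits): bool
{
    $required = array_unique(array_map('trim', explode(',', $matchBase)));

    // Refuse empty or unknown check IDs rather than silently matching nothing.
    if (array_diff($required, ['1', '2', '3']) !== []) {
        throw new InvalidArgumentException("Unknown match base: {$matchBase}");
    }
    // Every policy must include the IP or e-mail check; a name on its own is refused.
    if (array_intersect($required, ['2', '3']) === []) {
        throw new InvalidArgumentException('Username-only matching is not allowed');
    }
    foreach ($required as $id) {
        // Strict test: a missing or non-boolean lookup result never counts as a hit.
        if (($hits[$id] ?? false) !== true) {
            return false;
        }
    }
    return true;
}

// Constructed lookup results (no real database is queried).
$signups = [
    'real user whose name collides' => ['1' => true,  '2' => false, '3' => false],
    'listed on name, IP and e-mail' => ['1' => true,  '2' => true,  '3' => true],
    'listed IP only (maybe reused)' => ['1' => false, '2' => true,  '3' => false],
];

foreach (['2,3', '1,2', '1'] as $policy) {
    foreach ($signups as $label => $hits) {
        try {
            $verdict = isBlacklistMatch($policy, $hits) ? 'block' : 'allow';
        } catch (InvalidArgumentException $e) {
            $verdict = 'policy rejected: ' . $e->getMessage();
        }
        printf("%-5s | %-30s | %s\n", $policy, $label, $verdict);
    }
}
```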

MysteryFCM

Re: Bots with "real" names
« Reply #8 on: February 21, 2009, 09:21:06 PM »
> Rusticdog,
>
> Was this in reference to another post, or.....?
>
> > My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username
> >
> > This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q
> >
> > Any chance of getting him removed ?
> >
> > Gidday you two as well :)
> >
> > Cheers
> > Chris

Chris was the friend I mentioned that alerted me to it :)
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

MysteryFCM

Re: Bots with "real" names
« Reply #9 on: February 21, 2009, 09:26:47 PM »
> I believe this one would be the most valuable and effective:
>
> Code:
>     case '2,3': // Match on IP and Email
>         // Test the flags themselves; "= true" would assign and always pass
>         if ($bFoundMatch_Mail && $bFoundMatch_IP) {
>             $bFoundMatch = true;
>         }
>         break;

Cool, cheers :)
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

MysteryFCM

Re: Bots with "real" names
« Reply #10 on: February 21, 2009, 09:35:34 PM »
> My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username
>
> This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q
>
> Any chance of getting him removed ?
>
> Gidday you two as well :)
>
> Cheers
> Chris

Chris,
Good to see you over here dude :)

Looking at those records, chances are his system is/was infected with a spambot (ip4da4ba49.direct-adsl.nl looks like a dynamic IP PTR more than a static one though, so it could've been the customer that had the IP before him)
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Mike

Re: Bots with "real" names
« Reply #11 on: February 22, 2009, 05:17:03 AM »
These look very recent, in fact just 1 day ago:

[REMOVED]

I can remove them, but I think someone's PC is still infected.




> > My bad on this one, I wasn't very thorough with my checks and as it turns out it's not just his username
> >
> > This is the record here http://www.botscout.com/search.htm?sterm=77.164.186.73&stype=q
> >
> > Any chance of getting him removed ?
> >
> > Gidday you two as well :)
> >
> > Cheers
> > Chris
>
> Chris,
> Good to see you over here dude :)
>
> Looking at those records, chances are his system is/was infected with a spambot (ip4da4ba49.direct-adsl.nl looks like a dynamic IP PTR more than a static one though, so it could've been the customer that had the IP before him)
« Last Edit: February 26, 2009, 02:36:04 PM by MysteryFCM »
Please don't PM me for assistance- post your questions in the forum where others can see them.

rusticdog

Re: Bots with "real" names
« Reply #12 on: February 22, 2009, 04:19:21 PM »
Those aren't submitted by us, are they? As the email he sent said

"I tried Marty, Marty001 etc but still no access!"

Which strangely matches the more recent additions.

I could be wrong but I think the username Martin got blocked from a bit, and this user's later attempts at signing up caused his records (such as IP) to be added on each attempt. Though I am not sure if we were also submitting data ...

MysteryFCM

Re: Bots with "real" names
« Reply #13 on: February 22, 2009, 04:35:21 PM »
The SBST doesn't actually submit anything to BS, just queries its database.
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

rusticdog

Re: Bots with "real" names
« Reply #14 on: February 22, 2009, 04:37:45 PM »
That's what I thought, seems an odd coincidence I guess. So do these bots actually choose logon names that the infected user would use themselves? ...pretty sneaky if it is.