I was wondering if there is a method of tracking the scripts that test your site's forums before the posting bots hit.
(That question is kind of a lead-in to something I have been testing.)
A few weeks back, when I had browser-to-CSS issues, I started monitoring the UserAgents to make sure the stylesheets were all working with the different browsers.
When I set up to track the UserAgent I also set up a script to track the Unknown Agents.
What I have seen is a pattern of UserAgents that seem to be linked to Spam Bot postings.
Here's one example, and you have the IP in your database but Stop Forum Spam doesn't.
2009-09-11 02:23 PM Innomacaw angelzdark@hotmail.com 84.110.58.133
Hit 1: 9/11/2009 1:32:36 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /agreement.asp
Hit 2: 9/11/2009 1:32:50 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /agreement.asp
Hit 3:9/11/2009 1:32:54 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /login.asp
Hit 4:9/11/2009 1:33:04 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /login.asp
Hit 5: (Attempted to Register)
9/11/2009 1:33:07 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: em=1&er=1 em=1&er=1
Page Hit: /agreement.asp
Hit 6:9/11/2009 1:33:12 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: CAT_ID=1 CAT_ID=1
Page Hit: /forum/default.asp
Hit 7:9/11/2009 1:33:20 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: method=Topic&FORUM_ID=1 method=Topic&FORUM_ID=1
Page Hit: /forum/post.asp
Hit 8:9/11/2009 1:33:38 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String:
Page Hit: /forum/post_info.asp
Hit 9:9/11/2009 1:33:45 PM
Browser: Unknown
Version: 0
UserAgent: mozilla/0.91 beta (windows)
IP: 84.110.58.133
Query String: method=Topic&FORUM_ID=1 method=Topic&FORUM_ID=1
Page Hit: /forum/post.asp
The tracking will follow only when something is not in check.
In this case, because the mozilla/0.91 is not in my database as a known browser, it then triggers the tracking.
I then place the IP in a Warning status and wait for the actual forum post or signup.
I started skipping the waiting around part and just ban by IP when I see this behaviour. I check a day later and have seen the IP listed here and there. So it appears in my case it works. But I tend to Ban full network blocks at times.
Q: Do you all have one of your honeypots set up to track in this fashion?
Q: Do you think it might be a good resource or function to include?
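
The tracking flow described in this post, as an added example that is not the poster's own script: an unknown UserAgent puts the IP in a warning status, and reaching a posting page escalates it. The allowlist tokens, the status names, the choice of posting pages as the trigger and the sample log (documentation-range IPs) are assumptions made for illustration.

```python
import re

# Assumed stand-in for the post's database of known browsers.
KNOWN_TOKENS = ("firefox/", "msie ", "chrome/", "safari/", "opera/")
# Posting pages named in the post's log; reaching one escalates a warned IP.
WATCHED = {"/forum/post.asp", "/forum/post_info.asp"}
# Constructed sample in the post's log layout; not real traffic.
SAMPLE_LOG = """\
Hit 1: 9/11/2009 1:32:36 PM
UserAgent: mozilla/0.91 beta (windows)
IP: 192.0.2.10
Page Hit: /agreement.asp
Hit 2: 9/11/2009 1:33:20 PM
UserAgent: mozilla/0.91 beta (windows)
IP: 192.0.2.10
Page Hit: /forum/post.asp
Hit 3: 9/11/2009 1:34:02 PM
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20090824 Firefox/3.5.3
IP: 198.51.100.7
Page Hit: /forum/post.asp
Hit 4: 9/11/2009 1:35:10 PM
UserAgent: examplefetcher/1.0
IP: 203.0.113.5
Page Hit: /forum/default.asp
"""

def parse_hits(text):
    """Yield one dict per 'Hit N:' record, keyed by the log's field names."""
    for block in re.split(r"^Hit \d+:.*$", text, flags=re.M)[1:]:
        fields = (ln.partition(":") for ln in block.splitlines() if ":" in ln)
        yield {k.strip(): v.strip() for k, _, v in fields}

def classify(text):
    """Return {ip: status} for IPs whose UserAgent is not a known browser."""
    status = {}
    for hit in parse_hits(text):
        ua = hit.get("UserAgent", "").lower()
        if any(tok in ua for tok in KNOWN_TOKENS):
            continue  # known browser: tracking is never triggered
        ip = hit.get("IP", "")
        if hit.get("Page Hit") in WATCHED:
            status[ip] = "flagged"  # unknown agent reached a posting page
        status.setdefault(ip, "warning")  # first sighting of an unknown agent
    return status

if __name__ == "__main__":
    for ip, state in classify(SAMPLE_LOG).items():
        print(ip, state)
```

A UserAgent string is client-supplied, so a known-looking agent proves nothing; the check only catches scripts that do not bother to disguise themselves.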