Author Topic: Honey Pot'd  (Read 9347 times)

Spectere

  • \m/ (-_-) \m/
  • Administrator
  • Hero Member
  • *****
  • Posts: 5716
  • printf("%s\n", "Hi!");
    • View Profile
    • spectere.net
Honey Pot'd
« on: October 27, 2010, 11:37:28 PM »
So I wound up deleting almost an entire page of spambots from the member list today.  And you know what?  I'm mad as hell, and I'm not going to take it anymore.

I decided to give the http:BL SMF mod a shot.  Hopefully the distributed nature of Project Honey Pot will help prevent spammers from combing the site.

I'll give it a week or so and see how effective it is.  Considering this past week I've gotten an average of 8-10 spambot registrations a day I don't think it'll take long before I see an improvement if there's going to be one.

Edit: As always, if you guys run into any problems accessing the site, please e-mail me immediately.  spectere <at> gmail <dot> com.  I believe my e-mail addy will also appear on the OMG UR A BOT page.  E-mail is the best way to get a hold of me since I practically have an umbilical cord to Google (all e-mail going to that account is pushed to my phone).
« Last Edit: October 27, 2010, 11:40:53 PM by Spectere »
"This is a machine for making cows."

Spectere

Re: Honey Pot'd
« Reply #1 on: October 28, 2010, 01:56:42 AM »
Wow, that didn't take bloody long. O.o

I THINK I LIKE IT.
"This is a machine for making cows."

Sneaky

  • Windows 8 Knowledge Base
  • Hero Member
  • *****
  • Posts: 1297
  • Where I come from they call it the Hibbity Dibbity
    • View Profile
Re: Honey Pot'd
« Reply #2 on: October 28, 2010, 03:58:13 AM »
That's some fancy tool you got there. Hope it keeps up the good work and takes a load off your email.
I wish that cake was a lie. :(

I guess he never figured out what Willis was saying :/

Spectere

Re: Honey Pot'd
« Reply #3 on: October 28, 2010, 10:27:28 AM »
Yeah, hopefully. 8)

One spambot managed to register, but it was from a residential IP.  Those would be borderline impossible to completely protect against since after all this time people still don't realize that clicking on unfamiliar links is bad, m'kay.

I can see this stopping extreme floods from dedicated servers.  I'd say roughly 75% of all spambot registrations come from dedicated servers that spammers rent and will use and abuse until they are inevitably shut down (indeed, I had about 15 registrations from an Ubiquity Servers box over the past couple of days).  The rest come from people who think that XP Antivirus 2010 is a legitimate product.

It's definitely not going to be perfect, but if it at least stops most of the bots from accessing this site and fetching contact info it'll be worth it.
"This is a machine for making cows."

Bobbias

  • #1 Poster
  • Hero Member
  • *****
  • Posts: 7210
  • 404 Avatar not found.
    • View Profile
    • Magnetic Architect
Re: Honey Pot'd
« Reply #4 on: October 28, 2010, 03:10:58 PM »
Awesome. Never knew SMF had something like that.
This is going in my sig. :)

BANNED FOR BAD PUNS X_x

Spectere

Re: Honey Pot'd
« Reply #5 on: October 29, 2010, 01:00:24 AM »
Yep.  I'm thinking there are plugins that connect most major forums up to Project Honey Pot.  It's definitely not a bad idea to install something like that.

Doesn't seem to be doing a whole lot to curb registrations, though, probably because half of them come from "trusted" hosts (i.e. virally infected home PCs, VPS/dedicated servers, exploited boxen, etc).  It's definitely helped cut back on the "lawl random IP" registrations that I got a lot of, but right now I'm dealing primarily with bots registered from VPS/dedis.

Luckily, it's pretty easy to get in touch with them, so I've been shooting them e-mails to report the spammers.

It's kind of funny how much time I spend maintaining this place.  Between yesterday and today I probably spent 2.5 hours just dealing with spammers.  That's pretty ri-goddamn-diculous.

I'd probably dick around and get Akismet working if more of them were able to successfully make posts.  Last time I tried using Akismet here it broke the site.

I'm also considering finishing up that SMF2 theme I was making eons ago and updating the site to SMF 2.0 RC3 so that I can use Bad Behavior, since I heard that it works extremely well.  Considering SMF2 doesn't seem to be on the road to ever becoming "stable," that idea is looking to be more and more attractive as time goes on.
"This is a machine for making cows."

Bobbias

Re: Honey Pot'd
« Reply #6 on: October 29, 2010, 01:05:20 AM »
Is there a way to forbid certain account registrations based on keywords present in certain information things (kinda like some of the word filters for spam)? That might help curb some extra account registrations.
This is going in my sig. :)

BANNED FOR BAD PUNS X_x

Spectere

Re: Honey Pot'd
« Reply #7 on: October 29, 2010, 01:13:55 AM »
Something like Akismet might do it, but stuff like that would be too flaky when it comes to user registration.  Spam bots that register accounts here generally don't have more than one or two links in their signature, so if I were to put something like that into place there would be way too many false positives to make it worthwhile.  I'd spend the time that I currently do dealing with spammers manually fixing people's sigs and stuff.

The scary part is that, on top of this, I'm still getting an alarming number of hits from my old e-mail/IP bans.  Imagine what things would be like if I didn't put that into play as well.
"This is a machine for making cows."

Bobbias

Re: Honey Pot'd
« Reply #8 on: October 29, 2010, 01:21:55 AM »
Yeah. Is there a way to get a blacklist of emails?
This is going in my sig. :)

BANNED FOR BAD PUNS X_x

Spectere

Re: Honey Pot'd
« Reply #9 on: October 29, 2010, 01:31:54 AM »
I dunno.  Never really looked.

Not that it would matter much.  You'd be surprised how many of them register using Gmail and Live accounts.

Edit: HOLY HELL, I already got a ticket response requesting more information from one of the VPS/dedi providers.  I submitted the additional info, and they got back to me quickly to inform me that a complaint was passed to the customer in charge of that hostname.  It took all of an hour and a half...after hours, no less!  I wasn't even expecting a reply for a couple of days.  Yikes.

Color me impressed.
« Last Edit: October 29, 2010, 03:11:10 AM by Spectere »
"This is a machine for making cows."

Bobbias

Re: Honey Pot'd
« Reply #10 on: October 29, 2010, 02:52:39 PM »
Apparently there is some spamming coming from my college :/ I just logged in to the college net, and came here, and got hit by the blocked page. I filled out the questions, because of http://www.projecthoneypot.org/ip_192.139.153.28 I figure we might as well keep it blocked and I'll just fill out the questions when I need to sign in from here :/
This is going in my sig. :)

BANNED FOR BAD PUNS X_x

Spectere

Re: Honey Pot'd
« Reply #11 on: October 29, 2010, 04:15:21 PM »
If you run into the blocked page again, could you take a screenshot for me?  I'm curious to see what it looks like.

As for why that address is blocked, I'm guessing it's because someone on your college network got themselves infected (and considering how many infections I've cleaned off of college students' machines, that's a definite possibility) and whatever trojan they managed to nab started going on a spamming frenzy.  That IP is listed as being of a high threat level.
"This is a machine for making cows."

Bobbias

Re: Honey Pot'd
« Reply #12 on: October 29, 2010, 07:14:52 PM »
Alright, I'll get a picture next time. It'll probably show up next time I connect to the network here, but so far the comp's been connected here all day, so it hasn't had a chance to do it again.
This is going in my sig. :)

BANNED FOR BAD PUNS X_x
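
The kind of lookup behind the blocked page discussed in the last few replies, as an added example that is not part of the original thread or the SMF mod's code: Project Honey Pot's http:BL is queried over DNS, and the answer `127.<days>.<threat>.<type>` carries the age of the listing, a threat score and visitor-type flags. The function names, the thresholds, the access key and the sample answers are constructed for illustration.

```python
import ipaddress

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bit flags in the last octet of an http:BL answer.
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def build_query(access_key, visitor_ip):
    """DNS name to resolve: <key>.<IP octets reversed>.dnsbl.httpbl.org"""
    octets = str(ipaddress.IPv4Address(visitor_ip)).split(".")
    return ".".join([access_key, *reversed(octets), HTTPBL_ZONE])


def decode_answer(answer):
    """Split an http:BL A record (127.<days>.<threat>.<type>) into fields."""
    first, days, threat, vtype = ipaddress.IPv4Address(answer).packed
    if first != 127:
        raise ValueError("not an http:BL answer: " + answer)
    if vtype == 0:
        # Type 0 is a known search engine; the other octets are not a score.
        return {"search_engine": True, "days": None, "threat": None, "types": []}
    types = [name for bit, name in VISITOR_TYPES.items() if vtype & bit]
    return {"search_engine": False, "days": days, "threat": threat, "types": types}


def should_challenge(answer, min_threat=25, max_age_days=30):
    """Policy sketch (thresholds are assumptions). answer=None means NXDOMAIN,
    i.e. the IP is not listed, as with a freshly infected residential host."""
    if answer is None:
        return False
    info = decode_answer(answer)
    if info["search_engine"]:
        return False
    return info["days"] <= max_age_days and info["threat"] >= min_threat


if __name__ == "__main__":
    # Constructed key, documentation-range IP, and constructed answers.
    print(build_query("abcdefghijkl", "203.0.113.7"))
    for ans in ("127.3.60.5", "127.200.60.4", "127.1.1.0", None):
        print(ans, should_challenge(ans))
```

An unlisted address returns no record at all, which is why a bot on a newly compromised home connection passes this check until honeypots have seen it.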

Bobbias

Re: Honey Pot'd
« Reply #13 on: January 11, 2011, 09:07:04 AM »
So, do you think it'd be possible to allow the IP address I'm on here (my college) to not have the honey-pot page when I try to post? Preferably linking that to my account, so any other bots on here still have to go through those pages.... I dunno if you can do that, but it'd be nice to not have to fill out those pages when I try to post here (I've pretty much always got a cookie to keep me logged in...)
This is going in my sig. :)

BANNED FOR BAD PUNS X_x

Spectere

Re: Honey Pot'd
« Reply #14 on: January 14, 2011, 03:09:49 AM »
There isn't an option to whitelist usernames.  I don't even think such a thing would be possible, since the main point of it is to prevent spammers from even recognizing that a proper forum exists at a given address.
"This is a machine for making cows."