Starting a new Honeypot Board

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Tue Dec 16, 2008 6:51 pm
Post subject: Starting a new Honeypot Board

I want to get some data, folks. I plan on adding a data viewer script so anyone can see the data I'm collecting, and also run arbitrary queries on the data.

Here's a link to it: http://dserver.macgui.com/link.html

Data Being Collected Now
- types of forums the spam bots post in. I've got ordinary forums, and obvious spammy/general discussion forums since bots target those
- plaintext password of anyone who signs up.
- complete $_SERVER super-global is serialized and stored for each user registration and post.

Starting 06 Jan 09, the following data is being collected:

- time to submit registration form
- time to submit posting form
- session_id will be added to posts to track # of posts per session

- hidden form fields. I'll make text input fields and hide them with a <div> tag. Robots parsing the HTML should see them. I'll strategically pick field names and record what sort of data is entered into them, if any.

- tracking cookie will be set with a unique value for each user. If it's returned, we'll record data such as time, user id, and ip address. We can then link accounts which are logging in from the same computer. We can also see if spammers clear their cookies. This idea is from Gaia and Google.

- logins and log outs will be recorded and timed. Each login will have recorded the user ID, time, IP address, and session ID. Each log out will record the same. We can now check login frequency and duration. We can also see if the log out link is explicitly clicked, or if sessions are being allowed to expire from inactivity. This idea is from Facebook.

- failed captcha attempts are logged with the correct captcha text, the incorrect text entered, session id, ip address, and time

Data To Be Collected

- nothing proposed yet


Proposed Changes, after data collection
- language strings, such as in the email. I know for a fact a spam-bot known as Xrumer uses regular expressions to do its work.
- forums. I'll be moving some around, hiding them, changing their status, and locking some.
- captcha.
- adding additional languages, and making them default

The point here is to see what changes yield the best results without installing some anti-spam mod outright (besides the captcha, of course!)

I'll be sharing data as it comes in, and what changes seem to have a good effect.

Some Data Collected so far
29 Dec 08 Here's a small sampling of passwords:

Quote:

3hFGfxe351
123456789
sw2q1A9817
OXA9cu8174
QKdgRun456
Ki0vwac333
kOTI9Ln713
yDace5e564
Diks4ilS
4y9eTK354i
pPCQLn4465
Z0PRoc2611
rQrKXCR818
xaTaAcq593
osbJKa7852
QaYczg1673
y8o3kJ0638
6a6uqSG634
ZKVADFr937

Notice how most end with three digits. Pretty randomized overall, though.

General Observations so far
- The very first forum seems to be most popular.
- Most spam users start new topics. We could focus anti-spam measures there.
- Most spam users' web sites are sub-domains off of free web hosts.
- There are 422 topic subscriptions now (as of 06 Jan 09), and a few days ago there were only around 200. I wonder why this is so.
- Nearly all spam posts and registrations have been through a proxy. This caused the $_SERVER['HTTP_PROXY_*'] global var to be set.

- I'll eat my own hat if Google can't recognize forum spam.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI
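
An added example, not code from this thread or from phpBB2: one way the "time to submit" and hidden-form-field collection listed in the post above could be recorded server-side, sketched in Python rather than the board's PHP. The signed `form_token`, the secret, and the decoy field names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"        # assumption: server-side key, never sent to clients
DECOY_FIELDS = ("homepage_url", "email2")  # hypothetical names for the hidden text inputs


def _mac(session_id, ts):
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, now=None):
    """Value for a hidden 'form_token' input, created when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(session_id, ts)}"


def record_submission(session_id, form, now=None):
    """Build the log row for one submitted registration or posting form."""
    now = int(time.time() if now is None else now)
    ts, _, mac = form.get("form_token", "").partition(":")
    # Only trust the timestamp if its MAC verifies for this session.
    valid = hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode())
    return {
        "session_id": session_id,
        "token_valid": valid,
        "seconds_to_submit": now - int(ts) if valid else None,
        # A person using a browser never sees these inputs, so any value is logged.
        "decoy_values": {f: form[f] for f in DECOY_FIELDS if form.get(f)},
    }


if __name__ == "__main__":
    # Constructed submission: form rendered at t=1000, posted one second later.
    token = issue_form_token("sess-a1", now=1000)
    form = {"form_token": token, "message": "hi", "homepage_url": "http://spam.example"}
    print(record_submission("sess-a1", form, now=1001))
```

Signing the render time means a client cannot claim a longer fill-in time by editing the hidden field; a missing or altered token is itself recorded as `token_valid: False`.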

dogs and things
Board Member
Joined: 18 Nov 2008
Posts: 621
Location: Spain
Posted: Tue Dec 16, 2008 8:47 pm
Post subject: Re: Starting a new Honeypot Board

Don't know if you ever read "SPAM protection: easy way to fix capcha to disallow spammers", which shows a very simple adjustment of the standard captcha to stop spambots.

Could be an interesting thing to test once you got the board going.

_________________
phpBB2 will never die, I hope!

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Tue Dec 16, 2008 9:52 pm
Post subject: Re: Starting a new Honeypot Board

Thanks for the link; some very amusing info there.

I'm on a quest for the solution which involves the least amount of human interaction.

Google is quick to update its index. An hour it took for it to spot the domain on phpbb.com in my sig, and another hour to spot it in my sig on my site. Still no domain itself, and of course the spammers themselves are much slower.

Roughly half of all spam sent gets through.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

~Cowboy~
Board Member
Joined: 08 Dec 2008
Posts: 297
Location: Chicago
Posted: Tue Dec 16, 2008 11:31 pm
Post subject: Re: Starting a new Honeypot Board

It's been my experience that spam bots like to post in the most recently posted thread.

Not always, but it does seem to be a habit.

_________________
We are not refugees we are trail blazers.

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Mon Dec 29, 2008 10:42 pm
Post subject: Re: Starting a new Honeypot Board

It's been roughly two weeks later, and I now have plenty of spam. Right off the bat, I see the most spam has been posted in forum ID 1, which is at the top of the forums listing.

Time to analyze all the data I've collected so far.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

dogs and things
Board Member
Joined: 18 Nov 2008
Posts: 621
Location: Spain
Posted: Mon Dec 29, 2008 10:59 pm
Post subject: Re: Starting a new Honeypot Board

I was wondering about this earlier today.

I'm glad to see that your new community is growing and becoming more and more active.

Some nice reading there, I just learned the Backstreet Boys are gay.

Do you recall in how many places you posted links to that board to attract the bots?

_________________
phpBB2 will never die, I hope!

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Tue Dec 30, 2008 6:31 pm
Post subject: Re: Starting a new Honeypot Board

dogs and things wrote:

Do you recall in how many places you posted links to that board to attract the bots?

Yes.

1.) Here
2.) phpbb.com
3.) My site
4.) A 4th site

I prepared a paper last night with more data I will be collecting. This is in the first post of this topic.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Tue Jan 06, 2009 9:20 pm
Post subject: Updates added

I'm now collecting quite a bit more data. See the first post for the full list of what's being harvested.

Some other changes to the board:
- user passwords viewable by anyone in memberlist or profile. You can sort by password in the memberlist.

- IP address of posts are viewable by anyone, even the ModCP IP address lookup function is viewable by anyone.

- total time to signup is recorded in profile

- total time to post is recorded in each post

Coming soon: Data Viewer
I'm going to set up a MySQL user with read-only access to the database. Anyone will be able to execute arbitrary SELECT statements to gather data which has been recorded.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

Sylver Cheetah 53
Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Tue Jan 06, 2009 9:49 pm
Post subject: Re: Starting a new Honeypot Board

What is wrong with your forum? It is full with spam.
_________________
My Forum || My Blog

phpBB2 forever!

drathbun
Board Member
Joined: 24 Jul 2008
Posts: 653
Location: Texas
Posted: Tue Jan 06, 2009 10:43 pm
Post subject: Re: Starting a new Honeypot Board

Sylver Cheetah 53 wrote:
What is wrong with your forum? It is full with spam.

Read this

_________________
phpBBDoctor Blog

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Wed Jan 07, 2009 4:49 pm
Post subject: Re: Starting a new Honeypot Board

Sylver Cheetah 53 wrote:
What is wrong with your forum? It is full with spam.

That's because I have to collect data before I can start running experiments.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Wed Jan 07, 2009 5:22 pm
Post subject: New Data Collected

I'm going to wait a few more days before posting any big conclusions, but here are some trends:

- It looks like spammers do not click 'logout', they merely allow the session to expire
- 42 out of 95 logged logins have been successful
- Only three users have clicked 'logout' - that was me and a test user
- 50 out of 95 logins have failed due to incorrect username. Most failed logins were attempted more than once from the same session ID
- Out of 33 new posts, 25 were posted in 2 seconds or less, which is impossible for a human who is typing a legitimate post of comparable length.
- 75 captchas have been failed. Many session IDs have failed more than once in a row.
- There has been one new registration and that was me, a test user.
- Out of 225 tracking logs, none have returned the user's unique tracking code. It looks like spammers know exactly what cookies they need.
- The most prolific spam user appears to be a human, and he is online posting messages (and being tracked by me) as I type this sentence now.

All of these data are from the past 20 hours only, as that was approximately when I began collecting it.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI
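
An added example, not part of the original post or the honeypot's own code: a Python sketch of how the trends listed above (posts submitted in 2 seconds or less, repeated captcha and login failures from one session ID, tracking cookies never returned) could be pulled out of the logged events. The event layout, session IDs and sample rows are constructed for the illustration.

```python
from collections import Counter, defaultdict

FAST_POST_SECONDS = 2  # threshold taken from the post: "2 seconds or less"
REPEAT_NAMES = {"captcha_fail": "repeated_captcha_fail", "login": "repeated_login_fail"}

# Constructed sample events, shaped like the logs the post describes.
EVENTS = [
    {"type": "post", "session": "a1", "seconds": 1},
    {"type": "post", "session": "a1", "seconds": 2},
    {"type": "post", "session": "h7", "seconds": 94},
    {"type": "captcha_fail", "session": "b2"},
    {"type": "captcha_fail", "session": "b2"},
    {"type": "captcha_fail", "session": "c3"},
    {"type": "login", "session": "d4", "ok": False},
    {"type": "login", "session": "d4", "ok": False},
    {"type": "login", "session": "h7", "ok": True},
    {"type": "logout", "session": "h7"},
    {"type": "track", "session": "a1", "cookie_returned": False},
    {"type": "track", "session": "h7", "cookie_returned": True},
]


def session_signals(events):
    """Return {session_id: sorted automation signals seen for that session}."""
    failures = Counter()
    signals = defaultdict(set)
    for e in events:
        sid, kind = e["session"], e["type"]
        if kind == "post" and e["seconds"] <= FAST_POST_SECONDS:
            signals[sid].add("fast_post")
        elif kind in REPEAT_NAMES and not e.get("ok", False):
            failures[(sid, kind)] += 1
            if failures[(sid, kind)] > 1:  # second failure of this kind in one session
                signals[sid].add(REPEAT_NAMES[kind])
        elif kind == "track" and not e["cookie_returned"]:
            signals[sid].add("cookie_not_returned")
    return {sid: sorted(found) for sid, found in signals.items()}


def summary(events):
    """Counts in the same form as the post's '25 out of 33 new posts' figures."""
    posts = [e for e in events if e["type"] == "post"]
    fast = sum(e["seconds"] <= FAST_POST_SECONDS for e in posts)
    return {"posts": len(posts), "fast_posts": fast,
            "flagged_sessions": sorted(session_signals(events))}
```

A single failed captcha or a slow post leaves a session unflagged, so the one human-paced session in the sample (`h7`) does not appear in the output.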

Sylver Cheetah 53
Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Mon Jan 12, 2009 10:51 pm
Post subject: Re: Starting a new Honeypot Board

Oh my God, that is a lot of spam.
_________________
My Forum || My Blog

phpBB2 forever!

Dog Cow
Board Member
Joined: 18 Nov 2008
Posts: 378
Posted: Tue Jan 13, 2009 2:56 pm
Post subject: Re: Starting a new Honeypot Board

Sylver Cheetah 53 wrote:
Oh my God, that is a lot of spam.

Yes, but fortunately, I've discovered some easily-detectable patterns in it.

_________________
Moof!
Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog • Mac GUI

Sylver Cheetah 53
Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Tue Jan 13, 2009 3:22 pm
Post subject: Re: Starting a new Honeypot Board

How many of them choose GMT-12, when registering?
_________________
My Forum || My Blog

phpBB2 forever!
Page 1 of 2 All times are GMT