Bad Behavior for SMF mod

Started by butchs, April 12, 2010, 05:23:56 PM


butchs

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Lazybones

Hide enclosed from Suspicious Visitors requests

1. Please detail what it does, it kind of popped up when I installed and was not expecting it.
2. Please make it optional in the admin options.
3. PLEASE PLEASE PLEASE change the icon, not only does it stand out, it has offended a visually impaired member of my forum. (it looks like a blind man with a cane to me, not sure if that is what it is supposed to be)

Other than that I am glad to see the functions of http:bl maintained in another better mod... So far it is working great.

FYI, I tried running with "HelpLimit honeypot on forum" off. I noted that in the top left of my SMF 2 forum a link is visible when viewed in IE... It looks a bit ugly..

Not sure what the effectiveness difference is with HelpLimit honeypot on forum on or off.

TheListener

Lazybones

admin> Forum > Posts and topics > BB Code

Untick Suspicious

Lazybones

Quote from: Old Fossil on March 27, 2012, 06:52:35 PM
Lazybones

admin> Forum > Posts and topics > BB Code

Untick Suspicious

Perfect thanks, I expected it to be a mod option.

However my other two comments stand... I didn't see that feature listed with the mod or in the change notes, and the icon still may be offensive in this context to some.

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

butchs

If you make or find a better icon please share it.  O:)

Lazybones

Quote from: Kindred on March 27, 2012, 07:18:50 PM
So get a different icon?

Hiding it is working fine for now, a member of my forum may be working on an alternative.

What criteria is suspicious, not blocked but maybe malicious?



butchs

Yes.

Quote from: Lazybones

1. Please detail what it does, it kind of popped up when I installed and was not expecting it.

It prohibits visitors who enter the "Permitted entries log" from seeing the content enclosed in the BBC code.  These visitors are non members who are suspicious and are not blocked by the mod.

This code was created for posting phone numbers, email addresses and etc...

Lazybones

My Permitted entries log already contains 20+ entries from Africa and Russia. I think I saw a post a while back where you were interested in what was appearing in the permitted list, or should I just keep an eye on them? One of them at least appears to be trying to view the registration page.

butchs

Thank you.  That is good information.  You do not have to try to track them.  I just wanted to see their origins.

8)

A little more info.  The permitted entries log not only includes Bad Behavior suspicious entries but it includes those deemed suspicious by Project Honeypot.
:P

Lazybones

Quote from: butchs on March 28, 2012, 06:00:33 PM
Thank you.  That is good information.  You do not have to try to track them.  I just wanted to see their origins.

8)

A little more info.  The permitted entries log not only includes Bad Behavior suspicious entries but it includes those deemed suspicious by Project Honeypot.
:P

Would be nice to have the PERMITTED REASON or EXPLANATION field indicate why they are suspicious... IE they were in Project Honeypot but had a low score... MOD http:BL has a little more detail in this respect. It also makes a case for using the suspicious tag....

butchs

I prefer programming for functionality over glitter.  First off the way MOD http:BL does it is by having two threat levels.  One threat level to ban visitors and the other to show that they are possible threats.  My mod does NOT do that.

This mod uses the Project Honeypot's determination as explained in the Http:BL API Specification.

Quote
To use Project Honeypot a host need simply perform a DNS lookup of a web visitor's IP address. Project Honeypot's DNS system will return a value which indicates the status of the visitor. Visitors may be identified as search engines, suspicious, harvesters, comment spammers, or a combination thereof. The response to the DNS query, as outlined below, indicates what type of visitor is accessing your page...


Value   Meaning
0   Search Engine (0)
1   Suspicious (1)
2   Harvester (2)
3   Suspicious & Harvester (1+2)
4   Comment Spammer (4)
5   Suspicious & Comment Spammer (1+4)
6   Harvester & Comment Spammer (2+4)
7   Suspicious & Harvester & Comment Spammer (1+2+4)
>7   [Reserved for Future Use]

So if the DNS lookup at Project Honeypot returns a 1 the visitor (other conditions may apply) is sent to the permitted entries log.

The code was hard enough to do so I left adding details for a future version.  Right now I am working on a new challenge page...
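
The lookup and value table described in the post above, as an added example that is not part of the original thread or the mod's code. The zone `dnsbl.httpbl.org` and the `127.<days>.<threat>.<type>` answer layout come from the Http:BL API specification; the access key and the answers are constructed placeholders, no DNS query is made, and `is_suspicious_only` is a hypothetical helper.

```python
import ipaddress

# Bit flags from the value table quoted above; 0 on its own means search engine.
TYPE_FLAGS = {1: "Suspicious", 2: "Harvester", 4: "Comment Spammer"}

def httpbl_query_name(access_key, visitor_ip, zone="dnsbl.httpbl.org"):
    """Name to resolve: access key, the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(visitor_ip)).split(".")
    return ".".join([access_key] + octets[::-1] + [zone])

def decode_httpbl(answer):
    """Decode an A record of the form 127.<days>.<threat>.<type>.

    `answer` is None when the name does not resolve (visitor not listed).
    """
    if answer is None:
        return None
    first, days, threat, vtype = (int(p) for p in answer.split("."))
    if first != 127:
        raise ValueError("not an http:BL answer: " + answer)
    if vtype > 7:
        labels = ["Reserved"]
    elif vtype == 0:
        labels = ["Search Engine"]
    else:
        labels = [name for bit, name in TYPE_FLAGS.items() if vtype & bit]
    return {"days": days, "threat": threat, "type": vtype, "labels": labels}

def is_suspicious_only(decoded):
    """Hypothetical helper: True for value 1, the case the post sends to the
    permitted entries log (the post notes other conditions may apply)."""
    return decoded is not None and decoded["type"] == 1

if __name__ == "__main__":
    # Constructed placeholder key and constructed answers; no DNS query is made.
    print(httpbl_query_name("abcdefghijkl", "192.0.2.45"))
    for sample in ("127.3.5.1", "127.1.40.5", "127.0.0.0", None):
        decoded = decode_httpbl(sample)
        print(sample, decoded, is_suspicious_only(decoded))
```
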

Lazybones

So for consistency shouldn't the explanation field say http:bl Suspicious?
Or if the entire Permitted tab is Suspicious why not label it as such?

Just an observation from an end user / admin point of view there is little or no association between the suspicious state and the permit log in the UI.

FYI this isn't a complaint just an observation.

Lazybones

Odd permitted entries that may make for a signature:

Quote
METHOD:    POST
URI:    /index.php?PHPSESSID=7d93629a0466105b9a2ebbadb53d4e78&action=login2
PROTOCOL:    HTTP/1.0
HEADERS:    POST /index.php?PHPSESSID=7d93629a0466105b9a2ebbadb53d4e78&action=login2 HTTP/1.0 Accept: */* User-Agent: Mozilla/0.6 Beta (Windows) Referer: http://forums.mydomain.com/myhoneypot.php Host: forums.mydomain.com Pragma: no-cache Cookie: PHPSESSID=7d93629a0466105b9a2ebbadb53d4e78; bb2_screener_=1333009273+120.43.7.164 Connection: close
AGENT:    Mozilla%2F0.6%20Beta%20%28Windows%29
ENTITY:    user: ogilssvizl passwrd: 77SWvv99CBff cookielength: -1 submit: Login hash_passwrd:

1. The referrer is actually my honeypot page which doesn't have any links on it....
2. Very fake looking user agent.
3. account doesn't exist in the forum and looks like a random mess of characters
4. no forum members from the IP country of origin.

Quote
IP:    187.5.96.141
187-5-96-141.gnale1010.ipd.brasiltelecom.net.br
DATE:    2012-03-28 7:10:24 PM
METHOD:    POST
URI:    /index.php?PHPSESSID=b2ca8fc36d1eafdc735e1c650621b0ce&action=login2
PROTOCOL:    HTTP/1.0
HEADERS:    POST /index.php?PHPSESSID=b2ca8fc36d1eafdc735e1c650621b0ce&action=login2 HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Referer: http://forums.mydomain.com/myhoneypotpage.php Host: forums.mydomain.com Pragma: no-cache Cookie: PHPSESSID=b2ca8fc36d1eafdc735e1c650621b0ce; bb2_screener_=1332983408+187.5.96.141 Via: 1.0 PROXY Connection: close
AGENT:    Mozilla%2F4.0%20%28compatible%3B%20MSIE%206.0%3B%20America%20Online%20Browser%201.1%3B%20rev1.2%3B%20Windows%20NT%205.1%3B%20SV1%3B%20.NET%20CLR%201.1.4322%29
ENTITY:    user: CraigsList Course passwrd: zediogo200994 cookielength: -1 submit: Login hash_passwrd:
KEY:    00000000

1. The referrer is actually my honeypot page which doesn't have any links on it....
2. Very fake looking user agent.
3. account doesn't exist in the forum
4. no forum members from the IP country of origin.

Since the honeypot page is actually in the Bad Behavior config, I wonder if a rule could not be made to block anyone who uses it as a referrer page...
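
The referrer check suggested in the post above, sketched over log entries in the same field layout, as an added example that is not part of the original post or the mod's code. The two log entries, their 192.0.2.x addresses and the `HONEYPOT_PATHS` setting are constructed; the host name and honeypot page names are the ones shown in the quoted entries.

```python
import re
from urllib.parse import urlsplit

# Assumption: paths of the honeypot page(s) configured in the mod.
HONEYPOT_PATHS = {"/myhoneypot.php", "/myhoneypotpage.php"}

# Constructed entries in the field layout of the permitted entries log.
SAMPLE_LOG = """\
IP:    192.0.2.10
METHOD:    POST
URI:    /index.php?action=login2
PROTOCOL:    HTTP/1.0
HEADERS:    POST /index.php?action=login2 HTTP/1.0 Accept: */* User-Agent: Mozilla/0.6 Beta (Windows) Referer: http://forums.mydomain.com/myhoneypot.php Host: forums.mydomain.com Connection: close

IP:    192.0.2.20
METHOD:    POST
URI:    /index.php?action=login2
PROTOCOL:    HTTP/1.1
HEADERS:    POST /index.php?action=login2 HTTP/1.1 Accept: text/html User-Agent: ExampleBrowser/1.0 Referer: http://forums.mydomain.com/index.php?action=login Host: forums.mydomain.com Connection: keep-alive
"""

def parse_entries(text):
    """Split on blank lines; each 'KEY:    value' line becomes a dict item."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def referer_path(entry):
    """Path of the Referer URL inside the flattened HEADERS field, or None."""
    m = re.search(r"\bReferer: (\S+)", entry.get("HEADERS", ""))
    return urlsplit(m.group(1)).path if m else None

def reasons(entry):
    """Signals taken from the observations listed in the post."""
    found = []
    if referer_path(entry) in HONEYPOT_PATHS:
        found.append("referer is honeypot page")
    if entry.get("METHOD") == "POST" and "action=login2" in entry.get("URI", ""):
        found.append("login POST")
    if entry.get("PROTOCOL") == "HTTP/1.0":
        found.append("HTTP/1.0")
    return found

def flagged_ips(text):
    """IPs whose request named a link-less honeypot page as its referrer."""
    return [e["IP"] for e in parse_entries(text)
            if "referer is honeypot page" in reasons(e)]
```

The Referer header is supplied by the client and can be omitted or changed, so a match is a strong signal but a missing match proves nothing.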

butchs

Quote from: Lazybones on March 29, 2012, 10:06:37 AM
So for consistency shouldn't the explanation field say http:bl Suspicious?
Or if the entire Permitted tab is Suspicious why not label it as such?

That is not 100% correct.  True it shows them after going through the test if and only if the Project Honeypot service is online.  However, Bad Behavior is online 100% of the time and contributes to the "Permitted Visitors Log".

This is a Bad Behavior mod and the core author created a log for WordPress called "Show Permitted" around the same time I created the "Permitted Visitors Log".  Both logs include the Bad Behavior permitted entries (there are way too many reasons you can get here so I will not try to explain) but ONLY the SMF version includes Project Honeypot Suspicious visitors in the same log (hence the different name).

The SMF version is the FIRST and at the time of this writing the ONLY modification that has a "Permitted Visitors Log" that includes both Project Honeypot Suspicious visitors and Bad Behavior Permitted Entries and that disallows the "Permitted Visitors Log" IP addresses from seeing your forum's content via member controlled BBC code.

Trust me, being the first to do anything is not easy...  It is much easier to copy...  So be gentle!
8)


Quote from: Lazybones on March 29, 2012, 11:57:16 AM
user: ogilssvizl passwrd: 77SWvv99CBff cookielength: -1 submit: Login hash_passwrd

A blatant password cracking attempt if I ever saw one...  If they continue after a week try my other mod...

Quote from: Lazybones on March 29, 2012, 11:57:16 AM
Odd permitted entries that may make for a signature:...

Since the honeypot page is actually in the Bad Behavior config, I wonder if a rule could not be made to block anyone who uses it as a referrer page...

The Bad Behavior warning page has at least 12 spam trap variations (another first).  If enabled these traps or a portion thereof are on every page.

If that link is in the Bad Behavior "Honeypot Link" and you have a link word then that means the mod caught them in the spam trap; they escaped because they were not previously caught by Project Honeypot or Project Honeypot was down.  Rest assured, this sort of activity will gain them a reputation with the Project Honeypot database and they will pay the price and be blocked by all!

So I thank you for catching another spammer!
8)

Lazybones

Quote from: butchs on March 27, 2012, 07:57:56 PM
If you make or find a better icon please share it.  O:)

Attached is what we have replaced the icon with at the moment... Everyone in my forum seems to like it better... The artist has declared it free for use.


Edit: originally attached the wrong version, the version attached correctly aligns with the buttons.

Anpu

Hi, is there a limitation for using this mod? Like daily limit or something?
Yesterday mod was amazingly awesome protecting forum, but today is showing "Project Honey Pot is offline!". I checked the script I uploaded (checked permissions too), link, key and status on HoneyPot and all seem ok. Am I missing something?

butchs


Lazybones

Quote from: butchs on April 20, 2012, 06:44:13 AM
No limit.  The honeypot just goes on and off for maintenance.

This is one of the reasons I like Bad Behavior WITH httpBL vs just the mod httpBL... Bad Behaviour still tends to do a good job when the honeypot is down.

jaisi

I have just installed this mod but it is still showing Project Honey Pot is offline.
