Amazing new honeypot blacklist, and question on how to prepend a key in DNS query - ORF Forums

1

This may not be new... but it is new to me. I just found projecthoneypot.org and I am really excited about what they do; it could dramatically improve your hit ratio. They are like a collective honeypot: you can share your honeypot with them, and/or use their blacklist to check all the spammers they have collected.

Now, the ???, this service requires each DNS lookup to submit your private API auth key to authenticate your DNS lookup. So a lookup for 1.2.3.4 would look like: randomAPIkey.4.3.2.1.dnsbl.httpbl.org

Their documentation is here:
https://www.projecthoneypot.org/httpbl_api.php

But within ORF, I am not sure how to define this list with the key in the front of the lookup. Is there a way to do this? Maybe my version is too old, it is only 5.0. Is there a workaround for me to hack this, or do I have to put in a feature request?

by john.hyde 6 years ago
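
The key-prefixed lookup described in the post above, as an added example that is not part of the thread and not ORF code. The answer decoding follows the http:BL API documentation linked in the post (an assumption here, since the thread does not quote it), and the access key used with it is a constructed placeholder.

```python
import ipaddress
import socket

ZONE = "dnsbl.httpbl.org"  # zone named in the post above

# Visitor-type bit flags carried in the last octet of an answer (assumption:
# per the http:BL API documentation linked above, not stated in this thread).
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def build_query(access_key: str, ip: str) -> str:
    """Return '<key>.<reversed octets>.dnsbl.httpbl.org' for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything but IPv4
    if not access_key.isalnum():
        raise ValueError("access key must be a single alphanumeric DNS label")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    # The key travels in cleartext in the query name, so every resolver and
    # DNS log on the path sees it; treat query logs as holding a credential.
    return f"{access_key}.{reversed_octets}.{ZONE}"


def decode_answer(answer: str) -> dict:
    """Decode an A-record answer of the form 127.<days>.<threat>.<type>."""
    first, days, threat, vtype = (int(o) for o in answer.split("."))
    if first != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    if vtype == 0:
        # Type 0 marks a known search engine; the third octet is then an
        # engine identifier rather than a threat score.
        return {"visitor_types": ["search engine"], "search_engine_id": threat}
    kinds = [name for bit, name in TYPE_FLAGS.items() if vtype & bit]
    return {
        "days_since_last_activity": days,
        "threat_score": threat,
        "visitor_types": kinds,
    }


def lookup(access_key: str, ip: str):
    """Query http:BL; return the decoded answer, or None when nothing resolves."""
    try:
        answer = socket.gethostbyname(build_query(access_key, ip))
    except socket.gaierror:
        # No A record: the IP is not listed (resolver failures also land here).
        return None
    return decode_answer(answer)
```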
2

Hello john.hyde,

According to the API specifications, this service is used by web-admins for keeping harvester, comment spamming and other malicious bots off their websites. In other words, it is not a blacklist that collects the IPs of email spammers, but website spammers (and this is why you will not find this list on popular DNSBL checker sites). That said, I am sure that if you were to check the IPs listed on httpBL against email DNSBLs, you would find that many of them are listed on those as well -- since an IP can be connected to multiple malicious activities.

As for using the API auth key in the DNS query, I am afraid that is not possible, as ORF was designed to work with email DNSBLs and none of those require such a prefix.

by Daniel Novak (Vamsoft) 6 years ago
3

@Daniel Novak (Vamsoft): I believe this could be done with an ORF external agent, if you are so inclined.

by Sam Russo 6 years ago
4

Actually, this product does specifically address email; they just happen to also use scripts on webservers to monitor harvester bot activity. See the about page: http://www.projecthoneypot.org/about_us.php

Their stats look pretty high. They have been active since 2004, so there are lots of contributors.
http://www.projecthoneypot.org/statistics.php

Comparing their stats to UCEprotect, for example, UCE is reported to have under 100 honeypot servers, while Project Honeypot has 245,722,827 contributing traps.

I am setting up their script on a couple of servers.

by john.hyde 6 years ago
