![[Home]](http://meatballwiki.org/meatball.gif)
HoneyPot
MeatballWiki | RecentChanges | Random Page | Indices | CategoriesA frequent if extreme strategy for combatting attacks is a HoneyPot: a dummy target inviting attack, yet in truth under complete observational control of the white hats. The goal is to learn about the attackers. A main problem is they can become a potential vector for misinformation if compromised.
A wiki experiencing frequent LinkSpam attacks on a particular page, ideally one that should never legitimately have links, can usefully turn this page into a HoneyPot, scanning all posts for links and automatically adding them to a blacklist. This page can also serve as a way to quickly add new items to the blacklist without adding an external script, allowing the community to quickly combat spam. This approach would rely on SecurityThroughObscurity to avoid an attacker banning non-compromised URLs.
MeatballWiki has such a HoneyPot; the pagename is available on request, but not listed here to LimitTemptation. See the list of [patterns banned in the last 28 days], and the list of [IPs who've had edits blocked in the last 28 days].
Points to consider:
- The code as written bans domains, not URLs. Creating a new page on a server is trivial and free; getting a new domain registered is non-trivial and not free. As such, though, the approach is no use for banning, say, a geocities account. If that becomes necessary, an external script could be added.
- Unbanning a domain is, for now, an admin task. Other existing approaches, such as LinkVeto, would require a non-trivial external script. I'll think about ways of approaching this.
- The code doesn't revert existing spam. The MB pagebase structure is not conducive to this kind of magic, alas.
The HoneyPot code is now enabled, and the resulting list of spam patterns can be subscribed to as part of a RapidAntiSpam network. For the record, the message sent on triggering the HoneyPot or the blacklist is:
- You have triggered the spam filter. If you are posting link spam, give up now. Otherwise, please try and identify the offending link and remove it; if you cannot find it, contact an admin for help.
Over the last fortnight, I've added many spam patterns to the filter via the HoneyPot, with no need to resort to admin privileges. I've also noticed three other unique IPs adding domains. One could well be a MB regular who's sussed the pot's location, but the other two were definitely spammers banning their own spam. Success! -- ChrisPurcell
- Hazaah! Nice one! -- SunirShah
Looks like on Feb 12th, one guy came along and found his link-spam didn't work. He retried with two different IPs, and neither worked. So he gave up - and this after all the effort of setting up three separate sub-domains on his server. Awwwww. (I suspect it was the same guy, because the links were so similar.) Die, wretched wasps! I'm going to ban the super-domains used in many recent attacks, and save us all the effort of coping with new sub-domains. -- ChrisPurcell
See also an interesting article regarding [the use of a HoneyPot by the BBC].
CategorySpam CategoryHardSecurity