[Home]HoneyPot

MeatballWiki | RecentChanges | Random Page | Indices | Categories

A frequent if extreme strategy for combatting attacks is a HoneyPot: a dummy target inviting attack, yet in truth under complete observational control of the white hats. The goal is to learn about the attackers. A main problem is they can become a potential vector for misinformation if compromised.

A wiki experiencing frequent LinkSpam attacks on a particular page, ideally one that should never legitimately have links, can usefully turn this page into a HoneyPot, scanning all posts for links and automatically adding them to a blacklist. This page can also serve as a way to quickly add new items to the blacklist without adding an external script, allowing the community to quickly combat spam. This approach would rely on SecurityThroughObscurity to avoid an attacker banning non-compromised URLs.

MeatballWiki has such a HoneyPot; the pagename is available on request, but not listed here to LimitTemptation. See the list of [patterns banned in the last 28 days], and the list of [IPs who've had edits blocked in the last 28 days].


Points to consider:

The HoneyPot code is now enabled, and the resulting list of spam patterns can be subscribed to as part of a RapidAntiSpam network. For the record, the message sent on triggering the HoneyPot or the blacklist is:

You have triggered the spam filter. If you are posting link spam, give up now. Otherwise, please try and identify the offending link and remove it; if you cannot find it, contact an admin for help.

Over the last fortnight, I've added many spam patterns to the filter via the HoneyPot, with no need to resort to admin privileges. I've also noticed three other unique IPs adding domains. One could well be a MB regular who's sussed the pot's location, but the other two were definitely spammers banning their own spam. Success! -- ChrisPurcell

Hazaah! Nice one! -- SunirShah

Looks like on Feb 12th, one guy came along and found his link-spam didn't work. He retried with two different IPs, and neither worked. So he gave up - and this after all the effort of setting up three separate sub-domains on his server. Awwwww. (I suspect it was the same guy, because the links were so similar.) Die, wretched wasps! I'm going to ban the super-domains used in many recent attacks, and save us all the effort of coping with new sub-domains. -- ChrisPurcell


See also an interesting article regarding [the use of a HoneyPot by the BBC].
CategorySpam CategoryHardSecurity

Discussion

MeatballWiki | RecentChanges | Random Page | Indices | Categories
Edit text of this page | View other revisions
Search: