Spammer Passive Counter-Striker

Small, short code snippets that other people may find useful. Do you have a good regex that you would like to share? Share it! Even better, the code can be commented on, and improved.

fresh
Joined: Mon Jun 14, 2004 10:39 am


Post by fresh »

Hey, if you're anything like me and like to torment spammers... this code works great!

Problem:
Have you ever checked your logs and noticed that the hostname of a certain IP address is the exact same as the hostname? The reason for this is because some ISPs do not include a PTR record. This type of behaviour is typically seen being done by spammers for the reason to crawl your sites for weaknesses to plant or distribute their worthless spam, anonymously. They want to enumerate lots of things and most of all they want to find a trustworthy MX server to send their mail to customers, members of the customers, and others they have listed in their ridiculously huge databases. Some servers have restricted such activity by denying connection to those IPs without valid pointers, and for those who haven't that luxury, this script may work alternatively.

Solution:
I built a script which basically enumerates the UA's IP and then requests the hostname based on the UA's IP. If the hostname is not returned, the script returns the IP of the UA as the hostname. The script then hashes the two values and compares them; if they match, no PTR was found, else this UA is good to go, and so is permitted to proceed thusly. :)

Test results:
1. WinWebCrawler wrote: "URL","Base","Domain","Title","Description","Keyword","BodyText","Last Modified","Content Length"
2. telnet wrote: HTTP/1.1 302 Found

<STRIPPED>

Content-Type: text/html

0
Notice that nothing was returned for that particular page. The page exists and is much bigger than 0 bytes. The reason the two programs are returning 0 is simply because the UA had chosen to not respond to my DNS request; therefore, they are sent away to their own box! Sending the UA to their own boxes won't necessarily hurt their box, nor will it force the crawler against themselves. The UA will simply travel to their own box and the connection will be refused, and thus their enumeration efforts return a false read and that session should halt at this point, sparing others below you in their list or affiliates with links on your page, members, etc.

Script:
Alright, the theory should be clear so here is the code, enjoy!


<?php
//Author:  3mu180r
//Contact: usersupprt AT hotmail DOT com
//Company: Black List Software
//Website: http://hackinoutthebox.com
//
//start
//
//enumerate the data
$UIP = $_SERVER['REMOTE_ADDR'];
//gethostbyaddr() returns the unmodified address when no PTR record exists
//(and false on a malformed address), so $HNM equals $UIP for a PTR-less client
$HNM = gethostbyaddr($UIP);
//hash the values
$has1 = md5($UIP);
$has2 = md5((string) $HNM);
//counter-strike
$goHere = "Location: http://" . $UIP . '/C$';
//check for no PTR
if ($has1 === $has2) {
    header($goHere);
    //stop here: without exit the rest of the page is still sent along with the redirect
    exit;
} else {
    echo "PTR returned, let them proceed.";
}
//
//end
?>
best regards.
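The same PTR test from a defender's angle, as an added example that is not fresh's code: a missing PTR is only half the picture, since anyone controlling reverse DNS for an address can publish any name they like, so the check below also resolves the returned name forward and requires the original address to come back (forward-confirmed reverse DNS), then logs and denies instead of redirecting the client to itself. The function name fcrdns_status and the three status strings are this example's own.

```php
<?php
// Forward-confirmed reverse DNS check (added example, not the original script).
// Returns 'no-ptr', 'ptr-unconfirmed' or 'ok'.
function fcrdns_status(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'no-ptr';
    }
    // gethostbyaddr() hands back the unmodified address when no PTR exists,
    // and false on malformed input; both count as "no PTR".
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return 'no-ptr';
    }
    // Resolve the claimed name forward: A records for IPv4, AAAA for IPv6.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $forward = gethostbynamel($host) ?: [];
    } else {
        $forward = [];
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rr) {
            $forward[] = $rr['ipv6'];
        }
    }
    // The PTR is confirmed only if the original address is among the forward results.
    if (!in_array($ip, $forward, true)) {
        return 'ptr-unconfirmed';
    }
    return 'ok';
}

$ip     = $_SERVER['REMOTE_ADDR'] ?? '';
$status = fcrdns_status($ip);
if ($status !== 'ok') {
    // Record the decision for later review, then refuse the request outright.
    error_log(sprintf('rdns=%s ip=%s ua=%s', $status, $ip, $_SERVER['HTTP_USER_AGENT'] ?? '-'));
    http_response_code(403);
    exit('Forbidden');
}
```

Expect a fair number of legitimate residential and mobile clients to land in 'no-ptr', so treating the status as a logged signal rather than a hard block is the usual starting point.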