WARNING

VERY IMPORTANT:

MOD httpBL version 1.0 was made for any web page written in PHP, but it is actually too complicated for a normal user to install and work with.

As I normally use SMF for almost all the web sites I create, I decided to make a new version that is easier to install and configure inside SMF (this one, from 2.0 onward), but these new versions are not compatible at all with any other kind of web page. They are only for SMF.

So, if the web site where you want to install the mod is not SMF, please go to the proper tutorial, but if your forum is SMF continue reading. This is the mod you want.

Introduction

This SMF mod is especially recommended for all forum administrators who (like me) are fed up with the spammers that never stop trying to register in our forums to post links to pages full of viruses and to carry out other kinds of annoying activities.

The mod, once installed and configured properly, not only stops any malicious robot from registering in a forum, but also stops it from viewing any of the web pages where the mod is installed, so it is effective against all the robots in Project Honey Pot's database. That includes the "harvesters", the kind of robots that, instead of trying to publish anything, harvest email addresses from the Internet in order to send them spam later. And, of course, it is also effective on web sites where you don't need to be registered to add a comment or write anything, for example forums open to visitors, guest books, contact forms, photo galleries where visitors may add comments, etc.

On top of that, as the mod is also loaded from the file SSI.php, it protects not only your SMF forum but also any other web page connected to your forum through this file. For example, let's say that on your web site, apart from a forum made with SMF, you also have a portal made with Mambo, and you have Mambo connected to SMF through the official bridge so it can recognize your forum users automatically. The first thing that bridge does every time somebody accesses a Mambo web page is to load the file SSI.php from SMF, to pick up a few variables and functions it is going to need to access the SMF database, etc. So if you install this mod in SMF you will be protecting from unauthorized access not only all the web pages in your forum, but at the same time, automatically, all the web pages in your portal.

How it works - Introduction

The way this mod works is very simple. Every time somebody accesses one of the pages where it is installed, at the same time SMF is loading, the mod looks for the visitor's IP and checks it out in Project Honey Pot's database. If there has been any kind of malicious activity from that IP, we get 3 parameters:

  • The number of days since the last malicious activity from this IP.
  • The threat level of this IP assigned internally by Project Honey Pot.
  • A number representing the type of robot acting from this IP.

By default, the way I have configured the mod, if it has been 90 days or more since the last malicious activity from this IP, or if the threat level of this IP is less than or equal to 10, or if the type of robot is 0 (which means the robot belongs to a well-known search engine like Google, Yahoo, etc.), or if there is no data for the IP, the program lets the visitor pass and continues loading the rest of the web page normally. If the answer states that this is not a search engine but an IP from which there has been malicious activity recently with a threat level higher than 10, the program redirects the visitor to a web page called warning.php, so they cannot view any other part of the web site. Also, every time the mod detects a malicious robot, it writes down the robot's details in a "log" table in our database.

Of course it is very easy to change these parameters (activity less than 90 days ago and threat level higher than 10) inside the mod's configuration page if you want to try other values to see if they work better for you.


NOTICE - Changed from version 2.3 onwards

Now, inside the mod's configuration page, there are 2 different values of the threat level considered bad. Also, on the warning.php page, there is a captcha which appears only on some occasions, so that visitors whose threat level is not too high can prove they are humans and not spammer robots.

By default the mod is now configured with these values:

  • Threat level 10 or less => They can pass.
  • Threat level between 11 and 29 => They see the captcha and only pass if they are humans.
  • Threat level 30 or more => They don't see the captcha. No way they can pass.

But, as I was saying before, you can change these values if you need to.
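
The decision described in this section, written out as an added example (this is not the mod's own code). It relies on the http:BL DNS format, where the query name is `<key>.<reversed IP octets>.dnsbl.httpbl.org` and the answer is `127.<days>.<threat>.<type>`; the function names and the sample answers are constructed for illustration, and the thresholds are the defaults listed above.

```php
<?php
// Added example: NOT the mod's own code. Function names and sample answers are
// constructed for illustration.

/** DNS name for an http:BL lookup: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org */
function httpbl_query_name(string $apiKey, string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;                       // this sketch handles IPv4 only
    }
    return $apiKey . '.' . implode('.', array_reverse(explode('.', $ip))) . '.dnsbl.httpbl.org';
}

/** Live lookup (not called by the demo below). Returns null when there is no record. */
function httpbl_lookup(string $apiKey, string $ip): ?string
{
    $name = httpbl_query_name($apiKey, $ip);
    if ($name === null) {
        return null;
    }
    $answer = gethostbyname($name);        // returns $name unchanged on failure
    return $answer === $name ? null : $answer;
}

/** Parse "127.<days>.<threat>.<type>" into the three parameters; null = no data. */
function httpbl_parse(?string $answer): ?array
{
    if ($answer === null || !preg_match('/^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $answer, $m)) {
        return null;
    }
    return ['days' => (int) $m[1], 'threat' => (int) $m[2], 'type' => (int) $m[3]];
}

/** The visitor type is a bit field; 0 means search engine. */
function httpbl_type_names(int $type): array
{
    if ($type === 0) {
        return ['search engine'];
    }
    $names = [];
    foreach ([1 => 'suspicious', 2 => 'harvester', 4 => 'comment spammer'] as $bit => $label) {
        if ($type & $bit) {
            $names[] = $label;
        }
    }
    return $names;
}

/** Apply the default thresholds: returns 'pass', 'captcha' or 'block'. */
function httpbl_decide(?array $r, int $maxDays = 90, int $passUpTo = 10, int $blockFrom = 30): string
{
    if ($r === null || $r['type'] === 0) {
        return 'pass';                     // no data, or a known search engine
    }
    if ($r['days'] >= $maxDays || $r['threat'] <= $passUpTo) {
        return 'pass';                     // stale record or low threat level
    }
    return $r['threat'] >= $blockFrom ? 'block' : 'captcha';
}

// Constructed sample answers (this demo generates no DNS traffic).
$samples = [
    'no record'            => null,
    'search engine'        => '127.0.5.0',
    'old activity'         => '127.120.45.4',
    'low threat'           => '127.3.10.2',
    'mid threat harvester' => '127.3.25.2',
    'high threat spammer'  => '127.1.60.5',
];

// "abcdefghijkl" is the placeholder API key used in this tutorial.
echo httpbl_query_name('abcdefghijkl', '192.0.2.10'), "\n";
foreach ($samples as $label => $answer) {
    $r = httpbl_parse($answer);
    $types = $r === null ? '-' : implode('+', httpbl_type_names($r['type']));
    printf("%-22s %-14s %-28s => %s\n", $label, $answer ?? '(none)', $types, httpbl_decide($r));
}
```

The first four samples pass, the fifth gets the captcha and the last one is blocked.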

How it works - The web page warning.php

This web page deserves a closer look, because this is not just the only page that the malicious robots visiting your site are going to see, but it is also the only page that any human being unfortunate enough to have an IP considered malicious by Project Honey Pot will see.

If they are robots it's not a big deal, because the only thing they will see is some text with no important information for them and a link to your honey pot. If they follow this link, all they achieve is to give Project Honey Pot's database more information about the kind of activities they do, to get their threat score increased (the more clicks a robot makes in different honey pots the more active it is, so it is considered more dangerous) and to get the number of days since they were last seen set back down to 0.

But when human beings are redirected to this page, that's a different story.

To start with, the only thing they will see is the text. I haven't explained to you yet what a honey pot is, but its main characteristic is that all the links to honey pots must be hidden from human eyes, to be sure that only robots will follow them.

The main reasons why human beings can be in this situation are:

  • Their computer (or any other computer inside their local network and therefore with their same IP) has been infected and has been turned into a zombie computer working for a spammer.
  • They have a dynamic IP and just by chance the IP they are using today used to belong some time ago to an infected computer.

So this page warning.php must have a few instructions, as easy as possible, telling the occasional human visitor who arrives there what to do in any of these cases. But, taking into consideration that 99.99 % of the time this page is only going to be visited by malicious robots, these instructions must always be written in text as plain as possible, without any links to any other page (apart, of course, from the hidden link to your honey pot) and without any kind of information that may be useful to a spammer.

To make this a little clearer, if you want to know what one of these pages looks like before you install yours, you can take a look at one of the warning pages I have already installed.

As you can see, there is a message in English and Spanish explaining everything I have described above, but you cannot see any links anywhere. I can assure you, though, that there is a hidden link to one of my honey pots and robots can see it for sure.

Of course you can change the design of your warning page any way you like, but I wouldn't recommend trying it if you are not totally sure you know what you are doing.


NOTICE - Changed from version 2.5 onwards

Now it's a lot easier to change the design of your warning page by changing a few values inside the mod's configuration page and modifying the new file "warning_css.css", without touching your warning page at all.

I will explain it better further down this tutorial.

How it works - The links to your honey pot

We have already seen what happens when malicious robots, or human beings with IPs considered malicious, arrive at our site. The program redirects them to the warning.php page and stops them from viewing any other part of our site. But what happens if a malicious robot with an IP that is not in Project Honey Pot's database arrives at our site?

That's why we need to have a lot of links to honey pots.

You will understand a little better what a honey pot is and how it works later, but let me tell you now that a honey pot is a web page that you must put on your server in such a way that only robots can access it. It is full of traps to see exactly how the robots that arrive there behave, and it sends all the information it can gather from these traps to Project Honey Pot's database, so all of us can benefit from that information later.

As we have seen in the last section, inside the warning.php page there is a hidden link to your honey pot, but this is not the only link the program places. It must place these hidden links to your honey pot in every web page you have.


NOTICE

This is a very important point for you to remember when installing the mod, because if you use the normal SMF installation method to install the mod, the program will only add links to the honey pot inside the default theme, so if you are using any other theme (as most people do) you will need to read the part of this guide explaining how to set up these links manually.

When everything is properly installed and configured, as soon as a malicious robot starts navigating your web pages it will see a link to your honey pot inside every one of them and, the way they have been done, it is very difficult (almost impossible) for the robot not to end up falling into one of the traps after visiting just a few pages.

As soon as this robot falls into one of the traps its IP is added automatically to Project Honey Pot's database. From that moment onwards, if it tries to visit any other of your pages the program will recognize it as malicious and won't let it in, so it will have seen only a few of your pages and it won't have done a lot of harm.

Compatibility with other anti-spammer mods

As we have seen in the last section, with this mod installed, the possibility of a malicious robot getting in our site and doing some harm is small, but it exists.

For that reason I recommend (and in fact that's what I do in all the forums where I am administrator) using other anti-spammer mods compatible with this one at the same time.

Up until now I have verified that the following mods are compatible with this one and I recommend using them:

Compatibility - MOD Stop Spammer

The main differences between MOD Stop Spammer, which M-DVD and I are developing, and this MOD httpBL, whose installation guide you are reading now, are:

  • MOD Stop Spammer uses Stop Forum Spam's database while MOD httpBL uses Project Honey Pot's database. A lot of spammers are already in both databases, but some spammers are only in one of them, so it's not a bad idea to check both databases anyway.
  • MOD Stop Spammer checks whether visitors are spammers when they try to register in the forum, while MOD httpBL checks it as soon as they arrive at the forum. This way it is also effective against "harvesters" and other malicious robots.
  • MOD httpBL adds trap links to honey pots, so if a robot is actually malicious but was not already in the database, it will be added automatically after a few visits to the site, while with MOD Stop Spammer, if you see users publishing spam in the forum after the program has let them pass, you need to add them manually to the database.

As you can see, both mods have their pros and cons and actually, if you have installed only one of them, you will have enough protection against spammers.

In fact, for many months I had only MOD Stop Spammer installed in all my forums and I was very happy with the way it was working. The reason why I decided to make this other mod was that I was administering 10 different forums at the time and, in every one of them, there were at least 10 spammers trying to register daily, so I was getting around 100 emails a day from the different MOD Stop Spammer installations I had, telling me they had stopped another spammer. And also because of the time I was losing every day checking these forums one by one, manually adding to the database the few spammers who were getting in, deleting the bad ones, etc.

Of course all this work was a lot less than the work I had to do before, when I had no anti-spammer mod installed at all, but it was still too much work, so I decided to look for a way to make everything as automatic as possible.

Also, with MOD Stop Spammer I was only protected against the kind of robots known as "comment spammers" (that is, the robots that try to publish spam comments in every web page they can) and I wanted to protect my sites against the rest of the known malicious robots as well.

Since I have had both mods installed in all my web sites, there hasn't been a spammer who has managed to pass both controls. The few spammers who have got through the first filter (MOD httpBL) have been stopped by the second filter (MOD Stop Spammer) when they have tried to register in the forum. And I suppose that, even if one day some spammers manage to get through both filters, they won't have time to publish spam comments because, to do that, they will need to visit a few different pages from the first time they arrive at the forum: at least one visit to the home page, another one to the register page to create an account, another one to the page telling them that the registration was successful, another one to log in, one or two more to navigate somewhere to publish something and a last one to actually write a post (plus another one to activate the account if they need to do that as well). That is too many pages teasing them with links to the honey pot for them to get through without falling into one of the traps.

If you haven't got it and you are interested, you can download it from the mod's official page.

Compatibility - Anti-Spam Verification Questions

NOTICE

If you use SMF 2.x you don't need to install this mod because it is already integrated into the SMF core. The only thing you need to do is activate it. To do that navigate in your forum to:
Admin => Security and Moderation => Anti-Spam => Verification Questions
and set up at least one question with its corresponding answer.

This mod adds to any SMF 1.x forum the "Anti-Spam Verification Questions" that are integrated by default into the SMF 2.x core.

Once it is installed in an SMF 1.x forum you need to activate it. To do that navigate in your forum to:
Admin => Members => Registration => Settings => Verification Questions
and set up at least one question with its corresponding answer.

If you haven't got it and you are interested, you can download it from the mod's official page.

Compatibility - Project Honey Pot MOD

The Project Honey Pot MOD from eryde does only one thing. It adds, inside the "Track IP" page, a link to Project Honey Pot's database so you can check out, with just one click, the data they have for the IP you are tracking.

Of course this mod, on its own, doesn't protect you at all. If you had only this mod you would need to check out manually one by one every new visitor in your site to see if they are malicious or not, but used together with one of the other mods (or, even better, with all of them at the same time) it's very useful.

You can check, for example, old users who registered in your forum a long time ago (before you installed any anti-spammer mod) if you think they are suspicious for any reason. You can check new users who, after passing all the anti-spammer filters, you see doing nothing at all, because they may really be malicious robots, and the reason they don't do anything is that at some point they fell into a honey pot and, since then, MOD httpBL doesn't let them do anything. And, of course, you can check any visitors whose data in Project Honey Pot you want to see for any reason.

If you haven't got it and you are interested, you can download it from the mod's official page.

Compatibility - Wizzle's Diagram

As they say, a picture is worth a thousand words, so here you can see the diagram our friend Wizzle did in the support forum so everyone can see more clearly how both mods work together.



As you can see, 3 visitors try to enter our forum: "Bad Boy", "Could Be Bad" and "Good as Gold". Each of them follows a different path and in the end only "Good as Gold" reaches the forum without a problem.

Installation - Step 1 - Registering with Project Honey Pot

The first thing you need to do is to visit Project Honey Pot's web site and register there to become a member of the project.

This step is very easy because their registration process is similar to that of most forums on the web. They ask you for some details and send you an email with a link to activate your account.

If you are wondering why they ask you for a few personal details, please read their FAQ to understand it.

Notice that, as they also say in their FAQ, they understand people who don't want to give personal details, so they don't get angry if instead of your postal code you write "00000 or XXXXX or a very short poem or something". :)

Installation - Step 2 - Installing a Honey Pot

Once you have activated your account and you are a member, the next step is to follow the instructions in their site to install a Honey Pot in your server.

Anyway I'm going to guide you a little with this as well:

Inside their site go to "Home" => "Manage Honey Pots" and fill out the details of the server where you want to put the honey pot.

In Website you must enter the root of your website, so if, for example, you have your forum in "www.yourwebsite.com/yourforum" you need to write here just "www.yourwebsite.com".

In "Prefered Language" choose PHP 4+ from the pull down menu.

The rest of the options are up to you, but I would leave them as they are by default.

After that press the button that says submit_form.

The page will generate a zip file, unique for each honey pot, that you will need to download.

Once downloaded, unzip it and you will find inside a few text documents with more instructions, legal agreements, etc. But the most important thing you will find inside is a PHP file, which is actually your honey pot.

The name of this file is different and unique for each honey pot but, for this example we are doing, let's say that the name of your file is yourhoneypot.php.

Upload this file via FTP to the root of your server, that is, to the root folder where you usually upload all the files you want to be seen in your site. Depending on the kind of server you are using the name of this folder will be "public_html", "httpdocs", "htdocs", "www" or something like that. After you have uploaded the file, check that the file permissions have been set correctly (chmod 644).

Now you need to activate your honey pot. To do that you just need to visit it once. That is, in this example we are doing, go to the page "http://www.yourwebsite.com/yourhoneypot.php", and press the activation button you will find there.

If everything has been done properly, after pressing this activation button you will be redirected back to Project Honey Pot to a "Congratulations" page confirming that your honey pot is already installed, active and working and also giving you some instructions about the links to your honey pot that you need to place in your web pages.

Don't worry too much about these instructions, because the mod will place those links for you later, but it is a good idea anyway to write down the keyword they suggest here for your links.

That is: If they tell you that a possible link you can place is:

<a href="http://www.yourwebsite.com/yourhoneypot.php">key_word</a>

There you have the keyword they are suggesting. Write it down because you will need it later to configure your mod.

Of course you can use any other keyword if you want, but the idea is to use a word that (if possible) has not been used before in any other spammers trap, a word attractive to spammers (to tease them) and of course a word that won't scare them making them think this link is a trap.

As I was saying, if you can think of another keyword, you can use it, but these people have a lot of practice generating this kind of keyword and it's easier just to use the one they suggest.

Once your honey pot is active and working I suggest you do not visit it again, because your IP could then be considered malicious and you won't be able to visit your own site. :)

Installation - Step 3 - Asking for your http:BL API key

Once you have activated your first honey pot you can ask for your own http:BL API key.

Every API key is confidential and nobody is allowed to share it with any other person, which is why you will need to use your own.

To ask for it just go to "Services" => "HTTP Blacklist", press the proper button and in just a few seconds you will have your own API key.

Every API key has 12 lowercase characters and all of them are hard to guess, but for this example let's say that your API key is "abcdefghijkl".

Installation - Step 4 - Installing MOD httpBL

We are now ready to install the mod.

Download (if you haven't done it yet) the latest version of the mod from the page:

http://custom.simplemachines.org/mods/index.php?mod=2155

At the moment of writing this tutorial (16th-January-2011) the latest version is 2.5.1, so the file you need is httpBL_v2_5_1.zip, but check that page first, just in case I release a newer version there and forget to update this tutorial.

Anybody who has already installed a mod in their forum knows how to do it and can skip to the next step, but if this is your first mod continue reading.

Navigate to this section in your forum:

"Admin" => "Main" => "Packages" => "Download Packages"

Inside that page look at the end, where it says "Upload a Package". Next to "Package to Upload:" press the button "Search" and navigate inside your computer to the place you have the file httpBL_v2_5_1.zip you have downloaded before (without unzipping it), choose it and when you see it is already written in the field "Package to Upload:" press the button "Upload". If everything is OK, in a few moments you will see: "Package uploaded successfully" and a few options to do. Press the one saying "Apply Mod".

This is the most important moment of the whole installation and the one where you need to be most careful. All the previous steps were almost automatic and almost nobody ever gets an error with them, but if there is any error, this is the step where you are going to see it.

Read carefully everything you see on the screen. The first thing you should see is the mod's name and the version you are going to install. Please check that this is the version you wanted and that you haven't uploaded the wrong file.

Next you will see (first in English and then in Spanish) a short description of what the mod is for and a quick summary of the steps you need to do before and/or after installation. I know almost everybody skips that part and doesn't read it, but if there is something special you need to do with a particular version, that's the place where it will be, so I recommend you take a look at it just in case, even if you think you already know it.

Just underneath this, you have a list of all the changes the mod is going to make in your forum. At this point the mod is not installed yet and none of these changes have been made in your forum, so you can still cancel the installation if there are any errors. The only thing SMF's "Packages Manager" has done is to test those changes one by one to see if it's possible to make them without error. The list of changes the mod is going to make tells you the type of action that will be performed, the file it will be applied to and the result of the test run by the "Packages Manager", so the most important thing is to check that every one of them ends with "Éxito" or "Test successful".




I'm going for a beer to relax a little and I'll continue with the tutorial in a minute.


Cheers Salud




Installation - Step 8 - Adding links to the honey pot

As I have already been asked this in the support forum, I am going to explain it here before I continue with the rest.

If you are using a theme that is not the default one you must modify manually your file "index.template.php" to add the links to your honey pot, so the mod is protecting you properly. (See what we said before about that in the section The links to your honey pot).

Look for the folder of the theme you are using. Inside that folder look for the file "index.template.php" and open it with the text editor of your choice.


NOTICE:

Personally, if I am working in Windows I normally edit this kind of file with the program CoffeeCupHTML and if I am working in Linux I do it with gedit or Bluefish, but if you haven't got any of these programs plain Windows Notepad will do nicely. The main thing is that you need to use a plain text editor which doesn't add any kind of formatting to the text. (Whatever you do, don't even try to edit it with Word or the file will become unusable). :)

Inside that file look for the end of the web page "body".

It is an HTML tag that looks exactly like this: </body>

Don't mix it up with the tag marking the beginning of the body which is this one: <body>

Both tags are very similar, but the tag marking the end of the body has a forward slash that is not in the one marking the beginning.

Whatever theme you are using, these tags must be there, because every web page in the world must have a body, and this body must start and finish somewhere. Without these 2 tags it will be impossible to see the web page properly.

Just in case it is not easy for you to find it I will give you a clue: In every theme I have seen the </body> is located usually at the end of the function: "function template_main_below()", just a little before the beginning of the function: "function theme_linktree()"

When you find it, take a look at the lines you have around your </body>

Normally you will have something very similar to this:

    </div>
</body></html>';

Or something similar to this:

    </table>
</body></html>';

Anyway it really doesn't matter what you have there. The main thing is that just before your </body> tag you need to insert this piece of code:

';

	/*****************
	** httpBL START **
	*****************/
	global $sourcedir, $modSettings;
	if ($modSettings['httpBL_enable'])
	{
		require_once($sourcedir . '/httpBL_Subs.php');
		$honeyLink = httpBL_honeylink($modSettings['httpBL_honeyPot_link'], $modSettings['httpBL_honeyPot_word']);
		echo $honeyLink;
	}
	/*****************
	**  httpBL END  **
	*****************/
    
    echo '

Be careful to copy exactly all the piece of code, without forgetting even a quotation mark or anything else, or it won't work properly.

Then, if you had this before:

    </div>
</body></html>';

Now you should have this:

    </div>';
    
	/*****************
	** httpBL START **
	*****************/
	global $sourcedir, $modSettings;
	if ($modSettings['httpBL_enable'])
	{
		require_once($sourcedir . '/httpBL_Subs.php');
		$honeyLink = httpBL_honeylink($modSettings['httpBL_honeyPot_link'], $modSettings['httpBL_honeyPot_word']);
		echo $honeyLink;
	}
	/*****************
	**  httpBL END  **
	*****************/
    
    echo '
</body></html>';

If you also have any other web pages connected to your forum through SSI.php, you will have to insert that piece of code just before the </body> in every one of them as well.

If you have problems doing this last step, tell us in the right forum what you have there at the end of the "body" and we will tell you how you need to change it.

If you want to check whether this last step has been done properly, open any page where you have put this piece of code. If everything is OK, you should see the page exactly as it has always been, but if you press "See source code" in your browser, you should see at the end of the page a link to your honey pot that you cannot see any other way. (If you see the link this way, whatever you do, don't click on it or your IP will be added automatically to the database as one of the bad ones.)

There are other changes you should make but, as these changes will depend on how the new version I'm working on turns out, and they are not as important as this one, the explanation can wait for now.

