I have a scenario to solve. A slight problem, if you would...
Suppose you host a Linux server with an Apache webserver on it. The main website is a small forum where certain people come to discuss things. Now there is this guy that keeps coming back (also registers new accounts after being banned) and spams the forum over and over again. You have the Apache logs, but he is using an anonymizer to hide his real IP address or perhaps he connects to someone else's wireless and does it from there. Let's say you suspect that the person in question is in fact one of your internet "friends" or someone you know.
Any ideas on how to catch the criminal and prove he was involved?
I have the card in me head, but you have the memory problems?
If you're serious about catching this "friend", then report it to the local authorities, pass the logs to them. Let them do what they do best. But the thing is, I am not sure that "spamming" forums is illegal. Can you define the "spam"?
Try saying in plain English to the person to leave; they might stay around for a little bit then go.
Try finding out the MAC of their BB router and block that, or ISPs. I think just doing a traceroute to find the hop 1 or 2 before the target, then send a SYN packet to that hop directly, then read the source MAC on the reply.
Sorry, forgot about the proxy. Install port knocking (knockd) on your server and only tell your group of friends the port combinations.
By spamming I mean posting useless and hate messages all over the forum. The thing is I'd like to know who is doing it, but I am uncertain whether he lives in the same country as I. I can't portscan or trace past the anonymizer, but my logs contain his browser signature that I can compare against suspects; however, that's not enough to jump to any conclusions since a lot of browsers have the same signature (Firefox 3). Is there any other data than a browser signature or the IP address that people leave behind when browsing?
My idea is to create a simple flash SWF file and post it inside a honeypot thread. When the spammer opens the thread, he will download the swf, assuming his browser supports it and display it. Hopefully I can make the SWF request a specified file from my server and since the SWF runs in his browser, I assume it will bypass the anonymizer and connect directly to my server, logging the real IP in the process.
If he's using an anonymiser, you can't trace it past that point, and anything you do is really going to be pretty useless.
Employing something like the SWF might work, but I'm not sure how you would limit it to just the bad guy, and not everyone reading the thread. It might also be considered a trojan. Tread carefully there. You don't want to be doing anything that might get you in legal trouble.
It depends on the software, but most forum software has some controls you can employ in your favor. First, create an additional group of new members who have zero ability to post. Then, make a 'join delay before posting' policy of one to two weeks. Put all new joins in the new group that is governed by this policy. Only elevate them to regular memberships after that time has elapsed. You can do this manually, but most forums have an ability to do date-based privilege elevations.
Finally, ban the current bad user(s). This will force them to rejoin, and when they do, they will be in the new non-posting group. Most commercial spammers will try to post immediately and give up after, and hate spammers usually don't have the patience to come back after the delay once they've been banned a time or two.
We've done something similar to this on three different forums I have a hand in running, and it works well. Spamming by ****tards dropped from about 30 posts a day to zero on one forum. Another has had only two spams in over a year.
Another control is to ID the anonymisers being used, and blocking connections to their DNS name and IP. Also, blocking anonymous email drop services and "anyone can join" email services like Hotmail helps a lot.
Thorn
Stop the TSA now! Boycott the airlines.
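Thorn's last two controls (treat a shared browser signature as weak evidence, and block known anonymiser addresses) can both be checked against the Apache logs directly. The following is an added example, not code from this thread: it parses Apache combined-format lines, shows how many distinct hosts share one User-Agent, and flags POSTs whose source is on a constructed anonymiser list (the IPs and log lines are made up, using RFC 5737 documentation addresses).

```python
import re
from collections import defaultdict

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed placeholder list (RFC 5737 addresses), not real anonymiser IPs.
KNOWN_ANONYMIZER_IPS = {"198.51.100.7", "203.0.113.42"}

# Constructed sample log: three hosts share the same Firefox 3 signature.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2008:13:55:36 +0200] "POST /forum/post.php HTTP/1.1" 200 512 "http://example.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
192.0.2.10 - - [10/Oct/2008:13:56:01 +0200] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
203.0.113.42 - - [10/Oct/2008:13:57:22 +0200] "POST /forum/post.php HTTP/1.1" 200 498 "http://example.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
192.0.2.11 - - [10/Oct/2008:13:58:05 +0200] "GET /forum/ HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip lines that don't match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, anonymizer_ips):
    """Return (user_agents, anonymizer_posts).

    user_agents: {ua: set of source IPs}. The size of each set shows how many
                 hosts share a signature, i.e. how weak a User-Agent is as an ID.
    anonymizer_posts: entries that are POST requests from a listed anonymiser
                 IP, the requests worth blocking or rate-limiting at the server.
    """
    user_agents = defaultdict(set)
    anonymizer_posts = []
    for entry in parse_log(text):
        user_agents[entry["ua"]].add(entry["ip"])
        if entry["ip"] in anonymizer_ips and entry["request"].startswith("POST "):
            anonymizer_posts.append(entry)
    return dict(user_agents), anonymizer_posts

if __name__ == "__main__":
    uas, posts = summarize(SAMPLE_LOG, KNOWN_ANONYMIZER_IPS)
    for ua, ips in uas.items():
        print(f"{len(ips)} host(s) share UA starting: {ua[:40]}")
    for p in posts:
        print(f"POST via listed anonymiser {p['ip']} at {p['time']}")
```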
Eh, I'm not sure if there's anything illegal about posting a flash and having it load a separate file from my server. Lots of SWFs do that on a daily basis, e.g. the photo albums (deviant art). I'm not really bothered by other people browsing the thread. I have the IP of the anonymizer, so when the suspect enters the thread, he'll download the flash via the anonymizer. This is how I'll know it's him. Next, the SWF will link up to download an image file from my server straight away. That way there should be two entries in the logs: the request to download the SWF (has the IP of the anonymizer) and the request to download the image file (has the real IP address).
Yeah, the join delay is a possible solution against spamming, but doesn't say who the suspect is. I'll see if I can implement and/or activate any of the listed features.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Where does the "thief" part come in? Catch the thief
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
Just an idea, but if they had an HTTP proxy on their computer that then sends everything to the anonymizer, your SWF I think would only show the third party, unless it was sent to another port apart from dst 80, 445, 8080; then it might be classed as a trojan.