Reliable drone scanning


Before I elaborate on this cryptic title, I’m going to make my point upfront:

Twitter developers, PLEASE take note.

In the ircPlanet IRC services project I started in 2005, I never intended to write any kind of service that scans people connecting to IRC to see if they are running an insecured (open) proxy server, allowing anyone to use their host to do just about anything on the internet…including wreaking havoc by way of spam. But, things change, and due to the large amount of spam bots we’ve been getting at Virtuanet recently, we had to implement such a service.

Luckily, it’s possible to scan unobtrusively for an open or otherwise compromised host through the use of DNS blacklists (DNSBL)–a severely underutilized technology that’s been around for years. To dumb things down a bit, a ton of well-intentioned folks on the internet who all have a similar interest have put together a series of freely accessible DNS servers that contain a near-real-time list of IP addresses who are compromised in some way and should not be trusted. There’s a list of the biggest ones over at Wikipedia. Any good mail server has built-in capabilities to perform DNSBL checks before accepting incoming e-mail from another server on the internet.

The really great part is that it’s extremely simple to implement in just about any language, because all you have to perform is a simple DNS lookup. Usually, any successful DNS resolution against one of these DNSBLs signifies that an IP address has been scanned and found to be compromised, or someone has reported it as such. Other DNSBLs will report different responses for different meanings.

If you’re a developer, check out this snippet of code from my ircPlanet project to see how exactly this works in PHP.

When the ircPlanet defense service finds a DNSBL match against a connecting user, they are immediately banned from the network. We’ve been using this on Virtuanet for quite some time now as we’ve had a flood of spam bots connecting for the past few months, and this has stopped them dead in their tracks.

It has about a 95% success rate for us so far, and I’ve been able to get it even higher by complementing the DNSBL scanning with another detection method: a small PHP script that scrapes IP addresses of open proxies from about 20 different sites (and various pages on each, totaling over 200 pages). It builds a comprehensive list every day, saves it into a flat text file, and the defense service will optionally check connecting users’ IP addresses against this blacklist when they connect. Currently it contains about 60,000 IP addresses.

My whole point in mentioning this is the flood of spambot Twitter followers I’ve gotten over the past two weeks. Twitter, for reasons I will never understand, does not require successful e-mail verification before an account can be used. The site could perform a few DNSBL lookups in under a few seconds time, and verily reject any that can’t be trusted.

Maybe someday.


Nobody has posted any comments yet. Be the first!