meta-roj

This site is currently broken

Tuesday, August 26, 2003

distributed behavior modification

ok, this isn’t so much a business model, but, it’s a good-neighbor thing.

i’ve noticed, and i’m sure many other people have noticed that my servers regularly get scanned for exploitable formmail scripts. now, there’s surely some educational value to all this hacking, but it’s a scripted tool, and it’s just not polite.

so, here’s the proposal, it comes in two parts.

part, the first: someone writes a bit of code to monitor the server logs, and watch for multiple attempts to “find” formmail from the same ip in a short period of time. this is pretty strong evidence of a “formmail scan” – and it has to come from an ip. take that ip, do a quick lookup on it, and there is likely to be a net administrator responsible for this ip. they might have an abuse-complaint address. compose a nice, polite (i can’t stress this enough, polite) message to the designated abuse-handler, and explain (maybe with a little paste from the log), that someone’s attempting to use your server without authorization, and would they please look into the matter. vet this bit of code in public, make sure it’s not overly stringent, and get it installed and running on a LOT of servers. this, of course, will start a war with the formmail-exploit scripts as they try to avoid detection. that’s ok. here’s that educational value in the hacking again.

part, the second: the isps that get these complaints would like to handle them as quickly and efficiently as possible. so, install a filter that watches for these “automated abuse complaints” (and make sure they’re easy to identify, like, with a designated subject-leader), and “file them.” if several [hundred, thousand] complaints come in from different servers that are being scanned by this ip, then someone is behaving badly, and you can automatically shut them down for a day… a week.. whatever.
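a sketch of both parts, added here as an example and not code from the original post: a log watcher that flags an ip guessing at several formmail locations in a short window, a tagged polite report, and the isp-side tally of distinct complaining servers. the log format (apache common log, in time order), the 60-second window, the thresholds, the subject leader and the sample addresses are all assumptions; the abuse-contact lookup is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, not from the post: Apache common log format, thresholds, subject leader.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
PROBE_RE = re.compile(r'/form[-_]?mail(?:\.(?:pl|cgi))?(?:\?|$)', re.I)
SUBJECT_LEADER = "[AUTO-ABUSE formmail-scan]"
SAMPLE_LOG = [  # constructed lines; documentation-range addresses
    '203.0.113.7 - - [26/Aug/2003:20:30:01 -0400] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210',
    '203.0.113.7 - - [26/Aug/2003:20:30:02 -0400] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 210',
    '203.0.113.7 - - [26/Aug/2003:20:30:03 -0400] "GET /scripts/formmail.pl HTTP/1.0" 404 210',
    '198.51.100.20 - - [26/Aug/2003:20:31:00 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '198.51.100.20 - - [26/Aug/2003:20:31:40 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
    '198.51.100.20 - - [26/Aug/2003:20:32:10 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512',
]

def find_scanners(lines, threshold=3, window=timedelta(seconds=60)):
    """Part one: {ip: evidence lines} for IPs probing >= threshold distinct paths in window."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m.group(3)):
            continue
        ip, ts, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append((when, path, line))
        while when - q[0][0] > window:      # drop probes older than the window
            q.popleft()
        # Count distinct paths so a visitor re-submitting one real form is not flagged.
        if ip not in flagged and len({p for _, p, _ in q}) >= threshold:
            flagged[ip] = [l for _, _, l in q]
    return flagged

def compose_report(ip, evidence):
    """Part one: polite note for the abuse contact, tagged so filters can spot it."""
    body = (f"Hello,\n\nOur web server logged repeated requests searching for a formmail "
            f"script from {ip}. Could you please look into it? Log excerpt:\n\n")
    return f"{SUBJECT_LEADER} {ip}", body + "\n".join(evidence)

def tally_complaints(complaints, min_reporters=2):
    """Part two: IPs reported by >= min_reporters distinct servers.
    complaints: iterable of (subject, reporting_server, offender_ip)."""
    reporters = defaultdict(set)
    for subject, server, ip in complaints:
        if subject.startswith(SUBJECT_LEADER):   # ignore untagged mail
            reporters[ip].add(server)
    return {ip for ip, servers in reporters.items() if len(servers) >= min_reporters}
```

counting distinct reporting servers rather than raw messages keeps one noisy reporter from getting an ip shut off on its own.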

the net effect (heh. love that.): script-kiddie formmail exploit attempts get “voted off” the net until they modify their behavior.

this, of course, is extensible. it needs a schema. it needs more buzzwords. but, i like the idea of distributed behavior modification. what do you think?

posted by roj at 8:39 pm