Author Topic: Errantly blocking IP's based on Project Honeypot non-result  (Read 403 times)

Mike

  • Guest
Errantly blocking IP's based on Project Honeypot non-result
« on: February 20, 2011, 03:16:15 PM »
File: avh-fdas.spamcheck.php

When the Project Honeypot httpbl service is either down or doesn't have information on an address, you'll get an NXDOMAIN response.  On some systems, the PHP function "gethostbyname" will return the lookup string, but on others it will return the server's IP address.  According to the project honeypot API documentation:
Quote
Each octet, other than the first octet, in the IPv4 response has a meaning. The first octet (127 in the example above) is always 127 and is pre-defined to not have a specified meaning related to the particular visitor. If the first octet in the response is not 127 it means an error condition has occurred and your query may not have been formatted correctly.
Since no real (remote) IP address will ever begin with 127, the code needs to make sure the first octet is indeed 127.  This prevents users from getting blocked in the event of an error.

My test script:
Code:
<?php
echo gethostbyname('<apiKeyCensored>.1.0.0.127.dnsbl.httpbl.org');  //Should return NXDOMAIN, per project honeypot
echo '<br />';
echo gethostbyname('<apiKeyCensored>.147.181.28.195.dnsbl.httpbl.org');  //IP address of known spammer
?>


The result:
Code:
206.71.x.x  (my server's IP)
127.9.38.5   (httpbl response)

I rewrote function doProjectHoneyPotIPCheck () to the following, and it seems to be working correctly:
Code:
<?php
        public function doProjectHoneyPotIPCheck ()
        {
                if ($this->_core_options['general']['use_php']) {
                        $reverse_ip = implode('.', array_reverse(explode('.', $this->_visiting_ip)));
                        $projecthoneypot_api_key = $this->_core_options['php']['phpapikey'];
                        $this->spaminfo['php'] = NULL;
                        //
                        // Check the IP against projecthoneypot.org
                        //
                        $time_start = microtime(true);
                        $lookup = $projecthoneypot_api_key . '.' . $reverse_ip . '.dnsbl.httpbl.org';

                        if ($lookup != gethostbyname($lookup)) {
                                $info = explode('.', gethostbyname($lookup)); //moved up from below
                                if ($info[0] != '127') return;  //added check for '127' in first octet.
                                $this->spammer_detected = TRUE;
                                $time_end = microtime(true);
                                $time = $time_end - $time_start;
                                $this->spaminfo['php']['time'] = $time;
                                $this->spaminfo['php']['days'] = $info[1];
                                $this->spaminfo['php']['type'] = $info[3];
                                if ('0' == $info[3]) {
                                        $this->spaminfo['php']['score'] = '0';
                                        $this->spaminfo['php']['engine'] = $this->_settings->searchengines[$info[2]];
                                } else {
                                        $this->spaminfo['php']['score'] = $info[2];
                                }
                        }
                }
        }
?>


Mike

  • Guest
Re: Errantly blocking IP's based on Project Honeypot non-result
« Reply #1 on: February 20, 2011, 03:19:57 PM »
Crud, I didn't get this typed up in time before you released the fix. Sorry!  One more thing I haven't had a chance to look into:

My IP cache is turned off, but it seems to be storing IP addresses in the database.  I did an experiment and changed the "spam" field to "1" for my IP, and sure enough it blocked me.  Shouldn't it be ignoring/not updating the cache when the cache is disabled?

Mike

Mike

  • Guest
Re: Errantly blocking IP's based on Project Honeypot non-result
« Reply #2 on: February 20, 2011, 03:36:23 PM »
Actually, the problem is two-fold:
  • The first octet needs to be confirmed to be 127
  • The lookup string needs to be terminated with a period, i.e. $lookup = $projecthoneypot_api_key . '.' . $reverse_ip . '.dnsbl.httpbl.org.';

The period will prevent the gethostbyname function from returning the server's IP.
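
The two checks from this thread (a fully qualified query name and a first octet of 127) combined into one PHP helper that performs a single lookup. This is an added example, not code from the posts or from the AVH plugin; the function names, the API key `examplekey` and the sample addresses are constructed for illustration, and the octet layout follows the code posted above.

```php
<?php
// Added example with hypothetical function names; not the plugin's code.

/** Build the http:BL query name; returns null unless $ip is dotted IPv4. */
function httpblQueryName(string $apiKey, string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // the reversed-octet query needs four IPv4 octets
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    // Trailing dot: fully qualified, so the resolver does not expand the name.
    return $apiKey . '.' . $reversed . '.dnsbl.httpbl.org.';
}

/** Interpret a gethostbyname() result; null means "no usable listing". */
function httpblInterpret(string $queryName, string $resolved): ?array
{
    // gethostbyname() returns its argument unchanged when resolution fails.
    if ($resolved === $queryName
        || filter_var($resolved, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $octets = explode('.', $resolved);
    if ($octets[0] !== '127') {
        return null; // not an http:BL answer: do not block on it
    }
    $result = ['days' => (int) $octets[1], 'type' => (int) $octets[3]];
    if ($result['type'] === 0) {
        $result['score'] = 0;
        $result['engine_id'] = (int) $octets[2]; // type 0: search engine id
    } else {
        $result['score'] = (int) $octets[2];
    }
    return $result;
}

function httpblCheck(string $apiKey, string $ip): ?array
{
    $name = httpblQueryName($apiKey, $ip);
    return $name === null ? null : httpblInterpret($name, gethostbyname($name));
}

// Constructed resolver answers, so this part runs without network access.
$name = httpblQueryName('examplekey', '192.0.2.44');
$samples = ['lookup failed' => $name, 'unrelated address' => '203.0.113.10',
            'listed' => '127.9.38.5'];
foreach ($samples as $label => $resolved) {
    echo $label, ': ', json_encode(httpblInterpret($name, $resolved)), PHP_EOL;
}
```

Only the last sample yields a listing (`days` 9, `score` 38, `type` 5); the first two print `null`, so a resolver error never marks the visitor as a spammer.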

Peter

  • Administrator
    • http://blog.avirtualhome.com
Re: Errantly blocking IP's based on Project Honeypot non-result
« Reply #3 on: February 20, 2011, 04:50:23 PM »
Thanks for all this.

I've got the IP Cache fixed.
Peter van der Does
AVH Plugins developer