meta-roj


Tuesday, August 26, 2003

distributed behavior modification

ok, this isn’t so much a business model, but it’s a good-neighbor thing.

i’ve noticed, and i’m sure many other people have noticed too, that my servers regularly get scanned for exploitable formmail scripts. now, there’s surely some educational value to all this hacking, but it’s a scripted tool, and it’s just not polite.

so, here’s the proposal, it comes in two parts.

part, the first: someone writes a bit of code to monitor the server logs, and watch for multiple attempts to “find” formmail from the same ip in a short period of time. this is pretty strong evidence of a “formmail scan” - and it has to come from an ip. take that ip, do a quick lookup on it, and there is likely to be a net administrator responsible for this ip. they might have an abuse-complaint address. compose a nice, polite (i can’t stress this enough, polite) message to the designated abuse-handler, and explain (maybe with a little paste from the log), that someone’s attempting to use your server without authorization, and would they please look into the matter. vet this bit of code in public, make sure it’s not overly stringent, and get it installed and running on a LOT of servers. this, of course will start a war with the formmail-exploit scripts as they try to avoid detection. that’s ok. here’s that educational value in the hacking again.

part, the second: the isps that get these complaints would like to handle them as quickly and efficiently as possible. so, install a filter that watches for these “automated abuse complaints” (and make sure they’re easy to identify, like, with a designated subject-leader), and “file them.” if several [hundred, thousand] complaints come in from different servers that are being scanned by this ip, then someone is behaving badly, and you can automatically shut them down for a day… a week… whatever.
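here is what both parts could look like in code. this is an added example, not something from the original post: the log lines are constructed, the thresholds, the `[AUTO-ABUSE-REPORT]` subject leader, the host name and the abuse address are all assumptions, and the whois/abuse-contact lookup is left to the caller (it needs the network; here the address is just passed in). the detector only fires when several formmail probes from one ip fall inside a short sliding window, which is the “not overly stringent” part; the tally on the receiving side counts distinct reporting servers, not raw message volume, so one chatty server can’t get anyone shut off by itself.

```python
"""Detect formmail probe scans in an access log, draft a polite abuse report,
and tally incoming reports on the ISP side.  Added example: all sample data,
thresholds, the subject leader and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not taken from the post).
# 203.0.113.7 probes four formmail locations in three seconds; 198.51.100.4
# touches one formmail path once, which should not be enough to report.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2003:20:01:02 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [26/Aug/2003:20:01:03 -0500] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [26/Aug/2003:20:01:03 -0500] "GET /cgi-bin/formmail.cgi HTTP/1.0" 404 292 "-" "-"
203.0.113.7 - - [26/Aug/2003:20:01:04 -0500] "GET /formmail/formmail.pl HTTP/1.0" 404 293 "-" "-"
198.51.100.4 - - [26/Aug/2003:20:05:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.4 - - [26/Aug/2003:20:05:12 -0500] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 291 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
FORMMAIL_RE = re.compile(r"formmail", re.IGNORECASE)
SUBJECT_LEADER = "[AUTO-ABUSE-REPORT]"   # assumed designated subject leader


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines we can't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, int(status)


def find_scanners(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map ip -> its formmail probe lines, for every ip that sent at least
    `threshold` formmail probes inside some sliding window of `window`."""
    probes = defaultdict(list)            # ip -> [(when, raw line)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and FORMMAIL_RE.search(parsed[2]):
            probes[parsed[0]].append((parsed[1], line))
    scanners = {}
    for ip, hits in probes.items():
        hits.sort()                        # chronological, so a window is a slice
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                scanners[ip] = [line for _, line in hits]
                break
    return scanners


def compose_report(ip, evidence, abuse_addr, our_host="www.example.org"):
    """Return (subject, body) for a polite, machine-recognisable report.
    abuse_addr is whatever the caller found for this ip's netblock."""
    subject = f"{SUBJECT_LEADER} formmail probes from {ip}"
    body = (
        f"To: {abuse_addr}\n\n"
        f"Hello,\n\nThe host {ip}, which appears to be in your address space, "
        f"made repeated requests for formmail scripts on {our_host}. It looks "
        f"like an automated scan rather than a legitimate visitor. Would you "
        f"please look into it? Relevant log lines follow.\n\n"
        + "\n".join(evidence)
        + "\n\nThank you for your time.\n"
    )
    return subject, body


def ip_from_subject(subject):
    """ISP side: pull the reported ip out of a conforming subject line."""
    m = re.match(re.escape(SUBJECT_LEADER) + r" formmail probes from (\S+)$", subject)
    return m.group(1) if m else None


def tally_complaints(complaints, threshold=3):
    """complaints: iterable of (reporting_server, subject).  Return the set of
    ips reported by at least `threshold` *distinct* servers."""
    reporters = defaultdict(set)
    for server, subject in complaints:
        ip = ip_from_subject(subject)
        if ip:
            reporters[ip].add(server)
    return {ip for ip, servers in reporters.items() if len(servers) >= threshold}


if __name__ == "__main__":
    for ip, lines in find_scanners(SAMPLE_LOG).items():
        subject, body = compose_report(ip, lines, "abuse@example.net")
        print(subject)
        print(body)
```

the window check is the only subtle bit: after sorting, any `threshold` consecutive probes whose first and last timestamps are within `window` of each other is a scan, and a single stray 404 on a formmail path never qualifies.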

the net effect (heh. love that.): script-kiddie formmail exploit attempts get “voted off” the net until they modify their behavior.

this, of course, is extensible. it needs a schema. it needs more buzzwords. but, i like the idea of distributed behavior modification. what do you think?

posted by roj at 8:39 pm  

3 Comments »

  1. distributed blog modification

    some time ago, this blog was “tagged” by the now-becoming-infamous comment-spam-from-china. some people blocked the ip within movabletype, some found interesting old techniques for stopping the non-humans. i apparently took a different approach than mo…

    Trackback by meta-roj blog — September 3, 2003 @ 3:09 pm

  2. There’s already a tool out there for the Nimda virus that was going around. When it detects the worm, it blackholes the source IP for a few minutes, and emails the responsible party for that IP saying “you’re infected”. Pretty cool stuff.

    Ideally, you could combine snort (detection and identification) and spamcop (processing and reporting) into a service that summarizes the virus activity coming from a given ISP once a day, for that ISP. Adding in a monetary damage figure for each worm, you could theoretically file a small claims lawsuit per day against unresponsive providers.

    Comment by Richard Soderberg — September 21, 2003 @ 6:46 pm

  3. Comment spam

    For such an infrequently read blog as this poor effort,…

    Trackback by Anger Management Course — October 12, 2003 @ 6:06 pm
