Re: Bots don't honor 301 :(

2009-01-13 Thread Dan Jenkins




virgins...@vfemail.net wrote:

  Date: Mon, 12 Jan 2009 19:46:26 -0500
  From: "Ben Scott" dragonh...@gmail.com

  not to.  There are orders of magnitude more bots than web servers.

 That's quite a claim.  Do you have evidence for this?


I can't say for the types of payload, which would affect your
remediation efforts, carried on the various botnets (which, of course,
varies depending on how the authors and their sublettors use the
botnets), but the Storm botnet was enormous by most estimates. Kraken
the current (known) king is supposed to be(come) bigger. There are
about 186,727,854 web sites currently, though, obviously, far fewer web
servers to host them. So, if the estimate of 50,000,000 in the Storm
botnet (using the higher numbers) was accurate and, for sake of
argument, 10 web sites are hosted on a server on average (purely out of
thin air number I made up), there are 19,000,000 web servers. So, for
sake of argument (do we need a sake for argument?), there are more
botnets than web servers. :-)

References:
Botnet sizes:
http://www.washingtonpost.com/wp-dyn/content/article/2006/02/16/AR2006021601388.html

Storm:
http://www.neoseeker.com/news/7103-worm-storm-gathers-strength/

Kraken:
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201307

Websites:
http://news.netcraft.com/archives/2008/12/24/december_2008_web_server_survey.html



___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: Bots don't honor 301 :(

2009-01-13 Thread David Berube
virgins...@vfemail.net wrote:
 Date: Mon, 12 Jan 2009 19:46:26 -0500
 From: Ben Scott dragonh...@gmail.com

 If you can show me crackbots that
 autonomously coordinate their attacks like [insert random potentially 
 offensive analogy here],
 then there's a chance you may be right about this.

http://en.wikipedia.org/wiki/Botnet

 Where can one find/contact these network abuse reporting systems?
 http://www.google.com/search?q=network+abuse+reporting
 
 Queries like that typically return lots of forum posts in which
 windows users get a lot of stupid answers to a lot of stupid
 questions.  I'd hoped asking that question here would have resulted in
 a smarter answer.

Try whois.

Take it easy,

-- 
David Berube
Berube Consulting
http://berubeconsulting.com
(603)-485-9622


Re: Bots don't honor 301 :(

2009-01-13 Thread VirginSnow
 Date: Tue, 13 Jan 2009 09:27:27 -0500
 From: David Berube djber...@berubeconsulting.com

  If you can show me crackbots that
  autonomously coordinate their attacks like [insert random potentially 
  offensive analogy here],
  then there's a chance you may be right about this.
 
 http://en.wikipedia.org/wiki/Botnet

This article refers to DDoS attacks, but that's organizing payload,
not organizing propagation.  What I was referring to was having bots
cooperate to partition and delegate portions of their host space.  For
example, maybe all the bots would agree only to probe and compromise
IP addresses whose last octet is the same as their own IP.  That would
create 254 separate address spaces, and decrease the effectiveness of
any one tarpit by a factor of 254.  However, it would still only take
254 tarpits to cut the number of compromised hosts (on average) in
half.

  Where can one find/contact these network abuse reporting systems?
  http://www.google.com/search?q=network+abuse+reporting
  
  Queries like that typically return lots of forum posts in which
  windows users get a lot of stupid answers to a lot of stupid
  questions.  I'd hoped asking that question here would have resulted in
  a smarter answer.
 
 Try whois.

Yeah, that's typically how the smart folk answered the question.
Unfortunately, whois isn't integrated, which makes it hard to automate
abuse reporting. :(


Re: Bots don't honor 301 :(

2009-01-13 Thread David Berube
virgins...@vfemail.net wrote:
 Unfortunately, whois isn't integrated, which makes it hard to automate
 abuse reporting. :(

Unfortunately, automated abuse reporting lends itself to being abused by 
the very people it should, in theory, protect against. :(

Take it easy,

-- 
David Berube
Berube Consulting
http://berubeconsulting.com
(603)-485-9622


Re: Bots don't honor 301 :(

2009-01-13 Thread VirginSnow
 Date: Tue, 13 Jan 2009 09:18:31 -0500
 From: Dan Jenkins d...@rastech.com
 CC: gnhlug-discuss@mail.gnhlug.org

 botnet (using the higher numbers) was accurate and, for sake of
 argument, 10 web sites are hosted on a server on average (purely out of
 thin air number I made up), there are 19,000,000 web servers. So, for
 sake of argument (do we need a sake for argument?), there are more
 botnets than web servers. :-)

Yes, but the number of compromised hosts isn't critical - it's the
number of unique scan queues which is important to evading tarpits.
If a botnet has 50,000,000 nodes, is vulnerable to tarpitting, and
scans every IP address on the Internet in exactly the same order, then
a single tarpit would still save 1/2 the hosts on the Internet from
ever being probed.

The crucial element is the *order* in which prospective hosts are
scanned.  Assuming the bot is deterministic, hosts are likely to be
scanned in the same order by every copy of the bot.


Re: Bots don't honor 301 :(

2009-01-13 Thread Tom Buskey
On Tue, Jan 13, 2009 at 12:00 PM, virgins...@vfemail.net wrote:

  Date: Tue, 13 Jan 2009 09:18:31 -0500
  From: Dan Jenkins d...@rastech.com
  CC: gnhlug-discuss@mail.gnhlug.org

  botnet (using the higher numbers) was accurate and, for sake of
  argument, 10 web sites are hosted on a server on average (purely out of
  thin air number I made up), there are 19,000,000 web servers. So, for
  sake of argument (do we need a sake for argument?), there are more
  botnets than web servers. :-)

 Yes, but the number of compromised hosts isn't critical - it's the
 number of unique scan queues which is important to evading tarpits.
 If a botnet has 50,000,000 nodes, is vulnerable to tarpitting, and
 scans every IP address on the Internet in exactly the same order, then
 a single tarpit would still save 1/2 the hosts on the Internet from
 ever being probed.

 The crucial element is the *order* in which prospective hosts are
 scanned.  Assuming the bot is deterministic, hosts are likely to be
 scanned in the same order by every copy of the bot.


Even the 1st internet worm (the RTM one) in 1990 picked hosts in random
order.

I've been reading SANS newsbites and Bruce Schneier's blog for awhile.  The
botnets have become sophisticated in recent years.  It's no longer script
kiddies working after school.  It's criminals with professional computer
experience that are getting paid to do this kind of work.

Some of these botnets lease out to other criminals.  They'd want to keep
that revenue stream free from tarpits, etc.  One botnet (that was used for
spam at least) got shutdown for a day when an ISP that hosted most of its
control bots was taken off the internet.  There were some interesting
analyses of what it did to reconnect.

An argument could be made that these botnets are the early appearance of
Cloud Computing.  SETI is another one.


Re: Bots don't honor 301 :(

2009-01-13 Thread Ben Scott
On Tue, Jan 13, 2009 at 12:00 PM,  virgins...@vfemail.net wrote:
 Assuming the bot is deterministic, hosts are likely to be
 scanned in the same order by every copy of the bot.

  And assuming the bot only ever scans one host, we only have to shut
off that one host and the problem is solved for all time.

-- Ben


Re: Bots don't honor 301 :(

2009-01-13 Thread Dan Jenkins




virgins...@vfemail.net wrote:

 Yes, but the number of compromised hosts isn't critical - it's the
 number of unique scan queues which is important to evading tarpits.
 If a botnet has 50,000,000 nodes, is vulnerable to tarpitting, and
 scans every IP address on the Internet in exactly the same order, then
 a single tarpit would still save 1/2 the hosts on the Internet from
 ever being probed.

 The crucial element is the *order* in which prospective hosts are
 scanned.  Assuming the bot is deterministic, hosts are likely to be
 scanned in the same order by every copy of the bot.

From http://www.honeynet.org/node/54:

Most botnets use a topic command like:

  1. ".advscan lsass 200 5 0 -r -s"

The first topic tells the bot to spread further with the help of the
LSASS vulnerability. 200 concurrent threads should scan with a delay of
5 seconds for an unlimited time (parameter 0). The scans should be
random (parameter -r) and silent (parameter -s), thus avoiding too much
traffic due to status reports.


Scans are almost always random nowadays. The bots download their
commands from an IRC channel or some other command-and-control channel,
so they don't have the same list of addresses to scan as the others.
The C&C spreads the address ranges for scans around to reduce
visibility to behavioral analysis tools.

There are a number of articles, white papers, research topics available
on distributed scanning, address partitioning and management at the
C&C end.

Bots are not deterministic. They get new addresses often. They are
updated with new payloads and new behaviors. Portions of them are
rented out to others who have differing needs (DDOS, spamming, etc.).
Their updates often come from varied sources as those channels are fast
fluxed and thus change constantly & continually. No two bots are
likely to be completely the same. Why would they have them all scan the
same addresses or behave in a strictly predictable fashion? Brownian
motion provides adequate coverage. Spread the address ranges around to
gain greater coverage. Adjust behavior based on success or failure.

Delaying a single mind-controlled foot soldier, or even destroying such
a soldier, does not prevent, or even slow, the battle from continuing
as the swarm is chaotic. It does not need to be lock-step to accomplish
its goals.



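
The scan-order argument in this sub-thread (VirginSnow's single-tarpit and last-octet-partition cases, Dan Jenkins' point that scans are randomized) is small enough to model directly. The following simulation is an added example, not code from the thread or from any of its participants: N copies of a bot each work through M candidate addresses, a tarpit holds every copy that reaches it for good, and we measure what share of the non-tarpit addresses is probed by at least one copy. The address-space size, tarpit positions, bot count and RNG seed are all constructed for illustration.

```python
"""Tarpit coverage versus bot scan order (added example, not from the thread).

  deterministic - every copy uses the same fixed order (VirginSnow's premise)
  partitioned   - copy b only scans addresses with b's "last octet", i.e.
                  addr % 254 == b % 254 (VirginSnow's partitioning example)
  random        - every copy shuffles independently (the '-r' flag in the
                  honeynet command Dan Jenkins quotes)

All sizes, tarpit positions and the RNG seed are constructed for illustration.
"""
import random

OCTET = 254  # number of last-octet classes in VirginSnow's example


def simulate(n_bots, n_addrs, tarpits, order, seed=0):
    """Return the fraction of non-tarpit addresses that some bot copy probed."""
    rng = random.Random(seed)
    tarpit_set = set(tarpits)
    space = list(range(n_addrs))
    probed = set()
    for b in range(n_bots):
        if order == "deterministic":
            queue = space
        elif order == "partitioned":
            queue = [a for a in space if a % OCTET == b % OCTET]
        elif order == "random":
            queue = space[:]
            rng.shuffle(queue)
        else:
            raise ValueError(f"unknown order {order!r}")
        for addr in queue:
            if addr in tarpit_set:
                break  # this copy is stuck in the tarpit and probes nothing more
            probed.add(addr)
    targets = n_addrs - len(tarpit_set)
    return len(probed) / targets


def scenarios(n_bots=300, n_addrs=10 * OCTET):
    """Run the cases argued in the thread; returns {name: fraction probed}."""
    mid = n_addrs // 2
    one_tarpit = [mid]
    # one tarpit per last-octet class, each near the middle of its class
    per_class = [mid - OCTET // 2 + r for r in range(OCTET)]
    return {
        "deterministic, 1 tarpit": simulate(n_bots, n_addrs, one_tarpit, "deterministic"),
        "partitioned, 1 tarpit": simulate(n_bots, n_addrs, one_tarpit, "partitioned"),
        "partitioned, 254 tarpits": simulate(n_bots, n_addrs, per_class, "partitioned"),
        "random, 1 tarpit": simulate(n_bots, n_addrs, one_tarpit, "random"),
        "random, 254 tarpits": simulate(n_bots, n_addrs, per_class, "random"),
    }


if __name__ == "__main__":
    for name, frac in scenarios().items():
        print(f"{name:28s} {frac:6.1%} of targets probed")
```

With a single shared order one tarpit halves coverage, as VirginSnow says; one tarpit against last-octet partitioning barely registers, while one tarpit per class brings coverage back to one half; against independently randomized scanning a single tarpit does nothing, and even 254 of them only dent coverage. The model is also deliberately optimistic for the defender: a copy that reaches a tarpit never recovers, which is exactly the behaviour Ben Scott says a botmaster removes with a read timeout.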


Re: Bots don't honor 301 :(

2009-01-12 Thread Larry Cook
virgins...@vfemail.net wrote:
 I was thinking about accepting the connection, maybe sending out a few
 headers, and then the stalling the connection.

A friend, back in 2003, was having problems with bad bots so I wrote him 
the following script which accepts the connection, logs and emails some 
client info, and then goes into a loop sending a dot every second.  Just 
kicking them out did not seem like enough.  They would just come back or 
go bother someone else.  Felt more like a community service to keep them 
tied up for a while, although at the expense of his hosting service. 
Some would time out quickly, but he had some held for 2+ hours and one 
for 23 hours!

Larry

-
#!/usr/local/bin/perl

# Spider trap CGI: log the client, mail a notice, then keep the
# connection open by trickling one dot per second.

require "cgi-lib.pl";
require "mail-lib.pl";

$| = 1;   # unbuffered output so each dot is flushed immediately

print &PrintHeader;
print &HtmlTop("Spider Trap");

$time = localtime(time());
print "<p>$ENV{REMOTE_ADDR} - [$time] - \"$ENV{HTTP_USER_AGENT}\"</p>\n";

open(LOG, ">>spidertrap.log");
flock(LOG, 2);   # LOCK_EX
print LOG "$ENV{REMOTE_ADDR} - [$time] - \"$ENV{HTTP_USER_AGENT}\"\n";
close(LOG);

# Addresses as they appear in the archive (obfuscated); single quotes
# keep the '@' from being interpolated as an array.
&send_mail('spidertr...@hostdomain.com',
           'use...@user1domain.com use...@user2domain.com',
           "Gotcha!",
           "Date & Time: $time \n\nRemote IP: $ENV{REMOTE_ADDR}"
           . " \nReferer: \"$ENV{HTTP_REFERER}\" \nUser Agent: "
           . "\"$ENV{HTTP_USER_AGENT}\"");

# Print rows of dots of increasing length; the tenth row ends in
# "Gotcha!!!" and the pattern starts over.  Never returns on its own.
$counter = 0;
$last = 0;
while (1) {
    $counter++;
    sleep 1;
    print ".";
    if ($counter > $last) {
        if ($counter >= 10) {
            print "Gotcha!!!";
            $counter = 0;
        }
        print "<br>\n";
        $last = $counter;
        $counter = 0;
    }
}

print &HtmlBot;   # unreachable; kept from the original
-


Re: Bots don't honor 301 :(

2009-01-12 Thread Ben Scott
On Mon, Jan 12, 2009 at 9:19 AM, Larry Cook lc...@sybase.com wrote:
 They would just come back or go bother someone else.

#ifdef CURMUDGEON

  They'll do that anyway.

  This is not an effective deterrent.  It's the security equivalent of
masturbation.  It may make you feel good, but that's all it's doing.

  If you really want to do something effective, lookup the owner of
the IP block and contact their abuse desk, and/or report the source IP
address to one of the various network abuse reporting systems.

  But hey, if you're just looking to feel good, by all means,
continue.  Who am I to tell you to stop having fun?

#endif

-- Ben


Re: Bots don't honor 301 :(

2009-01-12 Thread Thomas Charron
On Mon, Jan 12, 2009 at 10:35 AM, Ben Scott dragonh...@gmail.com wrote:
 On Mon, Jan 12, 2009 at 9:19 AM, Larry Cook lc...@sybase.com wrote:
 They would just come back or go bother someone else.
 #ifdef CURMUDGEON
  They'll do that anyway.
  This is not an effective deterrent.  It's the security equivalent of
 masturbation.  It may make you feel good, but that's all it's doing.
  If you really want to do something effective, lookup the owner of
 the IP block and contact their abuse desk, and/or report the source IP
 address to one of the various network abuse reporting systems.
  But hey, if you're just looking to feel good, by all means,
 continue.  Who am I to tell you to stop having fun?
 #endif

  I remember what I considered one of the most effective efforts to
shut down spammers, by simply taking away the cost incentive to use
the service.  Unfortunately, it was considered a counter attack, and
hence shut down..

  Anyone recall the name of it?  It compiled URLs which spammers were
pointing to, and basically had *everyone* on the network start pulling
down those web pages.

-- 
-- Thomas


Re: Bots don't honor 301 :(

2009-01-12 Thread Larry Cook
Ben Scott wrote:
 On Mon, Jan 12, 2009 at 9:19 AM, Larry Cook lc...@sybase.com wrote:
 They would just come back or go bother someone else.

   This is not an effective deterrent.  It's the security equivalent of
 masturbation.  It may make you feel good, but that's all it's doing.

It felt good until you pointed this out. :-(

Larry


Re: Bots don't honor 301 :(

2009-01-12 Thread jkinz
On Mon, Jan 12, 2009 at 10:53:19AM -0500, Thomas Charron wrote:
   I remember what I considered one of the most effective efforts to
 shut down spammers, by simply taking away the cost incentive to use
 the service.  Unfortunately, it was considered a counter attack, and
 hence shut down..
 
   Anyone recall the name of it?  It compiled URLs which spammers were
 pointing to, and basically had *everyone* on the network start pulling
 down those web pages.

IIRC that effort was shut down by concentrated counter attacks
by the spammers.  As for the name, all I can recall was it had
the word blue in it, I think.

it was a good idea but lacked sufficient distributed resources
and money to carry on the fight.

It also may have been a questionable technique due to the 
inability to prevent damage to innocent parties. 

For example, Spammer A wants to disrupt the website of someone they
don't like so they implement a small spam campaign on behalf of that
site and report it to the blue-whatever folks.  Result - that
someone's website get DDOS'ed by well intentioned but falsely aimed
folks.

Jeff Kinz.

-- 
Few things are as simple as they appear or as simple as we would
like them to be.


Re: Bots don't honor 301 :(

2009-01-12 Thread Cole Tuininga
On Mon, 2009-01-12 at 12:41 -0500, jk...@kinz.org wrote:
 IIRC that effort was shut down by concentrated counter attacks
 by the spammers.  As for the name, all I can recall was it had
 the word blue in it, I think.

I believe Blue Frog (http://en.wikipedia.org/wiki/Blue_Frog) is what
you're speaking of.

-- 
Cole Tuininga co...@code-energy.com
Code Energy (http://www.code-energy.com)



Re: Bots don't honor 301 :(

2009-01-12 Thread Thomas Charron
On Mon, Jan 12, 2009 at 2:38 PM, Cole Tuininga co...@code-energy.com wrote:
 On Mon, 2009-01-12 at 12:41 -0500, jk...@kinz.org wrote:
 IIRC that effort was shut down by concentrated counter attacks
 by the spammers.  As for the name, all I can recall was it had
 the word blue in it, I think.
 I believe Blue Frog (http://en.wikipedia.org/wiki/Blue_Frog) is what
 you're speaking of.


  That was it.  The article reminded me of why they went kaput.  I
thought there was some legalese reasons as well.  *shrug*

-- 
-- Thomas


Re: Bots don't honor 301 :(

2009-01-12 Thread VirginSnow
 Date: Mon, 12 Jan 2009 10:35:05 -0500
 From: Ben Scott dragonh...@gmail.com

 On Mon, Jan 12, 2009 at 9:19 AM, Larry Cook lc...@sybase.com wrote:
  They would just come back or go bother someone else.
 
 #ifdef CURMUDGEON
 
   They'll do that anyway.
 
   This is not an effective deterrent.

How so?  If you're keeping a bot tied up talking to you, you're
keeping the bot from probing other systems. (If you're tying up the
bot, you're obviously not vulnerable yourself.)  Some of these other
systems might indeed be vulnerable to the exploit.  To me, it seems
like keeping bots off of vulnerable hosts *would* be providing a
community service.

Granted, if the botmaster is using a multithreaded bot implementation
with CPU/bandwidth quotas, this won't help anyone.  But I really doubt
these bots are that sophisticated.  In fact, having been teasing them
over the past couple of days, I'm learning just how unsophisticated
they really are.

 It's the security equivalent of masturbation.  It may make you feel
 good, but that's all it's doing.

Please don't use the word masturbation to describe something you
think is worthless.  Given the demographics of this list, it's more
than likely that at least one person here finds masturbation
enjoyable, and could take offense to your reference to masturbation as
an empty and unfulfilling experience.

   If you really want to do something effective, lookup the owner of
 the IP block and contact their abuse desk, and/or report the source IP
 address to one of the various network abuse reporting systems.

Where can one find/contact these network abuse reporting systems?


Re: Bots don't honor 301 :(

2009-01-12 Thread Ben Scott
DISCLAIMER: I always speak only for myself, unless otherwise
explicitly indicated.

On Mon, Jan 12, 2009 at 3:02 PM,  virgins...@vfemail.net wrote:
  They would just come back or go bother someone else.

   This is not an effective deterrent.

 How so?

  What part of come back or go bother someone else is unclear?

 If you're keeping a bot tied up talking to you, you're keeping the
 bot from probing other systems.

  Sadly, botmasters aren't all morons.  They're aware of things like
setting timeout values.  They often don't care because they can afford
not to.  There are orders of magnitude more bots than web servers.

  If you were to wave your magic wand and cause every non-vulnerable
web server on the net to start tarpitting, that would simply mean the
botmasters would implement timeouts that much sooner.

 Granted, if the botmaster is using a multithreaded bot implementation

  They are, just not on the scale you imagine.  Their computer is
every compromised host on the Internet, each host a CPU.

 It's the security equivalent of masturbation.  It may make you feel
 good, but that's all it's doing.

 Please don't use the word masturbation to describe something you
 think is worthless.

  You need to work on your reading comprehension.  Since I apparently
need to spell things out for you: I never called it worthless.  I
said it was not an effective deterrent, and that all it accomplished
was making the operator feel good, and even acknowledged that making
the operator feel good is not necessarily a worthless ambition.

 Where can one find/contact these network abuse reporting systems?

http://www.google.com/search?q=network+abuse+reporting

-- Ben


Re: Bots don't honor 301 :(

2009-01-12 Thread VirginSnow
 Date: Mon, 12 Jan 2009 19:46:26 -0500
 From: Ben Scott dragonh...@gmail.com

 not to.  There are orders of magnitude more bots than web servers.

That's quite a claim.  Do you have evidence for this?

In order for the scenario you're suggesting to take place, vulnerable
hosts would have to be attacked by *multiple* bots.  Furthermore, the
bots would have to be independent implementations of the same exploit,
unless the author used some pseudorandom process to shuffle the bot's
attack queue.  Otherwise, any repeat attacks would be shadowed by a
tarpit exactly the same as the first attack.

Perhaps a better metaphor for your argument (than masturbation)
would be pulling one cop off of Rodney King.  But the cops attacking
Rodney King were coordinated.  If you can show me crackbots that
autonomously coordinate their attacks like a hateful gang of racist
cops, then there's a chance you may be right about this.

  Where can one find/contact these network abuse reporting systems?
 
 http://www.google.com/search?q=network+abuse+reporting

Queries like that typically return lots of forum posts in which
windows users get a lot of stupid answers to a lot of stupid
questions.  I'd hoped asking that question here would have resulted in
a smarter answer.


Bots don't honor 301 :(

2009-01-10 Thread VirginSnow
My httpd logs have been bombarded, lately, with probes by crackbots
(mostly for roundcube webmail and mantis bugtracker exploits).  This
got me wondering, What can I do to keep these buggers off my server?

Of course, the iptables -j TARPIT approach came to mind, but that
didn't quite seem creative enough.  Besides, what if one of the
compromised hosts legitimately wants to browse one of my sites?  So I
got the idea to use status code 301 to redirect these bots to
something fun, like:

  
http://cybercrime.fbi.gov/complaints/submit_complaint.php?message=i+am+a+script+kidde+or+robot+attempting+to+compromise+a+computer+at+IP+address,+the+URL+i+am+using+to+do+this+is+$1

So, I set up my servers to trap exploit URLs and 301 them to another
server that I control.  However, the bots didn't respect the 301, and
seemed to treat the 301 much like a 404. :(

So, what if I use a fastcgi program to send the bot a 200 response
with a new Location: header, I wonder.

Has anyone on this list found any fun ways to burn these bots?

(BTW, legitimate bots, like googlebot, *do* honor status code 301.)


Re: Bots don't honor 301 :(

2009-01-10 Thread Ben Scott
On Sat, Jan 10, 2009 at 10:27 AM,  virgins...@vfemail.net wrote:
 However, the bots didn't respect the 301 ...

  Why should they?  They're looking for vulnerable systems to exploit.
 If they don't get the reaction they want from their probe, they've
established you're not vulnerable, and they move on to the next probe.

-- Ben


Re: Bots don't honor 301 :(

2009-01-10 Thread H. Kurth Bemis
What about a perl (or python, ruby etc) script that will tail your
error_log, watching for multiple 404's coming from the same IP within a
given timeframe.  If the IP is tripping too many 404's for things that
don't exist, add them to the DROP chain.

I solved a similar problem using iptables rate limiting feature.  Just
slows down the attempts from hundreds/night to about ~8/night.

Just a thought..
~kurth

On Sat, 2009-01-10 at 15:27 +, virgins...@vfemail.net wrote:
 My httpd logs have been bombarded, lately, with probes by crackbots
 (mostly for roundcube webmail and mantis bugtracker exploits).  This
 got me wondering, What can I do to keep these buggers off my server?
 
 Of course, the iptables -j TARPIT approach came to mind, but that
 didn't quite seem creative enough.  Besides, what if one of the
 compromised hosts legitimately wants to browse one of my sites?  So I
 got the idea to use status code 301 to redirect these bots to
 something fun, like:
 
   
 http://cybercrime.fbi.gov/complaints/submit_complaint.php?message=i+am+a+script+kidde+or+robot+attempting+to+compromise+a+computer+at+IP+address,+the+URL+i+am+using+to+do+this+is+$1
 
 So, I set up my servers to trap exploit URLs and 301 them to another
 server that I control.  However, the bots didn't respect the 301, and
 seemed to treat the 301 much like a 404. :(
 
 So, what if I use a fastcgi program to send the bot a 200 response
 with a new Location: header, I wonder.
 
 Has anyone on this list found any fun ways to burn these bots?
 
 (BTW, legitimate bots, like googlebot, *do* honor status code 301.)

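
Kurth's suggestion above (tail the log, count 404s per source within a window, hand repeat offenders to a DROP rule) is simple enough to write down in full. The following is an added example, not code from the thread or from any of its participants. The log lines are constructed in Apache "combined" format using documentation addresses; the threshold of five 404s, the 60-second window, the allowlist and the chain name are assumptions, and the iptables command is returned as a string rather than executed so the logic can be run and checked offline.

```python
"""Repeated-404 detector for an httpd access log (added example, not from the thread)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


class NotFoundTracker:
    """Sliding window of 404 timestamps per client IP (threshold/window assumed)."""

    def __init__(self, threshold=5, window_s=60, allowlist=()):
        self.threshold = threshold
        self.window_s = window_s
        self.allowlist = set(allowlist)  # never block these (monitoring, own hosts)
        self.hits = defaultdict(deque)
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the IP if it just crossed the threshold."""
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            return None
        ip = rec["ip"]
        if ip in self.allowlist or ip in self.blocked:
            return None
        q = self.hits[ip]
        q.append(rec["ts"])
        # forget 404s older than the window (the newest entry always stays)
        while (rec["ts"] - q[0]).total_seconds() > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            return ip
        return None


def drop_rule(ip, chain="INPUT"):
    """iptables command that would drop the offender; returned, not executed."""
    return f"iptables -I {chain} -s {ip} -j DROP"


def scan(lines, **tracker_kwargs):
    """Return the IPs that crossed the threshold, in the order they did so."""
    tracker = NotFoundTracker(**tracker_kwargs)
    offenders = []
    for line in lines:
        ip = tracker.feed(line)
        if ip:
            offenders.append(ip)
    return offenders


# Constructed sample: 203.0.113.7 probes webmail/bugtracker paths in quick
# succession, 203.0.113.9 misses three times but spread over 14 minutes,
# 198.51.100.4 is an ordinary visitor with one missing favicon.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2009:15:27:01 +0000] "GET /roundcube/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Jan/2009:15:27:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2009:15:27:03 +0000] "GET /webmail/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jan/2009:15:27:05 +0000] "GET /mantis/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2009:15:27:06 +0000] "GET /mail/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Jan/2009:15:27:09 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2009:15:27:10 +0000] "GET /rc/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2009:15:27:12 +0000] "GET /roundcubemail/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jan/2009:15:33:40 +0000] "GET /bugs/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jan/2009:15:41:02 +0000] "GET /bugtracker/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print(drop_rule(ip))
```

In practice the lines would come from `tail -F` on the live log rather than a list, and the block should expire: the original poster's worry that a compromised host may later browse legitimately is a real one, and a permanent DROP entry turns a scanner's visit into a standing outage for that address. iptables' own rate limiting, which Kurth mentions, has the advantage of expiring on its own; a script like this one needs a matching cleanup step.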


Re: Bots don't honor 301 :(

2009-01-10 Thread VirginSnow
 From: H. Kurth Bemis ku...@kurthbemis.com
 Date: Sat, 10 Jan 2009 15:51:50 -0500
 Cc: gnhlug-discuss@mail.gnhlug.org

 I solved a similar problem using iptables rate limiting feature.  Just
 slows down the attempts from hundreds/night to about ~8/night.

I was thinking about accepting the connection, maybe sending out a few
headers, and then stalling the connection.  But it's easy to set
connect/read timeouts, even on windows.  That's something the bot
writer is likely to have accounted for.

I could return 200 OK, and send an infinite stream of 0xFF at the bot.
That might overflow its receive buffer or exhaust its memory.  No one
on this list would happen to know if spambots bounds check their
reads, would they?  (; I might be able to test for it, if there was a
way to detect when the client socket is closed.  Do win32 clients send
a FIN/ACK pair when an app with an open TCP socket unceremoniously
crashes?  If not, I could interpret a FIN packet to mean that the
bot's immune to being drowned with 0xFFs.

I can't spend a whole lot of time on this though.  If there's
something quick and dirty I can put in place that'll take the bots
down, I'll use it.  I'm just not willing to build a full blown
honeypot to do so.