http:BL_CFML – A Project Honeypot Blacklist Implementation for ColdFusion.

At the urging of Charlie Arehart, I’ve cleaned up my http:BL_CFML implementation and added a bit more in the way of comments. I’m putting this here so it’s easy to link to from the http:BL implementations site. For more in depth information about the code, please check out the links to my previous posts listed below.

Stopping Comment Spammers & Email Harvesters with Coldfusion & Project Honeypot

Project Honeypot & Coldfusion Part 2

<cfcomponent displayname="http:BL_CFML v1.01">

<!--- Some original code from (which no longer exists) with modifications by JayB
More detailed explanation available here:

You are free to use or modify this code for any purpose provided links to original posts are maintained.
This CFC contains the following functions

honeypotCheck: Main framework
newVisitorCheck:  Check with our white list table to see if this ip has visited in the last 3 months.
addToWhiteList: IP's that check as clean against http:BL are added to our white list table to increase page load performance.
getHostAddress: does a reverse lookup of the client IP address against the blacklist at http:BL.
reverseIP: return IP in reverse format as required by http:BL api

You need to create a new table to track white listed IP's

CREATE TABLE `visitor_ip_addys` (
`ip_id` int(10) unsigned NOT NULL auto_increment,
`ipaddy` varchar(15) NOT NULL,
`visitdate` datetime NOT NULL,
PRIMARY KEY  (`ip_id`)

CREATE TABLE [dbo].[visitor_ip_addys](
[ip_id] [int] IDENTITY(1,1) NOT NULL,
[ipaddy] [varchar](15) NOT NULL,
[visitdate] [datetime] NOT NULL,
[ip_id] ASC

The table is cleared daily of IP's older than 3 months to revalidate visitors in case they may have been
compromised in the time and to keep table size reasonable

<cffunction name="honeypotCheck" returntype="struct" hint="Check Project HoneyPot http:BL">
<cfargument name="ip" required="yes" type="string">
<cfset var aVal = "">
<!---  Make sure to replace {your_API_key} with the API key you receive from the http:BL project --->
<cfset var hpkey = "{your_API_key}">
<cfset var stRet = structNew()>
<cfset var result="">
<cfinvoke method="newVisitorCheck" returnvariable="result">
<cfinvokeargument name="ip" value="#arguments.ip#" />
<cfif result eq "new">
<!--- do the blacklist lookup IP values --->
<cfset aVal = listToArray(gethostaddress("#hpkey#.#reverseip(arguments.ip)"),".")>
<cfif aVal[1] eq "IP-Address not known">
<!--- then no match on the Black list --->
<!--- set a value indicating ok address --->
<cfset stRet = {type=99}>
<!--- insert into visitor_ip_addys table --->
<cfinvoke method="addToWhiteList" returnvariable="result">
<cfinvokeargument name="ip" value="#arguments.ip#" />
<!--- there was a match so set the return values --->
<cfset stRet.days = aVal[2]>
<cfset stRet.threat = aVal[3]>
<cfset stRet.type = aVal[4]>
<!--- Get the HP info message ie: threat level --->
<cfswitch expression="#aVal[4]#">
<cfcase value="0">
<cfset stRet.message = "Search Engine (0)">
<cfcase value="1">
<cfset stRet.message = "Suspicious (1)">
<cfcase value="2">
<cfset stRet.message = "Harvester (2)">
<cfcase value="3">
<cfset stRet.message = "Suspicious & Harvester (1+2)">
<cfcase value="4">
<cfset stRet.message = "Comment Spammer (4)">
<cfcase value="5">
<cfset stRet.message = "Suspicious & Comment Spammer (1+4)">
<cfcase value="6">
<cfset stRet.message = "Harvester & Comment Spammer (2+4)">
<cfcase value="7">
<cfset stRet.message = "Suspicious & Harvester & Comment Spammer (1+2+4)">
<!--- good address  --->
<cfset stRet = {type=99}>
<cfreturn stRet>

<cffunction name="newVisitorCheck" returntype="string">
<cfargument name="ip" required="yes" type="string">
<cfset var vQry = "">
<cfset var result="">
<cfquery name="vQry" datasource="#local.dsn#">
select ipaddy from visitor_ip_addys where ipaddy = <cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.ip#">
<cfif vQry.recordcount eq 0>
<!--- then it's a new visitor  --->
<cfset result = "new">
<cfset result ="existing">
<cfreturn result>

<cffunction name="addToWhiteList" hint="I add client IP's that don't match with http:BL entries (ie: not comment spammer)">
<cfargument name="ip" type="string" required="true">
<cfset var iQry = "">
<cfquery name="iQry" datasource="#local.dsn#">
insert into visitor_ip_addys (ipaddy, visitdate) values
(<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.ip#">,
<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#"> )

<cffunction name="ipTableCleanup" hint="I run from a daily scheduled task">
<cfset var deleteIP = "">
<cfquery name="deleteIP" datasource="#local.dsn#">
delete from visitor_ip_addys where visitdate <= DATE_ADD(CURRENT_TIMESTAMP, INTERVAL -90 day)

<cffunction name="getHostAddress" returntype="string" hint="I do the dns lookup against the http:bl servers">
<cfargument name="host" required="Yes" type="string">
<cfset var obj = "">
<cfset var result="">
<!--- error handling as error is thrown if host lookup has no match in http:BL ie: it's not been reported as a problem --->
<!--- Init class --->
<cfset obj = CreateObject("java", "")>
<cfset result =  obj.getByName(host).getHostAddress() >
<cfcatch type="any">
<!--- an "error" in this case is an unknown address, which means it is not reported to http:BL --->
<cfset result="IP-Address not known">
<!--- Return result --->
<cfreturn result>

<cffunction name="reverseIP" returntype="string" hint=" I return IP in reverse format as required by http:BL api">
<cfargument name="ip" required="Yes" type="string">
<cfset var aIp = listToArray(arguments.ip,".")>
<!--- Return IP reversed --->
<cfreturn aIp[4] & "." & aIp[3] & "." & aIp[2] & "." & aIp[1]>


To use this CFC, simply add the following code to a page on your site where a comment spammer or email harvester would visit. If they are on the Blacklist, they will get a 404 error when they try to visit that page.

You can also add this on a site wide include if you like (but this could have performance implications)

<!--- Check Project HoneyPot --->
<cfinvoke method="honeypotcheck" component="com.HoneyPotdns" returnvariable="stCheck">
<cfinvokeargument name="ip" value="#cgi.remote_addr#" />

<cfif isDefined("stCheck") AND (stCheck.type GTE 4 AND stCheck.type LTE 7)>
<!--- Send a simple 404 message rather than a hey spammer get lost message. No use in poking a hornets nest --->
<cfheader statuscode="404" statustext="Not Found">
404 Not Found


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: