How to Query HTTP:BL for Spamming IP Addresses
Project Honey Pot offers a service for querying IP addresses to check whether they are listed as involved in spamming or threatening activities. So, if your visitor has a blacklisted IP, you can block him from accessing or doing something sensitive.
Since there is no Java library for using the service, I implemented a spike following the HTTP:BL API specification.
This is not production code; it is just some (ugly) code I wrote to test how it works.
import static java.lang.Integer.parseInt;
import static java.lang.System.out;
import java.net.InetAddress;
import java.net.UnknownHostException;

// see: http://www.projecthoneypot.org/httpbl_api.php
public class HttpBlackListChecker {

    public static void main(String[] args) throws Exception {
        if (args.length == 0) help();

        String ip = args[0];
        out.println("Querying HTTP:BL for IP: " + ip);
        String reversed = reversed(ip);
        // get your own key at http://www.projecthoneypot.org/httpbl_configure.php
        String accessKey = "abcdefghijkl";
        String domain = "dnsbl.httpbl.org";
        // the query is a DNS lookup of <access key>.<reversed IP>.<domain>
        String lookup = accessKey + "." + reversed + "." + domain;
        out.println("Lookup for: " + lookup);
        try {
            String addr = InetAddress.getByName(lookup).getHostAddress();
            translate(addr);
        } catch (UnknownHostException e) {
            // no record for this name means the IP is not listed
            out.println("The IP specified is not listed in HTTP:BL");
        }
    }

    private static void help() {
        out.println("Please specify an ip address to check");
        System.exit(1);
    }

    // Decodes the four octets of the address returned by the lookup.
    private static void translate(String addr) {
        String[] split = split(addr);
        out.println("Response Code: " + addr);
        out.println("Result: " + (split[0].equals("127") ? "found" : "error"));
        if (!split[0].equals("127")) {
            // not an HTTP:BL answer, so the remaining octets carry no meaning
            return;
        }
        out.println("Days since last activity: " + split[1]);
        out.println("Treat score (0..255): " + split[2]);
        out.print("Type of visitor: ");
        int type = parseInt(split[3]);
        switch (type) {
            case 0:
                out.println("Search Engine");
                break;
            case 1:
                out.println("Suspicious");
                break;
            case 2:
                out.println("Harvester");
                break;
            case 3:
                out.println("Suspicious & Harvester");
                break;
            case 4:
                out.println("Comment Spammer");
                break;
            case 5:
                out.println("Suspicious & Comment Spammer");
                break;
            case 6:
                out.println("Harvester & Comment Spammer");
                break;
            case 7:
                out.println("Suspicious & Harvester & Comment Spammer");
                break;
            default:
                out.println("Unknown");
                break;
        }
    }

    // Reverses the octet order: 91.207.8.78 becomes 78.8.207.91
    private static String reversed(String ip) {
        String[] split = split(ip);
        String reversed = null;
        for (String chunk : split)
            reversed = (reversed == null) ?
                chunk :
                chunk + "." + reversed;
        return reversed;
    }

    private static String[] split(String ip) {
        return ip.split("\\.");
    }
}
This code won’t work unless you request an API key (the URL is in the comment above the accessKey variable) and put it in place of the placeholder at line #16.
Sample output specifying one spamming IP (91.207.8.78):
Querying HTTP:BL for IP: 91.207.8.78
Lookup for: abcdefghijkl.78.8.207.91.dnsbl.httpbl.org
Response Code: 127.1.61.5
Result: found
Days since last activity: 1
Treat score (0..255): 61
Type of visitor: Suspicious & Comment Spammer
Notice that some ISP DNS servers redirect to a “courtesy page” of the ISP itself when you specify a non-existent host. In this case you’ll get a wrong response code when the IP is not listed. You’ll see “Result: error” in the output, instead of “The IP specified is not listed in HTTP:BL”. The fault in this case is your ISP’s.
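As an added example (not the author's code), here is one way to turn the response octets into a block/allow decision that also covers the ISP redirect case described above. The class `HttpBlDecision`, the `Verdict` enum and the age and threat thresholds are hypothetical names and values chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not the article's code. Names and thresholds are hypothetical.
public class HttpBlDecision {

    enum Verdict { ALLOW, BLOCK, UNUSABLE_ANSWER }

    // The fourth octet is a bitmask: 1 = suspicious, 2 = harvester, 4 = comment spammer.
    static List<String> types(int mask) {
        List<String> names = new ArrayList<>();
        if (mask == 0) names.add("Search Engine");
        if ((mask & 1) != 0) names.add("Suspicious");
        if ((mask & 2) != 0) names.add("Harvester");
        if ((mask & 4) != 0) names.add("Comment Spammer");
        return names;
    }

    // addr: the A record returned for <key>.<reversed-ip>.dnsbl.httpbl.org
    static Verdict decide(String addr, int maxAgeDays, int minThreat) {
        String[] parts = addr.split("\\.");
        if (parts.length != 4) return Verdict.UNUSABLE_ANSWER;   // e.g. an IPv6 answer
        int[] o = new int[4];
        try {
            for (int i = 0; i < 4; i++) o[i] = Integer.parseInt(parts[i]);
        } catch (NumberFormatException e) {
            return Verdict.UNUSABLE_ANSWER;
        }
        // An answer outside 127.x.x.x did not come from HTTP:BL (for example an
        // ISP "courtesy page" address), so it must never cause a block.
        if (o[0] != 127) return Verdict.UNUSABLE_ANSWER;
        // For search engines the HTTP:BL API does not use octets 2 and 3 as age/threat.
        if (o[3] == 0) return Verdict.ALLOW;
        boolean recent = o[1] <= maxAgeDays;
        boolean risky = o[2] >= minThreat;
        return (recent && risky) ? Verdict.BLOCK : Verdict.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed inputs: the article's sample answer, a stale listing,
        // a search engine, and a redirected "not listed" answer (TEST-NET address).
        String[] samples = { "127.1.61.5", "127.200.10.1", "127.0.5.0", "203.0.113.10" };
        for (String s : samples) {
            Verdict v = decide(s, 30, 25);   // constructed policy: <= 30 days old, threat >= 25
            String kind = (v == Verdict.UNUSABLE_ANSWER)
                    ? "n/a" : types(Integer.parseInt(s.split("\\.")[3])).toString();
            System.out.println(s + " -> " + v + " " + kind);
        }
    }
}
```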