
Cyber "bad events" analysis questions opinions and assumptions.

Publication: 
Nigel Morris-Co...
chiefofficersnet

There are many reports saying that this or that country is the source of the majority of spam, hacking or other internet harms.

But there is one dataset, open to all, that contains relevant and accurate information drawn from active websites all over the world, and what it tells us is not what we think we know.

Project HoneyPot is an unsung hero of the internet age. Created in 2002, Project HoneyPot is free for webmasters, who fill in a non-intrusive questionnaire about their site and install a single file in a single location that's easy to find. Then simply add a snippet of code - supplied - to the footer of every page and your site is registered. The file is invisible to humans in a browser but spam-bots - which make up the vast majority of malevolent visitors - see it clearly.

There are bells and whistles - for example Drupal users can install a module that intercepts spammers detected by HoneyPot and sends them to a black hole. That, too, is "free" as in it's donation-ware.

Since its creation, Project HoneyPot has identified many millions of IP addresses used by, in particular, form spammers. It's here that the numbers start to raise questions about what we think we know.

The very first "bad event" recorded was a single hit on a single day from an IP address relating to a server in the USA. In fact, the data shows us something we might not expect: in many, many cases, the first and last bad events for a particular IP address are on the same day. This emphasises one of the biggest difficulties that webmasters face: blocking IP addresses may catch more potentially genuine visitors than the unwanted targets.

On that first day, there was, as many would suspect, a preponderance of reports relating to servers in China. There were some from Kazakhstan - remember that the "stans" were widely considered a hotbed of internet crime at that time. But Vietnam wasn't far behind China despite, in 2002, having a rudimentary internet, if any, across most of the country. However, the country that stands out is consistent with what we know about internet crime at the time: Brazil features very heavily in the list, far outstripping most of those widely cited as problem sources in reports elsewhere.

But it is the number of "bad events" that is a surprise.

The single server with the most recorded acts is 176.31.182.86 with 34,364,930 acts between 2015-12-03 and 2018-11-23. It's in France.

The next is in Russia: 192.162.240.162 with 26,083,043 events between 2016-02-14 and 2017-03-15.

In fact, none of the most active servers are currently active.
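The two observations above (many addresses are seen on a single day only, and the highest-volume addresses have gone quiet) argue for block rules that expire. The following is an added example, not code from Project HoneyPot or the article's author: the record layout, the thresholds and the reference date are assumptions, and only the first two rows use figures quoted in the article.

```python
from datetime import date, timedelta

# (ip, first bad event, last bad event, total events).
# Rows 1-2 are the figures quoted in the article; rows 3-5 are constructed
# and use documentation address ranges (RFC 5737).
RECORDS = [
    ("176.31.182.86", date(2015, 12, 3), date(2018, 11, 23), 34_364_930),
    ("192.162.240.162", date(2016, 2, 14), date(2017, 3, 15), 26_083_043),
    ("192.0.2.10", date(2019, 1, 4), date(2019, 1, 4), 1),
    ("198.51.100.7", date(2019, 1, 20), date(2019, 1, 20), 3),
    ("203.0.113.44", date(2018, 12, 1), date(2019, 1, 28), 412),
]
TODAY = date(2019, 2, 1)  # constructed reference date


def single_day_share(records):
    """Fraction of addresses whose first and last bad events fall on one day."""
    same_day = sum(1 for _, first, last, _ in records if first == last)
    return same_day / len(records)


def blocklist(records, today, max_age_days=30, min_span_days=1):
    """Addresses worth blocking today: seen recently and on more than one day.

    max_age_days and min_span_days are assumed thresholds to tune per site.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [
        ip
        for ip, first, last, _ in records
        if last >= cutoff and (last - first).days >= min_span_days
    ]


def stale_top_offenders(records, today, n=2, max_age_days=30):
    """The n highest-volume addresses that have had no recent bad events."""
    cutoff = today - timedelta(days=max_age_days)
    top = sorted(records, key=lambda r: r[3], reverse=True)[:n]
    return [ip for ip, _, last, _ in top if last < cutoff]


if __name__ == "__main__":
    print("single-day share:", single_day_share(RECORDS))
    print("block now:", blocklist(RECORDS, TODAY))
    print("stale top offenders:", stale_top_offenders(RECORDS, TODAY))
```

Ranking by total event count alone would put the two quiet servers at the top of the list, while the only address still misbehaving in this sample has the lowest sustained volume.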

You can look over the data, and cut it more or less any way you want, at https://www.projecthoneypot.or...

Form your own conclusions. It will almost certainly surprise you.
