How to query HTTP:BL for spamming IP addresses

1 Comment Published April 18th, 2012 in Internet, Java, Software, Web Tags: antispam, black list, dns, http:bl, ip, Java, lookup, project honey pot, spam.

If you don’t know Project Honey Pot, go and have a look.

They offer a service for querying IP addresses and check if they are listed in those involving in spamming or threatening activities. So, if your visitor has a black listed IP you can block him from accessing or doing something sensitive.

Since it is missing a Java library to use the service, I implemented a Spike following the HTTP:BL API specifications.

This is not production code, is just some (ugly) code I wrote to test how it works.

import static java.lang.Integer.parseInt;
import static java.lang.System.out;

import java.net.InetAddress;
import java.net.UnknownHostException;

// see: http://www.projecthoneypot.org/httpbl_api.php
public class HttpBlackListChecker {

	public static void main(String[] args) throws Exception {
		if (args.length == 0) help();
		String ip = args[0]; 
		out.println("Querying HTTP:BL for IP: " + ip);
		String reversed = reversed(ip); 
		// get your own key at http://www.projecthoneypot.org/httpbl_configure.php
		String accessKey = "abcdefghijkl";                     
		String domain = "dnsbl.httpbl.org";
		String lookup = accessKey + "." + reversed + "." + domain;
		out.println("Lookup for: "+ lookup);
	    try {
	    	String addr = InetAddress.getByName(lookup).getHostAddress();
	    	translate(addr);
		} catch (UnknownHostException e) {
			out.println("The IP specified is not listed in HTTP:BL");
		}
	}

	private static void help() {
		out.println("Please specify an ip address to check");
		System.exit(1);
	}

	private static void translate(String addr) {
		String[] split = split(addr);
		out.println("Response Code: " + addr);
		out.println("Result: " + (split[0].equals("127") ? "found" : "error"));
		out.println("Days since last activity: " + split[1]);
		out.println("Treat score (0..255): " + split[2]);
		out.print("Type of visitor: ");
		int type  = parseInt(split[3]);
		switch (type) {
		case 0:
			out.println("Search Engine");
			break;
		case 1:
			out.println("Suspicious");
			break;
		case 2:
			out.println("Harvester");
			break;
		case 3:
			out.println("Suspicious & Harvester");
			break;
		case 4:
			out.println("Comment Spammer");
			break;
		case 5:
			out.println("Suspicious & Comment Spammer");
			break;
		case 6:
			out.println("Harvester & Comment Spammer");
			break;
		case 7:
			out.println("Suspicious & Harvester & Comment Spammer");
			break;
		default:
			out.println("Unknown");
			break;
		}
	}

	private static String reversed(String ip) {
		String[] split = split(ip);
		String reversed = null;
		for (String chunk : split) 
			reversed = (reversed == null) ? 
						chunk : 
						chunk + "." + reversed;
		return reversed;
	}

	private static String[] split(String ip) {
		return ip.split("\\.");
	}
}

This code won’t work if you don’t request an API key from here and replace it at line #16.

Sample output specifying one spamming IP (91.207.8.78):

Querying HTTP:BL for IP: 91.207.8.78
Lookup for: abcdefghijkl.78.8.207.91.dnsbl.httpbl.org
Response Code: 127.1.61.5
Result: found
Days since last activity: 1
Treat score (0..255): 61
Type of visitor: Suspicious & Comment Spammer

Notice that some ISP DNS server redirect to a “courtesy page” of the ISP itself, when you specify a non-existent host. In this case you’ll get some wrong repose code when the IP is not listed. You’ll see “Result: error” in the output, instead of “The IP specified is not listed in HTTP:BL”. The fault in this case if of your ISP.