Mailing List Archive



[tlug] Behavior vs. identity [was: Blocking unknown and unclear bots]



Curt Sampson writes:
 > On 2010-02-23 12:30 +0900 (Tue), Darren Cook wrote:
 > 
 > > What do you do with bots that are forging their user-agent headers? ;-)
 > 
 > This is why you want to filter bots by desired behaviour, rather than
 > "who" they are.

Right!  I've told this story before, but it's old now and probably ;-)
bears repeating.  Many years ago there was a virus/worm called
"Frethem".  IIRC it copied the so-called "relaying iframe" technique
from another virus.  This technique used a 1 pixel by 1 pixel frame.
So I had a procmail rule that spambucketed any mail that had an *frame
element either of whose sizes matched "[0-2]?[0-9]px" (or something
like that, i.e., it had to be at least 30x30).  It was about 3 days
after Frethem hit the streets that one of my colleagues mentioned the
new virus that was driving everybody crazy "and the Norton Antivirus
update is out today!"  So I looked in my bitbucket and found something
like 250 copies (mostly from inside the tsukuba.ac.jp domain).

A Day -1 exploit of the exploiters! :-)
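
The behaviour-based rule described in the message above, sketched in Python as an added example that is not part of the original post and is not the poster's procmail recipe. It assumes the 30-pixel threshold from the message; the function names and sample messages are constructed for illustration, and it goes slightly beyond the post by also reading inline CSS sizes and decoding the transfer encoding first.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

MIN_SIDE = 30  # threshold from the post: a frame must be at least 30x30
_PX = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$", re.I)
_STYLE = re.compile(r"(?<![-\w])(width|height)\s*:\s*([^;]+)", re.I)

def _pixels(value):
    """Pixel count for '1' or '1px'; None for missing, '100%' or other units."""
    m = _PX.match(value or "")
    return int(m.group(1)) if m else None

class FrameScanner(HTMLParser):
    """Collects (tag, width, height) for frames with a side under MIN_SIDE."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag not in ("frame", "iframe"):
            return
        a = dict(attrs)
        dims = {"width": a.get("width"), "height": a.get("height")}
        # Inline CSS overrides the attributes when both are present.
        for name, val in _STYLE.findall(a.get("style") or ""):
            dims[name.lower()] = val
        w, h = _pixels(dims["width"]), _pixels(dims["height"])
        if any(d is not None and d < MIN_SIDE for d in (w, h)):
            self.hits.append((tag, w, h))

def tiny_frames(raw_mail):
    """Return tiny-frame hits from every text/html part of a raw message."""
    msg = message_from_string(raw_mail, policy=policy.default)
    scanner = FrameScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes base64/quoted-printable before scanning.
            scanner.feed(part.get_content())
    return scanner.hits

# Constructed sample messages (not real traffic).
HDR = "From: a@example.com\nSubject: test\nMIME-Version: 1.0\n"
TINY_QP = HDR + ("Content-Type: text/html\nContent-Transfer-Encoding: "
                 "quoted-printable\n\n<iframe width=3D1 height=3D1></iframe>\n")
STYLED = HDR + 'Content-Type: text/html\n\n<IFRAME style="width:2px; height:300px"></IFRAME>\n'
NORMAL = HDR + 'Content-Type: text/html\n\n<iframe width="600" height="400px"></iframe>\n'

if __name__ == "__main__":
    for name, mail in (("TINY_QP", TINY_QP), ("STYLED", STYLED), ("NORMAL", NORMAL)):
        print(name, "spam bucket" if tiny_frames(mail) else "deliver", tiny_frames(mail))
```

The rule keys on what the message does (embeds a frame too small to be meant for a reader), so it needs no sender, signature or user-agent to match.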


