Create a spam honey pot with PHP

Discussion in 'OT Technology' started by Astro, Jan 29, 2004.

  1. Astro

    Astro Code Monkey

    Mar 18, 2000
    Cleveland Ohio
    Spammers use a lot of methods to grab your email address. What really frosts my cookies is when they run a bot across my site and grab all the email addresses they can find. Sure, there's 50 million other ways they can snag my email address, but I can fight back this one. By creating a spam honey pot, I can actually record the IP the bot used. Is it bullet proof? Of course not. But the satisfaction is worth the few minutes to set this up.

    Some time ago (probably a year ago actually) I ran into some code that someone put together to create a spam honey pot. I don't know who actually wrote it. I think I tweaked very little of it so I take no credit for it. I'm posting it here so you too can enjoy discovering spam bots.

    The spam honey pot is made up of an email address placed on your site specifically designed to catch spam bots. As they come to the site, the server will have the remote IP address (which in theory they can spoof, but that can be extra coding for the bot coder). The trick is knowing who is a spam bot and who is not - since the browser type can easily be spoofed. So, you set up an email address with the first part identifying the IP address. Trick is you don't really want: [email protected] (for example). But something a bit more cryptic and less obvious AND is email friendly would be great.

    * To make this work, you'll need to have an admin email address where all undeliverables go to, otherwise this won't work. So if I send an email to [email protected] which doesn't exist, it will default to my admin account. If you're not able to make this work, then you can stop here...

    First the HTML.

    I like to hide this particular email address. Web crawlers usually have wised up to this trick, but it seems the lazy spam bot coder hasn't. Here's how I place the email address on the page:

    <a href="mailto:<?=SpamHoneyPot()?>" style="color: #000066; text-decoration: none;">
    <span style="color: #000066"><?=SpamHoneyPot()?></span>
    </a>

    To make it more authentic, I add the mailto: link as well. Then I set the CSS style properties to match the background color this email address will be placed above. This causes the email address to blend in. Perfect so your visitors won't notice. See if you can find mine: (if you give up, look at the HTML above and do a search in the source HTML)

    Now the function SpamHoneyPot() looks like this:

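    function SpamHoneyPot()
    {
        // IP address of whoever (visitor or bot) requested the page
        $remaddr = $_SERVER["REMOTE_ADDR"];
        $ips = explode('.', $remaddr);
        $bst = '';
        // Pack each dotted-decimal octet into a single byte
        foreach ($ips as $b) {
            $bst = $bst . chr(intval($b));
        }
        // Base64 the 4 bytes and drop the "=" padding
        $out = str_replace("=", "", base64_encode($bst));
        // Append your own domain
        $out .= '@[Your domain goes here - like ""]';
        return $out;
    }  // end function SpamHoneyPot()
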
    Someone (visitor and bot) comes to your site and this code converts the IP to base64 encoding which ends up being a reduced form of the IP address. You attach it back on to your domain name and your honey pot is all set.

    Now you just check your "To" header of your spam email and look for the funky ones. Here's an example of one I got today: [email protected]

    It's funky. It has to be one from the honey pot. To check it out, there's this decoding script:

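    <?php
    if (!isset($_GET['e'])) exit;   // no address given: show a blank page

    // Keep only the part before the @. PHP turns a literal "+" in the
    // query string into a space, so put it back before decoding.
    $encode = explode('@', $_GET['e']);
    $encode = str_replace(' ', '+', $encode[0]);

    // Restore the "=" padding that SpamHoneyPot() stripped
    while (strlen($encode) % 4)
        $encode .= "=";

    $val = base64_decode($encode);

    // Print each decoded byte as a decimal octet followed by a dot
    for ($a = 0; $a < strlen($val); $a++)
        echo ord($val[$a]) . '.';
    // end for($a = 0; $a < strlen($val); $a++)
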
    Just save it in its own file (I called mine dspam.php for giggles). By default, it will show a blank page. When you call this page, you'll want to add an additional parameter on the URL. To decode the email address, I plug in: [email protected]

    If this is a honey pot spam address, then you'll see the IP address that belonged to the server running the bot. If you don't see anything or you see an out of whack IP address, then that email address is not from the honey pot.

    Check it out here:

    http:[email protected]

    Ok. Now what?

    Now you have the IP address. Time to find the owner. Go ahead and use your favorite reverse DNS lookup tool. I found one at google: (look for the reverse DNS input box). Enter the IP address and click. For this IP address, it appears has it. Now it's just a matter of sending a FRIENDLY email - usually to abuse@[domain in question] (remember, the admin may not even know they have a bot running on one of their servers). Here's what mine looks like (it's lame):

    -- --

    I'm running a spam honey pot which catches web bots trolling for email
    addresses. The spam bot that collected the email address which received
    the message below was: [IP Address goes here]

    This IP address looks to be owned by you guys... Figure I give you a
    heads up.


    -- --

    Just today I got 2 emails from two different folks at one ISP letting me know the account was cancelled last week. Problem solved and I feel better.

    In the future, if I get more of these, I'd like to have PHP perform the reverse DNS lookup for me and even craft the email with the IP included. Then all I'd have to do is click OK or something to send the email off. In the meantime, I'll save that for a project for one of you...
    Last edited: Jan 29, 2004
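Added example, not part of the original post or the code it quotes: a variant of the honey pot that goes beyond the post's base64 scheme by hex-encoding the IP (so it survives mail systems that fold case, and covers IPv6) and appending a truncated HMAC, so a random or mistyped local part is rejected instead of decoding to some unrelated IP. It also drafts the report with a reverse DNS lookup, which the post leaves as a project. `HONEYPOT_KEY`, `HONEYPOT_DOMAIN` and all function names are assumptions.

```php
<?php
// Added example, not the original poster's code. HONEYPOT_KEY and
// HONEYPOT_DOMAIN are placeholders (assumptions); use your own values.
const HONEYPOT_KEY    = 'replace-with-a-long-random-secret';
const HONEYPOT_DOMAIN = 'example.com';

// Build the trap address for a visitor IP (IPv4 or IPv6), or null if invalid.
function honeypotAddress(string $ip): ?string
{
    $packed = @inet_pton($ip);            // 4 or 16 raw bytes, false if invalid
    if ($packed === false) {
        return null;
    }
    $hex = bin2hex($packed);              // lowercase hex is case-fold safe
    $tag = substr(hash_hmac('sha256', $hex, HONEYPOT_KEY), 0, 10);
    return $hex . $tag . '@' . HONEYPOT_DOMAIN;
}

// Recover the IP from a "To" address, or null if this site did not issue it.
function honeypotDecode(string $address): ?string
{
    $local = strtolower(explode('@', $address)[0]);
    if (!preg_match('/^([0-9a-f]{8}|[0-9a-f]{32})([0-9a-f]{10})$/D', $local, $m)) {
        return null;                      // wrong shape: not a honey pot address
    }
    $expected = substr(hash_hmac('sha256', $m[1], HONEYPOT_KEY), 0, 10);
    if (!hash_equals($expected, $m[2])) {
        return null;                      // tag mismatch: typo, guess or forgery
    }
    return inet_ntop(hex2bin($m[1]));
}

// Draft (do not send) the abuse report; needs DNS for the hostname.
function draftAbuseReport(string $address): ?string
{
    $ip = honeypotDecode($address);
    if ($ip === null) {
        return null;
    }
    $host = gethostbyaddr($ip);           // returns the IP itself if no PTR record
    $who  = ($host && $host !== $ip) ? "$ip ($host)" : $ip;
    return "I'm running a spam honey pot which catches web bots trolling for email\n"
         . "addresses. The spam bot that collected the email address which received\n"
         . "the message below was: $who\n";
}

// Constructed sample: a documentation-range IP and a made-up local part.
$addr = honeypotAddress('192.0.2.44');
var_dump($addr, honeypotDecode($addr));
var_dump(honeypotDecode('wkhk9a@' . HONEYPOT_DOMAIN));
```

The hostname from reverse DNS is set by whoever controls the address block, so treat it as a hint for finding the abuse contact and confirm the owner with a WHOIS lookup before mailing anyone.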
  2. DAN513

    DAN513 Active Member OT Supporter

    Mar 10, 2003
    Damn, that's pretty sweet.
  3. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Nov 13, 2001
    BC, Canada/Stockholm, Sweden
    I am definitely putting one up when I get my server back online :cool:
  4. SLED

    SLED build an idiot proof device and someone else will

    Sep 20, 2001
    AZ, like a bauce!
    heh, we get those bot spammer spiders on our sites all the time.. What we finally ended up doing was making all the email addresses images... with no mailto: functionality, and it makes the user actually type out the address into his/her email client, but it works.
