[ Outline ] · Standard · Linear+ Try to detect a fake server, sending bogus search results

[AraldoL]

since some days I noticed on nearly every search I get one single fake search result (obviously a dangerous executable) with a very high number of sources so it's always on first position on the search results. The filename is always built of my search term and "_ShareAccelerator.exe", i.e. if I do a global search on "schafkopf" (a german cards game, there are several freeware versions floating around) I get "schafkopf_Shareaccelerator.exe" with about 6500 full sources. There must be at least one bogus server that builds this filename from my search term.

Of course I use a big and weekly updated ipfilter.dat! And I use a self compiled version of current CVS with an self made addition to prevent adding any servers which are located in the United States according to ip2country. So I have no US servers in my list.

To investigate which server it is I tried to find the location in source where the server results are added to the list. I wanted to write a debug line with the server's ip to the debug log to find out which server it is as a first step.

Can someone point me to the proper file and function in source where both server ip and filename from global search results are available?

Araldo

[zegg]

here i am quoting the thing i had wrote in the chat also correcting little write mistakes so that it stays even after i am dead (corrected*)

okay.i hope you add an algorithm instead of only replacing server list file to catch those servers and remove them from the active server list.because disabling the adding new server options really lowers the sources and download.so we better be able to let them stay open, so need an algorithm to filter those crappy ones.shouldnt be hard to make the client to send a few random general searches in the background and filter out the servers with many matching patterns for different files while also no response for that files from other servers.that responding servers having low user and file OR many new results (not received results((files)) from other servers) from 1 server may be treated as an additional heuristic pattern for those crappy servers but just for suspection as a side algorithm , and maybe ask for the user to remove or not, and let it stay until user comfirms* the removal.clear results from the main* algorithm may not require* user approval for server removal..

muleteer: Sat. Mar. 01st, 2008 10:52 PM
zegg: Yes, that is a good idea. We do have countermeasures for clients who do not behave properly; it would be interesting to do something for detecting and filtering fake servers. Problem is, servers don't like unnecessary traffic, and when you consider hundreds of thousands of clients automatically doing useless searches just to find out whether or not a server is bad... well, you get the picture.

the repeatance of such server detection processes are not necesarrily have to be so frequent imo that it would irritate the server..because i dont think they add up or change IP s of fake servers so frequently that when we are to catch up their interval so would irritate the servers..say, it does a 3-4 searches when at the client start, and does renews this process after 3-5hours later again..because the server list size doesnt change get more bigger then a limit size after a certain amount of time because our client does not encounter any more new server existance from connected clients and servers(enabled through options)..so one exeptional process can be put after hmm say 1 hour or half the clients initiliztion(start), assuming it would reach that limit until that time, incase the clients server list was too low at begin or maybe was cleared before closed last time)..and of course if so, "clearing the server list" from the options should reset the time counter as if the clients was reopened.