Try to detect a fake server, sending bogus search results
AraldoL
Dec 27 2006, 18:34
Group: Members
Posts: 77
Joined: 23-August 05

Now I think BiG BanG 12 was a false alert. It seems things are running asynchronously, so my debug lines don't show the correct server. Now on an installation without BB12 I get a debug log that BB5 is sending this filename.

I need to take a deeper look into the code to get it working properly (in UDPSocket.cpp I get the server name and IP as Aw3 showed me above and store it; in CSearchList::AddToList I check the filename and report the last stored server name, but it seems these don't correspond).

So I would say that BB12 is innocent and I have to search again which one it is. I'll be back when I get it working.

Araldo
Post #16
AraldoL
Jan 7 2007, 18:29
Group: Members
Posts: 77
Joined: 23-August 05

Something new on the subject:

1. Dropping those bogus search results does work. I added the following code lines (shown in red in the original post) to SearchList.cpp, function CSearchList::AddToList, at line ~675:

CODE
                    delete pAddedFile;
                    return false;
                }
            }
        }

        // added: drop the result if a single server claims an implausible number
        // of complete sources for an .exe file (MakeLower() changes the copy in place)
        CString strServerFilename = pAddedFile->GetFileName();
        uint32 dwServerFullsources = pAddedFile->GetIntTagValue(FT_COMPLETE_SOURCES);
        if ((dwServerFullsources > 4000) && (strServerFilename.MakeLower().Find(".exe") > 0))
        {
            AddLogLine(false, RGB_LOG_ERROR_TXT _T("Bogus Server sends %u full sources for suspicious file %s - dropped!"),
                       dwServerFullsources, strServerFilename);
            delete pAddedFile;
            return false;
        }

        CSearchFile *pSearchFile;

        for (POSITION pos = list.GetHeadPosition(); pos != NULL; )


To allow logging I had to change SearchList.h as well at line 87:
CODE
class CSearchList : public CLoggable
{


As you can see, it's only dropped if it's an EXE file and the server reports more than 4000 complete(!) sources. Now the file name changes, it's not only shareaccelerator any more. But it's always an EXE file with about 6500 full sources.

2. Detecting the server responsible for these results: sorry, I wasn't able to find out the proper connection between server IPs and result packets, which resulted in wrongly accusing a BigBang server. Perhaps someone can add it to the detection above to filter such a server.

Araldo

Post #17
Fuxie - DK
Jan 8 2007, 05:14
Group: Managers
Posts: 4800
Joined: 21-January 03
From: Copenhagen, Denmark

QUOTE(AraldoL @ Jan 7 2007, 19:29)
As you see it's only dropped if it's an EXE file and server reports more than 4000 complete(!) sources. Now the file name changes, it's not only shareaccelerator any more. But it's always an EXE file with about 6500 full sources.

Try doing a search for "exe" in the name-field and "4000" in availability-field..

I get two results:
eMule0.47c-Installer.exe <-- 12870 results...
ud.sarkilari_Web_Hottest_Videos_PersonalPlayer.exe <-- 4457 results...

So excluding all exe-files simply because they have more than 4000 sources seems a bit dangerous to me...
Post #18
Aw3
Jan 8 2007, 05:53
Group: Admins
Posts: 7319
Joined: 8-December 03

Just add the following guys to your ipfilter and delete them from the server list as well:
62.90.175.146
213.8.162.36
66.232.114.92

If you can see another Israel 17.10 server, it might be the same buddy as well...
Post #19
AraldoL
Jan 8 2007, 08:38
Group: Members
Posts: 77
Joined: 23-August 05

QUOTE(Fuxie - DK @ Jan 8 2007, 07:14)
Try doing a search for "exe" in the name-field and "4000" in availability-field..

I get two results:
eMule0.47c-Installer.exe  <-- 12870 results...
ud.sarkilari_Web_Hottest_Videos_PersonalPlayer.exe  <-- 4457 results...

So by excluding all exe-files simply because they have more than 4000 sources seems a bit dangerous for me...

The search packet is only dropped if you get more than 4000 full sources from a single(!) server. So perhaps the first example is dropped from one or two biggest servers that really have 4000 complete sources connected. But even then your global search gets lots of additional results from servers with less than 4000 full sources which are not(!) dropped. It's unlikely that there are more than 4000 sources on a big server and none on the smaller ones. If one packet is dropped you would get 8000 instead of 12000 total sources, still enough I think. If such a download is started the remaining sources are found by source exchange.

Btw, the second example sounds exactly like those fake results! (Currently I'm getting xxx_shareaccelerator.exe, xxx_web_hottest_videos_personalplayer.exe, xxx_direct_torrent_search_bar.exe, ...) You could download and launch it and tell me what it does.

Araldo
Post #20
Aw3
Jan 19 2007, 02:12
Group: Admins
Posts: 7319
Joined: 8-December 03

One more guy for the ipfilter: 069.046.023.148
Post #21
AraldoL
Jan 19 2007, 10:52
Group: Members
Posts: 77
Joined: 23-August 05

Currently I'm not filtering the whole server but just dropping those bogus results with the code posted above (drop level: > 9000 full sources!). No more problems with searching now.

Araldo
Post #22
Aw3
Jan 19 2007, 14:00
Group: Admins
Posts: 7319
Joined: 8-December 03

You don't know what those servers do -- better to avoid any transfers with them...
Post #23
Aw3
Jan 25 2007, 02:14
Group: Admins
Posts: 7319
Joined: 8-December 03

One more: 212.025.103.162
Post #24
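An added example, written for this page and not taken from eMule, eMule Plus or any poster here: it takes the five addresses Aw3 listed in this thread, writes each as a single-host line in the ipfilter.dat format ("start - end , access level , description", zero-padded octets), parses those lines back, and checks a dotted-quad address against the resulting ranges. eMule treats a range as blocked when its access level is below the client's filter level (127 by default), so the lines use 000. The IpRange struct, the function names and the description text are my own; the addresses are the ones posted above.

```cpp
// Added example, not eMule code: the addresses posted in this thread written as
// ipfilter.dat lines, parsed back, and used to check an address against them.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct IpRange {
    uint32_t first;   // inclusive range bounds, host byte order
    uint32_t last;
    int access;       // eMule blocks the range when access < its filter level (127 by default)
    std::string desc;
};

static uint32_t pack(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (static_cast<uint32_t>(a) << 24) | (b << 16) | (c << 8) | d;
}

// Parses a dotted quad into host order; leading zeros as in "069.046.023.148" are
// read as decimal. Returns false on malformed input or an octet above 255.
bool parseIPv4(const std::string& s, uint32_t* out) {
    unsigned a, b, c, d;
    char trailing;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = pack(a, b, c, d);
    return true;
}

// Same, returning 0 on failure (convenient for one-line checks).
uint32_t ipOrZero(const std::string& s) {
    uint32_t ip = 0;
    return parseIPv4(s, &ip) ? ip : 0;
}

// One ipfilter.dat line for a single host: "start - end , access , description",
// zero-padded octets, access level 000 (blocked).
std::string makeFilterLine(uint32_t ip, const std::string& desc) {
    const unsigned o[4] = {static_cast<unsigned>(ip >> 24), static_cast<unsigned>((ip >> 16) & 255u),
                           static_cast<unsigned>((ip >> 8) & 255u), static_cast<unsigned>(ip & 255u)};
    char buf[160];
    std::snprintf(buf, sizeof buf, "%03u.%03u.%03u.%03u - %03u.%03u.%03u.%03u , %03d , %s",
                  o[0], o[1], o[2], o[3], o[0], o[1], o[2], o[3], 0, desc.c_str());
    return buf;
}

// Parses one ipfilter.dat line; rejects bad octets and inverted ranges.
bool parseFilterLine(const std::string& line, IpRange* out) {
    unsigned a[4], b[4];
    int access;
    char desc[64] = {0};
    int n = std::sscanf(line.c_str(), "%u.%u.%u.%u - %u.%u.%u.%u , %d , %63[^\r\n]",
                        &a[0], &a[1], &a[2], &a[3], &b[0], &b[1], &b[2], &b[3], &access, desc);
    if (n < 9) return false;
    for (int i = 0; i < 4; ++i)
        if (a[i] > 255 || b[i] > 255) return false;
    out->first = pack(a[0], a[1], a[2], a[3]);
    out->last = pack(b[0], b[1], b[2], b[3]);
    if (out->first > out->last) return false;
    out->access = access;
    out->desc = desc;
    return true;
}

// True if some range contains ip and that range's access level is below filterLevel.
bool isFiltered(const std::vector<IpRange>& ranges, uint32_t ip, int filterLevel = 127) {
    for (const IpRange& r : ranges)
        if (ip >= r.first && ip <= r.last && r.access < filterLevel) return true;
    return false;
}

// The addresses Aw3 posted in this thread, round-tripped through the file format.
std::vector<IpRange> threadBlocklist() {
    static const char* const kAddresses[] = {"62.90.175.146", "213.8.162.36", "66.232.114.92",
                                             "069.046.023.148", "212.025.103.162"};
    std::vector<IpRange> ranges;
    for (const char* addr : kAddresses) {
        IpRange r{};
        uint32_t ip = 0;
        if (parseIPv4(addr, &ip) &&
            parseFilterLine(makeFilterLine(ip, "bogus search results (forum thread)"), &r))
            ranges.push_back(r);
    }
    return ranges;
}

bool addressFiltered(const std::string& addr) {
    uint32_t ip = 0;
    return parseIPv4(addr, &ip) && isFiltered(threadBlocklist(), ip);
}

int main() {
    for (const IpRange& r : threadBlocklist())
        std::printf("%s\n", makeFilterLine(r.first, r.desc).c_str());
    return 0;
}
```

The lines printed by main can be appended to ipfilter.dat as they are. One limit worth knowing when relying on this: the filter decides which hosts the client will connect to or accept packets from, but a server search reply is a single UDP datagram whose source address is not authenticated, so a listed address in a capture is not by itself proof of which host actually sent a bogus reply; dropping implausible results on their content stays useful alongside the filter.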
muleteer
Jan 25 2007, 05:06
Group: Betatesters
Posts: 8261
Joined: 29-February 04

I think I'll start a thread listing these in the support forum - or should it be the Public info forum?
Post #25
Aw3
Jan 25 2007, 05:29
Group: Admins
Posts: 7319
Joined: 8-December 03

There's a similar thread on eMule forum, those addresses will be a part of IPfilter soon (some of them are already there)...
Post #26
MaxWilder
Jan 26 2007, 00:41
Group: Members
Posts: 1
Joined: 12-February 04

QUOTE(Aw3 @ Jan 25 2007, 05:29)
There's a similar thread on eMule forum, those addresses will be a part of IPfilter soon (some of them are already there)...

I looked at that thread, and it had no solution that I could find applicable to eMule Plus.

Though I am certainly not an expert, I have stopped the spam using the following method:

1. Select all current servers, right-click and select "Remove selected Server".
2. Go to Preferences -> Connection -> Server.
3. Check "Auto-update serverlist at startup"
4. Un-check "Update serverlist when connecting to servers and clients".
5. Restart eMule Plus -or- Manually "Update server.met from URL", available through a button on the top-right of the main "Servers" page. Use one of the servers which appears in the dropdown list such as "http://www.gruk.org/server.met.gz".

In my guesstimation, this should guarantee all your servers have been cleared by gruk.org or srv1000.com. I have no idea who they are, but other people seem to respect their lists.

However, this will disable the ability to find new servers through current servers, meaning your searches may not find as many results. Sad, but now it seems to have become necessary.

Hopefully somebody will post a better long-term solution.

Araldo, the searches are now returning .zip files as well as .exe files. I'm sure they will keep adding more extensions and name permutations, so you might as well remove the .exe part of your code. And if your code becomes widely used, they will probably lower the number of complete sources until they mix with the normal hits. It's a good short-term solution, though.
Post #27
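An added example, my own code rather than eMule Plus code or anything posted by AraldoL or MaxWilder, that puts AraldoL's drop rule from post #17 and MaxWilder's point about other extensions into one standalone check. It assumes a hypothetical SearchResult struct standing in for what AddToList sees (the replying server, the file name and the FT_COMPLETE_SOURCES value), and the sample results are constructed. The threshold is applied per reply, so a popular file reported by several servers, each below the drop level, keeps its full source count, while one reply claiming far more is dropped; the exeOnly switch reproduces the posted .exe-only rule or extends the count rule to every extension. Unlike the posted Find(".exe") test it matches the extension as a suffix only.

```cpp
// Added example, not eMule Plus code: a per-reply sanity check on server search
// results, generalised from the rule posted in this thread.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// One search result as carried by one server's reply (hypothetical layout; the
// real code reads these fields from a CSearchFile).
struct SearchResult {
    std::string server;        // server whose reply packet carried this result
    std::string fileName;
    unsigned completeSources;  // FT_COMPLETE_SOURCES as claimed by that one server
};

// Drop level from the thread: more complete sources than this, claimed by a single
// server for one file, is treated as bogus.
constexpr unsigned kDropLevel = 4000;

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Case-insensitive suffix test (".exe" at the end of the name, not anywhere in it).
static bool hasExtension(const std::string& name, const std::string& ext) {
    const std::string lower = toLower(name);
    return lower.size() >= ext.size() &&
           lower.compare(lower.size() - ext.size(), ext.size(), ext) == 0;
}

// True if the reply should be dropped. exeOnly == true mirrors the posted rule
// (count AND .exe); false applies the count rule to every extension.
bool isBogusResult(const SearchResult& r, bool exeOnly) {
    if (r.completeSources <= kDropLevel) return false;
    return !exeOnly || hasExtension(r.fileName, ".exe");
}

// Applies the rule to a batch of replies; returns the kept results and counts drops.
std::vector<SearchResult> filterResults(const std::vector<SearchResult>& in,
                                        bool exeOnly, std::size_t* dropped) {
    std::vector<SearchResult> kept;
    *dropped = 0;
    for (const SearchResult& r : in) {
        if (isBogusResult(r, exeOnly)) ++*dropped;
        else kept.push_back(r);
    }
    return kept;
}

// Sum of complete sources for one file over all kept replies: the figure the
// search window shows, which survives the loss of a single dropped reply.
unsigned totalSources(const std::vector<SearchResult>& results, const std::string& fileName) {
    unsigned total = 0;
    for (const SearchResult& r : results)
        if (r.fileName == fileName) total += r.completeSources;
    return total;
}

// Constructed sample: a popular legitimate file reported by three servers, each
// below the drop level, plus the pattern from the thread (one server, ~6500
// sources) under an .exe name and under another extension.
std::vector<SearchResult> sampleResults() {
    return {
        {"srvA", "eMule0.47c-Installer.exe", 3900},
        {"srvB", "eMule0.47c-Installer.exe", 3500},
        {"srvC", "eMule0.47c-Installer.exe", 3100},
        {"srvX", "xxx_shareaccelerator.exe", 6500},
        {"srvX", "xxx_direct_torrent_search_bar.zip", 6500},
    };
}

// Number of sample replies the rule drops.
std::size_t sampleDropped(bool exeOnly) {
    std::size_t dropped = 0;
    filterResults(sampleResults(), exeOnly, &dropped);
    return dropped;
}

// Source count the installer keeps after filtering.
unsigned sampleInstallerSources(bool exeOnly) {
    std::size_t dropped = 0;
    return totalSources(filterResults(sampleResults(), exeOnly, &dropped),
                        "eMule0.47c-Installer.exe");
}

int main() {
    for (bool exeOnly : {true, false}) {
        std::printf("exeOnly=%d: dropped %zu of %zu replies, installer keeps %u sources\n",
                    exeOnly ? 1 : 0, sampleDropped(exeOnly), sampleResults().size(),
                    sampleInstallerSources(exeOnly));
    }
    return 0;
}
```

Against the sample, the .exe-only rule drops one reply and the extension-free rule drops two, while the installer keeps all 10500 of its reported sources either way because no single server exceeded the drop level. The weakness is the one raised in the thread: the threshold is a constant, so the check only holds as long as the bogus replies stay well above the counts a genuinely popular file gets from one server.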
LUCA TONI
Feb 1 2007, 20:16
Group: Members
Posts: 67
Joined: 2-September 06
From: Italy

To eliminate the problem of spy servers I exclusively use this server list: http://elboiler.p2pforum.it/server.met and I renew my ipfilter at this site: www.emulesecurity.net
Post #28
WiZaRd
Feb 18 2007, 13:12
Group: Members
Posts: 39
Joined: 25-July 05

The problem cannot be solved by ipfiltering because UDP packets' source IP+Port can be easily faked.
Filtering by the number of sources is also a bad idea, they might just change it to another (high) number and in case of a very popular file you will lose good search results.

The only - proper - way to block them, as far as I am concerned, is to use a simple server search or not to use servers at all (best solution IMHO) but join the KAD network.
They might try to infiltrate it, too, sooner or later, but for now we are safe.

After all, using your brains to analyze the given search results isn't such a bad thing either...
Post #29
muleteer
May 3 2007, 18:40
Group: Betatesters
Posts: 8261
Joined: 29-February 04

I have had reports of bad results from KAD searches too. Friends using oMule report results with a whole heap of 'c's in them, e.g. Ccccccc.
Post #30