Gnutella Forums


adov August 12th, 2008 11:20 PM

New Feature - Block IPs in the Monitor Incoming Searches
 
I'm a very active user of Gnutella using Limewire and Shareaza.

I see a lot of suspicious searches in my monitor.
They search for the same words all day,
with things like bills, payments, and other personal information.
Looks like a spider or program doing automatic searches on the nodes.

It would be very nice to add a feature to block the IPs of these searches
that are running all day and night!

Manually:
In Lime Wire this feature could be added in
Monitor -> Show Incoming searches panel
This panel only shows the word in the search
and it would be nice to have the IP as well,
with some option like a right click to BLOCK the Host

This way we can stop these dummy searches that overload the computers
of everyone using Limewire and other software.

I'm sure that this feature will be very useful for thousands of people.

Regards

Ad Ov

adov August 12th, 2008 11:25 PM

More automated feature:
A parameter can be added to limit the # of searches / hour / host
For example, if a host makes a search every minute for 1 hour,
block it automatically.
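
Added example, not part of adov's post or of any LimeWire code: a per-host sliding-window limiter for the searches/hour/host idea above. It assumes the client can attribute each incoming search to a source address (the monitor panel described in the thread does not show one); the class name, the 60-per-hour threshold, the six-hour block and the 192.0.2.x hosts are constructed for illustration.

```python
import time
from collections import defaultdict, deque


class SearchRateBlocker:
    """Temporarily blocks a host that sends too many searches within a time window."""

    def __init__(self, max_searches=60, window=3600.0, block_for=6 * 3600.0):
        self.max_searches = max_searches  # searches allowed per window (assumed value)
        self.window = window              # window length in seconds (one hour)
        self.block_for = block_for        # block duration in seconds (assumed value)
        self._seen = defaultdict(deque)   # host -> timestamps of its recent searches
        self._blocked_until = {}          # host -> time at which its block expires

    def is_blocked(self, host, now=None):
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(host)
        if until is not None and now >= until:
            del self._blocked_until[host]  # block expired, host gets a clean slate
            return False
        return until is not None

    def record_search(self, host, now=None):
        """Count one search from host; return True to process it, False to drop it."""
        now = time.monotonic() if now is None else now
        if self.is_blocked(host, now):
            return False
        stamps = self._seen[host]
        stamps.append(now)
        # Forget searches that have fallen out of the sliding window.
        while stamps[0] <= now - self.window:
            stamps.popleft()
        if len(stamps) >= self.max_searches:
            self._blocked_until[host] = now + self.block_for
            del self._seen[host]
            return False
        return True


def accepted(blocker, host, interval, total):
    """Replay `total` searches from `host`, `interval` seconds apart; count those processed."""
    return sum(blocker.record_search(host, now=i * interval) for i in range(total))


if __name__ == "__main__":
    # Constructed hosts from the documentation address range, not real peers.
    blocker = SearchRateBlocker()
    print("one search per minute for 2 h:", accepted(blocker, "192.0.2.10", 60, 120))
    print("one search every 2 min for 4 h:", accepted(blocker, "192.0.2.20", 120, 120))
```

The block expires on its own, so an address that is later reassigned to another user is not locked out permanently.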

Cyclone September 15th, 2008 04:00 PM

adov, I find that blocking IPs in general is relatively useless. Those kinds of hosts will change to random IPs, and there is always a possibility that when the IP is later claimed by a normal user, they can be cut off from accessing Limewire. (It's happened to me in a chat room once, kinda strange to be G-lined when I'm an oper, but oh well.)

I like the automated idea, to temporarily block those IPs putting out results in every search. I even better like the ability for the user to prevent certain keywords from appearing in your search; for instance, I keep getting 60 spam results every time I try to get results, and they all say "sexy girl has shaking orgasm during sex" as part of the name. For instance, if you search "Jeff Stiles" (random name), you'll get "Jeff Stiles sexy girl has shaking orgasm during sex" as about 60 search results. Try searching for more (nice feature, mind), and you get 60 more, a few other spams, and nothing by Jeff Stiles at all as a followup search.

Can someone please add a way to BAN certain keywords from results, or completely prevent such results from coming up? No matter how many times it tries, I'll never download "sexy girl has shaking orgasm during sex" as I've got more important things to look for. I just don't want those results showing up on my screen for family reasons.

Cyclone

Remoc September 15th, 2008 04:55 PM

Is Possible.

Tools > Options > Filters > Keywords. Put in Orgasm and that should help.

Here is some good Info offered up by Sleepless.


2. The Keyword Filter

Add .wma to the keyword filter along with words like Sponsored, Unlimited, Afford and any other specific words that keep popping up in your results.

How to add words to the keyword filter Click Me

More words to add for both audio and video Click Me I really suggest you read this !!!

Autogenerated Spam results - Information Link

Sponsored Results - Information Link

Info about .wma files - Information Link (provided by Raaf)

Cyclone September 16th, 2008 02:09 PM

I've learned to limit my searches to audio, so that cuts out a lot of the "bad" results. I just want to kill those last few.

That's a nice suggestion, so I'll give it a shot. :)

Cyclone

puddleglum September 23rd, 2008 04:20 AM

controversial response??
 
I want to say my opinion on this.

puritans may not like it, but I say, fight fire with fire, "dilute the pool".

how many times you downloaded a movie, only to find out it is really something nasty instead? or a song you wanted is really some spam advert? we all been caught at least once!

so, make a note of those files they are looking for, [such and such's] password list, my [some bank] credit card numbers, or worse, etc, etc and prepare some useless lists of your own, such as all of microsoft's IP addresses or just a load of garbage (same thing?) then save your lists as .txt files and .doc files and SHARE THEM. Do the same with a few more dangerous titles, such as porn or worse, but for movie files, download some police recruitment videos and for pictures make up some dangerous message with an official looking police or government logo "STOP, YOUR IP ADDRESS HAS BEEN LOGGED, PLEASE REMAIN WHERE YOU ARE, LAW ENFORCEMENT OFFICERS ARE ON THEIR WAY"

Pollute the file pool for these miscreant hackers and porno peddlers, in the same way they pollute ours. Also, look at your stats and see what the world REALLY does with P2P. You will see these dummy files will be the most popular by far.

If enough people did this, it might make a small difference, maybe those nasty ppl would go away, and P2P would become a purer, better thing.

Of course, the problem of this form of hacking wouldn't be there if people weren't stupid enough in the first place to a) write all their passwords/credit card numbers/etc in a file on their hard disk and b) even more stupid to share it. Limewire (bless) have tried to redress this a little, making it ever so slightly harder to share YOUR ENTIRE HARD DISK, but given that most ppl I know can't read pop up messages, and have no idea what folders are, it is still too easy to share all that private data.

Anyways, if in doubt, blame apple for "inventing" the mouse, and blame microsoft, for giving people the illusion that computers are oh-so-friendly-and-easy-to-use, and for leaving so many hooks inside their OS so that other people can access our info. Did you know many European Intelligence Agencies refuse to use networked Microsoft product because they say it is akin to having all their meetings and filing cabinets in CIA headquarters ?

runt66 February 28th, 2014 06:49 PM

http://i1186.photobucket.com/albums/...psa878835c.jpg

runt66 February 28th, 2014 07:04 PM

Still trying to block this robot, strangeactivity-143-109;
can file girl invent a patch to alter the upload page so that it gives the full ip address??

Or, using my console page which I have posted, can I set up a log in some way to show all the members I have connected to in the last 48 hours??

Lord of the Rings March 1st, 2014 03:42 PM

Need to find out from File_Girl. She doesn't visit the forum that often these days. Last time in December I think.

I'd request an auto-block of port 7001. These seem to be the most common bots programmed to fill people's upload slots. The ones I'm aware of are on the Hostiles list.

Are you using the Hostiles Security blocklist? (This version only works with LW 4 or 5/LPE.)

As we know, the last two numbers of the user ID are 'usually' the last two numbers of their ip address. I found 3 with that last series of numbers in the hostiles.

Are you using LPE or LW 5.3.6? I think with 5.3.6 you 'might' be able to right-click the host that's uploading & get information on that host. The ip address for transfers was dropped from this window either in 5.3 or 5.4 or 5.5. (They said they dropped it for privacy reasons of the hosts. Not forgetting they were under court pressure & made some changes they did not wish to over a couple of years.)

AFAIK the console log only logs the present session. And only logs what you ask it to log. You can save the log at end of a session or a time period, but need to do that manually.

BTW even in the non-Japanese blocklist, that ip range is blocked because it was so full of bad hosts. AaronWalkhouse had this range blocked by 12 June 2011, even before I adopted the Hostiles to keep up to date. ie: 220.150.0.0/16 or 220.150.0.0/255.255.0.0 in the original notation. If you don't wish to use the Security Hostiles blocklist, then you can simply add 220.150.0.0/16 to your ip filter.
I remember I always had issues with hosts in the 220.x.x.x range a few years back & used to manually block them. The majority of the troublesome ones were usually from Japan, USA or Australia. That specific ip range 220.150. is Japanese. Japan uses about 108-109 out of 255 possible 2nd tier ranges in the 220.x. range. Some are static, some dynamic.

runt66 March 1st, 2014 07:04 PM

I have 5.3.6;

With LPE, does the upload page give the full ip address if the member only browses the library and does absolutely nothing else?

Lord of the Rings March 1st, 2014 09:22 PM

No it doesn't. I know the type of bot you mean, the browse bots. All the ones I found are on the security hostiles blocklist. Countries they mostly come from are USA & Japan. Some will browse every 15 mins. Some will browse only but very soon after you start a new session. Birdy's also noted these kind of bots.
Unlike LW 4 which shows each time they browse you, LW 5 simply only lists them once. I used MacOSX's network console to discover how often they'd been browsing & how long apart.

Such bots have been around for a while. I recall hosts doing that last decade. I initially thought they crashed (due to my large shares) & returned & re-browsed. I eventually woke up to who/what they are.

Lord of the Rings March 2nd, 2014 06:04 AM

Quote:

Originally Posted by Lord of the Rings (Post 373615)
... the security hostiles blocklist. ...

A little off-topic but just thought I'd note this:

When I took over the BearShare hostiles list because it seemed it was not being updated any more, I then considered a similar list for LW. Once I found a way for LW to read it, I changed the format it uses so it uses less memory than the BearShare version.

It did cross my mind to start a list from scratch for LW because it had been suggested in years past the BS one was a little heavy handed. But seemed like a lot of work to do so stuck to a ready made list instead.

I also looked at other blocklists. Both Phex & GTK use the same list which is minimal. But noticed some small differences. For example a small ip sub-range was blocked on BS Hostiles but the Phex version had the opposite end of that range blocked instead. I chuckled. I saw that a few times. I combined that list with the LW one. I also compared to the LW built-in blacklist. I also looked at the Gnucleus blacklist which I think File_Girl put together. That one blocked many world police departments & also music & film production companies & related companies. That sounded appealing to me so I combined it also.
I also looked at the FrostWire hostiles, same format as the BS one. I noticed some differences & incorporated some of those.

As far as police departments go, I discovered one using Phex from USA (twice 9 days apart), a special criminal investigations unit which had a small portion of an ip sub-range allocated to it. Other police dept's I've found were from Melbourne, Sydney, Auckland & somewhere in Portugal. All these added to the LW blacklist. I find it difficult to believe someone working for a police dept. would be using the official connection for casual hobby usage of the Gnutella network. I think it's best to play it safe when it comes to gnutella users & if they want some protection then this list will at least help.

There's been other suspicious sub-ranges I've blocked due to the multiple users on similar ip's (11-12) connecting to me on multiple occasions. Over 2 years ago, I was uncertain whether they were bots or an organised group of people from Australia & I think Malaysia. (I had snapshots of a couple of these occasions but posted privately.) Example with first number removed: x.98.133.1, x.98.133.2, x.98.133.5, x.98.133.7, x.98.133.16, x.98.133.17, x.98.133.18, x.98.133.21, x.98.133.31, x.98.133.49, x.98.133.50 using FW 4.21.5, MS Windows version. 72 browses or download attempts over 10 min period before I crashed. The LPE pseudo name for the first one listed was AggressiveQual-133.1
Each browsed & several of them downloaded from me (same material.) In retrospect, sounds like bots. ie: Brisbane two occasions, Sydney once, Malaysia once. I mention these ones because they were more local to you. Of course I've mentioned & given examples of other similar bot ranges from USA in the BearShare Hostiles thread & Europe elsewhere. Bots are run from many countries (not referring to proxies.)
[/waffle completed]

Lord of the Rings March 5th, 2014 10:04 PM

Again, a little off-topic. But seems I identified another bot from Europe. Same ip from Belgium. Problem is it's a dynamic address so probably won't add it to the hostiles. Host peers connecting to me with same ip, using LW Music 4.2.0 (multiples) & LimeZilla 2.3.0. No correlation between ports used. So it could be a difficult one to stop. In general I find Belgium ip's are highly dynamic even when they're supposed to be static. This one via Belgacom Skynet & around late afternoon their time. My LPE was not connected that long, perhaps 2 hrs at most as UP.

sleepybear91 November 10th, 2014 12:50 AM

Still suffering with the Japanese hostiles here. Hoping when I load WS they will be less of a problem

Lord of the Rings January 13th, 2015 03:58 PM

Quote:

Originally Posted by runt66 (Post 373197)
Lemonwire is a clone of limewire; but members using it should ban and block both,

65.199.18.150 and 65.199.18.142;

they are robots downloading hundreds of songs every hour; genuine members don't get a fair go;

The above quoted from another thread in the LW Clone section of the forum.

I realise this has become an old topic but thought I'd give you a heads-up on some blocking in regards to port 7001 hosts. There's a particularly bad group that use the following ip's: 208.103.122.163, 208.103.122.164, 208.103.122.165, 208.103.122.167
If you're using LW 5.3.6, LPE or WireShare then the pseudo-names would be:
NiceReindeer-122-63 and NiceReindeer-122-65, etc.
You can block them individually or use 208.103.122.160/29
That range is in the Hostiles-security block updater for January for LimeWire and will be in the next WireShare version release.
The hosts I've seen were ShareAza but I suspect they probably use multiple different gnutella client programs such as like this.

As it is at present, still trying to prevent that port from being active with WireShare's uploads. At least that port will not be able to connect as a leaf or ultrapeer to WireShare.

runt66 January 15th, 2015 08:31 PM

http://i1186.photobucket.com/albums/...ps290c5dd4.jpg

runt66 January 15th, 2015 08:33 PM

http://i1186.photobucket.com/albums/...psdc55fd4b.jpg

runt66 January 15th, 2015 08:45 PM

This just confirms your last post;

runt66 January 15th, 2015 08:49 PM

This is one ip address I will be blocking.

Lord of the Rings January 16th, 2015 02:19 AM

Oops yes. Thanks for the confirmation pictures and posts. :) Block all those hosts I listed. The others won't be far away I can assure you. Putting 208.103.122.160/29 into your filter blocklist/blacklist will achieve the same thing (it will block a range of 8 sequential addresses starting from 160). Or put in both 208.103.122.163 and 208.103.122.164/30, which will block the next 4 addresses up to 167.
I had 1.2 million hits from that range over a few days according to my ip blocker. This session it's been 398,479 hits over 16 hours and 48 minutes. I first noticed them whilst using BearShare on the 23rd of last month.
Perhaps this bunch is only using ShareAza.
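
Added example, not part of the post above or of the Hostiles list tooling: the two filter options from the post, checked with Python's ipaddress module to show which addresses each one blocks beyond the four observed hosts. The function names are hypothetical; the addresses and ranges are the ones quoted in the thread.

```python
import ipaddress


def compile_blocklist(entries):
    """Parse filter entries (single address, CIDR or address/netmask) and merge overlaps."""
    # Default strict parsing raises ValueError when host bits are set
    # (e.g. "208.103.122.163/30"), so a range that does not start on its
    # own boundary is rejected instead of being silently widened.
    nets = [ipaddress.ip_network(e.strip()) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(addr, blocklist):
    """True if addr falls inside any network of the compiled blocklist."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist)


def overblocked(blocklist, observed):
    """Addresses the blocklist covers that are not among the observed hosts."""
    seen = {ipaddress.ip_address(a) for a in observed}
    return [str(ip) for net in blocklist for ip in net if ip not in seen]


# Hosts and ranges quoted in the thread.
OBSERVED = ["208.103.122.163", "208.103.122.164",
            "208.103.122.165", "208.103.122.167"]
WIDE = compile_blocklist(["208.103.122.160/29"])
NARROW = compile_blocklist(["208.103.122.163", "208.103.122.164/30"])
RANGE_CIDR = compile_blocklist(["220.150.0.0/16"])
RANGE_MASK = compile_blocklist(["220.150.0.0/255.255.0.0"])

if __name__ == "__main__":
    for name, bl in (("/29", WIDE), (".163 + .164/30", NARROW)):
        print(name, "covers all observed:",
              all(is_blocked(a, bl) for a in OBSERVED),
              "| also blocks:", overblocked(bl, OBSERVED))
    print("CIDR and netmask notation agree:", RANGE_CIDR == RANGE_MASK,
          "| addresses in range:", RANGE_CIDR[0].num_addresses)
```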

sleepybear91 March 24th, 2024 05:44 PM

How about now?
 
All right, so how about now? Does Wireshare have this feature in use automatically? Or is this something I am overlooking? :confused:

Lord of the Rings March 24th, 2024 08:22 PM

If you are using WireShare 5.6.6 or later then a security hostiles file that blocks out spam, etc. is updated periodically. (The earlier Wireshare versions had a static hostiles file.)

Is this the query you were wanting to know? Your question is not very clear.

As for the incoming searches monitor, these are simply reflecting what other hosts within the same search horizon are searching for. It is more or less matter of fact.

sleepybear91 March 25th, 2024 03:07 AM

Excellent, Yes I suspected it might but glad I asked. Good news. thank you LOTR.

Krazee_Oracle March 25th, 2024 05:33 AM

Newbie
 
I am new to this platform, but I have guessed that looking at the file source is important.
In doing that I get block use name-something. Is this user a security hostile?

sleepybear91 March 28th, 2024 04:57 PM

From Krazee Oracle: I am new to this platform, but I have guessed that looking at the file source is important.
In doing that I get block use name-something. Is this user a security hostile?

I assume you are talking about Wireshare? I'm no expert, but if it comes to the message of you are being blocked from seeing this provider's files, my past experiences are that they are either a hostile or a worthless provider. A lot of these guys I have caught putting advertisements or pornographic pictures under music file names (or things that deceive you) Loading something in the wrong place on purpose.

Krazee_Oracle March 28th, 2024 05:05 PM

Quote:

Originally Posted by runt66 (Post 373609)
Still trying to block this robot, strangeactivity-143-109;
can file girl invent a patch to alter the upload page so that it gives the full ip address??

Or, using my console page which I have posted, can I set up a log in some way to show all the members I have connected to in the last 48 hours??


Can you program in python?

Krazee_Oracle March 28th, 2024 05:10 PM

Quote:

Originally Posted by sleepybear91 (Post 379610)
From Krazee Oracle: I am new to this platform, but I have guessed that looking at the file source is important.
In doing that I get block use name-something. Is this user a security hostile?

I assume you are talking about Wireshare? I'm no expert, but if it comes to the message of you are being blocked from seeing this provider's files, my past experiences are that they are either a hostile or a worthless provider. A lot of these guys I have caught putting advertisements or pornographic pictures under music file names (or things that deceive you) Loading something in the wrong place on purpose.


Thanks for the heads up. Although (WireShare) there is a listing page with info on downloads/uploads that is not writeable so I presume a display only into provide location info for more direct ftp methods.

sleepybear91 March 30th, 2024 06:48 AM

I see. Did not really understand your question in the first place though.

runt66 March 30th, 2024 03:53 PM

No Krazee, I am not a programmer;

can you?


All times are GMT -7.