• palordrolap@kbin.social
    link
    fedilink
    arrow-up
    237
    ·
    10 months ago

    Put something in robots.txt that isn’t supposed to be hit and is hard to hit by non-robots. Log and ban all IPs that hit it.

    Imperfect, but can’t think of a better solution.

    • Lvxferre@mander.xyz
      link
      fedilink
      English
      arrow-up
      127
      ·
      edit-2
      10 months ago

      Good old honeytrap. I’m not sure, but I think that it’s doable.

      Have a honeytrap page somewhere in your website. Make sure that legit users won’t access it. Disallow crawling the honeytrap page through robots.txt.

      Then if some crawler still accesses it, you could record+ban it as you said… or you could be even nastier and let it do so. Fill the honeytrap page with poison - nonsensical text that would look like something that humans would write.

      • CosmicTurtle@lemmy.world
        link
        fedilink
        English
        arrow-up
        59
        ·
        10 months ago

        I think I used to do something similar with email spam traps. Not sure if it’s still around but basically you could help build NaCL lists by posting an email address on your website somewhere that was visible in the source code but not visible to normal users, like in a div that was way on the left side of the screen.

        Anyway, spammers that do regular expression searches for email addresses would email it and get their IPs added to naughty lists.

        I’d love to see something similar with robots.

        • Lvxferre@mander.xyz
          link
          fedilink
          English
          arrow-up
          32
          ·
          edit-2
          10 months ago

          Yup, it’s the same approach as email spam traps. Except the naughty list, but… holy fuck a shareable bot IP list is an amazing addition, it would increase the damage to those web crawling businesses.

          • Nighed@sffa.community
            link
            fedilink
            English
            arrow-up
            12
            ·
            10 months ago

            but with all of the cloud resources now, you can switch through IP addresses without any trouble. hell, you could just browse by IP6 and not even worry with how cheap those are!

            • Lvxferre@mander.xyz
              link
              fedilink
              English
              arrow-up
              12
              ·
              10 months ago

              Yeah, that throws a monkey wrench into the idea. That’s a shame, because “either respect robots.txt or you’re denied access to a lot of websites!” is appealing.

              • Nighed@sffa.community
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                5
                ·
                10 months ago

                That’s when Google’s browser DRM thing starts sounding like a good idea 😭

      • KairuByte@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        9
        ·
        10 months ago

        I’m the idiot human that digs through robots.txt and the site map to see things that aren’t normally accessible by an end user.

        • Lvxferre@mander.xyz
          link
          fedilink
          English
          arrow-up
          6
          ·
          10 months ago

          For banning: I’m not sure but I don’t think so. It seems to me that prefetching behaviour is dictated by a page linking another, to avoid any issue all that the site owner needs to do is to not prefetch links for the honeytrap.

          For poisoning: I’m fairly certain that it doesn’t. At most you’d prefetch a page full of rubbish.

    • PM_Your_Nudes_Please@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      10 months ago

      Yeah, this is a pretty classic honeypot method. Basically make something available but inaccessible to the normal user. Then you know anyone who accesses it is not a normal user.

      I’ve even seen this done with Steam achievements before; There was a hidden game achievement which was only available via hacking. So anyone who used hacks immediately outed themselves with a rare achievement that was visible on their profile.

      • Link@rentadrunk.org
        link
        fedilink
        English
        arrow-up
        13
        ·
        10 months ago

        That’s a bit annoying as it means you can’t 100% the game as there will always be one achievement you can’t get.

      • CileTheSane@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        ·
        10 months ago

        There are tools that just flag you as having gotten an achievement on Steam, you don’t even have to have the game open to do it. I’d hardly call that ‘hacking’.

    • Ultraviolet@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      10 months ago

      Better yet, point the crawler to a massive text file of almost but not quite grammatically correct garbage to poison the model. Something it will recognize as language and internalize, but severely degrade the quality of its output.

    • Aatube@kbin.social
      link
      fedilink
      arrow-up
      10
      arrow-down
      46
      ·
      10 months ago

      robots.txt is purely textual; you can’t run JavaScript or log anything. Plus, one who doesn’t intend to follow robots.txt wouldn’t query it.

      • BrianTheeBiscuiteer@lemmy.world
        link
        fedilink
        English
        arrow-up
        55
        ·
        10 months ago

        If it doesn’t get queried that’s the fault of the webscraper. You don’t need JS built into the robots.txt file either. Just add some line like:

        here-there-be-dragons.html
        

        Any client that hits that page (and maybe doesn’t pass a captcha check) gets banned. Or even better, they get a long stream of nonsense.

      • ShitpostCentral@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        10 months ago

        You’re second point is a good one, but you absolutely can log the IP which requested robots.txt. That’s just a standard part of any http server ever, no JavaScript needed.

        • GenderNeutralBro@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          11
          ·
          10 months ago

          You’d probably have to go out of your way to avoid logging this. I’ve always seen such logs enabled by default when setting up web servers.

      • ricecake@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        12
        ·
        10 months ago

        People not intending to follow it is the real reason not to bother, but it’s trivial to track who downloaded the file and then hit something they were asked not to.

        Like, 10 minutes work to do right. You don’t need js to do it at all.