Munzy / blackbox

A replacement for Black Box Proxy Block

False positive #715

Closed sharoncreech closed 4 years ago

sharoncreech commented 4 years ago

Just wondering why 209.85.220.41 is flagged as a proxy? It is an IP from Google Gmail, mail-sor-f41.google.com.

Munzy commented 4 years ago

Great question. So let us begin with what the backend actually sees it as, and that is as "hosting," which then brings in your question: is this a proxy? So I would look at it this way:

  1. Q: Would Gmail ever buy a product from your website? A: No
  2. Q: Would Gmail ever sign in to your website? A: No
  3. Q: Would Gmail ever sign in to your gaming server? A: No
  4. Q: Would Gmail's IP address ever be routed to a cell phone or personal computer? A: No

As such, via these constraints and the constraint of only being able to respond via a (Y/N) answer in the original API, I'd mark this as "Y". In the newer API, which is still in alpha, we mark this more accurately as "hosting." I've also included what that detection looks like below.

https://blackbox.ipinfo.app/api/v2/209.85.220.41

{
  "ip": "209.85.220.41",
  "asn": {
    "name": "GOOGLE - Google LLC",
    "number": 15169,
    "network": "209.85.128.0",
    "cidr": 17
  },
  "detection": {
    "bogon": false,
    "hosting": true,
    "proxy": false,
    "spamhaus": false,
    "tor": false
  },
  "suggestion": "block"
}

sharoncreech commented 4 years ago

Thanks for the reply. I would personally ignore 'hosting' as something that belongs to the group of proxies, TOR, VPN etc. And to be honest I would completely remove it from the blackbox as it can only confuse, but your script is still a great job. Do you have any function.php script (as you have for version 1) for v2?

Thanks

Munzy commented 4 years ago

Hello @sharoncreech,

We do list on the site that we are "A free proxy, hosting, tor detection api." This is something the previous API did as well, but maybe with not as many hosting networks.

As of the moment, I do not have a PHP function for working with the new v2 API, and it is still in beta.

sharoncreech commented 4 years ago

Thanks for the clarification. Can you explain to me what falls into the definition of “hosting detection”? Are these IP ranges used as web proxies, spam activities, etc ... or ... What is the rule for hosting IP ranges that are within your list?

Thanks

Munzy commented 4 years ago

Hosting would be something like a web site host. We don't expect human traffic to originate from it, but rather traffic generated by bots, scripts, web applications, et cetera.

A good example would be if you had an online store. You would not expect a server to be purchasing an item from a website. As such, you would probably want to verify the order if it was flagged by Blackbox.

sharoncreech commented 4 years ago

I understand what you mean, but there are legitimate hosts that are not malicious and that do not function as a proxy, and are still on the list. Since I have been in these internet waters for a long time I still can’t understand the logic of hosting. Does this mean that under hosting is everything that is hosting and even many who have not had suspicious activities?

If whatever.com that has a unique IP address x.x.x.x is on the list, and the IP address has not participated in any illegal activities in the past found in the list with VPN, Proxy, TOR then in my opinion it is totally confusing.

Munzy commented 4 years ago

We built this list from the viewpoint of a server where we expect the users to be coming from residential and cellular providers.

I think the question here really is what are you trying to do with this list? Can you give me an example of your goals, and wants?

I'd say in the long term that you probably want to use the /v2/ API. You could easily block only things from tor and/or proxy and avoid hosting altogether. The original API, however, is rather inflexible.

sharoncreech commented 4 years ago

I created https://www.ip-lookup.org some time ago, and since the site is about different types of lookup, from IP lookup through Email and Whois lookup, it seemed more than interesting to include a script for detecting proxy, VPN and TOR IP addresses. Of course, I don't like hosting, as I already said, since they are not in the same category as proxies, VPN and TOR addresses. Probably the solution will be API V2 one day when it is a stable version. Thanks a lot for the reply and keep up the good work.

Munzy commented 2 years ago

@sharoncreech

Just a quick re-ping... I've gotten the V2 API up.

https://rapidapi.com/CMunroe/api/blackbox/

Feel free to try it out, and if you like the API... DM me, and maybe we can do something about a free tier for you.

sharoncreech commented 2 years ago

Hi, Thanks for letting me know.

Actually I thought to have only more accurate detection for proxies. Right now I use hard-coded V1, which works fine:

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($response === 'Y') {
    echo "VPN/TOR/Proxy: Detected";
} elseif ($response === 'E') {
    echo "Request Error";
} else {
    echo "VPN/TOR/Proxy: Not Detected";
}

I'm not sure how to integrate V2 with a similar response as above, where it will calculate if only the proxy and TOR values are true or not and then show it the same way as it has been done above.

Regards, Make


Munzy commented 2 years ago

@sharoncreech I think the below will work nicely. You might need to adjust it to work for your setup a bit.

<?php

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://blackbox.p.rapidapi.com/v2/9.9.9.9",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_HTTPHEADER => [
        "x-rapidapi-host: blackbox.p.rapidapi.com",
        "x-rapidapi-key: -snipped-"
    ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
}
else {

    // Json Decode
    $response = json_decode($response);

    // Transition to using the first object.
    $response = $response[0];

    // If a proxy is detected.
    if($response->detection->proxy === true || $response->detection->tor === true){

        echo "VPN/TOR/Proxy: Detected</li>";

    }

    // If a hosting provider is detected.
    else if($response->detection->hosting === true || $response->detection->cloud === true){

        echo "VPN/TOR/Proxy: Likely</li>";
    }

    else {

        echo "VPN/TOR/Proxy: Not Detected";

    }

}

Results:

php test.php 
VPN/TOR/Proxy: Likely</li>
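
An added example, not part of the original thread or the Blackbox project's code: a PHP helper that turns a v2 response body into a verdict, keeping proxy/Tor separate from hosting so a caller can ignore hosting entirely, as discussed above. The function name `blackbox_verdict`, its verdict strings and its two policy parameters are assumptions; the sample body is constructed from the response quoted earlier in the thread.

```php
<?php
// Added example (hypothetical helper, not the project's code).
function blackbox_verdict(
    string $body,
    array $blockOn = ['proxy', 'tor'],       // flags treated as anonymizers
    array $reviewOn = ['hosting', 'cloud']   // flags that only mean "not residential"
): string {
    $data = json_decode($body, true);

    // The response quoted earlier in the thread is a single object, while the
    // RapidAPI snippet indexes element 0; accept both shapes.
    if (is_array($data) && isset($data[0])) {
        $data = $data[0];
    }

    $flags = is_array($data) ? ($data['detection'] ?? null) : null;
    if (!is_array($flags)) {
        // Malformed or unexpected body: report it rather than treating it as clean.
        return 'error';
    }

    // Only a strict boolean true counts. A missing key (the quoted sample has
    // no "cloud" field) is treated as false and raises no warning.
    $hit = function (array $names) use ($flags): bool {
        foreach ($names as $name) {
            if (($flags[$name] ?? false) === true) {
                return true;
            }
        }
        return false;
    };

    if ($hit($blockOn)) {
        return 'detected';
    }
    return $hit($reviewOn) ? 'hosting' : 'clean';
}

// Constructed sample, trimmed from the response quoted earlier in the thread.
$sample = '{"ip":"209.85.220.41","detection":{"bogon":false,"hosting":true,'
        . '"proxy":false,"spamhaus":false,"tor":false},"suggestion":"block"}';

echo blackbox_verdict($sample), PHP_EOL;                        // default policy
echo blackbox_verdict($sample, ['proxy', 'tor'], []), PHP_EOL;  // hosting ignored
echo blackbox_verdict('[' . $sample . ']'), PHP_EOL;            // array-wrapped shape
echo blackbox_verdict('not json'), PHP_EOL;                     // malformed body
```

Passing an empty `$reviewOn` list gives the "proxy and Tor only" behaviour asked for in the thread; the separate `error` verdict keeps a failed lookup from being displayed as "Not Detected".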

sharoncreech commented 2 years ago

Hi,

Thank you. Everything works fine :)

Can you give me a free tier? I can give you credit for proxy detection part on Terms & Conditions - IP-Lookup.org https://www.ip-lookup.org/iplktos

Regards, Make


Munzy commented 2 years ago

I should have offered you access to the "Custom-Mega-Free" tier.

Should be visible here: https://rapidapi.com/CMunroe/api/blackbox/pricing assuming you didn't get an email.