Hey catch-

Originally posted here by catch
Different file extensions for files like .mdb are not going to help at all... it is more likely that an experienced user would select the link for a "save as" rather than attempting to actually open the file. You're better off using a real .mdb file, else the attacker will know something is up before they've even begun.

Also it seems simpler to just make an alternate page for googlebot with the link in plain sight and skip all the CSS crap. This should reduce your false positives to zero (by adding a refresh to deal with google cache hits).

Neat ideas otherwise.

cheers,

catch
They select the link for a save as... and get caught. "Save As" is no different than opening the file. It behaves the same way. It's a .mdb server side script:

1. GET request is made
2. .mdb file is generated server side
3. Attacker details are calculated
4. Log is made
5. Generated .mdb file is returned.

That's how the GHH .mdb honeypot is designed. You were caught as soon as you made the GET request.

If you were to make an alternate page for googlebot with the link in plain sight, then users of your site may click the link, firing off the honeypot and creating a bad log entry. The CSS is there to hide the link from the user to prevent that from happening, but still allow the crawler to reach it. There are better and worse ways to handle this problem, as I stated.

Thanks, keep the comments coming if you got more
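
The five-step flow listed in the reply above, as an added sketch that is not part of the original thread and is not GHH's own code. The WSGI handler, the function names, the request path, the client address and the decoy bytes are all constructed for illustration; the point is that the log entry is written when the GET arrives, so opening the link and "Save As" leave the same record.

```python
import io
import json
from datetime import datetime, timezone

# Constructed placeholder bytes standing in for the generated decoy .mdb.
DECOY_BODY = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64


def attacker_details(environ):
    """Step 3: collect what the request itself reveals about the client."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "remote_addr": environ.get("REMOTE_ADDR", ""),
        "method": environ.get("REQUEST_METHOD", ""),
        "path": environ.get("PATH_INFO", ""),
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "referer": environ.get("HTTP_REFERER", ""),
    }


def make_honeypot_app(log_stream):
    """Return a WSGI app that logs every request before serving the decoy."""
    def app(environ, start_response):                # step 1: the GET arrives
        body = DECOY_BODY                            # step 2: decoy generated server side
        record = attacker_details(environ)           # step 3: details calculated
        log_stream.write(json.dumps(record) + "\n")  # step 4: log written
        start_response("200 OK", [                   # step 5: file returned
            ("Content-Type", "application/x-msaccess"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return app


def simulate_get(app, remote_addr, user_agent):
    """Drive the app with a constructed GET, as a browser open or 'Save As' would."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin/users.mdb",  # hypothetical path
               "REMOTE_ADDR": remote_addr, "HTTP_USER_AGENT": user_agent}
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body


if __name__ == "__main__":
    log = io.StringIO()
    app = make_honeypot_app(log)
    simulate_get(app, "203.0.113.7", "Mozilla/5.0 (constructed)")  # link opened
    simulate_get(app, "203.0.113.7", "Mozilla/5.0 (constructed)")  # "Save As"
    print(log.getvalue(), end="")
```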