Honeypots mailing list archives
RE: Using specialized honeypots to build up-to-date spam blacklists?
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 29 Sep 2003 09:56:35 +0100
Hi Jens,

The idea is _very_ interesting. I particularly like that you can correlate the crawler bot's IP with the spam. Perhaps these don't change that often. Who knows? Theoretically, if you had a database that included the relative frequency of the crawls from different IP addresses, even search engines could start to block those addresses and shut out the spam-bots.

To be really cool, definitely encode the requesting IP into the email address. The only thing I would carefully consider at every step is not to DoS some poor home dial-up user who gets an address after an evil spammer hangs up.

Now, the tricky part is to prevent fingerprinting. You don't want your site to be blacklisted by spammer-bots. So you could maybe find different people/organizations to help with a spam-pot project. Then use server-side includes for one-pixel graphics to link to your trapped email addresses from all different sites, to addresses at many different domains. (or something like that, you get the idea)

The reason we can't just turn the lights out on spam is that there are so many spammers using so many servers targeting so many people. The odds are just on their side. Your pool of fake addresses should be equally large and diverse so that a simple 20 line blacklist won't shut you down.

-Chris

-----Original Message-----
From: Jens Knoell [mailto:jens () ing twinwave net]
Sent: Monday, September 29, 2003 1:20 AM
To: honeypots () securityfocus com
Subject: Using specialized honeypots to build up-to-date spam blacklists?

I just thought of something... so it's not totally well-thought-out yet, but so far the idea sounds feasible. The original idea is not from me, I just intend to build on a concept originally invented by a German anti-spam activist.

What do you guys think about the following:

Part one of the trap: I'll set up a few dummy webpages, put some useless text on them, and a little PHP script that does nothing else than generate valid-looking but basically invalid email addresses. I.e. the source code of the pages would contain ever-changing invalid addresses in there, for example <a href="mailto:joeuser () poof twinwave net">.</a> If I set it up right, the emails are technically there, but never visible to accidental visitors. Heck, I could even code the requesting IP into the email address if I feel like it. This page then gets registered at various search engines, and maybe even updated every now and then with whatever crud I can find, to keep them from dropping off search engines as a "dead" page. Could even be automated.

Now to part two: I'll set up a mailserver for the (otherwise unused) domain poof.twinwave.net. Every mail to this domain gets accepted indiscriminately, but immediately dumped into a little parser which generates some statistics for personal enjoyment... AND... automatically adds the sender IP to the global blacklist that currently protects my mailservers.

Sounds like a plan to get an accurate spammer list/relay list, and certainly sounds a lot more accurate than the current lists in use? It should be a piece of cake to set up, and virtually zero maintenance...

If it works, I'd then go ahead and blindly forward everything that's @my.domains.here but not used into the parser, thus creating quite a respectable pool of invalid emails. As a result, spammers should have quite poisoned email databases, not to mention that _I_ have a nice accurate relay/spam database.

What do you think? Anything I'm overlooking there?

Jens
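The two halves of the trap Jens describes, with the two points Chris raises built in (the crawler's IP encoded into the address, and a blacklist entry that expires so a reassigned dial-up address is not blocked for good), as an added Python example; this is illustrative code written for this page, not from either poster, and the secret key, the TTL, the HMAC tag and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

TRAP_DOMAIN = "poof.twinwave.net"    # the trap domain from Jens's post
SECRET = b"constructed-demo-secret"  # assumption: a real deployment uses a random key

def make_trap_address(client_ip, issued_at, secret=SECRET):
    """Local part = crawler IPv4 + page-serve time + 4-byte HMAC tag, base32.
    The tag lets the mail side reject local parts a spammer invented."""
    payload = ipaddress.IPv4Address(client_ip).packed + struct.pack(">I", issued_at)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:4]
    local = base64.b32encode(payload + tag).decode().rstrip("=").lower()
    return f"{local}@{TRAP_DOMAIN}"

def parse_trap_address(address, secret=SECRET):
    """Return (crawler_ip, issued_at), or None if we never issued this address."""
    local, _, domain = address.lower().partition("@")
    if domain != TRAP_DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:
        return None
    if len(raw) != 12:
        return None
    payload, tag = raw[:8], raw[8:]
    if not hmac.compare_digest(tag, hmac.new(secret, payload, hashlib.sha256).digest()[:4]):
        return None
    return str(ipaddress.IPv4Address(payload[:4])), struct.unpack(">I", payload[4:])[0]

def record_trap_hit(blacklist, sender_ip, rcpt, now, ttl=7 * 86400):
    """Mail side: any delivery to the trap domain blacklists the sending IP until
    now + ttl; the TTL is the guard against blocking a reassigned dial-up address."""
    info = parse_trap_address(rcpt)
    crawler_ip, issued_at = info if info else (None, None)
    blacklist[sender_ip] = now + ttl
    return {"sender_ip": sender_ip, "crawler_ip": crawler_ip,
            "harvest_to_spam_seconds": now - issued_at if info else None}

def is_blacklisted(blacklist, ip, now):
    """Check an incoming connection; expired entries are dropped on lookup."""
    expiry = blacklist.get(ip)
    if expiry is None:
        return False
    if expiry <= now:
        del blacklist[ip]
        return False
    return True
```

The correlation record (harvesting crawler IP, time from harvest to first spam) is what makes the trap more than a plain blacklist feed; a mail to a local part that fails the tag check still blacklists the sender, but carries no crawler data.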