Honeypots mailing list archives
Re: SMTP Honeypots & Honeytokens
From: "Ian Baker" <ibaker () codecutters org>
Date: Wed, 24 Dec 2003 13:14:06 -0000
----- Original Message -----
From: "Nicolas STAMPF" <stampf.bes () free fr>
To: "Ian Baker" <ibaker () codecutters org>
Cc: "Honeypot Mailing List" <honeypots () securityfocus com>
Sent: Wednesday, December 24, 2003 12:47 PM
Subject: Re: SMTP Honeypots & Honeytokens
According to Ian Baker <ibaker () codecutters org>:
(...)
At time of writing, that was 113 hours ago. Since then, 180 messages have been sent to the honeypot, of which 55 would have passed as legitimate emails. Clearly, then, the technique works as an anti-spam measure.
(...)
Thoughts, anyone?

Thumbs up for the "early worm detection" part, nothing else to say.

Just a quick note about the Bayesian filtering and the SMTP honeypot part. Could it be possible to have multiple such computers installed in a few places on the net, and have their spam hashed, processed through a Bayesian filter, put in common and offered to the community as a downloadable initialization package for your very personal Bayesian filter? By feeding the system with spam from all over the world, it could end up being very effective, and improve the results of a Bayesian filter.
Nicolas,

Interesting idea - it could certainly be a good way of collecting spam but, in order to be discriminating, the filter also needs to know about the "ham" (good email). And that varies with each and every person.

I tested a few suggested algorithms (one of them a complete duplicate of a shareware product, with the assistance of the author). What I found was that many of the filters that claim 99.5%+ effectiveness - when tested with *my* data, rather than someone else's - generated an awful lot of false positives. So many, in fact, that I ended up using a "softer" Bayesian filter than most, and incorporated things like the honeypot into the design.

The result got released this morning. Rather than allow a download of the database (not too much of a problem - it's only about a MB in size), the package includes a GUI that takes existing spam/ham and builds a totally personalised database. Details at http://www.codecutters.org/software/advmserve.html (Windows only - sorry. The IP components aren't available yet for Kylix.)

What *would* be interesting would be a facility to gather together the honeypot spam in such a way that filters like this could use it. That, in fact, would be fairly simple to do. The downside would be the size of Internet pipe required - with viruses, I'm seeing just under 10MB a day (there's a built-in facility to dump the contents of rejected messages, to make sure that you aren't getting any false positives). I suppose that we could come up with a common format (e.g. 1 word per line, followed by a whitespace and an integer count).

Something that has just occurred to me is that /anyone/ with a mail server can do this, assuming that it supports forwarding. Effectively you'd have a honeynet of distributed spam-gathering servers, all forwarding mail to a central point/network for processing. Have to think about that one... sounds /very/ feasible, given enough bandwidth at the receiving end.

Regards,

Ian Baker
Webmaster, codecutters.org
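The scheme the two messages above discuss, shared honeypot spam statistics fed into a personal Bayesian filter, as an added Python example; this is not code from the thread or from the codecutters.org package. It uses Paul Graham-style token probabilities, counts each token once per message, exchanges spam statistics in the one-word-per-line "word count" format Ian proposes (the leading "# messages N" line that carries the message total is this example's own addition), and runs on a small constructed corpus standing in for honeypot spam and one user's ham. Scoring the same legitimate message with and without the user's ham data shows why a spam-only database produces the false positives Ian describes.

```python
"""Naive Bayes spam scoring with a shareable 'word count' spam file.

Added example, not the thread's or codecutters.org's code. Assumptions:
Graham-style token probabilities, one token counted once per message, a
constructed corpus, and a '# messages N' header line (this example's own
addition) carrying the message total the probability estimate needs.
"""
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")

# Constructed sample data: spam as an SMTP honeypot might collect it, and
# "ham" as one particular user's legitimate mail.
HONEYPOT_SPAM = [
    "Buy cheap viagra online now! Click here for free pills and huge discounts.",
    "Cheap mortgage rates! Refinance now, no credit check, click here.",
    "Free prescription pills online, cheap viagra, order now click here.",
    "Make money fast! Work from home, earn cash now, click here for details.",
]
PERSONAL_HAM = [
    "Hi Ian, the build for the mail server is done; can you check the SMTP relay config tomorrow?",
    "Meeting moved to 3pm. Bring the honeypot logs and the filter statistics.",
    "Thanks for the patch, the Bayesian filter now handles the rejected messages correctly.",
    "Can you refinance the invoice for the server order? Finance needs the cheap quote by Friday.",
]


def tokens(text):
    """Lower-case word tokens; each token counted once per message."""
    return set(TOKEN_RE.findall(text.lower()))


def count_messages(messages):
    """Return (per-token message counts, number of messages)."""
    counts = Counter()
    for msg in messages:
        counts.update(tokens(msg))
    return counts, len(messages)


def dump_counts(counts, nmessages):
    """Serialise to the proposed shared format: 'word<space>count' per line."""
    lines = ["# messages %d" % nmessages]
    lines += ["%s %d" % (w, c) for w, c in sorted(counts.items())]
    return "\n".join(lines) + "\n"


def load_counts(text):
    """Parse the shared format back into (Counter, nmessages); skip blank lines."""
    counts, nmessages = Counter(), 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# messages"):
            nmessages = int(line.split()[-1])
            continue
        word, count = line.rsplit(None, 1)
        counts[word] += int(count)
    return counts, nmessages


def token_probability(tok, spam, nspam, ham, nham):
    """Graham's estimate that a message containing tok is spam.

    Ham occurrences are doubled to bias against false positives; a token seen
    in neither corpus gets 0.4, and the result is clamped to [0.01, 0.99].
    """
    b = spam[tok] / nspam if nspam else 0.0
    g = 2.0 * ham[tok] / nham if nham else 0.0
    if b + g == 0:
        return 0.4
    return max(0.01, min(0.99, b / (b + g)))


def spam_score(text, spam, nspam, ham, nham, keep=15):
    """Combine the `keep` most decisive token probabilities into one score."""
    probs = [token_probability(t, spam, nspam, ham, nham) for t in tokens(text)]
    probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
    p_spam = p_ham = 1.0
    for p in probs[:keep]:
        p_spam *= p
        p_ham *= 1.0 - p
    return p_spam / (p_spam + p_ham)


def demo():
    """Score a spam-like and a ham-like message, with and without ham data."""
    # Shared honeypot spam, written out and re-read in the proposed format.
    shared_text = dump_counts(*count_messages(HONEYPOT_SPAM))
    spam, nspam = load_counts(shared_text)
    ham, nham = count_messages(PERSONAL_HAM)

    spammy = "Cheap viagra online, click here now for free pills"
    hammy = "Ian, can you check the honeypot logs and the filter config before the meeting?"
    return {
        "spam_with_ham": spam_score(spammy, spam, nspam, ham, nham),
        "ham_with_ham": spam_score(hammy, spam, nspam, ham, nham),
        # Spam-only database (no ham at all): the legitimate message is flagged.
        "ham_without_ham": spam_score(hammy, spam, nspam, *count_messages([])),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print("%-16s %.4f" % (name, score))
```

With the user's ham loaded, the legitimate message scores near 0 and the spam near 1; with the spam-only database every token the honeypot has ever seen ("check", "and") counts as evidence of spam and the same legitimate message scores above 0.99. Merging a community spam file is therefore only half of a personal filter; the other half, the ham, has to come from the user's own mailbox.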
Current thread:
- SMTP Honeypots & Honeytokens Ian Baker (Dec 20)
- Re: SMTP Honeypots & Honeytokens Nicolas STAMPF (Dec 24)
- Re: SMTP Honeypots & Honeytokens Ian Baker (Dec 24)
- Re: SMTP Honeypots & Honeytokens Nicolas STAMPF (Dec 24)