Honeypots mailing list archives

RE: Honeypot/net IDS System


From: "Michael" <michael () insulin-pumpers org>
Date: Tue, 24 Feb 2004 09:16:14 -0800

>> I'm puzzled by everyone's interest in "fake honeypot" systems. I've run a
>> couple of them for several years and there is almost NO traffic even
>> though I have a bunch of email addy's on web pages for spamscrapers to
>> find.

> Is it possible that everyone has finally got off the bumps and started
> securing their computer systems? And they are deploying the
> honeypots as a part of the "proactive security policy" ;)



>> Running a tarpit as the front end of our mail system catches bunches of
>> spammers. Why wouldn't you do that instead? It is much more effective and
>> eliminates the spam from our incoming MTA as well as killing the net
>> traffic associated with the spam. Since spam outnumbers real messages by
>> more than 10 to 1 (at least here), this is beneficial.



> Running a tarpit can be achieved by using a combination of Postfix
> + SpamAssassin + avirmail; it cuts the spam by 99% and is very
> effective for cutting down all the spam traffic.

That is done AFTER the TCP/IP handshake and after data has moved
across the net. It imposes no real penalty on the sender. Sure, it
protects your site and eliminates the incoming spam, but that's it. A
true tarpit imposes a heavy penalty on the sender and while it does
not improve the perceived results at our end, if enough of them are
running (maybe 1,000), it would put a huge dent in spammer resources
at only a marginal cost to those running the tarpits.


> The Postfix server can issue an error 550 in the middle of the DATA
> statement if need be, if the incoming connection is determined to
> be spam. It also works on DNS resolutions, the To and From headers and
> other criteria.
>
> This is very easy to set up and maintain. I use it in my production
> network and it is net accessible without anything in front of it.


Ditto, a tarpit.

> Works like a charm and is rock steady; of course the server it runs on
> is hardened OpenBSD.

You can harden any unix box.... it's not winduhs :-)
Michael () Insulin-Pumpers org
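The distinction Michael draws above, a filter that rejects after the body has already crossed the wire versus a tarpit that holds the sender on the connection and never accepts the body, is easiest to see in code. The following is an added example, not anything from the original thread or from any poster's setup: a minimal SMTP tarpit in the spirit of OpenBSD's spamd, which stutters its replies one byte at a time and defers every recipient with a 4xx so a compliant sending MTA queues the message and comes back to be held again. The hostname "tarpit.example", the delay values, and the deferral policy are all assumptions chosen for illustration; a real deployment would tune them and front the tarpit with a blocklist so legitimate senders never reach it.

```python
"""Minimal SMTP tarpit (added example; not from the original post).

The aim, as argued in the thread, is to impose a per-connection cost on the
sender BEFORE any message body is accepted, instead of filtering after the
DATA has already crossed the network. Hostname and timings are assumptions.
"""
import socketserver
import time

HOSTNAME = "tarpit.example"  # assumed name, illustration only
GREETING_DELAY = 10.0        # seconds before the 220 banner (assumed value)
PER_REPLY_DELAY = 5.0        # seconds before each reply (assumed value)
DRIP_DELAY = 1.0             # seconds between bytes of each reply (assumed value)
GREETING = f"220 {HOSTNAME} ESMTP\r\n"


class TarpitSession:
    """One SMTP conversation: decides the reply and the delay for each command.

    No message is ever accepted: every RCPT is deferred with a 450 (the sender
    queues and retries, tying itself up again), and DATA is refused, so the
    spam body never reaches us while the sender still pays the connection time.
    """

    def __init__(self):
        self.commands_seen = 0
        self.rcpt_count = 0

    def respond(self, line):
        """Return (reply_text, delay_seconds) for one client command line."""
        self.commands_seen += 1
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return (f"250 {HOSTNAME}\r\n", PER_REPLY_DELAY)
        if verb == "MAIL":
            return ("250 OK\r\n", PER_REPLY_DELAY)
        if verb == "RCPT":
            self.rcpt_count += 1
            # escalate the delay with each recipient attempted
            return ("450 4.7.1 Try again later\r\n", PER_REPLY_DELAY * self.rcpt_count)
        if verb == "DATA":
            return ("554 5.5.1 No valid recipients\r\n", PER_REPLY_DELAY)
        if verb == "QUIT":
            return ("221 Bye\r\n", 0.0)
        if verb in ("RSET", "NOOP"):
            return ("250 OK\r\n", PER_REPLY_DELAY)
        return ("500 5.5.1 Command not recognized\r\n", PER_REPLY_DELAY)


def estimate_hold_time(commands):
    """Seconds a sender issuing these commands is held, with the delays above.

    Counts the banner delay plus, per reply, the pre-reply delay and the time
    spent dripping the reply out one byte at a time. Stops after QUIT.
    """
    session = TarpitSession()
    total = GREETING_DELAY + len(GREETING) * DRIP_DELAY
    for cmd in commands:
        reply, delay = session.respond(cmd)
        total += delay + len(reply) * DRIP_DELAY
        if reply.startswith("221"):
            break
    return total


class TarpitHandler(socketserver.StreamRequestHandler):
    """Serves one connection, applying TarpitSession's replies and delays."""

    def handle(self):
        session = TarpitSession()
        time.sleep(GREETING_DELAY)
        self._drip(GREETING)
        while True:
            raw = self.rfile.readline()
            if not raw:  # client gave up: that is the outcome we want
                return
            reply, delay = session.respond(raw.decode("ascii", errors="replace"))
            time.sleep(delay)
            self._drip(reply)
            if reply.startswith("221"):
                return

    def _drip(self, text):
        # one byte per write so the client's read blocks between bytes
        for byte in text.encode("ascii"):
            self.wfile.write(bytes([byte]))
            self.wfile.flush()
            time.sleep(DRIP_DELAY)


def serve(bind="0.0.0.0", port=2525):
    """Run the tarpit; port 2525 is an assumption, use 25 behind a redirect."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), TarpitHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

With the assumed timings, a sender that walks through EHLO, MAIL, two RCPTs, DATA and QUIT is held for a little over three minutes and leaves with nothing delivered, which is the penalty a post-DATA 550 never imposes. The cost on the tarpit side is one idle thread and a socket per connection, so a thousand such hosts would, as the post argues, burn far more spammer time than operator resources.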

