Honeypots mailing list archives
RE: honeypots as spam traps
From: Andy Streule <andy.streule () lythamhigh lancs sch uk>
Date: Mon, 08 Mar 2004 14:35:20 +0000
I'm just a home user with a DSL line and no mail server. So the main use of the honeypot is investigation and research. I'm on a dynamic IP, so each time I reboot (about once a week) it's like a new experience.

I've altered the default Perl scripts so far to create separate log files in the form "x.fromdomain to destdomain.txt", e.g. "x.cnc.net to yahoo.com.txt". It's a good way of seeing who the most is directed at, which is obviously Yahoo and Hotmail, instead of one almighty huge logfile. I was vaguely thinking of some way of having stats/logs on a website or automatically emailing them out to ISPs. I haven't really decided yet.

Stuff I discovered so far: the spam starts about 12-24hrs after going online. Whoever is scanning for open proxies that leads to this spam isn't the sort to add proxies to open proxy lists. I tried adding myself to open proxy lists yesterday and had an altogether different experience. If I shut down the honeypot for a day or so without disconnecting and getting a new IP, then when I resume use, the spam starts pretty quickly. The last period I ran for, the spam was from a smallish number of people. Even though I was on for a week I didn't seem to get lots of new sources of incoming spam.

~Andy
I'm using KFSensor as a spam trap, I'm in the process of writing some scripts to do something useful with the log files.
What are you going to do with the log files? My approach is to stop those IPs from connecting to my network at all. All the packets are stopped at the external interface itself. Would like to hear more uses of such log files.

-aditya
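The per-pair log splitting Andy describes, as an added Python sketch that is not part of the original post or of the honeypot's Perl scripts. The log line format, the sample lines and all function names are assumptions made for illustration; because the domains are supplied by whoever is relaying through the honeypot, they are sanitized before being used in a file name.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample lines; the real log format is not shown in the thread.
SAMPLE_LOG = """\
2004-03-07 02:11:09 src=192.0.2.10 from=<a1@cnc.net> to=<bob@yahoo.com>
2004-03-07 02:11:12 src=192.0.2.10 from=<a2@cnc.net> to=<al@yahoo.com>
2004-03-07 02:14:40 src=192.0.2.10 from=<x@cnc.net> to=<c@hotmail.com>
2004-03-07 03:02:01 src=192.0.2.77 from=<y@example.org> to=<d@YAHOO.COM>
2004-03-07 03:02:05 src=192.0.2.77 from=<z@example.org> to=<e@../../etc/passwd>
2004-03-07 03:05:00 connection closed
"""

LINE_RE = re.compile(r"from=<[^@>\s]*@([^>\s]+)>\s+to=<[^@>\s]*@([^>\s]+)>")
UNSAFE_RE = re.compile(r"[^a-z0-9.-]")

def safe_domain(raw):
    """Reduce an attacker-supplied domain to characters safe in a file name."""
    cleaned = UNSAFE_RE.sub("_", raw.lower()).strip(".")
    return cleaned[:100] or "unknown"

def split_log(text, out_dir):
    """Append each relay attempt to 'x.<from> to <dest>.txt'; return pair counts."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    pairs = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a relay attempt (banner, disconnect, noise)
        src, dst = safe_domain(m.group(1)), safe_domain(m.group(2))
        pairs[(src, dst)] += 1
        with open(out / f"x.{src} to {dst}.txt", "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return pairs

def top_destinations(pairs, n=3):
    """Total attempts per destination domain, busiest first."""
    totals = Counter()
    for (_, dst), count in pairs.items():
        totals[dst] += count
    return totals.most_common(n)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        counts = split_log(SAMPLE_LOG, tmp)
        print(sorted(p.name for p in Path(tmp).iterdir()))
        print(top_destinations(counts))
```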
Current thread:
- honeypots as spam traps Andy Streule (Mar 05)
- Re: honeypots as spam traps Ian Baker (Mar 05)
- Re: honeypots as spam traps Stef (Mar 07)
- Re: honeypots as spam traps Michael (Mar 07)
- Re: honeypots as spam traps Byron Sonne (Mar 08)
- <Possible follow-ups>
- RE: honeypots as spam traps Andy Streule (Mar 08)
- Re: honeypots as spam traps Jack Cleaver (Mar 09)
- Re: honeypots as spam traps Jack Cleaver (Mar 10)