Honeypots mailing list archives
Some production honeypot experience
From: Brad Spencer <brad.madison () tds net>
Date: 15 Jan 2004 22:14:43 -0000
I don't currently run a honeypot, but my first was a standard (but ancient) SMTP client. That's hard to detect other than by trying to spam oneself and seeing that the spam doesn't get through (and some work has been done to help counter that detection technique.) It's hard to detect because it really is an actual MTA - all the honeypot features occur after the spammer has connected and dropped his load.

I stopped running the honeypot about last May and I ran it in essentially receive-only mode for the last months of its lifetime. That meant that primarily I just accepted spammer relay tests. I did force delivery of a few (and the arrival of the test message hours late didn't put off the spammers) to see what spam would follow. A receive-only honeypot is very hard to detect as a honeypot - and some mis-configured servers may look like they are receive-only honeypots. If that convinces the spammer to avoid the IP, that's good.

My original thought was that the spammers would discover my honeypot and avoid the IP. Then I'd move it so they'd do the same again, until they left my entire subnet alone. At that point I'd convince the university to run honeypots, so that the spammers would eventually leave the university IP space alone. Then I'd expand to .edu, with the same result planned. Then on to the entire net. If discovery by the spammer makes the spammer leave you alone, it's not all bad. Mostly (this began in late 1999 or early 2000) the spammers either didn't notice or just quit. Every time I thought they'd marked my IP as bad I got a new wave of spam.

That was an old Vaxstation 4000/90. It's still running, but I retired and I decided I didn't want to lumber the current administrator with any problems from the honeypot (it's a university system and I still have administrator access to it.) Until it went down it was averaging about 4 relay test messages trapped per day.
Most of those were repeat tests, from the same spammers - probably the spammers just do an endless search of the internet, checking all IPs over and over again. Or maybe I was on a hot list of probable open relay IPs - I really can't say why they did what they did.

I plan to put the Bubblegum proxypot on my system soon (it's dual-boot.) Until then all I do is consult my software firewall logs. I also have a hardware firewall and I allow SMTP and proxy traffic through that specifically so that it can be logged. I'm fairly certain 64.223.154.227 (pool-64-223-154-227.man.east.verizon.net) is an IP used by a spammer - I've logged a couple of sets of proxy port scans from that IP. That's why I want to run a proxypot - so that I can gather hard evidence. Actually, I ran the Bubblegum proxypot a few hours today, and caught nothing. I only get proxy scanned about once per day, so I simply quit too soon.
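The post describes a receive-only relay trap: a server that speaks real SMTP, accepts a spammer's relay test for a foreign domain with a 250, and then never delivers it, so the only way a spammer notices is that the test message never reaches the mailbox he is watching. The sketch below is an added example written for this archive page; it is not the poster's VMS honeypot, nor Bubblegum, nor any code mentioned in the thread. The hostname, the "local" domain set, the banner text and the sample client transcript (client IP 203.0.113.5 is from the documentation range) are all constructed for the example.

```python
"""Receive-only SMTP relay trap (hypothetical example): accept a relay test,
record envelope and body, deliver nothing. The protocol handler is a
line-oriented state machine so a captured session can be replayed offline."""
import re
import socketserver
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"honeypot.example"}        # assumption: domains this host really serves
HOSTNAME = "mail.honeypot.example"          # assumption: name advertised in the banner
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?", re.ASCII)


@dataclass
class Capture:
    client: str                              # connecting IP (what we want as evidence)
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)   # (address, domain) pairs
    data: list = field(default_factory=list)      # message lines, dot-unstuffed

    @property
    def is_relay_test(self) -> bool:
        # Any recipient outside the domains we serve is a relay attempt.
        return any(dom.lower() not in LOCAL_DOMAINS for _, dom in self.rcpt_to)


class RelayTrap:
    def __init__(self, client="unknown"):
        self.client, self.captures = client, []
        self.cur, self.in_data = Capture(client), False

    def greeting(self):
        return f"220 {HOSTNAME} ESMTP ready"

    def handle_line(self, line):
        """Return the reply for one client line, or None while swallowing DATA."""
        line = line.rstrip("\r\n")
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captures.append(self.cur)      # recorded, never forwarded
                self.cur = Capture(self.client)
                return "250 Message accepted for delivery"
            self.cur.data.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME} Hello {arg or self.client}"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)                  # MAIL FROM:<> yields ""
            self.cur.mail_from = m.group(1) if m else ""
            return "250 Sender ok"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if not m:
                return "501 Syntax error in parameters"
            self.cur.rcpt_to.append((m.group(1), m.group(2)))
            return "250 Recipient ok"               # accept relay: looks wide open
        if verb == "DATA":
            if not self.cur.rcpt_to:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "RSET":
            self.cur = Capture(self.client)
            return "250 Reset state"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return f"221 {HOSTNAME} closing connection"
        return "500 Command unrecognized"


def replay(lines, client="203.0.113.5"):
    """Drive a trap with a client transcript; returns (server replies, captures)."""
    trap = RelayTrap(client)
    replies = [trap.greeting()]
    for line in lines:
        r = trap.handle_line(line)
        if r is not None:
            replies.append(r)
    return replies, trap.captures


# Constructed transcript of a typical relay probe: sender and recipient are the
# same foreign mailbox, so the prober learns nothing unless the message arrives.
SAMPLE_RELAY_TEST = [
    "HELO scanner.example", "MAIL FROM:<probe@relaytest.example>",
    "RCPT TO:<probe@relaytest.example>", "DATA",
    "Subject: relay test 1234", "", "test", "..hidden dot line", ".", "QUIT",
]


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        trap = RelayTrap(self.client_address[0])
        self.wfile.write((trap.greeting() + "\r\n").encode())
        for raw in self.rfile:
            r = trap.handle_line(raw.decode("latin-1"))
            if r:
                self.wfile.write((r + "\r\n").encode())
                if r.startswith("221"):
                    break
        for c in trap.captures:      # evidence line per trapped message
            print(f"{c.client} relay_test={c.is_relay_test} from={c.mail_from} to={c.rcpt_to}")


def serve(port=2525):
    """Listen for real clients (run as root or redirect port 25 to get probes)."""
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    for reply in replay(SAMPLE_RELAY_TEST)[0]:
        print(reply)
```

Running the file replays the constructed probe and prints the replies; `serve()` puts the same state machine on a socket. Note what the trap does not do: it never connects outward, so a probe to the spammer's own mailbox, which is exactly the self-spamming detection test the post mentions, simply vanishes, and the forced-delivery experiment described above would need a separate, deliberately throttled forwarding step.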