Honeypots mailing list archives

A couple of Production Honeypots used to Fight Spam


From: Brad Spencer <brad.madison () tds net>
Date: 15 Jan 2004 22:04:44 -0000



Here's two free production honeypots for fighting spam:

The Bubblegum proxypot.  An open proxy honeypot for deceiving and detecting spammers.

http://world.std.com/~pacman/proxypot.html

Jackpot, an open relay honeypot, also aimed at spammers.  There still is open relay spam, even today.  Jackpot has a 
web interface, on a port chosen by the operator, so that others may see the collected spam and spammer relay tests.

http://jackpot.uk.net/  (Right now this site rejects my connection attempts - I don't know why.)

Open proxy honeypots (proxypots) have been very effective against spammers - many of whom spam direct from their own 
IPs to open proxies.  The open proxies, of course, anonymize the spammer - but if the open proxy is a fake the spammer 
gives himself away.  Ron Guilmette got over 100 spammer accounts closed in under 3 months last fall, using a network of 
proxypots.  Then he got DDOS'd by spammers (probably) and gave up both the proxypots and monkeys.com, which had a DNSBL 
for open proxies.

Open relay spam isn't as big a portion of spam as it once was (it was almost all of it two to three years ago) but it 
still exists (a friend's Jackpot is grabbing gobs of spam).

Any MTA that can be configured to accept relay email and deliver nothing (other than what the operator chooses to be 
delivered) can be an open relay honeypot.  You can learn a lot by selectively delivering only one of the spammer open 
relay test messages you capture.  If the delivery is followed by spam then the probability is high that the spam is due 
to that relay test.  You don't have to deliver anything: just capturing spammer open relay tests is instructive.  If 
you report the tests to the ISP you may get a result.  "The ISP" is both the ISP of the source (although here the 
spammers do seem wise enough sometimes to use open proxies to send the tests) and the ISP of the destination address - 
the dropbox.  

Almost all spammer open relay test messages have the tested IP in the message, often encoded.  A frequent encoding 
method is to encode the IP in decimal ASCII ("048" encodes "0", etc.) in the Message-ID.

Before he stopped, Ron Guilmette made several very informative "Top 40 spam source" posts to 
news.admin.net-abuse.email.  To the recipients the spammers may have been anonymous.  To Ron they were not.
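The decimal-ASCII encoding mentioned above is easy to spot mechanically once you know the pattern. The following is an added example for honeypot operators, not code from the original post or from Bubblegum or Jackpot: it assumes the encoding works exactly as described (each character of the tested IP written as its zero-padded three-digit decimal ASCII code, so "048" is "0" and "046" is "."), scans a Message-ID header for such a run, recovers the dotted quad, and flags the message as a likely relay test when the recovered address is the honeypot's own. The sample Message-IDs are constructed, not captured from real spam.

```python
"""Recover a decimal-ASCII encoded IP from a Message-ID and flag relay tests.

Added example (not from the original post).  Assumption: the tested IP is
embedded as concatenated three-digit decimal ASCII codes, e.g.
"192.168.1.1" -> "049057050046049054056046049046049".
"""
import re
from typing import Optional

# A dotted quad is at least 7 characters ("0.0.0.0"), i.e. at least 21 digits
# once encoded.  Shorter digit runs (timestamps, PIDs) are ignored.
_DIGIT_RUN = re.compile(r"\d{21,}")
_DOTTED_QUAD = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def encode_decimal_ascii(text: str) -> str:
    """Encode each character as its zero-padded three-digit ASCII code."""
    return "".join(f"{ord(ch):03d}" for ch in text)


def decode_decimal_ascii(run: str) -> str:
    """Decode three-digit groups back to characters.

    Decoding stops at the first group that is not printable ASCII, which also
    rejects mis-aligned groups (e.g. "704") cheaply.
    """
    chars = []
    for i in range(0, len(run) - len(run) % 3, 3):
        code = int(run[i:i + 3])
        if not 32 <= code < 127:
            break
        chars.append(chr(code))
    return "".join(chars)


def _valid_ipv4(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def extract_encoded_ip(message_id: str) -> Optional[str]:
    """Return the first IPv4 address hidden in message_id as decimal ASCII, or None."""
    for match in _DIGIT_RUN.finditer(message_id):
        run = match.group(0)
        # The spammer may pad the run with extra digits, so try all three
        # group alignments before giving up on this run.
        for offset in range(3):
            decoded = decode_decimal_ascii(run[offset:])
            found = _DOTTED_QUAD.search(decoded)
            if found and _valid_ipv4(found.group(0)):
                return found.group(0)
    return None


def is_relay_test(message_id: str, honeypot_ip: str) -> bool:
    """A Message-ID that encodes the honeypot's own address is almost certainly
    a relay test probing this host, not ordinary mail."""
    return extract_encoded_ip(message_id) == honeypot_ip


if __name__ == "__main__":
    # Constructed sample headers; the honeypot address is a placeholder.
    honeypot = "192.168.1.1"
    samples = [
        "<" + encode_decimal_ascii(honeypot) + "@example.invalid>",
        "<7" + encode_decimal_ascii(honeypot) + "@example.invalid>",  # padded run
        "<20040115220444.GA12345@mail.example.invalid>",           # ordinary mail
    ]
    for mid in samples:
        print(f"{mid}: encoded IP = {extract_encoded_ip(mid)}, "
              f"relay test = {is_relay_test(mid, honeypot)}")
```

Run against the Message-ID of each message the honeypot accepts; a hit on the honeypot's own address is the relay test to log (and, if you choose to, to report to the source and dropbox ISPs as the post suggests), while a miss means the encoding is different or absent and the message needs the usual manual look.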
