Honeypots mailing list archives
A couple of Production Honeypots used to Fight Spam
From: Brad Spencer <brad.madison () tds net>
Date: 15 Jan 2004 22:04:44 -0000
Here are two free production honeypots for fighting spam:

The Bubblegum proxypot. An open proxy honeypot for deceiving and detecting spammers.
http://world.std.com/~pacman/proxypot.html

Jackpot, an open relay honeypot, also aimed at spammers. There still is open relay spam, even today. Jackpot has a web interface, on a port chosen by the operator, so that others may see the collected spam and spammer relay tests.
http://jackpot.uk.net/
(Right now this site rejects my connection attempts - I don't know why.)

Open proxy honeypots (proxypots) have been very effective against spammers - many of whom spam direct from their own IPs to open proxies. The open proxies, of course, anonymize the spammer - but if the open proxy is a fake the spammer gives himself away. Ron Guilmette got over 100 spammer accounts closed in under 3 months last fall, using a network of proxypots. Then he got DDOS'd by spammers (probably) and gave up both the proxypots and monkeys.com, which had a DNSBL for open proxies.

Open relay spam isn't as big a portion of spam as it once was (it was almost all of it two to three years ago) but it still exists (a friend's Jackpot is grabbing gobs of spam.) Any MTA that can be configured to accept relay email and deliver nothing (other than what the operator chooses to be delivered) can be an open relay honeypot.

You can learn a lot by selectively delivering only one of the spammer open relay test messages you capture. If the delivery is followed by spam then the probability is high that the spam is due to that relay test. You don't have to deliver anything: just capturing spammer open relay tests is instructive. If you report the tests to the ISP you may get a result. "The ISP" is both the ISP of the source (although here the spammers do seem wise enough sometimes to use open proxies to send the tests) and the ISP of the destination address - the dropbox.

Almost all spammer open relay test messages have the tested IP in the message, often encoded. A frequent encoding method is to encode the IP in decimal ASCII ("048" encodes "0", etc.) in the Message-ID.

Before he stopped, Ron Guilmette made several very informative "Top 40 spam source" posts to news.admin.net-abuse.email. To the recipients the spammers may have been anonymous. To Ron they were not.
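As an added illustration, not part of Brad's post, here is a small Python decoder for the decimal-ASCII Message-ID encoding he describes, of the kind a relay honeypot operator might run over captured headers. The headers, the `is_relay_test` helper and the documentation-range address 192.0.2.10 (standing in for the honeypot's own IP) are all constructed for the example.

```python
import re

# Constructed sample headers (not real spam). The tested relay's address
# 192.0.2.10 is hidden in the Message-ID as three-digit decimal ASCII codes:
# '1'=049 '9'=057 '2'=050 '.'=046 '0'=048 ...
SAMPLE_HEADERS = """\
Received: from relay.example (192.0.2.10) by mx.example with SMTP
Message-ID: <049057050046048046050046049048.1234@relay.example>
Subject: test
"""

# Dotted quad with each octet in 0..255, not embedded in a longer digit run.
IPV4_RE = re.compile(
    r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"
)

def decode_decimal_ascii(s: str) -> str:
    """Decode a run of 3-digit decimal ASCII codes ('048' -> '0').
    Trailing digits that do not fill a full group are ignored."""
    return "".join(chr(int(s[i:i + 3])) for i in range(0, len(s) - len(s) % 3, 3))

def find_encoded_ips(headers: str) -> list:
    """Return IPv4 addresses recovered from digit runs in the Message-ID.
    A run must hold at least 21 digits (7 chars, the shortest dotted quad).
    All three group alignments are tried in case the run has leading
    digits that are not part of the encoding."""
    m = re.search(r"^Message-ID:\s*<([^>]*)>", headers, re.IGNORECASE | re.MULTILINE)
    if not m:
        return []
    found = []
    for run in re.findall(r"\d{21,}", m.group(1)):
        for offset in range(3):
            for ip in IPV4_RE.findall(decode_decimal_ascii(run[offset:])):
                if ip not in found:
                    found.append(ip)
    return found

def is_relay_test(headers: str, honeypot_ip: str) -> bool:
    """True when the honeypot's own address is hidden in the Message-ID,
    the signature of the open relay tests described in the post."""
    return honeypot_ip in find_encoded_ips(headers)

if __name__ == "__main__":
    print(find_encoded_ips(SAMPLE_HEADERS))   # ['192.0.2.10']
    print(is_relay_test(SAMPLE_HEADERS, "192.0.2.10"))  # True
```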