Honeypots mailing list archives
Re: A couple of Production Honeypots used to Fight Spam
From: "Ian Baker" <ibaker () codecutters org>
Date: Wed, 21 Jan 2004 14:49:35 -0000
Brad, I agree, but there's one thing I would like to add - the addition of a honeytoken. This expands the system you describe from a simple passive relay to something a little more active.

13/01/2004 17:38:40 08D8C15C Client Connected from [217.10.192.252] (Romania)
13/01/2004 17:38:40 08D8C15C Recipient <honeypot () codecutters org> accepted
13/01/2004 17:38:40 08D8C15C Message rejected: honeypot () codecutters org is a honeypot address
13/01/2004 17:38:42 08D8C15D Client Connected from [217.10.192.252] (Romania)
13/01/2004 17:38:42 08D8C15D Recipient <honeypot () codecutters org> accepted
13/01/2004 17:38:43 08D8C15C Client disconnected
13/01/2004 17:38:45 08D8C15D Message rejected: 100.000% probability of prohibited content
13/01/2004 17:38:51 08D8C15D Client disconnected

As you can see, the server used hit the honeypot, updated the spam profile, and then immediately tripped the standard heuristic scan on the next attempt.

You make a very good point about IP analysis - at present I only do this manually. It would be easy enough to have a stab at automatically analysing the IP - although the CIDR can be a little awkward to parse (various formats, multiple entries). OTOH, you'd also need to whitelist the associated MX for all domains within that block (hopefully just the one), or you'll be tarring legitimate mail as well as bot-spam.

Regards,

Ian Baker
Webmaster, codecutters.org
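The honeytoken flow and the netblock caveat from the message above, as an added example (editor's code, not Ian Baker's relay software). It assumes a single honeytoken recipient (the address in his log), a client score of 1.0 for a source learned from a honeytoken hit standing in for his heuristic scan, a whitelist of MX hosts that always score 0.0, and whois-style netblock strings in the formats one typically has to parse (range, prefix length, dotted netmask, several per line). The sample log is reconstructed from the lines he quoted, with the archive's " () " address obfuscation undone; the whitelisted MX address in the usage note is constructed.

```python
"""Honeytoken recipient check with learned netblocks for an SMTP relay.

Added example, not code from the original message. Assumptions: one honeytoken
address, a 1.0/0.0 client score in place of the real heuristic scan, and a
whitelist of MX hosts that must never be scored as spam.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Netblock notations as whois returns them: "a.b.c.d - e.f.g.h", "a.b.c.d/22",
# "a.b.c.d/255.255.252.0", or a bare address; several may appear on one line.
NETBLOCK_RE = re.compile(
    r"(?P<start>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<end>\d+\.\d+\.\d+\.\d+)"
    r"|(?P<cidr>\d+\.\d+\.\d+\.\d+/(?:\d+\.\d+\.\d+\.\d+|\d{1,2}))"
    r"|(?P<single>\d+\.\d+\.\d+\.\d+)"
)


def parse_netblocks(text: str) -> list[IPv4Network]:
    """Turn a free-form netblock string into a minimal list of IPv4 networks."""
    nets: list[IPv4Network] = []
    for m in NETBLOCK_RE.finditer(text):
        if m.group("start"):
            lo, hi = IPv4Address(m.group("start")), IPv4Address(m.group("end"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        elif m.group("cidr"):
            nets.append(ipaddress.ip_network(m.group("cidr"), strict=False))
        else:
            nets.append(ipaddress.ip_network(m.group("single")))  # bare address -> /32
    return list(ipaddress.collapse_addresses(nets))


@dataclass
class SpamProfile:
    honeytokens: set[str]
    allowed_mx: list[IPv4Network] = field(default_factory=list)  # never scored as spam
    learned: list[IPv4Network] = field(default_factory=list)     # blocks learned from hits
    hits: dict[str, int] = field(default_factory=dict)
    threshold: float = 0.9

    def client_score(self, client_ip: str) -> float:
        """Stand-in for the scan's probability: 1.0 for a learned source, else 0.0.
        A whitelisted MX wins, so legitimate mail from the same block is not tarred."""
        ip = IPv4Address(client_ip)
        if any(ip in net for net in self.allowed_mx):
            return 0.0
        if any(ip in net for net in self.learned):
            return 1.0
        return 0.0

    def message_check(self, client_ip: str, rcpt: str,
                      netblock: str | None = None) -> tuple[bool, str]:
        """The scan runs first, so a source learned from an earlier honeytoken hit
        is rejected before the honeytoken rule fires again. A fresh honeytoken hit
        rejects the message and learns the client (or the whois netblock given)."""
        score = self.client_score(client_ip)
        if score >= self.threshold:
            return False, f"{score * 100:.3f}% probability of prohibited content"
        if rcpt.lower() in self.honeytokens:
            self.hits[client_ip] = self.hits.get(client_ip, 0) + 1
            self.learned = list(ipaddress.collapse_addresses(
                self.learned + parse_netblocks(netblock or client_ip)))
            return False, f"{rcpt} is a honeypot address"
        return True, "accepted"


# Constructed sample: the log lines quoted in the message, addresses de-obfuscated.
SAMPLE_LOG = """\
13/01/2004 17:38:40 08D8C15C Client Connected from [217.10.192.252] (Romania)
13/01/2004 17:38:40 08D8C15C Recipient <honeypot@codecutters.org> accepted
13/01/2004 17:38:40 08D8C15C Message rejected: honeypot@codecutters.org is a honeypot address
13/01/2004 17:38:42 08D8C15D Client Connected from [217.10.192.252] (Romania)
13/01/2004 17:38:42 08D8C15D Recipient <honeypot@codecutters.org> accepted
13/01/2004 17:38:43 08D8C15C Client disconnected
13/01/2004 17:38:45 08D8C15D Message rejected: 100.000% probability of prohibited content
13/01/2004 17:38:51 08D8C15D Client disconnected
"""

LOG_RE = re.compile(r"^\S+ \S+ (?P<sid>[0-9A-F]{8}) (?P<event>.*)$")
CONNECT_RE = re.compile(r"Client Connected from \[(?P<ip>[\d.]+)\]")
RCPT_RE = re.compile(r"Recipient <(?P<addr>[^>]+)> accepted")


def replay(log: str, profile: SpamProfile) -> dict[str, tuple[bool, str]]:
    """Feed the connect and recipient events of a relay log through the profile and
    return the decision per session id; the log's own 'Message rejected' lines are
    the expected output, not an input."""
    client: dict[str, str] = {}
    decisions: dict[str, tuple[bool, str]] = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sid, event = m.group("sid"), m.group("event")
        if (c := CONNECT_RE.search(event)):
            client[sid] = c.group("ip")
        elif (r := RCPT_RE.search(event)):
            decisions[sid] = profile.message_check(client[sid], r.group("addr"))
    return decisions


if __name__ == "__main__":
    profile = SpamProfile(honeytokens={"honeypot@codecutters.org"})
    for sid, (ok, reason) in replay(SAMPLE_LOG, profile).items():
        print(sid, "accepted" if ok else "rejected:", reason)
```

Replaying the sample log reproduces both rejection reasons: session 08D8C15C is refused for the honeypot address and learns 217.10.192.252, and session 08D8C15D from the same client is then refused by the score check. To learn the whole whois block instead, pass its netblock text to `message_check` (e.g. "217.10.192.0 - 217.10.195.255"); if a constructed MX such as 217.10.193.10 is placed in `allowed_mx` first, it still scores 0.0 while the rest of the block scores 1.0, which is the whitelisting the message calls for.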
Current thread:
- A couple of Production Honeypots used to Fight Spam Brad Spencer (Jan 15)
- Re: A couple of Production Honeypots used to Fight Spam Ian Baker (Jan 21)