Honeypots mailing list archives

Re: A couple of Production Honeypots used to Fight Spam


From: "Ian Baker" <ibaker () codecutters org>
Date: Wed, 21 Jan 2004 14:49:35 -0000

Brad,
    I agree, but there's one thing I would like to add - the addition of a
honeytoken. This expands the system you describe from a simple passive relay
to something a little more active.

13/01/2004 17:38:40 08D8C15C Client Connected from [217.10.192.252]
(Romania)
13/01/2004 17:38:40 08D8C15C Recipient <honeypot () codecutters org> accepted
13/01/2004 17:38:40 08D8C15C Message rejected: honeypot () codecutters org is a
honeypot address
13/01/2004 17:38:42 08D8C15D Client Connected from [217.10.192.252]
(Romania)
13/01/2004 17:38:42 08D8C15D Recipient <honeypot () codecutters org> accepted
13/01/2004 17:38:43 08D8C15C Client disconnected
13/01/2004 17:38:45 08D8C15D Message rejected: 100.000% probability of
prohibited content
13/01/2004 17:38:51 08D8C15D Client disconnected

As you can see, the server used hit the honeypot, updated the spam profile,
and then immediately tripped the standard heuristic scan on the next
attempt.

You make a very good point about IP analysis - at present I only do this
manually.

It would be easy enough to have a stab at automatically analysing the IP -
although the CIDR can be a little awkward to parse (various formats,
multiple entries). OTOH, you'd also need to whitelist the associated MX for
all domains within that block (hopefully just the one), or you'll be tarring
legitimate mail as well as bot-spam.

Regards,

Ian Baker
Webmaster, codecutters.org
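As an added illustration (not Ian's code or anything from his server), here is a Python sketch of the honeytoken logic the log above shows: the session log is replayed, any client IP that delivers to the honeytoken address is added to a taint set (the "spam profile"), and the fate of that IP's later sessions is counted, with the MX-whitelist caveat from the end of the post folded into the blocking decision. The log layout, IPs and addresses are constructed placeholders modelled on the excerpt.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample modelled on the log excerpt in the post (IPs and address are placeholders).
SAMPLE_LOG = """\
13/01/2004 17:38:40 08D8C15C Client Connected from [192.0.2.52] (Example)
13/01/2004 17:38:40 08D8C15C Recipient <honeypot@example.org> accepted
13/01/2004 17:38:40 08D8C15C Message rejected: honeypot@example.org is a honeypot address
13/01/2004 17:38:42 08D8C15D Client Connected from [192.0.2.52] (Example)
13/01/2004 17:38:42 08D8C15D Recipient <honeypot@example.org> accepted
13/01/2004 17:38:43 08D8C15C Client disconnected
13/01/2004 17:38:45 08D8C15D Message rejected: 100.000% probability of prohibited content
13/01/2004 17:38:51 08D8C15D Client disconnected
"""
LINE_RE = re.compile(r"^\S+ \S+ ([0-9A-F]{8}) (.*)$")      # date time session-id message
CONNECT_RE = re.compile(r"Client Connected from \[([\d.]+)\]")

def analyse(log_text):
    """Replay the log in order. Returns per-IP counters and the set of IPs
    that have hit the honeytoken address (the 'spam profile' of the post)."""
    session_ip, tainted = {}, set()
    stats = defaultdict(lambda: {"honeytoken_hits": 0, "sessions_after_hit": 0,
                                 "rejected_after_hit": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, msg = m.groups()
        c = CONNECT_RE.search(msg)
        if c:                                   # bind session id to client IP
            session_ip[sid] = c.group(1)
            if c.group(1) in tainted:
                stats[c.group(1)]["sessions_after_hit"] += 1
        elif msg.startswith("Message rejected:") and sid in session_ip:
            ip = session_ip[sid]
            if msg.endswith("is a honeypot address"):
                stats[ip]["honeytoken_hits"] += 1
                tainted.add(ip)                 # update the spam profile
            elif ip in tainted:
                stats[ip]["rejected_after_hit"] += 1
    return dict(stats), tainted

def should_block(ip, tainted, block_networks=(), mx_whitelist=()):
    """Per-IP taint plus optional CIDR blocks; whitelisted MX hosts always win,
    so legitimate mail from a tarred block still gets through."""
    addr = ip_address(ip)
    if any(addr in ip_network(n) for n in mx_whitelist):
        return False
    return ip in tainted or any(addr in ip_network(n) for n in block_networks)
```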
