RE: Mail Honeypot Thesis

[Jesper Jurcenoks <jesper.jurcenoks () netvigilance com>]

Hi dotcompex.

Make sure you don't actually relay the emails!
Only emulate an open relay, and then accept the emails for relay, without actually relaying them.

If you relay then you become part of the problem, and not part of the solution.

There should be no need to use TCPdump to capture the email traffic originator, any normal STMP program should put the 
originating IP-address in the logfile. 

You should add a spam filter based on originating IPS to your solution so that you don't accept emails from known 
spammers, this way you will focus on discovering the unknown Originating IPs. If you don't then you will just be using 
your bandwidth on known spammers without the benefit you are seeking.

Honestly I don't see the research value in you discovering a few more originating IPs using known detection methods. 
Most of these IPs will only be spamming for a few days any way.

You could change the focus of your report to have several Open relays on different servers and try to determine if 
spammers prefer one kind of mail server over another.

You could also try and measure how many spammer are using SMTP over TLS(SSL) compared to unencrypted SMTP

This would make your thesis much more interesting to read.

If you are done with the experiment part, then this advise comes a bit late but I hope it helps anyway.

Jesper Jurcenoks

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of dotcompex
Sent: Wednesday, April 22, 2009 6:55 AM
To: honeypots () securityfocus com
Subject: Mail Honeypot Thesis


I'm doing mail honeypot project for my thesis.  Having a little bit problem
in writing good report.  I hope u all can comment it so I can edit before
submit it.  For the start, I attach my abstract.

Electronic mail or in short can be called email is an important
communication method since internet were propagated in the early 1980s. 
People have change their way of communication since the used of email
arising.  However the efficacy of email is being endangered by spam problems
when the Internet was opened up to the public.  As defined by Spamhaus
Project, spam applied to Unsolicited Bulk Email.  Unsolicited means that the
recipient has not approved for the message to be sent.  Bulk means that the
message is sent in large quantities and indistinguishable content.  Mail
servers that run Simple Mail Transfer Protocol (SMTP) service which are open
relay are exposed to be abused by spam.  An open relay mail server will
relay any messages through it.  This project will help to determine the spam
source of origin and their contents.  Methodology used in this project is
experimental approach.  This project will be run on Qmail mail server which
is an open relay and tcpdump for data capturing.  The open relay mail server
will be act as mail honeypot to attract spammers.  Hopefully this project
can benefit others by contributing spam source of origin to be inserted in
spam block list.
-- 
View this message in context: http://www.nabble.com/Mail-Honeypot-Thesis-tp23175462p23175462.html
Sent from the Honeypots mailing list archive at Nabble.com.