Honeypots mailing list archives

spamd and anti-spam honeypots: some comments


From: jm () jmason org (Justin Mason)
Date: Sun, 16 Feb 2003 22:17:53 +0000

Folks --

came across this thread through the power of Google.  (now let's see if I
can post to the list without subscribing ;)

I've been looking into spammer tactics for obvious reasons (I hack on
SpamAssassin), so I have a few insights of note.

It's worth noting that most "effective" spammers will attempt to relay at
least 1 message to themselves through a new open relay, to verify that it
works.  This message typically contains the IP of the relay, and is sent
to a drop-box freemail account.  So a spam-honeypot (spampot?) needs to
relay at least once for a given client IP (or similar).   Not too much
more though, or it really is an open relay ;)

Another issue with tarpitting is that at least 1 recent spamware tool will
apparently use ~4 ESMTP connections in parallel when pumping spam through
a relay.

BTW has anyone mentioned Neale Pickett's honeypot?  Here:
http://woozle.org/~neale/src/python/spampot.py

cheers, and feel free to cause as much trouble for spammers as you can ;),

--j.
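
An added example, not part of the original post or of spampot.py: a sketch of the per-client relay budget and parallel-connection accounting the message describes. The class and method names, the single-recipient rule, and scaling the tarpit delay by open connections are assumptions, and the addresses are constructed.

```python
from collections import defaultdict


class RelayPolicy:
    """Per-client-IP decisions for a spam honeypot (all names hypothetical)."""

    def __init__(self, own_ip, relay_budget=1, base_delay=5.0):
        self.own_ip = own_ip                # honeypot's public IP
        self.relay_budget = relay_budget    # messages really delivered per client IP
        self.base_delay = base_delay        # tarpit seconds per SMTP reply
        self.relayed = defaultdict(int)
        self.open_conns = defaultdict(int)
        self.captured = []                  # (client_ip, recipients, looks_like_probe)

    def connect(self, ip):
        self.open_conns[ip] += 1

    def disconnect(self, ip):
        self.open_conns[ip] = max(0, self.open_conns[ip] - 1)

    def tarpit_delay(self, ip):
        # Assumption: stall longer as one client opens more parallel sessions,
        # so ~4 connections do not buy ~4x throughput through the tarpit.
        return self.base_delay * max(1, self.open_conns[ip])

    def looks_like_probe(self, recipients, body):
        # Relay-test messages typically go to one drop-box and name the relay IP.
        return len(recipients) == 1 and self.own_ip in body

    def on_message(self, ip, recipients, body):
        """Return 'relay' or 'capture'; the client is told 250 OK in both cases."""
        probe = self.looks_like_probe(recipients, body)
        # Assumption: only single-recipient mail may use the budget, so a bulk
        # run is never delivered even if it is the client's first message.
        if len(recipients) == 1 and self.relayed[ip] < self.relay_budget:
            self.relayed[ip] += 1
            return "relay"
        self.captured.append((ip, tuple(recipients), probe))
        return "capture"


if __name__ == "__main__":
    policy = RelayPolicy(own_ip="192.0.2.10")          # constructed address
    client = "198.51.100.7"                            # constructed address
    print(policy.on_message(client, ["drop@example.net"], "test via 192.0.2.10"))
    print(policy.on_message(client, ["a@example.org", "b@example.org"], "offer"))
```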

