Honeypots mailing list archives

RE: Using specialized honeypots to build up-to-date spam blacklists?


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 29 Sep 2003 09:56:35 +0100

Hi Jens,

the idea is _very_ interesting. I particularly like that you can correlate
the crawler bot's IP with the spam. Perhaps these don't change that often.
Who knows? Theoretically, if you had a database that included the relative
frequency of the crawls from different IP addresses, even search engines
could start to block those addresses and shut out the spam-bots. To be
really cool, definitely encode the requesting IP into the email address.

The only thing I would carefully consider at every step is not to DoS some
poor home dial-up user who gets an address after an evil spammer hangs up. 

Now, the tricky part is to prevent fingerprinting. You don't want your site
to be blacklisted by spammer-bots. So you could maybe find different
people/organizations to help with a spam-pot project. Then use server-side
includes for one-pixel graphics to link to your trapped email addresses from
all different sites, to addresses at many different domains. (or something
like that, you get the idea)

The reason we can't just turn the lights out on spam is that there are so
many spammers using so many servers targeting so many people. The odds are
just on their side. Your pool of fake addresses should be equally large and
diverse so that a simple 20 line blacklist won't shut you down.

-Chris

-----Original Message-----
From: Jens Knoell [mailto:jens () ing twinwave net] 
Sent: Monday, September 29, 2003 1:20 AM
To: honeypots () securityfocus com
Subject: Using specialized honeypots to build up-to-date spam blacklists?


I just thought of something... so it's not totally well-thought-out yet, but
so far the idea sounds feasible. The original idea is not from me, I just
intend to build on a concept originally invented by a German anti-spam
activist. What do you guys think about the following:

Part one of the trap:
I'll set up a few dummy webpages, put some useless text on it, and a little
php script that does nothing else than generate valid-looking but basically
invalid email addresses. I.e. the source code of the pages would contain
ever-changing invalid addresses in there, for example <a
href="mailto:joeuser () poof twinwave net">.</a>

If I set it up right, the emails are technically there, but never visible to
accidental visitors. Heck, I could even code in the requesting IP into the
email address if I feel like it.

This page then gets registered at various search engines, and maybe even
updated every now and then with whatever crud I can find, to keep them from
dropping off search engines as a "dead" page. Could even be automated.


Now to part two:
I'll set up a mailserver for the (otherwise unused) domain
poof.twinwave.net. Every mail to this domain gets accepted indiscriminately,
but immediately dumped into a little parser which generates some statistics
for personal enjoyment... AND... automatically adds the sender IP to the
global blacklist that currently protects my mailservers.


Sounds like a plan to get an accurate spammer list/relay list, and certainly
sounds a lot more accurate than the current lists in use? It should be a
piece of cake to set up, and virtually zero maintenance...

If it works, I'd then go ahead and blindly forward everything that's
@my.domains.here but not used into the parser, thus creating quite a
respectable pool of invalid emails.

As a result, spammers should have quite poisoned email databases, not to
mention that _I_ have a nice accurate relay/spam database.


What do you think? Anything I'm overlooking there?

Jens
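
An added example, not code from Jens or Chris, of how part one (trap addresses that encode the requesting IP, as Chris also suggests) and part two (the catch-all parser feeding the blacklist) fit together; the trap domain is the one from the thread, while the secret key, the IPs and the log format are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Trap domain from the thread; the key is a constructed placeholder (keep the
# real one out of the published pages and rotate it now and then).
TRAP_DOMAIN = "poof.twinwave.net"
SECRET_KEY = b"constructed-example-key-rotate-me"
TAG_LEN = 8  # hex chars of the HMAC kept in the local part


def make_trap_address(crawler_ip, harvested_at, key=SECRET_KEY):
    """Local part = hex(IPv4) + hex(unix time) + HMAC tag, so later mail to it
    reveals which crawler harvested it and when; forged local parts fail the tag."""
    payload = ipaddress.IPv4Address(crawler_ip).packed.hex() + f"{harvested_at:08x}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{payload}{tag}@{TRAP_DOMAIN}"


def decode_trap_address(addr, key=SECRET_KEY):
    """Return (crawler_ip, harvested_at) for a genuine trap address, else None."""
    local, _, domain = addr.lower().rpartition("@")
    if domain != TRAP_DOMAIN or len(local) != 16 + TAG_LEN:
        return None
    payload, tag = local[:16], local[16:]
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return str(ipaddress.IPv4Address(bytes.fromhex(payload[:8]))), int(payload[8:], 16)
    except ValueError:
        return None


def correlate(log_lines, key=SECRET_KEY):
    """Take 'sender_ip recipient' lines from the catch-all mailserver and return
    {sender_ip: {crawler IPs that harvested the addresses it mailed}}.
    Only addresses we provably planted count, so the blacklist feed stays
    evidence-driven (still give entries a TTL, per the dial-up concern)."""
    hits = {}
    for line in log_lines:
        sender_ip, _, rcpt = line.strip().partition(" ")
        decoded = decode_trap_address(rcpt, key)
        if decoded is not None:
            hits.setdefault(sender_ip, set()).add(decoded[0])
    return hits


def sample_log():
    """Constructed log lines; all IPs are from documentation ranges."""
    a = make_trap_address("203.0.113.7", 1064793600)   # planted for crawler A
    b = make_trap_address("198.51.100.9", 1064800000)  # planted for crawler B
    forged = a[:23] + ("0" if a[23] != "0" else "1") + a[24:]  # tag corrupted
    return [f"192.0.2.10 {a}", f"192.0.2.10 {b}", f"192.0.2.77 {a}",
            f"192.0.2.77 {forged}", "192.0.2.99 nobody@example.org"]
```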

