Honeypots mailing list archives

Re: SMTP Honeypots & Honeytokens


From: "Ian Baker" <ibaker () codecutters org>
Date: Wed, 24 Dec 2003 13:14:06 -0000

----- Original Message ----- 
From: "Nicolas STAMPF" <stampf.bes () free fr>
To: "Ian Baker" <ibaker () codecutters org>
Cc: "Honeypot Mailing List" <honeypots () securityfocus com>
Sent: Wednesday, December 24, 2003 12:47 PM
Subject: Re: SMTP Honeypots & Honeytokens


Selon Ian Baker <ibaker () codecutters org>:
(...)
At time of writing, that was 113 hours ago. Since then, 180 messages have
been sent to the honeypot, of which 55 would have passed as legitimate
emails.

Clearly, then, the technique works as an anti-spam measure.

(...)


Thoughts, anyone?

Thumbs up for the "early worm detection" part, nothing else to say.

Just a quick note about the bayesian filtering and the SMTP honeypot part.

Could it be possible to have multiple such computers installed in a few
places on the net, and have their spam hashed, processed through a Bayesian
filter, put in common and offered to the community as a downloadable
initialization package for your very personal Bayesian filter?

By feeding the system with spam from all over the world, it could end up
being very effective, and improve the results of a Bayesian filter.

Nicolas,
    Interesting idea - it could certainly be a good way of collecting spam
but, in order to be discriminating, the filter also needs to know about the
"ham" (good email). And that varies with each and every person.

I tested a few suggested algorithms (one of them a complete duplicate of a
shareware product, with the assistance of the author). What I found was that
many of the filters that claim 99.5%+ effectiveness - when tested with *my*
data, rather than someone else's - generated an awful lot of false
positives.

So many, in fact, that I ended up using a "softer" Bayesian filter than
most, and incorporated things like the honeypot into the design. The result
got released this morning.

Rather than allow a download of the database (not too much of a problem -
it's only about a MB in size), the package includes a GUI that takes
existing spam/ham and builds a totally personalised database. Details at
http://www.codecutters.org/software/advmserve.html (Windows only - sorry.
The IP components aren't available yet for Kylix)

What *would* be interesting would be a facility to gather together the
honeypot spam in such a way that filters like this could use it. That, in
fact, would be fairly simple to do.

The downside would be the size of Internet pipe required - with viruses, I'm
seeing just under 10MB a day (there's a built-in facility to dump the
contents of rejected messages, to make sure that you aren't getting any
false positives). I suppose that we could come up with a common format (e.g.
1 word per line, followed by a whitespace and an integer count).

Something that has just occurred to me is that /anyone/ with a mail server
can do this, assuming that it supports forwarding.

Effectively you'd have a honeynet of distributed spam-gathering servers, all
forwarding mail to a central point/network for processing.

Have to think about that one... sounds /very/ feasible, given enough
bandwidth at the receiving end.

Regards,

Ian Baker
Webmaster, codecutters.org
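Ian's two points above, that honeypot spam from several collection points can be pooled in a "one word per line, then a count" table, and that a Bayesian filter still needs the recipient's own ham to be discriminating, worked through as an added example (not code from this list or from advmserve): a minimal naive Bayes scorer that parses and merges such tables, then scores the same message against the user's own ham and against someone else's. All node names, word tables and counts are constructed.

```python
import math
from collections import Counter

# Constructed token tables in the proposed "word, whitespace, count" format.
# HONEYPOT_A/B stand for two hypothetical spam-gathering nodes; the two ham
# tables stand for two different recipients' legitimate mail.
HONEYPOT_A = "viagra 40\nfree 25\nmeeting 1\noffer 30\nclick 20\n"
HONEYPOT_B = "viagra 35\nfree 30\nlottery 22\nclick 15\nreport 2\n"
PERSONAL_HAM = "meeting 30\nreport 25\nfree 15\nschedule 20\nclick 10\n"
OTHER_HAM = "meeting 30\nschedule 25\ninvoice 20\nbudget 15\n"

def parse_counts(text):
    """Parse 'word count' lines into a Counter; blank or malformed lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        counts[parts[0].lower()] += int(parts[1])
    return counts

def merge_counts(*tables):
    """Sum per-word counts from several collection points into one table."""
    merged = Counter()
    for table in tables:
        merged.update(table)
    return merged

def spam_probability(message, spam, ham, alpha=1.0):
    """Naive Bayes P(spam | words) with add-alpha smoothing and equal class priors."""
    vocab = set(spam) | set(ham)
    spam_denom = sum(spam.values()) + alpha * len(vocab)
    ham_denom = sum(ham.values()) + alpha * len(vocab)
    log_spam = log_ham = 0.0  # log P(words | class); equal priors cancel out
    for word in message.lower().split():
        log_spam += math.log((spam[word] + alpha) / spam_denom)
        log_ham += math.log((ham[word] + alpha) / ham_denom)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))

# Pool the honeypot tables once; ham stays per recipient.
SPAM = merge_counts(parse_counts(HONEYPOT_A), parse_counts(HONEYPOT_B))
PERSONAL = parse_counts(PERSONAL_HAM)
OTHER = parse_counts(OTHER_HAM)

if __name__ == "__main__":
    # "free report click" is normal mail for this recipient, yet it scores as
    # spam when another person's ham is used in place of their own.
    for text in ("viagra free offer click", "free report click"):
        print(f"{text!r}: own ham {spam_probability(text, SPAM, PERSONAL):.3f}, "
              f"someone else's ham {spam_probability(text, SPAM, OTHER):.3f}")
```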

