Honeypots mailing list archives

RE: honeypots as spam traps


From: Andy Streule <andy.streule () lythamhigh lancs sch uk>
Date: Mon, 08 Mar 2004 14:35:20 +0000

I'm just a home user with a DSL line and no mail server, so the main use of
the honeypot is investigation and research. I'm on a dynamic IP, so each
time I reboot (about once a week) it's like a new experience.

I've altered the default Perl scripts so far to create separate log files in
the form "x.fromdomain to destdomain.txt",
e.g. "x.cnc.net to yahoo.com.txt".

It's a good way of seeing who the most is directed at, which is obviously
Yahoo and Hotmail, instead of one almighty huge logfile. I was vaguely
thinking of some way of having stats/logs on a website or automatically
emailing them out to ISPs. I haven't really decided yet.

Stuff I discovered so far.

The spam starts about 12-24 hrs after being online. Whoever is scanning for
open proxies that leads to this spam isn't the sort to add proxies to
open proxy lists. I tried adding myself to open proxy lists yesterday and had
an altogether different experience.

If I shut down the honeypot for a day or so without disconnecting and getting
a new IP, then when I resume use, the spam starts pretty quickly. The last
period I ran, the spam was from a smallish number of people. Even though I
was on for a week, I didn't seem to get lots of new sources of incoming spam.



~Andy
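The per-domain-pair log splitting Andy describes, written out as an added example (this is not his Perl script or anything from KFSensor). The log line format is an assumption: one relay attempt per line as "<timestamp> <source-ip> MAIL FROM:<addr> RCPT TO:<addr>", with the sample lines constructed here and source addresses drawn from documentation IP ranges. Files are named "fromdomain to destdomain.txt" after his "x.cnc.net to yahoo.com.txt" example, and the script also tallies recipient domains (to see who the spam is directed at) and source IPs (the input someone filtering at the external interface would want). Null senders (MAIL FROM:<>) and lines that do not parse are handled rather than crashing the run.

```python
"""
Split honeypot relay-attempt log lines into one file per (sender domain,
recipient domain) pair and summarise which recipient domains and source IPs
dominate. Added example; the line format below is an ASSUMPTION, not the
real KFSensor log format.
"""
import re
from collections import Counter, defaultdict
from pathlib import Path

# Constructed sample log. Assumed format per line:
#   "<timestamp> <source-ip> MAIL FROM:<addr> RCPT TO:<addr>"
# The IPs are from documentation ranges (RFC 5737), not real spam sources.
SAMPLE_LOG = """\
2004-03-08T13:02:11 203.0.113.5 MAIL FROM:<bob@x.cnc.net> RCPT TO:<alice@yahoo.com>
2004-03-08T13:02:12 203.0.113.5 MAIL FROM:<bob@x.cnc.net> RCPT TO:<carol@hotmail.com>
2004-03-08T13:05:40 198.51.100.9 MAIL FROM:<dave@example.org> RCPT TO:<erin@Yahoo.com>
2004-03-08T13:06:02 203.0.113.5 MAIL FROM:<bob@x.cnc.net> RCPT TO:<frank@yahoo.com>
2004-03-08T13:07:15 198.51.100.9 MAIL FROM:<> RCPT TO:<gina@hotmail.com>
this line is not a relay attempt and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"MAIL FROM:<(?P<sender>[^>]*)>\s+RCPT TO:<(?P<rcpt>[^>]*)>\s*$"
)


def domain_of(address):
    """Domain part of an address, lower-cased; the empty sender used by
    bounces (MAIL FROM:<>) is filed under 'null-sender'."""
    if "@" not in address:
        return "null-sender"
    return address.rsplit("@", 1)[1].lower()


def parse_line(line):
    """Return (timestamp, ip, from_domain, to_domain), or None if the line
    does not look like a relay attempt."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["ip"], domain_of(m["sender"]), domain_of(m["rcpt"]))


def group_records(text):
    """Group raw lines by (from_domain, to_domain) and count recipient
    domains and source IPs. Unparseable lines are counted, not dropped silently."""
    per_pair = defaultdict(list)
    to_counts = Counter()
    ip_counts = Counter()
    skipped = 0
    for raw in text.splitlines():
        rec = parse_line(raw.rstrip("\r\n"))
        if rec is None:
            skipped += 1
            continue
        _ts, ip, src, dst = rec
        per_pair[(src, dst)].append(raw)
        to_counts[dst] += 1
        ip_counts[ip] += 1
    return {
        "pairs": dict(per_pair),
        "to_counts": to_counts,
        "ip_counts": ip_counts,
        "skipped": skipped,
    }


def pair_filename(src, dst):
    """'fromdomain to destdomain.txt'; anything a filesystem might choke on
    (path separators, control characters) is replaced before use."""
    def clean(domain):
        return re.sub(r"[^A-Za-z0-9.-]", "_", domain)
    return f"{clean(src)} to {clean(dst)}.txt"


def write_pair_files(pairs, out_dir):
    """Write each group to its own file under out_dir; return the sorted
    list of file names written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for (src, dst), lines in pairs.items():
        name = pair_filename(src, dst)
        (out / name).write_text("\n".join(lines) + "\n")
        names.append(name)
    return sorted(names)


if __name__ == "__main__":
    stats = group_records(SAMPLE_LOG)
    written = write_pair_files(stats["pairs"], "split_logs")
    print("files written:", written)
    print("most-targeted recipient domains:", stats["to_counts"].most_common())
    print("busiest source IPs:", stats["ip_counts"].most_common())
    print("lines skipped:", stats["skipped"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the actual line layout; the grouping and file naming do not depend on the regex details. The recipient-domain counter is what makes "who the spam is directed at" visible at a glance, and the source-IP counter is the per-address evidence you would want before adding anything to a filter at the external interface.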




I'm using KFSensor as a spam trap. I'm in the process of writing some
scripts to do something useful with the log files.

What are you going to do with the log files? My approach is to stop those
IPs from connecting to my network at all. All the packets are stopped at the
external interface itself.

Would like to hear more uses of such log files.

-aditya
