Honeypots mailing list archives

Re: honeypots as spam traps


From: Jack Cleaver <jackc () jackpot uk net>
Date: Tue, 09 Mar 2004 09:43:12 +0000

Andy Streule wrote:

> It's a good way of seeing who the most is directed at, which is
> obviously Yahoo and Hotmail, instead of one almighty huge logfile. I
> was vaguely thinking of some way of having stats/logs on a website or
> automatically emailing them out to ISPs. I haven't really decided yet.

Consider taking a look at my spam relay honeypot:

http://www.jackpot.uk.net

It maintains a database of captured relay attempts, which is used to
dynamically generate web-pages of spams and spam-sources (it contains
its own mini-web-server). I used to LART spam-source hosts and upstreams
with a link to the web-pages.

I'm not particularly suggesting that you should download it and use it -
I've stopped maintaining it. But you might find the documentation pages
interesting.

> Stuff I discovered so far.
>
> The spam starts about 12-24hrs after going online. Whoever is
> scanning for open proxies that leads to this spam isn't the sort to
> add proxies to open proxy lists. I tried adding myself to open proxy
> lists yesterday and had an altogether different experience.

I haven't run a relay honeypot for over a year, since I now run a proper
MX, and I don't want it blacklisted. When I got DHCP'd, it was fairly
random whether a spammer found the relay within hours or only after a
couple of weeks. Submitting the relay to an open-relay blocklist usually
had a dramatic effect within 24 hours. Chances are the world has changed
a lot since then.

--
Jack.

