Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - another honey pot thought
  FAQ FAQ  Forum Search   Register Register  Login Login

another honey pot thought

 Post Reply Post Reply
Author
Alan View Drop Down
Groupie
Groupie


Joined: 06 May 2005
Location: United States
Status: Offline
Points: 43
Post Options Post Options   Thanks (0) Thanks(0)   Quote Alan Quote  Post ReplyReply Direct Link To This Post Topic: another honey pot thought
    Posted: 11 August 2005 at 11:47am
How about adding a checkbox to add IP's to the honeypot block list who exceed the "maximum concurrent connections from same IP" 
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 11 August 2005 at 3:47am

ahh, that is exactly what i was referring to, and i see how it happened.

The problem is that an 'unknown' sender is mailing us spam to legit mail adresses. adding those adresses to honeypot list is not an option.

Since the senders don't use honeypot adresses, and some of the incoming mails are relayed throuygh to our primary mailsystem, the possibility that the relay's ip gets trapped is high. This is what happened, and i agree, the honeypot is working fine, but the donotaddiptohoneypot setting needs to be applied to the content tagging system also.

So maybe the tag 'honeypot' is a bit out of place in the keyword filter, perhaps a tag called '::blacklistIP' (or something) would be better.

Regardless, a system that blacklists senders ip's on the basis of mail or subject content could proove invaluable. But caution has to be applied not to blacklist legit ip's.

Another wish that might proove useful if possible is extending the 'automatic blacklisting' when the sender's mail is matched in MAPS and/or surbl search.  Also 'FROM' domain names /attachment filter perhaps.

Thank you for taking the effort in looking into this 'issue' i would gladly help test the new prerelease.

 

Regards,

Marco



Edited by Marco
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 10 August 2005 at 10:14pm
Marco,

I'm not sure if you refer to your comment below or not:

==============================
I think the order of filters needs to be looked at again, so that DoNotAddIPToHoneypot has preference again.
==============================

If it's not this comment, but another "hidden bugreport", then it's hidden really good since I have no idea of where it is... Can you repost it?

If instead it was the above comment, it looked like a "wish" not a bug report. Looking over the behavior again, we noticed that the DoNotAddIPToHoneypot optionis doing exactly what it was asked and designed to do. That is, if an email comes in from an email address that is in the honeypot email list, the IP won't be added if it's listed in the DoNotAddIPToHoneypot list.

When we started adding extra tags to add sender's IP to the honeypot blacklist if they triggered other filters, that process ignored the DoNotAddIPToHoneypot. It's technically not a bug... but you're correct, it would be more appropriate if that "whitelist" would be expanded to all other filters as well.

We're pre-testing a build with this ability internally right now. We'll make it available in a few days, but if you wish to test it please let us know and we'll make it available to you.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 09 August 2005 at 3:16am

Maybe you missed the hidden bugreport i mentioned in my earlier post Roberto, just making sure.

The DoNotAddIPToHoneypot ini entry is beeing ignored in build 476

Regards,

 

Marco

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 07 August 2005 at 6:57pm
Alan,

We honestly don't see expirations on filters to be available any time soon.

What we do have next on the list however is a "timed cache" on source IPs. If an IP has sent more that "n" number of spams in the last "x" number of minutes, it will be immediately disconnected even before it sends any data for "y" number of minutes. This will save a considerable amount of bandwidth and will prevent filling user's quarantine with massive amounts of spam to sort thru. We're trying to make these options available for each type of filter, so that for example the timer is active on the "virus" filter but not on the "reverse DNS" filter.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Alan View Drop Down
Groupie
Groupie


Joined: 06 May 2005
Location: United States
Status: Offline
Points: 43
Post Options Post Options   Thanks (0) Thanks(0)   Quote Alan Quote  Post ReplyReply Direct Link To This Post Posted: 05 August 2005 at 5:06pm
Thank you Roberto for getting such a jump on that one.  It really has made a noticable difference already in my testing.  And I do not see any performance hit either.  I am still very impressed at how quickly you have been able to encorporate new ideas and user requests over the years of using SF.

Seems like some of the old requests from years ago are starting to get included in the product now.  So how about some way to set a time limit on filters?  Maybe something like "::NULL/08102005" to have a filter that will no longer be effective as of a certain expiration date (08/10/2005 in this case).  Of course it would be either up to the admin to clean up or you can have the app auto-remove expired filters.  This would be good for outbreaks or spambot attacks where certain is suddenly a big problem but will probably not be in the future.

And another thought, a way to also scan within attached text files such as spoofed bounces resulting from joe-job instances. 

Oh and finally, how about that darned mailing list for registered users so we can be notified immediately of new official and beta versions?  That seems like a no-brainer and another reason for people to pony up for a fine product.
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 05 August 2005 at 8:21am

ok, one of them badasses sent us one... and it seems to work.. but you guessed it: the ISP's relay server got blocked :)))

I think the order of filters needs to be looked at again, so that DoNotAddIPToHoneypot has preference again.

Other than that it works great! This is gonna give the spammers some serious headaches. How to try and sell something if the text needed to sell it will cause you an ipblock? muhahaha (sorry, was beeing myself for a sec there) :)

regards,

Marco



Edited by Marco
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 05 August 2005 at 3:05am

Fantastic! great work roberto.

 

just to make sure, the following lines are correct?

subject:challenged on live tv::honeypot
subject:software,at,incredibly,low,price::honeypot



Edited by Marco
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 04 August 2005 at 11:49pm
Marco, Alan, keizersozay, everyone,

We now have a pre-release build that does include support for extra tags in the keyword filter as well. This was done with practically no performance loss. The build is still being tested, but is available in the registered user area as build 2.6.3.476.

The syntax for the extra tag had to be slightly different. In this list you MUST use a double colon rather than a single one to separate the tag from the keyword entries. The updated help file for that sectionis as follows:

Keywords Filter - You can check email content and subject header for specific keyword and/or phrases. If found, the email is rejected. You can also use Regular Expressions (RegEx). If the keyword file does not exist it will be created. The file is reloaded every minute. The contents of the file will be loaded in the memo box, allowing you to make changes to the file. This list supports the ::NULL option to send emails in a black hole. If an entry is in the form keyword::NULL it will cause all emails to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the form keyword::NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the ::Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.  Please note that unlike in other cases, with the keyword list you must enter the ":" symbol twice to specify the extra tag.
 

Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 04 August 2005 at 10:47am

I was going to suggest the exact same (topic), from then on anyone with 'case of fine wine' 'improved cialis without prescription' (to name some) in the subject would get blocked into oblivian.

 

This feature would only need to be active for a limited time, and would catch quite a few of the badasses that got hold of our domain name and are swamping it with spam.

Any users that forward such spam and dont change at least the titles are deserving of a block :->

But i would also like to see a limited timeblock, say - a day- with notification to the sender, so that they are warned not to do it again.

 

Just my 2 cents

 

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
Alan View Drop Down
Groupie
Groupie


Joined: 06 May 2005
Location: United States
Status: Offline
Points: 43
Post Options Post Options   Thanks (0) Thanks(0)   Quote Alan Quote  Post ReplyReply Direct Link To This Post Posted: 29 July 2005 at 4:21pm
Thanks Roberto.  This is a big want for me.  It would really help clean up and reduce the size of the quarantine that users would have to look through.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 29 July 2005 at 4:15pm
Alan,

We've implemented "modifiers" for many of the blacklists, but as we've talked about i nthe past, the keyword list does not the use of any extra tags. The reason for this is that the list supports wildcard filtering and RegEx filtering. Adding support for a modifier will make the parsing engine do too much extra work to handle it at the moment. We've tested some workarounds (using something other than the defualt ":" to designate a extra tag) but we don't have any time estimates on when it will be implemented yet.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Alan View Drop Down
Groupie
Groupie


Joined: 06 May 2005
Location: United States
Status: Offline
Points: 43
Post Options Post Options   Thanks (0) Thanks(0)   Quote Alan Quote  Post ReplyReply Direct Link To This Post Posted: 29 July 2005 at 12:43pm
Roberto at one point last year the use of the extra tags (null, nondr) on keywords was talked about being implimented and may have been for test-build, but now it appears it is not.  It may have been a performance issue.

This is still something I would really like to be able to utilize.  While keywords are not my weapon of choice they still act as one layer that catches a lot of spam, especially for certain short term spam campaigns.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 11 May 2005 at 10:10pm
keizersozay,

Another valid idea. Most likely it will be included in the next build. If you email us directly we can provide you with an alpha version for you to test (it's available right now).
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
keizersozay View Drop Down
Groupie
Groupie
Avatar

Joined: 26 January 2005
Location: United States
Status: Offline
Points: 77
Post Options Post Options   Thanks (0) Thanks(0)   Quote keizersozay Quote  Post ReplyReply Direct Link To This Post Posted: 11 May 2005 at 12:16pm

Great idea Roberto. Looking forward to it.
Will the anti-virus plugin have this functionality too? If so I would consider purchasing the additional plugin.

Thanks again

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 10 May 2005 at 10:46pm

Real Nice!  Will you list the Black Lists that this tag will be valid in?

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 10 May 2005 at 10:33pm
In the next build we've added support for an extra tag in some of the blacklists, similar to the :NULL and :NoNDR tags already supported. The new :Honeypot tag will cause the sender's IP to be added to the honeypot blacklist when there's a match for the particlar blacklist entry with the :Honeypot tag.

Unfortunately this does not apply to the keyword filter, as that list does not support the extra tags...
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
keizersozay View Drop Down
Groupie
Groupie
Avatar

Joined: 26 January 2005
Location: United States
Status: Offline
Points: 77
Post Options Post Options   Thanks (0) Thanks(0)   Quote keizersozay Quote  Post ReplyReply Direct Link To This Post Posted: 10 May 2005 at 12:15pm

I really like the new honey pot feature, but I think it can be expanded to also read a file for content. Right now it just checks to see if the 'email to' is in the honey pot address list, but what about adding a honey pot keyword file (with regex support)

This could be real dangerous, but if you know that certain email content is alway spam like... well, I can't think of anything right now, but you know what I mean.

What do you think?

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.078 seconds.