
another honey pot thought

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5157
Printed Date: 24 October 2017 at 7:27am


Topic: another honey pot thought
Posted By: keizersozay
Subject: another honey pot thought
Date Posted: 10 May 2005 at 12:15pm

I really like the new honey pot feature, but I think it can be expanded to also read a file for content. Right now it just checks to see if the 'email to' is in the honey pot address list, but what about adding a honey pot keyword file (with regex support)?

This could be real dangerous, but if you know that certain email content is always spam like... well, I can't think of anything right now, but you know what I mean.

What do you think?




Replies:
Posted By: LogSat
Date Posted: 10 May 2005 at 10:33pm
In the next build we've added support for an extra tag in some of the blacklists, similar to the :NULL and :NoNDR tags already supported. The new :Honeypot tag will cause the sender's IP to be added to the honeypot blacklist when there's a match for the particular blacklist entry with the :Honeypot tag.

Unfortunately this does not apply to the keyword filter, as that list does not support the extra tags...


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Desperado
Date Posted: 10 May 2005 at 10:46pm

Real Nice! Will you list the Black Lists that this tag will be valid in?

Regards,



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: keizersozay
Date Posted: 11 May 2005 at 12:16pm

Great idea Roberto. Looking forward to it.
Will the anti-virus plugin have this functionality too? If so I would consider purchasing the additional plugin.

Thanks again



Posted By: LogSat
Date Posted: 11 May 2005 at 10:10pm
keizersozay,

Another valid idea. Most likely it will be included in the next build. If you email us directly we can provide you with an alpha version for you to test (it's available right now).


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Alan
Date Posted: 29 July 2005 at 12:43pm
Roberto, at one point last year the use of the extra tags (null, nondr) on keywords was talked about being implemented and may have been for a test build, but now it appears it is not. It may have been a performance issue.

This is still something I would really like to be able to utilize.  While keywords are not my weapon of choice they still act as one layer that catches a lot of spam, especially for certain short term spam campaigns.


Posted By: LogSat
Date Posted: 29 July 2005 at 4:15pm
Alan,

We've implemented "modifiers" for many of the blacklists, but as we've talked about in the past, the keyword list does not support the use of any extra tags. The reason for this is that the list supports wildcard filtering and RegEx filtering. Adding support for a modifier will make the parsing engine do too much extra work to handle it at the moment. We've tested some workarounds (using something other than the default ":" to designate an extra tag) but we don't have any time estimates on when it will be implemented yet.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Alan
Date Posted: 29 July 2005 at 4:21pm
Thanks Roberto. This is a big want for me. It would really help clean up and reduce the size of the quarantine that users would have to look through.


Posted By: Marco
Date Posted: 04 August 2005 at 10:47am

I was going to suggest the exact same (topic), from then on anyone with 'case of fine wine' 'improved cialis without prescription' (to name some) in the subject would get blocked into oblivion.

This feature would only need to be active for a limited time, and would catch quite a few of the badasses that got hold of our domain name and are swamping it with spam.

Any users that forward such spam and don't change at least the titles are deserving of a block :->

But I would also like to see a limited timeblock, say - a day - with notification to the sender, so that they are warned not to do it again.

Just my 2 cents



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: LogSat
Date Posted: 04 August 2005 at 11:49pm
Marco, Alan, keizersozay, everyone,

We now have a pre-release build that does include support for extra tags in the keyword filter as well. This was done with practically no performance loss. The build is still being tested, but is available in the registered user area as build 2.6.3.476.

The syntax for the extra tag had to be slightly different. In this list you MUST use a double colon rather than a single one to separate the tag from the keyword entries. The updated help file for that section is as follows:

Keywords Filter - You can check email content and subject header for specific keywords and/or phrases. If found, the email is rejected. You can also use Regular Expressions (RegEx). If the keyword file does not exist it will be created. The file is reloaded every minute. The contents of the file will be loaded in the memo box, allowing you to make changes to the file. This list supports the ::NULL option to send emails in a black hole. If an entry is in the form keyword::NULL it will cause all emails to be accepted and then sent to NULL right away. Such emails will not cause NDRs, they will not be quarantined, they will not be seen by the users. If an entry is in the form keyword::NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the ::Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future. Please note that unlike in other cases, with the keyword list you must enter the ":" symbol twice to specify the extra tag.



-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Marco
Date Posted: 05 August 2005 at 3:05am

Fantastic! Great work Roberto.

Just to make sure, the following lines are correct?

subject:challenged on live tv::honeypot
subject:software,at,incredibly,low,price::honeypot



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: Marco
Date Posted: 05 August 2005 at 8:21am

OK, one of them badasses sent us one... and it seems to work... but you guessed it: the ISP's relay server got blocked :)))

I think the order of filters needs to be looked at again, so that DoNotAddIPToHoneypot has preference again.

Other than that it works great! This is gonna give the spammers some serious headaches. How to try and sell something if the text needed to sell it will cause you an IP block? muhahaha (sorry, was being myself for a sec there) :)

regards,

Marco



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: Alan
Date Posted: 05 August 2005 at 5:06pm
Thank you Roberto for getting such a jump on that one. It really has made a noticeable difference already in my testing. And I do not see any performance hit either. I am still very impressed at how quickly you have been able to incorporate new ideas and user requests over the years of using SF.

Seems like some of the old requests from years ago are starting to get included in the product now.  So how about some way to set a time limit on filters?  Maybe something like "::NULL/08102005" to have a filter that will no longer be effective as of a certain expiration date (08/10/2005 in this case).  Of course it would be either up to the admin to clean up or you can have the app auto-remove expired filters.  This would be good for outbreaks or spambot attacks where certain is suddenly a big problem but will probably not be in the future.

And another thought, a way to also scan within attached text files such as spoofed bounces resulting from joe-job instances.

Oh and finally, how about that darned mailing list for registered users so we can be notified immediately of new official and beta versions?  That seems like a no-brainer and another reason for people to pony up for a fine product.


Posted By: LogSat
Date Posted: 07 August 2005 at 6:57pm
Alan,

We honestly don't see expirations on filters to be available any time soon.

What we do have next on the list however is a "timed cache" on source IPs. If an IP has sent more than "n" number of spams in the last "x" number of minutes, it will be immediately disconnected even before it sends any data for "y" number of minutes. This will save a considerable amount of bandwidth and will prevent filling users' quarantine with massive amounts of spam to sort through. We're trying to make these options available for each type of filter, so that for example the timer is active on the "virus" filter but not on the "reverse DNS" filter.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
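The "timed cache" Roberto outlines above (more than n spam verdicts from one IP in the last x minutes, then disconnect that IP at connection time for y minutes, with the timer switched on per filter) is the kind of thing that is easy to get subtly wrong: hits must age out of the window, the block must expire, and a filter the timer is not enabled for must never count. The sliding-window implementation below is an added Python example written for this thread; it is not code from Spam Filter ISP, and the filter names, the per-filter switch table and the sample timeline are all constructed here for illustration.

```python
from collections import defaultdict, deque

# Constructed per-filter switch table, following Roberto's example: the timer is
# active for the "virus" filter but not for the "reverse DNS" filter. The filter
# names are illustrative, not the product's own identifiers.
TIMED_CACHE_FILTERS = {"virus": True, "keyword": True, "reverse dns": False}


class TimedCache:
    """Sliding-window rate limiter on source IPs.

    record_spam() is called whenever a filter rejects a message from an IP;
    should_disconnect() is called when a new connection arrives, before any
    SMTP data is read, so a blocked sender costs no bandwidth.
    Time is passed in explicitly (seconds) so the behaviour is testable.
    """

    def __init__(self, max_hits, window_minutes, block_minutes, enabled_filters):
        self.max_hits = max_hits                 # "n": more than this many hits blocks
        self.window = window_minutes * 60        # "x": look-back window in seconds
        self.block_for = block_minutes * 60      # "y": block duration in seconds
        self.enabled = enabled_filters           # filter name -> bool
        self.hits = defaultdict(deque)           # ip -> timestamps of counted hits
        self.blocked_until = {}                  # ip -> time the block expires

    def record_spam(self, ip, filter_name, now):
        """Count a spam verdict from filter_name; return True if the IP just got blocked."""
        if not self.enabled.get(filter_name, False):
            return False                         # timer not active for this filter
        q = self.hits[ip]
        q.append(now)
        # Drop hits that fell out of the look-back window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.max_hits:
            self.blocked_until[ip] = now + self.block_for
            q.clear()                            # start counting afresh after the block
            return True
        return False

    def should_disconnect(self, ip, now):
        """True while the IP is inside its block period; expired blocks are removed."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True


def demo():
    """Constructed timeline: 4 keyword hits within 10 minutes from one IP (n=3)."""
    tc = TimedCache(max_hits=3, window_minutes=10, block_minutes=30,
                    enabled_filters=TIMED_CACHE_FILTERS)
    ip = "203.0.113.9"                           # constructed sample address
    events = [tc.record_spam(ip, "keyword", t) for t in (0, 60, 120, 180)]
    return events, tc.should_disconnect(ip, 200), tc.should_disconnect(ip, 180 + 1800)


if __name__ == "__main__":
    print(demo())                                # ([False, False, False, True], True, False)
```

Because hits are pruned relative to the current call time, three hits spread over a day never trigger the block, while the fourth hit within the window does; the per-filter table decides which verdicts feed the counter at all.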


Posted By: Marco
Date Posted: 09 August 2005 at 3:16am

Maybe you missed the hidden bugreport i mentioned in my earlier post Roberto, just making sure.

The DoNotAddIPToHoneypot ini entry is being ignored in build 476

Regards,

Marco



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: LogSat
Date Posted: 10 August 2005 at 10:14pm
Marco,

I'm not sure if you refer to your comment below or not:

==============================
I think the order of filters needs to be looked at again, so that DoNotAddIPToHoneypot has preference again.
==============================

If it's not this comment, but another "hidden bugreport", then it's hidden really good since I have no idea of where it is... Can you repost it?

If instead it was the above comment, it looked like a "wish" not a bug report. Looking over the behavior again, we noticed that the DoNotAddIPToHoneypot option is doing exactly what it was asked and designed to do. That is, if an email comes in from an email address that is in the honeypot email list, the IP won't be added if it's listed in the DoNotAddIPToHoneypot list.

When we started adding extra tags to add sender's IP to the honeypot blacklist if they triggered other filters, that process ignored the DoNotAddIPToHoneypot. It's technically not a bug... but you're correct, it would be more appropriate if that "whitelist" would be expanded to all other filters as well.

We're pre-testing a build with this ability internally right now. We'll make it available in a few days, but if you wish to test it please let us know and we'll make it available to you.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Marco
Date Posted: 11 August 2005 at 3:47am

Ahh, that is exactly what I was referring to, and I see how it happened.

The problem is that an 'unknown' sender is mailing us spam to legit mail addresses. Adding those addresses to the honeypot list is not an option.

Since the senders don't use honeypot addresses, and some of the incoming mails are relayed through to our primary mailsystem, the possibility that the relay's IP gets trapped is high. This is what happened, and I agree, the honeypot is working fine, but the DoNotAddIPToHoneypot setting needs to be applied to the content tagging system also.

So maybe the tag 'honeypot' is a bit out of place in the keyword filter, perhaps a tag called '::blacklistIP' (or something) would be better.

Regardless, a system that blacklists senders' IPs on the basis of mail or subject content could prove invaluable. But caution has to be applied not to blacklist legit IPs.

Another wish that might prove useful if possible is extending the 'automatic blacklisting' when the sender's mail is matched in MAPS and/or SURBL search. Also 'FROM' domain names / attachment filter perhaps.

Thank you for taking the effort in looking into this 'issue'. I would gladly help test the new prerelease.

Regards,

Marco



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
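Two things in this thread are worth seeing as code: Roberto's double-colon syntax for the keyword list (a single colon stays part of the pattern, because patterns may be regexes such as `http://...`, so the tag is split off the right-most `::`), and the gap Marco ran into, where a `::Honeypot` hit from the keyword filter blacklisted his ISP's relay because the DoNotAddIPToHoneypot whitelist was only consulted by the honeypot address check. The following is an added Python example written for this thread, not code from Spam Filter ISP: the keyword entries and IP ranges are constructed, the `subject:` prefix is taken from Marco's example lines but its meaning (restrict the match to the Subject header) is an assumption made here, patterns are treated as case-insensitive regexes, and the DoNotAddIPToHoneypot value is assumed to be a comma-separated list of IPs or CIDR ranges.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed keyword list in the double-colon syntax from the help text.
KEYWORD_LIST = """\
subject:challenged on live tv::honeypot
improved cialis without prescription::NULL
case of fine wine::NoNDR
free mortgage quote
"""

# Constructed DoNotAddIPToHoneypot value: the ini key exists in the product,
# but the list format assumed here (comma-separated IPs / CIDR) is illustrative.
DO_NOT_ADD_IP_TO_HONEYPOT = "192.0.2.10, 198.51.100.0/24"

VALID_TAGS = {"null", "nondr", "honeypot"}


def parse_entry(line):
    """Split 'pattern::TAG' on the right-most double colon.

    A single colon ('subject:foo', 'http://') stays inside the pattern; an
    entry without '::' carries no tag and means plain reject-on-match.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    pattern, sep, tag = line.rpartition("::")
    if not sep:
        return line, None
    tag = tag.strip().lower()
    if tag not in VALID_TAGS:
        raise ValueError(f"unknown tag {tag!r} in entry {line!r}")
    return pattern, tag


def load_keyword_list(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def load_do_not_add(text):
    """Parse the whitelist into networks; a bare IP becomes a /32."""
    return [ip_network(p.strip(), strict=False) for p in text.split(",") if p.strip()]


def entry_matches(pattern, subject, body):
    # Assumption for illustration: a 'subject:' prefix limits the match to the header.
    if pattern.lower().startswith("subject:"):
        target, pat = subject, pattern[len("subject:"):]
    else:
        target, pat = subject + "\n" + body, pattern
    return re.search(pat, target, re.IGNORECASE) is not None


def filter_message(subject, body, sender_ip, entries, do_not_add):
    """Return (action, add_ip_to_honeypot) for the first matching entry.

    The honeypot decision consults the DoNotAddIPToHoneypot whitelist, which
    is exactly the check Marco's relay needed and build 476 skipped for tags.
    """
    ip = ip_address(sender_ip)
    for pattern, tag in entries:
        if not entry_matches(pattern, subject, body):
            continue
        if tag == "null":
            return "accept-then-discard", False   # ::NULL: black hole, no NDR, no quarantine
        if tag == "nondr":
            return "reject-no-ndr", False         # ::NoNDR: rejected, no bounce generated
        if tag == "honeypot":
            protected = any(ip in net for net in do_not_add)
            return "reject", not protected        # ::Honeypot: blacklist IP unless whitelisted
        return "reject", False                    # untagged keyword: plain reject
    return "accept", False


if __name__ == "__main__":
    entries = load_keyword_list(KEYWORD_LIST)
    nets = load_do_not_add(DO_NOT_ADD_IP_TO_HONEYPOT)
    print(filter_message("Challenged on live TV tonight", "", "203.0.113.5", entries, nets))
    print(filter_message("Challenged on live TV tonight", "", "198.51.100.77", entries, nets))
```

The first call is the spammer case (reject and blacklist the source IP); the second is Marco's relay case, where the same content is rejected but the relay address, being inside the whitelisted range, is never added to the honeypot blacklist. Whitelisting relays this way is what keeps a content-triggered IP block from turning into a self-inflicted outage.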


Posted By: Alan
Date Posted: 11 August 2005 at 11:47am
How about adding a checkbox to add IPs to the honeypot block list who exceed the "maximum concurrent connections from same IP"?


