Spam Filter ISP Support Forum


Is Honeypot backwards ?

Lee
Groupie
Joined: 04 February 2005
Location: United States
Posted: 11 November 2005 at 9:48pm

Ok, let me start with a disclaimer by saying there is a good chance I don't understand how SP is supposed to handle honeypots, but let's see if any of this makes sense to you guys.

First of all, what is the current method for setting up a honeypot? I read through all of the posts, and do you or do you not have to add your honeypot addresses to your AuthorizedTo: list?

Second, why do you need to add emails to a list for a honeypot? Doesn't it make more sense to automatically have a blacklist (or honeypot addresses) built dynamically from emails to addresses that are not in the AuthorizedTo list?

It seems to me this works backwards, because every email I found in my log where addresses were not valid was spam. Wouldn't it make more sense to have a list of emails that should not be added to a honeypot?

For example, if you have an employee or user who leaves, then their email is no longer valid, but you may not want to flag the sender as a spammer. So you would keep that address in your AuthorizedTo list for a period of time. But if the name is not in the list, then the sender should assume it is spam.

It seems that when I add names to the honeypot I have to guess or go through the log and use the names a spammer is making up. Why not have Spamfilter do that automatically?

Does any of this make sense?

Lee



Marco
Senior Member
Joined: 07 June 2005
Location: Netherlands
Posted: 14 November 2005 at 3:17am

That would not work; think about people making typos in the addresses, they would get blacklisted with your method.

I use honeypot for specific spam-magnet addresses, as well as virus-generated addresses (arguable method, but still it reduces spam).

All of our contacts use AV software, so if infected mails come in, chances are very high they are from people we don't do business with.

If a sender truly is legit and is blacklisted because their system is infected, experience has shown that those people phoned us, and in turn got instructions for cleaning up their system.

With a properly tuned SPF set of filters, the honeypot will start with a high 'hitcount' and drop slowly to almost zero over time. It does make itself obsolete over time. The spammers are also getting smarter, and by now know that sending to nonexistent addresses will get them blacklisted; the value of the honeypot is going down, so to speak. Still, it catches the occasional bad IP.

You do have to add the honeypot addresses to the authed list, yes, a small price to pay for getting those IPs that generate a lot of spam.

Marco
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Lee
Guest Group
Posted: 14 November 2005 at 12:48pm

Marco, you bring up some very good points, and I appreciate the clarification about having to add the emails to the authorized user list. I don't think that little tidbit is in the docs. :)

As far as honeypots and fake addresses: I find misspelled email addresses much less often than spammers guessing names. In fact, I am not sure I have seen a misspelled email in my quarantine.

But I can sit and watch the activity window and see hundreds of fake addresses being used. Which is my point: this is a much more common technique of sending spam. In fact, I will have to look at the stats, but I would say that the most effective filters I have are the MAPS lookups, blocked Country and AuthorizedTo filters. I do not believe Spamfilter tracks rejected AuthorizedTo, but watching the activity log is enlightening.

To me, a honeypot with specific addresses would only be useful if you embedded fake addresses in your web site. Making them the same color as the background and adding the mailto might work. Anyone who has a web site will have their email harvested.

But trying to guess what address spammers will use is impossible. Right now I have to look at the log, then add those to the honeypot. It still seems to me that I should be able to automatically add those incorrect addresses to the honeypot.

Just like in your situation, yes, maybe someone will get blacklisted by mistake, but that comes with the fight against spam. If my suggestion were added, then you could put the misspelled addresses in the Whitelist and they would not be added to the honeypot. But any made-up names would automatically get blacklisted.

The question comes down to what percentage of email has fake addresses vs. misspellings. In my case it's 99.9% fake and 0.1% misspelled names.

Thanks again,

Lee

Marco
Senior Member
Joined: 07 June 2005
Location: Netherlands
Posted: 15 November 2005 at 3:28am

For that same matter, it has been proven that relatively few IPs are 'phishing' for valid addresses; if only ONE of their attempts is present in the honeypot, all further efforts from that particular spammer are useless, until he/she uses a different IP.

My setup here caught roughly 100 bad IPs, but that alone cut down the amount of spam and viruses by 60%. On top of that, I use the honeypot-harvested IPs to feed into the firewall. I realise I am in the luxurious position of doing this because the amount of traffic is fairly low; we are a relatively small company, not an ISP with hundreds of thousands of mails a day.

Still, you could create a script that looks through the activity log for the word 'authorizedto' and harvests the following (nonexistent) email address.

Copy-paste the list that you generate once a week into the honeypot and you will dramatically cut down the amount of spam.

Best regards.

Marco

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
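A script of the kind Marco describes, written here as an added example (it is not code from this thread or from the SpamFilter ISP product): it scans constructed activity-log lines for AuthorizedTo rejections, pulls out the rejected recipient and the sending IP, drops addresses on an exclusion list (Lee's point about keeping typos and ex-employee mailboxes out of the honeypot), and can require that an address be probed from more than one IP before it is listed. The log line layout, the field names, the addresses and the IPs are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines. The layout is an assumption for this
# example, not SpamFilter ISP's real activity-log format.
SAMPLE_LOG = """\
11/14/05 09:01:12 Rejected by AuthorizedTo filter: RCPT TO:<jsmith@example.com> from 203.0.113.5
11/14/05 09:01:13 Rejected by AuthorizedTo filter: RCPT TO:<jsmth@example.com> from 198.51.100.7
11/14/05 09:01:15 Rejected by AuthorizedTo filter: RCPT TO:<admin123@example.com> from 203.0.113.5
11/14/05 09:02:00 Accepted: RCPT TO:<sales@example.com> from 192.0.2.9
11/14/05 09:02:40 Rejected by AuthorizedTo filter: RCPT TO:<old.employee@example.com> from 192.0.2.44
11/14/05 09:03:01 Rejected by AuthorizedTo filter: RCPT TO:<Admin123@example.com> from 198.51.100.7
"""

# Addresses that must never become honeypots: a departed user's mailbox
# and a known typo of a real address (constructed values).
EXCLUDE = {"old.employee@example.com", "jsmth@example.com"}

# Match the rejecting filter name, the recipient in <...>, and the source IP.
REJECT_RE = re.compile(
    r"authorizedto.*?<([^<>\s]+@[^<>\s]+)>.*?from\s+(\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)

def harvest(log_text, exclude=EXCLUDE, min_sources=1):
    """Return (sorted honeypot candidates, {address: set of probing IPs}).

    An address qualifies when the AuthorizedTo filter rejected it, it is not
    excluded, and at least `min_sources` distinct IPs tried it. Raising
    min_sources guards against listing a single sender's one-off typo.
    """
    excluded = {e.lower() for e in exclude}
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        addr = m.group(1).lower()          # fold case so Admin123 == admin123
        if addr in excluded:
            continue
        sources[addr].add(m.group(2))
    honeypots = sorted(a for a, ips in sources.items() if len(ips) >= min_sources)
    return honeypots, dict(sources)

if __name__ == "__main__":
    addrs, _ = harvest(SAMPLE_LOG)
    print("\n".join(addrs))  # the weekly list to paste into the honeypot
```

Run against a real log, the exclusion list is the place to park the misspelled and former-employee addresses Lee and Marco disagree about, so they never turn a legitimate sender into a blacklisted IP.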