honeypot related feature request
vrspock
Guest Group
Topic: honeypot related feature request
Posted: 27 September 2005 at 9:30pm
I was wondering if there could be some sort of log entry specifying the date that an IP address was added to the honeypotblockedips list. The reason being that I have had two false positives reported in the last few days that were from legitimate ISP mail servers and I'm trying to figure out what email address in my honeypot list is triggering this. I'd like to be able to do this without having to scan every log file in a flurry of disk activity to hunt this event down.

On second thought, how about indicating the honeypot entry in the logs that triggered the IP block? This is in contrast to when it gives the honeypot entry when adding an IP to the ban list. If either of these is doable, I'd definitely like to see it in a future release. Thanks.
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4106
Posted: 27 September 2005 at 11:07pm
vrspock,
Your first request is actually already available. The answer to the second can also be obtained from the logs, even though not in the immediate way you requested (it would take unnecessary additional processing power to look up that honeypot entry). Please look at the following log snippet. The first section shows an email that caused the sender's IP address to be added to the honeypot list.

09/27/05 22:49:49:703 -- (4760) Connection from: 172.27.4.53 - Originating country : N/A
09/27/05 22:49:49:953 -- (4760) Resolving 172.27.4.53 - Not found
09/27/05 22:49:49:968 -- (4760) - EMail To is in honeypot emails -
09/27/05 22:49:49:968 -- (4760) - Added 172.27.4.53 to honeypot blacklist
09/27/05 22:49:49:968 -- (4760) 172.27.4.53 - Mail from: spamfilter@domain.com To: spamtrap@logsat.com will be rejected
09/27/05 22:49:51:000 -- (4760) EMail from spamfilter@domain.com to spamtrap@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:49:51:046 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:49:51:062 -- (4760) Disconnect

The two bolded entries show the unique log entries that identify when an IP is added to the honeypot list. You can search for either of the red text with your favorite grep utility in the logs to find such entries. In the lines immediately following those you will find the spamtrap email address (spamtrap@logsat.com) that triggered the event. Entries related to a specific email will have the same thread ID (in blue above).

When an email arrives from an IP (172.27.4.53) that was blacklisted due to the fact that it sent an email to your spamtrap, it will be blocked with log entries like the following:

09/27/05 22:51:27:265 -- (5224) Connection from: 172.27.4.53 - Originating country : N/A
09/27/05 22:51:27:453 -- (5224) Resolving 172.27.4.53 - Not found
09/27/05 22:51:27:453 -- (5224) - IP blocked by honeypot autofilter -
09/27/05 22:51:27:453 -- (5224) 172.27.4.53 - Mail from: spamfilter@domain.com To: user@logsat.com will be rejected
09/27/05 22:51:28:281 -- (5224) EMail from spamfilter@domain.com to user@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:51:28:328 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:51:28:343 -- (5224) Disconnect

You can find these events by searching in the logs for the bolded text above. Once you find an entry (172.27.4.53), you can find the honeypot email address that caused the IP to be blacklisted by searching the logfiles for a line containing both the IP and the phrase in red in the first log snippet (to honeypot blacklist). For example, you'd look for a line that has both: 172.27.4.53 and to honeypot blacklist
Alan
Groupie
Joined: 06 May 2005 Location: United States Status: Offline Points: 43
Posted: 03 October 2005 at 1:18pm
Another honeypot related request:

Add the date the IP is added to the honeypot list, and set an option in SF to only filter based on honeypot entries that are less than xx days old. (Having it remove IPs after a certain age would also be a nice checkbox option.) Since spammers often probe, use, then move on, it is often good to have entries open again so you are not blocking an innocent in the future who is using the same dynamic IP range as the spammer. Then after the banned date range is done, if the spammer is still using the same IP it will be added again.
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4106
Posted: 03 October 2005 at 4:46pm
Alan,
We use the same parsing engine for all black/white lists, and it does not allow for comments in the text files (we do it for performance reasons). Due to this, we won't be able to add the date or extra info to the honeypot list. Sorry...
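Since the list file cannot carry dates, the only record of when an IP was honeypotted, and which spamtrap address caused it, is the log correlation LogSat describes above (same thread ID, "Added ... to honeypot blacklist" followed by the "will be rejected" line). The script below is an added example, not SpamFilter's own code or anything from LogSat: it parses the two log snippets from this thread (embedded as a constructed sample), correlates events by thread ID, answers vrspock's "when was this IP added and why" question for a blocked IP, and implements Alan's aging idea by listing entries older than N days from the log evidence instead of from the list file. The line layout (MM/DD/YY HH:MM:SS:mmm, thread ID in parentheses) is assumed from the snippets only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two snippets LogSat posted in this thread, one per line.
SAMPLE_LOG = """\
09/27/05 22:49:49:703 -- (4760) Connection from: 172.27.4.53 - Originating country : N/A
09/27/05 22:49:49:953 -- (4760) Resolving 172.27.4.53 - Not found
09/27/05 22:49:49:968 -- (4760) - EMail To is in honeypot emails -
09/27/05 22:49:49:968 -- (4760) - Added 172.27.4.53 to honeypot blacklist
09/27/05 22:49:49:968 -- (4760) 172.27.4.53 - Mail from: spamfilter@domain.com To: spamtrap@logsat.com will be rejected
09/27/05 22:49:51:000 -- (4760) EMail from spamfilter@domain.com to spamtrap@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:49:51:046 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:49:51:062 -- (4760) Disconnect
09/27/05 22:51:27:265 -- (5224) Connection from: 172.27.4.53 - Originating country : N/A
09/27/05 22:51:27:453 -- (5224) Resolving 172.27.4.53 - Not found
09/27/05 22:51:27:453 -- (5224) - IP blocked by honeypot autofilter -
09/27/05 22:51:27:453 -- (5224) 172.27.4.53 - Mail from: spamfilter@domain.com To: user@logsat.com will be rejected
09/27/05 22:51:28:281 -- (5224) EMail from spamfilter@domain.com to user@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:51:28:328 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:51:28:343 -- (5224) Disconnect
"""

# Assumed line layout: "MM/DD/YY HH:MM:SS:mmm -- (threadid) message"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):\d{3} -- \((\d+)\) (.*)$")
CONN_RE = re.compile(r"^Connection from: (\S+)")
ADDED_RE = re.compile(r"Added (\S+) to honeypot blacklist")      # the "red" phrase
BLOCKED_RE = re.compile(r"IP blocked by honeypot autofilter")     # bolded in 2nd snippet
REJECT_RE = re.compile(r"^(\S+) - Mail from: (\S+) To: (\S+) will be rejected")


def parse_lines(text):
    """Yield (timestamp, thread_id, message) for every well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2), m.group(3)


def honeypot_additions(text):
    """Map ip -> (time added, spamtrap address) for every 'Added ... to honeypot blacklist'
    event. The spamtrap address comes from the 'will be rejected' line that shares the
    same thread ID, which is the correlation LogSat describes."""
    pending = {}    # thread id -> (timestamp, ip) waiting for its 'will be rejected' line
    additions = {}
    for ts, tid, msg in parse_lines(text):
        m = ADDED_RE.search(msg)
        if m:
            pending[tid] = (ts, m.group(1))
            continue
        m = REJECT_RE.match(msg)
        if m and tid in pending:
            ts_added, ip = pending.pop(tid)
            if m.group(1) == ip:
                additions.setdefault(ip, (ts_added, m.group(3)))   # keep the first addition
    return additions


def honeypot_blocks(text):
    """List (timestamp, ip, thread_id) for every connection the honeypot autofilter rejected.
    The IP is taken from the 'Connection from' line of the same thread."""
    connected = {}
    blocks = []
    for ts, tid, msg in parse_lines(text):
        m = CONN_RE.match(msg)
        if m:
            connected[tid] = m.group(1)
        elif BLOCKED_RE.search(msg) and tid in connected:
            blocks.append((ts, connected[tid], tid))
    return blocks


def explain_block(text, ip):
    """vrspock's question: when was `ip` added, and which spamtrap address triggered it?"""
    return honeypot_additions(text).get(ip)


def stale_entries(text, now_mmddyy, max_age_days):
    """Alan's aging rule, evaluated from the logs: IPs added more than max_age_days before
    `now_mmddyy` (given in the log's own MM/DD/YY form), i.e. candidates to unblock."""
    cutoff = datetime.strptime(now_mmddyy, "%m/%d/%y") - timedelta(days=max_age_days)
    return sorted(ip for ip, (ts, _) in honeypot_additions(text).items() if ts < cutoff)


if __name__ == "__main__":
    for ts, ip, tid in honeypot_blocks(SAMPLE_LOG):
        added = explain_block(SAMPLE_LOG, ip)
        print(f"{ts} thread {tid}: {ip} blocked; added {added[0]} after mail to {added[1]}")
    print("older than 30 days as of 11/01/05:", stale_entries(SAMPLE_LOG, "11/01/05", 30))
```

Run it against the real log directory by replacing SAMPLE_LOG with the concatenated log files; because the correlation is keyed on the thread ID, interleaved lines from other threads (like the Bayes entry on thread 4552 above) do not confuse it.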
vrspock
Guest Group
Posted: 01 December 2005 at 12:03am
Of course, email should never be coming from a dynamic IP address to begin with. It should always be relayed through a mail server with a statically assigned IP. I would still like some way to not have to scan every single log file for an entry indicating when a particular IP address was added to the honeypot list. Although it hasn't been too much of a deal for me, as false positives related to honeypot blocked IPs have been a very rare thing.