Honey Pot Update |
kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334 | Posted: 16 May 2005 at 11:43am
Could it be possible to set up the IP block list to not block certain IPs?

lead | Newbie | Joined: 08 March 2005 | Status: Offline | Points: 18
What, like LogSat's IP?

I thought there might be difficulties with the honey pot in that regard. With bounced email that has been faked from your domain (which I seem to be getting a lot of lately) it can lead to a hit on the honeypot from delivery failures. I still think it is a great tool, just needs to be managed a bit. kspare, what difficulties have you noticed?

Alan | Groupie | Joined: 06 May 2005 | Location: United States | Status: Offline | Points: 43
This is something I had asked about in another thread. In my case it was so spam sent directly to secondary MX servers doesn't end up on the honeypot IP blacklist. I am thinking that a tag like "IGNORE" or something added to the specific IPs in HoneypotBlockedIPs would do it. Not sure where this falls on Roberto's list though.

Lead, no problems with spoofing domains since the IP that gets blacklisted is still the real IP, not a spoofed one.

lead | Newbie | Joined: 08 March 2005 | Status: Offline | Points: 18
I see it. I am guessing that your ISP is the second MX, which just forwards everything to your primary MX. Spam tends to be sent to all your MX records, so that can be a real big problem. I had to drop the ISP's backup as my second MX because of this; if my line goes down both MXs are out and I have to rely on the sending server doing the right thing by retrying. You wouldn't want to whitelist the ISP's backup MX, but don't want it on the honeypot blacklist as well, even though it is going to forward email to those addresses.

With the spoofing domains, I was saying that if the spam looks like it's coming from you (because your address was spoofed as the sender and is the honeypot address) then you are going to get a lot of returns from non-spamming email servers which end up blacklisted. Not a massive problem, just something to be aware of.

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334
My concern on this is that I have a 3rd offsite server that checks for spam and then forwards ALL mail to my primary server. So when the primary server sees that it is spam, it starts to block EVERYTHING from my backup server. We need to be able to allow an IP no matter what....

Desperado | Senior Member | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143
Kevin,

What I do is whitelist the IP of my backup server and live with the fact that the primary can not detect some of the communication related blocks.

Regards,
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334
But if I whitelist that server, any spam it catches won't be caught....

Desperado | Senior Member | Joined: 27 January 2005 | Location: United States | Status: Offline | Points: 1143
Doesn't the Secondary quarantine to the database?

das
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com

kspare | Senior Member | Joined: 26 January 2005 | Location: Canada | Status: Offline | Points: 334
No. And it doesn't do this because it's a 3rd backup server that is offsite. So if our main office goes down it queues up good and bad mail for the main server at our office to commit to the database. We had to do it that way because of the fact that if the main office goes down, the VPN goes down, so any spam found would get dropped and we can't risk that some spam can be false positives and we could lose customer emails. I'm not using it for the time being until we can figure something out or Roberto can fix this glitch. It would be nice to have everything on the remote site committed to database and I tried this out before but it was more of a problem. So I just tag all the email and forward it to the primary spamfilter gateway. But now with the honeypot which works VERY well it is catching some emails. I want to be able to whitelist certain IPs from the honeypot only. It would help out a lot.
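
Added example, not from any poster in this thread and not LogSat's code: a toy Python model of the three setups discussed above (no exemption, a full whitelist of the backup server, and an exemption from the honeypot list only). The class, its parameters, the IPs and the mail addresses are all constructed for illustration.

```python
import ipaddress

class HoneypotFilter:
    """Toy gateway: a honeypot hit blacklists the connecting IP unless it is exempt."""

    def __init__(self, honeypot_addrs, exempt=(), whitelist=()):
        self.honeypot = {a.lower() for a in honeypot_addrs}
        self.exempt = [ipaddress.ip_network(n) for n in exempt]        # honeypot-only exemption
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]  # bypasses every filter
        self.blocked = set()

    @staticmethod
    def _member(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def handle(self, peer_ip, rcpt, is_spam):
        """Verdict for one message; is_spam stands in for the content filters."""
        if self._member(peer_ip, self.whitelist):
            return "accept"                      # nothing is inspected
        if peer_ip in self.blocked:
            return "reject"
        if rcpt.lower() in self.honeypot:
            if not self._member(peer_ip, self.exempt):
                self.blocked.add(peer_ip)        # blacklist the connecting IP
            return "quarantine"                  # trap mail is never delivered
        return "quarantine" if is_spam else "accept"

# Constructed sample traffic (documentation IP ranges, made-up addresses).
BACKUP_MX, SPAMMER = "192.0.2.25", "203.0.113.7"
TRAFFIC = [
    (BACKUP_MX, "trap@example.com", True),       # spam to the trap, relayed by the backup
    (BACKUP_MX, "customer@example.com", False),  # legitimate mail queued on the backup
    (BACKUP_MX, "customer@example.com", True),   # relayed spam to a real mailbox
    (SPAMMER, "trap@example.com", True),         # direct hit on the trap
    (SPAMMER, "customer@example.com", False),    # later mail from the same IP
]

def run(**kwargs):
    """Replay TRAFFIC through a fresh gateway and return the list of verdicts."""
    gw = HoneypotFilter({"trap@example.com"}, **kwargs)
    return [gw.handle(*msg) for msg in TRAFFIC]

if __name__ == "__main__":
    print("no exemption  :", run())
    print("full whitelist:", run(whitelist=[BACKUP_MX + "/32"]))
    print("honeypot-only :", run(exempt=[BACKUP_MX + "/32"]))
```

Only the honeypot-only exemption keeps the backup server off the blacklist while spam it relays is still quarantined; the direct sender is blocked in all three runs.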