
honeypot related feature request

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5345
Printed Date: 05 December 2025 at 11:29pm


Topic: honeypot related feature request
Posted By: Guests
Subject: honeypot related feature request
Date Posted: 27 September 2005 at 9:30pm
I was wondering if there could be some sort of log entry specifying the date that an ip address was added to the honeypotblockedips list.  The reason being that I have had two false positives reported in the last few days that were from legitimate ISP mail servers and I'm trying to figure out what email address in my honeypot list is triggering this.  I'd like to be able to do this without having to scan every log file in a flurry of disk activity to hunt this event down.

On second thought, how about indicating the honeypot entry in the logs that triggered the IP block?  This is in contrast to when it gives the honey pot entry when adding an IP to the ban list.

If either of these are doable, I'd definitely like to see it in a future release.  Thanks.



Replies:
Posted By: LogSat
Date Posted: 27 September 2005 at 11:07pm
vrspock,

Your first request is actually already available. The answer to the second can also be obtained from the logs, even though not in the immediate way you requested (it would take unnecessary additional processing power to look up that honeypot entry).

Please look at the following log snippet. The first section shows an email that caused the sender's IP address to be added to the honeypot list.

09/27/05 22:49:49:703 -- (4760) Connection from: 172.27.4.53  -  Originating country : N/A
09/27/05 22:49:49:953 -- (4760) Resolving 172.27.4.53 - Not found
09/27/05 22:49:49:968 -- (4760) - EMail To is in honeypot emails -
09/27/05 22:49:49:968 -- (4760) - Added 172.27.4.53 to honeypot blacklist
09/27/05 22:49:49:968 -- (4760) 172.27.4.53 - Mail from: spamfilter@domain.com To: spamtrap@logsat.com will be rejected
09/27/05 22:49:51:000 -- (4760) EMail from spamfilter@domain.com to spamtrap@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:49:51:046 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:49:51:062 -- (4760) Disconnect

The two bolded entries show the unique log entries that identify when an IP is added to the honeypot list. You can search for either of the red text with your favorite grep utility in the logs to find such entries. In the lines immediately following those you will find the spamtrap email address (spamtrap@logsat.com) that triggered the event. Entries related to a specific email will have the same thread ID (in blue above).

When an email arrives from an IP (172.27.4.53) that was blacklisted due to the fact that it sent an email to your spamtrap, it will be blocked with log entries like the following:

09/27/05 22:51:27:265 -- (5224) Connection from: 172.27.4.53  -  Originating country : N/A
09/27/05 22:51:27:453 -- (5224) Resolving 172.27.4.53 - Not found
09/27/05 22:51:27:453 -- (5224) - IP blocked by honeypot autofilter -
09/27/05 22:51:27:453 -- (5224) 172.27.4.53 - Mail from: spamfilter@domain.com To: user@logsat.com will be rejected
09/27/05 22:51:28:281 -- (5224) EMail from spamfilter@domain.com to user@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:51:28:328 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:51:28:343 -- (5224) Disconnect

You can find these events by searching in the logs for the bolded text above. Once you find an entry (172.27.4.53), you can find the honeypot email address that caused the IP to be blacklisted by searching for the presence in the logfiles for a line containing both the IP and the phrase in red in the first log snippet (to honeypot blacklist). For example, you'd look for a line that has both:
172.27.4.53   and   to honeypot blacklist



-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
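The correlation procedure described in the reply above (find the "to honeypot blacklist" line, read the spamtrap address from the "Mail from ... To: ..." line with the same thread ID, then tie a later "IP blocked by honeypot autofilter" event back to it by IP) as a small Python script. This is an added example, not LogSat's code or a tool the product ships; the only input it parses is the two log snippets quoted in the reply, and the line layout it assumes is nothing more than what those snippets show.

```python
import re

# Log line shape seen in the snippets above:
#   "MM/DD/YY HH:MM:SS:mmm -- (thread id) message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) -- \((?P<tid>\d+)\) (?P<msg>.*)$"
)
CONN_RE = re.compile(r"Connection from: (?P<ip>\d+(?:\.\d+){3})")
ADDED_RE = re.compile(r"Added (?P<ip>\d+(?:\.\d+){3}) to honeypot blacklist")
MAILFROM_RE = re.compile(r"Mail from: (?P<sender>\S+) To: (?P<rcpt>\S+) will be rejected")
BLOCKED_MARK = "IP blocked by honeypot autofilter"

# Sample input: the two snippets from the reply above, concatenated into one log
# (constructed test data for this example, not a live log file).
SAMPLE_LOG = """\
09/27/05 22:49:49:703 -- (4760) Connection from: 172.27.4.53  -  Originating country : N/A
09/27/05 22:49:49:953 -- (4760) Resolving 172.27.4.53 - Not found
09/27/05 22:49:49:968 -- (4760) - EMail To is in honeypot emails -
09/27/05 22:49:49:968 -- (4760) - Added 172.27.4.53 to honeypot blacklist
09/27/05 22:49:49:968 -- (4760) 172.27.4.53 - Mail from: spamfilter@domain.com To: spamtrap@logsat.com will be rejected
09/27/05 22:49:51:000 -- (4760) EMail from spamfilter@domain.com to spamtrap@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:49:51:046 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:49:51:062 -- (4760) Disconnect
09/27/05 22:51:27:265 -- (5224) Connection from: 172.27.4.53  -  Originating country : N/A
09/27/05 22:51:27:453 -- (5224) Resolving 172.27.4.53 - Not found
09/27/05 22:51:27:453 -- (5224) - IP blocked by honeypot autofilter -
09/27/05 22:51:27:453 -- (5224) 172.27.4.53 - Mail from: spamfilter@domain.com To: user@logsat.com will be rejected
09/27/05 22:51:28:281 -- (5224) EMail from spamfilter@domain.com to user@logsat.com was received and quarantined. Size: 1 KB, 1024 bytes
09/27/05 22:51:28:328 -- (4552) Time to add Msg to Bayes corpus:0
09/27/05 22:51:28:343 -- (5224) Disconnect
"""


def analyze(lines):
    """Single pass over log lines.

    Returns (additions, blocks):
      additions: honeypot blacklist additions, each with the spamtrap address that caused it
      blocks:    connections rejected because the IP was already on the honeypot blacklist
    Per-thread state is reset on every "Connection from:" line because thread IDs are
    reused by later connections, so grouping a whole log by thread ID would mix sessions.
    """
    additions, blocks, state = [], [], {}
    for seq, line in enumerate(lines):
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        ts, tid, msg = m["ts"], m["tid"], m["msg"]
        conn = CONN_RE.search(msg)
        if conn:
            state[tid] = {"ip": conn["ip"], "added_ts": None, "blocked_ts": None}
            continue
        st = state.get(tid)
        if st is None:
            continue  # e.g. the Bayes worker thread, which carries no connection context
        if msg.strip() == "Disconnect":
            state.pop(tid, None)
        elif ADDED_RE.search(msg):
            st["added_ts"] = ts
        elif BLOCKED_MARK in msg:
            st["blocked_ts"] = ts
        else:
            mail = MAILFROM_RE.search(msg)
            if mail and st["added_ts"]:
                # The line right after the addition names the spamtrap that was hit.
                additions.append({"seq": seq, "ts": st["added_ts"], "ip": st["ip"],
                                  "sender": mail["sender"], "spamtrap": mail["rcpt"]})
                st["added_ts"] = None
            elif mail and st["blocked_ts"]:
                blocks.append({"seq": seq, "ts": st["blocked_ts"], "ip": st["ip"],
                               "sender": mail["sender"], "rcpt": mail["rcpt"]})
                st["blocked_ts"] = None
    return additions, blocks


def explain_block(lines, ip):
    """For an IP that was blocked by the honeypot autofilter, return (timestamp, spamtrap)
    of the most recent blacklist addition for that IP earlier in the log, or None."""
    additions, blocks = analyze(lines)
    block = next((b for b in blocks if b["ip"] == ip), None)
    if block is None:
        return None
    prior = [a for a in additions if a["ip"] == ip and a["seq"] < block["seq"]]
    if not prior:
        return None
    return prior[-1]["ts"], prior[-1]["spamtrap"]


if __name__ == "__main__":
    adds, blks = analyze(SAMPLE_LOG.splitlines())
    for a in adds:
        print(f"{a['ts']} {a['ip']} added; spamtrap hit: {a['spamtrap']} (sender {a['sender']})")
    for b in blks:
        print(f"{b['ts']} {b['ip']} blocked; cause: {explain_block(SAMPLE_LOG.splitlines(), b['ip'])}")
```

To use it on real logs, replace SAMPLE_LOG with the concatenated log files in chronological order; the sequence-based lookup in explain_block relies on file order rather than parsing the timestamps, so older files must come first.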


Posted By: Alan
Date Posted: 03 October 2005 at 1:18pm
Another honeypot related request:
Add the date the IP is added to the honeypot list, and set an option in SF to only filter based on honeypot entries that are less than xx days old. (having it remove IPs after a certain age would also be a nice checkbox option)

Since spammers often probe, use, then move on it is often good to have entries open again so you are not blocking an innocent in the future who is using the same dynamic IP range as the spammer.

Then after the banned date range is done, if the spammer still is using the same IP it will be added again.


Posted By: LogSat
Date Posted: 03 October 2005 at 4:46pm
Alan,

We use the same parsing engine for all black/white lists, and it does not allow for comments in the text files (we do it for performance reasons). Due to this, we won't be able to add the date or extra info to the honeypot list. Sorry...


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Guests
Date Posted: 01 December 2005 at 12:03am

Originally posted by Alan:

Another honeypot related request:
Since spammers often probe, use, then move on it is often good to have entries open again so you are not blocking an innocent in the future who is using the same dynamic IP range as the spammer.

Then after the banned date range is done, if the spammer still is using the same IP it will be added again.

Of course, email should never be coming from a dynamic IP address to begin with.  It should always be relayed through a mail server with a statically assigned IP.

I would still like some way to not have to scan every single log file for an entry indicating when a particular IP address was added to the honey pot list.  Although it hasn't been too much of a deal for me as false positives related to honey pot blocked IPs have been a very rare thing.



