Spam Filter ISP Support Forum


Honeypot logging bug?

lyndonje
Posted: 21 February 2006 at 4:41am
I'm currently running v2.7.1.523 and may have found a bug or possibly a new setting I'm not aware of related to logging...

A customer has contacted me to ask why an IP address of a sender has been blacklisted. When I search the logs I can see it was rejected because it was in the honeypot.

As I want to give the customer information as to why it was added to the honeypot, i.e. through spambait or virus, I search back in the logs for this IP.

Going back in time, the first thing I come across is an email being accepted from the IP. So first an email is accepted from this IP, then a few days later an email is rejected from this IP because of the honeypot, but in between I can't find in the logs when or why the IP was added to the honeypot.

This has happened a few times now, but I thought it was just me. Now I'm pretty sure I'm not crazy.

Could you have a look at this?

Thanks.

LogSat
Posted: 21 February 2006 at 3:33pm
lyndonje,

The honeypot filter actually has two ways it can reject an email. In the first case, an IP sends an email to an email address listed in the honeypot email list. In this case, the email will be rejected, the IP added to the honeypot blacklist, and the event is logged as:

"EMail To is in honeypot emails"

In the second case, the IP address has already been blocked once by the above filter, and thus the email is rejected because the IP is in the honeypot IP list. In this case, the event logged will be:

"IP blocked by honeypot autofilter"


This means that the 1st filter (with the 1st log entry) will be triggered the very 1st time an IP sends an email to a honeypot'd email. If this is the log entry you saw in your logs, then you will not see any prior entry, and this is normal.

If the log entry you saw is the one in the 2nd case, then there may indeed be a problem. In this case, we'll need to examine your logs to try to see what is happening. We'll need all of them starting from the date you last found a "good" email from that IP, up to the day the email was blocked for the honeypot filter. We'll also need to know the IP address in question. Please zip and email us the data, and if the zip is too big for email (over 5MB), please let us know and we can either retrieve the logs from your web/ftp server, or we can provide you with our ftp upload site.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
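
The check discussed in this thread, as an added example that is not part of the original posts or LogSat's code: it scans log lines in chronological order and reports every "IP blocked by honeypot autofilter" event for an IP that has no earlier "EMail To is in honeypot emails" event. The line layout, the sample lines, the IP addresses and the "Mail accepted" wording are constructed assumptions; only the two honeypot messages come from the reply above.

```python
import re
from collections import defaultdict

# The two honeypot log messages quoted in the reply above.
LISTED = "EMail To is in honeypot emails"       # IP gets added to the honeypot blacklist
BLOCKED = "IP blocked by honeypot autofilter"   # IP was already on the blacklist

# Assumed line layout (constructed for this example, not the product's real format):
#   <date> <time> <ip> <message>
LINE_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) (.*)$")

# Constructed sample log; 192.0.2.10 mirrors the sequence described in the thread.
SAMPLE_LOG = """\
02/10/06 16:13:13:899 192.0.2.10 Mail accepted
02/11/06 09:00:01:120 198.51.100.7 EMail To is in honeypot emails
02/12/06 11:30:45:003 198.51.100.7 IP blocked by honeypot autofilter
02/14/06 03:46:16:453 192.0.2.10 IP blocked by honeypot autofilter
""".splitlines()


def audit_honeypot(lines):
    """Return, per IP, autofilter blocks that have no earlier listing event.

    Lines must be in chronological order. Each finding carries the events
    seen earlier from that IP, which is what a support reply needs.
    """
    listed = set()               # IPs with a logged honeypot-address hit
    history = defaultdict(list)  # every parsed event per IP, in order
    orphans = defaultdict(list)  # blocks with no logged reason
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, ip, msg = m.groups()
        if LISTED in msg:
            listed.add(ip)
        elif BLOCKED in msg and ip not in listed:
            orphans[ip].append(
                {"blocked_at": ts, "earlier_events": list(history[ip])}
            )
        history[ip].append((ts, msg))
    return dict(orphans)


if __name__ == "__main__":
    for ip, findings in audit_honeypot(SAMPLE_LOG).items():
        for f in findings:
            print(ip, "blocked at", f["blocked_at"], "after", f["earlier_events"])
```

An IP that was listed before the first line of the supplied logs will also be reported, so the input should reach back as far as log retention allows.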

lyndonje
Posted: 22 February 2006 at 4:44am
On 10/02/06 at 16:13:13:899 an email was received and accepted from the IP in question.

On 14/02/06 at 03:46:16:453 the IP was blocked by honeypot filter.

The logs have no other mention of the IP address between these two times.

I have emailed the logs in split RAR files.

Thanks.

LogSat
Posted: 22 February 2006 at 4:11pm
Your logs clearly show that on the 10th you had one single successful email from that IP. The following connection from that IP occurred on the 14th, and for some reason it was blocked by the honeypot IP filter. This would mean that, somehow, the IP address was added to that list sometime *after* the initial connection on the 10th. What greatly puzzles us is that there are absolutely no connections from that IP except these two, so there would be no way for that IP to be added to the honeypot list...

I'm really at a dead end right now unfortunately, sorry..

If this happens again, could you please zip us the Honeypot.txt and the HoneypotBlockedIPs.txt files *before* you remove the IP from them? We'd like to see "where" in the file it appears, and if there's anything in the file at that particular time that could have caused the IP to be blocked incorrectly.

If you also have a backup of the HoneypotBlockedIPs.txt file close to 02/14/06 03:46:16 that could also be useful in trying to duplicate what happened.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

lyndonje
Posted: 23 February 2006 at 3:33am
Thanks. No I don't have a backup copy, but will keep my eye on things and let you know if I see it happen again.

Regards,
Lyndon.