Re: Honeypots?
- To: qmail@xxxxxxxxxxxxx
- Subject: Re: Honeypots?
- From: Thanos Massias <tm@xxxxxxxxxxx>
- Date: Thu, 01 Apr 2004 19:41:56 +0300
- Delivered-to: de5-qmail@sws5.ornl.gov
- Delivered-to: mailing list qmail@list.cr.yp.to
- In-reply-to: <1080834043.28457.0.camel@hopper>
- Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm
- Organization: NAVARINO telecom S.A.
- References: <007c01c402e4$0e21c630$d0c6d6d8@DRHLAPTOP> <1079041737.5247.25.camel@hopper> <4050E52D.9070206@slaphack.com> <1080834043.28457.0.camel@hopper>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2004-04-01 18:40 [EET], Matt wrote:
> On Thu, 2004-03-11 at 17:16, David Masover wrote:
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Matt wrote:
>>| Hi,
>>| Can anyone recommend any honeypot SPAM software for use with qmail?
>>| What I'd like to do is be able to have a few select e-mail addresses
>>| that are checked by this honeypot program, and if mail comes in block
>>| the sender or ip it is from.
>>|
>>
>>Can you do it on a per-user basis? Any mail filter should support a
>>blacklist, I just use maildrop, and install it in .qmail
>
>
> I suppose it can be done per user.. but what I'd like to do is have an
> IP dumped to my RBLDNS server so I can blacklist instantly.
1) Inject Honeytokens ( http://www.securityfocus.com/infocus/1713 ) in
your website in a way that no visitor could use them but harvesting
robots can add them to their list. A nice format would be something like
gotcha-RemoteIPAddress_Date@xxxxxxxxxxxxxx
(something like the http://www.securityfocus.com./infocus/1747 example
in PHP)
2) Create a gotcha user and create a .qmail-default file including a
parser ( maybe a Perl script ) that will extract the remote IP, check if
it should be blacklisted ( you don't want to blacklist your secondary
MXs - do you? ) and add it to your blacklist. I personally would apply
the remoteip.patch ( from http://will.harris.ch/ ) to qmail as this
makes it very easy to extract the remote IP (but maybe use a different
string instead of X-Remote-IP so that senders can't spoof it - say
X-Remote-IP-SomeString).
3) You can now both add IPs to your blacklist and satisfy your curiosity
on what remote IP harvested them in the first place (by examining the
To: header)
Suggested reading: http://www.geocities.com/spamresources/tools-honeypot.htm
PS: I really would like a version of the remoteip.patch that:
a) makes sure that prior X-Remote-IP headers are removed
b) doesn't insert an X-Remote-IP header if RELAYCLIENT is set
--
Best regards,
Thanos Massias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows 2000)
iD8DBQFAbEZUOs3ahFN/QpkRAmigAKCw4c363Oc6V0SDYIG5InVfiwxAGACg3D50
EwlxhRH4mLMu40wxnSgDMT4=
=LFK4
-----END PGP SIGNATURE-----
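Steps 1) to 3) above describe one delivery program; the following is an added example of such a program, written here in Python rather than the Perl the post suggests, and it is not code from the post's author or from the remoteip.patch. It assumes a customised header name (X-Remote-IP-9f3a2c, a placeholder for the "SomeString" suffix), a set of secondary MX addresses, the honeytoken domain example.com and the rbldns data file path; all of these are made up for the example. It also assumes the patched qmail-smtpd inserts its header ahead of the sender's own headers, so the first occurrence is the trusted one and a forged copy lower down is ignored. The sample messages are constructed, with TEST-NET addresses standing in for real hosts.

```python
#!/usr/bin/env python3
"""Delivery program for the 'gotcha' honeypot user (hypothetical example).

qmail hands the message on stdin. We take the SMTP client's IP from the
header the local remoteip.patch adds, decode the honeytoken in the To:
address to learn who harvested it, skip our own secondary MXs, and append
the rest to an rbldns data file.
"""
import email
import ipaddress
import re
import sys
from email.policy import default

# Assumed site configuration (placeholders, not taken from the post).
TRUSTED_HEADER = "X-Remote-IP-9f3a2c"      # customised name, so senders cannot spoof it
SECONDARY_MXS = {"192.0.2.10", "192.0.2.11"}  # our own relays: never blacklist these
HONEYTOKEN_DOMAIN = "example.com"
RBLDNS_DATA = "/service/rbldns/root/data"

# gotcha-<ip>_<YYYYMMDD>@domain, the honeytoken format proposed in the post
TOKEN_RE = re.compile(
    r"gotcha-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<date>\d{8})@"
    + re.escape(HONEYTOKEN_DOMAIN),
    re.IGNORECASE,
)


def smtp_client_ip(msg):
    """IP recorded by our qmail-smtpd, or None if the header is absent/invalid.

    Assumption: the patch inserts its header above the sender's data, so the
    first occurrence is ours and any sender-supplied copy comes later.
    """
    vals = msg.get_all(TRUSTED_HEADER)
    if not vals:
        return None
    try:
        return str(ipaddress.IPv4Address(str(vals[0]).strip()))
    except ValueError:
        return None


def harvester_ip(msg):
    """Decode the honeytoken in a recipient header: (ip, date) or None."""
    for hdr in ("To", "Cc", "Delivered-To"):
        for v in msg.get_all(hdr, []):
            m = TOKEN_RE.search(str(v))
            if m:
                return m.group("ip"), m.group("date")
    return None


def should_blacklist(ip):
    """The check step 2) asks for: not our secondary MXs, not loopback."""
    if ip is None or ip in SECONDARY_MXS:
        return False
    return not ipaddress.IPv4Address(ip).is_loopback


def rbldns_lines(raw_message):
    """Return the rbldns data lines (one address per line) to append."""
    msg = email.message_from_string(raw_message, policy=default)
    lines = []
    client = smtp_client_ip(msg)
    if should_blacklist(client):
        lines.append(client)
    token = harvester_ip(msg)
    if token and should_blacklist(token[0]) and token[0] != client:
        lines.append(token[0])
    return lines


# Constructed sample: trusted header first, a forged copy below it, and a
# honeytoken address that encodes the harvester's IP and the date it was served.
SAMPLE = """X-Remote-IP-9f3a2c: 203.0.113.77
Received: from unknown (HELO mail) (203.0.113.77)
  by mail.example.com with SMTP; 1 Apr 2004 16:41:56 -0000
X-Remote-IP-9f3a2c: 198.51.100.5
From: spammer@example.net
To: gotcha-203.0.113.9_20040401@example.com
Subject: buy now

hi
"""

# Same message relayed through one of our own secondary MXs.
SAMPLE_VIA_MX = SAMPLE.replace("X-Remote-IP-9f3a2c: 203.0.113.77",
                               "X-Remote-IP-9f3a2c: 192.0.2.10", 1)


def main():
    lines = rbldns_lines(sys.stdin.read())
    if lines:
        with open(RBLDNS_DATA, "a") as f:
            f.write("".join(line + "\n" for line in lines))
    # 99: delivered, and stop processing further .qmail instructions (qmail-command(8))
    sys.exit(99)


if __name__ == "__main__":
    main()
```

Install it as the only line of ~gotcha/.qmail-default (preceded by the usual `|`), and rebuild the rbldns CDB with rbldns-data in the service directory after each append, since rbldns serves data.cdb and not the text file. The `:127.0.0.2:...` response line that rbldns expects at the top of the data file is left to the existing file.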