Honeypots mailing list archives
Re: Using specialized honeypots to build up-to-date spam blacklists?
From: "Jens Knoell" <jens () ing twinwave net>
Date: Mon, 29 Sep 2003 07:21:23 -0600
Hi Chris,

On Monday, September 29, 2003 2:56 [GMT-7], Meidinger Chris wrote:
> Hi Jens, the idea is _very_ interesting. I particularly like that you can correlate the crawler bot's IP with the spam. Perhaps these don't change that often. Who knows? Theoretically, if you had a database that included the relative frequency of the crawls from different IP addresses, even search engines could start to block those addresses and shut out the spam-bots. To be really cool, definitely encode the requesting IP into the email address.
I do have a database that correlates various crawlers over time, mostly to make sure that search engines actually hit the various pages and alert me if they don't. But yeah, it would be a nice tool to correlate that info, to see if they identify with some special browser ID. Personally, I doubt that the majority does that.
> The only thing I would carefully consider at every step is not to DoS some poor home dial-up user who gets an address after an evil spammer hangs up.
That was my concern too, and to be honest, while I cannot see any possible way of the proposed scheme doing any direct inadvertent damage to home users, it's a definite possibility. Malicious users could just go ahead and spam invalid email addresses via major ISPs and thus knock out communication. I'm not totally sure how to get around that, yet.
> Now, the tricky part is to prevent fingerprinting. You don't want your site to be blacklisted by spammer-bots. [...]
True. Then... how about attaching the "additional" mails to legitimate webpages instead? I do have a few hundred, so that would be a little difficult to blacklist... and if they do, it also means they stop harvesting them... right?
> The reason we can't just turn the lights out on spam is that there are so many spammers using so many servers targeting so many people. The odds are just on their side. Your pool of fake addresses should be equally large and diverse so that a simple 20 line blacklist won't shut you down.
I thought about dynamically creating fake addresses on _real_ domains. I have a catch-all at the end of every virtual domain listing anyway, although they currently all basically only return an error "This user doesn't exist". Instead, I plan on redirecting the catch-all to a script. The major point I am concerned about: It needs to be safe enough so that no one can DoS it by spamming it via legit mailers - say, an AOL user using AOL's server sending a bunch of mails to the fake address, knowing that this will ultimately block AOL's servers.
> -Chris
Jens
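
The idea raised in this thread of encoding the requesting IP into the harvested address, with a catch-all script decoding it again, as an added example that is not part of the original post. The address layout, the HMAC tag, the key, the function names and the `example.org` domain are all assumptions made for illustration; IPv4 only.

```python
import hashlib
import hmac
import ipaddress
import time
from collections import Counter

SECRET = b"constructed-demo-key"  # assumption: server-side secret, placeholder value
TAG_LEN = 10                      # hex characters of the HMAC kept in the address


def _tag(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_trap_address(crawler_ip, domain, now=None):
    """Address to embed in the page served to crawler_ip (hypothetical layout)."""
    ip = ipaddress.IPv4Address(crawler_ip)
    ts = int(time.time()) if now is None else now
    payload = f"{int(ip):08x}{ts:08x}"   # who fetched the page, and when
    return f"u{payload}{_tag(payload)}@{domain}"


def decode_trap_address(rcpt):
    """Return (crawler_ip, issued_at) for an address we issued, else None."""
    local = rcpt.lower().partition("@")[0]
    if len(local) != 1 + 16 + TAG_LEN or not local.startswith("u"):
        return None
    payload, tag = local[1:17], local[17:]
    # Constant-time check: guessed or edited addresses fail here, so the
    # hex parsing below only ever sees payloads this site generated.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    return str(ipaddress.IPv4Address(int(payload[:8], 16))), int(payload[8:], 16)


def correlate(recipients):
    """Count catch-all hits per harvesting crawler IP, ignoring forged addresses."""
    hits = Counter()
    for rcpt in recipients:
        decoded = decode_trap_address(rcpt)
        if decoded:
            hits[decoded[0]] += 1
    return dict(hits)
```

The tag only rejects addresses that were never served by the site; mail sent to a genuinely harvested address through a legitimate relay still decodes, so the relay concern discussed above needs a separate policy decision.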