Honeypots mailing list archives

Re: Using specialized honeypots to build up-to-date spam blacklists?


From: "Jens Knoell" <jens () ing twinwave net>
Date: Mon, 29 Sep 2003 07:21:23 -0600

Hi Chris,

On Monday, September 29, 2003 2:56 [GMT-7], Meidinger Chris wrote:
> Hi Jens,
>
> the idea is _very_ interesting. I particularly like that you can
> correlate the crawler bot's IP with the spam. Perhaps these don't
> change that often. Who knows? Theoretically, if you had a database
> that included the relative frequency of the crawls from different IP
> addresses, even search engines could start to block those addresses
> and shut out the spam-bots. To be really cool, definitely encode the
> requesting IP into the email address.

I do have a database that correlates various crawlers over time, mostly to
make sure that search engines actually hit the various pages and alert me if
they don't. But yeah, it would be a nice tool to correlate that info, to see
if they identify with some special browser ID. Personally, I doubt that the
majority does that.

> The only thing I would carefully consider at every step is not to DoS
> some poor home dial-up user who gets an address after an evil spammer
> hangs up.

That was my concern too, and to be honest, while I cannot see any possible
way of the proposed scheme doing any direct inadvertent damage to home users,
it's a definite possibility. Malicious users could just go ahead and spam
invalid email addresses via major ISPs and thus knock out communication.
I'm not totally sure how to get around that, yet.

> Now, the tricky part is to prevent fingerprinting. You don't want
> your site to be blacklisted by spammer-bots.
> [...]

True. Then... how about attaching the "additional" mails to legitimate
webpages instead? I do have a few hundred, so that would be a little
difficult to blacklist... and if they do, it also means they stop harvesting
them... right?

> The reason we can't just turn the lights out on spam is that there
> are so many spammers using so many servers targeting so many people.
> The odds are just on their side. Your pool of fake addresses should
> be equally large and diverse so that a simple 20 line blacklist won't
> shut you down.

I thought about dynamically creating fake addresses on _real_ domains. I
have a catch-all at the end of every virtual domain listing anyway, although
they currently all basically only return an error "This user doesn't exist".
Instead, I plan on redirecting the catch-all to a script.

The major point I am concerned about: It needs to be safe enough so that
no one can DoS it by spamming it via legit mailers - say, an AOL user using
AOL's server sending a bunch of mails to the fake address, knowing that this
will ultimately block AOL's servers.

> -Chris

Jens
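One way to build the "encode the requesting IP into the email address" idea together with the catch-all script, as an added example that is not code from either poster: the local part carries the crawler's IPv4 address and an issue time sealed with a truncated HMAC, so a message to a made-up user at the domain decodes to nothing and creates no blacklist entry, and a genuine hit records both the harvesting crawler and the sending MTA rather than listing the MTA alone. The secret, domain and addresses below are constructed for the demo.

```python
import base64, hashlib, hmac, ipaddress, struct, time

# Constructed demo values; in real use the secret stays private to the trap host.
SECRET = b"constructed-demo-secret-do-not-reuse"
DOMAIN = "example.net"


def make_trap_address(crawler_ip, issued_at=None, secret=SECRET, domain=DOMAIN):
    """Local part = base32(IPv4 || issue time || 8-byte HMAC tag). The tag means an
    address that was never handed out cannot be forged or guessed."""
    if issued_at is None:
        issued_at = int(time.time())
    packed = ipaddress.IPv4Address(crawler_ip).packed + struct.pack(">I", issued_at)
    tag = hmac.new(secret, packed, hashlib.sha256).digest()[:8]
    local = base64.b32encode(packed + tag).decode().rstrip("=").lower()
    return f"{local}@{domain}"


def decode_trap_address(addr, secret=SECRET, domain=DOMAIN):
    """Return (crawler_ip, issued_at) for a genuine trap address, else None."""
    local, _, dom = addr.strip().lower().partition("@")
    if dom != domain:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:  # not base32 at all: a typo or a random guess
        return None
    if len(raw) != 16:
        return None
    packed, tag = raw[:8], raw[8:]
    expected = hmac.new(secret, packed, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return str(ipaddress.IPv4Address(packed[:4])), struct.unpack(">I", packed[4:])[0]


def classify_hit(recipient, sender_mta_ip):
    """Catch-all hook: only mail to a sealed trap address is recorded, and the
    record ties the sending MTA to the crawler that harvested the address, so a
    stray message to an unknown user at the domain never creates an entry."""
    decoded = decode_trap_address(recipient)
    if decoded is None:
        return None  # unknown user: bounce as before, no blacklist action
    harvester_ip, issued_at = decoded
    return {"harvester_ip": harvester_ip, "issued_at": issued_at,
            "sender_mta_ip": sender_mta_ip, "recipient": recipient}
```

This does not stop someone from mailing an address that really was harvested; it only removes the cheap variant of the attack where arbitrary invalid addresses are sprayed at the domain through a legitimate relay.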
