Honeypots mailing list archives
Re: Honeypot/net IDS System
From: "Michael" <michael () insulin-pumpers org>
Date: Tue, 24 Feb 2004 16:27:12 -0800
----- Original Message -----

> > I'm puzzled by everyone's interest in "fake honeypot" systems. I've run a couple of them for several years and there is almost NO traffic even though I have a bunch of email addy's on web pages for spamscrapers to find.
>
> Ah. But are they on sites that people are likely to find? Even with my modest site, I had the first honeytoken () codecutters org message within 24 hours. Of the 16,722 messages rejected by the SMTP server/honeypot, a full 7,804 have been to the two honeypot addresses. Of these, 144 messages were stopped *only* because of the address (which is basically the purpose of the honeypot, along with keeping the filters up-to-date!)
>
> All of this would be fairly pointless if the bot isn't fooled into taking the bait... ;o)
>
> Regards,
> Ian Baker
> Webmaster, codecutters.org
I think you made my point. We get about 100 or fewer legit messages a day (site traffic stats at: http://www.insulin-pumpers.org/images/traffic-ip.gif) out of roughly 3000 attempted deliveries (averages for the last 20 days). Of these, about 30-50 that slip by are spam and are re-routed to the tarpit; for all the remaining almost 3000, the remote server delivering them ends up in the tarpit. That is a substantially higher ratio than you show above. You get less than 50% efficiency; I get 98%, or basically all that can be identified as spam using DNSBLs or filtering, manual or otherwise.

The tarpit in question is not an SMTP dummy, but a true TCP/IP tarpit that slams the transmission window shut and hangs on to the server until it gives up or times out; this is sometimes days.... and... it is a single thread for all trapped messages.

The interesting thing about this tarpit is that once the IP is added to the database, since there is no more traffic, additional attempts at delivery are not even seen, so the 60k number is probably higher than indicated by quite a bit. See our stats page at http://www.spamcannibal.org/dnsbl_stats.shtml

You can see that the MTA rejects lead the tarpit stats by a fair percentage for both systems. This is the traffic where the source attempts more than one transmission before the batch job puts the IP address in the tarpit. There is an average 7-10 minute access delay caused by the cron tasks that run every 15 and 20 minutes, respectively, on the two systems to check for bad IP addresses.

Michael
Michael () Insulin-Pumpers org
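An added illustration (not code from this thread or from the spamcannibal project) of the two mechanisms Michael describes: the reversed-octet DNSBL lookup an MTA performs before accepting a delivery, and the periodic batch job that moves rejected source addresses into the tarpit database. The zone name, the resolver stub and the addresses (RFC 5737 documentation ranges) are constructed placeholders.

```python
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed placeholder zone and answers; 192.0.2.10 is "listed" in this stub only.
ZONE = "dnsbl.example.invalid"
FAKE_ANSWERS: Dict[str, str] = {
    "10.2.0.192." + ZONE: "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a real A-record lookup: the address, or None for NXDOMAIN."""
    return FAKE_ANSWERS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name an MTA queries, e.g. 10.2.0.192.<zone> for 192.0.2.10."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Callable[[str], Optional[str]] = fake_resolve) -> bool:
    """A DNSBL answers a listed address with an A record inside 127.0.0.0/8; NXDOMAIN means
    not listed. An answer outside 127/8 is treated as a broken or wildcarded zone, not a listing."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def tarpit_batch(rejected_sources: Iterable[str], tarpit_db: Set[str]) -> List[str]:
    """The periodic cron job: every source the MTA rejected since the last run that is not
    already in the tarpit database is added. Returns the newly added addresses, sorted.
    A source that retries several times before the job runs produces several MTA rejects
    but only one tarpit entry, which is why MTA reject counts lead the tarpit counts."""
    counts = Counter(rejected_sources)
    new = sorted(ip for ip in counts if ip not in tarpit_db)
    tarpit_db.update(new)
    return new


if __name__ == "__main__":
    # Constructed reject log: one source retried three times before the batch ran.
    rejected = ["192.0.2.10", "192.0.2.10", "192.0.2.10", "203.0.113.5"]
    db: Set[str] = set()
    print(is_listed("192.0.2.10", ZONE), is_listed("203.0.113.5", ZONE))  # True False
    print(tarpit_batch(rejected, db))  # ['192.0.2.10', '203.0.113.5']
    print(tarpit_batch(rejected, db))  # [] -- already trapped, so nothing new is added
```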