Honeypots mailing list archives
Re: Honeypots
From: "Michael" <michael () insulin-pumpers org>
Date: Tue, 20 Jan 2004 10:54:02 -0800
Michael,

Very interesting idea - apparently a wholly legal passive "attack". One thing that I would question (simply because I couldn't find the documentation) is how the blocking-list is determined - there are several ways. There are mentions of WHOIS and DNS lookup (MX?) - I'd be interested to know more.

Regards,
Ian Baker
Webmaster, codecutters.org
There are several methods. There is a common configuration file for Net::DNSBL::MultiDnsbl and the SpamCannibal cron script sc_BLcheck.pl, which checks incoming IPs that are stored by the dbtarpit daemon. 'multidnsbl' is used in place of RBL checks in the MTA. The action for the MTA is usually configured to bounce the messages tagged by 'multidnsbl'. The action of sc_BLcheck.pl is to place the suspect IP address into the dbtarpit 'tarpit' database. (sc_BLpreen removes it if a subsequent check detects a correction.)

Criteria:
  presets: always fail by IP, CIDR, Country
  conditional: allowed DNSBL reply, in-addr.arpa failure

All of this is in the sample configuration file in the distribution, sc_Blacklist.conf.sample

In addition to these automated tarpit actions, spam that gets through to the master user as either a bounce return with attached message or direct spam can be emailed to a "spam" user for auto addition to the tarpit database. These manual additions are permanent until removed by the administrator. Admin tools allow addition of CIDR blocks from 2 to 256 as well as general database tweaking.

Michael
----- Original Message -----
From: "Michael" <michael () insulin-pumpers org>
To: <honeypots () securityfocus com>
Sent: Tuesday, January 20, 2004 1:33 AM
Subject: Re: Honeypots

SpamCannibal blocks spam at the origination server and can be configured to block DoS attacks. SpamCannibal uses a continually updated database containing the IP addresses of spam or DoS servers and blocks their ability to connect using a TCP/IP tarpit, ideally bringing the spam server to a virtual halt for a long time or perhaps indefinitely. This effectively eliminates the network traffic to your site because the spam never leaves the origination server. Widely deployed, SpamCannibal can help eliminate spam from the internet.

The operative piece of this gadget is IPTables::IPv4::DBTarpit, a module based on Linux IPTABLES that uses the BerkeleyDB database to store IP addresses and other selected information about spammers.

Full documentation for SpamCannibal and all the modules is on the SpamCannibal home page and everything is downloadable from CPAN. Prerequisites on the DOWNLOAD page of http://www.spamcannibal.org
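The blocklist logic Michael describes for sc_BLcheck.pl (unconditional presets by IP/CIDR, a conditional hit only when a DNSBL returns an allowed reply or the in-addr.arpa lookup fails, and sc_BLpreen releasing entries that later check clean) as an added Python sketch. This is not SpamCannibal's code: the configuration structures, the rule that any single conditional hit tarpits, the example.net/example.org zones and the TEST-NET addresses are all assumptions, country presets are omitted, and DNS is stubbed with a table so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed configuration, loosely modelled on the criteria in the post; the
# structures and combination rule are assumptions, not the real
# sc_Blacklist.conf.sample format. Country presets are omitted (no geo data).
ALWAYS_FAIL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]
# DNSBL zone -> A-record replies that count as a listing ("allowed DNSBL reply").
DNSBLS = {"bl.example.net": {"127.0.0.2"}, "dul.example.org": {"127.0.0.2", "127.0.0.3"}}

Resolver = Callable[[str], Optional[str]]  # qname -> rdata, or None on NXDOMAIN

def dnsbl_qname(ip: str, zone: str) -> str:
    """Reverse the octets, DNSBL style: 203.0.113.5 -> 5.113.0.203.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_ip(ip: str, resolve_a: Resolver, resolve_ptr: Resolver) -> List[str]:
    """Return the reasons an IP should be tarpitted; an empty list means clean."""
    addr = ipaddress.ip_address(ip)
    for net in ALWAYS_FAIL:
        if addr in net:
            return [f"preset:{net}"]  # presets are unconditional
    reasons = []
    for zone, accepted in DNSBLS.items():
        reply = resolve_a(dnsbl_qname(ip, zone))
        if reply in accepted:  # other reply codes (e.g. test entries) are ignored
            reasons.append(f"dnsbl:{zone}={reply}")
    if resolve_ptr(addr.reverse_pointer) is None:  # in-addr.arpa failure
        reasons.append("in-addr.arpa:no PTR")
    return reasons

def preen(tarpit: Dict[str, List[str]], resolve_a: Resolver, resolve_ptr: Resolver) -> List[str]:
    """Re-check tarpitted IPs and drop those that now come back clean (cf. sc_BLpreen)."""
    released = [ip for ip in tarpit if not check_ip(ip, resolve_a, resolve_ptr)]
    for ip in released:
        del tarpit[ip]
    return released

def make_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: answers come from a constructed table."""
    return lambda name: table.get(name)

# Constructed DNS answers standing in for live lookups.
FAKE_A = {"5.113.0.203.bl.example.net": "127.0.0.2",    # listed, accepted reply
          "9.113.0.203.dul.example.org": "127.0.0.255"}  # listed, reply not accepted
FAKE_PTR = {"5.113.0.203.in-addr.arpa": "mx.example.com",
            "20.113.0.203.in-addr.arpa": "mx2.example.com"}

if __name__ == "__main__":
    a, p = make_resolver(FAKE_A), make_resolver(FAKE_PTR)
    for ip in ("192.0.2.10", "203.0.113.5", "203.0.113.9", "203.0.113.20"):
        print(ip, check_ip(ip, a, p) or "clean")
```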