ietf-asrg

Re: Relay honeypots (RE: [Asrg] define spam)

2003-04-06 05:43:27
At 02:22 PM 4/4/2003 -0500, you wrote:

Given that blacklisters range from those who block the IP to those who block an entire range of IPs, and given that you are depending on blacklisters testing for delivery and not just existence, and given that the detection process has to be manual and has to distinguish between blacklister tests and spammer tests, I don't think you are going to find a lot of people willing to set up honeypots of this type.

This is ASRG, of IETF. I take the "engineering" seriously. I'm a chemist, not an engineer, but I worked several years in an engineering group that designed a product - a scientific instrument. I have some concept of what engineering is. Sometimes engineers do a superficial analysis of the problem and then leap into implementation of a solution that appears useful, based on that analysis. Often the solution an engineer chooses is one that can be characterized as having complexity that is directly related to the types of things the engineer wants to do. That isn't necessarily good engineering. I'm as guilty as anyone: my first honeypot efforts arose from a quick analysis and were strongly influenced by my desires: I wanted to do as little as possible to achieve a solution. I put no effort at that time into analysis of the overall problem: I just wanted to make a system, one that I couldn't easily or cheaply secure the standard way, stop relaying spam. Since I couldn't make it not accept the spam, I chose to make it not deliver the spam. That worked, and that led to a fuller understanding of the concept and of the overall problem. Most of the analysis I did was after implementation. It's still good analysis. It deserves attention.

The psychology you describe is interesting, may even be pertinent, but I ask that such considerations be removed from the engineering aspects while the value of a method is being considered. Honeypots, implemented properly, are 100% effective in stopping spam and 100% effective in avoiding collateral damage. They may succeed in identifying the IP a spammer is using (this now more likely happens with open proxy honeypots), which can allow notice to the spammer's ISP and possible termination of the spammer. In any case a full honeypot, in operation, may succeed in stopping significant amounts of spam. This is spam directed at others, but it can be several orders of magnitude greater than the spam that would go to the operator of that honeypot, were it to have a published email address. Tremendously successful honeypots have been implemented using laughable equipment: a 100 MHz 486 DX4, a 120 MHz Pentium. Email is an old application; it ran on old systems. Honeypots are not computationally intensive - they can run on about anything that boots and has a network connection. If I could get Linux running on my old 16 MHz, 4 Mb 386 I have no doubt I could run a successful honeypot on it. On something that old I'd just run sendmail -bd. That system isn't important - the importance lies in the very low resource requirements for a honeypot. Just as significantly, millions of Windows users can run Jackpot - they have no MTA, port 25 is not being used for any real application, their systems have no SMTP receiver function. The resource requirements are low, there are millions of potential systems for use, the software is small and easily downloaded - the honeypot approach deserves full attention.

For a huge portion of current spam open relays and open proxies are used. From an engineering standpoint it is useful (perhaps necessary) to know how spammers find and then abuse open resources. As it is close to the most trivial thing possible to detect the tests used by spammers it would seem that any serious effort at stopping spam would include a significant effort toward that detection. Just this morning I captured a relay test that looks different from any I've captured before. With two honeypots (home and "work") I'm not likely to see all forms of relay test. I think serious anti-spammers should know all the ways spammers use to detect open relays. In a sense there's only one: send a test message and see what happens, but there are differences in the test messages. Knowing more about those differences means you know more about the spammers. Quite possibly it could be seen that there were clusters of spammers - some who used one form of relay test, some who used another. This might help in learning more about which spammers are associated with other spammers. It might not, of course - some simply could be using the same purchased tool. Still, watching relay tests is watching spammers. That's worth doing.

So, if the psychology is ignored, what is the value of honeypots? The value may only accrue to those who don't succumb to the psychology - what value is there to those brave souls who choose to run honeypots? If there were 10,000 of them would they make a big difference? 100? 1000? 10? The 100 MHz 486 DX4 crippled Ralsky's Dallas operation for a while - that was one honeypot. The situation may have been unique and may never occur again, but the significance of that success needs to be appreciated. Is there any other way that a major spammer has been driven off 3 different ISPs in one weekend on the basis of the information gathered by a single computer? (By the way: the 486 DX4 had other tasks as well - the honeypot didn't consume or need all its resources.)

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
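The post argues that a relay honeypot's real value lies in the relay tests it captures, and that the operator has to tell blacklister tests apart from spammer tests and notice when tests differ in form. The script below is an added example for this thread, not code from the post's author, Jackpot, or ASRG. It analyses a honeypot's own session log after the fact and never delivers or sends anything; it only reports. Everything in it is assumed or constructed: the one-line-per-session log format, the `LOCAL_DOMAINS` the honeypot accepts mail for, the `KNOWN_TESTERS` addresses standing in for a blacklist's published probe hosts, and the sample sessions themselves (all documentation-range addresses). It flags sessions whose recipient is not local (a relay attempt) and clusters them by the shape of the test rather than its literal values, which is what lets tests from one tool group together.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Domains the honeypot legitimately accepts mail for (assumption: constructed).
LOCAL_DOMAINS = {"honeypot.example"}

# Source addresses of relay testers the operator has chosen to trust, e.g. a
# blacklist's published probe hosts (constructed placeholders, not real hosts).
KNOWN_TESTERS = {"192.0.2.10"}

# Constructed sample log: one line per SMTP session as the honeypot might record it.
SAMPLE_LOG = """\
2003-04-06T05:12:01 ip=198.51.100.23 helo=mail.honeypot.example from=<> rcpt=<postmaster@honeypot.example> subj="hello"
2003-04-06T05:12:44 ip=203.0.113.7 helo=203.0.113.7 from=<relaytest@203.0.113.7> rcpt=<relaytest@203.0.113.7> subj="203.0.113.7 relay test"
2003-04-06T05:13:02 ip=203.0.113.8 helo=203.0.113.8 from=<relaytest@203.0.113.8> rcpt=<relaytest@203.0.113.8> subj="203.0.113.8 relay test"
2003-04-06T05:20:15 ip=192.0.2.10 helo=probe.tester.example from=<probe@tester.example> rcpt=<probe@tester.example> subj="open relay probe 20030406"
2003-04-06T05:31:40 ip=203.0.113.55 helo=yahoo.com from=<user1234@yahoo.com> rcpt=<drop@mailbox.example> subj="Re: your account"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) helo=(?P<helo>\S+) '
    r'from=<(?P<from>[^>]*)> rcpt=<(?P<rcpt>[^>]*)> subj="(?P<subj>[^"]*)"$'
)


@dataclass
class Session:
    ts: str
    ip: str
    helo: str
    sender: str
    rcpt: str
    subject: str


def parse_log(text):
    """Parse the constructed log format; unparseable lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions.append(Session(m['ts'], m['ip'], m['helo'],
                                    m['from'], m['rcpt'], m['subj']))
    return sessions


def is_relay_attempt(s):
    """A session is a relay attempt when the recipient's domain is not ours."""
    domain = s.rcpt.rpartition('@')[2].lower()
    return domain not in LOCAL_DOMAINS


def fingerprint(s):
    """Reduce a test to its shape (how HELO, sender/recipient and subject are
    built) rather than its literal values, so one tool's tests cluster together."""
    ip_literal = re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', s.helo) is not None
    helo_kind = "helo=ip-literal" if ip_literal else "helo=name"
    loop = "sender==rcpt" if s.sender.lower() == s.rcpt.lower() else "sender!=rcpt"
    subj = s.subject.lower().replace(s.ip, 'IP')   # the probe's own IP -> IP
    subj = re.sub(r'\d+', 'N', subj)              # other numbers -> N
    return (helo_kind, loop, subj)


def classify(sessions):
    """Group relay attempts by fingerprint and report the source IPs of each
    cluster, marking clusters that come only from trusted testers."""
    clusters = defaultdict(list)
    for s in sessions:
        if is_relay_attempt(s):
            clusters[fingerprint(s)].append(s)
    report = {}
    for fp, group in clusters.items():
        ips = sorted({s.ip for s in group})
        report[fp] = {
            "count": len(group),
            "ips": ips,
            "known_tester": all(ip in KNOWN_TESTERS for ip in ips),
        }
    return report


if __name__ == "__main__":
    for fp, info in classify(parse_log(SAMPLE_LOG)).items():
        tag = "trusted tester" if info["known_tester"] else "UNKNOWN"
        print(f"{fp}: {info['count']} session(s) from {info['ips']} [{tag}]")
```

On the sample, the two sessions with an IP-literal HELO, a sender equal to the recipient and a "<ip> relay test" subject collapse into one cluster from two unknown hosts, the trusted probe lands in its own cluster, and the ordinary-looking message to an outside mailbox forms a third: that third one is the relay attempt that is not a test at all. Fingerprint fields are deliberately coarse; adding a new field (for example the sender local-part's shape) is how you would react to a test form you have not seen before.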