ietf-asrg

Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...) honeypot plug

2003-04-07 06:01:33
At 08:42 PM 4/6/2003 -0700, you wrote:

> And the honey pot has to continue to work once spammers implement their "test every N'th email to make sure the relay is still working" code widely. Once honeypots become common, so will anti-honeypot technology. And I think honeypots are easier to work around than they are to protect from spammers hunting them; their greatest advantage now is they're rare enough that most spammers probably aren't worrying about them much yet.


First the spammers have to do that. I delivered something like three test messages in February. I trapped spam into March from the spammer - all that while I wasn't even delivering his subsequent test messages. Nonetheless he continued to send spam. There are dumb spammers, and last year Ralsky was one of them. He trusted the Moscow honeypot so much he used to relay reports from spam servers to himself.

I basically only trap relay test messages - I don't routinely deliver them. The ones in February were to see what spam would follow if I did deliver the message. The only defense I can see against a system that traps relay test messages is to stop testing it. If it IP hops then eventually the only defense is to stop testing that entire IP range. That's what I want - it is a success for me. The spammer has a measure of protection if he relay tests through an open proxy - I don't know his real IP if he does that - but his dropbox address still is a vulnerability. An open proxy honeypot can be the spammer's downfall in this case.

What you did by accident can be done on purpose. The spammer found you quickly because he constantly sends relay tests (the sendmail logs should reveal the source IP and the destination of the test - look for the first relayed message through it.) The speed with which the spammer found your new open relay and abused it is his vulnerability - anybody with a spare IP in the range the spammer tests to find open relays can catch him as soon as he sends his test.

I'll also note that although there are something like 18 known vulnerabilities for an MTA what I trap is tests looking for the simplest vulnerability: plain old open relay. The spammers would be far more obvious if they did all 18 tests. I can't prove I'm not on a re-test list (check to see if the IP is still open.)

As a side note I'm happy to see I've been tested again today by the spammer whose test I delivered in February. Short memory, perhaps. Test from 162.39.58.75, to jela(_at_)borovo(_dot_)net.

> So if you have a honey pot, how do you make it tempting to a spammer who's going to test that it's working, while still making it effective as a honeypot? Assume, for instance, that the spammer has, say, 50 AOL accounts, 100 hotmail accounts, and 100 MSN accounts, all of which forward to his real hideaway, and he tests a honeypot by sending every rand(5000) email to one of his own tester addresses and validates it gets delivered. If too many disappear, he shuts down use of the address and goes elsewhere....


Cross that bridge when I come to it. Fred Woods is working on a central database of spammed IP addresses. If the spammer re-uses his captive address frequently that address will show up as being hit more often. Once you know his captive address you make sure to deliver the spam to him. It's not likely to be an AOL address - AOL stops incoming spam so he won't know if the relay stopped the spam or if AOL did. I also in many ways don't care - the goal is to end spam, not to trap spam in honeypots. If the spammer is chased away from an IP and ultimately from a range of IPs then that is a win. That would mean you could have a true open relay and not have it abused because all of the spammers know not to test the IP. (I don't advocate having a true open relay - I'm just illustrating the desirability of the effect.) If ISPs would learn about relay tests (it's shocking and a shame that they don't inherently know about them) then reporting a relay test would get the spammer account closed (at a minimum.) If ISPs really learned about relay (and proxy) tests they'd act against tests from and to their space - that would make honeypots trivial and unnecessary.

If ISPs got truly clued then when a honeypot detected a spammer's captive address the ISP could do creative things when that address was reported to the ISP. Right now most ISPs, if they do anything, just close the account. I'd far prefer they would leave the account open but divert email addressed to that account elsewhere (like /dev/null, as far as the spammer knows.) That way the spammer would waste some tests before he finally figured out the diversion. The ISP could also go back through its logs and know every open relay the spammer found using that dropbox address.

I'm anti-spammer. I look for ways to interfere with spammers. That I can do it using an ordinary .edu system and my home system (which isn't tested very often at the moment) is a big clue that the same approach can be used almost anywhere.


This trapped message puzzles me. It's probably a test but my IP is well hidden if it is. Maybe it's in the sender name or the X-Precedence-Ref. The Message-Id was added by my MTA - nothing there:

Received: from colo-enc.mazmed.net by X.X.X; Sat, 5 Apr 03 05:51 CST
Message-Id: <33040505512327(_at_)X(_dot_)X(_dot_)X>
Date: Sat, 5 Apr 2003 03:59:02 -0800
From: mike0123891128632(_at_)yahoo(_dot_)com
Subject: Reduce Your Holiday Debt
To: ghfjghfj(_at_)aol(_dot_)com
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Precedence-Ref: 1234056789zxcvbnmlkj
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit


<a href="http://ecomms.org/debt/?N=30010"><img src="http://ecomms.org/ad-110.jpg"></a><BR><BR><A HREF="http://ecomms.org/remove/">remove


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
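The post describes two things a relay honeypot operator wants from the trapped traffic: the source IP and destination of the first relayed message through the relay (which the author says the sendmail logs reveal), and a tally of how often a spammer's captive "dropbox" address is hit so that reused addresses stand out. Below is an added example in Python that does both over messages as the honeypot captured them; it is not code from the post, from the ASRG list, or from Fred Woods' database. The sample messages, the honeypot domain `honeypot.example`, and the `Received:` header shape (with the client IP in square brackets) are constructed, and the classification rule, one recipient at a non-local domain means relay test, is an assumption of the example, not a rule the post states.

```python
"""Flag relay-test messages trapped by an open-relay honeypot and tally
dropbox reuse.  Added example; the messages below are constructed."""
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

LOCAL_DOMAINS = {"honeypot.example"}  # hypothetical: mail for these is not relayed

# Constructed captures.  The first Received: line is the one our own MTA
# stamped, so the bracketed IP is the client that connected to the honeypot.
TRAPPED = [
"""Received: from mx (tester.example.net [203.0.113.10]) by honeypot.example; Sat, 5 Apr 2003 11:12:00 -0600
From: mike0123@example.com
To: dropbox@webmail.example
Subject: test
Date: Sat, 5 Apr 2003 09:12:00 -0800

second test from the same tester
""",
"""Received: from mx (tester.example.net [203.0.113.10]) by honeypot.example; Sat, 5 Apr 2003 05:51:00 -0600
From: mike0123@example.com
To: dropbox@webmail.example
Subject: test
Date: Sat, 5 Apr 2003 03:50:00 -0800

first test: this is the one to pull from the logs and report
""",
"""Received: from other (proxy.example.org [198.51.100.7]) by honeypot.example; Sun, 6 Apr 2003 02:00:00 -0600
From: someone@example.net
To: dropbox@webmail.example
Subject: hi
Date: Sun, 6 Apr 2003 00:00:00 -0800

same dropbox, different tester IP (an open proxy, say)
""",
"""Received: from mx (tester.example.net [203.0.113.10]) by honeypot.example; Sat, 5 Apr 2003 12:00:00 -0600
From: mike0123@example.com
To: a@x.example, b@y.example, c@z.example
Subject: Reduce Your Holiday Debt
Date: Sat, 5 Apr 2003 10:00:00 -0800

the spam run that follows a successful test: many recipients, not a test
""",
"""Received: from pc (home.example.com [192.0.2.5]) by honeypot.example; Sat, 5 Apr 2003 13:00:00 -0600
From: friend@example.com
To: admin@honeypot.example
Subject: hello
Date: Sat, 5 Apr 2003 11:00:00 -0800

ordinary local delivery, never relayed
""",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_trapped(raw):
    """Extract client IP, recipients, sender and timestamp from one capture."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    m = IP_RE.search(received[0]) if received else None
    rcpts = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return {
        "ip": m.group(1) if m else None,
        "rcpts": [r.lower() for r in rcpts],
        "from": parseaddr(msg.get("From", ""))[1].lower(),
        "ts": parsedate_to_datetime(msg["Date"]),
    }


def is_relay_test(rec):
    """Assumed rule: exactly one recipient, and it is not one of ours, i.e. the
    honeypot accepted mail for a foreign domain (a relay) sent to a single
    address (the spammer's own dropbox).  A spam run has many recipients."""
    if len(rec["rcpts"]) != 1:
        return False
    domain = rec["rcpts"][0].rpartition("@")[2]
    return domain not in LOCAL_DOMAINS


def analyze(raws):
    """Tally dropbox hits, which tester IPs hit each dropbox, and the earliest
    relayed message per tester IP (the source/destination pair to report)."""
    hits = Counter()
    testers = defaultdict(set)
    first_seen = {}
    for rec in (parse_trapped(r) for r in raws):
        if not is_relay_test(rec):
            continue
        box = rec["rcpts"][0]
        hits[box] += 1
        testers[box].add(rec["ip"])
        if rec["ip"] not in first_seen or rec["ts"] < first_seen[rec["ip"]]["ts"]:
            first_seen[rec["ip"]] = rec
    return {
        "hits": dict(hits),
        "testers": {box: sorted(ips) for box, ips in testers.items()},
        "first_seen": {ip: (r["ts"].isoformat(), r["rcpts"][0]) for ip, r in first_seen.items()},
    }


if __name__ == "__main__":
    for key, value in analyze(TRAPPED).items():
        print(key, value)
```

The `first_seen` entry for each tester IP is the source-and-destination pair the post suggests pulling from the sendmail logs and reporting; `testers` shows a dropbox being hit from more than one source, which is what a shared database of captive addresses would surface even when the tester hides behind an open proxy.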