
Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...) honey pot plug

2003-04-09 03:50:00
At 10:06 AM 4/9/2003 +0100, Matt Sergeant wrote:

> I don't see how an open proxy honeypot would work. With an open relay honeypot you can deliver the test message at any later time. An open proxy probe is realtime.

The open proxy may get two types of use: the spammer may try to test other IPs through it to see if they are open relays, or he might try to send spam through it to known open relays. The second is easy: simulate acceptance by the other IP of the email - the spammer is happy, and the spam becomes trapped on the open proxy honeypot. The same almost works for the first case, but the spammer never receives the test message - it's a NOP. For open relays the spammer sends a message to himself - there are two data points that tell him the IP is an open relay: the IP accepts the test message and the IP delivers the test message. For a proxy the spammer just checks to see that it looks like he reaches something else through it - I've logged empty SMTP transactions (HELO, QUIT) from large numbers of IPs that are probably the SMTP end of proxy tests. If the proxy connects to an SMTP honeypot it will look open to the spammer, and it will look successful to the spammer when he sends spam (if he doesn't check delivery in any way).

If the spammer is trying to send direct to the destination through the open proxy, that's still SMTP, and the SMTP honeypot connected to the open proxy honeypot still deceives.

As a bonus you may learn the spammer's own IP, if he connected to you direct instead of through another open proxy (some spamware provides for a chain of proxies). To be complete (third type), it looks like the open proxy honeypot might need to simulate proxy operation at a target IP as well as simulate SMTP operation there. The main point is that if you have the spammer's IP, that plus what you trapped is solid evidence he is committing abuse - his ISP should nuke him. Note that if there are open proxy honeypots, the spammer increases the chance he'll hit one if he uses a chain of proxies. His chance of hitting a proxy honeypot first, from his own IP, stays the same, but he has a higher probability of failed spamming through a chain of proxies, about in proportion to the length of the chain. I'd guess for US spammers that use a chain of proxies the first proxy would typically be offshore, Brazil being a good guess as to where.
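The deceptive SMTP side described in the message above (answer 250 to everything, trap the mail instead of forwarding it, and log the peer) can be written as a small protocol state machine. The following is an added example, not code from the post or from any ASRG project; it is a pure-function sink with no sockets, so it runs offline, and the session transcripts, hostnames and the 198.51.100.7 address are constructed for the example. It also implements the author's observation that HELO/QUIT-only transactions are likely proxy probes by classifying each session as a probe, a partial envelope, or a trapped message.

```python
"""SMTP honeypot sink: answers like an accepting relay, records the envelope and
message, never forwards anything, and classifies the session afterwards.
Added example with constructed input; not the post's own code."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SessionRecord:
    peer_ip: str
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    messages: List[str] = field(default_factory=list)  # trapped bodies, never delivered
    commands: List[str] = field(default_factory=list)  # verbs seen, for later analysis

    def classify(self) -> str:
        """'probe' = HELO/QUIT style empty transaction, 'partial' = envelope
        but no DATA completed, 'trapped' = at least one full message captured."""
        if self.messages:
            return "trapped"
        if self.mail_from or self.rcpt_to:
            return "partial"
        return "probe"


def _addr(arg: str) -> str:
    """Pull the address out of 'FROM:<a@b>' or 'TO:<a@b>' (empty for '<>')."""
    _, _, rest = arg.partition(":")
    rest = rest.strip()
    if rest.startswith("<") and ">" in rest:
        return rest[1:rest.index(">")]
    return rest.split()[0] if rest else ""


class SmtpSink:
    """Accepts every envelope and message so the client believes it relayed."""

    def __init__(self, peer_ip: str, banner_host: str = "mx.example.test"):
        self.record = SessionRecord(peer_ip=peer_ip)  # banner_host is a constructed name
        self.banner_host = banner_host
        self.in_data = False
        self.closed = False
        self._buf: List[str] = []

    def greeting(self) -> str:
        return f"220 {self.banner_host} ESMTP ready"

    def feed(self, line: str) -> str:
        """Consume one client line and return the server reply ('' inside DATA)."""
        line = line.rstrip("\r\n")
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.record.messages.append("\n".join(self._buf))
                self._buf = []
                return "250 2.0.0 Ok: queued"  # the lie that traps the message
            # undo dot-stuffing (RFC 5321 section 4.5.2) before storing
            self._buf.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        self.record.commands.append(verb)
        if verb in ("HELO", "EHLO"):
            self.record.helo = arg.strip()
            return f"250 {self.banner_host}"
        if verb == "MAIL":
            self.record.mail_from = _addr(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            self.record.rcpt_to.append(_addr(arg))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.record.rcpt_to:
                return "503 5.5.1 Need RCPT first"  # keep a plausible relay's ordering
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.record.mail_from, self.record.rcpt_to = None, []
            return "250 2.0.0 Ok"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(peer_ip: str, client_lines: List[str]) -> SessionRecord:
    """Replay a captured client transcript through the sink and return the record."""
    sink = SmtpSink(peer_ip)
    for line in client_lines:
        sink.feed(line)
        if sink.closed:
            break
    return sink.record


# Constructed transcripts: an empty proxy-test transaction and a relay self-test.
PROBE_SESSION = ["HELO scanner.invalid", "QUIT"]
RELAY_TEST_SESSION = [
    "EHLO relaytest.invalid",
    "MAIL FROM:<probe@spammer.invalid>",
    "RCPT TO:<probe@spammer.invalid>",
    "DATA",
    "Subject: relay test 198.51.100.7",
    "",
    "..leading dot line",
    "test body",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for name, lines in (("probe", PROBE_SESSION), ("relay-test", RELAY_TEST_SESSION)):
        rec = run_session("198.51.100.7", lines)
        print(name, rec.classify(), rec.peer_ip, rec.mail_from, rec.rcpt_to)
```

The record keeps the peer address next to the trapped envelope and body, which is the pairing the message above calls solid evidence; the `classify()` result separates the HELO/QUIT probes from sessions where spam was actually handed over, so the two can be counted and reported separately.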

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
