At 10:06 AM 4/9/2003 +0100, Matt Sergeant wrote:
> I don't see how an open proxy honeypot would work. With an open relay
> honeypot you can deliver the test message at any later time. An open proxy
> probe is realtime.
The open proxy may get two types of use: the spammer may try to test
other IPs through it to see if they are open relays or he might try to send
spam through it to known open relays. The second is easy: simulate
acceptance by the other IP of the email - the spammer is happy, the spam
becomes trapped on the open proxy honeypot. The same almost works for the
first case but the spammer never receives the test message - it's a
NOP. For open relays the spammer sends a message to himself - there are two
data points that tell him the IP is an open relay: the IP accepts the test
message and the IP delivers the test message. For a proxy the spammer just
checks to see that it looks like he reaches something else through it - I've
logged empty SMTP transactions (HELO, QUIT) from large numbers of IPs that
are probably the SMTP end of proxy tests. If the proxy connects to an SMTP
honeypot it will look open to the spammer, it will look successful to the
spammer when he sends spam (if he doesn't check delivery in any way.)
If the spammer is trying to send direct to the destination through the open
proxy that's still SMTP and the SMTP honeypot connected to the open proxy
honeypot still deceives.
As a bonus you may learn the spammer's own IP, if he connected to you
direct instead of through another open proxy (some spamware provides for a
chain of proxies.) To be complete (third type) it looks like the open
proxy honeypot might need to simulate proxy operation at a target IP as
well as simulate SMTP operation there. The main point is that if you have
the spammer's IP that plus what you trapped is solid evidence he is
committing abuse - his ISP should nuke him. Note that if there are open
proxy honeypots the spammer increases the chance he'll hit one if he uses a
chain of proxies. His chance of hitting a proxy honeypot first, from his
own IP, stays the same but he has a higher probability of failed spamming
through a chain of proxies, about in proportion to the length of the
chain. I'd guess for US spammers that use a chain of proxies the first
proxy would typically be offshore, Brazil being a good guess as to where.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
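The SMTP side of the deception described in the message above, as an added example that is not part of the original post or of any ASRG or IETF code: a minimal SMTP sink of the kind an open proxy honeypot would forward connections to. It answers every MAIL, RCPT and DATA with a success code so a spammer testing or sending through the proxy sees an apparently open relay, swallows the message instead of relaying it, and labels sessions that consist only of HELO/EHLO and QUIT as probable proxy probes. The hostname, the peer address, and the two client transcripts are constructed for the example; the classification labels are this example's own.

```python
"""Minimal SMTP sink for pairing with an open-proxy honeypot (added example).

Accepts anything that looks like mail, never forwards it, and keeps each
session so it can be classified afterwards: a trapped delivery, a bare
HELO/QUIT probe, or a transaction the client abandoned.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

HOSTNAME = "honeypot.example.invalid"   # assumed name for the sink itself


@dataclass
class Session:
    """Per-connection record: peer, commands seen, and any 'delivered' mail."""
    peer: str                                    # IP the connection came from
    commands: list = field(default_factory=list)
    sender: Optional[str] = None
    recipients: list = field(default_factory=list)
    trapped: list = field(default_factory=list)  # (sender, recipients, body)
    in_data: bool = False
    body: list = field(default_factory=list)
    quit: bool = False


_ADDR = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


def handle_line(sess: Session, line: str) -> str:
    """Feed one client line; return the server reply ('' while collecting body)."""
    if sess.in_data:
        if line == ".":
            sess.in_data = False
            sess.trapped.append((sess.sender, list(sess.recipients), "\n".join(sess.body)))
            sess.sender, sess.recipients, sess.body = None, [], []
            return "250 2.0.0 OK: queued"        # the lie: nothing is queued or relayed
        # RFC 5321 dot-unstuffing of body lines
        sess.body.append(line[1:] if line.startswith("..") else line)
        return ""

    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    sess.commands.append(verb)

    if verb in ("HELO", "EHLO"):
        return f"250 {HOSTNAME}"
    if verb == "MAIL":
        m = _ADDR.search(arg)
        sess.sender = m.group(1) if m else ""
        return "250 2.1.0 OK"
    if verb == "RCPT":
        m = _ADDR.search(arg)
        sess.recipients.append(m.group(1) if m else arg)
        return "250 2.1.5 OK"                    # any recipient accepted: looks open
    if verb == "DATA":
        if not sess.recipients:
            return "503 5.5.1 RCPT first"
        sess.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "RSET":
        sess.sender, sess.recipients = None, []
        return "250 2.0.0 OK"
    if verb == "NOOP":
        return "250 2.0.0 OK"
    if verb == "QUIT":
        sess.quit = True
        return f"221 {HOSTNAME} closing"
    return "502 5.5.2 Command not implemented"


def classify(sess: Session) -> str:
    """Label a finished session: trapped spam, bare probe, or abandoned."""
    if sess.trapped:
        return "trapped"       # spam accepted and swallowed
    if set(sess.commands) <= {"HELO", "EHLO", "NOOP", "QUIT"}:
        return "probe"         # HELO/QUIT only: likely the SMTP end of a proxy test
    return "incomplete"        # started a transaction but never finished it


def run_transcript(peer: str, client_lines):
    """Drive a session from client lines; return the session and all replies."""
    sess = Session(peer=peer)
    replies = [f"220 {HOSTNAME} ESMTP"]
    for line in client_lines:
        reply = handle_line(sess, line)
        if reply:
            replies.append(reply)
    return sess, replies


# Constructed transcripts, not captured traffic.
PROBE = ["HELO scanner.example", "QUIT"]
SPAM = [
    "EHLO relay-test.example",
    "MAIL FROM:<bulk@sender.example>",
    "RCPT TO:<victim@target.example>",
    "DATA",
    "From: bulk@sender.example",
    "Subject: test",
    "",
    "..leading dot is unstuffed",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for name, lines in (("probe", PROBE), ("spam", SPAM)):
        sess, replies = run_transcript("203.0.113.7", lines)
        print(name, "->", classify(sess), "| last reply:", replies[-1])
```

In a real deployment the sink would sit on the inside of the proxy honeypot, and the peer address logged would be the proxy's client, which is the evidence the post says an ISP needs; the body and recipients kept in `trapped` are the trapped spam.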