At 01:43 PM 4/9/2003 -0600, John Fenley wrote:
> This part of one of your sentences seems to be the basis of your whole idea.
> When the spammers run out of IP addresses to test they will have found
> every real open relay as well.
Yes. If they'd stand pat and just use the ones they know then honeypots
would be very powerless, other than honeypots slipped in in place of real
open relays. You make an excellent point. I'd have pushed honeypots more
strongly earlier if I'd really known the extent of their testing that seeks
to find new open relays. Catch-22: to know I need honeypots. People could
look at their logs and report tests but they don't, and didn't when I
asked. Most people who do say something about tests seen in their logs say
they are there.
Then Michael Tokarev put up his honeypot and was trapping Ralsky spam
within a few days, "The Mushroom guy" put up his and was trapping spam at
an average rate well over 1/2 million recipients/day - the indication was
that spammers still scan for open relays, at least overseas. I can't know
whether the relay tests I capture are scans or are something else - too
little data. But there have been over 300 tests on that one system so far
this year - enough to make it reasonable to suspect the spammers still
scan. That system was SMTP dead from mid-November to Jan 3. Tests showed
up instantly once SMTP was again running. I think some must be scans.
See my problem? There's a persistent East-coast tester and an obnoxious
West-coast tester (among others), and I can't tell if they are treating me
special or not, because I have no other data points.
But you're right: if they take their list of known relays and never try to
add to it, the only way to get a honeypot going would be to substitute it
for a real open relay. Fun, worthwhile, not likely to be a killer, back
burner at best.
That's open relay honeypots. I think they heavily scan for open proxy
honeypots. I've never run one but I can see many advantages to the proxy
honeypot (chief being that nowadays it's the one most likely to be
contacted directly from the spammer's system.) The thing I push most is the
idea: go after the abuse done to send spam. That's where attention would
be valuable, to my mind. As an individual I have little chance to do
anything like an ISP-level approach, have little influence to get an
ISP-level approach going. ASRG has the chance and the influence, if it is
determined to be worthwhile.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg