ietf-asrg

Re: [Asrg] honey pot plugged

2003-04-09 13:59:48
At 04:49 PM 4/9/2003 -0400, Daniel Feenberg wrote:


On Wed, 9 Apr 2003, Brad Spencer wrote:

> At 01:43 PM 4/9/2003 -0600, John Fenley wrote:
>
>
> That's open relay honeypots.  I think they heavily scan for open proxy
> honeypots.  I've never run one but I can see many advantages to the proxy
> honeypot (chief being that nowadays it's the one most likely to be
> contacted directly from the spammer's system.) The thing I push most is the
> idea: go after the abuse done to send spam.  That's where attention would
> be valuable, to my mind.  As an individual I have little chance to do
> anything like an ISP-level approach, have little influence to get an
> ISP-level approach going.  ASRG has the chance and the influence, if it is
> determined to be worthwhile.
>

Can I ask why open proxies are considered to be such a problem? It would
seem, that since no legitimate mail would come from them, they are perfect
candidates for the RBLs. Are they not fairly easy to detect and confirm?
Why wouldn't they be in any list of open relays, since that is one of the
things they do? Does legitimate mail come from them? That seems unlikely
to me. Is the problem that they are short-lived? But why would that be a
problem?

I have a feeling the answer must be obvious, but perhaps there are several
of us here who have missed the obvious.


A proxy could be on a real mail server. I squawk a lot about collateral damage but even I can tolerate blocking an IP that has an abused open proxy, but that is how real email could come from a system with an abusable open proxy.

One thing about honeypots is that they work against spam, not spam sources. If the honeypot weren't there a DNSBL that listed every open relay or open proxy, whichever pertains to the spam in question, would block the spam anyway. For that part of the honeypot function there's no real gain. There are also sites that don't use DNSBLs. The honeypot protects those, if the spam first comes to the honeypot. That means fewer marks see the spam, fewer respond to the spammer, he gets a lower return. That's part of the goal, in the short term. Long term you want to so corrupt the open whatever picture that the spammer can't recognize true open whatevers.

Plus you may find other ways to screw with the spammer using the honeypot.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


