Here's a definition of a honeypot:
[QUOTE]
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
[/QUOTE]
Reference: http://en.wikipedia.org/wiki/Honeypot_%28computing%29
Okay, so here's my definition of a mail spampot.
A hosted email MX server that sets a trap, or a series of traps, for collecting potential spammers and those who use unethical means of harvesting email accounts. It uses a seeded site with a fictitious email address and/or a valid domain, and collects the spammer's from email address and the mail relay's IP address, plus any other potentially useful information.
Okay, so in my spampot I'm using sendmail and the virtusertable feature. My virtual user table has one big wildcard entry that catches anybody sending to my trap domain.
e.g.
--> /etc/mail/virtusertable
@myspampotdomain.com    myspampot
I could also have seeded various email accounts, like root@myspampotdomain.com, admin@myspampotdomain.com, etc.
A script greps the maillog for any mail received, pulls this information out, and appends it to a simple text file.
e.g. (snippet of my script)
# pull the sender address out of every "from=<...>" line in the maillog
grep ": from=<" maillog | cut -d , -f1 | cut -d "=" -f2 >> mycollection.txt
I police that file and remove any duplicates; I also extract the dates for forensic and other post-analysis that I run. At this point I can import these into my email security appliance and apply them to my blacklist table. You have to be very creative about what you do with the collected data.
As an alternative, once you have collected the sender IP addresses, you can check them against one of the real-time blacklists and see whether they have an entry, or check them against, let's say, a mail reputation system.
e.g.
http://www.mxtoolbox.com/blacklists.aspx
http://blacklistcheck.com/
http://www.fortiguard.com/ip_rep.php
http://www.senderbase.org/senderbase_queries/detailip?search_string=8.8.8.8
NOTE: This could also confirm the validity of their reputation.
The mail spampot is not mitigation gear, nor does it take any mitigation approach. As a matter of fact, it does not even prevent the spam mail. It's used to counter, or rather harvest, potential crawlers that find emails and blindly send email to recipients. As an additional matter of fact, we want it to catch spam.
In my design the spampot sits on a VM instance hosted at a VPS (http://www.vr.org/), uses very limited resources, and best of all, is non-critical in function.
The myspampotdomain.com above is actually my true spampot domain, purchased just for my trap. Try not to get caught, I'm watching!
Background:
I started the mail spampot a while back to prove a hunch: that domains that are registered are somehow located and blindly spammed. In my mail spampot domain I never created any real accounts, sent any email from that domain, nor posted anything on any website with any link, reference, or information about that domain.
NOTE: I personally think the registrars are selling us out, and our information, when we register domains.
When I first registered my myspampotdomain, I had spam within the first 128 hours after creating the domain and the MX records in my DNS. So a newly registered domain with NO activity had spam within 128 hours of purchase.
So any mail sent to anybody in that domain is considered spam.
My mail spampot version 2, which is planned for Q3 2013, will use a different approach: instead of running a text file, I plan on harvesting the following information:
- sender's email
- sender's IP address
- date of receipt
- message ID
and inserting these into a MySQL database.
For how much the spampot catches, database logging is not required, but a SQL approach would look more professional.
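The grep pipeline above only keeps the sender address, while the version 2 plan wants sender, relay IP, date and message ID per hit, deduplicated and stored in a database, and the real-time blacklist links suggest checking each collected relay IP. The following is an added example, not the post's own script: it parses constructed sendmail maillog lines (the queue IDs, addresses and IPs are made up), returns one record per queue ID, stores them in a table, and builds the reversed-octet DNSBL query name for each relay. sqlite3 from the standard library stands in for the MySQL database mentioned in the post, the table schema is this example's own, the year is supplied by the caller because syslog timestamps carry none, and zen.spamhaus.org is used only as an example zone; the DNS resolver is injectable so the lookup can be exercised offline.

```python
import re
import socket
import sqlite3
from collections import namedtuple
from datetime import datetime

# Constructed sample lines in the format sendmail writes to maillog.
# Queue IDs, addresses and IPs are made up (documentation ranges) for this example.
SAMPLE_MAILLOG = """\
Mar  3 04:12:07 spampot sendmail[2231]: r235C7xx002231: from=<promo@example-bulk.test>, size=2310, class=0, nrcpts=1, msgid=<20130303041207.AAA1@example-bulk.test>, proto=ESMTP, daemon=MTA, relay=mx1.example-bulk.test [192.0.2.10]
Mar  3 04:12:07 spampot sendmail[2231]: r235C7xx002231: to=<root@myspampotdomain.com>, delay=00:00:00, mailer=local, pri=32310, dsn=2.0.0, stat=Sent
Mar  3 09:41:55 spampot sendmail[2402]: r239ftxx002402: from=<offers@example-bulk.test>, size=5120, class=0, nrcpts=3, msgid=<b7f2@example-bulk.test>, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Mar  4 11:02:13 spampot sendmail[2610]: r24B2Dxx002610: from=<promo@example-bulk.test>, size=2310, class=0, nrcpts=1, msgid=<20130304110213.AAA2@example-bulk.test>, proto=ESMTP, daemon=MTA, relay=mx1.example-bulk.test [192.0.2.10]
"""

SpamHit = namedtuple("SpamHit", "qid received sender relay_ip msgid")

# Only the "from=" line of each queue ID carries sender, msgid and relay.
# msgid is optional because not every message supplies one.
FROM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>"
    r"(?:.*?msgid=<(?P<msgid>[^>]*)>)?"
    r".*?relay=(?:\S+ )?\[(?P<ip>[^\]]+)\]"
)


def parse_maillog(text, year):
    """Return one SpamHit per queue ID found in maillog text.

    Syslog timestamps carry no year, so the caller supplies it.
    A queue ID seen twice (rotation overlap, re-runs) is kept once.
    """
    hits, seen = [], set()
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m or m.group("qid") in seen:
            continue
        seen.add(m.group("qid"))
        ts = re.sub(r"\s+", " ", m.group("ts"))  # "Mar  3" -> "Mar 3"
        received = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        hits.append(SpamHit(m.group("qid"), received, m.group("sender"),
                            m.group("ip"), m.group("msgid") or ""))
    return hits


def unique_senders(hits):
    return {h.sender for h in hits}


def unique_relays(hits):
    return {h.relay_ip for h in hits}


def store(hits, conn=None):
    """Insert hits into a spam_hits table, ignoring queue IDs already stored.

    sqlite3 stands in for the MySQL database planned in the post; the schema
    is this example's own (assumption), not the author's.
    """
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS spam_hits ("
        "qid TEXT PRIMARY KEY, received TEXT, sender TEXT, relay_ip TEXT, msgid TEXT)"
    )
    conn.executemany(
        "INSERT OR IGNORE INTO spam_hits VALUES (?, ?, ?, ?, ?)",
        [(h.qid, h.received.isoformat(), h.sender, h.relay_ip, h.msgid) for h in hits],
    )
    conn.commit()
    return conn


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNS blacklist expects,
    e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """Return the DNSBL answer (a 127.0.0.x code) if the IP is listed, else None.

    NXDOMAIN (socket.gaierror) means "not listed". `resolve` is injectable
    so the check can be exercised offline with a fake resolver.
    """
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    hits = parse_maillog(SAMPLE_MAILLOG, year=2013)
    conn = store(hits)
    print(conn.execute("SELECT COUNT(*) FROM spam_hits").fetchone()[0], "hits stored")
    for ip in sorted(unique_relays(hits)):
        print(ip, "->", dnsbl_query_name(ip, "zen.spamhaus.org"))
```

Keying the table on the sendmail queue ID is what makes re-running the script over an overlapping log safe: `INSERT OR IGNORE` drops the repeats that the text-file approach has to be policed for by hand.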
Ken Felix
Freelance Network/Security Engineer
kfelix a--t hyperfeed d--o--t com