fritz2cat

Reporting automatically? (honeypot)


Hello,

I run my own mail server, acting as an MX for a couple of domains.

This server runs Postfix, and is configured to refuse connections from hosts listed in zen.spamhaus.org, and to refuse e-mail from addresses that have published an SPF record that leads to a HardFail status.

Some addresses are heavily spammed, including addresses that have been harvested with mistakes (such as user[at]domain.com becoming 3duser[at]domain.com or smtpuser[at]domain.com). No human would ever prefix my surname with 3d.

The aim would be to use 3duser[at]domain.com as a honeypot.

Forwarding 3duser[at]domain.com to reports.xxxxx[at]spamcop as an attachment is quite simple and documented in the FAQ (a piece of Perl code).

Moreover, these reports are highly valuable, as only the connections from IP addresses that are not (yet) blacklisted by zen.spamhaus are processed. This is far less than 1% of all e-mail connections trying to enter. The expected volume is less than 10 submissions a day.

I would like to know whether these automatic submissions could be processed and validated without having to go to the website.

Frédéric

Brussels

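As an added illustration of the forward-as-attachment step the post refers to (this is not the FAQ's Perl script, nor anything from SpamCop), here is a Python version: it confirms the message was actually delivered to one of the trap addresses, then wraps the untouched original as a message/rfc822 attachment of a new report mail. The trap addresses, the submission address and the sample message are constructed placeholders.

```python
"""Wrap a spamtrap hit as a message/rfc822 attachment for quick submission."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Optional, Set

# Placeholders (assumptions, not real addresses): the trap mailboxes and the
# per-user submission address that the reporting service issues.
TRAP_ADDRESSES = {"3duser@example.org", "smtpuser@example.org"}
SUBMIT_ADDRESS = "submit.PLACEHOLDER@example.invalid"
REPORTER = "postmaster@example.org"

# Constructed sample: a message that hit the 3duser trap, as Postfix stores it.
SAMPLE_RAW = b"""Delivered-To: 3duser@example.org
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <3duser@example.org>; Tue, 01 Jan 2013 10:00:00 +0100
From: "Offer" <offer@example.net>
To: 3duser@example.org
Subject: cheap stuff
Message-ID: <constructed-1@example.net>
Content-Type: text/plain; charset=us-ascii

unsolicited body
"""


def trap_hits(raw: bytes) -> Set[str]:
    """Return the trap addresses this message was delivered to.

    Delivered-To / X-Original-To carry the envelope recipient Postfix saw;
    To / Cc are checked too so header-only hits are not silently dropped.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    values = []
    for hdr in ("Delivered-To", "X-Original-To", "To", "Cc"):
        values.extend(str(v) for v in msg.get_all(hdr, []))
    found = {addr.lower() for _, addr in getaddresses(values)}
    return found & {a.lower() for a in TRAP_ADDRESSES}


def build_report(raw: bytes) -> Optional[EmailMessage]:
    """Build the submission mail; None when no trap address is involved,
    so ordinary mail that reaches this hook by mistake is never reported."""
    hits = trap_hits(raw)
    if not hits:
        return None
    original = message_from_bytes(raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = REPORTER
    report["To"] = SUBMIT_ADDRESS
    report["Subject"] = "spamtrap hit: " + ", ".join(sorted(hits))
    report.set_content("Automatic spamtrap submission; original attached.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report
```

Hand `build_report(...).as_bytes()` to your local submission program (for example through sendmail) only when the result is not None.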

If you want to host a trap address, you need to contact the deputies directly. You should already have an established history of reporting through spamcop though.

I would like to know whether these automatic submissions could be processed and validated without having to go to the website.

The term 'honeypot' has a specific definition, which is not as you tried to use in your Topic-starting Post.

The general question you appear to be asking already has a FAQ entry. Please see:

Can I automatically forward spam from my spamtraps?


Thank you for all the replies.

I could feed around 1000 ~ 2500 mails a day; however, I am filtering the incoming connections against zen.spamhaus, which blocks a vast majority of unwanted messages. It lowers the figures to less than 20 a day. The reporting works just fine (forward as attachment to quick...[at]...spamcop...). I am starting slowly with just a couple of traps.

Now I have 2 questions:

- do you recommend sending the reports to the whois/abuse contacts, or remaining silent? Did you experience countermeasures from angry spam gangs who could track you?

- what about the unwanted bounce messages you happen to catch (and report?) when spammers (ab)use your trap address as sender in their spam messages? Doing so, you would report sysadmins who are themselves victims of spam. These sysadmins should rather issue 5xx for their nonexistent users during the SMTP transaction, but the world is not perfect :( ... OTOH, what can be done against that abuse?

Regards,

Frédéric

Brussels


Misdirected bounces are reportable under SpamCop's current rules.

I would send reports, especially since my current understanding is that Mole reports currently do not help feed the blocklist.


A mail server should not be configured to bounce emails back to forged addresses. Those bounces are themselves unsolicited, and SpamCop does allow them to be reported as such.

I would recommend sending reports. Most are either going to go to a responsive ISP that takes action, or a non-responsive ISP that pretty much ignores them. It is very rare for spammers to attempt to retaliate, as it is simply not worth their time to do so.


Hello,

I do (quick, automatic) submissions.

When a mail comes in, addressed to one of the spamtraps, either I check the blacklist zen.spamhaus.org before letting the mail in, or I could whitelist the trap addresses.

In the first case, the number of submissions is very low (~10 a day). These hosts are probably not yet listed in spamhaus.

In the second case, this number will probably exceed 1500 msgs a day, thus helping in keeping statistics and retaining the offending IPs blacklisted.

I have the choice.

Any recommendation is welcome.

Best Regards,

Frédéric

Brussels
