fritz2cat Posted August 14, 2008

Hello,

I run my own mail server, acting as an MX for a couple of domains. This server runs Postfix, and is configured to refuse connections from hosts listed in zen.spamhaus.org, and to refuse e-mail from addresses that have published an SPF record that leads to a HardFail status.

Some addresses are heavily spammed, including addresses that have been harvested with mistakes (such as user[at]domain.com becoming 3duser[at]domain.com or smtpuser[at]domain.com). No human would ever prefix my surname with 3d.

The aim would be to use 3duser[at]domain.com as a honeypot. Forwarding 3duser[at]domain.com to reports.xxxxx[at]spamcop as an attachment is quite simple and documented in the FAQ. (piece of Perl code)

Moreover these reports are highly valuable, as only the connections from IP addresses that are not (yet) blacklisted by zen.spamhaus are processed. This is far less than 1% of all e-mail connections trying to enter. The expected volume is less than 10 submissions a day.

I would like to know whether these automatic submissions could be processed and validated without having to go to the website.

Frédéric
Brussels

Miss Betsy Posted August 14, 2008

You can use Quick Reporting. You need to do the Mailhost Configuration first.

Miss Betsy

Telarin Posted August 14, 2008

If you want to host a trap address, you need to contact the deputies directly. You should already have an established history of reporting through spamcop though.

Wazoo Posted August 14, 2008

> I would like to know whether these automatic submissions could be processed and validated without having to go to the website.

The term 'honeypot' has a specific definition, which is not as you tried to use in your Topic-starting Post. The general question you appear to be asking already has a FAQ entry .. please see; Can I automatically forward spam from my spamtraps?

fritz2cat (Author) Posted August 15, 2008

Thank you for all the replies.

I could feed around 1000 ~ 2500 mails a day; however I am filtering the incoming connections against zen.spamhaus, which blocks a vast majority of unwanted messages. It lowers the figures to less than 20 a day.

The reporting works just fine. (forward as attachment to quick...[at]...spamcop...). I am starting slowly with just a couple of traps.

Now I have 2 questions:

- do you recommend sending the reports to the whois/abuse contacts, or remain silent? Did you experience countermeasures from angry spamgangs who could track you?
- what about the unwanted bounce messages you happen to catch (and report?) when spammers (ab)use your trap address as sender in their spam messages? Doing so, you would report sysadmins who are themselves victims of spam. These sysadmins should better issue 5xx for their inexistent users during the SMTP transaction, but the world is not perfect ... OTOH what can be done against that abuse?

Regards,
Frédéric
Brussels

StevenUnderwood Posted August 15, 2008

Misdirected bounces are reportable under SpamCop's current rules.

I would send reports, especially since my current understanding is that Mole reports currently do not help feed the blocklist.

Telarin Posted August 15, 2008

A mail server should not be configured to bounce emails back to forged addresses. Those bounces are themselves unsolicited, and spamcop does allow them to be reported as such.

I would recommend sending reports. Most are either going to go to a responsive ISP that takes action, or a non-responsive ISP that pretty much ignores them. It is very rare for spammers to attempt to retaliate, as it is simply not worth their time to do so.

fritz2cat (Author) Posted August 17, 2008

Hello,

I do (quick, automatic) submissions.

When a mail comes in, addressed to one of the spamtraps, either I check the blacklist zen.spamhaus.org before letting the mail in, or I could whitelist the trap addresses.

In the first case, the number of submissions is very low (~10 a day). These hosts are probably not yet listed in spamhaus.

In the second case, this number will probably exceed 1500 msgs a day, thus helping in keeping statistics and retaining the offending IPs blacklisted.

I have the choice. Any recommendation is welcome.

Best Regards,
Frédéric
Brussels
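
The forward-as-attachment step discussed in this thread, with misdirected bounces tagged separately, as an added Python example that is not part of any post above and is not the FAQ's Perl code. It assumes the MTA pipes each trap message to the script on stdin and adds a Return-Path header on delivery; both addresses are placeholders, since the thread does not give the real submission address.

```python
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholders (assumptions): the per-account submission address is elided in the thread.
REPORT_TO = "submission-placeholder@example.invalid"
TRAP_SENDER = "trap-forwarder@example.invalid"
# Do not refold long headers of the trapped message; the report needs them as received.
KEEP_HEADERS = policy.default.clone(refold_source="none")

def is_bounce(msg):
    """Heuristic for a misdirected bounce: null envelope sender or a DSN body."""
    return_path = (msg.get("Return-Path") or "").strip()
    return return_path == "<>" or msg.get_content_type() == "multipart/report"

def build_report(raw):
    """Wrap one trapped message (raw bytes) as a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=KEEP_HEADERS)
    report = EmailMessage(policy=KEEP_HEADERS)
    report["From"] = TRAP_SENDER
    report["To"] = REPORT_TO
    # Tag bounces so they can be reviewed or routed apart from direct spam.
    kind = "misdirected bounce" if is_bounce(original) else "spam"
    report["Subject"] = "spamtrap submission: " + kind
    report.set_content("Trapped message attached as message/rfc822.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report

# Constructed sample messages (not real traffic), using documentation addresses.
SAMPLE_SPAM = (b"Return-Path: <sender@example.net>\r\n"
               b"Received: from unknown (192.0.2.10) by mx.example.org\r\n"
               b"From: sender@example.net\r\nTo: 3duser@example.org\r\n"
               b"Subject: cheap offer\r\n\r\nbody\r\n")
SAMPLE_BOUNCE = (b"Return-Path: <>\r\n"
                 b"Received: from mail.example.com (198.51.100.7) by mx.example.org\r\n"
                 b"From: MAILER-DAEMON@example.com\r\nTo: 3duser@example.org\r\n"
                 b"Subject: Undelivered Mail Returned to Sender\r\n\r\nbody\r\n")

if __name__ == "__main__":
    # Read one message from the MTA pipe and emit the report for the local sendmail.
    sys.stdout.buffer.write(build_report(sys.stdin.buffer.read()).as_bytes())
```
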
This topic is now archived and is closed to further replies.