Antispam Honeypots Give Spammers Headaches
Can we systematically make spamming difficult?
November 5, 2002
Filtering spam is a good idea, but keeping filtering rules up-to-date without eliminating legitimate email traffic takes skill and effort. In addition to using mail filter software, you can fight spam in other ways, such as by using an antispam honeypot.
As you know, honeypots are traps or decoys that deliberately lure intruders to help prevent unwanted activity against network sources. Honeypots also gather forensic evidence, thereby helping us better understand intruder methodologies. Other Windows & .NET Magazine authors and I have written about various types of honeypots in use today. You can find links to honeypot-related articles below:
http://www.secadministrator.com/articles/index.cfm?articleid=26114
http://www.secadministrator.com/articles/index.cfm?articleid=25679
http://www.secadministrator.com/articles/index.cfm?articleid=22911
http://search.winnetmag.com/
query.html?col=secadmin&qt=honeypot
Last week, Security UPDATE reader Brad Spencer brought antispam honeypots to my attention. Antispam honeypots are services that pose as legitimate mail servers to thwart spammers. Spencer, who runs an antispam honeypot, described to me what antispam honeypots do, how they operate, and where you can get one or find out how to build one. According to Spencer, the real heroes of this technology are Michael Tokarev, who operated an antispam honeypot in Russia and Jack Cleaver, whose program you'll read more about in a moment.
An antispam honeypot operation first detects potential spammers, then thwarts their efforts to send spam through the mail server. Spammers often use mail systems that allow open mail relaying to deliver spam. An open relay lets anyone use the mail server to deliver email messages to anyone else, which is a spammer's dream. In the past, people offered open relays as a courtesy to Internet users to help facilitate easy email delivery. Now, operating an open relay will eventually land your mail server on a blacklist that might prevent legitimate email from arriving at your system. For more information about blacklists, visit the Mail Abuse Prevention System (MAPS) Web site.
Typically, spammers test a mail server for open relaying by simply sending themselves an email message. If the spammer receives the email message, the mail server obviously allows open relaying. Honeypot operators, however, can use the relay test to thwart spammers. The honeypot catches the relay test email message, returns the test email message, and subsequently blocks all other email messages from that spammer. Spammers continue to use the antispam honeypot for spamming, but the spam is never delivered. Meanwhile, the honeypot operator can notify spammers' ISPs and have their Internet accounts canceled. If honeypot operators detect spammers who use open-proxy servers, they can also notify the proxy server operator to lock down the server to prevent further misuse.
If enough users take time to operate antispam honeypots and contact ISPs and open-proxy server operators, they'll systematically make spamming more difficult. Spencer believes that eventually spammers will find it so hard to distinguish honeypots from actual open relays that at least some of them might quit such activities altogether.
Two tools that can help you set up and run an antispam honeypot are a Windows-based version of Sendmail specifically configured as a honeypot and Cleaver's Jackpot Mailswerver program. Jackpot is written in Java and runs on any system that supports the Java platform.
Spencer uses a UNIX-based version of Sendmail to operate his antispam honeypot. (I haven't used the Windows version recently but assume that it's still a direct port that works well.) Spencer details his configuration methods for using Sendmail on his related Web page. Spencer also describes what happens when you operate Sendmail as he does and what to do when Sendmail traps a potential spammer's message.
Jackpot is an SMTP mail server that prevents spam delivery and saves mail traffic information for evidence and research. Jackpot also creates Web-based reports that simplify analysis and tracking. Cleaver writes, "Jackpot saves full details of all spam mail submitted to it as a collection of web-pages. The information is organized into lists, with messages sent from a given host grouped on a page. Jackpot tries to gather some information about the host that sent the spam ... [it also checks to see] if the source [of potential spam] is a known open-proxy or a [known spam operation and uses sources such as] abuse.net to see whether there's a registered [mail] abuse address for the host."
Spencer mentions two additional resources that can help thwart spam: SpamNet and Distributed Checksum Clearinghouse (DCC). According to its Web site, Vipul's Razor, commonly know as SpamNet, "establishes a distributed and constantly updating catalogue of spam in propagation. Clients use this catalogue to filter out known spam." According to the DCC Web page, DCC resembles SpamNet in that it's "a system of many clients and more than 90 servers that collects and counts checksums related to several million mail messages per day, [mostly] as seen by Internet Service Providers." SMTP servers and mail user agents can use the counts to "detect and reject or filter spam or unsolicited bulk mail."
To help prevent spam, explore the resources I've mentioned in this article and consider using them on your networks. Thanks to Brad Spencer for his help in bringing this information to Security UPDATE readers.
About the Author
You May Also Like