16
Automatic Honeypot
Idea shared by Rick Ryan - 1/11/2018 at 9:49 PM
Completed
An email system I used years ago had an automatic honeypot feature that automatically blacklisted any sender that sent an email to a specific address.  A pre-defined email address could be added to your web site in white on white or some other way that wouldn't be obvious to someone in a browser.  Spammers who are scraping would easily find the address.  No legit emailer would ever send a message to that address, and anyone who did would be blacklisted.  Thoughts?

24 Replies

1
Yes...Would be great.  
We operate a couple of email systems to where you can identify a specific email as a "honeypot".   And again... ANY email that hits that.. the sending address, and I/P get marked higher marks of spam for X amount of minutes.
 
 
1
Sign us up !  I like that.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, we have refurbished over 11,000 Computers!
0
Employee Replied
Employee Post
Rick, this is a great idea.  I have added this to our features request list for further consideration by the development team.
0
Thumbs up!
1
Well I'll pass on a little trick that works for me, but I won't go so far as recommending it to anyone.  We have multiple MX Records for all domains. We discovered that many spammers send to the lowest priority MX Record (highest numerical weight).  We also found that while the highest priority SMTP servers were online there were no legitimate messages sent to the lowest priority MX Record (highest numerical weight) server.
 
For example if you have:
IN MX 10 mainserver1.domain.com
IN MX 20 mainserver2.domain.com
IN MX 30 backupserver.domain.com
You will find that nothing but spam will be sent to backupserver.domain.com and will be sent to your main server for processing.
 
But if you change the above to:
IN MX 10 mainserver1.domain.com
IN MX 20 mainserver2.domain.com
IN MX 30 backupserver.domain.com
IN MX 40 dummyserver.domain.com
Pointing dummyserver.domain.com to any server with port 25 closed will essentially honeypot or blackhole spam.
 
The only people that I know of that intentionally would send to the lowest priority (highest numerical weight) SMTP server when the higher priority servers are online are spammers. I have also found that spammers won't take the time to retry different servers.
 
Just my experience... your results may vary.
 
-Joe
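As an added illustration of the MX trick above (example code, not from Joe or SmarterTools), the model below orders hosts the way a standards-following sender must (ascending preference, RFC 5321) and labels a connection that arrives at the highest-numbered record. The hostnames are the ones from the post; the "reachable hosts" set is an assumed input from your own monitoring. Joe Wolf's follow-up below is the caveat: a "decoy" hit can still occasionally be a misbehaving legitimate sender.

```python
# Added example: models the decoy MX record described above.
# A compliant MTA tries MX hosts from the lowest preference number upward,
# so a session that opens against the highest-numbered record while the
# lower-numbered hosts are up is the anomaly the post relies on.
import random

# Constructed zone data, as in the post: (preference, host)
MX_RECORDS = [
    (10, "mainserver1.domain.com"),
    (20, "mainserver2.domain.com"),
    (30, "backupserver.domain.com"),
    (40, "dummyserver.domain.com"),  # port 25 closed: the decoy
]

def compliant_delivery_order(records, rng=random):
    """Order in which a standards-following sender tries hosts:
    ascending preference, equal preferences in random order."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order

def decoy_host(records):
    """The MX with the highest preference number is the decoy."""
    return max(records, key=lambda r: r[0])[1] if records else None

def classify_connection(records, connected_host, reachable_hosts):
    """Label an inbound SMTP connection by the host it targeted.
    'decoy'    : hit the decoy while every lower-numbered host was reachable
    'fallback' : hit the decoy while some primary was down (legitimate retry)
    'normal'   : hit a non-decoy host"""
    decoy = decoy_host(records)
    if connected_host != decoy:
        return "normal"
    primaries = [h for _, h in records if h != decoy]
    if all(h in reachable_hosts for h in primaries):
        return "decoy"
    return "fallback"
```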
0
I like this too. But I would also like to be able to configure an email address that my users can send spam to which would automatically blacklist an email address. Something like you would have to put a keyword in the subject such as BLACKLIST, and then in the body, an email address we want to blacklist. It would be great if we could blacklist an email address or an entire domain that way. Just a thought. I like these ideas though! Let's see if they ever get implemented.
0
Joe,

We too use the priority to set dummy MX servers at the lowest priority, however unlike you we have seen a small number of instances where legitimate Mail Servers do attempt to deliver to the lowest priority (only about a half dozen in the past 10 years)...and *ONLY* to the lowest priority (in violation of RFC ). However, this practice does drop off a significant chunk of traffic before it even reaches your servers. Although I too strongly recommend this practice, be sure to be prepared to field some customer support calls when those rare recipients aren't getting a particular sender's emails.

We do go one step further and automatically set the MX Records for parked domains to Project Honeypot (http://projecthoneypot.org). The smarter Spammers caught on to what we were doing and smartly backed off and stopped hitting domains registered by us, and it's the dumber ones that are left who just keep trying in vain.
1
Matt Petty Replied
Employee Post
This has been implemented in SmarterMail 17 as a spam filter.
Just some notes.
-You can block on the connection level if the IP matches one in the honey pot, granted the IP is not in the whitelist, is not a gateway, and was not IP Bypassed.
-There are 3 levels of spam score, Passed, Triggered, Listed.
-You can set any number of honeypot addresses. If these are found in the recipients of an email the email is given the "Triggered" score.
-The honeypot addresses you set will automatically be accepted in SMTP regardless if this address is in use on your server or not.
-"Triggered" means that the email had a recipient that matched a honeypot address.
-"Listed" means that IP was found in the honeypot.
-"Passed" means the IP was not found in the honeypot nor was the email being delivered to a honeypot address.
 
If you have any questions at all let me know and I will do my best to respond. I'm happy we were able to include this, and other spam checks (stay tuned), in the SmarterMail 17 release!
 
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
1
Matt Petty Replied
Employee Post
I've also designed the system to allow remote changes to this list from external programs. This is to facilitate doing some sort of integration where your honey pot addresses are shared with others, maybe something like https://www.projecthoneypot.org

While doing this doesn't really have any applications right now, I'm trying to set this system up for the future in case we want to add more functionality down the road. If I have some time later on I might make an example program that utilizes this "Dynamic" behavior of the HoneyPot.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
One thing I think you should add to the v17 spam filtering is the ability to add an API Key to the RBL. There are quite a few very good RBL's that require you to prefix your query with an API Key. We're on the projecthoneypot.org subject and they have an RBL called HTTPBL that is free to use, but you must use your API Key.

SmarterMail would query IP Address 1.2.3.4 to HTTPBL as:
4.3.2.1.ns1.httpbl.org
But HTTPBL will not reply to that query.

The correct HTTPBL query would be:

yourapikey.4.3.2.1.ns1.httpbl.org (with your valid API Key of course) but SmarterMail is not capable of this query.

All it would require is another field in the RBL Spam Check settings for an API Key prefix. If empty it could be ignored.

I believe more and more RBL's will be requiring an API Key as time goes on.

Thanks,
-Joe
0
Matt Petty Replied
Employee Post
Thanks for bringing that up Joe, I will add that.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
1
Matt Petty Replied
Employee Post
Joe, I just wanted to let you know you will be able to now set a "Lookup Prefix" allowing you to specify "yourapikey", and it will be prepended to the call along with a dot. This will allow you to put whatever you wish in front, yourapikey.4.3.2.1.ns1.httpbl.org.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
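To show what Joe's request and Matt's "Lookup Prefix" amount to on the wire, here is an added example (not SmarterMail code): it builds the reversed-octet query name with the optional prefix and decodes an answer in the 127.days.threat.type layout that Project Honey Pot documents for http:BL. The resolver is injected so the block runs offline; "yourapikey" is the placeholder from the thread, not a real key.

```python
# Added example: DNSBL query construction with an optional lookup prefix,
# plus http:BL answer decoding. The resolver callable is an assumption so
# the code can be exercised without network access.
import ipaddress

def rbl_query_name(ip, zone, lookup_prefix=None):
    """Reverse the IPv4 octets under the zone; if a prefix is set, prepend
    it followed by a dot (the behaviour Matt describes)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    name = ".".join(reversed(octets)) + "." + zone
    if lookup_prefix:
        name = lookup_prefix + "." + name
    return name

# http:BL visitor-type bit flags; 0 on its own means "search engine"
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

def decode_httpbl_answer(answer):
    """Decode an http:BL A-record answer 127.<days>.<threat>.<type>.
    Returns None when the first octet is not 127 (not a valid listing)."""
    first, days, threat, vtype = (int(x) for x in answer.split("."))
    if first != 127:
        return None
    if vtype == 0:
        types = ["search engine"]  # second octet is then an engine id, not days
    else:
        types = [name for bit, name in VISITOR_TYPES.items() if vtype & bit]
    return {"days_since_last_activity": days,
            "threat_score": threat,
            "visitor_types": types}

def rbl_lookup(ip, zone, resolve, lookup_prefix=None):
    """Full lookup: resolve(name) returns the A-record string, or None when
    the name does not exist (the IP is not listed)."""
    answer = resolve(rbl_query_name(ip, zone, lookup_prefix))
    return None if answer is None else decode_httpbl_answer(answer)

# Constructed stand-in for DNS: only the keyed query name has an answer,
# mirroring Joe's observation that the unkeyed form gets no reply.
FAKE_DNS = {"yourapikey.4.3.2.1.ns1.httpbl.org": "127.3.25.6"}

if __name__ == "__main__":
    print(rbl_lookup("1.2.3.4", "ns1.httpbl.org", FAKE_DNS.get, "yourapikey"))
```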
0
Matt,

Sounds great.

Thanks,
-Joe
2
Would also be cool if we could get some global system working with all SM 17 installs that use this feature. i.e. a Pass Weight, Listed Weight, Triggered Weight and maybe a Global Weight, where SM every say hour or so would pull down and also share its list of IPs to some central system.
1
I found nothing in the documentation on how to use this, set it up, etc. I just installed Xenforo forum'ware and it had a link on how to get a honey pot API key. I'd like to use this but really am not sure and again nothing in the docs outlining this system and how to properly configure it. I see nothing on "yourapikey" in the spam config. I'll keep digging.
1
Matt Petty Replied
Employee Post
Go to Anti-Spam settings, turn on HoneyPot, and put in a fake email address; any deliveries to that address will be treated like a normal session, except given a triggered honeypot score. Any further deliveries from the sender address will be given the honeypot score.

So for example if we created honeypot@smartertools.com and I sent from test@example.com to honeypot@smartertools.com, that session and any further deliveries in your system from test@example.com will be given a score.

Make sure your fake email is a domain that you serve but that the username does not exist already. If you need further help, lemme know and I can explain further.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
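The following is an added model (not SmarterMail's code) of the behaviour Matt lays out in his notes post earlier in the thread (Passed / Triggered / Listed, honeypot recipients accepted at SMTP, and the whitelist, gateway and IP-bypass exemption on the connection-level block) and in the walkthrough just above (later deliveries from the triggering sender address also scored). Class and method names, sample addresses and IPs are constructed here.

```python
# Added example: a model of the honeypot outcomes described in the thread.
# Placeholder names and sample data are constructed; the whitelist / gateway /
# IP-bypass exemption applies to the connection-level block only.
import ipaddress

class HoneypotFilter:
    def __init__(self, honeypot_addresses, whitelist=(), gateways=(), ip_bypass=()):
        self.honeypot_addresses = {a.lower() for a in honeypot_addresses}
        self.exempt_ips = {ipaddress.ip_address(ip)
                           for ip in (*whitelist, *gateways, *ip_bypass)}
        self.listed_ips = set()      # IPs that have delivered to a honeypot address
        self.listed_senders = set()  # envelope senders that have done the same

    def smtp_rcpt_accept(self, recipient, local_mailboxes):
        """Honeypot addresses are accepted at RCPT TO whether or not the
        mailbox exists; other recipients must be real local mailboxes."""
        r = recipient.lower()
        return r in self.honeypot_addresses or r in local_mailboxes

    def check_connection(self, client_ip):
        """Connection-level block: True only for a listed IP that is not
        whitelisted, a gateway, or IP-bypassed."""
        ip = ipaddress.ip_address(client_ip)
        return ip in self.listed_ips and ip not in self.exempt_ips

    def score_message(self, client_ip, mail_from, recipients):
        """Return 'Listed', 'Triggered' or 'Passed' for one delivery.
        Triggered: a recipient matched a honeypot address; the IP and sender
                   are recorded so their later deliveries come back Listed.
        Listed:    the IP or sender was recorded by an earlier trigger.
        Passed:    neither condition holds."""
        ip = ipaddress.ip_address(client_ip)
        sender = mail_from.lower()
        if ip in self.listed_ips or sender in self.listed_senders:
            return "Listed"
        if any(r.lower() in self.honeypot_addresses for r in recipients):
            self.listed_ips.add(ip)
            self.listed_senders.add(sender)
            return "Triggered"
        return "Passed"
```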
0
It seems this feature and many others in SM17 are not documented.  When will the documentation be updated to reflect this latest, production release? Thank you.
2
ST does itself a disservice when they add new features without explaining how AND why they should be used.
0
The documentation has always been minimalistic sadly. It's enough to say "we have documentation" but is it useful? I don't typically find answers within their docs. If they want good docs they should move to a system such as Atlassian Confluence and have a tech writer do a great job with the docs. Make it a great resource, not just "we have docs".
0
I haven't upgraded to v17 yet but I'm glad to see new antispam features being added. As for honeypot email addresses, would you just create a generic bob@domainname.com (for example) and hope for the best? Or would you somehow advertise the honeypot email address on a dummy web page etc. that search engines crawl?
0
Matt Petty Replied
Employee Post
@Matthew,

Yeah, use something generic and stick it maybe on the website. If you search for "honeypot css" on Google, the first couple of results have resources on how to place and hide honeypot addresses on a website.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Without proper documentation and an intuitive UI, no one knows how to properly configure this. Here is a screenshot of how Xenforo forums does it in their anti-spam area as I just migrated my forums to their latest release. Notice a helpful description, a link to the honeypot web site, etc. I have no clue on this project honeypot, your UI should link me to where I need to go whether your docs, honeypot, etc. and help me use it without googling endlessly.

0
I've tried implementing the Honeypot feature on a test basis, and found it just doesn't work. Messages that go to a honeypot address are identified, but subsequent emails from that sender are not given any additional spam score from what I can tell.
1
Kyle Kerst Replied
Employee Post
@Joe Wolf; the behavior you outlined caught my attention (regarding lower priority MX records.) I believe this is likely because email providers will keep a lower security environment set up as a best effort delivery server listed in MX records to catch email coming from older email servers, email servers in less secure environments, mass mailers, etc. These servers are typically gateway machines, and spammers are probably targeting these records specifically due to potentially lax security. I just wanted to share my thoughts on this. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com