Automatic Honeypot
Idea shared by Rick Ryan - January 11 at 9:49 PM
Completed
An email system I used years ago had an automatic honeypot feature that automatically blacklisted any sender that sent an email to a specific address.  A pre-defined email address could be added to your web site in white on white or some other way that wouldn't be obvious to someone in a browser.  Spammers who are scraping would easily find the address.  No legit emailer would ever send a message to that address, and anyone who did would be blacklisted.  Thoughts?

13 Replies

1
Yes...Would be great.  
We operate a couple of email systems where you can identify a specific email address as a "honeypot".   And again... ANY email that hits that... the sending address and IP get marked with higher spam scores for X amount of minutes.
 
 
1
Sign us up!  I like that.

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.

0
Robert Emmett Replied
Employee Post
Rick, this is a great idea.  I have added this to our features request list for further consideration by the development team.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Thumbs up!
1
Well I'll pass on a little trick that works for me, but I won't go so far as recommending it to anyone.  We have multiple MX Records for all domains. We discovered that many spammers send to the lowest priority MX Record (highest numerical weight).  We also found that while the highest priority SMTP servers were online there were no legitimate messages sent to the lowest priority MX Record (highest numerical weight) server.
 
For example if you have:
IN MX 10 mainserver1.domain.com
IN MX 20 mainserver2.domain.com
IN MX 30 backupserver.domain.com
You will find that nothing but spam will be sent to backupserver.domain.com, and it will then be passed on to your main server for processing.
 
But if you change the above to:
IN MX 10 mainserver1.domain.com
IN MX 20 mainserver2.domain.com
IN MX 30 backupserver.domain.com
IN MX 40 dummyserver.domain.com
If you point dummyserver.domain.com to any server with port 25 closed, it will essentially honeypot or blackhole spam. 
 
The only people that I know of that intentionally would send to the lowest priority (highest numerical weight) SMTP server when the higher priority servers are online are spammers. I have also found that spammers won't take the time to retry different servers.
 
Just my experience... your results may vary.
 
-Joe
0
I like this too. But I would also like to be able to configure an email address that my users can send spam to which would automatically blacklist an email address. Something like you would have to put a keyword in the subject such as BLACKLIST, and then in the body, an email address we want to blacklist. It would be great if we could blacklist an email address or an entire domain that way. Just a thought. I like these ideas though! Let's see if they ever get implemented.
0
Joe,

We too use the priority to set dummy MX servers at the lowest priority; however, unlike you we have seen a small number of instances where legitimate mail servers do attempt to deliver to the lowest priority (only about a half dozen in the past 10 years)...and *ONLY* to the lowest priority (in violation of RFC ). However, this practice does drop off a significant chunk of traffic before it even reaches your servers. Although I too strongly recommend this practice, be sure to be prepared to field some customer support calls when those rare recipients aren't getting a particular sender's emails.

We do go one step further and automatically set the MX Records for parked domains to Project Honeypot (http://projecthoneypot.org). The smarter spammers caught on to what we were doing and smartly backed off and stopped hitting domains registered by us, and it's the dumber ones that are left who just keep trying in vain.
1
Matt Petty Replied
Employee Post
This has been implemented in SmarterMail 17 as a spam filter.
Just some notes.
- You can block on the connection level if the IP matches one in the honeypot, provided the IP is not in the whitelist, is not a gateway, and was not IP Bypassed.
- There are 3 levels of spam score: Passed, Triggered, Listed.
- You can set any number of honeypot addresses. If these are found in the recipients of an email, the email is given the "Triggered" score.
- The honeypot addresses you set will automatically be accepted in SMTP regardless of whether this address is in use on your server or not.
- "Triggered" means that the email had a recipient that matched a honeypot address.
- "Listed" means that the IP was found in the honeypot.
- "Passed" means the IP was not found in the honeypot, nor was the email being delivered to a honeypot address.
 
If you have any questions at all let me know and I will do my best to respond. I'm happy we were able to include this, and other spam checks (stay tuned), in the SmarterMail 17 release!
 
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
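The three outcomes and the connection-level block described in the post above, worked through as an added illustration (not SmarterMail's code; the class and function names are assumptions, and the assumed precedence is that an IP already in the honeypot scores "Listed" before recipients are checked):

```python
from dataclasses import dataclass, field

# Constructed model of the honeypot spam check described above.
# Names are assumptions for illustration, not SmarterMail's API.

@dataclass
class HoneypotState:
    addresses: set = field(default_factory=set)   # honeypot recipients (lower-case)
    listed_ips: set = field(default_factory=set)  # IPs caught sending to one of them
    whitelist: set = field(default_factory=set)
    gateways: set = field(default_factory=set)
    ip_bypass: set = field(default_factory=set)

def is_exempt(state, ip):
    """Whitelisted, gateway or IP-bypassed senders are never blocked at connect time."""
    return ip in state.whitelist or ip in state.gateways or ip in state.ip_bypass

def block_connection(state, ip):
    """True when the SMTP session should be refused before any mail is accepted."""
    return ip in state.listed_ips and not is_exempt(state, ip)

def accept_rcpt(state, local_mailboxes, rcpt):
    """RCPT TO: a honeypot address is accepted whether or not that mailbox exists."""
    rcpt = rcpt.lower()
    return rcpt in state.addresses or rcpt in local_mailboxes

def score_message(state, ip, recipients):
    """Return 'Listed', 'Triggered' or 'Passed' (assumed precedence: Listed first)."""
    if ip in state.listed_ips:
        return "Listed"
    if any(r.lower() in state.addresses for r in recipients):
        state.listed_ips.add(ip)   # remember the sender so its next connection is Listed
        return "Triggered"
    return "Passed"
```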
0
Matt Petty Replied
Employee Post
I've also designed the system to allow remote changes to this list from external programs. This is to facilitate doing some sort of integration where your honey pot addresses are shared with others, maybe something like https://www.projecthoneypot.org

While doing this doesn't really have any applications right now, I'm trying to set this system up for the future in case we want to add more functionality down the road. If I have some time later on I might make an example program that utilizes this "Dynamic" behavior of the HoneyPot.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
One thing I think you should add to the v17 spam filtering is the ability to add an API Key to the RBL. There are quite a few very good RBLs that require you to prefix your query with an API Key. We're on the projecthoneypot.org subject, and they have an RBL called HTTPBL that is free to use, but you must use your API Key.

SmarterMail would query IP Address 1.2.3.4 to HTTPBL as:
4.3.2.1.ns1.httpbl.org, but HTTPBL will not reply to that query.

The correct HTTPBL query would be:

yourapikey.4.3.2.1.ns1.httpbl.org (with your valid API Key of course) but SmarterMail is not capable of this query.

All it would require is another field in the RBL Spam Check settings for an API Key prefix. If empty it could be ignored.

I believe more and more RBLs will be requiring an API Key as time goes on.

Thanks,
-Joe
0
Matt Petty Replied
Employee Post
Thanks for bringing that up Joe, I will add that.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
Joe, I just wanted to let you know you will be able to now set a "Lookup Prefix" allowing you to specify "yourapikey", and it will be prepended to the call along with a dot. This will allow you to put whatever you wish in front, yourapikey.4.3.2.1.ns1.httpbl.org.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
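Joe's HTTPBL query construction and the "Lookup Prefix" behaviour Matt describes, as an added example (not SmarterMail's code): the octets are reversed, the prefix is prepended with a dot and ignored when empty, and the resolver is an injected stand-in with a constructed answer so the check runs offline.

```python
import ipaddress

def rbl_query_name(ip, zone, prefix=""):
    """Build the DNS name for an RBL lookup of `ip` in `zone`.

    1.2.3.4 becomes 4.3.2.1.<zone>; a configured lookup prefix such as an API key
    is prepended with a dot, and an empty prefix is ignored.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 RBL zones only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    base = f"{reversed_octets}.{zone}"
    prefix = prefix.strip().strip(".")   # tolerate a stray dot or whitespace in the setting
    return f"{prefix}.{base}" if prefix else base

def rbl_is_listed(ip, zone, resolve, prefix=""):
    """Return the RBL's answer address if `ip` is listed, else None.

    `resolve` maps a name to an IPv4 string or None (NXDOMAIN / no reply).
    RBL answers conventionally fall in 127.0.0.0/8; anything else is treated as
    a misconfiguration rather than a listing.
    """
    answer = resolve(rbl_query_name(ip, zone, prefix))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer

# Constructed stand-in for DNS: only the keyed name gets an answer, mirroring the
# observation above that the unprefixed query receives no reply. The answer value
# is made up for the test, not a real HTTPBL response.
FAKE_DNS = {"yourapikey.4.3.2.1.ns1.httpbl.org": "127.0.0.2"}

def fake_resolve(name):
    return FAKE_DNS.get(name)
```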
0
Matt,

Sounds great.

Thanks,
-Joe
