NilsC

Stop Spam Harvesters add a Honey Pot to your site

A way to stop spam is identifying the top spam harvesters and shutting them down before they reach your mailbox. The time before you get spam at a new email address can vary. If you never give out the address on the Internet and the address is not just a first or a last name, you may not see spam for years. If you create a website and put your email address anywhere on the page, eventually it will be harvested by a spam bot.

Munging the address may help, same if you use ASCII characters; that will prevent harvesting for a while.

A lot of the block lists used by email providers come from users reporting spam and email hitting spam traps. Project Honey Pot is going one step further by identifying the spam harvesters and the bots / spiders they use to crawl over your web space, using your bandwidth and stealing your email addresses.

This is achieved by handing out a unique email address to every hit on your spam trap. If a bot follows the link to the honey pot and harvests the address, it will be logged. When an email hits that particular email box, a spam harvester is identified.

There are a few different ways we can help stop the harvesters and help reduce spam. You can host a honey pot on your website or, if that is impossible (like it is for me at the present time), you can put a link to the Project Honey Pot website and help educate others. The last way to help is donating MX addresses to the project. The more MX addresses they have, the more variety of spam traps can be created. If you have a domain name that you are not using, donate up to 5 MX records for each domain name.

To learn more about the project go to: Stop Spam Harvesters, Join Project Honey Pot

I’m using the button on company web pages and will add a honey pot as soon as an “.asp” script is ready. I have an average of 5000 to 10000 spam per day hitting an email server with less than 200 users. The 50 to 250 that slip through the filters and SpamAssassin I report.

Nils

I think that this project is a great idea and as soon as I get a website running I will sign up for it. I will try almost anything to help stop or at least lower the amount of spamming that goes on. Thanks for the link :) .


Ah cool, this is great! Finally some people trying to stop spambots. I'm gonna donate some MX records to Project Honey Pot, since I've got a .INFO domain I'm not using...

<{POST_SNAPBACK}>


Daniel,

I'm using MX records for domains I own and use. I have different MX records for my real email and donated MX records for the honey pot.

These are the real MX records that point to my email server:

mail.exampledomain.com

pop3.exampledomain.com

smtp.exampledomain.com

These are the donated MX records pointing to Honey Pot's servers:

nopop3.exampledomain.com

nomail.exampledomain.com

nosmtp.exampledomain.com

Since it's illegal to harvest email addresses in the US, the records will be used to help law enforcement officers shut down spam harvesters.

If you look at the top 20 list you can see that a lot of the spam bots are collecting the addresses from the same computer that they are sending the spam from (or from the same 0/24 range). The computer may be compromised, but if we shut down compromised computers we shut down the spam.

Nils
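The mechanism from the opening post (a unique trap address per hit, logged, then matched when spam arrives) together with the same-/24 observation in this post, as an added example that is not part of the thread and not Project Honey Pot's own code. The trap domain is the donated host named above; the secret, IP addresses, user agents and timestamps are constructed, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

TRAP_DOMAIN = "nomail.exampledomain.com"  # donated MX host named in the post
SECRET = b"constructed-demo-key"          # assumption: a per-site secret

class TrapLog:
    """Issues one unique trap address per page hit and remembers who got it."""

    def __init__(self):
        self.issued = {}  # local part -> (visitor_ip, user_agent, issued_at)

    def issue(self, visitor_ip, user_agent, issued_at):
        # The counter keeps addresses unique even for identical repeat hits.
        msg = f"{visitor_ip}|{user_agent}|{issued_at}|{len(self.issued)}".encode()
        local = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]
        self.issued[local] = (visitor_ip, user_agent, issued_at)
        return f"{local}@{TRAP_DOMAIN}"

    def identify(self, rcpt_to, sender_ip, received_at):
        """Map spam arriving at a trap address back to the harvesting hit."""
        local, _, domain = rcpt_to.lower().partition("@")
        hit = self.issued.get(local) if domain == TRAP_DOMAIN else None
        if hit is None:
            return None  # not an address this trap ever handed out
        harvester_ip, user_agent, issued_at = hit
        net = ipaddress.ip_network(f"{harvester_ip}/24", strict=False)
        return {
            "harvester_ip": harvester_ip,
            "user_agent": user_agent,
            "sender_ip": sender_ip,
            "same_slash24": ipaddress.ip_address(sender_ip) in net,
            "seconds_to_first_spam": received_at - issued_at,
        }

def demo():
    log = TrapLog()
    # Constructed hits using documentation IP ranges, not real harvester data.
    a = log.issue("192.0.2.10", "Mozilla/4.0 (constructed)", 1000)
    b = log.issue("198.51.100.7", "ExampleBot/1.0 (constructed)", 1005)
    hit = log.identify(a, "192.0.2.77", 90000)
    other = log.identify(b, "203.0.113.5", 95000)
    miss = log.identify("someone@" + TRAP_DOMAIN, "203.0.113.5", 95000)
    return a, b, hit, other, miss

if __name__ == "__main__":
    for item in demo():
        print(item)
```
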


Thanks for the link. This is a serious problem on the internet. Asinine individuals who would invade your privacy with spyware and harvesters ought to be lined up and shot. :)


Glad to see that someone is finally taking action against these pests. They do nothing but eat up bandwidth and waste valuable time.

<{POST_SNAPBACK}>

[RANT]

Spam is a pet peeve of mine... I hate it. I'm an active spam reporter. :) I use spam traps with some of my posts. I have not done it on this site yet, but there are places I put an email address in my sigfile with text color the same as the background color. The only time that address gets email is after a spam bot has harvested a forum or newsgroup. :)

[/RANT]

Thanks for the link. This is a serious problem on the Internet. Asinine individuals who would invade your privacy with spyware and harvesters ought to be lined up and shot.

:(

<{POST_SNAPBACK}>

[RANT]

If you read into the concept, it will not stop spam but it will help identify spam harvesters and their IP addresses; a lot of times the spam bots are operated on zombie hosts without the knowledge of the user/owner. Some of the larger ISPs are ignorant when it comes to spam bots and don't shut them down when a complaint is filed. One of the excuses is "This is a dynamic IP range and it could have been anyone". (Translation: I'm working the abuse desk and I don't feel like checking the log to see who was assigned that IP address at the time of the complaint!) Or you get an auto-response that doesn't make sense or have anything to do with the problem you reported. I have reported open proxies and got an email back with the statement that this is not one of our email servers so we are not responsible for the spam, please report it to the proper ... bla bla bla.[/RANT] :)

When they get a notice from the authorities the response seems to be a lot faster. :)

Thanks for the interest, be an active spam reporter. It's like hunting Osama Bin .... :)

Nils


I've heard once that most of this spam is made by email providers and spam assassins. You can also make some bucks by just spamming. Therefore spamming is a business, not a bad habit. And in my point of view this Project Honey Pot is another good business :)

I'm still online even though I should have gone to bed :)

The Honeypot project is like Xisto.com: a free service by a company that is working to make money. :)

Parent company in 'code' to keep the link non-clickable :) http://www.unspam.com/ is the parent company and they have to be in the business of making money.

The inherent problem with things you hear is "they are not first hand knowledge". Most of the income to spammers goes to the big spam operations that are sending millions of spam a day. As an added side business they sell email addresses to spammer wannabes that buy a CD-ROM and think they can make money.

What spammers do is stealing from all of us; everyone on the internet that pays for the connection is paying the cost. Spammers steal bandwidth. Who pays for that? Your ISP, and in the end you pay for it.

The other issue is slow internet connections. If you are on a 56k dialup line and your POP3 email box is downloading 200 spam because you didn't go online for a couple of days, are you going to be happy that you couldn't surf the net for 1/2 hr because the spam downloaded? You can stop the transmission but then you may miss an important email.

What if your rich uncle's email telling you to come and pick up a million $ bounced because your email box on the server was over the limit and your ISP bounced it?

Is it OK to steal a million $ from 1 person? If you answer no, then is it OK to steal $1.00 from a million people? The sum is the same and they are both wrong.

Nils signing off from Mars.


Very interesting project. I joined and am now scattering the links all over my site. The idea is great and it's really easy to participate and it doesn't take webspace nor bandwidth much.


Interesting project. I think I will start using it. I hope they find a way to detect situations where spammers hijack an IP to use for harvesting and/or spamming

<{POST_SNAPBACK}>

There is a way to detect situations like that. It's used by a lot of companies with their own email servers and it's used by some ISPs (or they use their own version). Emails contain headers - wow what a revelation - :) When you read the headers you can find the IP address the spammer used to mail the spam. Do a Google on DNSbl and you will get about 336,000 hits. Up close to the top are "Spam and Open Relay Blocking System (SORBS)" and "DNS Providers Blacklist (DNS-bl)". Here you can learn about what is done to prevent relays and open proxies. At SORBS you can submit an IP address for testing; to do this you have to sign up and get a user name. At the DNS-bl you can't submit entries unless you are:

To contribute to the DNS-bl you must be one of the following:

    * a commercial DNS provider

    * a free DNS provider

    * a dynamic DNS provider

    * a URL or email forwarder

    * any other entity that provides DNS to a large number of third party domains

If you get a lot of spam and you have looked at a way of reporting this, try spamcop.net and sign up for a free reporting account. spamcop.com is a commercial site dedicated to fighting spam. At both places you can submit an email (full headers and body) and they will parse the email for you and give you the mail addresses to send a complaint to. As a member (spamcop.net) you can submit spam by email and then send the report directly from the parser.

Nils


There is a way to detect situations like that. It's used by a lot of companies with their own email servers and it's used by some ISPs (or they use their own version). Emails contain headers - wow what a revelation - :) when you read the headers you can find the IP address the spammer used to mail the spam.  ...

Nils

<{POST_SNAPBACK}>


I know email headers hold sender IP details, what I meant is that there is a need for a technology that can distinguish between offending IP addresses and victimised IP addresses that are used to spam. Right now, I can't think of any such approach which would not involve the collective effort of everyone whose IP address could potentially be hijacked. At the moment, the only way to verify that an IP address has been hijacked is to ask innocent people who see their IP addresses listed as suspected offenders to report their innocence and that is not enough because under the right conditions an offender can plead innocence too.

Honeypot is a great project idea and so far looks very promising but they need to focus on closing all loopholes


Very interesting project. I joined and am now scattering the links all over my site.

The idea is great and it's really easy to participate and it doesn't take webspace nor bandwidth much.

<{POST_SNAPBACK}>

It takes a little space, but the spam bots are using bandwidth anyway crawling your pages so why not give them a little poison pill. Welcome to the project (btw I'm just a member I don't work there but I laud the effort)

I know email headers hold sender IP details, what I meant is that there is a need for a technology that can distinguish between offending IP addresses and victimised IP addresses that are used to spam. Right now, I can't think of any such approach which would not involve the collective effort of everyone whose IP address could potentially be hijacked. At the moment, the only way to verify that an IP address has been hijacked is to ask innocent people who see their IP addresses listed as suspected offenders to report their innocence and that is not enough because under the right conditions an offender can plead innocence too.

Honeypot is a great project idea and so far looks very promising but they need to focus on closing all loopholes

<{POST_SNAPBACK}>

Guess I didn't read your post correctly, sorry about that.

I use different techniques to distinguish between offending and victimized IP addresses used to spam. To me, victimized computers sending spam are 'still' offending me. :)

As for offending IP addresses, I see that the trend is going more and more to using "hijacked" home computers that are configured wrong and can be used as open proxies.

I use the block lists. They have different criteria and are not blocking just known spam sources. I block whole country zones and for USA I block any CIDR /24 or /32 that is marked as "dynamic" by the ISP. A dynamic IP address should not be used to send mail; if you have to send mail from a dynamic address, use your ISP's server.

I block /24 and /32 from known spammers. There are lists out there listing hijacked IP ranges, open form mail servers in China.

The text inside the code box is injected into the email header when an email fails. If the email fails with only one "RBL" only 5 points are added; if it fails with 2 the points added are multiplied by times failed, and if the number is too high the message is either rejected or placed in a 'spam review' folder for review.

If the X-lookup does not match the IP it's a no go.

X-RBL-Warning: mail from 61.11.98.164 refused by DSBL, see http://dsbl.org
	mail from 61.11.98.164 refused by CBL, see http://rcbl.abuseat.org
	mail from 61.11.98.164 refused by Blitzed Open Proxy Monitor List, see http://opm.blitzed.org
	mail from 61.11.98.164 is refused by SpamHaus, see http://cbl.abuseat.org/lookup.cgi?ip=61.11.98.164&.submit=Lookup
	mail 61.11.98.164 refused by spamcop.net, see https://www.spamcop.net/bl.shtml?61.11.98.164
X-Lookup-Warning: MAIL lookup on nrhcwkyynt@medun.acad.bg does not match 61.11.98.164

Nils
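The block-list scoring described in the post above, as an added example that is not part of the thread and not the poster's mail server configuration. It reads a constructed header in the same shape as the quoted one; the quadratic reading of "multiplied by times failed", the two thresholds, the function names and the `dnsbl.example` zone are assumptions.

```python
import re

# Constructed header in the shape of the one quoted above (documentation IPs).
SAMPLE = (
    "X-RBL-Warning: mail from 192.0.2.44 refused by DSBL, see http://dsbl.org\n"
    "\tmail from 192.0.2.44 refused by CBL, see http://rcbl.abuseat.org\n"
    "\tmail 192.0.2.44 refused by spamcop.net, see https://www.spamcop.net/bl.shtml?192.0.2.44\n"
    "X-Lookup-Warning: MAIL lookup on user@mail.example does not match 192.0.2.44\n"
)

# Tolerates the variants seen in the quoted header: "mail <ip>" and "is refused".
ENTRY = re.compile(r"mail (?:from )?(\d+\.\d+\.\d+\.\d+) (?:is )?refused by (.+?), see")
MISMATCH = re.compile(r"^X-Lookup-Warning:.*does not match", re.M)

def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_hits(headers):
    """Return the (ip, list name) pairs recorded in X-RBL-Warning."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    hits = []
    for line in unfolded.splitlines():
        if line.lower().startswith("x-rbl-warning:"):
            hits.extend(ENTRY.findall(line))
    return hits

def verdict(headers, base=5, review_at=20, reject_at=45):
    """Assumed reading of the rule: base points per hit, times the hit count.
    review_at and reject_at are hypothetical thresholds."""
    n = len(rbl_hits(headers))
    score = base * n * n
    if MISMATCH.search(headers) or score >= reject_at:
        return score, "reject"  # a lookup mismatch is "a no go" on its own
    return score, "review" if score >= review_at else "accept"

if __name__ == "__main__":
    print(rbl_hits(SAMPLE))
    print(verdict(SAMPLE))
    print(dnsbl_query_name("192.0.2.44", "dnsbl.example"))
```
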


A little update on the Honeypot project!

One of my spamtrap MX addresses had its first confirmed spam harvester. This is one of 5 MX addresses that I have supplied to the project. The MX records go onto other users' websites if they would like to host a spamtrap but don't have spare MX records to use. So far over 69,000 Honey Pot addresses have been issued. This sounds like a lot; it's not. What is needed is more websites incorporating the Honeypots. It's not adding any overhead, just a little disk space. The spam harvesters come anyway and they do not obey the robots.txt or meta tags that you have.

Identified spam harvester - Malaysia

Look at the Honeypot website to see if this is something you can participate in. Click my sigfile to read up on Honeypots :P

Nils
