Re: [Assp-test] Fwd: Honeypot addresses, any way to bypass extremepb?

[Thomas E. <Tho...@th...>]

It is still possible to do honeypotting.
Yes, it requires more than a basic assp knowledge to do it in a perfect 
way - but this is wanted.

To be some how complete, the following hidden parameters can also be used:

our $fakeAUTHsuccess = 0;                # (0/1/2) fake a 235 reply for 
AUTH success - move the connection to NULL - collect the mail in spam - 
used for honeypots - 2=with damping
our $fakeAUTHsuccessSendFake = 0;        # (0/1) send the faked mails from 
the honeypot - make the spammers believe of success - attention: moves 
assp in to something like an open relay for these mails

NOTICE: DON'T use these parameters if you use AUTH with ASSP !!!

'fakeAUTHsuccess' - fakes a successfull AUTH in any case - accepts the 
mail and stores it
'fakeAUTHsuccessSendFake' - needs some more explanation:

>From time to time spammers try to authenticate. If success, they try to 
send (relay !!!) a specific mail through assp to a valid spammers account. 
This mail contains some innocent header and words (no SPAM!!). If they get 
this specific mail back, they know, they have found a SMTP relay server 
using the specific account. Only if they got this mail, they will send the 
really spam.

'fakeAUTHsuccessSendFake' - forces ASSP to deliver this specific mail - 
BUT also any other mail, for an unsuccessfull authentication !!!!

 NEVER leave the parameter 'fakeAUTHsuccessSendFake' enabled 
unattented!!!!!!

Honeypotting as an explicit feature will be too complex or too simple.
Too complex, if anyone wants to decide in detail how a honeypott mail 
should be detected and processed. An dedicated honeypott feature would 
require, that any honeypott setting has to be cross checked against the 
other assp settings. At least, the current code provides such settings and 
behavior.
Too simple for the case : honeypott-address used ->spam collection - this 
behavior is still implemented (see below).

I like the idea, to collect HAM detected honeypott mails in a mailbox. 
This makes it possible to investigate, why they were not spam and to make 
dedicated configuration changes.
Otherwise, defining the honeypott addresses in 'spamaddresses' and setting 
'DoNotBlockCollect' to ON in addition to 'hlSpamLovers' and 'nodelay' , 
should do the tick.

Thomas



Von:    K Post <nnt...@gm...>
An:     ASSP development mailing list <ass...@li...>
Datum:  04.08.2015 17:27
Betreff:        Re: [Assp-test] Fwd: Honeypot addresses,        any way to 
bypass extremepb?



Very interesting Thomas.  Accepting the mail and then reporting is a
fascinating idea!  Gotta figure that out on the MTA side.  I guess I'll 
ask
for complete honeypotting as a feature request in ASSP now, purely as a
pipe-dream, but with the hopes that you'll be so inspired and somehow 
carve
out the time.

Thanks

On Wed, Jul 29, 2015 at 9:41 AM, Thomas Eckardt 
<Tho...@th...>
wrote:

> I do this in a similar way for years.
>
> - my group is [dummy]
> - I replace all addresses of the honeypot-domain one (every time the 
same
> for each spam domain) valid local address
> - nodelay has
> 0.0.0.0/1=>[dummy]
> 128.0.0.0/1=>[dummy]
>
> [dummy] is also in hlSpamLovers - helos should never blocked for the
> honeypot
>
> if a mail is detected as spam - fine - stored - nothing wrong - but..
> NOTHING TO LEARN for assp (BAD until the next complete rebuildspamdb was
> finished)
> if it is not detected as spam, it is delivered to the dummy user - now 
the
> trick - the mailbox of this user has an agent, which spam-reports and
> deletes any incomming mail immediatly
> because the rebuild is running permanent (if configured) - assp learns
> just in time the new reported spam (also for all the other real users)
>
> >The problem is that the volume of spam is causing the sender Ip to goto
> the
> >extremePB.
>
> you should disable this - it is in montor mode (early is disabled) on my
> prod system
>
> Thomas
>
>
>
>
> Von:    K Post <nnt...@gm...>
> An:     ASSP development mailing list <ass...@li...>
> Datum:  29.07.2015 15:18
> Betreff:        [Assp-test] Fwd: Honeypot addresses, any way to bypass
> extremepb?
>
>
>
> I sent this in early June to the user list, but it got no play, so I
> figured that I'd give here a go.
> Thanks
>
> ---------- Forwarded message ----------
> From: K Post <nnt...@gm...>
> Date: Thu, Jun 4, 2015 at 9:34 AM
> Subject: Honeypot addresses, any way to bypass extremepb?
> To: For Users of ASSP <Ass...@li...>
>
>
> I've setup a couple honeypot subdomains.  My intention is to use them to
> gather more and more varied spam messages.
>
> This might just be a case of ASSP not being intended for this, in which
> case I'll just kill the subdomains or donate them to project honeypot.
>  ..or I could just be doing it wrong.
>
> I have the subdomains listed in a group like this
> [HONEYPOT-ADDRESSES]
> @subdomain1.ourcharity.org
> @subdomain2.ourcharity.org
>
> and I have that group listed in SpamAddresses
>
> The problem is that the volume of spam is causing the sender Ip to goto
> the
> extremePB.
>
> in block reports, I see:
> spam reason: (score for xxx.xxx.xxx.xxx is 645, surpassing extreme level
> of
> 601) [--the subject--]
>
> and as such, the messages aren't being collected.
>
> Is there a way to tell ASSP to collect mail into the spam folder for
> specific addresses?  Don't process them, don't block based on IP, just
> gobble up the mail, save it in spam, and give the IP a score.  Maybe 
don't
> even give the sender an error, but don't use extremepb for mails
> exclusively to these addresses  --like a honeypot should work.
>
> Again, if this is a bad idea, counter to ASSP's mission / design, etc,
> I'll
> just ditch the concept.
>
> 
------------------------------------------------------------------------------
> _______________________________________________
> Assp-test mailing list
> Ass...@li...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, 
legally
> privileged and protected in law and are intended solely for the use of 
the
>
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
> 
------------------------------------------------------------------------------
> _______________________________________________
> Assp-test mailing list
> Ass...@li...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
------------------------------------------------------------------------------
_______________________________________________
Assp-test mailing list
Ass...@li...
https://lists.sourceforge.net/lists/listinfo/assp-test






DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************