From: Thomas E. <Tho...@th...> - 2015-08-06 10:37:18

It is still possible to do honeypotting. Yes, it requires more than a basic assp knowledge to do it in a perfect way - but this is wanted.

To be somehow complete, the following hidden parameters can also be used:

    our $fakeAUTHsuccess = 0;         # (0/1/2) fake a 235 reply for AUTH success - move the connection to NULL - collect the mail in spam - used for honeypots - 2=with damping
    our $fakeAUTHsuccessSendFake = 0; # (0/1) send the faked mails from the honeypot - make the spammers believe in success - attention: moves assp into something like an open relay for these mails

NOTICE: DON'T use these parameters if you use AUTH with ASSP !!!

'fakeAUTHsuccess' - fakes a successful AUTH in any case - accepts the mail and stores it

'fakeAUTHsuccessSendFake' - needs some more explanation:

From time to time spammers try to authenticate. If success, they try to send (relay !!!) a specific mail through assp to a valid spammers account. This mail contains some innocent header and words (no SPAM!!). If they get this specific mail back, they know they have found an SMTP relay server using the specific account. Only if they got this mail will they send the real spam.

'fakeAUTHsuccessSendFake' - forces ASSP to deliver this specific mail - BUT also any other mail, for an unsuccessful authentication !!!!

NEVER leave the parameter 'fakeAUTHsuccessSendFake' enabled unattended!!!!!!

Honeypotting as an explicit feature will be too complex or too simple. Too complex, if anyone wants to decide in detail how a honeypot mail should be detected and processed. A dedicated honeypot feature would require that any honeypot setting has to be cross-checked against the other assp settings. At least, the current code provides such settings and behavior. Too simple for the case: honeypot address used -> spam collection - this behavior is still implemented (see below).

I like the idea to collect HAM-detected honeypot mails in a mailbox. This makes it possible to investigate why they were not spam and to make dedicated configuration changes. Otherwise, defining the honeypot addresses in 'spamaddresses' and setting 'DoNotBlockCollect' to ON in addition to 'hlSpamLovers' and 'nodelay' should do the trick.

Thomas

From: K Post <nnt...@gm...>
To: ASSP development mailing list <ass...@li...>
Date: 04.08.2015 17:27
Subject: Re: [Assp-test] Fwd: Honeypot addresses, any way to bypass extremepb?

Very interesting Thomas. Accepting the mail and then reporting is a fascinating idea! Gotta figure that out on the MTA side.

I guess I'll ask for complete honeypotting as a feature request in ASSP now, purely as a pipe-dream, but with the hopes that you'll be so inspired and somehow carve out the time.

Thanks

On Wed, Jul 29, 2015 at 9:41 AM, Thomas Eckardt <Tho...@th...> wrote:
> I do this in a similar way for years.
>
> - my group is [dummy]
> - I replace all addresses of the honeypot-domain with one (every time the same for each spam domain) valid local address
> - nodelay has
>   0.0.0.0/1=>[dummy]
>   128.0.0.0/1=>[dummy]
>
> [dummy] is also in hlSpamLovers - helos should never be blocked for the honeypot
>
> if a mail is detected as spam - fine - stored - nothing wrong - but.. NOTHING TO LEARN for assp (BAD until the next complete rebuildspamdb was finished)
> if it is not detected as spam, it is delivered to the dummy user - now the trick - the mailbox of this user has an agent, which spam-reports and deletes any incoming mail immediately
> because the rebuild is running permanently (if configured) - assp learns just in time the new reported spam (also for all the other real users)
>
> > The problem is that the volume of spam is causing the sender IP to go to the extremePB.
>
> you should disable this - it is in monitor mode (early is disabled) on my prod system
>
> Thomas
>
> From: K Post <nnt...@gm...>
> To: ASSP development mailing list <ass...@li...>
> Date: 29.07.2015 15:18
> Subject: [Assp-test] Fwd: Honeypot addresses, any way to bypass extremepb?
>
> I sent this in early June to the user list, but it got no play, so I figured that I'd give it a go here.
> Thanks
>
> ---------- Forwarded message ----------
> From: K Post <nnt...@gm...>
> Date: Thu, Jun 4, 2015 at 9:34 AM
> Subject: Honeypot addresses, any way to bypass extremepb?
> To: For Users of ASSP <Ass...@li...>
>
> I've set up a couple honeypot subdomains. My intention is to use them to gather more and more varied spam messages.
>
> This might just be a case of ASSP not being intended for this, in which case I'll just kill the subdomains or donate them to project honeypot. ..or I could just be doing it wrong.
>
> I have the subdomains listed in a group like this
>   [HONEYPOT-ADDRESSES]
>   @subdomain1.ourcharity.org
>   @subdomain2.ourcharity.org
>
> and I have that group listed in SpamAddresses
>
> The problem is that the volume of spam is causing the sender IP to go to the extremePB.
>
> in block reports, I see:
>   spam reason: (score for xxx.xxx.xxx.xxx is 645, surpassing extreme level of 601) [--the subject--]
>
> and as such, the messages aren't being collected.
>
> Is there a way to tell ASSP to collect mail into the spam folder for specific addresses? Don't process them, don't block based on IP, just gobble up the mail, save it in spam, and give the IP a score. Maybe don't even give the sender an error, but don't use extremepb for mails exclusively to these addresses --like a honeypot should work.
>
> Again, if this is a bad idea, counter to ASSP's mission / design, etc, I'll just ditch the concept.
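The mailbox agent Thomas describes in the quoted July 29 message (spam-report every mail that reached the dummy user, then delete it, so assp learns the missed spam) as an added example; this is not code from ASSP or from either poster. It assumes the dummy user's mail lands in a Maildir and that a report is the original forwarded as a message/rfc822 attachment; the report address, sender address and sample message are constructed placeholders, and actual SMTP submission is left to a caller-supplied function.

```python
import mailbox
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

REPORT_TO = "assp-spam@example.org"        # assumed ASSP spam-report address
AGENT_FROM = "dummy@honeypot.example.org"  # assumed dummy honeypot user

# Constructed sample: spam that the filter missed and delivered to the dummy user.
SAMPLE_SPAM = (b"From: sender@spam.test\r\nTo: dummy@honeypot.example.org\r\n"
               b"Subject: cheap offer\r\n\r\nnot caught by the filter\r\n")

def build_report(raw: bytes) -> EmailMessage:
    """Wrap the raw message as a message/rfc822 attachment of a report mail,
    so the original headers and body reach the learner untouched."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    report = EmailMessage()
    report["From"] = AGENT_FROM
    report["To"] = REPORT_TO
    report["Subject"] = "[SPAM REPORT] " + (original["Subject"] or "(no subject)")
    report.set_content("Spam delivered to the honeypot mailbox; please learn it.")
    report.add_attachment(original)  # Message object -> message/rfc822 part
    return report

def process_maildir(path: str, send) -> int:
    """Report every message in the Maildir via send(), delete it only after
    the report was accepted, and return the number handled."""
    md = mailbox.Maildir(path, create=False)
    handled = 0
    for key in list(md.keys()):
        send(build_report(md.get_bytes(key)))
        md.remove(key)  # reached only if send() did not raise
        handled += 1
    md.flush()
    return handled

def demo():
    """Run the agent once against a temporary Maildir holding SAMPLE_SPAM.
    Returns (handled, reports_sent, messages_left)."""
    path = os.path.join(tempfile.mkdtemp(), "Maildir")
    box = mailbox.Maildir(path, create=True)
    box.add(SAMPLE_SPAM)
    box.close()
    sent = []  # stands in for SMTP submission to REPORT_TO
    handled = process_maildir(path, sent.append)
    return handled, sent, len(mailbox.Maildir(path).keys())
```

Because the delete happens only after send() returns, a failed report leaves the message in place for the next run instead of losing the sample.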