Fwd: [OT] open relay honeypot
* Derek Fountain
This is an off topic post from my local LUG list, but pretty interesting. Sort of spells out the dangers of open mail relays. I wonder if spam would be ended instantly if we all set one up...
---------- Forwarded Message ----------
Subject: [plug] [OT] open relay honeypot
Date: Fri, 17 Jan 2003 14:41:06 +0800
From: Luke Dudney
To: plug@plug.linux.org.au

A few weeks ago I set up an smtp open relay honeypot using postfix on the end of my DSL line (set mynetworks to the entire world and disabled the 'smtp' transport). It appears to be an open relay but does not actually deliver the message. It took less than a day to be found by the spammers, and in the last three days usage on it has gone through the roof (559 different hosts connected to it!) The initial connections I got were apparently probes (empty message to throwaway hotmail/yahoo accounts with my IP as the Subject). I forwarded these on manually to give the spammers false positives.

It gives me a good feeling to know that there are 248,977 less spam messages in 241,978 less peoples' inboxes! I wonder how much spam would be stopped if there were a whole lot more similar honeypots on the net.

....chop....chop....
A good feeling and a few minutes of the spammer's line time is probably all you gained besides the increased traffic on the net.

Reporting this traffic to the origin's host ISP would have been a gain, where you possibly caused the spammer to lose his account, or at least made him get a new account.

--
Patrick Shanahan
http://wahoo.no-ip.org
Registered Linux User #207535 icq#173753138 @ http://counter.li.org

=> A good feeling and a few minutes of the spammer's line time
=> is probably all you gained besides the increased traffic on the net.
=>
=> Reporting this traffic to the origin's host ISP would have
=> been a gain, where you possibly caused the spammer to lose
=> his account, or at least made him get a new account.

Agreed - also publishing the list of hosts so we may all block them would be beneficial.
Jon Biddell wrote:
Agreed - also publishing the list of hosts so we may all block them would be beneficial.
Have a look at http://www.ordb.org/

--
JDL
PCWorld had a list of spamming IPs which were to be used in both Linux
and Mickey$oft.
I believe the Linux instructions included IP Tables setup.
I seem to have lost my copy but the list was only about 100+ long.
CWSIV
On Sat, 18 Jan 2003 11:46:20 +1100 "Jon Biddell"
=> A good feeling and a few minutes of the spammer's line time
=> is probably all you gained besides the increased traffic on the net.
=>
=> Reporting this traffic to the origin's host ISP would have
=> been a gain, where you possibly caused the spammer to lose
=> his account, or at least made him get a new account.
Agreed - also publishing the list of hosts so we may all block them would be beneficial.
The 03.01.17 at 12:34, SuSEnixER wrote:
Reporting this traffic to the origin's host ISP would have been a gain, where you possibly caused the spammer to lose his account, or at least made him get a new account.

Not all ISPs are sensitive enough. For example, there is a host with a fixed IP, which I think is actually on the ISP premises (193.152.43.8, ssaflo3.nombres.ttd.es), that keeps probing port 5327 on the whole subnet or more. I complained to the provider, but they answered a month or so later saying something like "insufficient data".

--
Cheers,
Carlos Robinson
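
Added example (not part of the thread and not any poster's code): the replies above suggest reporting the honeypot's traffic to the originating ISPs and publishing the list of hosts. This Python script tallies accepted messages and recipients per connecting client from Postfix syslog lines, which is the evidence an abuse report would carry. The log lines are constructed, and the `smtpd`/`qmgr` line layout, the hostname `hp` and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the usual Postfix syslog layout (assumed; not from the thread).
# Addresses are documentation ranges; "hp" is a hypothetical honeypot hostname.
SAMPLE_LOG = """\
Jan 17 14:41:06 hp postfix/smtpd[801]: connect from unknown[203.0.113.5]
Jan 17 14:41:07 hp postfix/smtpd[801]: 4F1A2B3C01: client=unknown[203.0.113.5]
Jan 17 14:41:08 hp postfix/qmgr[310]: 4F1A2B3C01: from=<a@example.com>, size=2048, nrcpt=50 (queue active)
Jan 17 14:41:09 hp postfix/smtpd[801]: 4F1A2B3C02: client=unknown[203.0.113.5]
Jan 17 14:41:10 hp postfix/qmgr[310]: 4F1A2B3C02: from=<a@example.com>, size=2050, nrcpt=30 (queue active)
Jan 17 14:52:00 hp postfix/smtpd[802]: 5A00000001: client=mail.example.net[198.51.100.9]
Jan 17 14:52:01 hp postfix/qmgr[310]: 5A00000001: from=<>, size=310, nrcpt=1 (queue active)
Jan 17 15:11:08 hp postfix/qmgr[310]: 4F1A2B3C01: from=<a@example.com>, size=2048, nrcpt=50 (queue active)
Jan 17 15:20:00 hp postfix/smtpd[803]: connect from unknown[192.0.2.77]
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([^\]]+)\]")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")

def summarize(log_text):
    """Return {client_ip: {"messages": n, "recipients": n}} for accepted mail."""
    queue_to_ip = {}          # queue ID -> client IP that submitted it
    counted = set()           # queue IDs already tallied
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            queue_to_ip[m.group(1)] = m.group(2)
            continue
        m = QMGR_RE.search(line)
        # qmgr logs the same queue ID again on each retry of held mail: count once.
        if m and m.group(1) in queue_to_ip and m.group(1) not in counted:
            counted.add(m.group(1))
            entry = stats[queue_to_ip[m.group(1)]]
            entry["messages"] += 1
            entry["recipients"] += int(m.group(2))
    return dict(stats)

def report(stats):
    """One tab-separated line per client, heaviest recipient count first."""
    rows = sorted(stats.items(), key=lambda kv: kv[1]["recipients"], reverse=True)
    return [f"{ip}\t{s['messages']}\t{s['recipients']}" for ip, s in rows]

if __name__ == "__main__":
    print("client_ip\tmessages\trecipients")
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Clients that only connect without submitting mail (the last sample line) are left out of the tally, so the report lists only hosts that actually tried to relay.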
participants (6)
- Carl William Spitzer IV
- Carlos E. R.
- Derek Fountain
- John Lamb
- Jon Biddell
- SuSEnixER