{"id":429,"date":"2008-11-18T22:15:06","date_gmt":"2008-11-18T20:15:06","guid":{"rendered":"http:\/\/www.greenman.co.za\/blog\/?p=429"},"modified":"2008-11-18T22:15:06","modified_gmt":"2008-11-18T20:15:06","slug":"an-attractive-honeypot","status":"publish","type":"post","link":"https:\/\/www.greenman.co.za\/blog\/?p=429","title":{"rendered":"An attractive honeypot"},"content":{"rendered":"

I came across a website recently that, lurking amongst the usual About Us<\/em> and Contact Details<\/em> had an Anti-spam<\/em> link. I followed the link, and came to this page<\/a>.<\/p>\n

It’s a company selling an anti-spam product, and the page was a spam honeypot (or spamtrap<\/a>).<\/p>\n

Spam honeypots are web pages with email addresses that then deliberately aim to get harvested by a spam harvester, but are not actually a real email address.<\/p>\n

This particular honeypot has a few problems though. It generates a whole lot of fake emails, and the page links to itself, so the harvester returns to the page, when it loads another whole load of fake emails.<\/p>\n

When it finally gets to use these emails, they’re of course of no use, just wasting the spammers time.<\/p>\n

But more importantly they also waste the resources of the machines and mail servers sending them, which more often that not start off as a compromised Windows PC, and generate backscatter<\/a>, which is a form of spam itself – a bounced email returning to the ‘sender’, when the sender didn’t in fact send it.<\/p>\n

And even more importantly, I can’t see how the project is a real honeypot, as it appears there’s no followup, and the spammers can just carry on sending to the fake emails, without any real consequences.<\/p>\n

And finally, because the URL is hard-coded, anyone behind a harvester will soon see why and where their harvester is being slowed down, and avoid the URL.<\/p>\n

It doesn’t seem to be very effective at all, and is probably more of a marketing attempt by the company in question.<\/p>\n

A much better alternative is Project Honey Pot<\/a>, which started in 2004.<\/p>\n

Firstly, it’s a distributed system. Anyone with a web server can host a honeypot script. A script can be downloaded from Project Honey Pot for placement on a server. Each script has a different file name. The honeypot script name is randomly generated (or you can specify one yourself), and is available in most scripting languages, so there’s no hard-coded name for a harvester to avoid.<\/p>\n

Once the script is in place, it needs web pages to link to it. Project Honey Pot have added a new feature, Quick Links, so people without access to the web server itself, but who have blogs and so on, can add a link to a honeypot script. Honeypot hosts can decide whether to make their script publicly available or not.<\/p>\n

There are a number of different linking techniques, and these techniques also all come with randomly-generated strings, so there really seems to be no viable way for a harvester to avoid falling into the trap.<\/p>\n

So once the spammer has harvested the mails, and sent them, what happens? Unlike the example above, where the generated mail is simply aimed at wasting the spammer’s time, Project Honey Pot actually collates, processes and shares the data generated by the honeypots. They work with various authorities to track down and prosecute spammers.<\/p>\n

To complete the loop, you can also donate an MX entry, so that the servers used to receive the mails are also distributed, and difficult for spammers to avoid.<\/p>\n

Unlike the first example, Project Honey Pot is an effective project, and everyone with a web server, or a site, should be using their services!<\/p>\n

If you’re interested in taking on local spammers, see the ISOC-ZA Spammer Bounty project<\/a>.<\/p>\n

Related posts:<\/p>\n