Honeypot For Identifying Email-Harvesters
Cheese Man writes "Mark Pilgrim describes a simple way to identify email-harvesters: "In each page I serve, I include a bogus email address, encoded with the date of access as well as the host IP address ... This has allowed me to trace spam back to specific hosts and/or robots." There's even a simple one-line example done with PHP. (Thanks to BoingBoing for the links.)"
Re:I say... (Score:3, Interesting)
I think Earthlinks Spam Blocker is using that idea.
-Eyston
Re: I say... (Score:2)
BrightMail's method can only find spam. Their honeypots have absolutely no legitimate use, so all the mail they get must be spam: untargetted, mass mailing, to an unchecked, harvested list of addresses.
Ok, so they have 100% certain spam mail examples. How do they then use them to block new mail? Do they block the From:? That can be forged, and is often a real innocent person. Do they block the IP? That may well be a normal mail server. Etc.
This is just a naive thought, but I was wondering how they so
Re: I say... (Score:2)
Ah. That I don't know. And of course that's the bit that's susceptible to errors.
As I said, I haven't noticed a single false positive in the mail it's trapped for me. Is it possible that different ISPs use BrightMail's info in different ways? Is it too late to ask if anyone knows any more about this?
Re:I say... (Score:3, Informative)
No, spews is only based on reports to a news group and some unknown persons responses to those reports.
Talk about false positives. When you block entire class C networks, you are going to get false positives. I can find a network listed with them, and send email from a machine on that network (that has NEVER sent spam before) and spews will block it. Was my email spam? NO, therefore it's a false positive.
Plus when it takes over 6 months to get a network removed (if not longer), it is just about
Re:I say... (Score:2)
Mail may be blocked by ISPs referring to the SPEWS listings and deciding whether to let an email pass or not. But SPEWS itself does nothing to the stream of email. SPEWS does not block anything.
SPEWS publishes a listing of IP addresses that have been used to send spam to its bait addresses, and IP addresses of spam-friendly ISPs. If someone spams SPEWS, t
Re:I say... (Score:2)
What, that isn't the reason?
*ahem* I'll be going now...
Re:But what can you do about it? (Score:2)
And there's little point listing fake addresses on your own domain, because your mailserver still has to handle them.
It might be worth using an email address on another domain if you have such a system, which should get your email address filtered out by spammers.
It's also worth considering people who fi
Its called a false dichotomy (Score:5, Informative)
> You're either pro government control or against it,
Why not?
Things are rarely polar opposites. You can't just say, "Well kid, are you a communist or for a laissez-faire market." There's tons of middle ground.
The formal name for this is the False Dichotomy. [info-pollution.com] More [ucsd.edu]
Extremes only really exist as abstract concepts.
Advocating regulation or laws to protect against abuse is hardly pro-DMCA.
Re:Its called a false dichotomy (Score:2)
I think robert has it backwards. The quote implies that the world is slowly drifting to the left. In reality, it is drifting right (at least in America). If you could go backwards in time, he might have a point.
But then you have to take apart what liberal and conservative really mean. Some would say it means large vs small government. Others think it means government protection of human right
[OT] Re:Its called a false dichotomy (Score:2)
But if we are going to talk about the true meaning of conservative, then my points change slightly. There really aren't many real conservatives left [in US, no comment on the rest], even while looking at today's liberals. "Liberals" mostly want change, or at least change of today's policy back in line with traditional values, or
Re:pro-spam legislation yet anti-DMCA? (Score:2)
the dmca can prevent fair use. a right most people believe they have.
most spammers are committing fraud. a crime most people believe should be punished.
sometimes I really wonder how people like you get along in the world. I highly doubt you are *one way or the other* in life. No one is.
Re:But what can you do about it? (Score:3, Interesting)
In the example given, the spam harvester used a unique User-Agent string and a constant IP address for spidering. As a web site owner, you could block requests based on either of those credentials. In addition, you can publish your findings so that other web sites and networks can block the harvesters you find too.
You can also complain to the harvester's ISP. Since spam is often sent with
But the postmaster doesn't care (Score:2, Insightful)
postmaster@j3rk.ugh.com doesn't really care.
If, perchance, it is a company that makes its bread and butter collecting and selling e-mail addresses to the gullible, they probably already KNOW what they are doing, and you reminding them does nothing but give you a warm feeling.
Another option is some retail user - there probably is no postmaster@CPE0080c6ef6343-CM0143000000054.cpe.net.cable.rogers.com just to pull a random IP address out of my log file.
And finally the last case -- you hit the 'jackpot'
Nothing new (Score:5, Informative)
Old new
Re:Nothing new (Score:2)
Not quite, I do the same thing, but you still end up with a lot of spam on the e-mail addresses you publish on your web-page, and you do not change these every day by hand.
Re:Nothing new (Score:3, Interesting)
It came from places you wouldn't expect it. Siding salesmen were the worst. I was renting an apartment at the time.
Re: wpoison (Score:5, Funny)
> Try wpoison, it's a CGI script to generate a random set of email addresses, infinitely deep. Very fun.
I'm trying to invent an e-mail address that explodes if anyone tries to use it.
Re: wpoison (Score:2)
joe@abc.com auto-forwards all incoming email to joe@xyz.com
joe@xyz.com auto-forwards all incoming email to joe@abc.com
It's the classic "10 GOTO 20; 20 GOTO 10", but with email accounts. Has anyone out there tried this?
Re: wpoison (Score:2)
It would be rather amusing to r00t a bunch of dirty spammers via this technique. Use their boxes to grab kiddie pr0n from all over the net and then tip off the feds or something.
Re: wpoison (Score:2)
I'm trying to invent an e-mail address that explodes if anyone tries to use it.
I certainly wouldn't want to be near my mail server when a spammer strikes...
Though, suddenly, I can't help but think a certain Utah congresscritter might be able to help you :)
Re:wpoison (Score:3, Interesting)
I'd like to see millions of web sites adopt this approach; then perhaps spammers would be overwhelmed by bogus email addresses and it would cost them more money to figure out ways around it, if it's even possible.
The principle is similar to the Nigerian spam baiting [terrytraub.org] that some of us engage in; if thousan
Re:wpoison (Score:2)
You put a line in your robots.txt saying that bots are not allowed to access a certain directory or file. Then you put an invisible link to said directory or file on your home page. Any host that makes a request for the forbidden file is an evil bot, and gets blacklisted and/or reported to some other authority.
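The robots.txt trap described above, as an added example (not code from the thread): it parses constructed Apache combined-format log lines, reports every host that fetched the disallowed trap path (with the User-Agents it used and whether it ever read robots.txt), and emits Apache 2.2-style deny lines for them. The trap path, the User-Agent strings and the log lines are all made up for the example.

```python
import re
from collections import defaultdict

# Path listed under Disallow in robots.txt and linked only invisibly (hypothetical name).
TRAP_PATH = "/private-no-bots/"

# NCSA combined log format, as written by Apache.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: a polite crawler, a harvester, a human visitor and one junk line.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Jun/2003:09:10:05 -0700] "GET /robots.txt HTTP/1.0" 200 45 "-" "PoliteBot/1.0"
198.51.100.7 - - [22/Jun/2003:09:10:06 -0700] "GET /index.html HTTP/1.0" 200 3120 "-" "PoliteBot/1.0"
203.0.113.9 - - [22/Jun/2003:09:12:41 -0700] "GET /index.html HTTP/1.0" 200 3120 "-" "ExampleHarvester/1.0"
203.0.113.9 - - [22/Jun/2003:09:12:42 -0700] "GET /private-no-bots/ HTTP/1.0" 200 512 "http://example.com/index.html" "ExampleHarvester/1.0"
203.0.113.9 - - [22/Jun/2003:09:12:43 -0700] "GET /private-no-bots/more.html HTTP/1.0" 200 512 "-" "ExampleHarvester/1.0"
192.0.2.44 - - [22/Jun/2003:10:01:00 -0700] "GET /index.html HTTP/1.0" 200 3120 "-" "Mozilla/5.0"
this line is not a log record
"""


def parse_line(line: str):
    """Split one combined-format line into fields, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def trap_hits(log_text: str, trap_path: str = TRAP_PATH) -> dict:
    """Hosts that fetched the forbidden path: hit count, User-Agents seen,
    and whether they ever read robots.txt (a harvester usually does not)."""
    read_robots = set()
    seen = defaultdict(lambda: {"hits": 0, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip it, do not crash
        if rec["path"] == "/robots.txt":
            read_robots.add(rec["host"])
        if rec["path"].startswith(trap_path):
            seen[rec["host"]]["hits"] += 1
            seen[rec["host"]]["agents"].add(rec["agent"])
    return {host: {**info, "read_robots": host in read_robots}
            for host, info in seen.items()}


def deny_directives(report: dict) -> list:
    """Apache 2.2-style access-control lines for the offending hosts."""
    return [f"Deny from {host}" for host in sorted(report)]
```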
Honeypot vs honey hole (Score:3, Funny)
title edit (6/19, 6:47am): Honeypot not "honey hole." Thanks, Cory.
What's the difference between the two? Computer geeks have experience with honeypots!
Re:Honeypot vs honey hole (Score:2)
oh wait, this is slashdot. nevermind.
Re:And the next step is........ (Score:2)
The fact that there is no law against you collecting data does not mean that the people providing that data can't use the fact that you collected that data to prevent you from sending large volumes of e-mail to them.
Likewise this will rapidly identify open-proxy sources that may also be used to send spam at another time.
-Rusty
Re:And the next step is........ (Score:2)
What they're doing is not illegal, but neither is what I'm doing...
Simon
Re:And the next step is........ (Score:2)
If it gets N more people to do it though, we might just make spammers lives that little bit harder
Simon
Re:And the next step is........ (Score:2)
This is analogous to a junk mailer going down to city hall and getting a list of physical addresses to which to send his promotional material.
There are some important differences:
1. City hall generally will not give up the names and addresses of its citizens to just anybody.
2. It's illegal to send unrequested solicitations for pornography, specious medical programs, and m
Spammers are pretty simple (for now) (Score:5, Interesting)
It wouldn't take much to find and decode most of the simple spam-protected email addresses. And I don't think it would take long for the spammers to detect a system such as this and bypass it, but I don't think they will bother in the current climate.
But pretty soon I suspect we will get much cleverer email collecting tools and the problem is going to get to the scale of the virus/anti-virus stage.
Re: Spammers are pretty simple (for now) (Score:5, Funny)
> I am pleasantly surprised that my anti-spam encoded email address still has not been spammed. [...] It wouldn't take much to find and decode most of the simple spam-protected email addresses. [...] But pretty soon I suspect we will get much cleverer email collecting tools and the problem is going to get to the scale of the virus/anti-virus stage.
Then we'll start putting "nospam" in our real addresses!
Re: Spammers are pretty simple (for now) (Score:5, Interesting)
I do. I use myid-nospam@my_domain.org for news groups, dubious web site forms, etc. In several years, I've received exactly one spam at that account. It looks like many of the harvesters remove any address with "spam" in it, because they think it's likely fake (or at least harvester-proofed).
By far most of my spam comes to my old eBay account. Luckily that was myid-ebay@my_domain.org, which will soon be removed in favour of a slightly different permutation.
Re: Spammers are pretty simple (for now) (Score:2)
Okay, serious questions from folks at work then:
If you have x users with a firstname.lastname@domain email address each, is it possible to set up a mailserver such that firstname.lastname.*@domain reaches each person's mailbox, * being a wildcard?
I know this is possible using the 'default' account and filtering: I do this myself, but we'd need to integrate it into a 'proper' email server,
Re: Spammers are pretty simple (for now) (Score:2)
That being said, I haven't done it myself; I just have tons of entries in /etc/aliases. I'm willing to bet, though, that some Google searching will turn up more information. I'll also bet that it'll be difficult to impossible with Exchange.
Re: Spammers are pretty simple (for now) (Score:2)
userid+parameter@foo.com
The exim.conf has a few lines you can uncomment to get it so that this will work.
The reason I don't do this is that I don't know how to block a specific extension. I was using jl-ng@ for newsgroups (so that I could get email replies) and once it was getting to be too much, I changed the alias to a nonaccount so that it would bounce.
The cat's out of the bag: (Score:2)
So some spammers have figur
A new RBL? (Score:4, Interesting)
It would probably impose too much of a performance hit for a popular site, but maybe for smaller stuff -- your bio page, or whatever -- it would be appropriate.
So you found the harvester... (Score:5, Interesting)
These guys come like a thief in the night. They load your page like any other search engine spider. It's like knowing the face of the guy who went through your neighborhood, trying every door knob in the guise of distributing an advertising flyer, then later he disclosed to other thieves, unknown to you, who's at home during the day and who is not.
Yes, it's helpful in building a case, like knowing who is going through a neighborhood trying all the doors, but catching the actual guy in the act is not as easy.
Some of this spam is really getting nasty. Just two days ago, I received this spam in my box purporting to be from the fraud department of Best Buy regarding CD players some guy in New York is trying to buy with my credit card. It seemed a really professional email, except they didn't know my name, and apparently had to get my email addy from a national credit bureau agency. When the links did not point as shown, I really became leery. The whole thing was apparently a ruse to get me to log into their site and disclose all sorts of personal information, playing on my fear that if I did not do so, the fraudulent transaction would complete.
Watch out, guys. There's a lot of deception going on out there.
Any tools and techniques we make to help us find out who these little rascals are is really welcome. Being some students just got nailed for their life savings for just their involvement in sharing a few songs, I trust this same environment can be used for those involved in internet scams which often cost not just a few record sales, but often substantial, I mean really substantial, grief for the victim.
Re:Best Buy Fraud (Score:2)
The anti-fraud emails are not from Best Buy either. Hope you didn't click the links.
Easily defeated (Score:2, Interesting)
Surely the email harvester will just 'learn' to remove its own IP number and possibly a date (or even better, just increment the IP number date to generate an infinite number of email addresses)
A more advanced method would probably hash the IP with the date in a non-obvious way, but it'd have to be a one-to-one mapping of IPs at least and a two-way hash to retrieve the IP number.
Even storing the IP number as the apache-log line (if that's possible) would work, but real addresses would always work bett
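The "non-obvious" encoding asked for above, as an added example (not code from the thread or from the linked article): the bait address carries the fetching IPv4 host and the minute of access in base 36, like the base36 PHP posted elsewhere in the thread, plus a short HMAC tag under a server-side key, so a harvester that strips or increments the encoded fields produces addresses the decoder rejects instead of an infinite supply of valid-looking ones. The key, the bait domain and the sample time are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Hypothetical key: keep it out of the served page and rotate it if it leaks.
SECRET_KEY = b"constructed-example-key-change-me"
BAIT_DOMAIN = "example.com"   # bait domain, as in the thread's one-liner
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
TAG_DIGITS = 6                # base-36 digits of the keyed tag kept in the address

# Constructed sample access time used by the test below.
SAMPLE_TIME = datetime(2003, 6, 22, 14, 30, tzinfo=timezone.utc)


def to_base36(n: int) -> str:
    """Write a non-negative integer in base 36 (digits, then lowercase letters)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def keyed_tag(payload: str) -> str:
    """Short HMAC-SHA256 tag over the payload: only the key holder can mint addresses."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return to_base36(int.from_bytes(mac[:8], "big"))[:TAG_DIGITS]


def bait_address(client_ip: str, when: datetime) -> str:
    """Bait address encoding the fetching IPv4 host and the minute of access."""
    ip_int = int(ipaddress.IPv4Address(client_ip))
    minute = int(when.timestamp()) // 60      # minute resolution is enough to find the log line
    payload = f"{to_base36(ip_int)}.{to_base36(minute)}"
    return f"bait.{payload}.{keyed_tag(payload)}@{BAIT_DOMAIN}"


def decode_bait(address: str):
    """Recover (ip, access_time) from a genuine bait address, or None when the
    address is not ours or its tag fails (mangled, forged or enumerated)."""
    local, _, domain = address.lower().partition("@")   # mail software may change case
    parts = local.split(".")
    if domain != BAIT_DOMAIN or len(parts) != 4 or parts[0] != "bait":
        return None
    _, ip36, minute36, tag = parts
    payload = f"{ip36}.{minute36}"
    if not hmac.compare_digest(keyed_tag(payload).encode(), tag.encode()):
        return None
    try:
        ip = str(ipaddress.IPv4Address(int(ip36, 36)))
        when = datetime.fromtimestamp(int(minute36, 36) * 60, tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None
    return ip, when
```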
Re:Easily defeated (Score:3, Informative)
Their robots tried to crawl those domains - they kept on querying my DNS servers for about 10 minutes straight even though there was no record for that domain on my DNS
Not that easily defeated (Score:2)
The downside is 2 selects and an insert on a DB for every page, but most sites are database-driven now anyway, and those that aren't probably don't care about the delay...
As for getting the spammers not the harvesters,
The PHP can be a bit more efficient (Score:2, Informative)
<a href="mailto:<?php echo $_SERVER['REMOTE_ADDR'],'_on_',date('y_m_j_Gi'),'@example.com' ?>">
(Slashdot adds an extra space before example.com)
Re:fighting spam (Score:2)
I guess you have already blocked me then, even though I've never sent spam. Someone else however has sent SPAM using my name, something I don't find out about until I get bounce messages. I know that I'm not the only person to be a victim of this.
Re:fighting spam (Score:3, Interesting)
Generally blocking is done by IP address, not email address. So when the OP receives a spam addressed to blockme, I assume his software adds the source IP address the email came from to his blocklist. So you are not blocked.
You can do the same with a lot of addresses (Score:5, Informative)
For example wheany+sd@iki.fi, wheany+SpamTastesGood@iki.fi, wheany+glahglahglag@iki.fi, wheany+spammer.com_on_06_22_2003@iki.fi all go to the same mailbox.
Re:You can do the same with a lot of addresses (Score:3, Informative)
A startling number of sites (eBay is one, or was last I checked) refuse addresses formatted like this. Sanity-checking run amok, I assume. I've occasionally emailed site admins to point out that they're rejecting RFC-valid addresses, and the answer is invariably "Just set up a throwaway yahoo account to register then."
(My answer to *that* is invariably "Your site's not worth the trouble.")
Re:You can do the same with a lot of addresses (Score:2)
I could have a filter that puts any mails coming to the plain address straight to the trash, since I have not used the untagged address (nearly) anywhere.
In addition to that, while the iki.fi server uses "+" as a separator, some servers could use a "-" or any other character as the s
Giving credit where it is due... (Score:5, Informative)
How Cheese Man got mixed up is beyond me, as comment by George A. Theall is clearly displayed at the bottom of the comment.
I love this whole discussion. (Score:2)
I just wish someone would invent a way that sends a 100,000 volt/amp jolt back to the spammers so that all that's left to be found is a pile of smoking ashes where they were sitting when they went to check their in box...
harvesters (Score:2)
If I ever turn to the dark side and support spam, I'll have to modify my email harvester to discard those. I actually only spent a few hours working on it, but it overcomes some email protection techniques by using a real browser to load the pages (minus images & such), allowing any email descrambling scripts to run. A way to improve it might be to have it "click" all the javascript links on the page, catching attempts to browse to an email link but not actually allowing the browser
What About Open Proxies? (Score:3, Insightful)
So what happens under this scheme when a harvester bounces all their page requests through an open proxy? Does the recorded IP address mis-identify the proxy as the harvester?
I have Zope running on an unpublished IP address and port on one of my machines. About once a day, someone tries to reflect a connection through it, like so:
66.118.187.8 - Anonymous [30/May/2003:09:10:05 -0700] "CONNECT 64.12.136.89:25 HTTP/1.0" 404 264 "" ""
Apparently there are enough mis-configured Web proxies out there (like older RedHats running Squid) to make this type of probing worthwhile. Does this honeypot account for this?
Schwab
PHP base36 encoding of IP addy - better stealth (Score:2)
// spam bait with host signature by sonny w.
// use freely
// this creates dummy email address with IP
// of email harvester, but it is less obvious
// than some examples posted earlier.
define("_SPAM_SIGNATURE", "goatse");
define("_MAIL_HOST", "mydomain.com");
define("_SPAM_OFFSET", 131435);
function SpamCode($IPquad)
{
    // preg_match() replaces ereg(), which is gone from current PHP; the stray
    // spaces Slashdot inserted into the original pattern are dropped
    if (preg_match('/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/', $IPquad, $result)) {
        // the rest of the body was cut off in the post; reconstructed from its
        // description: pack the quad into one integer, add the offset, write it in base 36
        $MyInt  = ($result[1] << 24) | ($result[2] << 16) | ($result[3] << 8) | $result[4];
        $MyCode = base_convert((string)($MyInt + _SPAM_OFFSET), 10, 36);
        return _SPAM_SIGNATURE . $MyCode . '@' . _MAIL_HOST;
    }
    // input that is not a dotted quad (e.g. IPv6): fall back to a plain bait address
    return _SPAM_SIGNATURE . '@' . _MAIL_HOST;
}
Re:Brainstorm - don't post your email on your webs (Score:2)
Or just post your email address as a .jpg?
That's what I've done on websites I've built in the past... or at least that's what I'm saying NOW :D
Yeah, so? (Score:2)
Ya know what I've found? The harvester bots are almost all running on cable modems. They use them for a while, then throw them away. And they rarely, very rarely, send spam from the same host that's out harvesting. In my experience, the harve
Not Mark (Score:3, Insightful)
No he doesn't, George A. Theall does, in a comment attached to an article by Mark.