 Stop Spam Harvesters, add a Honey Pot to your site |
|
|
|
|
  |
 Dec 29 2004, 10:55 AM
Post
#11
|
|
|
Member [ Level 1 ]  Group: Members Posts: 34 Joined: 12-December 04 Member No.: 1,718  |
Interesting project. I think I will start using it. I hope they find a way to detect situations where spammers hijack an IP to use for harvesting and/or spamming
|
 |
 
|
|
Dec 29 2004, 02:44 PM
Post
#12
|
|
|
To Err Is Human, To Forgive Divine Group: Members Posts: 558 Joined: 24-December 04 From: http://www.ultimatekayakfishing.com/ Member No.: 1,871 |
QUOTE(Dizasta @ Dec 29 2004, 05:55 AM) Interesting project. I think I will start using it. I hope they find a way to detect situations where spammers hijack an IP to use for harvesting and/or spamming  There is a way to detect situations like that. It's used by a lot of companies with their own email servers and it's used by some ISPs (or they use their own version). Emails contain headers - wow what a revelation -  when you read the headers you can find the IP address the spammer used to mail the spam. Do a Google on DNSbl and you will get about 336,000 hits. Up close to the top are "Spam and Open Relay Blocking System (SORBS)" and DNS Providers Blacklist (DNS-bl). Here you can learn about what is done to prevent realys and open proxies. At SORBS you can submit an IP address for testing, to do this you have to sign up and get a user name. At the DNS-bl you can't submit entries unless you are:QUOTE To contribute to the DNS-bl you must be one of the following: * a commercial DNS provider * a free DNS provider * a dynamic DNS provider * a URL or email forwarder * any other entity that provides DNS to a large number of third party domains If you get a lot of spam and you have looked at a way of reporting this, try spamcop.net and sign up for a free reporting account. spamcop.com is a commercial site dedicated to fight spam. Both place you can submit a email (full headers and body) and they will parse the email for you give you the mail addresses to send a complaint. As a member (spamcop.net) you can submit spam by email and then send the report directly from the parser. Nils |
|
|
|
|
Dec 30 2004, 03:19 AM
Post
#13
|
|
|
Member [ Level 1 ] Group: Members Posts: 34 Joined: 12-December 04 Member No.: 1,718 |
QUOTE(NilsC @ Dec 29 2004, 06:44 AM) There is a way to detect situations like that. It's used by a lot of companies with their own email servers and it's used by some ISPs (or they use their own version). Emails contain headers - wow what a revelation - when you read the headers you can find the IP address the spammer used to mail the spam. ...Nils I know email headers hold sender IP details, what I meant is that there is a need for a technology that can distinguish between offending IP addresses and victimised IP addresses that are used to spam. Right now, I can't think of any such approach which would not involve the collective effort of everyone whose IP address could potentially be hijacked. At the moment, the only way to verify that an IP address has been hijacked is to ask innocent people who see their IP addresses listed as suspected offenders to report their innocence and that is not enough because under the right conditions an offender can plead innocence too. Honeypot is a great project idea and so far looks very promising but they need to focus on closing all loopholes |
|
|
|
|
Dec 30 2004, 03:13 PM
Post
#14
|
|
|
To Err Is Human, To Forgive Divine Group: Members Posts: 558 Joined: 24-December 04 From: http://www.ultimatekayakfishing.com/ Member No.: 1,871 |
QUOTE(Hercco @ Dec 29 2004, 04:05 AM) Very interesting project. I joined and am now scattering the links all over my site. The idea is great and it's really easy to participate and it doesn't take webspace nor bandwidth much. It takes a little space, but the spam bots are using bandwidth anyway crawling your pages so why not give them a little poison pill. Welcome to the project (btw I'm just a member I don't work there but I laud the effort) QUOTE(Dizasta @ Dec 29 2004, 10:19 PM) I know email headers hold sender IP details, what I meant is that there is a need for a technology that can distinguish between offending IP addresses and victimised IP addresses that are used to spam. Right now, I can't think of any such approach which would not involve the collective effort of everyone whose IP address could potentially be hijacked. At the moment, the only way to verify that an IP address has been hijacked is to ask innocent people who see their IP addresses listed as suspected offenders to report their innocence and that is not enough because under the right conditions an offender can plead innocence too. Honeypot is a great project idea and so far looks very promising but they need to focus on closing all loopholes Guess I didn't read your post correctly, sorry about that. I use different techniques to distinguish between offending and victimized IP addresses used to spam. To me victimized computers sending spam is 'still' offending me.  As for offending IP addresses I see that the trend are going more and more to using 'Hijacked" home computers that are configured wrong and can be used as open proxies. I use the block lists. They have different criteria and are not blocking just known spam sources. I block whole country zones and for USA I block any CIDR /24 or /32 that are marked as "dynamic" by the ISP. A dynamic IP address should not be used to send mail, if you have to send mail from a dynamic address use your ISP server. I block /24 and /32 from known spammers. There are lists out there listing hijacked IP ranges, open form mail servers in china. The text inside the code box is injected into the email header when a email fails. If the email fails with only one "RBL" only 5 points are added, if it fails with 2 the points added are multiplied by times failed and if the number is to high the message are either rejected or placed in a 'spam review' folder for review. If the X-lookup does not match the IP it's a no go. CODE X-RBL-Warning: mail from 61.11.98.164 refused by DSBL, see http://dsbl.org mail from 61.11.98.164 refused by CBL, see http://rcbl.abuseat.org mail from 61.11.98.164 refused by Blitzed Open Proxy Monitor List, see http://opm.blitzed.org mail from 61.11.98.164 is refused by SpamHaus, see http://cbl.abuseat.org/lookup.cgi?ip=61.11.98.164&.submit=Lookup mail 61.11.98.164 refused by spamcop.net, see http://www.spamcop.net/bl.shtml?61.11.98.164 X-Lookup-Warning: MAIL lookup on nrhcwkyynt@medun.acad.bg does not match 61.11.98.164 Nils |
|
|
|
|
Feb 21 2005, 08:59 PM
Post
#15
|
|
|
To Err Is Human, To Forgive Divine Group: Members Posts: 558 Joined: 24-December 04 From: http://www.ultimatekayakfishing.com/ Member No.: 1,871 |
A little update on the Honeypot project!
One of my spamtrap MX addresses had it's first confirmed spam harvester. This is one of 5 MX addresses that I have supplied to the project. The MX records go onto other users websites if they would like to host a spamtrap but don't have spare MX records to use. So far over 69,000 Honey Pot Addresses Issued. This sounds like a lot, it's not. What is needed are more websites incorporating the Honeypots on their websites. I's not adding any overhead, just a little disk-space. The spam harvesters come anyway and they do not obey the robots.txt or metatags that you have. Identified spam harvester - Malaysia Look at the Honeypot website to see if this is something you can participate in. Click my sigfile to read up on Honeypots Nils |
|
|
|
|
Mar 8 2005, 03:42 PM
Post
#16
|
|
|
Newbie [ Level 2 ] Group: Members Posts: 10 Joined: 7-March 05 Member No.: 2,946 |
I just signed up, it's a fabulous idea!
|
|
|
|
|
Mar 8 2005, 06:15 PM
Post
#17
|
|
|
Teh Teckeh Trekkeh Group: Members Posts: 682 Joined: 8-September 04 From: Scotland, UK Member No.: 389 |
Can you explain how it works, Im still confused after reading there site, its not too clear, also explain if I have to do anything. Ive registered but need to know more and its site seems confusing.
|
|
|
|
|
Mar 8 2005, 08:00 PM
Post
#18
|
|
|
To Err Is Human, To Forgive Divine Group: Members Posts: 558 Joined: 24-December 04 From: http://www.ultimatekayakfishing.com/ Member No.: 1,871 |
They create a php page for you that you add to your website. It's not visible to humans and it have warnings in cleartex in case a user uses page source to get to the page, that is where all the legalese is that makes it legal
On this page there is a email address that changes everytime a spider / bot collects it. The IP and other data are recorded in a database and if the email is used there will be a record of where and when it was collected. Since it's illegal to collect email addresses in a lot of places you can use CODE <meta name="no-email-collection" value="[link to your terms]" /> the no collect meta tag and link to your TOS, place it on all your webpages that way good bot's stay away from the pages. A php script is created for you and you just have to upload it onto the server and place links to it on your webpages. Instructions come with it. The honeypot does the rest, you will have email addresses that are automaticly updated and tracked by the projects servers. Here is a link to the example honeypot http://www.projecthoneypot.org/honey_pot_example.php Nils |
|
|
|
|
Apr 14 2005, 12:52 AM
Post
#19
|
|
|
Member [ Level 2 ] Group: Members Posts: 62 Joined: 13-April 05 Member No.: 3,958 |
QUOTE(NilsC @ Dec 25 2004, 12:09 AM) A way to stop spam are identifying the top spam harvesters, and shut them down before they reach your mailbox. The time you get spam at a new email address can vary. If you never give out the address on the Internet and the address are not just a first or a last name you may not see spam for years. If you create a website and put your email address anywhere on the page, eventually it will be harvested by a spam bot. Munging the address may help, same if you use ASCII characters that will prevent harvesting for a while. A lot of the block lists used by email providers come from users reporting spam and email hitting spam traps. Project Honey Pot are going one step further by identifying the spam harvesters and bot / spiders they use to crawl over your web-space using your bandwidth stealing your email addresses. This is achieved by handing out a unique email address to every hit on your spam-trap. If a bot follows the link to the honey pot and harvests the address it will be logged. When an email hits that particular email box a spam harvester are identified. It’s a few different ways we can help stop the harvesters and help reduce spam. You can host a honey pot on your website or if that is impossible (like it is for me at the present time) you can put a link to the Project Honey Pots website and help educate others. The last way to help is donating MX addresses to the project. The more MX addresses they have the more variety of spam-traps can be created. If you have a domain name that you are not using donate up to 5 MX records for each domain name. To learn more about the project go to  . Stop Spam Harvesters, Join Project Honey PotI’m using the button on company web pages and will add a honey pot as soon as an “.asp” script are ready. I have an average of 5000 to 10000 spam per day hitting a email server with less than 200 users. The 50 to 250 that slip through the filters and spam assassin I report. Nils To those confused, I think this is what the system does: There are programs that go to random websites and pick out email addresses. The honeybot code apparently gets the address of the company that is trying to snag email addresses in order to spam unsuspecting people. The honeybot reports these addresses in order to stop the companies from doing this. I hate spam. I get at least twenty spam messages every few hours, and it is very annoying and it slows down production. I think that this is an ingenious way to fight spam! |
|
|
|
|
Aug 30 2005, 06:41 PM
Post
#20
|
|
|
Newbie [ Level 2 ] Group: Members Posts: 11 Joined: 30-August 05 Member No.: 8,194 |
hhmp.. great idea... once I've got my domain set up... I'll sign up to this program!
|
|
|
|
|
Similar Topics
|
Lo-Fi Version | Time is now: 3rd December 2008 - 08:44 PM |