honeypot

General eFa discussion
Antiloop
Posts: 11
Joined: 20 Mar 2014 13:03

honeypot

Post by Antiloop » 20 Mar 2014 14:24

Is there a possibility to set up certain addresses as honeypots in EFA / MailScanner?

That is, auto-learning/submitting every mail sent to the honeypot address as spam.

shawniverson
Posts: 2821
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: honeypot

Post by shawniverson » 20 Mar 2014 22:06

That's an interesting idea. The problem is that you don't want to assume that every email sent to a honeypot is spam, because some of it may not be. So I am not sure how this would work.

SpamAssassin has an auto-learn feature already built in, though.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

Antiloop
Posts: 11
Joined: 20 Mar 2014 13:03

Re: honeypot

Post by Antiloop » 22 Mar 2014 00:07

shawniverson wrote:
> That's an interesting idea. The problem is that you don't want to assume that every email sent to a honeypot is spam, because some of it may not be. So I am not sure how this would work.
>
> SpamAssassin has an auto-learn feature already built in, though.

Well, I have certain addresses that only receive spam and in fact have never been used, so in those cases I am very sure about the emails being spam.

operator207
Posts: 8
Joined: 06 May 2014 21:33

Re: honeypot

Post by operator207 » 11 Jul 2014 13:02

Same here. I had a system set up in my previous mail environment where any email to, let's say, "12345@domain.tld" would be spam. I did not hand this email address out, but did put it on a few web pages, in the code or on the page, with a comment that any email to this address would get your mail server on a spam list. Waited a month, and spam galore to that address. I would like to continue to do this as it was effective. Also, I run wildcards on some domains and they get spam to random addresses. I swear someone is taking partial MAC addresses and using them as email addresses. :)

Any work around for now that won't get blown away in an update to EFA would be great. A future addition would be even better!

shawniverson
Posts: 2821
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: honeypot

Post by shawniverson » 13 Jul 2014 19:29

It might be possible to route a message to a specific destination address and feed it to sa-learn. I'll need to play with this a little bit...

operator207
Posts: 8
Joined: 06 May 2014 21:33

Re: honeypot

Post by operator207 » 19 Jul 2014 16:22

shawniverson wrote:
> It might be possible to route a message to a specific destination address and feed it to sa-learn. I'll need to play with this a little bit...

That would be awesome!

operator207
Posts: 8
Joined: 06 May 2014 21:33

Re: honeypot

Post by operator207 » 31 Jul 2014 01:58

operator207 wrote:
> shawniverson wrote:
> > It might be possible to route a message to a specific destination address and feed it to sa-learn. I'll need to play with this a little bit...
>
> That would be awesome!

So thought I would see if I could scrape something together and started looking around. (no need to reinvent the wheel) I found this: https://wiki.apache.org/spamassassin/RemoteImapFolder
It referenced: http://www.rogerbinns.com/isbg/ which does not exist.
Dropped to http://www.rogerbinns.com/ and found a link to here: https://github.com/ook/isbg/wiki which exists.
It links to: http://redmine.ookook.fr/projects/isbg/wiki but does not come up.
This: http://www.stearns.org/doc/spamassassin ... .html#isbg is also referenced, but does not have any new links to get this script.

Unfortunately, I couldn't find the actual script. (http://www.rogerbinns.com/isbg/isbg.py) anywhere.

http://web.archive.org to the rescue! http://web.archive.org/web/200905171302 ... bg/isbg.py

:dance:

So, create a mailbox on your storage server (that has IMAP running, of course), set up all your honeypot email addresses to dump into one address, then set up this script on your EFA box, point it at the honeypot folder and run it as a cron job. Once a day would probably be OK. Sound sane? While I am not saying this script should be used (I have not gone through it, and from the dates in it, it was last touched in 2003 and last hosted in 2009, so it may be riddled with security holes), I think something like this would be awesome to have. Most storage servers will be running IMAP, or could run IMAP for something like this.
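The workflow operator207 describes (trap addresses forwarded into one IMAP mailbox, a cron job on the eFa box that pulls the folder and feeds each message to sa-learn) as an added example. This is not eFa, MailScanner or isbg code. It assumes an IMAP server reachable over TLS, that sa-learn is on the PATH of the account the cron job runs as (so it trains the Bayes database eFa actually uses), and a trap-address list and sample messages that are constructed for the example. The check in `learn_spam` is the caveat shawniverson raised: only mail that was really addressed to a trap is learned, so a stray forward or test message dropped into the folder does not get taught as spam.

```python
#!/usr/bin/env python3
"""Cron job: learn honeypot mail from an IMAP folder into SpamAssassin's Bayes DB.

Added example for this thread; it is not eFa, MailScanner or isbg code.
Assumptions: every honeypot address is forwarded into one IMAP mailbox,
and sa-learn is on the PATH of the account that should own the Bayes DB.
"""
import email
import email.policy
import email.utils
import imaplib
import os
import subprocess
import sys

# Trap addresses: constructed for the example, replace with your own list.
HONEYPOTS = {"12345@domain.tld", "trap@example.org"}

# sa-learn reads a single message from stdin when no file is given.
# --no-sync defers the journal sync; SA_LEARN_SYNC runs once at the end.
SA_LEARN_SPAM = ["sa-learn", "--spam", "--no-sync"]
SA_LEARN_SYNC = ["sa-learn", "--sync"]

# Constructed sample messages (not real captures). The trap hit arrives via
# Bcc, so the trap address is only visible in the Delivered-To header.
SAMPLE_TRAP = (
    b"Delivered-To: 12345@domain.tld\r\n"
    b"From: Deals <promo@spammer.invalid>\r\n"
    b"To: undisclosed-recipients:;\r\n"
    b"Subject: CHEAP PILLS\r\n\r\n"
    b"Buy now\r\n"
)
SAMPLE_HAM = (
    b"Delivered-To: alice@domain.tld\r\n"
    b"From: bob@example.org\r\n"
    b"To: Alice <alice@domain.tld>\r\n"
    b"Subject: lunch\r\n\r\n"
    b"See you at 12.\r\n"
)


def recipient_addresses(raw):
    """Lower-cased addresses from To/Cc plus the delivery headers the MTA adds.

    Delivered-To / X-Original-To matter: a trap hit via Bcc never shows up in
    To or Cc, so a header-only check would silently miss it.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = set()
    for hdr in ("to", "cc", "delivered-to", "x-original-to"):
        values = [str(v) for v in msg.get_all(hdr, [])]
        for _name, addr in email.utils.getaddresses(values):
            if addr:
                found.add(addr.lower())
    return found


def is_honeypot_hit(raw, honeypots=HONEYPOTS):
    """True if at least one recipient of the message is a honeypot address."""
    return bool(recipient_addresses(raw) & {h.lower() for h in honeypots})


def learn_spam(raw, honeypots=HONEYPOTS, run=subprocess.run):
    """Feed the message to sa-learn --spam if it hit a trap; return whether it did.

    Mail in the folder without a trap recipient (a forward, a test message)
    is skipped instead of being taught to Bayes as spam. `run` is injectable
    so the decision logic can be exercised without sa-learn installed.
    """
    if not is_honeypot_hit(raw, honeypots):
        return False
    run(SA_LEARN_SPAM, input=raw, check=True, capture_output=True)
    return True


def learn_from_imap(host, user, password, folder="INBOX", honeypots=HONEYPOTS):
    """Learn every trap message in the folder, delete the learned ones, sync once."""
    learned = 0
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        imap.select(folder)
        _typ, data = imap.search(None, "ALL")
        for num in data[0].split():
            _typ, parts = imap.fetch(num, "(RFC822)")
            if learn_spam(parts[0][1], honeypots):
                imap.store(num, "+FLAGS", "\\Deleted")
                learned += 1
        imap.expunge()
    if learned:
        subprocess.run(SA_LEARN_SYNC, check=True, capture_output=True)
    return learned


def main(argv):
    # Password comes from the environment so it is not visible in `ps`.
    if len(argv) not in (3, 4) or "HONEYPOT_IMAP_PASSWORD" not in os.environ:
        print("usage: HONEYPOT_IMAP_PASSWORD=... honeypot_learn.py HOST USER [FOLDER]",
              file=sys.stderr)
        return 2
    folder = argv[3] if len(argv) == 4 else "INBOX"
    n = learn_from_imap(argv[1], argv[2], os.environ["HONEYPOT_IMAP_PASSWORD"], folder)
    print(f"learned {n} honeypot message(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron as the user whose Bayes database MailScanner reads, or the learning lands in the wrong place; that user and path depend on how eFa was set up and are not assumed here. Messages that are not trap hits are left in the folder for a human to look at rather than deleted.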

onestone
Posts: 9
Joined: 24 Oct 2016 20:35

Re: honeypot

Post by onestone » 13 Apr 2017 14:53

Guys,

we are planning to implement the following scenario and would post it here afterwards, what do ya say:

* we are writing a small script which reads a text file with honeypot email addresses
* this script, via cron, will create SpamAssassin rules on a periodic basis
* so mails to these honeypot addresses will get fetched and flagged by MailScanner
* with another cron we will fetch those flagged mails from MySQL and push those mails into a little node application on the eFa server
* now we are doing content analysis (subject, URLs within body) and writing SpamAssassin rules with those combinations

We think this would be the best approach to implement a honeypot within eFa. Any other suggestions? Anybody good at content analysis who may help out creating a good logic to minimize false positives?

best regards
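The first two steps of onestone's plan (a text file of trap addresses, turned into SpamAssassin rules by a periodic script) as an added example; it is not eFa code and not onestone's script. The input and output paths are assumptions, and the rule syntax used (`header` rules on SpamAssassin's `ToCc` pseudo-header, hidden `__` sub-rules, one `meta` rule that carries the score) is standard SpamAssassin configuration. The content-analysis part of the plan is not covered here.

```python
#!/usr/bin/env python3
"""Turn a list of honeypot addresses into a SpamAssassin rule file.

Added example for this thread, not eFa or onestone's code. One address per
line in HONEYPOT_LIST ('#' comments and blank lines ignored); output goes to
HONEYPOT_CF. Both paths are assumptions; adjust them to your installation.
"""
import re
import sys

HONEYPOT_LIST = "/etc/MailScanner/honeypot-addresses.txt"   # assumed path
HONEYPOT_CF = "/etc/mail/spamassassin/honeypot.cf"           # assumed path


def parse_address_list(text):
    """Addresses from the list file: lower-cased, de-duplicated, order kept."""
    seen = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line and "@" in line and line not in seen:
            seen.append(line)
    return seen


def perl_quotemeta(s):
    """Escape like Perl's quotemeta so '.', '@' and '-' are literal in /.../."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", s)


def build_rules(addresses, score=10.0, prefix="HONEYPOT"):
    """Return .cf text: one hidden sub-rule per address plus a single meta rule.

    Sub-rules whose names start with '__' add no score on their own; the meta
    rule fires when any of them matches, so a message that hits several traps
    is still scored once. An empty list yields a file with no rules at all
    (a meta rule with an empty expression would fail `spamassassin --lint`).
    """
    out = ["# generated by honeypot_rules.py - do not edit by hand"]
    names = []
    for i, addr in enumerate(addresses, 1):
        name = f"__{prefix}_{i}"
        names.append(name)
        # ToCc is SpamAssassin's pseudo-header covering both To and Cc.
        out.append(f"header {name} ToCc =~ /\\b{perl_quotemeta(addr)}\\b/i")
    if names:
        out.append(f"meta {prefix}_HIT ({' || '.join(names)})")
        out.append(f"describe {prefix}_HIT Addressed to a honeypot (spamtrap) address")
        out.append(f"score {prefix}_HIT {score:.1f}")
    return "\n".join(out) + "\n"


def main(argv):
    src = argv[1] if len(argv) > 1 else HONEYPOT_LIST
    dst = argv[2] if len(argv) > 2 else HONEYPOT_CF
    with open(src, encoding="utf-8") as fh:
        addresses = parse_address_list(fh.read())
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(build_rules(addresses))
    print(f"wrote {len(addresses)} honeypot rule(s) to {dst}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `spamassassin --lint` after each regeneration and reload MailScanner so the new file is picked up. The header test only sees To and Cc, so trap mail that arrived via Bcc does not match it; that is the gap the earlier IMAP-and-sa-learn approach covers by looking at the delivery headers instead.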

Woger
Posts: 60
Joined: 15 Mar 2017 10:54

Re: honeypot

Post by Woger » 19 Apr 2017 06:40

Putting the spam mails directly into SpamAssassin is of course the best option. It will be learned as spam as soon as it arrives. Will work great when you get a spam bomb. But how do you want to create SpamAssassin rules? You still have to do that by hand, or use very low scores to be sure it won't hit ham.

onestone
Posts: 9
Joined: 24 Oct 2016 20:35

Re: honeypot

Post by onestone » 09 May 2017 04:49

Sorry, I did not have notifications on here...

What do you mean, how? We would try to write custom rules on the basis of the content we get. Or did I get you wrong?
