Is there a possibility to set up certain addresses as honeypots in EFA / MailScanner,
thus auto-learning/submitting every mail sent to the honeypot address as spam?
honeypot
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: honeypot
That's an interesting idea. The problem is that you don't want to assume that every email sent to a honeypot is spam, because some of it may not be. So I am not sure how this would work.
SpamAssassin has an auto-learn feature already built in, though.
Re: honeypot
shawniverson wrote: That's an interesting idea. The problem is that you don't want to assume that every email sent to a honeypot is spam, because some of it may not be. So I am not sure how this would work. SpamAssassin has an auto-learn feature already built in, though.
Well, I have certain addresses that only receive spam, and in fact have never been used, so in those cases I am very sure about the emails being spam.
- Posts: 8
- Joined: 06 May 2014 21:33
Re: honeypot
Same here. I had a system set up on my previous mail environment so that any email to, let's say, "12345@domain.tld" would be spam. I did not hand this email address out, but did put it on a few web pages, in the code or on the page with a comment that any email to this address would get your mail server on a spam list. Waited a month, and spam galore to that address. I would like to continue to do this as it was effective. Also, I run wildcards on some domains and they get spam to random addresses. I swear someone is taking partial MAC addresses and using them as email addresses.
Any workaround for now that won't get blown away in an update to EFA would be great. A future addition would be even better!
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: honeypot
It might be possible to route a message to a specific destination address and feed it to sa-learn. I'll need to play with this a little bit...
- Posts: 8
- Joined: 06 May 2014 21:33
Re: honeypot
shawniverson wrote: It might be possible to route a message to a specific destination address and feed it to sa-learn. I'll need to play with this a little bit...
That would be awesome!
- Posts: 8
- Joined: 06 May 2014 21:33
Re: honeypot
operator207 wrote: That would be awesome!
shawniverson wrote: It might be possible to route a message to a specific destination address and feed it to sa-learn. I'll need to play with this a little bit...
So I thought I would see if I could scrape something together and started looking around (no need to reinvent the wheel). I found this: https://wiki.apache.org/spamassassin/RemoteImapFolder
It referenced http://www.rogerbinns.com/isbg/, which does not exist.
Dropped to http://www.rogerbinns.com/ and found a link to here: https://github.com/ook/isbg/wiki, which exists.
It links to http://redmine.ookook.fr/projects/isbg/wiki, but that does not come up.
This: http://www.stearns.org/doc/spamassassin ... .html#isbg is also referenced, but does not have any new links to get this script.
Unfortunately, I couldn't find the actual script (http://www.rogerbinns.com/isbg/isbg.py) anywhere.
http://web.archive.org to the rescue! http://web.archive.org/web/200905171302 ... bg/isbg.py
So, create a mailbox on your storage server (that has IMAP running, of course), set up all your honeypot email addresses to dump to one address, then set up this script on your EFA box, point it to the honeypot folder and run it as a cron job. Once a day would probably be OK. Sound sane? While I am not saying this script should be used (I have not gone through it, and from the dates in it, it was last touched in 2003 and last hosted in 2009, so it may be riddled with security holes), I think something like this would be awesome to have. Most storage servers will be running IMAP or could run IMAP for something like this.
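The two ideas above (shawniverson's "route the message to a destination address and feed it to sa-learn" and operator207's "collect the honeypot addresses in one IMAP folder and learn from it on a cron job") come down to the same loop, shown here as an added example written for this thread. It is not EFA/MailScanner code and not the isbg script. It assumes an IMAP server reachable from the EFA box, a folder that receives only honeypot deliveries, and sa-learn on PATH; every hostname, address and credential is illustrative, and the two sample messages are constructed, not real captures. The one check worth keeping, given shawniverson's objection that not everything in a trap mailbox is necessarily spam, is that a message is only learned if its To/Cc/delivery headers actually name a honeypot address, so a misrouted or forwarded message does not poison the Bayes database.

```python
"""Learn honeypot mail as spam: pull it from an IMAP folder, sanity-check the
recipient, and pipe each message into sa-learn.

Added example for this forum thread; not EFA/MailScanner code and not isbg.
Assumed: an IMAP server, a folder holding only honeypot deliveries, sa-learn
on PATH. All names, addresses and credentials below are illustrative.
"""
import email
import imaplib
import subprocess
from email import policy
from email.utils import getaddresses

# Constructed list of trap addresses; in practice read it from a file.
HONEYPOT_ADDRESSES = {"12345@example.com", "trap@example.com"}

# Constructed sample messages (not real captures) so the module runs offline.
SAMPLE_SPAM = (b"From: buyer@spammer.example\r\nTo: Trap <12345@Example.com>\r\n"
               b"Subject: cheap watches\r\n\r\nclick here\r\n")
SAMPLE_HAM = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: lunch\r\n\r\nnoon?\r\n")


def recipients(raw_message):
    """Lower-cased addresses taken from the To, Cc and delivery headers."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    values = []
    for name in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def is_honeypot_delivery(raw_message, honeypots=HONEYPOT_ADDRESSES):
    """True only if the message was actually addressed to a trap address.
    Mail that lands in the folder any other way (misrouting, a forward, a
    reply-all that copied the trap) would otherwise be learned as spam and
    poison the Bayes database."""
    return bool(recipients(raw_message) & {h.lower() for h in honeypots})


def sa_learn_spam(raw_message):
    """Feed one message to sa-learn on stdin; True if it was accepted."""
    proc = subprocess.run(["sa-learn", "--spam", "--single", "--no-sync"],
                          input=raw_message, capture_output=True, check=False)
    return proc.returncode == 0


def learn_spam(messages, learner=sa_learn_spam, honeypots=HONEYPOT_ADDRESSES):
    """Run every message through the recipient check and the learner.
    Returns (learned, skipped)."""
    learned = skipped = 0
    for raw in messages:
        if is_honeypot_delivery(raw, honeypots) and learner(raw):
            learned += 1
        else:
            skipped += 1
    return learned, skipped


def fetch_unseen(host, user, password, folder="Honeypot"):
    """Yield raw UNSEEN messages from the folder, marking each as seen so the
    next cron run does not learn it again."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(folder)
        _, data = conn.search(None, "UNSEEN")
        for num in data[0].split():
            _, parts = conn.fetch(num, "(RFC822)")
            yield parts[0][1]
            conn.store(num, "+FLAGS", "\\Seen")


if __name__ == "__main__":
    # Offline dry run on the constructed samples. The cron version would be
    #   learn_spam(fetch_unseen("imap.example.com", "honeypot", "secret"))
    # followed by subprocess.run(["sa-learn", "--sync"]) to flush the journal.
    result = learn_spam([SAMPLE_SPAM, SAMPLE_HAM],
                        learner=lambda m: print("would learn:", m[:40]) or True)
    print("learned, skipped =", result)
```

Run it from cron as the user whose Bayes database MailScanner's SpamAssassin actually uses, otherwise the tokens go into a database the filter never reads; `--no-sync` per message plus one `sa-learn --sync` at the end keeps a large batch from rewriting the database on every message.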
Re: honeypot
Guys,
we are planning to implement the following scenario and would post it here afterwards; what do you say:
* we are writing a small script which reads a text file with honeypot email addresses
* this script, via cron, will create SpamAssassin rules on a periodic basis
* so mails to these honeypot addresses will get fetched and flagged by MailScanner
* with another cron we will fetch those flagged mails from MySQL and push those mails into a little Node application on the EFA server
* now we are doing content analysis (subject, URLs within body) and writing SpamAssassin rules with those combinations
We think this would be the best approach to implement a honeypot within EFA. Any other suggestions? Anybody good at content analysis who may help out creating a good logic to minimize false positives?
best regards
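The first two steps of the plan above (a script that reads a honeypot address list and periodically emits SpamAssassin rules so MailScanner flags mail to those addresses) look like the following, as an added example written for this thread rather than the poster's script. It assumes a text file with one address per line (`#` starts a comment) and writes a `.cf` fragment for a SpamAssassin rules directory; all addresses, scores and rule names are illustrative. It goes slightly beyond the plan by accepting `*@domain` entries for the wildcard domains mentioned earlier in the thread, and it anchors each address so that `x12345@domain.tld` or `12345@domain.tld.evil` do not match.

```python
"""Generate SpamAssassin header rules from a honeypot address list.

Added example for this forum thread, not the poster's script. Assumes a text
file of addresses (one per line, '#' comments, '*@domain' for a wildcard
domain) and outputs a .cf fragment. Names and scores are illustrative.
"""
import re

RULE_SCORE = 5.0  # constructed choice; tune against your spam threshold


def read_honeypot_addresses(text):
    """Parse the list: lower-case, strip comments, drop blanks and duplicates."""
    seen = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line and line not in seen:
            seen.append(line)
    return seen


def rule_name(addr, index):
    """SpamAssassin rule names may only contain [A-Za-z0-9_]."""
    token = re.sub(r"[^A-Z0-9]+", "_", addr.upper()).strip("_")[:24]
    return f"HONEYPOT_{index}_{token}"


def honeypot_regex(addr):
    """Match the address as a whole token inside the header value, so a trap
    like 12345@domain.tld does not also hit x12345@domain.tld or
    12345@domain.tld.evil. '*@domain' matches any local part at that domain."""
    if addr.startswith("*@"):
        core = r"[^\s,<>@]+@" + re.escape(addr[2:])
    else:
        core = re.escape(addr)
    return r"/(?:^|[\s,<])" + core + r"(?:$|[\s,>])/i"


def header_matches(addr, header_value):
    """Self-check with Python's re; the pattern uses syntax shared with Perl."""
    body = honeypot_regex(addr)[1:-2]  # strip the /.../i delimiters
    return re.search(body, header_value, re.IGNORECASE) is not None


def generate_rules(addresses, score=RULE_SCORE):
    """Return .cf text: a near-zero header rule per address on the ToCc
    pseudo-header, combined by one meta rule that carries the real score."""
    lines = ["# generated honeypot rules; regenerated by cron, do not edit"]
    names = []
    for i, addr in enumerate(addresses, 1):
        name = rule_name(addr, i)
        names.append(name)
        lines.append(f"header   {name}  ToCc =~ {honeypot_regex(addr)}")
        lines.append(f"describe {name}  Addressed to honeypot {addr}")
        lines.append(f"score    {name}  0.01")
    if names:
        lines.append("meta     HONEYPOT_ANY  " + " || ".join(names))
        lines.append("describe HONEYPOT_ANY  Mail addressed to a honeypot address")
        lines.append(f"score    HONEYPOT_ANY  {score}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed list standing in for the text file the cron job would read.
    sample_list = "12345@Example.com\n# old trap\n12345@example.com\n*@trap.example\n"
    print(generate_rules(read_honeypot_addresses(sample_list)), end="")
```

The per-address rules score 0.01 so they show up in the report headers without adding up, and only the meta rule carries weight; keeping that score below the kill threshold, as the next reply in this thread suggests, leaves room for the occasional legitimate reply-all that copies a trap address. After writing the fragment, run `spamassassin --lint` before MailScanner reloads, since one bad address turns into a rule file that SpamAssassin rejects as a whole.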
Re: honeypot
Putting the spam mails directly into SpamAssassin is of course the best option. It will be learned as spam as soon as it arrives. Will work great when you get a spam bomb. But how do you want to create SpamAssassin rules? You still have to do that by hand, or use very low scores to be sure it won't hit ham.
Re: honeypot
Sorry, I did not have notifications on here...
What do you mean, how? We would try to write custom rules on the basis of the content we get. Or did I get you wrong?