Using honeypots to catch spammers?

ap44
New user
Posts: 11
Joined: 2018-07-28 13:30
Location: Germany

Using honeypots to catch spammers?

Post by ap44 » 2019-08-30 18:33

I'd like to know what you think about honeypots.
Mail addresses that appear hidden on your websites and are used only by spammers.
If someone writes to the address, the IP is automatically banned.
Do you use such a solution?
Frank
hMailServer-5.7.0-B2485-x64 in productive use
"SENT: Too many invalid commands. Bye!"

palinka
Senior user
Posts: 1107
Joined: 2017-09-12 17:57

Re: Using honeypots to catch spammers?

Post by palinka » 2019-08-30 21:54

ap44 wrote:
2019-08-30 18:33
I'd like to know how you think about honeypots?
Mail addresses that appear hidden on your websites and are used only by spammers.
If someone writes to the address, the IP is automatically banned.
Do you use such a solution? :?:
I'm curious about this too.

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Using honeypots to catch spammers?

Post by RvdH » 2019-08-30 22:49

I have some honeypots/spam traps in place that are automatically reported/contributed to the blocklist.de DNSBL.

A few usage examples
https://www.hmailserver.com/forum/viewt ... 97#p209597

The scripts can easily be adapted for the more traditional honeypots (in OnSMTPData) that you are referring to.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
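The trap-address check ap44 proposes, and which RvdH says belongs in OnSMTPData, written out as an added Python model; this is not RvdH's script and not hMailServer's API (its event handlers are VBScript/JScript), and the function names, trap addresses, relay range and ban list are all constructed here. It also builds in the caveat raised later in the thread about backup MX and incoming relays: a trap hit that arrives through a relay is rejected without banning the relay's IP, since that IP is not the spammer's.

```python
"""Spam-trap (honeypot address) check modelled on an hMailServer-style
OnSMTPData hook. Constructed example: names, addresses and IP ranges are
assumptions, not hMailServer's COM API or anyone's live configuration."""
import ipaddress
import re
import time

# Addresses published only where harvesters look (e.g. hidden in page HTML).
TRAP_ADDRESSES = {"oldcontact@example.com", "sales-archive@example.com"}
# Hosts that legitimately relay to us (backup MX, ISP relays). A trap hit
# arriving via a relay must not ban the relay, or real mail would be lost.
INCOMING_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]
# Address part of "Name <user@host>" or a bare user@host.
_ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>,]+@[^\s<>,]+)")

def envelope_address(recipient):
    """Normalise one recipient string to a lowercase bare address."""
    m = _ADDR_RE.search(recipient)
    if not m:
        return recipient.strip().lower()
    return (m.group(1) or m.group(2)).strip().lower()

def is_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INCOMING_RELAYS)

class TrapBanList:
    """In-memory ban list keyed by client IP, each entry with an expiry."""

    def __init__(self, ban_seconds=24 * 3600):
        self.ban_seconds = ban_seconds
        self._expiry = {}  # ip -> unix time at which the ban lapses

    def ban(self, ip, now):
        self._expiry[ip] = now + self.ban_seconds

    def is_banned(self, ip, now):
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if exp <= now:  # lapsed: drop it lazily
            del self._expiry[ip]
            return False
        return True

def on_smtp_data(client_ip, recipients, bans, now=None):
    """Decide at the DATA stage. Returns (accept, reason-for-the-log)."""
    now = time.time() if now is None else now
    if bans.is_banned(client_ip, now):
        return False, "client IP is on the trap ban list"
    hits = sorted(a for a in map(envelope_address, recipients) if a in TRAP_ADDRESSES)
    if not hits:
        return True, "no trap recipient"
    if is_relay(client_ip):
        # The IP we see is the relay's, not the spammer's: reject, don't ban.
        return False, "trap hit %s via relay %s; not banned" % (hits[0], client_ip)
    bans.ban(client_ip, now)
    return False, "trap hit %s; banned %s" % (hits[0], client_ip)

if __name__ == "__main__":
    bl = TrapBanList(ban_seconds=3600)
    print(on_smtp_data("198.51.100.7", ["Old Contact <OldContact@Example.com>"], bl, 0.0))
    print(on_smtp_data("198.51.100.7", ["user@example.com"], bl, 10.0))
    print(on_smtp_data("203.0.113.9", ["sales-archive@example.com"], bl, 0.0))
```

A message addressed to a trap address and a real mailbox at the same time is still rejected, because a harvested list that contains the trap is the signal the trap exists for.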

mattg
Moderator
Posts: 20134
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Using honeypots to catch spammers?

Post by mattg » 2019-08-31 00:24

I've been using tarbaby.junkemailfilter.com as an extra MX record for some of my domains, and it seems to work really well.

I don't get any feedback about banning though.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 1107
Joined: 2017-09-12 17:57

Re: Using honeypots to catch spammers?

Post by palinka » 2019-08-31 15:37

mattg wrote:
2019-08-31 00:24
I've been using tarbaby.junkemailfilter.com as an extra MX record for some of my domains, and it seems to work really well.

I don't get any feedback about banning though
I read recently that the founder of junkemailfilter.com died and it was almost a one-man show, but his successor is trying to get things running and updated and functional again. The blacklists appear to not have been updated in a while, but I read to expect that to change soon.

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Using honeypots to catch spammers?

Post by jimimaseye » 2019-08-31 15:45

palinka wrote:
2019-08-31 15:37
mattg wrote:
2019-08-31 00:24
I've been using tarbaby.junkemailfilter.com as an extra MX record for some of my domains, and it seems to work really well.

I don't get any feedback about banning though
I read recently that the founder of junkemailfilter.com died and it was almost a one-man show, but his successor is trying to get things running and updated and functional again. The blacklists appear to not have been updated in a while, but I read to expect that to change soon.
He (Marc Perkel) was very vocal about his innovative DIY attempts at curing his cancer and regularly kept people informed via the SpamAssassin mailing list. See his attempts here: http://wiki.junkemailfilter.com/index.p ... pal_Effect. He also tried to create a new way of blocking spam but was unable to convert the masses to his new idea. I don't remember the detail but it was tantamount to saying 'only allow the genuine instead of blocking the non-genuine by building a database of genuine'. (Yeah. I know.)

Sadly he lost the fight. http://www.dvorak.org/blog/2018/08/27/r ... rc-perkel/

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 20134
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Using honeypots to catch spammers?

Post by mattg » 2019-09-01 01:22

Oh that is sad..

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Re: Using honeypots to catch spammers?

Post by jim.bus » 2019-09-01 01:42

mattg wrote:
2019-08-31 00:24
I've been using tarbaby.junkemailfilter.com as an extra MX record for some of my domains, and it seems to work really well.

I don't get any feedback about banning though
I didn't know you guys knew of junkemailfilter.com. I have been using it for my Backup MX Email Server. I didn't think you used or knew about it since I believe you once stated you didn't believe Backup MX Email Servers were necessary or maybe that most people didn't use them.

What function does tarbaby.junkemailfilter.com perform in your MX records?

mattg
Moderator
Posts: 20134
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Using honeypots to catch spammers?

Post by mattg » 2019-09-01 04:05

Simply rejects all messages, but if my server is up at the time, it was meant to add the sender to a spammer list.

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Re: Using honeypots to catch spammers?

Post by jim.bus » 2019-09-01 07:29

mattg wrote:
2019-09-01 04:05
Simply rejects all messages, but if my server is up at the time, it was meant to add the sender to a spammer list.
I am quoting your response here instead of where we discussed not receiving Forum posting email notifications because it seems to involve junkemailfilter.com somehow. As stated elsewhere I rarely get email notifications of a Forum Posting. I have all my Notification Options turned on in my Profile and everything looks like I should get the email notifications. This particular quoted posting of yours was generated at 17:05 today and my hMailServer email server should have been up and running at that time and is the email server which contains my Forum Email ID to respond to. I do let my computer with hMailServer sleep when there is no activity but it is set to wake from sleep when an attempt to connect to it hits the NIC LAN Controller.

Unless it takes a longer amount of time to send out the Notification, I did not receive an email notification for your Posting of this entry on this topic which I am following in the Forum because I have posted responses on this Topic.

However, I have recently received email notifications on some of my Postings in the Forum and on these Email Notifications the one difference seems to be that junkemailfilter forwarded the Forum email to me as though my hMailServer was down at the time the Forum tried to send the Email Notification. I have received two or three such Email Notifications recently and every one of them has come through junkemailfilter. I did recently add a junkemailfilter IP Address to my Incoming Relays in hMailServer but while I am not sure of this I believe at least one of those notification emails came before the change. Also, funny thing is that the IP Addresses I have listed didn't seem to match any of the Incoming Relays IP Addresses in the Message Headers for this Email Notification.

But so far from examining recently my Log Entries it looks like the only time I receive a Forum Email Notification message is when it gets sent to mxbackup1.junkemailfilter.com from my Backup MX record. Do you have any clue as to why seemingly only Notification Emails going through junkemailserver get to me? I'm thinking it just has to be coincidence but this particular notification email if sent promptly should not have gone to the mxbackup.junkemailserver.com server because my hMailServer should have been running yet so far I haven't received the Email Notification for your Posting response.

SorenR
Senior user
Posts: 3190
Joined: 2006-08-21 15:38
Location: Denmark

Re: Using honeypots to catch spammers?

Post by SorenR » 2019-09-02 13:17

Not sure MXes are the best place for honeypots.

I use my ISP server as Backup-MX (3 servers in round-robin) and have seen occasionally, in my logs, that IF I go off-line or accidentally deny connection by an experimental filter, mails are delivered through the Backup-MX and will continue to be for up to a week even if my server is back on-line or the filter is removed.

So if I followed your example I would lose legitimate emails. Apparently some high traffic servers/listservers hold a "preferred server for delivery" with a grace period.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

palinka
Senior user
Posts: 1107
Joined: 2017-09-12 17:57

Re: Using honeypots to catch spammers?

Post by palinka » 2019-09-03 00:59

I used to use junkemailfilter.com as a backup MX but I was getting all spam messages through them sent to me, but get this - they would connect and the logs show the original sender but then the connection would mysteriously quit before actually transmitting the message. I emailed them about this because a) it's cool that you're not actually transmitting spam but b) you're spamming my log files. The answer was a non-answer: "like, I think our system is just checking to see if you're still online". Obviously that's a non-technical answer that wasn't satisfactory to me so I just changed my MX records to remove them. It was very strange, to say the least. It kind of makes sense now that I know what's going on over there. Apparently the new guy is still trying to make sense of all the custom code. I'm hopeful they'll sort everything out. Too bad to hear about Perkel.

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Re: Using honeypots to catch spammers?

Post by jim.bus » 2019-09-03 04:12

palinka wrote:
2019-09-03 00:59
I used to use junkemailfilter.com as a backup MX but I was getting all spam messages through them sent to me, but get this - they would connect and the logs show the original sender but then the connection would mysteriously quit before actually transmitting the message. I emailed them about this because a) it's cool that you're not actually transmitting spam but b) you're spamming my log files. The answer was a non-answer: "like, I think our system is just checking to see if you're still online". Obviously that's a non-technical answer that wasn't satisfactory to me so I just changed my MX records to remove them. It was very strange, to say the least. It kind of makes sense now that I know what's going on over there. Apparently the new guy is still trying to make sense of all the custom code. I'm hopeful they'll sort everything out. Too bad to hear about Perkel.
One thing I used to do with junkemailfilter as my MX Backup was not to put the 'dummy' mxbackup2.junkemailfilter.com MX Record in my DNS as I was running into situations where they may have been filtering out email I did want. If I remember correctly I believe I still saw email possibly being filtered out that I didn't want filtered so I put the mxbackup2 back in. Lately I am unaware of any problem with not getting my email but have wondered sometimes if they were getting my email when I was down. I didn't think too much about it though since I'm up pretty much all of the time but I just hadn't seen their MX Backup servers in my logs or Message Headers of any of my email, or not as much as I was used to seeing in the past. This was all before I heard about Perkel a few days ago in this Forum.

ras07
Normal user
Posts: 196
Joined: 2010-03-11 08:51

Re: Using honeypots to catch spammers?

Post by ras07 » 2019-09-05 06:50

palinka wrote:
2019-09-03 00:59
I used to use junkemailfilter.com as a backup MX but I was getting all spam messages through them sent to me, but get this - they would connect and the logs show the original sender but then the connection would mysteriously quit before actually transmitting the message. I emailed them about this because a) it's cool that you're not actually transmitting spam but b) you're spamming my log files. The answer was a non-answer: "like, I think our system is just checking to see if you're still online". Obviously that's a non-technical answer that wasn't satisfactory to me so I just changed my MX records to remove them. It was very strange, to say the least.
Actually that's pretty much how it worked:

1. Sending server contacts junkemailfilter's backup MX
2. junkemailfilter tries to contact your server
3a. If your server is up, junkemailfilter assumes the email is spam, rejects it, and flags the sending IP as a spammer
3b. If your server is down, junkemailfilter accepts the email and stores it to send to you later

I used it for quite a while but it got pretty unreliable when Perkel got sick. AFAIK I didn't experience the "cached preferred server" problem that SorenR describes, but it certainly could have happened without me knowing about it.

palinka
Senior user
Posts: 1107
Joined: 2017-09-12 17:57

Re: Using honeypots to catch spammers?

Post by palinka » 2019-09-06 11:54

ras07 wrote:
2019-09-05 06:50
palinka wrote:
2019-09-03 00:59
I used to use junkemailfilter.com as a backup MX but I was getting all spam messages through them sent to me, but get this - they would connect and the logs show the original sender but then the connection would mysteriously quit before actually transmitting the message. I emailed them about this because a) it's cool that you're not actually transmitting spam but b) you're spamming my log files. The answer was a non-answer: "like, I think our system is just checking to see if you're still online". Obviously that's a non-technical answer that wasn't satisfactory to me so I just changed my MX records to remove them. It was very strange, to say the least.
Actually that's pretty much how it worked:

1. Sending server contacts junkemailfilter's backup MX
2. junkemailfilter tries to contact your server
3a. If your server is up, junkemailfilter assumes the email is spam, rejects it, and flags the sending IP as a spammer
3b. If your server is down, junkemailfilter accepts the email and stores it to send to you later

I used it for quite a while but it got pretty unreliable when Perkel got sick. AFAIK I didn't experience the "cached preferred server" problem that SorenR describes, but it certainly could have happened without me knowing about it.
That's weird because it wasn't just a ping or something simple. It went all the way to DATA then quit before transmitting the message. Maybe to let me know the sender and recipient? There was no documentation so I assumed it was a bug.

I have a powershell script that telnets in to check for connectivity in case of a hang (which has sometimes happened during a backup of hmailserver). But my script stops at the first reply (220 mydomain banner). There's no need to spam the log over a connectivity test.

I guess knowing the spammer sender address could be useful. Maybe that was the point of going through the motions.

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Re: Using honeypots to catch spammers?

Post by jim.bus » 2019-09-06 12:32

palinka wrote:
2019-09-06 11:54
ras07 wrote:
2019-09-05 06:50
palinka wrote:
2019-09-03 00:59
I used to use junkemailfilter.com as a backup MX but I was getting all spam messages through them sent to me, but get this - they would connect and the logs show the original sender but then the connection would mysteriously quit before actually transmitting the message. I emailed them about this because a) it's cool that you're not actually transmitting spam but b) you're spamming my log files. The answer was a non-answer: "like, I think our system is just checking to see if you're still online". Obviously that's a non-technical answer that wasn't satisfactory to me so I just changed my MX records to remove them. It was very strange, to say the least.
Actually that's pretty much how it worked:

1. Sending server contacts junkemailfilter's backup MX
2. junkemailfilter tries to contact your server
3a. If your server is up, junkemailfilter assumes the email is spam, rejects it, and flags the sending IP as a spammer
3b. If your server is down, junkemailfilter accepts the email and stores it to send to you later

I used it for quite a while but it got pretty unreliable when Perkel got sick. AFAIK I didn't experience the "cached preferred server" problem that SorenR describes, but it certainly could have happened without me knowing about it.
That's weird because it wasn't just a ping or something simple. It went all the way to DATA then quit before transmitting the message. Maybe to let me know the sender and recipient? There was no documentation so I assumed it was a bug.

I have a powershell script that telnets in to check for connectivity in case of a hang (which has sometimes happened during a backup of hmailserver). But my script stops at the first reply (220 mydomain banner). There's no need to spam the log over a connectivity test.

I guess knowing the spammer sender address could be useful. Maybe that was the point of going through the motions.
Actually I believe it may be slightly different in how it works from what you stated. What you appear to be describing is how the Email MX Backup Server works which I use all the time. That function uses two MX Records. They are mxbackup1.junkemailfilter.com (lowest MX Preference Number) and mxbackup2.junkemailfilter.com (highest MX Preference Number). The theory is that a SPAMMER will try to select the backdoor to your email server system by selecting the highest preference number server (mxbackup2.junkemailfilter.com). The website describes mxbackup2.junkemailfilter.com as a 'Dummy' server just to catch this kind of attack and supposedly this serves to eliminate some if not a lot of SPAM. But if the incoming connection is not a SPAMMER, then that sending email server will follow normal procedure to connect to the lowest preference number email server first, which is presumably your email server, but if your email server is unavailable then the sending email server will connect to the next highest preference number server which presumably is mxbackup1.junkemailfilter.com. The mxbackup1.junkemailfilter.com server will then store the email until it detects that your lowest preference email server is available again at which time it will connect to your email server and deliver all the stored email messages it accumulated while your email server was unavailable.

However, be aware not all email servers follow the RFCs, such as Bank Of America's email servers which apparently will not look for alternate MX Records and only use the lowest Preference MX Record when sending email to your email server, or at least that is how it appeared to be working.

palinka
Senior user
Posts: 1107
Joined: 2017-09-12 17:57

Re: Using honeypots to catch spammers?

Post by palinka » 2019-09-16 20:26

RvdH wrote:
2019-08-30 22:49
I have some honeypots/spam traps in place that automatically are reported/contributed to blocklist.de DNSBL

A few usage examples
https://www.hmailserver.com/forum/viewt ... 97#p209597

scripts can easily be adapted for the more traditional honeypots (in OnSMTPData) you are referring to
Not sure how this topic got so far off topic, but I am still very much interested in contributing to blacklists. I looked at your fail2ban example and that is not something I can do - all ports for mail (except 25) on my router are closed, and port 25 does not accept authentication.

Do you know of any other blocklists to which I may be able to contribute?

As far as honeypots go, I do have a couple of old, unused addresses that I finally disabled because they only receive spam. I'm thinking there must be a few things worthy of harvesting if they get past my other filters (spamhaus, etc).
