another honey pot thought
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5157
Printed Date: 05 February 2025 at 11:05am
Topic: another honey pot thought
Posted By: keizersozay
Subject: another honey pot thought
Date Posted: 10 May 2005 at 12:15pm
|
I really like the new honey pot feature, but I think it can be expanded to also read a file for content. Right now it just checks to see if the 'email to' is in the honey pot address list, but what about adding a honey pot keyword file (with regex support)
This could be real dangerous, but if you know that certain email content is alway spam like... well, I can't think of anything right now, but you know what I mean.
What do you think?
|
Replies:
Posted By: LogSat
Date Posted: 10 May 2005 at 10:33pm
In the next build we've added support for an extra tag in some of the
blacklists, similar to the :NULL and :NoNDR tags already supported. The
new :Honeypot tag will cause the sender's IP to be added to the
honeypot blacklist when there's a match for the particlar blacklist
entry with the :Honeypot tag.
Unfortunately this does not apply to the keyword filter, as that list does not support the extra tags...
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Desperado
Date Posted: 10 May 2005 at 10:46pm
|
Real Nice! Will you list the Black Lists that this tag will be valid in?
Regards,
-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
|
Posted By: keizersozay
Date Posted: 11 May 2005 at 12:16pm
|
Great idea Roberto. Looking forward to it.
Will the anti-virus plugin have this functionality too? If so I would consider purchasing the additional plugin.
Thanks again
|
Posted By: LogSat
Date Posted: 11 May 2005 at 10:10pm
keizersozay,
Another valid idea. Most likely it will be included in the next build.
If you email us directly we can provide you with an alpha version for
you to test (it's available right now).
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Alan
Date Posted: 29 July 2005 at 12:43pm
Roberto at one point last year the use of the extra tags (null, nondr)
on keywords was talked about being implimented and may have been for
test-build, but now it appears it is not. It may have been a
performance issue.
This is still something I would really like to be able to
utilize. While keywords are not my weapon of choice they still
act as one layer that catches a lot of spam, especially for certain
short term spam campaigns.
|
Posted By: LogSat
Date Posted: 29 July 2005 at 4:15pm
Alan,
We've implemented "modifiers" for many of the blacklists, but as we've
talked about i nthe past, the keyword list does not the use of any
extra tags. The reason for this is that the list supports wildcard
filtering and RegEx filtering. Adding support for a modifier will make
the parsing engine do too much extra work to handle it at the moment.
We've tested some workarounds (using something other than the defualt
":" to designate a extra tag) but we don't have any time estimates on
when it will be implemented yet.
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Alan
Date Posted: 29 July 2005 at 4:21pm
|
Thanks Roberto. This is a big want for me. It would really
help clean up and reduce the size of the quarantine that users would
have to look through.
|
Posted By: Marco
Date Posted: 04 August 2005 at 10:47am
|
I was going to suggest the exact same (topic), from then on anyone with 'case of fine wine' 'improved cialis without prescription' (to name some) in the subject would get blocked into oblivian.
This feature would only need to be active for a limited time, and would catch quite a few of the badasses that got hold of our domain name and are swamping it with spam.
Any users that forward such spam and dont change at least the titles are deserving of a block :->
But i would also like to see a limited timeblock, say - a day- with notification to the sender, so that they are warned not to do it again.
Just my 2 cents
-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
|
Posted By: LogSat
Date Posted: 04 August 2005 at 11:49pm
Marco, Alan, keizersozay, everyone,
We now have a pre-release build that does include support for extra
tags in the keyword filter as well. This was done with practically no
performance loss. The build is still being tested, but is available in
the registered user area as build 2.6.3.476.
The syntax for the extra tag had to be slightly different. In this list
you MUST use a double colon rather than a single one to separate the
tag from the keyword entries. The updated help file for that sectionis
as follows:
Keywords
Filter - You can
check email content and subject header for specific keyword and/or
phrases. If found, the email is rejected. You can also use #Bayesian%20Statistical%20Filtering - Regular
Expressions (RegEx). If the keyword file does not exist it will
be created. The file is reloaded every minute. The contents of the file
will be loaded in the memo box, allowing you to make changes to the
file. This list supports the ::NULL option to send emails in a black
hole. If an entry is in the form keyword::NULL it will cause all
emails to be accepted and then sent to NULL right away. Such
emails will not cause NDRs, they will not be quarantined, they will not be seen by the users.
If an entry is in the form
keyword::NoNDR such emails will not cause NDRs as in the DoNotSendNDROnQuarantine parameter in the ini file. This list supports the ::Honeypot option, which will cause the sender's IP address to be automatically blacklisted in the future.
Please note that unlike in
other cases, with the keyword list you must enter the ":" symbol twice to
specify the extra tag.
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Marco
Date Posted: 05 August 2005 at 3:05am
|
Fantastic! great work roberto.
just to make sure, the following lines are correct?
subject:challenged on live tv::honeypot
subject:software,at,incredibly,low,price::honeypot
-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
|
Posted By: Marco
Date Posted: 05 August 2005 at 8:21am
|
ok, one of them badasses sent us one... and it seems to work.. but you guessed it: the ISP's relay server got blocked :)))
I think the order of filters needs to be looked at again, so that DoNotAddIPToHoneypot has preference again.
Other than that it works great! This is gonna give the spammers some serious headaches. How to try and sell something if the text needed to sell it will cause you an ipblock? muhahaha (sorry, was beeing myself for a sec there) :)
regards,
Marco
-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
|
Posted By: Alan
Date Posted: 05 August 2005 at 5:06pm
Thank you Roberto for getting such a jump on that one. It really
has made a noticable difference already in my testing. And I do
not see any performance hit either. I am still very impressed at
how quickly you have been able to encorporate new ideas and user
requests over the years of using SF.
Seems like some of the old requests from years ago are starting to get
included in the product now. So how about some way to set a time
limit on filters? Maybe something like "::NULL/08102005" to have
a filter that will no longer be effective as of a certain expiration
date (08/10/2005 in this case). Of course it would be either up
to the admin to clean up or you can have the app auto-remove expired
filters. This would be good for outbreaks or spambot attacks
where certain is suddenly a big problem but will probably not be in the
future.
And another thought, a way to also scan within attached text files such
as spoofed bounces resulting from joe-job instances.
Oh and finally, how about that darned mailing list for registered users
so we can be notified immediately of new official and beta
versions? That seems like a no-brainer and another reason for
people to pony up for a fine product.
|
Posted By: LogSat
Date Posted: 07 August 2005 at 6:57pm
Alan,
We honestly don't see expirations on filters to be available any time soon.
What we do have next on the list however is a "timed cache" on source
IPs. If an IP has sent more that "n" number of spams in the last "x"
number of minutes, it will be immediately disconnected even before it
sends any data for "y" number of minutes. This will save a considerable
amount of bandwidth and will prevent filling user's quarantine with
massive amounts of spam to sort thru. We're trying to make these
options available for each type of filter, so that for example the
timer is active on the "virus" filter but not on the "reverse DNS"
filter.
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Marco
Date Posted: 09 August 2005 at 3:16am
|
Maybe you missed the hidden bugreport i mentioned in my earlier post Roberto, just making sure.
The DoNotAddIPToHoneypot ini entry is beeing ignored in build 476
Regards,
Marco
-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
|
Posted By: LogSat
Date Posted: 10 August 2005 at 10:14pm
Marco,
I'm not sure if you refer to your comment below or not:
==============================
I think the order of filters needs to be looked at again, so that DoNotAddIPToHoneypot has preference again.
==============================
If it's not this comment, but another "hidden bugreport", then it's
hidden really good since I have no idea of where it is... Can you
repost it?
If instead it was the above comment, it looked like a "wish" not a bug
report. Looking over the behavior again, we noticed that the
DoNotAddIPToHoneypot optionis doing exactly what it was asked and
designed to do. That is, if an email comes in from an email address that is in the honeypot email list, the IP won't be added if it's listed in the DoNotAddIPToHoneypot list.
When we started adding extra tags to add sender's IP to the honeypot
blacklist if they triggered other filters, that process ignored the
DoNotAddIPToHoneypot. It's technically not a bug... but you're correct,
it would be more appropriate if that "whitelist" would be expanded to
all other filters as well.
We're pre-testing a build with this ability internally right now. We'll
make it available in a few days, but if you wish to test it please let
us know and we'll make it available to you.
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Marco
Date Posted: 11 August 2005 at 3:47am
|
ahh, that is exactly what i was referring to, and i see how it happened.
The problem is that an 'unknown' sender is mailing us spam to legit mail adresses. adding those adresses to honeypot list is not an option.
Since the senders don't use honeypot adresses, and some of the incoming mails are relayed throuygh to our primary mailsystem, the possibility that the relay's ip gets trapped is high. This is what happened, and i agree, the honeypot is working fine, but the donotaddiptohoneypot setting needs to be applied to the content tagging system also.
So maybe the tag 'honeypot' is a bit out of place in the keyword filter, perhaps a tag called '::blacklistIP' (or something) would be better.
Regardless, a system that blacklists senders ip's on the basis of mail or subject content could proove invaluable. But caution has to be applied not to blacklist legit ip's.
Another wish that might proove useful if possible is extending the 'automatic blacklisting' when the sender's mail is matched in MAPS and/or surbl search. Also 'FROM' domain names /attachment filter perhaps.
Thank you for taking the effort in looking into this 'issue' i would gladly help test the new prerelease.
Regards,
Marco
-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
|
Posted By: Alan
Date Posted: 11 August 2005 at 11:47am
|
How about adding a checkbox to add IP's to the honeypot block list who
exceed the "maximum concurrent connections from same IP"
|
|