Is anything going to be done about the problem Marco and I were having with the honeypot and trusted ip's???

I have narrowed it down to that if the honeypot was applied after tagged subject lines it would resolve my problem. or just being able to add in trusted ips in the honey pot.....

Roberto?

thanks a lot Roberto, having a working honeypot for those that are behind a relay server or use some other sort of mail forwarding server can be sure the relay won't get blacklisted when that is implemented.

Regards,

Marco

One big problem I see with Honeypots is this. Now that most ISP's are blocking port 25, spammers are starting to use the Zombie PC's default outgoing ISP to send the spam.  Before too long you end up blocking comcast.net, rr.com, and all major ISP's. Without a way to bypass this issue by a DO NOT BLOCK list like the one that being talked about, the honeypot will die a slow death I believe.

I tried doing something like this a while back and created my own RBL of IP's that had sent me spam and that my then current spam filter detected. I ended up having to scrap it because it was adding so many big ISP's ip numbers that my customers revolted and I had to remove it.

Roberto,

Multiple trusted ip's are accepted too?

DoNotddIPToHoneypot=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx works?

Regards,

Marco

The honeypot is a great feature, but i think that it should be not a definitely ip ban.

The ip list should be clean every X days, or better, the ip older than X days should be deleted from honeypot ip ban list. This feature could help the virus infected PC that has been cleaned to come up and working.

Don't you think that a days limited ban wuold be better?

Simone

Webguyz, I ran into the same type of problem last week with my SpamFilter honeypot.  It has been working great, reducing a large amount of spam.  But just recently, my honeypot blocked an smtp server that sends my mail server a substantial number of valid emails.  It just happened to be that someone who harvested one of the honeypot emails that I hid on my web site had sent my server mail, using the a smtp server that I often receive good email from.

This seems like an impossible thing to ask, but how does one work around a situation where they receive some good email from a smtp server that has been blocked by the honeypot?  I don’t believe that I have any solid white list criteria that I could add to safeguard the good email that comes in from some of these partially-bad smtp server.  My only solution to this point has been to disable my honeypot.

Below is a snippet from my logs, in which one such smtp server was blocked - adamant.xo.com.  After this, a number of good emails were getting blocked.

11/13/05 01:02:35:960 -- (5012) Connection from: 207.155.248.114  -  Originating country : United States

11/13/05 01:02:36:304 -- (5012) Resolving 207.155.248.114 - adamant.xo.com

11/13/05 01:02:36:304 -- (5012) - EMail To is in honeypot emails -

11/13/05 01:02:36:335 -- (5012) - Added 207.155.248.114 to honeypot blacklist

11/13/05 01:02:36:335 -- (5012) 207.155.248.114 - Mail from: TaraFarber@benker-vermietung.com To: honeypie@***********.*** will be rejected

11/13/05 01:02:37:117 -- (5012) EMail from TaraFarber@benker-vermietung.com to hypot1@msandyou.org was received and quarantined. Size: 20 KB, 20480 bytes

11/13/05 01:02:37:179 -- (7180) Time to add Msg to Bayes corpus:0

11/13/05 01:02:37:195 -- (5012) Disconnect

I appreciate any suggestions, thanks.

Every time a message is released from quarantien(that has been blocked as spam) it is checked against the blacklist, if found it removes the blacklisted IP! This way if HoneyPot has blocked a "valid" senderIP, it will be removed by the first release from quarantine.

(have blacklistedIPs in a DB that I sync with SF every 15min)