Hi all,
We've been experimenting with a dummy smtp server.
A dummy smtp server is software which accepts SMTP connections, but never completes the communication. Ours drops the connection after the DATA command.

basically, i setup a MX 99 on some of our domains (same server as SF different IP address), and started running the program. Within minutes I started getting connections on it. so much so that within 24 hours we've had over 4000 connections (all verified as spam) to just 8 domains. that's an average of 500 messages per domain.

The software we have is somewhat buggy, probably slow, and isn't as resource considerate as SF.

I'd like to know what the people around here think about this as a spam 'fighting' technique, and maybe Roberto can release a stripped down version of SF purely for dummy smtp connections?

Regards
Amir

OK, this may be a dumb question ... If one configures the honeypot as described, how would you get a list of the IP's captured. Are they in a file or do I have to get them from the log?

Jeremy,

The issue we see is a potential waste of bandwidth. If you have a * in the Allowed Domains, SpamFilter will accept *all* emails and will behave as an open relay. While it's true that the "null" option will cause all emails to be sent to la-la land, to the remote sender the email will appear as having been sent successfully. But this also means that the sender is actually sending the entire content of the email, and will continue to send multiple emails, as to them they are all being delivered. But if you have bandwidth to spare, it's not an issue (actually, you're doing the world a favor as spammers think you're a good open relay when in fact, no emails are being delivered....!)

In my setup the IP's are not being saved to a file although the file is specified.  Is there an ini variable I must set? 

Roberto,

your suggestion to use SF as it is at the moment is good, however a few problems may come up.

We've discovered that some list servers actually send 'good' emails to the high number mx record (i think this is by design but am not 100% sure).

 

if we run this with your suggestion then the email is lost, to 'la la land' where as with my original suggestion, the dummy smtp actually drops the connection a couple of seconds after the DATA command is issued. in other words the SMTP conversation is never completed.

the bottom line effect is:

- Spammer don't care, as they don't monitor the conversation.

- Real SMTP servers will try to resend, and will eventually give up this MX record and try another. at least they should.

 

we are only testing this on 8 of our domains out of over 500.

it's working really nicely so far. of course we don't have any of the functionality of SF which we've become so used to like the connection lists, blacklisting of the ip's etc.

 

by the way, we don't have any allowed/disallowed lists. we accept ALL connections, and drop them after the data command. 

 

Amir

dcook,

jerbo128 wrote: I added  10 domains to my dummy smtp. Now, 24 hours later, I have 30,000 ip's in my honeypot list.  I feel like I am taking candy from a baby.  Those stupid idiots  :-)

jerbo128 is absolutely correct. The RFC2821 does not *suggest* that lower preference MX records *should* be used. It is instead very clear and *requires* that the lowest MX records be used first (if they are online...). Any application that does not follow this rule is in violation of the RFCs. If there's a listserver that doesn't follow the standard, it has a bug :-) and it should be reported.

Dan,

is it possible for you guys to share the list of the IPs?

jerbo128 wrote: Webguyz - I have found that spammers will try to send to almost every host that they can find.  www, mail, ns0, etc.   In the 2nd 24 hours of running this, I have collected another 40K ip's.   Jeremy

dcook wrote:   I believe that no good email should go to an IP without an MX record!! So to me it's a great lure.

I also went through the process of setting up a local dnsrbl but it was a handful. I understand your concern about the task of managing it.  

Edited by dcook - 14 December 2007 at 12:21pm

We're following this thread to see if we're needed, but so far everyone is doing great in experimenting :-)
As a side-note, the SFDB is very resilient to false positives. We only blacklist IPs if we receive multiple reports about an IP, all made from different SpamFilter installations. If some of you incorrectly report an IP due to an incorrect honeypot entry, this practically will not influence the SFDB, as it's just a single report.

Now if many of you make the same mistake by reporting the same IP that is being blocked by a honeypot entry, chances are that, since all of you then received the same emails from that IP within a few minutes, again chances are that the email is actually indeed spam as you all received. If it's a newsletter or an email notification with large scopes (for example the Microsoft Updates Security notifications), the IP addresses of these legitimate senders should be already listed in a whitelist of approved senders we use within the SFDB, so the risk of causing false positives should be very low.

jerbo128 wrote: I too would be happy to host a copy of a dnsbl zone.  But I do not have the time to manage it either.  Seems to be the running word of the day!   Jeremy

Edited by WebGuyz - 15 December 2007 at 11:17am