
Honeypot Problem

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5245
Printed Date: 22 December 2024 at 3:07pm


Topic: Honeypot Problem
Posted By: kspare
Subject: Honeypot Problem
Date Posted: 24 June 2005 at 1:03am

Is anything going to be done about the problem Marco and I were having with the honeypot and trusted ip's???

I have narrowed it down to that if the honeypot was applied after tagged subject lines it would resolve my problem. or just being able to add in trusted ips in the honey pot.....

Roberto?




Replies:
Posted By: LogSat
Date Posted: 24 June 2005 at 5:22pm
Kevin,

We were originally staying with the response given at http://logsat.com/spamfilter/forums/forum_posts.asp?TID=5217#6068,
however we've revisited that...

We prepared a new beta that may solve your issues. Build 461 has the following release notes:

// New to VersionNumber = '2.5.2.461';
{TODO -cNew : Added RealtimeDiskLogging option in SpamFilter.ini file to have log being flushed to disk with every entry}
{TODO -cNew : Added DoNotAddIPToHoneypot option to SpamFilter.ini file to prevent certain trusted IPs from being blacklisted by the honeypot filter}
{TODO -cNew : Changed the logging on screen performance to increase reliability and have a smoother scroll}

We have not released it yet in the pre-release area of the website as it's on-going work to add per-domain filtering options (you'll see a non-working preview on the settings tab).

It is however otherwise fully functional and should be very stable. If you wish to try it to see if it will solve your problem, I'm sending you and Marco a download link by private message in this forum.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Marco
Date Posted: 27 June 2005 at 11:20am

Thanks a lot Roberto. When that is implemented, those that are behind a relay server or use some other sort of mail forwarding server can have a working honeypot and be sure the relay won't get blacklisted.

Regards,

Marco



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: kspare
Date Posted: 28 June 2005 at 12:54am
Works great for me too! Thanks Roberto!!


Posted By: WebGuyz
Date Posted: 29 June 2005 at 11:57am

One big problem I see with Honeypots is this. Now that most ISP's are blocking port 25, spammers are starting to use the Zombie PC's default outgoing ISP to send the spam. Before too long you end up blocking comcast.net, rr.com, and all major ISP's. Without a way to bypass this issue by a DO NOT BLOCK list like the one being talked about, the honeypot will die a slow death I believe.

I tried doing something like this a while back and created my own RBL of IP's that had sent me spam and that my then current spam filter detected. I ended up having to scrap it because it was adding so many big ISP's ip numbers that my customers revolted and I had to remove it.

 



-------------
http://www.webguyz.net


Posted By: kspare
Date Posted: 29 June 2005 at 8:39pm

Most ISP's are getting smart and are only allowing authenticated users or only ip's from their own network to use their smtp server.

If anything it will force lazy isp's to smarten up....The honeypot works great!



Posted By: Marco
Date Posted: 04 July 2005 at 4:53am

Roberto,

Multiple trusted ip's are accepted too?

DoNotAddIPToHoneypot=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx works?

Regards,

Marco



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: LogSat
Date Posted: 04 July 2005 at 12:24pm
Once we add new features, we try to make them as useful as possible! Yes, multiple IPs are allowed; separate them with commas or semicolons (without spaces) as you correctly guessed.

-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Simone
Date Posted: 11 July 2005 at 11:28am

The honeypot is a great feature, but I think that it should not be a definitive IP ban.

The IP list should be cleaned every X days, or better, the IPs older than X days should be deleted from the honeypot IP ban list. This feature could help a virus-infected PC that has been cleaned to come back up and working.

Don't you think that a days-limited ban would be better?

Simone



Posted By: WebGuyz
Date Posted: 19 July 2005 at 6:26pm

Just as I knew would happen. Got an email from earthlink asking why I had blacklisted one of their smtp servers. Here is the actual letter:

Hello,
Based on your message below it would appear that a block on mail traffic
from the Earthlink network to yours has been put in place, presumably in
response to a spam perceived to have been relayed either through your
network or from one of our users.
Considering Earthlink's considerable anti-spam position and efforts, this
comes as something of a surprise to us.  I'm hoping you can help clarify
this matter for us:

o Do you have outstanding abuse issues with Earthlink?
o What specific event resulted in the imposed mail block?
o What additional assurance do you need from us to have the block removed?

About Earthlink and its Policy on Net-Abuse: blah blah

Bottom line, this is bound to happen with every major ISP. I now remember why I stopped my earlier home brew attempts at this (ip blocking on spam hits) and alas will have to stop using the honeypot as well. I think it will eventually hit everyone who is an ISP or does a lot of mail that the honeypot is impossible to do without pissing off a lot of people. Anyone else run into this yet?

 




-------------
http://www.webguyz.net


Posted By: lead
Date Posted: 26 July 2005 at 7:57am
If I put in a scheduled task every 30mins to delete the honeypot IP black list, would this have any adverse effect on spamfilter?

I guess I am asking if spamfilter would recreate the blacklist file?

If there is a spam zombie sending through the ISPs SMTP this should cover it for a short period.

Another question, I take it the rejection message is the Local IP blacklist message?


Posted By: LogSat
Date Posted: 26 July 2005 at 8:28pm
lead,

SpamFilter will import any black/white list files that are changed by an external application. The files are checked every 60 seconds to see if they are modified. The same applies to the honeypot IP list, but there is a catch.

If an email arrives from an email address in your honeypot email list, that IP will be immediately added to the honeypot IP blacklist file.

This means that if you empty the file (you should not delete the whole file, just clear its contents...) and an IP is added by SpamFilter *before* the 60 seconds interval, SpamFilter will re-save the entire IP list to file before it is reloaded. If an IP is added every few minutes, chances are the file will clear successfully. But if IPs are added every few seconds, this will be less likely to succeed every time.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: sgeorge
Date Posted: 29 November 2005 at 11:09am

Webguyz, I ran into the same type of problem last week with my SpamFilter honeypot. It has been working great, reducing a large amount of spam. But just recently, my honeypot blocked an smtp server that sends my mail server a substantial number of valid emails. It just happened to be that someone who harvested one of the honeypot emails that I hid on my web site had sent my server mail, using an smtp server that I often receive good email from.

 

This seems like an impossible thing to ask, but how does one work around a situation where they receive some good email from an smtp server that has been blocked by the honeypot? I don't believe that I have any solid white list criteria that I could add to safeguard the good email that comes in from some of these partially-bad smtp servers. My only solution to this point has been to disable my honeypot.

Below is a snippet from my logs, in which one such smtp server was blocked - adamant.xo.com.  After this, a number of good emails were getting blocked.

 

11/13/05 01:02:35:960 -- (5012) Connection from: 207.155.248.114  -  Originating country : United States
11/13/05 01:02:36:304 -- (5012) Resolving 207.155.248.114 - adamant.xo.com
11/13/05 01:02:36:304 -- (5012) - EMail To is in honeypot emails -
11/13/05 01:02:36:335 -- (5012) - Added 207.155.248.114 to honeypot blacklist
11/13/05 01:02:36:335 -- (5012) 207.155.248.114 - Mail from: TaraFarber@benker-vermietung.com To: honeypie@***********.*** will be rejected
11/13/05 01:02:37:117 -- (5012) EMail from TaraFarber@benker-vermietung.com to hypot1@msandyou.org was received and quarantined. Size: 20 KB, 20480 bytes
11/13/05 01:02:37:179 -- (7180) Time to add Msg to Bayes corpus:0
11/13/05 01:02:37:195 -- (5012) Disconnect

I appreciate any suggestions, thanks.

Stephen
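One way to get ahead of the situation Stephen describes is to mine the SpamFilter log for honeypot additions and check each one against the DoNotAddIPToHoneypot list from build 461, so a shared relay that was just blacklisted shows up by hostname. The script below is an added example, not LogSat code; it assumes the log line shape shown in the post ("<date> <time> -- (<thread id>) <message>") and uses constructed sample lines with placeholder addresses.

```python
import re
from collections import defaultdict

# Log line shape from the post: "<date> <time> -- (<thread id>) <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) -- \((?P<tid>\d+)\) (?P<msg>.*)$")
RESOLVE_RE = re.compile(r"Resolving (?P<ip>\d+(?:\.\d+){3}) - (?P<host>\S+)")
ADDED_RE = re.compile(r"Added (?P<ip>\d+(?:\.\d+){3}) to honeypot blacklist")

def parse_trusted(value):
    """Split a DoNotAddIPToHoneypot-style value on commas or semicolons."""
    return {part.strip() for part in re.split(r"[,;]", value) if part.strip()}

def honeypot_additions(lines, trusted=frozenset()):
    """Return (timestamp, ip, host, is_trusted) per honeypot blacklist addition;
    the host comes from the 'Resolving' line of the same thread id."""
    host_by_tid = defaultdict(dict)  # thread id -> {ip: resolved host}
    report = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, tid, msg = m.group("ts", "tid", "msg")
        r = RESOLVE_RE.search(msg)
        if r:
            host_by_tid[tid][r.group("ip")] = r.group("host")
            continue
        a = ADDED_RE.search(msg)
        if a:
            ip = a.group("ip")
            host = host_by_tid[tid].get(ip, "(unresolved)")
            report.append((ts, ip, host, ip in trusted))
    return report

# Constructed sample in the post's format (placeholder addresses, not real hosts).
SAMPLE_LOG = """\
11/13/05 01:02:35:960 -- (5012) Connection from: 192.0.2.10  -  Originating country : United States
11/13/05 01:02:36:304 -- (5012) Resolving 192.0.2.10 - relay.example.net
11/13/05 01:02:36:304 -- (5012) - EMail To is in honeypot emails -
11/13/05 01:02:36:335 -- (5012) - Added 192.0.2.10 to honeypot blacklist
11/13/05 01:02:36:335 -- (5012) 192.0.2.10 - Mail from: spammer@example.com To: honeypot@example.org will be rejected
11/13/05 01:02:37:195 -- (5012) Disconnect
""".splitlines()

if __name__ == "__main__":
    trusted = parse_trusted("192.0.2.10;198.51.100.7")  # assumed ini value
    for ts, ip, host, ok in honeypot_additions(SAMPLE_LOG, trusted):
        status = "protected by DoNotAddIPToHoneypot" if ok else "UNPROTECTED relay"
        print(f"{ts} {ip} ({host}) {status}")
```

Run it over the real log with an empty trusted set to list every relay the honeypot has blacklisted, then decide which hostnames belong in DoNotAddIPToHoneypot.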


Posted By: WebGuyz
Date Posted: 29 November 2005 at 11:22am

I had to stop using honeypot because it was blocking emails from AOL, gmail, and others causing a false positive headache.

The biggest thing we do to cut down on false positives is a script that parses our outbound mail server log (using MS Logparser) every 10 minutes to get all the FROM:/TO: pairs, and if they are a valid user and the entry is not a dupe, adds the FROM|TO pair into the AutoWhitelistDelivery.txt file. That file is currently at 2.3 meg but doesn't seem to slow down SF (so far ;-).

Get much fewer calls about mail getting 'stuck'



-------------
http://www.webguyz.net
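The auto-whitelist approach WebGuyz describes, as an added example that is not his Logparser script: the outbound log format here is assumed ("<timestamp> sender=<addr> recipient=<addr>"), the FROM|TO order follows the post, comparisons are lowercased (an assumption about how SpamFilter matches the file), and the sample log is constructed.

```python
import re

# Assumed outbound-log shape (not any real MTA format): one delivery per line,
# "<timestamp> sender=<addr> recipient=<addr>".
PAIR_RE = re.compile(r"sender=(?P<frm>[^\s@]+@[^\s@]+)\s+recipient=(?P<to>[^\s@]+@[^\s@]+)")

def new_whitelist_pairs(log_lines, existing_pairs, valid_users):
    """Return the new 'FROM|TO' lines to append to AutoWhitelistDelivery.txt.

    Only outbound mail from a valid local user counts (a bounce or forged sender
    must not whitelist a stranger), and pairs already in the file or earlier in
    this batch are skipped, so the file grows only by genuinely new pairs."""
    seen = {p.lower() for p in existing_pairs}
    valid = {u.lower() for u in valid_users}
    new = []
    for line in log_lines:
        m = PAIR_RE.search(line)
        if not m:
            continue
        frm, to = m.group("frm").lower(), m.group("to").lower()
        if frm not in valid:
            continue
        pair = f"{frm}|{to}"
        if pair in seen:
            continue
        seen.add(pair)
        new.append(pair)
    return new

# Constructed sample input (placeholder addresses).
OUTBOUND_LOG = [
    "2005-11-29 10:00:01 sender=alice@example.org recipient=bob@example.net",
    "2005-11-29 10:00:05 sender=alice@example.org recipient=bob@example.net",  # dupe
    "2005-11-29 10:00:09 sender=Carol@example.org recipient=dave@example.com",
    "2005-11-29 10:00:12 sender=nobody@example.org recipient=x@example.com",   # not a user
    "2005-11-29 10:00:15 sender=alice@example.org recipient=erin@example.net",  # already listed
]
EXISTING = ["alice@example.org|erin@example.net"]   # current file contents
USERS = ["alice@example.org", "carol@example.org"]  # valid local mailboxes

if __name__ == "__main__":
    # Append these lines to AutoWhitelistDelivery.txt; SpamFilter reloads changed files.
    for pair in new_whitelist_pairs(OUTBOUND_LOG, EXISTING, USERS):
        print(pair)
```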


Posted By: Guests
Date Posted: 29 November 2005 at 12:29pm

Every time a message is released from quarantine (that has been blocked as spam) it is checked against the blacklist; if found, it removes the blacklisted IP! This way if the HoneyPot has blocked a "valid" sender IP, it will be removed by the first release from quarantine.

(have blacklistedIPs in a DB that I sync with SF every 15min)



