Thread: SPAM: Create & Use a Honeypot?

  1. #1
    kazooless is offline Loyal Member
    Join Date
    Mar 2009
    Posts
    89
    Rep Power
    6

    SPAM: Create & Use a Honeypot?

    I'm just thinking out loud here.

    I'm pretty happy finally with the state of my Zimbra spam filtering. Everybody here, especially DWMTRACTOR, has been very helpful in the configurations.

    Now, I'm thinking about the possibility of creating a honeypot, but I'm unsure if it would be possible to do with Zimbra. If so, then I don't know exactly how to do it.

    Basically, I think that we would just need to create an account and advertise it all over the blog world, maybe even send a bunch of the chain e-mail letters from it and to it, etc. But that account would have to be exempt from the normal spam. ALL mail coming to it would have to go to the inbox, and then a filter would be run to mark ALL mail as junk.

    Your thoughts? Can this be done? If so, how?

    kazooless

  2. #2
    ewilen is offline Moderator
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    8

    Yes, it would work, now that Bug 37164 ("mail filed into Junk by Filters is not used to train anti-spam") has been fixed.

    Simply advertise your bogus email account, and create a filter as you say, that files all incoming mail into Junk. You'll also want to give the account a COS that purges Junk more frequently than normal, just to keep the account from filling up.

    The only issue here is that if a message is marked as spam by Zimbra's SpamAssassin, then it will go straight to Junk and it will NOT be used to train the antispam system except if it has certain characteristics. (I believe the criteria are: must score 3 or higher in both header and body tests. See "AutolearningNotWorking" on the SpamAssassin Wiki and my posts in "More Spam after upgrading to 6.0.5".)

    You could probably find a way to force autotraining for all mail that comes to your honeypot account. Possibly if you set zimbraSpamApplyUserFilters TRUE on a given account or COS via zmprov (as described at Bug 34039, "RFE: Option to apply mail filters on Junk Folder"), you could have that interact with 37164.

    If you do this, then you can take advantage of the honeypot in another way: use it as a "spamtrap". Although this term is sometimes used synonymously with honeypot, here the idea is somewhat different. What you would do is create a SpamAssassin rule that assigns a high score to any mail that is addressed to the spamtrap address. This way if a spammer tries to deliver an email to multiple addresses in a single SMTP transaction, the presence of the spamtrap address in the list will be an immediate indicator of spamminess.

    If you try any of these ideas, please post a followup in this thread to let us know how it goes!
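
The spamtrap idea from the post above can also be checked after the fact against the mail log. This is an added example, not code from the thread or from Zimbra: it groups Postfix log lines by queue ID and reports every transaction whose recipient list includes the trap address, along with the sending client and the real users who received the same message. The trap address and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

TRAP = "trap@example.com"  # hypothetical spamtrap address (assumption)

# Constructed sample log in standard Postfix syslog format (not real traffic).
SAMPLE_LOG = """\
May  6 18:00:01 mail postfix/smtpd[2101]: 4F1A2B3C01: client=unknown[203.0.113.7]
May  6 18:00:01 mail postfix/qmgr[900]: 4F1A2B3C01: from=<promo@bulk.example>, size=4312, nrcpt=3 (queue active)
May  6 18:00:02 mail postfix/lmtp[2110]: 4F1A2B3C01: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:7025, status=sent (250 OK)
May  6 18:00:02 mail postfix/lmtp[2110]: 4F1A2B3C01: to=<Trap@example.com>, relay=mail.example.com[192.0.2.10]:7025, status=sent (250 OK)
May  6 18:00:02 mail postfix/lmtp[2110]: 4F1A2B3C01: to=<bob@example.com>, relay=mail.example.com[192.0.2.10]:7025, status=sent (250 OK)
May  6 18:05:10 mail postfix/smtpd[2140]: 7C9D0E1F02: client=mx.partner.example[198.51.100.20]
May  6 18:05:10 mail postfix/qmgr[900]: 7C9D0E1F02: from=<carol@partner.example>, size=2048, nrcpt=1 (queue active)
May  6 18:05:11 mail postfix/lmtp[2150]: 7C9D0E1F02: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:7025, status=sent (250 OK)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]{6,}): (.*)")
CLIENT = re.compile(r"client=\S*\[([^\]]+)\]")
SENDER = re.compile(r"from=<([^>]*)>")
RCPT = re.compile(r"to=<([^>]*)>")

def trap_hits(log, trap=TRAP):
    """Return {queue_id: details} for each transaction addressed to the trap."""
    trap = trap.lower()
    txns = defaultdict(lambda: {"client": None, "sender": None, "rcpts": set()})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-message Postfix line
        qid, rest = m.groups()
        if (c := CLIENT.match(rest)):
            txns[qid]["client"] = c.group(1)
        elif (s := SENDER.match(rest)):
            txns[qid]["sender"] = s.group(1).lower()
        elif (r := RCPT.match(rest)):
            txns[qid]["rcpts"].add(r.group(1).lower())
    return {
        qid: {"client": t["client"], "sender": t["sender"],
              # real mailboxes that got the same message as the trap
              "co_recipients": sorted(t["rcpts"] - {trap})}
        for qid, t in txns.items() if trap in t["rcpts"]
    }

if __name__ == "__main__":
    for qid, hit in trap_hits(SAMPLE_LOG).items():
        print(qid, hit["client"], hit["sender"], hit["co_recipients"])
```

On a server that re-queues mail after content filtering, the same message can appear under a second queue ID, so one delivery may be reported twice.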

  3. #3
    kazooless is offline Loyal Member
    Join Date
    Mar 2009
    Posts
    89
    Rep Power
    6

    This sounds pretty good and I just might try it, though some of it might be a little past my expertise. The COS change and training on the junk folder stuff. It would be nicer if there were an option to turn off SA altogether for the honeypot user account.

    Thanks again,

    Kazooless

  4. #4
    raj is offline Moderator
    Join Date
    Oct 2005
    Location
    USA, Canada and India
    Posts
    777
    Rep Power
    10

    Read about @spam_lovers_maps for amavis-new and then go do the setting in /opt/zimbra/conf/amavis.conf.in

    You will have to restart Zimbra services for it to apply, and you may save a copy in case it gets overwritten during Zimbra upgrades.

    Raj
    Last edited by raj; 05-06-2010 at 06:06 PM.
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  5. #5
    kazooless is offline Loyal Member
    Join Date
    Mar 2009
    Posts
    89
    Rep Power
    6

    Cool! Will do. Thanks.

    kazooless
