Hi,

On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
> 
> The Spamtrap / HoneyPot in question not only listens to port 25 but also
> listens on port 465 (smtps) and 587 (submission).
> 
> If an attacker is doing some dictionary attack on this to check for
> valid passwords (every authentication attempt is accepted) or attempts
> to relay spam mails (every relay attempt is answered with 200 OK) he
> is being blacklisted and an ARF report is sent to the abuse contact of
> the submitting IP range.
> 
> This is what causes those reports, not emails received on port 25.
> 
> But I guess, just silently blacklisting Tor exit nodes and not sending
> an ARF report to the ISP could be an option to solve that issue.


If you can detect Tor exit nodes, maybe you can fail authentication when it
comes from those IPs.  That may make sense if the Tor host is able to detect
multiple authentication failures and somehow stop the user.  What do they say?

I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.

Perhaps they have a real-time incident reporting system to catch miscreants.

Cooperation would increase the value of both your honeypots and their nodes.


Best
Ale
-- 
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
