Chris,

On 22/03/2020 20:41, Chris via mailop wrote:
> On 2020-03-22 16:20, Nick Stallman via mailop wrote:
>> I got one of these the other day and I'm scratching my head about it as what's in the report cannot possibly be correct.
>>
>> The report was for a domain we host the website for, but the domain has no email at all.
>> The account referenced is also not a valid website login or anything else I can think of.
>>
>> It's not terribly useful if I'm going to be getting red herrings like that.
>
> It's been my experience that MOST of them are going to be red-herrings.  I've seen a whole pile of such forged addresses with userids/passwords that I knew were completely impossible.

I have great respect for you, but I didn't spend a considerable amount of development time without actually being absolutely certain about what I was doing.  Your experience is not relevant because you do not have experience with equivalent traps to these - I know this for certain because I would have come across them, this also proves it:

{ auth_method: 'PLAIN',
auth_password: 'g3tt0ugh!',
auth_username: '<REDACTED>',
source_ip: '185.64.105.8'
}

I just plucked that out of the stream of newly identified accounts - that password looks pretty legitimate to me...  and at the time of writing this, that IP wasn't listed on Spamhaus, Invaluement or anywhere else...

So I can assure you I examined this in detail and proved the value of it by working with several ISPs.

In this thread, we've got one person that found what looked like actual compromised accounts and I've had other reports of this off-list, so it is helping take down this stuff, and that will increase over time as people add automation to this - which is already starting to happen.

>
> Imagine how useful it's going to be if you have a lot of spamtraps.  I mean, a *LOT* of spamtraps.
>

It's not the size and number of your spamtraps, it's what you do with them ;-)

Based on your, Atro's and Rob's feedback on this - I've spent some time coding to exclude all of your traps from the reporting which is live as of last night, so you might have gotten one more report, but from tonight onward the vast majority will be excluded.

I also found that I wasn't discarding some drive-by stuff which is more akin to what you were talking about so I've also corrected that which will further reduce the noise, raise the quality and reduce the number of daily reports being sent.

We are constantly improving our services for customers and for the greater community on a daily basis by challenging the status quo. We constantly re-evaluate what we do and how we do it and the wider positive feedback makes us believe that we are on the right track.

Lastly - I really appreciated Atro's disclaimer - I think I should point out to anyone that doesn't already know that both you and Rob should have done the same as you both run competing services.

And that's the last thing I'm going to say on this matter...

Kind regards,
Steve.

--
Steve Freegard
Senior Product Owner
Abusix Intelligence

