Re: Spam Honeypot
ok, i think we are both talking in two different directions, because you still seem to be talking sample sharing and i am still talking analysis mechanism. at this point i wish you well and bow out of the discussion (on list).

b

alan.gerhard wrote:
> I must have been unclear -
>
> A bayesian spam filter is based on the probability that a given mail is BAD or GOOD from an analysis of a sampling of BAD and GOOD mail. As a user, I would have control over this sampling - described earlier. As a James user, I would like to see this functionality implemented. This differs from your earlier view in that I see a personalized collection as opposed to a larger, centralized collection.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Spam Honeypot
>> James currently touts a Bayesian mailet, but employs only an
>> overall data source and is not concerned with individual
>> preference; to be an effective SPAM blocker, a relationship
>> needs to be established between a specific user and her
>> Bayesian lists.

> Actually, Alan, you are mistaken;

Over zealous, yes ...

From the discussions I have seen here concerning Chris' mailet, and the overall interest in handling SPAM, I wanted to bring attention and ultimately focus to his mailet for eventual inclusion to the core James package.

In the future I will refrain from making exaggerated statements when referencing what James does or does not do ;/
RE: Spam Honeypot
Bill,

This is a pretty good point, but it diverges from the issue as far as Chris Means' mailet is concerned because a shared corpus is actually a very good starting point for training a system, and more effective than starting from scratch. It is pretty easy to alter the behaviour by forwarding good or bad mail to the appropriate addresses.

I carried out a survey of our users who have been training a shared corpus affecting (tagging not filtering) mailing lists and individual accounts, they were very pleased with overall performance and voted to continue to use the system. They were less happy with the effort involved in training, but accepted it as it was obviously (subjectively) effective in altering the behaviour of the tagger.

> if you are interested we can discuss this in more detail
> off-list,

No, discuss it here, so we can all hear it.

> but my experience is that cooperative work on
> determining what terms, phrases, patterns, etc. are used to catch
> specific material are generally more useful than the sharing of
> mail that has been identified by cooperative efforts as spam.

I believe that this is probably true, but as the Bayesian system can re-create its "patterns" from a collection of mail there is little real difference between sharing the token probabilities and the source material. In fact it would be better in principle to share the source material, as sharing the results alone prevents us from re-analysing the original data, perhaps with new theories, at a later date.

d.
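The points made in the message above (a shared corpus as a starting point, behaviour altered by forwarding good or bad mail, and token tables being re-creatable from the source mail but not the reverse) can be seen in a small sketch. This is an added example, not Chris Means' mailet code: it assumes a plain naive Bayes scorer with add-one smoothing, and every message, name and the "mortgage broker" user in it is constructed.

```python
"""Shared vs per-user Bayesian corpora (added example; all mail below is constructed)."""
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z0-9$'-]+")

def words(text):
    """Default analysis: the set of lower-cased word tokens in a message."""
    return set(WORD_RE.findall(text.lower()))

def word_pairs(text):
    """A 'new theory' applied later: adjacent word pairs instead of single words."""
    seq = WORD_RE.findall(text.lower())
    return {f"{a} {b}" for a, b in zip(seq, seq[1:])}

class Corpus:
    """The source material: raw good and bad mail."""
    def __init__(self, good=(), bad=()):
        self.good, self.bad = list(good), list(bad)

    def plus(self, other):
        """Shared corpus plus whatever a user forwarded to the good/bad addresses."""
        return Corpus(self.good + other.good, self.bad + other.bad)

class TokenTable:
    """The derived 'patterns': per-token message counts for each class."""
    def __init__(self, corpus, tokenizer=words):
        self.tokenizer = tokenizer
        self.n_good, self.n_bad = len(corpus.good), len(corpus.bad)
        self.good, self.bad = Counter(), Counter()
        for msg in corpus.good:
            self.good.update(tokenizer(msg))
        for msg in corpus.bad:
            self.bad.update(tokenizer(msg))

    def spam_probability(self, text):
        """Naive Bayes in log-odds form with add-one smoothing."""
        log_odds = math.log((self.n_bad + 1) / (self.n_good + 1))
        for tok in self.tokenizer(text):
            if tok not in self.good and tok not in self.bad:
                continue  # tokens never seen in training carry no evidence
            p_bad = (self.bad[tok] + 1) / (self.n_bad + 2)
            p_good = (self.good[tok] + 1) / (self.n_good + 2)
            log_odds += math.log(p_bad / p_good)
        return 1 / (1 + math.exp(-log_odds))

# Constructed shared corpus, as an administrator might seed it.
SHARED = Corpus(
    good=["meeting moved to friday please confirm",
          "james mailet config question",
          "lunch on friday",
          "patch for the smtp handler attached"],
    bad=["lowest mortgage rates refinance now",
         "cheap pills online order now",
         "refinance your mortgage today free quote",
         "win free money now"])

# Constructed mail one user (a mortgage broker) forwarded to the "good" address.
BROKER_GOOD = Corpus(good=[
    "mortgage application documents for the smith closing",
    "refinance rates sheet for clients updated",
    "client closing scheduled friday mortgage approved"])

PROBE = "client asked about mortgage refinance rates for friday closing"

def demo():
    shared_table = TokenTable(SHARED)
    broker_table = TokenTable(SHARED.plus(BROKER_GOOD))
    pair_table = TokenTable(SHARED, tokenizer=word_pairs)  # needs the source mail
    return {
        "shared": shared_table.spam_probability(PROBE),
        "broker": broker_table.spam_probability(PROBE),
        "broker_pills": broker_table.spam_probability("cheap pills order now free"),
        "pair_in_pair_table": "mortgage rates" in pair_table.bad,
        "pair_in_word_table": "mortgage rates" in shared_table.bad,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The word-pair table can only be built because the raw messages were kept; a site that received only the single-word counts could merge them with its own but could not re-tokenize.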
RE: Spam Honeypot
> James currently touts a Bayesian mailet, but employs only an
> overall data source and is not concerned with individual
> preference; to be an effective SPAM blocker, a relationship
> needs to be established between a specific user and her
> Bayesian lists.

Actually, Alan, you are mistaken; James does not tout Bayesian Analysis anywhere on the website or in any publicity or documentation.

There is code around, shared with this list by Chris Means, which quite effectively performs bayesian analysis of mail, but it is not yet part of James, and won't be until it is easy to deploy, configure and use.

The code in question is a mailet, and can be configured per-instance to use a particular repository for its corpus. This allows its use on a per-account or per-address basis, deploying it in this way would be up to the administrator who configured the James instance.

> and of course the necessary functionality to maintain the
> lists ...

Chris Means' code includes this, and training is very effective, if a little time-consuming. I hope to be able to simplify the administrative process, and add the ability to use filesystem storage as well as database for the corpus and tokens.

It is my hope that Chris' Bayesian Analysis mailet will soon be added to the James v3 code under development.

d.
RE: Spam Honeypot
> That is exactly my plan... I will place my honeypot server on the
> internet, open up port 25, capture all the gory details, and then
> dump the email to null.

But if you do that you won't necessarily get much spam, trust me I've had a number of servers running for a number of years, spam tends to be sent to users. Without users you won't get spam. What you will get will be probing emails which don't give much away. And if you are an open relay you won't get lots of different kinds of mail, just thousands of copies of the same one.

d.

> From my experience so far, most spammers do not send a test message to see
> if the email is actually making it to the end-recipient.

No, but they do send a probing message to test if your server is an open relay, and they don't "broadcast" mail at every conceivable username on your system. They use harvested lists, or otherwise validated addresses. One good reason for James not to reject mail because a user is unknown is that by subtraction this allows people to harvest good addresses from a mailserver. There are freeware products out there which do this for this purpose.

d.

> Thanks to the availability of cheap dedicated servers (i.e. ServerBeach,
> Nocster etc), this is a fun and cheap experiment.

Probably more likely to be dull, and make you more enemies than friends.

> Ever wonder how spammers survive? Here is the best article I've read on
> that topic in awhile:
>
> http://www.wired.com/news/infostructure/0,1377,57613,00.html

This article kind of defeats your argument, suggesting that it is in fact harvested addresses being used.

IMO The only sensible way of dealing with spam is to filter it by content and deny mail from blacklisted relays, even then spam filtering is better carried out at client level, servers can mark spam, but as a false positive is totally unacceptable in most cases it makes sense to delegate the whole task to the client.

d.
Re: Spam Honeypot
I must have been unclear -

A bayesian spam filter is based on the probability that a given mail is BAD or GOOD from an analysis of a sampling of BAD and GOOD mail. As a user, I would have control over this sampling - described earlier. As a James user, I would like to see this functionality implemented. This differs from your earlier view in that I see a personalized collection as opposed to a larger, centralized collection.
Re: Spam Honeypot
alan.gerhard wrote:
> This boils down to a collection of 'good mail' and a collection of 'bad mail', that in my opinion needs to reflect the users' interests, therefore I am a bit leery in 'sharing' this data, but am not dismissing its potential.

collection of 'bad mail'? as in sending out a list of e-mail known to be spam? as i have opined earlier i think that 'results' based cooperatives have a major drawback in that the needs of the end users are unique and diverge quickly once the most obvious spam is identified. there is a point at which the lack of granularity in the decision making process (message level) exceeds the value of multiple inputs and makes. you also end up needing a mechanism for determining who is an authority, how to dispute false positives, the messaging format for transmitting 'bad' e-mail, etc...

it's not that i am suggesting that you don't pursue it, but that you might want to look through the trials and tribulations of such efforts as vipul's razor to get a feel for the pitfalls and limitations if you haven't done so already. it is a pretty easy system to break.

if you are interested we can discuss this in more detail off-list, but my experience is that cooperative work on determining what terms, phrases, patterns, etc. are used to catch specific material are generally more useful than the sharing of mail that has been identified by cooperative efforts as spam.

b
Re: Spam Honeypot
With reference to the Bayesian filter, I am referring to 'pattern matching' as the collection of data used for its analysis. This boils down to a collection of 'good mail' and a collection of 'bad mail', that in my opinion needs to reflect the users' interests, therefore I am a bit leery in 'sharing' this data, but am not dismissing its potential.

The advantage of this system is that the filtering process will grow with the user, but what's key is that the user has control over the filtering process.

By expanding on Chris Means' mailet to allow for user specific corpora and then adding the functionality of receiving forwarded mail to the two lists, we end up with a simple yet robust system that adds value to the end users ..

> can you expand upon what you consider "pattern data"?
>
> b
>
> alan.gerhard wrote:
> > back up a bit -
> >
> > my point differs in that the pattern data collected is
> > individual and i do not see too much need for sharing.
> > other than that, the outstanding issue is, as a james
> > user, how to go about setting up and maintaining
> > Repository based data for the Bayesian mailet.
> >
> > not to cut this discussion off - i just want to
> > highlight an addressable issue and explore different
> > solutions
Re: Spam Honeypot
can you expand upon what you consider "pattern data"?

b

alan.gerhard wrote:
> back up a bit -
>
> my point differs in that the pattern data collected is individual and i do not see too much need for sharing. other than that, the outstanding issue is, as a james user, how to go about setting up and maintaining Repository based data for the Bayesian mailet.
>
> not to cut this discussion off - i just want to highlight an addressable issue and explore different solutions
Re: Spam Honeypot
back up a bit -

my point differs in that the pattern data collected is individual and i do not see too much need for sharing. other than that, the outstanding issue is, as a james user, how to go about setting up and maintaining Repository based data for the Bayesian mailet.

not to cut this discussion off - i just want to highlight an addressable issue and explore different solutions

> precisely my point (except mine was gender neutral :o).
>
> the question becomes does james setup a mechanism to allow
> for discussions/archiving/development of bayesian filters
> or does it look to external resource that users can be
> directed to? as i see it there are two key aspects of
> this: (1) the format that filters should take (is the
> current implementation sufficient or should they be
> described in xml with a schema, etc.?); (2) the actual
> creation/categorization/archiving of individual filters
> for reuse and distribution.
>
> at first blush, it would seem that this group would be
> best suited to focus on the former and figure out how best
> to achieve the latter externally (maybe not external to
> apache--or james for that matter--but external to james
> dev).
>
> b
RE: Spam Honeypot
> From my experience so far, most spammers do not send a test message to see
> if the email is actually making it to the end-recipient.

Well, I have a James running for a year now with the SMTP port open. Every mail coming from something else than 192.168.*.* and not for a local user is forwarded to my admin account just before being rerouted to NULL. I've always (and only) received emails including my IP address either in the subject or in the body. I have never received any other kind of attempts from outside (like pure spam rerouting)...

-Original Message-
From: Tom Pridham [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 8:24 PM
To: James Users List
Subject: RE: Spam Honeypot

That is exactly my plan... I will place my honeypot server on the internet, open up port 25, capture all the gory details, and then dump the email to null.

From my experience so far, most spammers do not send a test message to see if the email is actually making it to the end-recipient.

Thanks to the availability of cheap dedicated servers (i.e. ServerBeach, Nocster etc), this is a fun and cheap experiment.

Ever wonder how spammers survive? Here is the best article I've read on that topic in awhile:

http://www.wired.com/news/infostructure/0,1377,57613,00.html

-Original Message-
From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 1:27 PM
To: James Users List
Subject: RE: Spam Honeypot

> i saw the same. however, how is he going to be an 'open relay'
> (to attract spammers) and then be dumping stuff to null?

You don't need to do anything to attract spammers; they just show up. You don't need to do anything to be probed for being an open relay other than have an available SMTP port on the internet. Your IP will be probed.

I recently installed a computer on broadband for my uncle. Within 5 minutes of enabling his computer, the firewall reported the first probes. People looking for SMTP, MS SQL, and other exploits.

My own firewall tracks in excess of 20 GIGABYTES of probes per month, all courtesy of Windows machines. Our public mail server blocks anywhere from a few 100 spams per day to 1500+. They seem to run in waves. The numbers were much higher when we first started the server, but they seem to have dropped off; perhaps the spambots are realizing that we aren't productive for them.

In any event, since he isn't actively rejecting them (from their perspective), they'll assume that he is an open relay. Unlike DNSRBL scanners, which wait to get a reply.

--- Noel
Re: Spam Honeypot
> James currently touts a Bayesian mailet, but employs only an overall data source and is not concerned with individual preference; to be an effective SPAM blocker, a relationship needs to be established between a specific user and her [sic] Bayesian lists.
>
> and of course the necessary functionality to maintain the lists ...

precisely my point (except mine was gender neutral :o).

the question becomes does james setup a mechanism to allow for discussions/archiving/development of bayesian filters or does it look to external resource that users can be directed to? as i see it there are two key aspects of this: (1) the format that filters should take (is the current implementation sufficient or should they be described in xml with a schema, etc.?); (2) the actual creation/categorization/archiving of individual filters for reuse and distribution.

at first blush, it would seem that this group would be best suited to focus on the former and figure out how best to achieve the latter externally (maybe not external to apache--or james for that matter--but external to james dev).

b
Re: Spam Honeypot
> for my money, the best time spent is following the *pattern* based filters and working on ways to share that information amongst others of like interest. a good start would be a site dedicated to the sharing of procmail recipes, bayesian formulas, etc.

Yes, this sounds like a good starting point. No need to debate the value of open-relays; there is a need, but not in the public circuit.

but to bring this back to James, we are looking at implementing mailets to process SPAM. So far, the process is to consult black-hole lists and to feed mail through Bayesian filters and what not. One problem I see with this is that black-hole lists are arbitrary and pattern matches are too inclusive. Spam filtering needs to be based on user preference as each instance will be different; to quote

"Bayesian spam filters are content-based filters that
- are specifically trained to recognize the individual email user's spam and good mail, making them highly effective and difficult to adapt to for spammers.
- can continually and without much effort or manual analysis adapt to the spammers' latest tricks.
- take the individual user's good mail into account and have a very low rate of false positives.
Unfortunately, if this causes blind trust in Bayesian anti-spam filters, it renders the occasional mistake even more serious."
(http://email.about.com/library/weekly/aa100702a.htm)

The effective SPAM blocker system will be bayesian based user specific systems.

James currently touts a Bayesian mailet, but employs only an overall data source and is not concerned with individual preference; to be an effective SPAM blocker, a relationship needs to be established between a specific user and her Bayesian lists.

and of course the necessary functionality to maintain the lists ...
Re: Spam Honeypot
as much as i would like to go undercover :o), the problem is that open relays are really a small part of the spam that is sent. true, they represent some of the lower forms of life, but in terms of being an annoyance to end users they are but a fraction of the overall volume. here are some mail stats from one of my servers:

blacklists
----------
ordb.org: 7
njabl.org: 91
spamhaus.org: 22
dsbl.org: 27

bad etiquette
-------------
attempted relays: 2
improper domain: 1
other: 0

summary
-------
total mail: 879
total rejected: 150
percent rejected: 17%

the blacklisting sites are listed in the order that they are consulted by my mail server. note: ordb.org is a pure open relay database. therefore, out of the 150 e-mail that have been rejected as spam via blacklisting only 7 of them were blocked as a result of being used by a known open relay. also of interest is that even after consulting with the rbl sites (and throwing out 20% of incoming e-mail right off the bat!) i still received another 50 or so spam messages during this period that were caught by an upstream [content based] filter.

open relays are an issue, but a small fish in a big pond (and growing smaller).

for my money, the best time spent is following the *pattern* based filters and working on ways to share that information amongst others of like interest. a good start would be a site dedicated to the sharing of procmail recipes, bayesian formulas, etc.

ok, i think i am up to four cents now. :o)

b

Jerome Lacoste (Frisurf) wrote:
> This reminds me of people trying to infiltrate mafia/drug dealers. It takes years, and they are probably asked to do some bad things before they are able to catch the big fishes. At least that's what's happening in movies :)
>
> If we try to follow the same principle, some kind of authority should decide to plant infiltrated open relays. They should act as normal open relays from a spammer point of view, deliver the emails (even if it's not legal), but giving back important information.
>
> I am sure this has been discussed in other places, I understand the non-legality, but when you see the number of open relays, one more will not add too much to the traffic, but if it helps taking legal or technical action faster against big spammers, that may help. But accepting to do so raises some interesting philosophical questions.
>
> I wonder how exactly these kind of things happen with other kind of infiltrations?
Re: Spam Honeypot
This reminds me of people trying to infiltrate mafia/drug dealers. It takes years, and they are probably asked to do some bad things before they are able to catch the big fishes. At least that's what's happening in movies :)

If we try to follow the same principle, some kind of authority should decide to plant infiltrated open relays. They should act as normal open relays from a spammer point of view, deliver the emails (even if it's not legal), but giving back important information.

I am sure this has been discussed in other places, I understand the non-legality, but when you see the number of open relays, one more will not add too much to the traffic, but if it helps taking legal or technical action faster against big spammers, that may help. But accepting to do so raises some interesting philosophical questions.

I wonder how exactly these kind of things happen with other kind of infiltrations?

On Mon, 2003-02-24 at 17:44, bill parducci wrote:
> unless the spammer is only looking at the SMTP codes (not going into *that*
> discussion again :o) the machine is going to have to actually *deliver* the note. at
> that point it will be an open relay and will be part of the problem. also, any
> spammer worth a darn will have a handful of 'feedback' accounts sprinkled in with
> the spam targets to make sure that the process completed (e.g. checking to make sure
> that the open relay doesn't stop sending mail--intentionally or not--in the middle
> of the job).
>
> the bottom line is that there isn't a good way to 'pretend' to be an open relay with
> the intent of harvesting useful information in my opinion. at most you will be able
> to log sites that probe for such behavior but that can be done on a normally
> configured machine.
>
> there are a number of other ways to attract spam that i believe are more practical.
>
> b
>
> Randahl Fink Isaksen wrote:
> > That, I believe, is as simple as not requiring the sender to log in and
> > not requiring the sender to be in the local network either. I
> > accidentally set up my James configuration like this and found my server
> > transmitting huge amounts of spam in no time. Often I do not think the
> > spammers even care to send a probe e-mail to check that the message
> > arrives. Maybe they just bill the clients for the number of e-mails that
> > were accepted by the abused servers...
> >
> > If he is able create some trouble for the spammers in a legal manner I
> > wish him the best of luck.

--
Jerome Lacoste (Frisurf) <[EMAIL PROTECTED]>
CoffeeBreaks
Re: Spam Honeypot
> One thing, though. It seems to me as a Java programmer that I could put together a mailet that contained much more sophisticated analysis than just a reverse-dns lookup. If I were to write a mailet that could reliably figure out spam based on more than just the sending host then it seems like there should be a way to allow replication of this knowledge to other instances of James as well.

keep in mind that dns is only used here to query sites that have *already* performed some level of analysis. that said, there are indeed many things that you can do that are more sophisticated than what can be practically managed by mailets (but if i told you what they are i would have to kill you :o) given the desire to make the contents of these lists accessible to as many people/platforms as possible, it is awfully hard to beat.

> Not that I have time to develop this, but it seems like an opportunity to develop something more robust than rbl. If you can get the open source community to work on developing/improving the mailets that analyze incoming messages, then who knows where it may lead...

more robust in terms of analysis? yes. accessible as universally? i don't think so. the problem is that as you create more complex evaluation environments specificity of the rule sets (policies in my neck of the woods) increase dramatically. in other words passing around "answers" has its limits, what you want to pass around are the processes that allow you to derive answers that are pertinent to your environment (the 'bayesian movement' is an excellent example of this).

> I'm thinking in general here. If there were a Java interface that people could write to and a way to plug these things (maybe call them 'business rules' or 'spam rules') into James, I'd bet you'd find a lot of people sharing code and ideas. They could be called 'real-time blackout rules' (rbr) instead. Instead of pulling back lists of hosts you could pull back encoded business rules (or even just class files).

if there were a common *policy* language and an engine to consume them then you would have the opportunity to establish 'rule libraries' where users could shop around for predefined policies and use/modify them to suit their needs. XACML goes a long ways in creating the lingua franca, but you are going to have to do some heavy lifting to get a full blown policy engine in place to take advantage of it (trust me on that one :o). sun is taking steps in this direction, but i think that you will find that its work to date is slanted towards class/bean protection. still it may be worth a look if you are so inclined:

http://sourceforge.net/projects/sunxacml/

however, i think that your best bet right now is to adopt one or more of the popular filtering methodologies (like bayesian analysis, etc.) and try to swap filtering techniques/recipes (oops, a little procmail lingo slipped in there; which is a good example of a common toolset--albeit somewhat arcane--in the sendmail, et al. arenas) manually with other aficionados, such as those on this list.

that's my 2 cents anyway...

b
RE: Spam Honeypot
That is exactly my plan... I will place my honeypot server on the internet, open up port 25, capture all the gory details, and then dump the email to null.

From my experience so far, most spammers do not send a test message to see if the email is actually making it to the end-recipient.

Thanks to the availability of cheap dedicated servers (i.e. ServerBeach, Nocster etc), this is a fun and cheap experiment.

Ever wonder how spammers survive? Here is the best article I've read on that topic in awhile:

http://www.wired.com/news/infostructure/0,1377,57613,00.html

-Original Message-
From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 1:27 PM
To: James Users List
Subject: RE: Spam Honeypot

> i saw the same. however, how is he going to be an 'open relay'
> (to attract spammers) and then be dumping stuff to null?

You don't need to do anything to attract spammers; they just show up. You don't need to do anything to be probed for being an open relay other than have an available SMTP port on the internet. Your IP will be probed.

I recently installed a computer on broadband for my uncle. Within 5 minutes of enabling his computer, the firewall reported the first probes. People looking for SMTP, MS SQL, and other exploits.

My own firewall tracks in excess of 20 GIGABYTES of probes per month, all courtesy of Windows machines. Our public mail server blocks anywhere from a few 100 spams per day to 1500+. They seem to run in waves. The numbers were much higher when we first started the server, but they seem to have dropped off; perhaps the spambots are realizing that we aren't productive for them.

In any event, since he isn't actively rejecting them (from their perspective), they'll assume that he is an open relay. Unlike DNSRBL scanners, which wait to get a reply.

--- Noel
Re: Spam Honeypot
Bill -

Thanks for the excellent run-down on this.

One thing, though. It seems to me as a Java programmer that I could put together a mailet that contained much more sophisticated analysis than just a reverse-dns lookup. If I were to write a mailet that could reliably figure out spam based on more than just the sending host then it seems like there should be a way to allow replication of this knowledge to other instances of James as well.

Not that I have time to develop this, but it seems like an opportunity to develop something more robust than rbl. If you can get the open source community to work on developing/improving the mailets that analyze incoming messages, then who knows where it may lead...

I'm thinking in general here. If there were a Java interface that people could write to and a way to plug these things (maybe call them 'business rules' or 'spam rules') into James, I'd bet you'd find a lot of people sharing code and ideas. They could be called 'real-time blackout rules' (rbr) instead. Instead of pulling back lists of hosts you could pull back encoded business rules (or even just class files).

If this seems crazy, then don't mind me - it's late and my mind is going weird places.:)

thanks again,

K.

bill parducci <[EMAIL PROTECTED]>
02/24/2003 11:02 PM
Please respond to "James Users List"
To: James Users List <[EMAIL PROTECTED]>
cc: (bcc: Kevin Bedell/Systems/USHO/SunLife)
Subject: Re: Spam Honeypot

blacklisting. per james' config.xml:

spam Rejected - see http://www.mail-abuse.org/rbl/
spam Dialup - see http://www.mail-abuse.org/dul/
spam Open spam relay - see http://www.mail-abuse.org/rss/

basically what happens is when a note comes into [james in this case] the ip address of the sender is stuck in a 'reverse' dns query and sent to the sites configured above. if a name match comes back, the requested site considers the address to be that of a spammer. james then dumps the message and tells the user that they have been rejected as a result of being a 'known spammer' and being told he makes the claim. (since i don't use this feature on james currently, i assume that the way james handles this is via a returned note--sendmail issues a reject at the smtp level)

overall it is pretty darn clever as it gets around all sorts of ugly authentication and database query issues by using a well known query mechanism.

there are many rbl sites that can be queried, some free, some fee based. they range from simple open relay testers to sites that perform some pretty aggressive testing to sites that do some really dumb (in my opinion) automated tests.

b

p.s. i sense a FAQ request coming on... :o)

[EMAIL PROTECTED] wrote:
> whole rbl thing?
>
> bill parducci <[EMAIL PROTECTED]>
> 02/24/2003 10:38 PM
> Please respond to "James Users List"
> To: James Users List <[EMAIL PROTECTED]>
> cc: (bcc: Kevin Bedell/Systems/USHO/SunLife)
> Subject: Re: Spam Honeypot
>
> yep, which is kinda how the whole rbl thing works (via dns lookups)...
>
> b
>
> [EMAIL PROTECTED] wrote:
>> If it were possible to create addresses that were known to receive only
>> spam, then you could set up these servers in a bunch of domains and have
>> them all update a central database with info on they capture.
>>
>> Then you could build into James (or any server I guess) the ability to tap
>> this central database to dynamically update its own spam filters.
>>
>> "Tom Pridham" To: <[E
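The lookup bill parducci describes in the text quoted above (sender IP reversed into a DNS name, queried against each configured list in order, a returned record meaning "listed") looks like this in code. This is an added example, not James' mailet or its config: the zone names under `.example`, the sender addresses and the canned resolver data are constructed, and treating only answers inside 127.0.0.0/8 as listings is the usual DNSBL convention rather than something stated in the thread.

```python
"""DNSBL lookup as described in the thread (added example; zones and data are constructed)."""
import ipaddress
import socket
from collections import Counter

LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(sender_ip, zone):
    """192.0.2.99 checked against 'relays.example' -> '99.2.0.192.relays.example'."""
    addr = ipaddress.IPv4Address(sender_ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A-record lookup via the OS resolver; None means no record (not listed).

    Lookup failures also return None, so an unreachable list fails open.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def first_listing(sender_ip, zones, resolve=system_resolver):
    """Consult zones in order; return (zone, answer) for the first listing, else None."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(sender_ip, zone))
        if answer is None:
            continue
        # Only answers inside 127.0.0.0/8 count. Any other address (a parked
        # zone, a resolver that rewrites "no such name") must not reject mail.
        try:
            if ipaddress.IPv4Address(answer) in LISTING_NET:
                return zone, answer
        except ipaddress.AddressValueError:
            continue
    return None

def tally(sender_ips, zones, resolve=system_resolver):
    """Per-list rejection counts, attributing each sender to the first list that hit."""
    counts = Counter()
    for ip in sender_ips:
        hit = first_listing(ip, zones, resolve)
        counts[hit[0] if hit else "accepted"] += 1
    return dict(counts)

# Constructed data standing in for DNS, so the example runs offline.
ZONES = ["relays.example", "dialups.example"]  # hypothetical lists, in query order
FAKE_DNS = {
    "99.2.0.192.relays.example": "127.0.0.2",
    "99.2.0.192.dialups.example": "127.0.0.3",    # also listed here; first zone wins
    "7.100.51.198.dialups.example": "127.0.0.3",
    "8.100.51.198.relays.example": "203.0.113.10",  # bogus answer, not a listing
}
SENDERS = ["192.0.2.99", "198.51.100.7", "198.51.100.8", "203.0.113.5"]

def fake_resolver(name):
    return FAKE_DNS.get(name)

def demo():
    return tally(SENDERS, ZONES, fake_resolver)

if __name__ == "__main__":
    print(demo())
```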
Re: Spam Honeypot
blacklisting. per james' config.xml:

spam Rejected - see http://www.mail-abuse.org/rbl/
spam Dialup - see http://www.mail-abuse.org/dul/
spam Open spam relay - see http://www.mail-abuse.org/rss/

basically what happens is when a note comes into [james in this case] the ip address of the sender is stuck in a 'reverse' dns query and sent to the sites configured above. if a name match comes back, the requested site considers the address to be that of a spammer. james then dumps the message and tells the user that they have been rejected as a result of being a 'known spammer' and being told he makes the claim. (since i don't use this feature on james currently, i assume that the way james handles this is via a returned note--sendmail issues a reject at the smtp level)

overall it is pretty darn clever as it gets around all sorts of ugly authentication and database query issues by using a well known query mechanism. there are many rbl sites that can be queried, some free, some fee based. they range from simple open relay testers to sites that perform some pretty aggressive testing to sites that do some really dumb (in my opinion) automated tests.

b

p.s. i sense a FAQ request coming on... :o)

[EMAIL PROTECTED] wrote:
> whole rbl thing?
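The lookup described in the message above, as an added example that is not part of the original post and not James code: the sender's IP is reversed, appended to the list's zone, and resolved as an ordinary A record. It goes a little beyond the post by also building IPv6 query names and by separating a failed lookup from a clean result; the zone names and the `fake_resolver` answers are constructed placeholders.

```python
import ipaddress
import socket

# DNSBLs signal "listed" with an A record inside 127.0.0.0/8 (RFC 5782).
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name a mail server looks up to ask `zone` about `ip`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # one label per octet
    else:
        labels = list(addr.exploded.replace(":", ""))   # one label per hex nibble
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for `name`; an empty list means no such name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        no_answer = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)}
        if exc.errno in no_answer:
            return []
        raise  # timeout, server failure: the caller must see this
    return sorted({info[4][0] for info in infos})


def check_dnsbl(ip, zones, resolve=system_resolver):
    """Map each zone to not-listed, listed:<codes>, invalid-answer or error."""
    verdicts = {}
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            # A failed lookup is "unknown", never "clean" and never "spammer".
            verdicts[zone] = "error"
            continue
        codes = sorted(a for a in answers if ipaddress.ip_address(a) in LISTED_NET)
        if codes:
            verdicts[zone] = "listed:" + ",".join(codes)
        elif answers:
            # An answer outside 127.0.0.0/8 is not a listing; a dead or
            # wildcarded zone would otherwise reject every sender.
            verdicts[zone] = "invalid-answer"
        else:
            verdicts[zone] = "not-listed"
    return verdicts


def should_reject(verdicts):
    """Reject only on a positive listing from at least one zone."""
    return any(v.startswith("listed:") for v in verdicts.values())


# Constructed answers standing in for real DNS; zone names are placeholders.
FAKE_DNS = {
    "99.2.0.192.rbl.example": ["127.0.0.2"],
    "99.2.0.192.parked.example": ["203.0.113.7"],
}


def fake_resolver(name):
    """Offline resolver for the demo: one zone times out, others use FAKE_DNS."""
    if name.endswith(".down.example"):
        raise TimeoutError("constructed timeout")
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["rbl.example", "parked.example", "down.example", "other.example"]
    for ip in ("192.0.2.99", "198.51.100.4"):
        verdicts = check_dnsbl(ip, zones, fake_resolver)
        print(ip, dnsbl_query_name(ip, zones[0]), verdicts, should_reject(verdicts))
```
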
Re: Spam Honeypot
http://www.declude.com/junkmail/support/ip4r.htm

"Seek and ye shall find" I guess

On 02/24/2003 10:44 PM, [EMAIL PROTECTED] wrote:
> whole rbl thing?
Re: Spam Honeypot
whole rbl thing?

On 02/24/2003 10:38 PM, bill parducci wrote:
> yep, which is kinda how the whole rbl thing works (via dns lookups)...
>
> b
Re: Spam Honeypot
yep, which is kinda how the whole rbl thing works (via dns lookups)...

b

[EMAIL PROTECTED] wrote:
> If it were possible to create addresses that were known to receive only spam, then you could set up these servers in a bunch of domains and have them all update a central database with info on what they capture.
>
> Then you could build into James (or any server I guess) the ability to tap this central database to dynamically update its own spam filters.
Re: Spam Honeypot
If it were possible to create addresses that were known to receive only spam, then you could set up these servers in a bunch of domains and have them all update a central database with info on what they capture.

Then you could build into James (or any server I guess) the ability to tap this central database to dynamically update its own spam filters.

On 02/23/2003 09:42 PM, "Tom Pridham" wrote:
> As an avid JAMES user I have decided to take up a new battle - the war on spam. So here is my plan, I have acquired the domain DeletedSpam.com and plan on deploying a JAMES "Honeypot" server with the relay open. I will track all statistics on how much spam I delete each day, where the spam originated etc.
RE: Spam Honeypot
> Often I do not think the spammers even care to send a probe e-mail to check that the message arrives.

They do check; the tiny number of James installations we've heard of that are ever hit by large quantities of spam without probing messages proves this.

d.
Re: Spam Honeypot
i have witnessed that first hand, but unfortunately it is almost impossible to have any concrete proof. the only possibility that i can think of is trying to unsubscribe using a 3rd [clean!] address that is not yet on their list. if they are legit they should come back and say that it wasn't found, ignore the request, etc. if you start getting mail on that third address then you know that you have just received a reach around.

of course, for this to work you need a clean address for each list you unsubscribe from so as to be able to explicitly identify the abuser. i am playing around with this concept now. shall be interesting to see how it goes...

b

Chris Means wrote:
> Another data-point to consider. If you have "successfully" unsubscribed from one spammer, was there a sudden increase in spam from one or more parties after that initial event?
>
> I've heard (comments on /.) that the initial spammer may "honor" your unsubscribe request, but then sell your email address at a higher rate to other spammers, given that they know it's a "real" address.
Re: Spam Honeypot
> You don't need to do anything to attract spammers; they just show up. You don't need to do anything to be probed for being an open relay other than have an available SMTP port on the internet. Your IP will be probed. I recently installed a computer on broadband for my uncle. Within 5 minutes of enabling his computer, the firewall reported the first probes. People looking for SMTP, MS SQL, and other exploits.

of course, but for the reasons i outlined previously you aren't going to be able to capture much more useful information than "IP address a.b.c.d tried to perform a relay". as you point out below this can be easily tracked using a typically installed machine (provided you have some ability to process your logs). there isn't a need to try to be a 'faux open relay'. it only invites problems.

> My own firewall tracks in excess of 20 GIGABYTES of probes per month, all courtesy of Windows machines. Our public mail server blocks anywhere from a few 100 spams per day to 1500+. They seem to run in waves. The numbers were much higher when we first started the server, but they seem to have dropped off; perhaps the spambots are realizing that we aren't productive for them.
>
> In any event, since he isn't actively rejecting them (from their perspective), they'll assume that he is an open relay. Unlike DNSRBL scanners, which wait to get a reply.

they will assume this for a single session unless they are just trying to propagate viruses (hit & run/script spamming). again, there is value to observing hit & runs, but since james gives OKs to any to/from address condition under normal operating conditions the above argument continues to hold true.

b
RE: Spam Honeypot
Another data-point to consider. If you have "successfully" unsubscribed from one spammer, was there a sudden increase in spam from one or more parties after that initial event?

I've heard (comments on /.) that the initial spammer may "honor" your unsubscribe request, but then sell your email address at a higher rate to other spammers, given that they know it's a "real" address.

> -Original Message-
> From: bill parducci [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 24, 2003 12:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Spam Honeypot
>
> with a second address go to sites that manage a lot of groups (like yahoo groups) and sign up for a list that has 'free' stuff in it. let the account build up mail for a couple of weeks (they will be selling your e-mail address to numerous places as quickly as possible). then as you start getting mail from the various mailing lists (and there will be MANY in a relatively short period of time), try to unsubscribe from each. if after 72 hours (my preference) you receive any mail from that list (or you get a bounce/404/etc. in the unsubscribe attempt) consider it spam. of course, this will take some work because you need to keep a list of senders that have been notified of your disinterest (and when). might make for a nice honeypot mailet one of these days.
Re: Spam Honeypot
a good place to start is to post an 'uninteresting' note to a variety of USENET lists using a 'clean' e-mail address. (alt.sex is one i have used in the past, but the more you spread around the more likely you are going to get hits). this gets the real bottom feeders since anyone using that address in bulk e-mails will have done so via dredging. note: DON'T use this address for anything else because anything it receives is unsolicited and is therefore spam by definition.

with a second address go to sites that manage a lot of groups (like yahoo groups) and sign up for a list that has 'free' stuff in it. let the account build up mail for a couple of weeks (they will be selling your e-mail address to numerous places as quickly as possible). then as you start getting mail from the various mailing lists (and there will be MANY in a relatively short period of time), try to unsubscribe from each. if after 72 hours (my preference) you receive any mail from that list (or you get a bounce/404/etc. in the unsubscribe attempt) consider it spam. of course, this will take some work because you need to keep a list of senders that have been notified of your disinterest (and when). might make for a nice honeypot mailet one of these days.

there are other ways, however if you are diligent with these two you will start harvesting a lot of muck off the wire in no time! :o)

that said, the other option is to let someone like spamhaus.org, et al. do it (or volunteer to help out) and just rbl filter leveraging the techniques they have devised. james already supports this out of the box.

b

Randahl Fink Isaksen wrote:
> Would you care to elaborate on those "other ways"?
>
> R.
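The bookkeeping this post asks for ("a list of senders that have been notified of your disinterest (and when)"), as an added example that is not part of the original post and not a James mailet. It also covers the per-list clean unsubscribe address suggested elsewhere in the thread; every address, domain and timestamp is constructed, and matching a sender by domain is a simplifying assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(hours=72)  # the post's preferred wait after unsubscribing


@dataclass
class Trap:
    address: str
    kind: str                    # "public", "signup" or "canary"
    list_domain: Optional[str]   # the list this address was handed to, if any
    unsubscribed_at: Optional[datetime] = None
    unsubscribe_bounced: bool = False


class HoneypotLedger:
    """Remembers which trap address went where and when it was unsubscribed."""

    def __init__(self):
        self.traps = {}

    def add(self, address, kind, list_domain=None):
        self.traps[address.lower()] = Trap(address.lower(), kind, list_domain)

    def record_unsubscribe(self, address, when, bounced=False):
        trap = self.traps[address.lower()]
        trap.unsubscribed_at = when
        trap.unsubscribe_bounced = bounced

    def classify(self, rcpt, sender_domain, received_at):
        trap = self.traps.get(rcpt.lower())
        if trap is None:
            return "not-a-trap"
        if trap.kind == "public":
            # Only ever posted publicly, so anything it receives is unsolicited.
            return "spam:harvested"
        if trap.kind == "canary":
            # Only ever typed into one list's unsubscribe form.
            return "spam:unsubscribe-harvested:" + trap.list_domain
        if sender_domain.lower() != trap.list_domain:
            return "spam:address-passed-on"
        if trap.unsubscribed_at is None or received_at < trap.unsubscribed_at:
            return "subscribed"
        if trap.unsubscribe_bounced:
            return "spam:unsubscribe-bounced"
        if received_at - trap.unsubscribed_at > GRACE:
            return "spam:ignored-unsubscribe"
        return "grace-period"


T0 = datetime(2003, 3, 1, 9, 0)  # constructed time of the unsubscribe requests


def demo_ledger():
    """Build a ledger with one trap of each kind (all values constructed)."""
    ledger = HoneypotLedger()
    ledger.add("usenet1@trap.example", "public")
    ledger.add("free1@trap.example", "signup", "lists-a.example")
    ledger.add("free2@trap.example", "signup", "lists-b.example")
    ledger.add("canary-a@trap.example", "canary", "lists-a.example")
    ledger.record_unsubscribe("free1@trap.example", T0)
    ledger.record_unsubscribe("free2@trap.example", T0, bounced=True)
    return ledger


# Constructed deliveries: (recipient, sender domain, time received).
DEMO_MAIL = [
    ("usenet1@trap.example", "bulk.example", T0),
    ("free1@trap.example", "lists-a.example", T0 - timedelta(days=2)),
    ("free1@trap.example", "lists-a.example", T0 + timedelta(hours=20)),
    ("free1@trap.example", "lists-a.example", T0 + timedelta(hours=73)),
    ("free1@trap.example", "other.example", T0 + timedelta(hours=1)),
    ("free2@trap.example", "lists-b.example", T0 + timedelta(hours=1)),
    ("canary-a@trap.example", "bulk.example", T0 + timedelta(days=5)),
]


def tally(ledger, mail):
    """Count verdicts over a batch of deliveries, e.g. for a stats page."""
    return Counter(ledger.classify(rcpt, dom, when) for rcpt, dom, when in mail)


if __name__ == "__main__":
    for verdict, count in sorted(tally(demo_ledger(), DEMO_MAIL).items()):
        print(count, verdict)
```
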
RE: Spam Honeypot
> i saw the same. however, how is he going to be an 'open relay' (to attract spammers) and then be dumping stuff to null?

You don't need to do anything to attract spammers; they just show up. You don't need to do anything to be probed for being an open relay other than have an available SMTP port on the internet. Your IP will be probed. I recently installed a computer on broadband for my uncle. Within 5 minutes of enabling his computer, the firewall reported the first probes. People looking for SMTP, MS SQL, and other exploits.

My own firewall tracks in excess of 20 GIGABYTES of probes per month, all courtesy of Windows machines. Our public mail server blocks anywhere from a few 100 spams per day to 1500+. They seem to run in waves. The numbers were much higher when we first started the server, but they seem to have dropped off; perhaps the spambots are realizing that we aren't productive for them.

In any event, since he isn't actively rejecting them (from their perspective), they'll assume that he is an open relay. Unlike DNSRBL scanners, which wait to get a reply.

--- Noel
RE: Spam Honeypot
Would you care to elaborate on those "other ways"?

R.

-Original Message-
From: bill parducci [mailto:[EMAIL PROTECTED]
Sent: 24 February 2003 17:44
To: James Users List
Subject: Re: Spam Honeypot

> there are a number of other ways to attract spam that i believe are more practical.
>
> b
Re: Spam Honeypot
unless the spammer is only looking at the SMTP codes (not going into *that* discussion again :o) the machine is going to have to actually *deliver* the note. at that point it will be an open relay and will be part of the problem. also, any spammer worth a darn will have a handful of 'feedback' accounts sprinkled in with the spam targets to make sure that the process completed (e.g. checking to make sure that the open relay doesn't stop sending mail--intentionally or not--in the middle of the job).

the bottom line is that there isn't a good way to 'pretend' to be an open relay with the intent of harvesting useful information in my opinion. at most you will be able to log sites that probe for such behavior but that can be done on a normally configured machine. there are a number of other ways to attract spam that i believe are more practical.

b

Randahl Fink Isaksen wrote:
> That, I believe, is as simple as not requiring the sender to log in and not requiring the sender to be in the local network either. I accidentally set up my James configuration like this and found my server transmitting huge amounts of spam in no time. Often I do not think the spammers even care to send a probe e-mail to check that the message arrives. Maybe they just bill the clients for the number of e-mails that were accepted by the abused servers...
>
> If he is able to create some trouble for the spammers in a legal manner I wish him the best of luck.
RE: Spam Honeypot
That, I believe, is as simple as not requiring the sender to log in and not requiring the sender to be in the local network either. I accidentally set up my James configuration like this and found my server transmitting huge amounts of spam in no time. Often I do not think the spammers even care to send a probe e-mail to check that the message arrives. Maybe they just bill the clients for the number of e-mails that were accepted by the abused servers...

If he is able to create some trouble for the spammers in a legal manner I wish him the best of luck.

Randahl

-Original Message-
From: bill parducci [mailto:[EMAIL PROTECTED]
Sent: 24 February 2003 16:25
To: James Users List
Subject: Re: Spam Honeypot

Noel J. Bergman wrote:
> I was going to say that same thing to him. In fact, I had written it in my note, but then I saw his comment about sending the mail to null, so I think that he knows not to actually be an open relay.
>
> --- Noel

i saw the same. however, how is he going to be an 'open relay' (to attract spammers) and then be dumping stuff to null?

b
Re: Spam Honeypot
Noel J. Bergman wrote:
> I was going to say that same thing to him. In fact, I had written it in my note, but then I saw his comment about sending the mail to null, so I think that he knows not to actually be an open relay.
>
> --- Noel

i saw the same. however, how is he going to be an 'open relay' (to attract spammers) and then be dumping stuff to null?

b
Re: Spam Honeypot
There are 2 interesting articles in the Linux Journal of March. I think you should have a look at them. The first is "Math vs Spam: beyond Bayesian filtering" and the second is "Power filtering with Spambayes"

Good reading :)

Emmanuel

On Monday 24 February 2003 03:42, Tom Pridham wrote:
> As an avid JAMES user I have decided to take up a new battle - the war on spam. So here is my plan, I have acquired the domain DeletedSpam.com and plan on deploying a JAMES "Honeypot" server with the relay open. I will track all statistics on how much spam I delete each day, where the spam originated etc.
RE: Spam Honeypot
> > I have acquired the domain DeletedSpam.com and plan on
> > deploying a JAMES "Honeypot" server with the relay open.
>
> Erm no, you'd better not, otherwise it will be *you* adding to the problem.

I was going to say that same thing to him. In fact, I had written it in my note, but then I saw his comment about sending the mail to null, so I think that he knows not to actually be an open relay.

--- Noel
RE: Spam Honeypot
> As an avid JAMES user I have decided to take up a new battle - the war on spam. So here is my plan, I have acquired the domain DeletedSpam.com and plan on deploying a JAMES "Honeypot" server with the relay open.

Erm no, you'd better not, otherwise it will be *you* adding to the problem.

d.
Re: Spam Honeypot
- Original Message -
From: "Tom Pridham" <[EMAIL PROTECTED]>

> Am I crazy? I welcome advice, suggestions etc.

It is a good idea, btw. As a data point, Brightmail does something similar, ie. tries to collect spam mail and update filters in 'real time'. Spamnet or Vipul's Razor is another example of something similar. Also you can get a lot of already collected spam from http://www.spamarchive.org/

It would be very cool if your site can collect feeds. A lot of mail server hosts collect spam information (I do) and if you specify a statistics format or mail headers format I am sure folks will be happy to help you fight spam by sharing stats.

Regd headers: One thing to think about - Information extraction could occur from mail store (repository) or in mailets.

Btw. I would not suggest you delete spam, only mark mail as checked for spam and marked as spam or not. I assume your honeypot can receive legitimate mail too.

Harmeet
RE: Spam Honeypot
Tom,

The sample matchers and mailets should provide you with a good starting point for your code. I would suggest that more than the subject, from and to headers will be of interest. For example, geographical origin, alleged domain, netblock owner, etc.

FWIW, my company offers commercial James development. If you are interested, we could do the entire application for you: the mailet(s), the database, the web page(s), as per your specifications. Contact me off-list if you'd like to discuss it.

--- Noel

-Original Message-
From: Tom Pridham [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 21:43
To: [EMAIL PROTECTED]
Subject: Spam Honeypot

Greetings All,

As an avid JAMES user I have decided to take up a new battle - the war on spam. So here is my plan, I have acquired the domain DeletedSpam.com and plan on deploying a JAMES "Honeypot" server with the relay open. I will track all statistics on how much spam I delete each day, where the spam originated etc.

Is there already code in a mailet somewhere to do the following:
--analyze an email marked as spam to pull out data elements (i.e. Subject title, from address, and all of the "To" addresses)

I plan on making a one page website that displays in real-time all of the relevant stats on the deleted spam.

If anyone can direct me to a starting point to create a plug-in for JAMES to analyze the inbound emails prior to sending them to null, I would greatly appreciate it.

The reason for this crazy project is: I am the CIO of a legitimate email marketing company and the spammers are really giving "email marketing" a bad name. Plus I want to have some fun sending spam to the bit bucket.

Am I crazy? I welcome advice, suggestions etc.

Thanks,
Tom Pridham