Re: Spam Honeypot

2003-02-26 Thread bill parducci
ok, i think we are both talking in two different directions, because you still seem to be talking sample sharing and i am still talking analysis mechanism. at this point i wish you well and bow out of the discussion (on list).

b

alan.gerhard wrote:
> I must have been unclear -
> A bayesian spam filter is based on the probability that a
> given mail is BAD or GOOD from an analysis of a sampling of
> BAD and GOOD mail.
> As a user, I would have control over this sampling -
> described earlier.
> As a James user, I would like to see this functionality
> implemented.
> This differs from your earlier view in that I see a
> personalized collection as opposed to a larger, centralized
> collection.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


RE: Spam Honeypot

2003-02-26 Thread alan.gerhard
> James currently touts a Bayesian mailet, but employs only an
> overall data source and is not concerned with individual
> preference; to be an effective SPAM blocker, a relationship
> needs to be established between a specific user and her
> Bayesian lists.

> Actually, Alan, you are mistaken;

Overzealous, yes ...

From the discussions I have seen here concerning Chris'
mailet, and the overall interest in handling SPAM, I wanted
to bring attention and ultimately focus to his mailet for
eventual inclusion to the core James package.

In the future I will refrain from making exaggerated
statements when referencing what James does or does not do
;/




RE: Spam Honeypot

2003-02-26 Thread Danny Angus
Bill,

This is a pretty good point, but it diverges from the issue as far as Chris Means'
mailet is concerned because a shared corpus is actually a very good starting point for
training a system, and more effective than starting from scratch.

It is pretty easy to alter the behaviour by forwarding good or bad mail to the 
appropriate addresses.

I carried out a survey of our users who have been training a shared corpus affecting
(tagging not filtering) mailing lists and individual accounts; they were very pleased
with overall performance and voted to continue to use the system. They were less happy
with the effort involved in training, but accepted it as it was obviously
(subjectively) effective in altering the behaviour of the tagger.

> if you are interested we can discuss this in more detail 
> off-list,

No, discuss it here, so we can all hear it.

> but my experience is that cooperative work on 
> determining what terms, phrases, patterns, etc. are used to catch
> specific material are generally more useful than the sharing of 
> mail that has been identified by cooperative efforts as spam. 

I believe that this is probably true, but as the Bayesian system can re-create its 
"patterns" from a collection of mail there is little real difference between sharing 
the token probabilities and the source material. In fact it would be better in 
principle to share the source material, as sharing the results alone prevents us from 
re-analysing the original data, perhaps with new theories, at a later date.

d.

> 
> b





RE: Spam Honeypot

2003-02-26 Thread Danny Angus
> James currently touts a Bayesian mailet, but employs only an
> overall data source and is not concerned with individual
> preference; to be an effective SPAM blocker, a relationship
> needs to be established between a specific user and her
> Bayesian lists.

Actually, Alan, you are mistaken;

James does not tout Bayesian Analysis anywhere on the website or in any publicity or 
documentation.
There is code around, shared with this list by Chris Means, which quite effectively 
performs bayesian analysis of mail, but it is not yet part of James, and won't be 
until it is easy to deploy, configure and use.

The code in question is a mailet, and can be configured per-instance to use a 
particular repository for its corpus. 
This allows its use on a per-account or per-address basis, deploying it in this way 
would be up to the administrator who configured the James instance.

> and of course the necessary functionality to maintain the
> lists ...

Chris Means' code includes this, and training is very effective, if a little
time-consuming.
I hope to be able to simplify the administrative process, and add the ability to use
filesystem storage as well as database for the corpus and tokens.

It is my hope that Chris' Bayesian Analysis mailet will soon be added to the James v3 
code under development.

d.





RE: Spam Honeypot

2003-02-26 Thread Danny Angus
> That is exactly my plan... I will place my honeypot server on the internet,
> open up port 25, capture all the gory details, and then dump the email to
> null.

But if you do that you won't necessarily get much spam; trust me, I've had a number of
servers running for a number of years, and spam tends to be sent to users. Without users
you won't get spam. What you will get will be probing emails which don't give much
away.
And if you are an open relay you won't get lots of different kinds of mail, just
thousands of copies of the same one.

d.
 
> From my experience so far, most spammers do not send a test message to see
> if the email is actually making it to the end-recipient.

No, but they do send a probing message to test if your server is an open relay, and 
they don't "broadcast" mail at every conceivable username on your system. They use 
harvested lists, or otherwise validated addresses. One good reason for James not to 
reject mail because a user is unknown is that by subtraction this allows people to 
harvest good addresses from a mailserver. There are freeware products out there which 
do this for this purpose.

d.


> Thanks to the availability of cheap dedicated servers (i.e. ServerBeach,
> Nocster etc), this is a fun and cheap experiment.

Probably more likely to be dull, and make you more enemies than friends.

 
> Ever wonder how spammers survive?  Here is the best article I've read on
> that topic in awhile:
> 
> http://www.wired.com/news/infostructure/0,1377,57613,00.html

This article kind of defeats your argument, suggesting that it is in fact harvested
addresses being used.

IMO the only sensible way of dealing with spam is to filter it by content and deny
mail from blacklisted relays; even then, spam filtering is better carried out at client
level: servers can mark spam, but as a false positive is totally unacceptable in most
cases it makes sense to delegate the whole task to the client.

d.





Re: Spam Honeypot

2003-02-25 Thread alan.gerhard
I must have been unclear -
A bayesian spam filter is based on the probability that a
given mail is BAD or GOOD from an analysis of a sampling of
BAD and GOOD mail.

As a user, I would have control over this sampling -
described earlier.

As a James user, I would like to see this functionality
implemented.

This differs from your earlier view in that I see a
personalized collection as opposed to a larger, centralized
collection.




Re: Spam Honeypot

2003-02-25 Thread bill parducci
alan.gerhard wrote:

> This boils down to a collection of 'good mail' and a
> collection of 'bad mail', that in my opinion needs to
> reflect the users' interests, therefore I am a bit leery in
> 'sharing' this data, but am not dismissing its potential.

collection of 'bad mail'? as in sending out a list of e-mail known to be spam? as i have opined earlier i think that 'results' based cooperatives have a major drawback in that the needs of the end users are unique and diverge quickly once the most obvious spam is identified. there is a point at which the lack of granularity in the decision making process (message level) exceeds the value of multiple inputs and makes. you also end up needing a mechanism for determining who is an authority, how to dispute false positives, the messaging format for transmitting 'bad' e-mail, etc...  it's not that i am suggesting that you don't pursue it, but that you might want to look through the trials and tribulations of such efforts as vipul's razor to get a feel for the pitfalls and limitations if you haven't done so already. it is a pretty easy system to break.

if you are interested we can discuss this in more detail off-list, but my experience is that cooperative work on determining what terms, phrases, patterns, etc. are used to catch specific material are generally more useful than the sharing of mail that has been identified by cooperative efforts as spam.

b



Re: Spam Honeypot

2003-02-25 Thread alan.gerhard
With reference to the Bayesian filter, I am referring to
'pattern matching' as the collection of data used for its
analysis.

This boils down to a collection of 'good mail' and a
collection of 'bad mail', that in my opinion needs to
reflect the users' interests, therefore I am a bit leery in
'sharing' this data, but am not dismissing its potential.

The advantage of this system is that the filtering process
will grow with the user, but what's key, is that the user
has control over the filtering process.

By expanding on Chris Means' mailet to allow for user
specific corpus' and then adding the functionality of
receiving forwarded mail to the two lists, we end up with a
simple yet robust system that adds value to the end users...



> can you expand upon what you consider "pattern data"?
> 
> b
> 
> alan.gerhard wrote:
> > back up a bit -
> > 
> > my point differs in that the pattern data collected is
> > individual and i do not see too much need for sharing.
> > other than that, the outstanding issue is, as a james
> > user, how to go about setting up and maintaining
> > Repository based data for the Bayesian mailet.
> > 
> > not to cut this discussion off - i just want to
> > highlight an addressable issue and explore different
> > solutions

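The per-user corpus and train-by-forwarding scheme discussed in this thread (alan's "two lists" per user, Danny's shared corpus as a starting point), as an added worked example; this is not code from James or from any poster, and James itself is Java, Python is used here only to show the mechanism. The training addresses, user names and six sample messages are constructed; the token-probability and combination rule is Paul Graham's, and a recipient with no training of their own is judged against the shared corpus:

```python
import re
from collections import Counter

# Word tokens of three or more characters; header lines and body are tokenized alike.
TOKEN_RE = re.compile(r"[a-z$][a-z0-9$'-]{2,}")

def tokenize(text):
    """Distinct lower-cased tokens of a message (presence only, not frequency)."""
    return set(TOKEN_RE.findall(text.lower()))

class Corpus:
    """How many good and how many bad messages each token appeared in: one instance
    per user (the thread's 'two lists'), plus one shared instance used as a seed."""

    def __init__(self):
        self.good, self.bad = Counter(), Counter()
        self.ngood = self.nbad = 0

    def train(self, text, is_spam):
        if is_spam:
            self.bad.update(tokenize(text))
            self.nbad += 1
        else:
            self.good.update(tokenize(text))
            self.ngood += 1

    def token_prob(self, tok):
        """P(spam | token), Paul Graham style: the good count is doubled to bias
        against false positives, the result clamped to [0.01, 0.99]. None for a
        token never seen in training, since it carries no evidence either way."""
        g, b = 2 * self.good[tok], self.bad[tok]
        if g + b == 0:
            return None
        pg = min(1.0, g / max(self.ngood, 1))
        pb = min(1.0, b / max(self.nbad, 1))
        return max(0.01, min(0.99, pb / (pg + pb)))

    def spam_probability(self, text, most_interesting=15):
        """Combine the N token probabilities furthest from 0.5. An untrained corpus,
        or a message made only of unknown tokens, yields 0.5."""
        probs = [p for p in map(self.token_prob, tokenize(text)) if p is not None]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:most_interesting]
        if not probs:
            return 0.5
        prod = inv = 1.0
        for p in probs:
            prod *= p
            inv *= 1.0 - p
        return prod / (prod + inv)

class PerUserFilter:
    """Each recipient owns a Corpus and trains it by forwarding mail to the 'good' or
    'bad' training address. A recipient with no training yet is judged against the
    shared corpus, the seed Danny's message recommends starting from."""

    def __init__(self, good_addr, bad_addr):
        self.good_addr, self.bad_addr = good_addr, bad_addr
        self.corpora, self.shared = {}, Corpus()

    def corpus_for(self, user):
        c = self.corpora.setdefault(user, Corpus())
        return c if c.ngood + c.nbad else self.shared

    def handle(self, sender, recipient, text, threshold=0.9):
        """('trained', None) for mail forwarded to a training address by `sender`,
        otherwise ('spam' | 'ham', probability) using the recipient's own corpus."""
        if recipient in (self.good_addr, self.bad_addr):
            self.corpora.setdefault(sender, Corpus()).train(text, recipient == self.bad_addr)
            return "trained", None
        p = self.corpus_for(recipient).spam_probability(text)
        return ("spam" if p >= threshold else "ham"), p

# Constructed sample traffic (not real mail): alice trains her own corpus by
# forwarding three good and three bad messages to the two training addresses.
ALICE = "alice@example.org"
GOOD_ADDR, BAD_ADDR = "train-good@example.org", "train-spam@example.org"
ALICE_GOOD = [
    "Subject: mailet config\n\nAlice, can you send me the mailet config for the bayesian filter? bob",
    "Subject: lunch\n\nAlice, are we still on for lunch tomorrow at noon? bob",
    "Subject: repository\n\nthe corpus repository is configured per instance, see config.xml. danny",
]
ALICE_BAD = [
    "Subject: FREE viagra!!!\n\nBuy cheap pills online now, free shipping, click here http://example.invalid/pills",
    "Subject: you have won!!!\n\nCongratulations, click here to claim your free prize money now",
    "Subject: cheap mortgage rates\n\nLowest rates online, apply now, no credit check, free quote",
]
SPAM_SAMPLE = "Subject: cheap pills\n\nclick here now for free viagra online"
HAM_SAMPLE = "Subject: mailet question\n\nAlice, is the bayesian mailet config in the repository? bob"

def build_demo_filter():
    """Filter with alice trained; any other recipient is untrained and scores 0.5
    until the shared corpus (or their own) has seen something."""
    f = PerUserFilter(GOOD_ADDR, BAD_ADDR)
    for m in ALICE_GOOD:
        f.handle(ALICE, GOOD_ADDR, m)
    for m in ALICE_BAD:
        f.handle(ALICE, BAD_ADDR, m)
    return f
```

With such a tiny corpus every token is either 0.01 or 0.99, so the verdicts are extreme; Graham's original also ignores tokens seen fewer than five times, which a production filter should keep.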



Re: Spam Honeypot

2003-02-25 Thread bill parducci
can you expand upon what you consider "pattern data"?

b

alan.gerhard wrote:
> back up a bit -
>
> my point differs in that the pattern data collected is
> individual and i do not see too much need for sharing.
> other than that, the outstanding issue is, as a james user,
> how to go about setting up and maintaining Repository based
> data for the Bayesian mailet.
> not to cut this discussion off - i just want to highlight an
> addressable issue and explore different solutions




Re: Spam Honeypot

2003-02-25 Thread alan.gerhard
back up a bit -

my point differs in that the pattern data collected is
individual and i do not see too much need for sharing.
other than that, the outstanding issue is, as a james user,
how to go about setting up and maintaining Repository based
data for the Bayesian mailet.

not to cut this discussion off - i just want to highlight an
addressable issue and explore different solutions

> 
> precisely my point (except mine was gender neutral :o). 
> 
> the question becomes does james setup a mechanism to allow
> for discussions/archiving/development of beyesian filters
> or does it look to external resource that users can be
> directed to? as i see it there are two key aspects of
> this: (1) the format that filters should take (is the
> current implementation sufficient or should they be
> described in xml with a schema, etc.?); (2) the actual
> creation/categorization/archiving of individual filters
> for reuse and distribution. 
> 
> at first blush, it would seem that this group would be
> best suited to focus on the former and figure out how best
> to achieve the latter externally (maybe not external to
> apache--or james for that matter--but external to james
> dev).
> 
> b




RE: Spam Honeypot

2003-02-25 Thread Pierre Grimaud
> From my experience so far, most spammers do not send a test message to see
> if the email is actually making it to the end-recipient.

Well, I have a James running for a year now with the SMTP port open.
Every mail coming from something else than 192.168.*.* and not for a
local user is forwarded to my admin account just before being rerouted
to NULL.

I've always (and only) received emails including my IP address either in
the subject or in the body. I have never received any other kind of
attempts from outside (like pure spam rerouting)...

-Original Message-
From: Tom Pridham [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 8:24 PM
To: James Users List
Subject: RE: Spam Honeypot


That is exactly my plan... I will place my honeypot server on the internet,
open up port 25, capture all the gory details, and then dump the email to
null.

From my experience so far, most spammers do not send a test message to see
if the email is actually making it to the end-recipient.

Thanks to the availability of cheap dedicated servers (i.e. ServerBeach,
Nocster etc), this is a fun and cheap experiment.

Ever wonder how spammers survive?  Here is the best article I've read on
that topic in awhile:

http://www.wired.com/news/infostructure/0,1377,57613,00.html



-Original Message-
From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 1:27 PM
To: James Users List
Subject: RE: Spam Honeypot


> i saw the same. however, how is he going to be an 'open relay'
> (to attract spammers) and then be dumping stuff to null?

You don't need to do anything to attract spammers; they just show up.  You
don't need to do anything to be probed for being an open relay other than
have an available SMTP port on the internet.  Your IP will be probed.  I
recently installed a computer on broadband for my uncle.  Within 5 minutes
of enabling his computer, the firewall reported the first probes.  People
looking for SMTP, MS SQL, and other exploits.

My own firewall tracks in excess of 20 GIGABYTES of probes per month, all
courtesy of Windows machines.

Our public mail server blocks anywhere from a few 100 spams per day to
1500+.  They seem to run in waves.  The numbers were much higher when we
first started the server, but they seem to have dropped off; perhaps the
spambots are realizing that we aren't productive for them.

In any event, since he isn't actively rejecting them (from their
perspective), they'll assume that he is an open relay.  Unlike DNSRBL
scanners, which wait to get a reply.

--- Noel








Re: Spam Honeypot

2003-02-25 Thread bill parducci
> James currently touts a Bayesian mailet, but employs only an
> overall data source and is not concerned with individual
> preference; to be an effective SPAM blocker, a relationship
> needs to be established between a specific user and her [sic]
> Bayesian lists.
> and of course the necessary functionality to maintain the
> lists ...

precisely my point (except mine was gender neutral :o).

the question becomes does james set up a mechanism to allow for discussions/archiving/development of bayesian filters or does it look to external resource that users can be directed to? as i see it there are two key aspects of this: (1) the format that filters should take (is the current implementation sufficient or should they be described in xml with a schema, etc.?); (2) the actual creation/categorization/archiving of individual filters for reuse and distribution.

at first blush, it would seem that this group would be best suited to focus on the former and figure out how best to achieve the latter externally (maybe not external to apache--or james for that matter--but external to james dev).

b



Re: Spam Honeypot

2003-02-25 Thread alan.gerhard

> for my money, the best time spent is following the *pattern* based filters and
> working on ways to share that information amongst others of like interest. a good
> start would be a site dedicated to the sharing of procmail recipes, bayesian formulas,
> etc.


Yes, this sounds like a good starting point.
No need to debate the value of open-relays; there is a need,
but not in the public circuit.

but to bring this back to James, we are looking at
implementing mailets to process SPAM.
So far, the process is to consult black-hole lists and to
feed mail through a Bayesian filter and what not.

One problem I see with this is that black-hole lists are
arbitrary and pattern matches are too inclusive.

Spam filtering needs to be based on user preference as each
instance will be different; to quote

"
Bayesian spam filters are content-based filters that

- are specifically trained to recognize the individual email
user's spam and good mail, making them highly effective and
difficult to adapt to for spammers. 
- can continually and without much effort or manual analysis
adapt to the spammers' latest tricks. 
- take the individual user's good mail into account and have
a very low rate of false positives. Unfortunately, if this
causes blind trust in Bayesian anti-spam filters, it renders
the occasional mistake even more serious. 
" (http://email.about.com/library/weekly/aa100702a.htm)

The effective SPAM blocker system will be a Bayesian-based,
user-specific system.

James currently touts a Bayesian mailet, but employs only an
overall data source and is not concerned with individual
preference; to be an effective SPAM blocker, a relationship
needs to be established between a specific user and her
Bayesian lists.

and of course the necessary functionality to maintain the
lists ...




Re: Spam Honeypot

2003-02-25 Thread bill parducci
as much as i would like to go undercover :o), the problem is that open relays are really a small part of the spam that is sent. true, they represent some of the lower forms of life, but in terms of being an annoyance to end users they are but a fraction of the overall volume. here are some mail stats from one of my servers:

blacklists
--
ordb.org:  7
njabl.org: 91
spamhaus.org:  22
dsbl.org:  27
bad etiquette
-
attempted relays:  2
improper domain:   1
other: 0
  
summary
---
total mail:879
total rejected:150
percent rejected:  17%

the blacklisting sites are listed in the order that they are consulted by my mail server. note: ordb.org is a pure open relay database.  therefore, out of the 150 e-mail that have been rejected as spam via blacklisting only 7 of them were blocked as a result of being used by a known open relay. also of interest is that even after consulting with the rbl sites (and throwing out 20% of incoming e-mail right off the bat!) i still received another 50 or so spam messages during this period that were caught by an upstream [content based] filter.

open relays are an issue, but a small fish in a big pond (and growing smaller). 

for my money, the best time spent is following the *pattern* based filters and working on ways to share that information amongst others of like interest. a good start would be a site dedicated to the sharing of procmail recipes, bayesian formulas, etc.

ok, i think i am up to four cents now. :o)

b

Jerome Lacoste (Frisurf) wrote:
> This reminds me of people trying to infiltrate mafia/drug dealers. It
> takes years, and they are probably asked to do some bad things before
> they are able to catch the big fishes. At least that's what's happening in
> movies :)
> If we try to follow the same principle, some kind of authority should
> decide to plant infiltrated open relays. They should act as normal open
> relays from a spammer point of view, deliver the emails (even if it's not
> legal), but giving back important information.
> I am sure this has been discussed in other places, I understand the
> non-legality, but when you see the number of open relays, one more will
> not add too much to the traffic, but if it helps taking legal or
> technical action faster against big spammers, that may help.
> But accepting to do so raises some interesting philosophical questions. I
> wonder how exactly these kind of things happen with other kind of
> infiltrations?




Re: Spam Honeypot

2003-02-25 Thread Lacoste (Frisurf)
This reminds me of people trying to infiltrate mafia/drug dealers. It
takes years, and they are probably asked to do some bad things before
they are able to catch the big fishes. At least that's what's happening in
movies :)

If we try to follow the same principle, some kind of authority should
decide to plant infiltrated open relays. They should act as normal open
relays from a spammer point of view, deliver the emails (even if it's not
legal), but giving back important information.

I am sure this has been discussed in other places, I understand the
non-legality, but when you see the number of open relays, one more will
not add too much to the traffic, but if it helps taking legal or
technical action faster against big spammers, that may help.

But accepting to do so raises some interesting philosophical questions. I
wonder how exactly these kind of things happen with other kind of
infiltrations?


On Mon, 2003-02-24 at 17:44, bill parducci wrote:
> unless the spammer is only looking at the SMTP codes (not going into *that* 
> discussion again :o) the machine is going to have to actually *deliver* the note. at 
> that point it will be an open relay and will be part of the problem. also, any 
> spammer worth a darn will have a handful of 'feedback' accounts sprinkled in with 
> the spam targets to make sure that the process completed (e.g. checking to make sure 
> that the open relay doesn't stop sending mail--intentionally or not--in the middle 
> of the job). 
> 
> the bottom line is that there isn't a good way to 'pretend' to be an open relay with
> the intent of harvesting useful information in my opinion. at most you will be able
> to log sites that probe for such behavior but that can be done on a normally
> configured machine.
> 
> there are a number of other ways to attract spam that i believe are more practical.
> 
> b
> 
> Randahl Fink Isaksen wrote:
> > That, I believe, is as simple as not requiring the sender to log in and
> > not requiring the sender to be in the local network either. I
> > accidentally set up my James configuration like this and found my server
> > transmitting huge amounts of spam in no time. Often I do not think the
> > spammers even care to send a probe e-mail to check that the message
> > arrives. Maybe they just bill the clients for the number of e-mails that
> > were accepted by the abused servers...
> > 
> > If he is able create some trouble for the spammers in a legal manner I
> > wish him the best of luck.
> 
> 
-- 
Jerome Lacoste (Frisurf) <[EMAIL PROTECTED]>
CoffeeBreaks





Re: Spam Honeypot

2003-02-24 Thread bill parducci
> One thing, though. It seems to me as a Java programmer that I could put
> together a mailet that contained much more sophisticated analysis than just
> a reverse-dns lookup. If I were to write a mailet that could reliably
> figure out spam based on more than just the sending host then it seems like
> there should be a way to allow replication of this knowledge to other
> instances of James as well.

keep in mind that dns is only used here to query sites that have *already* performed some level of analysis. that said, there are indeed many things that you can do that are more sophisticated than what can be practically managed by mailets (but if i told you what they are i would have to kill you :o) given the desire to make the contents of these lists accessible to as many people/platforms as possible, it is awfully hard to beat.

> Not that I have time to develop this, but it seems like an opportunity to
> develop something more robust than rbl. If you can get the open source
> community to work on developing/improving the mailets that analyze incoming
> messages, then who knows where it may lead...

more robust in terms of analysis? yes. accessible as universally? i don't think so. the problem is that as you create more complex evaluation environments specificity of the rule sets (policies in my neck of the woods) increases dramatically. in other words passing around "answers" has its limits, what you want to pass around are the processes that allow you to derive answers that are pertinent to your environment (the 'bayesian movement' is an excellent example of this).

> I'm thinking in general here. If there were a Java interface that people
> could write to and a way to plug these things (maybe call them 'business
> rules' or 'spam rules') into James, I'd bet you'd find a lot of people
> sharing code and ideas. They could be called 'real-time blackout rules'
> (rbr) instead. Instead of pulling back lists of hosts you could pull back
> encoded business rules (or even just class files).

if there were a common *policy* language and an engine to consume them then you would have the opportunity to establish 'rule libraries' where users could shop around for predefined policies and use/modify them to suit their needs. XACML goes a long way in creating the lingua franca, but you are going to have to do some heavy lifting to get a full blown policy engine in place to take advantage of it (trust me on that one :o). sun is taking steps in this direction, but i think that you will find that its work to date is slanted towards class/bean protection. still it may be worth a look if you are so inclined: http://sourceforge.net/projects/sunxacml/

however, i think that your best bet right now is to adopt one or more of the popular filtering methodologies (like bayesian analysis, etc.) and try to swap filtering techniques/recipes (oops, a little procmail lingo slipped in there; which is a good example of a common toolset--albeit somewhat arcane--in the sendmail, et al. arenas) manually with other aficionados, such as those on this list.

that's my 2 cents anyway...

b



RE: Spam Honeypot

2003-02-24 Thread Tom Pridham
That is exactly my plan... I will place my honeypot server on the internet,
open up port 25, capture all the gory details, and then dump the email to
null.

From my experience so far, most spammers do not send a test message to see
if the email is actually making it to the end-recipient.

Thanks to the availability of cheap dedicated servers (i.e. ServerBeach,
Nocster etc), this is a fun and cheap experiment.

Ever wonder how spammers survive?  Here is the best article I've read on
that topic in awhile:

http://www.wired.com/news/infostructure/0,1377,57613,00.html



-Original Message-
From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 1:27 PM
To: James Users List
Subject: RE: Spam Honeypot


> i saw the same. however, how is he going to be an 'open relay'
> (to attract spammers) and then be dumping stuff to null?

You don't need to do anything to attract spammers; they just show up.  You
don't need to do anything to be probed for being an open relay other than
have an available SMTP port on the internet.  Your IP will be probed.  I
recently installed a computer on broadband for my uncle.  Within 5 minutes
of enabling his computer, the firewall reported the first probes.  People
looking for SMTP, MS SQL, and other exploits.

My own firewall tracks in excess of 20 GIGABYTES of probes per month, all
courtesy of Windows machines.

Our public mail server blocks anywhere from a few 100 spams per day to
1500+.  They seem to run in waves.  The numbers were much higher when we
first started the server, but they seem to have dropped off; perhaps the
spambots are realizing that we aren't productive for them.

In any event, since he isn't actively rejecting them (from their
perspective), they'll assume that he is an open relay.  Unlike DNSRBL
scanners, which wait to get a reply.

--- Noel







Re: Spam Honeypot

2003-02-24 Thread Kevin . Bedell


Bill -

Thanks for the excellent run-down on this.

One thing, though. It seems to me as a Java programmer that I could put
together a mailet that contained much more sophisticated analysis than just
a reverse-dns lookup. If I were to write a mailet that could reliably
figure out spam based on more than just the sending host then it seems like
there should be a way to allow replication of this knowledge to other
instances of James as well.

Not that I have time to develop this, but it seems like an opportunity to
develop something more robust than rbl. If you can get the open source
community to work on developing/improving the mailets that analyze incoming
messages, then who knows where it may lead...

I'm thinking in general here. If there were a Java interface that people
could write to and a way to plug these things (maybe call them 'business
rules' or 'spam rules') into James, I'd bet you'd find a lot of people
sharing code and ideas. They could be called 'real-time blackout rules'
(rbr) instead. Instead of pulling back lists of hosts you could pull back
encoded business rules (or even just class files).

If this seems crazy, then don't mind me - it's late and my mind is going
weird places.:)

thanks again,

K.




   

   

bill parducci wrote (02/24/2003 11:02 PM):
blacklisting. per james' config.xml:


  spam 
  Rejected - see  http://www.mail-abuse.org/rbl/ 



  spam 
  Dialup - see http://www.mail-abuse.org/dul/ 



  spam 
  Open spam relay - see http://www.mail-abuse.org/rss/ 


basically what happens is when a note comes into [james in this case] the
ip address of the sender is stuck in a 'reverse' dns query and sent to the
sites configured above. if a name match comes back, the requested site
considers the address to be that of a spammer. james then dumps the message
and tells the user that they have been rejected as a result of being a
'known spammer' and being told he makes the claim. (since i don't use this
feature on james currently, i assume that the way james handles this is via
a returned note--sendmail issues a reject at the smtp level)

overall it is pretty darn clever as it gets around all sorts of ugly
authentication and database query issues by using a well known query
mechanism. there are many rbl sites that can be queried, some free, some
fee based. they range from simple open relay testers to sites that perform
some pretty aggressive testing to sites that do some really dumb (in my
opinion) automated tests.

b

p.s. i sense a FAQ request coming on... :o)

Re: Spam Honeypot

2003-02-24 Thread bill parducci
blacklisting. per james' config.xml:


 spam 
 Rejected - see  http://www.mail-abuse.org/rbl/ 


 spam 
 Dialup - see http://www.mail-abuse.org/dul/ 


 spam 
 Open spam relay - see http://www.mail-abuse.org/rss/ 

basically what happens is when a note comes into [james in this case] the ip address of the sender is stuck in a 'reverse' dns query and sent to the sites configured above. if a name match comes back, the requested site considers the address to be that of a spammer. james then dumps the message and tells the user that they have been rejected as a result of being a 'known spammer' and being told he makes the claim. (since i don't use this feature on james currently, i assume that the way james handles this is via a returned note--sendmail issues a reject at the smtp level)

overall it is pretty darn clever as it gets around all sorts of ugly authentication and database query issues by using a well known query mechanism. there are many rbl sites that can be queried, some free, some fee based. they range from simple open relay testers to sites that perform some pretty aggressive testing to sites that do some really dumb (in my opinion) automated tests.

b

p.s. i sense a FAQ request coming on... :o)

[EMAIL PROTECTED] wrote:
whole rbl thing?



   
   
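The reversed-octet DNS lookup bill parducci describes above, as an added example that is not code from the James project: it builds the query name from the sender's IP and an RBL zone, consults a constructed in-memory table in place of real DNS so it runs offline, and mirrors the three list/notice pairs of the quoted config.xml fragment. The zone names `rbl.example.invalid`, `dul.example.invalid`, `rss.example.invalid` and the listed addresses are constructed placeholders, not the zones the real config used.

```python
"""DNSBL (RBL) lookup: reverse the octets, append the zone, and treat an
answer inside 127.0.0.0/8 as "this address is listed"."""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for DNS. A real deployment would hand the same query
# names to the system resolver (e.g. socket.gethostbyname) instead.
FAKE_DNS = {
    "4.3.2.1.rbl.example.invalid": "127.0.0.2",   # constructed: listed as spam source
    "9.8.7.6.dul.example.invalid": "127.0.0.10",  # constructed: listed as dial-up range
}


def fake_resolve(name: str) -> Optional[str]:
    """Return the A record for `name`, or None for NXDOMAIN (constructed data)."""
    return FAKE_DNS.get(name)


def rbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 + zone -> 4.3.2.1.zone (a trailing dot on the zone is tolerated)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def is_listed(ip: str, zone: str,
              resolve: Callable[[str], Optional[str]] = fake_resolve) -> bool:
    """True when the zone answers for the address with a 127.0.0.0/8 record.
    Any other answer is a broken or wildcarded zone and is ignored rather than
    trusted, so one misbehaving list cannot reject all inbound mail."""
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


# One (zone, notice) pair per config.xml entry quoted above; the notices are
# the page's, the zone names are constructed placeholders.
RBL_ZONES: List[Tuple[str, str]] = [
    ("rbl.example.invalid", "Rejected - see  http://www.mail-abuse.org/rbl/"),
    ("dul.example.invalid", "Dialup - see http://www.mail-abuse.org/dul/"),
    ("rss.example.invalid", "Open spam relay - see http://www.mail-abuse.org/rss/"),
]


def check_sender(ip: str, zones=RBL_ZONES,
                 resolve: Callable[[str], Optional[str]] = fake_resolve) -> Optional[str]:
    """Return the notice of the first zone listing the sender, or None to accept.
    Private and loopback addresses are never looked up: they come from our own
    network and some zones deliberately list them to catch leaky resolvers."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_private or addr.is_loopback:
        return None
    for zone, notice in zones:
        if is_listed(ip, zone, resolve):
            return notice
    return None


if __name__ == "__main__":
    for sender_ip in ("1.2.3.4", "6.7.8.9", "5.6.7.8", "10.0.0.1"):
        print(sender_ip, "->", check_sender(sender_ip) or "accepted")
```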

Re: Spam Honeypot

2003-02-24 Thread Kevin . Bedell


http://www.declude.com/junkmail/support/ip4r.htm

"Seek and ye shall find" I guess





   

   

Kevin Bedell wrote (02/24/2003 10:44 PM, Re: Spam Honeypot):

whole rbl thing?







Re: Spam Honeypot

2003-02-24 Thread Kevin . Bedell


whole rbl thing?




   

   

bill parducci wrote (02/24/2003 10:38 PM, Re: Spam Honeypot):

yep, which is kinda how the whole rbl thing works (via dns lookups)...

b

[EMAIL PROTECTED] wrote:
> If it were possible to create addresses that were known to receive only
> spam, then you could set up these servers in a bunch of domains and have
> them all update a central database with info on what they capture.
>
> Then you could build into James (or any server I guess) the ability to tap
> this central database to dynamically update it's own spam filters.

Re: Spam Honeypot

2003-02-24 Thread bill parducci
yep, which is kinda how the whole rbl thing works (via dns lookups)...

b

[EMAIL PROTECTED] wrote:
> If it were possible to create addresses that were known to receive only
> spam, then you could set up these servers in a bunch of domains and have
> them all update a central database with info on what they capture.
>
> Then you could build into James (or any server I guess) the ability to tap
> this central database to dynamically update it's own spam filters.




   
   

Re: Spam Honeypot

2003-02-24 Thread Kevin . Bedell


If it were possible to create addresses that were known to receive only
spam, then you could set up these servers in a bunch of domains and have
them all update a central database with info on what they capture.

Then you could build into James (or any server I guess) the ability to tap
this central database to dynamically update it's own spam filters.





   

   

Tom Pridham wrote (02/23/2003 09:42 PM, Spam Honeypot):

> Greetings All,
>
> As an avid JAMES user I have decided to take up a new battle... the war on
> spam.  So here is my plan, I have acquired the domain DeletedSpam.com and
> plan on deploying a JAMES "Honeypot" server with the relay open.  I will
> track all statistics on how much spam I delete each day, where the spam
> originated etc.
>
> Is there already code in a mailet somewhere to do the following:
> --analyze an email marked as spam to pull out data elements (i.e. Subject
> title, from address, and all of the "To" addresses
>
> I plan on making a one page website that displays in real-time all of the
> relevant stats on the deleted spam.
>
> If anyone can direct me to a starting point to create a plug-in for JAMES to
> analyze the inbound emails prior to sending them to null, I would greatly
> appreciate it.
>
> The reason for this crazy project is:  I am the CIO of a legitimate email
> marketing company and the spammers are really giving "email marketing" a
> bad name.  Plus I want to have some fun sending spam to the bit bucket.
>
> Am I crazy?  I welcome advice, suggestions etc.
>
> Thanks,
> Tom Pridham







---
This e-mail message (including attachments, if any) is intended for the use
of the individual or entity to which it is addressed and may contain
information that is privileged, proprietary , confidential and exempt from
disclosure.  If you are not the intended recipient, you are notified that
any dissemination, distribution or copying of this communication is
strictly prohibited.  If you have received this communication in error,
please notify the sender and erase this e-mail message immediately.
---







RE: Spam Honeypot

2003-02-24 Thread Danny Angus
> Often I do not think the
> spammers even care to send a probe e-mail to check that the message
> arrives. 

They do check, the tiny number of James installations we've heard of that are ever hit 
by large quantities of spam without probing messages proves this.

d.





Re: Spam Honeypot

2003-02-24 Thread bill parducci
i have witnessed that first hand, but unfortunately it is almost impossible to have any concrete proof. the only possibility that i can think of is trying to unsubscribe using a 3rd [clean!] address that is not yet on their list. if they are legit they should come back and say that it wasn't found, ignore the request, etc. if you start getting mail on that third address then you know that you have just received a reach around. of course, for this to work you need a clean address for each list you unsubscribe from so as to be able to explicitly identify the abuser.

i am playing around with this concept now. shall be interesting to see how it goes...

b

Chris Means wrote:
Another data-point to consider.

If you have "successfully" unsubscribed from one spammer.  Was there a
sudden increase in spam from one or more parties after that initial event?
I've heard (comments on /.) that the initial spammer may "honor" your
unsubscribe request, but then sell your email address at a higher rate to
other spammers, given that they know it's a "real" address.




Re: Spam Honeypot

2003-02-24 Thread bill parducci
Noel J. Bergman wrote:
> You don't need to do anything to attract spammers; they just show up.  You
> don't need to do anything to be probed for being an open relay other than
> have an available SMTP port on the internet.  Your IP will be probed.  I
> recently installed a computer on broadband for my uncle.  Within 5 minutes
> of enabling his computer, the firewall reported the first probes.  People
> looking for SMTP, MS SQL, and other exploits.

of course, but for the reasons i outlined previously you aren't going to be able to capture much more useful information than "IP address a.b.c.d tried to perform a relay". as you point out below this can be easily tracked using a typically installed machine (provided you have some ability to process your logs). there isn't a need to try to be a 'faux open relay'. it only invites problems.

> My own firewall tracks in excess of 20 GIGABYTES of probes per month, all
> courtesy of Windows machines.
>
> Our public mail server blocks anywhere from a few 100 spams per day to
> 1500+.  They seem to run in waves.  The numbers were much higher when we
> first started the server, but they seem to have dropped off; perhaps the
> spambots are realizing that we aren't productive for them.
>
> In any event, since he isn't actively rejecting them (from their
> perspective), they'll assume that he is an open relay.  Unlike DNSRBL
> scanners, which wait to get a reply.

they will assume this for a single session unless they are just trying to propagate viruses (hit & run/script spamming). again, there is value to observing hit & runs, but since james gives OKs to any to/from address condition under normal operating conditions the above argument continues to hold true.

b





RE: Spam Honeypot

2003-02-24 Thread Chris Means
Another data-point to consider.

If you have "successfully" unsubscribed from one spammer.  Was there a
sudden increase in spam from one or more parties after that initial event?

I've heard (comments on /.) that the initial spammer may "honor" your
unsubscribe request, but then sell your email address at a higher rate to
other spammers, given that they know it's a "real" address.




Re: Spam Honeypot

2003-02-24 Thread bill parducci
a good place to start is to post an 'uninteresting' note to a variety of USENET lists using a 'clean' e-mail address. (alt.sex is one i have used in the past, but the more you spread around the more likely you are going to get hits). this gets the real bottom feeders since anyone using that address in bulk e-mails will have done so via dredging. note: DON'T use this address for anything else because anything it receives is unsolicited and is therefore spam by definition.

with a second address go to sites that manage a lot of groups (like yahoo groups) and sign up for a list that has 'free' stuff in it. let the account build up mail for a couple of weeks (they will be selling your e-mail address to numerous places as quickly as possible). then as you start getting mail from the various mailing lists (and there will be MANY in a relatively short period of time), try to unsubscribe from each.  if after 72 hours (my preference) you receive any mail from that list (or you get a bounce/404/etc. in the unsubscribe attempt) consider it spam. of course, this will take some work because you need to keep a list of senders that have been notified of your disinterest (and when). might make for a nice honeypot mailet one of these days.

there are other ways, however if you are diligent with these two you will start harvesting a lot of muck off the wire in no time! :o)

that said, the other option is to let someone like spamhaus.org, et al. do it (or volunteer to help out) and just rbl filter leveraging the techniques they have devised. james already supports this out of the box.

b

Randahl Fink Isaksen wrote:
Would you care to elaborate on those "other ways"?

R.


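The bookkeeping behind the unsubscribe test above (note who was told to stop and when; anything arriving after the 72-hour window, or a bounced unsubscribe, is spam), combined with the one-clean-address-per-list check from bill parducci's reply to Chris Means higher up, as an added example that is neither James code nor the mailet he mentions. The domain `honeypot.example`, the list senders, the `hp-NNNN` tag format and the timestamps are constructed for the demo.

```python
"""Ledger for a honeypot that hands each list its own tagged address and
records unsubscribe requests, so later mail can be attributed and judged."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

GRACE = timedelta(hours=72)          # the 72-hour wait preferred in the post above
T0 = datetime(2003, 2, 24, 12, 0)    # constructed reference time for the demo


def at(hours: float) -> datetime:
    """Constructed timestamp `hours` after T0 (keeps the demo off the real clock)."""
    return T0 + timedelta(hours=hours)


@dataclass
class HoneypotLedger:
    domain: str
    addresses: Dict[str, str] = field(default_factory=dict)   # tag -> list it was given to
    unsubscribed: Dict[str, Tuple[datetime, bool]] = field(default_factory=dict)
    log: List[Tuple[str, str, str]] = field(default_factory=list)  # (tag, sender, verdict)

    def issue_address(self, list_name: str) -> str:
        """Mint a fresh address used for exactly one list, so any later mail to it
        is attributable to that list alone (the 'clean address per list' rule)."""
        tag = f"hp-{len(self.addresses) + 1:04d}@{self.domain}"
        self.addresses[tag] = list_name
        return tag

    def record_unsubscribe(self, list_name: str, when: datetime,
                           bounced: bool = False) -> None:
        """Note when we asked to be removed; a bounce/404 on the attempt is itself
        treated as evidence the list is not legitimate."""
        self.unsubscribed[list_name] = (when, bounced)

    def classify(self, to_addr: str, sender: str, received: datetime) -> str:
        """Verdict for one message:
        'unknown-address' - not a tag we issued (e.g. guessed or dictionary mail)
        'leaked'          - sent by someone other than the list the tag was given to
        'spam'            - unsubscribe bounced, or mail still arriving after GRACE
        'grace'           - unsubscribed less than GRACE ago, still tolerated
        'subscribed'      - nothing asked of this list yet"""
        list_name = self.addresses.get(to_addr)
        if list_name is None:
            verdict = "unknown-address"
        elif sender != list_name:
            verdict = "leaked"
        elif list_name not in self.unsubscribed:
            verdict = "subscribed"
        else:
            when, bounced = self.unsubscribed[list_name]
            verdict = "spam" if bounced or received - when >= GRACE else "grace"
        self.log.append((to_addr, sender, verdict))
        return verdict

    def abusers(self) -> Dict[str, int]:
        """Lists that kept mailing after unsubscribe, or whose private tag turned up
        in someone else's mail, with the number of offending messages each."""
        counts: Dict[str, int] = {}
        for tag, _sender, verdict in self.log:
            if verdict in ("spam", "leaked"):
                culprit = self.addresses[tag]   # the list we gave the tag to
                counts[culprit] = counts.get(culprit, 0) + 1
        return counts


if __name__ == "__main__":
    ledger = HoneypotLedger("honeypot.example")               # constructed domain
    free = ledger.issue_address("freestuff@lists.example")    # constructed lists
    coupons = ledger.issue_address("coupons@lists.example")
    ledger.record_unsubscribe("freestuff@lists.example", at(0))
    ledger.record_unsubscribe("coupons@lists.example", at(0), bounced=True)
    events = [(free, "freestuff@lists.example", 10), (free, "freestuff@lists.example", 80),
              (free, "other@spam.example", 5), (coupons, "coupons@lists.example", 1)]
    for tag, sender, hrs in events:
        print(f"+{hrs:>2}h {tag} from {sender}: {ledger.classify(tag, sender, at(hrs))}")
    print("abusers:", ledger.abusers())
```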


RE: Spam Honeypot

2003-02-24 Thread Noel J. Bergman
> i saw the same. however, how is he going to be an 'open relay'
> (to attract spammers) and then be dumping stuff to null?

You don't need to do anything to attract spammers; they just show up.  You
don't need to do anything to be probed for being an open relay other than
have an available SMTP port on the internet.  Your IP will be probed.  I
recently installed a computer on broadband for my uncle.  Within 5 minutes
of enabling his computer, the firewall reported the first probes.  People
looking for SMTP, MS SQL, and other exploits.

My own firewall tracks in excess of 20 GIGABYTES of probes per month, all
courtesy of Windows machines.

Our public mail server blocks anywhere from a few 100 spams per day to
1500+.  They seem to run in waves.  The numbers were much higher when we
first started the server, but they seem to have dropped off; perhaps the
spambots are realizing that we aren't productive for them.

In any event, since he isn't actively rejecting them (from their
perspective), they'll assume that he is an open relay.  Unlike DNSRBL
scanners, which wait to get a reply.

--- Noel





RE: Spam Honeypot

2003-02-24 Thread Randahl Fink Isaksen
Would you care to elaborate on those "other ways"?


R.





Re: Spam Honeypot

2003-02-24 Thread bill parducci
unless the spammer is only looking at the SMTP codes (not going into *that* discussion again :o) the machine is going to have to actually *deliver* the note. at that point it will be an open relay and will be part of the problem. also, any spammer worth a darn will have a handful of 'feedback' accounts sprinkled in with the spam targets to make sure that the process completed (e.g. checking to make sure that the open relay doesn't stop sending mail--intentionally or not--in the middle of the job). 

the bottom line is that there isn't a good way to 'pretend' to be an open relay with the intent of harvesting useful information in my opinion. at most you will be able to log sites that probe for such behavior but that can be done on a normally configured machine. 

there are a number of other ways to attract spam that i believe are more practical.

b

Randahl Fink Isaksen wrote:
> That, I believe, is as simple as not requiring the sender to log in and
> not requiring the sender to be in the local network either. I
> accidentally set up my James configuration like this and found my server
> transmitting huge amounts of spam in no time. Often I do not think the
> spammers even care to send a probe e-mail to check that the message
> arrives. Maybe they just bill the clients for the number of e-mails that
> were accepted by the abused servers...
>
> If he is able to create some trouble for the spammers in a legal manner I
> wish him the best of luck.




RE: Spam Honeypot

2003-02-24 Thread Randahl Fink Isaksen
That, I believe, is as simple as not requiring the sender to log in and
not requiring the sender to be in the local network either. I
accidentally set up my James configuration like this and found my server
transmitting huge amounts of spam in no time. Often I do not think the
spammers even care to send a probe e-mail to check that the message
arrives. Maybe they just bill the clients for the number of e-mails that
were accepted by the abused servers...

If he is able to create some trouble for the spammers in a legal manner I
wish him the best of luck.


Randahl



 




Re: Spam Honeypot

2003-02-24 Thread bill parducci
Noel J. Bergman wrote:
> I was going to say that same thing to him.  In fact, I had written it in my
> note, but then I saw his comment about sending the mail to null, so I think
> that he knows not to actually be an open relay.
>
>   --- Noel

i saw the same. however, how is he going to be an 'open relay' (to attract spammers) and then be dumping stuff to null?

b



Re: Spam Honeypot

2003-02-24 Thread Emmanuel Gilmont
There are 2 interesting articles in the Linux Journal of March. I think you 
should have a look at them.

The first is "Math vs Spam: beyond Bayesian filtering" and the second is 
"Power filtering with Spambayes"

Good reading :)
Emmanuel
--



Le Lundi 24 Février 2003 03:42, Tom Pridham a écrit :
> Greetings All,
>
> As an avid JAMES user I have decided to take up a new battlethe war on
> spam.  So here is my plan, I have acquired the domain DeletedSpam.com and
> plan on deploying a JAMES "Honeypot" server with the relay open.  I will
> track all statistics on how much spam I delete each day, where the spam
> originated etc.
>
> Is there already code in a mailet somewhere to do the following:
> --analyze an email marked as spam to pull out data elements (i.e. Subject
> title, from address, and all of the "To" addresses
>
> I plan on making a one page website that displays in real-time all of the
> relevant stats on the deleted spam.
>
> If anyone can direct me a starting point to create a plug-in for JAMES to
> analyze the inbound emails prior to sending them to null, I would greatly
> appreciate it.
>
> The reason for this crazy project is:  I am the CIO of a legitimate email
> marketing company and the spammers are really giving "email marketing" a
> bad name.  Plus I want to have some fun sending spam to the bit bucket.
>
> Am I crazy?  I welcome advice, suggestions etc.
>
> Thanks,
> Tom Pridham
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Spam Honeypot

2003-02-24 Thread Noel J. Bergman
> > I have acquired the domain DeletedSpam.com and plan on
> > deploying a JAMES "Honeypot" server with the relay open.

> Erm no, you'd better not, otherwise it will be *you* adding to the problem.

I was going to say that same thing to him.  In fact, I had written it in my
note, but then I saw his comment about sending the mail to null, so I think
that he knows not to actually be an open relay.

--- Noel


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Spam Honeypot

2003-02-24 Thread Danny Angus
> As an avid JAMES user I have decided to take up a new battle: the war on
> spam.  So here is my plan, I have acquired the domain DeletedSpam.com and
> plan on deploying a JAMES "Honeypot" server with the relay open.  

Erm no, you'd better not, otherwise it will be *you* adding to the problem.

d.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Spam Honeypot

2003-02-23 Thread Harmeet Bedi
- Original Message -
From: "Tom Pridham" <[EMAIL PROTECTED]>
> Am I crazy?  I welcome advice, suggestions etc.

It is a good idea, btw. as a data point.
Brightmail does something similar, ie. tries to collect spam mail and update
filters in 'real time'.
Spamnet or Vipul's Razor is another example of something similar.
Also you can get a lot of already collected spam from
http://www.spamarchive.org/


It would be very cool if your site can collect feeds. A lot of mail server
hosts collect spam information(I do) and if you specify a statistics format
or mail headers format I am sure folks will be happy to help you fight spam
by sharing stats.

Regd headers: One thing to think about - Information extraction could occur
from mail store(repository) or in mailets.
Btw. I would not suggest you delete spam, only mark mail as checked for spam
and marked as spam or not. I assume your honeypot can receive legitimate mail
too.

Harmeet


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Spam Honeypot

2003-02-23 Thread Noel J. Bergman
Tom,

The sample matchers and mailets should provide you with a good starting
point for your code.  I would suggest that more than the subject, from and
to headers will be of interest.  For example, geographical origin, alleged
domain, netblock owner, etc.

FWIW, my company offers commercial James development.  If you are
interested, we could do the entire application for you: the mailet(s), the
database, the web page(s), as per your specifications.  Contact me off-list
if you'd like to discuss it.

--- Noel

-Original Message-
From: Tom Pridham [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 21:43
To: [EMAIL PROTECTED]
Subject: Spam Honeypot


Greetings All,

As an avid JAMES user I have decided to take up a new battle: the war on
spam.  So here is my plan, I have acquired the domain DeletedSpam.com and
plan on deploying a JAMES "Honeypot" server with the relay open.  I will
track all statistics on how much spam I delete each day, where the spam
originated etc.

Is there already code in a mailet somewhere to do the following:
--analyze an email marked as spam to pull out data elements (i.e. Subject
title, from address, and all of the "To" addresses)

I plan on making a one page website that displays in real-time all of the
relevant stats on the deleted spam.

If anyone can direct me a starting point to create a plug-in for JAMES to
analyze the inbound emails prior to sending them to null, I would greatly
appreciate it.

The reason for this crazy project is:  I am the CIO of a legitimate email
marketing company and the spammers are really giving "email marketing" a bad
name.  Plus I want to have some fun sending spam to the bit bucket.

Am I crazy?  I welcome advice, suggestions etc.

Thanks,
Tom Pridham


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
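Added example (Python, not code from the James project or from any message in this thread): a stand-alone model of the analysis Tom asks for (pulling subject, sender, recipients and the originating relay out of a spam sample, then aggregating counts for a stats page) combined with Harmeet's advice to mark each message as checked rather than delete it. The sample message, addresses, IP literals and the X-Spam-* header names are constructed placeholders, and the code stands in for what a mailet's service() method would do rather than using the Mailet API.

```python
# Added example: stand-alone model of the header-extraction and
# "mark, don't delete" steps discussed on the list. Stdlib only.
import email
import re
from collections import Counter
from email import policy
from email.message import EmailMessage

# Constructed sample; hosts, addresses and IPs are documentation placeholders.
SAMPLE_SPAM = b"""\
Received: from mail.example.net (unknown [192.0.2.10]) by mx.deletedspam.example
Received: from [198.51.100.7] by mail.example.net
From: "Best Offers" <offers@example.net>
To: a@deletedspam.example, b@deletedspam.example
Cc: c@deletedspam.example
Subject: Lowest rates ever!!!
Date: Sun, 23 Feb 2003 21:43:00 -0500

Click now.
"""

# Matches a bracketed IPv4 literal inside a Received header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def extract_elements(raw: bytes) -> dict:
    """Pull the data elements Tom lists (subject, sender, all recipients)
    plus the originating relay: the last Received header is the first hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = []
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            recipients.extend(a.addr_spec for a in hdr.addresses)
    hops = [m.group(1) for h in msg.get_all("Received", [])
            for m in [IP_RE.search(h)] if m]
    return {
        "subject": str(msg["Subject"]),
        "from": msg["From"].addresses[0].addr_spec,
        "to": recipients,
        "origin_ip": hops[-1] if hops else None,
    }

def mark_checked(raw: bytes, is_spam: bool) -> EmailMessage:
    """Record that the mail was checked and the verdict, instead of
    dropping it, so legitimate mail reaching the honeypot still survives."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    msg["X-Spam-Checked"] = "yes"            # assumed header names
    msg["X-Spam-Flag"] = "YES" if is_spam else "NO"
    return msg

def origin_stats(records: list) -> Counter:
    """Counts per originating IP, the kind of figure a stats page would show."""
    return Counter(r["origin_ip"] for r in records if r["origin_ip"])
```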