 Associated IP Addresses
Author: S.Bergman   (18 Sep 06 5:00pm)
Hi Could you please provide an explanation on how you have established the association between different IP addresses. I appreciate that you have the IP address of the harvester and then the IP address from any mail server that subsequently sends spam to the honeypot. I am assuming you get the IP of the mail server when it initiates the SMTP session, not from the received email headers? (or do you extract both).

What about associated harvesters and IPs in the neighbourhood, how are these being linked?

Stewart
 
 Re: Associated IP Addresses
Author: M.Prince   (18 Sep 06 5:38pm)
We get the IP of the sender from the machine that is actually connecting to one of our mail servers, so we don't have to parse the headers. We keep the headers (along with the rest of the message) around in case we ever want to parse them in the future for anything.

IPs in the neighborhood are other IPs that we have seen (harvesters, dictionary attackers, mail servers) that are within a certain range of the IP you're looking at. So, for example, imagine you're looking at:

192.168.5.100

We'd say that everything from something like 192.168.4.200 - 192.168.6.50 is "in the neighborhood." I can't remember what the exact range is, but I think it's a range of 255 around the IP you're looking at.

Hopefully that answers your questions.

Matthew.
 
 Re: Associated IP Addresses
Author: S.Bergman   (18 Sep 06 6:57pm)
Hi Matthew, thanks for that.

The only one you left off was the associated harvesters; how are they linked?

Thanks

Stewart
 
 Re: Associated IP Addresses
Author: M.Prince   (18 Sep 06 10:35pm)
Harvesters are associated with mail servers based on email addresses. Probably easiest to explain it through the chain of events. Imagine a harvester visits a particular honey pot and is handed a spam trap email address. For example:

Harvester IP: 192.168.0.123
Spam Trap: john.smith@xyz-internet.com
Honey Pot: #123543
Timestamp: June 23, 2006 @ 4:55pm

Sometime later the same harvester could visit another honey pot:

Harvester IP: 192.168.0.123
Spam Trap: tjohnson@pillars.ragtag.com
Honey Pot: #543153
Timestamp: July 2, 2006 @ 3:22am

Since each spam trap handed out is unique and only handed out once, we know that if the particular address receives a message then it can reliably be tied back to the harvester to which it was handed. In this case, imagine our mail servers receive a message:

Connecting Server's IP: 192.168.100.5
Sending to: tjohnson@pillars.ragtag.com
Timestamp: August 20, 2006 @ 1:09pm

Now the sender's IP (192.168.100.5) can be associated with the harvester's IP (192.168.0.123). Two more scenarios. First, if another server sends a message to tjohnson@pillars.ragtag.com then we can also associate that sending IP with the original harvester IP. Second, if another sending IP sends to the john.smith@xyz-internet.com address then it too can be included in the profile of the spam servers associated with the harvester.

One thing to remember is that a significant percentage of spam being sent today is being relayed through "zombie" machines. Since more than one spammer may share the same zombie network, you'll often see multiple harvesters associated with a single spam server. In fact, the current ratio is about 50 spam servers for each harvester. That number is actually probably SIGNIFICANTLY higher in reality, and we're making some changes to the project to see a broader swath of the spam servers.

One thing you didn't ask about are dictionary attackers. They're the easiest of all to describe. Since we have a TON of domains pointing at our mail servers, we watch for what email addresses those servers receive mail at. If the address sent to is not one that we have affirmatively handed out then it is likely someone is just attacking the domain space with random usernames. If we notice a pattern over a certain period of time, then the IP gets listed as exhibiting dictionary-attack-like behavior.

Hopefully that all makes sense and answers all your questions.
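The chain of events in this reply, worked through as an added Python example that is not Project Honey Pot's own code: the two spam-trap addresses above are issued to the harvester IP, a message arriving at a trap ties the connecting SMTP client IP to that harvester, mail to addresses never handed out is counted as the dictionary-attack signal, and IPs within 255 of each other are treated as "in the neighborhood". The listing threshold, the second sending IP and the never-issued addresses are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address


class HoneyPotLinker:
    """Ties spam-sending IPs to harvester IPs through unique spam-trap addresses."""

    def __init__(self, neighborhood=255):
        self.trap_to_harvester = {}               # spam trap address -> harvester IP
        self.harvester_to_servers = defaultdict(set)  # harvester IP -> sending IPs
        self.unissued_hits = defaultdict(int)     # sender IP -> mail to never-issued addresses
        self.neighborhood = neighborhood          # assumed +/- range for "in the neighborhood"

    def hand_out_trap(self, harvester_ip, trap):
        # Each trap address is unique and handed out exactly once.
        if trap in self.trap_to_harvester:
            raise ValueError(f"trap address already issued: {trap}")
        self.trap_to_harvester[trap] = harvester_ip

    def receive_mail(self, sender_ip, recipient):
        # sender_ip is the connecting SMTP client, not a parsed Received header.
        harvester = self.trap_to_harvester.get(recipient)
        if harvester is None:
            self.unissued_hits[sender_ip] += 1     # random-username signal
            return None
        self.harvester_to_servers[harvester].add(sender_ip)
        return harvester

    def dictionary_attackers(self, threshold=3):
        # threshold is a constructed value; the real listing rule is not given in the post.
        return {ip for ip, n in self.unissued_hits.items() if n >= threshold}

    def neighbors(self, ip):
        known = set(self.trap_to_harvester.values()) | set(self.unissued_hits)
        for servers in self.harvester_to_servers.values():
            known |= servers
        center = int(ip_address(ip))
        return {k for k in known
                if k != ip and abs(int(ip_address(k)) - center) <= self.neighborhood}


def demo():
    linker = HoneyPotLinker()
    linker.hand_out_trap("192.168.0.123", "john.smith@xyz-internet.com")
    linker.hand_out_trap("192.168.0.123", "tjohnson@pillars.ragtag.com")
    linker.receive_mail("192.168.100.5", "tjohnson@pillars.ragtag.com")
    linker.receive_mail("192.168.100.77", "john.smith@xyz-internet.com")  # constructed sender
    for user in ("alice", "bob", "carol"):     # constructed: addresses never handed out
        linker.receive_mail("192.168.100.9", f"{user}@xyz-internet.com")
    return linker
```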


