 Can't they just check?
Author: D.Barker   (27 Oct 04 12:26pm)
Why can't the harvesters check if the MX addresses a Honeypot address, and ignore the email address? Seems like a hole in our logic. Maybe we should be distributing relays too!
 
 Re: Can't they just check?
Author: M.Prince   (27 Oct 04 4:17pm)
First, thanks for the feedback! It's valuable to have people kicking the tires and thinking of issues we may have missed.

I agree with your assessment, and it's one of the issues for which we continue to work to find an elegant solution. While hardly elegant, here's what we've come up with so far. Initially, we think that we have a window of time where we're flying under the radar and spammers will either not know about us or ignore us. After that period, I think spammers will begin to adjust and we'll have to adjust with them. Our crude solution is to just periodically change the IP address of our mail servers and host machines on different providers and different subnets. There is some rate at which spammers are able to adjust themselves and share information with each other. As long as we can stay slightly ahead of that rate, I think we'll be relatively successful. Unfortunately, over time that rate is likely to get faster and faster.

In the longer term, and slightly more elegant, we've looked into basing our mail servers' DNS records on a dynamic and automatically rotating DNS. Getting a big chunk of IP Address space will be challenging, but we've begun talking with different providers on how we can do that. This isn't a complete solution to the problem, but does buy us a bit more time and makes a harvester's job harder. To some extent all technology and law can do in this fight is raise the barriers to entry for spammers and harvesters. While I'm sure professional harvesters will keep playing the arms race (as spam senders have with filter authors), if we can make it too expensive or too difficult for new entrants to get into the market then we will have accomplished something. Not a completely satisfying answer, but hopefully a realistic one.

The one advantage that we have in this particular arms race is that, unlike filtering, we're in the better position. It only takes a few messages arriving at a honey pot address in order to trigger the identification of a harvester. Even if spammers are able to determine a huge percentage of the addresses we use, and stop our messages from going through to our IPs, if one slips through the cracks we've got them. This should have the effect of, at least, changing the harvesting business model. Our anecdotal evidence is that there's a class of individuals participating in the spam trade who do nothing more than harvest and sell their lists. It's going to be difficult for them to provide instructions to every spammer they sell their list to on how to not send to our ever-changing mail servers' IPs.

Finally, if spammers do completely exclude the block of IPs we use then we may start offering our members a new service -- allowing them to route their legitimate mail through our MXs. It may serve as an efficient and effective way to filter out at least certain spammers -- sort of like the problem of false positives in reverse. In fact, one solution may be to partner with large existing filter companies like MessageLabs, Brightmail, Postini, or various ISPs which already serve as central clearing houses for legitimate mail. If our mail server IPs look, to the outside world, the same as their mail server IPs I think the benefits may be mutual.

We're open to any other ideas -- the problem you point out seems like one of the biggest vulnerabilities to the system, so I welcome your thoughts.

Again, thanks for your feedback!

Matthew.
 
 Re: Can't they just check?
Author: K.Risku   (29 Oct 04 11:53am)
Hi!
In addition to donating MX records, I would also be prepared to donate an actual IP address pointing to my own mailserver for my own MX records. I could then easily configure my mailserver to forward all incoming emails for the donated subdomains directly to a secret Project Honey Pot server, i.e., if any harvester tries to validate the MX records he will find it pointing to my server and suspect absolutely nothing!

Of course, donating capacity from a mailserver is technically a bit more challenging than just donating an MX record, but I bet there are plenty of mailserver administrators with both the interest and knowledge to give this kind of donation.

I'm in!

Regards,
Kai
 
 Re: Can't they just check?
Author: K.Seistrup   (21 Nov 04 1:10pm)
Hi,

> I could [...] easily configure my mailserver to forward all incoming
> emails for the donated subdomains directly to a secret Project
> Honey Pot server

So could I, and I'd be happy to do so.

Count me in.

Cheers,

// Klaus
 
 Re: Can't they just check?
Author: C.Kruslicky   (21 Nov 04 8:37pm)
This would be a nice next step in my opinion. Especially if it is easy to do so only for one's own donated MX records. I see this as being similar to your (M. Prince) solution in that legitimate mail and spamtraps use the same relay. That may not really be necessary though if there's a decently simple/trustworthy proxy people could install.

Plus there is the added benefit of distributing things a bit, to be more resilient to the DDoS situations that may come up if this is successful.
 
 Re: Can't they just check?
Author: S.Grayban2   (23 Nov 04 1:11am)
I like the idea of multi-MX servers. But the only drawback to that is eventually even those will get sniffed out and tagged by the harvester.

What I propose is something better.

Everyone that wants to donate MX records can do so, but the only difference is that, instead of activating them all at one time, we put them in a pool and monitor the active ones.

So say after 6 months we check the inbound counts and see if the harvest count has gone up/down or stayed steady.

Now if it has gone down and has very little action going on we can safely assume it has been tagged as a honeypot MX. So now all we do is activate a new MX and replace the one that got tagged. If we keep a steady number of active MXs relative to the pooled ones, we can accomplish more traps.

This is a lot better because we can rotate hundreds/thousands of donated MX records, but we don't need to use them all at one time from each account/user.

It will also keep the harvesters busy trying to figure out what domain is relaying to honeypot.
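The review-and-swap policy described in the post above, as an added example (illustrative code written for this thread, not Project Honey Pot's own tooling): each active record's recent inbound counts are compared with its earlier baseline, a record that has gone quiet is treated as tagged, and a dormant record from the pool takes its slot. The hostnames, monthly counts and thresholds are constructed for the example; a record that is too new to have a baseline is deliberately never judged, and a tagged record stays active when the pool runs dry.

```python
"""Added example: rotate a pool of donated spam-trap MX records by inbound counts.

Illustrative code for this thread, not Project Honey Pot's own tooling. It
implements the policy proposed above: keep a fixed set of MX records active,
compare each one's recent inbound counts with its earlier baseline, and when a
record goes quiet (a sign harvesters have tagged it) retire it and activate a
dormant record from the pool. Hostnames, counts and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean


@dataclass
class RotationResult:
    active: list[str]    # records that should carry MX traffic after this review
    retired: list[str]   # records judged tagged and swapped out
    pool: list[str]      # dormant records still waiting
    starved: int         # tagged records kept active because the pool ran dry


def trend(history: list[int], *, window: int = 4, change: float = 0.5, floor: int = 5) -> str:
    """Classify a record's inbound counts as "new", "up", "down" or "steady".

    The last `window` periods are compared with everything before them. A record
    with fewer than 2*window periods, or whose baseline never exceeded `floor`
    messages, is "new": a fresh trap takes time to be harvested, so a low count
    early on is not evidence of tagging.
    """
    if len(history) < 2 * window:
        return "new"
    baseline = mean(history[:-window])
    recent = mean(history[-window:])
    if baseline <= floor:
        return "new"
    if recent < (1 - change) * baseline:
        return "down"
    if recent > (1 + change) * baseline:
        return "up"
    return "steady"


def rotate(active: list[str], pool: list[str], counts: dict[str, list[int]]) -> RotationResult:
    """Swap quiet ("down") records for dormant ones, preserving the active count.

    The replacement takes the retired record's slot. When the pool is empty the
    tagged record stays active: even a mostly-avoided trap still catches the
    occasional list buyer who was never told which addresses to skip.
    """
    pool = list(pool)  # do not mutate the caller's pool
    kept: list[str] = []
    retired: list[str] = []
    starved = 0
    for mx in active:
        if trend(counts.get(mx, [])) == "down":
            if pool:
                retired.append(mx)
                kept.append(pool.pop(0))
            else:
                starved += 1
                kept.append(mx)
        else:
            kept.append(mx)
    return RotationResult(kept, retired, pool, starved)


# Constructed sample data: one inbound count per month for each active record.
SAMPLE_COUNTS = {
    "mx1.trap.example.org": [40, 52, 47, 61, 58, 49, 55, 60],  # steady: still being hit
    "mx2.trap.example.org": [38, 45, 50, 44, 12, 6, 3, 2],     # fell off a cliff: tagged
    "mx3.trap.example.org": [3, 2, 4],                         # only three months old
}
SAMPLE_ACTIVE = list(SAMPLE_COUNTS)
SAMPLE_POOL = ["mx4.trap.example.org", "mx5.trap.example.org"]


def review() -> RotationResult:
    """Run one review over the sample data; mx2 is retired and mx4 takes its slot."""
    return rotate(SAMPLE_ACTIVE, SAMPLE_POOL, SAMPLE_COUNTS)


if __name__ == "__main__":
    result = review()
    for mx in SAMPLE_ACTIVE:
        print(f"{mx}: {trend(SAMPLE_COUNTS[mx])}")
    print("active now:", result.active)
    print("retired:", result.retired, "pool left:", result.pool, "starved:", result.starved)
```

The window and the 50% drop are policy knobs, not magic numbers: a trap whose counts merely fluctuate should read "steady", so the comparison is between averages over several periods rather than between two single months, and the absolute floor stops a record that never drew traffic from being mistaken for one that was tagged.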
 
 Re: Can't they just check?
Author: S.Grayban2   (23 Nov 04 1:17am)
Adding to all this we could also ask for donated IPs to act as mail relays we can put in a pool that can be set up prior to its actual use/activation.

I think all this is possible with help from good IT people, especially users that control their own networks even at home.
 
 Re: Can't they just check?
Author: C.Brunner   (28 Nov 04 12:08am)
Count me in... I'd be glad to donate mail relays and/or IPs... just let me know when you're ready.
 
 Re: Can't they just check?
Author: R.Allard   (5 Dec 04 6:46pm)
I am also for donating IP addresses. That's the way to go in my mind. MX records alone aren't sufficient.
An interesting thing would be to only partially donate an IP, that means, you only forward mail for certain domains (i.e. those donated) to projecthoneypot servers, while still keeping legitimate mail going in with the IP. This is a very good solution, as if your IP is tagged by spammers to not deliver spam, they won't send spam to your legitimate domains as they are on the same IP as the fake ones. Of course, this kind of setup is quite a bit more complicated, but good mail admins should be able to sort this out ;).
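The "partial donation" that K.Risku and R.Allard describe above, as an added example for Postfix (not configuration from the thread or from Project Honey Pot): the donor's MX keeps delivering its own domains locally, accepts mail for the donated trap subdomain from anyone, and routes only that subdomain to a collector whose name appears nowhere in public DNS. All hostnames are invented; `collector.honeypot.invalid` stands in for whatever address the project would hand out privately.

```conf
# /etc/postfix/main.cf  (relevant lines only; hostnames are invented for this example)

# Domains whose mail is delivered locally as usual. The trap subdomain must
# NOT be listed here, or local delivery wins and unknown users bounce.
mydestination = $myhostname, mail.example.org, example.org

# The donated spam-trap subdomain. Postfix will accept mail for it from any
# client (reject_unauth_destination permits relay_domains) without delivering
# anything locally. relay_domains matches subdomains by default.
relay_domains = trap.example.org

# Per-domain routing table; any domain not listed there uses the defaults,
# so legitimate mail is untouched.
transport_maps = hash:/etc/postfix/transport

# Standard anti-open-relay policy: relay only for our own networks or for
# the domains above. Anything else is still rejected.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination


# /etc/postfix/transport  (run "postmap /etc/postfix/transport" after editing)
#
# The leading-dot form also catches hosts beneath trap.example.org. The
# brackets tell Postfix to connect to the name directly instead of looking
# up its MX, so the collector never needs a public MX record of its own.
trap.example.org     smtp:[collector.honeypot.invalid]
.trap.example.org    smtp:[collector.honeypot.invalid]
```

After `postfix reload`, `postmap -q trap.example.org hash:/etc/postfix/transport` should print the smtp route and `postmap -q example.org hash:/etc/postfix/transport` should print nothing. From the outside the picture is exactly what the posts want: the MX for `trap.example.org` resolves to the donor's ordinary mail server, and the only place the collector's address exists is in this file. Two things still deserve attention on the collector side: it should accept connections only from the donor MX addresses, and it should accept everything for the trap domain rather than rejecting unknown recipients, or the donor's queue fills with bounces to forged senders.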
 
 Re: Can't they just check?
Author: A.Jezierski   (14 Dec 04 12:20pm)
Count me in for relaying the spam. As long as the message traffic doesn't degrade our connection, I'm in.




Copyright © 2004–25, Unspam Technologies, Inc. All rights reserved.
