Message Board

Tracking Harvesters/Spammers

PHP Reports

Author: J.Johnson (24 Mar 05 11:07am)

Though I have elected to receive reports from PHP when a bot that fell into the trap is identified, I appear not to be receiving reports. I am not certain however whether the spambots identified in the stats for my sites spammed addresses associated with the address harvested through the honey pot on my site, or they are identified spambots that happened to hit my sites. If they are spambots that happened to hit my sites, but have not sent spam to an address harvested on their visit, I do not understand the relevance of posting their visit.

Once this is resolved, would it also be reasonable to request that copies of the spam received be forward with the report? My experience has been that abuse desk personnel either have strict limitations on their actions that require a copy of the spam, or, if they simply will not confirm the record on the PHP site, they and management are incapable of thinking outside the box and understand the significance of the records accrued by PHP.

Since confirming that spam was received at an address associated with a bot by clicking over to the PHP site takes time, I'll add that I can't take too critical a position on any abuse personnel who will not do so to verify a report.

I do however wonder whether PHP sends reports to service providers in addition to law enforcement, and, if so, are reports also sent to registrars when the bot can be identified with a domain (and not just an ISP account). My preference, when taking aim on a spammer is to whack their domain, which causes them considerably more pain than the loss of a hosting service they can replace in a matter of hours for chump change.

These factors are important to me, because I have installed my own means of identifying bots, but protect my own addresses and cannot seem to affect action against a perp on the part of service providers without all the evidence.

In part, I suspect I may have outsmarted myself by using complex alpha-numeric usernames in my own bait addresses to preclude the likelihood that the spam may be consequent to a dictionary attack. Does anyone know whether bots may be programmed to discard addresses like M.4907a-pQx_vHZ3d@domain.ext?

In explanation, the ability to differentiate between spam received consequent to an address associated with a spambot and one used in a dictionary attack can provide more targets for my reporting procedures. Whereas spam related to a dictionary attack can reveal both an ISP and hosting account to target, spambots can often be associated with a third account or domain.

Re: PHP Reports

Author: M.Prince (24 Mar 05 12:29pm)

If you select the option in your preferences then you get a notice every time your honey pot is the FIRST to identify a new harvester. If a previously identified harvester visits your site, but your site was not the first to identify it, then it is listed on your top-25 list. (PS - We're working on showing you more than the Top-25 for your own site. We just need to make sure it doesn't create caching issues.)

For typical honey pots, we cannot forward the messages received at your honey pot. There are a number of technical reasons for this. We are beginning to work with law enforcement, ISPs, and other groups involved in the anti-spam fight. We've found so far that these groups are more interested in reports about the space they control, rather than a raw message feed. To that end, we're working on a couple of things to give them these reports.

For example, we're building a service where ISPs can give us their AS-Macro and we'll give them a daily report if any harvesting or spam sending is going on within their IP space. Our intent is to make the service free to any ISPs that are active participants in the Project. We'll have more information on the new service up on the site shortly.

While I'm not sure if your strangely formatted addresses will be ignored by harvesters and removed by lists by spammers, we have checked our own systems. Statistically, there appears to be no preference between the various username formats we are using (e.g., john.smith, john_smith, johnasmith, jsmith, apple42, applejohn, jas48, etc...). Additionally, spammers are as likely to send to an address formed with a 3- or 4-level domain (e.g., level4.level3.example.com) as they are to send to an address formed with a typical 2-level domain.

We've submitted a paper analyzing our data to the upcoming CEAS conference (http://www.ceas.cc/). If we're accepted to that, we'll be presenting a lot of information on what addresses spammers prefer and, maybe more importantly, what addresses they avoid.