Message Board

Bugs & Development

Honeypot detectable?

Author: S.Enbom (7 May 07 9:08am)

Should the honeypot script be made more random and harder to recognize?

To me it seems quite recognizable, so that can write a script that recognizes it as P.H.P and ignores the honey emails/form in it.

Some fuzzy logic like: If file contains "font-family: courier, monospace", roughtly 63? number of lines, roughly x number of email addresses etc etc then it is a P.H.P

Re: Honeypot detectable?

Author: M.Prince (7 May 07 12:39pm)

The headers are randomized at honey pot creation time. This randomizes the honey pot's length, its headers, and virtually every other element of the page. In other words, your honey pot is different from everyone else's honey pot.

Once created, however, your own honey pot will always have the same core content. This is because some very smart harvesters reload the page and look for changes. If they see anything change that shouldn't, they ignore the emails on the page. Virtually all of your page is static other than the content we pass back to it -- and that is cached in such a way as to trick the reloading, clever harvesters.

In terms of the number of addresses handed back, that too is randomized and will change from page load to page load of your honey pot. We control the number of addresses displayed at the server level. Some honey pots will always hand out only a single address. Others, will hand out multiple addresses. This is a relatively recent change to the Project and we are still experimenting with it.

Re: Honeypot detectable?

Author: S.Chu (8 May 07 12:10am)

I also have a concern about Project being detected by spambots. Aren't the donated MX records something the the bots can work on? If I understand correctly, all the MX records contain (I assume) the same honey pot email server address. Don't all the bots need to do is a DNS query to get the server part of harvested email addresses and see if any of those points to P.H.P. servers? I know most bots are not clever enough to do that now. But what's stopping them later?

Sorry if the questions are too stupid. I am new to this kind of things. And I hope this project works for I HATE spams.

Re: Honeypot detectable?

Author: M.Prince (8 May 07 3:09am)

It is certainly true that a clever spammer can probably figure out many of the spam trap addresses, it would be tough to figure all of them out. Not to give away all the secrets, but we do several things to make all our mail servers difficult to locate. But, the problem you describe, is one we've thought a lot about.

Here's something interesting: the day after we announced our big lawsuit we had a measurable drop in the amount of spam we receive. Guess we got the spammers' attention. This seems like a bad thing, but really I think it's an opportunity.

We can play the cat-and-mouse game of hiding our mail server IPs -- and we will -- but ultimately the way to hide our spam traps is to have the same mail servers we use for trapped email also handle legitimate email.

Imagine this: what if we offered a service where our members who ran mail servers could simply point their legitimate mail to our servers and see a significant decrease in the amount of spam they receive, without any risk of false positives. The process would be similar to donating an MX entry. Nothing, beyond your DNS MX settings, would need to change. Whatever you're doing now for spam filtering still works, just on a mail message's path to your mail server it runs briefly through ours.

Then there would literally be no way for a spammer to tell a spam trap address from a regular address. While some spammers would just keep sending their messages, some would decide it was easier to just eliminate any addresses that ended up at our mail servers. If we could eliminate 20% of mail hitting your gateway it would make your existing filters more effective and decrease stress on your systems.

Now, of course, there are a lot of challenges we need to address before we can implement something like this. It would dramatically increase our bandwidth usage so we'd need to charge some nominal fee (we're hoping we can do it $20/year or less). But if you could get a bit less spam with no risk of false positives, and you could help us better hide our spam traps, would it be something you'd be interested in??

If so, let us know.

Re: Honeypot detectable?

Author: S.Chu (8 May 07 9:32pm)

Sure I'd be interested. I'd do anything within my power to make spammers' life harder. :)

Ever thought of some cooperation with major email server operators like google or yahoo? Imagine all the gmail and yahoo email addresses are possible trap addresses. That would be something.