About site: Security/Honeypots and Honeynets - Securityfocus: Fighting Spammers With Honeypots
http://www.securityfocus.com/infocus/1747
This paper evaluates the usefulness of using honeypots to fight spammers. (November 26, 2003)
This is websites2007.org cache of m/ as retrieved on 2008.08.29 websites2007.org's cache is the snapshot that we took of the page as we crawled the web. The page may have changed since that time.
Fighting Spammers With Honeypots: Part 1

For stupid spambots';?>

This script will dynamically generate a mailto: link containing a fake email address built from the IP address of the current Web client and the date. For example:

    <a href="mailto:80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org">...

If the Web client is a spambot, it will add 80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org to the database of potential targets. Now suppose that a spammer uses this database. He will probably send an email to this virtual address.

Then the mail server administrator can filter incoming emails by looking at the recipients (on your MTA or possibly on your MUA [Mail User Agent]). If you receive an email destined to 80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org, then you surely know that 80.13.aa.bb is the IP address that was used on November 17, 2003. More than that, you know that this address was a spam harvesting source.

    # Example of simple recipient filtering with MIMEDefang [http://www.mimedefang.org/]
    # Rejects incoming email whose recipient address has the form
    # created by the preceding PHP example.
    sub filter_recipient {
        my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
        # Pattern rebuilt from the address format shown above:
        # <ip>_<yy-mm-dd>-spamming@frenchhoneynet.org, angle brackets optional.
        if ($recipient =~ /^<?\d{1,3}(?:\.\d{1,3}){3}_\d\d-\d\d-\d\d-spamming\@frenchhoneynet\.org>?$/i) {
            return ("REJECT", "Spamming activity");
        }
        return ("CONTINUE", "ok");
    }

Though those techniques seem interesting, they will only work with stupid spambots, ones which are probably not used by skilled spammers.
The more sophisticated spammers may use open proxies to crawl the net, so the dynamically created email address will only help with finding such proxies, and the spammer will keep his anonymity.

2.2 Honeypots and open proxies

One of the main paths used by spammers to reach mail servers is through open proxies that accept and freely transmit requests. Those open proxies act as screens for the spammers who hide behind them.

So, would it be so difficult to set up a fake open proxy in a honeypot? No, and that's what we are going to look at.

By looking at your firewall logs, you'll probably notice attempts to access TCP ports like:

    1080  socks proxy server
    3128  squid proxy server
    8080  web caching service

Many basement-dwelling people "courageously" hiding behind their monitor, and using tools they don't understand, will scan the net to map all interesting services. Some of them share their information in public lists of proxies on the Internet (just use Google and search for things like "open proxies list"). Connecting to the answering TCP ports and sending a few packets may help to determine whether the proxy is open or not (will it accept and go anywhere?).

What if we set up some honeypots that will answer positively to incoming requests? We'll be able to fool some spammers.

My favorite honeypot, made by Niels Provos, is called Honeyd [ref 9].
To create a fake relay server, simulating open proxies and an open mail relay, you could use a configuration file such as:

    # Template for the fake relay host
    create relay
    set relay personality "OpenBSD 2.9-stable"
    # One fake service script per simulated port
    add relay tcp port 25 "sh /usr/local/share/honeyd/scripts/sendmail.sh $ipsrc $sport $ipdst $dport"
    add relay tcp port 3128 "sh /usr/local/share/honeyd/scripts/squid.sh $ipsrc $sport $ipdst $dport"
    add relay tcp port 8080 "sh /usr/local/share/honeyd/scripts/proxy.sh $ipsrc $sport $ipdst $dport"
    # Everything else is blocked
    set relay default tcp action block
    set relay default udp action block
    bind 192.168.1.66 relay

This will ask Honeyd to simulate an OpenBSD 2.9 computer with the IP 192.168.1.66 and three open TCP ports: 25, 3128 and 8080. For each incoming request to those ports, Honeyd will launch the appropriate fake service (sendmail.sh, squid.sh, proxy.sh). If those services want to see what was sent by spammers, they just have to read data from STDIN. To reply to the spammers, they just have to write data to STDOUT (like a classic inetd process).

To fool the remote spammer, we'll have to simulate part or all of the discussion. As an interesting proof of concept, we will look at the tool called Bubblegum Proxypot [ref 10], which is a sharp, small tool. The only goal of this tool is to fool active spammers by simulating an open proxy. Unlike Honeyd, it cannot simulate anything else (Honeyd may be used to simulate anything you need), it cannot change its IP stack behavior, etc. Though it's a simpler tool, it lets us quickly learn many things from spammers.

Depending on his skill, the spammer will either simply check that the proxy is open, or perhaps try to see if it is working properly. Remember that the spammer's goal is to make money. Thus spammers cannot afford to lose much time sending thousands of emails out for nothing.
On my temporary honeypots, I saw both of the above behaviors.

With Proxypot, you can choose one of three possible configurations to fool the spammers:

smtp1: the whole SMTP connection is faked.
    Pros: no outbound SMTP traffic is needed, so it will save your network bandwidth.
    Cons: this will only fool novices, and you'll have to choose the kind of SMTP server to simulate. If the spammer connects to the proxy and asks to go to a Sendmail server while you are faking a Qmail server, he may notice that it is a honeypot.

smtp2: connect to the real SMTP server, read its 220 banner and maybe issue a HELP command to find out what kind of server it is, then hang up and use that information to fake a more convincing SMTP session.
    Pros: if the spammer knows the version of the targeted email server, he will believe this is the real one and you won't have much of a fingerprinting problem.
    Cons: this will generate outbound traffic. You have to be sure of the software used, to avoid being used as either a real spam relay or a hack relay. If the spammer targets an SMTP server he owns, for example for his first email, he will notice that the SMTP session he sees through the proxy is not the same as the one going to his mail server.

smtp3: connect to the real SMTP server and pass through all recognized commands except DATA and EXPN. RCPT and VRFY are rate-limited.
    Pros: this is the extreme simulation and it's almost impossible to do better, because using DATA properly would deliver the email and this is something you want to avoid.
    Cons: like every simulator, a spammer may discover that this is not a real one, and fingerprinting possibilities will still exist.

I personally used the option smtp2 and got thousands of spam through it.

[Continue to Part 2]

Credits

Thanks to Niels Provos for his ideas and reviewing.

About the Author

Laurent OUDOT is a computer security engineer employed by the Commissariat a l'Energie Atomique in France.
In his spare time, he is a member of the team Rstack with other security addicts. Concerning honeypots, Laurent is an active member of the French Honeynet Project, which is part of the Honeynet Alliance.

References for Part 1

[ref 0] Spam food
[ref 1] Monty Python, The SPAM sketch
[ref 2] The Infamous Monty Python Spam Skit, in streaming RealVideo
[ref 3] Uri Raz, How do spammers harvest email addresses?
[ref 4] Snort Intrusion Detection System
[ref 5] Lance Spitzner, "Honeypots, tracking the hackers", 2002
[ref 6] http://diveintomark.org/archives/2003/02/26/how_to_block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell
[ref 7] Wpoison, a CGI to annoy harvesters with spam bots
[ref 8] Live demo of Wpoison
[ref 9] Niels Provos, Honeyd the daemon to build honeypots
[ref 10] Proxypot, a fake proxy daemon to fool spammers

[continued in Part 2]
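The tagged-address technique described before section 2.2, as an added example (not code from the article or from the French Honeynet Project): Python that builds the trap address for a web client and decodes trap recipients seen by the mail server back into harvester IP and harvest date. The function names and the sample recipients are constructed for illustration; the domain and the address layout are the article's.

```python
import ipaddress
import re
from datetime import date, datetime

HONEY_DOMAIN = "frenchhoneynet.org"   # domain used in the article's example address

# <ip>_<yy-mm-dd>-spamming@domain, optionally wrapped in <> as mail filters often see it
_TOKEN_RE = re.compile(
    r"^<?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<day>\d{2}-\d{2}-\d{2})-spamming@"
    + re.escape(HONEY_DOMAIN) + r">?$",
    re.IGNORECASE,
)

def make_honey_address(client_ip: str, when: date) -> str:
    """Build the trap address to publish to one web client (hypothetical helper)."""
    ip = ipaddress.IPv4Address(client_ip)          # raises ValueError on junk input
    return f"{ip}_{when:%y-%m-%d}-spamming@{HONEY_DOMAIN}"

def decode_honey_recipient(rcpt: str):
    """Return (harvester_ip, harvest_date) for a trap recipient, else None."""
    m = _TOKEN_RE.match(rcpt.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))                   # rejects 999.1.1.1
        day = datetime.strptime(m.group("day"), "%y-%m-%d").date()  # rejects 03-13-40
    except ValueError:
        return None
    return str(ip), day

def harvest_report(recipients):
    """Map each harvester IP to the sorted dates on which it scraped the page."""
    report = {}
    for rcpt in recipients:
        hit = decode_honey_recipient(rcpt)
        if hit:
            report.setdefault(hit[0], set()).add(hit[1])
    return {ip: sorted(days) for ip, days in report.items()}

# Constructed sample recipients, as a mail filter would receive them
SAMPLE_RCPTS = [
    "<192.0.2.44_03-11-17-spamming@frenchhoneynet.org>",
    "192.0.2.44_03-11-19-SPAMMING@FrenchHoneynet.org",
    "<postmaster@frenchhoneynet.org>",                    # ordinary mail, not a trap
    "<999.1.1.1_03-11-17-spamming@frenchhoneynet.org>",   # malformed octet, ignored
]
```

As the article points out, the decoded IP may belong to an open proxy rather than to the spammer's own host.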
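A fully faked SMTP dialogue in the spirit of the smtp1 mode and of the STDIN/STDOUT service model described for Honeyd, as an added example (not Proxypot's or Honeyd's own code). The host name, banner text and reply strings are constructed; the session records what the client sends and never opens an outbound connection.

```python
import sys

HOST = "mail.example.test"                      # constructed name for the simulated server
BANNER = f"220 {HOST} ESMTP Sendmail; ready"    # the banner decides which MTA is being faked

class FakeSmtpSession:
    """smtp1-style dialogue: answers like an MTA, records everything, relays nothing."""

    def __init__(self):
        self.envelope = {"helo": None, "mail_from": None, "rcpt_to": [], "data": []}
        self.in_data = False

    def handle(self, raw):
        """Return the reply for one client line, or None while inside DATA."""
        line = raw.rstrip("\r\n")
        if self.in_data:
            if line != ".":
                self.envelope["data"].append(line)   # kept for analysis only
                return None
            self.in_data = False
            return "250 2.0.0 Message accepted for delivery"  # nothing is sent
        verb, _, arg = line.partition(" ")
        verb, uarg = verb.upper(), arg.upper()
        if verb in ("HELO", "EHLO"):
            self.envelope["helo"] = arg
            return f"250 {HOST} Hello"
        if verb == "MAIL" and uarg.startswith("FROM:"):
            self.envelope["mail_from"] = arg[5:].strip()
            return "250 2.1.0 Sender ok"
        if verb == "RCPT" and uarg.startswith("TO:"):
            self.envelope["rcpt_to"].append(arg[3:].strip())
            return "250 2.1.5 Recipient ok"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {HOST} closing connection"
        return "500 5.5.1 Command unrecognized"

if __name__ == "__main__":   # service mode: client lines on STDIN, replies on STDOUT
    session = FakeSmtpSession()
    print(BANNER, end="\r\n", flush=True)
    for raw in sys.stdin:
        reply = session.handle(raw)
        if reply is not None:
            print(reply, end="\r\n", flush=True)
        if reply and reply.startswith("221"):
            break
    sys.stderr.write(repr(session.envelope) + "\n")   # captured envelope for the analyst
```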