Security/Honeypots and Honeynets - Securityfocus: Fighting Spammers With Honeypots
http://www.securityfocus.com/infocus/1747

This paper evaluates the usefulness of using honeypots to fight spammers. (November 26, 2003)
Fighting Spammers With Honeypots: Part 1

For stupid spambots

This script will dynamically generate a mailto: link, containing a fake email address built from the IP of the current Web client and the date. For example:

    <a href="mailto:80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org">...

If the Web client is a spambot, it will add 80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org to its database of potential targets. Now suppose that a spammer uses this database. He will probably send an email to this virtual address. The mail server administrator can then filter incoming emails by looking at the recipients (on your MTA, or possibly on your MUA [Mail User Agent]). If you receive an email destined to 80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org, then you know for sure that 80.13.aa.bb is the IP address that was used on November 17, 2003. More than that, you know that this address was a spam harvesting source.

    # Example of a simple recipient filtering with Mimedefang [http://www.mimedefang.org/]
    # Will filter incoming email containing a recipient address in the form
    # of those created by the latter PHP example.
    sub filter_recipient {
        my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
        # Pattern reconstructed from the address format shown above:
        # <IP>_<YY-MM-DD>-spamming@frenchhoneynet.org, optionally wrapped in <>.
        if ($recipient =~ /^<?\d+\.\d+\.\d+\.\d+_\d\d-\d\d-\d\d-spamming\@frenchhoneynet\.org>?$/i) {
            return ("REJECT", "Spamming activity");
        }
        return ("CONTINUE", "ok");
    }

Though those techniques seem interesting, they will only work with stupid spambots, ones which are probably not used by skilled spammers.
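The same recipient check, plus the follow-up step the text describes (recovering the harvester's IP and the harvest date from the trapped address), as an added example that is not part of the article or of Mimedefang. The trap domain and the MTA log lines are constructed; the IPs come from documentation ranges.

```python
import re
from datetime import date

# Trap addresses have the form <IP>_<YY-MM-DD>-spamming@<domain>, the format the
# mailto: trick above generates. Domain and sample log lines are constructed here.
TRAP_DOMAIN = "frenchhoneynet.org"
TRAP_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<yy>\d\d)-(?P<mm>\d\d)-(?P<dd>\d\d)-spamming@"
    + re.escape(TRAP_DOMAIN) + r"$",
    re.IGNORECASE,
)

def parse_trap_address(recipient):
    """Return (harvester_ip, harvest_date) for a trap address, or None for anything else."""
    m = TRAP_RE.match(recipient.strip().strip("<>"))
    if not m or any(int(o) > 255 for o in m.group("ip").split(".")):
        return None
    try:
        when = date(2000 + int(m.group("yy")), int(m.group("mm")), int(m.group("dd")))
    except ValueError:  # malformed date in an address someone typed by hand
        return None
    return m.group("ip"), when

def filter_recipient(recipient):
    """Same decision as the Mimedefang hook: reject mail addressed to a trap address."""
    if parse_trap_address(recipient) is not None:
        return ("REJECT", "Spamming activity")
    return ("CONTINUE", "ok")

def harvesters_from_log(lines):
    """Map each harvester IP to the dates it was seen, from to=<...> fields in MTA logs."""
    seen = {}
    for line in lines:
        for rcpt in re.findall(r"to=<([^>]+)>", line):
            hit = parse_trap_address(rcpt)
            if hit:
                seen.setdefault(hit[0], set()).add(hit[1])
    return seen

# Constructed sample log lines (documentation-range IPs, not real harvesters).
SAMPLE_LOG = [
    "Nov 20 10:01:02 mx sendmail[123]: from=<spam@example.com>, to=<192.0.2.17_03-11-17-spamming@frenchhoneynet.org>",
    "Nov 20 10:05:44 mx sendmail[124]: from=<alice@example.org>, to=<bob@frenchhoneynet.org>",
    "Nov 21 09:12:00 mx sendmail[125]: from=<spam@example.net>, to=<192.0.2.17_03-11-18-spamming@frenchhoneynet.org>",
    "Nov 21 11:00:00 mx sendmail[126]: from=<x@example.com>, to=<198.51.100.9_03-11-18-spamming@frenchhoneynet.org>",
]

if __name__ == "__main__":
    for ip, dates in sorted(harvesters_from_log(SAMPLE_LOG).items()):
        print(ip, sorted(d.isoformat() for d in dates))
```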
The more sophisticated spammers may use open proxies to crawl the net; the dynamically created email address will then only help with finding such proxies, and the spammer will keep his anonymity.

2.2 Honeypots and open proxies

One of the main paths used by spammers to reach mail servers goes through open proxies that accept and freely transmit requests. Those open proxies play the role of screens for the spammers that hide behind them.

So, would it be so difficult to set up a fake open proxy in a honeypot? No, and that's what we are going to look at.

By looking at your firewall logs, you'll probably notice attempts to access TCP ports like:

    1080 socks proxy server
    3128 squid proxy server
    8080 web caching service

Many basement-dwelling people "courageously" hiding behind their monitor, and using tools they don't understand, will scan the net to map all interesting services. Some of them share their information in public lists of proxies on the Internet (just use Google and search for things like "open proxies list"). By connecting to the answering TCP ports and sending a few packets, one can tell whether the proxy is open or not (will it accept and go anywhere?).

What if we set up some honeypots that answer positively to incoming requests? We'll be able to fool some spammers.

My favorite honeypot, made by Niels Provos, is called Honeyd [ref 9].
To create a fake relay server, simulating open proxies and an open mail relay, you could use such a configuration file:

    create relay
    set relay personality "OpenBSD 2.9-stable"
    add relay tcp port 25 "sh /usr/local/share/honeyd/scripts/sendmail.sh $ipsrc $sport $ipdst $dport"
    add relay tcp port 3128 "sh /usr/local/share/honeyd/scripts/squid.sh $ipsrc $sport $ipdst $dport"
    add relay tcp port 8080 "sh /usr/local/share/honeyd/scripts/proxy.sh $ipsrc $sport $ipdst $dport"
    set relay default tcp action block
    set relay default udp action block
    bind 192.168.1.66 relay

This will ask Honeyd to simulate an OpenBSD 2.9 computer with the IP 192.168.1.66 and three TCP ports opened: 25, 3128 and 8080. For each incoming request on those ports, Honeyd will launch the appropriate fake service (sendmail.sh, squid.sh, proxy.sh). If those services want to see what was sent by the spammers, they just have to read data from STDIN. To reply to the spammers, they just have to write data to STDOUT (like a classical inetd process).

To fool the remote spammer, we'll have to simulate part or all of the discussion. As an interesting proof of concept, we will look at the tool called Bubblegum Proxypot [ref 10], which is a sharp, small tool. The only goal of this tool is to fool active spammers by simulating an open proxy. In comparison with Honeyd, it cannot simulate anything else (Honeyd may be used to simulate anything you need), it cannot change its IP stack behavior, etc. Though it's a simpler tool, we'll quickly learn many things about spammers with it.

Depending on his skill, the spammer will either simply check that the proxy is open, or perhaps try to see if it is working properly. Remember that the spammer's goal is to make money. Thus spammers cannot afford to lose much time sending thousands of emails out for nothing.
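A minimal fake SMTP service of the kind Honeyd launches on port 25, as an added example that is not the article's sendmail.sh nor Proxypot's code: it reads the spammer's commands from STDIN, answers on STDOUT and logs to STDERR, accepts the envelope, rate-limits RCPT, and refuses DATA every time so that nothing can ever be relayed. The banner, host name and recipient limit are constructed values.

```python
import sys

# Constructed banner and recipient limit (not the article's script values).
BANNER = "220 mx.example.net ESMTP ready"
MAX_RCPT = 5  # rate-limit RCPT, as Proxypot's smtp3 mode does

def fake_smtp_reply(state, line):
    """Answer one client command. DATA is always refused, so nothing is relayed."""
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd in ("HELO", "EHLO"):
        return "250 mx.example.net Hello"
    if cmd == "MAIL":
        state["sender"], state["rcpts"] = arg, []
        return "250 2.1.0 Sender ok"
    if cmd == "RCPT":
        if len(state.setdefault("rcpts", [])) >= MAX_RCPT:
            return "452 4.5.3 Too many recipients"
        state["rcpts"].append(arg)
        return "250 2.1.5 Recipient ok"
    if cmd == "DATA":
        return "554 5.7.1 Transaction failed"  # the one command that would deliver spam
    if cmd in ("VRFY", "EXPN"):
        return "252 2.5.2 Cannot verify"
    if cmd == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.1 Command unrecognized"

def run_session(client_lines):
    """Replay a captured session from a list; returns (server replies, final state)."""
    state, replies = {}, [BANNER]
    for line in client_lines:
        replies.append(fake_smtp_reply(state, line))
        if line.strip().upper() == "QUIT":
            break
    return replies, state

def main():
    """Honeyd/inetd style: commands arrive on stdin, replies go to stdout, a log to stderr."""
    state = {}
    print(BANNER, flush=True)
    for line in sys.stdin:
        reply = fake_smtp_reply(state, line)
        print(reply, flush=True)
        sys.stderr.write("client: %r -> %s\n" % (line.strip(), reply[:3]))
        if line.strip().upper() == "QUIT":
            break

if __name__ == "__main__":
    main()
```

Wired into the Honeyd configuration above in place of sendmail.sh, the recorded envelopes show which recipients the spammer tried and how many messages he attempted per session.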
On my temporary honeypots, I saw both of the above behaviors.

With Proxypot, you can choose one of three possible configurations to fool the spammers:

smtp1: the whole SMTP connection is faked. Pros: no SMTP outbound traffic is needed, so it will save your network bandwidth. Cons: this will only fool novices, and you'll have to choose the kind of SMTP server to simulate. If the spammer connects to the proxy and asks to go to a Sendmail server while you are faking a Qmail server, he may notice that it is a honeypot.

smtp2: connect to the real SMTP server, read its 220 banner and maybe issue a HELP command to find out what kind of server it is, then hang up and use that information to fake a more convincing SMTP session. Pros: if the spammer knows the version of the targeted email server, he will believe this is the real one and you won't have much of a fingerprinting problem. Cons: this will generate outbound traffic. You have to be sure of the software used, to avoid being used as either a real spam relay or a hack relay. If the spammer targets an SMTP server he owns, for example for his first email, he will notice that the SMTP session he sees through the proxy is not the same as the one going to his mail server.

smtp3: connect to the real SMTP server and pass through all recognized commands except DATA and EXPN. RCPT and VRFY are rate-limited. Pros: this is the extreme simulation and it's almost impossible to do better, because using DATA properly would deliver the email, and this is something you want to avoid. Cons: like every simulator, a spammer may discover that this is not a real one, and fingerprinting possibilities will still exist.

I personally used the option smtp2 and got thousands of spam through it.

[Continue to Part 2]

Credits

Thanks to Niels Provos for his ideas and reviewing.

About the Author

Laurent OUDOT is a computer security engineer employed by the Commissariat a l'Energie Atomique in France.
In his spare time, he is a member of the team Rstack with other security addicts. Concerning honeypots, Laurent is an active member of the French Honeynet Project, which is part of the Honeynet Alliance. View more articles by Laurent Oudot on SecurityFocus.

References for Part 1

[ref 0] Spam food
[ref 1] Monty Python, The SPAM sketch
[ref 2] The Infamous Monty Python Spam Skit, in streaming RealVideo
[ref 3] Uri Raz, How do spammers harvest email addresses?
[ref 4] Snort Intrusion Detection System
[ref 5] Lance Spitzner, "Honeypots, tracking the hackers", 2002
[ref 6] http://diveintomark.org/archives/2003/02/26/how_to_block_spambots_ban_spybots_and_tell_unwanted_robots_to_go_to_hell
[ref 7] Wpoison, a CGI to annoy harvesters with spam bots
[ref 8] Live demo of Wpoison
[ref 9] Niels Provos, Honeyd, the daemon to build honeypots
[ref 10] Proxypot, a fake proxy daemon to fool spammers

[continued in Part 2]

SecurityFocus accepts Infocus article submissions from members of the security community. Articles are published based on outstanding merit and level of technical detail. Full submission guidelines can be found at http://www.securityfocus.com/static/submissions.html.