Stopping Spam Before the Gateway: Honeypots

By Steven J. Vaughan-Nichols | Nov 19, 2003
http://www.enterprisenetworkingplanet.com/netsysm/article.php/10954_3111121_2/Stopping-Spam-Before-the-Gateway-Honeypots.htm

Do you want to be aggressive – very aggressive – in stopping spam on your network? Then you might want to set up a fake open proxy or e-mail relay as a honeypot.

Honeypots are an ancient but eternally effective security tool. A honeypot in the network sense of the term is a server that looks like it has very attractive files as well as a nice little security hole in it. The idea is that crackers will be drawn to the honeypot in search of pirated copies of games, trade secrets, or such.

In reality, there's nothing of any real value stored in the honeypot. Rather, the value lies in watching who breaks into the honeypot — you can audit would-be attackers as they hunt for the goodies until you know exactly who they are and you can put the cuffs on them.

Some black-list administrators, notably Ron Guilmette, have taken the basic idea of a honeypot and turned it into an anti-spam approach. It works in exactly the same way as other network honeypots. Since a spammer doesn't know which proxies or relays are open to abuse, spammers are constantly testing sites for new and vulnerable relays. In fact, a spammer probably has no idea what sites he is using to spread spam. Most simply rely on automatic scripts to find new sites as old open relays are either fixed or knocked off the net by being added to a blacklist.

If you're not sure yourself about whether your mail servers are open, you should get a copy of Mail Relay Tester, or run the Abuse.net mail relay test, and test out your own system.

If you're well past the point of needing such tools, you may be ready to try to nail spammers with a honeypot. The most basic way to do it is to simply set up an insecure mail server, aka relay, and wait for the spammers to come to you.

Then, one simply reads the incoming log for a visitor's IP address, looks up which ISP owns that IP address, and reports to that ISP that one of its members, at IP address x.x.x.x, is a spammer. Or, as Brad Spencer, a retired systems manager for the University of Wisconsin and honeypot advocate, puts it, "Boom! There went the much-exaggerated 'anonymity' of the spammers."
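The relay-honeypot procedure just described, as an added example that is not code from the article nor from the Jackpot or Bubblegum Proxypot packages it mentions: a fake open relay that accepts mail for any domain, records the client's IP address with the envelope sender and recipients, never delivers anything, and tallies attempts per source IP for the ISP report. The hostname, addresses and session transcript are constructed values.

```python
# Added example (not the Jackpot or Bubblegum Proxypot code the article names):
# the core of an open-relay SMTP honeypot. It accepts mail for any domain so it
# looks like a misconfigured relay, records the client IP, sender and recipients,
# and silently drops the message instead of relaying it.
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class RelayAttempt:
    client_ip: str
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)

def handle_session(client_ip, commands):
    """Run one client's command lines through the fake relay.
    Returns (replies sent, RelayAttempts recorded); nothing is delivered."""
    replies = ["220 relay.example.net ESMTP"]  # hostname is a constructed value
    attempts, current, in_data = [], None, False
    for line in commands:
        if in_data:                    # message body: discard, watch for "."
            if line == ".":
                in_data = False
                attempts.append(current)
                current = None
                replies.append("250 OK queued")   # a lie: nothing is queued
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 relay.example.net")
        elif verb == "MAIL":
            current = RelayAttempt(client_ip, arg.partition(":")[2].strip())
            replies.append("250 OK")
        elif verb == "RCPT" and current is not None:
            current.rcpt_to.append(arg.partition(":")[2].strip())
            replies.append("250 OK")   # accept any domain: that is the bait
        elif verb == "DATA" and current is not None and current.rcpt_to:
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("503 Bad sequence of commands")
    return replies, attempts

def report_by_source(attempts):
    """Recipients attempted per client IP: the list to WHOIS and send to the ISP."""
    counts = Counter()
    for a in attempts:
        counts[a.client_ip] += len(a.rcpt_to)
    return dict(counts)
```

To run it live, bind a socket server that feeds each connection's lines to handle_session and writes the replies back; the attempts list is the log the article says to read for IP addresses.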

If you don't want to build your own open relay honeypot, you can download a complete package such as Jackpot, a ready-to-run Simple Mail Transfer Protocol (SMTP) relay honeypot, or Bubblegum Proxypot, an open-proxy honeypot. Bubblegum is written in Perl and runs on Linux, but its developer believes that it should run on most Perl-friendly systems.

With Rewards Come Risks

To make running a honeypot proxy as easy as possible, it shouldn't have any real users. That way you'll know that anyone who uses the honeypot is a spammer, thus making it even easier to track. You should also be aware that you run a risk of being tagged as an open relay by blacklist programs that search for real open relays. If that happens, no spammer, or anyone else for that matter, will be able to send mail to or via that address, which effectively means your honeypot will have become useless.

Generally speaking, the more sophisticated a proxy honeypot is, the more likely it is to be hammered by a blacklist. Because of this – and the resulting headaches – only senior network and mail administrators working in concert should set up a proxy honeypot. While it's easy enough to do that any technically savvy user should be able to set up a honeypot, the resulting enterprise-wide implications make it a lousy idea for individual users to try to implement.

Indeed, were someone to try to set up such a honeypot on their home PC with their ISP, which is certainly doable, it wouldn't surprise me a bit if the user were to find their own Internet account in jeopardy.

There are also problems with honeypots. In theory, honeypots can be evaded. Relay-finding software for spammers could be written to use tests to make sure an open relay is really an open relay and not a honeypot. Spammers, though, aren't the brightest stars in the heavens, and to date, no one has written such a program. Still, it is a fundamental flaw that will keep honeypots from being a universal solution to putting an end to spammers.

Of course, a lot of spam is also sent via free e-mail accounts or by a spam mail server set up at home using a DSL or cable connection. Still, open relays account for much of the spam that fills our mailboxes and eats up our bandwidth, so honeypots should be considered as a method of finding and targeting spammers.

Unfortunately, spammers can still pick up and start another spam scheme in a matter of minutes, but the profitability of spam is built on minimal investments. The more work we can cause spammers, the more likely it is that they'll stop spamming.

Honeypots, though, come with their own risks. Once it's known that a site uses honeypots, there have been reports that they've been targeted by distributed denial of service (DDoS) attacks. Guilmette himself, for example, had to take down his blacklist service because of DDoS assaults.

In case you haven't noticed, it's war between network administrators and spammers, and spammers won't hesitate to try to stop anti-spam efforts any way they can. Still, the fact that spammers would coordinate such attacks suggests that honeypots can indeed be effective.
