Mail Honeypot Thesis Apr 22 2009 01:54PM
dotcompex (deckerz_sya yahoo com) (2 replies)
RE: Mail Honeypot Thesis Apr 22 2009 09:18PM
Ian Bradshaw (ian ianbradshaw net)
RE: Mail Honeypot Thesis Apr 22 2009 09:15PM
Jesper Jurcenoks (jesper jurcenoks netvigilance com)
Hi dotcompex.

Make sure you don't actually relay the emails!
Only emulate an open relay, and then accept the emails for relay, without actually relaying them.

If you relay then you become part of the problem, and not part of the solution.

There should be no need to use TCPdump to capture the email traffic originator, any normal STMP program should put the originating IP-address in the logfile.

You should add a spam filter based on originating IPS to your solution so that you don't accept emails from known spammers, this way you will focus on discovering the unknown Originating IPs. If you don't then you will just be using your bandwidth on known spammers without the benefit you are seeking.

Honestly I don't see the research value in you discovering a few more originating IPs using known detection methods. Most of these IPs will only be spamming for a few days any way.

You could change the focus of your report to have several Open relays on different servers and try to determine if spammers prefer one kind of mail server over another.

You could also try and measure how many spammer are using SMTP over TLS(SSL) compared to unencrypted SMTP

This would make your thesis much more interesting to read.

If you are done with the experiment part, then this advise comes a bit late but I hope it helps anyway.

Jesper Jurcenoks

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of dotcompex
Sent: Wednesday, April 22, 2009 6:55 AM
To: honeypots (at) securityfocus (dot) com [email concealed]
Subject: Mail Honeypot Thesis

I'm doing mail honeypot project for my thesis. Having a little bit problem
in writing good report. I hope u all can comment it so I can edit before
submit it. For the start, I attach my abstract.

Electronic mail or in short can be called email is an important
communication method since internet were propagated in the early 1980s.
People have change their way of communication since the used of email
arising. However the efficacy of email is being endangered by spam problems
when the Internet was opened up to the public. As defined by Spamhaus
Project, spam applied to Unsolicited Bulk Email. Unsolicited means that the
recipient has not approved for the message to be sent. Bulk means that the
message is sent in large quantities and indistinguishable content. Mail
servers that run Simple Mail Transfer Protocol (SMTP) service which are open
relay are exposed to be abused by spam. An open relay mail server will
relay any messages through it. This project will help to determine the spam
source of origin and their contents. Methodology used in this project is
experimental approach. This project will be run on Qmail mail server which
is an open relay and tcpdump for data capturing. The open relay mail server
will be act as mail honeypot to attract spammers. Hopefully this project
can benefit others by contributing spam source of origin to be inserted in
spam block list.
View this message in context: http://www.nabble.com/Mail-Honeypot-Thesis-tp23175462p23175462.html
Sent from the Honeypots mailing list archive at Nabble.com.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus