A Honeypot is, by definition(1),(2), a decoy or a trap whose purpose is to detect and identify unauthorized use in order to prevent breaches.
In email security, a honeypot is an SMTP server set up to handle a single domain (or several) and to collect email around the clock. Let’s examine two methods used by email honeypots to lure and detect spammers: the open relay(3) and the spamtrap(4).
Open relays
Open relays have been exploited by spammers since the early days of email. A properly configured modern SMTP server accepts mail from anyone only for the domains it serves, and relays mail to other domains only for clients it trusts (typically authenticated users or hosts on its own network). An open relay, by contrast, accepts messages from anyone on the Internet addressed to anyone on the Internet. This was normal behavior in the early days (SMTP being an open store-and-forward architecture), but the growth of email traffic and massive exploitation by spammers and worms in the mid-1990s forced ISPs to block outbound port 25 from customer networks and, later, to adopt DNSBLs(5) (DNS-based Block Lists) to refuse email from known open relays.
These days, open relays are rare. Or, let’s say, rarer. They are an invaluable tool for spammers who can transmit their spam campaigns without revealing their own IP address to the destination MTA(6) (Mail Transfer Agent) and avoid having that IP blacklisted (they can also use open proxies(7) to achieve this objective but that is another discussion). Suffice it to say that an open relay is a real gold mine to spammers.
So, if open relays attract spammers like bees to a honey pot (thus the use of the term), an open relay makes a perfect decoy. This ‘fake’ open relay is publicly visible, serves no real domain and doesn’t worry about being blacklisted by RBLs. It accepts every message offered to it but must never actually forward any of them; if it did, it would simply be one more open relay. Spammers connect to it en masse and, in doing so, reveal their source IP address(es) together with the URLs and the drop-box addresses they use to validate a relay (a spammer typically sends a probe message through the relay to an address they control and only uses it if the probe arrives). This information is then fed to anti-spam engines and RBLs so that legitimate SMTP servers can filter these offending originators (and thus, the spam they produce).
Spamtraps
Email harvesting(8) is another technique that spammers have used since the beginning. Using crawler engines(9) that behave like search engines, they browse and inspect web pages throughout the Internet in search of email addresses. Many web sites, including corporate sites, blogs, discussion forums and personal ads, list one or several contact email addresses. All these addresses are copied into databases and are either sold to spammers (or to unscrupulous marketing departments, which is much the same thing) or used directly as targets in spam campaigns. Many techniques have been developed to defeat harvesting, such as list poisoning(10) and address munging(11), but harvesters have improved their crawlers and still succeed.
Email security honeypots capitalize on this too. For example, we take a new dummy domain bought solely for this purpose (superhoneytrap.net) and set up a public SMTP server for it. We then create a few email addresses (like gluttonous@superhoneytrap.net) plus a catch-all(12) address, seed these addresses on as many web sites as possible, and start listening. Spammers will harvest the addresses and send spam to these exact coordinates. Because no human uses this domain or this server, there is no legitimate mail to expect, and thus every single email it receives is spam. The trap addresses must never be used for anything else, or legitimate mail will pollute the feed. Anti-spam and email security companies can then examine this flood of spam and catalog offending originators, URLs, patterns, image spam, malware, phishing attempts and other fraudulent activity in real time, and push automatic updates to anti-spam engines in less time than it takes to write this sentence.
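Both decoys described above (the fake open relay and the catch-all spamtrap) come down to the same SMTP conversation: say 250 to whatever the client offers, record the envelope, the body and the URLs in it, and deliver nothing. The session handler below is an added example written for this article, not code from the article or from any product; the host name mx.superhoneytrap.net, the client IP and the scripted spam run are constructed. In "spamtrap" mode it accepts any local part at the trap domains and refuses other domains (so relay attempts are recorded as rejections); in "relay" mode it accepts every recipient, as a decoy open relay would.

```python
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")     # group 1: address, group 2: domain

@dataclass
class Capture:                                        # everything learned from one message
    client_ip: str
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    rejected_rcpt: list = field(default_factory=list)  # recipients refused (relay attempts, probes)
    body: str = ""
    urls: list = field(default_factory=list)

class HoneypotSession:
    """Command handler for one SMTP client connection. Accepts, records, never delivers."""
    GREETING = "220 mx.superhoneytrap.net ESMTP ready"   # constructed host name

    def __init__(self, client_ip, mode="spamtrap", trap_domains=("superhoneytrap.net",)):
        assert mode in ("relay", "spamtrap")
        self.mode = mode                     # relay: any domain; spamtrap: only trap_domains (catch-all)
        self.trap_domains = {d.lower() for d in trap_domains}
        self.client_ip, self.helo = client_ip, ""
        self.cap, self.data_lines, self.in_data = Capture(client_ip), [], False
        self.captures = []                   # completed messages from this session

    def _finish_message(self):
        self.cap.helo = self.helo
        self.cap.body = "\n".join(self.data_lines)
        self.cap.urls = sorted(set(URL_RE.findall(self.cap.body)))
        self.captures.append(self.cap)
        self.cap, self.data_lines = Capture(self.client_ip), []

    def handle_line(self, line):
        """Feed one client line (CRLF stripped); return the reply, or None inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self._finish_message()
                return "250 2.0.0 Ok: queued"  # a lie: nothing is queued or forwarded
            # RFC 5321 dot-stuffing: a line sent as ".." carried a single leading "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), re.sub(r"^(FROM|TO):\s*", "", arg.strip(), flags=re.I)
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return "250 mx.superhoneytrap.net"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            self.cap.mail_from = m.group(1) if m else ""   # null sender "<>" stays empty
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            if not m:
                return "501 5.1.3 Bad recipient address syntax"
            if self.mode == "relay" or m.group(2).lower() in self.trap_domains:
                self.cap.rcpt_to.append(m.group(1))
                return "250 2.1.5 Ok"
            self.cap.rejected_rcpt.append(m.group(1))      # still logged: who tried to relay
            return "554 5.7.1 Relay access denied"
        if verb == "DATA":
            if not self.cap.rcpt_to:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.cap, self.data_lines = Capture(self.client_ip), []
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"

def run_session(client_ip, client_lines, mode):
    """Drive one session with scripted client lines; return (transcript, captures)."""
    s = HoneypotSession(client_ip, mode=mode)
    transcript = [("S", s.GREETING)]
    for line in client_lines:
        transcript.append(("C", line))
        reply = s.handle_line(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, s.captures

# Constructed client script: a spam run to harvested addresses that also tries to relay.
SPAM_RUN = [
    "EHLO bulk-sender.example", "MAIL FROM:<deals@bulk-sender.example>",
    "RCPT TO:<gluttonous@superhoneytrap.net>",          # seeded address
    "RCPT TO:<never-published@superhoneytrap.net>",     # catch-all takes it anyway
    "RCPT TO:<victim@other-domain.example>",            # relay attempt
    "DATA", "Subject: cheap stuff", "", "Click http://buy.example/deal?id=1 now",
    "..leading dot line", ".", "QUIT",
]

if __name__ == "__main__":
    transcript, caps = run_session("203.0.113.7", SPAM_RUN, mode="spamtrap")
    print("\n".join("%s: %s" % t for t in transcript), caps, sep="\n")
```

Wrapping the handler in a real listener (an asyncio server that strips CRLF and writes back the replies) is left out here; the point is the policy: the decoy answers 250 at every stage, the body is parsed for URLs once the terminating "." arrives, and the rejected recipients are kept because they tell you who is probing for relays.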
References and tools
Anyone interested in learning more about SMTP (Simple Mail Transfer Protocol), MUA (Mail User Agent), MTA (Mail Transfer Agent), Open relays, Spamtraps, Honeypots and their associated history is invited to read the Wikipedia articles listed in this text.
IT administrators, network administrators and system administrators are also encouraged to periodically verify the security of their SMTP server by performing an open relay test(13),(14). If an SMTP server turns out to be an open relay, fix its relay configuration first, then check whether it has been listed as such in the various RBLs(15),(16) and request delisting so that it is treated as a clean mail server again.
Discuss Honeypots
This article presented Email Security decoy honeypots and two proven techniques used to detect and identify spam and spammers. Did you find this information useful? Do you know of more effective methods? Do you foresee any problems with using these techniques?
(1) Wikipedia, Honeypot (computing), http://en.wikipedia.org/wiki/Honeypot_%28computing%29
(2) SANS Institute, Honey Pot Systems, http://www.sans.org/security-resources/idfaq/honeypot3.php
(3) Wikipedia, Open mail relay, http://en.wikipedia.org/wiki/Open_mail_relay
(4) Wikipedia, Spamtrap, http://en.wikipedia.org/wiki/Spamtrap
(5) Wikipedia, DNSBL, http://en.wikipedia.org/wiki/DNSBL
(6) Wikipedia, Mail transfer agent, http://en.wikipedia.org/wiki/Mail_transfer_agent
(7) Wikipedia, Open proxy, http://en.wikipedia.org/wiki/Open_proxy
(8) Wikipedia, Email address harvesting, http://en.wikipedia.org/wiki/Email_harvesting
(9) Wikipedia, Web crawler, http://en.wikipedia.org/wiki/Web_crawler
(10) Wikipedia, List poisoning, http://en.wikipedia.org/wiki/List_poisoning
(11) Wikipedia, Address munging, http://en.wikipedia.org/wiki/Address_munging
(12) Wikipedia, Catch-all, http://en.wikipedia.org/wiki/Catch-all
(13) Network Abuse Clearing House, Mail relay testing, http://www.abuse.net/relay.html
(14) SpamHelp, SMTP Open Relay Test, http://www.spamhelp.org/shopenrelay/
(15) The Anti-Abuse Project, Multi-RBL Check, http://www.anti-abuse.org/multi-rbl-check/
(16) MSRBL, Multi-RBL Check, http://checker.msrbl.com
Honeypots can be easily detected, especially if you use a catch-all mailbox. All the spammer needs to do is send a bunch of emails to blatantly bogus email addresses @ yourhoneypotdomain.com, and if they never get a 550 no such user here, they will stop sending you spam.
It’s not certain that spammers do intentionally probe servers to detect honeypots, but that’s what I would do.
Yves
Yves, given that you are on the good side of that battle, what would you recommend for someone wanting to protect a honeypot from such detection?
1) Don’t rely on a single domain with some sort of ‘catchall’ mailbox. Have multiple domains.
2) Have domains that contain ‘regular’ mailboxes so that spammers will get rejection notices (550 no such user here) on non-existent mailboxes, or
3) Change your honeypot so that it randomly returns ‘550 no such user here’ notices on some recipients even if said recipients don’t really exist (you’re using a catch-all after all).
Great information and tips Yves, thank you very much.
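The following recipient policy is an added example illustrating suggestions 1 to 3 from the exchange above; it is not code from the article or from the commenters. Several trap domains share one policy, the addresses that were deliberately seeded always "exist", and for every other local part a keyed hash of the address decides whether the server answers 250 or 550. The hash rather than a coin flip is this example's own choice: a spammer who retries the same bogus address must get the same answer each time, otherwise the inconsistency is itself a tell. The secret, domains, addresses and client IPs are constructed. The rejections are also logged per client, because a burst of RCPT TO unknown users from one IP is exactly the probing the first comment describes.

```python
import hashlib
import hmac

class RecipientPolicy:
    """Decides the RCPT TO reply for a catch-all honeypot so it looks like a normal domain."""

    def __init__(self, secret, domains, seeded, reject_rate=0.7):
        self.secret = secret                          # key for the keyed hash; never published
        self.domains = {d.lower() for d in domains}   # several trap domains, not just one
        self.seeded = {a.lower() for a in seeded}     # addresses we deliberately published
        self.reject_rate = reject_rate                # share of unknown local parts that "don't exist"
        self.probe_log = []                           # (client_ip, address) pairs answered with 550

    def decide(self, client_ip, address):
        """Return (code, text) for RCPT TO:<address> offered by client_ip."""
        address = address.lower()
        domain = address.rpartition("@")[2]
        if domain not in self.domains:
            return 554, "5.7.1 Relay access denied"
        if address in self.seeded:
            return 250, "2.1.5 Ok"                    # seeded addresses always exist
        # Keyed hash: the same bogus address always gets the same answer, but without the
        # secret nobody can predict which addresses the trap claims exist.
        digest = hmac.new(self.secret, address.encode("utf-8"), hashlib.sha256).digest()
        if int.from_bytes(digest[:4], "big") / 2**32 < self.reject_rate:
            self.probe_log.append((client_ip, address))
            return 550, "5.1.1 <%s>: Recipient address rejected: User unknown" % address
        return 250, "2.1.5 Ok"

def reject_fraction(policy, client_ip, n, domain):
    """Share of n fresh, unseeded addresses at domain that the policy rejects."""
    rejected = sum(policy.decide(client_ip, "probe%d@%s" % (i, domain))[0] == 550
                   for i in range(n))
    return rejected / n

def probing_clients(policy, threshold):
    """Client IPs that collected more than threshold 'user unknown' replies: likely probing."""
    counts = {}
    for ip, _ in policy.probe_log:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, c in counts.items() if c > threshold)

if __name__ == "__main__":
    policy = RecipientPolicy(b"demo-secret", ["superhoneytrap.net", "second-trap.example"],
                             ["gluttonous@superhoneytrap.net"])
    print(policy.decide("203.0.113.7", "gluttonous@superhoneytrap.net"))
    print(policy.decide("203.0.113.7", "zzzz9@superhoneytrap.net"))
    print(reject_fraction(policy, "203.0.113.7", 2000, "second-trap.example"))
    print(probing_clients(policy, 100))
```

Mail to the addresses the policy accepts still lands in the catch-all as before; the 550s are the only behavioural change, and they cost nothing since no real user was ever going to write to those addresses.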