Honeypot For Identifying Email-Harvesters
Cheese Man writes "Mark Pilgrim describes a simple way to identify email-harvesters: "In each page I serve, I include a bogus email address, encoded with the date of access as well as the host IP address ... This has allowed me to trace spam back to specific hosts and/or robots." There's even a simple one-line example done with PHP. (Thanks to BoingBoing for the links.)"
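As an added illustration of the scheme in the summary (not Mark Pilgrim's PHP one-liner, and not code from the original thread): the server-side routine that builds a bogus address from the access time and client IP, plus the matching decoder you would run against the recipient address of spam that later arrives. The HMAC tag, secret and `example.com` trap domain are this example's own assumptions, added so that a mangled or forged address is rejected instead of being traced to the wrong host.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timezone

# Constructed values for the example; a real deployment keeps the secret out of source.
SECRET = b"example-secret-change-me"
TRAP_DOMAIN = "example.com"


def make_trap_address(client_ip: str, when: datetime) -> str:
    """Return a bogus address whose local part encodes access time, client IPv4 and an HMAC tag."""
    payload = struct.pack(">I", int(when.timestamp())) + ipaddress.IPv4Address(client_ip).packed
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()[:6]
    token = base64.b32encode(payload + tag).decode().rstrip("=").lower()
    return f"{token}@{TRAP_DOMAIN}"


def decode_trap_address(address: str):
    """Recover (access time, client IP) from a trap address, or None if it is not a valid one."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != TRAP_DOMAIN:
        return None
    token = local.upper()
    token += "=" * (-len(token) % 8)  # restore the base32 padding stripped on encode
    try:
        raw = base64.b32decode(token)
    except ValueError:
        return None
    if len(raw) != 14:
        return None
    payload, tag = raw[:8], raw[8:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:6]
    if not hmac.compare_digest(tag, expected):
        return None  # forged or corrupted: do not trust the embedded data
    (ts,) = struct.unpack(">I", payload[:4])
    return datetime.fromtimestamp(ts, timezone.utc), str(ipaddress.IPv4Address(payload[4:]))


def demo():
    """Round-trip one constructed request: 203.0.113.7 fetching a page on 2003-05-30 16:10:05 UTC."""
    when = datetime(2003, 5, 30, 16, 10, 5, tzinfo=timezone.utc)
    address = make_trap_address("203.0.113.7", when)
    return address, decode_trap_address(address)
```

The IP recorded is the one that made the TCP connection, so when a harvester fetches through an open proxy the address traces back to the proxy; log any `X-Forwarded-For` header alongside the served address if you want a chance at the host behind it.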
Unfortunately, there is still no law against email harvesting, so there is nothing you can do to them unless you want a little vigilante justice.
Repeal the DMCA!
You are just going to get a list of open proxies, compromised windows machines, throw-away dialup addresses and so on. Useless.
What is it? Do you politely ask the spammers / bots to stop? Why should they. You have a server, they are looking for information.
Come on, you can't have it both ways. You're either pro government control or against it, you can't say "these people can't have freedom because I don't like them, but don't take away my freedom because people don't like me".
-Jon
this is my sig.
Combining this method on the web server with something like this on the mail server could be fun.
bemis
forgot his password
BrightMail, too. My ISP uses it - it traps about 70% of my spam. The great thing is that it has no false positives, so it just shunts every spam it identifies off to a separate mailbox which you need never bother with - you don't spend time or bandwidth downloading it. (A few times a year I take a look at the stuff it's recently trapped just to check, but there's never been a single valid mail.)
Ceterum censeo subscriptionem esse delendam.
The idea behind having a throwaway domain was so that they wouldn't harvest the domain and start sending email to something like info@yourdomain.com or do a dictionary attack or something. And you would know that any and all spam sent to this domain would be spam.
It's an interesting idea but likely more for fun than any real effect.
Take a look at what conservative really means. You'll see how Robert Anton Wilson has it exactly right. What I don't understand is how the current bunch of radical Republicans get off calling themselves conservative.
For more fun, look up liberal. It's nothing like the right wing talk show people say it is. Funny though, it's like the people I know who consider themselves liberal. Sorry about the rant.
--
Anonymous only to keep the signal to noise level for this article in check. If you really hate me, mod one of my other posts down. It wouldn't be the first revenge mod, or the last.
I don't think a list of phony e-mail addresses is going to put a dent in an industry that will send an e-mail to every possible address on a popular domain in the hopes that a small fraction of those addresses will belong to real people.
Do me a favor and double it!
postmaster@j3rk.ugh.com doesn't really care.
If, perchance, it is a company that makes its bread and butter collecting and selling e-mail addresses to the gullible, they probably already KNOW what they are doing, and you reminding them does nothing but give you a warm feeling.
Another option is some retail user - there probably is no postmaster@CPE0080c6ef6343-CM0143000000054.cpe.net.cable.rogers.com just to pull a random IP address out of my log file.
And finally the last case -- you hit the 'jackpot' -- you find the email address of some overworked sysadmin at medium-nsp.net who COULD do something if she could.
An anecdote to illustrate:
I was working as head network/system administration guy for a very successful NSP in the S.F. bay area in the mid 90s, when spam REALLY began to take off. We had a customer who had the domain name PASTA.COM (not really -- to preserve his anonymity I have substituted an equally common word for his).
A very vigorous spam organization was sending out tens of thousands of emails advertising their spaghetti-sauce and accessory business, directing people to call 1-800-PASTA.CO (M)
They had no relationship to our (domain-squatter) client, who did not even sell pasta products. He was just hoping that some pasta-manufacturer would give him ten large for the name.
Every day, my postmaster@... inbox would be filled with vitriolic e-mail demanding that I terminate his connectivity for violating our AUP. (Sadly, our AUP had been drafted before anyone had imagined that spam would be a problem. The closest we had was a paragraph "protection of network")
Sometimes, if I was feeling argumentative, I would correspond with these sub-people asking exactly how is this customer violating any AUP? By having a domain name that is a common five-letter English word that someone else happened to use in a piece of spam?
I had my own real job to do -- helping our customers track down and eliminate open mail relays, sending out bills for rack space, taking my turn standing in front of the idiot with the backhoe so he couldn't dig up our OC3, keeping usenet working.
Eventually, I developed a technique that satisfied everybody. I would send out a polite form-letter saying, "Thank you internet user for your vigilance. Please be assured that the most appropriate action is being taken immediately."
Then I moved their original message into /dev/null.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
So what happens under this scheme when a harvester bounces all their page requests through an open proxy? Does the recorded IP address mis-identify the proxy as the harvester?
I have Zope running on an unpublished IP address and port on one of my machines. About once a day, someone tries to reflect a connection through it, like so:
66.118.187.8 - Anonymous [30/May/2003:09:10:05 -0700] "CONNECT 64.12.136.89:25 HTTP/1.0" 404 264 "" ""
Apparently there are enough mis-configured Web proxies out there (like older RedHats running Squid) to make this type of probing worthwhile. Does this honeypot account for this?
Schwab
Editor, A1-AAA AmeriCaptions
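An added example (not from the thread) of spotting the kind of probe Schwab quotes: it parses combined-format web log lines and flags `CONNECT` requests aimed at mail ports, which is what someone testing your server as an open relay path looks like. The log layout regex and the 465/587 ports beyond the 25 in the quoted line are assumptions; the sample log is constructed, with the first line taken from the post.

```python
import re
from collections import Counter

# Assumed layout: ip - user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Ports a relay probe through a proxy would aim at (assumption: 465/587 added to the 25 seen in the post).
SMTP_PORTS = frozenset({25, 465, 587})

# Constructed sample: line 1 is the one quoted in the post, the rest use documentation IP ranges.
SAMPLE_LOG = """\
66.118.187.8 - Anonymous [30/May/2003:09:10:05 -0700] "CONNECT 64.12.136.89:25 HTTP/1.0" 404 264 "" ""
198.51.100.23 - Anonymous [30/May/2003:09:12:44 -0700] "GET /index.html HTTP/1.0" 200 5120 "" "Mozilla/4.0"
66.118.187.8 - Anonymous [30/May/2003:09:13:02 -0700] "CONNECT 64.12.136.89:25 HTTP/1.0" 404 264 "" ""
198.51.100.23 - Anonymous [30/May/2003:09:15:09 -0700] "CONNECT 192.0.2.10:443 HTTP/1.1" 404 264 "" ""
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_relay_probes(lines, ports=SMTP_PORTS):
    """Return (source ip, target host, target port, status) for CONNECT requests to mail ports."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["target"].rpartition(":")
        if port.isdigit() and int(port) in ports:
            hits.append((rec["ip"], host, int(port), int(rec["status"])))
    return hits


def probers(hits):
    """Count probe attempts per source IP; repeat offenders are candidates for a firewall rule."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    found = find_relay_probes(SAMPLE_LOG.strip().splitlines())
    print(found, probers(found))
```

A 404 on these lines means the server refused to proxy; a 200 with a non-trivial byte count would mean the relay path worked and the source IP needs immediate attention.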
Only just today I posted this article about how not to get spam for users of my servers. When 97% of all spam emails within a 6 month period come from website-harvested addresses, it's pretty clear that posting your email address on a website is just plain stupid. Use a form to allow users to contact you, but never allow them to be able to get your address.
No he doesn't, George A. Theall does, in a comment attached to an article by Mark.