Slashdot Mirror


Honeypot For Identifying Email-Harvesters

Cheese Man writes "Mark Pilgrim describes a simple way to identify email-harvesters: "In each page I serve, I include a bogus email address, encoded with the date of access as well as the host IP address ... This has allowed me to trace spam back to specific hosts and/or robots." There's even a simple one-line example done with PHP. (Thanks to BoingBoing for the links.)"

22 of 252 comments

  1. I say... by JoeLinux · · Score: 5, Interesting

    That there should be email addresses that the big companies "float" out onto spamming lists. When a mass email comes back with these email addresses, it's a flag that it's spam, and block the whole message from going into the system. Of course, security on what those email addresses are would have to be pretty tight...

    1. Re:I say... by Eyston · · Score: 3, Interesting

      This is exactly what a lot of them do.

      I think Earthlink's Spam Blocker is using that idea.

      -Eyston

    2. Re: I say... by JDevers · · Score: 2, Interesting

      BrightMail definitely DOES have false positives. At my summer job (last summer, this year I am covered by assistantship :) as tech support at an ISP that used BrightMail I don't remember a week going by without someone complaining that our spam filter had caught some of their legit mail. Most of these were borderline spam but a sizable chunk were perfectly normal mail that had no "spamness."

    3. Re: I say... by gidds · · Score: 2, Interesting
      I find that very strange, for two reasons:
      1. In my experience, it's caught spams probably into 5 figures by now, of which I've personally checked probably over a thousand, absolutely none of which were spam. And
      2. BrightMail's method can only find spam. Their honeypots have absolutely no legitimate use, so all the mail they get must be spam: untargeted, mass mailing, to an unchecked, harvested list of addresses. Assuming BrightMail then blocks only those mails, then I don't see how it can be blocking legitimate mail as well.
      Are you sure we're talking about the same system? Maybe your ISP used some other filtering as well as BrightMail?
      --

      Ceterum censeo subscriptionem esse delendam.

  2. Re:But what can you do about it? by Anonymous Coward · · Score: 1, Interesting

    Use it to build blacklists. Any email coming from addresses formatted like this can get recorded into a nice Bayesian filter as more known spam.

  3. Spammers are pretty simple (for now) by brejc8 · · Score: 5, Interesting

    I am pleasantly surprised that my anti-spam encoded email address still has not been spammed. And even a recent spam study found that only normal email addresses got spam.
    It wouldn't take much to find and decode most of the simple spam-protected email addresses. And I don't think it would take long for the spammers to detect a system such as this and bypass it, but I don't think they will bother in the current climate.
    But pretty soon I suspect we will get much cleverer email collecting tools and the problem is going to get to the scale of the virus/anti-virus stage.

    1. Re: Spammers are pretty simple (for now) by mistered · · Score: 4, Interesting
      Then we'll start putting "nospam" in our real addresses!

      I do. I use myid-nospam@my_domain.org for news groups, dubious web site forms, etc. In several years, I've received exactly one spam at that account. It looks like many of the harvesters remove any address with "spam" in it, because they think it's likely fake (or at least harvester-proofed).

      By far most of my spam comes to my old eBay account. Luckily that was myid-ebay@my_domain.org, which will soon be removed in favour of a slightly different permutation.

      --
      Enjoy your job, make lots of money, work within the law. Choose any two.
  4. So... by john_smith_45678 · · Score: 1, Interesting

    What can you do with somebody's IP address (that was in the email they harvested)? Resolve it and hope email sent to abuse@theirdomain.com does something?

  5. A new RBL? by astrashe · · Score: 3, Interesting

    I wonder if maybe someone could create a network of honeypots, and feed the data into a database that could be accessed in real time by web servers, to deny access.

    It would probably impose too much of a performance hit for a popular site, but maybe for smaller stuff -- your bio page, or whatever -- it would be appropriate.

  6. Re:But what can you do about it? by panaceaa · · Score: 2, Interesting

    While there's no way to pursue email harvesters through legal channels, there's other ways this technique is useful.

    In the example given, the spam harvester used a unique User-Agent string and a constant IP address for spidering. As a web site owner, you could block requests based on either of those credentials. In addition, you can publish your findings so that other web sites and networks can block the harvesters you find too.

    You can also complain to the harvester's ISP. Since spam is often sent with open relays, you can't track down spammers through email headers. But by recording the IP address that harvested your email address, you know the initial source of the spam. The email address gives you a point of contact to start complaining to ISPs and possibly track down spammer's marketing site.

  7. So you found the harvester... by anubi · · Score: 5, Interesting
    It's been my experience that even though you find out which IP the harvesting spider operated from, they only sell their harvested stuff to mass marketers, which proceed through several layers of people before ending up in the hands of those doing the mass mailings.

    These guys come like a thief in the night. They load your page like any other search engine spider. It's like knowing the face of the guy who went through your neighborhood, trying every door knob in the guise of distributing an advertising flyer, then later he disclosed to other thieves, unknown to you, who's at home during the day and who is not.

    Yes, it's helpful in building a case, like knowing who is going through a neighborhood trying all the doors, but catching the actual guy in the act is not as easy.

    Some of this spam is really getting nasty. Just two days ago, I received this spam in my box purporting to be from the fraud department of Best Buy regarding CD players some guy in New York is trying to buy with my credit card. It seemed a really professional email, except they didn't know my name, and apparently had to get my email addy from a national credit bureau agency. When the links did not point as shown, I really became leery. The whole thing was apparently a ruse to get me to log into their site and disclose all sorts of personal information, playing on my fear that if I did not do so, the fraudulent transaction would complete.

    Watch out, guys. There's a lot of deception going on out there.

    Any tools and techniques we make to help us find out who these little rascals are are really welcome. Seeing as some students just got nailed for their life savings for just their involvement in sharing a few songs, I trust this same environment can be used for those involved in internet scams which often cost not just a few record sales, but often substantial, I mean really substantial, grief for the victim.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  8. Easily defeated by BuilderBob · · Score: 2, Interesting

    Surely the email harvester will just 'learn' to remove its own IP number and possibly a date (or even better, just increment the IP number/date to generate an infinite number of email addresses).

    A more advanced method would probably hash the IP with the date in a non-obvious way, but it'd have to be a one-to-one mapping of IPs at least and a two-way hash to retrieve the IP number.

    Even storing the IP number as the apache-log line (if that's possible) would work, but real addresses would always work better but would require a dummy domain (e.g a dictionary of names stuck together with ._-). But unless you encode the IP you need a lookup table from your logs which is overhead.

    Of course, this still doesn't address the real problem, the people who should be traced and punished are not the spammers but the companies that use the spammers, there will always be foreign companies willing to spam for you if the law makes it illegal. Few of the spams I see are international companies (ok, most of them are porn sites which are probably just harvesters).

    The first link in the story also had a link to Cyveilance, which keeps appearing in my spamcop reports as "3rd party interested in spam"; apparently they chase (suspected) copyright infringement on the web... not sure I want to help them anymore.

    BB
  9. fighting spam by daserver · · Score: 5, Interesting

    The only email address I have on my site is blockme@mydomain and if anyone sends an email to that one they get blacklisted. Easy but effective.

    1. Re:fighting spam by leeward · · Score: 2, Interesting

      Generally blocking is done by IP address, not email address. So when the OP receives a spam addressed to blockme, I assume his software adds the source IP address the email came from to his blocklist. So you are not blocked.

  10. Re:But what can you do about it? by Anonymous Coward · · Score: 3, Interesting

    Nah, just put up a WebPoison page and spoil their ill-gotten gains by fooling the harvesters into grabbing lots of apparently valid (tho very fake) email addresses. If enough of their customers get pissed for being sold bad email lists, eventually the problem will be lessened. http://www.monkeys.com/wpoison/

    "So the basic idea behind Wpoison is to trap unwary and badly engineered address harvesting web crawlers, and to fool them into adding enormous quantities of completely bogus e-mail addresses to the E-mail address data bases of the spammers, thus polluting those data bases so badly that they become essentially useless, thereby putting the spammers who are using them out of business, or at least shutting them down for a time and causing them some major headaches while they try to clean up the messes in their now-heavily-polluted e-mail address data bases."

    "...if one of these spammer address harvesting web crawlers is left to try to digest your entire web site, say, overnight, then within a few hours (and certainly by morning) its data base of e-mail addresses will have been well and thoroughly polluted by millions of utterly bogus e-mail addresses..."

  11. Re:But what can you do about it? by AndroidCat · · Score: 2, Interesting

    WebPoison has been around for a while, so I wouldn't be surprised if spamware can detect and filter wpoison pages. (Barring a wpoison tweak to fool that spamware, followed by a tweak of the spamware, etc.)

    --
    One line blog. I hear that they're called Twitters now.
  12. Re:And the next step is........ by AndroidCat · · Score: 2, Interesting

    If they are misbehaving bots (feed them a robots.txt too), just block their IPs and don't bother being polite. (Or feed them wpoison.)

    --
    One line blog. I hear that they're called Twitters now.
  13. I have a "tar pit" on my website by Hollinger · · Score: 2, Interesting

    You should do what I do, and set up a "tar pit" on your website, with a bunch of bogus randomly generated e-mail addresses, and links back to itself. On last count, I've handed out over 100,000 false e-mail addresses.

  14. Re:wpoison by yog · · Score: 2, Interesting

    great idea; I have a static page with thousands of random email addresses generated by this Perl script, but this wpoison is sweet; the pages seem genuine and it would keep a robot busy for a long time.

    I'd like to see millions of web sites adopt this approach; then perhaps spammers would be overwhelmed by bogus email addresses and it would cost them more money to figure out ways around it, if it's even possible.

    The principle is similar to the Nigerian spam baiting that some of us engage in; if thousands of us did it, these turds would simply be overwhelmed and would have to find some other way to make a living!

    --
    it's = "it is"; its = possessive. E.g., it's flapping its wings.
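    The tar pit that Hollinger and yog describe, written out as an added example for this page (it is not the Wpoison code and not either poster's script). It assumes the web server routes everything under TRAP_PREFIX to render_page(), that SEED_KEY is a per-site secret, and that POISON_DOMAINS are hosts you control; the name lists are made up. Seeding the generator from the URL makes a refetch of the same page return identical content, so a crawler that compares two fetches to spot generated pages sees a stable site, and every link leads deeper into the pit.

```python
"""Deterministic tar-pit page generator in the spirit of Wpoison.

Added example, not code from the page or from Wpoison. TRAP_PREFIX, SEED_KEY,
the name lists and POISON_DOMAINS are assumptions.
"""
import hashlib
import html
import random

SEED_KEY = b"per-site-secret-for-tarpit-seeding"   # assumption: keep it private
TRAP_PREFIX = "/people/"                             # assumption: route served by render_page()
ADDRESSES_PER_PAGE = 40
LINKS_PER_PAGE = 8
FIRST = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
LAST = ["miller", "chen", "okafor", "silva", "novak", "haddad", "ivanov", "reyes"]
# Point these at an MX you run and sink the mail there. Poisoning with
# third-party domains would dump the spam you attract on innocent servers.
POISON_DOMAINS = ["mail1.example.net", "mail2.example.net", "lists.example.net"]


def _rng(path: str, salt: str = "") -> random.Random:
    """Seed from the URL so the same page always renders the same content."""
    digest = hashlib.sha256(SEED_KEY + salt.encode() + path.encode()).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def fake_addresses(path: str, n: int = ADDRESSES_PER_PAGE) -> list:
    """Plausible-looking bogus addresses, all at domains we control."""
    rng = _rng(path, "addr")
    return [
        f"{rng.choice(FIRST)}.{rng.choice(LAST)}{rng.randint(1, 99)}@{rng.choice(POISON_DOMAINS)}"
        for _ in range(n)
    ]


def child_links(path: str, n: int = LINKS_PER_PAGE) -> list:
    """Links that stay under TRAP_PREFIX, so a crawler never climbs out."""
    rng = _rng(path, "link")
    return [f"{TRAP_PREFIX}{rng.randrange(10**6):06d}.html" for _ in range(n)]


def render_page(path: str) -> str:
    """HTML for one tar-pit page: a fake staff directory plus more to crawl."""
    rows = "\n".join(
        f'<li><a href="mailto:{html.escape(a)}">{html.escape(a)}</a></li>'
        for a in fake_addresses(path)
    )
    links = "\n".join(
        f'<li><a href="{html.escape(link)}">more contacts</a></li>'
        for link in child_links(path)
    )
    return (
        "<html><body>\n<h1>Staff directory</h1>\n"
        f"<ul>\n{rows}\n</ul>\n<h2>See also</h2>\n<ul>\n{links}\n</ul>\n"
        "</body></html>\n"
    )


def robots_txt() -> str:
    """Well-behaved crawlers are told to stay out; those that ignore this are the target."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


if __name__ == "__main__":
    print(robots_txt())
    print(render_page(TRAP_PREFIX + "000001.html"))
```

    Link the entry page from your real pages with an anchor humans will not click (and keep it out of your sitemap), serve robots_txt() at /robots.txt, and log which clients ignore the Disallow and keep following child_links: those are the harvester IPs and User-Agents to block.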
  15. Better PHP code by Sanity · · Score: 4, Interesting
    Here is some PHP code that will do something similar - it just encodes the IP address, but it does so much more efficiently - resulting in email addresses as short as "fwAAAQ@blah.com". The fwAAAQ can then be decoded using base64_decode to get back to the original IP address.

    <?php
    // Pack the four dotted-quad octets of the visitor's IP into four raw bytes.
    $remaddr = $_SERVER["REMOTE_ADDR"];
    $ips = explode(".", $remaddr);
    $bst = "";
    foreach ($ips as $b) {
        $bst .= chr(intval($b));
    }
    // base64 of 4 bytes is 8 chars ending in "=="; drop the padding.
    // Note base64 may also emit "+" or "/", both legal in a local part.
    $out = str_replace("=", "", base64_encode($bst));
    // e.g. 127.0.0.1 -> "fwAAAQ"; recover it with base64_decode("fwAAAQ==") and ord().

    echo "<a href=\"mailto:$out@blah.com\">email me!</a>";
  16. Re:Nothing new by Technician · · Score: 2, Interesting

    It's been a few years ago, but I had a typo on my car registration and title. I was going to get it fixed, but within 2 days of my registration, I got mail with the same wrong name. Then I started getting sales calls. I never fixed the registration. My vehicle registration was good for about 1/3 of my snail mail junk.

    It came from places you wouldn't expect it. Siding salesmen were the worst. I was renting an apartment at the time.

    --
    The truth shall set you free!
  17. selection of fake email addy by Anonymous Coward · · Score: 1, Interesting

    I would at least convert the IP address to hex (e.g. ef0f3bad) so it's not really obvious what you're doing -- makes the address look more "real" too
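    Putting the three encoding suggestions together (BuilderBob's keyed, one-to-one, two-way mapping of IP plus date in comment 8; Sanity's compact base64 local-part in comment 15; the "don't make it obvious" point just above), here is an added example in Python, not Mark Pilgrim's code and not the PHP from the thread. It assumes a per-site SECRET, a DOMAIN the addresses live at, an EPOCH for the day counter, and a constructed sample spam; IPv6 is not handled. The local-part is the IP and day XOR-masked under the secret with a truncated HMAC tag appended, so the harvester sees neither the IP nor the date and cannot mint valid addresses by incrementing the IP, while the site can still decode and authenticate each one. The decoder then pulls the delivering MTA's IP from the topmost Received: header, which is the other half of "tracing spam back to specific hosts".

```python
"""Keyed, reversible honeypot addresses plus the decoder that traces a spam back.

Added example for this page, not the author's or the thread's code. SECRET,
DOMAIN, EPOCH and the sample message are assumptions / constructed data.
"""
import base64
import hashlib
import hmac
import ipaddress
import re
import struct
from datetime import date, timedelta
from email import message_from_string

SECRET = b"replace-me-with-a-long-random-per-site-secret"   # assumption
DOMAIN = "example.com"                                        # assumption
EPOCH = date(2000, 1, 1)                                      # assumption
BODY_LEN = 6   # 4 bytes IPv4 + 2 bytes "days since EPOCH"
TAG_LEN = 3    # 24-bit truncated HMAC; a forged token passes ~1 in 16 million


def _keystream(nonce: bytes, n: int) -> bytes:
    """Per-token mask derived from SECRET; the tag doubles as the nonce."""
    return hmac.new(SECRET, b"mask" + nonce, hashlib.sha256).digest()[:n]


def _tag(body: bytes) -> bytes:
    return hmac.new(SECRET, b"tag" + body, hashlib.sha256).digest()[:TAG_LEN]


def encode_address(ip: str, when: date) -> str:
    """Bogus address to embed in a page served to `ip` on day `when`."""
    body = ipaddress.IPv4Address(ip).packed + struct.pack(">H", (when - EPOCH).days)
    tag = _tag(body)
    # Mask the plaintext so neither IP nor date is visible, then append the tag
    # so a harvester cannot generate valid addresses by counting IPs up.
    masked = bytes(b ^ k for b, k in zip(body, _keystream(tag, BODY_LEN)))
    local = base64.b32encode(masked + tag).decode().rstrip("=").lower()
    return f"{local}@{DOMAIN}"


def decode_address(addr: str):
    """(ip, date) if `addr` is a genuine token from this site, else None."""
    local, _, dom = addr.strip().lower().partition("@")
    if dom != DOMAIN:
        return None
    try:
        raw = base64.b32decode(local + "=" * (-len(local) % 8), casefold=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    if len(raw) != BODY_LEN + TAG_LEN:
        return None
    masked, tag = raw[:BODY_LEN], raw[BODY_LEN:]
    body = bytes(b ^ k for b, k in zip(masked, _keystream(tag, BODY_LEN)))
    if not hmac.compare_digest(tag, _tag(body)):
        return None             # random, incremented or tampered local-part
    days = struct.unpack(">H", body[4:])[0]
    return str(ipaddress.IPv4Address(body[:4])), EPOCH + timedelta(days=days)


_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_ADDR = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+")


def trace_spam(raw_message: str):
    """Find a honeypot recipient in a received message and attribute it."""
    msg = message_from_string(raw_message)
    recipients = []
    for hdr in ("To", "Cc", "Delivered-To", "X-Original-To"):
        for value in msg.get_all(hdr, []):
            recipients += _ADDR.findall(value)
    for rcpt in recipients:
        hit = decode_address(rcpt)
        if hit is None:
            continue
        harvester_ip, harvested_on = hit
        # The topmost Received: line was added by our own MTA, so its bracketed
        # IP is the host that handed us the spam (the spammer or an open relay).
        received = msg.get_all("Received", [])
        m = _BRACKET_IP.search(received[0]) if received else None
        return {
            "trap_address": rcpt.lower(),
            "harvester_ip": harvester_ip,
            "harvested_on": harvested_on.isoformat(),
            "delivering_mta": m.group(1) if m else None,
        }
    return None


SAMPLE_HARVESTER_IP = "192.0.2.44"       # constructed
SAMPLE_DATE = date(2003, 5, 12)          # constructed
SAMPLE_SPAM = (                           # constructed message, not a real one
    "Received: from relay.example.net (unknown [198.51.100.7])\n"
    f"\tby mx.{DOMAIN} with SMTP; Thu, 15 May 2003 04:12:00 -0700\n"
    "From: offers@example.org\n"
    f"To: <{encode_address(SAMPLE_HARVESTER_IP, SAMPLE_DATE)}>\n"
    "Subject: make money fast\n"
    "\n"
    "Buy now.\n"
)

if __name__ == "__main__":
    print(encode_address(SAMPLE_HARVESTER_IP, SAMPLE_DATE))
    print(trace_spam(SAMPLE_SPAM))
```

    Server-side, call encode_address() with the client's REMOTE_ADDR and today's date when rendering each page; the local-part comes out as 15 base32 characters, longer than the 6 of the PHP version because it also carries the day and the tag. Keep SECRET out of the web root, and if you ever rotate it, old trap addresses stop decoding, so retire them deliberately.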