Honeypot For Identifying Email-Harvesters
Cheese Man writes "Mark Pilgrim describes a simple way to identify email-harvesters: "In each page I serve, I include a bogus email address, encoded with the date of access as well as the host IP address ... This has allowed me to trace spam back to specific hosts and/or robots." There's even a simple one-line example done with PHP. (Thanks to BoingBoing for the links.)"
That there should be email addresses that the big companies "float" out onto spamming lists. When a mass email comes back with these email addresses, it's a flag that it's spam, and block the whole message from going into the system. Of course, security on what those email addresses are would have to be pretty tight...
Unfortunately, there is still no law against email harvesting, so there is nothing you can do to them unless you want a little vigilante justice.
Repeal the DMCA!
Lots of people, including me, use different middle names or initials when applying for something in writing, by snail mail or by telephone. When junk mail comes back in the mailbox, it's easy to know what company sold your information to whom, or at least which company was the initial recipient of the bogus info and which was the last.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Try wpoison, it's a CGI script to generate a random set of email addresses, infinitely deep. Very fun.
Last line of the article:
title edit (6/19, 6:47am): Honeypot not "honey hole." Thanks, Cory.
What's the difference between the two? Computer geeks have experience with honeypots!
I am pleasantly surprised that my anti-spam encoded email address still has not been spammed. And even a recent spam study found that only normal email addresses got spam.
It wouldn't take much to find and decode most of the simple spam-protected email addresses. And I don't think it would take long for the spammers to detect a system such as this and bypass it, but I don't think they will bother in the current climate.
But pretty soon I suspect we will get much cleverer email collecting tools and the problem is going to get to the scale of the virus/anti-virus stage.
I wonder if maybe someone could create a network of honeypots, and feed the data into a database that could be accessed in real time by web servers, to deny access.
It would probably impose too much of a performance hit for a popular site, but maybe for smaller stuff -- your bio page, or whatever -- it would be appropriate.
These guys come like a thief in the night. They load your page like any other search engine spider. It's like knowing the face of the guy who went through your neighborhood, trying every door knob in the guise of distributing an advertising flyer, then later he disclosed to other thieves, unknown to you, who's at home during the day and who is not.
Yes, it's helpful in building a case, like knowing who is going through a neighborhood trying all the doors, but catching the actual guy in the act is not as easy.
Some of this spam is really getting nasty. Just two days ago, I received this spam in my box purporting to be from the fraud department of Best Buy regarding CD players some guy in New York is trying to buy with my credit card. It seemed a really professional email, except they didn't know my name, and apparently had to get my email addy from a national credit bureau agency. When the links did not point as shown, I really became leery. The whole thing was apparently a ruse to get me to log into their site and disclose all sorts of personal information, playing on my fear that if I did not do so, the fraudulent transaction would complete.
Watch out, guys. There's a lot of deception going on out there.
Any tools and techniques we make to help us find out who these little rascals are is really welcome. Being some students just got nailed for their life savings for just their involvement in sharing a few songs, I trust this same environment can be used for those involved in internet scams which often cost not just a few record sales, but often substantial, I mean really substantial, grief for the victim.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Surely the email harvester will just 'learn' to remove its own IP number and possibly a date (or even better, just increment the IP number/date to generate an infinite number of email addresses)
A more advanced method would probably hash the IP with the date in a non-obvious way, but it'd have to be a one-to-one mapping of IPs at least and a two-way hash to retrieve the IP number.
Even storing the IP number as the apache-log line (if that's possible) would work, but real addresses would always work better but would require a dummy domain (e.g a dictionary of names stuck together with ._-). But unless you encode the IP you need a lookup table from your logs which is overhead.
Of course, this still doesn't address the real problem, the people who should be traced and punished are not the spammers but the companies that use the spammers, there will always be foreign companies willing to spam for you if the law makes it illegal. Few of the spams I see are international companies (ok, most of them are porn sites which are probably just harvesters).
The first link in the story also had a link to Cyveilance, which keeps appearing in my spamcop reports as "3rd party interested in spam"; apparently they chase (suspected) copyright infringement on the web... not sure I want to help them anymore..
And also not require register_globals be on (better for security if you can set it to "off"):
<a href="mailto:<?php echo $_SERVER['REMOTE_ADDR'],'_on_',date('y_m_j_Gi'),'@EXAMPLE.COM'; ?>" title="Go ahead, Spam me">Here is my email address</a>
(Slashdot adds an extra space before example.com)
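One way to build the encoded address and later trace spam back from it, as an added Python example (not code from the thread or from Mark Pilgrim's page): the visitor IP and UTC access time are packed and a short HMAC tag under a server-side secret is appended, so a harvester cannot strip the IP or mint new addresses by incrementing it, the concern raised a few comments up. The secret, domain and sample recipient addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

SECRET = b"demo-secret-change-me"  # constructed; keep the real one out of the served page
DOMAIN = "example.com"

def encode_trap(ip: str, when: datetime, secret: bytes = SECRET) -> str:
    """Trap address: visitor IP + UTC time + short HMAC tag (can't be stripped or enumerated)."""
    body = ipaddress.ip_address(ip).packed + int(when.timestamp()).to_bytes(4, "big")
    tag = hmac.new(secret, body, hashlib.sha256).digest()[:4]
    token = base64.b32encode(body + tag).decode().rstrip("=").lower()
    return f"trap-{token}@{DOMAIN}"

def decode_trap(addr: str, secret: bytes = SECRET):
    """Return (ip, datetime) for a genuine trap address, None if foreign or tampered."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain != DOMAIN or not local.startswith("trap-"):
        return None
    token = local[5:]
    try:
        raw = base64.b32decode(token + "=" * (-len(token) % 8), casefold=True)
    except ValueError:
        return None
    if len(raw) not in (12, 24):  # IPv4 or IPv6 body, each followed by the 4-byte tag
        return None
    body, tag = raw[:-4], raw[-4:]
    if not hmac.compare_digest(tag, hmac.new(secret, body, hashlib.sha256).digest()[:4]):
        return None
    when = datetime.fromtimestamp(int.from_bytes(body[-4:], "big"), tz=timezone.utc)
    return str(ipaddress.ip_address(body[:-4])), when

def trace_harvesters(recipients):
    """Group the To: addresses of received spam by the harvester IP they decode to."""
    hits = defaultdict(list)
    for addr in recipients:
        found = decode_trap(addr)
        if found:
            hits[found[0]].append(found[1])
    return dict(hits)

# Constructed sample of recipient addresses seen on incoming spam.
SAMPLE_RECIPIENTS = [
    encode_trap("198.51.100.23", datetime(2003, 6, 19, 6, 47, tzinfo=timezone.utc)),
    encode_trap("198.51.100.23", datetime(2003, 6, 20, 11, 2, tzinfo=timezone.utc)),
    encode_trap("2001:db8::9", datetime(2003, 6, 21, 3, 15, tzinfo=timezone.utc)),
    "webmaster@example.com",  # a real address, ignored by the tracer
]
```

As the proxy question further down notes, the recovered IP is whatever fetched the page, so a harvester behind an open proxy shows up as the proxy.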
The only email address I have on my site is blockme@mydomain and if anyone sends an email to that one they get blacklisted. Easy but effective.
You can often do this even without a throwaway domain. Many addresses can be tagged by adding a "+" (plus-sign) and anything between the user name and the @-sign.
For example wheany+sd@iki.fi, wheany+SpamTastesGood@iki.fi, wheany+glahglahglag@iki.fi, wheany+spammer.com_on_06_22_2003@iki.fi all go to the same mailbox.
> Come on, you can't have it both ways.
> You're either pro government control or against it,
Why not?
Things are rarely polar opposites. You can't just say, "Well kid, are you a communist or for a laissez-faire market." There's tons of middle ground.
The formal name for this is the False Dichotomy.
Extremes only really exist as abstract concepts.
Advocating regulation or laws to protect against abuse is hardly pro-DMCA.
Why bother with honeypots when a Payback Page is far more satisfying :-)
How Cheese Man got mixed up is beyond me, as comment by George A. Theall is clearly displayed at the bottom of the comment.
If they are misbehaving bots (feed them a robots.txt too), just block their IPs and don't bother being polite. (Or feed them wpoison.)
One line blog. I hear that they're called Twitters now.
I don't think a list of phony e-mail addresses is going to put a dent in an industry that will send an e-mail to every possible address on a popular domain in the hopes that a small fraction of those addresses will belong to real people.
Do me a favor and double it!
You could bite back. Instead of trying to track them how about including the email address of the postmaster at the machine calling the page. That way when a harvester at j3rk.ugh.com calls your page it sees an address postmaster@j3rk.ugh.com. The harvester then sells his own address to the spammers. Then sit back and hope that the harvester decides to try to grow his organ enough that he doesn't need to do this stuff....
You should do what I do, and set up a "tar pit" on your website, with a bunch of bogus randomly generated e-mail addresses, and links back to itself. On last count, I've handed out over 100,000 false e-mail addresses.
Michael C. Hollinger
Another tool to throw a spanner in the works for spammers is mod_spam_die for Apache. It generates a random page with recursive links and fake addresses, thus causing the spammer's database to fill up with useless addresses. There's an example at chaz6.com/spam_die.
postmaster@j3rk.ugh.com doesn't really care.
If, perchance, it is a company that makes its bread and butter collecting and selling e-mail addresses to the gullible, they probably already KNOW what they are doing, and you reminding them does nothing but give you a warm feeling.
Another option is some retail user - there probably is no postmaster@CPE0080c6ef6343-CM0143000000054.cpe.net.cable.rogers.com just to pull a random IP address out of my log file.
And finally the last case -- you hit the 'jackpot' -- you find the email address of some overworked sysadmin at medium-nsp.net who COULD do something if she could.
An anecdote to illustrate:
I was working as head network/system administration guy for a very successful NSP in the S.F. bay area in the mid 90s, when spam REALLY began to take off. We had a customer who had the domain name PASTA.COM (not really -- to preserve his anonymity I have substituted an equally common word for his).
A very vigorous spam organization was sending out tens of thousands of emails advertising their spaghetti-sauce and accessory business, directing people to call 1-800-PASTA.CO (M)
They had no relationship to our (domain-squatter) client, who did not even sell pasta products. He was just hoping that some pasta-manufacturer would give him ten large for the name.
Every day, my postmaster@... inbox would be filled with vitriolic e-mail demanding that I terminate his connectivity for violating our AUP. (Sadly, our AUP had been drafted before anyone had imagined that spam would be a problem. The closest we had was a paragraph "protection of network")
Sometimes, if I was feeling argumentative, I would correspond with these sub-people asking exactly how is this customer violating any AUP? By having a domainname that is a common five-letter english word that someone else happened to use in a piece of spam?
I had my own real job to do -- helping our customers track down and eliminate open mail relays, sending out bills for rack space, taking my turn standing in front of the idiot with the backhoe so he couldn't dig up our OC3, keeping usenet working.
Eventually, I developed a technique that satisfied everybody. I would send out a polite form-letter saying, "Thank you internet user for your vigilance. Please be assured that the most appropriate action is being taken immediately."
Then I moved their original message into /dev/null.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
So what happens under this scheme when a harvester bounces all their page requests through an open proxy? Does the recorded IP address mis-identify the proxy as the harvester?
I have Zope running on an unpublished IP address and port on one of my machines. About once a day, someone tries to reflect a connection through it, like so:
66.118.187.8 - Anonymous [30/May/2003:09:10:05 -0700] "CONNECT 64.12.136.89:25 HTTP/1.0" 404 264 "" ""
Apparently there are enough mis-configured Web proxies out there (like older RedHats running Squid) to make this type of probing worthwhile. Does this honeypot account for this?
Schwab
Editor, A1-AAA AmeriCaptions
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Only just today I posted this article about how not to get spam for users of my servers. When 97% of all spam emails within a 6 month period come from website-harvested addresses, it's pretty clear that posting your email address on a website is just plain stupid. Use a form to allow users to contact you, but never allow them to be able to get your address.
No he doesn't, George A. Theall does, in a comment attached to an article by Mark.
I did a few small honeypots for the spammers to play with. SMTP and proxy.