Honeypot not always catching emails - ORF Forums


1

Hi,

I have filtered my logs to just one recipient address that I have added (some time ago) to the honeypot list and notice that although sometimes it says "Attempt to send to a honeypot address detected, blacklisting IP for 720 minute(s)."
Also sometimes it says "Blacklisted by the Recipient Validation."
The difference seems to be that the emails with 'recipient validation' have a blank sender address.

So firstly, why would any emails have a blank sender? Just a stuff-up by the spammer?
And why would that stop the honeypot system from working and adding that IP to the list?


Thanks

by thomas.waterhouse 3 years ago
2

@thomas.waterhouse: Hello Thomas,

According to SMTP standards, Delivery Status Notifications (or NDRs) must be sent with a blank sender address. Not surprisingly, spammers often try to exploit this rule and send their spam without a sender address in an attempt to fool poorly configured filtering software. Of course, spammers make mistakes as well, but more often than not they do this intentionally.

As for your second question, the Honeypot test is always performed before the Recipient Validation test, so - by default - the IP should have been banned by the Honeypot test. Exceptions, however, can be configured in the ORF Administration Tool, so I would appreciate if you could send us (to ) the following for analysis:

• The ORF configuration file called orfent.ini. It can be found in the ORF program directory (default: \Program Files (x86)\ORF Fusion).

• The .log file from the day of the incident (e.g. orf-2015-12-12). It can be found on the configured ORF logging path (default: \Program Files (x86)\ORF Fusion).

• The recipient address that should have triggered the Honeypot ban.

by Daniel Novak (Vamsoft) 3 years ago
(in reply to this post)

3

@Daniel Novak (Vamsoft): Thanks for your reply. That makes sense, I didn't realise NDRs come through with a blank sender. And the default '$' is in the honeypot sender exceptions, so I guess that is why those emails are being skipped by the honeypot test. But presumably, although spammers might send spam direct with a blank sender, if they've spammed another server with my email address as the sender and that server rejects it back to me, then I don't want to honeypot that IP as it may well be a reputable, legit server. So I guess I'll leave it as is.

by thomas.waterhouse 3 years ago
(in reply to this post)

4

@thomas.waterhouse: That is correct Thomas, the purpose of the "$" entry on the Honeypot IP Exception list is to avoid blacklisting legitimate mail servers. If the only emails that get blacklisted by Recipient Validation test instead of the Honeypot test are the ones that arrive without a sender address, then there is nothing to worry about. However, should you find other emails sent to the honeypot/spam-trap address avoiding the IP ban, I would be more than happy to review your ORF configuration and logs in order to identify possible technical issues.

by Daniel Novak (Vamsoft) 3 years ago
(in reply to this post)
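The test ordering and the null-sender exception discussed in this thread, as an added toy model (this is not ORF's own code, and it is not taken from the posts above). It assumes what the thread states: the Honeypot test runs before Recipient Validation, a "$" entry on the Honeypot exception list stands for the empty SMTP sender (MAIL FROM:<>, used by NDRs), a Honeypot hit bans the client IP for 720 minutes, while a Recipient Validation hit only rejects that message. The addresses, IPs and envelopes are constructed for the example.

```python
"""Toy model of the ORF-style test order: Honeypot first, then Recipient
Validation. Added illustration only; assumptions are noted inline."""
from dataclasses import dataclass, field

HONEYPOT_BAN_MINUTES = 720          # ban length quoted in the thread's log line
NULL_SENDER_EXCEPTION = "$"         # assumed meaning: "skip for empty MAIL FROM"


@dataclass
class Envelope:
    client_ip: str
    mail_from: str                  # "" models the SMTP null sender, MAIL FROM:<>
    rcpt_to: str


@dataclass
class FilterConfig:
    honeypot_addresses: set
    honeypot_sender_exceptions: set
    valid_recipients: set           # what Recipient Validation accepts


@dataclass
class FilterState:
    banned_ips: dict = field(default_factory=dict)   # ip -> ban minutes
    log: list = field(default_factory=list)


def sender_is_excepted(mail_from, exceptions):
    """Null sender matches only the "$" entry; real senders match literally."""
    if mail_from == "":
        return NULL_SENDER_EXCEPTION in exceptions
    literal = {e.lower() for e in exceptions if e != NULL_SENDER_EXCEPTION}
    return mail_from.lower() in literal


def honeypot_test(env, cfg, state):
    if env.rcpt_to.lower() not in {a.lower() for a in cfg.honeypot_addresses}:
        return None
    if sender_is_excepted(env.mail_from, cfg.honeypot_sender_exceptions):
        # A bounce from a legitimate server that received backscatter lands
        # here: the trap address was hit, but the IP is deliberately not banned.
        state.log.append(f"{env.client_ip}: Honeypot test skipped, sender on exception list")
        return None
    state.banned_ips[env.client_ip] = HONEYPOT_BAN_MINUTES
    state.log.append(
        f"{env.client_ip}: Attempt to send to a honeypot address detected, "
        f"blacklisting IP for {HONEYPOT_BAN_MINUTES} minute(s)."
    )
    return "Honeypot"


def recipient_validation_test(env, cfg, state):
    if env.rcpt_to.lower() in {a.lower() for a in cfg.valid_recipients}:
        return None
    # Rejects this message only; nothing is added to banned_ips.
    state.log.append(f"{env.client_ip}: Blacklisted by the Recipient Validation.")
    return "Recipient Validation"


def evaluate(env, cfg, state):
    """Run the tests in the order the thread describes; the first hit wins."""
    for test in (honeypot_test, recipient_validation_test):
        verdict = test(env, cfg, state)
        if verdict:
            return verdict
    return "Accepted"


def run_scenarios():
    """Three constructed envelopes against a trap address that is not a real mailbox."""
    cfg = FilterConfig(
        honeypot_addresses={"trap@example.com"},
        honeypot_sender_exceptions={NULL_SENDER_EXCEPTION},   # the default "$"
        valid_recipients={"alice@example.com"},
    )
    state = FilterState()
    envelopes = [
        Envelope("203.0.113.10", "spammer@example.net", "trap@example.com"),  # direct spam
        Envelope("203.0.113.11", "", "trap@example.com"),                     # null-sender NDR
        Envelope("198.51.100.5", "bob@example.org", "alice@example.com"),     # ordinary mail
    ]
    verdicts = {e.client_ip: evaluate(e, cfg, state) for e in envelopes}
    return verdicts, state


if __name__ == "__main__":
    verdicts, state = run_scenarios()
    for line in state.log:
        print(line)
    print(verdicts, state.banned_ips)
```

Running it reproduces the pattern seen in the logs: the spammer's IP is banned by the Honeypot test, the null-sender message to the same trap address skips that test and is rejected by Recipient Validation without an IP ban, and a normal message to a valid recipient passes both.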
