Honeypot (Spamtrap)

84
Votes

DONE Honeypot (Spamtrap)

Last activity: more than 10 years ago
Blacklist the sender IP address of those writing to specific local email addresses, e.g. addresses published on the company web site specifically as honeypot (spamtrap) addresses. This feature would be based on the assumption that whoever sends email to the honeypot address(es) must be a wrongdoer, because the honeypot address may be collected only by robots scanning the internet (and the web, specifically) for email addresses, which is a typical spammer behavior.

Comments

Excellent idea that I have wanted for years.
by Anonymous more than 10 years ago
In addition to having a honeypot, have it blacklist the IPs for a configurable amount of time, just in case the IP ever becomes a legit one.
by Gregg, no longer anonymous! more than 10 years ago
Definitely, the design would include expiration control, because email probes (Directory Harvest Attacks) come from botnets with probably dynamic IPs.
by Peter Karsai (Vamsoft) more than 10 years ago
I have had this feature since 2007 as my own external agent, and I store spammers' IPs in my DNS RBL. This agent's contribution to blacklisting is 1,05%.
by Pavel more than 10 years ago
@Pavel: Thanks for the feedback, 1.05% is nice considering that relatively few attempts may reach the External Agent (given it is On Arrival only and among the last tests even at that filtering point).
by Peter Karsai (Vamsoft) more than 10 years ago
I've also wanted this for years
by Kansas more than 10 years ago
Funny, if I remember well, I suggested that about 1000 years ago... I see a huge overlap in these 2 suggestions: Honeypot (Spamtrap) and Directory Harvest Attack (DHA) Protection. Both act on invalid addresses, and both deny access. Maybe both suggestions can be combined in one filter like: Block sender IP for x-amount of hours if more than n-amount of non-existent users are attempted for delivery during 60 minutes (or a user-selectable timeframe). - OR - Blacklist sender IP for x-amount of days if the following addresses are attempted for delivery: (User list, like [email protected] etc.)
by Luis more than 10 years ago
I would value this feature, but I also worry about false positives... there is an increasing amount of spam we receive from accounts at the free email providers, e.g. Hotmail and GMail. The accounts are either auto-created by the bad guys who are beating the sign-up process, or they are using hacked accounts via stolen credentials. So the risk of this feature is that one spammer using a legitimate email provider would trigger this feature and temporarily block (to me) the outbound IP of a major source of good email. I don't know how this could be countered reliably, except if there were a decent reputation database that could be referred to in order to override this test on a per-message basis.
by Andrew from Vancouver more than 10 years ago
I do agree with Luis and Andrew
by jhonlone more than 10 years ago
@Andrew: the Honeypot test would have an IP exception list, so you can exclude such large email providers from the Honeypot test. This way, no legitimate MTAs get blocked.
by Krisztian Fekete (Vamsoft) more than 10 years ago
It says I still have 1 vote in here? Or has my vote been returned? I want to pile them up into identifying the test, so that I never have to check honeypot spam for false positives.
by chrislow more than 10 years ago
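
The behaviour discussed in this thread (trap addresses, a configurable expiration, and an IP exception list), as an added sketch that is not Vamsoft's or ORF's code. The class name, verdict strings, addresses and IP ranges are all assumptions constructed for illustration.

```python
import ipaddress
import time

class HoneypotBlacklist:
    """Hypothetical model: mail to a trap address lists the sender IP for a while."""

    def __init__(self, traps, exceptions=(), ttl_seconds=86400, clock=time.time):
        self.traps = {a.strip().lower() for a in traps}   # case-insensitive match
        # Exception list: networks that are never listed (e.g. large providers).
        self.exceptions = [ipaddress.ip_network(n) for n in exceptions]
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised
        self.expires = {}           # ip -> time at which the listing lapses

    def is_blocked(self, ip):
        expiry = self.expires.get(ip)
        if expiry is not None and self.clock() >= expiry:
            del self.expires[ip]    # listing aged out, IP may be legit again
            expiry = None
        return expiry is not None

    def on_rcpt(self, sender_ip, recipient):
        """Verdict for one recipient: excepted, trap-hit, blocked or pass."""
        ip = ipaddress.ip_address(sender_ip)
        if any(ip in net for net in self.exceptions):
            return "excepted"       # honeypot test skipped entirely
        if recipient.strip().lower() in self.traps:
            self.expires[ip] = self.clock() + self.ttl   # (re)start the listing
            return "trap-hit"
        return "blocked" if self.is_blocked(ip) else "pass"

def demo():
    # Constructed traffic: (time in seconds, sender IP, recipient).
    now = [0.0]
    bl = HoneypotBlacklist(["trap@example.com"], ["198.51.100.0/24"],
                           ttl_seconds=3600, clock=lambda: now[0])
    events = [
        (0, "192.0.2.10", "alice@example.com"),     # unknown sender
        (10, "192.0.2.10", "trap@example.com"),     # writes to the trap
        (20, "192.0.2.10", "alice@example.com"),    # now listed
        (30, "198.51.100.7", "trap@example.com"),   # excepted provider range
        (3610, "192.0.2.10", "alice@example.com"),  # listing has expired
    ]
    verdicts = []
    for at, ip, rcpt in events:
        now[0] = at
        verdicts.append(bl.on_rcpt(ip, rcpt))
    return verdicts

if __name__ == "__main__":
    print(demo())
```
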
