Honeypots
mailing list archives
Some production honeypot experience
From: Brad Spencer <brad.madison () tds net>
Date: 15 Jan 2004 22:14:43 -0000
I don't currently run a honeypot, but my first was a standard (but ancient) SMTP client. That's hard to detect other
than by trying to spam oneself and seeing that the spam doesn't get through (and some work has been done to help
counter that detection technique.) It's hard to detect because it really is an actual MTA - all the honeypot features
occur after the spammer has connected and dropped his load. I stopped running the honeypot about last May and I ran it
in essentially receive-only mode for the last months of its lifetime. That meant that primarily I just accepted
spammer relay tests. I did force delivery of a few (and the arrival of the test message hours late didn't put off the
spammers) to see what spam would follow.
A receive-only honeypot is very hard to detect as a honeypot - and some mis-configured servers may look like they are
receive-only honeypots. If that convinces the spammer to avoid the IP that's good. My original thought was that the
spammers would discover my honeypot and avoid the IP. Then I'd move it so they'd do the same again, until they left my
entire subnet alone. At that point I'd convince the university to run honeypots, so that the spammers would eventually
leave the university IP space alone. Then I'd expand to .edu, with the same result planned. Then on to the entire
net. If discovery by the spammer makes the spammer leave you alone it's not all bad. Mostly (this began in late 1999
or early 2000) the spammers either didn't notice or just quit. Every time I thought they'd marked my IP as bad I got a
new wave of spam.
That was an old Vaxstation 4000/90. It's still running but I retired and I decided I didn't want to lumber the current
administrator with any problems from the honeypot (it's a university system and I still have administrator access to
it.) Until it went down it was averaging about 4 relay test messages trapped per day. Most of those were repeat
tests, from the same spammers - probably the spammers just do an endless search of the internet, checking all IPs over
and over again. Or maybe I was on a hot list of probable open relay IPs - I really can't say why they did what they
did.
I plan to put the Bubblegum proxypot on my system soon (it's dual-boot.) Until then all I do is consult my software
firewall logs. I also have a hardware firewall and I allow SMTP and proxy traffic through that specifically so that it
can be logged. I'm fairly certain 64.223.154.227(pool-64-223-154-227.man.east.verizon.net) is an IP used by a spammer
- I've logged a couple sets of proxy port scans from that IP. That's why I want to run a proxypot - so that I can
gather hard evidence.
Actually, I ran the Bubblegum proxypot a few hours today, and caught nothing. I only get proxy scanned about once per
day so I simply quit too soon.
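The receive-only behaviour described in the post above (an MTA that accepts every relay test, records it, and never delivers anything) is easy to sketch in code. The block below is an added example written for this archive page; it is not Brad Spencer's software nor the Bubblegum proxypot. The hostname `honeypot.example`, the set of "local" domains, and the listening port 2525 are assumptions for illustration. The SMTP state machine is kept separate from the network layer so the same session logic can be driven from a captured transcript offline.

```python
"""Receive-only SMTP honeypot: accept every relay attempt, log it, deliver nothing.

Added example for illustration; names and domains below are assumptions.
"""
import asyncio
import re
from dataclasses import dataclass, field
from typing import List, Optional

HOSTNAME = "honeypot.example"          # assumed; what we announce in HELO/EHLO replies
LOCAL_DOMAINS = {"honeypot.example"}   # assumed; mail to anything else is a relay attempt
ADDR_RE = re.compile(r"<([^>]*)>")     # pulls the address out of MAIL FROM:<...> / RCPT TO:<...>


@dataclass
class Capture:
    """One accepted message, kept as evidence instead of being delivered."""
    peer: str
    helo: str = ""
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)
    body: str = ""

    def is_relay_test(self) -> bool:
        """True when any recipient is off-site, i.e. the peer is probing us as an open relay."""
        return any(addr.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS
                   for addr in self.rcpt_to)


class Session:
    """SMTP state machine for one connection. Every command succeeds; nothing is queued."""

    def __init__(self, peer: str):
        self.peer = peer
        self.helo = ""
        self.captures: List[Capture] = []
        self._envelope = Capture(peer)
        self._in_data = False
        self._body: List[str] = []
        self.done = False

    def _reset(self) -> None:
        self._envelope = Capture(self.peer, helo=self.helo)
        self._body = []

    def feed(self, line: str) -> Optional[str]:
        """Consume one line from the peer; return the reply to send, or None during DATA."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self._envelope.body = "\n".join(self._body)
                self.captures.append(self._envelope)   # logged, never handed to a queue
                self._reset()
                return "250 OK: queued"                  # the lie that keeps the spammer talking
            # RFC 5321 dot-unstuffing: a leading ".." means a literal "."
            self._body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            self._envelope.helo = self.helo
            return f"250 {HOSTNAME}"
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            self._envelope.mail_from = m.group(1) if m else arg.strip()
            return "250 OK"
        if verb == "RCPT":
            m = ADDR_RE.search(arg)
            self._envelope.rcpt_to.append(m.group(1) if m else arg.strip())
            return "250 OK"          # accept every recipient: that is what an open relay looks like
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            self.done = True
            return "221 Bye"
        return "500 Command unrecognized"


def run_transcript(peer: str, lines: List[str]):
    """Drive a Session from a list of client lines; returns (replies, captures)."""
    session = Session(peer)
    replies = [r for r in (session.feed(ln) for ln in lines) if r is not None]
    return replies, session.captures


async def _handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    peer = writer.get_extra_info("peername")[0]
    session = Session(peer)
    writer.write(f"220 {HOSTNAME} ESMTP\r\n".encode())
    await writer.drain()
    while not session.done:
        raw = await reader.readline()
        if not raw:
            break
        reply = session.feed(raw.decode("latin-1").rstrip("\r\n"))
        if reply is not None:
            writer.write((reply + "\r\n").encode())
            await writer.drain()
    for c in session.captures:   # evidence only; no delivery ever happens
        print(f"{c.peer} helo={c.helo!r} from={c.mail_from!r} to={c.rcpt_to} relay_test={c.is_relay_test()}")
    writer.close()


async def serve(port: int = 2525) -> None:   # assumed port; 25 needs privileges
    server = await asyncio.start_server(_handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Because RCPT always returns 250 and end-of-data always returns "250 OK", a spammer's relay probe sees exactly what a misconfigured open relay would show, which is the point of the post: there is nothing to fingerprint in the conversation itself, and the only way to tell is to wait for the probe message to arrive (it never does).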