Honeypots: Re: Honeypots

["Michael" <michael () insulin-pumpers org>]

> Michael,
>     Very interesting idea - apparently a wholly legal passive
>     "attack".
>
> One thing that I would question (simply because I couldn't find the
> documentation) is how the blocking-list is determined - there are
> several ways. There are mentions of WHOIS and DNS lookup (MX?) - I'd
> be interested to know more..
>
> Regards,
>
> Ian Baker
> Webmaster, codecutters.org
There are several methods. There is a common configuration file for 
Net::DNSBL::MultiDnsbl and the SpamCannibal cron script 
sc_BLcheck.pl, which checks incoming IP's that are stored by the 
dbtarpit daemon. 'multidnsbl' is used in place of RBL checks in the 
MTA.

The action for the MTA is usually configured to bounce the messages 
tagged by 'multidnsbl'. The action of sc_BLcheck.pl is to place the 
suspect IP address into the dbtarpit 'tarpit' database. (sc_BLpreen 
removes it if a subsequent check detects a correction).

Criteria:
presets: always fail by IP, CIDR, Country
conditional: allowed DNSBL reply, in-addr.arpa failure

All of this is in the sample configuration file in the distribution
sc_Blacklist.conf.sample

In addition to these automated tarpit actions, spam that gets through 
to the master user as either a bounce return with attached message or 
direct spam can be emailed to a "spam" user for auto addition to the 
tarpit database. These manual additions are permanent until removed 
by the administratior. Admin tools allow addition of CIDR blocks from 
2 to 256 as well as general database tweaking.

Michael

> ----- Original Message ----- 
> From: "Michael" <michael () insulin-pumpers org>
> To: <honeypots () securityfocus com>
> Sent: Tuesday, January 20, 2004 1:33 AM
> Subject: Re: Honeypots
>
>
> > SpamCannibal blocks spam at the origination server and can be
> > configured to block DoS attacks.
> >
> > SpamCannibal uses a continually updated database containing the IP
> > addresses of spam or DoS servers and blocks their ability to connect
> > using a TCP/IP tarpit, ideally bringing the spam server to a virtual
> > halt for a long time or perhaps indefinitely. This effectively
> > eliminates the network traffic to your site because the spam never
> > leaves the origination server. Widely deployed, SpamCannibal can help
> > eliminate spam from the internet.
> >
> > The operative piece of this gadget is
> >
> > IPTables::IPv4::DBTarpit
> >
> > a module based on Linux IPTABLES that uses the BerkeleyDB database to
> > store IP addresses and other selected information about spammers.
> >
> > Full documentation for SpamCannibal and all the modules is on the
> > SpamCannibal home page and everything is downloadable from CPAN.
> > Prerequisites on the DOWNLOAD page of
> >
> >     http://www.spamcannibal.org