Originally posted here by alphabetarian
I haven't heard anything lately about the exact legality of honeypots, so I couldn't tell you for sure. The whole article spawned from an independent study course I did on honeypots last year, in which I used Honeyd, by Niels Provos. At the time, he was a Ph.D student at the Univ. of Michigan and the state gov't passed some DMCA-in-nature law where software that hid its original source was illegal. Honeyd, through the help of arpd, would take over unused IPs on a subnet and pretend to have actual machines sitting behind those unused IPs. I think that's what caused him problems, so he had it moved offshore for a little bit, but I'm not sure what's going on with it now. Aside from that, that's the only DMCA-ish problem I've ever heard of regarding honeypots. But granted, I've been bad and haven't looked into them in a while.

So, long story short, I'm not sure. I'll google it and report back...

alpha
I think the notion about the possible bad legal ramifications of honeypots came from just one guy (federal employee, a lawyer), whose name I don't recall. His proposed scenario was that an abuser would use a honeypot to commit abuse that damaged someone else and that the operator of the honeypot would be liable. He didn't say how that was worse than the potential liability of the operator of a vulnerable system that got abused, nor did he say how it was that a honeypot (which if effective would not allow abuse, even though it might look to the abuser as though it did) would be abused. I sort of suspected at the time that he was deliberately trying to make people fearful of honeypots. If so, it worked.

Note, too, that honeypots don't have to be general: they can be for specific abuse on specific ports (such as Jackpot, or the Bubblegum proxypot). Those would be much harder to abuse. If the abuser is a spammer then he's simply trying, in a bulk fashion, to find systems he can abuse to send spam. He's not being sophisticated or spending a long time checking out the system, he's just looking for what looks like it can be abused. (As an aside, it's really fun to fool someone who thinks he's fooling you.)

I have seen Jackpot relay email that it shouldn't, so I eventually configured mine (I no longer run it) to deliver nothing. For an open relay honeypot (which is what Jackpot is) the real power can come from relaying the test messages the abuser-spammer scatter-sends throughout the internet. He knows from the ones that get delivered which IP addresses are the open relays. I've seen many ways of indicating the tested IP address in the message, both in plaintext (xxx.xxx.xxx.xxx) and encoded in some way, for example in the Message-ID, in decimal ASCII. Sometimes they were double-encoded, but not in any way particularly hard to decipher. Probably the spammer would just collect all the test messages he received and use a search program to pick off a unique string (like "Message-ID") and then decode the IP addresses using a simple program.
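An added example, not from either poster or from Jackpot itself, showing how an open-relay honeypot could recognise the relay-test messages described above (the tested IP in plaintext, in the Message-ID as decimal ASCII, or double-encoded) and refuse to deliver them. The honeypot address 192.0.2.25 and the sample messages are constructed for the example; it assumes the message text is as received from the client, before the honeypot adds its own headers.

```python
import re
from typing import Optional, Set

# Constructed sample messages for an open-relay honeypot (not real spam).
# The relay address under test is assumed to be 192.0.2.25 (documentation range).
HONEYPOT_IPS = {"192.0.2.25"}
SAMPLES = {
    "plain":  "Message-ID: <test@probe.invalid>\r\n\r\nrelay check 192.0.2.25\r\n",
    "single": "Message-ID: <49575046484650465053@probe.invalid>\r\n\r\nx\r\n",
    "double": "Message-ID: <5257535553485254525652545348525453485351@probe.invalid>\r\n\r\nx\r\n",
    "benign": "Message-ID: <20240101120000.12345@mail.example>\r\n\r\nhello\r\n",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DIGIT_RUN_RE = re.compile(r"\d{8,}")   # an encoded dotted quad needs at least 14 digits


def decode_decimal_ascii(digits: str) -> Optional[str]:
    """Read a digit string as two-digit decimal ASCII codes ('1' -> 49, '.' -> 46).
    Returns None if it cannot be such an encoding of digits and dots."""
    if len(digits) % 2:
        return None
    chars = []
    for i in range(0, len(digits), 2):
        code = int(digits[i:i + 2])
        if not 46 <= code <= 57:          # only '.', '/' and '0'-'9' are plausible here
            return None
        chars.append(chr(code))
    return "".join(chars)


def candidate_ips(raw_message: str, max_depth: int = 3) -> Set[str]:
    """IPv4 addresses present in plaintext or hidden in a digit run as
    (possibly repeated) decimal ASCII; one encoding layer is peeled per pass."""
    found = set(IPV4_RE.findall(raw_message))
    for run in DIGIT_RUN_RE.findall(raw_message):
        layer: Optional[str] = run
        for _ in range(max_depth):
            layer = decode_decimal_ascii(layer)
            if layer is None:
                break
            found.update(IPV4_RE.findall(layer))
    return found


def is_relay_probe(raw_message: str, own_ips: Set[str] = HONEYPOT_IPS) -> bool:
    """True when the message carries one of the honeypot's own addresses,
    i.e. it is a relay test that should be logged but never delivered."""
    return bool(candidate_ips(raw_message) & own_ips)


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:7s} probe={is_relay_probe(msg)} ips={sorted(candidate_ips(msg))}")
```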