December 5th, 2005 04:04 AM
Jackpot and the bubblegum Proxypot are (or can be) production honeypots. You don't simply learn from them. They can (and do) capture spam before it reaches the destination server. As they intercept spam that is being sent by an abuse pathway there's no need to filter: if it comes, it's abuse-related. If the honeypot is configured to indicate to the abuser-spammer that it is an open relay or open proxy (by giving a positive response to the spammers' tests) then the spammer is very likely to send spam. (I say "abuse-related" because such honeypots receive both test messages and spam. You probably want to deliver the test messages, you don't want to deliver the spam.)
Originally posted here by Soda_Popinsky
Yup, you are correct. I wouldn't put something like this on my business network, it's pretty much only for research. Personally, I am having fun with it and I hope I didn't promote it as a line of defense.
As the honeypot keeps a copy of everything, including the test messages first sent to it before the spam, it's possible to find out where the spammer sends his tests (which are how he learns the IP address of open relays.) If the ISP at that site is agreeable you can cause the spammer further trouble: some, when asked, consented to leave the account active but to divert all email away from it (as the account was for an illegal activity the owner had violated the TOS and had no real legal rights - these were always freemail providers.) For a while, at least, the spammer would think he was finding no open relays. He could check his test-message account for new email but there'd never be any. What's he going to do when he figures out what's hit him - sue for not helping him commit abuse? Not likely - he'll just slink away, and maybe never use that freemail provider again for a test message dropbox address. That's a plus.
You also have copies of the spam and know the web sites to which the spammer directed his traffic. Nowadays they may be pretty sophisticated and clever about that, of course, and use destinations that are also on zombies, and for which the DNS changes frequently.
Probably you'd want to at least think carefully before putting one on a business network but having one on a university network should be fine. I ran Jackpot for a while at home and caught some stuff. My ISP now doesn't allow outgoing port 25 traffic but I still see (using ZoneAlarm) occasional probes of port 25: spammers still are looking. I have never run a proxypot but those can have a wicked effect on the spammers. Zombiepots would, today, also be wicked.
The problem with the internet was that it was designed when trust was a reasonable thing. Now it isn't. The trust that really hurts is the trust the abusers have that their abuse will work: if a system looks like it will allow abuse, it almost always does. Destroy that trust and you destroy spam. Make them fear every IP that looks like it can be abused, make them doubt that looking vulnerable is identical to being vulnerable. All the while you're doing that you can also be delivering hard body blows to them. Microsoft ran a proxypot for a while and now has a suit with about 20 "John Doe" (some names are now filled in) defendants. Anybody (in principle) can run a zombiepot. (If you doubt you can, fine: trust that doubt.)
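The relay-honeypot behaviour the post describes (answer 250 to every recipient so the relay looks open, keep a copy of every message and of the dialogue, then treat the single-recipient relay probes differently from the bulk sends) written out as an added example. This is not code from the post, from Jackpot or from Proxypot; the hostname, the session handler, the "relay test" heuristic, the queue-id format and the sample client session are all constructed for illustration.

```python
"""Server side of one SMTP session on an open-relay honeypot (added example).

Every RCPT is accepted, which is what a spammer's relay test looks for,
but nothing is ever relayed: messages go into .captured and both sides of
the dialogue into .transcript so the evidence survives.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_ADDR = re.compile(r"<([^>]*)>")  # address inside MAIL FROM:<..> / RCPT TO:<..>


@dataclass
class CapturedMessage:
    client_ip: str
    mail_from: str
    rcpt_to: List[str]
    body: str

    def looks_like_relay_test(self, max_body_bytes: int = 512) -> bool:
        # Assumed heuristic: a probe goes to exactly one dropbox address and
        # carries a tiny body; a bulk send has many recipients or a real payload.
        return len(self.rcpt_to) == 1 and len(self.body.encode()) <= max_body_bytes


class RelayHoneypotSession:
    def __init__(self, client_ip: str):
        self.client_ip = client_ip
        self.captured: List[CapturedMessage] = []
        self.transcript: List[str] = []  # "C: ..." and "S: ..." lines
        self._queue_id = 0
        self._reset()

    def _reset(self) -> None:
        self._mail_from: Optional[str] = None
        self._rcpts: List[str] = []
        self._in_data = False
        self._data_lines: List[str] = []

    def _say(self, reply: str) -> str:
        self.transcript.append("S: " + reply)
        return reply

    def greeting(self) -> str:
        return self._say("220 mail.honeypot.example ESMTP ready")  # constructed hostname

    def handle_line(self, line: str) -> Optional[str]:
        """Process one client line; returns the server reply (None while in DATA)."""
        self.transcript.append("C: " + line)
        if self._in_data:
            if line == ".":
                self._queue_id += 1
                self.captured.append(CapturedMessage(
                    self.client_ip, self._mail_from, list(self._rcpts),
                    "\n".join(self._data_lines)))
                self._reset()
                return self._say("250 OK queued as HP%06d" % self._queue_id)
            # undo SMTP dot-stuffing: a line sent as ".." began with "."
            self._data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._say("250 mail.honeypot.example")
        if verb == "MAIL":
            m = _ADDR.search(arg)
            if not m:
                return self._say("501 Syntax: MAIL FROM:<address>")
            self._mail_from = m.group(1)
            return self._say("250 OK")
        if verb == "RCPT":
            if self._mail_from is None:
                return self._say("503 Need MAIL first")
            m = _ADDR.search(arg)
            if not m:
                return self._say("501 Syntax: RCPT TO:<address>")
            # A real MTA answers "550 relaying denied" for foreign domains;
            # answering 250 is exactly what makes the open-relay test "succeed".
            self._rcpts.append(m.group(1))
            return self._say("250 OK")
        if verb == "DATA":
            if not self._rcpts:
                return self._say("503 Need RCPT first")
            self._in_data = True
            return self._say("354 End data with <CR><LF>.<CR><LF>")
        if verb == "RSET":
            self._reset()
            return self._say("250 OK")
        if verb == "QUIT":
            return self._say("221 Bye")
        return self._say("500 Command not recognized")


def run_session(client_ip: str, client_lines: List[str]) -> RelayHoneypotSession:
    s = RelayHoneypotSession(client_ip)
    s.greeting()
    for line in client_lines:
        s.handle_line(line)
    return s


def triage(captured: List[CapturedMessage]) -> dict:
    """Apply the post's policy: probes may be delivered so the relay keeps
    looking open, bulk sends are held; the probe recipients are the dropboxes."""
    tests = [m for m in captured if m.looks_like_relay_test()]
    held = [m for m in captured if not m.looks_like_relay_test()]
    return {"deliver": tests, "hold": held,
            "dropboxes": sorted({m.rcpt_to[0] for m in tests})}


# Constructed sample session: one relay probe followed by one bulk send.
SAMPLE_CLIENT = [
    "EHLO relaytest",
    "MAIL FROM:<probe@freemail.example>",
    "RCPT TO:<dropbox123@freemail.example>",
    "DATA", "Subject: relay test 203.0.113.7", "", "rt-203.0.113.7-3f9a", ".",
    "MAIL FROM:<offers@bulkmail.example>",
    "RCPT TO:<alice@example.net>", "RCPT TO:<bob@example.org>", "RCPT TO:<carol@example.com>",
    "DATA", "Subject: Cheap stuff!!!", "", "Visit http://pills.example/ now",
    "..sent via zombie",  # dot-stuffed line; stored as ".sent via zombie"
    ".", "QUIT",
]

if __name__ == "__main__":
    s = run_session("203.0.113.7", SAMPLE_CLIENT)
    print("\n".join(s.transcript))
    t = triage(s.captured)
    print("deliver:", len(t["deliver"]), "hold:", len(t["hold"]), "dropboxes:", t["dropboxes"])
```

The handler is deliberately a pure line-in/reply-out state machine so it can sit behind any socket loop and be tested without a network; the `transcript` list is the part worth keeping, since it is what you would show the freemail provider when asking them to divert the dropbox.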