Honeypots Applied to Open Proxies

Honeypots apply to open mail relays in exactly the same way that they apply to open proxies. For this reason, in the following section, I will briefly describe honeypots only as they apply to (1) open proxies and (2) bot-networks.

Recall that an open proxy enables spammers to fully conceal their identities by making all email messages appear to come from the proxy. A cybersleuth could set up an open proxy honeypot and wait for spammers to start using it. This fake open proxy would record the source address of all connections to it along with all traffic routed through it. This could potentially provide significant leads for catching the spammer. The Proxypot Project is an example of an open proxy honeypot specifically designed to catch spammers. It accepts connections from any computer on the Internet, and logs all relevant information about the connection. Most importantly, it logs the address of the computer that initiates each connection. The project also provides tools to search these log files for spam activity. Note that Proxypot actually stops short of sending spam traffic to its destination. It only logs the fact that an attempt to send spam has occurred. By blocking spam routed through it, Proxypot ensures that it does not contribute to the prevalence of spam email.

Honeypot logs can reveal the network address of a spammer. Once spammers discover the open proxy honeypot, they begin to route spam email through it. Unless the spammers take extra precautions, they cannot tell that the open proxy they are using is a honeypot. A few days later, after examining the honeypot’s logs, the cybersleuth can expose the spammer’s network address. Although open proxy honeypots would seem to be a powerful technique for catching spammers, there are a number of significant drawbacks to this approach. First, spammers are well aware of the existence of honeypots and are already implementing counter-measures to avoid them. For example, the Send-safe tool is capable of detecting honeypots by sending a test spam email to itself. Since most honeypots block spam email routed through them, the test message will not be delivered and Send-safe will stop routing email through the open proxy honeypot.

Second, spammers can completely fool an open proxy honeypot by using proxy chains. Suppose the spammer identifies three open proxies called A, B, and C. The odds are that at most one of them will be a honeypot. The spammer then sends email by creating a path through all three servers. The email will travel from the spammer’s machine first to server A, then to server B, then to server C, and finally to the spam recipient. Now, suppose that server C is the honeypot. It only “sees” connections from server B, not from the spammer. As a result, the honeypot’s log would falsely incriminate B as the spammer. In fact, when spammers use proxy chains in this manner, a honeypot log will record absolutely no useful information, unless the honeypot happens to be the first server in the chain. Spammers find proxy chains inconvenient to use since they slow down email delivery and require spammers to identify a greater number of open proxies. Nevertheless, if honeypots become prevalent, it is likely that spammers will simply switch to using proxy chains to evade detection.
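As an added illustration of the two points above (this is example code written for this post, not part of Proxypot), the following script searches a constructed open-proxy honeypot log for relay attempts to SMTP ports, counts them per source address, and marks a lead as unreliable when the source is itself a known open proxy, since the honeypot would then only be seeing the previous hop of a proxy chain. The log format and the list of known open proxies are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample log: "<timestamp> <source ip> <method> <target>".
# This is an invented format for illustration, not Proxypot's real one.
SAMPLE_LOG = """\
2004-03-01T10:00:01 203.0.113.7 CONNECT mx.example.net:25
2004-03-01T10:00:02 203.0.113.7 CONNECT mx2.example.org:25
2004-03-01T10:00:05 198.51.100.4 GET http://www.example.com/
2004-03-01T10:00:09 203.0.113.7 CONNECT mail.example.com:25
2004-03-01T10:01:00 192.0.2.99 CONNECT mx.example.net:25
2004-03-01T10:01:30 198.51.100.4 CONNECT www.example.com:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
SMTP_PORTS = {25, 465, 587}  # ports a mail relay attempt would target


def parse_line(line):
    """Return (source_ip, method, host, port) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, method, target = m.groups()
    host, port = target, None
    if method == "CONNECT" and ":" in target:
        host, port_str = target.rsplit(":", 1)
        port = int(port_str) if port_str.isdigit() else None
    return src, method, host, port


def relay_attempts(log_text):
    """Count, per source address, connections the honeypot saw to SMTP ports."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in SMTP_PORTS:
            counts[rec[0]] += 1
    return dict(counts)


def classify_leads(attempts, known_open_proxies):
    """Label each source: a direct lead, or a likely chain hop (assumed proxy list)."""
    leads = {}
    for src, n in attempts.items():
        # If the source is itself an open proxy, the honeypot only saw the
        # previous hop of a chain, so the address does not identify the sender.
        leads[src] = "possible proxy chain, lead unreliable" if src in known_open_proxies else "direct lead"
    return leads
```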
