Posts Tagged ‘Honeypots’
One way a cybersleuth might try to identify a spammer is by building a honeypot drone for a bot-network. A honeypot drone is a computer on the Internet that pretends to be part of a bot-network, but is actually under the control of a cybersleuth. By allowing the honeypot to become a part of the bot-network, the cybersleuth could obtain a copy of the bot-network software and could then discover the mechanism by which the spammer issues new instructions to drones. Once the mechanism is known, one could potentially wait for the spammer to issue new instructions and then catch the spammer.
However, sophisticated spammers have already developed ways to evade honeypot detection. First, such spammers realize that they are putting themselves and their bot-networks at risk by connecting directly to a site that provides instructions to drones. To counter this risk, sophisticated spammers no longer connect directly to such sites. Instead, they now post new instructions to drones by using a path through multiple computers, often including computers located outside the United States. In such instances, the information obtained from the honeypot drone is of little use in identifying the spammers’ true network addresses.
A second, and more powerful, spammer technique to evade honeypot detection has arisen more recently. Spammers often now design bot-networks so that the sites with which individual drones communicate are not fixed. For example, drones in the Phatbot network receive instructions using a peer-to-peer network of drones. Because the honeypot drone in such a network only communicates with a few other drones, its view of the bot-network is local and limited, and it would not have access to the network address of the bot-network administrator. Thus, as these two evasion techniques illustrate, we can expect this “cat and mouse” pattern to play out repeatedly as sophisticated spammers increasingly adopt and refine new methods to evade honeypot detection.
Honeypots (decoy email addresses) are used for collecting large amounts of spam. These decoy email addresses do not belong to actual end users, but are made public to attract spammers who will think the address is legitimate. Once the spam is collected, identification techniques, such as hashing systems or fingerprinting, are used to process the spam and create a database of known spam. Let’s take a closer look at hashing systems and fingerprinting.
HASHING SYSTEMS: With hashing systems, each spam email receives an identification number, or “hash,” that corresponds to the contents of the spam. A list of known spam emails and their corresponding hashes is then created. All incoming email is compared to this list of known spam. If the hashing system determines that an incoming email matches an email in the spam list, then the email is rejected. This technique works as long as spammers send the same or nearly the same email repeatedly. One of the original implementations of this technique was called Razor.
FINGERPRINTING: Fingerprinting techniques examine the characteristics, or fingerprint, of emails previously identified as spam and use this information to identify the same or similar email each time one is intercepted. These real-time fingerprint checks are continuously updated and provide a method of identifying spam with nearly zero false positives. Fingerprinting techniques can also look specifically at the URLs contained in a message and compare them against URLs previously identified as spam propagators.
Honeypots with hashing or fingerprinting can be effective provided similar spam emails are widely sent. If each spam is made unique, these techniques can run into difficulties and fail.
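The contrast between the two approaches, as an added example that is not code from the original post or from Razor: an exact hash of the normalized body catches verbatim copies of a message collected by a decoy address, while a URL-based fingerprint still matches a copy the spammer has made unique. The messages, hostnames and the normalization rules are constructed assumptions, not data from the page.

```python
import hashlib
import re
from typing import Set, Tuple

# Constructed sample messages for illustration (not from the original page).
KNOWN_SPAM = [
    "Buy cheap meds now! Visit http://pills.example/deal?id=1 today",
]
INCOMING = [
    "Buy cheap meds now! Visit http://pills.example/deal?id=1 today",        # verbatim copy
    "Buy cheap meds now! Visit http://pills.example/deal?id=7 today xq9z",   # made unique
    "Meeting moved to 3pm, see http://intranet.example/calendar",            # legitimate
]

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def normalize(body: str) -> str:
    """Collapse whitespace and case so trivial edits do not change the hash."""
    return " ".join(body.lower().split())

def body_hash(body: str) -> str:
    """Razor-style exact hash: one identifier for the whole normalized body."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()

def url_hosts(body: str) -> Set[str]:
    """URL fingerprint: the hostnames the message directs the reader to."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)}

def build_db(spam) -> Tuple[Set[str], Set[str]]:
    """Turn honeypot-collected spam into a hash list and a spam-host list."""
    hashes = {body_hash(m) for m in spam}
    hosts = set().union(*(url_hosts(m) for m in spam))
    return hashes, hosts

def classify(body: str, hashes: Set[str], hosts: Set[str]) -> str:
    """Exact hash first; fall back to the URL fingerprint when the body was altered."""
    if body_hash(body) in hashes:
        return "spam:hash"
    if url_hosts(body) & hosts:
        return "spam:url"
    return "ham"
```

The second incoming message has a different hash because of the changed id and the appended token, so only the URL fingerprint catches it; a spammer who also varies the hostname per message defeats both checks, which is the failure mode the paragraph describes.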
Honeypots apply to open mail relays in exactly the same way that they apply to open proxies. For this reason, in the following section, I will briefly describe honeypots only as they apply to (1) open proxies and (2) bot-networks.
Recall that an open proxy enables spammers to fully conceal their identities by making all email messages appear to come from the proxy. A cybersleuth could set up an open proxy honeypot and wait for spammers to start using it. This fake open proxy would record the source address of all connections to it along with all traffic routed through it. This could potentially provide significant leads for catching the spammer. The Proxypot Project is an example of an open proxy honeypot specifically designed to catch spammers. It accepts connections from any computer on the Internet, and logs all relevant information about the connection. Most importantly, it logs the address of the computer that initiates each connection. The project also provides tools to search these log files for spam activity. Note that Proxypot actually stops short of sending spam traffic to its destination. It only logs the fact that an attempt to send spam has occurred. By blocking spam routed through it, Proxypot ensures that it does not contribute to the prevalence of spam email.
Honeypot logs can reveal the network address of a spammer. Once spammers discover the open proxy honeypot, they begin to route spam email through it. Unless the spammers take extra precautions, they cannot tell that the open proxy they are using is a honeypot. A few days later, after examining the honeypot’s logs, the cybersleuth can expose the spammer’s network address. Spammers are already implementing methods to evade honeypots. Although open proxy honeypots would seem to be a powerful technique for catching spammers, there are a number of significant drawbacks to this approach. First, spammers are well aware of the existence of honeypots and are implementing countermeasures to avoid them. For example, the Send-Safe tool is capable of detecting honeypots by sending a test spam email to itself. Since most honeypots block spam email routed through them, the test message will not be delivered and Send-Safe will stop routing email through the open proxy honeypot.
Second, spammers can completely fool an open proxy honeypot by using proxy chains. Suppose the spammer identifies three open proxies called A, B, and C. The odds are that at most only one of them will be a honeypot. The spammer then sends email by creating a path through all three servers. The email will travel from the spammer’s machine first to server A, then to server B, then to server C, and finally to the spam recipient. Now, suppose that server C is the honeypot. It only “sees” connections from server B, not from the spammer. As a result, the honeypot’s log would falsely incriminate B as the spammer. In fact, when spammers use proxy chains in this manner, a honeypot log will record absolutely no useful information, unless the honeypot happens to be the first server in the chain. Spammers find proxy chains inconvenient to use since they slow down email delivery and require spammers to identify a greater number of open proxies. Nevertheless, if honeypots become prevalent, it is likely that spammers will simply switch to using proxy chains to evade detection.
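A model of the proxy-chain limitation described above, added here as an example and not code from the Proxypot project: each relay records only the peer that connected to it, a honeypot relay logs but never delivers, and the address a honeypot attributes spam to depends entirely on its position in the chain. The addresses are constructed documentation-range values, not indicators from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed addresses for illustration (not from the original page).
SPAMMER = "203.0.113.10"
PROXIES = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]   # servers A, B, C

@dataclass
class Proxy:
    addr: str
    honeypot: bool = False
    log: List[str] = field(default_factory=list)   # source addresses seen by this relay

    def relay(self, src: str, rest: List["Proxy"], msg: str) -> Optional[str]:
        """Forward msg down the remaining chain; return it if delivered, None if dropped."""
        # A relay only ever sees the TCP peer that connected to it, never the origin.
        self.log.append(src)
        if self.honeypot:
            return None                      # Proxypot-style: record the attempt, block delivery
        if rest:
            return rest[0].relay(self.addr, rest[1:], msg)
        return msg                           # last hop hands the message to the recipient

def send_through(chain: List[Proxy], msg: str) -> Optional[str]:
    """The spammer connects to the first proxy; every later hop sees the previous proxy."""
    return chain[0].relay(SPAMMER, chain[1:], msg)

def honeypot_observation(honeypot_index: int) -> str:
    """Address a honeypot at this chain position would attribute the spam to."""
    chain = [Proxy(a, honeypot=(i == honeypot_index)) for i, a in enumerate(PROXIES)]
    send_through(chain, "constructed spam body")
    return chain[honeypot_index].log[0]
```

Only a honeypot in the first position logs the spammer's own address; in any later position it logs the previous proxy, which is why the text says such a log falsely incriminates B.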