
[cody@halosec.com: Using LaBrea to slow spam]



I had no idea LaBrea worked so well against the spammers. Rik, I wonder
about the feasibility of tying your RBLs together with LaBrea -- if the
connecting IP isn't on the RBLs, connect to your real mail server, if
they are on the RBL, forward the connection to a LaBrea server instead.

----- Forwarded message from Cody Hatch <cody@halosec.com> -----

From: Cody Hatch <cody@halosec.com>
To: bugtraq@securityfocus.com
Subject: Using LaBrea to slow spam
Date: Tue, 17 Sep 2002 11:34:03 -0600
Cc: honeypots@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can't find any previous postings about this, or much info on the web, so I 
figured I'd post this idea to get feedback.

I wanted to see the feasibility of using LaBrea to tarpit spammer mail 
servers, so I set up a domain with its MX record pointing to a tarpit IP. I 
then tried, using Outlook's Hotmail module along with several types of 
mass-mailing programs, to send email to an email address belonging to the 
tarpit domain, along with several legitimate email addresses. All of the 
tarpit connections worked like a charm, and the respective programs hung. 
Outlook wouldn't send the remaining legitimate emails until I had deleted the 
tarpitted email from the "outbox." The mass-mailing programs hung, with many 
of the programs freezing completely, forcing me to kill the process. Some of 
them just hung, and I had to stop the mass-mailing in order to delete the 
tarpitted addresses before continuing on with the mass-mailing.

All of my tests worked like they were supposed to, and tarpitted the 
connection, in many cases freezing the mass-mailing program completely. I 
feel this would be effective in making spam unprofitable, for the most part. 
In addition, it would be a real punishment for open-relays, as they would 
have their mail server's quality severely degraded by having multiple 
connections tarpitted. 

I've tried many different tactics to stop or slow down spam, and I have found 
this to be the most effective. It would certainly be more effective if many 
people either set up dummy tarpit domains, or sub-domains to be tarpitted. I 
would appreciate any ideas or feedback on this issue.

Regards.
- -- 
Cody Hatch, CCNA
HALO Network Security, Inc.
http://www.halosec.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9h2ePAYnMSC0zNzQRAsLoAJ9j1oO38+9/VkvHUwCl9hwdblW8vACggtEJ
TIlRZwp09VdHE1451W9xtfE=
=z5ea
-----END PGP SIGNATURE-----

----- End forwarded message -----

-- 
http://immunix.org/
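
Added example, not part of the original thread: the routing decision proposed in the reply at the top (RBL-listed clients to a tarpit, everyone else to the real mail server), in Python. The zone name, the two backend addresses and the injected resolver are assumptions; the lookup follows the usual DNSBL convention (reversed address under the list's zone, an answer in 127.0.0.0/8 means listed).

```python
import ipaddress
import socket

# Assumed values for illustration; none of these come from the thread.
DNSBL_ZONE = "dnsbl.example.org"
REAL_MX = ("192.0.2.25", 25)   # real mail server
TARPIT = ("192.0.2.66", 25)    # LaBrea-style tarpit host
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """Reversed octets (IPv4) or nibbles (IPv6) prepended to the list's zone."""
    addr = ipaddress.ip_address(client_ip)
    # reverse_pointer gives '4.3.2.1.in-addr.arpa'; drop the two arpa labels.
    return addr.reverse_pointer.rsplit(".", 2)[0] + "." + zone


def system_resolver(name):
    """A records for name; [] when the name does not exist (not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # temporary failures are handled by choose_backend
    return [info[4][0] for info in infos]


def choose_backend(client_ip, resolve=system_resolver):
    """Listed clients go to the tarpit, everyone else to the real server."""
    try:
        answers = resolve(dnsbl_query_name(client_ip))
    except OSError:
        # Resolver trouble: fail open so legitimate mail is never tarpitted.
        return REAL_MX
    listed = any(ipaddress.ip_address(a) in LISTED_NET for a in answers)
    return TARPIT if listed else REAL_MX


# Constructed sample data: a fake resolver standing in for real DNS.
FAKE_ZONE = {"2.0.0.127.dnsbl.example.org": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "198.51.100.7"):
        print(ip, "->", choose_backend(ip, fake_resolve))
```

This covers only the decision; the forwarding itself belongs to whatever proxy or packet filter fronts port 25.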
