Comments on: Fighting spam via Project Honey Pot http://nerhood.wordpress.com/2004/10/27/fighting-spam-via-project-honey-pot/ My digital diary with topics about family, work, computers, technology, books and whatever else comes to mind Wed, 24 Jun 2009 18:27:08 +0000 http://wordpress.com/ hourly 1 By: Ken Nerhood http://nerhood.wordpress.com/2004/10/27/fighting-spam-via-project-honey-pot/#comment-95 Ken Nerhood Wed, 17 Nov 2004 16:33:49 +0000 /?p=240#comment-95 Matthew, Thanks for the kind and detailed followup. It shed a lot of light on the goings on with Project HoneyPot. I too am a little surpised at the seemingly low volume of spam that you have seen, but I belive that the project can go a long way towards combating spam. I wish you and your team the best. --ken Matthew,

Thanks for the kind and detailed followup. It shed a lot of light on the goings on with Project HoneyPot. I too am a little surpised at the seemingly low volume of spam that you have seen, but I belive that the project can go a long way towards combating spam. I wish you and your team the best.

–ken

]]> By: Matthew Prince http://nerhood.wordpress.com/2004/10/27/fighting-spam-via-project-honey-pot/#comment-94 Matthew Prince Tue, 16 Nov 2004 04:12:28 +0000 /?p=240#comment-94 Ken -- Thanks for the link and the kind words. Judging from our logs, lots of visitors to the Project Honey Pot site have come as a result of your referral. We appreciate it. We've been open a bit longer now so I thought I'd respond to the comments above. We've definitively caught about 20 IPs harvesting addresses. We have a bunch more we suspect but do not have enough evidence yet to publish. You can see the list of harvesters online at: <a href="http://www.projecthoneypot.org/bots_and_servers.php">Global Harvester List</a> Click on any of the IPs on that page, or on the pages under that page, in order to see their details. The idea is that you can surf your way through spammers networks.... seeing how harvesters and mail servers are associated. A couple of surprises so far. First, we're astounded how few messages we have received. We expected and architected for a flood, so far it's just been a trickle. Part of the lesson may be that the real danger doesn't come from the average harvesting but from the the guy who harvests and then sells a CD of "100M emails for $19.95." It could be there are some spammer "king pins" out there making money off these sort of CDs or lists of addresses without ever sending a single message. If so, we'll soon know more about them. And they're lists will be mined with our honey pot addresses -- immediately revealing anyone foolish enough to buy one. Second, we're encouraged by some of the initial results. Our hypothesis going into this was that harvesters would be more closely associated with the actual spammers than the proxies they're using to send their messages. Again, the initial data seems to bear this out. Check out the following links: <a href="http://www.projecthoneypot.org/ip_inspector.php?iph=bf6fe39b73cb380420ccebf73aa778c2">Example 1 </a> <a href="http://www.projecthoneypot.org/ip_inspector.php?iph=10f32a7ff8b77065f88fcd5ece326a21">Example 2</a> <a href="http://www.projecthoneypot.org/ip_inspector.php?iph=3ad245bae5a3835f7daa412a3ce75f7f">Example 3</a> These three harvesters, which seem to be generally representative, are almost certainly all the same individual or group of spammers. While they're bouncing their messages off machines around the world, they're using fixed, leased lines to do their harvesting. That means there's likely to be a paper trail back to a real identity. Harvesting alone is against the law which may lead to all sorts of new avenues for prosecution (see, for example, <a href="http://www.projecthoneypot.org/law_of_harvesting.php">our page</a> on the subject), the Project may also identify spammers for even traditional prosecutions. We're really encouraged, if somewhat surprised, by the initial results. Thanks again for your support! Matthew Prince. CEO, Unspam, LLC Adjunct Professor of Law John Marshall Law School Ken –
Thanks for the link and the kind words. Judging from our logs, lots of visitors to the Project Honey Pot site have come as a result of your referral. We appreciate it.

We’ve been open a bit longer now so I thought I’d respond to the comments above. We’ve definitively caught about 20 IPs harvesting addresses. We have a bunch more we suspect but do not have enough evidence yet to publish. You can see the list of harvesters online at:

Global Harvester List

Click on any of the IPs on that page, or on the pages under that page, in order to see their details. The idea is that you can surf your way through spammers networks…. seeing how harvesters and mail servers are associated.

A couple of surprises so far. First, we’re astounded how few messages we have received. We expected and architected for a flood, so far it’s just been a trickle. Part of the lesson may be that the real danger doesn’t come from the average harvesting but from the the guy who harvests and then sells a CD of “100M emails for $19.95.” It could be there are some spammer “king pins” out there making money off these sort of CDs or lists of addresses without ever sending a single message. If so, we’ll soon know more about them. And they’re lists will be mined with our honey pot addresses — immediately revealing anyone foolish enough to buy one.

Second, we’re encouraged by some of the initial results. Our hypothesis going into this was that harvesters would be more closely associated with the actual spammers than the proxies they’re using to send their messages. Again, the initial data seems to bear this out. Check out the following links:

Example 1 Example 2 Example 3

These three harvesters, which seem to be generally representative, are almost certainly all the same individual or group of spammers. While they’re bouncing their messages off machines around the world, they’re using fixed, leased lines to do their harvesting. That means there’s likely to be a paper trail back to a real identity. Harvesting alone is against the law which may lead to all sorts of new avenues for prosecution (see, for example, our page on the subject), the Project may also identify spammers for even traditional prosecutions.

We’re really encouraged, if somewhat surprised, by the initial results. Thanks again for your support!

Matthew Prince.
CEO, Unspam, LLC
Adjunct Professor of Law
John Marshall Law School

]]> By: Ken Nerhood http://nerhood.wordpress.com/2004/10/27/fighting-spam-via-project-honey-pot/#comment-92 Ken Nerhood Fri, 29 Oct 2004 12:49:13 +0000 /?p=240#comment-92 Project Honey Port has online been on-line for about 5 days now, and it will take a while for some momentum to build. An email from the head of the project provides a little more insight. <blockquote>It's hard for us to prove that we're going to do what we promise because we've only been open for 3 days and, to be honest, have only received one spam message so far. (They're start flooding in soon. Our initial tests show that on average there's about 1 week between harvesting and the first messages to arrive.) If you're skeptical of our intent then I just ask that you give us a chance and wait and see how we behave.</blockquote> They have committed to provide the information that they collect to the <a href="http://surbl.org/">SURBL</a> (Spam URI Realtime Blacklist) project. The SURBL project has made a significant impact in the fight against spam. As for how I find projects, sometimes I just get lucky. In this case I was reading a mailling about SpamAssassin, and the poster (one of the SpamAssassin developers) made an off-hand remark about the project. It seemed interesting so the rest is history. Project Honey Port has online been on-line for about 5 days now, and it will take a while for some momentum to build. An email from the head of the project provides a little more insight.

It’s hard for us to prove that we’re going to do what we promise because we’ve only been open for 3 days and, to be honest, have only received one spam message so far. (They’re start flooding in soon. Our initial tests show that on average there’s about 1 week between harvesting and the first messages to arrive.) If you’re skeptical of our intent then I just ask that you give us a chance and wait and see how we behave.

They have committed to provide the information that they collect to the SURBL (Spam URI Realtime Blacklist) project. The SURBL project has made a significant impact in the fight against spam.

As for how I find projects, sometimes I just get lucky. In this case I was reading a mailling about SpamAssassin, and the poster (one of the SpamAssassin developers) made an off-hand remark about the project. It seemed interesting so the rest is history.

]]> By: Keith Strickland http://nerhood.wordpress.com/2004/10/27/fighting-spam-via-project-honey-pot/#comment-93 Keith Strickland Fri, 29 Oct 2004 12:14:04 +0000 /?p=240#comment-93 This seems at first glance to be a very good idea. I was looking at their stats tho on their home page and currently they have only received 2 spam e-mails, no harvesters and only identified 1 spam server. So, how long have they been at this? Hopefully not long at all. But, I might give it a try. I believe this is a sound theory, I guess just need more people to participate. I don't know how you find these projects (phpGedView, Honeypot) but I've liked all the projects you've come across. :-) Keith This seems at first glance to be a very good idea. I was looking at their stats tho on their home page and currently they have only received 2 spam e-mails, no harvesters and only identified 1 spam server. So, how long have they been at this? Hopefully not long at all.

But, I might give it a try. I believe this is a sound theory, I guess just need more people to participate. I don’t know how you find these projects (phpGedView, Honeypot) but I’ve liked all the projects you’ve come across. :-)

Keith

]]>