Fighting Spammers With Honeypots: Part 2
by Laurent Oudot
[continued from Part 1]
Most of the time, a spammer connecting to the open proxy server will try to send an initial email in order to check how the proxy is working. This moment can be crucial if you want to fool him properly.
Figure 3: Phase one - spammer checks the open proxy
Here is an example of a TCP session from a spammer who connected to my fake Web proxy (port 8080). You will see that he tried to bounce to an SMTP server (a CONNECT request to a remote host on port 25) and then tried to send an email. The body of the mail is rather ridiculous: it tries to fool a potential recipient into believing it is an invitation to a meeting. Who would really take an email sent through some stray open proxy for a genuine one?
The spammer probably used automatic tools to gather information on the Internet: D9808AFD (in hex) was the IP address of the fake temporary proxy, and 8080 was the TCP port. Proxypot ships a tool, deliverone, to forward a captured email like this one, so you can decide for each message whether or not it is sent. Forwarding a spammer's test email (after checking that it is harmless) can be worthwhile, because he will then believe that the proxy is really open.
When the spammer is sure he has good open proxies, he will try to reach open relays or regular MTAs by bouncing through them. If he uses a chain of open proxies and your fake open proxy is one of the links, you will even be able to identify other open proxies by looking at the TCP sessions. For example:
Figure 4: Phase two - Spam! Spam! Spam!
That is why fake open proxies can help to detect spammers, to slow them down (by delaying the network dialogue) and even to block them (by simulating the sending of the spam instead of really delivering it).
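The two phases described above, as an added example that is neither Proxypot's code nor the session the author captured: a small Python proxypot that answers every CONNECT as if the tunnel had been opened, plays the target MTA itself, keeps the test mail instead of delivering it, and records every CONNECT to a port other than 25 as another link of the spammer's proxy chain (a candidate open proxy) before answering as that hop too. The hostnames, the SMTP banner, the listening port and the replayed session are assumptions made for this example.

```python
"""Minimal proxypot: fake HTTP CONNECT proxy with a fake SMTP sink behind it (added example)."""
import io
import re
import socketserver
from dataclasses import dataclass, field

SMTP_PORT = 25
CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]\s*$")


@dataclass
class Capture:
    """Everything one session revealed."""
    hops: list = field(default_factory=list)               # (host, port) per CONNECT
    candidate_proxies: list = field(default_factory=list)  # hops that were not the MTA
    messages: list = field(default_factory=list)           # {"from", "to", "data"}
    log: list = field(default_factory=list)


def _line(rfile):
    """One line without CRLF, or None at end of stream."""
    raw = rfile.readline()
    return None if not raw else raw.rstrip(b"\r\n")


def fake_smtp(rfile, wfile, cap):
    """Play an SMTP server that accepts everything and delivers nothing."""
    def reply(code, text):
        wfile.write(b"%d %s\r\n" % (code, text))

    reply(220, b"mail.example.net ESMTP ready")   # constructed banner
    mail_from, rcpts = b"", []
    while True:
        line = _line(rfile)
        if line is None:
            return
        verb = line[:4].upper()
        if verb in (b"HELO", b"EHLO"):
            reply(250, b"mail.example.net Hello")
        elif verb == b"MAIL":
            mail_from, rcpts = line.partition(b":")[2].strip(), []
            reply(250, b"2.1.0 Sender ok")
        elif verb == b"RCPT":
            rcpts.append(line.partition(b":")[2].strip())
            reply(250, b"2.1.5 Recipient ok")
        elif verb == b"DATA":
            reply(354, b"Enter mail, end with \".\" on a line by itself")
            body = []
            while True:
                text = _line(rfile)
                if text is None:
                    return              # client vanished mid-message: drop it
                if text == b".":
                    break
                body.append(text[1:] if text.startswith(b"..") else text)  # dot-unstuffing
            cap.messages.append({"from": mail_from, "to": list(rcpts), "data": b"\n".join(body)})
            cap.log.append(f"queued mail from {mail_from!r} to {len(rcpts)} recipient(s); "
                           "nothing was delivered")
            reply(250, b"2.0.0 Message accepted for delivery")   # the lie the spammer wants
        elif verb in (b"RSET", b"NOOP"):
            reply(250, b"2.0.0 OK")
        elif verb == b"QUIT":
            reply(221, b"2.0.0 Bye")
            return
        else:
            reply(500, b"5.5.1 Command unrecognized")


def handle_session(rfile, wfile, peer="?"):
    """Drive one proxy session and return what the spammer revealed."""
    cap = Capture()
    while True:
        line = _line(rfile)
        if line is None:
            return cap
        m = CONNECT_RE.match(line)
        if not m:
            wfile.write(b"HTTP/1.0 405 Method Not Allowed\r\n\r\n")
            cap.log.append(f"{peer}: not a CONNECT ({line[:40]!r}), closing")
            return cap
        host, port = m.group(1).decode(), int(m.group(2))
        while _line(rfile):             # skip request headers up to the blank line
            pass
        cap.hops.append((host, port))
        wfile.write(b"HTTP/1.0 200 Connection established\r\n\r\n")   # never actually true
        if port == SMTP_PORT:
            cap.log.append(f"{peer}: CONNECT {host}:{port}, feeding the fake SMTP server")
            fake_smtp(rfile, wfile, cap)
            return cap
        # Not the MTA yet: the target is the next link of his proxy chain, so note it
        # as a candidate open proxy and keep answering as that hop.
        cap.candidate_proxies.append((host, port))
        cap.log.append(f"{peer}: CONNECT {host}:{port} looks like a proxy chain; playing that hop too")


# Constructed session: a two-hop proxy chain ending at an MTA, then the test mail.
SAMPLE_SESSION = (
    b"CONNECT 10.0.0.5:3128 HTTP/1.0\r\n\r\n"
    b"CONNECT 198.51.100.20:25 HTTP/1.0\r\n\r\n"
    b"HELO spammer\r\nMAIL FROM:<bob@example.com>\r\n"
    b"RCPT TO:<alice@example.org>\r\nRCPT TO:<carol@example.org>\r\n"
    b"DATA\r\nSubject: meeting\r\n\r\nSee you at 10.\r\n..dot\r\n.\r\nQUIT\r\n"
)


def run_sample():
    """Replay SAMPLE_SESSION offline; returns the capture and the bytes we answered."""
    out = io.BytesIO()
    cap = handle_session(io.BytesIO(SAMPLE_SESSION), out, peer="203.0.113.9")
    return cap, out.getvalue()


class ProxypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        print("\n".join(handle_session(self.rfile, self.wfile, self.client_address[0]).log))


if __name__ == "__main__":
    # Listen on 8080 like the fake Web proxy in the article (port choice is an assumption).
    with socketserver.ThreadingTCPServer(("0.0.0.0", 8080), ProxypotHandler) as srv:
        srv.serve_forever()
```

run_sample() replays the embedded session without a network; the real listener only differs in where the bytes come from. A deployment would write cap.messages to disk so that a selected test mail can still be forwarded later, which is what deliverone is for.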
One of the funniest spam emails I blocked was destined to the honeynet project itself:
2.3 Honeypots and open relays
We know that spammers try to find open relays to route bulk emails. Would it be so difficult to create a fake mail server? Definitely not; we'll discuss a couple of examples.
An interesting solution from Brad Spencer is to turn an unused sendmail daemon into a spammer trap [ref 11]. This is easily done by telling sendmail to accept relaying and to queue every email without ever sending one out. Such a configuration offers a service that looks like a real open relay, while it logs and blocks every incoming email.
I tried this with sendmail 8.12.3-6.6 by reconfiguring the sendmail.mc file:
As explained by the author of this idea, you just need a running
An excellent way to verify the configuration of such a sendmail server is to use one of the free services that remotely check whether you act as an open mail relay. You should then see their test emails in the directory of queued messages.
Of course, you may want to relay some specific emails, such as the test emails spammers use to check whether you are a real open relay. This may be accomplished easily with:
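The author's command for that step is not reproduced here. As an added example (not Brad Spencer's script and not part of sendmail), here is a small Python helper for the queue side of this trap: it assumes sendmail runs as a daemon with no queue-run interval, so everything it accepted sits in the queue directory (the default /var/spool/mqueue is assumed) as qf control files; it lists sender, recipients and subject of each queued message and prints the sendmail -qI command that would release exactly one of them. The qf layout it reads (an S line for the sender, R<flags>: lines for recipients, H?flags? header lines, a lone dot at the end) is a simplified reading of sendmail 8.12 queue files, and the two sample files are constructed.

```python
"""List what a queue-only sendmail trap has caught (added example)."""
import os
import sys
from dataclasses import dataclass, field

MQUEUE = "/var/spool/mqueue"   # assumption: sendmail's default queue directory


@dataclass
class QueuedMail:
    qid: str
    sender: str = ""
    recipients: list = field(default_factory=list)
    subject: str = ""


def parse_qf(qid, text):
    """Pull sender, recipients and Subject out of one qf control file.

    Only three record types are interpreted: 'S<sender>', 'R<flags>:<recipient>'
    and 'H?<flags>?<Header>: <value>'; anything else is skipped and a lone '.'
    ends the file (simplified reading of the sendmail 8.12 layout).
    """
    mail = QueuedMail(qid)
    for line in text.splitlines():
        if line == ".":
            break
        tag, rest = line[:1], line[1:]
        if tag == "S":
            mail.sender = rest.strip()
        elif tag == "R":
            mail.recipients.append(rest.partition(":")[2].strip())
        elif tag == "H":
            header = rest.split("?", 2)[-1] if rest.startswith("?") else rest
            name, sep, value = header.partition(":")
            if sep and name.strip().lower() == "subject":
                mail.subject = value.strip()
    return mail


def load_queue(directory=MQUEUE):
    """Parse every qf* file in the queue directory, sorted by name."""
    mails = []
    for name in sorted(os.listdir(directory)):
        if name.startswith("qf"):
            with open(os.path.join(directory, name), errors="replace") as fh:
                mails.append(parse_qf(name[2:], fh.read()))
    return mails


def report(mails):
    """One summary line per queued message."""
    return [f"{m.qid}: {m.sender or '<>'} -> {len(m.recipients)} rcpt(s), "
            f"subject={m.subject!r}" for m in mails]


def release_command(qid):
    """The command that would deliver exactly one queued message.

    -qI restricts a queue run to IDs containing the given string; use it only
    for a harmless relay probe you have decided the spammer should see delivered.
    """
    return f"sendmail -v -qI{qid}"


# Two constructed qf files: a spammer's "meeting" test mail and a relay checker's probe.
SAMPLE_QF = {
    "hA8E1Cs8012345": "V8\nT1068278400\nK0\nN0\nP30000\n$_spammer.example [203.0.113.9]\n"
                      "Sbob@example.com\nRPFD:alice@example.org\nRPFD:carol@example.org\n"
                      "H?P?Return-Path: <bob@example.com>\nH??Subject: meeting\n"
                      "H?F?From: bob@example.com\n.\n",
    "hA8E1Dt8012346": "V8\nStest@relay-check.example\nRPFD:probe@relay-check.example\n"
                      "H??Subject: Open relay test\n.\n",
}


def sample_queue():
    """Parse SAMPLE_QF offline, in the order load_queue() would use."""
    return [parse_qf(qid, text) for qid, text in sorted(SAMPLE_QF.items())]


if __name__ == "__main__":
    queue = load_queue(sys.argv[1]) if len(sys.argv) > 1 else sample_queue()
    for line in report(queue):
        print(line)
    print("release one with e.g.:", release_command(queue[0].qid) if queue else "(queue empty)")
```

Without an argument the script walks the constructed sample; with a queue directory as argument it reads the real trap. Nothing here runs sendmail: releasing a message stays a deliberate manual step.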
Another great solution is a daemon called spamd [ref 12] from the OpenBSD team [ref 13]. Spamd is a tarpit (sometimes called a teergrube, from the German word for tar pit). It simulates a sendmail-like server that drags out the SMTP dialogue and finally rejects the fake mail. Used in conjunction with pf [ref 14], the goal is to waste the time and resources of the spam sender. If you have never checked out the Web page maintained by Daniel Hartmeier [ref 13], you definitely should.
Of course, Honeyd is another easy solution to create fake mail servers that simulate the relaying of spam. Now we will talk about architectures, with a great example of using Honeyd.
If you look at the Web page titled Honeyd Research: Spam [ref 15] you will find a perfect way to use Honeyd in the tremendous struggle against spammers. Niels Provos will release more details in the near future about this research.
The following network diagram taken from www.honeyd.org shows the architecture proposed by Niels Provos. This is an excellent example of a real network with honeypot farms [ref 16].
Figure 5: Honeypot farms proposed architecture for fake spam relays
Remote administrators working with Niels redirect unwanted incoming spam traffic to a single Honeyd daemon over GRE tunnels (for example, traffic to unused IP addresses, or incoming TCP traffic to ports 25, 3128, etc. on hosts that are not supposed to run those services). The daemon then simulates a fake proxy or a fake open relay and answers over the tunnel as well. Honeyd behaves differently depending on the computer it simulates (IP stack behavior, open services, etc.), so a remote spammer attacking different sites will not realize that the same Honeyd daemon replies to him, and the GRE tunnels keep him from finding out where it is located.
The logs collected on the Honeyd daemon, which simulates multiple hosts with open relays and open proxies, can be used to report spam abuse to the organizations that maintain blacklists. This successful architecture shows that there are ways to fight spam on the Internet thanks to honeypots.
By using Proxypot on a single temporary DSL box, the French Honeynet Project received thousands of emails per day, always coming from the same countries. On the Proxypot Web site you can also find a tool called spamstat, which generates statistics about spamming activities.
As a small example, during the weekend of November 8th and 9th, we caught 14,789 spam emails destined to 84,243 different users. Here is a sample taken from the logs:
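The author's log sample is not reproduced here. As an added example of the kind of figures spamstat produces (this is not spamstat's code), the following Python computes the two numbers quoted above, captured messages and distinct recipients, plus per-day counts, the busiest spammer addresses and the most-targeted MTAs, from proxypot-style log lines. The log format (one line per captured message with src=, mta=, from= and to= fields) and the lines themselves are constructed for this example.

```python
"""spamstat-style figures from proxypot log lines (added example)."""
import re
from collections import Counter

# Assumed log format: "<ISO time> src=<spammer> mta=<host:port> from=<addr> to=<a>,<b>,..."
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed lines, including one piece of junk the parser must survive.
SAMPLE_LOG = """\
2003-11-08T10:00:01 src=203.0.113.9 mta=198.51.100.20:25 from=<bob@example.com> to=<alice@example.org>,<carol@example.org>
2003-11-08T10:00:07 src=203.0.113.9 mta=198.51.100.20:25 from=<bob@example.com> to=<dave@example.org>,<Alice@example.org>
2003-11-08T23:59:59 src=203.0.113.77 mta=198.51.100.21:25 from=<promo@example.net> to=<erin@example.com>
proxypot restarted, not a capture line
2003-11-09T03:12:40 src=203.0.113.9 mta=198.51.100.20:25 from=<bob@example.com> to=<frank@example.org>,<grace@example.org>,<heidi@example.org>
2003-11-09T08:30:00 src=198.51.100.55 mta=192.0.2.10:25 from=<x@example.org> to=<alice@example.org>
"""


def parse_log(text):
    """One record per captured message; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group(2)))
        if not {"src", "mta", "to"}.issubset(fields):
            continue
        records.append({
            "day": m.group(1),
            "src": fields["src"],
            "mta": fields["mta"],
            "from": fields.get("from", ""),
            # recipients compared case-insensitively so Alice and alice count once
            "to": [r.strip().lower() for r in fields["to"].split(",") if r.strip()],
        })
    return records


def summarize(records, top=3):
    """The figures quoted in the text plus a few that help an abuse report."""
    recipients = set()
    for r in records:
        recipients.update(r["to"])
    return {
        "messages": len(records),
        "recipient_slots": sum(len(r["to"]) for r in records),
        "distinct_recipients": len(recipients),
        "per_day": dict(Counter(r["day"] for r in records)),
        "top_sources": Counter(r["src"] for r in records).most_common(top),
        "top_targets": Counter(r["mta"] for r in records).most_common(top),
    }


def abuse_candidates(records, min_messages=2):
    """Spammer addresses seen often enough to be worth reporting to a blacklist."""
    counts = Counter(r["src"] for r in records)
    return [src for src, n in counts.most_common() if n >= min_messages]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, value in summarize(recs).items():
        print(f"{key}: {value}")
    print("report:", abuse_candidates(recs))
```

The distinction between recipient slots and distinct recipients matters when quoting figures like the ones above: a spammer who sends the same message to the same list three times inflates the first number, not the second.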
It is probably nothing compared to the huge amount of spam spreading around the cyber world, but what would happen if plenty of annoyed administrators decided to fight spammers with honeypots? The Internet would not be so safe and easy for spammers.
Another interesting result obtained by Niels Provos is the fingerprinting of the hosts that spread spam. Using passive OS fingerprinting (included in the next version of Honeyd, 0.7), he was able to estimate that 43% of spammers used Linux boxes. See the next figure, taken from www.honeyd.org:
Figure 6: Operating system distribution for spammers
Another excellent chart shows that spammer activity has grown during the last few months, especially in October 2003 where many spam emails were caught.
Figure 7: Spammer activity in recent months
Such results show that honeypots are valuable in the fight against spammers, though they should not be considered the only solution.
This year, new mail threats have been discovered and spammers have started to use nasty new techniques.
At the beginning of November 2003, different versions of a worm called MiMail [ref 17] were launched, and some performed a denial-of-service attack on Web servers dedicated to the fight against spam. Those worms targeted the Web sites of spews.org, spamhaus.org and spamcop.net [ref 18].
By the end of October 2003, a new backdoor called Hogle (Proxy-Regate) [ref 19] was found. Its sole purpose is to infect Windows computers and to install an SMTP proxy service (listening on TCP port 3355) for use by remote spammers. This example is not the only one, and this type of threat continues to grow very quickly (Kalshi, etc.) [ref 20].
Should we consider this the end of the use of open proxies? Spammers spread worms all around the world to control millions of zombie hosts, and those hosts may be used to send spam at any time. It looks like a dark future for netsurfers.
How valuable could honeypots be in this new kind of struggle? My previous article tried to explain what could be done to fight worms with honeypots [ref 21]. We could even imagine a new type of honeypot, an active honeypot, that would simulate an infected computer, claiming to be infected and waiting for remote orders. That would help us understand the techniques and motivations of this new kind of dark spammer.
This sounds like an unofficial cyber war. Spammers even build commercial tools to fight the honeypot makers [ref 22] in order to protect their unwanted bulk mail activities.
To conclude this article on a more positive note, let's summarize. This paper explained how typical spammers work, and how honeypots can be used to detect, slow down or even block them. If people ask themselves whether it is worth using honeypots and similar tools in the fight against spam, let's consider the alternative. Just look at the new worms used to attack legitimate anti-spam supporters: they are the proof that spammers are annoyed by any attempt to defend against spam. Their readiness to attack legitimate organizations that defend the Internet appears to stem from a desire to make money at any cost.
Honeypots, toward a cleaner Internet.
Thanks to Niels Provos for his ideas and reviewing.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.