[Fwd: Re: tar pit?]

William Burns William.Burns at AEROFLEX.COM
Tue Dec 14 00:29:09 GMT 2004



------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2: "Included Message" ]

Date: Mon, 13 Dec 2004 19:27:26 -0500
From: William Burns <William.Burns at aeroflex.com>
To: dave <dmehler26 at woh.rr.com>
Subject: Re: tar pit?

Dave:

Here's another one.
Possibly simpler.

http://pfortin.com/Linux/HoneyPort/

-Bill

dave wrote:

>Hello,
>    I was wondering if you had a howto on setting up a tar pit? I'm using
>FreeBSD 5.x machines, my primary goal for doing this is i'm getting ssh
>connections as well as many people trying to relay mail through me. I've got
>discard rules and they don't succeed, but i'd rather cut them off before
>they can sap my band width.
>    Any help appreciated.
>Thanks.
>Dave.




    [ Part 3: "Included Message" ]

Date: Mon, 13 Dec 2004 18:45:25 -0500
From: William Burns <William.Burns at aeroflex.com>
To: dave <dmehler26 at woh.rr.com>
Subject: Re: tar pit?

Dave:

The trick here is how to tarpit only the bad guys while still accepting
mail from everyone else.

The idea of a tarpit is to create a bogus mail port/service to waste
spammers' time, so that you help the next victim out more than yourself;
however, w/ a list of known spammer IPs, you *could* tarpit the known
spammers while they were trying to SPAM you.

Here's one approach for OpenBSD users that might work for you:
http://www.benzedrine.cx/relaydb.html
http://undeadly.org/cgi?action=article&sid=20041117210044
This PF+spamd approach is very similar to what I describe below.
PF is similar to linux-iptables. spamd is similar to Labrea.

Someone mentioned Labrea...
I thought that the author was no longer working on that project. Maybe
work has been resumed.
Regardless... Labrea should be a great tarpit 'cause it's also a
honeypot, knowing how to keep a spammer machine thinking that it's
talking to a real mail server.

Later versions of the linux "iptables" firewall have a less intelligent
TARPIT tag/label that you can "-j" (jump) over to.
So... on a linux mail/mailscanner machine, you *could* have an iptables
firewall that you update w/ a list of known spammer IP addresses, and
tarpit just those IP addresses, while letting all other mail through
normally.

You could also do this w/ an additional linux-based firewall/gateway on
another machine.
If you do take that approach, you should be able to selectively NAT
known spammer IPs to another (Labrea?) tarpit machine. (or Labrea
running on a different port of the local firewall machine)

iptables TARPIT
http://www.securityfocus.com/infocus/1723

-Bill

dave wrote:

>Hello,
>    I was wondering if you had a howto on setting up a tar pit? I'm using
>FreeBSD 5.x machines, my primary goal for doing this is i'm getting ssh
>connections as well as many people trying to relay mail through me. I've got
>discard rules and they don't succeed, but i'd rather cut them off before
>they can sap my band width.
>    Any help appreciated.
>Thanks.
>Dave.




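The selective iptables setup Bill describes above (jump known spammer IPs to TARPIT on port 25, let everyone else reach the mail server normally), as an added example that is not part of the list thread or of any of the linked projects. It is a POSIX sh script that turns a plain-text list of IPv4 addresses/CIDR prefixes into an iptables ruleset and prints the commands rather than applying them. The chain name SPAMTARPIT, the list format and the sample entries are my own assumptions; the TARPIT target is the out-of-tree one the securityfocus article covers and has to be present on the firewall box.

```shell
#!/bin/sh
# Added example, not from the list thread: turn a plain-text list of known
# spammer IPs/CIDRs into iptables rules that TARPIT their SMTP connections
# while every other host reaches port 25 normally. The chain name and list
# format are assumptions; the TARPIT target is out-of-tree (patch-o-matic /
# xtables-addons) and must be loaded on the box. Commands are printed only.

CHAIN="SPAMTARPIT"   # assumed chain name
SMTP_PORT=25

# Accept a dotted-quad IPv4 address with an optional /prefix and nothing
# else, so a stray character in the list can never be spliced into a command.
valid_ip() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=32; fi
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    for octet in $addr; do
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Read the list from stdin (one IP or CIDR per line, '#' starts a comment)
# and print the iptables commands. Malformed entries are reported on stderr
# and skipped instead of being emitted into the ruleset.
build_tarpit_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        if [ -z "$entry" ]; then continue; fi
        if valid_ip "$entry"; then
            # TARPIT is TCP-only, so the rule itself must carry -p tcp.
            echo "iptables -A $CHAIN -s $entry -p tcp --dport $SMTP_PORT -j TARPIT"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done
    # Anyone not listed falls out of the chain and reaches the normal ACCEPT.
    echo "iptables -A $CHAIN -j RETURN"
    # Every SMTP packet goes through the chain first (inserted at the top of
    # INPUT). No --syn here: a held connection's later packets must also hit
    # the TARPIT rule, not an earlier ACCEPT.
    echo "iptables -I INPUT -p tcp --dport $SMTP_PORT -j $CHAIN"
    echo "iptables -A INPUT -p tcp --dport $SMTP_PORT -j ACCEPT"
}

# Constructed sample list (documentation ranges, not real spammer addresses),
# including two entries that must be rejected.
SAMPLE_LIST='# known spammer IPs, one per line
192.0.2.7
198.51.100.0/24   # whole netblock
not-an-ip
256.1.1.1
'

printf '%s' "$SAMPLE_LIST" | build_tarpit_rules
```

Review the printed commands, then pipe them into sh as root to apply them; the list file is the only thing that changes between runs, so a cron job can regenerate the chain from a fresh blocklist. Two things to check on a real box: that the TARPIT target is actually loaded (it is not in the stock netfilter tree), and the target's own documentation on keeping tarpitted connections out of connection tracking, since a tarpit's whole point is to hold connections open for a long time.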

