[pmwiki-users] Honeypots for Spam

Pico pmwiki at ben-amotz.com
Tue Oct 10 20:55:02 CDT 2006


Patrick R. Michaud wrote:
> On Tue, Oct 10, 2006 at 02:07:28PM -0700, Pico wrote:
>>> From: "Patrick R. Michaud" <pmichaud at pobox.com>
>>> _If_ we were to implement a honeypot on pmwiki.org, then we wouldn't
>>> block approved urls, and any honeypot-based blocks would go to a
>>> separate Blocklist-Honeypot page to make it easy to distinguish
>>> the automatic items from the manual ones.
>> Honeypots are often used as tools to gather information about sources of
>> attack.  Making use of that information to provide some realtime
>> response and protection to limit the scope of an attack seems like a
>> nice plus.  Either way, honeypots can be helpful.
> 
> Yes.
> 
> I've gone ahead and set up a honeypot on pmwiki.org on the
> Main.EditPage page, which for some reason seems to be hit 
> semi-regularly by spambots.  Any host that posts an unapproved 
> url to Main.EditPage has the IP immediately blocklisted at
> Site.Blocklist-Honeypot.
> 
> In addition, the time of the post, the author name used, and
> the unapproved url(s) that triggered the honeypot are saved
> in the Blocklist-Honeypot page, so we can do more analysis.
> 
>> FWIW, in my view, while all spam is bad, the worst of the worst are the
>> spam attacks that overwrite existing content on multiple pages within a
>> short period of time.  In an environment such as PmWiki.org, where
>> different people chip in to clean up these attacks, we end up missing
>> an opportunity to learn from these attacks ...
> 
> We still won't learn anything from spambots that don't manage to
> trigger one of the honeypots.  Still, it'll be interesting to see
> what there is to be learned from this little experiment.
> 

Wow, that was fast (meaning both you, in setting up the honeypot, and 
the spammers, in mounting so many attacks on your lone honeypot page).

The contents of Site.Blocklist-Honeypot are very interesting.  Looking at 
the IP addresses shows that one address range, 195.175.37.*, was 
responsible for several different attacks that used different IP 
addresses and names to promote the same, and different, sites.

What was I expecting?  One address responsible for a bunch of spam, and 
then another (completely different) address for more spam, then another, 
etc.  I was prepared to accept the view that blocking an IP range was 
overkill, but now I am impressed with the efficiency of using an IP range.

Thanks

Pico


         __  /
        /   /
       /___/ _/  ___/  __  /
      /      /  /     /   /
    _/     _/  ____/ ____/

 >>>===pmwiki at ben-amotz.com===>
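The mechanism described in the thread (a designated honeypot page; any post to it containing an unapproved URL gets the posting IP blocklisted, with time, author name and offending URLs recorded for later analysis) and the follow-up observation about one /24 range accounting for several attacks, as an added illustration that is not PmWiki's own code nor anything from this thread. It is a small Python model of the logic: the page name Main.EditPage and the 195.175.37.* range come from the thread; HONEYPOT_PAGES, APPROVED_HOSTS, the sample posts and the helper names are constructed assumptions, and the real PmWiki implementation is PHP and differs in detail.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_network

# Assumptions for this model (not PmWiki's real configuration):
# posts to these pages are treated as honeypot hits when they carry unapproved URLs,
# and URLs on these hosts (or their subdomains) are considered approved.
HONEYPOT_PAGES = {"Main.EditPage"}
APPROVED_HOSTS = {"pmwiki.org"}

# Captures the host part of an http(s) URL; the rest of the URL is consumed up to whitespace.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*", re.IGNORECASE)


@dataclass
class HoneypotEntry:
    """One row of the honeypot blocklist: who posted what, and when."""
    ip: str
    timestamp: str
    author: str
    urls: list


def unapproved_urls(text):
    """Return every URL in text whose host is not an approved host or a subdomain of one."""
    found = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        approved = host in APPROVED_HOSTS or any(host.endswith("." + a) for a in APPROVED_HOSTS)
        if not approved:
            found.append(m.group(0))
    return found


def handle_post(page, ip, author, text, blocklist, when=None):
    """Apply the honeypot rule to one post; returns True if the IP was just blocklisted."""
    if page not in HONEYPOT_PAGES:
        return False                      # ordinary pages are never honeypots
    urls = unapproved_urls(text)
    if not urls:
        return False                      # approved links only: not a hit
    stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    blocklist.append(HoneypotEntry(ip, stamp, author, urls))
    return True


def is_blocked(ip, blocklist):
    """Exact-IP check, the immediate block the thread describes."""
    return any(entry.ip == ip for entry in blocklist)


def group_by_prefix(blocklist, prefixlen=24):
    """Analysis step: cluster blocklist entries by network prefix to spot ranges like 195.175.37.*."""
    groups = defaultdict(list)
    for entry in blocklist:
        net = ip_network(f"{entry.ip}/{prefixlen}", strict=False)
        groups[str(net)].append(entry)
    return dict(groups)


# Constructed sample traffic: three spam posts (two from one /24), one legitimate edit
# with an approved link, and one spammy post to a page that is not a honeypot.
SAMPLE_POSTS = [
    ("Main.EditPage", "195.175.37.10", "bob", "cheap http://example.invalid/pills"),
    ("Main.EditPage", "195.175.37.22", "alice", "see http://casino.example/ and http://example.invalid/"),
    ("Main.EditPage", "203.0.113.5", "eve", "visit http://other.example/offer"),
    ("Main.EditPage", "198.51.100.7", "editor", "docs: https://www.pmwiki.org/wiki/Cookbook"),
    ("Main.HomePage", "198.51.100.8", "x", "http://spam.example/"),
]


def run_sample():
    """Feed the constructed posts through the honeypot and return the resulting blocklist."""
    blocklist = []
    fixed = datetime(2006, 10, 10, 20, 55, tzinfo=timezone.utc)   # constructed timestamp
    for page, ip, author, text in SAMPLE_POSTS:
        handle_post(page, ip, author, text, blocklist, when=fixed)
    return blocklist


if __name__ == "__main__":
    entries = run_sample()
    for prefix, hits in group_by_prefix(entries).items():
        print(prefix, [(h.ip, h.author, h.urls) for h in hits])
```

Running it shows the two 195.175.37.* posts collapsing into one 195.175.37.0/24 bucket while the single 203.0.113.5 post stands alone, which is the pattern Pico noticed; the legitimate edit with a pmwiki.org link and the spam on a non-honeypot page leave no entries, matching the thread's point that approved URLs are never blocked and that bots which avoid the honeypot page go unrecorded.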
