[pmwiki-users] Honeypots for Spam

Patrick R. Michaud pmichaud at pobox.com
Tue Oct 10 18:02:34 CDT 2006


On Tue, Oct 10, 2006 at 02:07:28PM -0700, Pico wrote:
> > From: "Patrick R. Michaud" <pmichaud at pobox.com>
> > _If_ we were to implement a honeypot on pmwiki.org, then we wouldn't
> > block approved urls, and any honeypot-based blocks would go to a
> > separate Blocklist-Honeypot page to make it easy to distinguish
> > the automatic items from the manual ones.
> 
> Honeypots are often used as tools to gather information about sources of
> attack.  Making use of that information to provide some realtime
> response and protection to limit the scope of an attack seems like a
> nice plus.  Either way, honeypots can be helpful.

Yes.

I've gone ahead and set up a honeypot on pmwiki.org on the
Main.EditPage page, which for some reason seems to be hit 
semi-regularly by spambots.  Any host that posts an unapproved 
url to Main.EditPage has the IP immediately blocklisted at
Site.Blocklist-Honeypot.

In addition, the time of the post, the author name used, and
the unapproved url(s) that triggered the honeypot are saved
in the Blocklist-Honeypot page, so we can do more analysis.

> FWIW, in my view, while all spam is bad, the worst of the worst are the
> spam attacks that overwrite existing content on multiple pages within a
> short period of time.  In an environment such as PmWiki.org, where
> different people chip in to clean up these attacks, we end up missing
> an opportunity to learn from these attacks ...

We still won't learn anything from spambots that don't manage to
trigger one of the honeypots.  Still, it'll be interesting to see
what there is to be learned from this little experiment.

Pm
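
A minimal sketch of the honeypot logic described in the message above, added here as an illustration; it is not PmWiki's code or the configuration used on pmwiki.org. The approved-host list, the class and function names, and the in-memory dict standing in for Site.Blocklist-Honeypot are assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

HONEYPOT_PAGES = {"Main.EditPage"}                 # honeypot page named in the post
APPROVED_HOSTS = {"pmwiki.org", "www.pmwiki.org"}  # constructed approved-URL list
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


class HoneypotBlocklist:
    def __init__(self):
        self.entries = {}  # ip -> record; stands in for Site.Blocklist-Honeypot

    @staticmethod
    def unapproved_urls(text):
        """Return every URL in text whose host is not on the approved list."""
        found = []
        for raw in URL_RE.findall(text):
            url = raw.rstrip(".,;:!?)]")
            try:
                host = (urlsplit(url).hostname or "").lower().rstrip(".")
            except ValueError:      # malformed authority: treat as unapproved
                host = ""
            if host not in APPROVED_HOSTS:
                found.append(url)
        return found

    def handle_post(self, page, ip, author, text, now=None):
        """Classify one edit attempt as 'blocked', 'trapped' or 'passed'."""
        if ip in self.entries:      # already listed: refuse on every page
            return "blocked"
        bad = self.unapproved_urls(text)
        if page in HONEYPOT_PAGES and bad:
            when = now or datetime.now(timezone.utc)
            self.entries[ip] = {"time": when.isoformat(), "author": author, "urls": bad}
            return "trapped"
        return "passed"             # honeypot takes no action


if __name__ == "__main__":
    bl = HoneypotBlocklist()
    # Constructed sample posts (documentation IP ranges, made-up spam host).
    print(bl.handle_post("Main.EditPage", "192.0.2.10", "Pico", "See http://www.pmwiki.org/wiki/"))
    print(bl.handle_post("Main.EditPage", "198.51.100.7", "bot", "cheap http://pills.example/buy"))
    print(bl.handle_post("Main.HomePage", "198.51.100.7", "bot", "hello"))
    print(bl.entries)
```

Each recorded entry keeps the post time, author name and triggering URLs, matching the fields the message says are saved for later analysis.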



