[pmwiki-users] Honeypots for Spam
Pico
pmwiki at ben-amotz.com
Tue Oct 10 20:55:02 CDT 2006
Patrick R. Michaud wrote:
> On Tue, Oct 10, 2006 at 02:07:28PM -0700, Pico wrote:
>>> From: "Patrick R. Michaud" <pmichaud at pobox.com>
>>> _If_ we were to implement a honeypot on pmwiki.org, then we wouldn't
>>> block approved urls, and any honeypot-based blocks would go to a
>>> separate Blocklist-Honeypot page to make it easy to distinguish
>>> the automatic items from the manual ones.
>> Honeypots are often used as tools to gather information about sources of
>> attack. Making use of that information to provide some realtime
>> response and protection to limit the scope of an attack seems like a
>> nice plus. Either way, honeypots can be helpful.
>
> Yes.
>
> I've gone ahead and set up a honeypot on pmwiki.org on the
> Main.EditPage page, which for some reason seems to be hit
> semi-regularly by spambots. Any host that posts an unapproved
> url to Main.EditPage has the IP immediately blocklisted at
> Site.Blocklist-Honeypot.
>
> In addition, the time of the post, the author name used, and
> the unapproved url(s) that triggered the honeypot are saved
> in the Blocklist-Honeypot page, so we can do more analysis.
>
>> FWIW, in my view, while all spam is bad, the worst of the worst are the
>> spam attacks that overwrite existing content on multiple pages within a
>> short period of time. In an environment such as PmWiki.org, where
>> different people chip in to clean up these attacks, we end up missing
>> an opportunity to learn from these attacks ...
>
> We still won't learn anything from spambots that don't manage to
> trigger one of the honeypots. Still, it'll be interesting to see
> what there is to be learned from this little experiment.
>
Wow, that was fast (meaning both you, in setting up the honeypot, and
the spammers, in mounting so many attacks on your lone honeypot page).
The contents of Site.Blocklist-Honeypot are very interesting. Looking at
the IP addresses shows that one address range, 195.175.37.*, was
responsible for several different attacks that used different IP
addresses and names to promote the same, and different, sites.
What was I expecting? One address responsible for a bunch of spam, and
then another (completely different) address for more spam, then another,
etc. I was prepared to accept the view that blocking an IP range was
overkill, but now I am impressed with the efficiency of using an IP range.
Thanks
Pico
>>>===pmwiki at ben-amotz.com===>
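The honeypot rule Patrick describes (any post to Main.EditPage that carries an unapproved URL gets the IP blocklisted at once, with the time, author name and offending URLs recorded), plus the grouping of blocked addresses by range that Pico did by hand, as an added Python example. This is not PmWiki's code and is not from anyone in the thread; the honeypot page name, the approved-host list, the record types and the sample traffic (documentation IP ranges, made-up spam hosts) are assumptions constructed for illustration.

```python
"""Honeypot-page spam trap modelled on the pmwiki.org setup described above.

Constructed example, not PmWiki's own code. HONEYPOT_PAGE, APPROVED_HOSTS,
the Post/BlockEntry records and SAMPLE_POSTS are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

HONEYPOT_PAGE = "Main.EditPage"                    # page no human should post to
APPROVED_HOSTS = {"pmwiki.org", "www.pmwiki.org"}  # assumed approved-url list

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Post:
    page: str
    ip: str
    author: str
    text: str
    time: str  # timestamp kept as a string, as it would appear in the log page


@dataclass
class BlockEntry:
    ip: str
    time: str
    author: str
    urls: list


@dataclass
class Blocklist:
    entries: list = field(default_factory=list)

    def is_blocked(self, ip):
        return any(e.ip == ip for e in self.entries)


def unapproved_urls(text):
    """Return the URLs in `text` whose host is not on the approved list."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in APPROVED_HOSTS:
            found.append(url)
    return found


def handle_post(post, blocklist):
    """Apply the honeypot rule to one edit. Returns (accepted, trigger_urls).

    Posts from an already blocked IP are refused on any page. A post to the
    honeypot page carrying an unapproved URL blocklists the IP immediately and
    records time, author name and the offending URLs for later analysis.
    """
    if blocklist.is_blocked(post.ip):
        return False, []
    if post.page != HONEYPOT_PAGE:
        return True, []
    bad = unapproved_urls(post.text)
    if not bad:
        return True, []
    blocklist.entries.append(BlockEntry(post.ip, post.time, post.author, bad))
    return False, bad


def blocks_by_range(blocklist, prefix=24):
    """Group blocked IPs by /prefix network (the 195.175.37.* observation)."""
    groups = {}
    for e in blocklist.entries:
        net = ipaddress.ip_network(f"{e.ip}/{prefix}", strict=False)
        groups.setdefault(str(net), set()).add(e.ip)
    return {net: sorted(ips) for net, ips in groups.items()}


# Constructed sample traffic: documentation IP ranges and invented spam hosts.
SAMPLE_POSTS = [
    Post("Main.EditPage", "198.51.100.7", "bob",
         "See http://pmwiki.org/wiki/Main/EditPage", "2006-10-10T20:01:00"),
    Post("Main.EditPage", "203.0.113.10", "casino",
         "cheap http://spam-a.example/x", "2006-10-10T20:05:00"),
    Post("Main.EditPage", "203.0.113.77", "pills",
         "buy http://spam-b.example/y http://spam-a.example/x", "2006-10-10T20:09:00"),
    Post("PmWiki.Questions", "203.0.113.77", "pills",
         "http://spam-b.example/y", "2006-10-10T20:10:00"),
    Post("Main.EditPage", "192.0.2.5", "loan",
         "http://spam-c.example/z", "2006-10-10T20:12:00"),
]


def run_sample():
    """Feed the sample posts through the honeypot; return the blocklist and outcomes."""
    bl = Blocklist()
    results = [handle_post(p, bl) for p in SAMPLE_POSTS]
    return bl, results


if __name__ == "__main__":
    blocklist, outcomes = run_sample()
    for post, (accepted, urls) in zip(SAMPLE_POSTS, outcomes):
        print(post.ip, post.page, "accepted" if accepted else "refused", urls)
    print(blocks_by_range(blocklist))
```

The fourth sample post shows the realtime-protection side: once 203.0.113.77 has tripped the honeypot, its later edit to an ordinary page is refused without any URL check. `blocks_by_range` is the analysis step from the mail, collapsing the recorded entries so that two different authors and URL sets from the same /24 show up as one range rather than two unrelated hits.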