Stopping Spam before the Gateway: Honeypots

To make running a honeypot proxy as easy as possible, it shouldn’t have any real users. That way you’ll know that anyone who uses the honeypot is a spammer, thus making it even easier to track. You should also beware that you run a risk of being tagged as an open relay by blacklist programs that search for real open relays. If that happens, no spammer, or anyone else for that matter, can send mail to or via that address and your honeypot has just become useless.

Generally speaking, the more sophisticated a proxy honeypot is, the more likely it is to be hammered by a blacklist. Because of this, and the resulting headaches, only senior network and mail administrators working in concert should set up a proxy honeypot. While it’s easy enough to do that any technically savvy user should be able to set up a honeypot, the resulting enterprise wide implications makes it a lousy idea for individual users.

Indeed, were someone to try to set up such a honeypot on their home PC with their ISP, which is certainly doable, it wouldn’t surprise me a bit if the owner found their own Internet account in jeopardy.

There are also problems with honeypots. In theory, honeypots can be evaded. Spammer’s relay-finding software could be written to use tests to make sure an open relay is really an open relay, and not a honeypot. Spammers, though, aren’t the brightest stars in the heavens, and to date, no one has written such a program. Still, it is a fundamental flaw that will keep honeypots from being a universal solution to putting an end to spammers.

Of course, a lot of spam is also send via free e-mail accounts and simply setting up a spam mail server at home using a DSL or cable connection. Still, open relays account for much of the spam that fills our mailboxes and eats up our bandwidth, so honeypots should be considered as a method of finding and targeting spammers.

Unfortunately, spammers can still pick up and start another spam scheme in a matter of minutes, but the profitability of spam is built on minimal investments. The more work we can cause spammers, the more likely it is that they’ll stop spamming.

Honeypots, though, come with their own risks. Once it’s known that a site uses honeypots, there have been reports that they’ve been targeted by distributed denial of service (DDoS) attacks. Guilmette, himself, for example had to take down his blacklist service because of DDoS assaults.

In case you haven’t noticed, it’s war between network administrators and spammers and spammers won’t hesitate to try to stop anti-spam efforts anyway they can. The fact that spammers would co-ordinate such attacks suggests that honeypots can indeed be effective.