#7340 - 01/06/10 12:52 PM What is a "honeypot" email address?
ryck
Registered: 08/04/09
Loc: Okanagan Valley
I've begun receiving emails that my ISP is tagging as "Suspected Junk Email". However, they are not junk but are emails from someone I have corresponded with for a long period of time at the same address. The identification as "junk" was sporadic to start, but is now more regular.

I suggested to the ISP that their Spam Filter may be running amok and they responded that the e-mails being tagged as spam must contain some element that exists on their content filter’s database. These elements will be something like originating IP address, phone number, email address, domain name or image file.

They said there would be a key element in the emails that are being tagged as spam, and that a person ends up on this list by sending emails to "honeypot" email addresses that should never receive emails from anyone, as they are not published anywhere, or by being reported as spam by other people.

What is a "honeypot" email address?

ryck


Edited by cyn (01/07/10 11:10 AM)
Edit Reason: Topic moved from the Lounge to the Networking forum.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#7341 - 01/06/10 01:29 PM Re: What is a "honeypot" email address? [Re: ryck]
jchuzi
Registered: 08/04/09
Loc: New York State
From what I can tell by looking at this Wikipedia search result, it's a lure used by ISPs or others to attract spam. Anything that lands there is classified as junk because nobody would otherwise send emails there. Looks like an ISP's version of a sting operation.
_________________________
Jon

OS 10.14.2, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#7353 - 01/06/10 08:08 PM Re: What is a "honeypot" email address? [Re: ryck]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
Yep, Jon's on the right track.

A honeypot is a computer or email address that is connected to the Internet that is never used and should never receive any email or any network traffic. Security researchers will set up honeypots that look like vulnerable copies of Microsoft Windows without security patches, or that look like they are running open proxies, or they will publish email addresses that are never used on Web pages that should never be accessed by people.

The idea is to see if virus writers or spammers will find the honeypot and attempt to use it. For example, if someone is doing scans of computer IP addresses looking for vulnerable computers, or is using computer programs to scan Web pages searching for email addresses to spam, they will find the honeypot. The only reason that anyone would ever connect to a honeypot computer or send email to a honeypot email address is because they were trying to hack the computer or send spam.

I find that explanation somewhat unsatisfactory about why your friend's emails are being spam-trapped, though. It seems unlikely that your friend would be sending any emails to a honeypot address.

There are some more likely scenarios: your friend might be infected with a virus, or might be using an IP address that had a virus-infected computer on it at some point in the past, or your friend's computer might be on an IP range that's been a "bad neighborhood" in the past, or even the anti-spam software could simply be wrong.

I do have a couple of questions:

- What is your friend's IP address?
- When you get a spam-tagged email, and you look at the full headers, are there any headers that show anti-spam information? Some spam filters will embed information in the email headers that you can use to determine why the spam software believes the message is spam.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#7355 - 01/06/10 10:55 PM Re: What is a "honeypot" email address? [Re: tacit]
ryck
Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: tacit
It seems unlikely that your friend would be sending any emails to a honeypot address.


That's a correct conclusion. This is not a person who would have anything to do with hacking.

Originally Posted By: tacit
There are some more likely scenarios: your friend might be infected with a virus, or might be using an IP address that had a virus-infected computer on it at some point in the past.....


This is an interesting point. The computer sending the 'tagged' emails is a Mac using Parallels for Windows XP. I assume that the Windows part of the machine could be susceptible to viruses.

I have subsequently received a couple of emails from the same address, but sent from a Blackberry, and they were not 'tagged'.

Originally Posted By: tacit
I do have a couple of questions:

- What is your friend's IP address?
- When you get a spam-tagged email, and you look at the full headers, are there any headers that show anti-spam information? Some spam filters will embed information in the email headers that you can use to determine why the spam software believes the message is spam.


I'm not comfortable with posting the IP address here - only because I don't understand the implications. That is, I've always thought IP addresses were something to be protected.

The second part - examining the content of the long header to look for clues - is well beyond my capabilities. I know how to open the long header but I couldn't interpret the information.

ryck

#7361 - 01/07/10 10:24 AM Re: What is a "honeypot" email address? [Re: tacit]
ryck
Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: tacit

There are some more likely scenarios: your friend might be infected with a virus, or might be using an IP address that had a virus-infected computer on it at some point in the past, or your friend's computer might be on an IP range that's been a "bad neighborhood" in the past, or even the anti-spam software could simply be wrong.


Curiouser and curiouser........

It appears that whatever is causing the ISP filter to tag the emails may be connected to a GIF. Does that sound right to you?

Info Revision: I was incorrect in saying that the emails originated on a laptop using Parallels. With the exception of the Blackberry mail, they were sent from a desktop Windows machine at a company that has firewalls and virus detection software.

Except for being different machines, the emails in the following scenarios have the same origination.

1. I arranged for two other people to send test emails and they both arrived without being tagged.

2. The original Sender could only think of one thing that has changed in their mail set-up. The signature GIF has been changed (as in replaced, not altered).

Therefore I asked for two test emails - one with the new GIF attached and one without. The first was tagged and the second was not.

So, it appears that the GIF is the problem and also that it is one for the company to fix, so "over to them".

I don't mean to be a pain but I still wonder about the GIF. If I (or anyone else) wanted to create a GIF to dress up our email, is it possible to create it in such a way that it causes ISP spam filters to think there's something wrong with the mail?

ryck

#7373 - 01/07/10 07:12 PM Re: What is a "honeypot" email address? [Re: ryck]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
Originally Posted By: ryck
I'm not comfortable with posting the IP address here - only because I don't understand the implications. That is, I've always thought IP addresses were something to be protected.


Nope, IP addresses are nothing to be protected. They are attached to every email you send, every comment you make on a forum, and every Web site you visit--they're public knowledge. There are no special security implications, and if you're on broadband they probably change all the time anyway. For example, my IP address at the moment is 71.59.249.181, which belongs to Comcast.

Originally Posted By: ryck
I don't mean to be a pain but I still wonder about the GIF. If I (or anyone else) wanted to create a GIF to dress up our email, is it possible to create it in such a way that it causes ISP spam filters to think there's something wrong with the mail?


Some spam filters weigh emails with attached images very heavily toward spam, because many spammers attempt to evade detection by sending emails which contain random words or phrases, and the actual "advertisement" in an attached GIF. (This is especially common among phony pharmacy spammers--the ones who sell fake pills that they claim are Viagra--and among pirated software spammers.)

You can examine the headers of an email in Mail by using the View->Message->Raw Source command. You'll see a lot of what looks like gibberish at the start of the message. If you read closely, you'll also probably see some headers inserted by the spam filtering software. For example, here's an actual spam message that was flagged for me by my spam software. The parts of the header that show the spam scoring information are in bold. I've removed my email address and replaced it with (removed).

Return-Path: <bonnetuhv44@seedrack.com>
Delivered-To: (removed)
Received: (qmail 30121 invoked by alias); 7 Jan 2010 13:04:50 -0000
Delivered-To: (removed)
Received: (qmail 30112 invoked by uid 210); 7 Jan 2010 13:04:50 -0000
Received: from 122.167.130.171 by se1 (envelope-from <bonnetuhv44@seedrack.com>, uid 201) with qmail-scanner-1.25st
    (clamdscan: 0.88.7/10267. spamassassin: 3.1.3. perlscan: 1.25st.
    Clear:RC:0(122.167.130.171):SA:1(6.9/5.0):.
    Processed in 13.954543 secs); 07 Jan 2010 13:04:50 -0000
X-Spam-Status: Yes, hits=6.9 required=5.0
X-Spam-Level: ++++++
Received: from unknown (HELO ABTS-KK-Dynamic-171.130.167.122.airtelbroadband.in) (122.167.130.171)
    by (removed) with SMTP; 7 Jan 2010 13:04:35 -0000
Received: from 122.167.130.171 by seedrack.com; Thu, 7 Jan 2010 18:34:18 +0530
Message-ID: <000d01ca8f99$ebba16d0$6400a8c0@bonnetuhv44>
From: "Manager Darcy Conrad" <confirmation@myspace.com>
To: (removed)
Subject: SPAM: HIGH * MySpace Password Reset Confirmation! Order NR.3944
Date: Thu, 7 Jan 2010 18:34:18 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01CA8F99.EBBA16D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.2244.8
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2244.8

In this case, the spam scanner is showing that it uses a score to determine spam, and that the score is determined by looking at the message and comparing it to "spammy" messages. The minimum score that it needs to tag something as "spam" is 5.0 and this message scored 6.9, meaning the spam software is very confident that it is spam.

Some spam software provides even greater detail, specifying exactly which parts of the message caused the email to be flagged.

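The header reading tacit walks through above can be automated. The following is an added example, not code from this thread or from any of the filters named in it: it pulls the X-Spam-Status verdict, the qmail-scanner "SA:1(6.9/5.0)" summary and the X-Spam-Level marks out of a raw message. The sample message is constructed to mirror the quoted headers; its addresses and hosts are placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the headers quoted above; addresses and
# hosts are placeholders, not copied from a real message.
SAMPLE = """\
Return-Path: <sender@example.invalid>
Received: from 192.0.2.10 by se1 (envelope-from <sender@example.invalid>, uid 201) with qmail-scanner-1.25st
 (clamdscan: 0.88.7/10267. spamassassin: 3.1.3. perlscan: 1.25st.
 Clear:RC:0(192.0.2.10):SA:1(6.9/5.0):.
 Processed in 13.954543 secs); 07 Jan 2010 13:04:50 -0000
X-Spam-Status: Yes, hits=6.9 required=5.0
X-Spam-Level: ++++++
Received: from unknown (HELO host.example.invalid) (192.0.2.10) by mx.example.invalid with SMTP; 7 Jan 2010 13:04:35 -0000
From: "Manager" <confirmation@example.invalid>
To: recipient@example.invalid
Subject: SPAM: HIGH * Password Reset Confirmation!
Content-Type: text/plain

(body omitted)
"""

# "Yes, hits=6.9 required=5.0" -> verdict, score, threshold
STATUS_RE = re.compile(r"^(Yes|No)\b.*?hits=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)", re.I)
# qmail-scanner token "SA:1(6.9/5.0)" -> flag, score, threshold
QSCAN_RE = re.compile(r"SA:([01])\((-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?)\)")


def spam_verdicts(raw: str) -> dict:
    """Collect every spam-scoring trace the filter left in the headers."""
    msg = message_from_string(raw, policy=default)  # policy=default unfolds headers
    found = {}
    status = msg.get("X-Spam-Status")
    if status and (m := STATUS_RE.search(str(status))):
        found["x_spam_status"] = {"flagged": m.group(1).lower() == "yes",
                                  "hits": float(m.group(2)), "required": float(m.group(3))}
    for received in msg.get_all("Received", []):
        if m := QSCAN_RE.search(str(received)):
            found["qmail_scanner"] = {"flagged": m.group(1) == "1",
                                      "hits": float(m.group(2)), "required": float(m.group(3))}
    level = msg.get("X-Spam-Level")
    if level:  # one mark per whole point of score, so 6.9 -> 6 marks
        found["level_marks"] = len(str(level).strip())
    return found


def margin(raw: str):
    """How far over (positive) or under (negative) the threshold the message scored."""
    v = spam_verdicts(raw).get("x_spam_status")
    return None if v is None else round(v["hits"] - v["required"], 2)


if __name__ == "__main__":
    print(spam_verdicts(SAMPLE))
    print("margin over threshold:", margin(SAMPLE))
```

A message that scores barely over the threshold (small margin) is the kind worth a second look before trusting the tag; a large margin, as here, usually means the filter is right.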
#7375 - 01/07/10 08:37 PM Re: What is a "honeypot" email address? [Re: tacit]
ryck
Registered: 08/04/09
Loc: Okanagan Valley
Thank you very much for this. It is quite interesting, and requires a bit of 'soaking up', so I'll spend a bit of time with it before I seek more clarification. I don't want to waste your time with goofy questions.

ryck

#7377 - 01/08/10 08:50 AM Re: What is a "honeypot" email address? [Re: tacit]
Virtual1
Registered: 08/04/09
Loc: Iowa
Originally Posted By: tacit
In this case, the spam scanner is showing that it uses a score to determine spam, and that the score is determined by looking at the message and comparing it to "spammy" messages. The minimum score that it needs to tag something as "spam" is 5.0 and this message scored 6.9, meaning the spam software is very confident that it is spam.

I don't know what scale they're using. It may be an adjustable thing. At a school where I worked there was a constant battle to bump the threshold number up and down. Too high and we got lots of spam complaints from everyone. Too low and we got complaints from important people losing important email. iirc the number leveled off at 10 but I don't know what scoring system they were using. May have been SpamAssassin.

Score based systems are almost exclusively working off the content of the email.

SA:1(6.9/5.0):.

I believe that says SpamAssassin scored it at 6.9 which met its threshold of 5.0.

They eventually changed to greylisting, which filters out non-rfc-compliant mailservers. (and pays no attention to origin or content) Greylisting is much more effective, which surprises me. You'd think the spammers would simply upgrade their engines, but they don't?
_________________________
I work for the Department of Redundancy Department

#7384 - 01/08/10 02:06 PM Re: What is a "honeypot" email address? [Re: Virtual1]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
Originally Posted By: Virtual1
They eventually changed to greylisting, which filters out non-rfc-compliant mailservers. (and pays no attention to origin or content) Greylisting is much more effective, which surprises me. You'd think the spammers would simply upgrade their engines, but they don't?


Not surprising. Spammers usually send spam through people's PCs that are infected with viruses. The email engine has to be small and lightweight enough to fit into a computer virus, has to be able to send very large amounts of email in a very short time, and will likely be sending large volumes of email to email addresses that are unreachable for whatever reason (invalid, incorrect, closed, whatever--spam lists tend to be pretty dirty). It's not worth the effort to make the email engine retry deferred connections.

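The greylisting mechanism Virtual1 describes, and tacit's explanation of why fire-and-forget spam engines fail it, can be shown in a few lines. This is an added illustration, not code from the thread or from any greylisting product; the delay, retry-window and pass-lease values, and the 450 response text, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Greylisting keys on the triplet (client IP, envelope sender, envelope recipient).
Triplet = Tuple[str, str, str]

DEFER = "450 4.7.1 Greylisted, please try again later"  # temporary failure
ACCEPT = "250 OK"


@dataclass
class Greylist:
    # Assumed policy values, illustrative only.
    min_delay: int = 300            # retry must come at least this long after first sight
    retry_window: int = 4 * 3600    # deferred triplet is forgotten if no retry arrives in time
    pass_ttl: int = 35 * 24 * 3600  # an accepted triplet keeps passing for this long
    deferred: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first-seen time
    passed: Dict[Triplet, float] = field(default_factory=dict)    # triplet -> last-accepted time

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        key = (ip, sender, rcpt)
        if key in self.passed and now - self.passed[key] <= self.pass_ttl:
            self.passed[key] = now          # known-good triplet: accept, refresh lease
            return ACCEPT
        self.passed.pop(key, None)
        first = self.deferred.get(key)
        if first is None or now - first > self.retry_window:
            self.deferred[key] = now        # first sight (or stale record): defer
            return DEFER
        if now - first < self.min_delay:
            return DEFER                    # retried too quickly: keep deferring
        del self.deferred[key]              # retry after the delay: behaves like a real MTA
        self.passed[key] = now
        return ACCEPT


def simulate() -> dict:
    """Contrast a sender that never retries with an MTA that honours 4xx and retries."""
    g = Greylist()
    legit = ("192.0.2.10", "alice@example.invalid", "bob@example.invalid")
    spammer = ("198.51.100.7", "deal@example.invalid", "bob@example.invalid")
    return {
        "spammer_first_and_only_attempt": g.decide(*spammer, now=0),
        "legit_first_attempt": g.decide(*legit, now=0),
        "legit_retry_after_15min": g.decide(*legit, now=900),
        "legit_next_message_same_triplet": g.decide(*legit, now=3600),
    }


if __name__ == "__main__":
    for step, verdict in simulate().items():
        print(f"{step:32s} -> {verdict}")
```

Note that the policy never inspects origin reputation or content; it only rewards the retry behaviour a conforming mail server already has, which is why a sender that drops every 4xx never gets through.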
#7406 - 01/09/10 02:44 PM Re: What is a "honeypot" email address? [Re: tacit]
Virtual1
Registered: 08/04/09
Loc: Iowa
Originally Posted By: tacit
The email engine has to be small and lightweight enough to fit into a computer virus,

That was yesterday. No, maybe the day before that even. Nowadays, when your machine gets owned, it connects to the developer's web site and downloads everything it needs. It'll install updates and check periodically for new things to download too.

I watched our poor PC tech try to remove a virus from a machine on Friday that he thought he'd gotten rid of all of it. But no. As soon as he rebooted, it started hitting the switch with heavy network traffic, downloading the parts he'd deleted. Within minutes the popups were back in full force.

Problem is now they plant "hooks" all over the place in the machine, and if you miss just one, it will go download and reinstall all the parts you removed. He finally had to back up and format that one because he couldn't find all the hooks. (Usually registry keys, but there was more to it in this case, probably infected DLL files that the scanner didn't catch.) That's one way to judge a PC tech's experience: how often they have to format and reinstall to clean out the nasties. But even the really good techs occasionally run into a system that's just so compromised there's no other option. Seeing as how so many PC owners don't keep (or GET) restore disks, this can be a very unfriendly option.

I believe botnetted machines are much worse in this respect. They're run by intelligent people that have much higher economic motivation, and it's in their best interest to keep as many machines in the herd as possible, so they go to great lengths to make their payload protect, repair, and update itself. That being said, they're still somewhat uncommon. I'd say under 1 in 40 windows machines we see are participating in a botnet. In many cases, they're there for quirky problems, not popups... (usually very slow web browsing or that their ISP has disconnected them for being botnetted) The payload protects the computer from other influences so that (A) they have exclusive use of your machine, and (B) you're not inspired to take it to a tech to clean up.
