Honeypot
In computer terminology, a honeypot is a trap set to detect,
deflect or in some manner counteract attempts at unauthorized use of
information systems. Generally it consists of a
computer, data or a network site that appears to be part of a network
but which is actually isolated and protected, and which seems to contain
information or a resource that would be of value to attackers. A
honeypot that masquerades as an open proxy is known as a sugarcane.
A honeypot is valuable as a surveillance and early-warning tool. While often
a computer, a honeypot can take on other forms, such as files or data records,
or even unused IP address
space. Honeypots should have no production value and hence should not see any
legitimate traffic or activity. Whatever they capture can then be surmised as
malicious or unauthorized. One very practical implication of this is that
honeypots designed to thwart spam by masquerading as systems of the types abused
by spammers to send spam can categorize the material they trap 100% accurately:
it is all illicit. A honeypot needs no spam-recognition capability, no filter to
separate ordinary e-mail from spam. Ordinary e-mail never comes to a honeypot.
Honeypots can carry risks to a network, and must be handled with care. If
they are not properly walled off, an attacker can use them to actually break
into a system.
Etymology
(Image caption: Winnie the Pooh about to get stuck in a honey pot)
The term "honeypot" is often understood to refer to the English
children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by
his desire for pots of honey.
During the
Cold War it was an espionage technique, which inspired spy fiction. The term
"honeypot" was used to describe the use of sexual entrapment to gain
information. In a common scenario, a pretty female Communist agent would trick a
male Western official into handing over secret information.
An alternative explanation for the term is a reflection of the sarcastic term
for outhouses
and other methods of collecting feces and other human waste in places that lack
indoor plumbing. Honey is a euphemism for such waste, which is kept in a
honeypot until it is picked up by a honey wagon and taken to a
disposal area. In this usage, attackers are the equivalent of flies, drawn by
the stench of
sewage.
Types of honeypots
Honeypots are generally divided into three categories according to how much
of a real system they expose to an attacker: low-interaction,
medium-interaction and high-interaction honeypots.
honeyd (low-interaction)
is a GPL-licensed daemon that is able to simulate large network structures on
a single host. With one single instance of the daemon, many different hosts
running different services can be simulated[1]. Services are customizable
with userland scripts.
mwcollect, nepenthes (medium-interaction)
mwcollect and nepenthes are both released under the GPL license and can be
used to collect autonomously spreading malware. Automated attacks are not only
logged: the daemons extract from the exploit payload, using known patterns,
the information needed to obtain the malware binaries, and then actively
download a sample. The whole exploitation process is simulated in a
virtualized environment, so the honeypot itself can never really be infected
with the malware.
Spam honeypots
Spammers
are known to abuse vulnerable resources such as
open mail relays and
open
proxies. Some system administrators have created honeypot programs which
masquerade as these abusable resources in order to discover the activities of
spammers. Such honeypots give administrators several capabilities, and the
mere existence of fake abusable systems makes abuse more difficult or risky.
Honeypots can be a powerful countermeasure against those who rely on very
high-volume abuse (e.g., spammers).
The capabilities of value to the honeypot operator include determination of
the apparent source (that is, IP address) of the abuse and bulk capture of spam
(which makes it possible to determine the URLs and response mechanisms used by
the spammers). For open relay honeypots it is possible to determine the e-mail
addresses ("dropboxes")
spammers use as targets for their test messages, which are the tool they use to
detect open relays. It is then simple to deceive the spammer: transmit any
illicit relay e-mail received addressed to that dropbox e-mail address. That
would indicate to the spammer that the honeypot was a real abusable open relay
and he would often respond by sending large quantities of relay spam to that
honeypot, where it stopped. This was a capability of greatest value to the
(unknown and unpredictable) intended recipients of the spam. The apparent source
may be another abused system: spammers and other abusers may use a chain of
abused systems in order to make detection of the original starting point of the
abuse traffic difficult. This in itself is indicative of the power of honeypots
as anti-spam tools: in the early days of anti-spam honeypot usage spammers
showed little concern for hiding their location and would test for
vulnerabilities and send spam directly from their own systems. It was easy, it
was safe. Honeypots made the abuse less easy, less safe.
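As an added example (not code from the original article or from any of the relay honeypots it names), the following Python sketch applies the capabilities just described to transactions an open relay honeypot would have logged: it separates relay attempts from local delivery, counts apparent sources, flags candidate dropbox addresses (sole recipients of short messages seen from more than one source, the pattern of a relay test), and harvests URLs from the captured bodies. The transactions, domains and addresses are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what a fake open relay would log:
# (client IP, envelope sender, recipients, message body). Not real traffic.
CAPTURED = [
    ("198.51.100.7", "test@example.net", ["probe1@example.org"], "relay test 203.0.113.5"),
    ("198.51.100.7", "test@example.net", ["probe1@example.org"], "relay test 203.0.113.5 again"),
    ("192.0.2.44", "x@example.com", ["probe1@example.org"], "ping"),
    ("192.0.2.44", "promo@example.com", ["a@example.com", "b@example.com", "c@example.com"],
     "Buy now http://example.com/offer and http://example.com/unsub"),
    ("203.0.113.9", "local@honeypot.example", ["admin@honeypot.example"], "hello"),
]

LOCAL_DOMAINS = {"honeypot.example"}  # assumed: the only domain the honeypot "serves"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_relay_attempt(rcpts):
    """A transaction is relay abuse when any recipient is outside our local domains."""
    return any(r.split("@")[-1].lower() not in LOCAL_DOMAINS for r in rcpts)

def analyse(transactions, test_max_len=64):
    """Summarise relay abuse: source counts, likely dropboxes, URLs advertised."""
    sources = Counter()
    dropbox_sources = defaultdict(set)  # candidate dropbox -> IPs that targeted it
    urls = Counter()
    for ip, _sender, rcpts, body in transactions:
        if not is_relay_attempt(rcpts):
            continue  # local delivery is not relay abuse
        sources[ip] += 1
        # Relay tests are short, single-recipient messages; the same dropbox
        # tends to be hit from several abused systems, so require >= 2 sources.
        if len(rcpts) == 1 and len(body) <= test_max_len:
            dropbox_sources[rcpts[0].lower()].add(ip)
        urls.update(URL_RE.findall(body))
    dropboxes = sorted(d for d, ips in dropbox_sources.items() if len(ips) >= 2)
    return {"sources": dict(sources), "dropboxes": dropboxes, "urls": dict(urls)}

if __name__ == "__main__":
    print(analyse(CAPTURED))
```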
Open relays are still used by spammers but the volume of spam sent through
such open relays appears to be much smaller than it was in 2001 to 2002. Some
Asian spammers relay spam to Asian e-mail addresses through open relays they
find in the US. Honeypot operators in the US can detect both the relay tests
from such Asian spammers and intercept whatever spam they attempt to relay
through the honeypot.
Open relay honeypots include Jackpot, written in Java,
smtpot.py, written in
Python and
honeypot.php, written in
PHP. The
Bubblegum Proxypot is an open proxy honeypot (or proxypot).
E-mail trap
An e-mail address that is not used for any other purpose than to receive spam
can also be considered a spam honeypot. A better term might be
spamtrap,
with the term "honeypot" reserved for systems and techniques used to detect or
counter attacks and probes. Spam arrives at its destination "legitimately" -
exactly as non-spam e-mail would arrive.
An amalgam of these techniques is
Project Honey Pot. The distributed, open source Project uses honeypot pages
installed on websites around the world. These honeypot pages hand out uniquely
tagged spamtrap e-mail addresses.
E-mail address harvesters and spammers can then be tracked as they gather and
subsequently send to these spamtrap e-mail addresses.
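An added illustration (not Project Honey Pot's own code) of how uniquely tagged spamtrap addresses allow the later spam to be traced back to the harvest: each address minted for a page visit encodes the visitor's IPv4 address and the time, protected by a truncated HMAC so a forged tag is rejected. The domain, key and timestamps are constructed for the demo.

```python
import hmac, hashlib, ipaddress, re
from datetime import datetime, timezone

TRAP_DOMAIN = "example.org"                      # assumed spamtrap domain
SECRET = b"constructed-demo-key-change-me"       # constructed demo key, not a real one
# local part: trap-<ipv4 hex:8><unix time hex:8><mac hex:8>
ADDR_RE = re.compile(r"^trap-([0-9a-f]{8})([0-9a-f]{8})([0-9a-f]{8})@(.+)$")

def _mac(payload, secret):
    # 32-bit truncation keeps the address short; enough to stop casual forgery in this demo.
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:8]

def mint_spamtrap(harvester_ip, when, secret=SECRET):
    """Mint a spamtrap address tagged with who fetched the honeypot page and when (IPv4 only)."""
    payload = f"{int(ipaddress.IPv4Address(harvester_ip)):08x}{int(when.timestamp()):08x}"
    return f"trap-{payload}{_mac(payload, secret)}@{TRAP_DOMAIN}"

def attribute_spam(rcpt, secret=SECRET):
    """Recover (harvester IP, harvest time, UTC) from the recipient of an incoming spam.

    Returns None for addresses that are not ours or whose tag fails verification.
    """
    m = ADDR_RE.match(rcpt.strip().lower())
    if not m or m.group(4) != TRAP_DOMAIN:
        return None
    ip_hex, ts_hex, mac, _ = m.groups()
    if not hmac.compare_digest(mac, _mac(ip_hex + ts_hex, secret)):
        return None  # tag forged or key mismatch
    ip = str(ipaddress.IPv4Address(int(ip_hex, 16)))
    when = datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc)
    return ip, when

if __name__ == "__main__":
    addr = mint_spamtrap("198.51.100.7", datetime(2009, 1, 1, tzinfo=timezone.utc))
    print(addr, "->", attribute_spam(addr))
```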
Honeypot detection
Just as honeypots are a weapon against spammers, honeypot detection systems
are a spammer-employed counter-weapon. Since detection systems would most
likely rely on the unique characteristics of specific honeypots to identify
them, a plethora of honeypots in use makes the set of unique characteristics
larger and more daunting to those seeking to detect and thereby identify them.
This is an
unusual circumstance in software: a situation in which "versionitis" (a large
number of versions of the same software, all differing slightly from each other)
can be beneficial. There's also an advantage in having some easy-to-detect
honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even
argues that every system running his honeypot should have a deception port
that adversaries can use to detect the honeypot[2].
Cohen believes that this might deter adversaries.
Notes And References
Online Advertising, made by MultiMedia | Free content and software
This guide is licensed under the GNU
Free Documentation License. It uses material from the Wikipedia.