The Community Forums


Is there any form of email honey trap ?

Discussion in 'E-mail Discussions' started by keat63, Feb 11, 2015.

  1. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    There must be a mailing list somewhere out there with a bunch of fake email addresses at our domain, as I quite often see a recurring theme,
    usually when it's some sort of spam run, like the recent americanexpress one:

    ales@
    alesnn@
    scount@
    tony@


    They of course fail, but is there any sort of honey trap I could set, whereby anything hitting one of these non-existent emails is blocked instantly, so it can't send any more?
     
  2. quanin

    quanin Well-Known Member

    cPanel Access Level:
    Root Administrator
    I don't think there is, though that would be awesome. Possible feature request?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You should find some very useful tools here:
    https://www.projecthoneypot.org/

    If you take a close look at the new Mod Security tools in WHM, you'll even find a form for adding your own: Project Honey Pot Http:BL API Key
     
  4. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I signed up to Project Honey Pot and donated a few MX records, but this is a different thing altogether.

    Today, I had a spam email which contained a macro virus embedded into an Excel doc.
    The annoying thing is, it hit about 10 non-existent mailboxes before landing in one that existed.
    I caught this and deleted it before anyone had a chance to get to it.
    But I can't sit here 24 hours per day watching.

    Had there been some sort of rule, be it custom or otherwise, that I could populate with these recurring non-existent emails, it would have stopped it in its tracks.

    Ratelimit doesn't work, as the sending IP is changing every 4 or 5 emails, but the sending email address remains constant.
    Who would I report this to as a feature request, or are there any Exim tweaks anyone could think of?



    - Removed -
     
    #4 keat63, Feb 24, 2015
    Last edited by a moderator: Feb 24, 2015
  5. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    Some sort of rule that could be configured which goes along the lines of:

    If to = tony@mydomain.com or marko@mydomain.com or cal.rattlidge@mydomain.com then blacklist sender email address.
    I know SpamAssassin has an email blacklist, but this appears to be manual.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    By those messages, your system is working, on its own.

    You'll be populating that list for the rest of your life, and after you're dead and gone, new email addresses will still be used to send spam.

    Automation is key. The response errors quoted above from your post, now edited to remove them, tell us your system is managing them as expected.
     
  7. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    There were two constants in that attack (and others I've encountered recently):
    The supposed email address which sends them is constant.
    The email accounts they send to are constant.

    The IP address changes.

    For that particular email I saw at least 100 attempts to send to that domain.
    Of the 100 attempts, 2 or 3 made it through to an end user's mailbox.
    If only one end user opened the email and became infected with a phishing virus, I'd say it failed.

    I agree, automation is the key, hence the reason I suggested an automated rule along the lines of:

    "If to = tony@mydomain.com or marko@mydomain.com or cal.rattlidge@mydomain.com then blacklist sender email address."

    I read today on the SpamAssassin web site about custom rules, but nothing seemed to fit the bill.
    Plus I also assume that as long as Exim is rejecting them, they never make it as far as SA.

    So I can see multiple attempts from a spoofed email address, but can't do anything to blacklist that spoofed email address unless I do this manually, which isn't productive.
     
    #7 keat63, Feb 24, 2015
    Last edited: Feb 24, 2015
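The rule keat63 describes in posts 5 and 7 (recipient is one of the known non-existent "trap" addresses, so blacklist the envelope sender, not the rotating IP) can be built outside Exim by reading the mainlog. The script below is an added example written for this thread; it is not cPanel's code and not something the posters ran. The log lines are constructed in the Exim mainlog style ("rejected RCPT ... No Such User Here") to mimic the run described, the trap addresses are taken from posts 1 and 5 with the domain mydomain.com assumed from post 5, and the spoofed sender and source IPs are placeholders. It keys on the envelope sender because the thread says that is the constant; it skips the null sender (bounces) and requires hits on at least two distinct trap addresses inside a time window, so a single mistyped recipient from a real correspondent does not get them blacklisted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log in Exim mainlog style (not real data from the thread):
# one spoofed sender, two source IPs, a burst of RCPTs to non-existent users,
# one accepted delivery ("<="), a legitimate sender with a single typo, and
# two bounces from the null sender that must never be blacklisted.
SAMPLE_LOG = """\
2015-02-24 09:01:10 H=(mx.example.net) [203.0.113.10] F=<billing@amex-invalid.example> rejected RCPT <tony@mydomain.com>: No Such User Here
2015-02-24 09:01:12 H=(mx.example.net) [203.0.113.10] F=<billing@amex-invalid.example> rejected RCPT <marko@mydomain.com>: No Such User Here
2015-02-24 09:03:40 H=(pc.example.org) [198.51.100.7] F=<billing@amex-invalid.example> rejected RCPT <cal.rattlidge@mydomain.com>: No Such User Here
2015-02-24 09:03:41 H=(pc.example.org) [198.51.100.7] F=<billing@amex-invalid.example> rejected RCPT <ales@mydomain.com>: No Such User Here
2015-02-24 09:05:02 1YQG8Y-0001Ab-Qx <= billing@amex-invalid.example H=(pc.example.org) [198.51.100.7] P=esmtp S=48211 for accounts@mydomain.com
2015-02-24 09:07:15 H=(host.example.com) [192.0.2.55] F=<newsletter@legit.example> rejected RCPT <tony@mydomain.com>: No Such User Here
2015-02-24 09:08:00 H=(b.example) [192.0.2.9] F=<> rejected RCPT <tony@mydomain.com>: No Such User Here
2015-02-24 09:08:01 H=(b.example) [192.0.2.9] F=<> rejected RCPT <marko@mydomain.com>: No Such User Here
"""

# Trap addresses from the thread; the domain is assumed from post 5.
HONEYTRAPS = {
    "ales@mydomain.com", "alesnn@mydomain.com", "scount@mydomain.com",
    "tony@mydomain.com", "marko@mydomain.com", "cal.rattlidge@mydomain.com",
}

# Matches a RCPT-time rejection: timestamp, [ip] with optional :port,
# envelope sender F=<...> (empty for the null sender), and the recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)


@dataclass
class RejectEvent:
    ts: datetime
    ip: str
    sender: str
    rcpt: str


def parse_mainlog(text):
    """Extract rejected-RCPT events; accepted deliveries and other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        events.append(RejectEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            ip=m["ip"],
            sender=m["sender"].lower(),
            rcpt=m["rcpt"].lower(),
        ))
    return events


@dataclass
class TrapSummary:
    sender: str
    first_seen: datetime
    last_seen: datetime
    trap_rcpts: set = field(default_factory=set)
    ips: set = field(default_factory=set)


def honeytrap_senders(events, traps, window_seconds=3600, min_hits=2):
    """Return {sender: TrapSummary} for senders that hit >= min_hits distinct
    trap recipients within any window_seconds span, regardless of source IP."""
    traps = {t.lower() for t in traps}
    by_sender = defaultdict(list)
    for ev in events:
        if ev.sender == "":
            continue  # null sender carries bounces/DSNs: never blacklist it
        if ev.rcpt in traps:
            by_sender[ev.sender].append(ev)
    flagged = {}
    for sender, hits in by_sender.items():
        hits.sort(key=lambda e: e.ts)
        for end in hits:
            recent = [h for h in hits if 0 <= (end.ts - h.ts).total_seconds() <= window_seconds]
            if len({h.rcpt for h in recent}) >= min_hits:
                flagged[sender] = TrapSummary(
                    sender, hits[0].ts, hits[-1].ts,
                    {h.rcpt for h in hits}, {h.ip for h in hits})
                break
    return flagged


def exim_sender_list(flagged):
    """Render an Exim address-list file: one address per line, '#' comment lines only
    (Exim does not accept trailing comments after a list item)."""
    lines = ["# envelope senders that hit honeytrap recipients; regenerated, do not hand-edit"]
    for sender in sorted(flagged):
        s = flagged[sender]
        lines.append(f"# {len(s.trap_rcpts)} trap recipients from {len(s.ips)} IPs, "
                     f"last seen {s.last_seen:%Y-%m-%d %H:%M}")
        lines.append(sender)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(exim_sender_list(honeytrap_senders(parse_mainlog(SAMPLE_LOG), HONEYTRAPS)))
```

Run periodically against the live mainlog, the output file can be fed to a custom Exim ACL with a `deny` whose condition is `senders = /path/to/generated/list` (Exim reads a file name in an address list one item per line; the path is a placeholder). Two caveats a practitioner would want: the envelope sender is forged, so entries should age out by regenerating from a sliding window rather than accumulating forever, and an address your users legitimately receive from should be excluded before it is written, since the spammer may be spoofing a domain you do business with.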
  8. itagtodd

    itagtodd Registered

    I thought that is what the Dictionary attack ACL was supposed to do for you. Do you use Exim, and do you have the Dictionary attack protection turned on?

    Whoops, missed the part where you said coming from different IP addresses.
     
  9. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I do have dictionary attack enabled, but it's useless as the viruses are coming from dozens of zombies.
    I see at least one, maybe two, every day, with hundreds of failed messages.
    I had one last week that saw in excess of 1400 failed messages in a 20 hour period.

    Like Infopro states, "your system is managing them as expected", but just every now and then one slips through.
    I have 3 RBLs installed, ClamAV, an internal company firewall with AV, and the clients' PCs have AV installed, but they all seem useless against macros.
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    That was a different email than a dictionary attack I believe. You, me, many others saw those same emails in our logs.

    No system gets 100% every day.


    Exim Configuration Manager - Basic Editor - cPanel Documentation

    Dictionary attack - Wikipedia
     
  11. keat63

    keat63 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I looked at many options, but sometimes explanations are a little ambiguous.

    Ratelimit incoming connections with only failed recipients.

    "This option allows you to rate-limit incoming SMTP connections that have only sent email to failed recipients during five separate connection times in the past hour."

    I'm still trying to figure out what this one does exactly.
    Assume an SMTP IP address sends to 4 failed recipients and then 1 genuine; can it continue without rate limit for another hour?
    Then the zombie gets bored and stops, but another zombie takes over, or 5 zombies are all trying at the same time.
    They would only need to send to one genuine email address to be allowed without rate limit?

    If i get time this weekend, I'm going to do a little digging around Exim Custom Rules, see if I can find anything.
     
    #11 keat63, Feb 24, 2015
    Last edited: Feb 24, 2015