On 08/01/2015 05:23, Alex wrote:


> I have an old domain with a number of dormant accounts that I'd like
> to use. The domain also uses several RBLs, so a majority of the spam
> is rejected before it's ever received, so it's less than effective.

You need to whitelist at least the trap addresses to be effective.

> I'm also wondering what exactly you're taking from these messages that
> are received? Are you blocking based on IP? Creating header/body


Blocking by IP is the most common - providing the addresses you use as traps have never been used. In your case, maybe not such a good idea, because you/someone once used them, and it might be an old friend who went Grizzly Adams for 10 years and came back trying to genuinely talk to you or the recipient.


> Or are you only limited to gathering info based on the 'user unknown'
> messages,

Never ever do that! People make typos all the time.


> Do you have scripts that parse your maillog?

Twice daily. It used to be hourly, but that's not nice when they grow to a gig a day per server. I'm thinking about changing it to once a day, before the log rolls.


> Do you have any type of revocation ability, to keep track of when they
> were added so they can be removed after some time?

It's a bash script that uses awk, so I can add dates with strftime() and I know when it was added. I use this to go through and clean it up every once in a while (listings on trap hits stay for at least 1 yr unless I get a delist request).


> How about using a domain specifically for creating a honeypot, of

You only need an email@address; there's no point in registering a domain solely for this. Some might think it's better, but I see no real advantage to it over using a well-known existing domain. In fact, if you examine your logs you might see one already there you can use. For example, I use a few email addresses: my private one only friends have, my list address (this one), my opensource contrib address (yeah, it's public too), work address (nobody has) and another for usenet. The usenet one was obviously botched by a spambot once and it repeated the user@ component. Let's say it was xyz@ausics, so I always see hits in mail logs for xyzxyz@ausics. Rather funny, but awesome, because in addition to my never-used long-term trap addresses, I added that one too and it catches several hundred a week alone. Obviously spammers trade lists. So, like I said, you might already be seeing one you can use.

(footnote: that usenet address has been in use for well over 20 years, so YMMV)

> sorts? Would you create a basic webpage and populate that with email
> addresses? Then set up the mail system to accept all mail...

That can help; you'd only need a couple. And join usenet, that's a good way to catch 'em. Also pop a fake email address in your sigs on some forums.
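The maillog parsing and dated listings described in this message, as an added sketch that is not the poster's script: it lists only client IPs that delivered to an exact trap address (never "user unknown" rejects) and expires listings after a year. Assumptions: Postfix-style log lines, a hypothetical trap address at example.org, an "IP epoch" list file, and `date +%s` in place of awk's strftime() so it runs on any POSIX awk.

```shell
#!/usr/bin/env bash
# Constructed Postfix-style log lines (assumed format); all IPs are documentation ranges.
sample_log() {
cat <<'EOF'
Jan  8 05:23:01 mx1 postfix/smtpd[2101]: 4A1B2C: client=unknown[192.0.2.10]
Jan  8 05:23:02 mx1 postfix/local[2105]: 4A1B2C: to=<xyzxyz@example.org>, relay=local, status=sent
Jan  8 05:24:10 mx1 postfix/smtpd[2101]: 5D3E4F: client=mail.example.net[198.51.100.7]
Jan  8 05:24:11 mx1 postfix/local[2106]: 5D3E4F: to=<xyz@example.org>, relay=local, status=sent
Jan  8 05:25:00 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <xzy@example.org>: User unknown; to=<xzy@example.org>
EOF
}

# trap_ips TRAPFILE < maillog: print client IPs that delivered mail to a trap address.
trap_ips() {
  awk -v traps="$1" '
    BEGIN { while ((getline a < traps) > 0) trap[tolower(a)] = 1 }
    # smtpd line: remember which client IP owns each queue ID
    $7 ~ /^client=/ { ip = $7; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip); client[$6] = ip }
    # delivery line: exact trap-address match only, never "user unknown" rejects
    $7 ~ /^to=</ { addr = $7; sub(/^to=</, "", addr); sub(/>.*$/, "", addr)
                   if ((tolower(addr) in trap) && ($6 in client)) print client[$6] }
  ' | sort -u
}

# update_list LISTFILE NOW [MAX_AGE] < ips: stamp unseen IPs with NOW (epoch seconds)
# and drop listings that are MAX_AGE seconds old or more (default 365 days).
update_list() {
  touch "$1"
  awk -v list="$1" -v now="$2" -v max="${3:-31536000}" '
    BEGIN { while ((getline l < list) > 0) { split(l, f, " ")
              if (now - f[2] < max) added[f[1]] = f[2] } }
    !($1 in added) { added[$1] = now }   # a repeat hit keeps its original date
    END { for (ip in added) print ip, added[ip] }
  ' | sort > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo: one hypothetical trap address; prints the resulting "IP epoch" list.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' 'xyzxyz@example.org' > "$dir/traps"
  sample_log | trap_ips "$dir/traps" | update_list "$dir/listed" "$(date +%s)"
  cat "$dir/listed"; rm -rf "$dir"
}
demo
```

Only 192.0.2.10 is listed: the legitimate address and the rejected typo never match the trap file.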
