Abstract

Though spam should generally not be considered a real cyber attack, it may be difficult to distinguish between virus-contaminated emails, phishing scams and bothersome ads (those containing tricky JavaScript or specific forged HTML used to track them). Moreover, spammers slow the servers receiving legitimate emails and may cause availability problems. While spammers earn money by embarrassing people, employees and netsurfers lose time by receiving unsolicited emails -- in some cases, hundreds per day. Companies may lose money too, through lost productivity, bandwidth charges, purchasing blacklists, and so on. Typical solutions against this cyber-plague may be to filter emails received by using content analysis or blacklists, and to fix poorly configured servers.

This paper will evaluate the usefulness of using honeypots to fight spammers. The first part of the article will explain some background information on spam. Then, we will try to understand how honeypots may detect, slow and stop such activities while promoting a clean Internet. Finally we will conclude with some future perspectives.

1.0 Introduction to spammers

1.1 What is Spam?

In this paper, we will use the word spam to describe UBE (Unsolicited Bulk E-mail) and UCE (Unsolicited Commercial E-mail). Examples and logs given in this paper are inspired by real-life events, but they were modified to retain anonymity.

1.2 How spammers work

• Harvest: build a database of targets by finding valid email addresses
• Stealth and open proxies: work anonymously while sending ugly emails to their targets
• Spam and open relays: find and use servers that accept to relay emails anywhere

We would need a book to describe everything to do with spam in enough detail, and the Internet is ever full of excellent resources that talk about this already, so let's focus on the important issues.

1.2.1 Email addresses get harvested

Figure 1: Harvesting email addresses

You may also want to read [ref 3] other documents to get more detailed explanations about the harvesting of email addresses.

1.2.2 Open proxies

An open proxy is a proxy service opened to the world for almost any kind of request, allowing anybody to remain anonymous while crawling the net. Such proxies are used a lot in the underground: blackhat people, warez people, etc. Open proxies are also useful for many spammers, because they will be able to stay anonymous while sending their unwanted emails.

Here is an example of a TCP session recorded by snort [ref 4], showing a remote proxy check probably launched by Earthlink. The client connects to the proxy on TCP port 8080, and doesn't ask for a Web page but instead for a TCP session initialized with a remote SMTP server (207.69.200.120) owing to the HTTP CONNECT function. The rest of this TCP session is SMTP, directly sent to the SMTP server (HELO, MAIL FROM, RCPT TO, DATA, QUIT).

$ cat /var/log/snort/192.168.1.66/SESSION\:8080-4072
CONNECT 207.69.200.120:25 HTTP/1.0

HELO [217.128.a.b]
MAIL FROM:<openrelay@abuse.earthlink.net>
RCPT TO:<spaminator@abuse.earthlink.net>
DATA
Message-ID: <36af800461754252ab1107386a9cd8eb@openrelay@abuse.earthlink.net>
To: <spaminator@abuse.earthlink.net>
Subject: Open HTTP CONNECT Proxy
X-Mailer: Proxycheck v0.45

This is a test of third-party relay by open proxy.

These tests are conducted by the EarthLink Abuse Department.
EarthLink, by policy, blocks such systems as they are discovered.

Proxycheck-Type: http
Proxycheck-Address: 217.128.a.b

36af800461754252ab1107386a9cd8eb

Proxycheck-Port: 8080
Proxycheck-Protocol: HTTP CONNECT

This test was performed with the proxycheck program. For further
information see <http://www.corpit.ru/mjt/proxycheck.html/>

.
QUIT

Using a proxy server is quite efficient for a spammer to have anonymity. As proxy owners may have logs, spammers may fear that their IP address could be recorded (remote proxy log). Usually, spammers bet that badly configured proxies don't have logs. Their fear of logs is why sometimes they use chains of proxies to increase their luck -- they connect to an open proxy server (TCP Session), then ask it to connect to another known open proxy server (CONNECT a.b.c.d:3128), etc. For example:

Figure 2: Open relays and spammers

The longer the chain, the stealthier they become, but they will lose time as multiple bounces will result in multiple delays added.

1.2.3 Open relays

Such a poorly configured MTA lends its system and network resources to the remote abuser who is getting paid to send out spam. Usually, an organization that unwittingly relays spam may be blacklisted on international lists (RBL, etc). That would annoy internal users because they couldn't use their own email properly. A big ISP sadly blacklisted would probably lose clients and money.

2.0 Honeypots versus spammers

In this chapter, we will see if it's possible to use honeypots technologies in the following cases:

1. when spammers come to your Web site to steal email addresses and transform them into future targets;
2. when spammers try to connect to your proxy servers and try to bounce elsewhere by abusing your services;
3. when spammers inject SMTP traffic to your email servers in order to send unsolicited emails through you.

2.1 Honeypots and harvesting

During automatic harvesting of valid email addresses on the Web, spammers may sometimes be recognized because of the tools they use by checking the User-Agent field sent by their browser [ref 6]. Some people have decided to either block a specific User-Agent known to be used by spammers, or transparently redirect those Web clients to fake Web pages containing tons of fake email addresses. The trouble is that it's very easy for spammers to change the User-Agent. So those same people defending against spam then decided to create Web links on their pages that would be invisible for a human reader (e.g. white characters on a white background) but visible for a spambot following every link read in the HTML source. Such a Web page waiting for Spam bots will dynamically create fake email addresses to fool the spammers.

One idea could be to create tons of fake addresses. There is a quite good example of a piece of freeware called Wpoison [ref 7]. This CGI script added to your Web site will generate fake email addresses looking like real ones. A live demo can be tried on this Web site [ref 8].

Another technique could be to create a fake address containing specifically chosen information. The day this email address is used as a target of spam, the owner will be able to determine the IP used by the spammer.

<?
// PHP example taken from the frenchhoneynet Web site
// replace by your domain, add recipients filtering on your MTA (mimedefang...)
echo '<a href="mailto:'.$REMOTE_ADDR.'_'.date('y-m-j').'-spamming@frenchhoneynet.org" 
title="There is no spoon">For stupid spambots';
?>

This script will dynamically generate a mailto: link, containing a fake email address with the IP of the current Web client and the date. For example:

<a href=mailto:80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org>...

If the Web client is a spambot, it will add 80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org in the database of potential targets. Now we suppose that a spammer uses this database. He will probably send an email to this virtual address.

Then the mail server administrator can filter incoming emails by looking at the recipients (on your MTA or eventually on your MUA [Mail User Agent]). If you receive an email destined to 80.13.aa.bb_03-11-17-spamming@frenchhoneynet.org, then you surely know that 80.13.aa.bb is the IP address that was used on November 17, 2003. And more than that, you know that this address was a spam harvesting source.

# Example of a simple recipient filtering with Mimedefang http://www.mimedefang.org/]
# Will filter incoming email containing a recipient address in the form
# of those created by the latter PHP example.
sub filter_recipient {
	my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
	if($recipient =~ /^<.*-spamming@frenchhoneynet\.org>?$/i)
	{ return ("REJECT", "Spamming activity"); }
	return ("CONTINUE", "ok");
}

Though those techniques seem to be interesting, they will only work with stupid spambots, ones which are probably not used by skilled spammers. The more sophisticated spammers may use open proxies to crawl the net, and the dynamically created email address will just help with finding such proxies and the spammer will keep his anonymity.

2.2 Honeypots and open proxies

So, would it be so difficult to set up a fake open proxy in a honeypot ? No, and that's what were are going to look at.

By looking at your firewalls logs, you'll probably notice attempts to access TCP ports like :

• 1080 socks proxy server
• 3128 squid proxy server
• 8080 web caching service

Many basement-dwelling people "courageously" hiding behind their monitor, and using tools they don't understand, will scan the net to map all interesting services. Some of them share their information in public lists of proxies on the Internet (just use Google and search for things like "open proxies list"). By connecting to the answering TCP ports, sending a few packets may help to understand if the proxy is open or not (will it accept and go anywhere?).

What if we setup some honeypots that will answer positively to incoming requests? We'll be able to fool some spammers.

My favorite honeypot, made by Niels Provos, is called Honeyd [ref 9]. To create a fake relay server, simulating open proxies and an open mail relay, you could use such a configuration file :

create relay 
set relay personality "OpenBSD 2.9-stable"
add relay tcp port 25 "sh /usr/local/share/honeyd/scripts/sendmail.sh $ipsrc $sport $ipdst $dport"
add relay tcp port 3128 "sh /usr/local/share/honeyd/scripts/squid.sh $ipsrc $sport $ipdst $dport"
add relay tcp port 8080 "sh /usr/local/share/honeyd/scripts/proxy.sh $ipsrc $sport $ipdst $dport"
set relay default tcp action block
set relay default udp action block
bind 192.168.1.66 relay

This will ask Honeyd to simulate an OpenBSD 2.9 computer with the IP 192.168.1.66 and three TCP ports opened: 25, 128 and 8080. For each incoming request coming to those ports, Honeyd will launch the appropriate fake service (sendmail.sh, squid.sh, proxy.sh). If those services want to see what was sent by spammers, they just have to read data from STDIN. To reply to the spammers, they just have to write data to STDOUT (like a classical Inetd process).

To fool the remote spammer, we'll have to simulate part or all of the discussion.

As an interesting proof of concept, we will look at the tool called Bubblegum Proxypot [ref 10] which is a sharp, small tool. The only goal of this tool is to fool active spammers by simulating an open proxy. In comparison with Honeyd, it cannot simulate something else (Honeyd may be used to simulate anything you need); it cannot change its IP stack behavior, etc. Though it's a simpler tool, we'll quickly learn many things from spammers.

Depending of his skill, the spammer will either simply check that the proxy is open, or perhaps try to see if it is working properly. Remember that the spammer's goal is to make money. Thus spammers cannot afford to lose much time sending thousands of emails out for nothing. On my temporary honeypots, I saw both of the above behaviors.

With Proxypot, you can choose one of three possible configurations to fool the spammers:

• smtp1: the whole SMTP connection is faked.
  Pros : no SMTP outbound traffic is needed, so it will save your network bandwidth.
  Cons : this will only fool novices and you'll have to chose the kind of SMTP server to simulate. If the spammer connects to the proxy and asks to go to a Sendmail server while you are faking a Qmail server, he may notice that it is a honeypot.
• smtp2: connect to the real SMTP server, read its 220 banner and maybe issue a HELP command to find out what kind of server it is, then hang up and use that information to fake a more convincing SMTP session.
  Pros : if the spammer knows the version of the targeted email server, he will believe this is the real one and you won't have much of a fingerprinting problem.
  Cons : this will generate outbound traffic. You have to be sure of the software used, to avoid being used as either a real spam relay or a hack relay. If the spammer targets an SMTP server he owns, for example for his first email, he will notice that the SMTP session he sees though the proxy is not the same as the one going to his mail server.
• smtp3: connect to the real SMTP server and pass through all recognized commands except DATA and EXPN. RCPT and VRFY are rate-limited.
  Pros : this is the extreme simulation and it's almost impossible to do better, because using DATA properly would deliver the email and this is something you want to avoid.
  Cons : like every simulator, a spammer may discover that this not a real one, and fingerprinting possibilities will still exist.

I personally used the option smtp2 and got thousands of spam through it. [Continue to Part 2]