Project Honeypot: The Joining

Posted: Sat, 9 June 2007 | permalink | No comments

After asking last week if anyone had any experience with Project Honeypot, I got one response, from Chris Samuel, who was pretty positive about the whole thing:

I'm one of the people contributing, from the stats on my site it appears I've contributed to the identification of 6 harvesters and a comment spammer.

I'm only running it on one site at the moment, but it seems to be a useful service and once it's up and running it seems fairly inconspicuous.

I decided to give it a go myself, and signed up.

It's pretty nifty the way it all works. You can do a number of different things to be part of the project, from linking to other people's honeypots (through the trivial act of adding some HTML to your web pages), or you can setup a honeypot of your own (which is done in an ingenious manner, and just requires you to be able to run one of a bunch of different forms of dynamic script -- about ten minutes work, tops). You can also contribute a domain (or subdomain) which the project will use as a spamtrap domain -- all you have to do there is add an MX record. The use of lots of different domains makes it harder for spammers to filter known spamtrap domains out of their lists.

In exchange you get good karma from helping to identify network abusers, and you can monitor chunks of IP space (such as space that your company sub-leases to others, for example) for evidence of abuse, or use the collected data to block abusers from your own web servers through the project's http:BL service.

The http:BL, for me, is probably the most valuable "payback". It lists IP addresses that have been used recently by comment spammers, address harvesters, and other abusers of HTTP resources. It's not a list of spam sources, though -- there's no shortage of DNSBLs for that. The project has an Apache module that can query the list and re-route or block requests from those IP addresses, and there's also a Wordpress plugin that queries the list (not that I use Wordpress, but it's an example of what can be done).

Unlike Chris, I haven't helped to identify any bad activity yet, but there's been some activity on my honeypot, so I'm hoping that I'll catch someone soon.

I think it's worth getting involved and contributing what you can -- there's very little cost involved (I got all my resources setup inside of an hour, and I haven't noticed any increased load on my server or bandwidth), and everyone wants to stop Internet abuse. So please, take a look at the project and consider joining.

Post a comment

All comments are held for moderation; markdown formatting accepted.

This is a honeypot form. Do not use this form unless you want to get your IP address blacklisted. Use the second form below for comments.
Name: (required)
E-mail: (required, not published)
Website: (optional)
Name: (required)
E-mail: (required, not published)
Website: (optional)