Conversation

  1. Peter N. M. Hansteen (pitrh@mastodon.social)'s status on Monday, 13-Jan-2025 00:20:06 JST

    An update on #green #cybercrime #prevention: "Harvesting the Noise While it's Fresh, Revisited" https://nxdomain.no/~peter/harvesting_the_noise_revisited.html (tracked, prettified https://bsdly.blogspot.com/2022/12/that-grumpy-bsd-guy-harvesting-noise.html) now has an update about harvesting even more useful data from #openbsd #spamd log file noise.
    #antispam #greytrapping #greencomputing #spam #email #smtp

    Attachments

    1. That grumpy BSD guy: Harvesting the Noise While it's Fresh, Revisited
      from Peter N. M. Hansteen
    2. Harvesting the Noise While it's Fresh, Revisited
      A year's worth of logs yields entertaining but unsurprising findings about spammer behavior. Spam mail, masked but detected, from the arc...
    • Solène :flan_hacker: (solene@bsd.network)'s status on Monday, 13-Jan-2025 00:20:06 JST

      @pitrh when do you remove an entry from the blocklist? If an entry was due to a server being hacked, and it has been freshly assigned to a new customer inheriting the IP, how should that person proceed to not be blocked?

      Also, a note about logs, due to GDPR it may not be legal to keep email logs more than 2 or 3 years 😅, but I'm not an expert and different laws of countries or EU often collide. It's still something to think about though.

    • Peter N. M. Hansteen (pitrh@mastodon.social)'s status on Monday, 13-Jan-2025 03:36:35 JST
      in reply to
      • Solène :flan_hacker:
      • gyptazy

      @gyptazy @solene More specifics and less handwaving and FUD, please.

      The trap addresses are all in domains we own and control.

      In addition anyone mistaking our system for an open SMTP relay will be greytrapped, as described in https://nxdomain.no/~peter/domain-only-trapping.html -- this happens *a lot* -- (or for a fuller but still brief explanation, https://nxdomain.no/~peter/minimalist_spamd_configs.html)

      Attachments

      1. A Simpler Life: Trapping spambots Based on Target Domain Only
        from Peter N. M. Hansteen
      2. Three Minimalist spamd Configurations for Your Spam Fighting Needs (With Bonus Points at the End)
        from Peter N. M. Hansteen
    • Peter N. M. Hansteen (pitrh@mastodon.social)'s status on Monday, 13-Jan-2025 03:36:37 JST
      in reply to
      • Solène :flan_hacker:
      • gyptazy

      @gyptazy @solene That said, if you run a mail service and you don't entirely trust your users to not get cracked or do stupid things, intercepting any SMTP delivery attempts from your network to the trap email addresses is likely a good idea for safeguarding your IP reputation score among those who keep track.

    • gyptazy (gyptazy@mastodon.gyptazy.com)'s status on Monday, 13-Jan-2025 03:36:37 JST
      in reply to
      • Solène :flan_hacker:

      @pitrh @solene somehow I understand his idea but in today's usage such a solution can easily turn into the wrong way and make everyone’s life difficult. This would mean, we should move away from email confirmations because everyone would be able to use any fake email including honeypot addresses.

    • Peter N. M. Hansteen (pitrh@mastodon.social)'s status on Monday, 13-Jan-2025 03:36:38 JST
      in reply to
      • Solène :flan_hacker:
      • gyptazy

      @gyptazy @solene spamd is a lot more targeted than that (SMTP only).

      Any attempt to deliver mail to the trap addresses will lead to the sender IP getting stuttered at by my system and any similar system that imports my exported data on subsequent SMTP connection attempts for 24 hours.

      If anybody out there uses the exported list of IP addresses for any other purpose, that is both stupid and entirely their responsibility.

      SSH and POP3 gropers on the other hand are subject to "block drop" here.

    • Peter N. M. Hansteen (pitrh@mastodon.social)'s status on Monday, 13-Jan-2025 03:36:39 JST
      in reply to
      • Solène :flan_hacker:

      @solene for the spamd generated list, the expiry is 24 hours (IIRC counted from last seen activity). For the others it's six weeks similarly as described in "Badness, Enumerated by Robots" https://nxdomain.no/~peter/badness_enumerated_by_robots.html.

      I offer removal for the kinds of situations you mention (https://www.bsdly.net/~peter/traplist_ethics.shtml) but I have only ever received removal requests for outdated entries and for hosts still actively spamming for some reason.

      I tell them to fix, I will provide evidence for handing to law enforcement.

      Attachments

      1. bsdly.net - The ethics of running a traplist, by Peter Hansteen
        from Peter N. M. Hansteen
    • gyptazy (gyptazy@mastodon.gyptazy.com)'s status on Monday, 13-Jan-2025 03:36:39 JST
      in reply to
      • Solène :flan_hacker:

      So, I basically use one of the listed addresses on any forums, Fediverse instance, etc that sends me immediately an account confirmation mail and the whole service gets blocked? I simply use one of them for account creation on the BSD Cafe or the BSD Forums and they get blocked, because a random user submitted a honey pot email?!

      @pitrh @solene

    • Solène :flan_hacker: (solene@bsd.network)'s status on Monday, 13-Jan-2025 03:41:31 JST
      in reply to
      • gyptazy

      @pitrh I think what @gyptazy meant, if I understood, was that it's easy to add someone's server to the ban list by filling a form sending an email to your honeypot address, through a registration form on a web service for instance
