Date: Tue, 27 Apr 2010 01:15:11 -0700
From: perryh@pluto.rain.com
To: john@starfire.mn.org
Cc: freebsd-questions@freebsd.org
Subject: Re: Wpoison?????
Message-Id: <4bd69d0f.+BIrPGo/9OZTp5OQ%perryh@pluto.rain.com>
In-Reply-To: <20100426143510.GA75532@elwood.starfire.mn.org>

John wrote:

> > There are better systems that have a pure honeypot which actually
> > accepts mail (and add the IPs that send mail to a blacklist)
>
> OK - where do we find one of THOSE?

Unfortunately, THOSE may be a bit too simplistic :(

Someone forges an email appearing to come from one of your honeypot
addresses, and sends it to a bogus (or on-vacation) address at a
legitimate site. The bounce (or vacation response) comes to your
honeypot address, causing you to blacklist the legitimate site.

No, I am not making this up. More than once I've discovered one of
my employer's mail servers on the Spamcop blacklist, causing my home
upstream to bounce (as presumed spam) messages I tried to send from
office to home. This seemed to have been the mechanism involved.
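
Added example, not part of the original message: one way a honeypot could avoid listing legitimate servers for the bounces and vacation replies described above, by checking the standard backscatter markers (null envelope sender, Auto-Submitted, multipart/report) before blacklisting. The function names, the sample messages and the addresses are all constructed for illustration.

```python
from email import message_from_string

def is_backscatter(envelope_from, raw_message):
    """True when mail reaching a honeypot address looks like a bounce or auto-reply."""
    msg = message_from_string(raw_message)
    sender = envelope_from.strip()
    # RFC 5321: delivery status notifications carry the null reverse-path "<>".
    if sender in ("", "<>"):
        return True
    # RFC 3834: automatic responders set Auto-Submitted to something other than "no".
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return True
    # RFC 3464: a DSN is a multipart/report message.
    if msg.get_content_type() == "multipart/report":
        return True
    # Convention only: many MTAs bounce from a mailer-daemon mailbox.
    return sender.strip("<>").split("@")[0].lower() == "mailer-daemon"

def honeypot_verdict(peer_ip, envelope_from, raw_message, blacklist):
    """Blacklist the connecting IP only for mail that is not backscatter."""
    if is_backscatter(envelope_from, raw_message):
        return "ignored-backscatter"
    blacklist.add(peer_ip)
    return "blacklisted"

# Constructed samples; addresses use reserved example domains and TEST-NET IPs.
DIRECT = "From: seller@bulk.example\nTo: trap@honeypot.example\nSubject: offer\n\nBuy now\n"
BOUNCE = ("From: MAILER-DAEMON@mx.legit.example\nTo: trap@honeypot.example\n"
          "Content-Type: multipart/report; report-type=delivery-status; boundary=b\n"
          "Subject: Undelivered mail\n\n--b\n\nno such user\n--b--\n")
VACATION = ("From: staff@legit.example\nTo: trap@honeypot.example\n"
            "Auto-Submitted: auto-replied\nSubject: Out of office\n\nBack Monday\n")

def demo():
    blacklist = set()
    verdicts = [
        honeypot_verdict("192.0.2.10", "<seller@bulk.example>", DIRECT, blacklist),
        honeypot_verdict("198.51.100.7", "<>", BOUNCE, blacklist),
        honeypot_verdict("198.51.100.8", "<staff@legit.example>", VACATION, blacklist),
    ]
    return verdicts, blacklist

if __name__ == "__main__":
    print(demo())
```

These markers are set by the sending side, so the check reduces false listings rather than proving that a message is a bounce.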