Spam trap (Kerio User Forums, Kerio Connect)
  •  
whaw

Hello,

Is it possible to create a spam trap?
For example, I create info<_at_>test.com as a spam trap and don't give the address to the public.
When the spammer sends a mail to info<_at_>test.com, I know it's someone that is guessing mail accounts and put them on a blacklist.

I can also create web<_at_>test.com and hide it in the HTML of our website.

Greets

Jef
  •  
Ernesto (Kerio)

Yes, it may be possible.

After creating the 'spam-trap' mailbox (info<_at_>test.com), create a custom rule to increase the spam score by a significant number, 8 for example, on messages directed to that email address (the TO: header contains the 'spam-trap' address). This spam score in combination with SpamAssassin rating will eventually block that sender (it will not be immediate though).

Sales Engineer | Kerio
  •  
Radek Sip (Kerio)

My traps are files like "addresses.php" or "contacts.php" defined in robots.txt and defined as denied for all bots (crawlers):
User-agent: *
Disallow: /addresses.php


These files contain code for generating random addresses like "f5a4g<_at_>..." on all my domains. The bots can harvest tens or billions of addresses, it's only about their patience :D

The typical scenario:
1. "Good" bots ignore these lists of fake addresses, because they are denied in robots.txt.
"Evil" bots (harvesters) discover it in robots.txt, catch as many fake addresses as they want and fill the spammer's database.
2. In Kerio Connect, protection against directory harvest attacks is set: WebAdmin -> SMTP Server -> Security Options; the sender's IP is blocked for one hour after 2 wrong recipients. (One is probably a mistake, two wrong addresses is an attack.)

[12/Jan/2017 14:12:04] Attempt to deliver to unknown recipient <5a0483ce9@xxx>, from <viktor<_at_>xxx>, IP address 104.223.117.135
[12/Jan/2017 14:12:04] Attempt to deliver to unknown recipient <94f604@xxx>, from <viktor<_at_>xxx>, IP address 104.223.117.135
[12/Jan/2017 14:12:04] Directory harvest attack from 104.223.117.135 detected

One minute later it tries to deliver a message again, but it's blocked:
[12/Jan/2017 14:13:26] SMTP connection from 104.223.117.135 rejected: directory harvest attack

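The block-after-two-unknown-recipients behaviour described in the post above, replayed over log lines as an added example (not part of the post and not Kerio's code). The function name `replay`, the sample addresses and IPs, and the choice to keep per-IP counts until a block triggers are assumptions; the sample lines are constructed in the log format quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the quoted log format; IPs come from documentation
# ranges and every address is made up.
SAMPLE_LOG = """\
[12/Jan/2017 14:12:04] Attempt to deliver to unknown recipient <5a0483ce9@example.test>, from <a@example.net>, IP address 192.0.2.10
[12/Jan/2017 14:12:04] Attempt to deliver to unknown recipient <94f604@example.test>, from <a@example.net>, IP address 192.0.2.10
[12/Jan/2017 14:13:26] Attempt to deliver to unknown recipient <c41d0@example.test>, from <a@example.net>, IP address 192.0.2.10
[12/Jan/2017 14:20:00] Attempt to deliver to unknown recipient <jon@example.test>, from <b@example.org>, IP address 198.51.100.7
[12/Jan/2017 15:12:05] Attempt to deliver to unknown recipient <f5a4g@example.test>, from <a@example.net>, IP address 192.0.2.10
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Attempt to deliver to unknown recipient "
    r"<(?P<rcpt>[^>]*)>, from <(?P<sender>[^>]*)>, IP address (?P<ip>\S+)$"
)
TS_FORMAT = "%d/%b/%Y %H:%M:%S"

def replay(log_text, threshold=2, block_for=timedelta(hours=1)):
    """Return (timestamp, ip, action) for every unknown-recipient line.

    action is "counted", "blocked" (threshold reached on this line) or
    "rejected" (the IP was still inside its block window).
    """
    misses = {}         # ip -> distinct unknown recipients seen so far
    blocked_until = {}  # ip -> time at which the block expires
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an unknown-recipient line
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip = m["ip"]
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append((ts, ip, "rejected"))
            continue
        blocked_until.pop(ip, None)  # any earlier block has expired
        seen = misses.setdefault(ip, set())
        seen.add(m["rcpt"].lower())
        if len(seen) >= threshold:
            blocked_until[ip] = ts + block_for
            misses[ip] = set()  # start counting afresh after the block
            decisions.append((ts, ip, "blocked"))
        else:
            decisions.append((ts, ip, "counted"))
    return decisions
```

Run against an export of real delivery attempts, the same replay shows which senders would cross the threshold and how a single mistyped recipient (the fourth sample line) stays below it.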
  •  
whaw

Thx for the fun solutions! :)
  •  
j.a.duke

Radek Sip (Kerio) wrote on Thu, 12 January 2017 08:36
My traps are files like "addresses.php" or "contacts.php" defined in robots.txt and defined as denied for all bots (crawlers):
User-agent: *
Disallow: /addresses.php


These files contain code for generating random addresses like "f5a4g<_at_>..." on all my domains. The bots can harvest tens or billions of addresses, it's only about their patience :D

The typical scenario:
1. "Good" bots ignore these lists of fake addresses, because they are denied in robots.txt.
"Evil" bots (harvesters) discover it in robots.txt, catch as many fake addresses as they want and fill the spammer's database.
2. In Kerio Connect, protection against directory harvest attacks is set: WebAdmin -> SMTP Server -> Security Options; the sender's IP is blocked for one hour after 2 wrong recipients. (One is probably a mistake, two wrong addresses is an attack.)

[12/Jan/2017 14:12:04] Attempt to deliver to unknown recipient <5a0483ce9<_at_>xxx>, from <viktor<_at_>xxx>, IP address 104.223.117.135
[12/Jan/2017 14:12:04] Attempt to deliver to unknown recipient <94f604<_at_>xxx>, from <viktor<_at_>xxx>, IP address 104.223.117.135
[12/Jan/2017 14:12:04] Directory harvest attack from 104.223.117.135 detected

One minute later it tries to deliver a message again, but it's blocked:
[12/Jan/2017 14:13:26] SMTP connection from 104.223.117.135 rejected: directory harvest attack


Radek,

Where is the setting for how long the IP is blocked? I'm running 9.2.0 and didn't see it on the SMTP Server Security Options tab. I've looked in other sections as well and haven't found the option.

Thanks.

Cheers,
Jon
  •  
r.lechner

You can install a trap generator like sugarplum; it will poison the spammers' database.