Honeypot

Tested: 2+ weeks live, test written and passed

Description

The policy Honeypot module is an attempt to create a blacklist tailored to your particular mail traffic. All you need is anything from a single mail address up to multiple wildcard recipient domains, which you spread around the interwebs to be harvested by as many spam harvesting bots as possible. Of course, those addresses should not be part of your “real” configuration. Anybody sending an email to one of these addresses has to be a spammer. Therefore, you can blacklist the sender's IP and/or receive the mail and feed it to your spam filters. The great thing about it: it works automatically.

Wikipedia defines a honeypot as: [..]a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems[..].

Collecting spam for training

You can use this module in “collection mode”, which will flag and pass (OK) any mail which would otherwise be rejected (and the sender blacklisted). In the ContentFilter, you can use the HoneyCollector module to grep those flagged mails and move them into a honey-directory (for manual training) or even enable automatic training.

Usage suggestion

Behind your whitelist and blacklist, before your greylist.

Maintenance

This module provides a maintenance handler which cleans up the database. Read here.

Database

This module requires a database. Depending on the performance of your database, you should consider moving the entries to a DNS server (such as bind9) on a regular basis and/or reducing the time to live (ttl) for the records. Depending on your mail traffic, the module can put a high read/write load on the database. Here is an SQLite example:

-- TABLE: honeypot_addresses (SQLITE):
CREATE TABLE HONEYPOT_ADDRESSES (created integer, client_address varchar(39), id INTEGER PRIMARY KEY);
CREATE INDEX HONEYPOT_ADDRESSES_CREATED ON HONEYPOT_ADDRESSES (created);
CREATE UNIQUE INDEX HONEYPOT_ADDRESSES_CLIENT_ADDRESS ON HONEYPOT_ADDRESSES (client_address);
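
The following sketch is an added example, not the module's own code: it runs the decision flow described on this page (trap recipient, blacklist lookup, collection mode, maintenance cleanup) against the schema above. The class and method names, the return strings, the ttl handling and the choice to record senders in collection mode as well are assumptions.

```python
import fnmatch
import sqlite3
import time

# Schema copied from the page's SQLite example.
SCHEMA = """
CREATE TABLE HONEYPOT_ADDRESSES (created integer, client_address varchar(39), id INTEGER PRIMARY KEY);
CREATE INDEX HONEYPOT_ADDRESSES_CREATED ON HONEYPOT_ADDRESSES (created);
CREATE UNIQUE INDEX HONEYPOT_ADDRESSES_CLIENT_ADDRESS ON HONEYPOT_ADDRESSES (client_address);
"""

class Honeypot:
    """Hypothetical stand-in for the policy decision; names are illustrative."""

    def __init__(self, traps, ttl=86400, collect=False):
        self.traps = [t.lower() for t in traps]  # single addresses or wildcard domains
        self.ttl, self.collect = ttl, collect
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def is_trap(self, rcpt):
        return any(fnmatch.fnmatchcase(rcpt.lower(), t) for t in self.traps)

    def is_listed(self, ip, now):
        row = self.db.execute(
            "SELECT 1 FROM HONEYPOT_ADDRESSES WHERE client_address = ? AND created > ?",
            (ip, now - self.ttl)).fetchone()
        return row is not None

    def check(self, ip, rcpt, now=None):
        now = int(time.time()) if now is None else now
        if self.is_trap(rcpt):
            # The unique index on client_address turns this into "insert or refresh".
            self.db.execute(
                "INSERT OR REPLACE INTO HONEYPOT_ADDRESSES (created, client_address) VALUES (?, ?)",
                (now, ip))
        elif not self.is_listed(ip, now):
            return "DUNNO"  # no opinion, let the next module (e.g. greylist) decide
        # Collection mode passes the mail flagged instead of rejecting it.
        return "OK flagged" if self.collect else "REJECT"

    def maintenance(self, now):
        cur = self.db.execute(
            "DELETE FROM HONEYPOT_ADDRESSES WHERE created <= ?",
            (now - self.ttl,))
        return cur.rowcount  # number of expired entries removed
```

Parameterized queries keep the attacker-controlled client address out of the SQL text, and the expiry test in the lookup means a stale entry stops matching even before the maintenance handler has run.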

Performance

Runtime: average 0.005 secs
