ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development


Spampot: A Spam Capture System Based on Distributed Honeypot

Guo Junquan (1), Zhuge Jianwei (2), Sun Donghong (2), and Duan Haixin (2)

(1) Department of Computer Science and Technology, Tsinghua University, Beijing 100084
(2) Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100084

Online: 2014-05-15

Abstract: Spampot is a spam capture system based on distributed low-interaction honeypots. Building on previous research on the SMTP, HTTP proxy and SOCKS protocols, we designed a spam honeypot system that integrates open relay and open proxy services, and built repositories of spammers' attack behaviors, new spam samples, spammers' IP addresses with their geographic locations, and a blacklist of URLs extracted from spam. We also discuss several design considerations, including improving the system's attractiveness to spammers, avoiding being blacklisted by anti-spam organizations, and reducing the honeypot system's impact on the real network. An experimental deployment in CERNET for 6 months showed that Spampot attracts spammers effectively without being blacklisted by well-known anti-spam organizations on the Internet. During the 6-month period, Spampot captured large volumes of spam samples and spammer attack traffic. Our analysis shows that these spammers are mainly from Taiwan, China and Brazil, while their main targets are in Taiwan (such as yahoo.com.tw and hinet.com). We also discovered some new spammer behaviors and new techniques that spammers use to evade anti-spam filtering. Furthermore, cluster analysis of the spam samples identified several cases in which botnets were used for large-scale spam campaigns.

Key words: distributed honeypot, spam, open relay, open proxy, spammer behavior
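To make the open-relay component of the abstract concrete, here is an added example (not the Spampot authors' code): an SMTP session handler that accepts any recipient so the service looks relayable, stores each message together with the client IP, the URLs it contains and a hash for de-duplication and clustering, and never forwards anything, which is how such a honeypot avoids affecting the real network. The host name, addresses and the scripted session are constructed for illustration.

```python
import hashlib
import re

# Constructed sample session (hypothetical names): one open-relay attempt.
SAMPLE_SESSION = [
    "EHLO probe.example",
    "MAIL FROM:<bulk@sender.example>",
    "RCPT TO:<someone@elsewhere.example>",
    "DATA",
    "Visit http://promo.example/x now",
    "..this body line starts with a dot",
    ".",
    "QUIT",
]

def run_session(client_ip, client_lines, hostname="mx.honeypot.example"):
    replies, captures = [f"220 {hostname} ESMTP ready"], []
    sender, rcpts, body, in_data = "", [], [], False
    for line in client_lines:
        if in_data:                                   # inside DATA: store, never forward
            if line == ".":
                text = "\n".join(body)
                captures.append({"client_ip": client_ip, "sender": sender,
                                 "recipients": rcpts, "body": text,
                                 "urls": sorted(set(re.findall(r"https?://[^\s<>\"']+", text))),
                                 "sha256": hashlib.sha256(text.encode()).hexdigest()})  # dedup
                replies.append("250 OK queued")        # spammer sees success; nothing relayed
                sender, rcpts, body, in_data = "", [], [], False
            else:
                body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append(f"250 {hostname}")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[-1].strip()
            replies.append("250 OK")
        elif verb == "RCPT":                          # accept any destination: open-relay bait
            rcpts.append(arg.split(":", 1)[-1].strip())
            replies.append("250 OK")
        elif verb == "DATA" and rcpts:
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("503 bad sequence of commands")
    return replies, captures
```

The returned captures are what a deployment would write to the sample, IP and URL repositories; the session is driven from a list here so the state machine can be exercised without a socket.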