Spampot: A Spam Capture System Based on Distributed Honeypot

Spampot is a spam capturing system based on distributed low-interaction honeypot. Based on the previous research on SMTP, HTTP proxy and SOCKS protocols, we designed a spam honeypot system integrated with open relay and open proxy services and built the repositories of spammers’ attack behaviors, new spam samples, spammers’ IP and their geographic locations, the URLs blacklist from spam. We also discussed some of our considerations when designing the system, including improving the attractiveness for spammers, avoiding being blacklisted by anti-spam organization, and reducing the impact of the honeypot system on the real network. Our experimental deployment in CERNET for 6 months showed that Spampot could attract spammers effectively without being blacklisted by well-known anti-spam organization in the Internet. During the 6 months period, Spampot captured bulks of spam samples and spammers’ attack traffic. Our analysis show that these spammers are mainly from Taiwan, China and Brazil while their main targets are Taiwan (such as yahoo.com.tw and hinet.com). We have also discovered some new spammer behaviors and some new technologies that the spammer used to escape the filtering of anti-spam system. What’s more, through cluster analysis on the spam samples, we have identified some cases in which botnets are used for large-scale spam campaign.