[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Research honeypot with Zimbra

To: Rich Graves <rgraves@carleton.edu>, zimbra-hied-admins <zimbra-hied-admins@sfu.ca>
Subject: Re: Research honeypot with Zimbra
From: Nathan Lager <lagern@lafayette.edu>
Date: Wed, 13 May 2015 09:18:18 -0400
In-reply-to: <1470544808.5951478.1431522647416.JavaMail.zimbra@carleton.edu>
List-help: <mailto:zimbra-hied-admins-request@sfu.ca?subject=help> (List Instructions)
List-id: <zimbra-hied-admins.sfu.ca>
List-owner: <mailto:owner-zimbra-hied-admins@sfu.ca>
List-unsubscribe: <mailto:zimbra-hied-admins-request@sfu.ca?subject=unsubscribe>
References: <1470544808.5951478.1431522647416.JavaMail.zimbra@carleton.edu>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have rolled this around in my head for years, and never acted on it
(For time, and priorities sake).  Thank you for putting this info
together.  Good idea, and good info.


On 05/13/2015 09:10 AM, Rich Graves wrote:
> Recently, I've put a little (less than expected) time into playing
> with phishing gangs. Nothing terribly new, but some of you might
> find parts of the cookbook on setting up a passive Zimbra honeypot 
> <https://www.dropbox.com/s/lgedfryxfg9lbuv/GCIA-Honeytokens-v2.docx?dl=0>
> interesting.
> 
> The flow goes like this. I responded to a few dozen phish with
> bogus passwords that, when entered into our SSO, silently
> redirected to a honeypot. I also redirected logins from Nigeria and
> a few other places into the honeypot, and started (but did not
> finish) work to automate the feedback loop: if honey token user A
> logs on from IP address X, then also capture use B from the same
> address X. The obvious next steps would be to automate the
> collection of spammer test and reply-to addresses and integrate
> with APERS <https://code.google.com/p/anti-phishing-email-reply/>,
> but I didn't have time for that.
> 
> 

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlVTTxYACgkQsZqG4IN3sulZ1ACgmc70yozKjOcrGoVb1f5knrK9
zWwAn0UOM4YUdHFRSsaMneFMv/Rd3u3z
=sDzR
-----END PGP SIGNATURE-----

References:
- Research honeypot with Zimbra
  - From: Rich Graves <rgraves@carleton.edu>

Prev by Date: Research honeypot with Zimbra
Next by Date: Current Versions
Previous by thread: Research honeypot with Zimbra
Next by thread: Current Versions
Index(es):
- Date
- Thread