
Research honeypot with Zimbra
Recently, I've put a little (less than expected) time into playing with phishing gangs. Nothing terribly new, but some of you might find parts of the cookbook on setting up a passive Zimbra honeypot interesting.

The flow goes like this. I responded to a few dozen phish with bogus passwords that, when entered into our SSO, silently redirected to a honeypot. I also redirected logins from Nigeria and a few other places into the honeypot, and started (but did not finish) work to automate the feedback loop: if honey token user A logs on from IP address X, then also capture user B from the same address X.
The obvious next steps would be to automate the collection of spammer test and reply-to addresses and integrate with APERS, but I didn't have time for that.
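The feedback loop described above (honey token user A logs on from address X, so divert every other account seen from X) as an added example; this is not code from the original post or from Zimbra. The log line format, the sample lines and the honey token account are constructed for the example, and Zimbra's real audit log layout is not assumed.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines in an assumed "user= ip= result=" layout.
SAMPLE_LOG = """\
2024-01-01T10:00:01 user=honey-a@example.com ip=203.0.113.5 result=ok
2024-01-01T10:02:10 user=alice@example.com ip=198.51.100.7 result=ok
2024-01-01T10:03:44 user=bob@example.com ip=203.0.113.5 result=ok
2024-01-01T10:05:00 user=carol@example.com ip=192.0.2.9 result=fail
2024-01-01T10:06:12 user=dave@example.com ip=203.0.113.5 result=ok
2024-01-01T10:07:30 user=alice@example.com ip=203.0.113.5 result=fail
"""

# Accounts whose passwords were only ever handed out in replies to phish.
HONEY_USERS = {"honey-a@example.com"}

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+result=(?P<result>\w+)")


def parse_logins(log_text):
    """Yield (user, ip) for each successful login found in the log text."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "ok":
            yield m.group("user"), m.group("ip")


def tainted_ips(events, honey_users):
    """Addresses from which any honey token account logged on successfully."""
    return {ip for user, ip in events if user in honey_users}


def divert_candidates(log_text, honey_users):
    """Map each non-honey account that logged on from a tainted address
    to the sorted list of tainted addresses it used; these are the sessions
    the feedback loop would route into the honeypot as well."""
    events = list(parse_logins(log_text))
    bad_ips = tainted_ips(events, honey_users)
    hits = defaultdict(set)
    for user, ip in events:
        if ip in bad_ips and user not in honey_users:
            hits[user].add(ip)
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in divert_candidates(SAMPLE_LOG, HONEY_USERS).items():
        print(f"divert {user} seen from {', '.join(ips)}")
```

Only successful logins count, so alice's failed attempt from the tainted address is not diverted; in production the same correlation would run on a short sliding window rather than a whole log file.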