
Re: Research honeypot with Zimbra



I have rolled this around in my head for years, and never acted on it
(for time and priorities' sake).  Thank you for putting this info
together.  Good idea, and good info.


On 05/13/2015 09:10 AM, Rich Graves wrote:
> Recently, I've put a little (less than expected) time into playing
> with phishing gangs. Nothing terribly new, but some of you might
> find parts of the cookbook on setting up a passive Zimbra honeypot 
> <https://www.dropbox.com/s/lgedfryxfg9lbuv/GCIA-Honeytokens-v2.docx?dl=0>
> interesting.
> 
> The flow goes like this. I responded to a few dozen phish with
> bogus passwords that, when entered into our SSO, silently
> redirected to a honeypot. I also redirected logins from Nigeria and
> a few other places into the honeypot, and started (but did not
> finish) work to automate the feedback loop: if honey token user A
> logs on from IP address X, then also capture user B from the same
> address X. The obvious next steps would be to automate the
> collection of spammer test and reply-to addresses and integrate
> with APERS <https://code.google.com/p/anti-phishing-email-reply/>,
> but I didn't have time for that.
> 
> 

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
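
The feedback loop described in the quoted message (honeytoken user A logs on from address X, so user B from the same X is captured too), as an added example that is not from the original post or the linked cookbook. The event format, usernames and addresses are constructed; treating "capture" as routing to the honeypot, and the review list of accounts seen from X before it was tainted, are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample SSO login events: (epoch seconds, username, source IP).
# Usernames are made up; addresses come from the documentation ranges.
EVENTS = [
    (1000, "alice",      "198.51.100.7"),
    (1010, "bob",        "192.0.2.44"),  # real account, seen before the IP is known bad
    (1020, "honey.tok1", "192.0.2.44"),  # honeytoken password used: IP becomes tainted
    (1030, "carol",      "192.0.2.44"),  # later login from the tainted IP
    (1040, "alice",      "198.51.100.7"),
    (1050, "honey.tok2", "192.0.2.99"),
    (1060, "dave",       "192.0.2.99"),
]
HONEYTOKENS = {"honey.tok1", "honey.tok2"}  # hypothetical honeytoken account names


def route_logins(events, honeytokens):
    """Return (decisions, review).

    decisions: (user, ip, "honeypot" | "production") for each event, in time order.
    review: ip -> sorted users who reached production from that IP before a
            honeytoken login tainted it (candidates for a password reset).
    """
    tainted = set()            # source IPs that have presented a honeytoken credential
    seen = defaultdict(set)    # ip -> real users already let through from that IP
    review = {}
    decisions = []
    for _, user, ip in sorted(events):
        if user in honeytokens:
            if ip not in tainted:
                tainted.add(ip)
                if seen[ip]:
                    review[ip] = sorted(seen[ip])
            decisions.append((user, ip, "honeypot"))
        elif ip in tainted:
            # User B from the same address X: capture in the honeypot as well.
            decisions.append((user, ip, "honeypot"))
        else:
            seen[ip].add(user)
            decisions.append((user, ip, "production"))
    return decisions, review


if __name__ == "__main__":
    decisions, review = route_logins(EVENTS, HONEYTOKENS)
    for d in decisions:
        print(*d)
    print("review:", review)
```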