[Dshield] l httpd logs

Tomas L. Byrnes tomb at byrneit.net
Thu Jun 21 16:05:36 GMT 2007

Seeding spam traps is already in progress by several efforts. The
problem is that the "well known" spam trap addresses are entered into
legitimate subscription forms by cranks who want to use services but not
give out their real e-mail, or people who just don't like a given
entity, and want to get them blacklisted.

The only way that spam-traps really work is if a: the e-mail addresses
are unknown, and change often, so that the false positive rate is kept
low, b: the IP addresses of the spamtrap servers vary, so that the
spammers can't keep up with which IPs to avoid.

Error log correlation is the "did it hurt" piece, "we saw this" is
something else that might trigger an alert, say an IDS signature.
Correlating the two is a powerful way to develop threat intelligence.

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Rick Leir
> Sent: Thursday, June 21, 2007 7:48 AM
> To: list at lists.dshield.org
> Subject: Re: [Dshield] l httpd logs
> > The big issue is that HTTP logs are so much larger than 
> firewall logs,
> The error log is smaller than the access log by orders of magnitude.
> Unfortunately, it also shows errors due to mistakes by the 
> people putting up the web content.  These errors would cause 
> a 'long tail'
> effect if we tried to 'dshield' all our logs.
> You mentioned connections to non-existent e-mail addresses, 
> we could 'dshield' the mailserver logs.  First, seed the 
> spammers with fake addresses such as <notaname at domain.com> 
> where domain.com is all the dshield participants then scan 
> the mail logs for this fake user.
> Just an idea, but this could mushroom into a lot of work.
> > Marc calls it: "We saw this, did it hurt?"
> would you explain this pls?
> cheers -- Rick
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 
> courses, SANS top instructors, and a great tools and 
> solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)

More information about the list mailing list