Re: [SLUG] reporting spam - toying with hackers/spammers

From: Mike Branda (
Date: Tue Jan 24 2006 - 13:09:37 EST

On Tue, 2006-01-24 at 12:08 -0500, Robert Snyder wrote:
> Richard Morgan wrote:
> > SA has been pretty good at catching spam on my servers, but sometimes
> > I'll get a couple that slip through. Not that big of a deal. In the
> > past I've traced spam back to the source network and tried to report
> > it to that ISP but usually nothing happens so I don't waste my time
> > with it. Most of the spam now (it seems) is coming from networks
> > outside the U.S. and those companies are harder to deal with, IMHO.
> Hence the reason why you should have geeky fun with the spammer's IP
> address instead of dealing with out-of-country people. Like my favorite
> was the Lycos "Make love not spam" screensaver that did an HTTP GET request
> on spammer websites.
> >

It's funny you should mention this approach (in general). I was reading
up on the LaBrea tarpit software (not the actual tarpit) just yesterday
and how the author has discontinued distribution due to a Super-DMCA law
in Illinois. It's an old article but I found it while doing some
research on ssh brute force attacks. Apparently the software "has fun"
with hackers and can be used against worms also. Unfortunately, FL is
now subject to the same S-DMCA crap and you can't do this to my
understanding lest ye risk jail time.

This is the article:

It steams me that this is what goes on while we're not watching. Here's a
snip about LaBrea, if anybody hasn't heard of it yet:


    LaBrea is a program that creates a tarpit or, as some have
    called it, a "sticky honeypot". LaBrea takes over unused IP
    addresses on a network and creates "virtual machines" that
    answer to connection attempts. LaBrea answers those connection
    attempts in a way that causes the machine at the other end to
    get "stuck", sometimes for a very long time.

--- How does it work?

LaBrea works by watching ARP requests and replies. When the pgm sees consecutive ARP requests spaced several seconds apart, without any intervening ARP reply, it assumes that the IP in question is unoccupied. It then "creates" an ARP reply with a bogus MAC address, and fires it back to the requester.

An example (from a tcpdump of LaBrea running on my network):

    14:18:28.832187 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
    14:18:29.646402 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
    14:18:31.707295 ARP who-has xx.xx.xx.13 tell xx.xx.xx.1
    14:18:31.707574 ARP reply xx.xx.xx.13 is-at 0:0:f:ff:ff:ff

There is no xx.xx.xx.13 machine on my network. In this case, the timeout was set to 3 seconds (it's a command line parameter), and when that final "who-has" came in, the "is-at" reply that you see was generated by LaBrea.


Mike Branda Jr.
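The ARP rule in the LaBrea excerpt above (repeated who-has requests for one address, no is-at in between, then a reply carrying a bogus MAC) is easy to replay over a tcpdump capture. The script below is an added example written for this archive page; it is not LaBrea's code and not from the quoted documentation. It simulates the tarpit's decision ("would LaBrea claim this IP now?") and, from the defender's side, flags is-at replies that carry the excerpt's 0:0:f:ff:ff:ff MAC, which is how you would spot a tarpit (yours or someone else's) on a segment. Assumptions: the timeout is compared against the span between the first unanswered who-has and the current one, "intervening reply" means a reply for that same IP, and the sample capture is constructed, not taken from the original post.

```python
import re
from datetime import datetime

# tcpdump ARP line shapes as they appear in the LaBrea excerpt
WHO_HAS = re.compile(r"^(\S+) ARP who-has (\S+) tell (\S+)$")
IS_AT = re.compile(r"^(\S+) ARP reply (\S+) is-at (\S+)$")

# The bogus MAC LaBrea put in its synthetic reply in the excerpt.
BOGUS_MAC = "0:0:f:ff:ff:ff"


def _ts(text):
    """Parse a tcpdump HH:MM:SS.micro timestamp (same day assumed)."""
    return datetime.strptime(text, "%H:%M:%S.%f")


def tarpit_decisions(lines, timeout=3.0):
    """Replay LaBrea's ARP rule over tcpdump-style lines.

    Returns (replies, flagged):
      replies -- [(timestamp, ip)] where the tarpit would emit a bogus is-at,
                 i.e. a who-has arrived >= timeout seconds after the first
                 unanswered who-has for the same IP (assumed comparison).
      flagged -- IPs whose observed is-at carries BOGUS_MAC (defender check).
    """
    first_unanswered = {}  # ip -> timestamp of first who-has still unanswered
    claimed = set()        # IPs the tarpit has already taken over
    replies, flagged = [], []

    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = WHO_HAS.match(line)
        if m:
            stamp, ip = m.group(1), m.group(2)
            if ip in claimed:
                continue
            now = _ts(stamp)
            if ip not in first_unanswered:
                first_unanswered[ip] = now
            elif (now - first_unanswered[ip]).total_seconds() >= timeout:
                # Nobody answered for `timeout` seconds: LaBrea assumes the
                # address is unoccupied and answers with a bogus MAC.
                replies.append((stamp, ip))
                claimed.add(ip)
                del first_unanswered[ip]
            continue

        m = IS_AT.match(line)
        if m:
            ip, mac = m.group(2), m.group(3)
            # A real reply means the IP is occupied; reset the clock for it.
            first_unanswered.pop(ip, None)
            if mac == BOGUS_MAC:
                flagged.append(ip)

    return replies, flagged


# Constructed sample capture (not the original post's data): 10.0.0.13 is
# unused and gets claimed; 10.0.0.20 answers itself and is left alone.
SAMPLE = """\
14:18:28.000000 ARP who-has 10.0.0.13 tell 10.0.0.1
14:18:28.400000 ARP who-has 10.0.0.20 tell 10.0.0.1
14:18:28.401000 ARP reply 10.0.0.20 is-at 0:11:22:33:44:55
14:18:29.500000 ARP who-has 10.0.0.13 tell 10.0.0.1
14:18:31.500000 ARP who-has 10.0.0.13 tell 10.0.0.1
14:18:31.500300 ARP reply 10.0.0.13 is-at 0:0:f:ff:ff:ff
14:18:32.000000 ARP who-has 10.0.0.20 tell 10.0.0.1
14:18:32.001000 ARP reply 10.0.0.20 is-at 0:11:22:33:44:55
"""


def run_sample(timeout=3.0):
    """Convenience wrapper over the constructed capture."""
    return tarpit_decisions(SAMPLE.splitlines(), timeout=timeout)


if __name__ == "__main__":
    replies, flagged = run_sample()
    for stamp, ip in replies:
        print(f"{stamp}  tarpit would claim {ip}")
    for ip in flagged:
        print(f"bogus-MAC reply seen for {ip}")
```

Raising the timeout to 5 seconds makes the same capture produce no claim, since the unanswered span for 10.0.0.13 is only 3.5 seconds; the bogus-MAC flag is independent of the timeout because it only inspects replies already on the wire.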

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:04:29 EDT