Hexamail Guard Administration Guide - Honey Pot Matching - Honey Pot Match
Honey Pot Match
This page contains the Honey pot matcher settings.
The honey pot is a dynamic matching technology that gathers evidence from known spam and uses it to build adaptive spam matching agents called "bees". The bees then identify new spam with similar characteristics.
By setting up 'fake' honey pot addresses for spammers to send spam to, you can dynamically collect the most recent forms of spam and have bees automatically created from the email. The bees then monitor other incoming email for similar characteristics. When they identify an email that matches a characteristic, the email is quarantined or deleted according to your configuration. Email in the quarantine is then used to reinforce the bees you have created:
- deleting an email matched by a bee strengthens the bee and extends its life span
- releasing an email trapped by a bee will disable the bee(s) associated with the characteristics of the email released. Future similar email will no longer be caught by the bee.
The honey pot email addresses chosen should NOT correspond with any user or other SMTP email address on your email server: email to honey pot addresses is DELETED or BLOCKED in all cases! It is best to choose either existing addresses that are receiving large volumes of spam but are unused, or a common name at your domain, for example: fred@yourdomain.com or john@yourdomain.com. Spammers will soon guess such addresses and start to send spam to them. This spam is useful, as you use it to identify their spam attacks on legitimate addresses!
NOTE: you can also use the system with no honey pot addresses should you wish to: email deleted from the quarantine can be treated as if it were to a honey pot address, and be used to create and reinforce bees.
Honey Pot
Honey Pot settings
Enable Honey Pot processing
Enable the honey pot matching features. Note that the honey pot comes pretrained with some common matching agents, or bees. These can be disabled if they incorrectly match email by accepting (releasing) matched email from the quarantine.
On/Off
On
IP matches
This setting determines the action taken on a spam email when a bee matches on an IP address.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example, if you set this to delete but have unchecked delete on the SPAM Blocker/Action page, then the bee will be demoted to block; if block is unchecked, it will be demoted to marking email.
This setting determines the action taken on a spam email when a bee matches on an image characteristic.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example, if you set this to delete but have unchecked delete on the SPAM Blocker/Action page, then the bee will be demoted to block; if block is unchecked, it will be demoted to marking email.
This setting determines the action taken on a spam email when a bee matches on a subject characteristic.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example, if you set this to delete but have unchecked delete on the SPAM Blocker/Action page, then the bee will be demoted to block; if block is unchecked, it will be demoted to marking email.
This setting determines the action taken on a spam email when a bee matches on content.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example, if you set this to delete but have unchecked delete on the SPAM Blocker/Action page, then the bee will be demoted to block; if block is unchecked, it will be demoted to marking email.
Some IPs relay information on to your installation.
These need to be excluded from honey pot analysis and automatic blocking. If you see email from specific IPs repeatedly and incorrectly matched by honey pot bees, you can simply add the IP here to prevent future matching.
127.0.0.1
IPs of relay servers or MTAs you never want blocked
Email to the honey pot
Email to the configured honey pot addresses can either be deleted or blocked and stored in the quarantine.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example, if you set this to delete but have unchecked delete on the SPAM Blocker/Action page, then the bee will be demoted to block; if block is unchecked, it will be demoted to marking email.
A honeypot is a trap for spammers. Email to any of these addresses will be analyzed and potentially DELETED (depending on your chosen setting for email to the honey pot addresses).
Ensure that these addresses do not include any valid addresses of users, groups or automated services in your mailserver!
Email to these addresses will be used to deduce information about spammers and spam you are receiving, which in turn can be used to block email to other recipients that is similar or from similar sources.
These addresses should be email addresses spammers are already attacking, but are invalid at your email server, or new email addresses you choose. If you choose a new email address, make it easy for a spammer to guess, like john@yourdomain.com or alan@yourdomain.com, so they quickly discover it and use it to send spam to(!)
honeypot@*
honeypot@yourdomain.com,jondoe@yourdomain.com
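A pre-deployment check for the requirement above that honey pot addresses must not match any valid address, added here as an example (it is not part of the Hexamail guide or product). It assumes the setting is comma-separated as in the example value, that `*` in a pattern such as honeypot@* matches any run of characters, and that you can export the list of valid addresses from your mail server; all function names and sample data are constructed.

```python
import re


def parse_patterns(setting: str) -> list[str]:
    """Split the comma-separated honey pot setting into lowercase patterns."""
    return [p.strip().lower() for p in setting.split(",") if p.strip()]


def pattern_to_regex(pattern: str) -> re.Pattern:
    # Assumption: '*' is the only wildcard and matches any run of characters;
    # every other character (including '.', '+', '?') is taken literally.
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts))


def find_collisions(setting: str, valid_addresses: list[str]) -> dict[str, list[str]]:
    """Map each honey pot pattern to the valid addresses it would trap.

    Comparison is case-insensitive: treating John@ and john@ as the same
    mailbox is the conservative choice when the cost of a miss is lost mail.
    """
    normalized = sorted({a.strip().lower() for a in valid_addresses if a.strip()})
    collisions: dict[str, list[str]] = {}
    for pattern in parse_patterns(setting):
        rx = pattern_to_regex(pattern)
        hits = [addr for addr in normalized if rx.fullmatch(addr)]
        if hits:
            collisions[pattern] = hits
    return collisions


# Constructed sample data: a proposed honey pot setting and an exported
# list of real users, groups and automated service addresses.
HONEYPOT_SETTING = "honeypot@*, jondoe@yourdomain.com, john@yourdomain.com"
VALID_ADDRESSES = [
    "alice@yourdomain.com",
    "John@yourdomain.com",            # real user, differs only by case
    "honeypot@lists.yourdomain.com",  # real list caught by the wildcard
    "sales@yourdomain.com",
]

if __name__ == "__main__":
    found = find_collisions(HONEYPOT_SETTING, VALID_ADDRESSES)
    for pattern, addresses in found.items():
        print(f"UNSAFE {pattern}: would trap {', '.join(addresses)}")
    if not found:
        print("No honey pot pattern matches a valid address.")
```

Run it against the exported address list before saving the honey pot setting, and again whenever mailboxes, groups or service addresses are added.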
HoneyPotDeleted
This switch allows email deleted from the quarantine by users or the admin to be used to create and reinforce bees
On/Off
On
HoneyPotSent
This switch allows email released from the quarantine by users or the admin to be used to disable bees