Hexamail Nexus Administration Guide - Honey Pot Matching - Honey Pot Match

Honey Pot Match

This page contains the Honey pot matcher settings. The honey pot is a dynamic matching technology that gathers evidence from known spam and uses it to build adaptive spam macthing agents called "bees". The bees then identify new spam with similar characteristics. By setting up 'fake' honey pot addresses for spammers to send spam to you can dynamically collect the most recent forms of spam and have bees automatically created from the email. The bees then monitor other incoming email for similar characteristics. When they identify an email that matches a characteristic, the email is quarantined or deleted according to your configuration. Email in the quarantine is then used to reinforce the bees you have created:
- deleting an email matched by a bee strengthens the bee and extends its life span
- releasing an email trapped by a bee will disable the bee(s) associated with the characteristics of the email released. Future similar email will no longer be caught by the bee.

The honey pot email addresses chosen should NOT correspond with any user or other SMTP email address on your email server : email to honey pot addresses are DELETED or BLOCKED in all cases! It is best to chose eitehr existing addresses that are receiving large volumes of spam but are unused, or a common name at your domain, for example: fred@yourdomain.com or john@yourdomain.com. Spammers will soon guess such addresses and start to send spam to them - this spam is useful, as you use it to identify their spam attacks to legitimate addresses!

NOTE: you can also use the system with no honey pot addresses should you wish to: email deleted from the quarantine can be treated as if it were to a honey pot address, and be used to create and reinforce bees.

Honey Pot Match

   Honey Pot

Honey Pot settings
Enable Honey Pot processing
Enable the honey pot matching features. Note that the honey pot comes pretrained with some common matching agents, or bees. These can be disabled if they incorrectly macth email by accepting (releasing) matched email from the quarantine.
Example interface
On/Off
On
IP matches
This setting determines the action taken on a spam email when a bee matches on an IP address. Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
Example interface

(More Info)Off, Mark, Block, Delete
Block
Image matches
This setting determines the action taken on a spam email when a bee matches on an image characteristic. Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
Example interface

(More Info)Off, Mark, Block, Delete
Block
Subject matches
This setting determines the action taken on a spam email when a bee matches on a subject characteristic. Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
Example interface

(More Info)Off, Mark, Block, Delete
Block
Content matches
This setting determines the action taken on a spam email when a bee matches on content. Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
Example interface

(More Info)Off, Mark, Block, Delete
Block
Exclude IPs
Some IPs relay on information to your installation. These need to be excluded from honey pot analysis and automatic blocking. If you see email from specific IPs repeatedly incorrectly matched by honey pot bees you can simply add the ip here to prevent future matching.
Example interface
127.0.0.1
IPs of relay servers or MTAs you never want blocked
Email to the honey pot
Email to the configured honey pot addresses can either be deleted or blocked and stored in the quarantine. Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
Example interface

(More Info)Block, Delete
Block
Honey pot addresses
A honeypot is a trap for spammers. Email to any of these addresses will be analyzed and potentially DELETED (depending on your chosen setting for email to the honey pot addresses). Ensure that these addresses do not include any valid addresses of users, groups or automated services in your mailserver! Email to these addresses will be used to deduce information about spammers and spam you are receiving, which in turn can be used to block email to other recipients that is similar or from similar sources. These addresses should be email addresses spammers are already attacking, but are invalid at your email server, or new email addresses you choose. If you choose a new email address make it easy for a spammer to guess like john@yourdomain.com or alan@yourdomain.com so they quickly discover it and use it to send spam to(!)
Example interface
honeypot@*
honeypot@yourdomain.com,jondoe@yourdomain.com
HoneyPotDeleted
This switch allows email deleted from the quarantine by users or the admin to be used to create and reinforce bees
Example interface
On/Off
On
HoneyPotSent
This switch allows email released from the quarantine by users or the admin to be used to disable bees
Example interface
On/Off
On