Recent news

21 Dec 2005 - I'm all out of bubblegum. Proxypot evidence led to 2 lawsuits recently filed by the FTC and 1 by the Texas Attorney General. Here are the announcements: FTC vs. Kinion, FTC vs. McMullen, and Texas vs. Williams.

Older news

1 Jun 2005 - Spamstat updates to speed up the generation of the big pages, fix some HTML and URL encoding problems, and introduce the "bynet*" report section which supersedes the "byC" section, allowing report pages to be generated on demand for any network size, not just /24. Also spamstatscrub should work now.

13 May 2005 - The proxypot and related utilites are now organized like a standard perl package, and modularization of the big scripts has begun. The new package also includes the CGI script used for generating dynamic spamstat reports.

29 Apr 2005 - OCR'ed plain text version of the recent criminal complaint is now available

25 Apr 2005 - Correction to the April 22 report: The first criminal case is not over yet. Those first 4 defendants settled their civil case with the FTC. Although the FTC and postal inpsectors are using the same evidence to go after the same people, it's still 2 separate things in court. There may still be more good news to come.

22 Apr 2005 - I'm all out of bubblegum. The first criminal case, filed by USPIS and FTC almost a year ago, has made some progress. The first set of defendants settled their case for a $20,000 fine (too small of course), and a second set has been arrested. Since I haven't seen it show up elsewhere yet, here's a copy of the new criminal complaint against pill spammers John Lin, Steve Yui, Elaine Espinosa, and Daniel Mankani. (Large scanned-text PDF, sorry but that's how it was sent to me.) Be sure to read paragraph 40; it has a great punchline.

20 Apr 2005 - The first denial of service attack occurred today. Or at least the first one that was big enough to be noticed. It's been taken care of. Will the fool try again with a different technique?

8 Feb 2005 - spamstat update (just small stuff, the big stuff is still being worked on, slowly). Fixes bug with perminclude in interactive mode.

13 Jan 2005 - I now have my PGP public key on the web site, and will sign evidence files on request.

2 Dec 2004 - Created a mailing list

19 Oct 2004 - spamstat updates: quieted warnings when running spamstat for the first time. Various updates to URL finding and parsing. New option --interactive=keypress

6 Oct 2004 - new spamstat option: --interactive. Plus assorted minor fixes.

25 Sep 2004 - minor fix to the new spamstat "invisible text" detector. Then another minor fix to remove the debugging hook that was left in by accident again. Damn.

24 Sep 2004 - spamstat now identifies and removes invisible text in an HTML message before picking out links. Result: great reduction in bogus entries in the report.

18 Sep 2004 - spamstat update: reduce DNS lookups of bogus domains

10 Sep 2004 - spamstat updated. major new feature: --export option, which should make evidence submission more efficient.

4 Sep 2004 - spamstat updated mainly to remove a debugging thing that was released by accident

1 Sep 2004 - spamstat has a new --sort option, there is a small bug fix in --htmlsingle (which has no practical use yet anyway); and a somewhat more important bug fix in --remove.

26 Aug 2004 - spamstat's backend storage method has been overhauled to use less memory. The monolithic plain text report no longer exists; only the HTML reports remain. The new tool spamstatcvt must be used to convert old databases.

27 Jul 2004 - proxypot configuration finally moved to external files! spamstat now knows about BSD tar -I. As always, some minor bugfixes are included too.

22 Jul 2004 - DCC support officially disrecommended due to apparent bugginess of the dccifd server. log2mbox made much less memory-hungry. Lots of minor improvements to spamstat. Fixed deliverone bug related to empty HELO.

8 Jul 2004 - Yesterday's proxypot update created a bad situation for spamstat, which didn't know about the new Received header format, so it misidentified the proxypot's IP address as the sender's IP address. This is fixed now.

7 Jul 2004 - proxypot bug fixes (running as non-root and GET parsing in a proxy chain), spamstat URL-recognition bug fixes, and accepted-on IP address in the Received header so deliverone can bind to the correct address.

24 Jun 2004 - I'm all out of bubblegum. It seems that another spammer has been nailed by proxypot, this one terminated by his ISP. And it's in Florida even! The good guys score, right in the heart of spammer-land. (Gory details unavailable because the ISP has not released them.)

22 Jun 2004 - new spamstat doesn't bomb horribly when no messages are found

17 Jun 2004 - spamstat recognizes a few more domains and redirectors

12 Jun 2004 - another performance enhancement for proxypot, and a new --archive option to spamstat which saves expired messages in an archive (requires cpio or tar, and bzip2 or gzip is recommended). More minor bugfixes too.

9 Jun 2004 - restructured proxypot network-read code in a way that may reduce CPU load, improved phone number and mail drop recognition in spamstat, added a new set of options to force inclusion of dead spamvertized web sites, and automatic wildcard detection which reduces DNS traffic (which speeds up spamstat a lot)

30 May 2004 - better handling of empty HELOs, and a new MIME::Parser patch for handling a specific type of bogus message.

27 May 2004 - more flexible configuration of incoming ports, and other minor updates to proxypot and spamstat. domain appears!

23 May 2004 - update deliverone to recognize the new Received header format

22 May 2004 - proxypot update: fix mixed mode chaining, tweak DCC stuff, ports in Received header. Meanwhile, spamstat grows ever smarter. This version requires HTML::LinkExtractor instead of HTML::LinkExtor.

12 May 2004 - just small bug fixes

4 May 2004 - "mixed" proxy mode - run SOCKS and HTTP CONNECT on the same port

29 Apr 2004 - I'm all out of bubblegum. Bubblegum proxypot contributes evidence to the first criminal complaint filed under the CAN-SPAM act. And now I can finally reveal why it was called "Bubblegum" proxypot

26 Feb 2004 - Minor addition to deliverone - don't send X-DCC header.

16 Feb 2004 - D'oh! I forgot to chmod a+r the new proxypot yesterday.

15 Feb 2004 - DCC support

25 Jul 2003 - minor fixes

22 May 2003 - sample report published, deliverone published

21 May 2003 - spamstat gets MUCH cooler, and also much bigger.

8 May 2003 - spamstat gets cooler, maildir delivery gets safer, log2mbox gets published

Ancient history

In the late summer and early fall of 2002, there was a lot of talk on about honeypots. People had built open-relay honeypots and were capturing spam, and there were some attempts at tracking proxy usage, but no one had made a serious attempt at building an open proxy honeypot. It seemed like a pretty big task. After all, SMTP relays are simple to imitate but an open proxy can connect to almost any kind of server. How could you possibly predict what tests will be used, and pass all of them?

It was a challenge I couldn't ignore. I started writing the code, and didn't just do the minimum, but tried to think ahead. How would the spammers respond to this? What new tests will they develop? I wrote code to fool tests that no one had invented yet. I wanted the first open proxy honeypot to be 3 steps ahead of the spammers before anyone ever saw it. Even with such planning, I expected spammers to quickly develop highly sophisticated tests that would be impossible to beat. This was an arms race destined to be won by the bad guys.

In my initial announcement, I predicted the proxypot would "have a useful life of a year". Actually, a year later, most spammers had only begun to wake up to existence of honeypots. Now I realize that while some of them will adapt, there will always be spammers dumb enough to get caught by a honeypot.

The word "proxypot", by the way, is something I came up with after I got tired of writing "open proxy honeypot". As far as I know, nobody had used it before. I wanted to see if I could get people to say it just by using it as if it was already a well-known term. A year and a half later, when I got a call from a US Postal Inspector asking for evidence to use in the case against Daniel Lin, he used the word "proxypot" and then corrected himself, as if he was uncertain whether I would understand what he meant.
Experiment successful.

Because I had decided that "proxypot" was a generic term that should apply to other open proxy honeypots, not just mine, I needed a name to specifically refer to the program I wrote. I called it "Bubblegum proxypot". The reason was not given for a long time - see the 29 Apr 2004 news item above for the revelation.

The first spam ever captured by Bubblegum proxypot was on 18 Feb 2003, titled "Backup your DVD movies", from