Discover honeypot addresses
To discover actual addresses for detection, examine your
syslog output for addresses that were rejected as
unknown. One way to do this might look like the following,
where the actual command is one huge line:
% cd /var/log
% grep "User unknown" syslog* | sed -e 's/.*<//' -e 's/>.*//' -e 's/\.\.\..*//' | sort | uniq -c | sort -n
Here, your mail log file might be called maillog or something
else (see your /etc/syslog.conf file if in doubt). Partial output
of this command might look like this:
11 janaina.broca@your.domain
12 gj@your.domain
12 gkjhjkhjk@your.domain
13 helen@your.domain
14 asd@your.domain
15 BC1@your.domain
19 CGBNCDHB@your.domain
30 a@your.domain
34 da@your.domain
47 y8jhbg@your.domain
51 cgbncdhb@your.domain
Since these hit your site, you should put the ones you find in
your slow.honey and /etc/mail/aliases files.
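
The same extraction as a reusable shell function, added here as an example and not part of the original page. It folds addresses to lower case (an assumption that your site matches local parts case-insensitively, which merges entries such as CGBNCDHB and cgbncdhb) and keeps only addresses rejected at least a given number of times. The function names, the threshold argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list honeypot candidates from "User unknown" rejections.

# honeypot_candidates MIN
#   Reads mail log lines on stdin and prints "count address" for every
#   rejected recipient seen at least MIN times (default 10), lowest first.
honeypot_candidates() {
    min=${1:-10}
    grep 'User unknown' |
    # Keep only the text between the last <...> pair, and only when it
    # looks like an address; lines without one are dropped.
    sed -n 's/.*<\([^<>]*@[^<>]*\)>.*/\1/p' |
    # Assumption: local parts are case-insensitive at this site.
    tr '[:upper:]' '[:lower:]' |
    sort | uniq -c | sort -n |
    awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Constructed sample log lines (not taken from a real system).
sample_log() {
cat <<'EOF'
Mar  3 10:15:02 mail sendmail[1201]: k23AF2x1001201: <asd@your.domain>... User unknown
Mar  3 10:15:09 mail sendmail[1202]: k23AF9x1001202: <CGBNCDHB@your.domain>... User unknown
Mar  3 10:16:41 mail sendmail[1207]: k23AGfx1001207: <cgbncdhb@your.domain>... User unknown
Mar  3 10:17:03 mail sendmail[1211]: k23AH3x1001211: <cgbncdhb@your.domain>... User unknown
Mar  3 10:17:30 mail sendmail[1215]: k23AHUx1001215: <asd@your.domain>... User unknown
Mar  3 10:18:12 mail sendmail[1219]: k23AICx1001219: <helen@your.domain>... User unknown
Mar  3 10:19:00 mail sendmail[1223]: k23AJ0x1001223: from=<someone@example.com>, size=812, nrcpts=1
EOF
}

# Demonstration on the constructed sample, with a threshold of 2 hits.
sample_log | honeypot_candidates 2
```

Against real logs, feed the files on stdin, for example `cat syslog* | honeypot_candidates 10`, and review the list by hand before adding anything to slow.honey, since a mistyped address for a real user can also show up here.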