Discover honeypot addresses
To discover actual addresses for detection, examine your
syslog output for addresses that were rejected as
unknown. One way to do this might look like the following,
where the actual command is on one long line:
% cd /var/log
% grep "User unknown" syslog* | sed -e 's/.*<//' -e 's/>.*//' -e 's/\.\.\..*//' | sort | uniq -c | sort -n
Here, your mail log file might be called maillog or something else
(see your /etc/syslog.conf file if in doubt). Partial output
of this command might look like this:
Since these hit your site, you should put the ones you find in
your slow.honey and /etc/mail/aliases files.
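
The extraction described above, as an added example that is not part of the original page: it wraps the same three sed substitutions in a function that also folds case and keeps only addresses rejected at least a given number of times. The function names honeypot_candidates and sample_log are hypothetical, and the log lines are constructed samples in an assumed sendmail syslog layout.

```shell
#!/bin/sh
# Added example: list rejected recipient addresses seen at least MIN times.
# Reads mail log lines on stdin; prints "count address", most frequent last.
honeypot_candidates() {
    min="${1:-1}"
    grep "User unknown" |
        # Same three substitutions as the pipeline above: keep what lies
        # between the last '<' and the next '>', then drop any "..." tail.
        sed -e 's/.*<//' -e 's/>.*//' -e 's/\.\.\..*//' |
        # Fold case so Sales@ and sales@ are counted as one address.
        tr '[:upper:]' '[:lower:]' |
        sort | uniq -c |
        # Drop one-off typos: keep addresses hit at least $min times.
        awk -v min="$min" '$1 >= min { print $1, $2 }' |
        sort -n
}

# Constructed sample log lines (host, queue IDs and addresses are made up).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 mx sendmail[1201]: k23A1: <sales@example.com>... User unknown
Mar  3 10:15:09 mx sendmail[1202]: k23A2: <Sales@example.com>... User unknown
Mar  3 10:16:40 mx sendmail[1207]: k23A3: to=<bob@example.com>, dsn=2.0.0, stat=Sent
Mar  3 10:17:12 mx sendmail[1211]: k23A4: <info@example.com>... User unknown
Mar  3 10:18:30 mx sendmail[1215]: k23A5: <sales@example.com>... User unknown
EOF
}

# Addresses rejected two or more times in the sample.
sample_log | honeypot_candidates 2
```

Against real logs the function reads standard input, for example: cat syslog* | honeypot_candidates 5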