Guezli/postfix-honeypot-users: extend honeypot wordlist#1832
Open
Guezli wants to merge 1 commit into
Based on 90 days of real-world traffic against a production Mailcow deployment, the wordlist is extended with the patterns that consistently showed up but weren't covered yet:
- ES / PT i18n variants: teste, prueba, contacto, comercial
- accounting / billing honeypots: billing, accounts, account, tech, reception, shared
- office-equipment honeypots: copier, fax, scanner, monitor, mailtest, testing
- auto-generated mailbox-probe patterns: nonexistent_user(?:_[0-9]+)? -- catches stealth bots that probe with numbered test mailboxes (one such bot in the dataset hammered nonexistent_user_26 ~180 times in 90 days at a rate too slow for per-IP slow-bf to trigger)

Test fixture extended with one log line per new class to prove each extension actually fires (9 overflows expected). Docs / inline comments updated to list all four classes. No functional change to existing matches. hubtest + hublint clean.
Description
Based on 90 days of real-world SMTP-AUTH traffic against a production Mailcow
deployment, the honeypot wordlist is extended with the patterns that consistently
showed up in attacker probes but weren't covered yet.
Added
- ES / PT i18n variants: teste, prueba, contacto, comercial
- accounting / billing honeypots: billing, accounts, account, tech, reception, shared
- office-equipment honeypots: copier, fax, scanner, monitor, mailtest, testing
- auto-generated mailbox-probe patterns: nonexistent_user(?:_[0-9]+)? — catches stealth bots that probe with numbered test mailboxes (one such bot in the dataset hammered nonexistent_user_26 ~180 times over 90 days at a rate too slow for per-IP slow-bf to trigger)
What's NOT added (and why)
- (david@, michael.tieche@) — risk of banning on legitimate user typos
- (info1@, admin01@, test2@) — would need a regex like info\d* and risks false positives on legitimate addresses such as info2024@<some-company>. Kept out for now.

Checklist
- Wordlist extended with the four new classes (including the nonexistent_user(_<N>)? family)
- Docs (.md) and inline comments updated, four wordlist classes documented
- Test fixture extended with one log line per new class so each extension actually fires; scenario.assert extended from 4 to 9 expected overflows
No functional change to existing matches
All previously matched usernames still match the same way.
AI assistance
Claude Code surveyed 90 days of sasl_username= values from the production Mailcow Postfix container logs, sorted by frequency, identified the new honeypot classes, and assembled the regex + test fixtures. Class selection (in / out) was confirmed by the maintainer on a per-username basis to avoid false positives on legitimate office addresses.
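Added example, not part of this PR or of the hub scenario itself: a Python approximation of the four honeypot classes the description lists, run over constructed Postfix smtpd log lines to show that the numbered mailbox-probe family fires while the deliberately excluded info2024@ style does not. The regex, its case-insensitivity and the sample lines are assumptions made here.

```python
import re
from typing import Optional

# Constructed approximation of the four honeypot classes named in the PR text.
# The hub scenario's real pattern is not shown on this page, so this regex is
# an assumption for illustration, not the project's own wordlist.
HONEYPOT_CLASSES = {
    "i18n": ["teste", "prueba", "contacto", "comercial"],
    "billing": ["billing", "accounts", "account", "tech", "reception", "shared"],
    "office": ["copier", "fax", "scanner", "monitor", "mailtest", "testing"],
    # numbered mailbox-probe family: nonexistent_user, nonexistent_user_26, ...
    "probe": [r"nonexistent_user(?:_[0-9]+)?"],
}

# Anchor on the whole local part: "account" must not swallow "accounting", and
# an "info" prefix (info2024@...) must stay out, as the PR decided.
_CLASS_RES = {
    name: re.compile(
        r"^(?:" + "|".join(w if name == "probe" else re.escape(w) for w in words) + r")$",
        re.IGNORECASE,  # case-insensitivity is an assumption, not stated on the page
    )
    for name, words in HONEYPOT_CLASSES.items()
}

SASL_USER_RE = re.compile(r"sasl_username=([^\s,]+)")

def honeypot_class(username: str) -> Optional[str]:
    """Return the honeypot class of a SASL username (domain part ignored), or None."""
    local_part = username.split("@", 1)[0]
    for name, rx in _CLASS_RES.items():
        if rx.match(local_part):
            return name
    return None

def scan_postfix_log(lines):
    """Return (username, class) for every sasl_username= seen in the log lines."""
    hits = []
    for line in lines:
        m = SASL_USER_RE.search(line)
        if m:
            hits.append((m.group(1), honeypot_class(m.group(1))))
    return hits

# Constructed sample lines in the Postfix smtpd SASL-failure format (RFC 5737 IPs).
SAMPLE_LOG = [
    "Jan  5 10:22:01 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=nonexistent_user_26",
    "Jan  5 10:22:03 mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=Teste@example.org",
    "Jan  5 10:22:05 mail postfix/smtpd[1234]: warning: unknown[203.0.113.9]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info2024@example.org",
]
```

Calling scan_postfix_log(SAMPLE_LOG) classifies the first two usernames as probe and i18n and leaves the info2024@ login unmatched.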