
Guezli/postfix-honeypot-users: extend honeypot wordlist #1832

Open

Guezli wants to merge 1 commit into crowdsecurity:master from Guezli:extend-Guezli-postfix-honeypot-users-wordlist

Conversation


@Guezli Guezli commented Jun 21, 2026


Description

Based on 90 days of real-world SMTP-AUTH traffic against a production Mailcow
deployment, the honeypot wordlist is extended with the patterns that consistently
showed up in attacker probes but weren't covered yet.

Added

  • Spanish / Portuguese i18n variants (heavy in real-world bot wordlists):
    teste, prueba, contacto, comercial
  • Accounting / billing honeypots: billing, accounts, account, tech,
    reception, shared
  • Office-equipment honeypots: copier, fax, scanner, monitor,
    mailtest, testing
  • Auto-generated mailbox-probe patterns: nonexistent_user(?:_[0-9]+)?
    catches stealth bots that probe with numbered test mailboxes
    (one such bot in the dataset hammered nonexistent_user_26 ~180 times
    over 90 days at a rate too slow for per-IP slow-bf to trigger)

What's NOT added (and why)

  • Personal-name variants (david@, michael.tieche@) — risk of banning
    on legitimate user typos
  • Numeric variants of role addresses (info1@, admin01@, test2@) — would
    need a regex like info\d* and risks false positives on legitimate
    addresses such as info2024@<some-company>. Kept out for now.

Checklist

  • Filter regex extended (~18 new patterns; one regex group covers the
    nonexistent_user(_<N>)? family)
  • Inline comments + rendered .md updated, four wordlist classes documented
  • Test fixture extended with one log line per new class to prove each
    extension actually fires; scenario.assert extended from 4 to 9 expected
    overflows
  • hubtest run postfix-honeypot-users --clean -> 15 assertions, all pass
  • hublint check clean

No functional change to existing matches

All previously matched usernames still match the same way.

AI assistance

  • AI was used to generate any/all content of this PR

Claude Code surveyed 90 days of sasl_username= values from the production
Mailcow Postfix container logs, sorted by frequency, identified the new
honeypot classes, and assembled the regex + test fixtures. Class selection
(in / out) was confirmed by the maintainer on a per-username basis to avoid
false positives on legitimate office addresses.

Based on 90 days of real-world traffic against a production Mailcow
deployment, the wordlist is extended with the patterns that consistently
showed up but weren't covered yet:

- ES / PT i18n variants: teste, prueba, contacto, comercial
- accounting / billing honeypots: billing, accounts, account, tech,
  reception, shared
- office-equipment honeypots: copier, fax, scanner, monitor, mailtest,
  testing
- auto-generated mailbox-probe patterns: nonexistent_user(?:_[0-9]+)?
  -- catches stealth bots that probe with numbered test mailboxes
  (one such bot in the dataset hammered nonexistent_user_26 ~180 times
  in 90 days at a rate too slow for per-IP slow-bf to trigger)

Test fixture extended with one log line per new class to prove each
extension actually fires (9 overflows expected). Docs / inline comments
updated to list all four classes.

No functional change to existing matches. hubtest + hublint clean.
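As an added example, not code from this PR or from the crowdsecurity hub (the scenario's actual filter regex is not shown on this page), the Python below assembles a honeypot-username pattern from the classes listed in the description, runs it over constructed Postfix smtpd failed-auth lines, and includes the false-positive check that motivates keeping `info\d*` out of the list. The log line layout, the helper names, the sample addresses and the legitimate-user list are assumptions constructed for the example.

```python
import re

# Honeypot local parts, assembled from the classes named in the PR description.
# This is a constructed list for the example, not the scenario's own regex.
HONEYPOT_WORDS = [
    "teste", "prueba", "contacto", "comercial",                       # ES / PT i18n variants
    "billing", "accounts", "account", "tech", "reception", "shared",  # accounting / billing
    "copier", "fax", "scanner", "monitor", "mailtest", "testing",     # office equipment
]

# Anchored so that "testing2024" or "fax.team" does not match; the numbered
# nonexistent_user family is covered by one optional group, as the PR does.
HONEYPOT_RE = re.compile(
    r"^(?:" + "|".join(map(re.escape, HONEYPOT_WORDS)) + r"|nonexistent_user(?:_[0-9]+)?)$",
    re.IGNORECASE,
)

# Postfix smtpd failed-authentication warning; the exact field layout is assumed.
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed:.*?sasl_username=(?P<user>\S+)"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jun 21 10:00:01 mail postfix/smtpd[2201]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: authentication failure, sasl_username=teste",
    "Jun 21 10:00:05 mail postfix/smtpd[2201]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: authentication failure, sasl_username=prueba@example.com",
    "Jun 21 10:01:12 mail postfix/smtpd[2207]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed: authentication failure, sasl_username=nonexistent_user_26",
    "Jun 21 10:02:40 mail postfix/smtpd[2210]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure, sasl_username=info2024",
    "Jun 21 10:03:00 mail postfix/smtpd[2211]: warning: unknown[203.0.113.9]: "
    "SASL LOGIN authentication failed: authentication failure, sasl_username=david",
    # A successful login line: no "warning:", so it must never count as a probe.
    "Jun 21 10:03:30 mail postfix/smtpd[2212]: ABCD1234: client=unknown[203.0.113.9], "
    "sasl_method=LOGIN, sasl_username=alice",
]

# Constructed legitimate addresses used for the false-positive check.
LEGIT_USERS = ["info2024@example.com", "billing-team@example.com", "alice@example.com"]


def local_part(user):
    """Bots often send a full address; compare only the part before '@'."""
    return user.split("@", 1)[0]


def is_honeypot_user(user):
    return HONEYPOT_RE.fullmatch(local_part(user)) is not None


def honeypot_hits(lines):
    """Map client IP -> list of honeypot usernames it tried, in log order."""
    hits = {}
    for line in lines:
        m = SASL_FAIL_RE.search(line)
        if not m:
            continue
        user = m.group("user").rstrip(",")
        if is_honeypot_user(user):
            hits.setdefault(m.group("ip"), []).append(user)
    return hits


def false_positives(candidate_pattern, legitimate_users):
    """Legitimate local parts a candidate honeypot regex would also ban.

    Run this before adding a pattern; a non-empty result is the reason the PR
    keeps numeric role variants such as info\\d* out of the list.
    """
    rx = re.compile(candidate_pattern, re.IGNORECASE)
    return [local_part(u) for u in legitimate_users if rx.fullmatch(local_part(u))]


if __name__ == "__main__":
    for ip, users in honeypot_hits(SAMPLE_LOG).items():
        print(f"{ip}: {users}")
    print("info\\d* would hit:", false_positives(r"info\d*", LEGIT_USERS))
    print("nonexistent_user family would hit:",
          false_positives(r"nonexistent_user(?:_[0-9]+)?", LEGIT_USERS))
```

The `info2024` and `david` lines are deliberately left unmatched: the first is the false positive the PR calls out, the second is the personal-name class it excludes. Anchoring with `fullmatch` rather than `search` is what keeps a pattern like `fax` from also firing on a real mailbox such as `fax.team`.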