Q: Detecting HoneyPot Proxy (Software/Methods) ( No Answer,   4 Comments )
Question  
Subject: Detecting HoneyPot Proxy (Software/Methods)
Category: Computers
Asked by: mnklmd-ga
List Price: $120.00
Posted: 13 Jan 2004 07:51 PST
Expires: 12 Feb 2004 07:51 PST
Question ID: 295924
Those unfamiliar with what Honeypot proxy servers are, please research
the subject in depth, I'm requesting only the individuals with
background knowledge on this matter to answer the question.

I am an anonymity enthusiast. I prefer the commercial spy-crazed
corporations to know less about me than they expect to. I'm a "pro
proxies" sort of a person.

Lately, if you are involved in this sort of a fuss, I noticed more and
more "fake proxies" (honeypot proxies) being set up by different
individuals/companies/groups/ISPs left and right. The purposes are
well known, to combat spam (and hurray for that !), but also it hurts
us, the anonymity freaks. What basically is done is a proxy is set up
on a machine, then the details (IP + PORT) are distributed to the
known proxy sources, where it finally blends in with other "usable"
sources.

Then, the proxy appears to be anonymous when scanned, appears to be
anonymous when used, but really isn't. It either logs your activity (a
big no no), forwards your actual IP to the webservers, forwards your
IP when you use web based email services, and so on.

Once again I'm clearly pro to the reasons why this is done. 

But I believe these sorts of actions are ultimately destroying my
(and others') ability to stay anonymous online.

Finally to the main goal of this question.

I'm looking for methods to do partial/complete checks on a public
(offered through public lists) proxy server, to check whether it's a
disguised honeypot.

A few methods are known, example:

- Checking headers that are returned to a web server
- Checking the IP forwarded through the email headers
- Checking whether the proxy actually forwards data when used, and
doesn't just log it. While coming up as usable when processed for
verification.

There are some software packages available that can "half-way" solve
this problem. I've heard about them, but can find little about them.

Would anyone be able to pin point me to a few solutions & especially
software titles ?

Thanks

(PS: Please no offers about switching to paid VPN services of some
sort, using online anonymity tools like anonymizer.com and any other.
I'm specifically asking about methods & software to check available
proxy servers for honeypot content)

Request for Question Clarification by joseleon-ga on 13 Jan 2004 08:14 PST
Hello, mnklmd:
  Yes, I know what you are referring to, but to detect if a proxy is
sending your data to the target server, a simple browse (using that
proxy) to a page that reveals which data it "knows" about you would be
enough. Are you interested in this, or am I missing something?

Regards.

Clarification of Question by mnklmd-ga on 13 Jan 2004 08:27 PST
No, perhaps you aren't very familiar with the subject.

Let's for example say that you wish to use a normal POP3 account, and
connect using a proxy to the server to send and receive emails.

Now, when checking whether the proxy is real or not, you may think
that going to one of those ProxyJudge sites is enough, or connecting
to a remote server and netstating the connection to see if the proxy
works.

What the Honeypot does is fool you into thinking that it is a proxy,
while if you (as in our example) attempt to send an email, instead of
putting itself as the source IP, it will forward yours, but without
telling you! This just completely makes the whole purpose of anonymity
go to waste.

Request for Question Clarification by joseleon-ga on 13 Jan 2004 08:38 PST
Hello, mnklmd:
  I'm very familiar with that subject, maybe my English is not enough
to express what I want, but I understand perfectly what you want and I
understand what your problem is.

Technically speaking, an http proxy (not a pop one), when you use it
and access a web page through it, it sets a var called:

HTTP_X_FORWARDED_FOR

Which the web server can read to know the "real IP" you are using;
instead of being anonymous using the IP of the proxy, you are revealing
your real IP, so that proxy is not anonymous.

To check that var is a way to know if a proxy is anonymous or not.

If I'm still wrong, please, explain more about what you want, but I
think you want to know whether a proxy shows your real IP or not, and
I'm explaining that, how servers know your real IP if the proxy is not
anonymous.

Regards.
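
Added example (not part of the original thread): how an origin web server, such as a ProxyJudge-style page, can classify a request from the variables it receives. `HTTP_X_FORWARDED_FOR` is the variable named above; the other header names, the level names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re

# HTTP_X_FORWARDED_FOR is the variable named in the post above; the other
# names are assumptions added for this example.
LEAK_VARS = ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP", "HTTP_FORWARDED")
PROXY_VARS = ("HTTP_VIA", "HTTP_PROXY_CONNECTION")

def addresses(value):
    """Return every syntactically valid IP address in a header value."""
    found = []
    for token in re.split(r"[,;\s]+", value):
        token = token.strip('"')
        if token.lower().startswith("for="):   # RFC 7239 "Forwarded: for=..."
            token = token[4:].strip('"')
        try:
            found.append(str(ipaddress.ip_address(token.strip("[]"))))
        except ValueError:
            continue                            # "unknown", by=..., proto=...
    return found

def classify(environ):
    """Classify one request from the origin server's point of view."""
    peer = environ["REMOTE_ADDR"]               # address of the TCP peer
    leaked = []
    for var in LEAK_VARS:
        for addr in addresses(environ.get(var, "")):
            if addr != peer and addr not in leaked:
                leaked.append(addr)
    proxy_seen = any(v in environ for v in LEAK_VARS + PROXY_VARS)
    if leaked:
        level = "transparent"       # a client address reaches the server
    elif proxy_seen:
        level = "anonymous"         # proxy announces itself, hides the client
    else:
        level = "no-proxy-headers"  # direct client or header-stripping proxy
    return {"peer": peer, "level": level, "leaked": leaked}

# Constructed sample requests (documentation address ranges).
SAMPLES = {
    "transparent": {"REMOTE_ADDR": "203.0.113.10", "HTTP_VIA": "1.0 cache",
                    "HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.5"},
    "anonymous": {"REMOTE_ADDR": "203.0.113.10", "HTTP_VIA": "1.1 proxy",
                  "HTTP_X_FORWARDED_FOR": "unknown"},
    "stripped": {"REMOTE_ADDR": "203.0.113.10"},
    "rfc7239": {"REMOTE_ADDR": "203.0.113.10",
                "HTTP_FORWARDED": "for=198.51.100.7;proto=http;by=203.0.113.10"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, classify(env))
```

The result describes only the one HTTP request the server received; it says nothing about what the proxy logs or how it treats other protocols such as mail.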

Clarification of Question by mnklmd-ga on 13 Jan 2004 21:20 PST
http://www.send-safe.com/honeypot-hunter.php

Check out that software title.

If you can find me similar products, I'll be very glad.
Thanks

Request for Question Clarification by joseleon-ga on 14 Jan 2004 02:12 PST
Hello, mnklmd:
  I have been doing some research looking for a similar tool and there
are no tools like this, don't know if it's because this tool has been
released recently or it's because this tool automates the discovery of
HoneyPot proxies and the only real use is for spammers.

If you want to know whether a proxy is a honeypot or not, just set it
up and go to ProxyJudge or somewhere else to see if your real IP is
shown.

Please, let me know if you need further information, I will be glad to
solve any question you have on this matter.

Regards.

Clarification of Question by mnklmd-ga on 14 Jan 2004 11:03 PST
Hello joseleon-ga,

Sorry to keep on wasting your time.

Basically, I know about ProxyJudge, many "proxy checkers" use such
sites to check their proxies. But the problem with current HoneyPots
is that they fool these Proxy judges by sending the HTTP headers of an
anonymous proxy, but for example as the comment aht-ga made, they
would forward your IP in other places, like email.

I'm aware that the software I mentioned is made for spammers, but they
do not interest me. I'm interested in figuring out whether there's
similar software available. Or is there software available that can
automate what aht-ga is talking about?

Greatly appreciate your efforts.

Request for Question Clarification by joseleon-ga on 14 Jan 2004 11:31 PST
Hello, mnklmd:

  Sorry but it seems I didn't explain myself correctly "again" ;-)

As aht suggests, it's just a matter of sending yourself a message through
that proxy and checking the headers; this is the only way someone can
tell where your message comes from because your IP must be there if
the proxy is a honeypot.

I said ProxyJudge just as an example, if you want to know whether a
proxy is a honeypot or not, just test it, that is, act as a server to
know if you get your IP. HoneyPot Hunter "just automates" that,
nothing more.

Automating such tasks, the same tasks aht and I mention, is very easy by
developing a simple piece of software; in fact, HoneyPot Hunter is really
easy to develop, for HTTP proxies and for POP proxies and probably using a
private server.

Regarding your query about similar software available, I have been
looking for it and I haven't found anything, sorry, but maybe it is
because it is so easy to do that there is no market for such a tool.

Regards.

Clarification of Question by mnklmd-ga on 14 Jan 2004 12:24 PST
It is in fact easy to do the send email then the POP3 check.

But there should be a tool that automates doing that, for larger lists
of proxies. In fact, I either seen one of those months ago, it just
didn't occur to me that the HoneyPot problem would be so huge. I'm
definitely sure it is out there.

Perhaps you can find me additional "hardcore" information about
HoneyPots, so I can accept at least something as the answer.

Request for Question Clarification by joseleon-ga on 14 Jan 2004 13:41 PST
Hello, mnklmd:
  I don't think there is such hardcore info because it is not very
complicated to set up a honeypot proxy, there are several packages out
there to do that.

I'm not going to answer this question because my answer is no, there
are no such tools apart from HoneyPot Hunter, so I invite "aht" to post a
full answer, because our mission is to get user satisfaction, so no
problem about the time I have spent on this question, it has been fun
;-)

Maybe I can be more useful the next time...

Regards.

Request for Question Clarification by aht-ga on 14 Jan 2004 13:59 PST
mnklmd-ga:

If you can clarify what you would now regard as an acceptable Answer,
first, I will try my best to provide one. In your original question,
you inquired about software packages (similar to Honeypot Hunter) that
would allow you to verify that proxy servers whose addresses are
published on public lists, are indeed anonymous proxies and not
'honeypots' intended to entrap spammers. So far, other than the
Honeypot Hunter that you referred us to, the only other package I have
found is the G-Lock Software package I reference below in the Comments
section.

In a later clarification, you reiterate your desire to find out
whether there are any additional software options out there similar to
Honeypot Hunter. So, I'm quite prepared to go software hunting for
you, to see if I can add to the list of one I've found so far. :)

However, in your most recent clarification, you mention a desire to
find out more about honeypot proxy servers (beyond what has already
been discussed here). If I am able to locate more software options, do
you still want this additional information?

Regards,

aht-ga
Google Answers Researcher

Clarification of Question by mnklmd-ga on 16 Jan 2004 06:20 PST
Hello joseleon-ga,

I apologize for confusing you. But I was precisely looking for a specific
piece of data, so if none is available, I guess then I can call it my own
failure in seeking this information.

Hello aht-ga,

1) I would like ANY sort of a software that does ANY kind of proxy
checks against them being HoneyPots. Now, I understand that you're
thinking there's no difference between a non-Anonymous Proxy and
HoneyPot, while there is. What was suggested by both of you is to use
some sort of _proxy_ checking software, which will show the HoneyPots
to spit out the IP of the user instead of its own. While it should be
known that the HoneyPot actually tricks the checkers by spitting out
its own IP when going through the checking process, but when it is
attempted to be used normally - it unfortunately does its evil job of
not hiding your IP. There are tools for detecting them, it's just very
difficult to find them, that's why I need your help. Thus a part of the
answer would be accepted if it includes:

- Any additional software for HoneyPot detection/checking. Whether
they are used to check for honeypots that 'entrap' spammers or not,
doesn't concern me as long as they do the job right. I'm already
planning to order HoneyPot Checker.

2) I see that little of the above can be found. Thus I would like you
to find some document that has a very thorough and technical
discussion (in a manual-like format perhaps?) about the current use of
HoneyPots and related software/methods of such practices. Once again,
it can be either about malicious honeypots, antispam honeypots, ISP
honeypots, intrusion detection honeypots, or any other. All of them
interest me, and the more you find the more I will be motivated to
rate your answer well and provide you with a bigger tip.

Please do not include any short, boring, 'description' news articles
or other pages that just touch the surface of the HoneyPot epidemic.

Thank you.

Request for Question Clarification by aht-ga on 16 Jan 2004 09:51 PST
mnklmd-ga:

Thank you for clarifying your requirements to such a high level of
detail! Your request is now clear to me.

However, I unfortunately will be offline for most of next week. Given
the scope of your request, and the lack of easily-found material on
the subject, I believe this question will take some time to research.
I would not want to leave you hanging, waiting for my Answer (which I
most likely would not be able to work on until my return). Therefore,
I hope that joseleon-ga, or one of my other fellow Researchers, can
tackle this question for you and provide you with a rich answer that
meets your requirements.

If, upon my return, this Question has not yet been answered, I will be
happy to take it on for you.

Regards,

aht-ga
Google Answers Researcher

Request for Question Clarification by aht-ga on 28 Jan 2004 22:10 PST
mnklmd-ga:

I am sorry for the delay in getting back to you, but I wanted to give
this a good effort before admitting defeat. However, within the scope
you have defined, I have not been able to locate any additional
software that makes the same claims as Honeypot Hunter. This does not
mean such software does not exist, it just means that at this moment,
I have not been able to find anything. I hope that one of my fellow
Researchers has better results and can help provide you with an
Answer.

Best regards,

aht-ga
Google Answers Researcher

Request for Question Clarification by majortom-ga on 29 Jan 2004 06:12 PST
What operating system must the solution run on? Is Linux an option? If
you must use Windows, will you accept a solution that requires that
you install the freely available Cygwin package and run a script via
the Unix-like command shell it provides? If I can provide a way to
present a list of proxy servers to a script and get back a yes/no list
showing which are honeypots, will that suffice?
Answer  
There is no answer at this time.

Comments  
Subject: Re: Detecting HoneyPot Proxy (Software/Methods)
From: aht-ga on 13 Jan 2004 22:24 PST
 
mnklmd-ga:

To add to what joseleon-ga has stated about the simple way to check
the validity of an HTTP proxy, you can accomplish the same thing with
a mail proxy by sending yourself a message through that proxy using a
non-anonymizing mailer, to either your own POP3 account, or to a
web-mail account. Then, view the header information to see if your
actual IP address is included. The advantage of a program  like
Honeypot Hunter is its ability to automate the process. It is highly
likely that Honeypot Hunter works in conjunction with a "safe" server
set up by the software vendor to do exactly what joseleon-ga mentions:
namely, look at the incoming HTTP header info to see if it lists the
IP address of your machine.

Regards,

aht-ga
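
Added example (not part of the original thread): reading the header chain of a received test message, as a recipient or mail administrator would, to see which headers carry a given address. The sample message, the function names and the use of the `X-Originating-IP` webmail header are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message; all addresses are from documentation ranges.
RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby pop.example.org with ESMTP id abc123; Wed, 14 Jan 2004 11:00:00 -0800
Received: from relay (unknown [203.0.113.10])
\tby mx.example.net with SMTP; Wed, 14 Jan 2004 10:59:58 -0800
X-Originating-IP: [198.51.100.7]
From: tester@example.org
To: tester@example.org
Subject: proxy test

body
"""

# Address literals in mail headers are written in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def hop_addresses(raw_message):
    """Return (header name, address) pairs in the order they appear."""
    msg = email.message_from_string(raw_message)
    hops = []
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):      # folded lines are joined
            for candidate in IP_IN_BRACKETS.findall(value):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:
                    continue                     # bracketed text, not an IP
                hops.append((name, str(addr)))
    return hops

def discloses(raw_message, client_ip):
    """Names of the headers in which client_ip appears, if any."""
    wanted = str(ipaddress.ip_address(client_ip))
    return [name for name, addr in hop_addresses(raw_message) if addr == wanted]

if __name__ == "__main__":
    print(hop_addresses(RAW))
    print(discloses(RAW, "198.51.100.7"))
```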
Subject: Re: Detecting HoneyPot Proxy (Software/Methods)
From: mnklmd-ga on 14 Jan 2004 11:00 PST
 
Regarding the above comment by aht-ga

Is there such a software that can automate the sending of a message
through a proxy and then checking the POP3 for the email and within
the headers verifying that the proxy isn't a HoneyPot?

You're right on the spot about what sort of methods I'm looking for. I
myself can easily run a list of proxies through ProxyJudges, I just
need one that goes beyond that.

Thank you
Subject: Re: Detecting HoneyPot Proxy (Software/Methods)
From: aht-ga on 14 Jan 2004 13:36 PST
 
mnklmd-ga:

It appears that joseleon-ga is working on determining an Answer for
you, so out of respect for his time and effort I feel it best that he
answer this question for you. In the meantime, you may wish to let us
know whether the Proxy Analyzer contained in this following package
meets your needs:

G-Lock Software: Advanced Administrative Tools
http://www.glocksoft.com/aatools.htm
http://www.glocksoft.com/proxy_analyzer.htm

The capability you appear to be most interested in, is the ability to
verify a SOCKS proxy prior to using it for SMTP purposes. Based on my
quick, trial evaluation of AATools, the proxy analyzer should fulfill
this need.

Hopefully, joseleon-ga will be able to provide you with the honeypot
details you mention in your most recent clarification.

Best regards,

aht-ga
Google Answers Researcher
Subject: Re: Detecting HoneyPot Proxy (Software/Methods)
From: aht-ga on 16 Jan 2004 09:56 PST
 
to my fellow Researchers:

Please read through all of the clarifications and comments prior to
answering this question; the client is specifically seeking software
tools to detect honeypot proxy servers. The client is already aware of
tools to check on the operation of anonymous proxy servers, what he is
seeking is information regarding tools that he can use to
automatically detect a honeypot proxy that does not want to be
detected. He is also seeking detailed information on the topic of
honeypots in general, along the lines of a whitepaper discussing how
honeypots are currently implemented, and how they work (at a technical
level).

Regards,

aht-ga
Google Answers Researcher
