Channel 24 Spam-Full and Channel 25 Spam-Select share information about email messages sent to email honeypot systems (also known as “spamtraps”). The data available from Channel 24 Spam-Full are full copies of emails sent to spamtrap email addresses; the data available from Channel 25 Spam-Select are selected fields from the same emails carried on Channel 24. The honeypots are configured to collect and store all email messages for analysis, and they use email addresses that:

While collecting spam sent to honeypots can be as simple as creating email addresses that have never been used, obtaining a large volume of meaningful spam information requires the creation of many email addresses on many different domains.

Farsight partners with a honeypot operator that collects email messages sent to a vast number of spamtraps. The raw email messages are sent to a Farsight system where they are analyzed to extract interesting and meaningful spam information.

The information is then encoded in a consistent and easy-to-process format, eliminating the need to understand and parse various email formats.

About Security Information Exchange (SIE)

The Security Information Exchange (SIE), from Farsight Security® Inc., is a scalable and adaptable real-time data streaming and information sharing platform. SIE collects and provides access to more than 200,000 observations per second of raw data from its global sensor network. Farsight also applies unique and proprietary methods for improving usability of the data, directly sharing the refined intelligence with SIE customers and DNSDB®, one of the world’s largest passive DNS (pDNS) databases.

The diverse set of data available from SIE includes the following and is relevant and useful for practitioners in various technology roles:

Each unique set of data in SIE is known as a channel and the data acquired from a specific channel can be customized to meet the needs of each customer, enabling you to subscribe to and access only the channels needed to solve your problem. A channel in SIE may be the result from analyzing the data or a subset of data from other channels.

Data Format for 24 Spam-Full

Channel Name: Spam-Full
Description: Full copies of emails sent to spamtrap email addresses
Channel Number: 24
Bit Rate: 16Kb/sec
Bit Rate (Peak): 55Kb/sec
Payloads: 55Kb/sec
Payloads (Peak): 1.5/sec
Available via SIE Batch: Yes
SIE Batch format: Newline-Delimited JSON (ND-JSON)
Available via SIE Remote Access (SRA): Yes

Data Format for 25 Spam-Select

Channel Name: Spam-Select
Description: Select fields from the emails sent to Channel 24 (Spam-Full)
Channel Number: 25
Bit Rate: 16Kb/sec
Bit Rate (Peak): 55Kb/sec
Payloads: 55Kb/sec
Payloads (Peak): 1.5/sec
Available via SIE Batch: Yes
SIE Batch format: Newline-Delimited JSON (ND-JSON)
Available via SIE Remote Access (SRA): Yes

Using Spam-Full and Spam-Select Data

These channels use the email.proto record format.

A sample Spam-Full record looks like this:

{
    "time": "2021-09-28 21:01:49.598700994",
    "vname": "base",
    "mname": "email",
    "source": "f4e78b44",
    "message": {
        "type": "spamtrap",
        "headers": "Return-Path: <jinchubaoguan@hotmail.com>\nX-Original-To: min@notellmotel.org\nDelivered-To: spam-notellmotel@ops-netman.net\nReceived: from hotmail.com (unknown [112.66.246.219])\n\tby mail.ops-netman.net (Postfix) with ESMTP id B7A13221\n\tfor <min@notellmotel.org>; Tue, 28 Sep 2021 21:01:47 +0000 (UTC)\nFrom: jinchubaoguan@hotmail.com\nSubject: =?GB2312?B?s/a/2rGoudhRUToxNTc5MzEzMjk=?=\nTo: min@notellmotel.org\nContent-Type: text/plain;charset=\"GB2312\"\nContent-Transfer-Encoding: 8bit\nDate: Wed, 29 Sep 2021 05:01:43 +0800\nX-Priority: 3\nX-Mailer: Microsoft Outlook Express 6.00.2800.1106",
        "srcip": "112.66.246.219",
        "helo": "hotmail.com",
        "from": "jinchubaoguan@hotmail.com",
        "rcpt": ["min@notellmotel.org"],
        "bodyurl": []
    }
}

A sample Spam-Select record looks like this:

{
    "time": "2021-09-28 21:03:16.155494987",
    "vname": "base",
    "mname": "email",
    "source": "f4e78b44",
    "message": {
        "type": "spamtrap",
        "headers": "Return-Path: <up@etc-meisai.jp>\nX-Original-To: mcnaurpton@secsup.net\nDelivered-To: spam-secsupnet@ops-netman.net\nReceived: from etc-meisai.jp (unknown [116.85.19.56])\n\tby mail.ops-netman.net (Postfix) with ESMTP id 49D2C221\n\tfor <mcnaurpton@secsup.net>; Tue, 28 Sep 2021 21:03:14 +0000 (UTC)\nMessage-ID: <E31C9500EE02D464ACCC4EAD0DD9BE81@etc-meisai.jp>\nFrom: =?utf-8?B?77yl77y077yj5Yip55So54Wn5Lya44K144O844OT44K5?= <admin@ml.etc-meisai.jp>\nTo: <mcnaurpton@secsup.net>\nSubject: =?utf-8?B?RVRD44Kr44O844OJ44GM5LiA5pmC5YGc5q2i44GV44KM44G+44GX44Gf?=\nDate: Wed, 29 Sep 2021 05:03:02 +0800\nMime-Version: 1.0\nContent-Type: multipart/alternative;\n\tboundary=\"----=_NextPart_000_0474_01E73594.16AD4380\"\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: Microsoft Outlook Express 6.00.2900.5512\nX-MimeOLE: Produced By Microsoft MimeOLE V10.0.17763.1",
        "srcip": "116.85.19.56",
        "helo": "etc-meisai.jp",
        "from": "=?utf-8?B?77yl77y077yj5Yip55So54Wn5Lya44K144O844OT44K5?= <admin@ml.etc-meisai.jp>",
        "rcpt": ["<mcnaurpton@secsup.net>"],
        "bodyurl": []
    }
}
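As an added example (not code from this guide, nor from the axamd_client or AXA projects), the following Python routine consumes one ND-JSON record in the shape of the two samples above and derives a few triage fields from it: it decodes an RFC 2047 encoded-word Subject such as the ones shown, reads the connecting IP out of the honeypot MTA's Received header to cross-check the srcip field, strips the angle brackets that the Spam-Select sample shows around a rcpt value, and records whether the HELO name belongs to the envelope sender's domain. The record, and every address, domain and IP in it, is constructed here (RFC 5737 documentation range and reserved example domains); only the field names come from the samples.

```python
import json
import re
from email.header import decode_header, make_header
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed header block in the style of the samples above (not real mail).
SAMPLE_HEADERS = (
    "Return-Path: <billing@example.net>\n"
    "X-Original-To: trap-user@example.org\n"
    "Delivered-To: spam-exampleorg@example.com\n"
    "Received: from mail.example.net (unknown [192.0.2.77])\n"
    "\tby mx.example.com (Postfix) with ESMTP id 0123ABCD\n"
    "\tfor <trap-user@example.org>; Tue, 28 Sep 2021 21:01:47 +0000 (UTC)\n"
    "From: billing@example.net\n"
    "Subject: =?utf-8?Q?Ihre_Rechnung_=C3=BCberf=C3=A4llig?=\n"
    "To: trap-user@example.org\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2800.1106"
)

# One constructed ND-JSON line using the email.proto field names shown above.
SAMPLE_LINE = json.dumps({
    "time": "2021-09-28 21:01:49.598700994",
    "vname": "base",
    "mname": "email",
    "source": "f4e78b44",
    "message": {
        "type": "spamtrap",
        "headers": SAMPLE_HEADERS,
        "srcip": "192.0.2.77",
        "helo": "hotmail.com",          # deliberately unrelated to the sender domain
        "from": "billing@example.net",
        "rcpt": ["<trap-user@example.org>"],
        "bodyurl": [],
    },
})

_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_rfc2047(value):
    """Turn an RFC 2047 encoded-word header value into readable text."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def summarize_record(line):
    """Parse one ND-JSON email record and derive triage fields from it."""
    rec = json.loads(line)
    msg = rec["message"]
    # "headers" is a raw RFC 5322 header block; HeaderParser unfolds the
    # "\n\t" continuation lines seen in the Received header for us.
    headers = HeaderParser().parsestr(msg["headers"], headersonly=True)

    # parseaddr also copes with the encoded display name seen in the
    # Spam-Select sample's "from" value.
    envelope_from = parseaddr(msg.get("from", ""))[1]
    sender_domain = envelope_from.rpartition("@")[2].lower()
    helo = msg.get("helo", "").lower()

    # The first Received header was written by the honeypot's own MTA and
    # carries the connecting IP in brackets; cross-check it against srcip.
    received = headers.get_all("Received") or []
    m = _IPV4_IN_BRACKETS.search(received[0]) if received else None
    received_ip = m.group(1) if m else None

    return {
        "time": rec["time"],
        "srcip": msg.get("srcip"),
        "received_ip": received_ip,
        "srcip_matches_received": received_ip == msg.get("srcip"),
        "helo": helo,
        "envelope_from": envelope_from,
        "sender_domain": sender_domain,
        # A HELO name outside the sender's domain is a cheap signal worth keeping.
        "helo_matches_sender_domain": helo == sender_domain
        or helo.endswith("." + sender_domain),
        "rcpt": [parseaddr(r)[1] for r in msg.get("rcpt", [])],
        "subject": decode_rfc2047(headers.get("Subject")),
        "x_mailer": headers.get("X-Mailer"),
        "url_count": len(msg.get("bodyurl", [])),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_record(SAMPLE_LINE), indent=2, ensure_ascii=False))
```

The same function applies unchanged to Spam-Select records, since both channels use the email.proto field names; a batch consumer would call it once per line of the ND-JSON file.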

The bodyurl field

If the spam email contains URLs, those URLs are extracted and presented in the bodyurl field. A bodyurl record can contain zero or more URLs depending on the complexity of the email.

A sample bodyurl would look like this:

"bodyurl":
[
"https://example.com/928dave1042",
"https://example.com/928dave1028",
"https://example.com/928dave1029",
"https://example.com/10240/10240562/products/0x720@1632036731746111fcf=",
"https://example.com/928dave1042>",
"https://example.com/928dave1028>",
"https://example.com/928dave1029>",
"https://example.com/kb928luisdave828-unsub>",
"https://example.com/10240/10240562/products/0x720@16320349745ebf=",
"https://example.com/10240/10240562/products/0x720@163203=",
"https://example.com/928dave1037",
"https://example.com/10240/10240562/products/0x720@1632036500=",
"https://example.com/928dave1045>",
"https://example.com/928dave1045",
"https://example.com/928dave1026tibo>",
"https://example.com/928dave1037>",
"https://example.com/file=",
"https://example.com/kb928l="
]
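The sample above shows what a consumer of bodyurl actually receives: repeated links, a trailing ">" left over from angle-bracketed URLs, and tracking-style paths. As an added example that is not part of this guide, the Python helpers below normalize such a list (strip bracket and punctuation residue, lower-case the host, drop non-HTTP entries, de-duplicate while preserving order) and then match the remaining hosts against a domain watchlist, treating subdomains of a watched domain as hits. The URL list and the watchlist are constructed from reserved example domains; the helpers generalize beyond the sample in that they also reject malformed entries.

```python
from urllib.parse import urlsplit

# Constructed bodyurl list in the shape of the sample above (example.* are
# reserved documentation domains): duplicates, a trailing ">", case noise and
# one malformed entry.
SAMPLE_BODYURL = [
    "https://example.com/928dave1042",
    "https://example.com/928dave1042>",
    "https://example.com/kb928luisdave828-unsub>",
    "http://tracker.example.net/open?id=abc123",
    "https://EXAMPLE.com/928dave1042",
    "hxxp://not a url",
]

# Characters that commonly trail an extracted URL but are not part of it.
_TRAILING_JUNK = ">)].,;'\""


def normalize_url(url):
    """Strip residue and canonicalize the host; return None for non-HTTP URLs."""
    url = url.strip().rstrip(_TRAILING_JUNK)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # Rebuild the netloc without userinfo and with a lower-cased host so that
    # entries differing only in case collapse into one.
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return parts._replace(netloc=netloc).geturl()


def dedupe_urls(urls):
    """Normalized, order-preserving, duplicate-free view of a bodyurl list."""
    seen, out = set(), []
    for raw in urls:
        url = normalize_url(raw)
        if url and url not in seen:
            seen.add(url)
            out.append(url)
    return out


def hosts_of(urls):
    """Sorted unique hostnames referenced by a bodyurl list."""
    return sorted({urlsplit(u).hostname for u in dedupe_urls(urls)})


def watchlist_hits(urls, watchlist):
    """Normalized URLs whose host is a watched domain or a subdomain of one."""
    watched = {w.lower().lstrip(".") for w in watchlist}
    hits = []
    for url in dedupe_urls(urls):
        host = urlsplit(url).hostname
        if any(host == w or host.endswith("." + w) for w in watched):
            hits.append(url)
    return hits


if __name__ == "__main__":
    print(dedupe_urls(SAMPLE_BODYURL))
    print(hosts_of(SAMPLE_BODYURL))
    print(watchlist_hits(SAMPLE_BODYURL, ["example.net"]))
```

Because a record may carry zero URLs, every helper accepts an empty list and returns an empty result, so it can be applied to each record without a guard.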

SIE Access Methods

Data from SIE can be accessed and acquired using the following methods:

For additional information about SIE access methods, please see the SIE Technical Overview document.

Direct Connect

SIE Direct Connect allows a customer to physically connect a server to the Farsight SIE network for maximum data throughput. This can be done in one of two ways:

If a blade server is leased from Farsight, it will be pre-installed with the essential software components needed to acquire, process, compress, buffer, and transfer data from SIE channels to the customer’s data center for additional analysis, enrichment, and storage.

If a customer uses their own server, an order can be submitted for a cross-connect to the SIE switches hosted at select Equinix data centers (Ashburn DC3 and Palo Alto SV8). An FSI account manager can help guide cross-connect provisioning details, hosting, or colocation options.

For additional information about SIE connection methods, please see the SIE Technical Overview document. A Farsight sales representative will be happy to share a copy of this document with you; it will help you understand which connection method will work best for you.

SIE Remote Access (SRA)

SIE Remote Access (SRA) enables a customer to remotely connect to the Security Information Exchange (SIE) from anywhere on the Internet. SRA delivers SIE channel data to the customer’s own servers, allowing their analysis and processing systems to be located in their own data centers rather than physically co-located at a Farsight data center.

Due to the technical limitations of transporting high bitrate SIE channels across the Internet, the SRA access method is not available for all SIE channels. Please reference the SIE Channel Guide for channels that can be accessed using SRA.

SRA uses the Advanced Exchange Access (AXA) transport protocol which enables SRA sessions to perform the following:

The streaming search and filtering capabilities of AXA enable SRA to access and acquire meaningful and relevant data from SIE while avoiding the costs of transporting enormous volumes of data across the Internet.

Note: For high-volume channels accessed using SRA, customers are expected to specify a search or filter for the IP addresses and DNS domain names or hostnames of interest. The SRA service will then collect and send only data matching the specified criteria across the Internet to the customer.

SIE Batch

SIE Batch provides on-demand access for downloading data from SIE channels using a RESTful API or a web-based interface. You select the channel and the time window you are interested in, then download the data for analysis. The duration of available data depends on the channel, but is typically the most recent 12-18 hours. SIE Batch allows you to acquire data from an SIE channel using two methods:

Advanced Exchange Access Middleware Daemon (AXAMD)

Farsight also provides a RESTful middleware layer in front of its AXA service. This service is called the AXA Middleware Daemon (AXAMD); it adds a streaming HTTP interface on top of the AXA toolkit, which enables web-application developers to interface with SIE using SRA. Farsight has also published a command-line tool and Python extension library called axamd_client (https://github.com/farsightsec/axamd_client). This toolkit is licensed under the Apache 2.0 license.

The Advanced Exchange Access (AXA) toolkit (https://github.com/farsightsec/axa) contains tools and a C library that bring Farsight’s real-time data and services directly from the Farsight Security Information Exchange (SIE) to the customer’s network.

Advanced Exchange Access Middleware Daemon (AXAMD) is a suite of tools and library code that brings Farsight’s real-time data and services directly from the Farsight Security Information Exchange (SIE) to the customer’s network.

Due to the technical limitations of transporting high bitrate SIE channels across the Internet, the AXAMD access method is not available for all SIE channels.

Additional Information

Additional information about the creation and use of honeypots/spamtraps is available at:

About Farsight Security

Farsight Security, Inc. is the world’s leading provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich, and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government, and security industry personnel and platforms with unmatched global visibility, context, and response. Farsight Security is headquartered in San Mateo, California, USA. To learn more about how we can empower your security, threat, and intelligence platforms and security organization with Farsight Security passive DNS (pDNS) and threat intelligence solutions, please visit us at www.farsightsecurity.com or follow us on Twitter at @FarsightSecInc.