
Honeypot Management

Honeypots are the foundation of Smailander's security monitoring. This guide covers creating, configuring, and managing your email honeypots.

Understanding Honeypots

What is a Honeypot?

An email honeypot is a decoy email address designed to attract malicious emails. When attackers send emails to these addresses, Smailander captures and analyzes them for threat intelligence.

Honeypot Lifecycle

graph LR
    A[Create] --> B[Deploy]
    B --> C[Monitor]
    C --> D[Analyze]
    D --> E[Archive]
    E --> F[Delete]
    F --> A

Creating Honeypots

Quick Creation

The fastest way to create a honeypot:

  1. Navigate to Honeypots → Create New
  2. Enter email address (e.g., test@company.com)
  3. Select purpose: Monitoring, Leak Detection, Testing, or Trap
  4. Add optional description
  5. Click "Create Honeypot"

Best Practice

Use descriptive local parts so the purpose of each honeypot is clear from its address:

- monitor@company.com - General monitoring
- amazon-leak@company.com - Detect Amazon data leaks
- test-filter@company.com - Test spam filters

Advanced Creation

For more control, use the advanced creation form:

Email Address Configuration

{
  "email_address": "honeypot@company.com",
  "domain": "company.com",
  "purpose": "monitoring"
}

Options:

- Email address: Must be unique (not already in use)
- Domain: Must be registered in your Smailander settings
- Purpose: Monitoring, Leak Detection, Testing, or Trap

Purpose and Categorization

{
  "purpose": "leak-detection",
  "category": "third-party",
  "description": "Detect data leaks from third-party vendors",
  "priority": "high",
  "tags": ["vendor", "third-party", "sensitive"]
}

Purpose Types:

| Purpose | Description | Use Case |
|---|---|---|
| monitoring | General email collection | Threat research |
| leak-detection | Track data breaches | Identify compromised services |
| testing | Test security controls | Filter validation |
| trap | Attract attackers | Active threat research |

Alert Configuration

{
  "alerts": {
    "enabled": true,
    "threat_threshold": 70,
    "email_notifications": true,
    "webhook_url": "https://your-server.com/webhook",
    "webhook_secret": "your-secret-key"
  }
}

Alert Settings:

- Threat threshold: Minimum threat score to trigger an alert (0-100)
- Email notifications: Send email alerts to registered users
- Webhook URL: Send real-time notifications to your endpoint
- Webhook secret: Used for signature verification; treat it as a credential, since it is what lets your endpoint tell Smailander's deliveries apart from anyone else who learns the webhook URL

Bulk Creation

Create multiple honeypots at once using CSV or JSON upload.

CSV Format:

email_address,purpose,description,category
test1@company.com,monitoring,Test honeypot 1,general
test2@company.com,leak-detection,Vendor leak check,vendor
test3@company.com,testing,Filter test,testing

JSON Format:

[
  {
    "email_address": "test1@company.com",
    "purpose": "monitoring",
    "description": "Test honeypot 1",
    "category": "general"
  },
  {
    "email_address": "test2@company.com",
    "purpose": "leak-detection",
    "description": "Vendor leak check",
    "category": "vendor"
  }
]
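Before uploading a bulk file it is worth checking it locally against the rules stated above (unique addresses, registered domain, one of the four purposes), because a single bad row is easier to find here than in a rejected upload. The following validator is an added example, not Smailander's code or a documented API: it accepts either the CSV or the JSON layout shown above, and assumes a local list of registered domains (REGISTERED_DOMAINS) standing in for your Smailander settings. The sample rows are constructed.

```python
"""Validate a Smailander bulk-creation file (CSV or JSON) before upload.

Added example, not part of Smailander's documentation or code. Assumes the
four purposes listed on this page and a locally known set of registered
domains; the sample rows below are constructed.
"""
import csv
import io
import json

ALLOWED_PURPOSES = {"monitoring", "leak-detection", "testing", "trap"}

# Assumption: the domains registered in your Smailander settings.
REGISTERED_DOMAINS = {"company.com"}

REQUIRED_FIELDS = ("email_address", "purpose")


def parse_bulk(text):
    """Parse CSV or JSON bulk input into a list of row dicts."""
    stripped = text.lstrip()
    if stripped.startswith("["):
        rows = json.loads(stripped)
        if not isinstance(rows, list):
            raise ValueError("JSON bulk file must be a list of objects")
        return rows
    return list(csv.DictReader(io.StringIO(text)))


def validate_rows(rows):
    """Return human-readable problems; an empty list means the file is clean."""
    problems = []
    seen = set()
    for i, row in enumerate(rows, start=1):
        for field in REQUIRED_FIELDS:
            if not row.get(field):
                problems.append(f"row {i}: missing {field}")
        addr = (row.get("email_address") or "").strip().lower()
        if not addr:
            continue
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or not domain:
            problems.append(f"row {i}: {addr!r} is not a valid address")
        elif domain not in REGISTERED_DOMAINS:
            problems.append(f"row {i}: domain {domain!r} is not registered")
        if addr in seen:  # uniqueness is case-insensitive on the address
            problems.append(f"row {i}: duplicate address {addr!r}")
        seen.add(addr)
        purpose = row.get("purpose", "")
        if purpose and purpose not in ALLOWED_PURPOSES:
            problems.append(f"row {i}: unknown purpose {purpose!r}")
    return problems


def validate_bulk_file(text):
    return validate_rows(parse_bulk(text))


# Constructed sample: row 2 duplicates row 1 (differing only in case),
# row 3 uses an unregistered domain, row 4 misspells the purpose.
SAMPLE_CSV = """email_address,purpose,description,category
vendor-a-leak@company.com,leak-detection,Vendor A leak check,vendor
Vendor-A-Leak@company.com,monitoring,Duplicate,general
monitor@other-domain.com,monitoring,Wrong domain,general
trap-admin@company.com,honeytrap,Typo in purpose,trap
"""

if __name__ == "__main__":
    for problem in validate_bulk_file(SAMPLE_CSV):
        print(problem)
```

Run it against the file you intend to upload; an empty result means every row satisfies the constraints listed under Advanced Creation.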

Managing Honeypots

Honeypot List View

The honeypot list shows all your honeypots with key information:

| Column | Description |
|---|---|
| Email | Honeypot email address |
| Purpose | Purpose category (color-coded icon) |
| Status | Active, Inactive, Pending, or Suspended |
| Emails | Total emails received |
| Threats | Threats detected |
| Last Activity | Time of last email |
| Actions | View, Edit, Delete, Archive |

Status Indicators

| Status | Color | Meaning |
|---|---|---|
| Active | 🟢 Green | Receiving emails normally |
| Inactive | ⚪ Gray | No emails in 30 days |
| Pending | 🟡 Yellow | Awaiting verification |
| Suspended | 🔴 Red | Manually suspended |

Filtering Honeypots

Filter honeypots by multiple criteria:

{
  "status": ["active", "inactive"],
  "purpose": "leak-detection",
  "category": "vendor",
  "dateRange": {
    "start": "2026-03-01",
    "end": "2026-03-12"
  },
  "sort": "last_activity",
  "order": "descending"
}

Filter Options:

- Status: Active, Inactive, Pending, Suspended
- Purpose: Monitoring, Leak Detection, Testing, Trap
- Category: User-defined categories
- Date Range: Created date or last activity date
- Sort: Email count, threat count, last activity, creation date
- Order: Ascending or descending

Honeypot Details

Overview Section

The honeypot overview provides a comprehensive summary:

┌─────────────────────────────────────────────────────────┐
│ Honeypot: test@company.com                             │
│ Status: Active | Purpose: Leak Detection                │
├─────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐       │
│ │ Total       │ │ Threats     │ │ Last Email  │       │
│ │ 1,247       │ │ 834 (67%)   │ │ 2 min ago   │       │
│ └─────────────┘ └─────────────┘ └─────────────┘       │
├─────────────────────────────────────────────────────────┤
│ Top Senders:                                           │
│ 1. spam@bad1.com (234 emails)                          │
│ 2. phishing@bad2.com (189 emails)                      │
│ 3. malware@bad3.com (156 emails)                       │
├─────────────────────────────────────────────────────────┤
│ Threat Distribution:                                   │
│ Malware: 45% | Spam: 35% | Phishing: 20%              │
└─────────────────────────────────────────────────────────┘

Email Timeline

Visual timeline of emails received by this honeypot:

Volume
 50│        ●●●●●●●
 40│      ●●●●●●●●●●
 30│    ●●●●●●●●●●●●●●
 20│  ●●●●●●●●●●●●●●●●●●
 10│●●●●●●●●●●●●●●●●●●●●●
  0└─────────────────────────→ Time
    Mon Tue Wed Thu Fri Sat Sun

Features:

- Zoom in/out for different time scales
- Hover for detailed email information
- Click to view email details
- Color-coded by threat score

Recent Emails

List of most recent emails for this honeypot:

| Time | From | Subject | Threat Score | Action |
|---|---|---|---|---|
| 2 min ago | bad@evil.com | Your account | 85 THREAT | View |
| 15 min ago | spam@bulk.com | Win now! | 72 THREAT | View |
| 1 hour ago | test@clean.com | Test email | 12 CLEAN | View |

Editing Honeypots

Basic Properties

Update honeypot basic information:

  • Description: Change the description
  • Purpose: Change the purpose category
  • Tags: Add or remove tags
  • Priority: Set priority level (low, medium, high, critical)

Alert Configuration

Modify alert settings:

{
  "alerts": {
    "enabled": true,
    "threat_threshold": 80,
    "email_notifications": true,
    "email_recipients": ["security@company.com"],
    "webhook_url": "https://your-server.com/webhook",
    "webhook_secret": "new-secret-key"
  }
}

Changes to make:

- Enable/disable alerts: Turn notifications on or off
- Adjust threshold: Change the minimum threat score for alerts
- Add recipients: Add additional email recipients
- Update webhook: Change the webhook URL or secret
- Remove webhook: Disable webhook notifications

Webhook Verification

When updating the webhook URL, confirm that the endpoint is reachable and that it actually checks the X-Smailander-Signature header rather than accepting any POST:

# Test webhook endpoint
curl -X POST https://your-server.com/webhook \
  -H "Content-Type: application/json" \
  -H "X-Smailander-Signature: sha256=abc123..." \
  -d '{"event":"test","data":"test"}'

# A reachable endpoint that accepts the request responds: {"status":"ok"}

The signature value in this request is a placeholder. An endpoint that verifies signatures with the webhook secret should reject it, so use this request to confirm reachability, and a request signed with the real secret to confirm that verified deliveries return {"status":"ok"}. If the placeholder signature is answered with {"status":"ok"}, the endpoint is not verifying and anyone who learns the URL can inject fake alerts.
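The check the receiving endpoint should perform, as an added example that is not Smailander's code. The page says the webhook secret is used for signature verification and shows a header of the form sha256=<value>, but does not document the scheme, so this example assumes the common convention of HMAC-SHA256 over the raw request body with the shared secret, hex-encoded; confirm the real scheme before relying on it. The request body is the one from the curl above; the secret and the placeholder signature are the page's own placeholder values.

```python
"""Webhook receiver logic with signature verification.

Added example, not Smailander's code. ASSUMED scheme: X-Smailander-Signature
carries "sha256=" + hex(HMAC-SHA256(secret, raw body)). Adjust sign() if the
documented scheme differs; verify() and handle_webhook() stay the same.
"""
import hashlib
import hmac
import json

HEADER = "X-Smailander-Signature"


def sign(secret, body):
    """Header value for a body under the assumed scheme."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify(secret, body, header_value):
    """Constant-time comparison of the header against the raw body."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign(secret, body)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def handle_webhook(headers, body, secret):
    """Return (HTTP status, JSON response) as an endpoint would.

    headers: dict of request headers; body: raw bytes exactly as received
    (verify before parsing, and never re-serialize the JSON first, since
    that changes the bytes the signature covers).
    """
    if not verify(secret, body, headers.get(HEADER)):
        return 401, {"status": "invalid signature"}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {"status": "bad json"}
    # Only a verified payload reaches processing.
    return 200, {"status": "ok", "event": event.get("event")}


SECRET = "your-secret-key"                     # the webhook_secret from the alert config
TEST_BODY = b'{"event":"test","data":"test"}'  # body sent by the curl above

if __name__ == "__main__":
    # The placeholder signature from the curl must be rejected.
    print(handle_webhook({HEADER: "sha256=abc123"}, TEST_BODY, SECRET))
    # A request signed with the real secret is accepted.
    print(handle_webhook({HEADER: sign(SECRET, TEST_BODY)}, TEST_BODY, SECRET))
```

Two details matter in practice: verify over the raw bytes before any JSON parsing, and compare with hmac.compare_digest so a timing difference cannot leak the expected value.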

Honeypot Actions

Suspend Honeypot

Temporarily stop receiving emails:

  1. Open honeypot details
  2. Click "Suspend"
  3. Confirm action
  4. Honeypot status changes to "Suspended"

Impact

  • Suspended honeypots will not receive new emails
  • Existing emails remain accessible
  • Alerting continues for historical data

Activate Honeypot

Resume receiving emails:

  1. Open suspended honeypot details
  2. Click "Activate"
  3. Confirm action
  4. Honeypot status changes to "Active"

Verification

The honeypot may need re-verification if the domain's DNS records changed while it was suspended.

Archive Honeypot

Archive inactive honeypots to reduce clutter:

  1. Open honeypot details
  2. Click "Archive"
  3. Confirm action
  4. Honeypot is hidden from main view

What happens:

- Honeypot removed from the active list
- All emails remain accessible
- Can be restored at any time
- No new emails received

Delete Honeypot

Permanently remove a honeypot:

  1. Open honeypot details
  2. Click "Delete"
  3. Confirm action
  4. Honeypot is permanently removed

Permanent Action

  • All emails will be deleted
  • Configuration is removed
  • Cannot be undone
  • GDPR deletion compliance required

Honeypot Strategies

Data Breach Detection Strategy

Deploy unique honeypots for each service or vendor:

graph TD
    A[Honeypot for Amazon] -->|Receives email| B[Amazon Compromised]
    C[Honeypot for Google] -->|Receives email| D[Google Compromised]
    E[Honeypot for GitHub] -->|Receives email| F[GitHub Compromised]

Implementation:

1. Create a honeypot for each third-party service
2. Use the service name in the address: amazon-leak@company.com
3. Set purpose to "leak-detection"
4. Configure alerts for immediate notification
5. Monitor for any email activity

Give each address to exactly one service and use it nowhere else; the attribution only works when the address has a single possible source, so any mail arriving at it means that source has lost control of it.

Benefits:

- Identify exactly which service was compromised
- Immediate notification of a data breach
- Evidence for vendor accountability
- Prioritized incident response
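The alert rules described on this page and in the Alert Configuration section, combined in one decision routine as an added example (not Smailander's alerting code): a monitoring, testing or trap honeypot alerts when the threat score reaches its threat_threshold, while a leak-detection honeypot alerts on any mail at all, and the vendor is read back out of the "<vendor>-leak@" naming convention suggested above. The Honeypot and Alert types, the triage() helper and all sample records are constructed for the example.

```python
"""Alert decision for an inbound honeypot email, with vendor attribution
for leak-detection hits.

Added example, not Smailander's code. Encodes two rules from this page:
alert when score >= threat_threshold (0-100), and alert on any activity
at a leak-detection address. The "<vendor>-leak@domain" convention is the
page's naming suggestion; every record below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Honeypot:
    email_address: str
    purpose: str                # monitoring | leak-detection | testing | trap
    alerts_enabled: bool = True
    threat_threshold: int = 70  # page's example value


@dataclass
class Alert:
    honeypot: str
    reason: str
    vendor: Optional[str] = None


def implicated_vendor(address):
    """'amazon-leak@company.com' -> 'amazon'; None if the convention is not used."""
    local = address.split("@", 1)[0].lower()
    suffix = "-leak"
    if local.endswith(suffix) and len(local) > len(suffix):
        return local[: -len(suffix)]
    return None


def evaluate(hp, sender, threat_score):
    """Return an Alert if this email should notify, else None."""
    if not 0 <= threat_score <= 100:
        raise ValueError("threat score must be within 0-100")
    if not hp.alerts_enabled:
        return None
    if hp.purpose == "leak-detection":
        # The address was handed to exactly one vendor, so any mail at all
        # is the signal; the threat score does not matter here.
        return Alert(hp.email_address,
                     f"leak-detection address received mail from {sender}",
                     implicated_vendor(hp.email_address))
    if threat_score >= hp.threat_threshold:
        return Alert(hp.email_address,
                     f"threat score {threat_score} reached threshold {hp.threat_threshold}")
    return None


def triage(honeypots, inbound):
    """honeypots: {address: Honeypot}; inbound: (recipient, sender, score) tuples."""
    alerts = []
    for recipient, sender, score in inbound:
        hp = honeypots.get(recipient)
        if hp is None:
            continue  # not a honeypot address
        alert = evaluate(hp, sender, score)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample inputs.
HONEYPOTS = {
    "monitor@company.com": Honeypot("monitor@company.com", "monitoring"),
    "amazon-leak@company.com": Honeypot("amazon-leak@company.com", "leak-detection"),
    "admin-trap@company.com": Honeypot("admin-trap@company.com", "trap", threat_threshold=80),
}
INBOUND = [
    ("monitor@company.com", "spam@bulk.example", 72),           # alerts: 72 >= 70
    ("monitor@company.com", "news@clean.example", 12),          # no alert
    ("amazon-leak@company.com", "promo@unrelated.example", 8),  # alerts: any mail
    ("admin-trap@company.com", "bad@evil.example", 75),         # no alert: 75 < 80
]

if __name__ == "__main__":
    for alert in triage(HONEYPOTS, INBOUND):
        print(alert)
```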

Active Threat Research Strategy

Deploy honeypots that attract attackers:

Trap Honeypots:

- Use attractive email addresses: admin@company.com (make sure it is not a mailbox anyone actually uses)
- Deploy in visible locations
- Monitor for sophisticated attacks
- Analyze attack techniques

Monitoring Honeypots:

- Deploy across multiple domains
- Collect diverse threat data
- Build comprehensive threat intelligence
- Support security research

Testing Strategy

Test your security controls before deploying:

// Test honeypot deployment plan
const testPlan = {
  phase1: "Create test@company.com",
  phase2: "Configure low alert threshold",
  phase3: "Send test emails",
  phase4: "Verify detection accuracy",
  phase5: "Adjust detection rules",
  phase6: "Deploy production honeypots"
};

Test Scenarios:

- Spam detection accuracy
- Malware scanning effectiveness
- Phishing detection precision
- Alert delivery reliability
- Dashboard performance

Honeypot Analytics

Honeypot Performance

Track honeypot effectiveness:

| Metric | Description | Target |
|---|---|---|
| Email Rate | Emails per day | Variable |
| Threat Rate | % of emails that are threats | > 50% |
| Detection Accuracy | Correct classification | > 90% |
| Alert Response Time | Time to alert | < 30 sec |

The threat-rate target applies to monitoring, testing and trap honeypots; for a leak-detection honeypot, receiving no mail at all is the desired result.

Comparative Analysis

Compare honeypots to identify patterns:

Honeypot Comparison
┌─────────────────────────────────────────────┐
│ test@company.com                            │
│ Emails: 1,247 | Threats: 834 (67%)         │
│ Top Sender: spam@bad.com (234 emails)       │
│                                             │
│ monitor@company.com                         │
│ Emails: 3,456 | Threats: 2,890 (84%)       │
│ Top Sender: phishing@evil.com (567 emails)  │
│                                             │
│ amazon-leak@company.com                     │
│ Emails: 12 | Threats: 0 (0%)                │
│ Status: No recent activity                  │
└─────────────────────────────────────────────┘

Insights:

- High-threat honeypots are attracting sophisticated attacks
- Low-threat monitoring or trap honeypots may be poorly placed
- Inactive leak-detection honeypots indicate no data leaks (good!)
- Adjust strategy based on results
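The per-honeypot numbers above, and the readings drawn from them, computed from raw received-email records as an added example (not Smailander's analytics code). It applies the page's rules: an email at or above the 70-point example threshold counts as a threat, a honeypot with no mail in 30 days is Inactive, the 50% threat-rate target applies to non-leak honeypots, and an inactive leak-detection honeypot is a good sign. The export layout (honeypot, sender, received_at, score), the fixed "now" and all records are constructed.

```python
"""Per-honeypot summary and comparative insights from raw email records.

Added example, not Smailander's code. Assumes a flat export of received
emails as dicts with honeypot, sender, received_at (aware datetime) and
score; thresholds are the page's example values; all records are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

THREAT_SCORE = 70                    # at/above this an email counts as a threat
INACTIVE_AFTER = timedelta(days=30)  # page's rule: Inactive = no email in 30 days
THREAT_RATE_TARGET = 50              # page's target for non-leak honeypots (%)


def summarize(honeypots, emails, now):
    """honeypots: {address: purpose}. Returns {address: metrics}; honeypots
    with no mail are included so they show up as inactive."""
    grouped = {hp: [] for hp in honeypots}
    for e in emails:
        grouped.setdefault(e["honeypot"], []).append(e)
    summary = {}
    for hp, items in grouped.items():
        if not items:
            summary[hp] = {"emails": 0, "threats": 0, "threat_rate": 0,
                           "top_sender": None, "last_activity": None,
                           "status": "inactive"}
            continue
        threats = sum(1 for e in items if e["score"] >= THREAT_SCORE)
        last = max(e["received_at"] for e in items)
        top = Counter(e["sender"] for e in items).most_common(1)[0][0]
        summary[hp] = {
            "emails": len(items),
            "threats": threats,
            "threat_rate": round(100 * threats / len(items)),
            "top_sender": top,
            "last_activity": last,
            "status": "active" if now - last < INACTIVE_AFTER else "inactive",
        }
    return summary


def insights(summary, honeypots):
    """Apply the page's reading of the numbers to each honeypot."""
    notes = {}
    for hp, m in summary.items():
        if honeypots.get(hp) == "leak-detection":
            notes[hp] = ("no recent activity: no leak signal (good)"
                         if m["status"] == "inactive"
                         else "receiving mail: address may have leaked, investigate the vendor")
        elif m["threat_rate"] < THREAT_RATE_TARGET:
            notes[hp] = "below threat-rate target: may be poorly placed"
        else:
            notes[hp] = "attracting threats as intended"
    return notes


# Constructed sample data with a fixed clock so the 30-day rule is reproducible.
NOW = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)
HONEYPOTS = {
    "monitor@company.com": "monitoring",
    "amazon-leak@company.com": "leak-detection",
    "admin-trap@company.com": "trap",
}
EMAILS = [
    {"honeypot": "monitor@company.com", "sender": "phishing@evil.example", "score": 85, "received_at": NOW - timedelta(minutes=2)},
    {"honeypot": "monitor@company.com", "sender": "phishing@evil.example", "score": 72, "received_at": NOW - timedelta(hours=1)},
    {"honeypot": "monitor@company.com", "sender": "spam@bulk.example", "score": 90, "received_at": NOW - timedelta(days=1)},
    {"honeypot": "monitor@company.com", "sender": "news@clean.example", "score": 12, "received_at": NOW - timedelta(days=2)},
    {"honeypot": "amazon-leak@company.com", "sender": "orders@vendor.example", "score": 5, "received_at": NOW - timedelta(days=45)},
    {"honeypot": "amazon-leak@company.com", "sender": "orders@vendor.example", "score": 10, "received_at": NOW - timedelta(days=60)},
]

if __name__ == "__main__":
    s = summarize(HONEYPOTS, EMAILS, NOW)
    for hp, note in insights(s, HONEYPOTS).items():
        print(f"{hp}: {s[hp]['emails']} emails, {s[hp]['threat_rate']}% threats, {s[hp]['status']} -> {note}")
```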

Best Practices

1. Strategic Placement

  • High visibility: Place honeypots where attackers can find them
  • Diverse domains: Use multiple domains for broader coverage
  • Realistic addresses: Use believable email patterns
  • Purpose-driven: Create honeypots with specific purposes

2. Naming Conventions

Use clear, descriptive naming:

Good Examples:
- amazon-leak@company.com
- monitor-sales@company.com
- test-filter-2026@company.com
- admin-trap@company.com

Bad Examples:
- test1@company.com (unclear purpose)
- abc123@company.com (no context)
- @company.com (no local part)

3. Alert Configuration

  • Set appropriate thresholds: Avoid alert fatigue
  • Multiple channels: Use email + webhook for reliability
  • Prioritize alerts: Critical threats first
  • Test alerts: Verify they work before relying on them

4. Regular Review

  • Weekly: Check honeypot activity
  • Monthly: Review and update strategy
  • Quarterly: Audit and clean up inactive honeypots
  • Annually: Rotate honeypot addresses

Troubleshooting

Honeypot Not Receiving Emails

Symptom: Honeypot shows no emails

Possible Causes:

1. DNS configuration incorrect
2. Domain not verified
3. Email blocked by spam filters

Solutions:

1. Verify DNS records in Smailander settings
2. Check domain verification status
3. Test email delivery
4. Check spam folder

High False Positive Rate

Symptom: Many legitimate emails flagged as threats

Solutions:

1. Adjust detection thresholds
2. Review detection rules
3. Update scanner configurations
4. Provide feedback on misclassified emails

Missing Alerts

Symptom: Not receiving email notifications

Solutions:

1. Check the email address in settings
2. Verify alert configuration
3. Test the webhook URL
4. Check the spam folder for alerts
5. Verify API key permissions
