SMTP Relay Honeypot Tutorial
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: SMTP Relay Honeypot Tutorial

  1. #1

    SMTP Relay Honeypot Tutorial

    SMTP Relay Honeypot Tutorial
    By Soda_Popinsky

    Overview:

    This tutorial details the use of the Jackpot Mailswerver located here:
    http://jackpot.uk.net/

    A honeypot is, to quote Lance Spitzner founder of the Honeynet Project:

    “Information system resource whose value lies in unauthorized or illicit use of that resource.”

    Simply put, a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers. I believe that most of the lure in honeypot technology lies in the sense of control it provides the owner. Network security is about avoidance, prevention, and mitigation, except where honeypots are involved. My interest in honeypots comes from a honeypots aggressive nature. A honeypot enables you to push back.

    Jackpot is a “ready-to-run SMTP relay honeypot, written in pure Java”. With a tool like Jackpot, one can fight back against spammers with accurately logged complaints. The Jackpot website lists organizations you can go to with these complaints:

    http://www.abuse.net/
    http://www.spamhaus.org/index.lasso
    http://www.euro.cauce.org/en/
    http://www.cauce.org/
    http://spam.abuse.net/
    http://www.spamhelp.org/

    Installation:

    Find the download link here:
    http://jackpot.uk.net

    Unzip the file, and open the folder. Configuration is our first priority. Open jackpot.properties in a text editor. These fields are the most important:

    ServerHeader: Change this to a fake server header (Jackpot by default is a dead giveaway, we’ll discuss later)
    SmtpAddress: Specify the IP that jackpot will “serve” on.
    HtmlPath: Change this to a folder name that you will remember
    RoleAccountAlias: Specify the email address that postmaster email will go to
    AdminUser: User ID for web admin
    AdminPassword: User Pass for web admin
    HttpPort: Change this to a port number you will access the web interface from. If left default, it could be a giveaway.
    ServerName: Change this so your machine name isn’t revealed to a HELO command.

    Review the other fields, you may need to tweak depending on your situation or configuration.

    Here is the configuration file I am using:

    #This entry specifies the value retuned in the "Server: " HTTP header returned
    #by Jackpot. By default, Jackpot claims to be "Jackpot" (with the current version number).
    ServerHeader= Current Industries v 1.3

    #IP Address where SMTP will be served, if your host is multi-homed. If the host is
    #multi-homed, and this entry is missing or blank, SMTP will be served on all addresses.
    SmtpAddress=

    #Specifies a virtual path for HTML. This defaults to "html", i.e.
    #the root hosts page is http://<jackpot>:<port>/html/hosts.html.
    #If you set this value to "xyzzy", then HTTP requests must be of the
    #form http://<jackpot>:<port>/xyzzy/something.html, otherwise they
    #will elicit a 404. This is supposed to make it easier for Jackpot to be
    #stealthy.
    HtmlPath=jacklog

    #Specifies an email address to which all mail to postmaster@[jackpot] or
    #abuse@[jackpot] is to be forwarded.
    RoleAccountAlias=SodaP@yahoo.com

    #UserID for access to web-admin.
    AdminUser=honeypot

    #Password for access to Web-admin
    AdminPassword=jackpotpassword

    ################################################################
    #The next section contains stuff you might customise to make
    #this Jackpot look different from other Jackpots. If you want to
    #customise these entries, telnet to a real mailserver and
    #see how *it* behaves.
    ################################################################

    #Port for serving HTTP; it would be a good idea to change this, because the
    #Jackpot server could be fingerprinted by finding it's HTTP server.
    HttpPort=8081

    #This entry specifies the response sent to (all) VRFY requests.
    VrfyResponse=250 User not recognized

    #This entry specifies the response to (all) EXPN requests.
    ExpnResponse=502 Command is disabled

    #This entry specifies the response to (all) TURN requests.
    TurnResponse=502 Command not implemented

    #Specifies the 503 message
    BadSequenceResponse=Bad sequence of commands

    #This entry specifies the response to a DATA request.
    DataResponse=Enter mail, end with \".\" on a line by itself

    #This entry specifies the response to a connection request when no threads are
    #available in ther SMTP pool.
    DiskFullResponse=Disk full

    #Controls whether Jackpot adds a Received: header. Defaults to yes. If it doesn't,
    #it's a badly-broken relay.
    AddReceivedHeader=yes

    #Controls whether any Received: header should show the sending host and address.
    #If not, then the received header will show only the return path from the HELO (which
    #a spammer would normally be forge). If this is No, Jackpot acts as a blind relay.
    ShowReceivedHost=no

    #This entry specifies the name of the mail server, as output in the banner.
    #There are some (commented out) examples below from real mail-servers.
    #MTADescription=Jackpot MailSwerver Version 1.0.0
    MTADescription=ESMTP Sendmail V8

    #This entry specifies the name of this machine, used in the response to HELO/EHLO,
    #in any Received: header added by Jackpot to relayed messages,
    #and to construct a postmaster address. Defaults to the name of your localhost
    #(best setting).
    ServerName=EVER-12E5oP

    ################################################################
    #This section contains stuff related to logging and so on -
    #general system control.
    ################################################################


    #If set to Yes, bounce-messages will be sent for unaliased addresses in this
    #(Jackpot's) domain, and whenever a recipient's mailhosts cannot be contacted.
    #Default is no.
    SendBounceMessages=no

    #This entry specifies the maximum number of recipients in a message-envelope before it is
    #rejected as spam. If you find you are getting relay-requests with multiple recipients,
    #consider raising it.
    MaxRecipients=1

    #Extra time taken to respond to commands when in a spamrun.
    #This is applied to every line entered in a HELO dioalog; the default is 1s. This
    #is enough to make a HTML message from Outlook Express take almost a minute to enter.
    TarpitDelay=3000

    #The amount of time considered 'too soon' for the purposes of determining if a
    #message should be relayed. Messages submitted via SMTP may also be subject to
    #tarpitting if they arrive 'too soon'. Default is 20s.
    MinSpamInterval=20000

    #This entry specifies the location for log output.
    logfile=jackpot.log


    #This entry controls the size of the ThreadPool. Jackpot will
    #politely decline protocol activities on ports 25 and [HTTP-port]
    #once the number of free threads falls below 5.
    MaxThreads = 50

    #Specifies the nameserver to use. If not provided, uses the system default.
    #Doesn't seem to affect anything much.
    #NameServer=

    #Specifies the (comma-delimited)names:ports of the HTTP servers to be updated
    when SMTP traffic is captured.
    LogServers=127.0.0.1

    #Determines whether an Ident service should be offered to abuse.net
    #(speeds up enquiries).
    IdentForAbuse=yes

    #Specifies what kinds of message get output to the system logs. This is a
    #bit-set, the values are as follows:
    # SMTP = 1;
    # HTTP = 2;
    # RELAY = 4;
    # STATUS = 8;
    # PROXY = 16;
    # ENVE = 32;
    # CONFIG = 64;
    # DEBUG = 128;
    FileLogging=255
    ConsoleLogging=31


    #Specifies a limit on the number of spams that should be stored for
    #each spam-source.
    MaxStoragePerSource=100

    ################################################################
    #This section specifies timouts for socket-connections used for
    #several different purposes. Times are in milliseconds.
    ################################################################
    #How long to wait for proxy-test results
    ProxyCheckTimeout=3000

    #How long to wait for abuse.net lookups
    AbuseLookupTimeout=3000

    #How long to wait for SBL lookups
    SBLLookupTimeout=2000

    ################################################################
    #This section controls what is running, and how, at system
    #startup.
    ################################################################

    #Whether to start the HTTP service.
    StartupHttp=yes

    #Whether to start the SMTP service
    StartupSmtp=yes

    #Whether to start up with relaying enabled
    StartupRelay=no

    #Whether to start up with tarpitting enabled
    StartupTarpit=yes

    #Whether to start up with POSTing to storage enabled
    StartupStorage=yes

    #Whether to start up with the SOCKSV4 Proxy Server running
    StartupProxy=no

    ################################################################
    #The last section contains stuff you are unlikely to need to
    #change, at least for now.
    ################################################################

    #Port for serving SMTP; if you change this, you'll probably be the only
    #person who ever sends mail to your Jackpot server.
    SmtpPort=25

    #This entry restricts the maximum number of messages that can be queued at any one time.
    #The queue is in memory, and Spammy will have to send relay-requests on multiple
    #connections simultaneously to have a chance of filling it up.
    MaxQueueSize=100
    To start the honeypot, run jackpot.bat in the console. You will see it begin the “Mailswerver” daemon, as well as it’s web services.

    C:\Documents and Settings\Soda\Desktop\jackpot-1.2.2>jackpot.bat
    C:\Documents and Settings\Soda\Desktop\jackpot-1.2.2>java -Xss32k -Xmx24M -classpath ./classes;dnsjava-1.2.4.jar;jackpot.jar net.jackpot.Jackpot
    05/02/04 19:25:06 GMT STATUS Jackpot Mailswerver version 1.2.2
    05/02/04 19:25:15 GMT STATUS Started SMTP for your.ip.address
    05/02/04 19:25:15 GMT STATUS Serving SMTP on port 25 for your.ip.address
    05/02/04 19:25:15 GMT STATUS Serving HTTP on port 8081
    05/02/04 19:25:15 GMT STATUS Jackpot version 1.2.1 is available at jackpot.uk.net
    05/02/04 19:25:34 GMT SMTP attack.ip.address your.ip.address HELO
    05/02/04 19:25:59 GMT SMTP attack.ip.address your.ip.address HELO
    You'll notice the last 2 lines in the console, they don't appear when you start jackpot. Those are captured attacks, and will appear as they arrive.

    Logging:

    Logging is done in the file jackpot.log. The second column containing ENVE will contain communication with your honeypot.

    Sample snippet from my log (notice the telnet-ish behavior of the attacker)
    05/02/04 08:02:32 GMT ENVE AttackerIP MyIP 250 none-e8alt64jnu
    05/02/04 08:02:56 GMT ENVE AttackerIP MyIP MAIL FROM: asdf@ASDF.com
    05/02/04 08:02:59 GMT ENVE AttackerIP MyIP 250 Sender asdf@ASDF.com OK
    05/02/04 08:03:16 GMT ENVE AttackerIP MyIP RCPT TP O: M<AIL@OTHER>COM
    05/02/04 08:03:19 GMT ENVE AttackerIP MyIP 500 Command garbled
    05/02/04 08:03:38 GMT ENVE AttackerIP MyIP RCPT TPOL: MAIL @ OTHER>COM.
    05/02/04 08:03:41 GMT ENVE AttackerIP MyIP 500 Command garbled
    05/02/04 08:03:53 GMT ENVE AttackerIP MyIP RCPT TO: MAIL@other.com
    05/02/04 08:03:56 GMT ENVE AttackerIP MyIP 250 Recipient MAIL@other.com OK
    05/02/04 08:04:06 GMT ENVE AttackerIP MyIP DATA
    Jackpot also has a web interface, which we configured earlier. Visit http://localhost:[HttpPort]/[HtmlPath]/home.html for your interface. Fill in the fields with the ones defined in your config file.

    The logging interface is very simple, you just click on a host and view the spam attempts they made on your server, including the data that was attempted to be sent, and other useful info for a complaint.

    Admin:

    Your username and password were defined in the config file earlier. Very simple interface for a very simple honeypot. It’s very self explanatory, except for the tarpit feature. That number forces a delay between commands, slowing the spammer down.

    Conclusion:

    Jackpot is hardly an industrial strength honeypot, but it’s good enough to be very useful. I don’t expect anyone will use this tutorial on a production environment, but just be aware that Honeypots introduce a security risk into an environment. So if you know what you are doing, go for it.
    -------------------------------------------------------

    I have no idea how old the Jackpot software is because it isn't shown anywhere on the site. I was able to use it just fine.

    I will have another tutorial coming out on Valentines Day, hopefully. It’s describes new breed of honeypot that you should all enjoy.

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    Soda, no offense, I find it's better reading the details on the website rather than this "security tutorial".
    I see you've posted some helpful tutorials, but honestly a sample network configuration (along with sample server's IP address, spammer's IP address, etc), sample jackpot.properties file, and sample console output would help.

    Anyway, nice find! Jackpot is a great honeypot.

    I have no idea how old the Jackpot software is because it isn't shown anywhere on the site. I was able to use it just fine.
    I believe it was released on around 2002. See the licensing terms on the website.

    Peace always,
    &lt;jdenny&gt;
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  3. #3
    Junior Member
    Join Date
    Feb 2005
    Posts
    1
    thankyou very much

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    SMTP relay honeypot...that sounds like a mix up of ideas...at least at this time in the morning it does.

    A mail relay typically acts as a filter anyway and ensures that your mail server is not directly accessible from the internet, and a honeypot is used to fool attackers into wasting their time attacking target X while your other systems stay safe.

    So, why would you want to make your mail relay a honeypot???

    Unless of course it was a completely fake SMTP relay to begin with.
    Quis custodiet ipsos custodes

  5. #5
    Spammers look for open relays for spamming. Jackpot is a completely fake open relay, and pretty much just wastes a spammers time and collects information about the spammer.

    jdenny- none taken! I'm a selfish tutorial writer, I only write these things when I have a need for them myself (and I needed this one quick last night). If I have time I may plug in some sample configs.

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    So its more of a research tool then anything else?
    Quis custodiet ipsos custodes

  7. #7
    Nearly every (if not all) honeypots are considered research tools. Jackpot is a tool that allows you to catch spammers in the act of exploiting open relays, and allows you to either see what they do, waste their time with the tarpit function, or take action against the spammer.

    I'll be making additions to the tut shortly.

    edit: Additions made

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Yes I amware of that, but a mail relay honeypot seems to be more of a research tool then a "standard honeypot" which you may use to delay attackers. Whereas I see no point in setting up a fake mail relay for spammers to waste them time with (other then research) as it just chews up your bandwidth. As you just prevent your mail system from allowing external relaying and thats the attack mitigated.
    Quis custodiet ipsos custodes

  9. #9
    Yup, you are correct. I wouldn't put something like this on my business network, it's pretty much only for research. Personally, I am having fun with it and I hope I didn't promote it as a line of defense.

  10. #10
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    Well, personally, I like the idea, it sounds interesting and fun. I would give you AP's but for some reason i'm getting this:

    You have given out too many AntiPoints today, try again later.
    Go figure...
    I am the uber duck!!1
    Proxy Tools

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides