SMTP Relay Honeypot Tutorial
By Soda_Popinsky

Overview:

This tutorial details the use of the Jackpot Mailswerver located here:
http://jackpot.uk.net/

A honeypot is, to quote Lance Spitzner, founder of the Honeynet Project:

“Information system resource whose value lies in unauthorized or illicit use of that resource.”

Simply put, a honeypot is something that appears to be vulnerable, but in reality is recording illicit use by malicious attackers. I believe that most of the lure in honeypot technology lies in the sense of control it provides the owner. Network security is about avoidance, prevention, and mitigation, except where honeypots are involved. My interest in honeypots comes from a honeypot’s aggressive nature. A honeypot enables you to push back.

Jackpot is a “ready-to-run SMTP relay honeypot, written in pure Java”. With a tool like Jackpot, one can fight back against spammers with complaints backed by accurate logs. The Jackpot website lists organizations you can go to with these complaints:

http://www.abuse.net/
http://www.spamhaus.org/index.lasso
http://www.euro.cauce.org/en/
http://www.cauce.org/
http://spam.abuse.net/
http://www.spamhelp.org/

Installation:

Find the download link here:
http://jackpot.uk.net

Unzip the archive and open the folder it creates. Configuration is our first priority: open jackpot.properties in a text editor. These fields are the most important:

ServerHeader: Change this to a fake server header for the web interface (the default, “Jackpot”, is a dead giveaway; the comments in the config file below cover the other fingerprinting fields)
SmtpAddress: The IP address Jackpot will serve SMTP on; leave it blank to listen on all addresses
HtmlPath: Change this to a URL path you will remember; the default “html” is easy to guess
RoleAccountAlias: The email address that mail to postmaster@ and abuse@ on the honeypot is forwarded to
AdminUser: User ID for web admin
AdminPassword: Password for web admin (it is stored in the clear in this file, so pick a strong one)
HttpPort: Change this to the port you will access the web interface from. If left at the default, it could be a giveaway.
ServerName: Change this so your machine name isn’t revealed in the HELO/EHLO response or in the Received: headers Jackpot adds

Review the other fields, you may need to tweak depending on your situation or configuration.

Here is the configuration file I am using:

#This entry specifies the value returned in the "Server: " HTTP header sent
#by Jackpot. By default, Jackpot claims to be "Jackpot" (with the current version number).
ServerHeader= Current Industries v 1.3

#IP Address where SMTP will be served, if your host is multi-homed. If the host is
#multi-homed, and this entry is missing or blank, SMTP will be served on all addresses.
SmtpAddress=

#Specifies a virtual path for HTML. This defaults to "html", i.e.
#the root hosts page is http://<jackpot>:<port>/html/hosts.html.
#If you set this value to "xyzzy", then HTTP requests must be of the
#form http://<jackpot>:<port>/xyzzy/something.html, otherwise they
#will elicit a 404. This is supposed to make it easier for Jackpot to be
#stealthy.
HtmlPath=jacklog

#Specifies an email address to which all mail to postmaster@[jackpot] or
#abuse@[jackpot] is to be forwarded.
RoleAccountAlias=SodaP@yahoo.com

#UserID for access to web-admin.
AdminUser=honeypot

#Password for access to Web-admin
AdminPassword=jackpotpassword

################################################################
#The next section contains stuff you might customise to make
#this Jackpot look different from other Jackpots. If you want to
#customise these entries, telnet to a real mailserver and
#see how *it* behaves.
################################################################

#Port for serving HTTP; it would be a good idea to change this, because the
#Jackpot server could be fingerprinted by finding its HTTP server.
HttpPort=8081

#This entry specifies the response sent to (all) VRFY requests.
VrfyResponse=250 User not recognized

#This entry specifies the response to (all) EXPN requests.
ExpnResponse=502 Command is disabled

#This entry specifies the response to (all) TURN requests.
TurnResponse=502 Command not implemented

#Specifies the 503 message
BadSequenceResponse=Bad sequence of commands

#This entry specifies the response to a DATA request.
DataResponse=Enter mail, end with \".\" on a line by itself

#This entry specifies the response to a connection request when no threads are
#available in the SMTP pool.
DiskFullResponse=Disk full

#Controls whether Jackpot adds a Received: header. Defaults to yes. If it doesn't,
#it's a badly-broken relay.
AddReceivedHeader=yes

#Controls whether any Received: header should show the sending host and address.
#If not, then the received header will show only the return path from the HELO (which
#a spammer would normally forge). If this is No, Jackpot acts as a blind relay.
ShowReceivedHost=no

#This entry specifies the name of the mail server, as output in the banner.
#There are some (commented out) examples below from real mail-servers.
#MTADescription=Jackpot MailSwerver Version 1.0.0
MTADescription=ESMTP Sendmail V8

#This entry specifies the name of this machine, used in the response to HELO/EHLO,
#in any Received: header added by Jackpot to relayed messages,
#and to construct a postmaster address. Defaults to the name of your localhost
#(best setting).
ServerName=EVER-12E5oP

################################################################
#This section contains stuff related to logging and so on -
#general system control.
################################################################


#If set to Yes, bounce-messages will be sent for unaliased addresses in this
#(Jackpot's) domain, and whenever a recipient's mailhosts cannot be contacted.
#Default is no.
SendBounceMessages=no

#This entry specifies the maximum number of recipients in a message-envelope before it is
#rejected as spam. If you find you are getting relay-requests with multiple recipients,
#consider raising it.
MaxRecipients=1

#Extra time taken to respond to commands when in a spamrun.
#This is applied to every line entered in a HELO dialog; the default is 1s. This
#is enough to make a HTML message from Outlook Express take almost a minute to enter.
TarpitDelay=3000

#The amount of time considered 'too soon' for the purposes of determining if a
#message should be relayed. Messages submitted via SMTP may also be subject to
#tarpitting if they arrive 'too soon'. Default is 20s.
MinSpamInterval=20000

#This entry specifies the location for log output.
logfile=jackpot.log


#This entry controls the size of the ThreadPool. Jackpot will
#politely decline protocol activities on ports 25 and [HTTP-port]
#once the number of free threads falls below 5.
MaxThreads = 50

#Specifies the nameserver to use. If not provided, uses the system default.
#Doesn't seem to affect anything much.
#NameServer=

#Specifies the (comma-delimited) names:ports of the HTTP servers to be updated
#when SMTP traffic is captured.
LogServers=127.0.0.1

#Determines whether an Ident service should be offered to abuse.net
#(speeds up enquiries).
IdentForAbuse=yes

#Specifies what kinds of message get output to the system logs. This is a
#bit-set, the values are as follows:
# SMTP = 1;
# HTTP = 2;
# RELAY = 4;
# STATUS = 8;
# PROXY = 16;
# ENVE = 32;
# CONFIG = 64;
# DEBUG = 128;
FileLogging=255
ConsoleLogging=31


#Specifies a limit on the number of spams that should be stored for
#each spam-source.
MaxStoragePerSource=100

################################################################
#This section specifies timeouts for socket-connections used for
#several different purposes. Times are in milliseconds.
################################################################
#How long to wait for proxy-test results
ProxyCheckTimeout=3000

#How long to wait for abuse.net lookups
AbuseLookupTimeout=3000

#How long to wait for SBL lookups
SBLLookupTimeout=2000

################################################################
#This section controls what is running, and how, at system
#startup.
################################################################

#Whether to start the HTTP service.
StartupHttp=yes

#Whether to start the SMTP service
StartupSmtp=yes

#Whether to start up with relaying enabled
StartupRelay=no

#Whether to start up with tarpitting enabled
StartupTarpit=yes

#Whether to start up with POSTing to storage enabled
StartupStorage=yes

#Whether to start up with the SOCKSV4 Proxy Server running
StartupProxy=no

################################################################
#The last section contains stuff you are unlikely to need to
#change, at least for now.
################################################################

#Port for serving SMTP; if you change this, you'll probably be the only
#person who ever sends mail to your Jackpot server.
SmtpPort=25

#This entry restricts the maximum number of messages that can be queued at any one time.
#The queue is in memory, and Spammy will have to send relay-requests on multiple
#connections simultaneously to have a chance of filling it up.
MaxQueueSize=100
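Jackpot reads jackpot.properties as a plain key=value file, so the giveaways listed above can be checked automatically before the honeypot is exposed. The script below is an added example for this tutorial, not part of the Jackpot distribution: it parses the file, reports any non-comment line that is not key=value (a wrapped comment line that has lost its leading "#" is the classic case, and Java would silently store it under a bogus key), and flags the settings that still say "Jackpot", an empty ServerName, the default HtmlPath, an unset HttpPort, relaying switched on at startup, a suppressed Received: header, and a weak admin password. The property names are Jackpot's own, taken from the config above; the checks, the 12-character password threshold and the sample text are this example's assumptions.

```python
"""Audit a jackpot.properties file for settings that give the honeypot away.

Added example for this tutorial, not part of the Jackpot distribution.
Property names are the real ones from jackpot.properties; the checks, the
password-length threshold and the sample text are this example's own.
"""
import re

JACKPOT_MARKER = re.compile(r"jackpot", re.IGNORECASE)
MIN_PASSWORD_LEN = 12  # example threshold, not a Jackpot setting


def parse_properties(text):
    """Parse Java-style key=value lines; returns (props, problems).

    Comments start with '#' or '!', spaces around '=' are ignored. A non-comment
    line without '=' is reported: Java would silently store it under a bogus
    key, which is what happens to a wrapped comment that lost its leading '#'.
    """
    props, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not key=value: {line!r}")
            continue
        props[key.strip()] = value.strip()
    return props, problems


def audit(props):
    """Return the giveaway or risky settings found in props (empty = clean)."""
    def get(key):
        return props.get(key, "")

    findings = []
    # Fingerprinting: anything that still says "Jackpot" to a remote client.
    if not get("ServerHeader") or JACKPOT_MARKER.search(get("ServerHeader")):
        findings.append("ServerHeader: HTTP Server: header still identifies Jackpot")
    if not get("MTADescription") or JACKPOT_MARKER.search(get("MTADescription")):
        findings.append("MTADescription: SMTP banner still identifies Jackpot")
    if not get("ServerName"):
        findings.append("ServerName: empty, so HELO/EHLO replies carry the real hostname")
    if get("HtmlPath") in ("", "html"):
        findings.append("HtmlPath: default 'html' makes the log pages easy to find")
    if not get("HttpPort"):
        findings.append("HttpPort: unset, so the web interface sits on the default port")

    # Operational risk: a honeypot that really relays becomes a spam source.
    if get("StartupRelay").lower() == "yes":
        findings.append("StartupRelay: yes, relaying is enabled from startup")
    if get("AddReceivedHeader").lower() == "no":
        findings.append("AddReceivedHeader: no, relayed mail carries no trace of its source")

    # The admin login guards the captured spam and the relay switch.
    password = get("AdminPassword")
    if len(password) < MIN_PASSWORD_LEN or JACKPOT_MARKER.search(password):
        findings.append(f"AdminPassword: shorter than {MIN_PASSWORD_LEN} chars or contains 'jackpot'")
    return findings


def audit_text(text):
    """Parse and audit in one go; parse problems are listed first."""
    props, problems = parse_properties(text)
    return problems + audit(props)


# Constructed sample: the tutorial's own values, plus a wrapped comment whose
# second line has lost its '#'.
SAMPLE = """\
ServerHeader= Current Industries v 1.3
HtmlPath=jacklog
AdminUser=honeypot
AdminPassword=jackpotpassword
HttpPort=8081
#MTADescription=Jackpot MailSwerver Version 1.0.0
MTADescription=ESMTP Sendmail V8
ServerName=EVER-12E5oP
#Specifies the (comma-delimited)names:ports of the HTTP servers to be updated
when SMTP traffic is captured.
LogServers=127.0.0.1
StartupRelay=no
AddReceivedHeader=yes
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE) or ["clean"]:
        print(finding)
```

Run it against your own jackpot.properties by reading the file into audit_text; an empty list means none of the checks fired. The two hits on the sample are the broken comment line and an AdminPassword that contains the product name.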

To start the honeypot, run jackpot.bat in the console. You will see it start the “Mailswerver” daemon as well as its web services:

C:\Documents and Settings\Soda\Desktop\jackpot-1.2.2>jackpot.bat
C:\Documents and Settings\Soda\Desktop\jackpot-1.2.2>java -Xss32k -Xmx24M -classpath ./classes;dnsjava-1.2.4.jar;jackpot.jar net.jackpot.Jackpot
05/02/04 19:25:06 GMT STATUS Jackpot Mailswerver version 1.2.2
05/02/04 19:25:15 GMT STATUS Started SMTP for your.ip.address
05/02/04 19:25:15 GMT STATUS Serving SMTP on port 25 for your.ip.address
05/02/04 19:25:15 GMT STATUS Serving HTTP on port 8081
05/02/04 19:25:15 GMT STATUS Jackpot version 1.2.1 is available at jackpot.uk.net
05/02/04 19:25:34 GMT SMTP attack.ip.address your.ip.address HELO
05/02/04 19:25:59 GMT SMTP attack.ip.address your.ip.address HELO
The last two lines did not appear at startup: they are SMTP connections that Jackpot captured after it came up, and further captures will appear as they arrive.

Logging:

Logging is done in the file jackpot.log (the logfile entry in the config). Each line carries the date, time, zone, a type tag, the client IP, the honeypot IP and the text of the command or reply. Lines tagged ENVE record the SMTP envelope dialogue with your honeypot, and those are the lines a complaint is built from.

Sample snippet from my log (notice the typos: the attacker is typing SMTP commands by hand, probably in telnet, and Jackpot answers each garbled line with 500 Command garbled):
05/02/04 08:02:32 GMT ENVE AttackerIP MyIP 250 none-e8alt64jnu
05/02/04 08:02:56 GMT ENVE AttackerIP MyIP MAIL FROM: asdf@ASDF.com
05/02/04 08:02:59 GMT ENVE AttackerIP MyIP 250 Sender asdf@ASDF.com OK
05/02/04 08:03:16 GMT ENVE AttackerIP MyIP RCPT TP O: M<AIL@OTHER>COM
05/02/04 08:03:19 GMT ENVE AttackerIP MyIP 500 Command garbled
05/02/04 08:03:38 GMT ENVE AttackerIP MyIP RCPT TPOL: MAIL @ OTHER>COM.
05/02/04 08:03:41 GMT ENVE AttackerIP MyIP 500 Command garbled
05/02/04 08:03:53 GMT ENVE AttackerIP MyIP RCPT TO: MAIL@other.com
05/02/04 08:03:56 GMT ENVE AttackerIP MyIP 250 Recipient MAIL@other.com OK
05/02/04 08:04:06 GMT ENVE AttackerIP MyIP DATA
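Reading ENVE lines by eye works for one attacker; on a busy honeypot you want the envelope pulled out per source so a complaint can quote sender, recipients and timestamps. The script below is an added example for this tutorial, not a Jackpot component: it keeps only the ENVE lines of jackpot.log, pairs each client command with the reply code Jackpot gave it, and records per client IP the accepted sender and recipients, the number of commands answered with a 5xx, whether DATA was reached, and the gaps between commands. The sample log is constructed (the snippet above plus a scripted-looking second session from a documentation address); the timestamps are assumed to be day/month/year, as the tutorial's 05/02/04 dates suggest, and the "hand-typed" threshold must sit well above your TarpitDelay because the delay before each reply is part of every gap.

```python
"""Pull per-source complaint records out of the ENVE lines of jackpot.log.

Added example for this tutorial, not part of Jackpot. Log line layout, as
shown in the tutorial: date time zone TYPE client-ip honeypot-ip text.
Assumption: the date is day/month/year (the tutorial's 05/02/04 timestamps).
"""
from datetime import datetime
import re

REPLY = re.compile(r"^(\d{3})[ -]")                       # lines the honeypot sent
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?([^>\s]+)>?", re.IGNORECASE)
RCPT_TO = re.compile(r"^RCPT TO:\s*<?([^>\s]+)>?", re.IGNORECASE)


def parse_line(line):
    """Split one log line into (stamp, client, honeypot, text); None unless ENVE."""
    parts = line.split(None, 6)
    if len(parts) < 7 or parts[3] != "ENVE":
        return None
    date, clock, _zone, _kind, client, honeypot, text = parts
    stamp = datetime.strptime(f"{date} {clock}", "%d/%m/%y %H:%M:%S")
    return stamp, client, honeypot, text


def new_record(honeypot, stamp):
    return {"honeypot": honeypot, "first": stamp, "last": stamp, "sender": None,
            "recipients": [], "rejected": 0, "reached_data": False,
            "pending": None, "gaps": [], "last_cmd": None}


def summarise(log_text):
    """Return {client_ip: record} built from the ENVE lines of log_text."""
    records = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        stamp, client, honeypot, text = parsed
        rec = records.setdefault(client, new_record(honeypot, stamp))
        rec["last"] = stamp
        reply = REPLY.match(text)
        if reply:
            code = reply.group(1)
            if code.startswith("5"):
                rec["rejected"] += 1            # e.g. "500 Command garbled"
            elif code == "250" and rec["pending"]:
                kind, value = rec["pending"]    # 250 confirms the pending command
                if kind == "sender":
                    rec["sender"] = value
                else:
                    rec["recipients"].append(value)
            rec["pending"] = None
            continue
        # Anything else is a client command: time it, then classify it.
        if rec["last_cmd"] is not None:
            rec["gaps"].append((stamp - rec["last_cmd"]).total_seconds())
        rec["last_cmd"] = stamp
        if m := MAIL_FROM.match(text):
            rec["pending"] = ("sender", m.group(1))
        elif m := RCPT_TO.match(text):
            rec["pending"] = ("recipient", m.group(1))
        elif text.upper() == "DATA":
            rec["reached_data"] = True
    return records


def looks_hand_typed(rec, slow_seconds=10.0):
    """Garbled commands or long pauses suggest a human on telnet, not a spam tool.

    slow_seconds must be well above TarpitDelay (3 s in the tutorial's config),
    because the tarpit delay before every reply is part of each gap.
    """
    gaps = rec["gaps"]
    slow = bool(gaps) and sum(gaps) / len(gaps) > slow_seconds
    return rec["rejected"] > 0 or slow


# Constructed sample: the tutorial's snippet, a non-ENVE line, and a
# scripted-looking session from 198.51.100.7 (a documentation address).
SAMPLE_LOG = """\
05/02/04 08:02:32 GMT ENVE AttackerIP MyIP 250 none-e8alt64jnu
05/02/04 08:02:56 GMT ENVE AttackerIP MyIP MAIL FROM: asdf@ASDF.com
05/02/04 08:02:59 GMT ENVE AttackerIP MyIP 250 Sender asdf@ASDF.com OK
05/02/04 08:03:16 GMT ENVE AttackerIP MyIP RCPT TP O: M<AIL@OTHER>COM
05/02/04 08:03:19 GMT ENVE AttackerIP MyIP 500 Command garbled
05/02/04 08:03:38 GMT ENVE AttackerIP MyIP RCPT TPOL: MAIL @ OTHER>COM.
05/02/04 08:03:41 GMT ENVE AttackerIP MyIP 500 Command garbled
05/02/04 08:03:53 GMT ENVE AttackerIP MyIP RCPT TO: MAIL@other.com
05/02/04 08:03:56 GMT ENVE AttackerIP MyIP 250 Recipient MAIL@other.com OK
05/02/04 08:04:06 GMT ENVE AttackerIP MyIP DATA
05/02/04 09:10:00 GMT STATUS Serving HTTP on port 8081
05/02/04 09:10:00 GMT ENVE 198.51.100.7 MyIP MAIL FROM:<promo@example.net>
05/02/04 09:10:03 GMT ENVE 198.51.100.7 MyIP 250 Sender promo@example.net OK
05/02/04 09:10:03 GMT ENVE 198.51.100.7 MyIP RCPT TO:<list@example.org>
05/02/04 09:10:06 GMT ENVE 198.51.100.7 MyIP 250 Recipient list@example.org OK
05/02/04 09:10:06 GMT ENVE 198.51.100.7 MyIP DATA
05/02/04 09:10:09 GMT ENVE 198.51.100.7 MyIP 354 Enter mail, end with "." on a line by itself
"""

if __name__ == "__main__":
    for ip, rec in summarise(SAMPLE_LOG).items():
        print(f"{ip} -> {rec['honeypot']} {rec['first']:%Y-%m-%d %H:%M:%S}..{rec['last']:%H:%M:%S}"
              f" sender={rec['sender']} rcpts={rec['recipients']} rejected={rec['rejected']}"
              f" data={rec['reached_data']} hand_typed={looks_hand_typed(rec)}")
```

The record for each client IP is what you paste into an abuse.net or Spamhaus report: honeypot address, first and last timestamp in GMT, the envelope sender and recipients Jackpot accepted, and how many lines it bounced. The hand-typed flag separates the curious telnet user from the spam tool that hits the relay with fixed, machine-paced commands.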

Jackpot also has a web interface, which we configured earlier. Visit http://localhost:[HttpPort]/[HtmlPath]/home.html, substituting the HttpPort and HtmlPath values from your config file. The interface is plain HTTP, so the admin login travels in the clear; keep the HttpPort reachable only from your own address with a host firewall.

The logging interface is very simple: click on a host to see the spam attempts it made on your server, including the message it tried to relay and the other details you need for a complaint.

Admin:

Your username and password were defined in the config file earlier (AdminUser and AdminPassword). It is a very simple interface for a very simple honeypot, and self-explanatory except for the tarpit field. That number is the extra delay, in milliseconds, that Jackpot waits before answering each command during a spam run (TarpitDelay in the config); it slows the spammer down without refusing the session, so the evidence keeps accumulating in the log.

Conclusion:

Jackpot is hardly an industrial-strength honeypot, but it’s good enough to be very useful. I don’t expect anyone will use this tutorial in a production environment, but be aware that honeypots introduce a security risk into an environment: this one answers anyone who connects to port 25, and with relaying switched on (StartupRelay, or the switch in the admin interface) it would deliver the spam it is fed, making you the open relay the spammer was looking for. Keep relaying off unless you understand what it does. So if you know what you are doing, go for it.
-------------------------------------------------------

I have no idea how old the Jackpot software is because it isn't shown anywhere on the site. I was able to use it just fine.

I will have another tutorial coming out on Valentine’s Day, hopefully. It describes a new breed of honeypot that you should all enjoy.