-
November 10th, 2009, 11:14 PM
#1
Junior Member
SMTP Honeypot
Hello,
I'm looking to build an SMTP honeypot. Well...sort of. This won't be a honeypot that's exposed to the internet. Most of the email honeypots I've found (there aren't all that many!) fall short or have been defunct for several years and are designed to emulate open relays. An open relay concept works, but basically I need an email server that will accept and store all email sent to ANY user at ANY domain. Have any ideas?
I appreciate any help...
-
November 12th, 2009, 01:01 PM
#2
Originally Posted by theantiphish
Hello,
I'm looking to build an SMTP honeypot. Well...sort of. This won't be a honeypot that's exposed to the internet. Most of the email honeypots I've found (there aren't all that many!) fall short or have been defunct for several years and are designed to emulate open relays. An open relay concept works, but basically I need an email server that will accept and store all email sent to ANY user at ANY domain. Have any ideas?
I appreciate any help...
I think THIS may be what you're looking for..
http://www.postfix.org/smtp-sink.1.html
(relevant part)
DESCRIPTION
smtp-sink listens on the named host (or address) and port.
It takes SMTP messages from the network and throws them
away. The purpose is to measure client performance, not
protocol compliance.
smtp-sink may also be configured to capture each mail
delivery transaction to file. Since disk latencies are
large compared to network delays, this mode of operation
can reduce the maximal performance by several orders of
magnitude.
Found that courtesy of a post from Wietse Venema (creator of Postfix) Original post: http://archives.neohapsis.com/archiv...7-11/0882.html
While that will probably answer your basic question.. the reverse would be ... why would you want to do this?
Unless you are running this on an IP that has once had a known MX associated, then the only traffic you're likely to see is random worm/virus scanning, or the potential test scan from your ISP or from a group like abuse.net or one of the old timey sorbs/orbs/relay searchers.
You're far more likely to catch spam/spammers in action if you seed a slightly complex email address into some site or web page ... or to use the address to post to newsgroups and see the email address make the rounds into sold address lists ... as the activity picks up, you'll know the address was put into more lists..
i.e. jenny2255b ... seems like a plausible email address @somedomain .. and if you've never had a "jenny2255b@" your domain before .... you could set it up, use it on a few popular message boards, and before you know it the trolls will have that address..
Either way ... good luck, and if you can, remember to post back about anything you've tried or found that solved the problem ... that's how we as the first two w's in www learn.
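A catch-all SMTP listener of the kind asked for in the first post, behaving like the capture-to-file mode quoted from the smtp-sink man page: it accepts mail for any user at any domain and writes each message to a spool directory. This is an added example, not part of the original posts and not Postfix code; the names `start_sink` and `Handler`, the `X-Sink-*` headers and the size caps are assumptions made for the example.

```python
import os, socketserver, threading, time, uuid

MAX_LINE, MAX_MSG = 4096, 1_000_000  # assumed caps: bytes per line / per stored message

class Handler(socketserver.StreamRequestHandler):
    timeout = 30  # idle clients are dropped (socketserver logs the timeout)

    def store(self, sender, rcpts, body):  # file name never uses client-supplied data
        name = f"{int(time.time())}.{uuid.uuid4().hex}.eml"
        with open(os.path.join(self.server.spool, name), "wb") as f:
            f.write(b"X-Sink-Peer: " + self.client_address[0].encode() + b"\r\nX-Sink-From: " + sender)
            f.write(b"".join(b"\r\nX-Sink-Rcpt: " + r for r in rcpts) + b"\r\n" + body)

    def read_data(self):
        body, bol = b"", True  # bol: we are at the beginning of a line
        while line := self.rfile.readline(MAX_LINE):
            if bol and line in (b".\r\n", b".\n"):
                break  # end-of-data marker
            if bol and line.startswith(b"."):
                line = line[1:]  # undo SMTP dot-stuffing
            bol = line.endswith(b"\n")
            body += line[:max(0, MAX_MSG - len(body))]
        return body

    def handle(self):
        sender, rcpts = b"", []
        self.wfile.write(b"220 sink ESMTP\r\n")
        while line := self.rfile.readline(MAX_LINE):
            cmd = line.strip()
            up = cmd.upper()
            if up.startswith(b"MAIL FROM:"):
                sender, rcpts = cmd[10:].strip(), []
            elif up.startswith(b"RCPT TO:"):
                rcpts.append(cmd[8:].strip())  # any user at any domain is accepted
            elif up == b"DATA":
                self.wfile.write(b"354 end with <CRLF>.<CRLF>\r\n")
                self.store(sender, rcpts, self.read_data())
                sender, rcpts = b"", []
            elif up[:4] == b"QUIT":
                return self.wfile.write(b"221 bye\r\n")
            elif up[:4] not in (b"HELO", b"EHLO", b"RSET", b"NOOP"):
                self.wfile.write(b"502 not implemented\r\n")
                continue
            self.wfile.write(b"250 ok\r\n")

def start_sink(spool, host="127.0.0.1", port=0):
    server = socketserver.ThreadingTCPServer((host, port), Handler)
    server.spool = spool  # directory that receives one .eml file per message
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

The default bind address is loopback, matching the original poster's requirement that the sink is not exposed to the internet; `server.server_address` gives the port that was actually assigned.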