
Thread: SMTP Honeypot

  1. #1
    Junior Member
    Join Date
    Nov 2009
    Posts
    1

    SMTP Honeypot

    Hello,

    I'm looking to build an SMTP honeypot. Well...sort of. This won't be a honeypot that's exposed to the internet. Most of the email honeypots I've found (there aren't all that many!) fall short or have been defunct for several years and are designed to emulate open relays. An open relay concept works, but basically I need an email server that will accept and store all email sent to ANY user at ANY domain. Have any ideas?

    I appreciate any help...

  2. #2
    Member
    Join Date
    Jul 2009
    Posts
    45
    Quote: Originally Posted by theantiphish
    Hello,

    I'm looking to build an SMTP honeypot. Well...sort of. This won't be a honeypot that's exposed to the internet. Most of the email honeypots I've found (there aren't all that many!) fall short or have been defunct for several years and are designed to emulate open relays. An open relay concept works, but basically I need an email server that will accept and store all email sent to ANY user at ANY domain. Have any ideas?

    I appreciate any help...

    I think THIS may be what you're looking for..

    http://www.postfix.org/smtp-sink.1.html

    (relevant part)
    DESCRIPTION
    smtp-sink listens on the named host (or address) and port.
    It takes SMTP messages from the network and throws them
    away. The purpose is to measure client performance, not
    protocol compliance.

    smtp-sink may also be configured to capture each mail
    delivery transaction to file. Since disk latencies are
    large compared to network delays, this mode of operation
    can reduce the maximal performance by several orders of
    magnitude.


    Found that courtesy of a post from Wietse Venema (creator of Postfix). Original post: http://archives.neohapsis.com/archiv...7-11/0882.html


    While that will probably answer your basic question.. the reverse would be ... why would you want to do this?

    Unless you are running this on an IP that has once had a known MX associated, then the only traffic you're likely to see is random worm/virus scanning, or the potential test scan from your ISP or from a group like abuse.net or one of the old timey sorbs/orbs/relay searchers.

    You're far more likely to catch spam/spammers in action if you seed a slightly complex email address into some site or web page ... or to use the address to post to newsgroups and see the email address make the rounds into sold address lists ... as the activity picks up, you'll know the address was put into more lists..

    i.e. jenny2255b ... seems like a plausible email address @somedomain .. and if you've never had a "jenny2255b@" at your domain before .... you could set it up, use it on a few popular message boards, and before you know it the trolls will have that address..

    Either way ... good luck, and if you can, remember to post back about anything you've tried or found that solved the problem ... that's how we as the first two w's in www learn.
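
Added example, not part of either post and not Postfix code: a small Python sink for the request in post #1, accepting mail for any user at any domain and writing each message, with its envelope, to its own spool file. The names `SinkHandler` and `make_sink`, the `sink.invalid` banner, the `X-Envelope-*` header names and the 1,000,000-byte cap are assumptions of this example.

```python
import os
import socketserver
import tempfile

class SinkHandler(socketserver.StreamRequestHandler):  # mail for ANY user at ANY domain
    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        sender, rcpts = "", []
        self.reply("220 sink.invalid ESMTP")  # constructed banner
        for raw in iter(lambda: self.rfile.readline(4096), b""):
            line = raw.decode("latin-1").strip()
            verb = line.upper()
            if verb.startswith(("HELO", "EHLO")):
                self.reply("250 sink.invalid")
            elif verb.startswith("MAIL FROM:"):
                sender, rcpts = line[10:].strip(), []
                self.reply("250 2.1.0 Ok")
            elif verb.startswith("RCPT TO:"):
                rcpts.append(line[8:].strip())  # catch-all: no user or domain check
                self.reply("250 2.1.5 Ok")
            elif verb == "DATA" and rcpts:
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                self.store(sender, rcpts)
                self.reply("250 2.0.0 Stored")
            elif verb == "QUIT":
                return self.reply("221 2.0.0 Bye")
            else:
                self.reply("503 5.5.1 Unsupported command or bad sequence")

    def store(self, sender, rcpts):  # one spool file per message: envelope, then DATA
        body, size, bol = [], 0, True  # bol: the previous read ended a line
        for raw in iter(lambda: self.rfile.readline(4096), b""):
            if bol and raw.rstrip(b"\r\n") == b".":
                break  # end-of-data marker
            if size < 1_000_000:  # assumed cap on stored bytes; the rest is discarded
                body.append(raw[1:] if bol and raw[:1] == b"." else raw)  # undo dot-stuffing
            size += len(raw)
            bol = raw.endswith(b"\n")
        envelope = f"X-Envelope-From: {sender}\r\nX-Envelope-To: {', '.join(rcpts)}\r\n"
        fd, _ = tempfile.mkstemp(suffix=".eml", dir=self.server.spool)  # created with mode 0600
        with os.fdopen(fd, "wb") as out:
            out.writelines([envelope.encode("latin-1"), *body])

def make_sink(spool, host="127.0.0.1", port=0):
    os.makedirs(spool, mode=0o700, exist_ok=True)
    server = socketserver.ThreadingTCPServer((host, port), SinkHandler)
    server.spool, server.daemon_threads = spool, True
    return server
```

Run it with `make_sink("spool", port=2525).serve_forever()`; it binds to 127.0.0.1 by default, in line with the original poster's requirement that the sink is not exposed to the internet.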
