Originally posted here by Soda_Popinsky
Hi minasbeede-

Jackpot, or any other honeypot, is not specifically defined as "production". So yes, Jackpot could be a production honeypot.

Unfortunately, Jackpot has been ditched and is no longer developed. I wouldn't encourage running it in a production environment for obvious reasons.

A quick glance at the proxypot changelog reveals the same (active development until May of this year, and nothing as far as community development it seems) so unless they magically ran out of bugs (or are developing elsewhere) I'd look for a different solution for the job.
Yes - although if it is run in a mode where it delivers nothing it is still useful. I saw that sometimes it did deliver spam, and that's bad enough to be avoided. "Production" is a word chosen by someone, I think Marcus Ranum, to differentiate that sort of usage from "research" usage. "Research" implies you just find things out and do nothing. "Production" implies going beyond finding things out. I think it also implies a narrow honeypot: one that is intended to capture only one specific type of abuse and be secure against all other types.

Originally I advocated running sendmail as a honeypot - the name "minasbeede" is a play on

sendmail -bd

Back then (circa 2001) that was enough to cause sendmail to accept everything but deliver nothing. Since then it's changed, and a bit more is needed. Jackpot isn't the only game in town: "roll your own" works.

Even when Jackpot delivered spam that was less than 1% of the incoming traffic. Many anti-spammers get all huffy about ever delivering any spam (and they do have a point) but when the internet as a whole essentially delivers 100% of the spam sent through it by abuse it's a bit short-sighted to complain about a system that instead stops 99% or so of it. But 100% stoppage is the goal. If Jackpot is run in the "deliver nothing" mode then it should only capture relay tests. There have been Oriental (Taiwan, Hong Kong, Korea, China) spammers who don't rely on receiving back their test messages and start trying to send spam merely because a system accepted a test message. Even in the "deliver nothing" mode Jackpot can stop some spam, and surely is useful for trapping relay tests.

Here's a captured relay test from somebody else's Jackpot:

220 mail.xxx.xxx.xxx ESMTP Sendmail (8.8.3/8.8.3) no UCE. See web page at servername Fri 02 Dec 2005 03:39:40 GMT
HELO yyy.yyy.yyy.yyy
250 mail.xxx.xxx.xxx
MAIL FROM:<[email protected]>
250 Sender <[email protected]> OK
RCPT TO:<[email protected]>
250 Recipient <[email protected]> OK
DATA
Message:

Received: from 58.53.63.222 ([58.53.63.222]) by mail.xxx.xxx.xxx (ESMTP Sendmail (8.8.3/8.8.3) no UCE. See web page at servername); Fri 02 Dec 2005 03:39:45 GMT
Subject: 7534df112cn206:yyy.yyy.yyy.yyy<192.168.0.137>
X-Priority: 1
X-Mail-Priority: Highest
Content-Type: text/plain;
I've replaced the actual IP number with yyy.yyy.yyy.yyy and changed the IP name to mail.xxx.xxx.xxx.

Back a ways in the logs of that Jackpot is a record of 2975 messages with 29680 recipients. That has to have been spam, with perhaps a few relay tests as well. Ah, yes: the subjects so far are all "Viagra/Cialis."

Real simple: the tested IP number is in the Subject. There is no message body.

I contend that the internet would be far different and far less available for abuse if some users would actually watch for the abuse and sometimes take action (like report the abuse to the involved ISPs.) Currently most ISPs probably would not even understand what you were telling them if you told them (as 56.com could be told) that an account on their system was being used as a dropbox for relay tests - that's how amazingly ignorant the internet as a whole is (where it's really the operators who are ignorant, of course.)

Microsoft recently filed a suit with around 20 defendants based, as far as I can tell, on information captured by a single zombie honeypot. Microsoft has the size and budget to be able to follow through with a major lawsuit but in principle anyone could gather similar information.

Some zombie software is sent as a virus, meaning the virus could infect a system anywhere and that system would then "report home" to the spammer of the infection. I find it thigh-slapping funny for a spammer to be setting himself up to be gulled by someone who sets up a trap and then does a fake "phone home" as though it really is a zombie.

Spam is improper behavior on the internet. Technical tools don't have to work only technically: they can gather evidence that can be used to alter behavior (such as make sending spam too expensive because of the lawsuits.)
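As an added illustration of the relay-test signature the reply above points out (tested host echoed in the Subject, no message body), here is a small parser for a captured SMTP session plus a check for that signature. This is example code written for this page, not Jackpot's own; the session text is constructed after the quoted capture, and the xxx/yyy hosts and mailbox names are placeholders.

```python
import re

# Constructed sample session modelled on the capture quoted above; the
# redacted hosts and the probe/dropbox mailboxes are placeholders, not real data.
SAMPLE_SESSION = """\
220 mail.xxx.xxx.xxx ESMTP Sendmail (8.8.3/8.8.3) no UCE.
HELO yyy.yyy.yyy.yyy
250 mail.xxx.xxx.xxx
MAIL FROM:<probe@example.com>
250 Sender <probe@example.com> OK
RCPT TO:<dropbox@example.net>
250 Recipient <dropbox@example.net> OK
DATA
Subject: 7534df112cn206:yyy.yyy.yyy.yyy<192.168.0.137>
Content-Type: text/plain;

"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_session(text):
    """Split a captured SMTP dialogue into envelope, headers and body."""
    lines = text.splitlines()
    session = {"helo": None, "mail_from": None, "rcpt_to": [], "headers": {}, "body": ""}
    for i, line in enumerate(lines):
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            session["helo"] = line.split(None, 1)[1].strip()
        elif upper.startswith(("MAIL FROM:", "RCPT TO:")):
            m = ADDR_RE.search(line)
            addr = m.group(1) if m else line.split(":", 1)[1].strip()
            if upper.startswith("MAIL"):
                session["mail_from"] = addr
            else:
                session["rcpt_to"].append(addr)
        elif upper == "DATA":
            # Headers run up to the first blank line; anything after it is the body.
            rest = lines[i + 1:]
            blank = rest.index("") if "" in rest else len(rest)
            for h in rest[:blank]:
                name, _, value = h.partition(":")
                session["headers"][name.strip().lower()] = value.strip()
            session["body"] = "\n".join(rest[blank + 1:]).strip()
            break
    return session


def is_relay_test(session, own_host):
    """Signature from the post: the tested host appears in the Subject and the body is empty."""
    subject = session["headers"].get("subject", "")
    helo = session["helo"]
    echoed = own_host in subject or (helo is not None and helo in subject)
    return session["body"] == "" and echoed
```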