HillsCap | May 3 2004, 01:12 AM | Post #1
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Hi, all.

I've hammered the spammers into submission so badly that I no longer receive spam in any great quantity. I've only gotten 8 over the last month, and that number is still falling. So, I had to find another method of fighting spammers. I decided to set up the JackPot SMTP teergrube / honeypot, from http://jackpot.uk.net/. This is a cool Java program... it lets a spammer's test emails be relayed, while blocking the actual spam that is sent. It also keeps a log of spammer activity, and serves that log via a built-in HTTP server. If you open a hole for that HTTP server's port through your firewall/router, you can give the URL for it to ISPs, so they can see for themselves that their users are spamming. And reporting that a user is trying to send hundreds of thousands of spams carries much more weight than reporting that you received a single spam email.

Anyway, I set up JackPot about a month or so ago, but didn't get any hits on it. So, I contacted Jack Cleaver, the author of the program. He suggested that I submit my JackPot to the various websites for open relay testing, which I did. Apparently, that worked. Over the last week or so, I've been getting nibbles from spammers in Taiwan, sending test messages (which, of course, JackPot let be delivered, to trick the spammers into thinking that it was, indeed, an open relay). Yesterday, the spammers got serious, and started sending spam, which JackPot is dumping to the bit-bucket. Over the last 24 hours, I've dumped over 200,000 spam emails, mostly addressed to HotMail accounts.

If everyone using SpamCop also ran JackPot, I think that would allow us to catch a lot more spammers, and it could possibly force the spammers to either quit sending spam (because the chances of getting caught go up dramatically due to more JackPot servers running, and the spammers are wasting more of their time and resources sending to SMTP servers that then just bit-bucket the spam), or to find another method of spamming.

Either way, it's a great way to slow them down. Imagine if 1000 people were running JackPot, each dumping 200,000 spams per day. That's 200,000,000 spams that don't get delivered. And it's a lot more spammers getting caught and shut down. If you haven't tried it, I highly recommend it.

This post has been edited by HillsCap: May 3 2004, 01:45 AM
dra007 | May 3 2004, 09:58 PM | Post #2
Been There | Group: Members | Posts: 1436 | Joined: 18-March 04 | Member No.: 777

I downloaded the file you suggested... setting it up seems somewhat cumbersome and their help files are a bit too scanty for a novice like myself. But I am certainly sold on the idea.
yourbuddy | May 4 2004, 09:11 AM | Post #3
Advanced Member | Group: Banned | Posts: 280 | Joined: 15-February 04 | Member No.: 381

Question ...
Would this not get you blacklisted by some DNSbl?
dra007 | May 4 2004, 09:46 AM | Post #4
Been There | Group: Members | Posts: 1436 | Joined: 18-March 04 | Member No.: 777

No.
StevenUnderwood | May 4 2004, 10:44 AM | Post #5
What Life? | Group: Members | Posts: 5172 | Joined: 20-January 04 | From: Whitinsville, MA USA | Member No.: 12

Actually, it is possible it could get you on an open relay type of DNSBL since it does relay the test message, though I would think the writers would have thought of that.

And unless you have your own IP range, you are probably already on some DNSBLs, but since it is generally not acceptable right now to do direct to MX mailing, it should not affect your machine.

--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net
-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
HillsCap | May 4 2004, 11:25 AM | Post #6
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Here's my jackpot.properties file, to help you in setting it up.

I've obfuscated the admin username and password, the HttpPort, the ServerName, and the HtmlPath, of course.

#####################################################
#This file contains general configuration data for Jackpot. The first section contains stuff you should customise before running Jackpot for real.
#This entry specifies the value returned in the "Server: " HTTP header returned by Jackpot.
#ServerHeader=SMTPD32-6.06
ServerHeader=Smail 3.1.29.1
#IP Address where SMTP will be served, if your host is multi-homed. If the host is multi-homed, and this entry is missing or blank, SMTP will be served on all addresses.
SmtpAddress=
#Specifies a virtual path for HTML. This defaults to "html", i.e. the root hosts page is http://<jackpot>:<port>/html/hosts.html.
#If you set this value to "xyzzy", then HTTP requests must be of the form http://<jackpot>:<port>/xyzzy/something.html, otherwise they will elicit a 404. This is supposed to make it easier for Jackpot to be stealthy.
HtmlPath=xyzzy
#Specifies an email address to which all mail to postmaster@[jackpot] or abuse@[jackpot] is to be forwarded.
RoleAccountAlias=
#UserID for access to Web-Admin.
AdminUser=admin
#Password for access to Web-Admin
AdminPassword=password
#####################################################
#The next section contains stuff you might customise to make this Jackpot look different from other Jackpots. If you want to customise these entries, telnet to a real mailserver and see how *it* behaves.
#Port for serving HTTP; it would be a good idea to change this, because the Jackpot server could be fingerprinted by finding its HTTP server.
HttpPort=8080
#This entry specifies the response sent to (all) VRFY requests.
VrfyResponse=502 VRFY not available
#This entry specifies the response to (all) EXPN requests.
ExpnResponse=502 EXPN not available
#This entry specifies the response to (all) TURN requests.
TurnResponse=502 TURN not available
#Specifies the 503 message
BadSequenceResponse=503 bad command sequence
#This entry specifies the response to a DATA request.
DataResponse=enter DATA end with CR.CR
#This entry specifies the response to a connection request when no threads are available in the SMTP pool.
DiskFullResponse=452 services unavailable, try again later
#Controls whether Jackpot adds a Received: header. Defaults to yes. If it doesn't, it's a badly-broken relay.
AddReceivedHeader=yes
#Controls whether any Received: header should show the sending host and address.
#If not, then the received header will show only the return path from the HELO (which a spammer would normally forge). If this is No, Jackpot acts as a blind relay.
ShowReceivedHost=no
#This entry specifies the name of the mail server, as output in the banner.
#There are some (commented out) examples below from real mail-servers.
#MTADescription=ESMTP Sendmail V8
#MTADescription=SMTPD32-6.06
MTADescription=Smail 3.1.29.1
#This entry specifies the name of this machine, used in the response to HELO/EHLO, in any Received: header added by Jackpot to relayed messages,
#and to construct a postmaster address. Defaults to the name of your localhost (best setting).
ServerName=mail.pbi.net
#####################################################
#This section contains stuff related to logging and so on - general system control.
#If set to Yes, bounce-messages will be sent for unaliased addresses in this (Jackpot's) domain, and whenever a recipient's mailhosts cannot be contacted.
#Default is no.
SendBounceMessages=no
#This entry specifies the maximum number of recipients in a message-envelope before it is rejected as spam. If you find you are getting relay-requests with multiple recipients, consider raising it.
MaxRecipients=1
#Extra time taken to respond to commands when in a spam run.
#This is applied to every line entered in a HELO dialog; the default is 1s. This is enough to make a HTML message from Outlook Express take almost a minute to enter.
TarpitDelay=1000
#The amount of time considered 'too soon' for the purposes of determining if a message should be relayed. Messages submitted via SMTP may also be subject to tarpitting if they arrive 'too soon'. Default is 20s.
MinSpamInterval=25000
#This entry specifies the location for log output.
logfile=jackpot.log
#This entry controls the size of the ThreadPool. Jackpot will politely decline protocol activities on ports 25 and [HTTP-port] once the number of free threads falls below 5.
MaxThreads = 150
#Specifies the nameserver to use. If not provided, uses the system default.
#NameServer=
#Specifies the (comma-delimited) names:ports of the HTTP servers to be updated when SMTP traffic is captured.
LogServers=127.0.0.1:8080
#Determines whether an Ident service should be offered to abuse.net (speeds up inquiries).
IdentForAbuse=no
#Specifies what kinds of message get output to the system logs. This is a bit-set, the values are as follows:
# SMTP = 1;
# HTTP = 2;
# RELAY = 4;
# STATUS = 8;
# PROXY = 16;
# ENVE = 32;
# CONFIG = 64;
# DEBUG = 128;
FileLogging=255
ConsoleLogging=255
#Specifies a limit on the number of spams that should be stored for each spam-source.
MaxStoragePerSource=150
#####################################################
#This section specifies timeouts for socket-connections used for several different purposes. Times are in milliseconds.
#How long to wait for proxy-test results
ProxyCheckTimeout=10000
#How long to wait for abuse.net lookups
AbuseLookupTimeout=10000
#How long to wait for SBL lookups
SBLLookupTimeout=5000
#####################################################
#This section controls what is running, and how, at system startup.
#Whether to start the HTTP service.
StartupHttp=yes
#Whether to start the SMTP service
StartupSmtp=yes
#Whether to start up with relaying enabled
StartupRelay=yes
#Whether to start up with tarpitting enabled
StartupTarpit=yes
#Whether to start up with POSTing to storage enabled
StartupStorage=yes
#Whether to start up with the SOCKSV4 Proxy Server running
StartupProxy=no
#####################################################
#The last section contains stuff you are unlikely to need to change, at least for now.
#Port for serving SMTP; if you change this, you'll probably be the only person who ever sends mail to your Jackpot server.
SmtpPort=25
#This entry restricts the maximum number of messages that can be queued at any one time.
#The queue is in memory, and Spammy will have to send relay-requests on multiple connections simultaneously to have a chance of filling it up.
MaxQueueSize=1500
HillsCap | May 4 2004, 03:07 PM | Post #7
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Hi, all.

Well, I've got 21 spammers connecting to my JackPot teergrube/honeypot right now, and I've blocked around 400,000 spam emails. Another bit of good news... I just talked with an FTC representative, and we're looking into setting it up so the FTC can check the JackPot logs and use them as evidence against spammers. Since JackPot records everything (times, dates, IP addresses, headers, message body, etc.), it'd be a great resource for them to go after spammers. This might be the next phase in spammer hunting...
HillsCap | May 5 2004, 04:01 AM | Post #8
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Hey, everybody.

I'm up to 47 inbound SMTP connections to my JackPot server, and a total of over 500,000 spams blocked. I slowed down a bandwidth-intensive distributed computing project I'm participating in to give JackPot more bandwidth. As soon as I did, my IDS/IRS made noise several times (I set up my IDS/IRS to play a specific .WAV file when port 25 is hit, to alert me to spammers using JackPot), signifying that several more SMTP port TCP 25 connections were being made. They're loading it up so much that the text is flying by so fast I can't read it.

My goal is to monopolize as much of their connection bandwidth as possible, so they send as much spam as possible to my bit-bucket, where I know it's getting dumped. If I ran with less bandwidth, they'd just find another place to spew through, and it could potentially be an actual open relay, which means people would receive spam, and the spammers would get visitors (and buyers). Too bad I don't have a larger pipe... I'd love to see them trying to fill a 45Mbps connection.

Has anyone else set up JackPot? If so, the first thing you should do is configure it so that when you submit it to the open-relay testing sites, it'll relay pretty much everything. I did this by drastically shortening the time required between email messages (right now, I've got it set up to bit-bucket everything with more than one recipient, and everything sent sooner than 25 seconds after a previous message... you should set it up with a high recipient count and a low time duration between emails before submitting it for testing). Submit your JackPot for testing... once it passes and you're listed as an open relay (especially if you find overseas testing websites... they're most likely set up by spammers to find and exploit open relays submitted by people who don't know any better), the spammers will come flocking. Then you can tighten up the settings to bit-bucket everything with more than one recipient, or if it's sent sooner than a certain time limit.

Let me know how it goes... perhaps we could keep stats counts to compare how everyone is doing.
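The relay-test / bit-bucket rule HillsCap describes here, together with the settings from the jackpot.properties post above, as an added example written by the editor (not JackPot's own code): it parses a constructed properties excerpt in that file's format, decodes the FileLogging bit-set, and replays the MaxRecipients / MinSpamInterval decision over a constructed sequence of envelopes. Judging the interval per source IP, and counting a dumped message as the "previous message", are assumptions the thread does not state.

```python
# Added example by the editor, not JackPot's own code: parse a jackpot.properties
# excerpt, decode the FileLogging bit-set and replay the relay/dump policy the
# thread describes (MaxRecipients and MinSpamInterval) over constructed envelopes.

# Constructed excerpt in the key=value format of the posted jackpot.properties.
SAMPLE_PROPERTIES = """\
#This entry specifies the maximum number of recipients in a message-envelope before it is rejected as spam.
MaxRecipients=1
#The amount of time considered 'too soon' for relaying. Default is 20s.
MinSpamInterval=25000
#Extra time taken to respond to commands when in a spam run.
TarpitDelay=1000
MaxThreads = 150
FileLogging=128
"""

# Bit values of the FileLogging / ConsoleLogging bit-set, as listed in the file.
LOG_FLAGS = {"SMTP": 1, "HTTP": 2, "RELAY": 4, "STATUS": 8,
             "PROXY": 16, "ENVE": 32, "CONFIG": 64, "DEBUG": 128}

# Constructed envelopes: (arrival time in ms, source IP, recipient count).
# Addresses are documentation-range placeholders, not real spam sources.
SAMPLE_ENVELOPES = [
    (0,     "203.0.113.5",  1),   # first relay test, one recipient
    (60000, "203.0.113.5",  1),   # second test a minute later
    (61000, "203.0.113.5",  1),   # 1 s later: inside MinSpamInterval
    (62000, "203.0.113.5", 40),   # the real run: 40 recipients
    (62500, "198.51.100.9", 1),   # a new source is judged on its own history
]


def parse_properties(text):
    """Minimal Java-properties reader: '#'/'!' comments, key=value, spaces around '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def decode_logging(mask):
    """Names of the log categories enabled by a FileLogging/ConsoleLogging value."""
    return [name for name, bit in LOG_FLAGS.items() if mask & bit]


def decide_envelopes(envelopes, max_recipients, min_spam_interval_ms):
    """Relay a message only if it has at most max_recipients recipients and the
    same source has not sent anything within min_spam_interval_ms; everything
    else is dumped.  Per-source timing, and treating a dumped message as the
    'previous message', are assumptions (the thread does not say)."""
    last_seen = {}
    decisions = []
    for t, src, nrcpt in envelopes:
        if nrcpt > max_recipients:
            verdict = ("dump", "more than %d recipients" % max_recipients)
        elif src in last_seen and t - last_seen[src] < min_spam_interval_ms:
            verdict = ("dump", "sooner than %d ms after previous message" % min_spam_interval_ms)
        else:
            verdict = ("relay", "looks like a relay test")
        last_seen[src] = t
        decisions.append((t, src) + verdict)
    return decisions


def run_example(text=SAMPLE_PROPERTIES, envelopes=SAMPLE_ENVELOPES):
    props = parse_properties(text)
    decisions = decide_envelopes(envelopes, int(props["MaxRecipients"]),
                                 int(props["MinSpamInterval"]))
    verdicts = [d[2] for d in decisions]
    return {
        "log_categories": decode_logging(int(props["FileLogging"])),
        "max_threads": int(props["MaxThreads"]),
        "decisions": decisions,
        "relayed": verdicts.count("relay"),
        "dumped": verdicts.count("dump"),
    }


if __name__ == "__main__":
    for t, src, verdict, reason in run_example()["decisions"]:
        print("%6d ms  %-13s %-5s %s" % (t, src, verdict, reason))
```

With the sample settings the first two single-recipient tests are relayed, the message one second later and the 40-recipient run are dumped, and the second source starts with a clean history.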
zachariah | May 5 2004, 09:07 AM | Post #9
Advanced Member | Group: Members | Posts: 130 | Joined: 12-February 04 | From: Earth | Member No.: 336

I'm seriously going to look into this. Intriguing idea.

--------------------
Secure Webmail: https://webmail.spamcop.net/
SpamCop Blocking List: Am I listed?
"Overall, she was just a normal kid. Never was she able to see through humans!"
For example domains use: http://www.example.com|.net|.org (that's why they're there)
loafman | May 5 2004, 10:10 AM | Post #10
Advanced Member | Group: Members | Posts: 125 | Joined: 29-January 04 | From: Plano, TX | Member No.: 98

Sounds like a good idea. I've got access to a couple of subnets where I could put the thing without compromising my own mail server. Now all I need is a couple of low end machines.

...Ken
Mikey | May 5 2004, 12:24 PM | Post #11
Member | Group: Members | Posts: 58 | Joined: 11-February 04 | Member No.: 325

This has been talked about on here before. I know there are several of these out there, although I thought the Java one I saw a couple months ago was called something else other than Jackpot.

Found it... It's called tarproxy at http://www.martiansoftware.com/articles/spammerpain.html

I've looked at this one: http://www.spamcannibal.org/cannibal.cgi but I think it requires a kernel recompile if you don't have the tarpit version of iptables.

You can simply run the LaBrea tarpit http://www.sourceforge.net/labrea/ and dump known address spaces in there (like the entire Comcast DSL block from http://www.blackholes.us). I've observed this working against Sendmail and it holds them for at least 10 minutes. Of course most spammer ratware (not Sendmail) is opening up hundreds or thousands of sockets so it probably doesn't have too much effect. The thing about tarproxy and Jackpot is that they will actually interact with the MTA whereas LaBrea simply ties them up at the IP SYN/ACK level.

Always thought Java was a strange choice of language for this. Whatever works I guess....
HillsCap | May 8 2004, 02:35 AM | Post #12
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Actually, the URL for LaBrea is:
http://labrea.sourceforge.net/labrea-info.html

I've downloaded it, and will check it out. Unfortunately, JackPot has a memory handle leak that requires me to restart it about twice a day. But, it sure is working! I've had as many as 95 simultaneous incoming SMTP connections, and I blew past the 1,000,000 spam emails dumped mark. I'm now just over 1,100,000.

Oh, on the jackpot.properties file, you might want to change a few settings:

#Extra time taken to respond to commands when in a spam run.
#This is applied to every line entered in a HELO dialog; the default is 1s. This is enough to make a HTML message from Outlook Express take almost a minute to enter.
TarpitDelay=1000

(You might want to increase this when the number of spammers is high, to keep JackPot from taking too much of your CPU. DO NOT use the 'Administer JackPot' link in the JackPot's HTTP server home page to change this... for some reason, when you do, it causes JackPot to take more CPU time than just changing it manually in jackpot.properties, then restarting JackPot.)

#Specifies what kinds of message get output to the system logs. This is a bit-set, the values are as follows:
# SMTP = 1;
# HTTP = 2;
# RELAY = 4;
# STATUS = 8;
# PROXY = 16;
# ENVE = 32;
# CONFIG = 64;
# DEBUG = 128;
FileLogging=255
ConsoleLogging=255

(Set FileLogging=128, otherwise the logfile collects everything (which is redundant, since everything is also stored elsewhere) and can grow quite large (mine was a couple hundred MB before I deleted it). Setting it to 128 only collects DEBUG messages (i.e.: errors), making the file size much smaller.)

#This entry controls the size of the ThreadPool. Jackpot will politely decline protocol activities on ports 25 and [HTTP-port] once the number of free threads falls below 5.
MaxThreads = 150

(You can control how many spammers can connect at once by changing this... if you set it to 150, only 149 spammers can connect at once. If JackPot is taking too much CPU time, crank this down to around 50 or so. I'd say the minimum to set this is around 20.)

I'll let you all know how running LaBrea goes...
HillsCap | May 8 2004, 03:50 AM | Post #13
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Argh! LaBrea doesn't run under WinXP!

Apparently, LaBrea requires WinPcap, which is not supported for WinXP. So, that's a bust.
HillsCap | May 9 2004, 08:11 AM | Post #14
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Hi, all.

A quick update / bump. The spammers are becoming much more aggressive in the number of connections they establish, as I said in my last post. They're also trying to spew more, by increasing the number of recipients per message. So far, I'm just over 1,400,000 spam emails blocked.

I've been in contact with Jack Cleaver, the program's author, and due to the recent upswing in interest in the program, he's going to go to work on it to fix the few remaining bugs. So, hopefully, in a few weeks or so, we'll have a rock stable version out that doesn't have a memory handle leak.

BTW, does anyone know how to force the JRE 1.5.0 b1 to do more aggressive Garbage Collection? I'm trying to get it to clean up those memory handles, since the JRE takes care of memory management, not the program. My thinking is that it might be that the reason the handle count continues upward is that Garbage Collection can't clean up fast enough due to how hard the spammers are hitting my JackPot. By increasing the aggressiveness of the JRE Garbage Collection, I hope to keep the memory handle count under control.
HillsCap | May 10 2004, 01:24 AM | Post #15
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Hoo, boy! If you increase the number of threads, be sure your bandwidth and machine can handle it...

I set it so JackPot would use 201 threads. Within 1/2 hour, I had 200 simultaneous incoming SMTP connections. Fortunately, I've tweaked the memory settings and garbage collection for JackPot, so it's not taking much CPU time, and the memory handle leak isn't so bad. But, there must be a huge spam ring originating in Taiwan, since all the connections came from there.

And, I drilled a hole through my router for JackPot's HTTP server, so now I'm serving the JackPot log results to the internet. This will allow me to send LART emails (JackPot does an abuse email address lookup for each IP address of the incoming SMTP connections), by clicking on the links in the JackPot logs, then I put the URL to my JackPot HTTP server into that email, and the ISPs can see for themselves what their users are doing, in real time. Of course, I'll also start Sam Spade and do a quick traceroute, so I can report to the ISPs' upstream as well, to apply a little more pressure on the ISPs to fix their spamming problem (it's giga.net and twnic.net.tw, and they've got a huge spammer problem).

But first, I want to let the spammers waste more of their time and resources sending to the bit-bucket... I figure another 5 million messages collected, then I'll report them. By then, I'll have collected enough data that there'll be irrefutable proof that those ISPs have a spammer problem they can't afford to ignore.
HillsCap | May 29 2004, 04:15 PM | Post #16
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

I figured out where the memory handle leak in my copy of Jackpot was coming from...

I actually had three resource leak problems...

1) ZoneAlarm: ZoneAlarm has had a memory leak for quite some time now. The latest update causes users' computers to hang for long periods of time, and the memory leak is worse than ever. I dumped ZoneAlarm, and installed Sygate's firewall. It is awesome... much better than ZoneAlarm.

2) WebWasher kept grabbing memory and not releasing it. It got to the point where I had to shut down WebWasher every few hours.

3) JackPot kept grabbing memory handles and not releasing them, building up to the point where it was sometimes taking over 600,000 memory handles.

The WebWasher and JackPot resource leaks were related... for some reason, every time JackPot grabbed a memory handle, WebWasher would take more memory, and every time WebWasher grabbed more memory, it caused JackPot to grab more memory handles. It was a vicious cycle. Shutting down JackPot would make WebWasher stop taking more memory, and shutting down WebWasher would make JackPot stop taking more memory handles. So, I dumped WebWasher.

Now, JackPot is running stably, even with 250 simultaneous incoming Port TCP 25 SMTP connections. A side benefit of all this is that my internet connection is much faster now (partly due to dumping ZoneAlarm, partly due to dumping WebWasher). Hence, when using FriedSpam.net through anonymous proxies, I'm hitting spamvertised websites much harder now. Another side benefit (now that I don't have any resource leaks) is that I can LART spammers 24/7 without having to reboot for weeks or months at a time.

Look out spammers, here I come...
HillsCap | Jul 26 2004, 01:32 AM | Post #17
Member | Group: Members | Posts: 90 | Joined: 1-February 04 | Member No.: 160

Hi, all.

If you're looking for a good way to take a hunk out of a spammer's hide, you can easily do so by running up their web hosting costs. I've used FriedSpam.net in the past (you've probably all read my posts on using anonymous proxies to hammer spamvertised websites), but I've got an even better, faster way of hitting them.

Some of you may have heard of the Lad Vampire, used to hit 419 sites and run up their hosting costs until they're taken offline. I ran it for a while to be sure it was effective. During that time, I downloaded about 100 GB of data, and helped to take down twelve 419 sites. Since the Lad Vampire source code was contributed anonymously, I figured that Mr. Anonymous probably wouldn't mind if I reworked the code to suit my own purposes. So, that's what I did. You can get a look at it here: http://www.hillscapital.com/antispam/index.htm

Feel free to grab the source code and set up a Spam Vampire to use against your own spammers. If everyone did this, spamming would be so expensive that the spammers wouldn't be able to spam anymore. You don't need a website to run the Spam Vampire, it'll run just as well as a local file on your computer.

If you want to help out, I'm currently hammering a couple of HKNet.com hosted websites that HKNet.com said they'd take down, but didn't, and a couple of USA Lenders Network websites.
Ralsky's Fatal Tumor | Jul 26 2004, 02:11 PM | Post #18
Member | Group: Members | Posts: 71 | Joined: 29-January 04 | Member No.: 110

QUOTE(HillsCap @ Jul 26 2004, 01:32 AM): Feel free to grab the source code and set up a Spam Vampire to use against your own spammers.

Where's the source code? I looked on the aa419 site and a few other places but couldn't manage to dig it up anywhere.

(And it looks like goforvalue.com is hurting now. Kill! Kill!)
Merlyn | Jul 26 2004, 02:20 PM | Post #19
Been There | Group: Members | Posts: 1653 | Joined: 23-January 04 | Member No.: 25

There is a discussion in NANAE right now about how a person who is running a proxypot is complaining because he is getting listed in loads of lists.

Seems like most say many of them get listed.

--------------------
Regards,
Merlyn
A Spamcop advocate
People demand freedom of speech to make up for the freedom of thought which they avoided!
Robmonster | Aug 23 2004, 07:05 AM | Post #20
Newbie | Group: Members | Posts: 1 | Joined: 23-August 04 | Member No.: 2453

This Jackpot software sounds very interesting. It prompted me to register to ask a few questions though.....

I only have access to my home PC which runs on a DSL link. I have a static IP address, but do not run any of my own services (i.e. I use my paid webhost's email servers). My main worries about trying this program to help waste spammer resources are as follows:

1) Might my static IP address end up on some blacklist, preventing any of my normal day to day email from getting delivered to some people?

2) When I turn off this program to utilise the full speed of my connection for something else (online gaming for example), will the incoming connection attempts impede my usage of my connection? It's a 512 down / 256 up connection.

I'd like to be able to help, but I don't want to ruin my own web connectivity in the process.

RM