
Jackpot fake SMTP server / teergrube / honeypot...


HillsCap


Hi, all.

I've hammered the spammers into submission so badly that I no longer receive spam in any great quantity. I've only gotten 8 over the last month, and that number is still falling.

So, I had to find another method of fighting spammers. I decided to set up the JackPot SMTP teergrube / honeypot, from http://jackpot.uk.net/.

This is a cool Java program... it lets a spammer's test emails be relayed, while blocking the actual spam that is sent. It also keeps a log of spammer activity, and serves that log via a built-in HTTP server. If you open a hole for that HTTP server's port through your firewall/router, you can give the URL for it to ISPs, so they can see for themselves that their users are spamming. And reporting that a user is trying to send hundreds of thousands of spams carries much more weight than reporting that you received a single spam email.

Anyway, I set up JackPot about a month or so ago, but didn't get any hits on it. So, I contacted Jack Cleaver, the author of the program. He suggested that I submit my JackPot to the various websites for open relay testing, which I did.

Apparently, that worked. Over the last week or so, I've been getting nibbles from spammers in Taiwan, sending test messages (which, of course, JackPot let be delivered, to trick the spammers into thinking that it was, indeed, an open relay).

Yesterday, the spammers got serious, and started sending spam, which JackPot is dumping to the bit-bucket. Over the last 24 hours, I've dumped over 200,000 spam emails, mostly addressed to HotMail accounts.

If everyone using SpamCop also ran JackPot, I think that would allow us to catch a lot more spammers, and it could possibly force the spammers to either quit sending spam (because the chances of getting caught go up dramatically due to more JackPot servers running, and the spammers are wasting more of their time and resources sending to SMTP servers that then just bit-bucket the spam), or to find another method of spamming.

Either way, it's a great way to slow them down. Imagine if 1000 people were running JackPot, each dumping 200,000 spams per day. That's 200,000,000 spams that don't get delivered. And it's a lot more spammers getting caught and shut down.

If you haven't tried it, I highly recommend it.


Actually, it is possible it could get you on an open relay type of DNSBL since it does relay the test message, though I would think the writers would have thought of that.

And unless you have your own IP range, you are probably already on some DNSBLs, but since it is generally not acceptable right now to do direct-to-MX mailing, it should not affect your machine.


Here's my jackpot.properties file, to help you in setting it up.

I've obfuscated the admin username and password, the Httpport, the ServerName, and the htmlpath, of course.

#####################################################

#This file contains general configuration data for Jackpot. The first section contains stuff you should customise before running Jackpot for real.

#This entry specifies the value returned in the "Server: " HTTP header returned by Jackpot.

#ServerHeader=SMTPD32-6.06

ServerHeader=Smail 3.1.29.1

#IP Address where SMTP will be served, if your host is multi-homed. If the host is multi-homed, and this entry is missing or blank, SMTP will be served on all addresses.

SmtpAddress=

#Specifies a virtual path for HTML. This defaults to "html", i.e. the root hosts page is http://<jackpot>:<port>/html/hosts.html.

#If you set this value to "xyzzy", then HTTP requests must be of the form http://<jackpot>:<port>/xyzzy/something.html, otherwise they will elicit a 404. This is supposed to make it easier for Jackpot to be stealthy.

HtmlPath=xyzzy

#Specifies an email address to which all mail to postmaster[at][jackpot] or abuse[at][jackpot] is to be forwarded.

RoleAccountAlias=

#UserID for access to Web-Admin.

AdminUser=admin

#Password for access to Web-Admin

AdminPassword=password

#####################################################

#The next section contains stuff you might customise to make this Jackpot look different from other Jackpots. If you want to customise these entries, telnet to a real mailserver and see how *it* behaves.

#Port for serving HTTP; it would be a good idea to change this, because the Jackpot server could be fingerprinted by finding its HTTP server.

HttpPort=8080

#This entry specifies the response sent to (all) VRFY requests.

VrfyResponse=502 VRFY not available

#This entry specifies the response to (all) EXPN requests.

ExpnResponse=502 EXPN not available

#This entry specifies the response to (all) TURN requests.

TurnResponse=502 TURN not available

#Specifies the 503 message

BadSequenceResponse=503 bad command sequence

#This entry specifies the response to a DATA request.

DataResponse=enter DATA end with CR.CR

#This entry specifies the response to a connection request when no threads are available in the SMTP pool.

DiskFullResponse=452 services unavailable, try again later

#Controls whether Jackpot adds a Received: header. Defaults to yes. If it doesn't, it's a badly-broken relay.

AddReceivedHeader=yes

#Controls whether any Received: header should show the sending host and address.

#If not, then the received header will show only the return path from the HELO (which a spammer would normally forge). If this is No, Jackpot acts as a blind relay.

ShowReceivedHost=no

#This entry specifies the name of the mail server, as output in the banner.

#There are some (commented out) examples below from real mail-servers.

#MTADescription=ESMTP Sendmail V8

#MTADescription=SMTPD32-6.06

MTADescription=Smail 3.1.29.1

#This entry specifies the name of this machine, used in the response to HELO/EHLO, in any Received: header added by Jackpot to relayed messages,

#and to construct a postmaster address. Defaults to the name of your localhost (best setting).

ServerName=mail.pbi.net

#####################################################

#This section contains stuff related to logging and so on - general system control.

#If set to Yes, bounce-messages will be sent for unaliased addresses in this (Jackpot's) domain, and whenever a recipient's mailhosts cannot be contacted.

#Default is no.

SendBounceMessages=no

#This entry specifies the maximum number of recipients in a message-envelope before it is rejected as spam. If you find you are getting relay-requests with multiple recipients, consider raising it.

MaxRecipients=1

#Extra time taken to respond to commands when in a spam run.

#This is applied to every line entered in a HELO dialog; the default is 1s. This is enough to make a HTML message from Outlook Express take almost a minute to enter.

TarpitDelay=1000

#The amount of time considered 'too soon' for the purposes of determining if a message should be relayed. Messages submitted via SMTP may also be subject to tarpitting if they arrive 'too soon'. Default is 20s.

MinSpamInterval=25000

#This entry specifies the location for log output.

logfile=jackpot.log

#This entry controls the size of the ThreadPool. Jackpot will politely decline protocol activities on ports 25 and [HTTP-port] once the number of free threads falls below 5.

MaxThreads = 150

#Specifies the nameserver to use. If not provided, uses the system default.

#NameServer=

#Specifies the (comma-delimited) names:ports of the HTTP servers to be updated when SMTP traffic is captured.

LogServers=127.0.0.1:8080

#Determines whether an Ident service should be offered to abuse.net (speeds up inquiries).

IdentForAbuse=no

#Specifies what kinds of message get output to the system logs. This is a bit-set, the values are as follows:

# SMTP = 1;

# HTTP = 2;

# RELAY = 4;

# STATUS = 8;

# PROXY = 16;

# ENVE = 32;

# CONFIG = 64;

# DEBUG = 128;

FileLogging=255

ConsoleLogging=255

#Specifies a limit on the number of spams that should be stored for each spam-source.

MaxStoragePerSource=150

#####################################################

#This section specifies timeouts for socket-connections used for several different purposes. Times are in milliseconds.

#How long to wait for proxy-test results

ProxyCheckTimeout=10000

#How long to wait for abuse.net lookups

AbuseLookupTimeout=10000

#How long to wait for SBL lookups

SBLLookupTimeout=5000

#####################################################

#This section controls what is running, and how, at system startup.

#Whether to start the HTTP service.

StartupHttp=yes

#Whether to start the SMTP service

StartupSmtp=yes

#Whether to start up with relaying enabled

StartupRelay=yes

#Whether to start up with tarpitting enabled

StartupTarpit=yes

#Whether to start up with POSTing to storage enabled

StartupStorage=yes

#Whether to start up with the SOCKSV4 Proxy Server running

StartupProxy=no

#####################################################

#The last section contains stuff you are unlikely to need to change, at least for now.

#Port for serving SMTP; if you change this, you'll probably be the only person who ever sends mail to your Jackpot server.

SmtpPort=25

#This entry restricts the maximum number of messages that can be queued at any one time.

#The queue is in memory, and Spammy will have to send relay-requests on multiple connections simultaneously to have a chance of filling it up.

MaxQueueSize=1500


Hi, all.

Well, I've got 21 spammers connecting to my JackPot teergrube/honeypot right now, and I've blocked around 400,000 spam emails.

Another bit of good news... I just talked with an FTC representative, and we're looking into setting it up so the FTC can check the JackPot logs and use them as evidence against spammers.

Since JackPot records everything (times, dates, IP addresses, headers, message body, etc), it'd be a great resource for them to go after spammers.

This might be the next phase in spammer hunting...


Hey, everybody.

I'm up to 47 inbound SMTP connections to my JackPot server, and a total of over 500,000 spams blocked.

I slowed down a bandwidth-intensive distributed computing project I'm participating in to give JackPot more bandwidth. As soon as I did, my IDS/IRS made noise several times (I set up my IDS/IRS to play a specific .WAV file when port 25 is hit, to alert me to spammers using JackPot), signifying that several more SMTP port TCP 25 connections were being made.

They're loading it up so much that the text is flying by so fast I can't read it.

My goal is to monopolize as much of their connection bandwidth as possible, so they send as much spam as possible to my bit-bucket, where I know it's getting dumped. If I ran with less bandwidth, they'd just find another place to spew through, and it could potentially be an actual open relay, which means people would receive spam, and the spammers would get visitors (and buyers).

Too bad I don't have a larger pipe... I'd love to see them trying to fill a 45Mbps connection.

Has anyone else set up JackPot? If so, the first thing you should do is configure it so that when you submit it to the open-relay testing sites, it'll relay pretty much everything. I did this by drastically shortening the time required between email messages (right now, I've got it set up to bit-bucket everything with more than one recipient, and everything sent sooner than 25 seconds after a previous message... you should set it up with a high recipient count and a low time duration between emails before submitting it for testing).

Submit your JackPot for testing... once it passes and you're listed as an open relay (especially if you find overseas testing websites... they're most likely set up by spammers to find and exploit open relays submitted by people who don't know any better), the spammers will come flocking. Then you can tighten up the settings to bit-bucket everything with more than one recipient, or if it's sent sooner than a certain time limit.

Let me know how it goes... perhaps we could keep stats counts to compare how everyone is doing.

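A model of the relay-or-bit-bucket rule described in the post above, as an added example (not Jackpot's own code): it applies MaxRecipients, MinSpamInterval and TarpitDelay the way the posts describe them to a constructed sequence of envelopes. The tightened profile uses the values from the posted jackpot.properties; the "open for testing" values and the traffic are assumed.

```python
from dataclasses import dataclass, field

# Model of the relay/bit-bucket decision described in the thread. Not
# Jackpot's own code: it applies the MaxRecipients, MinSpamInterval and
# TarpitDelay settings the way the posts describe them.


@dataclass
class RelayPolicy:
    max_recipients: int        # MaxRecipients: more than this is a spam run
    min_spam_interval: int     # MinSpamInterval (ms): sooner than this is a spam run
    tarpit_delay: int          # TarpitDelay (ms) added to every line of a spam run
    last_seen: dict = field(default_factory=dict)   # source IP -> last envelope (ms)
    stats: dict = field(default_factory=lambda: {"relayed": 0, "dropped": 0, "tarpit_ms": 0})

    def decide(self, source, t_ms, recipients, lines=1):
        """Return 'relay' or 'drop' for one envelope from `source` at time t_ms.

        `lines` is the number of protocol lines the sender will enter for this
        message; it is only used to estimate how long the tarpit holds them.
        """
        too_many = recipients > self.max_recipients
        prev = self.last_seen.get(source)
        too_soon = prev is not None and (t_ms - prev) < self.min_spam_interval
        self.last_seen[source] = t_ms
        if too_many or too_soon:
            self.stats["dropped"] += 1
            self.stats["tarpit_ms"] += self.tarpit_delay * lines
            return "drop"
        self.stats["relayed"] += 1
        return "relay"


# Profile to use while the host is submitted to relay-testing sites: a high
# recipient limit and a short interval so the tester's probes get relayed.
# These numbers are assumed, not taken from the posted configuration.
TESTING = dict(max_recipients=50, min_spam_interval=1000, tarpit_delay=0)

# Profile from the posted jackpot.properties: one recipient, 25 s apart, 1 s
# tarpit per line once a spam run is detected.
PRODUCTION = dict(max_recipients=1, min_spam_interval=25000, tarpit_delay=1000)

# Constructed traffic: (source, time_ms, recipients, protocol_lines).
# One single-recipient probe from a tester, then ten messages a second apart
# from one spammer, each with 20 recipients and a 40-line HTML body.
TRAFFIC = [("203.0.113.5", 0, 1, 10)] + [
    ("198.51.100.9", 60_000 + i * 1_000, 20, 40) for i in range(10)
]


def run(profile, traffic=TRAFFIC):
    """Apply a profile to the traffic; return the per-envelope decisions and totals."""
    policy = RelayPolicy(**profile)
    decisions = [policy.decide(*envelope) for envelope in traffic]
    return decisions, policy.stats


if __name__ == "__main__":
    for name, profile in ("testing", TESTING), ("production", PRODUCTION):
        decisions, stats = run(profile)
        print(name, decisions.count("relay"), "relayed,", stats["dropped"],
              "dropped, sender held about", stats["tarpit_ms"] // 1000, "s")
```

With the testing profile every envelope is relayed, which is what a relay-testing site needs to see; with the posted values only the single probe is relayed and the ten-message run is dropped while its sender is held for roughly 400 s of tarpit delay.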

Sounds like a good idea. I've got access to a couple of subnets where I could put the thing without compromising my own mail server. Now all I need is a couple of low end machines.

...Ken


This has been talked about on here before. I know there are several of these out there, although I thought the Java one I saw a couple of months ago was called something other than Jackpot.

Found it... It's called tarproxy at http://www.martiansoftware.com/articles/spammerpain.html

I've looked at this one: http://www.spamcannibal.org/cannibal.cgi but I think it requires a kernel recompile if you don't have the tarpit version of iptables.

You can simply run the LaBrea tarpit http://www.sourceforge.net/labrea/ and dump known address spaces in there (like the entire comcast DSL block from http://www.blackholes.us). I've observed this working against Sendmail and it holds them for at least 10 minutes. Of course most spammer ratware (not Sendmail) is opening up hundreds or thousands of sockets so it probably doesn't have too much effect.

The thing about tarproxy and Jackpot is that they will actually interact with the MTA whereas LaBrea simply ties them up at the IP SYN/ACK level.

Always thought Java was a strange choice of language for this. Whatever works I guess....


Actually, the URL for Labrea is:

http://labrea.sourceforge.net/labrea-info.html

I've downloaded it, and will check it out. Unfortunately, JackPot has a memory handle leak that requires me to restart it about twice a day.

But, it sure is working! I've had as many as 95 simultaneous incoming SMTP connections, and I blew past the 1,000,000 spam emails dumped mark. I'm now just over 1,100,000.

Oh, on the jackpot.properties file, you might want to change a few settings:

#Extra time taken to respond to commands when in a spam run.

#This is applied to every line entered in a HELO dialog; the default is 1s. This is enough to make a HTML message from Outlook Express take almost a minute to enter.

TarpitDelay=1000

(You might want to increase this when the number of spammers is high, to keep JackPot from taking too much of your CPU. DO NOT use the 'Administer JackPot' link in the JackPot's HTTP server home page to change this... for some reason, when you do, it causes JackPot to take more CPU time than just changing it manually in jackpot.properties, then restarting JackPot.)

#Specifies what kinds of message get output to the system logs. This is a bit-set, the values are as follows:

# SMTP = 1;

# HTTP = 2;

# RELAY = 4;

# STATUS = 8;

# PROXY = 16;

# ENVE = 32;

# CONFIG = 64;

# DEBUG = 128;

FileLogging=255

ConsoleLogging=255

(Set FileLogging=128; otherwise the logfile collects everything (which is redundant, since everything is also stored elsewhere) and can grow quite large (mine was a couple of hundred MB before I deleted it). Setting it to 128 only collects DEBUG messages (i.e. errors), making the file size much smaller.)

#This entry controls the size of the ThreadPool. Jackpot will politely decline protocol activities on ports 25 and [HTTP-port] once the number of free threads falls below 5.

MaxThreads = 150

(You can control how many spammers can connect at once by changing this... if you set it to 150, only 149 spammers can connect at once. If JackPot is taking too much CPU time, crank this down to around 50 or so. I'd say the minimum to set this to is around 20.)

I'll let you all know how running LaBrea goes...


Hi, all.

A quick update / bump.

The spammers are becoming much more aggressive in the number of connections they establish, as I said in my last post. They're also trying to spew more, by increasing the number of recipients per message.

So far, I'm just over 1,400,000 spam emails blocked.

I've been in contact with Jack Cleaver, the program's author, and due to the recent upswing in interest in the program, he's going to go to work on it to fix the few remaining bugs.

So, hopefully, in a few weeks or so, we'll have a rock stable version out that doesn't have a memory handle leak.

BTW, does anyone know how to force the JRE 1.5.0 b1 to do more aggressive Garbage Collection? I'm trying to get it to clean up those memory handles, since the JRE takes care of memory management, not the program. My thinking is that it might be that the reason the handle count continues upward is that Garbage Collection can't clean up fast enough due to how hard the spammers are hitting my JackPot. By increasing the aggressiveness of the JRE Garbage Collection, I hope to keep the memory handle count under control.


Hoo, boy! If you increase the number of threads, be sure your bandwidth and machine can handle it...

I set it so JackPot would use 201 threads. Within 1/2 hour, I had 200 simultaneous incoming SMTP connections.

Fortunately, I've tweaked the memory settings and garbage collection for JackPot, so it's not taking much CPU time, and the memory handle leak isn't so bad.

But, there must be a huge spam ring originating in Taiwan, since all the connections came from there.

And, I drilled a hole through my router for JackPot's HTTP server, so now I'm serving the JackPot log results to the internet. This will allow me to send LART emails (JackPot does an abuse email address lookup for each IP address of the incoming SMTP connections), by clicking on the links in the JackPot logs, then I put the URL to my JackPot HTTP server into that email, and the ISPs can see for themselves what their users are doing, in real time.

Of course, I'll also start Sam Spade and do a quick traceroute, so I can report to the ISPs' upstream as well, to apply a little more pressure on the ISPs to fix their spamming problem (it's giga.net and twnic.net.tw, and they've got a huge spammer problem).

But first, I want to let the spammers waste more of their time and resources sending to the bit-bucket... I figure another 5 million messages collected, then I'll report them. By then, I'll have collected enough data that there'll be irrefutable proof that those ISPs have a spammer problem they can't afford to ignore.


  • 3 weeks later...

I figured out where the memory handle leak in my copy of Jackpot was coming from...

I actually had three resource leak problems...

1) ZoneAlarm:

ZoneAlarm has had a memory leak for quite some time now. The latest update causes users' computers to hang for long periods of time, and the memory leak is worse than ever. I dumped ZoneAlarm, and installed Sygate's firewall. It is awesome... much better than ZoneAlarm.

2) WebWasher kept grabbing memory and not releasing it. It got to the point where I had to shut down WebWasher every few hours.

3) JackPot kept grabbing memory handles and not releasing them, building up to the point where it was sometimes taking over 600,000 memory handles.

The WebWasher and JackPot resource leaks were related... for some reason, every time JackPot grabbed a memory handle, WebWasher would take more memory, and every time WebWasher grabbed more memory, it caused JackPot to grab more memory handles. It was a vicious cycle. Shutting down JackPot would make WebWasher stop taking more memory, and shutting down WebWasher would make JackPot stop taking more memory handles.

So, I dumped WebWasher. Now, JackPot is running stably, even with 250 simultaneous incoming Port TCP 25 SMTP connections.

A side benefit of all this is that my internet connection is much faster now (partly due to dumping ZoneAlarm, partly due to dumping WebWasher). Hence, when using FriedSpam.net through anonymous proxies, I'm hitting spamvertised websites much harder now.

Another side benefit (now that I don't have any resource leaks) is that I can LART spammers 24/7 without having to reboot for weeks or months at a time.

Look out spammers, here I come...


  • 1 month later...

Hi, all.

If you're looking for a good way to take a hunk out of a spammer's hide, you can easily do so by running up their web hosting costs.

I've used FriedSpam.net in the past (you've probably all read my posts on using anonymous proxies to hammer spamvertised websites), but I've got an even better, faster way of hitting them.

Some of you may have heard of the Lad Vampire, used to hit 419 sites and run up their hosting costs until they're taken offline. I ran it for a while to be sure it was effective. During that time, I downloaded about 100 GB of data, and helped to take down twelve 419 sites.

Since the Lad Vampire source code was contributed anonymously, I figured that Mr. Anonymous probably wouldn't mind if I reworked the code to suit my own purposes. So, that's what I did.

You can get a look at it here:

http://www.hillscapital.com/antispam/index.htm

Feel free to grab the source code and set up a spam Vampire to use against your own spammers. If everyone did this, spamming would be so expensive that the spammers wouldn't be able to spam anymore.

You don't need a website to run the spam Vampire, it'll run just as well as a local file on your computer.

If you want to help out, I'm currently hammering a couple of HKNet.com hosted websites that HKNet.com said they'd take down, but didn't, and a couple of USA Lenders Network websites.


  • 4 weeks later...

This Jackpot software sounds very interesting. It prompted me to register to ask a few questions though.....

I only have access to my home PC, which runs on a DSL link. I have a static IP address, but do not run any of my own services (i.e. I use my paid webhost's email servers).

My main worries about trying this program to help waste spammer resources are as follows:

1) Might my static IP address end up on some blacklist, preventing any of my normal day to day email from getting delivered to some people?

2) When I turn off this program to utilise the full speed of my connection for something else (online gaming, for example), will the incoming connection attempts impede my usage of my connection? It's a 512 down, 256 up connection.

I'd like to be able to help, but I don't want to ruin my own web connectivity in the process.

RM


No.


Actually there have been a few in NANAE complaining that they were placed in blocklists due to this. The final observations were to run it on an IP that will not harm anything for being blocked. Many "are" in the blocklists.

To be a reliable decoy there is no way a scanning engine/relay/proxy checker can tell the difference between a decoy and a bad machine.


  • 3 weeks later...

Hi HillsCap and SpamCop fellas, I need to know how I can get my ADSL dynamic IP listed on the internet, so that spammers notice my Jackpot quickly (I'm tired of waiting, like fishing). Some mention "reporting" an abuse; where is that place? Can it be done here in SpamCop? Does SpamCop's listing of open relays have the potential of luring spammers to spam a home ADSL dynamic IP Jackpot?

I need to collect data for research (number, size, spam categorization, size of data per spam session, something like that).

Can anybody help me?

One more thing: when I test relaying using a web-based relay test system, I don't seem to get the same result as when I was forwarding email in my LAN using the HELO, MAIL FROM, RCPT TO, DATA, QUIT commands. In my LAN I get the message "relayed to 1/1 recipient", but using an online system no message of 'real' relaying appears at my Jackpot console. Why? Is my Jackpot only relay-capable in my LAN and not on the internet? I already did port forwarding of port 25 from my modem/router (public port) to the host that runs Jackpot (private port), and installed Sygate Personal Firewall Pro 5.5 for protection (set to allow incoming and outgoing SMTP traffic from all IP addresses). I used your (HillsCap) jackpot.properties file.

Snippets of jackpot log:

-----------------------------------------------------------------------------------------------

04/09/08 10:51:29 GMT STATUS Jackpot version 1.2.1 is available at jackpot.uk.net

04/09/08 10:52:24 GMT ENVE 10.0.0.12 203.59.3.81 220 abc.123.net Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed 08 Sep 2004 10:52:24 GMT

04/09/08 10:52:25 GMT ENVE 10.0.0.12 203.59.3.81 HELO staff.iinet.net.au

04/09/08 10:52:28 GMT SMTP 203.59.3.81 10.0.0.12 HELO staff.iinet.net.au

04/09/08 10:52:28 GMT ENVE 10.0.0.12 203.59.3.81 250 abc.123.net

04/09/08 10:52:28 GMT ENVE 10.0.0.12 203.59.3.81 MAIL FROM:<spamtest[at]localhost>

04/09/08 10:52:31 GMT ENVE 10.0.0.12 203.59.3.81 250 Sender <spamtest[at]localhost> OK

04/09/08 10:52:31 GMT ENVE 10.0.0.12 203.59.3.81 RCPT TO:<abc123[at]yahoo.com>

04/09/08 10:52:34 GMT ENVE 10.0.0.12 203.59.3.81 250 Recipient <abc123[at]yahoo.com> OK

04/09/08 10:52:34 GMT ENVE 10.0.0.12 203.59.3.81 DATA

04/09/08 10:53:53 GMT STATUS spam interval updated to 409635s.

-----------------------------------------------------------------------------------------------

*abc.123.net and abc123[at]yahoo.com are not actually the server name and email I used during the test*

It stops after the DATA command... in some sessions a QUIT command appeared... after a while a DATA command appeared... hmmm.... ???

Can anybody help me?

Tq..

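A way to read a log like the one quoted above, as an added example that is not part of Jackpot: this Python parser groups the ENVE/SMTP lines by remote address and reports how far each session got. The field layout is inferred from the quoted lines, and the sample log is constructed (the first session mirrors the quoted one, which stops at DATA; the second, from 192.0.2.44, is made up to show a session that completes).

```python
import re

# Added example, not part of Jackpot. A log line, as quoted in the thread, is
# "<date> <time> <zone> <TAG> [<addr> <addr>] <text>": STATUS lines carry no
# addresses, while ENVE and SMTP lines carry the honeypot's own address and the
# remote address (in either order, judging by the quoted HELO lines).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<zone>\S+) (?P<tag>[A-Z]+) "
    r"(?:(?P<a>\d+(?:\.\d+){3}) (?P<b>\d+(?:\.\d+){3}) )?(?P<text>.*)$"
)
VERB_RE = re.compile(r"^(HELO|EHLO|MAIL|RCPT|DATA|QUIT)\b", re.IGNORECASE)
STAGES = ["HELO", "MAIL", "RCPT", "DATA", "QUIT"]   # SMTP protocol order

# Constructed sample. The first session copies the quoted log (it stops at
# DATA); the second, from 192.0.2.44, is made up to show a session that
# completes. Addresses are written with [at] as the forum shows them.
SAMPLE_LOG = """\
04/09/08 10:51:29 GMT STATUS Jackpot version 1.2.1 is available at jackpot.uk.net
04/09/08 10:52:24 GMT ENVE 10.0.0.12 203.59.3.81 220 abc.123.net Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed 08 Sep 2004 10:52:24 GMT
04/09/08 10:52:25 GMT ENVE 10.0.0.12 203.59.3.81 HELO staff.iinet.net.au
04/09/08 10:52:28 GMT SMTP 203.59.3.81 10.0.0.12 HELO staff.iinet.net.au
04/09/08 10:52:28 GMT ENVE 10.0.0.12 203.59.3.81 250 abc.123.net
04/09/08 10:52:28 GMT ENVE 10.0.0.12 203.59.3.81 MAIL FROM:<spamtest[at]localhost>
04/09/08 10:52:31 GMT ENVE 10.0.0.12 203.59.3.81 250 Sender <spamtest[at]localhost> OK
04/09/08 10:52:31 GMT ENVE 10.0.0.12 203.59.3.81 RCPT TO:<abc123[at]yahoo.com>
04/09/08 10:52:34 GMT ENVE 10.0.0.12 203.59.3.81 250 Recipient <abc123[at]yahoo.com> OK
04/09/08 10:52:34 GMT ENVE 10.0.0.12 203.59.3.81 DATA
04/09/08 10:53:53 GMT STATUS spam interval updated to 409635s.
04/09/08 11:10:02 GMT ENVE 10.0.0.12 192.0.2.44 220 abc.123.net Microsoft ESMTP MAIL Service ready
04/09/08 11:10:03 GMT ENVE 10.0.0.12 192.0.2.44 EHLO lan-test.example
04/09/08 11:10:03 GMT ENVE 10.0.0.12 192.0.2.44 250 abc.123.net
04/09/08 11:10:04 GMT ENVE 10.0.0.12 192.0.2.44 MAIL FROM:<tester[at]lan-test.example>
04/09/08 11:10:04 GMT ENVE 10.0.0.12 192.0.2.44 250 Sender <tester[at]lan-test.example> OK
04/09/08 11:10:05 GMT ENVE 10.0.0.12 192.0.2.44 RCPT TO:<abc123[at]yahoo.com>
04/09/08 11:10:05 GMT ENVE 10.0.0.12 192.0.2.44 250 Recipient <abc123[at]yahoo.com> OK
04/09/08 11:10:06 GMT ENVE 10.0.0.12 192.0.2.44 DATA
04/09/08 11:10:06 GMT ENVE 10.0.0.12 192.0.2.44 354 enter DATA end with CR.CR
04/09/08 11:10:09 GMT ENVE 10.0.0.12 192.0.2.44 250 Message accepted for delivery
04/09/08 11:10:09 GMT ENVE 10.0.0.12 192.0.2.44 QUIT
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def sessions(lines, local_ip):
    """Group ENVE/SMTP lines by remote address and record how far each session got.

    A session records the stages seen, the reply codes the honeypot sent, and
    whether a 2xx reply followed DATA (the body was taken, whether it was then
    relayed or bit-bucketed). A 354 alone only invites the body.
    """
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["a"] is None:
            continue                      # STATUS lines belong to no session
        remote = rec["b"] if rec["a"] == local_ip else rec["a"]
        s = out.setdefault(remote, {"stages": [], "replies": [], "data_accepted": False})
        verb = VERB_RE.match(rec["text"])
        if verb:
            stage = verb.group(1).upper()
            stage = "HELO" if stage == "EHLO" else stage
            if stage not in s["stages"]:  # the same command is logged as ENVE and SMTP
                s["stages"].append(stage)
        elif rec["text"][:3].isdigit():
            code = int(rec["text"][:3])
            s["replies"].append(code)
            if "DATA" in s["stages"] and 200 <= code < 300:
                s["data_accepted"] = True
    return out


def last_stage(session):
    """Furthest SMTP stage a session reached, or None."""
    reached = [st for st in STAGES if st in session["stages"]]
    return reached[-1] if reached else None


def incomplete_sessions(all_sessions):
    """Remote hosts that issued DATA but never received a 2xx for the body."""
    return [ip for ip, s in all_sessions.items()
            if "DATA" in s["stages"] and not s["data_accepted"]]
```

Run over the sample with local_ip "10.0.0.12", the quoted session from 203.59.3.81 is reported as stalled at DATA with no body accepted, which is the symptom the post describes; the parser only shows where a session stopped, not why.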

When I used the relay test above and other online email relay tests/checkers (as listed below), no email was sent to the address I set, *abc123[at]yahoo.com*, unlike when I manually typed the HELO, MAIL FROM, RCPT TO etc. commands, which really sent an email to my inbox at *abc123[at]yahoo.com*.

The web-based open relay testers/checkers I used are as follows:

Abuse.net relay testing - www.abuse.net/relay.html (traceroute.utanet.at/check.html calls this page)

Open Relay Database Test - ordb.org/submit/

Open Relay Test - members.iinet.net.au/~remmie/relay/

Mail Server Relay Test - www.lucidlogic.com/relay.php

Anonymous Relay Test - www.antispam-ufrj.pads.ufrj.br/test-relay.html

Anonymous Relay Test - www.aupads.org/test-relay.html

Securewall Relay Testing - www.securewall.co.uk/Forms/openrelaytestform.asp - must register

Test your mail server for an open relay - www.trusontechnologies.com/services/spam_tester.php

EyeonSecurity Relay Testing - tools.eyeonsecurity.org/tools/relay.html

Third Party Relay Check - www.rbl.jp/svcheck.php

Open Relay Tester - www.mob.net/~ted/tools/relaytester.php3

LART email Open-Relay Tester - spamlart.homeunix.org

Mailserver Open Relay Check - msv.dk/ms009.asp

SPA Relay Test - www.spa-mail.com/rt.html

RelayCheck - www.relaycheck.com

Hope to hear your opinion.. bye


  • 2 months later...

Hello HillsCap

I put spam Vampire rolling with sites in my spams. It works nicely with IE but not with the new Firefox for some reason. But that's a little thing.

I wish I had a faster connection, now I only download about 200kb/sec with my cable modem.

Maybe I should make a kind of server-side version: if, for example, a PHP script on my homepage server would load an image 100 times every time the browser asks for it, that would decrease traffic to my PC and increase download traffic from the spammer site.

But anyway, I feel much better when I finally can cause even little harm to spammers :)

