The concept is simple - make a mailbox that adds the sender's host IP of any mail received to a blacklist, then refuse mail from those hosts in the future. You entice spammers to send to the mailbox by posting the address in a prominent place. I use this with exim4, and here's how:

  1. In system.filter, add this:

    if $recipients contains "blacklist-me@domain.example" then
      pipe "/usr/local/bin/blacklist-me $sender_host_address"
    endif

    Make sure you have system_filter_pipe_transport, system_filter_user and system_filter_group defined in your exim config.

  2. Now create /usr/local/bin/blacklist-me:

    #!/bin/sh
    # Append the sending host's IP (passed as arguments) to the blacklist file.
    BLACKLIST=/etc/exim/local_host_blacklist
    echo "$*" >> "$BLACKLIST"

    Make it executable.

  3. Touch the file /etc/exim/local_host_blacklist, making sure it is writable by system_filter_user. Obviously you should adjust all these paths to suit your own config.

  4. Now just make the mailbox valid by putting this in /etc/aliases:

    blacklist-me: /dev/null

That's it! Now anyone who mails blacklist-me@domain.example (put your own domain, of course) will have their IP blacklisted from ever sending you mail again. Easy, isn't it?
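A hardened variant of the blacklist-me script from step 2, as an added example rather than the author's own script: it skips empty or malformed arguments (Exim leaves $sender_host_address empty for locally submitted mail), never lists loopback or allowlisted hosts, and does not write duplicate entries. The ALLOWLIST file, the return codes and the environment overrides are assumptions introduced for illustration.

```shell
#!/bin/sh
# Added example: hardened variant of blacklist-me (not the author's script).
# ALLOWLIST is a hypothetical file, one IP per line, of hosts never to block.
BLACKLIST=${BLACKLIST:-/etc/exim/local_host_blacklist}
ALLOWLIST=${ALLOWLIST:-/etc/exim/local_host_allowlist}

# Succeed only for a dotted-quad IPv4 address or a bare IPv6 literal.
is_ip() {
    case $1 in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;  # empty, or characters no IP contains
        *:*:*) return 0 ;;                # loose IPv6 check: hex, dots, colons
        *[!0-9.]*|.*|*.|*..*) return 1 ;; # IPv4 must be digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                             # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Append $1 to the blacklist unless it is invalid, protected or already listed.
# Returns 0 when added, 1 invalid, 2 loopback/allowlisted, 3 duplicate.
add_host() {
    is_ip "$1" || return 1
    case $1 in 127.*|::1) return 2 ;; esac   # never block loopback
    if [ -f "$ALLOWLIST" ] && grep -qxF -- "$1" "$ALLOWLIST"; then return 2; fi
    if [ -f "$BLACKLIST" ] && grep -qxF -- "$1" "$BLACKLIST"; then return 3; fi
    printf '%s\n' "$1" >> "$BLACKLIST"
}

# Exim passes $sender_host_address as the first argument. A skipped address
# is not a delivery failure, so a non-zero status is not propagated.
if [ $# -gt 0 ]; then add_host "$1" || :; fi
```

Putting your own relays and any backup MX in the allowlist keeps mail that is forwarded to the honeypot address from blocking hosts you depend on.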

2008-04-22 Update: If you run Debian Linux, there are some excellent instructions on running your own MTA with Exim, including a variation on this honeypot, at Spencer Stirling's site. (The honeypot instructions are right at the bottom.)