SMTarPit 0.6.0 review
DownloadSMTarPit is a chrooted SMTP honeypot and tarpit. I wrote this program because I looked around the Internet for an SMTP Tarpit/Honeyp
|
|
SMTarPit is a chrooted SMTP honeypot and tarpit.
I wrote this program because I looked around the Internet for an SMTP Tarpit/Honeypot that was: written in Perl; and, was only an SMTP tarpit/honeypot - I couldn't find one.
SMTarPit is a combined SMTP honey 7187 7187pot and tarpit released under the GPL. It is writen in Perl so it should work on virtually any platform that supports Perl (except Windows). It uses xinetd which looks at port 25 (instructions in the tarball) and when someone calls it, smtarpit is launched and then it chroots itself. It then decides whether there is a man or a machine on the other end and sets about wasting their time.
There are plenty of instructions as to how to configure the program - if Perl is not your first language, you should still be able to see what to do. You will certainly need to put a valid domain name in there but it is all well laid out so that you can install it and run it as a part of xinetd.
If you are an ISP with a tarpitted connection, you can tell which one it is from the fact that the tarpitted connection has a paritcular profile of inactivity and persistancy that no normal SMTP connection has. With this in mind, you can look at your RADIUS logs and take action on the spammer - the one thing that you know from monitoring the connection is that there will be many mails to the same domain from the same source address and that none of them will be solicited as there is in reality nobody to solicit them.
Unsolicited bulk email equals spam and with the RADIUS logs, you can notify the authorities and have the spammer arrested and procecuted - or do nothing more than throw them off and let them spam another day. All spam connections are logged by the tarpit.
How does it work?
Every time an incoming call to port 25 happens, xinetd starts a copy of this server. It only has a small memory footprint and doesn't really consume much processor time.
When the server is started, it responds with the usual welcome message and then waits for the client to respond. When the client does respond, it looks at how long it took and tries to work out whether it is a man or machine at the other end (you can adjust this time in the program if you want).
If the server thinks that it is a machine at the other end, it goes into tarpit mode where everything takes a long time. In SMTP, the server response codes have a three figure number and if that is followed by a dash (-), the client has to wait until it receives one with a space after it. This can take an hour or so.
There are time-outs but you can make the response times all different to avoid profiling/finger-printing of the server - SMTarPit can do this automatically. While all of this is going on, the server is just sitting there, asleep. It doesn't take any significant processor time (arguably any at all) and only a few kB in memory. You can limit the number of concurrent servers with xinetd (explanation and example in the program file at the beginning) and impose any other limitations you want.
In other words, this server allows you to tarpit (stall) several spamming processes (up to the limit you define in the program and your xinetd configuration files) for hours at a time with only minor resource consumption on your part. You certainly won't see any bandwidth eaten away by it (50 Bytes per minute on average is typical).
Requirements:
You need...
a computer that runs Perl
xinetd (you can probably run it with inetd - let me know on that one)
The computer does not receive any incoming mail (ie, port 25 on the external ethernet card is not used - there are details on how to configure xinetd if you do use port 25 on internally facing cards or on the local host - download it and read the details)
Port 25 open on the firewall
there is a domain name pointing to that IP address (even a domestic broadband machine can use this - go to DynDNS.Org to see how to get your own domain name for free)
root access
You don't need...
to have Perl in the directory that this program runs in because it doesn't call anything else once it is chrooted (it doesn't before either)
to run it on a mainframe - a home, broadband machine will do it
a great, in-depth knowledge of setting up servers as you can follow the instructions in the Perl script file - you can run this on virtually anything
to run the GUI front end or the CLI front end to run the tarpit
to spend money
You should have (any way)...
a firewall that you can configure to point port 25 traffic to your server
Perl (nothing fancy is needed here, the basic install that comes with your OS should do)
a 24/7 connection to the Internet
a machine that you run all of the time
SMTarPit 0.6.0 search tags