[Dshield] Spam trap code/ virtual machine

Frank Knobbe frank at knobbe.us
Tue May 29 15:43:55 GMT 2007


On Fri, 2007-05-25 at 17:42 -0700, Tomas L. Byrnes wrote:
> Gentlemen, I'm not planning on using a real domain that gets mail.
> 
> I'm going to use one of the many domains for defunct companies that I
> still own, and make its MX the spam trap. Now all I need is the
> spamtrap code.
> 
> I can't find jackpot, proxypot, SMTPot.py, Spamhole, Back officer
> friendly, or any of a wealth of others referenced in the O'Reilly
> books and Wikipedia.

How about just using daemontools? I use it as a honeypot. Configure a
service script that uses tcpserver to simply block the incoming
connection on your firewall of choice. Since the script is held up by
daemontools, it will fire on the next connection. tcpserver delivers you
the remote IP address in $TCPREMOTEIP.

Very simple, very effective :)

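run:
#!/bin/sh
# tcpserver syntax is: tcpserver [options] host port program.
# Host 0 listens on all local addresses; keep this as one logical line.
exec /usr/local/bin/softlimit -m 5000000 \
    /usr/local/bin/tcpserver -R -v -p 0 smtp ./block 2>&1

block:
#!/bin/sh
# tcpserver exports the peer address to this program as $TCPREMOTEIP.
echo "@1 block in quick from $TCPREMOTEIP to any" | ipf -f -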


Cheers,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
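
A stricter variant of the block script from the message above, added here as an example and not part of the original post: it validates the address and skips an allowlist before emitting the same ipf rule, so a probe from your own monitoring host does not lock you out. ALLOWLIST and its sample addresses are assumptions, and the check is IPv4-only on the assumption that tcpserver is listening on IPv4.

```shell
#!/bin/sh
# Added example: validating variant of the "block" script.
# ALLOWLIST is a hypothetical setting; the addresses are constructed samples.
ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.0.2.10}"

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the ipf rule for $1. Returns 1 for a malformed address and
# 2 for an allowlisted one, printing nothing in either case.
build_block_rule() {
    is_ipv4 "$1" || return 1
    for allowed in $ALLOWLIST; do
        if [ "$1" = "$allowed" ]; then
            return 2
        fi
    done
    printf '@1 block in quick from %s to any\n' "$1"
}

# Service mode: tcpserver exports TCPREMOTEIP to the program it starts.
if [ -n "${TCPREMOTEIP:-}" ]; then
    if rule=$(build_block_rule "$TCPREMOTEIP"); then
        echo "$rule" | ipf -f -
    else
        echo "not blocking '$TCPREMOTEIP'" >&2
    fi
fi
```
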
