Thursday, March 7, 2013

mailspam pot

In this post we will talk  generally about the way to approach a mailspam like honey pot. I like to call this my own mailspam pot :)


here's a definition of a a honey port;

[QUOTE]
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
[/QUOTE]

reference  http://en.wikipedia.org/wiki/Honeypot_%28computing%29

Okay so here's my definition of a mailspam pot.

A hosted  email MX server that's sets a trap or series of traps, and  for  collecting  potential spammers, and those that use unethical means for harvesting  email accounts. It uses a seeded site with a fictitious email address and/or a valid domain, and collects  the spammer from_email address and it's mail relay ip address or other potential information.

Okay so in my spampot, I 'm using sendmail and the virutaluser feature.  My virtual user table has  one big wildcard entry that catches anybody sending to my trap domain.

e.g

-->
/etc/mail/virtusertable



@myspampotdomain.com   myspampot


I could have seeded various email accounts like; root@myspampotdomain.com, admin@myspampotdomain.com,etc...
The  column to the right within the virtusertable, is a mailalias that  has hooks into a script that sorts the mailsender and collects  his sender from_email_address and ip_address. This depends on mail log and  the unix syslog services.
 

It greps the maillog for any mail  received,  and pulls this  information out, & install it  into a simple text file.

e.g ( snippet of my script )

cat maillog | grep ": from=<" | cut -d , -f1 | cut -d "=" -f2  >> mycollection.txt


I police that file and remove any duplicates, I also extract the dates, for post frensic and other analysis that I run. At this point, I can import these into my email security appliance, &  apply them to my blacklist table.  You have to be very creative as to what you do with the collected data.

As an alternative, once you have collected the  sender ip_address,  you can now check them against one of the realtime blacklister and see if they have entry or check them in let's say against a mail reputation system.

e.g

http://www.mxtoolbox.com/blacklists.aspx
http://blacklistcheck.com/
http://www.fortiguard.com/ip_rep.php
http://www.senderbase.org/senderbase_queries/detailip?search_string=8.8.8.8

NOTE: This could also confirm validity of their reputation.

The mail spampot is not a mitigation gear, nor takes any mitigation  approach. As a matter of fact; it does not even prevent the spam mail. It's used to counter or harvest  potential crawlers that finds emails and blindly send email to recipients. As additional matter of fact, we want it to catch spam.

In my design the spampot sits on a VM instance  hosted in at a VPS,  & uses very limit resources and best of all, it's non critical in function.  http://www.vr.org/

In the above myspamspotdomain.com, that 's actually my true spampot domain, purchased just for my trap.  Try not to get caught , I'm watching?

background;

I started the mailspam pot awhile back,  to prove a hunch that domains that are registered are some how located and blindly  spam'd. In my mailspampot domain, I never  created any real accounts, sent any email from that domain, nor posted any thing on any website links with any reference or information about that domain. 

NOTE: I personally think the registars are selling us out and our information when  register domains.

When I first register my  myspampotdomain, I had spam within the 1st 128hours after creating the domain and mx records  in my dns. So a newly register domain with NO activity, had spam within 128hours of purchasing.


So any mail sent to anybody in that domain is  considered spam.



My mailspampot version 2, which is planned in Q3-2013, will use a different approach and installed of running a text file, I plan on harvesting the  following information;

  • sender's email
  • sender's ip_address
  • date receipt
  • message ID

and insert these into a mysql database.

For how much the spam pot catches, database logging is no required, but a Sql approach would look more professional.



Happy hacking



Ken Felix
Freelance Network/Security Engineer
kfelix a--t hyperfeed d--o--t com








No comments:

Post a Comment