Setting up a Spamtrap.
So you want to get spam? It's easy and fun -- you just need to set up a dedicated trap. Here we take a look at the situation of being behind a DSL modem. Here's what to do:
- You can give your outside IP address (which is going to be your MX record, the IP address MTAs are going to use to send you spam) a symbolic name using dynamic DNS services. The idea is that if your external IP changes, you only change the dynamic DNS record and not all the MX records for all the domains you've set up to catch spam.
EasyDNS works well; they will send periodic updates asking you to reconfirm that your external IP address is the one they have in their records. They will also provide you with a perl script (ddclient; you'll need IO::Socket::SSL and Net::SSLeay, which are easy to get). The configuration looks like:
    use=web, web=checkip.dyndns.org/, web-skip='IP Address'
    server=members.dyndns.org, \
    protocol=dyndns2 \
    my-easydns-domain
- Find an old server to install Linux on. Make sure you configure iptables. Whether you want to bother with SELinux is your choice. I don't. Don't give it any domain name.
- Install qmail. Qmail is nice but it's a bit delicate. The software hasn't been updated in a while and the author doesn't allow new releases. So there's the official last distribution and a plethora of patches. After a couple of trials that didn't go very well, I settled for the directions given by qmailrocks which, well, rocks.
I went through all the steps, but I didn't install the following options: ezmlm, autoresponder and maildrop. I certainly installed vpopmail and the web based vpopmail management interface, which makes it really easy to create new domains (you might want to register different domains to catch more spam.)
During compilation, I had to create the following symlinks:
    cd /usr/include
    ln -s /lib/modules/2.6.9-1.667/build/include/linux
I also did the same thing with asm-generic (linking it to /usr/include/asm-generic) and asm-i386 (linking it to /usr/include/asm), so that /usr/include/linux exists (that's for errno.h, for instance.) My recommendation is that you spend an hour or so reading all the steps to know what's coming to you and prepare everything before running the installation for real.
Qmailrocks.com will walk you through all the steps, all the way down to starting qmail and making sure that it works. As far as domains are concerned (for the virtual domain or the rcpthost), I used my-easydns-domain, which I registered with EasyDNS.
- Next you create a mail domain -- use the vpopmail user interface that should be running on your mail host. This domain could be the one you registered with EasyDNS, but you can also create others. For now, let's go with my-easydns-domain. Create a postmaster for each domain and also an account where all the spam will go, for instance spam. Make sure that these accounts provide limited access (no POP, no web access, for instance.) Since you're going to advertise email addresses that do not exist (you don't want to add these users manually all the time) and spammers are going to try their luck with possible email addresses that could exist in your domain, the easiest thing to do is to redirect all incoming email that isn't sent to postmaster to the spam account. It's easy to do: just edit the .qmail-default file that exists for a particular domain (this file lives in /home/vpopmail/domains/my-easydns-domain) so that it contains:
    | /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/my-easydns-domain/spam
- From your internal network, you can start testing that things are working. For instance, you can telnet to port 25 of your mail host and try an SMTP session. In the transcript below, what you type is the telnet command itself and the SMTP commands (HELO, MAIL FROM, RCPT TO, DATA, the message body, the lone dot, QUIT); the numbered lines are qmail-smtpd's replies:
    telnet 192.168.1.4 25
    Trying 192.168.1.4...
    Connected to host (192.168.1.4).
    Escape character is '^]'.
    220 my-easydns-domain
    HELO foo.edu
    250 my-easydns-domain
    MAIL FROM bar@foo.edu
    250 ok
    RCPT TO: baz@my-easydns-domain
    250 ok
    DATA
    354 go ahead
    Hello!
    .
    250 ok 1184182572 qp 17173
    QUIT
    221 my-easydns-domain
Now take a look at /home/vpopmail/domains/my-easydns-domain/spam/Maildir/new/ and you should see a file named 1184182572.17175.hostname,S=240 which contains the raw mail you just sent to your domain. hostname is the name you gave to your mail host, the string returned when you type the command hostname.
- It's a good idea to make qmail log all SMTP transactions for further analysis (for instance, you'll be able to write scripts to identify DHAs (directory harvest attacks), a simple knock on your SMTP door, or transactions that fail for whatever reason.) Here's how you do this (thank you Chris for the tip!)
Modify the file /service/qmail-smtpd/run to add /usr/local/bin/recordio before the invocation of /var/qmail/bin/qmail-smtpd. Once the modification is done, the file will look like this (the added line is the recordio one, right before qmail-smtpd; only the last few lines are shown):
    ...
    exec /usr/local/bin/softlimit -m 30000000 \
        /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
        /usr/local/bin/recordio \
        /var/qmail/bin/qmail-smtpd my-easydns-domain \
        /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
The logs are going to end up in the /var/log/qmail/qmail-smtpd directory: first in a file called current, and then in files named after the date of their last modification, using a hexadecimal notation: 8 hexadecimal digits for the number of seconds since the Epoch (as returned by ctime(3)) and the other 8 hexadecimal digits being the fraction of a second, all of this after a @40000000 prefix that I haven't tried to interpret.
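As an added example (not code from the original post), here is a small Python script of the kind the paragraph above has in mind: it parses qmail-smtpd log lines, groups them per connection and flags knocks, suspected directory harvest attacks and failed transactions. It assumes multilog's TAI64N stamps and a recordio line format of `pid <` for client input and `pid >` for server output (those direction markers are an assumption), and the log lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the multilog + recordio format: TAI64N stamp, recordio pid, then "<" for
# what the client sent and ">" for qmail-smtpd's reply (the direction markers are an assumption).
SAMPLE_LOG = """\
@4000000046953136051b2c10 17173 > 220 my-easydns-domain
@4000000046953136061e4a20 17173 < HELO foo.edu
@4000000046953136071a2b40 17173 < MAIL FROM bar@foo.edu
@4000000046953136081b2d60 17173 < RCPT TO: baz@my-easydns-domain
@40000000469531360a1d2ba0 17173 > 250 ok 1184182572 qp 17173
@40000000469531370d1b2f20 17190 < HELO mx.example.net
@40000000469531370f1f6d60 17190 < RCPT TO:<alice@my-easydns-domain>
@40000000469531370f2f6d60 17190 < RCPT TO:<bob@my-easydns-domain>
@40000000469531370f3f6d60 17190 < RCPT TO:<carol@my-easydns-domain>
@40000000469531380a1b1c10 17202 > 220 my-easydns-domain
@40000000469531390b1c2d10 17210 < RCPT TO:<zed@my-easydns-domain>
@40000000469531390b1d3e20 17210 > 451 qq temporary problem (#4.3.0)
"""
LINE = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8} (\d+) ([<>]) (.*)$")

def tai64n_to_unix(label_hex):
    # TAI64 seconds as multilog stamps them sit 2**62 + 10 above the Unix epoch
    return int(label_hex, 16) - (1 << 62) - 10

def parse_sessions(log_text):
    """Group recordio lines by pid: start time, client command count, RCPT count, queued or not."""
    sessions = defaultdict(lambda: {"cmds": 0, "rcpt": 0, "delivered": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        secs, pid, direction, text = m.groups()
        s = sessions[pid]
        s.setdefault("start", tai64n_to_unix(secs))  # first line seen for this connection
        if direction == "<":
            s["cmds"] += 1
            s["rcpt"] += int(text.upper().startswith("RCPT TO"))
        elif text.startswith("250 ok ") and " qp " in text:
            s["delivered"] = True  # qmail-smtpd accepted the message into its queue
    return dict(sessions)

def flag_sessions(sessions, rcpt_limit=3):
    flags = {}  # pid -> reason, for the three kinds of sessions the post suggests watching for
    for pid, s in sessions.items():
        if s["cmds"] == 0:
            flags[pid] = "knock: connected, sent nothing"
        elif s["rcpt"] >= rcpt_limit:
            flags[pid] = f"possible DHA: {s['rcpt']} recipients probed in one session"
        elif s["rcpt"] and not s["delivered"]:
            flags[pid] = "failed transaction: recipient given, nothing queued"
    return flags
```

Run it over the current file or an archived @4000000... file from /var/log/qmail/qmail-smtpd instead of SAMPLE_LOG to get the per-connection picture a cron job could mail you.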
- Let's summarize what we have:
  - We have a TLDN that points to the IP address of our DSL modem.
  - We have a mailhost that runs qmail. On this mail host we have:
    - Domains (such as my-easydns-domain) that we can send emails to; the user doesn't have to exist, everything goes into the spam account under /home/vpopmail/domains/my-easydns-domain/spam/Maildir/new.
    - qmail will save the logs of the entire SMTP transaction.
- Just modify your DSL modem configuration so that incoming SMTP traffic on port 25 is redirected to your mail host, the one running qmail. You can conduct an SMTP test from the outside to make sure that (1) the port redirection works and (2) you don't have a firewall rule on the DSL box or on the mail host that prevents traffic coming from the outside from flowing through port 25.
- Now register domains with a registrar (any one you want that gives you control over the values you put in your records.) For instance, if you create serialhacker.org (this one is taken, sorry!) using the vpopmail web based admin interface, you want to register the serialhacker.org domain. During registration or after, you just set the MX records for that domain to point to... my-easydns-domain. Once the records have been taken into consideration (this takes more or less 24 hours) you will be able to send mail to serialhacker.org using a Yahoo! or Gmail account, for instance, and this mail will be sent to the IP pointed to by my-easydns-domain.
- The next step is to advertise bogus email addresses using the domains that you registered. You can add them to web pages you maintain or post test messages to test newsgroups (you can automate this process using the perl Net::NNTP package in a simple script.)
- Soon spam will flow in. It's up to you to do whatever you want with it, but I personally wrote scripts to monitor traffic: where it's coming from, its intensity, etc. These scripts are running as cron jobs to send me email if something happens...
Labels: spamtrap