Jackpot SMTP Tarpit

		Chapter 8 - Other Windows-Based Honeypots Honeypots for Windows by Roger A. Grimes Apress 2005

Along with dinnertime telemarketers, spammers have earned a special place in the hearts of most people. At least with telemarketers, you can tell them to place you on the “do not call” list, but there is no similar mechanism for spammers. According to many research companies, spam now makes up 70% to 80% of all e-mail sent across the Internet.

In order to stop spam, you must make sure that none of the SMTP servers under your control have open relays, and you should also install antispam solutions. Network administrators can take the additional step of blocking all port 25 traffic that doesn’t originate from a legitimate e-mail server. This will prevent spam worms from being able to send unsolicited e-mail from compromised PCs. Unfortunately, to date, there have been no perfect antispam solutions.

If you are frustrated enough, you can take an active antispam role, tracking down hackers, shutting them down at their source ISP, and even taking them to court. A few individuals supplement their incomes by successfully suing spammers in small claims court. Some have won tens of thousands of dollars. If you want to stymie, research, stop, identify, or sue spammers, an antispam honeypot can help.

Because the antispam honeypots are not production servers, any mail they get is unauthorized and probably spam. Many antispammers have used real e-mail servers to set up SMTP tarpits. Sendmail, the most popular SMTP program in the world, can have relaying turned on and be placed in queue processing mode (sendmail –bd) to become a spam tarpit. This queues mail instead of delivering it automatically. See http://www.tracking-hackers.com/solutions/sendmail.html for more details. This offers a simple and quick way to set up an SMTP tarpit, but it doesn’t do much automatically. Standard procedures, such as allowing the spammer’s relay test message to get through but stopping the rest of the bulk e-mail, must be done manually or by custom scripting.

There is a better tool for automating SMTP tarpits and for help in identifying the spammer. Written by Jack Cleaver (mrdemeanour@jackpot.uk.net) in 2002, Jackpot (http://jackpot.uk.net) is a Java- and HTML-based honeypot dedicated to fighting spam. Running on most Windows platforms, it operates as an intelligent SMTP server decoy. Like most tools built for the right job, Jackpot is a significantly better antispam server than using a real SMTP server for the job. It’s relatively easy to install, free, and fast. It comes with dozens of settings to automate the process of trapping and tracking spam, including the following:

• Jackpot offers a web-based GUI to administer the SMTP honeypot. It’s not a feature-rich GUI, but it beats the command line.

• Jackpot automatically detects regular spam versus spammer relay test messages.

• You can designate how many test relay messages you accept from the spammer before refusing to relay messages to legitimate sites.

• Jackpot will relay test messages to known test drop boxes, even though it might otherwise consider the message regular spam. This is to make sure that spammers see their test messages getting through. If the spammer includes test relay messages within a bulk message transmittal, the test messages will get through, while the other messages are stopped.

• You can set the tarpit delay that makes the server very slow when responding to commands. This frustrates the spammer greatly, and any day you can frustrate the spammer is a good day.

• Jackpot saves the full details of all spam mail submitted to it as a collection of web pages. Messages are grouped by originating host address.

• Jackpot automatically tries to gather information on the spam and spammer. It performs lookups at several antispam databases, including Spamcop (http://www.spamcop.net) and the Network Abuse Clearinghouse (http://www.abuse.net).

Most users can get Jackpot up and operating in 30 minutes. It logs spam connections to the screen console, logs all sent messages, and automatically researches spammers. All messages are saved to a separate file called <message id>.cdf. Each connecting spam host and its IP address is stored in a file called <hosts>.cdf, and an activity log is kept on each host in a file called <domainname>.cdf. Although the file extension might make you think all the files are comma-delimited files because of the .cdf extension, the message detail files are plain text.

Installing Jackpot

Jackpot downloads in a single zip file and extracts all the files to one main folder and four subfolders:

• The \DOCS folder contains Jackpot manuals and install instructions.

• The \HTML folder is for Jackpot’s administrative web site. It also contains logs and messages details.

• The \TEMPLATES folder contains HTML files, some duplicates, and miscellaneous administrative files.

• The \master folder has copies of lists allowing and disallowing addresses and servers.

Here are the installation steps:

1. Find a suitable honeypot PC on which to install Jackpot. It should be connected to the Internet with access to port 25.

2. You must have Java 2 Runtime Environment (J2RE) 1.2 or higher installed. A Java Virtual Machine (JVM), such as offered by both Microsoft and Sun as a browser plug-in, will not cut it. Go to http://www.java.com, and download and install the latest J2RE. It was at version 1.4.2 at the time this chapter was written. You will need to reboot your PC after the J2RE is installed.

3. Download Jackpot (http://jackpot.uk.net) and unzip the package into an appropriate directory. I created a folder called C:\jackpot for the files.

Configuring Jackpot

Most of the initial configuration is done in the main directory where the honeypot was unzipped. Jackpot.properties is the main configuration file for Jackpot. It contains a few dozen parameter/ value settings. In most cases, you can modify just a few to get your honeypot up and running. Jackpot.properties is moderately commented, and each setting is briefly explained in the accompanying Properties.html help file in the \DOCS folder.

Mimicking a Microsoft Exchange Server 5.5 machine is a good idea because it will make the spammer think the mail server is older, and thus more possibly neglected and believably left as an open relay. The newer versions of Exchange Server have relaying off by default.

There are a handful of settings that anyone should change, and another few to change if you want to mimic an Exchange Serve 5.5 machine. The Help.txt file contains the message spammers will see if they telnet to the honeypot and type in HELP at the SMTP prompt. You can also modify Jackpot’s default Help.txt file to mimic an Exchange Server 5.5 help screen.

To configure Jackpot to mimic Exchange Server 5.5, you need to edit the Jackpot.properties file located in C:\jackpot using Windows Notepad or some other text editor. Change the following parameter/value sets in Jackpot.properties:

• Specify the SmtpAddress if you have a multihomed server.

• Change RoleAccountAlias to a valid postmaster account, such as postmaster@banneretcs.com.

• Change AdminUser to something other than admin.

• Change AdminPassword to something other than admin.

• Change the HttpPort port to something other than 8080, and write it down so you can use it to contact the honeypot later.

• Change ExpnResponse from 502 Command is disabled to 502 Command not implemented.

• Delete or comment out the TurnResponse parameter and value (the TURN command does not exist in Exchange Server 5.5.)

• Shorten BadSequenceResponse to Bad sequence.

• Change MTADescription to ESMTP Server (Microsoft Exchange Internet Mail Server 5.5.2448.0).

• Change ServerName to reflect your mail server’s fake name, such as mail4.banneretcs.com.

• Change any other settings as desired.

Next, modify the Help.txt file to look like the following (to mimic an Exchange Server 5.5 machine instead of an InterMail server):

 214-Commands:  214- 214-     HELO          MAIL            RCPT     DATA    RSET  214-     NOOP          QUIT            HELP     VRFY    ETRN  214-  XEXCH50  STARTTLS  AUTH  214 End of HELP info  

Running Jackpot

Run Jackpot.bat to run Jackpot. Press Ctrl-C to stop it. You can also make a desktop shortcut and attach the honey.ico icon file to it.

Once activated, Jackpot opens a console window revealing ongoing activity, as shown in Figure 8-19. Screen logging does not track everything. For example, it will report when a connection HELO or EHLO is typed in, but not HELP and many other interactive commands.

Figure 8-19: Jackpot’s console screen showing SMTP connection activity

Most spammers connecting to Jackpot will not be able to tell they are on a tarpit honeypot. It appears and acts like a regular SMTP server, as shown in Figure 8-20.

Figure 8-20: Example of a connected SMTP Jackpot session from the spammer’s computer

At any time, the Jackpot administrator can connect to the tarpit and administer it, as shown in Figure 8-21. You can check on message activity, currently connected spammers, and the number of spam messages. You can also turn on or off relaying, turn on or off the tarpit, browse the spam logs, and read message details.

Figure 8-21: Jackpot main administration screen