Re: [PLUG] Linux SMTP honeypots?


What you're proposing doesn't sound too bad, but specifically I was looking for products that are designed for malware collection. Basically, I want to look as appealing as possible to malicious senders in order to gather malware; it doesn't necessarily have to be SMTP now that I think about it, it just has to be some type of server where individuals want to send me malware for some reason. This ideally means I want to make it look like I'm running a very insecure version of sendmail, appear to be an open relay, etc. I'm seeking out honeypot projects specifically because they are geared for this type of task and would already have the proper security configuration and mechanisms in place to extract data and to isolate incoming traffic.

Also, because this is a typical IT environment, I've been asked to do a lot, in a secure way, without much time, alongside lots of other competing projects :) That's why I'm hesitant to build a honeypot from scratch, although in the future I think it would be a lot more fun.

Hope this clears things up a bit.


On Wed, Mar 24, 2010 at 3:49 PM, JP Vossen <jp@jpsdomain.org> wrote:
> Date: Wed, 24 Mar 2010 08:40:56 -0400
> From: Mike Sheinberg <m.sheiny@gmail.com>
> Anyone have any suggestions for Linux-based SMTP honeypots? Specifically, I
> am trying to capture malicious attachments for analysis so I'm looking for
> something that does more than just slow down spammers (like a tarpit). I'm
> running into a lot of honeypot projects that simply stall attackers and
> mimic infected machines but having difficulty finding ones which save files
> that they try to send. Anyways, let me know if anyone has any good tips on
> where to start.

I'd think this would be very easy to do with Postfix.  Lock it down so
it's not a relay, maybe even disable outgoing mail.  Then either create
some users that Postfix will accept mail for, or set up a wildcard
address, then post the trap addresses around.

Or did I misunderstand?  As I re-read, maybe I did.  Above I am assuming
you just want to capture any/all incoming mail (ideally with evil
attachments), but now I think maybe you are wanting to *pretend* to be
an open relay or something, and simply capture rather than send?

Perhaps some clarification is in order?

Sounds interesting,
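
As an added example, not part of this thread, here is a Postfix main.cf fragment for the capture-only trap JP describes: no relaying, outbound mail disabled, a wildcard trap domain whose mail is all delivered to one local account, with each message kept as a separate file so attachments survive intact. Hostnames, the domain `honeypot.example` and the local user `trap` are placeholders.

```conf
# /etc/postfix/main.cf fragment for a capture-only SMTP trap (constructed
# example; hostnames, the trap domain and the "trap" user are placeholders).
myhostname = mx.honeypot.example
mydomain = honeypot.example
inet_interfaces = all

# Relay control: only localhost is trusted and there are no relay domains,
# so mail for any foreign domain is refused at RCPT TO. The host never relays.
# (smtpd_relay_restrictions exists from Postfix 2.10; older releases use the
# recipient restrictions line alone.)
mynetworks = 127.0.0.0/8
relay_domains =
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Outbound delivery is switched off: anything that would leave the host
# (forwards, bounces to remote senders) hits the error transport instead.
default_transport = error:outbound mail is disabled on this host

# Wildcard trap domain: every local part at honeypot.example is accepted and
# redirected to the local "trap" account via a virtual(5) "@domain" catch-all.
virtual_alias_domains = honeypot.example
virtual_alias_maps = hash:/etc/postfix/virtual
#   /etc/postfix/virtual holds one line:   @honeypot.example   trap
#   then run:  postmap /etc/postfix/virtual

# One file per message under ~trap/Maildir/ keeps each sample, headers and
# attachments included, exactly as received; allow large messages, no cap.
home_mailbox = Maildir/
mailbox_size_limit = 0
message_size_limit = 52428800

# Don't let senders enumerate which trap addresses exist.
disable_vrfy_command = yes
```

After `postfix reload`, check with `postconf -n` that `relay_domains` is empty and `default_transport` is the error transport, and confirm from another host that a RCPT TO for a foreign domain is rejected before pointing any trap addresses at the box.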
