XMail Forum > Fighting SPAM > Honeypot Like

Posted by: yartax Oct 25 2011, 03:43 PM

Every day I see in the log files multiple attacks on the SMTP service, trying to find a valid email account to send spam through. My server has been tested and is not an open relay, but spammers massively try to send emails by compromising valid accounts.

I realized that most attacks have the same pattern:

1) find a mail server on the internet (mine, for example)
2) determine the domain from the HELO response if possible
3) find a valid account (email) and try passwords

In one case, a spambot found a poorly protected account of mine and used it to send thousands of spam mails in minutes (mea culpa).

I thought of the idea of feeding RBL lists by catching these spambots (I use RBL lists and they do a nice job). Taking a honeypot as the basis, I thought of creating some dummy email accounts with trivial passwords; when a spammer tries to send mail with these accounts, catch the email and finally block the sender IP temporarily, say for xxx seconds or minutes.

With this captured email, I can send it to antispam or abuse lists that can feed back by putting the spammer in an RBL list, so the effort can be rewarded!

I don't know if XMail has support for doing these kinds of operations through filters. I suppose the big deal is to implement blocking of incoming emails when a dummy account is used.

I would be interested in writing some scripts in Linux to get an approach to this feature, but I need some starting help with filters. The first question I have is: can filters get a message, get the sender IP address, and block further attacks from the sender? Is a core implementation needed? Is it viable via scripting?

I'm not looking for any SMTP proxy doing spam filtering; I want to feed RBL lists and/or feed antispam projects with the gathered info.

PS: My server runs on a Lenny box, XMail version 1.25-4.

Thanks in advance

Posted by: yartax Jan 4 2012, 01:15 PM
Hi again,

Just to comment that I finally crafted a (badly written) bash script to try to catch spammers. It works by detecting the sender IP address over the last 200 (or X) mails; if this sender reaches 99% (or X%) of the last messages, it captures the mail headers and message to process later and drops the current connection, preventing the email from being sent. No IDS required, no database required, only bash and XMail filter functions.

Better than nothing.
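The sliding-window check the post describes (keep the last N sender IPs, flag an IP that reaches X% of them), written out as an added shell example that is not the poster's script. It assumes the caller has already extracted the remote IP from the spool file and passes it as an argument; the state file path, the trusted list and XMail's reject exit code are assumptions marked in the comments.

```shell
#!/bin/sh
# Sliding-window "one sender dominates recent mail" check, in the spirit of
# the script the post describes. Added example, not the poster's script.
# Assumptions: the caller (e.g. a wrapper run as an XMail filter) has already
# extracted the remote IP and passes it as $1; STATE_FILE is a plain text
# file, one IP per line, holding the last WINDOW senders.
WINDOW="${WINDOW:-200}"          # window size (the post's "last 200 mails")
THRESHOLD="${THRESHOLD:-99}"     # percent of the window one IP may fill (the post's 99%)
STATE_FILE="${STATE_FILE:-/var/tmp/xmail-sender-window.txt}"  # assumed path
TRUSTED="${TRUSTED:-}"           # space-separated IPs never flagged (own relays, monitoring)

# record_ip IP: append IP to the window and keep only the newest WINDOW lines.
record_ip() {
    printf '%s\n' "$1" >> "$STATE_FILE"
    tail -n "$WINDOW" "$STATE_FILE" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# window_size: number of IPs currently recorded (0 if the file does not exist).
window_size() {
    [ -f "$STATE_FILE" ] || { echo 0; return; }
    wc -l < "$STATE_FILE" | tr -d ' '
}

# share_of IP: integer percent of the window occupied by IP.
share_of() {
    total=$(window_size)
    [ "$total" -gt 0 ] || { echo 0; return; }
    hits=$(grep -cxF -- "$1" "$STATE_FILE" || true)   # grep exits 1 on zero matches
    echo $(( hits * 100 / total ))
}

# is_trusted IP: true when IP is listed in TRUSTED.
is_trusted() {
    for t in $TRUSTED; do [ "$t" = "$1" ] && return 0; done
    return 1
}

# should_drop IP: record IP, then succeed only when the window is full and IP
# fills at least THRESHOLD percent of it. Requiring a full window stops the
# first message after a quiet period from being 100% of a one-line window.
should_drop() {
    is_trusted "$1" && return 1
    record_ip "$1"
    [ "$(window_size)" -ge "$WINDOW" ] && [ "$(share_of "$1")" -ge "$THRESHOLD" ]
}

# Usage from a filter wrapper (the reject exit code is XMail's; see its filter docs):
#   if should_drop "$SENDER_IP"; then cp "$SPOOL_FILE" "$CAPTURE_DIR/"; exit <reject-code>; fi
```

The full-window condition and the trusted list are the two caveats worth keeping: without them a quiet server flags the first sender of the day, and a legitimate bulk source such as your own relay or monitoring host would be dropped along with the bots.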

