Friday, May 29, 2015

smtp-mailhost honeypot

I've been working on a mail honeypot for the last year or so. The goal was to analyze  smtp-auth failures on a dummy mailhost that;

        1: I never had any MX/A/TXT/SPF record installed ( the ISP did install generic PTR )
        2: never sent any email 
        3: never received email under any official means

My top smtp-auths failures are show in this simple ms-excel graph.

 The graph here's shows % by continents using a geo-IP lookup  and  against  the 7 continent model

Now to summarize,

  • I took total failures  and reduce any duplicates ( address )  so these where unique event for each user
  • Asia was  the #1 continent by geoIP lookup
  • The "Administrator" was the #1 account that failed

My future goals are to extract the data for developing timed ACL for  repeat offenders. I also want to explore ipv6 mail-abusers to see if this issues exists in the ipv6 domain.

On a different approach I have a few domains being used for email-traps, this is another means for trapping and luring  abuser in regards to mail. The abuser are so blunt  the trap emails have email address such as ; or similar , and the abuser still send spam email.

My domain which was a big target when it was productive back in the later 90s early 2000s is still receive spam emails to various emailserver but yet it has no MX record.

Btw, me and a few friends are setting up a ipv6 only honeypot & for tracking in the next few weeks on a virtual machine to see if we get any hits.

The ideal that if a you have a honeypot & that it ( address ) was never publish and folks are attempting to relay thru you, they are most likely up to no-good

SMTP/POP  honeypots are great for trending and general awareness of abusers. This approach can  be used for both personal awareness & knowledge , of just to see how rampart  mail-abuse exists.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       /  \

No comments:

Post a Comment