I have been asked several times recently “how do I set up an email honeypot, spam trap or malspam trap?” Before we get to the nitty-gritty, let's be clear: there are two types of honeypot / spam trap.
- Where the aim is to collect spammers' email addresses, sending IP addresses and other information, and use that to block them from your server (and exchange the information with other blacklists).
- Where we want the spammers, scammers and malware spreaders to send their phishing, malware and scam emails to us, so we can collect the malware, phishing or scam, submit it to anti-virus companies and anti-phishing organisations and, when appropriate, report it to law enforcement to eventually stop them.
We all know that we will never completely stop spam, scams and malware spreading by email, but that is a discussion for another post.
This quick tutorial shows how to set up the second type: a honeypot that traps spam and malware.
What you need:
- A web / email server. To have any degree of success you really need either a dedicated server or a VPS. Normal web hosting packages will block too much spam and malware. (Yes, I know we all complain about hosting providers who let too much spam and malware through, but in general standard hosting / email packages have a pretty reasonable spam filter that quite quickly detects and blocks waves of spam and malware.)
- I use the cPanel web hosting control panel, which allows various helpful plugins to deal with spam etc. Most good hosting providers offer cPanel, either included with the dedicated server / VPS or as an extra monthly cost (normally between about $15 and $40, or the equivalent in £ or €).
- You also need several different domain names and at least one website. Which domain names you choose will depend on your country and what topics your website covers. You really do need at least one live website on the server, preferably with lots of content and pages, where you can scatter email addresses around on each page to tempt the scammers and spammers into using them. Use at least one TLD that is in common use in your country; in the UK I use .co.uk, .org.uk and .com. You can try some of the new TLDs, but they tend to be used for sending a lot of spam and don't seem to attract much.
- You need some sort of mail scanner that lets you see email on the server, release or forward it to your spam mailbox, and download the malicious attachments or the spam / scam / phishing links. I use a set of tools / programs / cPanel plugins from https://www.configserver.com/. I will go into the actual ones I use, and their configuration and set-up, a bit later.
- You then need to spread the email addresses around. The only way to do that is to post them on forums, Twitter, Facebook etc., where the spammers and scammers use automatic scraping tools to look for email addresses. Make the forum posts realistic so you don't get deleted or treated as a spammer. Quite often a post like “This is a honeypot spam testing email address email@example.com or firstname.lastname@example.org”, as well as common names like email@example.com or firstname.lastname@example.org, will work well. Also sign up to as many special offers, mailing lists, survey companies etc. as you can. Use an individual email address to sign up for each list; that way you can see where the best results come from.
- First, set the default (catch-all) email address for the domain, so that mail to any address on the domain that has no explicit mailbox is forwarded to that default address. In cPanel this is easy to do. That way all your spam ends up in one mailbox and you have unlimited email addresses to scatter without creating an individual mailbox for each one.
- Set up your mail scanner. As I said earlier, I use the set of tools from https://www.configserver.com/: their complete set, including the firewall, exploit scanner and file-explorer interface. For the email scanning I use ConfigServer MailScanner Front-End for cPanel. Set spam levels, quarantine levels, virus scanning etc. appropriately for your needs. Remember that the default MailScanner configuration is designed to block spam and malware, not to keep it, so work through the settings and the instructions on the ConfigServer pages and set it for your requirements.
- In the Exim (or other mail server) configuration, make sure Sender Verification and Sender Verification Callouts are disabled, and that rejecting DKIM and SPF failures is turned off (otherwise too much spam and malware will be rejected before it ever reaches the trap).
- Make sure your mail server is secure: it must not be usable as an open relay, and no mailbox may have a simple, easily guessed password, or the criminals will take over your server and send spam through it. Loosening the checks in the previous step only changes what you accept for your own domains; relay restrictions and authentication must stay in place.
Sit back and wait for the spam and malware to arrive, then collect the copies and samples you need to do your job.
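Once messages start landing in the catch-all mailbox you still have to turn each one into something submittable: the attachment and its hash, the links in the body, the IP that actually delivered it, and which of your scattered addresses was harvested. The script below is an added example written for this post; it is not code from the original article or from ConfigServer. It assumes you have downloaded a quarantined message as a raw .eml file from the mail scanner front-end; the message it parses is constructed inline (the hostnames, addresses and IP are placeholders), and the list of "risky" extensions is a hypothetical starter list you would extend.

```python
"""Triage one message captured by the catch-all honeypot mailbox.

Added example, not from the original post. Assumes the message was saved
as a raw RFC 5322 .eml; the sample below is constructed so it runs offline.
"""
import email
import hashlib
import re
from email import policy
from typing import Optional

# Constructed sample: an "overdue invoice" lure carrying a ZIP stub and a link.
# The top Received: header is the one *our* Exim added, so the IP in it is the
# real connecting host; anything lower down, or in From:, the sender controls.
SAMPLE_EML = b"""Received: from mail.example.net ([198.51.100.23])
\tby honeypot.example.co.uk with esmtp (Exim 4.96)
\tid 1abcde-000123-AB; Mon, 01 Jan 2024 10:00:00 +0000
From: "Accounts" <accounts@example.net>
To: list-survey-17@example.co.uk
Subject: Invoice 4471 overdue
Date: Mon, 01 Jan 2024 09:59:58 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or view it online at
http://198.51.100.23/inv/4471.php?id=abc
--b1
Content-Type: application/zip; name="invoice_4471.zip"
Content-Disposition: attachment; filename="invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hypothetical starter list of extensions worth a closer look; extend as needed.
RISKY_EXT = {"zip", "rar", "7z", "iso", "img", "js", "vbs", "hta", "scr", "exe",
             "docm", "xlsm", "html", "htm", "lnk"}


def parse_eml(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def sending_ip(msg) -> Optional[str]:
    """IP of the host that handed the message to our server (top Received:)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(str(received[0]))
    return m.group(1) if m else None


def seed_address(msg) -> str:
    """Which scattered address was harvested: tells you which seeding worked."""
    return str(msg.get("To", "")).strip()


def extract_urls(msg):
    """Links in text/* body parts, de-duplicated, in order of appearance."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for url in URL_RE.findall(part.get_content()):
            if url not in found:
                found.append(url)
    return found


def extract_attachments(msg):
    """Decoded attachments with SHA-256 for submission and de-duplication."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        out.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": data[:4],            # compare against the claimed type
            "risky_type": ext in RISKY_EXT,
        })
    return out


def triage(raw: bytes) -> dict:
    msg = parse_eml(raw)
    return {
        "sending_ip": sending_ip(msg),
        "seed_address": seed_address(msg),
        "subject": str(msg.get("Subject", "")),
        "urls": extract_urls(msg),
        "attachments": extract_attachments(msg),
    }


if __name__ == "__main__":
    import json
    report = triage(SAMPLE_EML)
    for a in report["attachments"]:
        a["magic"] = a["magic"].hex()     # bytes are not JSON serialisable
    print(json.dumps(report, indent=2))
```

Run it over a real .eml by replacing SAMPLE_EML with the file's bytes. The sending IP is taken only from the first Received header because that is the one your own server wrote; the seed address is what lets you rank forums, sign-up lists and survey sites by how quickly their addresses get abused.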