Integrating the DCC into a honeypot?

Vernon Schryver vjs@calcite.rhyolite.com
Wed May 22 14:41:44 UTC 2002


> From: Ken Herron <kjh-4275@attbi.com>

> I set up my home system as a honeypot a while back,

I trust you don't actually relay any spam.

>                                                     and some spammers 
> finally discovered it.  For the past few days I've had a couple of 
> spammers submitting messages to my "open" relay. Now I'm looking for some 
> advice on the simplest way to report these messages to the DCC.
>
> My first thought was milter, but that doesn't seem to pan out. I'm doing 
> this on Red Hat Linux v7.2, using the sendmail 8.11.6 they supply. 
> Apparently this version doesn't include the milter feature. 

8.11.6 had milter, but you had to compile it into sendmail and build
the libmilter.a.  The DCC installation instructions say how to do that.
It's basically a matter of adding two lines to your site.config.m4
file, running `sh Build` in the libmilter directory, and running `sh
Build` in the sendmail directory.  See the sample misc/site.config.m4
in the DCC source.  If I were doing it, I'd fetch the current sendmail
source from http://www.sendmail.org/8.12.3.html, if only because I
think SMTP-TLS is a Good Thing(tm) that wrecks interception proxies.

>                                                             Further, I 
> didn't see a dccm feature like dccproc's "-t many" feature to explicitly 
> report something as spam.

The -R option of the misc/hackmc script in the DCC source works for me.

> This leaves me with the spool files that sendmail creates to store each 
> message. I'm thinking of scripting something to check the spool every so 
> often and feed new messages into dccproc. Can I just feed the body of a 
> message directly into dccproc, or would it be necessary to reconstruct 
> the message headers as well?

You only need to fake a single header so that dccproc knows it is being
given a mail message.
Thus, something like this should work:

  (echo "From: nobody"; echo; cat /var/spool/mqueue/D.whatever) | dccproc 

Still, I think the misc/hackmc mechanism is quicker and easier.
It would also let you use the DCC to at least mark other spam.


Vernon Schryver    vjs@rhyolite.com
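The spool-polling approach Ken describes and the fake-header trick Vernon gives above, as an added POSIX shell example (not from the original post or the DCC distribution): each sendmail body file (D.*) in the queue directory is prefixed with one fake header and piped to `dccproc -t many`, with a state file so a message is reported only once. The queue directory, state file path and reporter command are parameters; the defaults are assumptions about a typical setup.

```shell
#!/bin/sh
# build_message FILE: print a minimal message (one fake header, blank
# line, then the stored body) so dccproc recognises it as mail.
build_message() {
    printf 'From: nobody\n\n'
    cat "$1"
}

# report_new_bodies QUEUE_DIR STATE_FILE [REPORTER...]
# Feeds every D.* body in QUEUE_DIR that is not yet listed in STATE_FILE
# to REPORTER (default: dccproc -t many, i.e. "report as spam"), records
# each successfully reported filename in STATE_FILE, and prints the
# number of files reported this run. REPORTER's own output (dccproc
# echoes the message with an X-DCC header) is discarded.
report_new_bodies() {
    queue="$1"; state="$2"; shift 2
    [ $# -gt 0 ] || set -- dccproc -t many
    touch "$state"
    count=0
    for body in "$queue"/D.*; do
        [ -f "$body" ] || continue          # no D.* files: glob stays literal
        name=$(basename "$body")
        if grep -qxF "$name" "$state"; then
            continue                         # already reported on an earlier run
        fi
        if build_message "$body" | "$@" >/dev/null; then
            echo "$name" >> "$state"
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

A cron entry such as `report_new_bodies /var/spool/mqueue /var/lib/honeypot-dcc.state` (paths assumed) would do the periodic scan Ken has in mind.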
