SMTarPit 0.6.0

SMTarPit is a chrooted SMTP honeypot and tarpit.

I wrote this program because I looked around the Internet for an SMTP Tarpit/Honeypot that was: written in Perl; and, was only an SMTP tarpit/honeypot - I couldnt find one.

SMTarPit is a combined SMTP honey 7187 7187pot and tarpit released under the GPL. It is writen in Perl so it should work on virtually any platform that supports Perl (except Windows). It uses xinetd which looks at port 25 (instructions in the tarball) and when someone calls it, smtarpit is launched and then it chroots itself. It then decides whether there is a man or a machine on the other end and sets about wasting their time.

There are plenty of instructions as to how to configure the program - if Perl is not your first language, you should still be able to see what to do. You will certainly need to put a valid domain name in there but it is all well laid out so that you can install it and run it as a part of xinetd.

If you are an ISP with a tarpitted connection, you can tell which one it is from the fact that the tarpitted connection has a paritcular profile of inactivity and persistancy that no normal SMTP connection has. With this in mind, you can look at your RADIUS logs and take action on the spammer - the one thing that you know from monitoring the connection is that there will be many mails to the same domain from the same source address and that none of them will be solicited as there is in reality nobody to solicit them.

Unsolicited bulk email equals spam and with the RADIUS logs, you can notify the authorities and have the spammer arrested and procecuted - or do nothing more than throw them off and let them spam another day. All spam connections are logged by the tarpit.

How does it work?

Every time an incoming call to port 25 happens, xinetd starts a copy of this server. It only has a small memory footprint and doesnt really consume much processor time.
When the server is started, it responds with the usual welcome message and then waits for the client to respond. When the client does respond, it looks at how long it took and tries to work out whether it is a man or machine at the other end (you can adjust this time in the program if you want).

If the server thinks that it is a machine at the other end, it goes into tarpit mode where everything takes a long time. In SMTP, the server response codes have a three figure number and if that is followed by a dash (-), the client has to wait until it receives one with a space after it. This can take an hour or so.

There are time-outs but you can make the response times all different to avoid profiling/finger-printing of the server - SMTarPit can do this automatically. While all of this is going on, the server is just sitting there, asleep. It doesnt take any significant processor time (arguably any at all) and only a few kB in memory. You can limit the number of concurrent servers with xinetd (explanation and example in the program file at the beginning) and impose any other limitations you want.

In other words, this server allows you to tarpit (stall) several spamming processes (up to the limit you define in the program and your xinetd configuration files) for hours at a time with only minor resource consumption on your part. You certainly wont see any bandwidth eaten away by it (50 Bytes per minute on average is typical).