Monday, October 30, 2006

decoy.pl - a decoy mail server

I've written a decoy mail server in Perl. It is a fully RFC 2821-compliant mail server. Except it doesn't do anything.

Well, it does do something. Basically, it is a decoy to catch the spammers who deliberately talk to the wrong MX server first, i.e. the lowest-priority one that a legitimate sender would only fall back to.

It works like this.

decoy.pl is attached to an inetd script.
spammer calls on port 25.
decoy.pl says 220 Hows it goin?
spammer says something
decoy.pl says 250 yeah sure whatever
repeat until spammer says "data" (i.e. the thing right before they send the message)
decoy.pl says 451 try again later.
spammer does some more stuff
decoy.pl says 250 yeah sure whatever
spammer gives up and says quit
decoy.pl says 221 don't be a stranger and then hangs up.


There: completely RFC 2821 compliant, yet it doesn't do anything. Responding 451 to the "data" command means that this mail server will not accept the message right now and the sender should try again later. When sendmail tries to deliver a message to a decoy mail server, it will keep retrying and eventually time out in the typical sendmail style (after 5 days).
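The same exchange as an added example, written in Python rather than the post's Perl (this is not decoy.pl itself): every command is answered 250, "data" gets a 451 temporary failure, "quit" gets a 221, and main() talks on stdin/stdout the way an inetd-launched service does. The banner hostname, the wording of the reply texts and the sample client lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Decoy SMTP responder in the spirit of decoy.pl (added example).
It is polite to every client but never accepts a message: DATA always
gets a 451 temporary failure, so a well-behaved MTA simply retries a
higher-priority MX, while a spammer that deliberately hit the
lowest-priority MX first gets nowhere."""
import sys

BANNER = "220 decoymx.example.com ESMTP decoy"   # hostname taken from the post's MX example
OK = "250 OK"
TEMPFAIL = "451 4.3.0 Requested action aborted: try again later"
BYE = "221 2.0.0 Bye"

# Constructed sample of what a bulk mailer typically sends (not captured traffic).
SAMPLE_CLIENT = ["EHLO spam.example", "MAIL FROM:<x@spam.example>",
                 "RCPT TO:<user@example.com>", "DATA", "RSET", "QUIT"]

def decoy_reply(line: str) -> str:
    """Reply to one SMTP command line; the verb is case-insensitive per RFC 2821."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "DATA":
        return TEMPFAIL          # refuse the message body, but only "temporarily"
    if verb == "QUIT":
        return BYE
    return OK                    # HELO/EHLO/MAIL/RCPT/RSET/NOOP/anything else: "yeah sure whatever"

def run_session(client_lines):
    """Simulate a whole session offline: returns the server's replies in order,
    starting with the banner and stopping after the 221 that answers QUIT."""
    replies = [BANNER]
    for line in client_lines:
        reply = decoy_reply(line)
        replies.append(reply)
        if reply == BYE:
            break
    return replies

def main():
    # inetd mode: the connected socket is our stdin/stdout; SMTP lines end in CRLF.
    out = sys.stdout
    out.write(BANNER + "\r\n"); out.flush()
    for raw in sys.stdin:
        reply = decoy_reply(raw)
        out.write(reply + "\r\n"); out.flush()
        if reply == BYE:
            break

if __name__ == "__main__":
    main()
```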

To use the decoy, set it up under inetd. Then advertise it via your DNS MX records. For example, the MX records for "example.com" would look like this:
> dig mx example.com

[snip]

;; ANSWER SECTION:
example.com. 86400 IN MX 20 mx1.example.com.
example.com. 86400 IN MX 20 mx2.example.com.
example.com. 86400 IN MX 20 mx3.example.com.
example.com. 86400 IN MX 40 mx4.example.com.
example.com. 86400 IN MX 99 decoymx.example.com.

[snip]

So, unless something is really wrong, a legitimate sender will never talk to "decoymx.example.com". Even when something is wrong, a proper mail server will just try again later.


On domains where we've installed this, we've seen lots of spammers talk to our decoy. And I'm finding that after spammers chat with the decoy, they tend not to chat with my other mail servers.

decoy.pl

-Jeff
