Index of /code/perl/hunnypot-0.6b

Name                   Last modified       Size  Description
Parent Directory       01-May-2008 09:20      -
Artistic               25-Aug-2004 04:55     6k
BUGS                   29-Aug-2004 20:46     1k
ChangeLog              27-Aug-2004 18:18     1k
INSTALL                28-Aug-2004 01:38     2k
contrib/               26-Aug-2004 23:05      -
hunnypot-current.tgz   29-Aug-2004 20:47    10k  GZIP compressed tar archive
hunnypot.pl            27-Aug-2004 02:30     9k

Hunnypot v0.6b
Copyright 2004 Jeremy Kister
http://jeremy.kister.net/code/perl/hunnypot/

Hunnypot is an SMTP server-like program that harvests information
about machines on the Internet that are sending spam and/or worms.

Hunnypot may be copied and distributed under the terms found in the
Perl "Artistic License". A copy of this license may be found in the
standard Perl distribution, or in the file "Artistic".

Please report all bugs to: hunnypot-devel @t jeremykister.com.

Hunnypot can be used to gather spammer information in three ways:
1. Set the only MX record of domain(s) that get *no* legitimate email
to your Hunnypot server.
2. Set the backup (furthest distance) MX record of any domain(s) to
your Hunnypot server.
3. Put Hunnypot on the same IP address as the address record of your
domain (assuming none of your MX records point there).

Hunnypot must be started as root in order to set up the listening
socket on port 25, but immediately drops special privileges and runs
as user 'nobody'. It will accept up to 20 concurrent connections, and
will only let any particular IP address make 3 concurrent connections.
Each connection has a 30 second idle timeout. Connections will be
closed on clients who send more than 1024 bytes of data (a generous
limit, since Hunnypot answers DATA with a 451 error and therefore
never accepts a message body).

Hunnypot makes a best effort to ensure that the primary MXs of a domain
being fed into the honeypot are live. If they are not live, Hunnypot
assumes a real outage and will not record any information about the
incoming connections. Hunnypot caches the status of the primary MXs for
399 seconds.
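The two paragraphs above describe a policy (connection caps, idle timeout, byte limit, and a primary-MX liveness check cached for 399 seconds) rather than code. The following is an added example, not code from hunnypot.pl or from the Hunnypot project: it restates that policy as plain Python so the decision logic can be exercised offline. The class names, the DOMAIN_MODE table, the A/B/C reason codes taken from the list below, and the `probe` callback (which in a real deployment would connect to each primary MX on port 25) are assumptions; so is the choice to skip the liveness check for a domain whose only MX is the honeypot, since it has no primary MX to probe.

```python
"""Added example, not code from hunnypot.pl: the admission and recording policy
the README describes, written as plain Python so it runs offline.  Class names,
DOMAIN_MODE and the probe callback are assumptions, not Hunnypot's interface."""
import time
from collections import defaultdict

MAX_CONNECTIONS = 20    # concurrent connections accepted in total
MAX_PER_IP = 3          # concurrent connections allowed per client IP
IDLE_TIMEOUT = 30.0     # seconds of silence before a connection is dropped
MAX_BYTES = 1024        # bytes a client may send before it is disconnected
MX_CACHE_TTL = 399.0    # seconds a primary-MX liveness result is trusted


class ConnectionGate:
    """Enforces the per-IP and global caps, the byte limit and the idle timeout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can fake time
        self.per_ip = defaultdict(int)      # ip -> open connections from it
        self.conns = {}                     # conn_id -> {"ip", "bytes", "last"}

    def admit(self, ip, conn_id):
        """Register the connection and return True if both caps allow it."""
        if len(self.conns) >= MAX_CONNECTIONS or self.per_ip[ip] >= MAX_PER_IP:
            return False
        self.conns[conn_id] = {"ip": ip, "bytes": 0, "last": self.clock()}
        self.per_ip[ip] += 1
        return True

    def receive(self, conn_id, data):
        """Account for received bytes; False means the client passed MAX_BYTES.
        The limit is generous: DATA is answered with 451, so a well-behaved
        client never sends a message body at all."""
        c = self.conns[conn_id]
        c["bytes"] += len(data)
        c["last"] = self.clock()
        return c["bytes"] <= MAX_BYTES

    def idle(self, conn_id):
        """True once the connection has been silent longer than IDLE_TIMEOUT."""
        return self.clock() - self.conns[conn_id]["last"] > IDLE_TIMEOUT

    def close(self, conn_id):
        c = self.conns.pop(conn_id)
        self.per_ip[c["ip"]] -= 1


class MxLivenessCache:
    """Remembers whether a domain's primary MXs answered, for MX_CACHE_TTL seconds."""

    def __init__(self, probe, ttl=MX_CACHE_TTL, clock=time.monotonic):
        self.probe = probe      # callable(domain) -> bool; hypothetical, e.g. TCP/25 connect
        self.ttl = ttl
        self.clock = clock
        self.cache = {}         # domain -> (is_live, expires_at)

    def primary_mx_live(self, domain):
        now = self.clock()
        hit = self.cache.get(domain)
        if hit is not None and now < hit[1]:
            return hit[0]                       # fresh cached answer, no probe
        result = bool(self.probe(domain))
        self.cache[domain] = (result, now + self.ttl)
        return result


# Constructed sample configuration: one domain per deployment way from the README.
DOMAIN_MODE = {
    "spamtrap.example": "no-mail",          # way 1: Hunnypot is the only MX
    "example.com": "backup-mx",             # way 2: Hunnypot is the furthest MX
    "www.example.net": "address-record",    # way 3: Hunnypot sits on the A record
}
# Reason codes mirror the README's list of misbehaving-server categories.
REASON = {"no-mail": "A", "backup-mx": "B", "address-record": "C"}


def should_record(domain, mx_cache):
    """Return the reason code to store for a connection to `domain`, or None
    when nothing should be recorded (unknown domain, or primary MXs down)."""
    mode = DOMAIN_MODE.get(domain)
    if mode is None:
        return None
    # A no-mail domain has no primary MX other than us, so there is nothing to
    # probe (assumption); for the other modes a dead primary MX means a real
    # outage, and legitimate senders may land here, so record nothing.
    if mode != "no-mail" and not mx_cache.primary_mx_live(domain):
        return None
    return REASON[mode]


if __name__ == "__main__":
    # Offline demo with a fake probe: only example.com's primaries are "up".
    cache = MxLivenessCache(lambda d: d == "example.com")
    for d in DOMAIN_MODE:
        print(d, "->", should_record(d, cache))
```

The probe is deliberately injected rather than implemented, so the caching and the "assume a real outage" rule can be tested without touching the network; a deployment would supply a function that tries each primary MX on port 25 with a short timeout.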

Hunnypot will start populating your database with the IP addresses of
servers that are behaving incorrectly, that is:
A. Servers that are sending mail to domains that shouldn't be
receiving mail.
B. Servers that are sending to your backup MXs instead of your primary
MXs (a current fad with spammers, in the hope of avoiding spam
detection software on the assumed less powerful machines).
C. Servers that are sending to your domain's address record (another
spammer fad, in the hope of finding a configuration error).

You can extract and utilize the information in the database however
you wish, such as serving your own RBL, denying the connection via
tcpserver's cdb (for qmail), or denying the connection in sendmail's
cf. Future versions of Hunnypot will come with several tools to do
some of these things.