Hunnypot v0.6b
Copyright 2004 Jeremy Kister
http://jeremy.kister.net/code/perl/hunnypot/

Hunnypot is an SMTP server-like program that harvests information about machines on the Internet that are sending spam and/or worms.

Hunnypot may be copied and distributed under the terms found in the Perl "Artistic License". A copy of this license may be found in the standard Perl distribution, or in the file "Artistic".

Please report all bugs to: hunnypot-devel @t jeremykister.com.

Hunnypot can be used to gather spammer information in three ways:

1. Set the only MX record of domain(s) that get *no* legitimate email to your Hunnypot server.
2. Set the backup (furthest distance) MX record of any domain(s) to your Hunnypot server.
3. Put Hunnypot on the same IP address as the address record of your domain (assuming none of your MX records go there).

Hunnypot must be started as root in order to set up the listening socket on port 25, but it immediately drops special privileges and runs as user 'nobody'. It will accept up to 20 concurrent connections, and will only let any particular IP address make 3 concurrent connections. Each connection has a 30 second idle timeout. Connections will be closed on clients who send more than 1024 bytes of data (this is very high, considering the 451 error after DATA).

Hunnypot makes a best effort to ensure that the primary MXs of a domain being fed into the honey pot are live. If they are not live, Hunnypot assumes a real outage, and will not record any information regarding incoming connections. Hunnypot caches the status of primary MXs for 399 seconds.

Hunnypot will start populating your database with IP addresses of servers that are behaving incorrectly - that is:

A. Servers that are sending mail to domains that shouldn't be receiving mail.
B. Servers that are sending to your backup MXs instead of your primary MXs (a current fad with spammers, in the hope of avoiding spam detection software on machines assumed to be less powerful).
C. Servers that are sending to your domain's address record (another spammer fad, in hopes of a configuration error).

You can extract and utilize the information in the database however you wish, such as serving your own RBL, denying the connection via tcpserver's cdb (for qmail), or denying the connection in sendmail's cf. Future versions of Hunnypot will come with several tools to do some of these things.
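
The primary-MX liveness rule described above, sketched in Python as an added example (this is not Hunnypot's own Perl code). The class name, the probe callable, treating a failed probe as an outage, and the sample addresses are assumptions; only the 399 second cache lifetime comes from this README.

```python
import time

MX_CACHE_TTL = 399  # seconds; the cache lifetime stated in the README


class PrimaryMxCache:
    """Remembers per domain whether the primary MXs answered, for `ttl` seconds."""

    def __init__(self, probe, ttl=MX_CACHE_TTL):
        self.probe = probe      # assumed callable: domain -> True if primaries are live
        self.ttl = ttl
        self.entries = {}       # domain -> (checked_at, live)
        self.probe_count = 0

    def primaries_live(self, domain, now=None):
        now = time.monotonic() if now is None else now
        domain = domain.lower().rstrip(".")
        hit = self.entries.get(domain)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]       # fresh entry: answer without touching the network
        self.probe_count += 1
        try:
            live = bool(self.probe(domain))
        except OSError:
            live = False        # assumption: a failed probe counts as an outage
        self.entries[domain] = (now, live)
        return live


def demo():
    # Constructed scenario: the primaries of example.org are down for t in [100, 700).
    outage = range(100, 700)
    clock = {"t": 0}
    cache = PrimaryMxCache(lambda domain: clock["t"] not in outage)
    recorded = []
    for t, client_ip in [(0, "192.0.2.10"), (100, "192.0.2.11"), (399, "192.0.2.12"),
                         (500, "192.0.2.13"), (798, "192.0.2.14")]:
        clock["t"] = t
        # Record the client only while the primaries are believed to be live.
        if cache.primaries_live("example.org", now=t):
            recorded.append(client_ip)
    return recorded, cache.probe_count


if __name__ == "__main__":
    print(demo())
```

In the constructed run, 192.0.2.11 is still recorded at t=100 because the cached "live" answer from t=0 has not expired. In this sketch, a sender falling back to the backup MX during the first 399 seconds of a real outage can therefore still be listed, which is worth remembering before feeding the database into a blocklist.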