Honeypot
Description

The Doorman Honeypot module is an attempt to create a tailored blacklist for your particular mail traffic. All you need is anything from a single mail address up to multiple wildcard recipient domains, which you spread around the interwebs to be harvested by as many SPAM harvest bots as possible. Of course, those addresses should not be for "real" usage; they have to be dedicated to SPAM collecting. The idea is: anybody sending an email to those addresses has to be a spammer. Therefore, you can blacklist the sender's IP and/or receive the mails and feed them to your SPAM filters. The great thing about it: it works automatically.
Wikipedia defines a honeypot as: [..]a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems[..].
Collecting SPAM for training
You can use this module in "collection mode", which will flag and pass (OK) any mail which would otherwise be rejected (and the sender blacklisted). In the Detective server, you can use the HoneyCollector module to grep those flagged mails and move them into a honey-directory (for manual training) or even enable the automatic training.
Usage suggestion
Behind your whitelist and blacklist, before your greylist.
Configuration
addresses
Allowed values: Arrayref [ 'address@domain.tld', 'otheraddress@domain.tld' ]
Default: empty
List of honeypot addresses.
domains
Allowed values: Arrayref [ 'domain1.tld', 'domain2.tld' ]
Default: empty
List of honeypot domains. All mails sent to those domains are considered SPAM, but you can define exceptions. See the example below.
reject_message
Allowed values: String
Default: "Your host ip is blacklisted"
Message which will be issued when a mail is already on the honeypot blacklist. Disabled if you use pass_for_collection.
welcome_message
Allowed values: String
Default: "The honey has been served"
Reject message, which will be issued if a new IP is welcomed on the honeypot blacklist. Disabled if you use pass_for_collection.
pass_for_collection
Allowed values: Bool
Default: 0
If enabled: Do not reject honeypot mails, but flag them so that they can be collected via the Detective's HoneyCollector module.
Example
    ---
    disable: 0
    pass_for_collection: 1
    maintenance_ttl: 14d
    addresses:
        - some@address.tld
        - another@domain.tld
    domains:
        - spamlover.tld
        -
            domain: somedomain.tld
            exceptions:
                - realuser
                - anotheremail
Maintenance
This module provides a maintenance handler which will clean up the database. Read here.
Database
This module requires a database. Depending on the performance of your database, you should consider swapping the entries to a DNS server (such as bind9) on a regular basis and/or reducing the time to live (ttl) for the records. Depending on your mail traffic, it could imply a high r/w impact. Here is an SQLite example:
    -- TABLE: honeypot_addresses (SQLITE):
    CREATE TABLE HONEYPOT_ADDRESSES (
        created integer,
        client_address varchar(39),
        id INTEGER PRIMARY KEY
    );
    CREATE INDEX HONEYPOT_ADDRESSES_CREATED ON HONEYPOT_ADDRESSES (created);
    CREATE UNIQUE INDEX HONEYPOT_ADDRESSES_CLIENT_ADDRESS ON HONEYPOT_ADDRESSES (client_address);
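The following Python sketch is an added example, not the module's own code. It models how the configuration example and the SQLite schema above fit together when a mail arrives. Assumptions: the function names, the check order, case-insensitive matching, exceptions being local parts of the domain, the flag name "honeypot", and that collection mode still records the client IP.

```python
import sqlite3
import time

# Constructed config mirroring the page's YAML example, with the documented default messages.
CONFIG = {
    "pass_for_collection": 0,
    "addresses": ["some@address.tld", "another@domain.tld"],
    "domains": ["spamlover.tld",
                {"domain": "somedomain.tld", "exceptions": ["realuser", "anotheremail"]}],
    "reject_message": "Your host ip is blacklisted",
    "welcome_message": "The honey has been served",
}

def open_db():
    db = sqlite3.connect(":memory:")  # schema copied from the Database section
    db.executescript("""
        CREATE TABLE HONEYPOT_ADDRESSES (created integer,
            client_address varchar(39), id INTEGER PRIMARY KEY);
        CREATE INDEX HONEYPOT_ADDRESSES_CREATED ON HONEYPOT_ADDRESSES (created);
        CREATE UNIQUE INDEX HONEYPOT_ADDRESSES_CLIENT_ADDRESS
            ON HONEYPOT_ADDRESSES (client_address);
    """)
    return db

def is_honeypot(recipient, config):
    """True for a listed address or a honeypot domain (exceptions assumed to be local parts)."""
    recipient = recipient.strip().lower()
    local, sep, domain = recipient.rpartition("@")
    if recipient in (a.lower() for a in config["addresses"]):
        return True
    for entry in config["domains"]:
        if isinstance(entry, str):
            entry = {"domain": entry}
        if sep and domain == entry["domain"].lower():
            return local not in (e.lower() for e in entry.get("exceptions", []))
    return False

def check(db, client_ip, recipient, config, now=None):
    """Return (action, detail) for one recipient; records new honeypot senders."""
    known = db.execute("SELECT 1 FROM HONEYPOT_ADDRESSES WHERE client_address = ?",
                       (client_ip,)).fetchone() is not None
    hit = is_honeypot(recipient, config)
    if not (known or hit):
        return ("OK", None)
    if hit and not known:  # unique index on client_address keeps this idempotent
        db.execute("INSERT OR IGNORE INTO HONEYPOT_ADDRESSES (created, client_address)"
                   " VALUES (?, ?)", (int(now or time.time()), client_ip))
    if config["pass_for_collection"]:
        return ("OK", "honeypot")  # hypothetical flag name for the collector
    return ("REJECT", config["reject_message" if known else "welcome_message"])
```

Once an IP has hit a honeypot address, its mail to an excepted mailbox such as realuser@somedomain.tld is rejected too, which is why the exceptions list and the record ttl deserve care.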
Performance
Depends on the speed and size of your database, but normally rather fast.