
lecture: The Digital Cockroach Bait Station

How to Build Spam Honeypots


Spam honeypots are an excellent way to gather malware binaries as well as the malicious URLs that attackers use to infect their targets. Many malware campaigns are shotgun blasts of email sent to very large numbers of addresses. If you can get your bait address onto their list, they essentially send you a copy of the malware or of the URL that leads to it. This talk will cover how to set up a spam honeypot for gathering these types of threats. It will also cover how to efficiently sort through the incoming data, which data points are valuable to include in your analysis, and finally how and where to share the threat data you are gathering. The goal is to give attendees the tools they need to protect themselves from emerging threats as they appear in the wild.

Detailed Outline

Who am I?
What is a spam honeypot?
What type of data are we looking for?
Header Fields
Which header fields and why?
Some header fields are more valuable in an analysis than others.
The time zone associated with the date can be used to determine the geographical location of the sending mail server, bot, or compromised website.
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) can both be used to determine whether the message has been spoofed or whether it was sent using a compromised legitimate email account.
Side note on DMARC and getting more data about your adversary.
HELO/EHLO connection string can be used to identify some botnets.
X-Mailer can be used either to identify a botnet or to track down a PHP mailer located on a compromised website.
The basics: From, Subject, Reply-to, Return-path, and the envelope sender.
Generating a headhash using a specific set of header fields.
Headhash is similar to a piecewise hash or an import hash used in binary analysis. It can be used to determine how similar or different an email is from a known malicious email.
Many botnets change portions of the header fields while keeping other portions static. A headhash is able to determine related campaigns during automated analysis.
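An added example (not the speaker's code) of the headhash idea in Python: the exact header field set is left to the analyst in the talk, so the set below (header-name order, X-Mailer, MIME-Version, Content-Type with the random boundary stripped, and the Date time zone offset) is an assumption, and the three sample messages are constructed, not real spam.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Fields whose normalized VALUES feed the hash. Assumed set: the talk leaves the
# exact field list to the analyst. From/Subject/Message-ID rotate per message in
# most campaigns, so they are deliberately excluded.
VALUE_FIELDS = ("X-Mailer", "MIME-Version", "Content-Type")

def normalize(name, value):
    """Collapse whitespace, lowercase, and strip per-message randomness."""
    value = " ".join(value.split()).lower()
    if name == "content-type":
        # MIME boundaries are random per message; replace them with a constant
        value = re.sub(r'boundary="?[^";]+"?', "boundary=*", value)
    return value

def headhash(raw_message):
    """Campaign fingerprint: header-name sequence + static values + Date tz offset."""
    msg = message_from_string(raw_message)
    parts = ["|".join(k.lower() for k in msg.keys())]   # which headers, in what order
    for field in VALUE_FIELDS:
        parts.append(f"{field.lower()}={normalize(field.lower(), msg.get(field, ''))}")
    tz = "none"
    try:
        dt = parsedate_to_datetime(msg.get("Date", ""))
        if dt is not None and dt.tzinfo is not None:
            tz = dt.strftime("%z")                      # e.g. "+0300"
    except (TypeError, ValueError):
        pass
    parts.append(f"tz={tz}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

# Constructed sample messages (not real spam). A and B rotate sender, subject,
# Message-ID and boundary but share mailer and time zone; C is a different kit.
TEMPLATE = ("From: {frm}\nTo: bait-01@example.org\nSubject: {subj}\n"
            "Date: {date}\nMessage-ID: <{mid}@mail.example.net>\n"
            "X-Mailer: {mailer}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="{bnd}"\n\nbody\n')
MSG_A = TEMPLATE.format(frm="billing@example.net", subj="Invoice 48213 overdue",
                        date="Tue, 08 Sep 2015 10:14:22 +0300", mid="a8f1c0",
                        mailer="Microsoft Office Outlook 12.0", bnd="----=_A1B2C3")
MSG_B = TEMPLATE.format(frm="accounts@example.com", subj="Your order #77120",
                        date="Wed, 09 Sep 2015 03:02:51 +0300", mid="77e0d9",
                        mailer="Microsoft Office Outlook 12.0", bnd="----=_D4E5F6")
MSG_C = TEMPLATE.format(frm="noreply@example.org", subj="Invoice 48213 overdue",
                        date="Tue, 08 Sep 2015 02:14:22 -0500", mid="c3b2a1",
                        mailer="PHPMailer 5.2.9", bnd="----=_A1B2C3")
```

Messages A and B hash identically despite different senders, subjects and boundaries, while C (different mailer and time zone) hashes differently, which is what lets an automated pipeline group incoming bait mail into campaigns.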
URLs & Attachments
Malicious URLs and attachments can be extracted from the email and further analyzed.
MTA Installation and Configuration
Accepting email from any domain and any username.
Many mail servers are available to serve the role of spam honeypot. The example covered here uses Sendmail, which is included in the base FreeBSD OS. Very little extra configuration is needed to set this up as a spam honeypot.
Python parsing scripts and Sendmail milters.
Sendmail’s built-in milter capability allows third party software, such as spam honeypot processing scripts, direct access to the email as the MTA is processing it. This is where the interface between the back end processing system and the MTA is located.
DNS/MX Configuration
It is important to remember to include secondary and tertiary MX records for all domains pointing at the honeypot. This is due to spammer tactics of sending spam to backup MXs only in an effort to avoid spam filtration.
Seeding bait addresses in seedy locations.
LinkedIn is a spam multiplier.
Email address generation algorithms.
Giving friends and coworkers lists of bait addresses to seed for you.
Keeping track of where addresses were seeded.
Analyzing what you've captured.
Using ElasticSearch to make heads and tails of the data collected.
What to index?
Sorting through piles of data for what is valuable.
Tools for analyzing the URLs and binaries you have collected.
Sharing indicators and analysis.
Creating YARA and Snort signatures
Open threat intel platforms


Day: 2015-09-12
Start time: 16:45
Duration: 00:45
Room: Tesla


