Peacham Spam Trap

Version 2.0

The Peacham Spam Trap is a platform-independent tool which allows mail server owners to compile and use their own DNS-based Real-Time Blacklist driven by spam arriving in a "honey-pot" account known only to spammers. It is only of use to organizations which have their own mail servers. Users who download their mail from somebody else's server will not be able to implement it. If you are a domain owner who wants to start running a mail sever, one of the best can be found at http://www.desknow.com.

Overview

The flow of data in using the spam trap is as follows:

1. Messages arrive at the mail server for the domain.
2. Before accepting the mail, the server uses the Domain Name Server to check one or more blacklists. If the sender is blacklisted, the mail is not accepted,
3. The server stores the messages in inboxes for each user.
4. Users read their mail using client programs such as Outlook, Thunderbird, or Eudora.
5. The administrator publishes an e-mail address for a fictitious user on various bulletin boards or web pages.
6. The Spam Trap periodically examines the contents of the inbox for that user. The assumption is that only spam will arrive there.
7. The Spam Trap updates the blacklist information in the local DNS, blocking the spammer

The Mail Server

Your mail server will need to support two standard facilities: POP3 and blacklists. POP3 is the Post Office Protocol used to read the contents of an inbox, and blacklisting is the ability to check the senders address against lists of known spammers. If you have not yet configured your blacklists, go to DNS Stuff DNS tools, DNS hosting tests, WHOIS, traceroute, ping, and other network and domain name tools. This site will help you pick blacklists.

Your mail server should be able to log incoming connections, but you might have to turn the log on. This log will show you if there are any addresses that do not exist, but still get spam sent to them. This would be an excellent candidate for a "honey pot", a tempting target for spammers. If you have multiple such addresses, make them aliases of the same mailbox. The idea is to have a single mailbox on the system that receives as much spam as possible, but only spam.

The Domain Name Server

This server is not too well known. Its function is deceptiveley simple: It translates symbolic addresses such as www.mydomain.com to a numeric address such as 64.129.199.48 which can be used to route data across the Internet. This simple description does not tell you that it is tapping in to a widely distributed, multiply-redundant database of millions of records. For each domain, there are a few servers that are "Authoritative" which means that they provide the only true translation of the domain name. Other servers can copy those records, but each one has a "Time-to-Live" value. When the time expires, the record must be refreshed from an authoritative source.

The DNS system handles many kinds of records. Only a few are of interest here:

• A - The address record gives the numeric address of a domain (or sub-domain)
• MX - The Mail Exchanger record gives the name of the mail server for a domain.
• TXT - A text record with information about a domain.

One other point of interest is how reverse lookup (going from an IP address to a name) is done. By convention a special domain, in-addr.arpa, is used for reverse lookup. To lookup the name of 64.129.199.48, you would ask for the PTR record for domain "48.199.129.64.in-addr.arpa", and it would contain the symbolic name. A similar scheme is used to implement blacklists.

If you are not currently running a DNS, you will need to get one up and running in order to implement the Spam Trap, Having one will also speed up most of your lookups associated with web browsing, mail processing, or other Internet activities. Linux systems come with BIND9, which is the reference implementation of the DNS. There is an excellent version of BIND9 available for Windows, called TreeWalk DNS, available from http://www.ntcanuck.com. It is easy to install and has a good configuration wizard.

Installing the Peacham Spam Trap

Before installing the Spam Trap, it is necessary to have your trap e-mail account configured on the mail server and to have your DNS server up and running. Then perform the following steps:

1. Configuring the DNS
2. Verifying the Mail Server configuration.
3. Configuring the Spam Trap

Operating the Spam Trap

The Spam Trap has two operations that it performs: reading mail, and updating the data base.

Manual Operation

Whenever you feel like it you can perform a manual update cycle as follows:

1. Select File/Read Mail. This will check for new mail and add it to the database.
2. Review the results by selecting View/Data. Clicking on the date column header will resort the entries by date, so you can identify the most recent. If there is an e-mail from a legitimate sender, you can check "Ignore" to avoid blacklisting it. Rows highlighted in yellow are items that are currently in the DNS.
3. Select File/Update DNS to create DNS records and update your blacklist.
4. After you have been operating for a while, some of your public blacklists will have learned about some of the addresses that you are blocking. Select File/Check other DNSBLs to stop blocking addresses that are already blocked by one of them.

Automatic Operation

Automatic repetition of Read Mail followed by Update DNS can be specified by entering a non-zero value for "Update every n minutes" on the Mail tab of the configuration dialog. The main panel will show the results of each cycle. Checking other DNSBLs can also be automated. see the Defer tab.

Reviewing the status

Selecting View/Data will bring up the database display:

The rows highlighted in yellow are the entries currently being blocked by the DNS. Rows highlighted in red are entries created to represent groups of 256 addresses all being blocked. The columns are:

• Ignore - Check this box to ignore this entry and let messages from the IP address through.
• Force - Check this box to block the IP even if the threshold has not been reached.
• IP - The address of the spammer.
• Name - The most recent name of the sending server as shown in the message headers.
• Date - When the most recent item was received.
• Country - The most likely country where the ISP of the spammer is based.
• Count - How many have been received from this address. Note: If the count says "Block", this is a group entry. The IP address will end in zero, and it will blacklist a block of 256 addresses. The individual addresses will not be loaded into the DNS, only the group address. A group entry is created when the number of different spamming addresses in the block exceeds the group threshold.
• Reason - A summary of the most recent spam received from the address.

Any change in Ignore or Force will take effect the next time that the DNS is updated, either manually or automatically.

Manual Data Entry

Even with widespread dissemination, your Spam Trap address will not be known to every spammer in the world. Some spam will still get to you, that wasn't sent to him. You can't just forward it, because that will get you (as the sender) blacklisted on your own system, an undesirable outcome. This is where manual data entry comes in. It operates as follows:

1. Use "Options" or some other function of your e-mail client to display the message headers.
2. Copy them to the clipboard.
3. Use Edit/Paste to enter them into the database.

But Wait! Before you do that make sure that the spam came to you directly from a spammer as opposed to being forwarded from a mailing list or by your brother-in-law. You don't want to block the mailing list, and you have no control over what the mailing list forwards. You might suggest the Peacham Spam Trap to the mailing list owner. Go ahead and block your brother-in-law, if you want to.

Logging

The Peacham Spam Trap will log any errors in the logs folder. You can also log actions taken by starting the Spam Trap with a parameter of "tracelevel=config". In Windows this is done by creating a shortcut to the JAR file and editing the target to read: "C:\WINDOWS\system32\javaw.exe -jar spamtrap.jar tracelevel=config".

License

This work is licensed under the Creative Commons Attribution-No Derivative Works 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
 

Credits

Peacham Spam Trap is implemented using Java from SUN Microsystems. Java level 1.5 or above is required.

Access to the Inbox is via the JavaMail API.

Access to the DNS is using DNSJava.

Reading and writing of the database is done using CsvReader.

This application uses the IP-to-Country Database  provided by WebHosting.Info (http://www.webhosting.info), available from http://ip-to-country.webhosting.info."

Comments and questions to the author, Fritz Schneider