Zombie SMTP: interrupt spammers


Intro

Zombie SMTP is a tool to help interrupt spammers' activity. It pretends to be an SMTP server, but all it really does is hold a connection open for 20 mins if the connection's source IP address is listed in one or more of the pre-defined RBLs. RBLs (Real-time Blackhole Lists) are databases of IP addresses of servers known for sending spam. The purpose is simply to waste spammers' time when they connect to Zombie SMTP to relay their spam. Any connection from a machine not listed in the RBLs is disconnected immediately; this prevents legitimate servers that for some reason connect to this SMTP server from tying up their own resources.

All Zombie SMTP needs is a server on which no MTA (Mail Transfer Agent) such as Sendmail is running. Zombie SMTP listens on port 25 (the default SMTP port) and will cause problems for any genuine MTA trying to use the same port.

How it works

Unbeknown to most people, there are e-mail address collecting agents automatically roaming the internet as we speak, searching the HTML code of every web page they come across for e-mail addresses. This is one of the many ways spammers accumulate e-mail addresses to send their spam to. To make use of Zombie SMTP we use a trap e-mail address. Somewhere in one or more of your HTML pages you place code like the following, with an appropriate trap e-mail address:
<a href="mailto:tad3@tp2.rbl.jp"></a>
We have Zombie SMTP running at tp2.rbl.jp so after a collecting agent has collected the above e-mail address the spammer will eventually try sending a spam to this server. If the spammer sends his spam from a machine with an IP address listed in one of the RBLs then his connection will be left open for 20 mins before being disconnected, otherwise the connection will be cut immediately.

By default, all.rbl.jp and relays.ordb.org are the two RBLs pre-defined in Zombie SMTP. You can add to or delete from the list any RBL you like; look in the source code for how to do this.
all.rbl.jp is an RBL with a database of servers known for sending spam and also virus-infected e-mails. See www.rbl.jp for more info.
Briefly explained, RBLs work by taking an IP address (say 1.2.3.4), reversing it and prepending it to the hostname of the RBL (giving 4.3.2.1.all.rbl.jp), then doing a DNS lookup on that name. If there is no such record, the IP address is not registered in the RBL; if it is registered, an address of the form 127.0.0.x is returned.
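As an added illustration of the lookup just described (example code written for this page, not part of Zombie SMTP itself), the following Python builds the reversed query name, treats only a 127.0.0.x answer as a listing, and returns the 20-minute hold or an immediate drop. The resolver is injectable, so the decision logic can be exercised with constructed answers and no live DNS; the zone names are the two the page lists as defaults.

```python
import socket
import ipaddress
from typing import Callable, Iterable, Optional

# The two RBL zones the page names as Zombie SMTP's defaults.
DEFAULT_RBLS = ("all.rbl.jp", "relays.ordb.org")
HOLD_SECONDS = 20 * 60  # the 20-minute hold described above

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the RBL query name: the IPv4 octets reversed, then the zone appended.

    1.2.3.4 + all.rbl.jp -> 4.3.2.1.all.rbl.jp
    Raises ValueError for anything that is not a valid IPv4 address.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolve(name: str) -> Optional[str]:
    """Default resolver: an A-record lookup. No record (or any lookup failure) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = live_resolve) -> bool:
    """An address counts as listed only if the RBL answers with 127.0.0.x.

    Checking the answer rather than mere existence of a record guards against
    wildcard or parked domains, which answer for every name with a public address.
    """
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def hold_time(ip: str, zones: Iterable[str] = DEFAULT_RBLS, resolve: Resolver = live_resolve) -> int:
    """Seconds to keep the connection open: 20 minutes if any zone lists the IP, else 0 (drop at once)."""
    return HOLD_SECONDS if any(is_listed(ip, zone, resolve) for zone in zones) else 0
```

A zone that no longer exists or has been shut down should be removed from the list, since a dead list can never return a listing, and one that answers for everything would tarpit every sender.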

Setup

You can download Zombie SMTP from here http://www.hart.co.jp/gnu/, it's no. 4 on the list.

You'll now need a server to run this on. As mentioned above, this must be a server where an MTA like Sendmail, Postfix etc. is NOT running, otherwise there'll be port conflicts on port 25. You'll need to use the hostname of the box in the trap e-mail address.

1. Download Zombie SMTP and put it somewhere on your server, say /usr/local/bin, and finally:
chmod 755 zombiesmtp
2. Run it as root:
/usr/local/bin/zombiesmtp &
3. Optionally, you can add this to /etc/rc.local to startup Zombie SMTP automatically.
4. Optionally, modify the list of RBLs to be checked.
5. Inside one or more of your HTML pages insert the following code:
<a href="mailto:XXX@tp2.rbl.jp"></a>
Replace tp2.rbl.jp with the hostname of your server. XXX can be anything, because only the mail server address after the @ symbol matters here, but the e-mail address must follow the standard format so that it is picked up by collection agents.

Now what?

Now all you have to do is wait. E-mail is usually processed by an SMTP server within a few seconds, but here the spammer's connection will be held open for 20 mins. Of course, this can't be helped if the mailing software the spammer is using has a timeout, in which case the connection may be terminated from the spammer's end.

Now go annoy those spammers!


RBL.JP