TarPop v0.5.0
Home
Sundew
SMTarPit
TarPop
About
 

Digg
Digg this


del.icio.us
Add to
del.icio.us
 

a POP3 tarpit (teergrub)/honeypot

Contents


About TarPop

I wrote this program for pretty much the same reasons that I wrote SMTarPit.

Like SMTarPit TarPop is a combined SMTP honeypot and tarpit released under the GPL. It is writen in Perl so it should work on virtually any platform that supports Perl (except Windows). It uses xinetd which looks at port 110 (instructions in the tarball) and when someone calls it, tarpop is launched. It then decides whether there is a man or a machine on the other end and sets about wasting their time.

It is meant to complement SMTarPit by presenting the cracker with an open port 110 which seems to have a POP3 server on the other end and potentially, lots of juicy accounts to look at.

There are plenty of instructions as to how to configure the program - if Perl is not your first language, you should still be able to see what to do. You will certainly need to put a valid domain name in there but it is all well laid out so that you can install it and run it as a part of xinetd.


How does it work?

Every time an incoming call to port 110 happens, xinetd starts a copy of this server. It only has a small memory footprint and doesn't really consume much processor time.

When the server is started, it responds with the usual welcome message and then waits for the client to respond. When the client does respond, it looks at how long it took and tries to work out whether it is a man or machine at the other end (you can adjust this time in the program if you want).

If the server thinks that it is a machine at the other end, it goes into tarpit mode where everything takes a long time.


Preparation

You need to have bogus email addresses that the cracker needs to check. You can do this by having a web server on port 80 with a 1 pixel square link to it from a site that is spidered regularly (you can put the other site into Google's spider list if you want). If it is on the same server, any checks to see that email addresses are genuine will show that they are.

Something else you might consider is all of those phishing attacks. If you click on one (to open on a browser not running scripting, preferable not on Windows either) then, where the opportunity arises, add a tarpitted email address - this will get sold on as a valid email address and might create a bit of interest at the same time.


Requirements

You need...

You don't need...
  • to have Perl in the directory that this program runs in because it doesn't call anything else once it is chrooted (it doesn't before either)
  • to run it on a mainframe - a home, broadband machine will do it
  • a great, in-depth knowledge of setting up servers as you can follow the instructions in the Perl script file - you can run this on virtually anything
  • to spend money
You should have (any way)...
  • a firewall that you can configure to point port 110 traffic to your server
  • Perl (nothing fancy is needed here, the basic install that comes with your OS should do)
  • a 24/7 connection to the Internet
  • a machine that you run all of the time


Running Example

In a shell, get the host ip address for "info2.mine.nu"

Open up telnet and point it to the address on port 110. You will get the TarPop honeypot/tarpit. After that, just start using some POP3 commands and see what happens.


Log Example

The following is representative of the output for one session from the full log...

NEW 20601 123.45.67.89 2005 Jan 27 11:29:58
20601 2005 Jan 27 11:29:58 +OK POP3 server ready <20601.1106825398@pop.sbhp.info2.mine.nu>
20601 2005 Jan 27 11:30:13 USER Peter123
20601            --            delta_t = 15 seconds
20601            --            Slow response: selecting honeypot mode
20601 2005 Jan 27 11:30:18 +OK
20601 2005 Jan 27 11:30:31 PASS piper654
20601 2005 Jan 27 11:30:38 -ERR User ID/password combination not recognised
20601 2005 Jan 27 11:30:48 PASS PiPeR654
20601 2005 Jan 27 11:30:55 -ERR Need User ID first
20601 2005 Jan 27 11:31:08 USER Peter123
20601 2005 Jan 27 11:31:11 +OK
20601 2005 Jan 27 11:31:21 PASS PiPeR654
20601 2005 Jan 27 11:31:28 -ERR POP3 server pop.sbhp.info2.mine.nu signing off
20601            --            Reached max UserID fails (max = 3)
20601            --            duration: 90 seconds

... and this from the quicklog

20601 2005 Jan 27 11:31:28 192.168.1.80 - duration = 90

Download

Click here to download the tarball...
Name: tarpop050.tar.gz.
Length: 10,821 Bytes.
MD5 hash: e730157e369a6f662bd850670b35ef19


Version History

0.5.0 Released 27/01/2005 10,821 Bytes
MD5: e730157e369a6f662bd850670b35ef19
 
  • This is the first release. It forms a basic honeypot/tarpit to keep automatic mail clients and basic hacking attempts happy.


Have fun.

Paul Grosse

email paul-grosse at ntlworld dot com

Return to home page