====== Exim4 - Honeypot ======
Honeypots are really cool. The strategy is this: make up an email address on your server that doesn't exist (and probably won't in the future), say "honeypot@example.com" (where "example.com" is your domain). Now purposefully PLACE this email address in HIDDEN places on your websites (I mean hidden from human viewers). I have a hidden link on every page! Yes, let it be harvested. The following link works for me:
haha
Here "white" is my background color, so this is invisible (it might be better to put a 1-pixel picture in). Any email coming to this account will be spam (for sure), so you can use this information to locally blacklist certain hosts.
First configure **/etc/exim4/exim4.conf.template** to set up a local filter. Somewhere in that file (I put mine at the top of the "main/config-options" section) you should put the following stanza:
# Setup HONEYPOT filters (fake email addresses used as bait).
system_filter = "/etc/exim4/system.filter"
system_filter_user = Debian-exim
system_filter_group = Debian-exim
system_filter_pipe_transport = address_pipe
Any sender IP address that ends up in "/etc/exim4/local_host_blacklist" is denied. However, in the stanza
deny
message = Sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster.
!acl = acl_whitelist_local_deny
hosts = ${if exists{CONFDIR/local_host_blacklist}\
{CONFDIR/local_host_blacklist}\
{}}
I like to change the "message" to
message = 550 Unrouteable address : User unknown\n\
Write "postmaster" for questions
Again, a "user unknown" reply may get the address removed from their list.
Now you'll need to set up the filter itself. Create a file called "/etc/exim4/system.filter" and place the following lines in there (with the appropriate changes, i.e. your own honeypot address):
if $recipients contains "honeypot@example.com"
then
pipe "/etc/exim4/blacklist-me $sender_host_address"
endif
Obviously this refers to a shell script called "/etc/exim4/blacklist-me", so create it with the following lines:
#!/bin/sh
# Called by the Exim system filter with the sender IP address as its argument.
BLACKLIST=/etc/exim4/local_host_blacklist
BLACKLISTDATES=/etc/exim4/local_host_blacklist_dates
echo "$@" >> "$BLACKLIST"
echo "$@" "$(date +'%Y-%m-%d %H:%M:%S')" >> "$BLACKLISTDATES"
Make this file executable:
chmod +x /etc/exim4/blacklist-me
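A more defensive version of the blacklist-me helper, added here as an example rather than taken from the page or from Debian's exim4 package: it refuses anything that is not an IP literal (Exim always passes $sender_host_address, so other input means the script was not called the way it is meant to be), and it appends each host to the blacklist only once, so the list Exim re-reads on every connection does not grow without bound. The file paths fall back to the ones used on this page but can be overridden through the environment, which is an assumption made for testing.

```sh
#!/bin/sh
# Hardened replacement for blacklist-me (added example, not the page's own script).
# The list paths can be overridden through the environment so the script can be
# exercised against temporary files instead of the real /etc/exim4 lists.
BLACKLIST="${BLACKLIST:-/etc/exim4/local_host_blacklist}"
BLACKLISTDATES="${BLACKLISTDATES:-/etc/exim4/local_host_blacklist_dates}"

# is_ip_address ADDR: succeed only if ADDR looks like an IPv4 or IPv6 literal.
# Exim hands us $sender_host_address, which is always an IP literal, so any other
# input means an unexpected invocation and must not land in the host list.
is_ip_address() {
    addr=$1
    case "$addr" in
        ""|*[!0-9a-fA-F.:]*) return 1 ;;   # empty, or contains a non-address byte
    esac
    if printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        old_ifs=$IFS; IFS=.
        set -- $addr                      # split the dotted quad into octets
        IFS=$old_ifs
        for octet in "$@"; do
            [ "$octet" -le 255 ] || return 1
        done
        return 0
    fi
    case "$addr" in *:*) return 0 ;; esac  # loose IPv6 check: hex groups with colons
    return 1
}

# blacklist_host ADDR: add ADDR to the blacklist once, and log every hit with a date.
blacklist_host() {
    addr=$1
    if ! is_ip_address "$addr"; then
        echo "blacklist-me: refusing to blacklist '$addr'" >&2
        return 1
    fi
    if ! grep -qxF "$addr" "$BLACKLIST" 2>/dev/null; then
        echo "$addr" >> "$BLACKLIST"
    fi
    echo "$addr $(date +'%Y-%m-%d %H:%M:%S')" >> "$BLACKLISTDATES"
}

# When run by the Exim system filter, the single argument is the sender address.
if [ $# -gt 0 ]; then
    blacklist_host "$1"
fi
```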
Now, in the "/etc/exim4" directory you need to touch two files:
touch /etc/exim4/local_host_blacklist
touch /etc/exim4/local_host_blacklist_dates
Change the ownership of both of these files to "Debian-exim" (the user the system filter runs as, see system_filter_user above), otherwise the script cannot append to them:
chown Debian-exim:Debian-exim /etc/exim4/local_host_blacklist
chown Debian-exim:Debian-exim /etc/exim4/local_host_blacklist_dates
Now for the final step: add an alias (see above) for our fake user "honeypot@example.com". In "/etc/exim4/aliases.virtual" add the line
honeypot@example.com: :blackhole:
That's IT! Now just sit and trap evil spammers!