Exim4 - Honeypot

Honeypots are really cool. The strategy is this: make up an email address on your server that doesn't exist (and probably won't in the future), say “honeypot@example.com” (where “example.com” is your domain). Now purposefully PLACE this email address in HIDDEN places on your websites (hidden from human visitors, that is, but not from address-harvesting robots). I have a hidden link on every page! Yes, let it be harvested. The following link works for me:

<a href="mailto:honeypot@example.com"><font color="white">haha</font></a>

Here “white” is my background color, so the link is invisible (it might be better to use a 1-pixel picture instead). Any mail arriving at this address is certain to be spam, so you can use that fact to locally blacklist the hosts that send it.

First configure /etc/exim4/exim4.conf.template to set up a system filter. Somewhere in that file (I put mine at the top of the “main/config-options” section) you should put the following stanza:

/etc/exim4/exim4.conf.template
# Setup HONEYPOT filters (fake email addresses used as bait).
system_filter = "/etc/exim4/system.filter"
system_filter_user = Debian-exim
system_filter_group = Debian-exim
system_filter_pipe_transport = address_pipe

Any sender IP address that ends up in “/etc/exim4/local_host_blacklist” is denied. This is done by the stanza

  deny
    message = Sender IP address $sender_host_address is locally blacklisted here.  If you think this is wrong, get in touch with postmaster.
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

I like to change the “message” to

    message = 550 Unrouteable address : User unknown\n\
              Write "postmaster" for questions

Again, the hope is that if you answer with “user unknown” you'll be removed from their list.

Now you'll need to set up the filter itself. Create a file called “/etc/exim4/system.filter” and place the following lines in there (with the appropriate changes):

/etc/exim4/system.filter
if $recipients contains "honeypot@example.com"
then
  pipe "/etc/exim4/blacklist-me $sender_host_address"
endif

Obviously this refers to a shell script called “/etc/exim4/blacklist-me”, so create it with the following lines:

#!/bin/sh
# Called by the system filter with the sender's IP address as its argument.
BLACKLIST=/etc/exim4/local_host_blacklist
BLACKLISTDATES=/etc/exim4/local_host_blacklist_dates

# Append the address to the list Exim reads, and record when it was seen.
echo "$*" >> "$BLACKLIST"
echo "$*" "$(date +'%Y-%m-%d %H:%M:%S')" >> "$BLACKLISTDATES"

Make this file executable:

chmod +x /etc/exim4/blacklist-me
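Because whatever this script appends is parsed by Exim as a host list, it is worth being strict about what goes in. Below is a stricter blacklist-me, added here as an example (it is not the script from the original page): it only accepts an IPv4 or IPv6 literal, adds each address once, still logs every sighting with a timestamp, and always exits 0 so that a bookkeeping failure is never reported to Exim as a failed delivery. It assumes the same two files as above and that its single argument is Exim's $sender_host_address; the paths can be overridden through the environment for testing.

```shell
#!/bin/sh
# Added example, not the original blacklist-me: same two files, stricter input
# handling. Assumes the single argument is Exim's $sender_host_address.
# The paths are read at call time so they can be overridden for testing.
BLACKLIST=${BLACKLIST:-/etc/exim4/local_host_blacklist}
BLACKLISTDATES=${BLACKLISTDATES:-/etc/exim4/local_host_blacklist_dates}

# Succeed only for an IPv4 or IPv6 literal, so an empty or odd value
# (e.g. a locally submitted message, where the variable is empty) never
# lands in the host list that Exim parses.
is_ip() {
    case "$1" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
    esac
    case "$1" in
        *.*.*.*) printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        *:*)     printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F:]+$' ;;
        *)       return 1 ;;
    esac
}

# Add the address once to the blacklist; log every sighting with a timestamp.
# Returns 0 if added, 2 if it was already listed, 1 if rejected.
blacklist_add() {
    ip=$1
    is_ip "$ip" || return 1
    touch "$BLACKLIST" "$BLACKLISTDATES"
    now=$(date +'%Y-%m-%d %H:%M:%S')
    if grep -qxF "$ip" "$BLACKLIST"; then
        printf '%s %s repeat\n' "$ip" "$now" >> "$BLACKLISTDATES"
        return 2
    fi
    printf '%s\n' "$ip" >> "$BLACKLIST"
    printf '%s %s\n' "$ip" "$now" >> "$BLACKLISTDATES"
}

# When Exim's pipe transport runs this file, act on the argument but always
# exit 0, so a bookkeeping problem is not reported to Exim as a failed delivery.
if [ "$#" -ge 1 ]; then
    blacklist_add "$1" || :
fi
```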

Now, in the “/etc/exim4” directory you need to touch the two files the script writes to:

touch /etc/exim4/local_host_blacklist
touch /etc/exim4/local_host_blacklist_dates

Change the ownership of both of these files to “Debian-exim”, the user the system filter runs as:

chown Debian-exim:Debian-exim /etc/exim4/local_host_blacklist
chown Debian-exim:Debian-exim /etc/exim4/local_host_blacklist_dates

Now for the final step: add an alias (see above) for our fake user “honeypot@example.com” so that the mail itself is silently discarded. In “/etc/exim4/aliases.virtual” add the line

/etc/exim4/aliases.virtual
honeypot@example.com: :blackhole:

That's IT! Now just sit and trap evil spammers!