How Jackpot Works

Jackpot is an SMTP server; that is, it accepts incoming internet mail messages on TCP port 25 using the SMTP protocol. Unlike a normal SMTP server, however, Jackpot doesn't normally relay the spam to its intended recipients; instead it saves the information, to use as evidence for a complaint or for research.

Read some more about relay-spam.

Selective Relaying

However, Jackpot doesn't always send the mail on to its destination; instead, it inspects incoming messages, and makes a decision as to whether it should relay or not. A Jackpot server is not, after all, responsible for any genuine mail-domain. It has no real mail users of its own; so all the messages that are sent to it are either spam, or messages sent by a spammer to verify that the server does in fact relay.

Jackpot attempts to identify relay test messages, and relays only those messages to the destination on the envelope. Other messages are considered to be spam, and are not relayed. Instead, they are filed for reference.

Jackpot treats any message that is not spam as a relay-test. It treats a message as spam if:

The meaning of the expressions "too soon" and "too many" is configurable, as are the contents of the blacklist.

In addition to relay tests, Jackpot will also relay mail to any email-addresses that it considers to be relay-test drop-boxes. It will do this even if it has already identified the message as spam; spammers may arrange for the recipients of a spam-run to include some addresses that they own themselves ("salt"), so that they can verify that the spam-run was successful. Jackpot obliges. A mailbox is treated as a drop-box address if it has appeared as a recipient of a relay-test.

In addition, the owner of the Jackpot server can add addresses that he wants his server to always relay to. You might do this if, for some reason, you can't access your ISP's mailserver.

Relaying can easily be suppressed completely; however, if you configure Jackpot to never relay, not even tests, then spammers will have no reason to send messages to it, and you won't have much fun with it.
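The relay decision described in this section, as an added sketch that is not Jackpot's own code: the `is_spam` callable is a hypothetical stand-in for Jackpot's configurable spam criteria, and the class, field names, rule and messages are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RelayPolicy:
    # Hypothetical stand-in for Jackpot's configurable spam criteria.
    is_spam: Callable[[dict], bool]
    relaying_enabled: bool = True
    always_relay: set = field(default_factory=set)  # added by the operator
    drop_boxes: set = field(default_factory=set)    # learned from relay tests

    def decide(self, msg):
        """Return (verdict, recipients to relay to); 'spam' messages are filed."""
        rcpts = list(msg["rcpt_to"])
        if not self.is_spam(msg):
            # Anything that is not spam is treated as a relay test, and every
            # recipient of a relay test becomes a drop-box address.
            self.drop_boxes.update(rcpts)
            verdict, relay_to = "relay-test", rcpts
        else:
            # Spam is filed, but drop-box ("salt") recipients and
            # operator-listed addresses still get their copy.
            allowed = self.drop_boxes | self.always_relay
            verdict, relay_to = "spam", [r for r in rcpts if r in allowed]
        if not self.relaying_enabled:
            relay_to = []  # relaying suppressed completely, tests included
        return verdict, relay_to


def demo():
    # Constructed rule and envelopes, for illustration only.
    policy = RelayPolicy(is_spam=lambda m: len(m["rcpt_to"]) > 2,
                         always_relay={"operator@example.com"})
    test = {"rcpt_to": ["probe@example.net"]}
    run = {"rcpt_to": ["a@example.org", "b@example.org", "probe@example.net"]}
    return policy.decide(test), policy.decide(run), policy


if __name__ == "__main__":
    first, second, _ = demo()
    print(first)   # the relay test goes out to its envelope recipient
    print(second)  # the spam run reaches only the learned drop-box
```
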

Web-server

Jackpot saves full details of all spam mail submitted to it as a collection of web-pages. The information is organized into lists, with messages sent from a given host grouped on a page. Jackpot tries to gather some information about the host that sent the spam: apart from determining the host-name, it performs lookups at Osirusoft, to check if the source is a known open-proxy or a spamhaus, and at abuse.net, to see if there's a registered abuse-address for the host.

Jackpot incorporates a simple HTTP-server for serving these pages. When mail arrives, Jackpot performs an HTTP POST to send the details of the spam to the HTTP server. The HTTP server need not, therefore, be on the same box as the Jackpot server. Instead, you could arrange for a cluster of Jackpot servers to all update a single HTTP server. In fact the POST message is quite simple; there's no reason why you couldn't make a simple script to enable Apache (or your favourite HTTP server) to receive the message and update the website.

The HTTP server is pretty primitive; it will report "200 OK" for any HTTP method (including CONNECT), although it will return a page saying "404 Page not found" if the requested page doesn't exist or is illegal.

Proxy-tester

Jackpot performs proxy-tests on hosts that connect to port 25. It tests for HTTP CONNECT proxies on ports 80, 3128 and 8080, and for SOCKS V4 and V5 proxies on port 1080. Jackpot itself appears to be a proxy; if Jackpot receives mail from the same host that Jackpot is running on, it will proxy-test itself. So if you run the Jackpot HTTP server on one of the ports 80, 3128 or 8080, then Jackpot's proxy-tests will show a positive for that port.

Proxy-tests are performed under the control of the HTTP service, when the SMTP service updates it with message-data. The test involves asking the spam-sender to create a connection to Jackpot's own port 25, and if successful, this will show up in the log as an SMTP connection.
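The probe messages such a test sends, and how the replies are read, as an added offline sketch that is not Jackpot's own code: the function names, the `PROBE_PLAN` table and the address 192.0.2.10 (a documentation address standing in for the Jackpot host) are assumptions. The byte layouts follow the SOCKS4 and SOCKS5 (RFC 1928) CONNECT formats.

```python
import socket
import struct

# Ports and proxy types named in the text above.
PROBE_PLAN = [(80, "http-connect"), (3128, "http-connect"),
              (8080, "http-connect"), (1080, "socks4"), (1080, "socks5")]


def http_connect_probe(ip, port=25):
    # Ask the suspected proxy to open a tunnel back to our own SMTP port.
    return f"CONNECT {ip}:{port} HTTP/1.0\r\n\r\n".encode("ascii")


def socks4_probe(ip, port=25):
    # VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, empty USERID ending in NUL.
    return struct.pack("!BBH4sB", 4, 1, port, socket.inet_aton(ip), 0)


def socks5_probes(ip, port=25):
    greeting = b"\x05\x01\x00"  # VER=5, one method offered: no authentication
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT
    connect = struct.pack("!BBBB4sH", 5, 1, 0, 1, socket.inet_aton(ip), port)
    return greeting, connect


def accepted(kind, reply):
    """True if the reply bytes say the proxy accepted the CONNECT request."""
    if kind == "http-connect":
        parts = reply.split(b"\r\n", 1)[0].split()
        return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
                and parts[1] == b"200")
    if kind == "socks4":
        return len(reply) >= 2 and reply[0] == 0 and reply[1] == 0x5A
    if kind == "socks5":
        return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0
    raise ValueError(f"unknown probe kind: {kind}")


if __name__ == "__main__":
    me = "192.0.2.10"  # constructed address for the Jackpot host
    print(http_connect_probe(me))
    print(socks4_probe(me).hex(), socks5_probes(me)[1].hex())
```

An accepting reply only shows that the request was taken; as the text says, the successful test is the one that shows up in the log as an SMTP connection.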

Using the Web-server to LART

You can send a complaint to the administrators of the source-domain, with a URL that points to your HTTP server. They are then able to verify that their customer is indeed abusing the internet, and research their activities. They will be provided with information that is not available from their own network tools - they can see, for example, what other hosts (in other networks) are being attacked by the same spammer.

Hopefully they will shut down his account in short order. If they don't, however (some ISPs don't seem to understand), then after a certain point, Jackpot will stop filing the spam. Enough is as good as a feast, and we don't want to fill up your disk with a whole spam-run.

Tarpit Facility

Jackpot incorporates a tarpit facility: when this is enabled, it responds very sloooowly to incoming SMTP traffic. Exactly how slowly is configurable. This has two benefits: Obviously, it also has the consequence that you will capture less spam.

Configurable

A lot of the behaviour of Jackpot is configurable; you can: There are many other configurable options, mostly to enable the operator to disguise his Jackpot.
