How Jackpot Works
Jackpot is an SMTP server: it accepts incoming internet mail messages on TCP
port 25 using the SMTP protocol. Unlike a normal SMTP server, however, Jackpot
doesn't normally relay the spam to its intended recipients; instead it saves the
information, to use as evidence for a complaint or for research.
Read some more about relay-spam.
Selective Relaying
Whether Jackpot sends a given message on to its destination is not a blanket
decision; it inspects each incoming message and decides whether or not to relay
it. A Jackpot server is not, after all, responsible for any genuine mail-domain.
It has no real mail users of its own, so every message sent to it is either spam
or a message sent by a spammer to verify that the server does in fact relay.
Jackpot attempts to identify relay test messages, and relays only
those messages to the destination on the envelope. Other messages are considered
to be spam, and are not relayed. Instead, they are filed for reference.
Jackpot treats any message that is not spam as a relay-test. It
treats a message as spam if:
- The message was sent from a server in a blacklist;
- The message arrives "too soon" after another message;
- The message has "too many" recipients.
The meaning of the expressions "too soon" and "too many" is configurable, as are
the contents of the blacklist.
In addition to relay tests, Jackpot will also relay mail to any
email-addresses that it considers to be relay-test drop-boxes. It will do this
even if it has already identified the message as spam; spammers may arrange for
the recipients of a spam-run to include some addresses that they own themselves
("salt"), so that they can verify that the spam-run was successful.
Jackpot obliges. A mailbox is treated as a drop-box address if it has
appeared as a recipient of a relay-test.
In addition, the owner of the Jackpot server can add addresses that
he wants his server to always relay to. You might do this if, for some reason,
you can't access your ISP's mailserver.
Relaying can easily be suppressed completely; however, if you configure
Jackpot to never relay, not even tests, then spammers will have no reason to
send messages to it, and you won't have much fun with it.
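The relay decision described in this section, written out as an added illustration (this is not Jackpot's own code; the configuration names, the data structures, the reading of "too many" as "more than N recipients" and the sample addresses are assumptions):

```python
# Added illustration of Jackpot's relay decision; not Jackpot's own code.
# Config/State names and the "more than N" reading of "too many" are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Config:
    blacklist: Set[str]              # source hosts whose mail is always spam
    too_soon_seconds: float          # a shorter gap than this means spam
    too_many_recipients: int         # more recipients than this means spam
    always_relay: Set[str] = field(default_factory=set)  # operator's own addresses
    relay_enabled: bool = True       # False: file everything, relay nothing


@dataclass
class State:
    last_arrival: Optional[float] = None
    dropboxes: Set[str] = field(default_factory=set)  # learned from relay tests


@dataclass
class Message:
    source: str                      # connecting host
    arrival: float                   # arrival time in seconds
    recipients: List[str]            # envelope recipients (RCPT TO)


def is_spam(msg: Message, cfg: Config, st: State) -> bool:
    """Spam if any of the three configurable tests fires; otherwise a relay test."""
    if msg.source in cfg.blacklist:
        return True
    if st.last_arrival is not None and msg.arrival - st.last_arrival < cfg.too_soon_seconds:
        return True
    return len(msg.recipients) > cfg.too_many_recipients


def decide(msg: Message, cfg: Config, st: State) -> Tuple[str, List[str]]:
    """Return (verdict, recipients to relay to) and update the learned state."""
    spam = is_spam(msg, cfg, st)
    st.last_arrival = msg.arrival
    if not cfg.relay_enabled:            # relaying suppressed completely
        return ("spam" if spam else "relay-test"), []
    if not spam:
        # Relay test: deliver to the envelope and remember those addresses as drop-boxes.
        st.dropboxes.update(msg.recipients)
        return "relay-test", list(msg.recipients)
    # Spam: filed for reference, but still relayed to drop-boxes ("salt") and
    # to the addresses the operator asked to always relay to.
    relay_to = [r for r in msg.recipients if r in st.dropboxes or r in cfg.always_relay]
    return "spam", relay_to
```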
Web-server
Jackpot saves full details of all spam mail submitted to it as a collection of
web-pages. The information is organized into lists, with messages sent from a
given host grouped on a page. Jackpot tries to gather some information about the
host that sent the spam; apart from determining the host-name, it performs
lookups at Osirusoft, to check if the source is a known open-proxy or a spamhaus,
and at abuse.net, to see if there's a registered abuse-address for the host.
Jackpot incorporates a simple HTTP-server for serving these pages.
When mail arrives, Jackpot performs an HTTP POST to send the details of
the spam to the HTTP server. The HTTP server need not, therefore, be on the same
box as the Jackpot server. Instead, you could arrange for a cluster of
Jackpot servers to all update a single HTTP server. In fact the POST
message is quite simple; there's no reason why you couldn't make a simple script
to enable Apache (or your favourite HTTP server) to receive the message and
update the website.
The HTTP server is pretty primitive; it will report "200 OK" for any HTTP
method (including CONNECT), although it will return a page saying "404 Page not
found" if the requested page doesn't exist or is illegal.
Proxy-tester
Jackpot performs proxy-tests on hosts that connect to port 25. It tests for HTTP
CONNECT proxies on ports 80, 3128 and 8080, and for SOCKS V4 and V5 proxies on
port 1080. Because its own HTTP server answers "200 OK" to any method, Jackpot
itself appears to be a proxy; if Jackpot receives mail from the same host that
Jackpot is running on, it will proxy-test itself. So if you run the Jackpot HTTP
server on one of the ports 80, 3128 or 8080, then Jackpot's proxy-tests will show
a positive for that port.
Proxy-tests are performed under the control of the HTTP service, when the
SMTP service updates it with message-data. The test involves asking the
spam-sender to create a connection to Jackpot's own port 25, and if successful,
this will show up in the log as an SMTP connection.
Using the Web-server to LART
You can send a complaint to the
administrators of the source-domain, with a URL that points to your HTTP server.
They are then able to verify that their customer is indeed abusing the internet,
and research their activities. They will be provided with information that is
not available from their own network tools - they can see, for example, what
other hosts (in other networks) are being attacked by the same spammer.
Hopefully they will shut down his account in short order. If they don't,
however (some ISPs don't seem to understand), then after a certain point,
Jackpot will stop filing the spam. Enough is as good as a feast, and we
don't want to fill up your disk with a whole spam-run.
Tarpit Facility
Jackpot incorporates a tarpit facility: when
this is enabled, it responds very sloooowly to incoming SMTP traffic. Exactly
how slowly is configurable. This has two benefits:
- The sender of the spam has resources (sockets, memory) tied up for longer.
- Spam arrives at your system more slowly (saving your disk-space).
Obviously, it also has the consequence that you will capture less
spam.
Configurable
A lot of the behaviour of Jackpot is configurable;
you can:
- Control which ports and IP addresses Jackpot serves on
- Switch on and off the SMTP and HTTP services independently
- Configure the responses returned by Jackpot during the SMTP protocol exchange
- Control where spam filed for reference is stored (so that you can serve the HTML to system administrators of a different box from the one Jackpot is running on)
- Control what state Jackpot starts up in: whether SMTP and HTTP services are on, and whether relaying and tarpitting are enabled
There are many other configurable options, mostly to enable the
operator to disguise his Jackpot.