How Jackpot Works
Jackpot is an SMTP server: it accepts incoming internet mail messages on TCP
port 25 using the SMTP protocol. Unlike a normal SMTP server, however, Jackpot
doesn't normally relay the spam to its intended recipients; instead it records the
message and the details of its sender, to use as evidence for a complaint or for research.
Read some more about relay-spam.
Selective Relaying
Jackpot doesn't refuse to relay altogether, though. It inspects each incoming
message and decides whether it should relay it or not. A Jackpot server is not,
after all, responsible for any genuine mail-domain. It has no real mail users of its
own; so every message sent to it is either spam, or a message sent by a spammer
to verify that the server does in fact relay.
Jackpot attempts to identify relay-test messages, and relays only those messages
to the destinations on the envelope. Other messages are treated as spam and are
not relayed. Instead, they are filed for reference.
Jackpot treats any message that is not spam as a relay-test. It
treats a message as spam if:
- The message was sent from a server in a blacklist;
- The message arrives "too soon" after another message;
- The message has "too many" recipients.
The meaning of the expressions "too soon" and "too many" is configurable,
as are the contents of the blacklist.
In addition to relay tests, Jackpot will also relay mail to any
email-addresses that it considers to be relay-test drop-boxes. It will do
this even if it has already identified the message as spam; spammers may
arrange for the recipients of a spam-run to include some addresses that
they own themselves ("salt"), so that they can verify that the spam-run was
successful. Jackpot obliges. A mailbox is treated as a drop-box
address if it has appeared as a recipient of a relay-test.
In addition, the owner of the Jackpot server can add addresses
that he wants his server to always relay to. You might do this if, for some reason,
you can't access your ISP's mailserver.
Relaying can easily be suppressed completely; however, if you configure Jackpot to
never relay, not even tests, then spammers will have no reason to send messages to
it, and you won't have much fun with it.
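The relay decision described above, as an added example in Python; this is not Jackpot's own code. It assumes a CIDR-style blacklist, a global "too soon" interval (the text does not say whether the interval is per host), a recipient-count limit, and the names RelayPolicy and decide; the thresholds and addresses are made up for illustration.

```python
"""Added example: Jackpot-style relay/spam classification (not Jackpot's code)."""
import ipaddress
import time


class RelayPolicy:
    def __init__(self, blacklist, min_interval=30.0, max_rcpts=5, always_relay=()):
        # Assumed config shape: blacklist entries are CIDR networks.
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.min_interval = min_interval      # "too soon": seconds since the previous message
        self.max_rcpts = max_rcpts            # "too many": envelope recipients per message
        self.always_relay = {a.lower() for a in always_relay}   # operator's own addresses
        self.dropboxes = set()                # learned from relay tests ("salt" addresses)
        self.last_seen = None                 # arrival time of the previous message

    def is_blacklisted(self, sender_ip):
        ip = ipaddress.ip_address(sender_ip)
        return any(ip in net for net in self.blacklist)

    def decide(self, sender_ip, recipients, now=None):
        """Return (verdict, relay_to): verdict is 'relay-test' or 'spam',
        relay_to is the subset of envelope recipients that is actually delivered."""
        now = time.time() if now is None else now
        rcpts = [r.lower() for r in recipients]
        too_soon = self.last_seen is not None and (now - self.last_seen) < self.min_interval
        self.last_seen = now

        spam = self.is_blacklisted(sender_ip) or too_soon or len(rcpts) > self.max_rcpts
        if not spam:
            # Relay test: deliver to every envelope recipient and remember
            # each of them as a drop-box for later spam runs.
            self.dropboxes.update(rcpts)
            return "relay-test", rcpts

        # Spam: file it, but still deliver to known drop-boxes and to the
        # addresses the operator always wants relayed.
        relay_to = [r for r in rcpts if r in self.dropboxes or r in self.always_relay]
        return "spam", relay_to


if __name__ == "__main__":
    # Constructed sample run: one relay test, then a spam run that "salts" the
    # same drop-box, then a message from a blacklisted host.
    policy = RelayPolicy(["10.0.0.0/8"], min_interval=30, max_rcpts=3,
                         always_relay=["me@example.org"])
    print(policy.decide("192.0.2.1", ["probe@example.net"], now=1000))
    print(policy.decide("192.0.2.1", ["a@x.example", "probe@example.net"], now=1005))
    print(policy.decide("10.1.2.3", ["b@x.example", "me@example.org"], now=2000))
```

Note that a drop-box is learned only from a message that passed the three spam tests; a spammer whose relay test itself trips the rate or recipient limit never gets a drop-box registered, which is the reason the "too soon" and "too many" thresholds should be set generously.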
Web-server
Jackpot saves full details of all spam mail submitted to it as a
collection of web-pages. The information is organized into lists, with messages
sent from a given host grouped on a page. Jackpot tries to gather some
information about the host that sent the spam; apart from determining the host-name,
it performs lookups at Osirusoft, to check
whether the source is a known open proxy or a spamhaus, and at
abuse.net, to see if there's a registered abuse-address
for the host.
Jackpot incorporates a simple HTTP-server for serving these pages. When mail
arrives, Jackpot performs an HTTP POST to send the details of the spam to
the HTTP server. The HTTP server need not, therefore, be on the same box as the
Jackpot server. Instead, you could arrange for a cluster of Jackpot
servers to all update a single HTTP server. In fact the POST message is quite simple;
there's no reason why you couldn't make a simple script to enable Apache (or your
favourite HTTP server) to receive the message and update the website.
The HTTP server is pretty primitive; it will report "200 OK" for any HTTP method
(including CONNECT, which is why a proxy scanner, Jackpot's own included, will take
it for an open proxy), although it will return a page saying "404 Page not found" if
the requested page doesn't exist or is illegal.
Proxy-tester
Jackpot performs proxy-tests on hosts that connect to port 25. It tests for
HTTP CONNECT proxies on ports 80, 3128 and 8080, and for SOCKS V4 and V5 proxies on
port 1080. Because its HTTP server answers "200 OK" to CONNECT, Jackpot itself looks
like a proxy; if Jackpot receives mail from the same host that it is running on, it
will proxy-test itself. So if you run the Jackpot HTTP server on one of the ports
80, 3128 or 8080, Jackpot's proxy-tests will show a positive for that port.
Proxy-tests are performed under the control of the HTTP service, when the SMTP
service updates it with message-data. The test involves asking the spam-sender
to open a connection back to Jackpot's own port 25; if the sender is an open proxy,
the resulting connection shows up in the log as an SMTP connection from that host.
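The three probes described above, as an added Python example that is not Jackpot's code: each one asks the suspected proxy to open a connection back to the tester's own port 25, using the standard HTTP CONNECT, SOCKS4 and SOCKS5 request formats. The callback address, the port lists and the function names are assumptions; the request builders and reply parsers are pure functions so they can be checked against constructed replies without a live target.

```python
"""Added example: open-proxy probes that request a connect-back to port 25 (not Jackpot's code)."""
import socket
import struct

HTTP_PROXY_PORTS = (80, 3128, 8080)   # ports named in the text
SOCKS_PORT = 1080


def http_connect_request(target_ip, target_port=25):
    # HTTP CONNECT (RFC 2817); an open proxy answers with a 2xx status line.
    return f"CONNECT {target_ip}:{target_port} HTTP/1.0\r\n\r\n".encode()


def http_connect_accepted(reply):
    first = reply.split(b"\r\n", 1)[0]
    parts = first.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"


def socks4_request(target_ip, target_port=25, userid=b""):
    # VN=4, CD=1 (CONNECT), DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL
    return (b"\x04\x01" + struct.pack("!H", target_port)
            + socket.inet_aton(target_ip) + userid + b"\x00")


def socks4_accepted(reply):
    # Reply: VN=0, CD=0x5a means request granted; 0x5b..0x5d are refusals.
    return len(reply) >= 8 and reply[0] == 0 and reply[1] == 0x5A


def socks5_greeting():
    # VER=5, NMETHODS=1, METHOD=0 (no authentication)
    return b"\x05\x01\x00"


def socks5_method_accepted(reply):
    return reply[:2] == b"\x05\x00"


def socks5_connect_request(target_ip, target_port=25):
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT
    return (b"\x05\x01\x00\x01" + socket.inet_aton(target_ip)
            + struct.pack("!H", target_port))


def socks5_accepted(reply):
    # REP=0 means succeeded; any other value is a failure code.
    return len(reply) >= 2 and reply[0] == 5 and reply[1] == 0


def probe_proxy(host, port, kind, callback_ip, callback_port=25, timeout=10.0):
    """Live probe (network access required): True if host agreed to connect
    back to callback_ip:callback_port. kind is 'http', 'socks4' or 'socks5'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if kind == "http":
            s.sendall(http_connect_request(callback_ip, callback_port))
            return http_connect_accepted(s.recv(1024))
        if kind == "socks4":
            s.sendall(socks4_request(callback_ip, callback_port))
            return socks4_accepted(s.recv(8))
        if kind == "socks5":
            s.sendall(socks5_greeting())
            if not socks5_method_accepted(s.recv(2)):
                return False
            s.sendall(socks5_connect_request(callback_ip, callback_port))
            return socks5_accepted(s.recv(10))
        raise ValueError(f"unknown proxy kind {kind!r}")


def probe_all(host, callback_ip):
    """Run every probe the text describes against one host; assumed helper name."""
    results = {}
    for port in HTTP_PROXY_PORTS:
        results[("http", port)] = probe_proxy(host, port, "http", callback_ip)
    for kind in ("socks4", "socks5"):
        results[(kind, SOCKS_PORT)] = probe_proxy(host, SOCKS_PORT, kind, callback_ip)
    return results
```

http_connect_accepted trusts the status line, which is exactly why a server such as Jackpot's own, which answers 200 to every method, reads as an open proxy. A stricter tester ties the verdict to the evidence the text mentions: treat the host as a proxy only when an inbound SMTP connection from it actually arrives on port 25 shortly after the CONNECT is sent.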
Using the Web-server to LART
You can send a complaint to the administrators of the source-domain, with a URL that
points to your HTTP server. They are then able to verify that their
customer is indeed abusing the internet, and research their activities. They will be
provided with information that is not available from their own network tools - they
can see, for example, what other hosts (in other networks) are being attacked by the
same spammer.
Hopefully they will shut down his account in short order. If they don't, however
(some ISPs don't seem to understand), then after a certain point, Jackpot
will stop filing the spam. Enough is as good as a feast, and we don't want to fill up
your disk with a whole spam-run.
Tarpit Facility
Jackpot incorporates a tarpit facility: when this is enabled, it responds
very sloooowly to incoming SMTP traffic. Exactly how slowly is configurable. This has
two benefits:
- The sender of the spam has resources (sockets, memory) tied up for longer.
- Spam arrives at your system more slowly (saving your disk-space).
Obviously, it also has the consequence that you will capture less spam.
Configurable
A lot of the behaviour of Jackpot is configurable; you can:
- Control which ports and IP addresses Jackpot serves on
- Switch on and off the SMTP and HTTP services independently
- Configure the responses returned by Jackpot during the SMTP protocol exchange
- Control where spam filed for reference is stored (so that you can serve the HTML to
system administrators of a different box from the one Jackpot is running on).
- Control what state Jackpot starts up in: whether SMTP and HTTP services
are on, and whether relaying and tarpitting are enabled.
There are many other configurable options, mostly to enable the operator to disguise
his Jackpot.