In my last blog post I used an ex-email provder’s old domain to jumpstart an email honeypot. But because this used to be a legitimate email provider domain with legitimate email accounts, the honeypot also receives a lot of legitimate email, including but not limited to:

So I won’t be able to share the email stream of that spamtrap publicly. However, in this blog post I outline the complete setup. All you need is:

  1. A domain
  2. A server with CentOS 7 (any cheap VPS will do)
  3. DNS that points your domain to the server IP (any free DNS will do)
  4. You need to run a script on the server and a spamtrap will be setup automagically

1. Domain

You will need a domain name.

A very cheap option is a .xyz domain from Namecheap:

.xyz domain is only €0.91 at Namecheap

.xyz domain is only €0.91 at Namecheap

The .xyz domain at Namecheap also includes WhoisGuard:

WhoisGuard is forever free at Namecheap

WhoisGuard is forever free at Namecheap

WhoisGuard prevents your real information from being listed in the WHOIS record of the domain. Of course you could also register the domain with wrong information. However, you could also quickly loose the domain because of that, which would be a shame if you already put efforts into getting spammers to send spam to your domain.

Buy a domain.

2. Hosting

A very cheap option I found is https://vpscheap.net/. Because you don’t care about uptime or privacy of your spamtrap you can go cheap here.

Select CentOS 7 64bit as the operating system (the script will only work with CentOS 7) and no other addons:

VPSCHEAP NET ordering options: CentOS 7 as OS, no other addons

VPSCHEAP NET ordering options: CentOS 7 as OS, no other addons

Also enter your hostname. I choose the subdomain spamtrap on my xyz domain.

After you bought it copy its IP address and set a root password:

VPSCHEAP NET copy IP of server

VPSCHEAP NET copy IP of server

3. DNS

Cloudflare provides a great free DNS service. Once you log into Cloudflare do the following:

  1. “Add site”
  2. Enter the registered domain name
  3. Select the “Free Plan”
  4. Remove all the existing DNS records (big X after entries)
  5. Add:
spamtrap.domain.tld. IN A

spamtrap.domain.tld. IN A

domain.tld. IN MX 1 spamtrap.domain.tld

domain.tld. IN MX 1 spamtrap.domain.tld

domain.tld. IN TXT v=spf1 mx -all

domain.tld. IN TXT “v=spf1 mx -all”

  1. Make sure all entries are set to “DNS resolution only: Bypasses Cloudflare”. Then hit “Continue”.
  2. Follow the instructions to set Cloudflares DNS servers at Namecheap:
Setting Custom DNS at Namecheap

Setting “Custom DNS” at Namecheap

  1. OPTIONAL: Again in Cloudflare go to the “DNS” tab and enable “DNSSEC”. Depending on the type of top level domain the setup is either automagic (via CDS support) or you need to manual add the DS record at Namecheap (or your domain registrar).

4. Installing the Spamtrap

After this the setup period for your server should be over and it should up and running.

Download the install script: 01_install_spamtrap.sh (full source code on Github)

Install the Spamtrap via:

cat 01_install_spamtrap.sh | ssh root@<serverip>

This takes a while …

Configuring

All configuration is optional.

The hostname of the spamtrap is spamtrap.invalid. You can change this in /etc/postfix/main.cf (myhostname = spamtrap.invalid). However, you then must change /^root@spamtrap\.invalid$/ in /etc/postfix/vmaps as well (and run postmap /etc/postfix/vmaps afterwards to generate the vmaps.db).

In /etc/postfix/main.cf there are comments tagged with MORESPAM with suggestions for lines that can be commented for more spam. However, that spam will then be super low quality stuff.

Postfix is configured to not send any outbound mail at all. So if you would like to change that you need to edit /etc/postfix/main.cf (around # DO NOT SEND ANY MAIL AT ALL) and also setup SASL authentication.

Please note the server does automagic updates including reboots if they are indicated by an update! If you need an update schedule or some such feel free to edit /etc/cron.hourly/9needs-restarting.cron to schedule the checks for reboots differently.

The emails will go to /home/vmail/spamtrap.invalid/spamtrap/new/. System emails (root@localhost) will go to /home/vmail/spamtrap.invalid/root/new/.

5. Test

  1. Check if DNS has propagated:
  2. Connect to the SMTP:
220 spamtrap.invalid ESMTP
HELO <the hostname of your ip you connect to the SMTP>
250 spamtrap.invalid
MAIL FROM:<root@localhost.localdomain>
250 2.1.0 Ok
RCPT TO:<test@test.tld>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test

Test

.

250 2.0.0 Ok: queued as 6779A1301D08
QUIT
221 2.0.0 Bye

(If you don’t know how to send email via SMTP commands send a regular mail to whatever@<domain.tld>)

  1. Read mails received by the spamtrap:

(NOTE: Depending on what domain you registered you may not receive any email at all until you spread your email addresses so spammers can find them.)

6. Troubleshooting

NOTE: Please note this install does (aggressive) auto updates. It will check for updates, download and install them and if indicated will also perform a reboot. Reboots are performed via shutdown -r so users on the system should get 1 minute to abort the shutdown with shutdown -c.

In case you are having any other problems feel free to DM me on Twitter.

Future

This install script now already includes the DKIM and SPF checks (Authentication-Results and Received-SPF headers). So you can see whether the emails have been signed and were valid under SPF.

I will also share further improvements to this.

But for now everyone can setup their own spamtrap with minimal time effort and only 20 € (the first year).