mailpot 0.0.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2011-2012 Matt Jezorek 
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,14 @@
+# MailPot
+
+MailPot is a simple SMTP honeypot that will catch email and save it to a database
+MailPot works to gain some automatic analysis and probe detection
+
+## Features
+* Catches all email and stores it
+* Works with Attachements
+* Runs as a daemon in the background
+* Written in EventMachine
+
+## How
+1. `gem install mailpot`
+2. `mailpot`

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/bin/mailpot

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+require 'mailpot'
+Mailpot.run!

data/lib/mailpot.rb

@@ -0,0 +1,100 @@
+require "rubygems"
+require "bundler/setup"
+require 'active_support/all'
+require 'eventmachine'
+require 'optparse'
+require 'rbconfig'
+
+module Mailpot extend ActiveSupport::Autoload
+ autoload :Smtp
+ autoload :Mail
+ 
+module_function
+
+ @@defaults = {
+  :smtp_ip => '127.0.0.1',
+  :smtp_port => '1025',
+  :verbose => false,
+  :daemon => true,
+  :key_file => '/etc/mailpot/keys.yml'
+ }
+ 
+ def parse! arguments=ARGV, defaults=@@defaults
+  @@defaults.dup.tap do |options|
+   OptionParser.new do |parser|
+    parser.banner = "Usage: mailpot [options]"
+    parser.version = File.read(File.expand_path("../../VERSION", __FILE__))
+    
+    parser.on("--ip IP", "Set the ip address of the smtp server") do |ip|
+     options[:smtp_ip] = ip
+    end
+    
+    parser.on("--keys KEYFILE", "Set the key file that contains AWS creds") do |f|
+     options[:key_file] = f
+    end
+    
+    parser.on("--port PORT", Integer, "Set the port of the smtp server") do |port|
+     options[:smtp_port] = port
+    end
+    
+    parser.on('-f', '--foreground', 'Run in forground') do
+     options[:daemon] = false
+    end
+    
+    parser.on('-v', '--verbose', 'Be more verbose') do
+     options[:verbose] = true
+    end
+    
+    parser.on('-h', '--help', 'Display help information') do
+     puts parser
+     exit!
+    end
+   end.parse!
+  end
+ end
+ 
+ def get_config
+  options &&= @@defaults.merge options
+  options ||= parse!
+ end
+ 
+ def run! options=nil
+  #options &&= @@defaults.merge options
+  #options ||= parse!
+  #@config = options
+  options = get_config
+  puts "Starting MailPot"
+  EventMachine.run do
+   rescue_port options[:smtp_port] do
+    EventMachine.start_server options[:smtp_ip], options[:smtp_port], Smtp
+    puts "==> smtp://#{options[:smtp_ip]}:#{options[:smtp_port]}"
+   end
+   
+   if options[:daemon]
+    EventMachine.next_tick do
+     puts "*** Mailpot now runs as a daemon by default"
+     Process.daemon
+    end
+   end
+  end
+ end
+
+ def quit!
+  EventMachine.next_tick {EventMachine.stop_event_loop}
+ end
+ 
+protected
+module_function
+ def rescue_port port
+  begin
+   yield
+  rescue RuntimeError
+   if $!.to_s =~ /\bno acceptor\b/
+    puts "~~> ERROR: Somethings using port #{port}. Are you already running MailPot"
+    exit -1
+   else
+    raise
+   end
+  end
+ end
+end

data/lib/mailpot/events.rb

@@ -0,0 +1,4 @@
+require 'eventmachine'
+module Mailpot::Events
+ MessageAdded = EventMachine::Channel.new
+end

data/lib/mailpot/mail.rb

@@ -0,0 +1,54 @@
+require 'eventmachine'
+require 'yaml'
+require 'base64'
+require 'socket'
+require 'zlib'
+require 'digest/md5'
+require 'aws'
+
+module Mailpot::Mail
+module_function
+
+ @initialized = false
+ # setup connections etc
+ def initialize
+  config = Mailpot.get_config
+  yml = YAML.load_file config[:key_file]
+  @bucket = yml['bucket']
+  @queue = yml['queue']
+  @s3 = AWS::S3.new(yml)
+  @sqs = AWS::SQS.new(yml)
+  @initialized = true
+ end
+ 
+ def add_message(message)
+  if !@initialized
+   initialize
+  end
+  msg = Hash.new
+  msg[:source] = message[:source]
+  msg[:sender] = message[:sender]
+  msg[:source_ip] = message[:ip]
+  msg[:recipients] = message[:recipients]
+  # worried about dedupe here and need to come up with a way at 1M messages 
+  # a day this could be a lot of storage
+  encoded_message = Base64.encode64(msg.to_json)
+  deflate_encoded_message = gzdeflate(encoded_message)
+  digest = Digest::MD5.hexdigest(deflate_encoded_message)
+  store_message(digest, deflate_encoded_message)
+ end
+ 
+ def store_message(key, value)
+  Thread.new {
+   mail = @s3.buckets[@bucket].objects[key]
+   mail.write(value)
+   q = @sqs.queues[@queue]
+   msg = q.send_message(key)
+  }
+ end
+ 
+ def gzdeflate(s)
+  Zlib::Deflate.new(nil, -Zlib::MAX_WBITS).deflate(s, Zlib::FINISH)
+ end
+ 
+end

data/lib/mailpot/smtp.rb

@@ -0,0 +1,57 @@
+require 'eventmachine'
+require 'socket'
+class Mailpot::Smtp < EventMachine::Protocols::SmtpServer
+ def current_message
+  @current_message ||= {}
+ end
+ 
+ def receive_reset
+  @current_message = nil
+  true
+ end
+ 
+ def get_server_greeting
+  "ESMTP Sendmail 8.12.9/8.12.9;"
+ end
+ 
+ def get_server_domain
+  Socket.gethostbyname(Socket.gethostname).first
+ end
+ 
+ def receive_sender(sender)
+  current_message[:sender] = sender
+ end
+ 
+ def receive_recipient(recipient)
+  current_message[:recipients] ||= []
+  current_message[:recipients] << recipient
+  true
+ end
+ 
+ def receive_data_chunk(lines)
+  current_message[:source] ||= ""
+  current_message[:source] += lines.join("\n")
+  true
+ end
+ 
+ def receive_message
+  port, ip = Socket.unpack_sockaddr_in(get_peername)
+  current_message[:ip] = ip
+  current_message[:port] = port
+  Mailpot::Mail.add_message current_message
+  puts "==> SMTP: Received message from '#{current_message[:sender]}' (#{current_message[:source].length} bytes)"
+  true
+ rescue
+  puts "*** Error receiving message: #{current_message.inspect}"
+  puts "    Exception: #{$!}"
+  puts "    Backtrace:"
+  $!.backtrace.each do |line|
+   puts "      #{line}"
+  end
+  puts "    Please submit this as an issue at https://github.com/mjezorek/Mailpot/issues"
+  false
+ ensure
+  @current_message = nil
+ end
+  
+end

metadata

@@ -0,0 +1,146 @@
+--- !ruby/object:Gem::Specification 
+name: mailpot
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Matt Jezorek
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-02-15 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: eventmachine
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 19
+        segments: 
+        - 0
+        - 12
+        version: "0.12"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: aws-sdk
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: rdoc
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
+description: "  MailPot is a simple SMTP server honeypot that will catch emails and store\n  them deduplicated in a database. This will extract links from emails and do \n  other analysis on it. Once probes can be identified they will be passed.\n"
+email: mjezorek@gmail.com
+executables: 
+- mailpot
+extensions: []
+
+extra_rdoc_files: 
+- README.md
+- LICENSE
+files: 
+- README.md
+- LICENSE
+- VERSION
+- bin/mailpot
+- lib/mailpot/events.rb
+- lib/mailpot/mail.rb
+- lib/mailpot/smtp.rb
+- lib/mailpot.rb
+homepage: http://mattjezorek.com/
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 57
+      segments: 
+      - 1
+      - 8
+      - 7
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: Runs an SMTP Server and catches emails, will pass probes when identified as a probe
+test_files: []
+