SMTP module

[SecuriLee]

I believe it would be extremely interesting to add SMTP on TCP/25 to this project.
The expectation is that certain objects could be collected via this method, namely emails (phishing) and binaries (malware). It would be great to be able to save the objects into different folders and (in my case) add to a folder-watching process that uploads the malware to VirusTotal via API.

Ideally the config would also allow for the retention of a volume (size or number of objects) so that my OC does not fill (but I could also do this from the command line).

Background: I have an OC sitting open on the Internet and this feature would be excellent for the research usage I'm putting it to.

[tonoitp]

I agree!
Or even better, a way go configure some services self.
I wanted to make a a few honeypots that looks natural, so one to look like a mailserver i'd like to open 25, 465, 993
A printserver with 80,443,9100, but also a tacacs/radius server.

And there are even more custom ports one likes to monitor

[jayjb]

Hey @SecuriLee,

Its a good thought (thanks for raising it). To be honest, initially I thought we did have it 🙈 😆 I've raised it internally and we are going to add it to the list of services to add. Thanks so much for raising folks.

Of course, if you want to add to this opensource project, I'd be happy to work with you on building this service and adding it.

[tonoitp]

Hi Jay, "I'd be happy to work with you on building this service and adding it." Well.... Though i'm not a programmer by profession, I do have some knowledge on programming.  I surely won't mind to help out. //Tonny

…

On 24/03/2023 19:05, Jay wrote: Hey @SecuriLee <https://github.com/SecuriLee>, Its a good thought (thanks for raising it). To be honest, initially I thought we did have it 🙈 😆 I've raised it internally and we are going to add it to the list of services to add. Thanks so much for raising folks. Of course, if you want to add to this opensource project, I'd be happy to work with you on building this service and adding it. — Reply to this email directly, view it on GitHub <#235 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJHMJJZJCHWEB6HSUOPTP33W5XO7BANCNFSM6AAAAAAVEAZGBU>. You are receiving this because you commented.Message ID: ***@***.***>

[SecuriLee]

Hey @SecuriLee,

Its a good thought (thanks for raising it). To be honest, initially I thought we did have it 🙈 😆 I've raised it internally and we are going to add it to the list of services to add. Thanks so much for raising folks.

Of course, if you want to add to this opensource project, I'd be happy to work with you on building this service and adding it.

Hi Jay, sorry but I am a CISO, former mail system guy and my last experience of coding was supporting an SMTP gateway being developed for Notes 2.1a on OS/2. I could help verify the functionality according to the SMTP protocol but not coding.

Tonny has some interesting input especially talking about TLS. Since TLS is the norm, bringing some ACME into play and working with Certbot and other ACME tooling would be useful to "appear" more modern.

I have two OpenCanaries facing the Internet and feeding Splunk with most ports and protocols open. It's brilliantly informative and a great indicator of how dirty the Internet is.

[jayjb]

Thanks folks! We still like the idea and will try make some time to get it done. We will certainly ping you both for input once it is ready

[SecuriLee]

This is great, it mght also be an idea to
a) support SMTP over TLS (ACME certs?)
b) have some logic to allow a relay based on a condition (#emails, "test") so that the honeypot remains "interesting"
c) have some logic to throttle relaying based on conditions (volume, size)
d) have some logic to hook into VirusTotal API for URL and file payloads