decoy.pl – a decoy mail server

I’ve written a decoy mail server in Perl. It is a fully RFC 2821-compliant mail server. Except it doesn’t do anything.

Well, it does something. Basically, this is a decoy to catch all the spammers who are intentionally talking to the wrong MX server first.

It works like this.

decoy.pl is attached to an inetd script.
spammer calls on port 25.
decoy.pl says 220 Hows it goin?
spammer says something
decoy.pl says 250 yeah sure whatever
repeat until spammer says “data” (i.e. the thing right before they send the message)
decoy.pl says 451 try again later.
spammer does some more stuff
decoy.pl says 250 yeah sure whatever
spammer gives up and says quit
decoy.pl says 221 don’t be a stranger and then hangs up.

There, completely RFC 2821 compliant, yet doesn’t do anything. Responding 451 to the “data” command means that this mail server will not accept this email message and the sender should try again later. When sendmail tries to send a message to a decoy mail server, it will time out in the typical sendmail style (after 5 days).
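The dialogue above as a minimal inetd-style handler in Python. This is an added illustration, not the author's decoy.pl; the function names are made up here, and only the reply texts come from the post.

```python
#!/usr/bin/env python3
"""Decoy SMTP dialogue for inetd (added sketch, not the original decoy.pl)."""
import sys

# Reply texts as given in the post (ASCII apostrophe used on the wire).
GREETING = "220 Hows it goin?"
OK = "250 yeah sure whatever"
DEFER = "451 try again later."
BYE = "221 don't be a stranger"


def reply_for(line):
    """Return (reply, hang_up) for one line sent by the client."""
    words = line.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb == "DATA":
        # 451 is a transient failure: a real MTA re-queues and retries later,
        # and no message body is ever accepted.
        return DEFER, False
    if verb == "QUIT":
        return BYE, True
    # Everything else (HELO, MAIL FROM, RCPT TO, junk) is acknowledged
    # without any action being taken.
    return OK, False


def session(lines):
    """Yield the decoy's replies for an iterable of client lines."""
    yield GREETING
    for line in lines:
        reply, hang_up = reply_for(line)
        yield reply
        if hang_up:
            return


def main():
    # inetd hands us the accepted socket as stdin/stdout.
    # Decode as latin-1 so arbitrary bytes from the client never raise.
    client = (raw.decode("latin-1") for raw in sys.stdin.buffer)
    for reply in session(client):
        sys.stdout.write(reply + "\r\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```
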

To use the decoy, set it up under inetd. Then advertise it via your DNS MX records. For example, the records for “example.com” would look like:

> dig mx example.com


example.com. 86400 IN MX 20 mx1.example.com.
example.com. 86400 IN MX 20 mx2.example.com.
example.com. 86400 IN MX 20 mx3.example.com.
example.com. 86400 IN MX 40 mx4.example.com.
example.com. 86400 IN MX 99 decoymx.example.com.


So, unless really bad circumstances are happening, you’ll never talk to “decoymx.example.com”. Even when bad circumstances are happening, a proper email server will just try back later.

On domains we’ve installed this, we’ve seen lots of spammers talk to our decoy. And I’m finding that after spammers chat with the decoy, they tend not to chat with my other mail servers.



Ancient Chinese Curse

Ack! I’ve been hit by that Ancient Chinese Curse: May you live in interesting times.[1]

Oh to live in boring…er…I mean…tranquil times…

Itzhak Perlman

We went to see Itzhak Perlman tonight at the Overture Hall. Words barely begin to describe what that man can do.


Oct 21!


…and we still have over a week to go in October yet…


Top Posting

Paraphrased from out on the Internets:

A: Yes.
>Q: Are you sure?
>>A: Because it breaks the flow of conversation.
>>>Q: Why is top posting bad?

Really, people. Take the time to put your responses at the bottom and delete out unnecessary included cruft leaving enough to get the context. It is a shame that Gmail top posts by default.