Email is one of the biggest vectors for malware delivery and therefore a great source for threat intelligence. This article covers how to get started with a mail server and how to start collecting
I’m starting with a small EC2 instance hosted in AWS; it doesn’t need to do much except have disk and receive email. All services will be deployed via Docker to help maintain portability.
First step: add the DNS records so mail can actually get delivered to my server. I’m using Cloudflare’s free DNS solution, so I simply add an A record for imap.$MYDOMAIN and smtp.$MYDOMAIN, then add the MX record for the domain pointing to smtp.$MYDOMAIN.
SMTP and IMAP
For these I found an existing Docker container running Postfix for SMTP and Dovecot for IMAP. It sets up a domain and a default catch-all address, which is pretty much everything I’m interested in: https://github.com/antespi/docker-imap-devel. To get everything deployed I used the docker-compose file provided in the project.
The battle with port 25
After deploying the Docker container, I tried to connect to the server using Thunderbird: I went through the new account workflow and hit Test, and the connection failed. I made sure the creds were correct and tried again, still no luck. Next I verified that all ports were open; netstat showed port 25 and port 993 listening. After that it was time for netcat,
nc smtp.$MYDOMAIN 25
and got no banner and no log entry on the server. I tried again from the server itself,
nc smtp.$MYDOMAIN 25
220 2f099f4e1e56 ESMTP Postfix (Ubuntu)
immediately a banner pops up.
Now I’m met with the question of why I can’t reach port 25 when it’s open. I tried connecting from a different EC2 instance, and once again I’m greeted with a Postfix banner as soon as I connect. So the mystery is why I can’t hit port 25 from my home connection; after some Google searches it turns out Comcast blocks outbound port 25 for residential customers.
With this mystery solved, setup is complete.
Getting the emails
With SMTP and IMAP accessible as needed, I wrote a simple Python script to connect over IMAP and download every email in the catch-all mailbox.
import imaplib

M = imaplib.IMAP4_SSL("imap.MYDOMAIN")
M.login("USERNAME", "PASSWORD")  # catch-all account credentials (placeholders)
M.select("INBOX")                # a mailbox must be selected before search/fetch
typ, data = M.search(None, 'ALL')
for num in data[0].split():      # search returns one space-separated byte string of ids
    typ, data = M.fetch(num, '(RFC822)')
    print('Message %s\n%s\n\n\n' % (num, data[0][1]))  # data[0][1] is the raw RFC822 message
M.logout()
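Once the raw RFC822 bytes are on disk, the threat-intel value is in what they contain: who sent it, which hop handed it to Postfix, which URLs are in the body, and the hash of every attachment. The following is an added example, not code from the original post, that parses one raw message with the standard library and produces a summary suitable for logging or feeding into a sandbox queue. The sample message is constructed, MYDOMAIN is a placeholder, and the function extract_iocs is this example's own name.

```python
"""Added example (not from the original post): summarize one raw RFC822
message for threat-intel collection. Uses only the standard library."""
import email
import hashlib
import json
import re
from email import policy

# Matches http(s) URLs up to the next whitespace or angle bracket/quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: one text part plus one base64 attachment. Not a real email.
SAMPLE_RFC822 = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby smtp.MYDOMAIN (Postfix) with ESMTP id CONSTRUCTED01
From: Accounts <billing@example.net>
To: catchall@MYDOMAIN
Subject: Invoice 4471 overdue
Date: Mon, 01 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice or view it at http://example.net/invoice/4471
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def extract_iocs(raw: bytes) -> dict:
    """Parse raw RFC822 bytes and return sender, subject, Received chain,
    body URLs and per-attachment SHA-256 hashes as a JSON-friendly dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    summary = {
        "sha256": hashlib.sha256(raw).hexdigest(),  # hash of the whole message, for dedup
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        # Every Received header, first is the one our Postfix added
        "received": [str(h) for h in msg.get_all("Received", [])],
        "urls": [],
        "attachments": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment":
            summary["attachments"].append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            # Decode with the declared charset; replace undecodable bytes
            # rather than dropping the whole message on a bad header.
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            summary["urls"].extend(URL_RE.findall(text))
    return summary


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_RFC822), indent=2))
```

The same function drops straight into the IMAP loop above in place of the print: call it on data[0][1] for each fetched message and write the dict out as one JSON line per email. Hashing the attachment payload after transfer-decoding, rather than the base64 text, is what lets the hash be compared against sandbox or vendor results later.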
Next up in Part II
Stay tuned for the next post where I try to actually get some malware and phishing emails!