Amazon Web Services SES Spam Honeypot
When AWS released Lambda, the 'serverless' movement began. It’s not well known that receiving emails with Amazon Simple Email Service (Amazon SES) can also trigger AWS Lambda functions. This actually opens up a world of possibilities around email security.
For our first example of a Lambda SES email rule, we show how to create a simple spam honeypot that saves malicious emails to Amazon Simple Storage Service (S3).
Before you can actually write the rule, you need to prepare your environment by completing the following steps:
- Setup SES to receive emails
- Figure out where you want to store the malicious emails
- Create the Lambda filter that will decide whether or not the email should be saved.
Setup SES to receive emails
If you don't already use SES to receive emails, you will first need to point the MX record for one of your domains to SES (be sure to double-check the region). Amazon has a tutorial you can follow.
Create or Designate an S3 Bucket
First, you will need to create or designate an S3 bucket and key prefix (namespace) that will store your spam emails. In our example, our S3 bucket is "yourbucket" and the prefix is "spam_emails/". Once our ruleset is deployed, all our spam messages will be stored under this prefix in that bucket.
Create the AWS Lambda function
This is the function that will collect your spam messages. SES performs the virus and spam scanning itself and attaches the verdicts to the receipt it hands to the function; our Lambda function only needs to read those verdicts and control the rule flow.
- Create a new function
  - Name: spam_trap
  - Runtime: Python 3.6
  - Role: "Create a new role from templates"
  - RoleName: email_spam_lambda
  - RoleTemplates: "Basic Edge Lambda permissions"
- Configure your function
  - Set your handler to: "lambda_function.spam_trap_filter"
  - Copy and paste the code from the following gist to your Lambda function.
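The gist referenced above is not reproduced on this page, so here is an added example of what the filter has to do (our own illustration, not the post's gist): read the spam and virus verdicts SES attaches to the receipt and return a disposition that either lets the rule's remaining actions run (CONTINUE, for malicious mail) or skips them (STOP_RULE, for clean mail). The handler name matches the one configured above; the sample event is constructed for local testing, and treating GRAY and PROCESSING_FAILED as clean is our design choice so the trap never swallows legitimate mail.

```python
# Added example (not the gist the post links to): Lambda filter for the SES
# receipt rule. Handler: lambda_function.spam_trap_filter. Python 3.6+, stdlib only.
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# SES sets each verdict status to PASS, FAIL, GRAY or PROCESSING_FAILED.
# Only a hard FAIL counts as malicious here; GRAY and PROCESSING_FAILED are
# deliberately treated as clean so the trap never swallows legitimate mail.
VERDICT_KEYS = ("spamVerdict", "virusVerdict")
MALICIOUS_STATUSES = {"FAIL"}


def verdicts(receipt):
    """Return {verdict_name: status} for the spam and virus verdicts."""
    return {key: receipt.get(key, {}).get("status") for key in VERDICT_KEYS}


def is_malicious(receipt):
    """True if SES flagged the message as spam or as carrying a virus."""
    return any(status in MALICIOUS_STATUSES for status in verdicts(receipt).values())


def spam_trap_filter(event, context=None):
    """Synchronous (RequestResponse) SES receipt-rule action.

    Returning {'disposition': 'CONTINUE'} lets the rule's remaining actions run
    (store in S3, then stop the rule set). Returning {'disposition': 'STOP_RULE'}
    skips the rest of this rule so SES evaluates the next rule and clean mail is
    delivered normally instead of landing in the honeypot bucket.
    """
    for record in event.get("Records", []):
        ses = record.get("ses", {})
        receipt = ses.get("receipt", {})
        mail = ses.get("mail", {})
        decision = "CONTINUE" if is_malicious(receipt) else "STOP_RULE"
        # One structured log line per message: enough to audit why it was trapped.
        logger.info(json.dumps({
            "messageId": mail.get("messageId"),
            "source": mail.get("source"),
            "verdicts": verdicts(receipt),
            "disposition": decision,
        }))
        if decision == "CONTINUE":
            return {"disposition": "CONTINUE"}
    return {"disposition": "STOP_RULE"}


def make_event(spam="PASS", virus="PASS", message_id="constructed-message-id"):
    """Build a minimal SES Lambda event (constructed sample, not real SES data)."""
    return {"Records": [{"eventSource": "aws:ses", "ses": {
        "mail": {"messageId": message_id, "source": "sender@example.com"},
        "receipt": {"spamVerdict": {"status": spam},
                    "virusVerdict": {"status": virus}},
    }}]}


if __name__ == "__main__":
    print(spam_trap_filter(make_event(spam="FAIL")))   # {'disposition': 'CONTINUE'}
    print(spam_trap_filter(make_event()))              # {'disposition': 'STOP_RULE'}
```

The function must be invoked with the RequestResponse invocation type; with the asynchronous Event type SES ignores the return value and every message would fall through to the S3 and stop actions.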
Create/Edit Your SES Ruleset
The SES Ruleset is what actually runs when you receive emails. If you don’t have an active ruleset, you will need to create a ruleset.
A ruleset is a group of rules you can create that perform specific actions. In our example, we have one rule with 3 actions.
Create a new rule and name it "spam_trap" and make sure spam and virus scanning is enabled.
For this rule, create three actions:
- Call the Lambda function created earlier ("email_spam_trap") and make sure "RequestResponse" is selected. If the email is spam, the Lambda function lets it continue to the next action; if it is not spam, the function stops this rule and SES continues with the rest of the rules.
- Store the email in the S3 bucket designated in step 2.
- Stop the ruleset. This means malicious emails go no further than the bucket: they are not delivered anywhere else.
Save the rule and make its ruleset your active ruleset. Now send yourself a malicious file and you should see the message appear in S3.
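The same rule expressed through the SES API, as an added example that is not part of the post (boto3's `create_receipt_rule_set`, `create_receipt_rule` and `set_active_receipt_rule_set` calls; the rule-set name, recipient domain and Lambda ARN are placeholders, while the bucket and prefix are the ones used in this post). The `validate_rule` helper encodes the two things that silently break this design: scanning turned off (no verdicts) and the actions in the wrong order.

```python
# Added example (not the post's own code): the "spam_trap" receipt rule from
# this section as an SES API definition, plus a small sanity check.
import json

RULE_SET_NAME = "spam_trap_ruleset"      # placeholder
BUCKET = "yourbucket"                    # from the post
PREFIX = "spam_emails/"                  # from the post
LAMBDA_ARN = "arn:aws:lambda:REGION:ACCOUNT_ID:function:spam_trap"  # placeholder
RECIPIENT_DOMAIN = "example.com"         # placeholder


def build_spam_trap_rule(lambda_arn=LAMBDA_ARN, bucket=BUCKET, prefix=PREFIX,
                         recipient_domain=RECIPIENT_DOMAIN):
    """Return the receipt-rule definition with the three actions in order."""
    return {
        "Name": "spam_trap",
        "Enabled": True,
        "ScanEnabled": True,             # spam/virus verdicts require this
        "TlsPolicy": "Optional",
        "Recipients": [recipient_domain],
        "Actions": [
            # 1. synchronous Lambda filter; its disposition gates actions 2 and 3
            {"LambdaAction": {"FunctionArn": lambda_arn,
                              "InvocationType": "RequestResponse"}},
            # 2. keep the raw message (only reached when the filter returns CONTINUE)
            {"S3Action": {"BucketName": bucket, "ObjectKeyPrefix": prefix}},
            # 3. stop the whole rule set so trapped mail is not delivered elsewhere
            {"StopAction": {"Scope": "RuleSet"}},
        ],
    }


def validate_rule(rule):
    """Return a list of problems that would make the honeypot misbehave."""
    action_names = [next(iter(action)) for action in rule["Actions"]]
    problems = []
    if not rule.get("ScanEnabled"):
        problems.append("ScanEnabled is False: spamVerdict/virusVerdict will not be set")
    if (action_names[:1] != ["LambdaAction"]
            or rule["Actions"][0]["LambdaAction"].get("InvocationType") != "RequestResponse"):
        problems.append("first action must be a RequestResponse LambdaAction")
    if action_names[-1:] != ["StopAction"]:
        problems.append("rule must end with StopAction so trapped mail is not delivered")
    return problems


def apply_rule(ses_client, rule, rule_set_name=RULE_SET_NAME, activate=True):
    """Create the rule set and rule, then optionally make the set active.

    ses_client is a boto3 SES client (boto3.client("ses", region_name=...)),
    created by the caller so this module stays importable offline.
    """
    ses_client.create_receipt_rule_set(RuleSetName=rule_set_name)
    ses_client.create_receipt_rule(RuleSetName=rule_set_name, Rule=rule)
    if activate:
        ses_client.set_active_receipt_rule_set(RuleSetName=rule_set_name)


if __name__ == "__main__":
    rule = build_spam_trap_rule()
    print(json.dumps(rule, indent=2))
    print("problems:", validate_rule(rule))
```

When the rule is created through the API rather than the console, the Lambda function also needs a resource policy that allows the ses.amazonaws.com principal to invoke it; the console adds that permission for you, the API does not.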
We plan on having more examples in the coming months so stay tuned.
Find Out How We Help Secure Your Perimeter
Augur, the industry’s only PDR platform, raises the bar by predicting attacks, attributing attacks, and adjusting your security posture to block threats before they get to your network. But you don’t have to take our word for it.
Take the Augur Challenge:
Step 1: We’ll collect, aggregate, and correlate your logs
Step 2: Within 72 hours, we will send you:
- A list of compromised hosts in your network
- A list of threat actors targeting your organization
- A checklist of IP ranges associated with these threat actors for you to block
Step 3: After 30 days, we’ll send you a full breakdown of how our predictions stacked up
Seeing is believing. After taking our challenge, we’re convinced that you’ll want to put the power of Augur’s predictive threat intelligence to work full time.