Full Version: Open Relay Honeypot
glpetre
Hello!
A week ago I deployed an open relay honeypot. The machine is running a qmail server that seems to be open: it accepts the messages but never delivers them to the destination. The problem is that in 1 week I was scanned by about 200 IPs but just 3 tried to deliver test messages. My questions are:

1. How can I make spammers scan me (a kind of "advertising")?
2. Why did so many scan me but so few really try to send spam?

Thanks in advance!

P.S.: I know that today there are very few open relays, but the 200 IPs that scanned me make me think that there are still a lot of spammers searching for an open relay.
StevenUnderwood
QUOTE(glpetre @ Jan 24 2006, 11:17 AM)
200 IPs that scanned me make me think that there are still a lot of spammers searching for an open relay.

I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

Not every scan is a spammer looking for open relay. It might be virus infected machines scanning to try and infect something else, or lots of other reasons.
Farelf
QUOTE(glpetre @ Jan 25 2006, 12:17 AM)
1. How can I make spammers scan me (a kind of "advertising")?

Have you looked at this thread? http://forum.spamcop.net/forums/index.php?...findpost&p=8476
Maybe PM Hillscap for details (I can't reach the link he provided).
glpetre
QUOTE(Farelf @ Jan 25 2006, 02:09 AM)
Have you looked at this thread? http://forum.spamcop.net/forums/index.php?...findpost&p=8476
Maybe PM Hillscap for details (I can't reach the link he provided).

Yes, I read it, but since 2004 I think the spammer strategy has changed, and also the jackpot honeypot website is not working.
On the other hand, I tried to connect to Undernet on big channels, hoping to be scanned, but the results were disappointing.

QUOTE(StevenUnderwood)
I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

My machine was scanned on port 25 after 30 minutes.
bgaarsoe
QUOTE(glpetre @ Jan 24 2006, 11:17 AM)

Hello!
A week ago I deployed an open relay honeypot. The machine is running a qmail server that seems to be open: it accepts the messages but never delivers them to the destination. The problem is that in 1 week I was scanned by about 200 IPs but just 3 tried to deliver test messages. My questions are:

1. How can I make spammers scan me (a kind of "advertising")?
2. Why did so many scan me but so few really try to send spam?

Thanks in advance!
P.S.: I know that today there are very few open relays, but the 200 IPs that scanned me make me think that there are still a lot of spammers searching for an open relay.


I set up an open relay honeypot several months ago, but I noticed early on that if the spammers' test e-mails do not go through, they will abandon your SMTP server in a hurry.

Fortunately, nearly all of the spammers that have sent test e-mails on my honeypot have followed a similar pattern: namely, they always seem to include my IP address on the subject line. Usually something like this: SM:198.77.121.31 (SM for sendmail, I presume). Since this is the typical pattern, I have modified my honeypot program to let these types of e-mails through, and since I did this, my honeypot has been running non-stop night and day. I have dumped literally millions of e-mails, and some of the same spammers have been using my honeypot for weeks or even months.
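
The subject-line check described in the last post, as an added example that is not part of the original thread and is not bgaarsoe's honeypot program: it decides whether a captured message is a relay-test probe (the honeypot's own IP address in the Subject) to let through, or bulk mail to discard. The address 192.0.2.25, the function names and the sample messages are constructed assumptions.

```python
import email
import re
from email.header import decode_header, make_header

HONEYPOT_IP = "192.0.2.25"  # constructed placeholder (documentation range)

def ip_pattern(ip):
    # Match the dotted quad only when it stands alone, so 192.0.2.251
    # or 10.192.0.2.25 do not count as a hit for 192.0.2.25.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)")

def subject_of(raw_bytes):
    # Parse the captured message and decode RFC 2047 encoded words,
    # since a probe may not send its Subject as plain ASCII.
    raw = email.message_from_bytes(raw_bytes).get("Subject", "")
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeError, LookupError):
        return str(raw)

def classify(raw_bytes, honeypot_ip=HONEYPOT_IP):
    """'deliver' for a relay-test probe naming our IP, otherwise 'sink'."""
    hit = ip_pattern(honeypot_ip).search(subject_of(raw_bytes))
    return "deliver" if hit else "sink"

# Constructed sample messages, not captured traffic.
SAMPLES = [
    b"From: a@example.org\r\nTo: b@example.net\r\nSubject: SM:192.0.2.25\r\n\r\ntest\r\n",
    b"From: a@example.org\r\nTo: b@example.net\r\nSubject: =?utf-8?q?SM=3A192.0.2.25?=\r\n\r\ntest\r\n",
    b"From: a@example.org\r\nTo: b@example.net\r\nSubject: SM:192.0.2.251\r\n\r\ntest\r\n",
    b"From: a@example.org\r\nTo: c@example.com\r\nSubject: Great offer\r\n\r\nbuy now\r\n",
    b"From: a@example.org\r\nTo: c@example.com\r\n\r\nno subject header\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw), "<-", repr(subject_of(raw)))
```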