glpetre

Open Relay Honeypot


Hello!

A week ago I deployed an open relay honeypot. The machine is running a qmail server that seems to be open, accepts the messages but never delivers the messages to the destination. The problem is that in 1 week I was scanned by about 200 IPs but just 3 tried to deliver test messages. My questions are:

1. How can I make spammers scan me (a kind of "advertising")?

2. Why did so many scan me but so few really try to send spam?

Thanks in advance!

P.S.: I know that today there are very few open relays, but 200 IPs that scanned me make me think that there are still a lot of spammers that search for an open relay.

> 200 IPs that scanned me make me think that there are still a lot of spammers that search for an open relay.

I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

Not every scan is a spammer looking for open relay. It might be virus infected machines scanning to try and infect something else, or lots of other reasons.

> Have you looked at this thread? http://forum.spamcop.net/forums/index.php?...findpost&p=8476
>
> Maybe PM Hillscap for details (I can't reach the link he provided).

Yes, I read it, but since 2004 I think the spammers' strategy has changed, and also the Jackpot honeypot website is not working.

On the other hand, I tried to connect to Undernet on big channels, hoping to be scanned, but the results were disappointing.

> I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

My machine was scanned on port 25 after 30 minutes.


> Hello!
>
> A week ago I deployed an open relay honeypot. The machine is running a qmail server that seems to be open, accepts the messages but never delivers the messages to the destination. The problem is that in 1 week I was scanned by about 200 IPs but just 3 tried to deliver test messages. My questions are:
>
> 1. How can I make spammers scan me (a kind of "advertising")?
>
> 2. Why did so many scan me but so few really try to send spam?
>
> Thanks in advance!
>
> P.S.: I know that today there are very few open relays, but 200 IPs that scanned me make me think that there are still a lot of spammers that search for an open relay.

I set up an open relay honeypot several months ago, but I noticed early on that if the spammers' test e-mails do not go through, they will abandon your SMTP server in a hurry.

Fortunately, nearly all of the spammers that have sent test e-mails on my honeypot have followed a similar pattern: namely, they always seem to include my IP address on the subject line. Usually something like this: SM:198.77.121.31 (SM for sendmail, I presume). Since this is the typical pattern, I have modified my honeypot program to let these types of e-mails through, and since I did this, my honeypot has been running non-stop night and day. I have dumped literally millions of e-mails, and some of the same spammers have been using my honeypot for weeks or even months.
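
The filtering rule described in the post above, sketched as an added example that is not part of the original post and is not the poster's honeypot program: a message is let through only when its subject names the honeypot's own IP address, and everything else is accepted and dumped. The function names, the placeholder address `198.51.100.25`, the sample messages and the one-recipient cap (`MAX_TEST_RCPTS`) are assumptions; the post does not mention a recipient limit.

```python
import ipaddress
import re
from email import message_from_string
from email.header import decode_header, make_header

HONEYPOT_IP = "198.51.100.25"   # constructed placeholder (documentation range)
MAX_TEST_RCPTS = 1              # assumption: a relay test targets one mailbox

# Dotted quad that is not embedded in a longer number or address.
QUAD = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)(?!\.\d)")

def subject_names_ip(subject, ip):
    """True if the subject contains exactly `ip` as a whole IPv4 address."""
    want = ipaddress.ip_address(ip)
    for cand in QUAD.findall(subject):
        try:
            if ipaddress.ip_address(cand) == want:
                return True
        except ValueError:      # e.g. 999.1.1.1 or octets with leading zeros
            continue
    return False

def classify(raw_message, rcpt_count, honeypot_ip=HONEYPOT_IP):
    """Return 'deliver' for a relay test probe, 'discard' for everything else."""
    raw_subject = message_from_string(raw_message).get("Subject", "")
    try:                        # subjects may be RFC 2047 encoded
        subject = str(make_header(decode_header(raw_subject)))
    except Exception:
        subject = str(raw_subject)
    if rcpt_count <= MAX_TEST_RCPTS and subject_names_ip(subject, honeypot_ip):
        return "deliver"
    return "discard"            # accepted over SMTP, logged, never relayed

# Constructed sample traffic: (raw message, number of RCPT TO addresses).
SAMPLES = [
    ("Subject: SM:198.51.100.25\r\n\r\ntest\r\n", 1),      # relay test probe
    ("Subject: Cheap watches\r\n\r\nbuy now\r\n", 50),     # bulk run
    ("Subject: SM:198.51.100.250\r\n\r\ntest\r\n", 1),     # near miss, other host
    ("Subject: SM:198.51.100.25\r\n\r\nbuy now\r\n", 200), # bulk reusing the tag
]

def triage(samples=SAMPLES):
    return [classify(raw, n) for raw, n in samples]

if __name__ == "__main__":
    for (raw, n), verdict in zip(SAMPLES, triage()):
        print(verdict, n, raw.splitlines()[0])
```

The recipient cap keeps a bulk run that happens to carry the IP tag from being relayed; only the single-recipient probe leaves the machine.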
