glpetre Posted January 24, 2006 Share Posted January 24, 2006 Hello! A weak ago i deploied an open relay honeypot. The machine is running a qmail server that seems to be open, accept the messages but never delivers the messages to the destination. The problem is that in 1 weak i was scanned by about 200 ip's but just 3 tried to deliver test messages. My questions are: 1. How can i make spammers scan me(a kind of "advertising" )? 2. Why so many scanned me but so few really tried to send spam? Thanks in advice! P.S.: I know that today there are very few open relays, but 200 ip's that scaned me make me think that there are still a lot of spammers that search for an open relay. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted January 24, 2006 Share Posted January 24, 2006 200 ip's that scaned me make me think that there are still a lot of spammers that search for an open relay. 39638[/snapback] I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping. Not every scan is a spammer looking for open relay. It might be virus infected machines scanning to try and infect something else, or lots of other reasons. Link to comment Share on other sites More sharing options...
Farelf Posted January 25, 2006 Share Posted January 25, 2006 1. How can i make spammers scan me(a kind of "advertising" )?39638[/snapback] Have you looked at this thread? http://forum.spamcop.net/forums/index.php?...findpost&p=8476 Maybe PM Hillscap for details (I can't reach the link he provided). Link to comment Share on other sites More sharing options...
glpetre Posted January 25, 2006 Author Share Posted January 25, 2006 Have you looked at this thread? http://forum.spamcop.net/forums/index.php?...findpost&p=8476 Maybe PM Hillscap for details (I can't reach the link he provided). 39655[/snapback] Yes, i read it, but from 2004 i think the spammer strategy had change, and also the jackpot honeypot website is not working. On the other hand, i tried to connect to undernet on big channels, hoping to be scaned, but the results was disapointment. I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping. My machine was scanned on port 25 after 30 minutes. Link to comment Share on other sites More sharing options...
bgaarsoe Posted February 9, 2007 Share Posted February 9, 2007 Hello! A weak ago i deploied an open relay honeypot. The machine is running a qmail server that seems to be open, accept the messages but never delivers the messages to the destination. The problem is that in 1 weak i was scanned by about 200 ip's but just 3 tried to deliver test messages. My questions are: 1. How can i make spammers scan me(a kind of "advertising" )? 2. Why so many scanned me but so few really tried to send spam? Thanks in advice! P.S.: I know that today there are very few open relays, but 200 ip's that scaned me make me think that there are still a lot of spammers that search for an open relay. I set up an open relay honeypot several months ago, but I noticed early on that if the spammers' test e-mails do not go through, they will abandon your SMTP server in a hurry. Fortunately, nearlly all of the spammers that have sent test e-mails on my honeypot have followed a similar pattern: Namely, they always seem to include my IP address on the subject line. Usually something like this: SM:198.77.121.31 (SM for sendmail, I presume). Since this is the typical pattern, I have modified my honeypot program to let these types of e-mails through, and since I did this, my honeypot has been running non-stop night and day. I have dumped litterally millions of e-mails, and some of the same spammers have been using my honeypot for weeks or even months. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.