Open Relay Honeypot

[glpetre]

Hello!

A weak ago i deploied an open relay honeypot. The machine is running a qmail server that seems to be open, accept the messages but never delivers the messages to the destination. The problem is that in 1 weak i was scanned by about 200 ip's but just 3 tried to deliver test messages. My questions are:

1. How can i make spammers scan me(a kind of "advertising" )?

2. Why so many scanned me but so few really tried to send spam?

Thanks in advice!

P.S.: I know that today there are very few open relays, but 200 ip's that scaned me make me think that there are still a lot of spammers that search for an open relay.

[StevenUnderwood]

200 ip's that scaned me make me think that there are still a lot of spammers that search for an open relay.

39638[/snapback]

I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

Not every scan is a spammer looking for open relay. It might be virus infected machines scanning to try and infect something else, or lots of other reasons.

[Farelf]

1. How can i make spammers scan me(a kind of "advertising" )?

39638[/snapback]

Have you looked at this thread? http://forum.spamcop.net/forums/index.php?...findpost&p=8476

Maybe PM Hillscap for details (I can't reach the link he provided).

[glpetre]

Have you looked at this thread?  http://forum.spamcop.net/forums/index.php?...findpost&p=8476

Maybe PM Hillscap for details (I can't reach the link he provided).

39655[/snapback]

Yes, i read it, but from 2004 i think the spammer strategy had change, and also the jackpot honeypot website is not working.

On the other hand, i tried to connect to undernet on big channels, hoping to be scaned, but the results was disapointment.

I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

My machine was scanned on port 25 after 30 minutes.

[bgaarsoe]

Hello!

A weak ago i deploied an open relay honeypot. The machine is running a qmail server that seems to be open, accept the messages but never delivers the messages to the destination. The problem is that in 1 weak i was scanned by about 200 ip's but just 3 tried to deliver test messages. My questions are:

1. How can i make spammers scan me(a kind of "advertising" )?

2. Why so many scanned me but so few really tried to send spam?

Thanks in advice!

P.S.: I know that today there are very few open relays, but 200 ip's that scaned me make me think that there are still a lot of spammers that search for an open relay.

I set up an open relay honeypot several months ago, but I noticed early on that if the spammers' test e-mails do not go through, they will abandon your SMTP server in a hurry.

Fortunately, nearlly all of the spammers that have sent test e-mails on my honeypot have followed a similar pattern: Namely, they always seem to include my IP address on the subject line. Usually something like this: SM:198.77.121.31 (SM for sendmail, I presume). Since this is the typical pattern, I have modified my honeypot program to let these types of e-mails through, and since I did this, my honeypot has been running non-stop night and day. I have dumped litterally millions of e-mails, and some of the same spammers have been using my honeypot for weeks or even months.