Open Relay Honeypot


glpetre

Hello!

A week ago I deployed an open relay honeypot. The machine is running a qmail server that seems to be open, accepts the messages but never delivers the messages to the destination. The problem is that in 1 week I was scanned by about 200 IPs but just 3 tried to deliver test messages. My questions are:

1. How can I make spammers scan me (a kind of "advertising")?

2. Why did so many scan me but so few really try to send spam?

Thanks in advance!

P.S.: I know that today there are very few open relays, but the 200 IPs that scanned me make me think that there are still a lot of spammers that search for an open relay.


200 IPs that scanned me make me think that there are still a lot of spammers that search for an open relay.

I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

Not every scan is a spammer looking for an open relay. It might be virus-infected machines scanning to try and infect something else, or lots of other reasons.


Have you looked at this thread?  http://forum.spamcop.net/forums/index.php?...findpost&p=8476

Maybe PM Hillscap for details (I can't reach the link he provided).

Yes, I read it, but since 2004 I think the spammer strategy has changed, and also the jackpot honeypot website is not working.

On the other hand, I tried to connect to Undernet on big channels, hoping to be scanned, but the result was a disappointment.

I turned on a new public IP for an internal firewall last week and it was scanned within 5 minutes of being configured. This IP (or any of them) does not even respond to a ping.

My machine was scanned on port 25 after 30 minutes.


  • 1 year later...

Hello!

A week ago I deployed an open relay honeypot. The machine is running a qmail server that seems to be open, accepts the messages but never delivers the messages to the destination. The problem is that in 1 week I was scanned by about 200 IPs but just 3 tried to deliver test messages. My questions are:

1. How can I make spammers scan me (a kind of "advertising")?

2. Why did so many scan me but so few really try to send spam?

Thanks in advance!

P.S.: I know that today there are very few open relays, but the 200 IPs that scanned me make me think that there are still a lot of spammers that search for an open relay.

I set up an open relay honeypot several months ago, but I noticed early on that if the spammers' test e-mails do not go through, they will abandon your SMTP server in a hurry.

Fortunately, nearly all of the spammers that have sent test e-mails on my honeypot have followed a similar pattern: Namely, they always seem to include my IP address on the subject line. Usually something like this: SM:198.77.121.31 (SM for sendmail, I presume). Since this is the typical pattern, I have modified my honeypot program to let these types of e-mails through, and since I did this, my honeypot has been running non-stop night and day. I have dumped literally millions of e-mails, and some of the same spammers have been using my honeypot for weeks or even months.

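The subject-line check described in the post above, sketched as an added example; it is not part of the original thread and is not the poster's honeypot program. The honeypot address, the per-client budget, the size limit, the single-recipient rule and all function names are assumptions chosen here so that only small relay-test probes are released and everything else is sunk.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string, policy

HONEYPOT_IPS = {ipaddress.ip_address("192.0.2.10")}  # constructed (TEST-NET-1)
MAX_PROBES_PER_CLIENT = 3   # assumption: release budget per connecting client
MAX_PROBE_BYTES = 4096      # assumption: relay tests are tiny, bulk mail is not

_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
_released = Counter()       # probes released so far, keyed by client IP


def subject_names_honeypot(subject):
    """True if a dotted quad in the Subject equals one of our own addresses."""
    for token in _IPV4.findall(subject or ""):
        try:
            if ipaddress.ip_address(token) in HONEYPOT_IPS:
                return True
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
    return False


def decide(client_ip, rcpts, raw_message):
    """Return 'release' for a relay-test probe and 'sink' for everything else."""
    # policy.default unfolds the header and decodes RFC 2047 encoded words.
    msg = message_from_string(raw_message, policy=policy.default)
    is_probe = (
        len(rcpts) == 1
        and len(raw_message) <= MAX_PROBE_BYTES
        and subject_names_honeypot(str(msg["Subject"] or ""))
    )
    if is_probe and _released[client_ip] < MAX_PROBES_PER_CLIENT:
        _released[client_ip] += 1
        return "release"
    return "sink"           # accepted over SMTP, logged, never delivered


# Constructed sample messages (not captured traffic).
PROBE = "From: a@example.org\nTo: b@example.net\nSubject: SM:192.0.2.10\n\ntest\n"
SPAM = "From: a@example.org\nTo: c@example.net\nSubject: Cheap watches\n\nbuy\n"

if __name__ == "__main__":
    print(decide("203.0.113.5", ["b@example.net"], PROBE))  # release
    print(decide("203.0.113.5", ["c@example.net"], SPAM))   # sink
```

The per-client budget keeps the honeypot from forwarding real mail for a sender who simply copies the probe subject onto bulk messages.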
