[Dshield] Identifying harvester

Hanke Penning hanke.penning at iap.de
Fri Dec 5 15:03:50 GMT 2003


Am 4 Dec 2003 schrieb Father Peter Darin zum Thema [Dshield] Re: SPAM email using my smtp server hos:

Hello out there!

> It should be fairly easy to spot the
> harvester, esp if you have the USER-AGENT field logged. 

It is not fairly easy to spot the harvester, as he is using normal USER-
AGENT fields and not "I'm the email harvester 1.0".

But you may identify him by some simple tricks:

1) If you use SSI you can include something in your pages like:
<!--#config timefmt="%d.%m.%Y-%H.%M.%S"-->
<A HREF="mailto:pagetrapper-<!--#echo var="DATE_GMT"-->-<!--#echo 
var="REMOTE_ADDR"-->@example.com"></A> 

The address must not be valif, you can identify it by scanning the MTA 
log...

2) If you use PHP:
<A HREF="mailto:pagetrapper-<?php Echo Date("d.m.Y-H.i.s",Time()); ?>-
<?php Echo GetEnv("REMOTE_ADDR"); ?>@example.com"></A>

Yours sincerly

Hanke Penning

IAP GmbH -- Moerkenstrasse 9 -- 22767 Hamburg 
Tel.: 040 / 306803-14 -- Fax: 040 / 306803-10
 http://www.iap.de --- E-Mail: info at iap.de




More information about the list mailing list