[Dshield] strange honeypot captures

Andy Streule andy.streule at lythamhigh.lancs.sch.uk
Wed Mar 17 10:44:07 GMT 2004


for days now my honeypot has been capturing constantly stuff like the
following:
it's not to do with being on a dynamic ip because my honeypot was quiet
until i checked my ports with a certain open proxy checker.
I think the traffic is all coming thru port 8080 http proxy. where's the
mail body?

any thoughts?


CONNECT 200.82.39.99:25 HTTP/1.0

EHLO mail3.126.com
mail from: <replaced at 126.com>
rcpt to: <replaced at aol.com>
rcpt to: <replaced at accex.net>
rcpt to: <replaced at yahoo.com>
rcpt to: <replaced at pager.icq.com>
rcpt to: <replaced at pager.icq.com>
...50 more rcpt to lines


***************************************************************************
This e-mail is confidential and privileged.  If you are not the intended
recipient do not disclose, copy or distribute information in this e-mail
or take any action in reliance on its content.
***************************************************************************

***************************************************************************
This email has been checked for known viruses. 
***************************************************************************




More information about the list mailing list