[Dshield] strange honeypot captures

Bill McCarty bmccarty at pt-net.net
Wed Mar 17 16:52:11 GMT 2004


Hi Andy,

I suspect that the spammer's intended text substitution has failed. 
Possibly this is the result of a typo. For instance, maybe "replaced" 
should read "%replaced%" and then be substituted by a fake email user ID 
before mailing.

Cheers,

--On Wednesday, March 17, 2004 10:44 AM +0000 Andy Streule 
<andy.streule at lythamhigh.lancs.sch.uk> wrote:

> for days now my honeypot has been capturing constantly stuff like the
> following:
> CONNECT 200.82.39.99:25 HTTP/1.0
>
> EHLO mail3.126.com
> mail from: <replaced at 126.com>
> rcpt to: <replaced at aol.com>
> rcpt to: <replaced at accex.net>
> rcpt to: <replaced at yahoo.com>
> rcpt to: <replaced at pager.icq.com>
> rcpt to: <replaced at pager.icq.com>


---------------------------------------------------
Bill McCarty
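
A triage sketch for captures like the one quoted above, added here as an example and not part of either post: it parses a proxy-honeypot session, flags a CONNECT tunnel to a mail port, and counts envelope addresses whose local part is still a template word. The function names, the mail-port list and the placeholder pattern are assumptions; the sample input is the capture as quoted in the thread.

```python
import re
from collections import Counter

# Sample input: the capture quoted in the thread (the archive renders "@" as " at ").
CAPTURE = """\
CONNECT 200.82.39.99:25 HTTP/1.0

EHLO mail3.126.com
mail from: <replaced at 126.com>
rcpt to: <replaced at aol.com>
rcpt to: <replaced at accex.net>
rcpt to: <replaced at yahoo.com>
rcpt to: <replaced at pager.icq.com>
rcpt to: <replaced at pager.icq.com>
"""

CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d+)\s+HTTP/\d\.\d$", re.I)
ADDR_RE = re.compile(r"^(mail from|rcpt to):\s*<([^>]*)>", re.I)
# Assumption: a bare template word or a %token% as local part means substitution failed.
PLACEHOLDER_RE = re.compile(r"^(%\w+%|replaced)$", re.I)

def split_addr(addr):
    """Return (local, domain), accepting '@' or the archive's ' at ' form."""
    local, _, domain = addr.replace(" at ", "@").partition("@")
    return local.strip(), domain.strip().lower()

def summarize(capture):
    report = {"target": None, "smtp_tunnel": False, "helo": None,
              "sender": None, "rcpts": [], "placeholders": 0}
    for line in map(str.strip, capture.splitlines()):
        conn, addr = CONNECT_RE.match(line), ADDR_RE.match(line)
        if conn:
            report["target"] = (conn.group(1), int(conn.group(2)))
            report["smtp_tunnel"] = int(conn.group(2)) in (25, 465, 587)
        elif line.upper().startswith(("EHLO ", "HELO ")):
            report["helo"] = line.split(None, 1)[1]
        elif addr:
            local, domain = split_addr(addr.group(2))
            report["placeholders"] += bool(PLACEHOLDER_RE.match(local))
            if addr.group(1).lower() == "mail from":
                report["sender"] = (local, domain)
            else:
                report["rcpts"].append((local, domain))
    report["duplicate_rcpts"] = [r for r, n in Counter(report["rcpts"]).items() if n > 1]
    return report

if __name__ == "__main__":
    print(summarize(CAPTURE))
```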



