[Dshield] strange honeypot captures

Buzz info at 4201.com
Wed Mar 17 17:11:57 GMT 2004


Wednesday, March 17, 2004, 5:44:07 AM, you wrote:

AS> For days now my honeypot has been capturing constantly stuff like the
AS> following:
AS> It's not to do with being on a dynamic IP because my honeypot was quiet
AS> until I checked my ports with a certain open proxy checker.
AS> I think the traffic is all coming through port 8080 HTTP proxy. Where's the
AS> mail body?

AS> Any thoughts?


AS> CONNECT 200.82.39.99:25 HTTP/1.0

AS> EHLO mail3.126.com
AS> mail from: <replaced at 126.com>
AS> rcpt to: <replaced at aol.com>
AS> rcpt to: <replaced at accex.net>
AS> rcpt to: <replaced at yahoo.com>
AS> rcpt to: <replaced at pager.icq.com>
AS> rcpt to: <replaced at pager.icq.com>
AS> ...50 more rcpt to lines


Was this after you tried the honeypot hunter program? Makes me wonder if it isn't some spammer version of an open proxy checker like ordb or something - maybe this has something to do with how they determine a box is a honeypot or not?
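
As an added example (not part of the original thread): a small Python summarizer for a proxy-honeypot capture like the one quoted above, reporting the CONNECT target, the SMTP verbs seen, and whether a DATA command (and therefore a mail body) ever arrived. The function name `summarize` and the sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted capture; mail addresses are placeholders.
SAMPLE = """\
CONNECT 200.82.39.99:25 HTTP/1.0

EHLO mail3.126.com
mail from: <sender@example.invalid>
rcpt to: <a@example.invalid>
rcpt to: <b@example.invalid>
rcpt to: <b@example.invalid>
"""

CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d+)\s+HTTP/\d\.\d$", re.I)
SMTP_RE = re.compile(r"^(EHLO|HELO|MAIL FROM|RCPT TO|DATA|QUIT)\b:?\s*(.*)$", re.I)

def summarize(capture):
    """Summarize one proxy session: tunnel target and the SMTP verbs sent through it."""
    out = {"target": None, "port": None, "helo": None, "verbs": Counter(),
           "recipients": [], "has_data": False, "smtp_relay_attempt": False}
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONNECT_RE.match(line)
        if m and out["target"] is None:
            out["target"], out["port"] = m.group(1), int(m.group(2))
            continue
        m = SMTP_RE.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2).strip()
        out["verbs"][verb] += 1
        if verb in ("EHLO", "HELO"):
            out["helo"] = arg
        elif verb == "RCPT TO":
            out["recipients"].append(arg.strip("<>").lower())
        elif verb == "DATA":
            out["has_data"] = True
            break  # everything after DATA is message body, not commands
    # A tunnel to port 25 that names recipients is an attempt to relay mail.
    out["smtp_relay_attempt"] = out["port"] == 25 and out["verbs"]["RCPT TO"] > 0
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
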