[Dshield] strange honeypot captures

Andy Streule andy.streule at lythamhigh.lancs.sch.uk
Fri Mar 19 09:39:42 GMT 2004


I'll stop trying to protect stuff and just paste it in as is. No chance of
confusion then.
I've hidden my own IP. The sent stuff doesn't send the bits between the
'================'

You see....no email body ???

>replaced
Er, no. That's what I altered so I wasn't listing potentially real email
addresses.
In retrospect I should have mentioned this.

>Was this after you tried the honeypot hunter
>program?  Makes me wonder if it isn't some spammer version of an open proxy
>checker like ordb or something - maybe this has something to do with how they
>determine a box is a honeypot or not?
No, I tried that on my work machine. My honeypot is at home.
It could be some sort of honeypot checking, but you'd think they'd have given
up after a few hours.



sensorid=KFSensor 
id=31910
type=Connection 
desc=Redirected to internal SMTP emulation 
action=SimStdServer 
name=HTTP Proxy
simname=HTTP Proxy 
protocol=TCP 
<start>2004-03-17 00:01:03:031</start>
<end>2004-03-17 00:01:37:731</end>
<client domain="" ip="61.172.244.208" port="28065"/>
<host ip="xx.xxx.xx.xxx" bindip="" port="8080" />
<connection closedby="Server" />
<recBytes>3207</recBytes>
  <received size="3207" coding="kf">
    <![CDATA[CONNECT 209.15.20.112:25 HTTP/1.0

EHLO xx.xxx.xx.xxx:8080
mail from: <feandvu at hghhyy.com>
rcpt to: <chucksimp at hotmail.com>
rcpt to: <mwilson at soltec.net>
rcpt to: <wicho11 at hotmail.com>
rcpt to: <misbhvngrl at aol.com>
rcpt to: <helmore at minyos.its.rmit.edu.au>
rcpt to: <a1joshman at aol.com>
rcpt to: <piper625 at aol.com>
rcpt to: <bracher at capeinfo.net>
rcpt to: <asaing at hotmail.com>
rcpt to: <spook777 at hotmail.com>
rcpt to: <cartma9454 at aol.com>
rcpt to: <sdicer at hotmail.com>
rcpt to: <31144622 at pager.icq.com>
rcpt to: <mschumacher at hotmail.com>
rcpt to: <raelme at hotmail.com>
rcpt to: <danalj at yahoo.co.uk>
rcpt to: <jdsmith at loa.com>
rcpt to: <gsimm at att.net>
rcpt to: <heinzs2 at netscape.net>
rcpt to: <sc777raver at aol.com>
rcpt to: <matt at acsworld.net>
rcpt to: <mrgator at peoplepc.com>
rcpt to: <seeker at quidditas.com>
rcpt to: <info at gerberlife.com>
rcpt to: <jacky_snow at netscape.net>
rcpt to: <debbies at edpro.com>
rcpt to: <jmstreeter at hotmail.com>
rcpt to: <golem69 at aol.com>
rcpt to: <jgoehle at geocities.com>
rcpt to: <pauljordan at msn.com>
rcpt to: <jayjarr at yahoo.com>
rcpt to: <cnkd555 at mailcity.com>
rcpt to: <stealth888 at aol.com>
rcpt to: <jant at icenet.no>
rcpt to: <daveestes at yahoo.com>
rcpt to: <umolde at aol.com>
rcpt to: <jbiglowski at yahoo.com>
rcpt to: <cratty at earthlink.net>
rcpt to: <0ei7000cxn8fj6 at lmco.com>
rcpt to: <kycaron at aol.com>
rcpt to: <5042081 at pager.icq.com>
rcpt to: <qlpk at aol.com>
rcpt to: <drortho at hotmail.com>
rcpt to: <popa0120 at po-box.mcgill.ca>
rcpt to: <kuklaki23 at aol.com>
rcpt to: <netsrfr5 at aol.com>
rcpt to: <roguelobo at aol.com>
rcpt to: <lulu92898 at aol.com>
rcpt to: <mstreet at talvest.com>
rcpt to: <xarens at hotmail.com>
rcpt to: <fashfosha_2000 at yahoo.com>
rcpt to: <classy at ingen.net>
rcpt to: <tigaress at hotmail.com>
rcpt to: <pete_moyer at dell.com>
rcpt to: <ship2shor at aol.com>
rcpt to: <ajrku at aol.com>
rcpt to: <dmoss at vol.com>
rcpt to: <hoopsmoo at eudoramail.com>
rcpt to: <ali at midcoast.com>
rcpt to: <mandy316 at hotmail.com>
rcpt to: <zhang.weihua at mednut.ki.se>
rcpt to: <chicureo at aol.com>
rcpt to: <freudian at adelphia.net>
rcpt to: <bdelurgio at epiccycle.com>
rcpt to: <derrick_henry at deluxevideo.com>
rcpt to: <bendenrider at aol.com>
rcpt to: <fiere01010 at aol.com>
rcpt to: <dhansen at azstarnet.com>
rcpt to: <alf53 at mailcity.com>
rcpt to: <vistaclemens at yahoo.com>
rcpt to: <nani756 at aol.com>
rcpt to: <fleur at tky.3web.ne.jp>
rcpt to: <hoeckele at local.net>
rcpt to: <crystalcharm9 at yahoo.com>
rcpt to: <u9511aa at mail.lrz-muenchen.de>
rcpt to: <jeffeast21 at aol.com>
rcpt to: <evalaya at yahoo.com>
rcpt to: <krichardson01 at hotmail.com>
rcpt to: <kaseydfoster at yahoo.com>
rcpt to: <anne623973 at aol.com>
rcpt to: <tracy_white at lycos.com>
rcpt to: <mantele at ispi.net>
rcpt to: <6768866 at pager.icq.com>
rcpt to: <scjohns321 at aol.com>
rcpt to: <bertil.olsson at mitec.se>
rcpt to: <ccweeks at ix.netcom.com>
rcpt to: <dimple1069 at yahoo.com>
rcpt to: <hesss at ballardspahr.com>
rcpt to: <aekgonygom at aol.com>
rcpt to: <supra770 at aol.com>
rcpt to: <rpgibson at igiles.net>
rcpt to: <andrew.roberts at nwa.com>
rcpt to: <bburry at aol.com>
rcpt to: <addews at hotmail.com>
rcpt to: <nerk at cort1.com>
rcpt to: <lynn_hyde at hotmail.com>
rcpt to: <dwilli8704 at aol.com>
]]>
  </received>

  <sentBytes>384</sentBytes>
  <sent size="491" coding="kf">
    <![CDATA[
===============
External Script Message
Rule D1
Rule D3
Rules DO NOT allow relay

===============
HTTP/1.0 200 Connection Established

220 mars.hosting4u.net DSMTP ESMTP Mail Server
250-209.15.20.112 Hello [xx.xxx.xx.xxx]
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
250 2.1.0 feandvu at hghhyy.com....Sender OK
250 2.1.5 chucksimp at hotmail.com
250 2.1.5 mwilson at soltec.net
]]>
  </sent>


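What the capture above shows is the classic open-proxy abuse pattern: an HTTP CONNECT tunnel to a remote host on port 25, followed by a full SMTP envelope (EHLO, MAIL FROM and a long run of RCPT TO) pushed through the tunnel. The script below is an added example, not part of the original post or of KFSensor, that classifies a capture of this shape as a relay attempt. It parses only the fields visible in the post (the `<client ip=...>` line and the `<received>` CDATA payload); the sample captures are constructed, keeping the CONNECT target and client IP from the post but replacing the recipient addresses with placeholder ones, and the second sample (a CONNECT to port 443 with no SMTP commands) is made up to show the non-flagged case.

```python
"""Flag a KFSensor HTTP-proxy capture as an SMTP relay attempt.

Added example; the parsing is written against the text shape shown in the
post, not taken from KFSensor or any other project.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ports a CONNECT tunnel would target to reach a mail server.
MAIL_PORTS = {25, 465, 587}

CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/\d\.\d", re.I | re.M)
CLIENT_IP_RE = re.compile(r'<client\b[^>]*\bip="([^"]*)"')
CDATA_RE = re.compile(r"<received\b[^>]*>\s*<!\[CDATA\[(.*?)\]\]>", re.S)
MAIL_FROM_RE = re.compile(r"^mail from:\s*<?([^\s>]+)>?", re.I | re.M)
RCPT_TO_RE = re.compile(r"^rcpt to:\s*<?([^\s>]+)>?", re.I | re.M)

# Constructed sample in the shape of the capture above. The CONNECT target and
# client IP are the ones the post shows; the addresses are placeholders.
SAMPLE_RELAY = """sensorid=KFSensor
id=31910
type=Connection
name=HTTP Proxy
protocol=TCP
<client domain="" ip="61.172.244.208" port="28065"/>
<host ip="xx.xxx.xx.xxx" bindip="" port="8080" />
<received size="3207" coding="kf">
<![CDATA[CONNECT 209.15.20.112:25 HTTP/1.0

EHLO xx.xxx.xx.xxx:8080
mail from: <sender@example.net>
rcpt to: <user1@example.com>
rcpt to: <user2@example.com>
rcpt to: <user3@example.org>
]]>
</received>
"""

# Constructed non-mail CONNECT (e.g. a browser tunnelling HTTPS); not flagged.
SAMPLE_HTTPS_CONNECT = """sensorid=KFSensor
type=Connection
name=HTTP Proxy
<client domain="" ip="198.51.100.7" port="40000"/>
<host ip="xx.xxx.xx.xxx" bindip="" port="8080" />
<received size="40" coding="kf">
<![CDATA[CONNECT www.example.com:443 HTTP/1.0

]]>
</received>
"""


@dataclass
class RelayAssessment:
    client_ip: Optional[str]
    connect_host: Optional[str]
    connect_port: Optional[int]
    sender: Optional[str]
    recipients: List[str] = field(default_factory=list)

    @property
    def is_relay_attempt(self) -> bool:
        # A tunnel to a mail port that then carries SMTP envelope commands is
        # the signature of the proxy being used as a mail relay.
        return self.connect_port in MAIL_PORTS and bool(self.recipients)

    def summary(self) -> str:
        if not self.is_relay_attempt:
            return f"{self.client_ip}: no SMTP relay indicators"
        return (f"{self.client_ip}: SMTP relay attempt via CONNECT to "
                f"{self.connect_host}:{self.connect_port}, "
                f"{len(self.recipients)} RCPT TO from {self.sender}")


def assess_capture(capture: str) -> RelayAssessment:
    """Extract the tunnel target and SMTP envelope from one capture record."""
    client = CLIENT_IP_RE.search(capture)
    payload_m = CDATA_RE.search(capture)
    payload = payload_m.group(1) if payload_m else ""
    connect = CONNECT_RE.search(payload)
    sender = MAIL_FROM_RE.search(payload)
    return RelayAssessment(
        client_ip=client.group(1) if client else None,
        connect_host=connect.group("host") if connect else None,
        connect_port=int(connect.group("port")) if connect else None,
        sender=sender.group(1) if sender else None,
        recipients=RCPT_TO_RE.findall(payload),
    )


if __name__ == "__main__":
    for record in (SAMPLE_RELAY, SAMPLE_HTTPS_CONNECT):
        print(assess_capture(record).summary())
```

Run on the real capture in the post, the same logic would report one client, a CONNECT to 209.15.20.112:25 and roughly a hundred RCPT TO commands from a single MAIL FROM, which is what distinguishes a relay probe from a proxy check that only opens a connection. Counting recipients per source IP over time also answers the question raised in the thread: a checker gives up after a handful of connections, a relay harvester keeps coming back as long as the proxy answers 250.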



