honeyd: smtp & attachments
My server went down because of the power supply.
So I put a CNAME record in to point to my home machine.
The ISP did its work very quickly and I deleted the CNAME.
It had been there for 10 minutes.
-
I'm running honeyd at my homie, supporting port 25 too.
-
...now I'm receiving a large amount of crap like this
(it looks like first port 25 got checked by <b>titan.cvpa.usf.edu</b>
and then a mail was sent from different places containing a PDF file):
<code>
--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","131.247.128.35","172.16.1.5",30839,25,
"",
--ENDMARK--
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","200.88.42.111","172.16.1.5",3214,25,
"EHLO 111santiagord12.codetel.net.do
MAIL FROM:<ayman431@q.pollard.net>
RCPT TO:<censored@cen.sored.net> (edited)
DATA
Received: from PC01 ([112.192.159.159] helo=PC01)
by 111santiagord12.codetel.net.do ( sendmail 8.13.3/8.13.1) with esmtpa id 1YHEOz-000VPA-qj
for censored@cen.sored.net ; Thu, 19 Jul 2007 09:51:24 -0400 (edited)
Message-ID: <000f01c7ca0b$d6865f90$6f2a58c8@PC01>
From: "ayman Fegerman" <ayman431@q.pollard.net>
To: censored@cen.sored.net (edited)
Subject: Emailing: Rechenschaft86516.pdf
Date: Thu, 19 Jul 2007 09:50:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000B_01C7C9EA.4F74BF90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
------=_NextPart_000_000B_01C7C9EA.4F74BF90
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000C_01C7C9EA.4F74BF90"
------=_NextPart_001_000C_01C7C9EA.4F74BF90
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
The message is ready to be sent with the following file or link =
attachments:
Rechenschaft86516.pdf
------snap
</code>
Can you comprehend this, or have you got information about the host at usf.edu?
Google doesn't help.
tnx
Pls ask for the full logfile.
Addendum:
Maybe you would be able to identify it by:
<META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
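
Added example, not part of the original post: a small Python parser for the `--MARK--` / `--ENDMARK--` records in the layout shown in the log above, separating connections that sent nothing from sessions that reached the DATA phase. The function names and the sample log (documentation addresses, example domains) are constructed for illustration, and the field layout is assumed from the excerpt.

```python
import re

# Header line of one record, in the layout of the log excerpt in the post.
HEADER = re.compile(r'^--MARK--,"(?P<ts>[^"]*)","(?P<svc>[^"]*)","(?P<src>[^"]*)",'
                    r'"(?P<dst>[^"]*)",(?P<sport>\d+),(?P<dport>\d+),\s*$')

def _first(pattern, payload):
    m = re.search(pattern, payload, re.I | re.M)
    return m.group(1).strip() if m else None

def _finish(rec, body, truncated):
    # The payload is wrapped as "...", and holds quotes itself: strip only the wrapper.
    payload = re.sub(r'\A"|",\s*\Z', "", "\n".join(body))
    has_data = _first(r"^(DATA)[ \t]*$", payload)
    # probe: sent nothing; mail: reached DATA; session: spoke SMTP, no message
    kind = "probe" if not payload.strip() else "mail" if has_data else "session"
    rec.update(kind=kind, truncated=truncated,
               helo=_first(r"^(?:EHLO|HELO)[ \t]+(\S+)", payload),
               mail_from=_first(r"^MAIL FROM:[ \t]*<([^>]*)>", payload),
               subject=_first(r"^Subject:[ \t]*(.*)$", payload))
    return rec

def parse_records(text):
    """Yield one dict per record; a record cut off before --ENDMARK-- is kept and flagged."""
    rec, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if rec is not None:             # previous record was never closed
                yield _finish(rec, body, True)
            rec, body = m.groupdict(), []
        elif rec is not None and line.strip() == "--ENDMARK--":
            yield _finish(rec, body, False)
            rec, body = None, []
        elif rec is not None:
            body.append(line)
    if rec is not None:
        yield _finish(rec, body, True)

# Constructed sample (documentation addresses, example domains); second record is cut short.
SAMPLE = '''--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","192.0.2.10","172.16.1.5",30839,25,
"",
--ENDMARK--
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","198.51.100.7","172.16.1.5",3214,25,
"EHLO relay.example.net
MAIL FROM:<sender@example.org>
DATA
Subject: Emailing: sample.pdf'''
```

Grouping the resulting records by `src` and `kind` shows which addresses only touched port 25 and which ones delivered a message, and with what HELO name and subject.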