
Thread: honeyd: smtp & attachments

  1. #1
    Senior Member
    Join Date
    Aug 2003

    honeyd: smtp & attachments

    My server went down because of the power supply.
    So I put in a CNAME record pointing to my home machine.
    The ISP did his work very quickly and I deleted the CNAME.
    It had been there for 10 minutes.
    I'm running honeyd on my home machine, supporting port 25 too.
    ...now I'm receiving a large amount of crap like this
    (it looks like port 25 got checked first by titan.cvpa.usf.edu
    and then a mail was sent from different places containing a pdf file):
    --MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","","",30839,25,
    --MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","","",3214,25,
    "EHLO 111santiagord12.codetel.net.do
    MAIL FROM:<ayman431@q.pollard.net>
    RCPT TO:<censored@cen.sored.net> (edited)
    Received: from PC01 ([] helo=PC01)
    by 111santiagord12.codetel.net.do ( sendmail 8.13.3/8.13.1) with esmtpa id 1YHEOz-000VPA-qj
    for censored@cen.sored.net ; Thu, 19 Jul 2007 09:51:24 -0400 (edited)
    Message-ID: <000f01c7ca0b$d6865f90$6f2a58c8@PC01>
    From: "ayman Fegerman" <ayman431@q.pollard.net>
    To: censored@cen.sored.net (edited)
    Subject: Emailing: Rechenschaft86516.pdf
    Date: Thu, 19 Jul 2007 09:50:59 -0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

    Content-Type: multipart/alternative;

    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable

    The message is ready to be sent with the following file or link =

    Can you comprehend this, or have you got information about the host at usf.edu?
    Google doesn't help.

    Please ask for the full logfile.

    Maybe you would be able to identify it by:
    <META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
    Last edited by stanger; July 19th, 2007 at 05:45 PM. Reason: forgot something ;)
    Industry Kills Music.
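As an added example (not code from the thread), a small parser for the honeyd "--MARK--" SMTP log format quoted above: it separates bare connection probes (a --MARK-- line with no captured body, like the first port check) from actual deliveries and pulls out the EHLO host, envelope addresses, X-Mailer and any attachment name from the Subject, so hits can be correlated across sessions. The sample log is constructed; its hostnames and addresses are placeholders.

```python
import re

# Constructed sample modelled on the honeyd "exchange/SMTP" capture quoted in the
# post; hostnames and addresses are placeholders, not indicators from the thread.
SAMPLE_LOG = '''--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","","",30839,25,
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","","",3214,25,
"EHLO relay.example.net
MAIL FROM:<sender@example.org>
RCPT TO:<user@sub.example.com>
Subject: Emailing: Rechenschaft86516.pdf
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
'''

MARK_RE = re.compile(r'^--MARK--,"(?P<ts>[^"]*)","(?P<svc>[^"]*)","[^"]*","[^"]*",'
                     r'(?P<sport>\d+),(?P<dport>\d+),')
CMD_RE = re.compile(r'^(EHLO|HELO|MAIL FROM|RCPT TO)[: ]\s*<?([^>\s]+)>?', re.I)
HDR_RE = re.compile(r'^(Subject|X-Mailer|From):\s*(.*)$', re.I)
ATTACH_RE = re.compile(r'[\w-]+\.(?:pdf|zip|exe|scr)\b', re.I)

def parse_honeyd_smtp(log):
    """One session per --MARK-- line; the quoted body that follows belongs to it."""
    sessions = []
    cur = None
    for raw in log.splitlines():
        line = raw.lstrip('"')  # honeyd opens the captured body with a double quote
        if m := MARK_RE.match(raw):
            cur = {"ts": m["ts"], "sport": int(m["sport"]), "dport": int(m["dport"]),
                   "ehlo": None, "mail_from": None, "rcpt_to": [], "headers": {}, "attachments": []}
            sessions.append(cur)
        elif cur is None:
            continue  # body text before any --MARK-- line: nothing to attach it to
        elif c := CMD_RE.match(line):
            verb, arg = c.group(1).upper(), c.group(2)
            if verb == "RCPT TO":
                cur["rcpt_to"].append(arg)
            else:
                cur["mail_from" if verb == "MAIL FROM" else "ehlo"] = arg
        elif h := HDR_RE.match(line):
            cur["headers"][h.group(1).lower()] = h.group(2)
            if h.group(1).lower() == "subject":
                cur["attachments"] += ATTACH_RE.findall(h.group(2))
    return sessions

def classify(session):
    """probe = connected without speaking SMTP (the port check seen first in the post)."""
    if session["ehlo"] is None:
        return "probe"
    return "pdf_spam" if any(a.lower().endswith(".pdf") for a in session["attachments"]) else "mail"
```

Counting the classify() results over a full log gives the same kind of "N% pdf_spam" figure the poster saw from other servers' filters.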

  2. #2
    Senior Member
    Join Date
    Aug 2003

    Let's traceroute it:

    traceroute to luna.vistec.net (, 30 hops max, 38 byte packets
    1 gateway ( 0.497 ms 0.350 ms 0.307 ms
    2 ( 39.911 ms 39.564 ms 39.597 ms
    3 ( 40.207 ms 39.487 ms 39.634 ms
    4 f-eb5.f.de.net.dtag.de ( 44.564 ms 44.366 ms 45.680 ms
    5 ( 196.239 ms 172.021 ms 97.747 ms
    6 ge0-1.cr1.ixfra.de.easynet.net ( 44.047 ms 44.271 ms 43.766 ms
    7 ( 46.314 ms 46.369 ms 47.459 ms
    8 ns.vistec.net ( 46.834 ms 46.370 ms 46.229 ms

    Any idea?

    I received mails from other servers, but it was detected as being spam by them.

    100% pdf_spam, 0% image_spam

    Last edited by stanger; July 20th, 2007 at 06:24 AM. Reason: updating
    Industry Kills Music.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Titan might be an FTP server:


    College of Visual and Performing Arts University of South Florida.

    Which I am afraid doesn't tell you very much.

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Thanks for the reply.
    The interesting things:
    I never changed the MX record.
    The used mail address contains a subdomain that was created by Confixx.
    The email address can be found via Google.
    The service got shut down one year ago.
    MAIL TO: user@sub.domain - missing last letter of username.
    The attackers then (after succeeding) used the subdomain's name as "FROM:" with a different username (simone@sub.domain).
    The CNAME record was deleted after 10 minutes, but yesterday I got a spam mail again (Adobe OEM with random text area).

    I'm curious:
    would it be possible to use such behaviour as a mailworm/spam trap?
    In my opinion it could work.
    Industry Kills Music.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    So, it looks like we have a dodgy nameserver (German?). This may be of interest: it is listed


    and this:


    As for the spam, it is pretty much the same as we ban from this site. "buy v*i*a*g*r*a here" then "meet a beautiful Russian Woman"

    As for filtering or trapping, I am no expert, but would have thought that a nameserver shouldn't be sending you e-mails?

  6. #6
    Senior Member
    Join Date
    Aug 2003
    I 'now' solved the MX thing ...
    My ISP's domain script creates a new MX record with each new CNAME.
    Using 'dig' it was easy to find out.

    @nihil: thanks for the nameserver hint.
    Last edited by stanger; August 13th, 2007 at 10:27 AM.
    Industry Kills Music.
