Thread: honeyd: smtp & attachments

  1. #1

    honeyd: smtp & attachments

    My server went down because of the power supply.
    So I put a CNAME record in to point to my home machine.
    The ISP did his work very quickly and I deleted the CNAME.
    It had been there for 10 minutes.
    -
    I'm running honeyd on my home machine, supporting port 25 too.
    -
    ...now I'm receiving a large amount of crap like this
    (it looks like port 25 first got checked by titan.cvpa.usf.edu
    and then a mail was sent from different places containing a pdf file):
    <code>
    --MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","131.247.128.35","172.16.1.5",30839,25,
    "",
    --ENDMARK--
    --MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","200.88.42.111","172.16.1.5",3214,25,
    "EHLO 111santiagord12.codetel.net.do
    MAIL FROM:<ayman431@q.pollard.net>
    RCPT TO:<censored@cen.sored.net> (edited)
    DATA
    Received: from PC01 ([112.192.159.159] helo=PC01)
    by 111santiagord12.codetel.net.do ( sendmail 8.13.3/8.13.1) with esmtpa id 1YHEOz-000VPA-qj
    for censored@cen.sored.net ; Thu, 19 Jul 2007 09:51:24 -0400 (edited)
    Message-ID: <000f01c7ca0b$d6865f90$6f2a58c8@PC01>
    From: "ayman Fegerman" <ayman431@q.pollard.net>
    To: censored@cen.sored.net (edited)
    Subject: Emailing: Rechenschaft86516.pdf
    Date: Thu, 19 Jul 2007 09:50:59 -0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000B_01C7C9EA.4F74BF90"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

    ------=_NextPart_000_000B_01C7C9EA.4F74BF90
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_000C_01C7C9EA.4F74BF90"


    ------=_NextPart_001_000C_01C7C9EA.4F74BF90
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable


    The message is ready to be sent with the following file or link =
    attachments:
    Rechenschaft86516.pdf
    ------snap
    </code>

    Can you comprehend this, or have you got information about the host at usf.edu?
    Google doesn't help.

    tnx

    Please ask for the full logfile.

    Addendum:
    Maybe you would be able to identify it by:
    <META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
    Last edited by stanger; July 19th, 2007 at 05:45 PM. Reason: forgot something ;)
    Industry Kills Music.
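
An added example, not part of the original post and not honeyd's own code: it splits a log in the `--MARK--`/`--ENDMARK--` layout quoted above into records, separates empty connections (like the first record) from delivery attempts, and pulls out the fields a defender would triage on. The sample log is constructed (placeholder addresses and names), and the dictionary keys are assumptions chosen for illustration.

```python
import re

# Constructed sample in the record layout shown in the post (placeholder hosts and names).
SAMPLE_LOG = '''--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","192.0.2.35","172.16.1.5",30839,25,
"",
--ENDMARK--
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","198.51.100.111","172.16.1.5",3214,25,
"EHLO mail.example.net
MAIL FROM:<sender@example.org>
RCPT TO:<rcpt@example.com>
DATA
From: "Some Sender" <sender@example.org>
Subject: Emailing: Report12345.pdf

attachments:
Report12345.pdf
",
--ENDMARK--
'''

# Header line, then the quoted session payload, then the end marker.
# The payload may itself contain double quotes, so match lazily up to '",\n--ENDMARK--'.
RECORD = re.compile(
    r'^--MARK--,"(?P<ts>[^"]*)","(?P<svc>[^"]*)","(?P<src>[^"]*)","(?P<dst>[^"]*)",'
    r'(?P<sport>\d+),(?P<dport>\d+),\n"(?P<body>.*?)",\n--ENDMARK--$',
    re.S | re.M)

def _first(pattern, text):
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_records(text):
    """Return one summary dict per --MARK--/--ENDMARK-- record."""
    out = []
    for m in RECORD.finditer(text):
        body = m.group("body")
        out.append({
            "time": m.group("ts"),
            "src": m.group("src"),
            # A connection that sent nothing is a probe; anything else is a delivery attempt.
            "kind": "delivery" if body.strip() else "probe",
            "helo": _first(r'^(?:EHLO|HELO)[ \t]+(\S+)', body),
            "mail_from": _first(r'^MAIL FROM:[ \t]*<([^>]*)>', body),
            "subject": _first(r'^Subject:[ \t]*(.*)$', body),
            "pdf_names": sorted(set(re.findall(
                r'^[ \t]*([\w.-]+\.pdf)[ \t]*$', body, re.M | re.I))),
        })
    return out
```

A record whose payload is cut off before the closing `",` and `--ENDMARK--` lines, like the truncated excerpt in the post, is skipped rather than partially parsed.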
