honeyd: smtp & attachments

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    185

    honeyd: smtp & attachments

    my server went down, caused by the power supply.
    so i put a CNAME record in to point to my home machine.
    the ISP did his work very quickly and i deleted the CNAME.
    it had been there for 10 minutes.
    -
    i'm running honeyd at my homie, supporting port 25, too.
    -
    ...now i'm receiving a large amount of crap like this
    (it looks like first the port 25 got checked by titan.cvpa.usf.edu
    and then a mail was sent from different places containing a pdf file):
    <code>
    --MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","131.247.128.35","172.16.1.5",30839,25,
    "",
    --ENDMARK--
    --MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","200.88.42.111","172.16.1.5",3214,25,
    "EHLO 111santiagord12.codetel.net.do
    MAIL FROM:<ayman431@q.pollard.net>
    RCPT TO:<censored@cen.sored.net> (edited)
    DATA
    Received: from PC01 ([112.192.159.159] helo=PC01)
    by 111santiagord12.codetel.net.do ( sendmail 8.13.3/8.13.1) with esmtpa id 1YHEOz-000VPA-qj
    for censored@cen.sored.net ; Thu, 19 Jul 2007 09:51:24 -0400 (edited)
    Message-ID: <000f01c7ca0b$d6865f90$6f2a58c8@PC01>
    From: "ayman Fegerman" <ayman431@q.pollard.net>
    To: censored@cen.sored.net (edited)
    Subject: Emailing: Rechenschaft86516.pdf
    Date: Thu, 19 Jul 2007 09:50:59 -0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000B_01C7C9EA.4F74BF90"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

    ------=_NextPart_000_000B_01C7C9EA.4F74BF90
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_000C_01C7C9EA.4F74BF90"


    ------=_NextPart_001_000C_01C7C9EA.4F74BF90
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable


    The message is ready to be sent with the following file or link =
    attachments:
    Rechenschaft86516.pdf
    ------snap
    </code>

    can you comprehend this or have you got information about the host at usf.edu?
    google doesn't help.

    tnx

    pls ask for full logfile.

    addendum:
    maybe you would be able to identify by:
    <META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
    Last edited by stanger; July 19th, 2007 at 05:45 PM. Reason: forgot something ;)
    Industry Kills Music.
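An added example, not code from the thread or from honeyd itself: a small parser for the honeyd --MARK-- SMTP log format quoted above. It separates bare port-25 probes (empty payload, like the first record) from connections that went on to deliver mail, and pulls out the HELO name, envelope addresses and any attachment file names worth a look. The sample log is constructed from the quoted format using the poster's censored placeholder addresses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the honeyd --MARK-- format quoted above (placeholder addresses).
SAMPLE_LOG = '''--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","131.247.128.35","172.16.1.5",30839,25,
"",
--ENDMARK--
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","200.88.42.111","172.16.1.5",3214,25,
"EHLO 111santiagord12.codetel.net.do
MAIL FROM:<ayman431@q.pollard.net>
RCPT TO:<censored@cen.sored.net>
Subject: Emailing: Rechenschaft86516.pdf
Rechenschaft86516.pdf
"
--ENDMARK--
'''

# One record: timestamp, service, src ip, dst ip, src port, dst port, then the captured payload.
RECORD_RE = re.compile(r'^--MARK--,"([^"]*)","([^"]*)","([^"]*)","([^"]*)",(\d+),(\d+),\n(.*?)^--ENDMARK--$', re.S | re.M)
ATTACH_RE = re.compile(r'\b[\w-]+\.(?:pdf|zip|exe|scr)\b', re.I)  # attachment names worth flagging

@dataclass
class SmtpSession:
    when: str
    src_ip: str
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    attachments: list = field(default_factory=list)

    def is_probe(self) -> bool:
        # No EHLO and no MAIL FROM: the client only checked that port 25 answers.
        return not (self.helo or self.mail_from)

def parse_honeyd_smtp(text: str) -> list:
    sessions = []
    for m in RECORD_RE.finditer(text):
        s = SmtpSession(when=m[1], src_ip=m[3])
        for body in m[7].strip('"\n').splitlines():  # honeyd wraps the payload in quotes
            verb, _, rest = body.partition(":")
            verb = verb.strip().upper()
            if verb.startswith(("EHLO ", "HELO ")):
                s.helo = body[5:].strip()
            elif verb == "MAIL FROM":
                s.mail_from = rest.strip(" <>")
            elif verb == "RCPT TO":
                s.rcpt_to.append(rest.strip(" <>"))
            s.attachments += [a for a in ATTACH_RE.findall(body) if a not in s.attachments]
        sessions.append(s)
    return sessions
```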

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    update:
    ------=_NextPart_000_0004_01C7CA37.B8851550--
    --l6JH6eXb011136.1184864800/luna.vistec.net--
    .
    --ENDMARK--

    let's traceroute it:

    traceroute to luna.vistec.net (194.64.40.71), 30 hops max, 38 byte packets
    1 gateway (192.168.1.1) 0.497 ms 0.350 ms 0.307 ms
    2 217.0.116.177 (217.0.116.177) 39.911 ms 39.564 ms 39.597 ms
    3 217.0.74.242 (217.0.74.242) 40.207 ms 39.487 ms 39.634 ms
    4 f-eb5.f.de.net.dtag.de (62.154.17.62) 44.564 ms 44.366 ms 45.680 ms
    5 62.156.139.226 (62.156.139.226) 196.239 ms 172.021 ms 97.747 ms
    6 ge0-1.cr1.ixfra.de.easynet.net (212.224.5.34) 44.047 ms 44.271 ms 43.766 ms
    7 194.64.253.22 (194.64.253.22) 46.314 ms 46.369 ms 47.459 ms
    8 ns.vistec.net (194.64.40.71) 46.834 ms 46.370 ms 46.229 ms

    any idea?

    [update]
    I received mails from other servers, but it was detected as being spam by them.

    100% pdf_spam, 0% image_spam

    http://www.securityfocus.com/news/11475?ref=rss
    Last edited by stanger; July 20th, 2007 at 06:24 AM. Reason: updating
    Industry Kills Music.

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Titan might be an FTP server:

    http://www.freedownloadscenter.com/N...TP_Server.html

    College of Visual and Performing Arts University of South Florida.

    Which I am afraid doesn't tell you very much
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    thx for reply
    the interesting things:
    i never changed the MX record
    the used mail address contains a subdomain that was created by confixx
    the email address can be found via google
    the service got shut down one year ago
    MAIL TO: user@sub.domain - missing last letter of username
    the attackers then (after succeeding) used the subdomain's name as "FROM:" with different username (simone@sub.domain)
    the CNAME record was deleted after 10 minutes but yesterday i got a spam mail again (adobe OEM with random textarea)

    i'm curious:
    would it be possible to use such behaviour as a mailworm/spam trap?
    in my opinion it could work
    Industry Kills Music.

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    So, it looks like we have a dodgy nameserver (German?). This may be of interest: it is listed

    http://postmaster.gtcs.com/NameserversAmuk.php

    and this:

    http://www.robtex.com/dns/vistec.net.html

    As for the spam, it is pretty much the same as we ban from this site. "buy v*i*a*g*r*a here" then "meet a beautiful Russian Woman"

    As for filtering or trapping, I am no expert, but would have thought that a nameserver shouldn't be sending you e-mails?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    i 'now' solved the MX thing ...
    my ISP's domain script creates a new MX record when a new CNAME is added
    using 'dig' it was easy to find out

    @nihil: thx for the nameserver hint
    Last edited by stanger; August 13th, 2007 at 10:27 AM.
    Industry Kills Music.
