Security Incidents mailing list archives
Re: Account probing for spam relay.
From: pauls () UTDALLAS EDU (Paul L Schmehl)
Date: Mon, 12 Jun 2000 09:11:52 -0500
I believe you are mistaken. If you look at the From: line, you'll see the words "Spade relay check". That is the signature of Sam Spade, an anti-spam tool that is very popular. (See http://www.samspade.org for details.)

Is it possible spam was relayed through your honeypot? The Sun version of sendmail that you're running is well known for allowing mail relaying. That would explain why someone would use Sam Spade to check for relaying. They were trying to verify that you do relay before sending a complaint.

If you're going to keep running sendmail on your honeypot, at least put a secure version that disallows relaying on it.

--On Sunday, June 11, 2000 11:57 AM -0500 Lance Spitzner <lance () SPITZNER NET> wrote:
One of my honeypots was probed for spam relay. I'm attaching the signature here so you know what to look for. Needless to say, I sent our friend a nasty gram. It is obvious he is using automated software to find systems that he can use to relay his spam.

I've changed the domain name of my honeynet to mail.example.com for sanitization purposes. However, the source account launching the probe is valid :)

--- mail relay check ---
220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 11 Jun 2000 11:27:42 -0500
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [211.54.114.180], pleased to meet you
MAIL FROM:<woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>
250 <woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>... Sender ok
RCPT TO:<woqjffirst () yahoo com>
250 <woqjffirst () yahoo com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
qjffirst () yahoo com
From: woqjffirst () yahoo com (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check
.
250 LAA14291 Message accepted for delivery
QUIT
221 mail.example.com. closing connection
--- end probe ---

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html

Paul L. Schmehl, pauls () utdallas edu
Technical Support Services Manager
The University of Texas at Dallas
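
Added example, not part of either message above: one way to scan an SMTP session log for the two things this thread discusses, a server accepting a RCPT TO for a non-local domain (relaying) and the "Spade relay check" marker in the message headers. The function names, LOCAL_DOMAINS, and the sample transcript are assumptions constructed for illustration.

```python
import re

LOCAL_DOMAINS = {"mail.example.com"}  # assumption: domains this host accepts mail for

# Constructed sample modelled on the quoted probe; addresses are placeholders.
SAMPLE = """\
220 mail.example.com. Sendmail ready
MAIL FROM:<probe_at_example.net@MAIL.EXAMPLE.COM>
250 <probe_at_example.net@MAIL.EXAMPLE.COM>... Sender ok
RCPT TO:<probe@example.net>
250 <probe@example.net>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: probe@example.net (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check
.
250 LAA00000 Message accepted for delivery
"""

def rcpt_domain(cmd):
    """Domain part of the address inside <...>, lowercased, or ''."""
    m = re.search(r"<[^>]*@([^>]+)>", cmd)
    return m.group(1).lower().rstrip(".") if m else ""

def analyse(transcript, local=LOCAL_DOMAINS):
    """Pair each client command with the server reply and flag relay-test indicators."""
    relayed, accepted, marker = [], False, False
    last_cmd, in_data = "", False
    for line in (l.strip() for l in transcript.splitlines()):
        if in_data:                      # message body: look for the tool's marker
            if line == ".":
                in_data, last_cmd = False, "ENDDATA"
            elif "spade relay check" in line.lower():
                marker = True
            continue
        reply = re.match(r"(\d{3})(?:[ -]|$)", line)
        if not reply:
            last_cmd = line.upper() or last_cmd   # a client command
            continue
        code = reply.group(1)
        if last_cmd.startswith("RCPT TO:") and code == "250":
            dom = rcpt_domain(last_cmd)
            if dom and dom not in local:  # server took mail for a foreign domain
                relayed.append(dom)
        elif last_cmd == "DATA" and code == "354":
            in_data = True
        elif last_cmd == "ENDDATA" and code == "250":
            accepted = True
    return {"relayed_domains": relayed, "spade_marker": marker,
            "open_relay": bool(relayed) and accepted}
```

A session where the RCPT TO is refused (for example with a 550 reply) yields open_relay False, which is the behaviour a sendmail configured to disallow relaying should show.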