Security Incidents mailing list archives

Re: Account probing for spam relay.


From: pauls () UTDALLAS EDU (Paul L Schmehl)
Date: Mon, 12 Jun 2000 09:11:52 -0500


I believe you are mistaken.  If you look at the From: line, you'll see the
words "Spade relay check".  That is the signature of Sam Spade, an
anti-spam tool that is very popular.  (See http://www.samspade.org for
details.)

Is it possible spam was relayed through your honeypot?  The Sun version of
sendmail that you're running is well known for allowing mail relaying.
That would explain why someone would use Sam Spade to check for relaying.
They were trying to verify that you do relay before sending a complaint.

If you're going to keep running sendmail on your honeypot, at least put a
secure version that disallows relaying on it.

--On Sunday, June 11, 2000 11:57 AM -0500 Lance Spitzner
<lance () SPITZNER NET> wrote:

One of my honeypots was probed for spam relay.  I'm
attaching the signature here so you know what to look
for.  Needless to say, I sent our friend a nasty gram.
It is obvious he is using automated software to find
systems that he can use to relay his spam.  I've
changed the domain name of my honeynet to
mail.example.com for sanitization purposes.  However,
the source account launching the probe is valid :)

--- mail relay check ---

220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 11 Jun 2000 11:27:42 -0500
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [211.54.114.180], pleased to meet you
MAIL FROM:<woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>
250 <woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>... Sender ok
RCPT TO:<woqjffirst () yahoo com>
250 <woqjffirst () yahoo com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
qjffirst () yahoo com
From: woqjffirst () yahoo com (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check


.
250 LAA14291 Message accepted for delivery
QUIT
221 mail.example.com. closing connection

--- end probe ---

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html

Paul L. Schmehl, pauls () utdallas edu
Technical Support Services Manager
The University of Texas at Dallas
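
An added example, not part of the original messages: a small Python check that reads a captured SMTP session like the one quoted above and reports whether the server accepted mail for a recipient domain it does not host, and whether the message carries the "Spade relay check" marker mentioned in the reply. The function name `analyze_session`, the local-domain list and the sample addresses are assumptions made for illustration.

```python
import re

RCPT_RE = re.compile(r"^RCPT TO:\s*<[^<>@\s]+@([^<>\s]+)>", re.I)
SIGNATURE = "spade relay check"  # From: comment quoted in the thread

# Constructed session modelled on the quoted probe; addresses are placeholders.
SAMPLE = """\
220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [192.0.2.10], pleased to meet you
MAIL FROM:<tester_at_example.net@MAIL.EXAMPLE.COM>
250 <tester_at_example.net@MAIL.EXAMPLE.COM>... Sender ok
RCPT TO:<tester@example.net>
250 <tester@example.net>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: tester@example.net (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check

.
250 LAA00000 Message accepted for delivery
"""

def analyze_session(transcript, local_domains):
    """Classify one SMTP session (client and server lines interleaved)."""
    local = {d.lower().rstrip(".") for d in local_domains}
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    result = {"relay_rcpts": [], "message_accepted": False, "sam_spade": False}
    in_data = False
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if in_data:
            if line == ".":  # end of DATA; next line is the server verdict
                in_data = False
                result["message_accepted"] = nxt.startswith("250")
            elif line.lower().startswith("from:") and SIGNATURE in line.lower():
                result["sam_spade"] = True
            continue
        m = RCPT_RE.match(line)
        if m and nxt.startswith("250"):
            domain = m.group(1).lower().rstrip(".")
            if domain not in local:  # accepted recipient we do not host
                result["relay_rcpts"].append(domain)
        elif line.upper() == "DATA" and nxt.startswith("354"):
            in_data = True
    result["open_relay"] = bool(result["relay_rcpts"]) and result["message_accepted"]
    return result
```

A session that sets both `open_relay` and `sam_spade` matches the reading given in the reply: a relay test run with an anti-spam tool against a server that does relay.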

