Honeypots mailing list archives

Anyone using their honeypots to learn about spambot protocols?


From: John Draper <lists () webcrunchers com>
Date: Wed, 10 Mar 2004 15:51:10 -0800

I FINALLY acquired a machine and connectivity to set up a PC WinBlows honeypot, and a large selection of IP blocks I can stick it on.

One of my first ideas is to deliberately infect it, and sniff the network to watch what kinds of traffic flies over the net, and hope to acquire enough information to learn about the protocols of the TCP/IP and UDP connections between the infected machine and whoever or whatever tries to control it.

Has anyone on this list done this yet? Can a well-configured sniffer obtain enough information to learn and obtain a Snort attack signature which can detect this?

I also heard it's possible to detect the 'knock knock' protocol now in use by some spam trojans. These are specially crafted pings that in effect can "wake up" sleeping trojans previously undetectable by scanning software. I'm just learning of the new Snort features that might make this possible.

If anyone wants to share info with me, please contact me...

John
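As an added example that is not part of the original post: the step John asks about, turning traffic sniffed from an infected honeypot into a Snort signature, can be prototyped by finding the byte pattern shared by every captured check-in and rendering it in Snort `content:` syntax. The payloads, the controller port 6667 and the local sid are constructed for illustration.

```python
from typing import List, Optional

# Constructed stand-ins for TCP payloads a honeypot sniffer captured from the
# infected host talking to its controller (not real malware traffic).
SAMPLE_PAYLOADS: List[bytes] = [
    b"\x01\x00BOT-HELLO id=1a2b\r\n",
    b"\x01\x00BOT-HELLO id=9f3c\r\n",
    b"\x01\x00BOT-HELLO id=77e0\r\n",
]
MIN_MATCH_LEN = 6  # shorter matches fire on benign traffic too often


def longest_common_substring(payloads: List[bytes]) -> bytes:
    """Longest byte string present in every payload (b'' if none)."""
    if not payloads:
        return b""
    shortest = min(payloads, key=len)
    for size in range(len(shortest), 0, -1):
        for start in range(len(shortest) - size + 1):
            candidate = shortest[start:start + size]
            if all(candidate in p for p in payloads):
                return candidate
    return b""


def snort_content(data: bytes) -> str:
    """Render bytes in Snort content syntax: printable ASCII as-is, other
    bytes (and the quote, semicolon, backslash, pipe) as |hex| runs."""
    out, hexrun = [], []

    def flush() -> None:
        if hexrun:
            out.append("|" + " ".join(f"{b:02X}" for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '"|;\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def derive_rule(payloads: List[bytes], dport: int, sid: int = 1000001) -> Optional[str]:
    """Local Snort rule for the shared pattern, or None if it is too short to trust."""
    common = longest_common_substring(payloads)
    if len(common) < MIN_MATCH_LEN:
        return None
    return (f"alert tcp $HOME_NET any -> $EXTERNAL_NET {dport} "
            f'(msg:"Honeypot-derived bot check-in"; flow:to_server,established; '
            f'content:"{snort_content(common)}"; sid:{sid}; rev:1;)')
```

A real rule would be tightened with the destination port and direction observed in the capture and checked against a week of clean traffic before deployment; the length floor is what keeps a two-byte CRLF from becoming a "signature".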
