Honeypots mailing list archives

RE: Anyone with experience w/VirtualMDA?


From: "JP Garcia" <jgarcia () networkadvocates com>
Date: Wed, 30 Mar 2005 13:17:08 -0500

Believe it or not, I think I've isolated how they would "pay" someone.
Now, whether they actually pay someone is left for speculation.  It
seems that the client initiates an SMTP connection to a certain site and
closes it.  Immediately after that, they initiate an HTTP connection to
what I believe is their "time log" server, to log the .000001 seconds it
took to send an email.

Here's the funny thing.

We've been using it for some time now, and have not sent 1 piece of
email.  To verify, I removed the computer with VirtualMDA, and put a
machine with an SMTP engine on it and sent a message to another server.
My setup pulled the whole message transmission, no problem.  All
VirtualMDA seems to do is initiate a telnet session and immediately
quit.  I figure that VirtualMDA does this periodically to log and allow
people's dynamic IPs to connect to their servers.

So, back to the "problem," we haven't sent out any mail.  This is good
news, yes, but when using it in a honeypot environment, it doesn't help
catch new spam campaigns.

Any ideas?

-JP

-----Original Message-----
From: Christian Kreibich [mailto:christian () whoop org] 
Sent: Tuesday, March 29, 2005 5:05 PM
To: Honeypots List
Subject: Re: Anyone with experience w/VirtualMDA?

On Tue, 2005-03-29 at 12:11 -0500, JP Garcia wrote:
> I'm using it in a "honeypot" of sorts... trying to observe outgoing
> traffic to see if I can snarf out spam email signatures.  I'm listening
> passively with Ethereal via a network tap (NetOptics... it's great!).
> So far, nothing.  Anyone have experience with it?

Heh, I came across virtualmda the other day. If you can figure out how
they do any form of accounting over the spam the client actually pumped
out successfully, I'd be thrilled to hear about it. The way I parse
their small print, there's essentially no way they'll ever pay anyone
anything, so I wonder if they actually *do* any accounting.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
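
An added example, not part of the original thread and not code from either poster: one way to flag, in reassembled tap traffic, the pattern described in the message above, where an SMTP connection carries no message and is followed right away by an HTTP connection from the same host. The flow record layout, the addresses (RFC 5737 documentation ranges), the `/log` path and the 5-second window are all assumptions constructed for illustration.

```python
import re

# Constructed sample flows (not from the thread): what a tap-side stream
# reassembler might emit. "client" holds the lines sent by the client.
FLOWS = [
    {"t": 100.0, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 25,
     "client": ["QUIT"]},
    {"t": 100.4, "src": "192.0.2.10", "dst": "198.51.100.9", "dport": 80,
     "client": ["GET /log HTTP/1.0"]},
    {"t": 300.0, "src": "192.0.2.20", "dst": "198.51.100.7", "dport": 25,
     "client": ["HELO test", "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>",
                "DATA", "Subject: hi", "", "body", ".", "QUIT"]},
    {"t": 500.0, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 25,
     "client": []},
]

VERB = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b", re.I)

def classify_smtp(client_lines):
    """Return 'delivery' if envelope commands and DATA were sent, else 'probe'."""
    seen = []
    for line in client_lines:
        m = VERB.match(line.strip())
        if m:
            seen.append(m.group(1).upper())
            if seen[-1] == "DATA":
                break  # everything after DATA is message content, not commands
    return "delivery" if all(v in seen for v in ("MAIL FROM", "RCPT TO", "DATA")) else "probe"

def find_checkins(flows, window=5.0):
    """Pair each SMTP probe with the next HTTP flow from the same source within `window` seconds."""
    flows = sorted(flows, key=lambda f: f["t"])
    hits = []
    for i, f in enumerate(flows):
        if f["dport"] != 25 or classify_smtp(f["client"]) != "probe":
            continue
        for g in flows[i + 1:]:
            if g["t"] - f["t"] > window:
                break
            if g["src"] == f["src"] and g["dport"] == 80:
                hits.append((f["src"], f["t"], g["dst"], g["t"]))
                break
    return hits

if __name__ == "__main__":
    for hit in find_checkins(FLOWS):
        print("SMTP probe then HTTP check-in:", hit)
```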




