[Spambayes] spampot -- spam honeypot server

Tim Stone - Four Stones Expressions tim at fourstonesExpressions.com
Mon Jan 20 21:28:52 EST 2003


Probe detection.... looks like a job for spambayes... - TimS  ;)

1/20/2003 5:16:00 PM, "Neale Pickett" <neale at woozle.org> wrote:

>Skip Montanaro <skip at pobox.com> writes:
>
>> Neale,
>>
>> Hopefully I won't sound too much like an idiot, but what's a "probe
>> message"?  How do you classify messages which come into spampot, just
>> "probe message" and "everything else"?
>
>So when you kick up a mail server, you'll get a lot of messages like
>this:
>
>  SMTP-Hello: master-cv7889w2
>  SMTP-Mail-From: <china9988 at 21cn.com>
>  SMTP-Rcpt-To: <china9988 at 21cn.com>
>  From: china9988 at 21cn.com
>  Subject: 192.168.1.2
>  To: china9988 at 21cn.com
>  Date: Thu, 16 Jan 2003 21:48:41 +0900
>  X-Priority: 3
>  X-Library: Indy 8.0.25
>
>  t_Smtp.LocalIP
>
>This is one of the more baffling probes, since china9988 at 21cn.com gives
>NDRs--maybe really old spam software.  But all of the probes I've seen
>so far have the IP address of my honeypot server in the subject line.  It
>makes sense--send out mail blindly, and anything you get back has the IP
>address of an open relay in the subject line.
>
>And yes, currently I only classify as "probe" and "everything else".  I
>do this with Maildir flags, though there's really no reason why it
>should have to be in Maildir format, aside from making it easy to view
>with mutt.
>
>Right now my probe detection logic needs work :)
>
>Neale


c'est moi - TimS
http://www.fourstonesExpressions.com
http://wecanstopspam.org
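
The subject-line check Neale describes above, sketched as an added example; it is not part of the original thread and is not spampot's code. The function names, the sample messages and the example.com addresses are constructed for illustration, and the honeypot address reuses the 192.168.1.2 shown in the quoted probe.

```python
import re
from email import message_from_string
from email.errors import HeaderParseError
from email.header import decode_header, make_header

def ip_pattern(ip):
    # Match the dotted quad only when it stands alone, so 192.168.1.2
    # does not also match 192.168.1.25 or 10.192.168.1.2.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d|\.\d)")

def decoded_subject(msg):
    raw = msg.get("Subject", "")
    try:
        # Decode RFC 2047 encoded-words so an encoded subject is still checked.
        return str(make_header(decode_header(raw)))
    except (LookupError, ValueError, HeaderParseError):
        return str(raw)  # undecodable: fall back to the raw header text

def classify(raw_message, honeypot_ips):
    """Return "probe" if any honeypot IP is in the Subject, else "other"."""
    subject = decoded_subject(message_from_string(raw_message))
    if any(ip_pattern(ip).search(subject) for ip in honeypot_ips):
        return "probe"
    return "other"

# Constructed sample messages (not taken from a real mailbox).
SAMPLES = {
    "plain probe": "From: a@example.com\nTo: a@example.com\n"
                   "Subject: 192.168.1.2\n\nt_Smtp.LocalIP\n",
    "encoded probe": "From: a@example.com\nTo: a@example.com\n"
                     "Subject: =?utf-8?q?192.168.1.2?=\n\ntest\n",
    "near miss": "From: b@example.com\nTo: c@example.com\n"
                 "Subject: relay 192.168.1.25 is up\n\nhello\n",
    "no subject": "From: b@example.com\nTo: c@example.com\n\nhello\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", classify(text, ["192.168.1.2"]))
```
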