Re: Account probing for spam relay.

[fernando () BN PT (Fernando Cardoso)]

Hi Lance

Your "friend" is using Sam Spade to check for open relays. I've just tried
it on one of my own mail servers with similar results. Check
www.samspade.org for details.

Cheers

Fernando

_________________________________________________________________
Fernando Cardoso                        Phone:  +351 21 7982186
Network Administrator           Fax:            +351 217982185
National Library                        E-mail: fernando () bn pt
Portugal                                PGP ID: 28551CB8

> -----Original Message-----
> From: Lance Spitzner [mailto:lance () SPITZNER NET]
> Sent: domingo, 11 de Junho de 2000 17:58
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Account probing for spam relay.
>
>
> One of my honeypots was probed for spam relay.  I'm
> attaching the signature here so you know what to look
> for.  Needless to say, I sent our friend a nasty gram.
> It is obvious he is using automated software to find
> systems that he can use to relay his spam.  I've
> changed the domain name of my honeynet to
> mail.example.com for sanitization purposes.  However,
> the source account launching the probe is valid :)
>
> --- mail relay check ---
>
> 220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready at Sun,
> 11 Jun 2000 11:27:42 -0500
> HELO MAIL.EXAMPLE.COM
> 250 mail.example.com. Hello [211.54.114.180], pleased to meet you
> MAIL FROM:<woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>
> 250 <woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>... Sender ok
> RCPT TO:<woqjffirst () yahoo com>
> 250 <woqjffirst () yahoo com>... Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> qjffirst () yahoo com
> From: woqjffirst () yahoo com (Spade relay check)
> Subject: MAIL.EXAMPLE.COM relay check
>
>
> .
> 250 LAA14291 Message accepted for delivery
> QUIT
> 221 mail.example.com. closing connection
>
> --- end probe ---
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html