[Spambayes] spampot -- spam honeypot server

Neale Pickett neale at woozle.org
Mon Jan 20 15:16:00 EST 2003


Skip Montanaro <skip at pobox.com> writes:

> Neale,
>
> Hopefully I won't sound too much like an idiot, but what's a "probe
> message"?  How do you classify messages which come into spampot, just
> "probe message" and "everything else"?

So when you kick up a mail server, you'll get a lot of messages like
this:

  SMTP-Hello: master-cv7889w2
  SMTP-Mail-From: <china9988 at 21cn.com>
  SMTP-Rcpt-To: <china9988 at 21cn.com>
  From: china9988 at 21cn.com
  Subject: 192.168.1.2
  To: china9988 at 21cn.com
  Date: Thu, 16 Jan 2003 21:48:41 +0900
  X-Priority: 3
  X-Library: Indy 8.0.25

  t_Smtp.LocalIP

This is one of the more baffling probes, since china9988 at 21cn.com gives
NDRs--maybe really old spam software.  But all of the probes I've seen
so far have the IP address of my honeypot server in the subject line.  It
makes sense--send out mail blindly, and anything you get back has the IP
address of an open relay in the subject line.

And yes, currently I only classify as "probe" and "everything else".  I
do this with Maildir flags, though there's really no reason why it
should have to be in Maildir format, aside from making it easy to view
with mutt.

Right now my probe detection logic needs work :)

Neale
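
Added example, not Neale's spampot code: one way to implement the "probe" versus "everything else" check described in the message above, by looking for the honeypot's own address in the Subject line and marking matches with a Maildir flag. The address 192.168.1.2 is taken from the sample Subject; the function names, the choice of the "F" flag (the message does not say which flag spampot uses) and the two sample messages are assumptions constructed for illustration.

```python
import ipaddress
import mailbox
import re

# Assumption: the address the honeypot listens on (taken from the sample Subject).
HONEYPOT_IPS = {ipaddress.ip_address("192.168.1.2")}

# Candidate dotted quads; ipaddress does the real validation below.
_IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed samples: a probe shaped like the one quoted, and a near miss.
SAMPLE_PROBE = (b"From: probe@example.invalid\r\nTo: probe@example.invalid\r\n"
                b"Subject: 192.168.1.2\r\nX-Library: Indy 8.0.25\r\n\r\n"
                b"t_Smtp.LocalIP\r\n")
SAMPLE_OTHER = (b"From: someone@example.invalid\r\nTo: you@example.invalid\r\n"
                b"Subject: relay test 192.168.1.20\r\n\r\nhello\r\n")


def is_probe(msg, honeypot_ips=HONEYPOT_IPS):
    """Return True if the Subject contains one of the honeypot's own addresses."""
    subject = str(msg.get("Subject", ""))
    for candidate in _IPV4.findall(subject):
        try:
            if ipaddress.ip_address(candidate) in honeypot_ips:
                return True
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
    return False


def file_message(maildir, raw):
    """Store a raw message in maildir, flagging probes. Returns (key, is_probe)."""
    msg = mailbox.MaildirMessage(raw)
    probe = is_probe(msg)
    if probe:
        msg.add_flag("F")  # assumed flag choice; shows as flagged in mutt
    msg.set_subdir("cur")  # Maildir flags are only meaningful under cur/
    return maildir.add(msg), probe


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        pot = mailbox.Maildir(tmp + "/pot", create=True)
        for raw in (SAMPLE_PROBE, SAMPLE_OTHER):
            key, probe = file_message(pot, raw)
            print(key, "probe" if probe else "everything else")
```

Matching on whole parsed addresses rather than substrings keeps a Subject such as 192.168.1.20 from being counted as a probe for 192.168.1.2.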


