[Spambayes] spampot -- spam honeypot server

Tim Stone - Four Stones Expressions tim at fourstonesExpressions.com
Mon Jan 20 21:28:52 EST 2003

Probe detection.... looks like a job for spambayes... - TimS  ;)

1/20/2003 5:16:00 PM, "Neale Pickett" <neale at woozle.org> wrote:

>Skip Montanaro <skip at pobox.com> writes:
>
>> Neale,
>>
>> Hopefully I won't sound too much like an idiot, but what's a "probe
>> message"?  How do you classify messages which come into spampot, just
>> "probe message" and "everything else"?
>
>So when you kick up a mail server, you'll get a lot of messages like
>
>  SMTP-Hello: master-cv7889w2
>  SMTP-Mail-From: <china9988 at 21cn.com>
>  SMTP-Rcpt-To: <china9988 at 21cn.com>
>  From: china9988 at 21cn.com
>  Subject:
>  To: china9988 at 21cn.com
>  Date: Thu, 16 Jan 2003 21:48:41 +0900
>  X-Priority: 3
>  X-Library: Indy 8.0.25
>  t_Smtp.LocalIP
>
>This is one of the more baffling probes, since china9988 at 21cn.com gives
>NDRs--maybe really old spam software.  But all of the probes I've seen
>so far have the IP address of my honeypot server in the subject line.  It
>makes sense--send out mail blindly, and anything you get back has the IP
>address of an open relay in the subject line.
>
>And yes, currently I only classify as "probe" and "everything else".  I
>do this with Maildir flags, though there's really no reason why it
>should have to be in Maildir format, aside from making it easy to view
>with mutt.
>
>Right now my probe detection logic needs work :)

c'est moi - TimS
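
The check described in the quoted message (a probe carries the honeypot's own IP address in its Subject line, and probes are marked with Maildir flags), as an added example that is not spampot's code or anything posted in this thread. The address 192.0.2.25, the choice of the Maildir `F` flag, and the names `is_probe` and `flag_probes` are assumptions made for illustration.

```python
import email
import mailbox
import re
from email import policy

# Assumption: the honeypot's own address (documentation-range sample value).
HONEYPOT_IPS = ["192.0.2.25"]

# Constructed sample, shaped like the probe quoted above but with the
# honeypot address filled into the Subject line.
SAMPLE_PROBE = (b"From: sender@example.com\r\nTo: sender@example.com\r\n"
                b"Subject: 192.0.2.25\r\nX-Priority: 3\r\n\r\ntest\r\n")

def _ip_pattern(ips):
    # Match an address only when it is not part of a longer dotted number,
    # so 192.0.2.25 does not match inside 192.0.2.250 or 1192.0.2.25.
    alts = "|".join(re.escape(ip) for ip in ips)
    return re.compile(r"(?<![\d.])(?:%s)(?!\d)(?!\.\d)" % alts)

def is_probe(raw, ips=HONEYPOT_IPS):
    """True if the Subject header carries one of the honeypot's addresses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))  # policy.default decodes RFC 2047
    return bool(_ip_pattern(ips).search(subject))

def flag_probes(maildir_path, ips=HONEYPOT_IPS):
    """Set the Maildir 'F' flag on every probe; return the flagged keys."""
    box = mailbox.Maildir(maildir_path, create=True)
    flagged = []
    for key in box.keys():
        if not is_probe(box.get_bytes(key), ips):
            continue  # "everything else": left untouched
        msg = box[key]
        msg.set_subdir("cur")  # flags belong on messages in cur/
        msg.add_flag("F")      # assumption: 'F' (flagged) marks a probe
        box[key] = msg         # rewrites the file name, key is preserved
        flagged.append(key)
    return flagged

if __name__ == "__main__":
    print(is_probe(SAMPLE_PROBE))
```

Messages flagged this way show up as flagged in mutt, which keeps the two-way "probe" versus "everything else" split visible without any extra tooling.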
