Tuesday, 18 August 2015

Open SMTP relay search - gogo@linwayedm.com.tw

I received the following request on all of my honeypots
BEGIN OF SMTP DATA
177.70.77.242
Country: BR RiskScore: 5.7 Malware: []
uwfdphjcaq@163.com
gogo@linwayedm.com.tw
507
Message-ID: <KUOQLISRUMNOCFSJTHUIL@163.com>
From: "0806" <ltcxjrerz@163.com>
Reply-To: "0806" <darnexinwsq@163.com>
To: gogo@linwayedm.com.tw
Subject: BC_195.169.125.87
Date: Tue, 18 Aug 2015 09:31:21 +0500
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--585038594152556471"
X-Priority: 3
X-MSMail-Priority: Normal

----585038594152556471
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable



----585038594152556471--

End of Data
END OF DATA
Actually, I think this is pretty nice. The attacker searches for open SMTP relay servers by sending an email to gogo@linwayedm.com.tw with the subject BC_<IPaddress>: the subject carries the IP of the server being tested, so every copy that arrives in that mailbox identifies a server that relayed mail for a third party. So if you run a spam honeypot, you may want to subscribe :-)
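A check that flags this probe pattern in mail captured by a honeypot or MTA log, as an added example that is not part of the original post. The sample messages are constructed from the headers above with the attacker's sender addresses replaced by placeholders, and the set of domains the server is responsible for is an assumption.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address

# Constructed sample: the headers from the honeypot capture above, with
# the sender addresses replaced by placeholders.
PROBE_MESSAGE = """\
Message-ID: <placeholder@example.com>
From: "0806" <placeholder-from@example.com>
Reply-To: "0806" <placeholder-reply@example.com>
To: gogo@linwayedm.com.tw
Subject: BC_195.169.125.87
Date: Tue, 18 Aug 2015 09:31:21 +0500
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: text/plain

"""

# Constructed ordinary message addressed to a domain the server hosts.
LOCAL_MESSAGE = """\
From: alice@example.org
To: postmaster@honeypot.example
Subject: Delivery question

hello
"""

# Probe subject: "BC_" followed by the IPv4 address of the host under test.
PROBE_SUBJECT = re.compile(r"^BC_((?:\d{1,3}\.){3}\d{1,3})$")


def classify_relay_probe(raw_message, local_domains):
    """Return (probed_ip, collector_address) when raw_message looks like an
    open-relay probe, otherwise None.

    A probe asks the server to deliver, to a domain it does not host, a
    message whose subject names the IP being tested; a delivered copy tells
    the sender that the IP relays mail for third parties.
    """
    msg = message_from_string(raw_message, policy=default)
    match = PROBE_SUBJECT.match(str(msg["Subject"] or "").strip())
    if not match:
        return None
    try:
        ip_address(match.group(1))  # reject subjects like BC_999.1.1.1
    except ValueError:
        return None
    to_header = msg["To"]
    for addr in (to_header.addresses if to_header else ()):
        if addr.domain.lower() not in local_domains:
            return match.group(1), addr.addr_spec
    return None
```

Run the check over each DATA block a honeypot records; a hit gives you the collector address to block and the IP the attacker believes it is testing.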


Blacklist Status: BLACKLISTED 5/40
IP Address: 177.70.77.242
Reverse DNS: 242.77.70.177.mksnet.com.br
ASN: Unknown
ASN Owner: Unknown
ISP: Unknown
Continent: South America