spamversand

Honeypots

own rbl started

by scooba on May.08, 2010, under Honeypots, botnet

I finally managed to create my own RBL (realtime blocklist), fed by my honeypot.
All verified IPs which successfully attacked the honeypot are put into a database, which
provides an RBL for our MXes. The IPs are held for 24 hours, except those which have more than 50
successful attacks within the last day. I was wondering if there would be any mail hits to be seen
at all, since these are totally different attack vectors. But strangely enough, I could see
blocked emails because of the entries made by the honeypot. We will see how well this
performs.
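As an added example (not the post's own code, which is not shown), here is the listing logic such a honeypot-fed RBL needs, in Python: build the list from verified attack events with the 24-hour hold and the "more than 50 attacks in the last day" exception, reject anything that is not an IPv4 address before it can reach the zone, and answer lookups the way a DNSBL does (reversed octets under the zone, A 127.0.0.2 when listed). The post does not say how long heavy attackers are kept, so the one-week hold, the zone name rbl.example and the sample events are assumptions; the 24 hours are counted from the last attack.

```python
import ipaddress
from collections import defaultdict

HOLD_SECONDS = 24 * 3600            # every listed IP stays for 24 hours (from the post)
HEAVY_THRESHOLD = 50                # more than 50 successful attacks in a day ...
HEAVY_HOLD_SECONDS = 7 * 24 * 3600  # ... is kept longer; one week is an assumption
LISTED_ANSWER = "127.0.0.2"         # conventional DNSBL "listed" A record


def build_listing(events, now):
    """events: (ipv4 string, unix time) per verified successful attack.
    Returns {ip: expiry}; IPs whose expiry has already passed are dropped."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                    # never let garbage from the honeypot into the zone
        if addr.version == 4:
            by_ip[str(addr)].append(ts)
    listing = {}
    for ip, stamps in by_ip.items():
        last = max(stamps)
        recent = sum(1 for t in stamps if now - t <= HOLD_SECONDS)
        hold = HEAVY_HOLD_SECONDS if recent > HEAVY_THRESHOLD else HOLD_SECONDS
        if last + hold > now:
            listing[ip] = last + hold
    return listing


def dnsbl_qname(ip, zone):
    """DNSBL convention: the MX queries the reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(listing, qname, zone):
    """Answer a query the way the RBL's DNS server would: A 127.0.0.2 if listed, else NXDOMAIN (None)."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    ip = ".".join(reversed(qname[:-len(suffix)].split(".")))
    return LISTED_ANSWER if ip in listing else None


def zone_records(listing, zone, now):
    """Render BIND-style records for everything still listed."""
    lines = []
    for ip, expiry in sorted(listing.items()):
        hours = (expiry - now) // 3600
        lines.append(f"{dnsbl_qname(ip, zone)}. IN A {LISTED_ANSWER}")
        lines.append(f'{dnsbl_qname(ip, zone)}. IN TXT "honeypot hit, {hours}h left"')
    return lines


# Constructed sample data (documentation-range addresses, not real attackers)
SAMPLE_NOW = 1273300000
SAMPLE_EVENTS = (
    [("198.51.100.7", SAMPLE_NOW - s) for s in (7200, 3600, 600)]   # 3 hits today
    + [("203.0.113.9", SAMPLE_NOW - 60 * i) for i in range(60)]     # 60 hits in an hour
    + [("192.0.2.44", SAMPLE_NOW - 30 * 3600)]                      # one hit 30h ago: expired
    + [("not-an-ip", SAMPLE_NOW)]                                   # must be ignored
)
SAMPLE_ZONE = "rbl.example"


def sample_listing():
    return build_listing(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for line in zone_records(sample_listing(), SAMPLE_ZONE, SAMPLE_NOW):
        print(line)
```

On the MX side, Postfix consumes such a zone with `reject_rbl_client rbl.example` in smtpd_recipient_restrictions; any A record in 127.0.0.0/8 counts as listed, so the 127.0.0.2 value is only a convention.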


50,000 complaints

by scooba on Oct.15, 2009, under Honeypots

Wow.. I finally crossed the 50,000 complaints line. I got about 18,600 replies to
my complaints, either autoreplies from abuse departments, activity statements from the
providers, or "over quota" or similar bounce messages from abuse mailboxes.
I hope that this service does something good.


20,000 complaints

by scooba on Aug.19, 2009, under Honeypots

Since I began sending automated complaints about attacks on my honeypot, the system has sent out more than 20,000 emails. Some positive reactions have reached me, so I hope that this service is somewhat helpful. The bounces from unreachable abuse addresses are funny.. I will put them on a different page soon.


New Honeypot

by scooba on Jun.16, 2009, under Honeypots

The nepenthes team members have been busy working on a new (low-interaction) honeypot.
The name dionaea is taken from another carnivorous plant. Here is the link to the project homepage. Sounds interesting, since it is written in C with Python modules attached.


submit-mwserv.conf

by scooba on Jan.01, 2009, under Honeypots

When dealing with the submit modules of nepenthes, you will find several notices about the favourite one of the nepenthes authors, namely submit-mwserv (with the corresponding submit-mwserv.conf file).
However, there is no hint on how to write the necessary 'submit' application on the receiving server side..
To see what data is actually sent, I set up a listening socket and wrote the incoming raw data to a file.
It looked like this:

POST /heartbeat HTTP/1.1
User-Agent: nepenthes 0.2.2 (Linux, x86, g++)
Host: www.spamversand.de:8989
Accept: */*
Content-Length: 487
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------285dc72e916a

A normal HTTP POST request. Not entirely normal though, because the Expect: 100-continue header was new to me. A quick Google check found RFC 2616, section 8.2.3, "Use of the 100 (Continue) Status": the client sends only the headers first and waits for a 100 Continue status line before it transmits the body, so a receiver that never answers with 100 will never see the multipart data. So I will answer the request with a "100" response and see what data follows..
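As an added example (not the post's or the nepenthes project's code), here is a minimal Python receiver for the request above: it parses the request head, sends the interim 100 Continue when the client asks for it, reads exactly Content-Length bytes, and splits the multipart/form-data body on the boundary from the Content-Type header. The request line and headers in the sample are taken from the capture; the body, the field names (sensor, sample), the listening port and the 16 MB size cap are assumptions, since the page does not show what follows the headers.

```python
import re
import socket

CRLF = b"\r\n"
MAX_BODY = 16 * 1024 * 1024   # refuse absurd Content-Length values (assumed limit)


def parse_request_head(head):
    """Split 'POST /heartbeat HTTP/1.1' plus headers into (method, path, {name: value})."""
    lines = head.split(CRLF)
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def interim_response(headers):
    """RFC 2616 8.2.3: a client that sent 'Expect: 100-continue' waits for a 100
    status line before transmitting the body; otherwise nothing is sent."""
    if headers.get("expect", "").lower() == "100-continue":
        return b"HTTP/1.1 100 Continue" + CRLF + CRLF
    return b""


def multipart_boundary(headers):
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    return m.group(1).encode("ascii") if m else None


def parse_multipart(body, boundary):
    """Return [(field name, filename or None, data bytes)] for each part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(CRLF):
            chunk = chunk[2:]
        head, sep, data = chunk.partition(CRLF + CRLF)
        if not sep:
            continue
        if data.endswith(CRLF):              # that CRLF belongs to the next delimiter
            data = data[:-2]
        disposition = ""
        for line in head.split(CRLF):
            name, _, value = line.decode("latin-1").partition(":")
            if name.strip().lower() == "content-disposition":
                disposition = value
        field = re.search(r'(?<!file)name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append((field.group(1) if field else None,
                      fname.group(1) if fname else None, data))
    return parts


def parse_raw_request(raw):
    """Parse a complete request (head + body), e.g. one dumped to a file."""
    head, body = raw.split(CRLF + CRLF, 1)
    method, path, headers = parse_request_head(head)
    boundary = multipart_boundary(headers)
    return method, path, parse_multipart(body, boundary) if boundary else []


def handle_connection(conn):
    """Read one request from a socket, honouring Expect: 100-continue."""
    buf = b""
    while CRLF + CRLF not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, body = buf.split(CRLF + CRLF, 1)
    method, path, headers = parse_request_head(head)
    length = int(headers.get("content-length", "0"))
    if length > MAX_BODY:
        conn.sendall(b"HTTP/1.1 413 Request Entity Too Large" + CRLF + CRLF)
        return None
    conn.sendall(interim_response(headers))     # the client is blocked until this arrives
    while len(body) < length:
        chunk = conn.recv(min(65536, length - len(body)))
        if not chunk:
            break
        body += chunk
    boundary = multipart_boundary(headers)
    parts = parse_multipart(body[:length], boundary) if boundary else []
    conn.sendall(b"HTTP/1.1 200 OK" + CRLF + b"Content-Length: 0" + CRLF
                 + b"Connection: close" + CRLF + CRLF)
    return method, path, parts


def serve(port=8989):
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, addr = srv.accept()
            with conn:
                result = handle_connection(conn)
                if result:
                    method, path, parts = result
                    print(addr, method, path, [(n, f, len(d)) for n, f, d in parts])


# Constructed sample: head as captured, body assumed (one text field, one binary file)
SAMPLE_BOUNDARY = b"----------------------------285dc72e916a"
SAMPLE_BODY = (b"--" + SAMPLE_BOUNDARY + CRLF
               + b'Content-Disposition: form-data; name="sensor"' + CRLF + CRLF
               + b"honeypot-1" + CRLF
               + b"--" + SAMPLE_BOUNDARY + CRLF
               + b'Content-Disposition: form-data; name="sample"; filename="a.bin"' + CRLF
               + b"Content-Type: application/octet-stream" + CRLF + CRLF
               + b"MZ\x90\x00" + CRLF
               + b"--" + SAMPLE_BOUNDARY + b"--" + CRLF)
SAMPLE_REQUEST = (b"POST /heartbeat HTTP/1.1" + CRLF
                  + b"User-Agent: nepenthes 0.2.2 (Linux, x86, g++)" + CRLF
                  + b"Host: www.spamversand.de:8989" + CRLF
                  + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + CRLF
                  + b"Expect: 100-continue" + CRLF
                  + b"Content-Type: multipart/form-data; boundary=" + SAMPLE_BOUNDARY
                  + CRLF + CRLF + SAMPLE_BODY)

if __name__ == "__main__":
    serve()
```

Run it with the honeypot pointed at the port and the printed tuples show which multipart fields the submit module really sends; the Content-Length cap matters because an attacker-controlled sensor can announce any size it likes.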


New Sandbox

by scooba on Dec.29, 2008, under Honeypots

In addition to well-known sandboxes like Norman or CWSandbox there is a new one
out: Zero Wine, a malware analysis tool written in Python. According to the project it produces:

1. Report: the complete raw report of all the APIs called by the malware. Hard to follow and hard to understand (a 10 MB report is not uncommon).
2. Strings: just the output of the typical Unix command "strings".
3. File headers: all the information gathered from the PE using the library pefile.
4. Signature: the signature report is an extract of the full raw report with the most interesting calls.

It is an open SourceForge project, so you might want to look at it. I personally like the output of CWSandbox a lot more.. :-)


honeyd: insecure temporary file usage

by scooba on Dec.15, 2008, under Honeypots

There was a posting on the "Full Disclosure" mailing list showing that Dmitry E. Oboukhov reported insecure temporary file usage in the "test.sh" script, leaving honeyd vulnerable to local attackers (at least on Gentoo Linux). The affected versions:

-------------------------------------------------------------------
     Package                     /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  net-analyzer/honeyd            < 1.5c-r1       >= 1.5c-r1
NepenthesFE

by scooba on Dec.10, 2008, under Honeypots

Are you running a nepenthes honeypot and want to see what is going on? Try this visualizing software from Emre Bastuz and get some nice stats.

http://www.emre.de/wiki/NepenthesFE

