newish style of formmail attempts

From: Walter Roberson (roberson@ibd.nrc.ca)
Date: 09/26/02


From: roberson@ibd.nrc.ca (Walter Roberson)
Date: 25 Sep 2002 23:02:42 GMT

I operate a formmail honeypot: abusers are shown the interface
as if it's a vulnerable server, but instead of sending the
messages to the abuser's intended victims, my program merely logs
the details instead.

It's amusing sometimes to allow one of the various probe messages to
go through (Jupz!); invariably within a day or two, someone tries to
use the system to send a few thousand spams.

In the past, the attempted formmail bombs have lasted for several
hours, usually all from the same IP address, but occasionally switching
IP addresses part way through. One time the address switched twice
over about 14 hours.

Today, though, I logged a noticeably different run. There was a large
consistent-IP run last night into late this morning (mortgage referrals,
something like that), and then this afternoon the new run showed up. In
the new run, every message was the same body content (a sex cam),
but every attempt has a different source IP.

What this means is that someone now has a tool for controlling thousands
of sites, and is using the tool to do formmail runs.

Considering the timings, it seems most likely that the tool is
triggering the puppets in succession; it is plausible, though, that the
honeypot site has merely been added in to a list of sites to be used at
random -- I would expect a bit more clustering if that were true, though.

Ah, interesting, in the last few minutes, another distributed formmail
run has started up (a very different webcam message); the original
is still going on as of this writing.

If someone cares about the detailed traces, drop me a note.

--
millihamlet: the average coherency of prose created by a single monkey
typing randomly on a keyboard. Usenet postings may be rated in mHl.
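The two kinds of run described in the post (a consistent-IP run that may switch address part way through, versus the same body arriving from a different address every time) can be told apart from the honeypot's own log. The following is an added illustration, not Walter Roberson's honeypot code: it assumes a constructed log format of one attempt per line, "timestamp, source IP, digest of the message body", groups attempts by body digest and reports how many distinct source addresses each run used and over what time span. The sample attempts, addresses and thresholds are all constructed for the example.

```python
"""Classify formmail-honeypot runs as single-source or distributed.

Added example, not the honeypot code from the post. Assumed log format
(constructed): one attempt per line, "<ISO timestamp> <source IP> <body digest>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import hashlib


def fingerprint(body: str) -> str:
    """Stable 12-hex-digit digest of a message body, so the log keeps no
    spam text and identical bodies still group together."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:12]


# Constructed sample attempts (timestamp, source IP, body). The mortgage
# run is one sender that switches address part way through; the webcam
# run is the same body from a different address on every attempt.
_ATTEMPTS = [
    ("2002-09-25T01:00:00", "203.0.113.9", "probe test"),
    ("2002-09-25T02:00:00", "192.0.2.10", "mortgage refinance offer"),
    ("2002-09-25T02:30:00", "192.0.2.10", "mortgage refinance offer"),
    ("2002-09-25T03:00:00", "192.0.2.10", "mortgage refinance offer"),
    ("2002-09-25T09:00:00", "192.0.2.11", "mortgage refinance offer"),
    ("2002-09-25T09:30:00", "192.0.2.11", "mortgage refinance offer"),
    ("2002-09-25T14:00:00", "198.51.100.1", "live webcam"),
    ("2002-09-25T14:00:05", "198.51.100.2", "live webcam"),
    ("2002-09-25T14:00:10", "198.51.100.3", "live webcam"),
    ("2002-09-25T14:00:15", "198.51.100.4", "live webcam"),
    ("2002-09-25T14:00:20", "198.51.100.5", "live webcam"),
    ("2002-09-25T14:00:25", "198.51.100.6", "live webcam"),
]
SAMPLE_LOG = "\n".join(f"{t} {ip} {fingerprint(b)}" for t, ip, b in _ATTEMPTS)


@dataclass
class RunSummary:
    digest: str          # body fingerprint that defines the run
    attempts: int        # total attempts seen with this body
    distinct_ips: int    # how many different source addresses were used
    span_seconds: float  # time between first and last attempt
    kind: str            # "probe", "single-source" or "distributed"


def parse_log(text: str):
    """Yield (timestamp, ip, digest) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, digest = line.split()
        yield datetime.fromisoformat(ts), ip, digest


def summarize_runs(text: str, distributed_ratio: float = 0.8,
                   min_attempts: int = 3) -> dict:
    """Group attempts by body digest and classify each run.

    A run whose distinct-IP count divided by its attempt count reaches
    distributed_ratio is called "distributed"; fewer than min_attempts
    attempts is treated as a probe rather than a run. Both thresholds are
    constructed for this example.
    """
    runs = defaultdict(list)
    for ts, ip, digest in parse_log(text):
        runs[digest].append((ts, ip))

    summaries = {}
    for digest, events in runs.items():
        ips = {ip for _, ip in events}
        times = sorted(ts for ts, _ in events)
        n = len(events)
        if n < min_attempts:
            kind = "probe"
        elif len(ips) / n >= distributed_ratio:
            kind = "distributed"
        else:
            kind = "single-source"
        span = (times[-1] - times[0]).total_seconds()
        summaries[digest] = RunSummary(digest, n, len(ips), span, kind)
    return summaries


if __name__ == "__main__":
    for s in summarize_runs(SAMPLE_LOG).values():
        print(f"{s.digest}  {s.kind:13s} attempts={s.attempts} "
              f"ips={s.distinct_ips} span={s.span_seconds:.0f}s")
```

The ratio threshold is deliberately simple: a single sender that switches address once or twice over many hours still scores low, while a run that uses a fresh address per attempt scores 1.0. On a real honeypot log the same grouping also gives the inter-attempt timing that the post reasons about (puppets fired in succession versus a site picked at random from a list).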