id: mailoney-honeypot-detect

info:
  name: Mailoney Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A Mailoney (SMTP) honeypot has been identified.
    The response to the 'HELP' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 1
    vendor: mailoney
    product: exim
    shodan-query: cpe:"cpe:2.3:a:exim:exim"
  tags: mailoney,exim,smtp,honeypot,ir,cti,network,tcp
tcp:
  - inputs:
      - data: "HELP\r\n"
        read: 1024

    host:
      - "{{Hostname}}"
    port: 25
    read-size: 1024

    matchers:
      - type: word
        words:
          - "502 Error: command \"HELP\" not implemented"
# digest: 490a0046304402201d4492d2d26403ba17d155a725e71627a8655968f9e34bf09ece9948fdb2ff34022011b3eb29abd7fa6490c6dac7fcfefec7c906b2465f375441f489bfe67804c1bd:922c64590222798bb761d5b6d8e72950