Gentoo Forums - Networking & Security

[SOLVED] Strange? TLS connections to smtp-server
freke (Guru)
Posted: Fri Sep 06, 2019 11:09 pm    Post subject: [SOLVED] Strange? TLS connections to smtp-server

Hi,

I've recently (last couple of days?) started to see this in my logs
Code:
Sep  7 01:02:16 mail postfix/smtpd[20786]: connect from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-paris.proxy-research.com[15.188.24.147]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:17 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: disconnect from Starttls-paris.proxy-research.com[15.188.24.147] ehlo=2 starttls=1 commands=3
Sep  7 01:02:20 mail postfix/smtpd[20786]: connect from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-virginia.proxy-research.com[34.227.19.103]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:21 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: disconnect from starttls-virginia.proxy-research.com[34.227.19.103] ehlo=2 starttls=1 commands=3
Sep  7 01:02:36 mail postfix/smtpd[20786]: connect from starttls-oregon.proxy-research.com[54.187.79.149]
Sep  7 01:02:37 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-oregon.proxy-research.com[54.187.79.149]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:38 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-oregon.proxy-research.com[54.187.79.149]
Sep  7 01:02:38 mail postfix/smtpd[20786]: disconnect from starttls-oregon.proxy-research.com[54.187.79.149] ehlo=2 starttls=1 commands=3
Sep  7 01:02:51 mail postfix/smtpd[20786]: connect from Starttls-saopaulo.proxy-research.com[54.94.237.221]
Sep  7 01:02:52 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-saopaulo.proxy-research.com[54.94.237.221]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:53 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-saopaulo.proxy-research.com[54.94.237.221]
Sep  7 01:02:53 mail postfix/smtpd[20786]: disconnect from Starttls-saopaulo.proxy-research.com[54.94.237.221] ehlo=2 starttls=1 commands=3
Sep  7 01:02:58 mail postfix/smtpd[20786]: connect from mail.proxy-research.com[15.164.73.143]
Sep  7 01:03:00 mail postfix/smtpd[20786]: Anonymous TLS connection established from mail.proxy-research.com[15.164.73.143]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:03:00 mail postfix/smtpd[20786]: lost connection after EHLO from mail.proxy-research.com[15.164.73.143]
Sep  7 01:03:00 mail postfix/smtpd[20786]: disconnect from mail.proxy-research.com[15.164.73.143] ehlo=2 starttls=1 commands=3
Sep  7 01:03:08 mail postfix/smtpd[20786]: connect from Starttls-sydney.proxy-research.com[3.104.129.119]
Sep  7 01:03:10 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-sydney.proxy-research.com[3.104.129.119]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:03:11 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-sydney.proxy-research.com[3.104.129.119]
Sep  7 01:03:11 mail postfix/smtpd[20786]: disconnect from Starttls-sydney.proxy-research.com[3.104.129.119] ehlo=2 starttls=1 commands=3

Does anyone know if these are *legit* - or what this is?

TIA


Last edited by freke on Sat Sep 07, 2019 4:19 pm; edited 1 time in total
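The pattern in those lines (connect, TLS handshake, EHLO, then the client hangs up with no MAIL/RCPT/DATA) is easier to spot across a whole log than by eye. The following Python script is an added example, not code from the post or from Postfix: it groups smtpd lines into sessions by pid, records the TLS parameters and the stage at which the connection was lost, and flags sessions that negotiated STARTTLS and then left without attempting delivery, which is what a certificate or capability collector looks like. The sample log embeds the first two sessions from the post plus one constructed ordinary delivery from mx.example.net (192.0.2.10 is documentation address space); the function names `parse_sessions`, `is_tls_probe` and `probes_by_domain` are chosen here. Note that Postfix logs the reverse name with whatever case DNS returned (Starttls-paris vs starttls-paris), so hostnames are lower-cased before grouping.

```python
import re
from collections import defaultdict

# Constructed sample: two sessions copied from the post plus one constructed
# normal delivery session (mx.example.net / 192.0.2.10 are placeholders).
SAMPLE_LOG = """\
Sep  7 01:02:16 mail postfix/smtpd[20786]: connect from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-paris.proxy-research.com[15.188.24.147]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:17 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: disconnect from Starttls-paris.proxy-research.com[15.188.24.147] ehlo=2 starttls=1 commands=3
Sep  7 01:02:20 mail postfix/smtpd[20786]: connect from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-virginia.proxy-research.com[34.227.19.103]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:21 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: disconnect from starttls-virginia.proxy-research.com[34.227.19.103] ehlo=2 starttls=1 commands=3
Sep  7 01:10:00 mail postfix/smtpd[20790]: connect from mx.example.net[192.0.2.10]
Sep  7 01:10:01 mail postfix/smtpd[20790]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  7 01:10:02 mail postfix/smtpd[20790]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]$")
TLS_RE = re.compile(r"^(?P<trust>\w+) TLS connection established from \S+\[[^\]]+\]: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from ")
DISC_RE = re.compile(r"^disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counters>.*)$")


def parse_sessions(log_text):
    """Group smtpd lines into sessions keyed by smtpd pid.
    A session runs from 'connect from' to 'disconnect from'."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            # reverse names are logged with inconsistent case, normalise before grouping
            open_sessions[pid] = {"host": c.group("host").lower(), "ip": c.group("ip"),
                                  "start": m.group("ts"), "tls": None,
                                  "lost_after": None, "counters": {}}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue
        t = TLS_RE.match(msg)
        if t:
            s["tls"] = (t.group("trust"), t.group("proto"), t.group("cipher"))
            continue
        lost = LOST_RE.match(msg)
        if lost:
            s["lost_after"] = lost.group("stage")
            continue
        d = DISC_RE.match(msg)
        if d:
            # Postfix only logs non-zero counters, e.g. "ehlo=2 starttls=1 commands=3"
            for kv in d.group("counters").split():
                k, _, v = kv.partition("=")
                s["counters"][k] = int(v)
            finished.append(open_sessions.pop(pid))
    return finished


def is_tls_probe(session):
    """A client that negotiates TLS and then drops without MAIL or DATA has collected the
    server certificate and EHLO capabilities but never tried to deliver mail."""
    c = session["counters"]
    return (session["tls"] is not None and c.get("starttls", 0) >= 1
            and not (c.get("mail") or c.get("data")))


def probes_by_domain(sessions):
    """Count probe sessions and distinct source IPs per parent domain
    (last two labels of the reverse DNS name)."""
    out = defaultdict(lambda: {"sessions": 0, "ips": set()})
    for s in sessions:
        if not is_tls_probe(s):
            continue
        domain = ".".join(s["host"].rsplit(".", 2)[-2:])
        out[domain]["sessions"] += 1
        out[domain]["ips"].add(s["ip"])
    return {d: {"sessions": v["sessions"], "ips": sorted(v["ips"])} for d, v in out.items()}


if __name__ == "__main__":
    for domain, info in probes_by_domain(parse_sessions(SAMPLE_LOG)).items():
        print(f"{domain}: {info['sessions']} probe sessions from {len(info['ips'])} IPs")
```

Run against a real `mail.log`, the output is a per-domain count of certificate-only sessions and how many source addresses they came from; many addresses under one young domain, all doing the same three commands, is what distinguishes a scanner or measurement project from a broken MTA.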
Ant P. (Watchman)
Posted: Fri Sep 06, 2019 11:58 pm

Probably malware scanners looking for the latest exim exploit.
NeddySeagoon (Administrator)
Posted: Sat Sep 07, 2019 12:03 am

freke,

Some gentle whois shows that some of those IPs are allocated to AWS and that
Code:
whois proxy-research.com

includes
Code:
    Registrar URL: http://www.godaddy.com
   Updated Date: 2019-05-01T16:02:41Z
   Creation Date: 2019-04-24T01:16:59Z
   Registry Expiry Date: 2020-04-24T01:16:59Z

The domain is a new registration, only registered for a year.

That the registrar is godaddy does not inspire confidence either.

I think you are being probed. It's unlikely to be directed at you. It's someone looking to see what they can find.
Drop everything that resolves to proxy-research.com.

Looking at http://proxy-research.com/ in a browser, it seems mostly harmless.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
freke (Guru)
Posted: Sat Sep 07, 2019 11:28 am

Thanks for the info NeddySeagoon :)

While I don't get why they would collect certificates from DANE-enabled servers every hour from multiple points (checking for MITM attacks?), it seems to be merely a project to measure DANE deployment for mail servers.
NeddySeagoon (Administrator)
Posted: Sat Sep 07, 2019 11:33 am

freke,

The web page says you can ask them not to.
Hu (Moderator)
Posted: Sat Sep 07, 2019 3:38 pm

Perhaps they are repeatedly polling to see if the targeted IP is a load balancer that resolves to different underlying servers, some of which have DANE enabled and some of which do not. Testing from multiple sources could be an implementation detail caused by how they spread out the jobs on their side, or it could be an attempt to probe whether your endpoint always resolves to the same host and offers the same configuration, regardless of client source address.
freke (Guru)
Posted: Sat Sep 07, 2019 4:19 pm

I sent a mail to one of the contacts and got this.

Quote:
Dear Kim,

Thanks for understanding our connection. We're only connecting the domains that support DANE.
One of the reasons why we're connecting them every hour is to observe how well they roll-over their keys.
As you know, if the public key (or certificate) served on STARTTLS is updated, the corresponding TLSA record must be updated beforehand.
However, we have observed that many of those domains do not consider the TTL of TLSA records, and sometimes forget to update TLSA records (after switching certificates) or update TLSA records later.

Hope this might be a good answer to your question.

Thanks a lot and please let me know if you have any questions.

Best Regards
Taejoong Chung

Assistant Professor
B. Thomas Golisano College of Computing and Information Sciences
Rochester Institute of Technology
20 Lomb Memorial Dr
Rochester, NY 14623



On Sat, Sep 7, 2019 at 11:23 AM <xxxx@vlh.dk> wrote:
Hi,

I recently discovered connections every hour from *.proxy-research.com – probably after enabling DANE for my SMTP-server.

Your connections seem quite harmless – I’m just wondering why you’re connecting so often?


As they're not doing any harm for now, I think I'll let this continue - I just got worried when I saw them connecting every hour yesterday.
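The reply quoted above names two concrete ways DANE-for-SMTP breaks at rollover: the TLSA record is never updated after the certificate changes, or it is updated but not far enough ahead of the switch for the old record set to have expired from resolver caches. The Python below is an added example written for this thread, not code from the poster, the researchers or Postfix. It computes the certificate association data of a TLSA record the way RFC 6698 defines it (selector 1 = DER SubjectPublicKeyInfo, matching type 1 = SHA-256), checks a certificate against a published record set, and applies the TTL rule: a record matching the new key must have been live for at least the TLSA TTL before the certificate is switched. The certificates are constructed X.509 skeletons with the real field layout but placeholder contents (no signature, 4-byte "keys"), so the script runs offline; `rollover_safe`, `cert_matches_tlsa` and `build_dummy_cert` are names chosen here, and only DANE-EE (usage 3) records are evaluated.

```python
import hashlib


def _read_tlv(buf, pos):
    """Return (tag, header_length, content_length) of the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _children(buf, pos, end):
    """Yield (tag, tlv_start, tlv_end) for each TLV packed in buf[pos:end]."""
    while pos < end:
        tag, hl, cl = _read_tlv(buf, pos)
        yield tag, pos, pos + hl + cl
        pos += hl + cl


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, sigAlg, sigValue }"""
    _, hl, cl = _read_tlv(cert_der, 0)
    _, tbs_start, tbs_end = next(_children(cert_der, hl, hl + cl))
    _, thl, _ = _read_tlv(cert_der, tbs_start)
    fields = list(_children(cert_der, tbs_start + thl, tbs_end))
    idx = 6 if fields[0][0] == 0xA0 else 5      # explicit [0] version shifts SPKI by one
    _, start, end = fields[idx]
    return cert_der[start:end]


def tlsa_data(cert_der, selector, matching_type):
    """Association data as it appears in a TLSA RR, lowercase hex.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512"""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data.hex()
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type")


def cert_matches_tlsa(cert_der, records):
    """True if some (usage, selector, matching_type, hexdata) DANE-EE record matches the cert."""
    return any(u == 3 and tlsa_data(cert_der, s, m) == h.lower() for u, s, m, h in records)


def rollover_safe(new_cert_der, published, ttl_seconds, switch_time):
    """The TTL failure mode from the quoted email: a record for the NEW key must have been
    live for at least the TLSA TTL before the switch, or caches may still hand out a record
    set that rejects the new certificate.
    published: {(usage, selector, matching_type, hexdata): unix_time_first_published}"""
    return any(u == 3 and tlsa_data(new_cert_der, s, m) == h.lower()
               and switch_time - since >= ttl_seconds
               for (u, s, m, h), since in published.items())


def _der(tag, content):
    """Minimal DER encoder used only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_dummy_cert(public_key_bits):
    """Constructed X.509 skeleton: correct field order, placeholder contents, unsigned."""
    rsa_oid = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1 rsaEncryption
    spki = _der(0x30, _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b""))
                + _der(0x03, b"\x00" + public_key_bits))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")     # version v3, serial 1
           + _der(0x30, b"") * 4                                      # sigAlg, issuer, validity, subject (empty)
           + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


OLD_CERT = build_dummy_cert(b"\x01\x02\x03\x04")
NEW_CERT = build_dummy_cert(b"\x05\x06\x07\x08")
OLD_RECORD = (3, 1, 1, tlsa_data(OLD_CERT, 1, 1))       # "3 1 1 <sha256 of old SPKI>"
NEW_RECORD = (3, 1, 1, tlsa_data(NEW_CERT, 1, 1))
TTL = 3600                                               # constructed TLSA TTL of one hour

if __name__ == "__main__":
    live = {OLD_RECORD: 0, NEW_RECORD: 1_000_000}        # NEW_RECORD published at t=1_000_000
    print("new cert vs old record only :", cert_matches_tlsa(NEW_CERT, [OLD_RECORD]))
    print("switch 10 min after publish :", rollover_safe(NEW_CERT, live, TTL, 1_000_600))
    print("switch 2 h after publish    :", rollover_safe(NEW_CERT, live, TTL, 1_007_200))
```

With a real server you would read the DER certificate from disk, fetch the current record set with `dig TLSA _25._tcp.<mx-hostname>` and feed both to `cert_matches_tlsa`; the hourly external poll described in the email is doing essentially that comparison from outside, which is why it catches the operators who swap the certificate first and fix the DNS afterwards.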