freke Guru

Joined: 23 Jan 2003 Posts: 505 Location: Somewhere in Denmark
Posted: Fri Sep 06, 2019 11:09 pm Post subject: [SOLVED] Strange? TLS connections to smtp-server
Hi,
I've recently (last couple of days?) started to see this in my logs:
Code:
Sep 7 01:02:16 mail postfix/smtpd[20786]: connect from Starttls-paris.proxy-research.com[15.188.24.147]
Sep 7 01:02:17 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-paris.proxy-research.com[15.188.24.147]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 01:02:17 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-paris.proxy-research.com[15.188.24.147]
Sep 7 01:02:17 mail postfix/smtpd[20786]: disconnect from Starttls-paris.proxy-research.com[15.188.24.147] ehlo=2 starttls=1 commands=3
Sep 7 01:02:20 mail postfix/smtpd[20786]: connect from starttls-virginia.proxy-research.com[34.227.19.103]
Sep 7 01:02:21 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-virginia.proxy-research.com[34.227.19.103]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 01:02:21 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-virginia.proxy-research.com[34.227.19.103]
Sep 7 01:02:21 mail postfix/smtpd[20786]: disconnect from starttls-virginia.proxy-research.com[34.227.19.103] ehlo=2 starttls=1 commands=3
Sep 7 01:02:36 mail postfix/smtpd[20786]: connect from starttls-oregon.proxy-research.com[54.187.79.149]
Sep 7 01:02:37 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-oregon.proxy-research.com[54.187.79.149]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 01:02:38 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-oregon.proxy-research.com[54.187.79.149]
Sep 7 01:02:38 mail postfix/smtpd[20786]: disconnect from starttls-oregon.proxy-research.com[54.187.79.149] ehlo=2 starttls=1 commands=3
Sep 7 01:02:51 mail postfix/smtpd[20786]: connect from Starttls-saopaulo.proxy-research.com[54.94.237.221]
Sep 7 01:02:52 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-saopaulo.proxy-research.com[54.94.237.221]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 01:02:53 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-saopaulo.proxy-research.com[54.94.237.221]
Sep 7 01:02:53 mail postfix/smtpd[20786]: disconnect from Starttls-saopaulo.proxy-research.com[54.94.237.221] ehlo=2 starttls=1 commands=3
Sep 7 01:02:58 mail postfix/smtpd[20786]: connect from mail.proxy-research.com[15.164.73.143]
Sep 7 01:03:00 mail postfix/smtpd[20786]: Anonymous TLS connection established from mail.proxy-research.com[15.164.73.143]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 01:03:00 mail postfix/smtpd[20786]: lost connection after EHLO from mail.proxy-research.com[15.164.73.143]
Sep 7 01:03:00 mail postfix/smtpd[20786]: disconnect from mail.proxy-research.com[15.164.73.143] ehlo=2 starttls=1 commands=3
Sep 7 01:03:08 mail postfix/smtpd[20786]: connect from Starttls-sydney.proxy-research.com[3.104.129.119]
Sep 7 01:03:10 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-sydney.proxy-research.com[3.104.129.119]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 7 01:03:11 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-sydney.proxy-research.com[3.104.129.119]
Sep 7 01:03:11 mail postfix/smtpd[20786]: disconnect from Starttls-sydney.proxy-research.com[3.104.129.119] ehlo=2 starttls=1 commands=3
Does anyone know if these are *legit* - or what this is?
TIA
Last edited by freke on Sat Sep 07, 2019 4:19 pm; edited 1 time in total
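As an added example (not part of freke's post or anything else in this thread), the script below parses postfix/smtpd log lines of the shape quoted above, groups sessions by the connecting host's parent domain, and flags domains whose every session negotiated STARTTLS and then went away after EHLO without a MAIL/RCPT/DATA command, from more than one source address. That is the signature of a TLS-configuration scanner rather than a mail sender. The sample log is constructed to mirror the post (with one ordinary delivery added), and the two-label domain grouping and the two-source threshold are my assumptions, not anything the thread states.

```python
"""Summarise postfix/smtpd sessions per client domain and flag TLS probes.

Added example, not from the forum thread. Standard library only.
"""
import re
from collections import defaultdict

# Constructed sample log: the probe lines mirror those quoted in the post,
# the mx.example.org session is an ordinary delivery for contrast.
SAMPLE_LOG = """\
Sep  7 01:02:16 mail postfix/smtpd[20786]: connect from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-paris.proxy-research.com[15.188.24.147]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:17 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: disconnect from Starttls-paris.proxy-research.com[15.188.24.147] ehlo=2 starttls=1 commands=3
Sep  7 01:02:20 mail postfix/smtpd[20786]: connect from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-virginia.proxy-research.com[34.227.19.103]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:21 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: disconnect from starttls-virginia.proxy-research.com[34.227.19.103] ehlo=2 starttls=1 commands=3
Sep  7 01:05:02 mail postfix/smtpd[20790]: connect from mx.example.org[192.0.2.10]
Sep  7 01:05:03 mail postfix/smtpd[20790]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep  7 01:05:04 mail postfix/smtpd[20790]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# The per-command counters postfix appends to its "disconnect from" line.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\] (?P<counts>.+)$")
LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after (?P<stage>\S+) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]")


def parse_counts(counts: str) -> dict:
    """'ehlo=2 starttls=1 commands=3' -> {'ehlo': 2, 'starttls': 1, 'commands': 3}."""
    return {k: int(v) for k, v in (kv.split("=") for kv in counts.split())}


def parent_domain(host: str, labels: int = 2) -> str:
    """Crude grouping key: the last two labels, lower-cased (assumption, no public-suffix list)."""
    return ".".join(host.lower().split(".")[-labels:])


def is_tls_probe(counts: dict) -> bool:
    """STARTTLS was negotiated but no mail transaction was even attempted."""
    transaction_cmds = ("mail", "rcpt", "data", "auth", "vrfy")
    return counts.get("starttls", 0) >= 1 and not any(counts.get(c, 0) for c in transaction_cmds)


def summarize(log_text: str) -> dict:
    """Per parent domain: session count, probe count, EHLO drops and distinct source IPs."""
    per_domain = defaultdict(lambda: {"sessions": 0, "tls_probes": 0, "lost_after_ehlo": 0, "ips": set()})
    for line in log_text.splitlines():
        line = line.strip()
        lost = LOST_RE.search(line)
        if lost:
            if lost.group("stage").upper() == "EHLO":
                per_domain[parent_domain(lost.group("host"))]["lost_after_ehlo"] += 1
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue  # connect / TLS-established lines carry nothing we need here
        entry = per_domain[parent_domain(m.group("host"))]
        entry["sessions"] += 1
        entry["ips"].add(m.group("ip"))
        if is_tls_probe(parse_counts(m.group("counts"))):
            entry["tls_probes"] += 1
    return dict(per_domain)


def flag_scanners(summary: dict, min_sources: int = 2) -> list:
    """Domains whose sessions were all probes and came from >= min_sources IPs (threshold is an assumption)."""
    return sorted(dom for dom, d in summary.items()
                  if d["sessions"] and d["tls_probes"] == d["sessions"] and len(d["ips"]) >= min_sources)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for dom, d in sorted(report.items()):
        print(f"{dom}: {d['sessions']} sessions, {d['tls_probes']} probes, "
              f"{d['lost_after_ehlo']} EHLO drops, {len(d['ips'])} source IPs")
    print("probe-only domains:", flag_scanners(report))
```

Pipe a real mail log through `summarize()` instead of `SAMPLE_LOG` to see which domains only ever probe; a domain that shows up here from several IPs on a fixed schedule is a scanner, whether benign research or reconnaissance, and is a candidate for the rate limit or firewall rule NeddySeagoon suggests below.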
Ant P. Watchman

Joined: 18 Apr 2009 Posts: 6027
Posted: Fri Sep 06, 2019 11:58 pm Post subject:
Probably malware scanners looking for the latest Exim exploit.
NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 44195 Location: 56N 3W
Posted: Sat Sep 07, 2019 12:03 am Post subject:
freke,
Some gentle whois shows that some of those IPs are allocated to AWS, and that
Code:
whois proxy-research.com
includes
Code:
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-01T16:02:41Z
Creation Date: 2019-04-24T01:16:59Z
Registry Expiry Date: 2020-04-24T01:16:59Z
The domain is a new registration, only registered for a year.
That the registrar is GoDaddy does not inspire confidence either.
I think you are being probed. It's unlikely to be directed at you. It's someone looking to see what they can find.
Drop everything that resolves to proxy-research.com.
Looking at http://proxy-research.com/ in a browser, it seems mostly harmless.

Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
freke Guru

Joined: 23 Jan 2003 Posts: 505 Location: Somewhere in Denmark
Posted: Sat Sep 07, 2019 11:28 am Post subject:
Thanks for the info, NeddySeagoon.
While I don't get why they would collect certificates from DANE-enabled servers every hour from multiple points (checking for MITM attacks?), it seems to be merely a project to measure DANE deployment for mail servers.
NeddySeagoon Administrator


Joined: 05 Jul 2003 Posts: 44195 Location: 56N 3W
Posted: Sat Sep 07, 2019 11:33 am Post subject:
freke,
The web page says you can ask them not to.

Regards,
NeddySeagoon
Hu Moderator

Joined: 06 Mar 2007 Posts: 14390
Posted: Sat Sep 07, 2019 3:38 pm Post subject:
Perhaps they are repeatedly polling to see if the targeted IP is a load balancer that resolves to different underlying servers, some of which have DANE enabled and some of which do not. Testing from multiple sources could be an implementation detail caused by how they spread out the jobs on their side, or it could be an attempt to probe whether your endpoint always resolves to the same host and offers the same configuration, regardless of client source address.
freke Guru

Joined: 23 Jan 2003 Posts: 505 Location: Somewhere in Denmark
Posted: Sat Sep 07, 2019 4:19 pm Post subject:
I sent a mail to one of the contacts and got this.
Quote:
Dear Kim,
Thanks for understanding our connection. We're only connecting the domains that support DANE.
One of the reasons why we're connecting them every hour is to observe how well they roll over their keys.
As you know, if the public key (or certificate) served on STARTTLS is updated, the corresponding TLSA record must be updated beforehand.
However, we have observed that many of those domains do not consider the TTL of TLSA records, and sometimes forget to update TLSA records (after switching certificates) or update TLSA records later.
Hope this might be a good answer to your question.
Thanks a lot and please let me know if you have any questions.
Best Regards
Taejoong Chung
Assistant Professor
B. Thomas Golisano College of Computing and Information Sciences
Rochester Institute of Technology
20 Lomb Memorial Dr
Rochester, NY 14623

On Sat, Sep 7, 2019 at 11:23 AM <xxxx@vlh.dk> wrote:
Hi,
I recently discovered connections every hour from *.proxy-research.com – probably after enabling DANE for my SMTP server.
Your connections seem quite harmless – I'm just wondering why you're connecting so often?

As they're not doing any harm for now, I think I'll let this continue - just got worried when I saw them connecting every hour yesterday.
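The failure Chung describes in the quoted mail is a timing one: a validating sender may cache your TLSA RRset for its full TTL, so if you swap the certificate and the record in the same minute, anyone who fetched the old RRset up to one TTL earlier will reject your new certificate. The following added example (my code, not the thread's and not the RIT project's) simulates that rule. It models a zone's TLSA RRset history with TTLs and a server's key history on a simulation clock, computes every RRset a correctly caching resolver could still hold at each change instant, and reports the instants at which some view lacks a record matching the key being served. The keys are constructed byte strings standing in for DER SubjectPublicKeyInfo (the "3 1 1" record is the SHA-256 of that), and the timestamps and TTL are assumptions.

```python
"""Check a DANE TLSA key rollover plan against resolver caching.

Added example, not from the forum thread. Standard library only.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: match the end-entity certificate itself
    selector: int  # 1 = SubjectPublicKeyInfo
    mtype: int     # 1 = SHA-256
    data: str      # hex digest as it appears in the zone


def tlsa_for_spki(spki: bytes) -> TLSA:
    """Build the '3 1 1' record for a DER SubjectPublicKeyInfo (constructed bytes here)."""
    return TLSA(3, 1, 1, hashlib.sha256(spki).hexdigest())


@dataclass(frozen=True)
class RRsetChange:
    at: int                 # simulation time from which the zone publishes this RRset
    ttl: int                # TTL of the RRset
    records: frozenset      # the complete TLSA RRset at that time


@dataclass(frozen=True)
class CertChange:
    at: int                 # simulation time from which the server presents this key
    spki: bytes


def visible_rrsets(history, t):
    """Every RRset some correctly behaving resolver could still hold at time t.

    An RRset published from p until the next change n can have been fetched at
    any instant in [p, n) and stays cached until fetch + ttl, so it may still be
    seen at t iff p <= t and min(n, t) + ttl > t.
    """
    history = sorted(history, key=lambda c: c.at)
    views = []
    for i, change in enumerate(history):
        if change.at > t:
            break
        nxt = history[i + 1].at if i + 1 < len(history) else float("inf")
        if nxt > t or nxt + change.ttl > t:
            views.append(change)
    return views


def served_spki(cert_history, t):
    """The key the MX presents at time t: the latest CertChange not after t."""
    current = [c for c in cert_history if c.at <= t]
    if not current:
        raise ValueError(f"no certificate in service at t={t}")
    return max(current, key=lambda c: c.at).spki


def check_rollover(tlsa_history, cert_history):
    """Return (time, rrset_published_at) pairs where a cached view cannot validate the served key.

    A mismatch can only start when the zone or the server changes, so checking
    every change instant covers the whole timeline.
    """
    problems = []
    for t in sorted({c.at for c in tlsa_history} | {c.at for c in cert_history}):
        want = tlsa_for_spki(served_spki(cert_history, t))
        for view in visible_rrsets(tlsa_history, t):
            if want not in view.records:
                problems.append((t, view.at))
    return problems


# Constructed stand-ins for two DER SubjectPublicKeyInfo blobs; not real keys.
OLD_KEY = b"constructed SPKI bytes for the old key"
NEW_KEY = b"constructed SPKI bytes for the new key"
OLD_REC, NEW_REC = tlsa_for_spki(OLD_KEY), tlsa_for_spki(NEW_KEY)
TTL = 3600  # assumed TLSA TTL, one hour

# The mistake Chung's hourly probes catch: record and certificate swapped at the
# same instant. Resolvers that cached the old RRset up to an hour earlier fail.
HASTY_TLSA = [RRsetChange(0, TTL, frozenset({OLD_REC})),
              RRsetChange(3600, TTL, frozenset({NEW_REC}))]
HASTY_CERT = [CertChange(0, OLD_KEY), CertChange(3600, NEW_KEY)]

# The double-record rollover RFC 7671 describes: publish both records, wait at
# least one TTL, switch the certificate, then retire the old record.
SAFE_TLSA = [RRsetChange(0, TTL, frozenset({OLD_REC})),
             RRsetChange(3600, TTL, frozenset({OLD_REC, NEW_REC})),
             RRsetChange(10800, TTL, frozenset({NEW_REC}))]
SAFE_CERT = [CertChange(0, OLD_KEY), CertChange(7200, NEW_KEY)]

if __name__ == "__main__":
    print("hasty plan problems:", check_rollover(HASTY_TLSA, HASTY_CERT))
    print("safe plan problems: ", check_rollover(SAFE_TLSA, SAFE_CERT))
```

The hasty plan reports one problem at t=3600: the RRset published at t=0 is still a legitimate cached view and contains only the old record while the server already presents the new key. The safe plan reports none, because the old-only RRset can no longer be in any cache once 3600 + TTL has passed, which is exactly when the certificate switch is scheduled. If you automate certificate renewal (ACME clients are the usual culprit), feed your real TTL and intended switch times through this before the renewal hook is allowed to install the new key, or the hourly probes will record your domain as one of the ones that "forgot".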