I've now seen something doing SMTP probing of IPv6 addresses
One of the machines that I run my sinkhole SMTP server on has an IPv6 address. This address is present in DNS, but wasn't directly visible as the target of an MX record or anything else that would lead it to clearly being associated with email. To my surprise, yesterday a machine connected to my sinkhole SMTP server on this relatively obscure IPv6 address.
(This machine is the MX target of an old hostname that spammers and other people have latched on to, but the MX target didn't have an IPv6 address, just an IPv4 one.)
The source IPv6 is 2607:ff10:c5:509a::1 in cari.net, and an Internet search found an interesting report about it, which seems vaguely sloppy given how easy it usually is to change IPv6 addresses. The actual activity I saw appears to have been TLS probes; on its first two connections, it STARTTLS'd with different ciphers and then abandoned the connection after TLS had started. EHLOs were used too, first 'k7wyLkmlLdInG.com' and then
(The first connection used ECDHE-RSA-AES256-GCM-SHA384, a TLS v1.2 cipher; the second used the much older ECDHE-RSA-AES256-SHA, originally from SSLv3.)
Looking at my logs, I've seen similar TLS probes with similar (especially 'openssl.client.net') from a cari.net IPv4 address, 220.127.116.11. This has a PTR record of 'burger.census.shodan.io', although the IP address listed for that name doesn't match. If this is a Shodan source point, SMTP TLS scanning isn't particularly surprising in general (although it didn't work very well against my sinkhole SMTP server). It does surprise me that people are clearly trying IPv6 addresses for this, presumably by crawling DNS to find IPv6 addresses and then probing all ports on them just to see.
(Checking my logs, I see that my SSH daemon refused to talk to 2607:ff10:c5:509a::1 at around the same time, so this is probably port scanning and probing in general and may well be Shodan. Shodan once exploited NTP to find active IPv6 addresses, and may be back to this sort of trick.)
Going back further in my SMTP logs, I see that 18.104.22.168 aka 'census3.shodan.io' also did this sort of probing. So perhaps Shodan has turned its unblinking eye on my corner of the network world in general, and the IPv6 probes are just a manifestation of this. Sadly that makes them less interesting and means that I've yet to actually encounter a spammer trying to use IPv6. Maybe someday.
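One way to pull this kind of probe out of SMTP logs, as an added example that is not the author's code: it flags sessions that negotiate STARTTLS and then send nothing more, and groups them by source so that differing ciphers and EHLO names from one address stand out. The log layout, the addresses (documentation ranges) and the EHLO names are constructed for the example; only the two cipher names come from the post.

```python
import ipaddress

# Constructed sample log. The "time session ip event detail" layout is an
# assumption for this example, not the format of any particular SMTP server.
SAMPLE_LOG = """\
03:12:01 s1 2001:db8:c5::1 EHLO probe-a.example
03:12:02 s1 2001:db8:c5::1 TLS ECDHE-RSA-AES256-GCM-SHA384
03:12:02 s1 2001:db8:c5::1 CLOSE
03:12:05 s2 2001:db8:c5::1 EHLO probe-b.example
03:12:06 s2 2001:db8:c5::1 TLS ECDHE-RSA-AES256-SHA
03:12:06 s2 2001:db8:c5::1 CLOSE
03:20:11 s3 192.0.2.25 EHLO mail.example
03:20:12 s3 192.0.2.25 TLS ECDHE-RSA-AES256-GCM-SHA384
03:20:13 s3 192.0.2.25 MAIL <a@mail.example>
03:20:14 s3 192.0.2.25 CLOSE
03:31:40 s4 198.51.100.7 EHLO other.example
03:31:41 s4 198.51.100.7 CLOSE
"""

def parse_sessions(log_text):
    """Group events by session id: {sid: (ip, [(event, detail), ...])}."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) >= 4:  # skip blank or malformed lines
            detail = parts[4] if len(parts) > 4 else ""
            sessions.setdefault(parts[1], (parts[2], []))[1].append((parts[3], detail))
    return sessions

def is_tls_probe(events):
    """True if TLS was negotiated and the client sent nothing afterwards."""
    names = [event for event, _ in events]
    return "TLS" in names and all(n == "CLOSE" for n in names[names.index("TLS") + 1:])

def find_probers(log_text):
    """Summarise TLS-probe sessions per source IP."""
    found = {}
    for ip, events in parse_sessions(log_text).values():
        if is_tls_probe(events):
            rec = found.setdefault(ip, {"ipv6": ipaddress.ip_address(ip).version == 6,
                                        "sessions": 0, "TLS": set(), "EHLO": set()})
            rec["sessions"] += 1
            for event, detail in events:
                if event in ("TLS", "EHLO"):
                    rec[event].add(detail)
    return found

if __name__ == "__main__":
    print(find_probers(SAMPLE_LOG))
```

A source that appears here with several sessions, each showing a different cipher, matches the abandon-after-handshake pattern described above; sessions that go on to MAIL or never start TLS are left out.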