I've now seen something doing SMTP probing of IPv6 addresses

October 23, 2017

One of the machines that I run my sinkhole SMTP server on has an IPv6 address. This address is present in DNS, but wasn't directly visible as the target of an MX record or anything else that would clearly associate it with email. To my surprise, yesterday a machine connected to my sinkhole SMTP server on this relatively obscure IPv6 address.

(This machine is the MX target of an old hostname that spammers and other people have latched on to, but the MX target didn't have an IPv6 address, just an IPv4 one.)

The source IPv6 is 2607:ff10:c5:509a::1 in cari.net, and an Internet search found an interesting report about it, which seems vaguely sloppy given how easy it usually is to change IPv6 addresses. The actual activity I saw appears to have been TLS probes; on its first two connections, it STARTTLS'd with different ciphers and then abandoned the connection after TLS had started. Different EHLOs were used too, first 'k7wyLkmlLdInG.com' and then 'openssl.client.net'.

(The first connection used ECDHE-RSA-AES256-GCM-SHA384, a TLS v1.2 cipher; the second used the much older ECDHE-RSA-AES256-SHA, an AES-CBC suite with a SHA-1 MAC that OpenSSL's cipher list labels as SSLv3-era, although the ECDHE suites were actually defined for TLS in RFC 4492.)

Looking at my logs, I've seen similar TLS probes with similar EHLOs (especially 'openssl.client.net') from a cari.net IPv4 address, 66.240.219.146. This has a PTR record of 'burger.census.shodan.io', although the IP address listed for that name doesn't match. If this is a Shodan source point, SMTP TLS scanning isn't particularly surprising in general (although it didn't work very well against my sinkhole SMTP server). It does surprise me that people are clearly trying IPv6 addresses for this, presumably by crawling DNS to find IPv6 addresses and then probing all ports on them just to see.

(Checking my logs, I see that my SSH daemon refused to talk to 2607:ff10:c5:509a::1 at around the same time, so this is probably port scanning and probing in general and may well be Shodan. Shodan once exploited NTP to find active IPv6 addresses, and may be back to this sort of trick.)

Going back further in my SMTP logs, I see that 198.20.70.114 aka 'census3.shodan.io' also did this sort of probing. So perhaps Shodan has turned its unblinking eye on my corner of the network world in general, and the IPv6 probes are just a manifestation of this. Sadly that makes them less interesting and means that I've yet to actually encounter a spammer trying to use IPv6. Maybe someday.
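As an added example (not the post's own code, and nothing to do with Shodan's), here is a Python script that runs the kind of check the observations above suggest over a constructed sinkhole log: group lines by connection, call a session a TLS probe when it negotiated STARTTLS and then disconnected without ever issuing MAIL FROM, and roll that up per source address, noting the address family and whether one of the EHLO names seen in the post appeared. The log format (the conn=, remote= and cipher= fields) is invented for the example, the sample lines are constructed, and the RFC 5737 address 198.51.100.7 stands in for an ordinary sender that actually tries to deliver mail.

```python
import ipaddress
import re

# Constructed sample log in a hypothetical sinkhole format. The field names
# (conn=, remote=, cipher=) are assumptions for this example, not the post's
# real log format. The two probing addresses are the ones named in the post;
# 198.51.100.7 is an RFC 5737 documentation address used as an ordinary sender.
SAMPLE_LOG = """\
2017-10-22T14:03:11 conn=41 remote=[2607:ff10:c5:509a::1]:51234 CONNECT
2017-10-22T14:03:11 conn=41 remote=[2607:ff10:c5:509a::1]:51234 EHLO k7wyLkmlLdInG.com
2017-10-22T14:03:11 conn=41 remote=[2607:ff10:c5:509a::1]:51234 STARTTLS cipher=ECDHE-RSA-AES256-GCM-SHA384
2017-10-22T14:03:12 conn=41 remote=[2607:ff10:c5:509a::1]:51234 DISCONNECT
2017-10-22T14:03:15 conn=42 remote=[2607:ff10:c5:509a::1]:51240 CONNECT
2017-10-22T14:03:15 conn=42 remote=[2607:ff10:c5:509a::1]:51240 EHLO openssl.client.net
2017-10-22T14:03:15 conn=42 remote=[2607:ff10:c5:509a::1]:51240 STARTTLS cipher=ECDHE-RSA-AES256-SHA
2017-10-22T14:03:16 conn=42 remote=[2607:ff10:c5:509a::1]:51240 DISCONNECT
2017-10-22T16:40:02 conn=43 remote=[66.240.219.146]:40011 CONNECT
2017-10-22T16:40:02 conn=43 remote=[66.240.219.146]:40011 EHLO openssl.client.net
2017-10-22T16:40:02 conn=43 remote=[66.240.219.146]:40011 STARTTLS cipher=ECDHE-RSA-AES256-GCM-SHA384
2017-10-22T16:40:03 conn=43 remote=[66.240.219.146]:40011 DISCONNECT
2017-10-22T18:01:44 conn=44 remote=[198.51.100.7]:55120 CONNECT
2017-10-22T18:01:44 conn=44 remote=[198.51.100.7]:55120 EHLO mail.example.org
2017-10-22T18:01:44 conn=44 remote=[198.51.100.7]:55120 STARTTLS cipher=ECDHE-RSA-AES128-GCM-SHA256
2017-10-22T18:01:45 conn=44 remote=[198.51.100.7]:55120 MAIL FROM:<someone@example.org>
2017-10-22T18:01:45 conn=44 remote=[198.51.100.7]:55120 RCPT TO:<victim@example.net>
2017-10-22T18:01:46 conn=44 remote=[198.51.100.7]:55120 DISCONNECT
"""

LINE_RE = re.compile(r'^(\S+) conn=(\d+) remote=\[([^\]]+)\]:(\d+) (.*)$')
CIPHER_RE = re.compile(r'cipher=(\S+)')

# EHLO names the post saw on TLS probes. An observation, not an authoritative fingerprint.
PROBE_EHLOS = {'openssl.client.net'}


def parse_sessions(log_text):
    """Group events by connection id so each SMTP session is judged as a whole."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that don't fit the (hypothetical) format are ignored
        _ts, conn, remote, _port, event = m.groups()
        sessions.setdefault(conn, {'remote': remote, 'events': []})['events'].append(event)
    return sessions


def classify(session):
    """Label one session and pull out its EHLO names and negotiated ciphers."""
    events = session['events']
    ehlos = [e.split(None, 1)[1] for e in events if e.startswith('EHLO ')]
    ciphers = [m.group(1) for m in map(CIPHER_RE.search, events) if m]
    has_starttls = any(e.startswith('STARTTLS') for e in events)
    has_mail = any(e.startswith('MAIL FROM') for e in events)
    if has_mail:
        kind = 'delivery-attempt'
    elif has_starttls:
        kind = 'tls-probe'  # negotiated TLS, then left without trying to send mail
    else:
        kind = 'other'
    return {'kind': kind, 'ehlos': ehlos, 'ciphers': ciphers}


def summarize_by_source(log_text):
    """Per source address: probe/delivery counts, EHLOs, ciphers, family, probe-EHLO hit."""
    summary = {}
    for sess in parse_sessions(log_text).values():
        info = classify(sess)
        src = summary.setdefault(sess['remote'], {
            'ipv6': ipaddress.ip_address(sess['remote']).version == 6,
            'probes': 0, 'deliveries': 0, 'ehlos': set(), 'ciphers': set(),
            'probe_ehlo': False})
        src['ehlos'].update(info['ehlos'])
        src['ciphers'].update(info['ciphers'])
        src['probe_ehlo'] |= bool(set(info['ehlos']) & PROBE_EHLOS)
        if info['kind'] == 'tls-probe':
            src['probes'] += 1
        elif info['kind'] == 'delivery-attempt':
            src['deliveries'] += 1
    return summary


def probe_sources(log_text):
    """Addresses that did at least one TLS probe, IPv6 ones listed first."""
    summ = summarize_by_source(log_text)
    return sorted((a for a, s in summ.items() if s['probes']),
                  key=lambda a: (not summ[a]['ipv6'], a))


if __name__ == '__main__':
    for addr, s in summarize_by_source(SAMPLE_LOG).items():
        fam = 'IPv6' if s['ipv6'] else 'IPv4'
        print(f"{addr:24} {fam} probes={s['probes']} deliveries={s['deliveries']} "
              f"probe_ehlo={s['probe_ehlo']} ehlos={sorted(s['ehlos'])} "
              f"ciphers={sorted(s['ciphers'])}")
```

The session-level rule matters more than the EHLO list: a scanner can change its EHLO name on every connection (the first probe above used a random-looking one), but a client that completes a TLS handshake and then never issues MAIL FROM is not trying to deliver mail, whatever it calls itself. Splitting the summary by address family is what lets you see when a scanner has started reaching addresses that are only in DNS rather than in any MX record.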

Last modified: Mon Oct 23 01:40:19 2017