TLS versions in connections to my spam-catching sinkhole SMTP server

November 30, 2014

I've written before about TLS usage on our real inbound mail gateway and the general TLS breakdown on my sinkhole SMTP server. My sinkhole server didn't initially log the TLS version used, but after Heartbleed hit I changed that because it was now interesting information, and here's a preliminary report. Note that, unlike our main mail gateway, this is all spam sending attempts.

The basic version breakdown is that out of 588 connections that negotiated TLS since I added this logging, 102 used SSL v3, 151 used TLS v1.0, only seven used TLS v1.1, and 328 used TLS v1.2. I looked through the seven by hand and there's no particular pattern. Those connections resulted in only 153 actual message submissions, and the breakdown there is 29 SSL v3, 57 TLS v1.0, 2 TLS v1.1, and 65 with TLS v1.2.
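As an added illustration (not code from this post or its sinkhole), here is how the per-version breakdown above can be produced from per-connection log records. The log format, the `tls=`/`submitted=` fields and the sample lines are all assumptions made for the example, since the post does not show its sinkhole's actual log format.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed format: one record per
# connection that negotiated TLS, with the version OpenSSL-style
# (TLSv1 is TLS v1.0) and whether a message was actually submitted.
SAMPLE_LOG = """\
2014-11-29T10:01:02 remote=192.0.2.10 tls=SSLv3 submitted=yes
2014-11-29T10:03:15 remote=192.0.2.11 tls=TLSv1 submitted=no
2014-11-29T10:04:40 remote=192.0.2.12 tls=TLSv1.2 submitted=yes
2014-11-29T10:05:01 remote=192.0.2.13 tls=TLSv1.2 submitted=no
2014-11-29T10:07:22 remote=192.0.2.14 tls=TLSv1.1 submitted=yes
2014-11-29T10:08:09 remote=192.0.2.15 tls=SSLv3 submitted=no
2014-11-29T10:09:30 remote=192.0.2.16 tls=TLSv1 submitted=yes
"""

LINE_RE = re.compile(r"tls=(?P<ver>\S+)\s+submitted=(?P<sub>yes|no)")

# Reporting order, oldest protocol first.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def tls_breakdown(log_text):
    """Return (connections, submissions): Counters keyed by TLS version."""
    connections = Counter()
    submissions = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TLS connection record; skip it
        ver = m.group("ver")
        connections[ver] += 1
        if m.group("sub") == "yes":
            submissions[ver] += 1
    return connections, submissions

def legacy_share(connections):
    """Fraction of TLS connections that negotiated SSLv3 or TLS v1.0,
    the versions most likely to come from old, unmaintained senders."""
    total = sum(connections.values())
    if total == 0:
        return 0.0
    return (connections["SSLv3"] + connections["TLSv1"]) / total

def report(log_text):
    conns, subs = tls_breakdown(log_text)
    for ver in VERSION_ORDER:
        print(f"{ver:8s} connections={conns[ver]:4d} submissions={subs[ver]:4d}")
    print(f"SSLv3+TLSv1.0 share of connections: {legacy_share(conns):.1%}")

if __name__ == "__main__":
    report(SAMPLE_LOG)
```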

I looked through the email received using SSL v3, and almost all of it is basic advance fee fraud or phishing spam. The first interesting exception is spam from gallopade.nmsrv.com, which is a name that has been trying to spam me for quite a long time. The other interesting exception is genuine email from Twitter's 'please confirm your new account' system, which apparently comes from an account creation initiated by some sort of spammer. Both messages received using TLS v1.1 were also advance fee fraud emails, although these seem to come from real ISP systems instead of random and probably ancient mail servers around the Internet.

I did a random spot sampling of the messages received with TLS v1.0 and couldn't spot any particular pattern in the mailers involved; connecting to people's SMTP ports turned up Exim, Sendmail, and 'Microsoft ESMTP MAIL Service' aka Microsoft Mail Server before I got bored. Microsoft was clearly the most popular, followed by Exim (although the Exim versions in SMTP greeting banners varied). Interestingly, both GMail and Yahoo used TLS v1.0 at least once.

The prevalence of SSL v3 and some other things in my sinkhole connections goes along with what I've long thought about the machines exploited to send phish and advance fee fraud, which is that many of them are basically neglected. Old, neglected machines are quite likely to be running old software that only supports old versions of TLS.
