Topic: qpsmtpd - did it just try calling home?

[piran]

[postedit: OK forget it, my mistake, it's just spam]

[cactus]

Why do you assume it might be calling home? I see no proof of that statement in provided snippets.

[piran]

OK forget it, my mistake, it's just spam.

[cactus]

OK forget it, my mistake, it's just spam.

Please do not edit your previous posts, especially removing the whole content. It is considered bad behavior in this forums. The modify function is to be used to fix minor mistakes.

[piran]

You saw no corroborative data and said so.
I saw a minor mistake and edited it.
Forget it, as I said: "my mistake".

[Stefano]

You saw no corroborative data and said so.
I saw a minor mistake and edited it.
Forget it, as I said: "my mistake".

ok... but please repost the original content for future reference..

rembember that anyone, at any time, could be in your same situation and/or think the same thing.

thank you

Ciao
Stefano

[piran]

Thank you Stefano for the human tone of your words.
I will recompile the deleted data and reiterate my mistake.

[piran]

My mistake...

Code: [Select]

2009-04-02 20:20:44.389619500 1998 Accepted connection 0/40 from 204.8.155.227 / planetlab-02.bu.edu
2009-04-02 20:20:44.389827500 1998 Connection from planetlab-02.bu.edu [204.8.155.227]
2009-04-02 20:21:59.399809500 1998 check_earlytalker plugin: remote host said nothing spontaneous, proceeding
2009-04-02 20:21:59.988401500 1998 check_badcountries plugin: GeoIP Country: US
2009-04-02 20:21:59.995707500 1998 220 my.foo.bah ESMTP
2009-04-02 20:22:00.138853500 1998 dispatching HELP
2009-04-02 20:22:00.139191500 1998 214-This is qpsmtpd
2009-04-02 20:22:00.139325500 1998 214-See http://smtpd.develooper.com/
2009-04-02 20:22:00.139456500 1998 214 To report bugs or send comments, mail to <ask@develooper.com>.
2009-04-02 20:22:00.272800500 1998 dispatching STARTTLS
2009-04-02 20:22:00.273115500 1998 count_unrecognized_commands plugin: Unrecognized command 'starttls'
2009-04-02 20:22:00.273448500 1998 500 Unrecognized command
2009-04-02 20:22:00.806339500 28208 cleaning up after 1998

2009-04-02 21:20:21.512127500 2910 Accepted connection 0/40 from 134.76.81.91 / planetlab1.informatik.uni-goettingen.de
2009-04-02 21:20:21.512345500 2910 Connection from planetlab1.informatik.uni-goettingen.de [134.76.81.91]
2009-04-02 21:21:36.521984500 2910 check_earlytalker plugin: remote host said nothing spontaneous, proceeding
2009-04-02 21:21:36.524386500 2910 check_badcountries plugin: GeoIP Country: DE
2009-04-02 21:21:36.531735500 2910 220 my.foo.bah ESMTP
2009-04-02 21:21:36.624850500 2910 dispatching HELP
2009-04-02 21:21:36.625180500 2910 214-This is qpsmtpd
2009-04-02 21:21:36.625313500 2910 214-See http://smtpd.develooper.com/
2009-04-02 21:21:36.625447500 2910 214 To report bugs or send comments, mail to <ask@develooper.com>.
2009-04-02 21:21:36.705641500 2910 dispatching STARTTLS
2009-04-02 21:21:36.705954500 2910 count_unrecognized_commands plugin: Unrecognized command 'starttls'
2009-04-02 21:21:36.706277500 2910 500 Unrecognized command
2009-04-02 21:21:37.683240500 28208 cleaning up after 2910

Both universities now filtered. Not a problem.
It's spam but of a type that I've not seen before now.
Don't feel that it is a bug, I'm not going to put spam into the Bugzilla.
For me SME Server 7.4 did the right thing, so it's OK to drop it.

[piran]

FWIW the email option for SSMTP remains at default (enabled).
If I believe that this spam (intelligence gathering?) becomes
more of a problem I can 'disable' SSMTP. The box is server and
gateway but I have nobody else 'externally' requiring service.
Only ports 25 (SMTP) and 80 (HTTP) are visible from the
internet ~ according to port scanning from grc dot com.
There are no forwarded ports.

[cactus]

You saw no corroborative data and said so.
I saw a minor mistake and edited it.
Forget it, as I said: "my mistake".

Minor mistakes are considered to be typos and the like not removing a whole post. Thanks for reposting the content though.

[piran]

I only removed my post as a result of your tone annoying me.
Hope the returned content is helpful to somebody else. If
any further appear in the log I think it must be some sort
of intelligence gathering so I intend to then try the disable
option for SSMTP. I have only ever seen these two iterations.

[CharlieBrady]

It's spam but of a type that I've not seen before now.

No, it's not spam - spam is unwanted email - there's no email here. It is someone or something connecting, and then issuing the 'help' and 'starttls' SMTP commands, and then disconnecting.

If I believe that this spam (intelligence gathering?) becomes
more of a problem I can 'disable' SSMTP.

The same probing could be done over SMTP.

You can't stop probes. If you don't want your system probed, don't connect it to the Internet.

[piran]

So it was spam, I didn't want their email. It was
an unwanted and unsolicited email connection.
I still think the connection attempts, issuing
of the 'help' and 'starttls' commands were
iterations of intelligence gathering. The
same probing was done over SMTP. I can
stop probes and have already taken those
steps by a method by which you are already
familiar. I haven't asserted an objection to a
system probe, these things happen. I need
my server connected to the internet.

[cactus]

I only removed my post as a result of your tone annoying me.

That is your interpretation, certainly not intended.

[CharlieBrady]

So it was spam, ...

No, it was not spam. Spam is email - there was no email.

I didn't want their email.

They did not try to send you email.

I still think the connection attempts, issuing
of the 'help' and 'starttls' commands were
iterations of intelligence gathering.

Nobody disagreed with you.

[piran]

cactus: Fair enough. I'm no longer annoyed.

CharlieBrady: qpsmtpd does email. I didn't
want either email. The attempt didn't succeed
because of the effectiveness of the SME code
you developed. I believe they attempted to
get the transport layer security mechanism
running. To use a qpsmtpd server daemon for
anything other than to (attempt to) send an
email doesn't immediately make much sense but
I expect these people have different agendas.
Do you want me to report any further instances?

[CharlieBrady]

Do you want me to report any further instances?

I'm not interested in what idle students do in Boston. If SME server misfunctions in any way, please report via the bug tracker.