On 2024-01-15 at 04:15:53 UTC-0500 (Mon, 15 Jan 2024 10:15:53 +0100)
Admin Beckspaced via Postfix-users <ad...@beckspaced.com>
is rumored to have said:
> someone is trying to use your postfix as an http proxy server.
> Looks like a security scanner.
> do you know the type of encoding?
The encoding for the log is octal: characters are either literal or in
\### format for unprintables.
> I would like to decode and see the actual commands.
The underlying data looks (by eyeball) to probably be an attempted HTTPS
handshake. That's consistent with the test apparently being done for an
open proxy. Shodan and Censys are nominally legitimate operations that
scan the Internet for possibly vulnerable machines and sell access to
the resulting data. There are others who can be identified by the names
"stretchoid" and "binaryedge.ninja" who are less public about their
scans.
The IPs performing the scans can safely be blocked at the packet level,
if you're into such things. They will never do anything but test your
system.
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V \356\277\200\370\023\264zR\360\243\307 \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226 \331 \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command pipelining after CONNECT from scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
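The log text Bill describes can be turned back into bytes and checked against his reading of it. What follows is an added example written for this archived thread; it is not code posted by anyone in it and not part of Postfix. It inverts the escaping Postfix applies when it logs client input (three-digit octal for non-printable bytes, C-style \a \b \f \n \r \t \v for those seven, and \\ for a backslash), re-joins the fragments the mail wrapped (every break in the quoted log fell on a space, and a space is itself a payload byte, so the join must use exactly one), and parses the result as a TLS record carrying a ClientHello: record and client versions, the 32-byte random, the session ID and the start of the cipher suite list. The two samples are the first and third log entries quoted above. Both decode to exactly 100 raw bytes, which is where Postfix cut the logged input, so the parser is written to tolerate a hello that is truncated inside its cipher suite list and reports how much of the advertised record survived. The small cipher suite name table is for illustration; unknown suites are shown in hex. Note that "CONNECT" in these lines is Postfix's own name for the connection event after which the unexpected data arrived, not an HTTP CONNECT request, which fits a TLS probe rather than an attempt to use the server as a proxy.

```python
"""Decode a Postfix "improper command pipelining" log line and parse the
payload as a TLS ClientHello. Added example for this thread, not code from
Postfix or from any poster; the sample lines are the first and third log
entries quoted above, re-joined where the mail wrapped them."""
import re

# Postfix's escape() writes these seven bytes as C escapes, a backslash as
# "\\" and every other non-printable byte as three-digit octal "\ooo".
_C_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_TOKEN = re.compile(r"\\([0-7]{3})|\\([abfnrtv\\])|(.)", re.DOTALL)
_PIPELINING = re.compile(
    r"improper command pipelining after (?P<where>\S+) from (?P<client>\S+): (?P<payload>.*)$")
_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITE_NAMES = {  # a few IANA names for illustration; anything else prints as hex
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009e: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384", 0xc02c: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

# Every fragment below ended at a space (0x20) in the real log line, so
# joining with " " restores the escaped text byte for byte.
SAMPLE_LOG_LINES = [
    " ".join([
        "Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper",
        "command pipelining after CONNECT from",
        "battery.census.shodan.io[93.174.95.106]:",
        r"\026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307"
        r"\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200",
        r"\343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255"
        r"\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k"
        r"\300\237\300\243\000\237",
    ]),
    " ".join([
        "Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper",
        "command pipelining after CONNECT from",
        "battery.census.shodan.io[93.174.95.106]:",
        r"\026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n"
        r"\315\f1g\037k\021\357\245\302EG\317\a\226",
        r"\331",
        r"\006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324("
        r"\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,"
        r"\300\257\300\255",
    ]),
]


def postfix_unescape(text: str) -> bytes:
    """Invert Postfix's escape() output back into the raw bytes it logged."""
    out = bytearray()
    for octal, cesc, literal in _TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif cesc:
            out.append(_C_ESCAPES[cesc])
        else:
            out.append(ord(literal))
    return bytes(out)


def parse_client_hello(data: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello, tolerating a cut-off tail.

    Postfix truncates the logged input (both samples decode to exactly 100
    bytes), so the hello is cut off inside its cipher suite list; the result
    records how much of the advertised record was actually logged."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    if len(data) < 44:
        raise ValueError("hello cut off inside the random field")
    record_len = int.from_bytes(data[3:5], "big")
    sid_end = 44 + data[43]                 # session_id follows its 1-byte length
    if len(data) < sid_end + 2:
        raise ValueError("hello cut off before the cipher suite list")
    suites_len = int.from_bytes(data[sid_end:sid_end + 2], "big")
    seen = data[sid_end + 2:sid_end + 2 + suites_len]   # whatever survived the cut
    return {
        "record_version": _VERSIONS.get(int.from_bytes(data[1:3], "big"), "unknown"),
        "record_length": record_len,
        "hello_length": int.from_bytes(data[6:9], "big"),
        "client_version": _VERSIONS.get(int.from_bytes(data[9:11], "big"), "unknown"),
        "random": data[11:43].hex(),
        "session_id": data[44:sid_end].hex(),
        "cipher_suites_declared": suites_len // 2,
        "cipher_suites": [int.from_bytes(seen[i:i + 2], "big")
                          for i in range(0, len(seen) - 1, 2)],
        "bytes_logged": len(data),
        "truncated": len(data) < 5 + record_len,
    }


def decode_log_line(line: str) -> dict:
    """Split the log line, unescape the payload and parse it as a ClientHello."""
    m = _PIPELINING.search(line)
    if not m:
        raise ValueError("not an 'improper command pipelining' log line")
    raw = postfix_unescape(m.group("payload"))
    return {"where": m.group("where"), "client": m.group("client"),
            "raw": raw, "hello": parse_client_hello(raw)}


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        h = decode_log_line(line)["hello"]
        print(f"{h['client_version']} ClientHello, {h['bytes_logged']} of "
              f"{5 + h['record_length']} record bytes logged; suites seen: "
              + " ".join(SUITE_NAMES.get(s, f"0x{s:04x}") for s in h["cipher_suites"]))
```

Run as a script it prints one summary per sample; other entries from the log go through decode_log_line() the same way once their wrapped fragments are joined with a single space. The first sample shows a TLS 1.2 hello advertising 69 cipher suites of which 11 made it into the log; the third, which carries TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384, is the same scanner trying a TLS 1.3-capable profile.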