# [SOLVED] Strange? TLS connections to smtp-server

## freke

Hi,

I've recently (last couple of days?) started to see this in my logs

```
Sep  7 01:02:16 mail postfix/smtpd[20786]: connect from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-paris.proxy-research.com[15.188.24.147]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:17 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: disconnect from Starttls-paris.proxy-research.com[15.188.24.147] ehlo=2 starttls=1 commands=3
Sep  7 01:02:20 mail postfix/smtpd[20786]: connect from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-virginia.proxy-research.com[34.227.19.103]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:21 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: disconnect from starttls-virginia.proxy-research.com[34.227.19.103] ehlo=2 starttls=1 commands=3
Sep  7 01:02:36 mail postfix/smtpd[20786]: connect from starttls-oregon.proxy-research.com[54.187.79.149]
Sep  7 01:02:37 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-oregon.proxy-research.com[54.187.79.149]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:38 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-oregon.proxy-research.com[54.187.79.149]
Sep  7 01:02:38 mail postfix/smtpd[20786]: disconnect from starttls-oregon.proxy-research.com[54.187.79.149] ehlo=2 starttls=1 commands=3
Sep  7 01:02:51 mail postfix/smtpd[20786]: connect from Starttls-saopaulo.proxy-research.com[54.94.237.221]
Sep  7 01:02:52 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-saopaulo.proxy-research.com[54.94.237.221]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:02:53 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-saopaulo.proxy-research.com[54.94.237.221]
Sep  7 01:02:53 mail postfix/smtpd[20786]: disconnect from Starttls-saopaulo.proxy-research.com[54.94.237.221] ehlo=2 starttls=1 commands=3
Sep  7 01:02:58 mail postfix/smtpd[20786]: connect from mail.proxy-research.com[15.164.73.143]
Sep  7 01:03:00 mail postfix/smtpd[20786]: Anonymous TLS connection established from mail.proxy-research.com[15.164.73.143]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:03:00 mail postfix/smtpd[20786]: lost connection after EHLO from mail.proxy-research.com[15.164.73.143]
Sep  7 01:03:00 mail postfix/smtpd[20786]: disconnect from mail.proxy-research.com[15.164.73.143] ehlo=2 starttls=1 commands=3
Sep  7 01:03:08 mail postfix/smtpd[20786]: connect from Starttls-sydney.proxy-research.com[3.104.129.119]
Sep  7 01:03:10 mail postfix/smtpd[20786]: Anonymous TLS connection established from starttls-sydney.proxy-research.com[3.104.129.119]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep  7 01:03:11 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-sydney.proxy-research.com[3.104.129.119]
Sep  7 01:03:11 mail postfix/smtpd[20786]: disconnect from Starttls-sydney.proxy-research.com[3.104.129.119] ehlo=2 starttls=1 commands=3
```

Does anyone know if these are *legit* - or what this is?

TIA

Last edited by freke on Sat Sep 07, 2019 4:19 pm; edited 1 time in total
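As an added example (not part of freke's post), a small Python detector for the pattern these log lines show: a session that completes STARTTLS and then drops the link right after the second EHLO, with no MAIL/RCPT/DATA at all. It parses the counters on the `disconnect` line and groups flagged sessions by client domain so repeated probing from many source IPs stands out; the sample lines are constructed in the same format as the excerpt above, and splitting the domain on the last two DNS labels is a simplification.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the post's postfix/smtpd log, plus one normal delivery as a control.
SAMPLE_LOG = """\
Sep  7 01:02:16 mail postfix/smtpd[20786]: connect from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: lost connection after EHLO from Starttls-paris.proxy-research.com[15.188.24.147]
Sep  7 01:02:17 mail postfix/smtpd[20786]: disconnect from Starttls-paris.proxy-research.com[15.188.24.147] ehlo=2 starttls=1 commands=3
Sep  7 01:02:20 mail postfix/smtpd[20786]: connect from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: lost connection after EHLO from starttls-virginia.proxy-research.com[34.227.19.103]
Sep  7 01:02:21 mail postfix/smtpd[20786]: disconnect from starttls-virginia.proxy-research.com[34.227.19.103] ehlo=2 starttls=1 commands=3
Sep  7 01:05:03 mail postfix/smtpd[20786]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

DISCONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$")
LOST_RE = re.compile(r"lost connection after EHLO from \S+\[(?P<ip>[^\]]+)\]")

def parse_counters(text):
    """'ehlo=2 starttls=1 commands=3' -> {'ehlo': 2, 'starttls': 1, 'commands': 3}"""
    return {k: int(v) for k, v in (item.split("=") for item in text.split())}

def find_starttls_probes(log_text):
    """One record per session that negotiated STARTTLS and then dropped the link without any mail transaction.
    Sessions are matched on client IP only (a simplification that ignores the smtpd pid)."""
    lost_after_ehlo, probes = set(), []
    for line in log_text.splitlines():
        m = LOST_RE.search(line)
        if m:
            lost_after_ehlo.add(m.group("ip"))
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        c = parse_counters(m.group("counters"))
        no_transaction = not any(k in c for k in ("mail", "rcpt", "data"))
        if c.get("starttls") == 1 and no_transaction and m.group("ip") in lost_after_ehlo:
            probes.append({"host": m.group("host").lower(), "ip": m.group("ip"), "commands": c["commands"]})
    return probes

def sources_by_domain(probes):
    """Count distinct source IPs per client domain, taking the last two DNS labels as the domain (naive, an assumption)."""
    by_domain = defaultdict(set)
    for p in probes:
        by_domain[".".join(p["host"].rsplit(".", 2)[-2:])].add(p["ip"])
    return {d: len(ips) for d, ips in sorted(by_domain.items())}

if __name__ == "__main__":
    for domain, n in sources_by_domain(find_starttls_probes(SAMPLE_LOG)).items():
        print(f"{domain}: STARTTLS-only probe sessions from {n} distinct source IPs")
```

Feed it the output of `grep postfix/smtpd /var/log/mail.log` to see which client domains only ever negotiate TLS and leave; normal peers show `mail=`, `rcpt=` and `data=` counters on their `disconnect` line.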

----------

## Ant P.

Probably malware scanners looking for the latest exim exploit.

----------

## NeddySeagoon

freke,

Some gentle whois shows that some of those IPs are allocated to AWS and that 

```
whois proxy-research.com
```

includes

```
   Registrar URL: http://www.godaddy.com
   Updated Date: 2019-05-01T16:02:41Z
   Creation Date: 2019-04-24T01:16:59Z
   Registry Expiry Date: 2020-04-24T01:16:59Z
```

The domain is a new registration, only registered for a year.

That the registrar is godaddy does not inspire confidence either.

I think you are being probed. It's unlikely to be directed at you. It's someone looking to see what they can find.

Drop everything that resolves to proxy-research.com.

Looking at http://proxy-research.com/ in a browser, it seems mostly harmless.

----------

## freke

Thanks for the info NeddySeagoon :)

While I don't get why they would collect certificates from DANE-enabled servers every hour from multiple points (checking for MITM attacks?), it seems to be merely a project to measure DANE deployment for mailservers.

----------

## NeddySeagoon

freke,

The web page says you can ask them not to.

----------

## Hu

Perhaps they are repeatedly polling to see if the targeted IP is a load balancer that resolves to different underlying servers, some of which have DANE enabled and some of which do not.  Testing from multiple sources could be an implementation detail caused by how they spread out the jobs on their side, or it could be an attempt to probe whether your endpoint always resolves to the same host and offers the same configuration, regardless of client source address.

----------

## freke

I sent a mail to one of the contacts and got this.

> Dear Kim,
>
> Thanks for understanding our connection. We're only connecting the domains that support DANE.
>
> One of the reasons why we're connecting them every hour is to observe how well they roll-over their keys.
> ...

As they're not doing any harm for now I think I'll let this continue - just got worried when I saw them connecting every hour yesterday.

----------

