[pfx] Re: improper command pipelining
On 2024-01-15 at 04:15:53 UTC-0500 (Mon, 15 Jan 2024 10:15:53 +0100) Admin Beckspaced via Postfix-users is rumored to have said:

>> someone is trying to use your postfix as http proxy server.
>> Looks like a security scanner.
>
> do you know the type of encoding?

The encoding for the log is octal: characters are either literal or in \### format for unprintables.

> I would like to decode and see the actual commands.

The underlying data looks (by eyeball) to probably be an attempted HTTPS handshake. That's consistent with the test apparently being done for an open proxy.

Shodan and Censys are nominally legitimate operations that scan the Internet for possibly vulnerable machines and sell access to the resulting data. There are others who can be identified by the names "stretchoid" and "binaryedge.ninja" who are less public about their scans. The IPs performing the scans can safely be blocked at the packet level, if you're into such things. They will never do anything but test your system.

> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V \356\277\200\370\023\264zR\360\243\307 \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226 \331 \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command pipelining after CONNECT from scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237

-- 
Bill Cole b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: improper command pipelining
Admin Beckspaced via Postfix-users:
> dear postfix users,
>
> since the recent SMTP smuggling issue I applied the short term
> workaround by setting smtpd_forbid_unauth_pipelining = yes
>
> I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'
>
> the following showed up this morning.
>
> do I need to be worried?
>
> thanks
> & greetings
> Becki
>
>
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]:
> \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200

That looks like a TLSv1.2 client hello packet.

Octal \026 (hex 0x16) = handshake
Octal \003\003 (hex 0x0303) = TLSv1.2

Presumably the client is confusing port 587 (plaintext, with explicit STARTTLS) and 465 (implicit TLS).

Postfix logs "after CONNECT" because this is the first thing that the client sent after CONNECTing to Postfix. No harm is done, just wasting a few bits in the log.

	Wietse
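Bill's description of the log encoding and Wietse's reading of the first bytes can be turned into a small triage script for these log lines. This is an added example, not code from the thread, from Postfix, or from any of the posters. It assumes the escaping Bill describes (printable characters literal, `\###` octal for everything else) plus the C-style `\a \b \f \n \v` escapes visible in the logged data (`\r \t \\` are assumed to follow the same convention); the TLS constants are the standard record and handshake headers. Two sample lines are copied from the thread; the third is a constructed line showing what real pipelined SMTP commands would look like in the same log field, which is the case the check is meant to separate from scanner noise.

```python
"""Decode Postfix's escaped 'improper command pipelining' payloads and classify them."""
import re

# Escaping as described in the thread: printable bytes appear literally, everything else
# as \### octal. The logged data also shows C-style \a \b \f \n \v, so those are decoded;
# \r \t \\ are assumed to follow the same convention.
_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_TOKEN = re.compile(r"\\([0-7]{3})|\\([abfnrtv\\])|(.)", re.DOTALL)

# Standard TLS record-layer and handshake constants (RFC 5246 / RFC 8446).
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done", 16: "client_key_exchange"}

# Shape of the Postfix log message: "... after <state> from <peer>: <escaped payload>"
_LINE = re.compile(r"improper command pipelining after (\S+) from (\S+): (.*)$")

SAMPLE_LINES = [
    # Two lines copied from the thread (the escaped field is exactly what Postfix logged).
    r"Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237",
    r"Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237",
    # Constructed line (not from the thread): a client that really pipelines SMTP commands.
    r"Jan 14 02:00:00 cx20 postfix/submission/smtpd[25130]: improper command pipelining after EHLO from unknown[192.0.2.10]: MAIL FROM:<sender@example.com>\r\nRCPT TO:<user@example.net>\r\nDATA\r\n",
]


def decode_postfix_escapes(text: str) -> bytes:
    """Turn the escaped log field back into the raw bytes the client sent."""
    out = bytearray()
    for octal, simple, literal in _TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif simple:
            out.append(_SIMPLE_ESCAPES[simple])
        else:
            out.extend(literal.encode("latin-1", "replace"))
    return bytes(out)


def classify_tls_record(data: bytes):
    """Parse the 5-byte TLS record header and, for handshakes, the 4-byte handshake
    header plus the ClientHello's own version field. Returns None if it is not TLS."""
    if len(data) < 5:
        return None
    ctype = data[0]
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    if ctype not in CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    info = {"content_type": CONTENT_TYPES[ctype],
            "record_version": TLS_VERSIONS[version], "record_length": length}
    if ctype == 22 and len(data) >= 9:
        hs_type = data[5]
        info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, "unknown(%d)" % hs_type)
        info["handshake_length"] = int.from_bytes(data[6:9], "big")
        if hs_type == 1 and len(data) >= 11:
            client_version = int.from_bytes(data[9:11], "big")
            info["client_version"] = TLS_VERSIONS.get(client_version, hex(client_version))
    return info


def triage_log_line(line: str):
    """Classify one 'improper command pipelining' line; None if the line is something else."""
    m = _LINE.search(line)
    if not m:
        return None
    state, peer, payload = m.groups()
    raw = decode_postfix_escapes(payload)
    tls = classify_tls_record(raw)
    if tls and tls.get("handshake_type") == "client_hello":
        verdict = "tls-client-hello"   # implicit-TLS attempt on a plaintext port: noise
    elif re.match(rb"^[A-Za-z]{4}\b", raw):
        verdict = "smtp-commands"      # genuine pipelined SMTP verbs: worth a closer look
    else:
        verdict = "unknown"
    return {"after": state, "peer": peer, "decoded_bytes": len(raw), "tls": tls, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = triage_log_line(sample)
        print(result["peer"], result["verdict"], result["tls"])
```

On the first line from the thread this reports a handshake record, record version TLSv1.2, record length 420, carrying a 416-byte client_hello whose own version field is also TLSv1.2, which is Wietse's reading byte for byte; the excerpt decodes to exactly 100 bytes, so the log carries only the start of the record. The line from smtpd[25122] is the same thing at TLSv1.1. The case that deserves attention when grepping for 'pipelining' is the third one: a payload that decodes to SMTP verbs rather than a TLS record, i.e. a client that actually sent commands before it was entitled to, which is what smtpd_forbid_unauth_pipelining is there to reject.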
[pfx] Re: improper command pipelining
On 15.01.2024 at 09:34:06 Admin Beckspaced via Postfix-users writes:
> do I need to be worried?

As your logs clearly show it's Shodan, then either ignore it or simply block it right away.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: improper command pipelining
>>> Looks like a security scanner.
>>
>> do you know the type of encoding?
>> I would like to decode and see the actual commands.
>
> after CONNECT usually TLS negotiation occurs, that may be it.
> I don't know if there's any value in knowing that.

thanks i was just curious :)

>>> [...]
[pfx] Re: improper command pipelining
On 15.01.24 10:15, Admin Beckspaced via Postfix-users wrote:
>> someone is trying to use your postfix as http proxy server.
>> Looks like a security scanner.
>
> do you know the type of encoding?
> I would like to decode and see the actual commands.

after CONNECT usually TLS negotiation occurs, that may be it.
I don't know if there's any value in knowing that.

>> [...]

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
[pfx] Re: improper command pipelining
On Mon, Jan 15, 2024 at 10:15:53AM +0100, Admin Beckspaced via Postfix-users wrote:
>>> someone is trying to use your postfix as http proxy server.
>> Looks like a security scanner.
> do you know the type of encoding?

No, by "CONNECT", which is no SMTP command, but an HTTP one.

Bastian

-- 
Spock: The odds of surviving another attack are 13562190123 to 1, Captain.
[pfx] Re: improper command pipelining
> someone is trying to use your postfix as http proxy server.
> Looks like a security scanner.

do you know the type of encoding?
I would like to decode and see the actual commands.

>> [...]
[pfx] Re: improper command pipelining
On 15.01.24 09:34, Admin Beckspaced via Postfix-users wrote:
> dear postfix users,
>
> since the recent SMTP smuggling issue I applied the short term workaround by setting smtpd_forbid_unauth_pipelining = yes
>
> I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'
>
> the following showed up this morning.
>
> do I need to be worried?

someone is trying to use your postfix as http proxy server.
Looks like a security scanner.

> [...]

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".