Strange SMTP attempts from my tor relay
Hi,

I have noticed that my firewall registers connection attempts from my tor-server on port 465 and 587. My relay performs normally, so it appears that they have no significance for the operation.

Could somebody please explain the logic behind those SMTP connections? I am a bit puzzled!

/Ole Rydahl

OS: Fedora Linux 43 (Server Edition), Platform: Tor 0.4.9.8 on Linux
Hey Ole,

That is a bad actor on tor, attempting to send spam email that uses smtp ports to using your tor node as a relay, potentially spoofing the source to make it look like your relay is the sender.

Be sure to block any and all ports for smtp, 25, 465, 587, 2525 (not a comprehensive list of ports) for both incoming and outgoing connections. Your host, once it appears that your server is sending mass amounts of spam, may suspend or terminate your account. Just went through this with Hetzner this week.

On Thu, Jun 11, 2026 at 3:53 AM Ole Rydahl via tor-relays <tor-relays@lists.torproject.org> wrote:

> Hi,
>
> I have noticed that my firewall registers connection attempts from my tor-server on port 465 and 587. My relay performs normally, so it appears that they have no significance for the operation.
>
> Could somebody please explain the logic behind those SMTP connections? I am a bit puzzled!
>
> /Ole Rydahl
>
> OS: Fedora Linux 43 (Server Edition), Platform: Tor 0.4.9.8 on Linux
> _______________________________________________
> tor-relays mailing list -- tor-relays@lists.torproject.org
> To unsubscribe send an email to tor-relays-leave@lists.torproject.org

--
Thanks,
Robert Shults
IT Administrator & Solution Architect
CEO, TheMadHacker LLC
https://themadhacker.net
On Thu, Jun 11, 2026 at 04:01:49AM -0500, TheMadHacker Schism via tor-relays wrote:

> That is a bad actor on tor, attempting to send spam email that uses smtp ports to using your tor node as a relay [...]
>
> > I have noticed that my firewall registers connection attempts from my tor-server on port 465 and 587. My relay performs normally, so it appears that they have no significance for the operation.

Hm, maybe it is the bad actor you describe, but another option is that these are normal Tor relays listening with their ORPort on port 465 or 587. There is nothing sacred about these numbers, and people can pick them for their ORPort, and it could even be a good idea if it means they are reachable from behind firewalls that other destination ports wouldn't allow.

There is nothing wrong here, but you are right that some sysadmins might misunderstand what is going on and get upset at you for making connections on that port.

There are 31 relays running with their ORPort set to 465:

$ grep "^r " cached-consensus |grep " 465 "|cut -d' ' -f7-8|sort -n

and a smaller but still non-zero set listening with their ORPort on 587:

$ grep "^r " cached-consensus |grep " 587 "|cut -d' ' -f7-8|sort -n

--Roger
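The check Roger's grep enables, and that is made later in the thread against a packet capture, can be scripted. This is an added example, not code from the thread: it matches logged destinations against consensus "r" lines on IP and port together. The function names, the "IP PORT" input format and every address (documentation ranges) are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify logged outbound destinations against the relay
# ORPorts listed in a Tor consensus file. All sample data is constructed.

# classify_dests CONSENSUS DESTS
#   CONSENSUS: consensus file; field numbers follow the page's cut -f7-8
#              on cached-consensus (IP = field 7, ORPort = field 8).
#   DESTS:     one "IP PORT" pair per line, e.g. taken from firewall logs.
# Prints "IP PORT relay" or "IP PORT unknown" for each destination.
# A match needs both IP and port: a relay IP on another port stays unknown.
# IPv6 addresses (consensus "a" lines) are not handled here.
classify_dests() {
    awk '
        FILENAME == ARGV[1] { if ($1 == "r" && NF >= 9) orport[$7 " " $8] = 1; next }
        NF == 2 { print $1, $2, ((($1 " " $2) in orport) ? "relay" : "unknown") }
    ' "$1" "$2"
}

# Constructed sample: three relays, four logged destinations.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/consensus" <<'EOF'
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2026-06-11 08:00:00 192.0.2.10 465 0
s Fast Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2026-06-11 08:00:00 198.51.100.7 587 0
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2026-06-11 08:00:00 203.0.113.5 9001 0
EOF
    cat > "$dir/dests" <<'EOF'
192.0.2.10 465
198.51.100.7 587
203.0.113.99 587
192.0.2.10 587
EOF
    classify_dests "$dir/consensus" "$dir/dests"
    rm -rf "$dir"
}

demo
```

Destinations reported as unknown are the ones worth a closer look; the relay matches are ordinary relay-to-relay traffic.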
On 11.06.26 at 11:01, TheMadHacker Schism via tor-relays wrote:

> be sure to block any and all ports for smtp, 25, 465, 587, 2525 (not a comprehensive list of ports) for both incoming and outgoing connections.

Please read the SMTP RFCs.

25 is for unauthenticated mail and if that is allowed, it can be used as a spambot.
465 and 587 are for authenticated mail. If the user does not have credentials on the remote server, it cannot send mail.
2525 is not standardized at all for mail.

Exclude port 25 in the ExitPolicy, not only the firewall. Otherwise your relay might end as a Bad one.

--
Regards
Marco

Junk mail please to trashcan@stinkedores.dorfdsl.de
[Ole Rydahl] Thank you Roger! The Wireshark recordings I made fit nicely with your list of IPs using 465/587 as or-port.

/Ole
Thanks for the info on this, you guys, I would not have immediately thought that some relays use 587 / 465 as an ORPort. Learned something new today, and I'll be sure exit policy matches any firewall rules that may be defined, the last thing I want to do is exclude legitimate relays from connecting through mine just because they picked a common port.

On Fri, Jun 12, 2026 at 4:53 AM Dennis Bronk via tor-relays <tor-relays@lists.torproject.org> wrote:

> Hi,
>
> I have to agree on this one, figure out which IP addresses are being connected to. I have relays running on all kinds of popular ports (80,143,443,465,587,995 and some more), I would strongly advise not to block ports 465 or 587 as was suggested somewhere earlier in this thread. The port you should block, and most likely is already blocked by your provider, is port 25. I recognize some of the IPs in this list as mine, like 37.221.209.198 for example belongs to 3 of my Hungarian guards.
>
> Kind regards,
>
> Dennis Bronk.
--
Thanks,
Robert Shults
IT Administrator & Solution Architect
CEO, TheMadHacker LLC
https://themadhacker.net