[tor-bugs] #17855 [Flashproxy]: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite Blocking List)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 14 23:52:04 UTC 2015
#17855: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite Blocking List)
------------------------+---------------------
Reporter: dcf | Owner: dcf
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Flashproxy | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------+---------------------
Comment (by dcf):
Someone called Andy at the CBL says:
Fix the EHLO to be something that matches the rest of the infrastructure
and you shouldn't have any further listings from us.
Here's an SMTP transcript of a flashproxy-reg-email session. The reason we
use `[127.0.0.1]` is we don't know our own IP address until we receive one
of the "at your service" lines. We could easily modify the second EHLO
line (after STARTTLS) but not so easily the first. If you don't force an
IP address, Python smtplib will do something stupid like guess the local
hostname with
[https://docs.python.org/2/library/socket.html#socket.getfqdn
socket.getfqdn].
{{{
⇒ EHLO [127.0.0.1]
⇐ 250-mx.google.com at your service, [69.164.193.231]
⇐ 250-SIZE 35882577
⇐ 250-8BITMIME
⇐ 250-STARTTLS
⇐ 250-ENHANCEDSTATUSCODES
⇐ 250-PIPELINING
⇐ 250-CHUNKING
⇐ 250 SMTPUTF8
⇒ STARTTLS
⇐ 220 2.0.0 Ready to start TLS
⇒ ehlo [127.0.0.1]
⇐ 250-mx.google.com at your service, [69.164.193.231]
⇐ 250-SIZE 35882577
⇐ 250-8BITMIME
⇐ 250-ENHANCEDSTATUSCODES
⇐ 250-PIPELINING
⇐ 250-CHUNKING
⇐ 250 SMTPUTF8
⇒ mail FROM:<flashproxyreg.a at gmail.com> size=439
⇐ 250 2.1.0 OK xp4si3037295pab.1 - gsmtp
⇒ rcpt TO:<flashproxyreg.a at gmail.com>
⇐ 250 2.1.5 OK xp4si3037295pab.1 - gsmtp
⇒ data
⇐ 354 Go ahead xp4si3037295pab.1 - gsmtp
⇒ To: flashproxyreg.a at gmail.com
⇒ From: nobody at localhost
⇒ Subject: client reg d60094a2a9
⇒
⇒ CaNRg3izH9hQttn8w+1ud2I4eJRas32izai/fgWWKkLSU4eYk8nOdZcXMxtqNfFRn+4JftiHQanl
⇒ qbS6b2yxJ2ygpGasldKm+m3suJx0+0Dm8EOKAZZMkjqTb048a/iSZyxyiuBFa1oaLig8Y+AO9KE4
⇒ UI2Mniq4rQL1QeUEOl35L3TqFvEPe/5e2tHUKbVP8mSclCKqEzcgNvYxgOj2zPUnNRdmhHEBJ85w
⇒ Ryrwim83tFGUcjSDFeYpNwNWvIH5ZigeY31O46iuT0cQV9EYa68Ldo/ZYUsscyRs+AMJJsFzBBhx
⇒ nEPsQTgGoy8Pk+IjxEVCJdA8Htp81n/IeXyNDQ==
⇒
⇒ .
⇐ 250 2.0.0 OK 1449981129 xp4si3037295pab.1 - gsmtp
⇒ quit
⇐ 221 2.0.0 closing connection xp4si3037295pab.1 - gsmtp
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17855#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
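An added illustration of the fix the comment sketches (send the first EHLO as `[127.0.0.1]` because the client does not yet know its own address, read that address back from the server's "at your service" line, and use it as the address literal in the EHLO sent after STARTTLS). This is example code, not flashproxy-reg-email's own; it is written for Python 3 and assumes that `smtplib` keeps the server's EHLO reply in `ehlo_resp` with the `250-` prefixes stripped and that the reply line has the form shown in the transcript.

```python
import re
import smtplib

# Constructed sample: the first lines of the server's EHLO reply as shown
# in the transcript above (smtplib strips the "250-" prefixes).
SAMPLE_EHLO_REPLY = (
    b"mx.google.com at your service, [69.164.193.231]\n"
    b"SIZE 35882577\n"
    b"8BITMIME\n"
    b"STARTTLS\n"
)

# The greeting line echoes the address the client connected from.
AT_YOUR_SERVICE = re.compile(rb"at your service, \[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def extract_own_address(ehlo_reply):
    """Return the address the server saw us connect from, or None."""
    m = AT_YOUR_SERVICE.search(ehlo_reply)
    return m.group(1).decode("ascii") if m else None


def address_literal(ip):
    """Format an IP as the RFC 5321 address literal used in EHLO."""
    return "[IPv6:%s]" % ip if ":" in ip else "[%s]" % ip


def send_with_consistent_ehlo(host, port, sender, recipient, message):
    """Hypothetical helper: first EHLO as [127.0.0.1] (address unknown),
    learn the address from the reply, then re-EHLO after STARTTLS with
    the real address literal so both halves of the session agree."""
    s = smtplib.SMTP(host, port, local_hostname="[127.0.0.1]")
    s.ehlo()                        # server reply lands in s.ehlo_resp
    ip = extract_own_address(s.ehlo_resp)
    if ip:
        s.local_hostname = address_literal(ip)
    s.starttls()                    # clears the pre-TLS EHLO state
    s.ehlo()                        # second EHLO uses the learned address
    s.sendmail(sender, recipient, message)
    s.quit()
    return s.local_hostname
```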