[tor-bugs] #17855 [Flashproxy]: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite Blocking List)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 14 23:52:04 UTC 2015


#17855: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite
Blocking List)
------------------------+---------------------
 Reporter:  dcf         |          Owner:  dcf
     Type:  defect      |         Status:  new
 Priority:  Medium      |      Milestone:
Component:  Flashproxy  |        Version:
 Severity:  Normal      |     Resolution:
 Keywords:              |  Actual Points:
Parent ID:              |         Points:
  Sponsor:              |
------------------------+---------------------

Comment (by dcf):

 Someone called Andy at the CBL says:
   Fix the EHLO to be something that matches the rest of the infrastructure
   and you shouldn't have any further listings from us.

 Here's an SMTP transcript of a flashproxy-reg-email session. The reason we
 use `[127.0.0.1]` is we don't know our own IP address until we receive one
 of the "at your service" lines. We could easily modify the second EHLO
 line (after STARTTLS) but not so easily the first. If you don't force an
 IP address, Python smtplib will do something stupid like guess the local
 hostname with
 [https://docs.python.org/2/library/socket.html#socket.getfqdn
 socket.getfqdn].

 {{{
 ⇒  EHLO [127.0.0.1]
  ⇐ 250-mx.google.com at your service, [69.164.193.231]
  ⇐ 250-SIZE 35882577
  ⇐ 250-8BITMIME
  ⇐ 250-STARTTLS
  ⇐ 250-ENHANCEDSTATUSCODES
  ⇐ 250-PIPELINING
  ⇐ 250-CHUNKING
  ⇐ 250 SMTPUTF8
 ⇒  STARTTLS
  ⇐ 220 2.0.0 Ready to start TLS
 ⇒  ehlo [127.0.0.1]
  ⇐ 250-mx.google.com at your service, [69.164.193.231]
  ⇐ 250-SIZE 35882577
  ⇐ 250-8BITMIME
  ⇐ 250-ENHANCEDSTATUSCODES
  ⇐ 250-PIPELINING
  ⇐ 250-CHUNKING
  ⇐ 250 SMTPUTF8
 ⇒  mail FROM:<flashproxyreg.a at gmail.com> size=439
  ⇐ 250 2.1.0 OK xp4si3037295pab.1 - gsmtp
 ⇒  rcpt TO:<flashproxyreg.a at gmail.com>
  ⇐ 250 2.1.5 OK xp4si3037295pab.1 - gsmtp
 ⇒  data
  ⇐ 354  Go ahead xp4si3037295pab.1 - gsmtp
 ⇒  To: flashproxyreg.a at gmail.com
 ⇒  From: nobody at localhost
 ⇒  Subject: client reg d60094a2a9
 ⇒
 ⇒  CaNRg3izH9hQttn8w+1ud2I4eJRas32izai/fgWWKkLSU4eYk8nOdZcXMxtqNfFRn+4JftiHQanl
 ⇒  qbS6b2yxJ2ygpGasldKm+m3suJx0+0Dm8EOKAZZMkjqTb048a/iSZyxyiuBFa1oaLig8Y+AO9KE4
 ⇒  UI2Mniq4rQL1QeUEOl35L3TqFvEPe/5e2tHUKbVP8mSclCKqEzcgNvYxgOj2zPUnNRdmhHEBJ85w
 ⇒  Ryrwim83tFGUcjSDFeYpNwNWvIH5ZigeY31O46iuT0cQV9EYa68Ldo/ZYUsscyRs+AMJJsFzBBhx
 ⇒  nEPsQTgGoy8Pk+IjxEVCJdA8Htp81n/IeXyNDQ==
 ⇒
 ⇒  .
  ⇐ 250 2.0.0 OK 1449981129 xp4si3037295pab.1 - gsmtp
 ⇒  quit
  ⇐ 221 2.0.0 closing connection xp4si3037295pab.1 - gsmtp
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17855#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
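Added example (not part of the ticket and not flashproxy's own code): the comment notes that the EHLO sent after STARTTLS is easy to change because the first EHLO response already contains the client address the server saw. The snippet below assumes Python 3's `smtplib`, whose `local_hostname` attribute is the name used for every EHLO it sends, including the one `sendmail()` triggers after `starttls()` clears the cached greeting. It parses the address literal out of the "at your service" line (the sample greeting is constructed from the transcript above) and prefers a configured FQDN when one is available, so the second EHLO matches the sending infrastructure rather than the generic `[127.0.0.1]` that triggered the listing.

```python
import re
import smtplib

# Constructed sample: the EHLO reply from the transcript above, in the shape
# smtplib stores it (status codes and "250-" prefixes already stripped).
SAMPLE_EHLO_RESP = (
    b"mx.google.com at your service, [69.164.193.231]\n"
    b"SIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\n"
    b"PIPELINING\nCHUNKING\nSMTPUTF8"
)

# An SMTP address literal: "[69.164.193.231]" or "[IPv6:2001:db8::1]".
_ADDR_LITERAL = re.compile(rb"\[[^\]]+\]")


def advertised_literal(ehlo_resp):
    """Return the address literal the server echoed on the first line of
    its EHLO reply (e.g. "[69.164.193.231]"), or None if there is none."""
    first_line = ehlo_resp.split(b"\n", 1)[0]
    match = _ADDR_LITERAL.search(first_line)
    return match.group(0).decode("ascii") if match else None


def ehlo_name(ehlo_resp, configured_hostname=None):
    """Choose the name for the post-STARTTLS EHLO.

    A configured fully-qualified hostname wins; otherwise fall back to the
    public address the server itself reported, which is at least consistent
    with the connection rather than a loopback literal.
    """
    if configured_hostname and "." in configured_hostname:
        return configured_hostname
    return advertised_literal(ehlo_resp)


def send_with_learned_ehlo(host, port, configured_hostname,
                           sender, recipient, message):
    """Hypothetical helper: mirror the transcript's session but present the
    learned name in the second EHLO. Needs network access, so it is not
    exercised offline."""
    first_name = configured_hostname or "[127.0.0.1]"
    with smtplib.SMTP(host, port, local_hostname=first_name) as conn:
        code, resp = conn.ehlo()          # first EHLO: own address unknown yet
        if code != 250:
            raise smtplib.SMTPHeloError(code, resp)
        conn.starttls()                   # resets the cached EHLO state
        name = ehlo_name(resp, configured_hostname)
        if name:
            conn.local_hostname = name    # used by the EHLO sendmail() sends
        conn.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    print(advertised_literal(SAMPLE_EHLO_RESP))
    print(ehlo_name(SAMPLE_EHLO_RESP, "localhost"))
    print(ehlo_name(SAMPLE_EHLO_RESP, "relay.example.net"))
```

Only the second EHLO is fixed this way, exactly as the comment says: the first one goes out before the server has told the client anything, so a hostname that matches the infrastructure still has to come from configuration.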

