tor trying to pop mail from random IPs on win32

Dave Korn davek_throwaway at hotmail.com
Tue Aug 22 17:58:43 UTC 2006


>From: "Joseph B Kowalski"
>Subject: Re: tor trying to pop mail from random IPs on win32
>Date: Mon, 21 Aug 2006 21:31:54 -0700

>On Mon, 21 Aug 2006 19:47:32 -0700 Roger Dingledine wrote:
> >On Sat, Aug 19, 2006 at 05:04:05PM -0700, Tor question wrote:
> >> Is there a reason why tor would try and POP mail from random IPs while
> >> running in Windows?  I have a log from AVG Antivirus that shows tor is
> >> trying to POP mail.

> >If you are just a Tor client, perhaps there was a Tor server running
> >on 218.46.74.116:110? There's no rule that traffic on port 110 will
> >necessarily be pop traffic. But I don't think there was a Tor server at
> >that address.

>Just wanted to add that I had seen this behavior before several
>months back. At the time, I was running AVG anti-virus, which
>includes a real-time email scanning component. Basically, what it
>came down to was that there was a Tor server running its ORPort on
>either port 25 or 110 (can't remember which right now). So,
>whenever my Tor client would establish a connection to that server,
>I would get a message popping up indicating that Tor was trying to
>establish an SMTP or POP3 connection, whichever it was. I was
>suspicious at first, of course, but ended up looking at the IP it
>was indicating that Tor was connecting to, taking that IP over to
>the Tor network status site
>(http://serifos.eecs.harvard.edu/cgi-bin/exit.pl), and looking for
>the IP in question. Sure enough, it was a Tor server, and sure
>enough, it was running its ORPort on 25 or 110, whichever it was.
>
>
>There is a good chance that you are experiencing something similar,
>and if so you should be able to verify it the same way that I did.

  I had the exact same experience some time ago as well:

http://archives.seul.org/or/talk/Feb-2006/msg00143.html (and thread)

  In some cases it was a Tor server on 110, in others it was a POP server 
that had previously been a Tor server on 110, and in other cases I couldn't 
be sure.  I'm not entirely sure that somebody isn't trying to play games 
with carefully constructed extend requests to things that aren't actually 
Tor servers and aren't actually listed in the directory.

  Blimey, I just had an interesting idea.  <lightbulb ping>  I bet if you 
start building a circuit, and tell your middleman server to extend it to 
some arbitrary IP/port of your own choosing, you can deduce from the error 
return whether the target port was open (but not running tor) or closed.  
Somebody could be using this technique to turn Tor into an anonymous port 
scanner whilst bypassing exit node restrictions.  How's that for a theory?

    cheers,
        DaveK

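The verification step Joseph and Dave describe (take the IP:port the antivirus flagged, look it up in the directory, and see whether it is a listed relay's ORPort) as an added Python example; this is not code from the thread or from Tor itself. The status lines are constructed samples in the layout of Tor's network-status "r" lines with placeholder identity fields and RFC 5737 documentation addresses, and the antivirus alert format is hypothetical.

```python
import re

# Constructed sample status lines in the "r" line layout:
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
# Identity/digest fields are placeholders; IPs are documentation addresses.
SAMPLE_STATUS = """\
r popish AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2006-08-22 12:00:00 192.0.2.10 110 9030
r smtpish CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2006-08-22 12:00:00 192.0.2.11 25 0
r normal EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2006-08-22 12:00:00 198.51.100.7 9001 9030
s Running Valid
"""

# Constructed antivirus-style alert lines (hypothetical format).
SAMPLE_ALERTS = [
    "tor.exe connected to 192.0.2.10:110 (POP3)",
    "tor.exe connected to 192.0.2.11:25 (SMTP)",
    "tor.exe connected to 198.51.100.7:110 (POP3)",
    "tor.exe connected to 203.0.113.5:110 (POP3)",
]

R_LINE = re.compile(r"^r (\S+) \S+ \S+ \S+ \S+ (\d+\.\d+\.\d+\.\d+) (\d+) (\d+)$")
ALERT = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_status(text):
    """Map relay IP -> {ORPort: nickname}; lines other than 'r' are ignored."""
    relays = {}
    for line in text.splitlines():
        m = R_LINE.match(line)
        if m:
            nick, ip, orport, _dirport = m.groups()
            relays.setdefault(ip, {})[int(orport)] = nick
    return relays


def classify(ip, port, relays):
    """Return (verdict, nickname): 'orport' means the mail-port alert is
    explained by a relay's ORPort; 'relay-other-port' means the IP is a
    relay but not on that port; 'unknown' means it is not listed at all."""
    ports = relays.get(ip)
    if ports is None:
        return ("unknown", None)
    if port in ports:
        return ("orport", ports[port])
    return ("relay-other-port", next(iter(ports.values())))


def triage(alert_lines, status_text):
    """Classify every ip:port found in the alert lines against the status."""
    relays = parse_status(status_text)
    out = []
    for line in alert_lines:
        m = ALERT.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            out.append((ip, port) + classify(ip, port, relays))
    return out
```

Only the "orport" verdicts are the benign case the thread describes; the other two are the ones worth a closer look.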