This sounds like reductive reasoning presented under the unhelpful guise of a value judgement. It’s a disappointing response.
I ask questions about things I don’t know. I understand recon (optimize attacks by probing beforehand). I understand attempted break-ins (use the system for some other purpose). I understand statistics (data and research are great). But why monitoring? Seriously. I understand why I would want to monitor my system. I want CIA, but why would someone else want to monitor my system? They aren’t maintaining it. They don’t even know how to contact me if this was some benevolent act. Sure they can contact abuse, but do they know I read it? They certainly didn’t send a message to any of the RFC 2142 addresses to tell me what they are doing beforehand. It’s fishy. They also do this from an anonymous Amazon address.
This domain has no references. It doesn’t host a web page to tell me what they are studying which is more weird. Yet every hour it connects. So, the only thing I’ve got to go on is that I have no idea who these people are or what they are looking for and this, most often, falls into the bad actor category.
So, I’ll tell you what I think and why I think this is the most valuable use of your time. What are they getting on an SMTP connection? If they asked once, then we might assume they were doing recon on server versions/configurations, or checking for open relays to send spam. But they check EVERY HOUR.
What is something you could get every hour? A key? A new key generated every hour. So, we need to ask ourselves WHY does getting a new key matter? Well, it shouldn’t. We should be using sufficient entropy. But what if they know something we don’t? One key every hour isn’t exhausting my entropy pool. But what if that is the test? What if they are looking for a busy mail server that is so busy it uses all its entropy and then generates weak crypto after that? What if they are recording keys and timestamps to make a prediction about the underlying system? OR, worst case, what if they have found a flaw such that they can use an old key to foil perfect forward secrecy. They would need an original key.
This is not FUD or general doom and gloom, just speculation on the behavior of a bad actor because we’ve seen some spectacularly sophisticated bad actors. PRISM and XKEYSCORE siphoned up data not because people were interesting, but they wanted to look through it after the fact. Honestly, this attack seems a bit lazy to be the feds. I would have expected THEM to perform this function across many hosts to blend into background noise, but someone is doing it. And the great thing about lazy scumbags is that it is easier to study them.
So, I have a reasonable suspicion that this is a bad actor. I have logs with which to start a baseline. I can respond in any number of ways.
I could block this attacker at L4 by manually adding them to iptables. I could look for smtp connections that don’t pass mail and chart these over time looking for patterns. I might block such smtp connections after they reach a threshold and age them out. I could report these IPs to their service provider. I could write a watchdog to monitor my entropy pool and alert me if it goes below a certain value. I could suspend services (like smtp) if the entropy pool goes to zero. I could install a hardware entropy generator. The possibilities are only limited to our ingenuity.
I don’t think I need anyone’s “help” per se. In fact I didn’t specifically care about this particular attacker when I posted. I already have a few ideas on what to do with him.
What I wanted was to see what other members were doing. I thought someone here might have already started a baseline, given odd log entries some thought and I was looking to chat about what you found useful.
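As an added illustration of the "look for SMTP connections that don't pass mail and chart them over time" idea from the post above (example code written for this edit, not the poster's own): it parses constructed Postfix-style smtpd disconnect summaries (documentation-range addresses only) and flags clients whose connect-but-no-MAIL sessions recur across distinct hours.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on Postfix 3.x smtpd log lines; the addresses
# are documentation-range (RFC 5737) values, not real hosts.
SAMPLE_LOG = """\
Mar  3 00:02:11 mx postfix/smtpd[4101]: connect from unknown[203.0.113.7]
Mar  3 00:02:11 mx postfix/smtpd[4101]: disconnect from unknown[203.0.113.7] ehlo=1 quit=1 commands=2
Mar  3 00:17:40 mx postfix/smtpd[4102]: connect from mail.example.net[198.51.100.20]
Mar  3 00:17:42 mx postfix/smtpd[4102]: disconnect from mail.example.net[198.51.100.20] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Mar  3 01:02:09 mx postfix/smtpd[4110]: connect from unknown[203.0.113.7]
Mar  3 01:02:10 mx postfix/smtpd[4110]: disconnect from unknown[203.0.113.7] ehlo=1 quit=1 commands=2
Mar  3 02:02:08 mx postfix/smtpd[4121]: connect from unknown[203.0.113.7]
Mar  3 02:02:08 mx postfix/smtpd[4121]: disconnect from unknown[203.0.113.7] ehlo=1 quit=1 commands=2
Mar  3 02:31:55 mx postfix/smtpd[4130]: connect from unknown[192.0.2.44]
Mar  3 02:31:57 mx postfix/smtpd[4130]: disconnect from unknown[192.0.2.44] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Only the disconnect line matters: Postfix summarises the whole session there.
DISCONNECT = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d\d):\d\d:\d\d \S+ "
    r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\](?P<summary>.*)$"
)
MAIL_CMD = re.compile(r"\bmail=(\d+)")

def empty_sessions(log_text):
    """Map client IP -> set of (month, day, hour) buckets in which a session
    ended without ever issuing a MAIL command (EHLO/QUIT only, or a bare drop)."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = DISCONNECT.match(line)
        if not m:
            continue
        mails = MAIL_CMD.search(m.group("summary"))
        if mails and int(mails.group(1)) > 0:
            continue  # a real delivery attempt, not a probe
        buckets[m.group("ip")].add((m.group("mon"), int(m.group("day")), int(m.group("hour"))))
    return buckets

def flag_repeat_probers(log_text, min_hours=3):
    """Return {ip: hour_count} for clients whose empty sessions recur in at
    least `min_hours` distinct hour buckets, i.e. the hourly pattern in the post."""
    return {ip: len(hours) for ip, hours in empty_sessions(log_text).items()
            if len(hours) >= min_hours}

if __name__ == "__main__":
    for ip, n in flag_repeat_probers(SAMPLE_LOG).items():
        print(f"{ip}: {n} hours with connect-but-no-mail sessions")
```

The hour-bucket counts are what you would chart over time to build the baseline; the threshold is the knob for the "block after N and age out" idea.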