
Re: tor trying to pop mail from random IPs on win32



From: "Joseph B Kowalski"
Subject: Re: tor trying to pop mail from random IPs on win32
Date: Mon, 21 Aug 2006 21:31:54 -0700

On Mon, 21 Aug 2006 19:47:32 -0700 Roger Dingledine wrote:
>On Sat, Aug 19, 2006 at 05:04:05PM -0700, Tor question wrote:
>> Is there a reason why tor would try and POP mail from random IPs while
>> running in Windows?  I have a log from AVG Antivirus that shows tor is
>> trying to POP mail.

>If you are just a Tor client, perhaps there was a Tor server running
>on 218.46.74.116:110? There's no rule that traffic on port 110 will
>necessarily be pop traffic. But I don't think there was a Tor server at
>that address.

Just wanted to add that I had seen this behavior before several months back. At the time, I was running AVG anti-virus, which includes a real-time email scanning component. Basically, what it came down to was that there was a Tor server running its ORPort on either port 25 or 110 (can't remember which right now). So, whenever my Tor client would establish a connection to that server, I would get a message popping up indicating that Tor was trying to establish an SMTP or POP3 connection, whichever it was. I was suspicious at first, of course, but ended up looking at the IP it was indicating that Tor was connecting to, taking that IP over to the Tor network status site (http://serifos.eecs.harvard.edu/cgi-bin/exit.pl), and looking for the IP in question. Sure enough, it was a Tor server, and sure enough, it was running its ORPort on 25 or 110, whichever it was.

There is a good chance that you are experiencing something similar, and if so you should be able to verify it the same way that I did.
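The check Joseph describes above, automated: take the IP:port pairs a mail-scanning antivirus flags as "POP3" or "SMTP" connections from tor.exe and look them up against the relay entries of a Tor network status document. This is an added example, not code from the thread or from the Tor project; the "r" line layout is the one Tor status documents use, while the relay entries, identity fields and log lines below are constructed samples.

```python
# Added example: explain mail-port alerts raised against a Tor client by
# matching the flagged IP:port against relay ORPorts in a status document.
import re

# Constructed network-status "r" lines (layout as in Tor status documents):
# r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
# Identity and digest fields here are dummy values, not real relay keys.
SAMPLE_STATUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2006-08-21 10:00:00 192.0.2.10 110 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2006-08-21 10:00:00 192.0.2.20 9001 0
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2006-08-21 10:00:00 192.0.2.30 25 0
"""

# Constructed antivirus log lines in the style of a mail-scanner alert.
SAMPLE_LOG = """\
2006-08-19 17:04:05 tor.exe outbound POP3 connection to 192.0.2.10:110 blocked
2006-08-19 17:05:11 tor.exe outbound POP3 connection to 198.51.100.7:110 blocked
2006-08-19 17:06:40 tor.exe outbound SMTP connection to 192.0.2.30:25 blocked
"""

MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 465: "SMTPS", 995: "POP3S"}
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_status(text):
    """Map (IP, ORPort) -> nickname for every 'r' line in a status document."""
    relays = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 9 and parts[0] == "r":
            relays[(parts[6], int(parts[7]))] = parts[1]
    return relays


def classify_alerts(log, relays):
    """Return (ip, port, verdict) per flagged endpoint: listed relay or not."""
    results = []
    for line in log.splitlines():
        m = ENDPOINT_RE.search(line)
        if not m:
            continue  # not an endpoint alert line
        ip, port = m.group(1), int(m.group(2))
        nick = relays.get((ip, port))
        if nick:
            proto = MAIL_PORTS.get(port, "mail")
            verdict = f"listed relay {nick}: ORPort {port} (not {proto})"
        else:
            verdict = "not in status document: investigate"
        results.append((ip, port, verdict))
    return results
```

An endpoint that is absent from the status document is not proof of anything bad, since the relay may simply have left the directory since the alert was logged, but it is the case worth a closer look.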

I had the exact same experience some time ago as well:

http://archives.seul.org/or/talk/Feb-2006/msg00143.html (and thread)

In some cases it was a Tor server on 110, in others it was a POP server but had previously been a Tor server on 110, and in other cases I couldn't be sure about it. I'm not entirely sure that somebody isn't trying to play games with carefully constructed extend requests to things that aren't actually Tor servers and aren't actually listed in the directory.

Blimey, I just had an interesting idea. <lightbulb ping> I bet if you start building a circuit, and tell your middleman server to extend it to some arbitrary IP/port of your own choosing, you can deduce from the error return whether the target port was open (but not running tor) or closed. Somebody could be using this technique to turn Tor into an anonymous port scanner whilst bypassing exit node restrictions. How's that for a theory?

   cheers,
       DaveK
