[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] Re: Strange SMTP attempts from my tor relay

To: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-relays] Re: Strange SMTP attempts from my tor relay
From: Roger Dingledine via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Jun 2026 06:05:40 -0400
Cc: Roger Dingledine <arma@xxxxxxxxxxxxxx>
In-reply-to: <CADKTsc2oQd_Ms1szNL9n9eZr6H-nVpgZsimccnJmid_P5+tVYg@mail.gmail.com>
List-id: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays.lists.torproject.org>
References: <018901dcf966$a07c8dd0$e175a970$@qp12.dk> <CADKTsc2oQd_Ms1szNL9n9eZr6H-nVpgZsimccnJmid_P5+tVYg@mail.gmail.com>
Reply-to: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

On Thu, Jun 11, 2026 at 04:01:49AM -0500, TheMadHacker Schism via tor-relays wrote:
> That is a bad actor on tor, attempting to send  spam email that uses smtp
> ports to using your tor node as a relay
> [...]
> > I have noticed that my firewall registers connection attempts from my
> > tor-server on port 465 and 587. My relay performs normally, so it appears
> > that they have no significance for the operation.

Hm, maybe it is the bad actor you describe, but another option is that
these are normal Tor relays listening with their ORPort on port 465 or
587. There is nothing sacred about these numbers, and people can pick
them for their ORPort, and it could even be a good idea if it means
they are reachable from behind firewalls that other destination ports
wouldn't allow.

There is nothing wrong here, but you are right that some sysadmins
might misunderstand what is going on and get upset at you for making
connections on that port.

There are 31 relays running with their ORPort set to 465:

$ grep "^r " cached-consensus |grep " 465 "|cut -d' ' -f7-8|sort -n
31.57.219.143 465
37.221.209.198 465
45.80.171.211 465
45.84.107.101 465
45.84.107.128 465
45.84.107.142 465
45.84.107.172 465
45.84.107.174 465
45.84.107.17 465
45.84.107.182 465
45.84.107.198 465
45.84.107.222 465
45.84.107.236 465
45.84.107.33 465
45.84.107.44 465
45.84.107.47 465
45.84.107.54 465
45.84.107.55 465
45.84.107.74 465
45.84.107.76 465
45.84.107.84 465
45.84.107.97 465
65.108.136.190 465
81.232.160.94 465
95.217.112.245 465
103.167.234.110 465
176.123.3.14 465
194.147.140.101 465
194.147.140.102 465
194.147.140.106 465
194.147.140.107 465

and a smaller but still non-zero set listening with their ORPort on 587:

$ grep "^r " cached-consensus |grep " 587 "|cut -d' ' -f7-8|sort -n
45.80.171.211 587
45.84.107.142 587
45.84.107.236 587
45.84.107.44 587
45.84.107.84 587
78.34.104.67 587
89.25.152.215 587
89.58.5.0 587
89.58.54.129 587
89.58.56.112 587
94.142.241.153 587

--Roger

_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx

Follow-Ups:
- [tor-relays] Re: Strange SMTP attempts from my tor relay
  - From: Dennis Bronk via tor-relays
- [tor-relays] Re: Strange SMTP attempts from my tor relay
  - From: Ole Rydahl via tor-relays

References:
- [tor-relays] Strange SMTP attempts from my tor relay
  - From: Ole Rydahl via tor-relays
- [tor-relays] Re: Strange SMTP attempts from my tor relay
  - From: TheMadHacker Schism via tor-relays

Prev by Author: [tor-relays] Strange SMTP attempts from my tor relay
Next by Author: [tor-relays] Re: relayor v26.2.0 is released - Goodbye "MyFamily"
Previous by thread: [tor-relays] Re: Strange SMTP attempts from my tor relay
Next by thread: [tor-relays] Re: Strange SMTP attempts from my tor relay
Index(es):
- Author
- Thread