
[tor-relays] Re: Strange SMTP attempts from my tor relay



-----Original message-----
From: Roger Dingledine via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Sent: 11 June 2026 12:06
To: support and questions about running Tor relays (exit, non-exit, bridge)
<tor-relays@xxxxxxxxxxxxxxxxxxxx>
Cc: Roger Dingledine <arma@xxxxxxxxxxxxxx>
Subject: [tor-relays] Re: Strange SMTP attempts from my tor relay

On Thu, Jun 11, 2026 at 04:01:49AM -0500, TheMadHacker Schism via tor-relays
wrote:
> That is a bad actor on tor, attempting to send spam email that uses
> smtp ports to using your tor node as a relay [...]
> > I have noticed that my firewall registers connection attempts from 
> > my tor-server on port 465 and 587. My relay performs normally, so it 
> > appears that they have no significance for the operation.

Hm, maybe it is the bad actor you describe, but another option is that these
are normal Tor relays listening with their ORPort on port 465 or 587. There
is nothing sacred about these numbers, and people can pick them for their
ORPort, and it could even be a good idea if it means they are reachable from
behind firewalls that other destination ports wouldn't allow.

There is nothing wrong here, but you are right that some sysadmins might
misunderstand what is going on and get upset at you for making connections
on that port.

There are 31 relays running with their ORPort set to 465:

$ grep "^r " cached-consensus |grep " 465 "|cut -d' ' -f7-8|sort -n

and a smaller but still non-zero set listening with their ORPort on 587:

$ grep "^r " cached-consensus |grep " 587 "|cut -d' ' -f7-8|sort -n

--Roger


[Ole Rydahl] Thank you Roger! The Wireshark recordings I made fit nicely
with your list of IPs using 465/587 as or-port.

/Ole

_______________________________________________
tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx To unsubscribe
send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx
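
Added example (not part of the original thread and not Tor Project code): the same consensus lookup as the grep commands above, but keyed on the exact IP and port pairs a firewall logged, so each outbound connection to 465/587 is marked as a listed relay ORPort or not. The names `classify_dests` and `demo`, the file layout and the sample data are constructed for illustration; it assumes the full consensus format, where fields 7 and 8 of an `r` line are the address and ORPort.

```shell
#!/bin/sh
# Full-consensus "r" line: r nickname identity digest date time IP ORPort DirPort
# (fields 7 and 8 are the ones the cut command in the thread selects).

classify_dests() {
    # $1 = consensus file, $2 = observed "IP PORT" pairs, one per line
    [ -s "$1" ] || { echo "empty or missing consensus: $1" >&2; return 1; }
    awk '
        NR == FNR {                       # first file: build the relay table
            if ($1 == "r" && NF >= 9) relay[$7 " " $8] = $2
            next
        }
        NF >= 2 {                         # second file: look up each pair
            key = $1 " " $2
            if (key in relay) print key, "relay-orport", relay[key]
            else              print key, "not-in-consensus"
        }
    ' "$1" "$2"
}

demo() {
    # Constructed sample data; addresses are from the documentation ranges.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/consensus" <<'EOF'
r ExampleA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2026-06-11 09:00:00 192.0.2.10 465 0
s Fast Running Stable Valid
r ExampleB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2026-06-11 09:00:00 198.51.100.7 587 0
r ExampleC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2026-06-11 09:00:00 203.0.113.5 9001 0
EOF
    cat > "$tmp/seen" <<'EOF'
192.0.2.10 465
198.51.100.7 587
203.0.113.5 465
203.0.113.99 587
EOF
    classify_dests "$tmp/consensus" "$tmp/seen"
    rm -rf "$tmp"
}

demo
```

The third sample pair shows why the match is on address and port together: that address is a relay, but its ORPort is 9001, so a connection to it on 465 is not explained by the consensus. A microdesc consensus omits the digest field from `r` lines, so the field numbers would need adjusting for that file.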
