I've noticed this maybe 3-4 years ago. Could not tie it to any legitimate customer or application.
We created rules in our IDS to drop these connections after 5 seconds of inactivity and ban the IP for a week. Didn't hurt any legitimate users. Didn't spend much time analyzing it, but I think it's some sort of bot trying to do some SSL shenanigans.

Scott

On Sunday, 11/08/2024 at 09:44 Slavko via mailop wrote:

Hi all,

in recent months I see multiple "idle" connection attempts to port 465. When I did tcpdump on it, I see that the client does a successful TCP handshake, then nothing is sent over it, and finally the connection is cleanly closed by the client (FIN after ~10 sec).

I guess that it is a plain SMTP connection to the TLS port, expecting the server's greeting, but that doesn't happen, as the server expects a TLS handshake initiated by the client...

It is not a big amount, nothing to worry about, I am just curious if someone knows what botnet/malware is behind that, as I cannot find any details about it. Please, is it something known?

regards

-- 
Slavko
https://www.slavino.sk/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
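The pattern discussed in this thread (TCP handshake to port 465, no client bytes, client FIN after about 10 seconds) and the 5-second drop with a one-week ban, as an added Python example that is not either poster's IDS rule. The `Conn` record layout, the function names and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_LIMIT = 5.0              # seconds of client silence before the drop (from the reply)
BAN_SECONDS = 7 * 24 * 3600   # one-week ban (from the reply)
SMTPS_PORT = 465              # implicit TLS: the client must speak first

@dataclass
class Conn:                   # hypothetical flow record, not a real IDS format
    src: str
    dport: int
    established: float                  # time the TCP handshake completed
    first_client_byte: Optional[float]  # None: the client never sent payload
    closed: float                       # time the connection ended

def drop_time(c):
    """Return when the idle rule would fire for this connection, or None."""
    if c.dport != SMTPS_PORT:
        return None
    deadline = c.established + IDLE_LIMIT
    silent_until = c.closed if c.first_client_byte is None else c.first_client_byte
    # Fires only if the client was still connected and silent at the deadline.
    return deadline if silent_until >= deadline else None

def evaluate(conns):
    """Map each offending source IP to the time its ban expires."""
    bans = {}
    for c in sorted(conns, key=lambda c: c.established):
        if bans.get(c.src, 0.0) > c.established:
            continue          # already banned, connection would not be accepted
        fired = drop_time(c)
        if fired is not None:
            bans[c.src] = fired + BAN_SECONDS
    return bans

def is_banned(bans, src, now):
    return bans.get(src, 0.0) > now

# Constructed sample flows (documentation address ranges), times in seconds.
SAMPLE = [
    Conn("192.0.2.10", 465, 0.0, None, 10.2),         # handshake, silence, FIN at ~10 s
    Conn("198.51.100.7", 465, 100.0, 100.08, 103.5),  # normal client: ClientHello at once
    Conn("203.0.113.5", 465, 200.0, None, 200.4),     # closed before the 5 s limit
    Conn("198.51.100.7", 25, 300.0, None, 330.0),     # other port: rule does not apply
]

if __name__ == "__main__":
    for ip, until in evaluate(SAMPLE).items():
        print(f"ban {ip} until t={until:.0f}s")
```

A client that completes the handshake and starts TLS immediately never reaches the deadline, which matches the report that the rule did not affect legitimate users.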