On Fri, Dec 13, 2019 at 04:35:39PM +0100, ratatouille wrote:
> Dec 13 14:18:43 atlas postfix/postscreen[12510]: CONNECT from
> [71.6.146.186]:46796 to [185.84.80.145]:25
> Dec 13 14:18:43 atlas postfix/postscreen[12510]: PREGREET 137 after 0 from
> [71.6.146.186]:46796:
> \22\3\1\0\132\1\0\0\128\3\3\171\134\163\131Zpgo\187\niuk\249\177f\197;\167j\2223fy\14\2wn:#\220\242\
This sequence of bytes is (the initial part of) a TLS ClientHello message:
\22\3\1\0\132 - TLS 1.0 Handshake Record of 132 bytes
\1 - Type is ClientHello
\0\0\128 - Hello length is 128
\3\3 - Client TLS version is TLS 1.2
...
Sent from:
$ getent hosts 71.6.146.186
71.6.146.186 inspire.census.shodan.io
It probably sent STARTTLS and the ClientHello without waiting for a positive
response to STARTTLS. See https://www.shodan.io/ if you've never heard of
Shodan.
--
Viktor.
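The decoding Viktor walks through above can be automated for every postscreen PREGREET line in a mail log. The following is an added example, not code from the thread or from Postfix: it assumes that postscreen writes the payload in the escape() style visible in the quoted line (single-letter C escapes such as \n and \r, and an unpadded decimal \NNN for every other non-printable byte, which is the reading that makes \22 equal 0x16), decodes it back to bytes, and then reads the TLS record and handshake headers exactly as the message does. Because the decimal escapes are not zero-padded, a sequence like \2223 is ambiguous; the decoder takes the longest digit run that still fits in a byte. SAMPLE_SMTP_LINE and its client address are constructed for the non-TLS branch; the first sample line is the one quoted in the thread.

```python
import re
import struct
from typing import NamedTuple, Tuple

# Copied from the PREGREET line quoted in the thread. The logged text ends in
# a lone backslash, so the decoded sample is a truncated ClientHello.
SAMPLE_LOG_LINE = (
    "Dec 13 14:18:43 atlas postfix/postscreen[12510]: PREGREET 137 after 0 from "
    r"[71.6.146.186]:46796: \22\3\1\0\132\1\0\0\128\3\3\171\134\163\131Zpgo"
    r"\187\niuk\249\177f\197;\167j\2223fy\14\2wn:#\220\242" + "\\"
)
# Constructed sample of the more common case: SMTP spoken before the banner.
SAMPLE_SMTP_LINE = (
    "Dec 13 14:20:01 atlas postfix/postscreen[12510]: PREGREET 22 after 0 from "
    r"[192.0.2.10]:51000: EHLO example.invalid\r\n"
)

PREGREET_RE = re.compile(
    r"postfix/postscreen\[\d+\]: PREGREET (?P<count>\d+) after (?P<delay>[\d.]+) "
    r"from \[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<payload>.*)$"
)

# Assumed escape() conventions: named C escapes, and "\<decimal>" otherwise.
_NAMED_ESCAPES = {"n": 10, "r": 13, "t": 9, "a": 7, "b": 8, "f": 12, "v": 11, "\\": 92}


def unescape_postfix(text: str) -> Tuple[bytes, bool]:
    """Decode an escaped PREGREET payload. Returns (data, truncated), where
    truncated is True when the text ends in a lone backslash (a cut-off line)."""
    out = bytearray()
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))  # printable ASCII is logged as-is
            i += 1
            continue
        if i + 1 == n:
            return bytes(out), True
        nxt = text[i + 1]
        if nxt in _NAMED_ESCAPES:
            out.append(_NAMED_ESCAPES[nxt])
            i += 2
            continue
        m = re.match(r"\d{1,3}", text[i + 1:])
        if m is None:
            raise ValueError(f"unknown escape at offset {i}: {text[i:i + 2]!r}")
        digits = m.group(0)
        while int(digits) > 255:  # unpadded decimal: shrink until it is a byte
            digits = digits[:-1]
        out.append(int(digits))
        i += 1 + len(digits)
    return bytes(out), False


TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
_TLS_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
              (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def tls_version_name(version: Tuple[int, int]) -> str:
    return _TLS_NAMES.get(version, f"unknown version {version[0]}.{version[1]}")


class ClientHelloHeader(NamedTuple):
    record_version: Tuple[int, int]  # version field of the record layer
    record_length: int               # bytes in the record body
    hello_length: int                # bytes in the ClientHello body
    client_version: Tuple[int, int]  # version the client offers in the hello


def parse_client_hello_header(data: bytes) -> ClientHelloHeader:
    """Parse the 5-byte record header and the first 6 bytes of a ClientHello."""
    if len(data) < 11:
        raise ValueError("fewer than 11 bytes: no room for record + handshake headers")
    rec_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != TLS_RECORD_HANDSHAKE:
        raise ValueError(f"record type {rec_type:#x} is not a TLS handshake record")
    if data[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"handshake type {data[5]:#x} is not ClientHello")
    hello_len = int.from_bytes(data[6:9], "big")
    return ClientHelloHeader((rec_major, rec_minor), rec_len, hello_len, (data[9], data[10]))


def describe_pregreet(line: str) -> str:
    """Summarise one PREGREET log line: TLS ClientHello details or the first
    text line of whatever else the client sent before the banner."""
    m = PREGREET_RE.search(line)
    if m is None:
        raise ValueError("not a postscreen PREGREET log line")
    data, truncated = unescape_postfix(m["payload"])
    ip = m["ip"]
    try:
        h = parse_client_hello_header(data)
    except ValueError:
        first = data.decode("ascii", "replace").split("\r\n")[0]
        return f"{ip}: non-TLS pregreet, first line {first!r}"
    note = " (log line truncated)" if truncated else ""
    return (f"{ip}: TLS ClientHello, record {tls_version_name(h.record_version)} "
            f"of {h.record_length} bytes, hello body {h.hello_length} bytes, "
            f"client version {tls_version_name(h.client_version)}{note}")


if __name__ == "__main__":
    for sample in (SAMPLE_LOG_LINE, SAMPLE_SMTP_LINE):
        print(describe_pregreet(sample))
```

Run against the quoted line it reports a TLS 1.0 record of 132 bytes carrying a 128-byte ClientHello that offers TLS 1.2, which is the same reading as the message above; the truncation flag tells you when the log line stopped short of the 137 bytes postscreen counted, so you know not to try parsing cipher suites or SNI out of it.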