Screw Off criminalip.com 2024-03-05
Recently I saw some of this shit in my mail server logs:
Mar 4 06:48:26 lily postfix/smtpd[9974]: warning: hostname security.criminalip.com does not resolve to address 185.242.226.22
Mar 4 06:48:26 lily postfix/smtpd[9974]: connect from unknown[185.242.226.22]
Mar 4 06:48:26 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001\247\001\000\001\243\003\0038N\207[b\362\201\312\v\325\335\000\020|\001\347\027\242br\231\345\324\266\335s~d\357\344\211v E\233\307Pq3Kf})\376c\272\346\255\252\267\2477\030\207\244\025\257E\273)\356][\306\215\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Mar 4 06:48:26 lily postfix/smtpd[9974]: lost connection after CONNECT from unknown[185.242.226.22]
Mar 4 06:48:26 lily postfix/smtpd[9974]: disconnect from unknown[185.242.226.22] commands=0/0
Mar 4 06:48:26 lily postfix/smtpd[9974]: warning: hostname security.criminalip.com does not resolve to address 185.242.226.22
Mar 4 06:48:26 lily postfix/smtpd[9974]: connect from unknown[185.242.226.22]
Mar 4 06:48:26 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001\247\001\000\001\243\003\003C{\244QJ\334\342\316xz\202\273\310S!\0017\261\216\317d'\234\355\016\311\b\025\021B\371{ \331?\373\237wZ\310\377\356r\221(\224iW\372\t\211\212\261\210\241" \036\211\271X\361\245j\355\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
Mar 4 06:48:27 lily postfix/smtpd[9974]: lost connection after CONNECT from unknown[185.242.226.22]
Mar 4 06:48:27 lily postfix/smtpd[9974]: disconnect from unknown[185.242.226.22] commands=0/0
Mar 4 06:48:27 lily postfix/smtpd[9974]: warning: hostname security.criminalip.com does not resolve to address 185.242.226.22
Mar 4 06:48:27 lily postfix/smtpd[9974]: connect from unknown[185.242.226.22]
Mar 4 06:48:27 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001X\001\000\001T\003\003i\376RP\213kO,4\332\3673dE\341\341T\\\300\324\376\350\245\342\3327\200\212\255\262\346k i#\023\362K\372\v>/f\320\025\241\236\272.\360\264\b\363;A\261\035\244uX_\364\247\320H\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
Mar 4 06:48:27 lily postfix/smtpd[9974]: lost connection after CONNECT from unknown[185.242.226.22]
Mar 4 06:48:27 lily postfix/smtpd[9974]: disconnect from unknown[185.242.226.22] commands=0/0
Mar 4 06:48:27 lily postfix/smtpd[9974]: warning: hostname security.criminalip.com does not resolve to address 185.242.226.22
Mar 4 06:48:27 lily postfix/smtpd[9974]: connect from unknown[185.242.226.22]
Mar 4 06:48:27 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001J\001\000\001F\003\003\263J\316W'\2043Hf*"\027\366#\245\275\357\260\243\214\207\224\260\017\272?\312\205#s\331\336 \366\362\251\3209\323\t\016x4\026}\337\177\036mE\255\030:\245\2246\017/-\024^]=\030B\000D\300\023\300'\300/\300\024\300(\3000\300`\300a\300v\300w\314\250
Mar 4 06:48:27 lily postfix/smtpd[9974]: lost connection after CONNECT from unknown[185.242.226.22]
Mar 4 06:48:27 lily postfix/smtpd[9974]: disconnect from unknown[185.242.226.22] commands=0/0
Mar 4 06:48:27 lily postfix/smtpd[9974]: warning: hostname security.criminalip.com does not resolve to address 185.242.226.22
Mar 4 06:48:27 lily postfix/smtpd[9974]: connect from unknown[185.242.226.22]
Mar 4 06:48:27 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001\233\001\000\001\227\003\003\27245\n\320\027\036\346\003f.b\000\261\n\a\3213nx\326:V\332\213E\343$\f(\356\034 \006\n\350\303\227\367\304\344cZ\267\343\035\331\321\303\006[h\355S\230\022\367\276\212\335\256\3405\227\317\000\214\352\352\300\022\300\023\300\a\300'\314\024\300/\023\001\300\024\023\002\300(
Mar 4 06:53:27 lily postfix/smtpd[9974]: timeout after CONNECT from unknown[185.242.226.22]
Mar 4 06:53:27 lily postfix/smtpd[9974]: disconnect from unknown[185.242.226.22] commands=0/0
Pipelining is where the SENDING mail server just pumps out all of its commands quickly without waiting for the RECEIVING mail server to acknowledge each step along the way. A typical SMTP transfer involves the sender saying hello (or rather probably EHLO), followed by the receiver saying OK, then the sender sends the MAIL FROM command and the receiver sends OK again... and so on. With the PIPELINING extension (RFC 2920) the receiver announces in its EHLO reply that it will take a batch of commands in one go, and the sender only has to stop and read replies at the few points the RFC says it must. What Postfix calls "improper command pipelining" is a client that sends before it is allowed to; "after CONNECT" means the bytes arrived before Postfix had even sent its 220 greeting, and Postfix logs the first 100 bytes of whatever it got, with the non-printable ones as octal escapes. While some folks consider pipelining to be a feature, more recently it has become a problem. Specifically this problem, SMTP smuggling, which is being used [especially with the help of Microsoft] to send spam: the smuggled commands ride in as pipelined input the receiver never asked for, which is why Postfix's smtpd_forbid_unauth_pipelining setting (on by default since Postfix 3.9) is part of the fix.
185.242.226.22 is an IP address owned by criminalip.com (the PTR record even says security.criminalip.com, it just doesn't resolve back to the address, which is why Postfix logs the client as "unknown"), and their whois record clearly states that their garbage bot
... only reads the response data from basic port requests, and never utilizes vulnerability scanning or other exploit scripts.
and
... differs from malicious acts such as DDoS attacks in that it simply surveys by knocking on the door(port).
This is what we in the computer biz call "bullshit". Look at what Postfix actually logged: \026\003\003 ... \001 is not an SMTP command at all, it is the start of a TLS ClientHello (record type 0x16, record version TLS 1.2, handshake type 0x01) fired at port 25 before my server had even said hello. Port 25 is cleartext SMTP that only switches to TLS after STARTTLS, so Postfix treats the blob as unsolicited early input and logs it as improper pipelining, the scanner gets a 220 banner instead of a ServerHello, and the connection dies. Five of those in about a second, each one with a different cipher suite ordering (compare the bytes after \000\212, \000F, \000D and \000\214 in the lines above), is what JARM-style active TLS fingerprinting looks like, and the last one sat on the socket until my 300 second timeout kicked it off. Whatever you call that, it is not a basic port request, and it is not knocking on a specific port. It is actively probing the service to find out what it speaks and how it is configured. Checking whether a mail server supports pipelining, or whether it is exposed to the SMTP smuggling attack linked above, is the same kind of active poke with SMTP commands instead of a ClientHello, and nothing in that whois blurb rules it out. Now if I thought there was any chance at all that criminalip.com might contact me to tell me they found some specific hack that I am vulnerable to and maybe even links to information on how to fix it, then maybe I'd be okay with it. But I am pretty sure the chances of that are flat out zero. You guys are dicks.
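Added example (not part of the original post, and not Postfix's or criminalip's code): a small Python script that undoes Postfix's log escaping, recognises a TLS ClientHello, pulls out the TLS versions and cipher suites it can see before the 100 byte cut-off, and groups the early-input connections per client IP. Three of the sample lines are copied from the log above; the 192.0.2.10 line is constructed to show what the SMTP flavour of pipelining (a spambot blurting EHLO and MAIL FROM before the banner) looks like. The "JARM-style" flag is a rule of thumb (one IP, several ClientHellos, different cipher orderings), not something the scanner announces.

```python
"""Decode and classify the blobs Postfix logs as "improper command pipelining".

Added example for this post, not Postfix code: it undoes Postfix's C-style log
escaping, then tells a TLS ClientHello (a TLS probe fired at cleartext port 25)
apart from real SMTP commands (a pipelining spambot)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(r"improper command pipelining after (?P<cmd>\S+) from "
                    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<data>.*)$")
SIMPLE_ESC = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                0x0303: "TLS1.2", 0x0304: "TLS1.3"}
SMTP_VERB = re.compile(rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|RSET|NOOP|QUIT|STARTTLS|AUTH)\b", re.I)

# Three lines copied from the log in this post, plus one CONSTRUCTED line
# (192.0.2.10) showing what a pipelining spambot's early input looks like.
SAMPLE_LOG = r'''
Mar 4 06:48:26 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001\247\001\000\001\243\003\0038N\207[b\362\201\312\v\325\335\000\020|\001\347\027\242br\231\345\324\266\335s~d\357\344\211v E\233\307Pq3Kf})\376c\272\346\255\252\267\2477\030\207\244\025\257E\273)\356][\306\215\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Mar 4 06:48:27 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001X\001\000\001T\003\003i\376RP\213kO,4\332\3673dE\341\341T\\\300\324\376\350\245\342\3327\200\212\255\262\346k i#\023\362K\372\v>/f\320\025\241\236\272.\360\264\b\363;A\261\035\244uX_\364\247\320H\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
Mar 4 06:48:27 lily postfix/smtpd[9974]: improper command pipelining after CONNECT from unknown[185.242.226.22]: \026\003\003\001J\001\000\001F\003\003\263J\316W'\2043Hf*"\027\366#\245\275\357\260\243\214\207\224\260\017\272?\312\205#s\331\336 \366\362\251\3209\323\t\016x4\026}\337\177\036mE\255\030:\245\2246\017/-\024^]=\030B\000D\300\023\300'\300/\300\024\300(\3000\300`\300a\300v\300w\314\250
Mar 4 07:01:13 lily postfix/smtpd[9975]: improper command pipelining after CONNECT from unknown[192.0.2.10]: EHLO spambot.example\r\nMAIL FROM:<bot@example.com>\r\n
'''.strip().splitlines()


def unescape_postfix(s: str) -> bytes:
    """Reverse Postfix's escape(): \\ooo for non-printables, \\a \\b \\f \\n \\r \\t \\v, \\\\."""
    out, i = bytearray(), 0
    while i < len(s):
        m = re.match(r"[0-7]{1,3}", s[i + 1:]) if s[i] == "\\" else None
        if s[i] != "\\":
            out += s[i].encode("latin-1")
            i += 1
        elif m:                                   # always 3 octal digits in practice
            out.append(int(m.group(), 8) & 0xFF)
            i += 1 + len(m.group())
        elif s[i + 1:i + 2] in SIMPLE_ESC:
            out.append(SIMPLE_ESC[s[i + 1]])
            i += 2
        else:
            raise ValueError(f"unknown escape at offset {i}: {s[i:i + 4]!r}")
    return bytes(out)


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Parse the head of a single-record TLS ClientHello, or None if it is not one.
    Postfix logs only the first 100 bytes, so the suite list is normally cut off."""
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        return None
    rec_ver, rec_len = int.from_bytes(data[1:3], "big"), int.from_bytes(data[3:5], "big")
    hs_len, cli_ver = int.from_bytes(data[6:9], "big"), int.from_bytes(data[9:11], "big")
    if rec_ver not in TLS_VERSIONS or cli_ver not in TLS_VERSIONS or hs_len + 4 != rec_len:
        return None
    suites: List[int] = []
    pos = 11 + 32                                 # skip the 32-byte client random
    if pos < len(data):
        pos += 1 + data[pos]                      # session id length + session id
        if pos + 2 <= len(data):
            cs_len = int.from_bytes(data[pos:pos + 2], "big")
            pos += 2
            end = min(pos + cs_len, len(data))    # tolerate the 100-byte truncation
            suites = [int.from_bytes(data[i:i + 2], "big") for i in range(pos, end - 1, 2)]
    return {"record_version": TLS_VERSIONS[rec_ver], "client_version": TLS_VERSIONS[cli_ver],
            "cipher_suites": suites, "truncated": len(data) < rec_len + 5}


def classify(line: str) -> Optional[dict]:
    """One record per matching log line: who sent it and what the blob was."""
    m = LOG_RE.search(line)
    if not m:
        return None
    data = unescape_postfix(m["data"])
    rec = {"ip": m["ip"], "after": m["cmd"], "bytes": len(data), "kind": "other", "tls": None}
    hello = parse_client_hello(data)
    if hello:
        rec["kind"], rec["tls"] = "tls-clienthello", hello
    elif SMTP_VERB.match(data):
        rec["kind"] = "smtp"
    return rec


def by_client(lines) -> Dict[str, List[dict]]:
    """Group classified lines per client IP so repeat probes stand out."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = classify(line)
        if rec:
            groups[rec["ip"]].append(rec)
    return dict(groups)


def looks_like_tls_fingerprinting(recs: List[dict]) -> bool:
    """Rule of thumb: one client, several ClientHellos, different cipher orderings."""
    orders = {tuple(r["tls"]["cipher_suites"]) for r in recs if r["kind"] == "tls-clienthello"}
    return len(orders) >= 2


if __name__ == "__main__":
    for ip, recs in by_client(SAMPLE_LOG).items():
        flag = " (JARM-style TLS fingerprinting?)" if looks_like_tls_fingerprinting(recs) else ""
        print(f"{ip}: {len(recs)} early-input connection(s){flag}")
        for r in recs:
            detail = r["tls"] and f"{r['tls']['client_version']} suites={[hex(s) for s in r['tls']['cipher_suites']]}"
            print(f"  {r['kind']} {r['bytes']}B {detail or ''}")
```

Feed it your real mail.log instead of SAMPLE_LOG and the criminalip connections come out as three TLS 1.2 ClientHellos with three different suite orderings, all truncated at 100 bytes, while the constructed spambot line is reported as plain SMTP. Nothing here keeps the scanner off the box; with smtpd_forbid_unauth_pipelining = yes Postfix at least answers such early input with "554 5.5.0 Error: SMTP protocol synchronization" and hangs up rather than playing along, and a firewall rule on their range does the rest.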