Shadow Server. Like literal spooks.

SiliconWizard:
If it serves no purpose to you, just block it and call it a day.
Yes there will be many others. But since the OP noticed this one enough to bother them, they may as well just block it and move on.

Halcyon:
Government cybersecurity organisations are becoming increasingly proactive, in order to stay one step ahead of the crooks. The UK's NCSC is particularly good, as is Australia's ACSC. I personally deal with both organisations on both the proactive and reactive side of cybersecurity and we're in the process of developing some incident response guidelines (mostly targeted at businesses).

You're never too small to be the target of cyber threats and crooks a lot of the time will go after the low-hanging fruit. Unfortunately most of the time it's small businesses who don't have very much in the way of cyber security resources or knowledge but I've seen some large organisations get hit multiple times because their management are too ignorant (or too stupid) to take active measures to protect themselves.

Every week, our organisations warn customers about threats specific to their environment and most listen, but there are a handful that think they know better or "it won't happen to them (again)".

golden_labels:
With this message my post counter became four (decimal) digits! Where is my cake? ;)


--- Quote from: SiliconWizard on September 10, 2023, 01:04:30 am ---If it serves no purpose to you, just block it and call it a day.
Yes there will be many others. But since the OP noticed this one enough to bother them, they may as well just block it and move on.
--- End quote ---
OP is free to do what they want. But I think the value of asking others is receiving feedback and, if the responses point to a problem in one’s decision process, reconsidering the approach used. Spending time on manually whack-a-moling addresses, because they have a nice domain name, is IMO not a case of good reasoning. :)

Identifying and understanding the observation to satisfy curiosity or stay informed is of course worth praise. So I do not find anything wrong in investigating after spotting a pattern. I am commenting on the reaction part only. A descriptive vs prescriptive end of the situation.


--- Quote from: coppercone2 on September 09, 2023, 10:34:17 pm ---you're just gonna trust some random people trying to break in?
--- End quote ---
I’m going to avoid answering to loaded questions, false dichotomies and shifting goalposts.


--- Quote from: coppercone2 on September 09, 2023, 10:34:17 pm ---with zero investigation? it could be piggy backed crap even if the reputation is good.
--- End quote ---
While you’re at it, consider also blocking web crawlers and addresses of security companies. After all, North Korea can piggyback on Googlebot or other services too. (1)(2) And any public email service may be used to silently learn a lot about your email infra, so block all email deliveries to your MX. Implementing either can be done by disappearing from the internet altogether: low effort, more or less the same result. /s

(1) F5 Labs: Abusing Googlebot services to deliver crypto mining malware
(2) Mirian, Ukani, Foster et al.; Risks of DPI-triggered Data Collection

paulca:
What caught my attention is the UK Government label.

Yes, there are many hits a day on it already from randoms. It's not the first public service I have run. I ran webservers through the days of the "red alert" worm and what not. http logs and smtp logs look like a who's who of the internet's most dodgy scripts.

The only reason I am scraping the logs is because the server setup is new and I want to become comfortable that it is working as intended and this scattering of exploit scanners is simply bouncing off.

I think it is likely it is legit, in that it is a cyber security org, funded by the UK Government, who probably are "white hat" or "team redding" the UK public IP pool.

As to the threat level, compared to the common lecture examples contained within this thread, it only stands out in the "UK Government" banner, and its frequency and repetition. It's being open about it though.

I typically don't trust that kind of government scrutiny and I may just, as a matter of course, find as many of their scan hosts as I can and block or actively reject them. At the very least a regexp match on the reverse lookup. That would not stop them moving on to port 80 or port 22 or an OpenVPN port if I open those. So a firewall-level blacklist might be a better idea.

Anyway. The service itself is just for "lab" email, so things can send emails around the network. The external sending is done via an ISP relay and I have other domains for use as actual public email addresses. I don't expect a lot of traffic and if it does become subject to too much scrutiny I lose nothing closing the port and letting mail spill to /dev/null on other relays.

It has been about 10 years since I ran my own email and web server.  The software has all gone up and up in versions, but it does still seem to be mostly the same software.  Encouraging.

golden_labels:
Note that Shadowserver is not by the UK government. It’s a Californian non-profit foundation(1) run by Richard Perlotto, receiving sponsorship from many organisations and having its data used by even more, including state institutions. I do not know what the “UK government” banner does there. Maybe they received a grant from the British government. I don’t know British law, but in many circumstances such sponsorship puts a legal obligation to display various banners.

Therefore it is not UK government that you trust (or not).

And I do not think trust should be anywhere in this decision process. The message I am trying to convey is: don’t make such choices on a case-by-case basis. And don’t deploy security policies based on factors which are not relevant to security. Treat their requests just like any other similar activity, no matter who the source is.

As said before, I wholeheartedly support you investigating and understanding the situation! This comment is about a reaction.

(1) search EIN 26-2267933 in IRS database (unfortunately you must run their crappy webapp, as they block linking specific results).
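As an added example, not code from the thread or from any poster, the following Python script makes concrete the two options paulca mentions (a regexp on the reverse-lookup name versus a firewall-level blacklist) and golden_labels' point about treating every source the same. It parses constructed Postfix-style smtpd log lines, applies (a) a reverse-DNS pattern match and (b) a source-agnostic connection-count rule, and collapses the result into an nftables set body. The log lines, hostnames, addresses (documentation ranges), the regexp, the threshold and the set name `mx_blocklist` are all constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed Postfix-style smtpd log lines (not from the thread); hostnames and
# addresses are placeholders from the .test TLD and RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 10 01:02:03 mx postfix/smtpd[1234]: connect from scan-01.example-scanner.test[203.0.113.5]
Sep 10 01:02:04 mx postfix/smtpd[1234]: disconnect from scan-01.example-scanner.test[203.0.113.5] ehlo=1 quit=1 commands=2
Sep 10 01:14:03 mx postfix/smtpd[1240]: connect from scan-02.example-scanner.test[203.0.113.9]
Sep 10 01:14:04 mx postfix/smtpd[1240]: disconnect from scan-02.example-scanner.test[203.0.113.9] ehlo=1 quit=1 commands=2
Sep 10 01:26:10 mx postfix/smtpd[1251]: connect from scan-01.example-scanner.test[203.0.113.5]
Sep 10 01:26:11 mx postfix/smtpd[1251]: disconnect from scan-01.example-scanner.test[203.0.113.5] ehlo=1 quit=1 commands=2
Sep 10 01:30:00 mx postfix/smtpd[1260]: connect from unknown[198.51.100.7]
Sep 10 01:30:01 mx postfix/smtpd[1260]: lost connection after AUTH from unknown[198.51.100.7]
Sep 10 01:31:00 mx postfix/smtpd[1261]: connect from unknown[198.51.100.7]
Sep 10 01:31:01 mx postfix/smtpd[1261]: lost connection after AUTH from unknown[198.51.100.7]
Sep 10 01:32:00 mx postfix/smtpd[1262]: connect from unknown[198.51.100.7]
Sep 10 01:32:01 mx postfix/smtpd[1262]: lost connection after AUTH from unknown[198.51.100.7]
Sep 10 01:40:00 mx postfix/smtpd[1270]: connect from mail.partner.example[192.0.2.20]
Sep 10 01:40:05 mx postfix/smtpd[1270]: disconnect from mail.partner.example[192.0.2.20] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# ": connect from" deliberately excludes the "disconnect from" lines.
CONNECT_RE = re.compile(r": connect from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]")


def parse_connects(log_text):
    """Return (reverse_name, ip) for every smtpd 'connect from' event, in log order."""
    events = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            events.append((m.group("host"), m.group("ip")))
    return events


def ptr_matches(events, pattern):
    """Option (a): match the reverse-lookup name against a regexp.
    The PTR record is published by whoever controls the remote address space,
    so a scanner with no tell-tale name ('unknown') never trips this check."""
    rx = re.compile(pattern)
    return sorted({ip for host, ip in events if rx.search(host)})


def repeat_offenders(events, threshold):
    """Option (b): one rule for every address, based only on observed behaviour
    (here: number of connections in the log window), regardless of who it is."""
    counts = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def to_networks(ips, prefixlen=24):
    """Collapse IPv4 addresses to networks for a firewall-level block instead of
    a per-host list; prefix length is a policy choice, 24 is just the default here."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


def nft_set_body(networks, name="mx_blocklist"):
    """Render an nftables set (set name assumed) that a drop rule can reference."""
    elems = ", ".join(networks)
    return (f"set {name} {{\n    type ipv4_addr\n    flags interval\n"
            f"    elements = {{ {elems} }}\n}}")


if __name__ == "__main__":
    ev = parse_connects(SAMPLE_LOG)
    print("by reverse name:", ptr_matches(ev, r"\.example-scanner\.test$"))
    print("by behaviour:   ", repeat_offenders(ev, threshold=2))
    print(nft_set_body(to_networks(repeat_offenders(ev, threshold=2))))
```

On this constructed input the name-based check catches only the two hosts whose PTR advertises the scanner, while the behaviour-based rule catches the named scanner and the anonymous `unknown[198.51.100.7]` client alike and leaves the one-off partner MX alone; the `/24` collapse then turns that into the firewall-level list the post prefers.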
