Shadow Server. Like literal spooks.

[paulca]

Sep  9 05:22:17 mailgw postfix/smtpd[39273]: connect from scan-14.shadowserver.org[184.105.247.195]
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: warning: non-SMTP command from scan-14.shadowserver.org[184.105.247.195]: GET / HTTP/1.1
Sep  9 05:22:17 mailgw postfix/smtpd[39273]: disconnect from scan-14.shadowserver.org[184.105.247.195] unknown=0/1 commands=0/1


This is not unique.  This is at least once a day, sometimes twice.  I already rejected the previous ip on the firewall, I may need to find a way to block the whole domain.  Probably with a ELHO restrictions, but as you can see in the case above, it doesn't even attempt SMTP, it's checking to see if I'm hidding a webserver on port 25!

Who is shadow server? 
https://dashboard.shadowserver.org/

They are a government funded mass "white hat" hacking ring who claim to be helping server admins identify vulnerabilities and to provide a cyber threat overview from the UK (and possibly other) IP pools.

They where onto the mail server within hours of it's MX record going live.  Most obviously because it's a .uk domain and they doubtless have hooks into the Nominet.uk registra.

I'm pondering if I should block it all.  Like use Kali to get a full domain scan for their bots and then block the whole IP range....  or maybe it is genuinely being helpful and if it finds something it will email postmaster@ ?  A bit of googling suggests they are "legit", but with what scope do they define "legit".  If they find a vulernability do they tell me before or after they use it for their own purposes?

[coppercone2]

only a fool would do nothing based on some cover story on a web page

6mo later you find out its some front run by NK

[Monkeh]

And we're fretting over this why? If you don't want anyone trying to attack your service, stop running it.

[paulca]

And we're fretting over this why? If you don't want anyone trying to attack your service, stop running it.

That's a bit like saying if you don't want people picking the lock on your front door, don't put a lock on it.  If you don't want people breaking into your car, don't buy a car!

[Monkeh]

And we're fretting over this why? If you don't want anyone trying to attack your service, stop running it.

That's a bit like saying if you don't want people picking the lock on your front door, don't put a lock on it.  If you don't want people breaking into your car, don't buy a car!

You run a service on a public IP, it will be a target. You cannot prevent that, and getting wound up by one random organisation doing some basic scanning is a waste of energy. Active mapping of exposed services has been going on for years on both sides of the fence and you will never succeed in blocking every attempt. Accept that you're running a service exposed to the public and will receive unwanted traffic.

[BradC]

Give it a week or so and put your ip address into shodan.io.

There are a multitude of scanners out there collecting databases of who is running what, what versions and on what ports. Within hours of an exploit being available they are using commercial subscriptions to these services to narrow down viable targets.

If you are running a public facing service, get used to scans and attacks, and for gods sakes don't do something like having a backup account with the password "backup" because when you set it up the machine wasn't world accessible and you were in a hurry to get something running. Thankfully the account was fairly limited and only had a perl port scanner / bot running when I found it. Allegedly.

We run a local zimbra instance, and that used to show up both IMAP and Activesync / SSL ports. Every time an exploit landed we were inundated with scans. After a bit of "modification" to hide it a bit better it dropped off the scanners databases and within a couple of weeks all the scans stopped. SSH and SMTP get hammered for attempts, but that's just a fact of life when you expose ports.

[madires]

Like BradC already noted, you'll see several 'security projects' scan your server regularly. Some provide the scan results at their webpage available to all for free, some greedy ones just want to make money and sell the results, a few scan for scientific research, and some shady ones for bad intentions. And this is just a small part in comparison to all the botnets and servers at bullet proof hosters. Usually I only block the most nasty ones in the firewall. Especially for email I have an additional MTA internal ACL to prevent some prefixes from delivering emails to my MTAs while everything is logged. This way it's easy to see who is running what kind of attack/scan (counter-intel). Some admins prefer to run tools like fail2ban.

[golden_labels]

only a fool would do nothing based on some cover story on a web page

Only a fool would fail to perform a basic search before spreading conspiracy theories: the first result.

paulca:
Is there any reason this particular entry caught your attention? There are thousands and thousands of attackers in a constant search for vulnerable machines. Even assuming this was a genuine attacker,⁽¹⁾ focusing on this one for their nice domain name means you are ignoring thousands others.

Spotting interesting patterns may be worth attention. If the pattern is relevant to the threat model. A domain name is hardly a good example in the context of vulnerability scans: actual attackers do not strive to make identification easier.

⁽¹⁾ Of course an adversary may be defined in many ways and some may wish to define unsolicited security scans as such. In this case I assumed the definition, where there is the intent to exploit your machine.

[coppercone2]

your just gonna trust some random people trying to break in?

with zero investigation? it could be piggy backed crap even if the reputation is good.

[Shonky]

Block it. Or don't block it. You have a server with open ports. It's going to get probed by any number of things out there.

Once you've blocked this one you'll probably just find another. And then another. And another...

[SiliconWizard]

If it serves no purpose to you, just block it and call it a day.
Yes there will be many others. But since the OP noticed this one enough to bother them, they may as well just block it and move on.

[Halcyon]

Government cybersecurity organisations are becoming increasingly proactive, in order to stay one step ahead of the crooks. UK's NCSC are particularly good as is Australia's ACSC. I personally deal with both organisations in both the proactive and reactive side of cybersecurity and we're in the process of developing some incident response guidelines (mostly targeted at businesses).

You're never too small to be the target of cyber threats and crooks a lot of the time will go after the low-hanging fruit. Unfortunately most of the time it's small businesses who don't have very much in the way of cyber security resources or knowledge but I've seen some large organisations get hit multiple times because their management are too ignorant (or too stupid) to take active measures to protect themselves.

Every week, our organisations warn customers about threats specific to their environment and most listen, but there are a handful that think they know better or "it won't happen to them (again)".

[golden_labels]

With this message my posts counter became four (decimal) digit! Where is my cake?

If it serves no purpose to you, just block it and call it a day.
Yes there will be many others. But since the OP noticed this one enough to bother them, they may as well just block it and move on.

OP is free to do what they want. But I think the value of asking others is receiving feedback and, if the responses point to a problem in one’s decision process, reconsidering the approach used. Spending time on manually whack-a-moling addresses, because they have a nice domain name, is IMO not a case of good reasoning.

Identifying and understanding the observation to satisfy curiosity or stay informed is of course worth praise. So I do not find anything wrong in investigating after spotting a pattern. I am commenting on the reaction part only. A descriptive vs prescriptive end of the situation.

your just gonna trust some random people trying to break in?

I’m going to avoid answering to loaded questions, false dichotomies and shifting goalposts.

with zero investigation? it could be piggy backed crap even if the reputation is good.

While you’re at it, consider also blocking web crawlers and addresses of security companies. After all North Korea can piggyback on Googlebot or other services too.⁽¹⁾⁽²⁾ And any public email service may be used to silently learn a lot about your email infra, so block all email deliveries to your MX. Implementing either can be done by disappearing from the internet altogether: low effort, more or less the same result. /s

⁽¹⁾ F5 Labs: Abusing Googlebot services to deliver crypto mining malware
⁽²⁾ Mirian, Ukani, Foster et al.; Risks of DPI-triggered Data Collection

[paulca]

What caught my attention is the UK Government label.

Yes, there are many hits a day on it already from randoms.  It's not the first public service I have run.  I ran webservers through the days of "red alert" worm and what not.  http logs and smtp logs look like a whos whos of the internet most dodgy scripts.

The only reason I am scraring the logs is because the server setup is new and I want to become comfortable it is working as intended and these scattering of exploit scanners are simply bouncing off.

I think it is likely it is legit, in that it is a cyber security org, funded by the UK Government who probably are "white hat" or "team redding" the UK public IP pool.   

As to the threat level, compared to the common lecture examples contained within this thread, it only stands out in the "UK Government" banner, and it's frequency and repetition.   It's being open about it though.

I typically don't trust that kind of government scrutiny and I may just as a matter of course find as many of there scan hosts and block or active reject them.  At very least a regexp match on the reverse lookup.  That would not stop them moving onto a port 80 or a port 22 or an OpenVPN port if I open those.  So a firewall level blacklist might be a better idea.

Anyway.  The service itself is just for "lab" email.  So things can send emails around the network.  The external sending is done via ISP relay and I have other domains for using as actual public email addresses.  I don't expect a lot of traffic and if it does become subject to too much scrutiny I loose nothing closing the port and letting mail spill to /dev/null on others relays.

It has been about 10 years since I ran my own email and web server.  The software has all gone up and up in versions, but it does still seem to be mostly the same software.  Encouraging.

[golden_labels]

Note that Shadowserver is not by UK government. It’s a Californian non-profit foundation⁽¹⁾ run by Richard Perlotto, receiving sponsorship from many organisations and having its data used by even more. Including by state institutions. I do not know, what the “UK government” banner does there. Maybe they received a grant from British government. I don’t know British law, but in many circumstances such sponsorship puts a legal obligation to display various banners.

Therefore it is not UK government that you trust (or not).

And I do not think trust should be anywhere in this decision process. The message I am trying to convey is: don’t make such choices on a case-by-case basis. And don’t deploy security policies based on factors, which are not relevant to security. Treat their requests just like any other similar activity, no matter who is the source.

As said before, I wholeheartedly support you investigating and understanding the situation! This comment is about a reaction.

⁽¹⁾ search EIN 26-2267933 in IRS database (unfortunately you must run their crappy webapp, as they block linking specific results).

[Monkeh]

I typically don't trust that kind of government scrutiny

I bet MOT day is fun?