
ATP Alerts Tor Exit Nodes

Hi All,

I wonder if anyone can help me clarify the following. We started receiving standard ATP alerts over the past month, as below. Usually I am able to investigate these alerts, and they are either DNS recursive queries performed by our forwarders for spam domains in emails received and rejected by the SMTP proxy, or web session hijack attempts trying to redirect traffic to malicious domains. But recently I have been baffled by a recurrent alert, as below, where I am not able to make much sense of it. I parsed the logs for our SMTP proxy, which show traffic to a Tor node from what I can only assume are SMTP connections rejected by the UTM. Does anyone have any idea on this?

2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2021:10:27-12:50:57 srvutm-1 exim-in[8916]: 2021-10-27 12:50:57 SMTP connection from [185.220.100.254]:32560 (TCP/IP connection count = 4)
2021:10:27-12:51:01 srvutm-1 exim-in[23909]: 2021-10-27 12:51:01 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:32560 SSL_accept: TCP connection closed by peer
2021:10:27-17:12:32 srvutm-1 exim-in[8916]: 2021-10-27 17:12:32 SMTP connection from [185.220.100.254]:14154 (TCP/IP connection count = 2)
2021:10:27-17:12:33 srvutm-1 exim-in[5631]: 2021-10-27 17:12:33 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:14154 SSL_accept: TCP connection closed by peer
2021:10:29-03:34:26 srvutm-1 exim-in[6731]: 2021-10-29 03:34:26 SMTP connection from [185.220.100.254]:22392 (TCP/IP connection count = 1)
2021:10:29-03:34:28 srvutm-1 exim-in[18207]: 2021-10-29 03:34:28 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:22392 SSL_accept: TCP connection closed by peer

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Advanced Threat Protection Details
Total Events: 2
    User/Host       Threat Name     Destination       Events  Origin
1   192.168.7.250   C2/Generic-A    185.220.100.254
2   192.168.7.250   C2/Generic-A    185.220.100.254



  • Hi all,

    Got the same problem. Sophos was pointing to the internal DNS. Then I changed everything to best practice. Internal DNS --> Sophos --> WAN.

    Still finding the connection in the SMTP proxy log, but no ATP is raised:

    2022:01:23-06:08:00 utm-2 exim-in[18957]: 2022-01-23 06:08:00 TLS error on connection from tor-exit-1.zbau.f3netze.de [185.220.100.252]:10578 SSL_accept: TCP connection closed by peer

  • We finally did the same last week; since then no ATP messages have been raised anymore. The SMTP log still shows the requests, but these kinds of entries are normal anyway...

    For me, this problem is solved

  • I did this change two days ago too. I'll wait for two to three more weeks to be sure, but from my understanding removing the internal DNS from the Sophos should indeed get rid of those ATP alerts.

    Thanks everyone!

  • Yes...
    The UTM gets the request from the WAN and forwards the request to the internal DNS -> the internal DNS needs to send the request to the external DNS through the UTM, and this is the moment where the ATP alerts are raised.

    Now the UTM directly forwards to the external DNS, so there is no need for ATP messages.

  • Thank you! This helped me solve the issue. But I keep wondering: why does Sophos UTM block the forwarded DNS request (which it itself pushed to the internal DNS server) instead of the SMTP connection?
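Added example, not code from the thread or from Sophos: a small Python script that does the correlation the original poster did by hand. It parses the exim-in lines, matches the ATP alert's Destination column against the SMTP peer addresses, and prints the in-addr.arpa name a resolver has to query to reverse-resolve that peer, which is the lookup behind the "tor-exit-3.zbau.f3netze.de" name in the log. The sample log lines and alert rows are constructed from the ones posted above. Two points are assumptions rather than facts stated by the original poster: that 192.168.7.250 is the internal DNS server the replies talk about, and that the flagged DNS request is the PTR lookup for the connecting peer; the `looks_like_tor_exit` check is a plain substring heuristic on the rDNS name, not Sophos's own classification.

```python
import ipaddress
import re

# Constructed sample input: exim-in lines and ATP alert rows as posted in the
# thread, embedded here so the script runs offline.
EXIM_LOG = """\
2021:10:27-12:50:55 srvutm-1 exim-in[8916]: 2021-10-27 12:50:55 SMTP connection from [185.220.100.254]:31034 (TCP/IP connection count = 4)
2021:10:27-12:50:57 srvutm-1 exim-in[23862]: 2021-10-27 12:50:57 TLS error on connection from tor-exit-3.zbau.f3netze.de [185.220.100.254]:31034 SSL_accept: TCP connection closed by peer
2022:01:23-06:08:00 utm-2 exim-in[18957]: 2022-01-23 06:08:00 TLS error on connection from tor-exit-1.zbau.f3netze.de [185.220.100.252]:10578 SSL_accept: TCP connection closed by peer
"""

# Assumption: the flagged host is the internal DNS server the replies describe.
ATP_ALERTS = [
    {"host": "192.168.7.250", "threat": "C2/Generic-A", "destination": "185.220.100.254"},
    {"host": "192.168.7.250", "threat": "C2/Generic-A", "destination": "185.220.100.254"},
]

# The rDNS name is optional: exim omits it when the reverse lookup fails.
TLS_ERR = re.compile(
    r"TLS error on connection from (?:(?P<rdns>\S+) )?\[(?P<ip>[0-9.]+)\]:(?P<port>\d+)"
)
SMTP_CONN = re.compile(
    r"SMTP connection from (?:(?P<rdns>\S+) )?\[(?P<ip>[0-9.]+)\]:(?P<port>\d+)"
)


def parse_exim(log):
    """One record per inbound SMTP session, keyed by (peer ip, peer port)."""
    sessions = {}
    for line in log.splitlines():
        m = TLS_ERR.search(line) or SMTP_CONN.search(line)
        if not m:
            continue
        key = (m["ip"], m["port"])
        rec = sessions.setdefault(key, {"ip": m["ip"], "port": int(m["port"]), "rdns": None})
        if m["rdns"]:
            rec["rdns"] = m["rdns"]
    return list(sessions.values())


def ptr_name(ip):
    """The in-addr.arpa name a resolver sends out to reverse-resolve `ip`.
    Assumption: this PTR query is the 'forwarded DNS request' the replies mean."""
    return ipaddress.ip_address(ip).reverse_pointer


def looks_like_tor_exit(rdns):
    """Heuristic only: Tor exit operators often name their nodes like this."""
    return bool(rdns) and "tor-exit" in rdns.lower()


def correlate(sessions, alerts):
    """Match each ATP alert's Destination against SMTP peers seen by exim.
    The alert's User/Host is the resolver that forwarded the query, so the
    useful join key is the Destination, not the host."""
    by_ip = {}
    for s in sessions:
        by_ip.setdefault(s["ip"], []).append(s)
    hits = []
    for a in alerts:
        peers = by_ip.get(a["destination"], [])
        if not peers:
            continue
        rdns = next((p["rdns"] for p in peers if p["rdns"]), None)
        hits.append({
            "alert_host": a["host"],
            "threat": a["threat"],
            "peer_ip": a["destination"],
            "smtp_sessions": len(peers),
            "rdns": rdns,
            "ptr_query": ptr_name(a["destination"]),
            "tor_exit_by_name": looks_like_tor_exit(rdns),
        })
    return hits


if __name__ == "__main__":
    for h in correlate(parse_exim(EXIM_LOG), ATP_ALERTS):
        print(f"{h['alert_host']} flagged for {h['peer_ip']} ({h['threat']}): "
              f"{h['smtp_sessions']} inbound SMTP session(s), rDNS={h['rdns']}, "
              f"PTR query={h['ptr_query']}, tor-exit-by-name={h['tor_exit_by_name']}")
```

Run it against a real exim-in extract and the ATP mail body to see, per alert, whether the flagged "destination" is simply an inbound SMTP peer whose address the UTM had to reverse-resolve; if every alert row joins to an SMTP session this way, the alert is about the lookup path, not outbound traffic from the flagged host.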