item 46314894

MrDOS | 2 months ago

You're looking in the wrong place. They don't need to be listening for mail on the machine behind the A/AAAA records for the domain, because they have an MX record indicating that mail should be delivered elsewhere:

    $ dig MX gmai.com +short
    1 mail.h-email.net.
Port 25 is very rare these days, as it implies the possibility of unencrypted traffic; legitimate SMTP traffic uses port 587. That said, I checked a couple of the hosts that that name resolves to, and they all listen for both SMTP and secure SMTP traffic:

    $ nmap -p 25,587 mail.h-email.net
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-18 16:31 UTC
    Nmap scan report for mail.h-email.net (165.227.159.144)
    Host is up (0.093s latency).
    Other addresses for mail.h-email.net (not scanned): 91.107.214.206 165.227.156.49 167.235.143.33 5.75.171.74 5.161.194.135 178.62.199.248 5.161.98.212 162.55.164.116 49.13.4.90
    rDNS record for 165.227.159.144: mail2.h-email.net

    PORT    STATE SERVICE
    25/tcp  open  smtp
    587/tcp open  submission

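The lookup and port check in the post above, scripted end to end: follow the domain's MX records in the order a sending MTA would try them, then probe each host on 25 (where other MTAs deliver) and 587 (client submission), reading the banner and the EHLO extension list to see whether STARTTLS is offered. This is an added example, not code from the thread. It assumes `dig` is on PATH for the live lookup; the `example.test` hostnames, the `probe.example.test` name announced in EHLO, and the sample dig and EHLO text are constructed, not captured.

```python
"""Follow a domain's MX records and probe the MX hosts on 25 and 587.
Added example; constructed sample data, not live captures."""
import smtplib
import ssl
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed stand-in for `dig MX <domain> +short` output (not real records).
SAMPLE_DIG_OUTPUT = """20 alt1.mx.example.test.
1 mail.mx.example.test.
10 alt2.mx.example.test.
"""

# Constructed stand-in for the text of a multi-line EHLO reply.
SAMPLE_EHLO_REPLY = (b"mail.mx.example.test\nPIPELINING\nSIZE 52428800\n"
                     b"STARTTLS\nAUTH PLAIN LOGIN\n8BITMIME")


def parse_mx(dig_short_output: str) -> List[Tuple[int, str]]:
    """Turn `dig MX <domain> +short` lines ("<pref> <host>.") into
    (preference, host) pairs, lowest preference first, which is the order
    a sending MTA tries them. Blank or non-MX lines are skipped."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def lookup_mx(domain: str) -> List[Tuple[int, str]]:
    """Live lookup via dig (assumed installed); same shape as parse_mx()."""
    proc = subprocess.run(["dig", "MX", domain, "+short"],
                          capture_output=True, text=True, check=True)
    return parse_mx(proc.stdout)


def parse_ehlo(reply: bytes) -> Dict[str, str]:
    """Map the extension keywords in an EHLO reply to their parameters.
    The first line is the server's greeting name, not an extension."""
    lines = reply.decode("ascii", "replace").splitlines()
    exts: Dict[str, str] = {}
    for line in lines[1:]:
        keyword, _, params = line.strip().partition(" ")
        if keyword:
            exts[keyword.upper()] = params
    return exts


def probe_smtp(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a session, read the 220 banner, send EHLO and, if STARTTLS is
    advertised, negotiate it and record the certificate subject. A host that
    only receives mail from other MTAs may legitimately offer 25 alone."""
    info = {"host": host, "port": port, "open": False, "banner": "",
            "extensions": {}, "tls_subject": None, "error": None}
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = smtp.connect(host, port)
        info["open"] = True
        info["banner"] = f"{code} {banner.decode('ascii', 'replace')}"
        if code != 220:
            raise smtplib.SMTPConnectError(code, banner)
        _code, reply = smtp.ehlo("probe.example.test")  # name we announce
        info["extensions"] = parse_ehlo(reply)
        if "STARTTLS" in info["extensions"]:
            smtp.starttls(context=ssl.create_default_context())
            info["tls_subject"] = smtp.sock.getpeercert().get("subject")
        smtp.quit()
    except (OSError, smtplib.SMTPException) as exc:
        info["error"] = f"{type(exc).__name__}: {exc}"
    return info


def probe_domain(domain: str) -> List[dict]:
    """Probe every MX host for the domain on both ports."""
    return [probe_smtp(host, port)
            for _pref, host in lookup_mx(domain)
            for port in (25, 587)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gmai.com"
    for r in probe_domain(target):
        state = "open" if r["open"] else "closed"
        tls = "STARTTLS" if "STARTTLS" in r["extensions"] else "no STARTTLS"
        print(f"{r['host']}:{r['port']} {state} {tls} {r['banner']} {r['error'] or ''}")
```

Run as `python3 probe_mx.py gmai.com`. The default TLS context verifies the certificate against the MX hostname, so a mismatched or self-signed cert shows up in the `error` field rather than being silently accepted; relax that only if you are deliberately surveying what certificate a spamtrap or relay presents.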
johndoeee | 2 months ago

mail.h-email.net is a Spamhaus spamtrap.

As far as I've been able to research, these typosquatting domain traps started at the same time as the Spamhaus CSS blacklist, which was actually a company called Deteque.

If the MX has a large number of Hetzner IPs as mailservers, then it's probably Spamhaus.

MrDOS | 2 months ago

Ah, neat – that certainly makes me feel a bit better, then.

phsau | 2 months ago

Port 25 is only uncommon for client submission, but prevalent for MTA-to-MTA traffic.