Strange HTTPS 443 outbound traffic to 151.101.2.49, Botnet C&C related?

dohabandit

I just installed a fresh mailcow install on a minimized ubuntu 24.04.2 system. No other ubuntu system I have is doing this, so I am certain it is mailcow related. My firewall and active threatintel blocking is dropping a lot of outbound TCP 443 traffic to 151.101.2.49 which is listed as being related to Botnet C&C servers. I am wondering if this is a false positive and this is related to something rspamd might be doing?

I would think incoming STARTTLS traffic would use a different port than 443. This is also showing the traffic was inititiated by my mailcow instance on a high port, connecting to a TCP 443 destination.

DocFraggle

I just ran a tcpdump for 30 minutes on my mailcow server grepping for “ 151.101”, nothing shows up there

esackbauer

This IP address is from a CDN, so I guess it is a false positive (where did you get this info?)

If you google properly you will find out its from Ubuntu checking firmware updates
fwupd/fwupd6888

dohabandit

esackbauer Yeah, I see that IP address related to fwupd, virustotal and IBM X-force showing it related to botnet C&C, fastly, etc.

What is odd to me is that I have three minimized ubuntu 24.04.2 vm’s and only the mailcow one is attempting to reach that IP.
lsb_release -a Description: Ubuntu 24.04.2 LTS Codename: noble

The timestamps are also not periodic which makes them less likely due to a cron task. There is no defined interval between them.

I believe it is just a CDN related IP, but I am more curious why this VM is trying to reach it on port 443 and other similar VM’s are not.

service --status-all [ + ] apparmor [ + ] apport [ - ] console-setup.sh [ - ] cryptdisks [ - ] cryptdisks-early [ + ] dbus [ + ] docker [ + ] fail2ban [ - ] grub-common [ - ] iscsid [ - ] keyboard-setup.sh [ + ] kmod [ - ] open-iscsi [ + ] open-vm-tools [ + ] plymouth [ + ] plymouth-log [ + ] procps [ + ] ssh [ + ] unattended-upgrades

esackbauer

dohabandit and only the mailcow one is attempting to reach that IP.

Could be a load balancing thing that only mailcow uses this specific IP.

dohabandit why this VM is trying to reach it on port 443 and other similar VM’s are not.

CDNs always use http/https.
In my github link you can see the exact URL where the firmware files do come from.

dohabandit service –status-all

Pls use sudo systemctl | grep fwupd

dohabandit

Okay, so I found the culprit. This is in-fact a false positive related to two abuse.ch domains that are resolving to a CDN that has been used to host malware in the past. (or maybe a spammer falsely reported them as such!)

/var/lib/docker/containers/6601194c55ade3b5a08d6a1cda77b3ebfc9e8d882212c450c7a712ef0d54b86e/6601194c55ade3b5a08d6a1cda77b3ebfc9e8d882212c450c7a712ef0d54b86e-json.log:21964:{"log":"2025-03-12 19:25:51 #38(controller) \u003cc6onet\u003e; map; http_map_error: error reading https://**bazaar.abuse.ch**/export/txt/md5/recent/(151.101.2.49:443): connection with http server terminated incorrectly: ssl connect error: syscall fail: Connection timed out\n","stream":"stderr","time":"2025-03-12T19:25:51.170320692Z"} /var/lib/docker/containers/6601194c55ade3b5a08d6a1cda77b3ebfc9e8d882212c450c7a712ef0d54b86e/6601194c55ade3b5a08d6a1cda77b3ebfc9e8d882212c450c7a712ef0d54b86e-json.log:21979:{"log":"2025-03-12 19:36:26 #38(controller) \u003c7m3drg\u003e; map; http_map_error: error reading https://**urlhaus.abuse.ch**/downloads/text_online/(151.101.2.49:443): connection with http server terminated incorrectly: ssl connect error: syscall fail: Connection timed out\n","stream":"stderr","time":"2025-03-12T19:36:26.050488101Z"}

`; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> urlhaus.abuse.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38090
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;urlhaus.abuse.ch. IN A

;; ANSWER SECTION:
urlhaus.abuse.ch. 17 IN CNAME p2.shared.global.fastly.net.
p2.shared.global.fastly.net. 60 IN A 151.101.2.49
p2.shared.global.fastly.net. 60 IN A 151.101.130.49
p2.shared.global.fastly.net. 60 IN A 151.101.66.49
p2.shared.global.fastly.net. 60 IN A 151.101.194.49
`

DocFraggle

Ah okay, these are configured in rspamd

https://github.com/search?q=repo%3Amailcow%2Fmailcow-dockerized%20abuse.ch&type=code