From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 22 Jan 2023 15:32:27 +0100
To: cygwin@cygwin.com
From: Tobias Wendorff
Subject: observation: masses of requests to LDAP

Hi there,

our IT department has informed me that masses of requests are being sent from my computer to our two LDAP servers on port 389. After a detailed investigation, the problem could be clearly traced back to "cygwin".

Firewall logs show that about any tool, even base tools "sort" or "less", initiates a request to port 389 on our LDAP servers.

Sorry, I am _not_ going to release "cygcheck.out" to the public, since it contains sensitive information about the domain and its groups and memberships.

Even after reinstalling cygwin from another server, the problem still appears. Could it be that this is part of an attack?

Best regards,
Tobias