The Dude sending various non-configured probes

RouterOS The Dude
1

I’ve configured a VM for the sole purposes of running the The Dude, in order to monitor my network. Works great, our not so network-proficient staff can tell where to start looking for problems with a single look on the network map. I’ve also configured it to send alerts when issues arise. The version running at the moment is 6.41.2

I do have an issue though: on my mail server, I can see that the thedude VM (on 192.168.0.46) is trying to send messages every 30" on the spot:

2018-09-05 09:09:07.743385500 7208 Accepted connection 0/40 from 192.168.0.46 / Unknown
2018-09-05 09:09:07.743653500 7208 Connection from Unknown [192.168.0.46]
2018-09-05 09:09:07.829355500 7208 (connect) relay: skip, no match
2018-09-05 09:09:07.829746500 7208 220 mymailserver ESMTP
2018-09-05 09:09:07.830985500 7208 dispatching EHLO admin
2018-09-05 09:09:07.832745500 7208 250-mydomain Hi Unknown [192.168.0.46]
2018-09-05 09:09:07.832747500 7208 250-PIPELINING
2018-09-05 09:09:07.832789500 7208 250-8BITMIME
2018-09-05 09:09:07.832789500 7208 250-SIZE 15000000
2018-09-05 09:09:07.832865500 7208 250-STARTTLS
2018-09-05 09:09:07.832946500 7208 250 AUTH PLAIN LOGIN
2018-09-05 09:09:08.734597500 2059 cleaning up after 7208
...
2018-09-05 09:09:37.751276500 7215 Accepted connection 0/40 from 192.168.0.46 / Unknown
2018-09-05 09:09:37.751468500 7215 Connection from Unknown [192.168.0.46]
2018-09-05 09:09:37.818992500 7215 (connect) relay: skip, no match
2018-09-05 09:09:37.819302500 7215 220 mymailserver ESMTP
2018-09-05 09:09:37.820316500 7215 dispatching EHLO admin
2018-09-05 09:09:37.821760500 7215 250-mydomain Hi Unknown [192.168.0.46]
2018-09-05 09:09:37.821832500 7215 250-PIPELINING
2018-09-05 09:09:37.821893500 7215 250-8BITMIME
2018-09-05 09:09:37.821951500 7215 250-SIZE 15000000
2018-09-05 09:09:37.822008500 7215 250-STARTTLS
2018-09-05 09:09:37.822083500 7215 250 AUTH PLAIN LOGIN
2018-09-05 09:09:38.743357500 2059 cleaning up after 7215

I am not sure on how to proceed and try to locate what causes this message transmission. Best thing I’ve come up with is to open my three network maps and then test whether there’s something with the status “active” under Settings → Outages.

Any idea on what to look for?

2

Hello cosmos,

If you do not need Email notifications to be send at all, you may disable them:

  1. Select all devices on your map → Settings → Polling → Disable Email notification if it present here.
  2. Map → Settings → Polling → Disable Email notifications if it present here.
  3. Dude Server → Settings → Polling → Disable Email notifications if it present.
  4. Delete Email notification → Notifications → Email → -
  5. Verify your Email server on the Dude map and which services monitored on it - disable smtp.
  6. Dude v6 is RouterOS based and if you got connection from Dude side is maybe also from RouterOS itself: Tools → Email.
    And your scripts: System → Scripts.


    Thank you!
3

Hello, perhaps you misunderstood me. I do need mail notifications. The problem is that the dude server is contacting my mail server every 30 seconds, even though there are no alerts pending on my maps. What is even stranger is that I receive no mail messages on my client!

I receive actual messages only when I have an actual alert on the network map. Which is ok, because that’s the way i have configured it.

Is it possible to enable some sort of debug log on the dude server, to understand why it keeps sending mails?

4

Upon digging deeper, it seems that The Dude is not actually sending email. It is instead probing various POP-3 hosts, plus SMTP hosts. The case I described here is most likely an SMTP probe. I did see that in one network segment of our WAN, the systems IDS logged incoming requests for port 110.

Using a network sniffer, all these come from the The Dude VM. I did have some of these systems in probes in a map, but I have deleted that map for some time now. Is it possible that the dude database is corrupted and includes scheduled probes, that are nowhere to be found in the interface?