Mapping Mesh Infrastructure and Protocol Hijacking
I’ve been tracking some non-standard networking patterns on iOS that seem to be operating in a blind spot. Detection relies on parsing TraceV3 binary data, specifically looking for hex-coded IP patterns in the logs.

A few things I've been seeing:

- Port 5223 (APNs) redirection: system traffic being tossed to non-Apple ASNs.
- Non-standard tunneling: persistent P2P sync on ports 44 and 522.
- Global reach: active clusters popping up across Russia, China, the US, Mexico, etc.

I put together a live dashboard to track these IPs and ASNs as they're enriched. If anyone else is seeing weird routing anomalies or similar "shadow" egress points at the backbone level, I'd love to hear your thoughts.

Dashboard link: https://www.perplexity.ai/computer/a/ios-threat-tracker-y2BPW5oISauRTNFBcx93...

Thank you,
Joseph II
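The post describes a detection approach (decode hex-coded IP addresses out of binary log data, then look at which ports and prefixes the endpoints fall into) without showing it. The following is an added example, not code from the original post or the poster's dashboard. It does not read real TraceV3 files; the `raddr=<8 hex digits> rport=<hex>` line shape, the sample lines, and the "expected APNs prefix" allowlist (seeded with 17.0.0.0/8, the block publicly allocated to Apple, but meant as a placeholder for whatever the operator considers legitimate) are all constructed assumptions. It flags the two patterns named in the post: port 5223 traffic landing outside the expected prefixes, and connections on ports 44 and 522.

```python
"""Decode hex-encoded IPv4 endpoints from log lines and flag the patterns
described in the thread.  Added example; the log line format and sample
data are constructed placeholders, not real TraceV3 records."""
import ipaddress
import re

# Ports called out in the thread.
APNS_PORT = 5223
SUSPECT_SYNC_PORTS = {44, 522}

# Assumption: prefixes where APNs traffic is expected to terminate.
# 17.0.0.0/8 is publicly allocated to Apple; replace with the operator's
# own allowlist in practice.
EXPECTED_APNS_PREFIXES = [ipaddress.ip_network("17.0.0.0/8")]

# Assumption: the (hypothetical) parser emits "raddr=<8 hex> rport=<hex>".
HEX_ENDPOINT = re.compile(
    r"raddr=(?P<addr>[0-9A-Fa-f]{8})\s+rport=(?P<port>[0-9A-Fa-f]{1,4})"
)


def decode_hex_ipv4(hex8: str, little_endian: bool = False) -> str:
    """Turn 8 hex digits into a dotted quad.  Binary logs often store
    addresses in host (little-endian) byte order, so support both."""
    raw = bytes.fromhex(hex8)
    if little_endian:
        raw = raw[::-1]
    return str(ipaddress.IPv4Address(raw))


def parse_endpoints(lines):
    """Return (address, port) tuples for every line carrying an endpoint."""
    out = []
    for line in lines:
        m = HEX_ENDPOINT.search(line)
        if not m:
            continue
        out.append((decode_hex_ipv4(m["addr"]), int(m["port"], 16)))
    return out


def classify(addr: str, port: int, expected=EXPECTED_APNS_PREFIXES):
    """Label an endpoint according to the thread's two patterns, else None."""
    ip = ipaddress.ip_address(addr)
    if port == APNS_PORT and not any(ip in net for net in expected):
        return "apns-port-outside-expected-prefix"
    if port in SUSPECT_SYNC_PORTS:
        return "nonstandard-sync-port"
    return None


def flag_anomalies(lines, expected=EXPECTED_APNS_PREFIXES):
    """Scan log lines and return (address, port, label) for each finding."""
    findings = []
    for addr, port in parse_endpoints(lines):
        label = classify(addr, port, expected)
        if label:
            findings.append((addr, port, label))
    return findings


# Constructed sample lines (documentation-range addresses, not real telemetry).
SAMPLE_LINES = [
    "apsd  connect raddr=11000101 rport=1467",  # 17.0.1.1:5223, expected APNs
    "apsd  connect raddr=C0000201 rport=1467",  # 192.0.2.1:5223, outside allowlist
    "syncd connect raddr=CB007101 rport=002C",  # 203.0.113.1:44
    "syncd connect raddr=CB007102 rport=020A",  # 203.0.113.2:522
    "mail  connect raddr=C6336401 rport=03E1",  # 198.51.100.1:993, ordinary IMAP
]

if __name__ == "__main__":
    for addr, port, label in flag_anomalies(SAMPLE_LINES):
        print(f"{addr}:{port}  {label}")
```

The IMAP line is deliberately left unflagged: a port-993 connection to a configured mail provider is normal client behaviour, and the signal the post relies on is the combination of port and destination prefix rather than any single port.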
On Mar 13, 2026, at 01:06, Joseph Goydish II via NANOG <nanog@lists.nanog.org> wrote:

I’ve been tracking some non-standard networking patterns on iOS that seem to be operating in a blind spot. iOS shouldn't be connecting to random IMAP servers. Could indicate email-based exfiltration or dead-drop communication.

Excuse me? iOS users shouldn’t be reading their email?

-Bill
On Mar 13, 2026, at 01:06, Joseph Goydish II via NANOG <nanog@lists.nanog.org> wrote:

I’ve been tracking some non-standard networking patterns on iOS that seem to be operating in a blind spot. iOS shouldn't be connecting to random IMAP servers. Could indicate email-based exfiltration or dead-drop communication.

Excuse me? iOS users shouldn’t be reading their email?

I mean, nice work on the rest assuming it turns out to be legit; this is just me being a crochety old dude.

-Bill

Please consider the environment before using AI to process this email.
To clarify: I absolutely expect iOS Mail to talk to configured, user‑visible mail providers over IMAP/ActiveSync. The dashboard is built on telemetry from a vanilla consumer device, not enrolled in a *known* MDM, not DoD, not enterprise/EAS, and with no known special mail profiles or VPNs pushed to it. That’s why the traffic stands out.

-------- Original Message --------
On Friday, 03/13/26 at 05:30 Bill Woodcock <woody@pch.net> wrote:

On Mar 13, 2026, at 01:06, Joseph Goydish II via NANOG <nanog@lists.nanog.org> wrote:

I’ve been tracking some non-standard networking patterns on iOS that seem to be operating in a blind spot. iOS shouldn't be connecting to random IMAP servers. Could indicate email-based exfiltration or dead-drop communication.

Excuse me? iOS users shouldn’t be reading their email?

I mean, nice work on the rest assuming it turns out to be legit; this is just me being a crochety old dude.

-Bill