[Gllug] What's going on?
Mark Lowes
hamster at korenwolf.net
Tue Nov 19 12:14:35 UTC 2002
On Tue, 2002-11-19 at 12:04, Jason Clifford wrote:
> > An entry like this has appeared twice in my Apache server log in the last 24
> > hours:
> > pool-141-150-114-101.mad.east.verizon.net - - [18/Nov/2002:08:26:41 +0000]
> > "CONNECT mx00.earthlink.net:25 HTTP/1.0" 405 302 "-" "-"
> >
> > Earthlink say it is nothing to be concerned about (no reply from verizon) -
> > but it looks very odd to me - why is someone trying to get our web server to
> > attach themselves to their mail server?
> Indeed. This is a favoured tactic of many spammers.
Yup, spammers have moved on to hitting open CONNECT and SOCKS proxies in
preference to open SMTP relays, and they're harder to pin down and get
decent logging out of to determine the source of the spam.
[...]
> I do wonder why you are running a public web proxy. Do you really need to?
> If not, set up your ACLs properly.
It's probably more a case of a default Apache install with mod_proxy
included and (partially?) configured. Certainly the response indicates
that it's been rejected properly; however, it is going to be worth
removing the proxy functionality if it's not needed, as certain other
'less savoury' types will use open web proxies for scanning for other
security holes or trying to download large amounts of
copyright-infringing material or scamming off the likes of porn sites.
All using someone else's bandwidth (nice people :/)
--
The Flying Hamster <hamster at korenwolf.net> http://www.korenwolf.net/
"Notices from the SysAdmin with the words 'catastrophic', 'failure'
and 'lost', all in one sentence, are not good things."
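
A log check for the pattern discussed in this thread, added here as an example and not part of the original message: it pulls CONNECT requests out of an Apache access log and separates those the server refused (like the 405 quoted above) from any answered with a 2xx, which would mean the tunnel was opened and the proxy is open. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+'
)

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    'pool-141-150-114-101.mad.east.verizon.net - - [18/Nov/2002:08:26:41 +0000] '
    '"CONNECT mx00.earthlink.net:25 HTTP/1.0" 405 302 "-" "-"',
    '192.0.2.10 - - [18/Nov/2002:09:02:11 +0000] '
    '"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [18/Nov/2002:09:15:40 +0000] '
    '"CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
]

def find_connect_attempts(lines):
    """Return one dict per CONNECT request found in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue
        dest, _, port = m.group("target").rpartition(":")
        status = int(m.group("status"))
        hits.append({
            "client": m.group("host"),
            "time": m.group("time"),
            "dest": dest or m.group("target"),
            "port": int(port) if port.isdigit() else None,
            "status": status,
            # A 2xx reply to CONNECT means the server opened the tunnel.
            "tunnelled": 200 <= status < 300,
        })
    return hits

def summarise(hits):
    """Count refused versus tunnelled CONNECT requests."""
    return Counter("tunnelled" if h["tunnelled"] else "rejected" for h in hits)

if __name__ == "__main__":
    for h in find_connect_attempts(SAMPLE_LOG):
        verdict = "TUNNELLED (open proxy)" if h["tunnelled"] else "rejected"
        print(f'{h["time"]} {h["client"]} -> {h["dest"]}:{h["port"]} {h["status"]} {verdict}')
```

Any line reported as tunnelled is the case worth acting on; rejected lines such as the 405 only show that the server was probed.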