Using http as mail spam engine
Justin W
jlist at jdjlab.com
Tue Nov 6 05:13:57 UTC 2007
John Summerfield wrote:
> Ashley M. Kirchner wrote:
>>
>> I noticed these entries in my apache log today:
>>
>> 60.250.66.175 - - [01/Nov/2007:04:41:01 -0600] "CONNECT
>> 218.32.192.11:25 HTTP/1.0" 200 12439 "-" "-"
>> 60.250.66.175 - - [01/Nov/2007:04:41:04 -0600] "CONNECT
>> 61.31.198.50:25 HTTP/1.0" 200 12439 "-" "-"
>> 60.250.66.175 - - [01/Nov/2007:04:43:28 -0600] "CONNECT
>> 60.249.125.71:25 HTTP/1.0" 200 12439 "-" "-"
>> 159.148.97.91 - - [02/Nov/2007:22:01:40 -0600] "CONNECT
>> 195.175.37.70:8080 HTTP/1.0" 200 14301 "-" "-"
>> 159.148.97.91 - - [02/Nov/2007:22:01:41 -0600] "CONNECT
>> 159.148.96.222:80 HTTP/1.0" 200 14301 "-" "-"
>>
>> And while the first two are specifically targeting port 25, the
>> other two aren't But more importantly, how is this being done, and
>> how do I stop it? Did I forgot to disable something within Apache
>> somewhere?
>>
>
> I don't like those "200" responses you're giving out.
> I suggest you have a close look at your limit (and limitexcept)
> clauses, and read the relevant docs at www.apache.org.
>
> I don't know how to do CONNECT connexions except for https, but I
> gather it's a generic tunneling mechanism, and for sure I don't know
> everything, esp about this, but I'd be every bit as suspicious about
> that as you are.
>
I may be mistaken, but I /think/ CONNECT commands are used when
accessing the web through a proxy, so basically I /think/ somebody is
hoping to use you as a proxy which they can bounce traffic through
anonymously.
More information about the fedora-list
mailing list