Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Strange CONNECT entries in apache logs

From: Paul Wilson <prw () the-buddha com>
Date: Mon, 9 Jun 2003 11:03:21 -0500
Rajkumar S(listuser) said:
->Hi,
->
->While going through my apache logs, I found some logs indicating CONNECT 
->requests to port 25 of other hosts.
->
->213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 
->HTTP/1.1" 302 5 "-" "-"
->130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 
->HTTP/1.0" 200 14409 "-" "-"
->130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 
->HTTP/1.0" 200 17757 "-" "-"
->
->I found this in 2 machines in indian ip block. My another server at US 
->is not affected by this. Some one else seeing this? Could this be the 
->next wave of spam ??
->

Nope, not the next wave, it's the current wave. Abusing open proxies is
currently fashionable. It makes spammers extremely difficult to track
without getting a hold of the logs from the abused open proxy. DNSbls
already exist to use to try to block these. Monkeys.com and Osirusoft
both have open proxy DNSbls.

Paul

----------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: