Security Incidents mailing list archives

Re: Strange apache logs: CONNECT maila.microsoft.com:25


From: John Hall <j.hall () f5 com>
Date: Fri, 22 Nov 2002 12:21:23 -0800


Several possible reasons for this:

1. Someone is trying to find open http proxies to abuse Microsoft:
  a) To forward spam through an open relay at Microsoft (maila.microsoft.com
     is on the MX list for microsoft.com, so I hope that it's not an open mail
     relay!).
  b) To attack Microsoft's mail servers.
  c) To attack Microsoft employees' mailboxes through one of the many Exchange
     and Outlook vectors (the proxy is here used to obscure the source of the
     attack).

2. Someone is trying to DoS Microsoft's mail servers.

3. A spammer is trying to find open http proxies that allow port 25 connections
   and is just using maila.microsoft.com because it's likely to be up and
   reachable.

Any of those seem likely?  It might be informative to set up an internal machine
with an SMTP maildrop only (like smtpd from postfix) and to force the SMTP
responses to look just like the ones produced by maila.microsoft.com, then
put a host record in your webserver's /etc/hosts file for maila.microsoft.com
pointing to your new honeypot and see what happens.  Note that the hosts
file entry might prevent your webserver from sending email to anyone at
Microsoft if that is within its domain of functionality.

JMH

Jeroen Wesbeek wrote:

Hello,

As I was having a look at the access log of an apache daemon I noticed a
strange entry. After grepping the access log it appeared this entry had
occurred 9 times since September this year.
...

68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
...
Does anybody have a clue what this might be?

Grtz,

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
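Added example, written for this archive page and not code from either poster: a small Python script that pulls CONNECT requests out of an Apache common-log-format access log, records the target host and port, and uses the HTTP status to tell a refused probe from one the server actually honoured. The sample log is constructed here: it copies the two entries from Jeroen's mail and adds a normal GET plus a hypothetical CONNECT to a made-up host (mx.example.net) answered with 200, which is what an open proxy would log. The names find_connect_probes, summarize and ConnectProbe are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache common log format: client ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log: the two lines quoted in the thread, one ordinary GET,
# and a hypothetical CONNECT (mx.example.net, status 200) standing in for what
# a server that really tunnels the connection would record.
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
192.0.2.10 - - [29/Oct/2002:08:14:01 +0100] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [30/Oct/2002:02:00:00 +0100] "CONNECT mx.example.net:25 HTTP/1.0" 200 0
"""


@dataclass
class ConnectProbe:
    client: str
    time: str
    target_host: str
    target_port: Optional[int]
    status: int
    tunnel_opened: bool  # only a 200 means the server actually tunnelled


def parse_clf(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def split_target(target: str):
    """'host:25' -> ('host', 25); a missing or non-numeric port gives None."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, None
    return host, int(port)


def find_connect_probes(lines: Iterable[str]) -> List[ConnectProbe]:
    """Return every CONNECT request found in the log, in file order."""
    probes = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        # A request line is normally "METHOD target HTTP/x.y"; the entries in the
        # thread carry an extra "/" token, so only the first two fields are used.
        if len(parts) < 2 or parts[0].upper() != "CONNECT":
            continue
        host, port = split_target(parts[1])
        status = int(rec["status"])
        probes.append(ConnectProbe(
            client=rec["client"], time=rec["time"], target_host=host,
            target_port=port, status=status, tunnel_opened=(status == 200)))
    return probes


def summarize(probes: List[ConnectProbe]) -> dict:
    """Aggregate probes by target port and client and flag any opened tunnel."""
    return {
        "by_port": dict(Counter(p.target_port for p in probes)),
        "by_client": dict(Counter(p.client for p in probes)),
        "smtp_probes": sum(1 for p in probes if p.target_port == 25),
        "tunnel_opened": any(p.tunnel_opened for p in probes),
    }


if __name__ == "__main__":
    found = find_connect_probes(SAMPLE_LOG.splitlines())
    for p in found:
        verdict = "TUNNEL OPENED" if p.tunnel_opened else "refused"
        print(f"{p.time}  {p.client:15} -> {p.target_host}:{p.target_port}"
              f"  {p.status} {verdict}")
    print(summarize(found))
```

Run it against a real access_log by replacing SAMPLE_LOG.splitlines() with the file's lines. The point of the status check is the one that matters when reading entries like the ones in the thread: a 302 or 400 on a CONNECT means Apache did not open a tunnel, so the scanner learned the host is not an open proxy, whereas a 200 would mean outbound port-25 traffic was relayed through the web server and is the line to escalate.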
