On Wed, Oct 09, 2002 at 01:01:19PM -0700, Ben Barrett wrote:
> and here is the complete log entry, IP address xx'ed out:
> 216.xx.xx.xx - - [09/Oct/2002:05:55:25 -0700] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370 "-" "-"
>
> Any clues? I'm assuming this kiddie is searching for an old IIS
> vulnerability, but I've never heard of such a thing, asking a webserver
> for a connection to a different mailserver...??

216.xx.xx.xx is trying to use your apache as an http proxy (similar to
squid) to connect to a mailserver at microsoft in order to relay traffic
through you -- very similar to an open relay over smtp.

The dsbl black list tools provide different open relay scanners that
check socks, http, and formmail, as well as the most comprehensive smtp
relay test I've seen -- there are roughly 25 different smtp address
formats used to try to trick the remote server to relay.

You can probably safely ignore this. :)

-- 
"There's an old saying in Tennessee, i know it's in Texas, probably in
Tennessee, that says, 'Fool me once... shame on ... shame on .. you; but
fool--you can't get fooled again.'"
-- Commander in Chief of the US Military

This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 14:59:19 PDT
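
The probe discussed in this thread can be picked out of an Apache access log mechanically. The following is an added example, not part of the original messages: it flags CONNECT and absolute-URI requests and separates the ones the server refused from the ones answered with a non-error status. The function names and every sample line except the first (which is the entry quoted in the thread) are constructed for illustration.

```python
import re

# Apache combined log format. The request field is kept whole because a
# malformed request line (like the one in this thread) has extra tokens.
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
ABSOLUTE_URI = re.compile(r"[a-z][a-z0-9+.-]*://", re.I)

def classify(line):
    """Return a finding dict for a proxy-style request, or None."""
    m = LINE_RE.match(line)
    parts = m.group("request").split() if m else []
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        kind = "connect"
    elif ABSOLUTE_URI.match(target):
        kind = "absolute-uri"
    else:
        return None
    status = int(m.group("status"))
    return {
        "client": m.group("host"),
        "kind": kind,
        "target": target,
        # CONNECT to port 25 is the mail-relay pattern described in the reply.
        "smtp": kind == "connect" and target.endswith(":25"),
        # 4xx/5xx: the server refused. Anything lower: check the proxy
        # configuration, because the request may have been acted on.
        "verdict": "review" if status < 400 else "refused",
    }

def scan(lines):
    """Classify every line and keep only the proxy-style requests."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOG = [
    # The entry quoted in the thread.
    '216.xx.xx.xx - - [09/Oct/2002:05:55:25 -0700] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370 "-" "-"',
    # Constructed lines (documentation addresses and example hosts).
    '192.0.2.10 - - [09/Oct/2002:06:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    '198.51.100.7 - - [09/Oct/2002:06:02:10 -0700] "GET http://www.example.org/ HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.5 - - [09/Oct/2002:06:03:44 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The entry from the thread comes out as a refused CONNECT to an SMTP port, which matches the "safely ignore" reading; a "review" verdict on a CONNECT line is the case that warrants checking whether proxying is enabled.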