Strange apache logs: CONNECT maila.microsoft.com:25

From: Jeroen Wesbeek (duhat_private)
Date: Wed Nov 20 2002 - 00:40:13 PST

  • Next message: ZeroBreak: "RE: Proxy server hit... Any ideas?"

    Hello,
    
    As I was having a look at the access log of a apache daemon I noticed a
    strange entry. After grepping the access log it appeared this entry has
    occurred 9 times since september this year. I also noticed the same entry on
    other servers as well. It looks like something or someone is trying to send
    e-mail through a microsoft smtp server using http daemons however I can't
    seem to find anything relating to these entries on both google as well as
    the securityfocus archives. Most entries (64.*) seem to originate from
    dialup ip-adresses within the netblock of sympatico.ca while the rest are US
    based adresses. 
    
    68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25
    / HTTP/1.0" 302 0 
    64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    65.95.180.128 - - [29/Oct/2002:09:17:51 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    64.231.50.98 - - [31/Oct/2002:23:24:13 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    66.230.222.226 - - [01/Nov/2002:20:07:38 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    64.229.147.12 - - [14/Nov/2002:16:27:30 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    64.228.70.235 - - [15/Nov/2002:11:32:56 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    4.63.221.224 - - [16/Nov/2002:05:49:13 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370 
    64.229.147.19 - - [17/Nov/2002:15:35:24 +0100] "CONNECT
    maila.microsoft.com:25 / HTTP/1.0" 400 370
    
    Does anybody got a clue what this might be? 
    
    Grtz,
    
    
    dowebwedo
    Jeroen Wesbeek
    .programming
    St. Jacobsstraat 16 | 3511 BS Utrecht
    Postbus 448 | 3500 AK Utrecht
    The Netherlands
    www.dowebwedo.com
    p +31 (0) 30 234 81 10 | f  +31 (0) 20 773 83 38
    
    [roses are red, violets are blue, I am schizophrenic and so am I ]
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 04:05:57 PST