> Hello,
>
> As I was having a look at the access log of an Apache daemon I noticed a
> strange entry. After grepping the access log it appeared this entry has
> occurred 9 times since September this year. I also noticed the same entry on
> other servers as well. It looks like something or someone is trying to send
> e-mail through a Microsoft SMTP server using HTTP daemons, however I can't
> seem to find anything relating to these entries on both Google as well as
> the SecurityFocus archives. Most entries (64.*) seem to originate from
> dialup IP addresses within the netblock of sympatico.ca while the rest are
> US based addresses.
>
> 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0

That's usually what gets logged when a proxy attempt is made. Someone is either trying to spam someone at Microsoft by hiding their source IP using your web server as a proxy, or is just testing to see whether you are an "open proxy" - which is normally recorded for later use.

If you don't run any proxy software (Squid etc.) and it's just Apache, nothing to worry about really. I doubt they're targeting you specifically, more likely a complete network scan if they are repeating the same request day after day.

HTH, Andy.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
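The check discussed in this thread, as an added example that is not part of the original posts: it pulls CONNECT requests out of Apache access-log lines, groups them by source IP, and flags any that received a 2xx reply. The function names, the `needs_review` heuristic and all sample lines except the first (the entry quoted above) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix. The request field is captured whole because
# proxy probes often send odd request lines (note the stray "/" in the post).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
CONNECT_RE = re.compile(r'^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\b', re.I)

def find_connect_probes(lines):
    """Return one record per CONNECT request found in access-log lines."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        c = CONNECT_RE.match(m.group("req")) if m else None
        if not c:
            continue
        status = int(m.group("status"))
        probes.append({
            "ip": m.group("ip"),
            "target": c.group("host").lower() + ":" + c.group("port"),
            "status": status,
            # Heuristic (assumption of this example): a 2xx reply does not prove
            # the request was tunnelled, but it is the case worth checking
            # against the proxy configuration. Any other status: no tunnel.
            "needs_review": 200 <= status < 300,
        })
    return probes

def summarize(probes):
    """Group probes per source IP: hit count, targets, any 2xx reply."""
    out = defaultdict(lambda: {"count": 0, "targets": set(), "needs_review": False})
    for p in probes:
        entry = out[p["ip"]]
        entry["count"] += 1
        entry["targets"].add(p["target"])
        entry["needs_review"] |= p["needs_review"]
    return dict(out)

# First line is the entry quoted in the post; the others are constructed samples
# using documentation address ranges and example hostnames.
SAMPLE = [
    '68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0',
    '192.0.2.10 - - [08/Sep/2002:03:11:40 +0200] "CONNECT mail.example.org:25 HTTP/1.0" 405 312',
    '198.51.100.7 - - [09/Sep/2002:21:02:05 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '192.0.2.10 - - [09/Sep/2002:21:05:17 +0200] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for ip, info in sorted(summarize(find_connect_probes(SAMPLE)).items()):
        flag = "CHECK PROXY CONFIG" if info["needs_review"] else "not relayed"
        print(ip, info["count"], sorted(info["targets"]), flag)
```
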
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 08:22:39 PST