Several possible reasons for this:

1. Someone is trying to find open http proxies to abuse Microsoft:
   a) To forward spam through an open relay at Microsoft (maila.microsoft.com is
      on the MX list for microsoft.com, so I hope that it's not an open mail relay!).
   b) To attack Microsoft's mail servers.
   c) To attack Microsoft employees' mailboxes through one of the many Exchange
      and Outlook vectors (the proxy is here used to obscure the source of the attack).
2. Someone is trying to DoS Microsoft's mail servers.
3. A spammer is trying to find open http proxies that allow port 25 connections
   and is just using maila.microsoft.com because it's likely to be up and reachable.

Any of those seem likely?

It might be informative to set up an internal machine with an SMTP maildrop only
(like smtpd from postfix) and to force the SMTP responses to look just like the
ones produced by maila.microsoft.com, then put a host record in your webserver's
/etc/hosts file for maila.microsoft.com pointing to your new honeypot and see what
happens. Note that the hosts file entry might prevent your webserver from sending
email to anyone at Microsoft if that is within its domain of functionality.

JMH

Jeroen Wesbeek wrote:
>
> Hello,
>
> As I was having a look at the access log of an apache daemon I noticed a
> strange entry. After grepping the access log it appeared this entry has
> occurred 9 times since September this year.
...
> 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
> 64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
...
> Does anybody have a clue what this might be?
>
> Grtz,

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com
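A small detector for the pattern discussed in this thread, added here as an example and not code from either poster: it parses Apache common-log lines, picks out CONNECT requests aimed at SMTP ports, and separates attempts the server refused (the 302 and 400 responses quoted above) from ones it actually tunnelled (a 200 status, which is what an open proxy would log). The sample log is constructed from the two lines quoted above plus two made-up entries with RFC 5737 addresses.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Ports a spammer would want a proxy to relay to (assumption: SMTP, SMTPS, submission)
SMTP_PORTS = {25, 465, 587}

# Constructed sample: two lines from the thread, one made-up successful tunnel, one normal GET
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
192.0.2.10 - - [30/Oct/2002:01:02:03 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
192.0.2.11 - - [30/Oct/2002:01:02:04 +0100] "GET /index.html HTTP/1.0" 200 1234
"""


def parse_line(line):
    """Split one access-log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("request").split()
    if len(req) < 2:
        return None
    method, target = req[0], req[1]
    host, _, port = target.rpartition(":")   # CONNECT targets look like host:port
    return {"ip": m.group("ip"), "method": method, "host": host,
            "port": int(port) if port.isdigit() else None,
            "status": int(m.group("status"))}


def scan(lines):
    """Return CONNECT-to-SMTP findings as (ip, host, port, status, verdict) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT" or rec["port"] not in SMTP_PORTS:
            continue
        # A 200 means the server opened the tunnel, i.e. it acted as an open proxy.
        verdict = "TUNNELLED" if rec["status"] == 200 else "REFUSED"
        findings.append((rec["ip"], rec["host"], rec["port"], rec["status"], verdict))
    return findings


def summarize(findings):
    """Count attempts per target and flag any the server actually relayed."""
    by_target = defaultdict(lambda: {"attempts": 0, "tunnelled": 0, "sources": set()})
    for ip, host, port, status, verdict in findings:
        t = by_target[f"{host}:{port}"]
        t["attempts"] += 1
        t["sources"].add(ip)
        t["tunnelled"] += verdict == "TUNNELLED"
    return dict(by_target)
```

Any target with a non-zero tunnelled count is the one to act on; refused attempts are just scanning noise, though the per-source set is still useful for a block list.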
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 09:08:33 PST