Re: Strange CONNECT entries in apache logs

From: Christine Kronberg (Christine_Kronbergat_private)
Date: Mon Jun 09 2003 - 13:34:50 PDT


    On Fri, 6 Jun 2003, Rajkumar S wrote:
    
    >
    > While going through my apache logs, I found some logs indicating CONNECT
    > requests to port 25 of other hosts.
    >
    > 213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
    > HTTP/1.1" 302 5 "-" "-"
    > 130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25
    > HTTP/1.0" 200 14409 "-" "-"
    > 130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
    > HTTP/1.0" 200 17757 "-" "-"
    >
    > I found this on 2 machines in an Indian IP block. My other server in the US
    > is not affected by this. Is someone else seeing this? Could this be the
    > next wave of spam?
    
      Some people are using your Apache as a mail relay. Did you enable
      proxying? Getting a "200" indicates that the connect to those
      mail servers was successful. Make sure that you configure your
      Apache not to accept CONNECTs from everywhere to other than
      special ports, if you need proxying at all (if you don't need
      it, disable that feature).
      I see people trying to connect to other servers each day, but
      they get a "405" error.
    
      Cheers,
    
    
    
                                                              Chris.
    
    -- 
    GeNUA mbH
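
The triage described in this reply, as an added example that is not part of the original message: a Python scan of access-log lines in the format quoted above that separates CONNECT requests the server tunnelled (2xx) from those it refused (such as 405). The function names, the `allowed_ports` default of 443 and the two `192.0.2.x` sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Sample input: the first three lines are the entries quoted in the thread,
# unwrapped; the two 192.0.2.x lines are constructed for this example.
SAMPLE_LOG = '''\
213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25 HTTP/1.1" 302 5 "-" "-"
130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25 HTTP/1.0" 200 14409 "-" "-"
130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25 HTTP/1.0" 200 17757 "-" "-"
192.0.2.10 [06/Jun/2003:11:02:03 +0530] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"
192.0.2.11 [06/Jun/2003:11:05:40 +0530] "GET /index.html HTTP/1.0" 200 2048 "-" "-"
'''

# Matches only CONNECT requests in the log layout shown in the thread.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"CONNECT (?P<host>[^\s:"]+):(?P<port>\d{1,5}) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_connects(log_text, allowed_ports=frozenset({443})):
    """Return one dict per CONNECT request, flagging tunnels that were opened."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a CONNECT request, or not in the expected layout
        port, status = int(m["port"]), int(m["status"])
        findings.append({
            "client": m["client"], "target": f'{m["host"]}:{port}',
            "status": status,
            # 2xx: the proxy opened the tunnel; 405 and other codes: it did not
            "tunnelled": 200 <= status < 300,
            "unexpected_port": port not in allowed_ports,  # assumed policy
        })
    return findings

def abused_by_client(findings):
    """Group tunnelled targets on non-allowed ports by client IP."""
    out = defaultdict(list)
    for f in findings:
        if f["tunnelled"] and f["unexpected_port"]:
            out[f["client"]].append(f["target"])
    return dict(out)

if __name__ == "__main__":
    for client, targets in abused_by_client(find_connects(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(targets))
```
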
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:30:09 PDT