[NBLUG/talk] CONNECT lines in access_log...

Devin Carraway nblug-talk-list at devin.com
Thu Mar 20 21:03:01 PST 2003


On Thu, Mar 20, 2003 at 07:16:06PM -0800, Daniel Smith wrote:
> I just happened to look over my Apache 1.3.27 access_log.
> Do these lines look familiar to anyone?  Is it a spammer
> trying to somehow use Apache as a relay?

Yup.  Those are spammers probing for open proxies (or open-proxy
blacklist services scanning for much the same thing).  HTTP proxies
willing to do an arbitrary CONNECT proxy can be used to carry
SMTP, and hence send spam which will appear from Received: headers to
have originated at the proxy.

Spammers are also looking for open HTTP proxies willing to relay POST
requests -- chances are you've been probed for that as well; it happens
that when you put one entire side of an SMTP conversation into a POST
request, then have the proxy fetch it from http://mailhost:25/, an HTTP
proxy can be used as a spam relay and mask for the originating host.  It
happens that SMTP servers will merely issue syntax errors until the HELO
arrives, and after that it's all potted meat food product:

Here's a recent one from my SMTP logs:

Mar 18 20:12:05 atlantic qmail: 18417 check_earlytalker plugin: remote host [[213.121.248.187] [213.121.248.187] started talking before we said hello:
POST / HTTP/1.0
Via: 1.0 PROXY
Host: 66.92.186.143
Content-Length: 1166
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

HELO fwlqrxa
MAIL FROM: <Danvyrm at montevideo.com.uy>
RCPT TO: <debianbug-ezmlm-src-20000620 at devin.com>
DATA

(after which my smtpd unceremoniously closed the connect)



-- 
Devin  \ aqua(at)devin.com, 1024D/E9ABFCD2;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
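
As an added example (not part of the original message): a small Python scan of Apache access_log lines for the two probe types described above, CONNECT requests and proxy-style absolute-URI requests, flagging those aimed at SMTP ports. The log lines, addresses and host names are constructed samples, and the function names are illustrative.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Proxy-style targets: "host:port" (CONNECT) or an absolute http(s):// URI
AUTHORITY_RE = re.compile(
    r'^(?:https?://)?(\[[^\]]+\]|[^/:\s]+)(?::(\d+))?(?:/|$)', re.I)
SMTP_PORTS = {25, 465, 587}

# Constructed sample lines (documentation addresses and example host names).
SAMPLE = [
    '192.0.2.10 - - [20/Mar/2003:18:02:11 -0800] '
    '"CONNECT mail.example.net:25 HTTP/1.0" 405 303',
    '198.51.100.7 - - [20/Mar/2003:18:05:40 -0800] '
    '"POST http://mail.example.net:25/ HTTP/1.0" 404 276',
    '203.0.113.5 - - [20/Mar/2003:18:07:02 -0800] '
    '"GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Mar/2003:18:09:30 -0800] '
    '"GET http://www.example.org/ HTTP/1.0" 200 5120',
]

def classify(line):
    """Return a finding dict for a proxy-probe request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _when, request, status, _size = m.groups()
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    is_absolute = target.lower().startswith(("http://", "https://"))
    if method != "CONNECT" and not is_absolute:
        return None  # ordinary origin-form request such as "GET /index.html"
    a = AUTHORITY_RE.match(target)
    port = int(a.group(2)) if a and a.group(2) else None
    return {
        "client": client, "method": method, "target": target,
        "smtp_target": port in SMTP_PORTS,
        # A 2xx status deserves review: the request was not refused.
        "not_refused": status.startswith("2"),
    }

def scan(lines):
    """Classify every line and keep only the proxy-probe findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
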