Using http as mail spam engine
Joe Orton
jorton at redhat.com
Tue Nov 6 09:51:38 UTC 2007
On Mon, Nov 05, 2007 at 01:07:13PM -0700, Ashley M. Kirchner wrote:
> I noticed these entries in my apache log today:
>
> 60.250.66.175 - - [01/Nov/2007:04:41:01 -0600] "CONNECT
> 218.32.192.11:25 HTTP/1.0" 200 12439 "-" "-"
> 60.250.66.175 - - [01/Nov/2007:04:41:04 -0600] "CONNECT
> 61.31.198.50:25 HTTP/1.0" 200 12439 "-" "-"
> 60.250.66.175 - - [01/Nov/2007:04:43:28 -0600] "CONNECT
> 60.249.125.71:25 HTTP/1.0" 200 12439 "-" "-"
> 159.148.97.91 - - [02/Nov/2007:22:01:40 -0600] "CONNECT
> 195.175.37.70:8080 HTTP/1.0" 200 14301 "-" "-"
> 159.148.97.91 - - [02/Nov/2007:22:01:41 -0600] "CONNECT
> 159.148.96.222:80 HTTP/1.0" 200 14301 "-" "-"
>
> And while the first two are specifically targeting port 25, the
> other two aren't But more importantly, how is this being done, and how
> do I stop it? Did I forgot to disable something within Apache somewhere?
You'll get a 200 response sent from such CONNECT requests if you have
(e.g.) a PHP page handling the / page for your server. That does not
mean the server is allowing port forwarding!
By default, httpd will not allow CONNECT requests to remote servers. If
ProxyRequests is enabled, it will allow CONNECT requests to ports 443
and 563 only. (ProxyRequests should not be enabled unless the server is
acting as a proxy server, of course!)
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect
joe
More information about the fedora-list
mailing list