[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Using http as mail spam engine



On Mon, Nov 05, 2007 at 01:07:13PM -0700, Ashley M. Kirchner wrote:
>    I noticed these entries in my apache log today:
> 
>    60.250.66.175 - - [01/Nov/2007:04:41:01 -0600] "CONNECT 
> 218.32.192.11:25 HTTP/1.0" 200 12439 "-" "-"
>    60.250.66.175 - - [01/Nov/2007:04:41:04 -0600] "CONNECT 
> 61.31.198.50:25 HTTP/1.0" 200 12439 "-" "-"
>    60.250.66.175 - - [01/Nov/2007:04:43:28 -0600] "CONNECT 
> 60.249.125.71:25 HTTP/1.0" 200 12439 "-" "-"
>    159.148.97.91 - - [02/Nov/2007:22:01:40 -0600] "CONNECT 
> 195.175.37.70:8080 HTTP/1.0" 200 14301 "-" "-"
>    159.148.97.91 - - [02/Nov/2007:22:01:41 -0600] "CONNECT 
> 159.148.96.222:80 HTTP/1.0" 200 14301 "-" "-"
> 
>    And while the first two are specifically targeting port 25, the 
> other two aren't  But more importantly, how is this being done, and how 
> do I stop it?  Did I forgot to disable something within Apache somewhere?

You'll get a 200 response sent from such CONNECT requests if you have 
(e.g.) a PHP page handling the / page for your server.  That does not 
mean the server is allowing port forwarding!

By default, httpd will not allow CONNECT requests to remote servers.  If 
ProxyRequests is enabled, it will allow CONNECT requests to ports 443 
and 563 only.  (ProxyRequests should not be enabled unless the server is 
acting as a proxy server, of course!)

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect

joe





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]