Re: [squid-users] Strange access.log entries

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 28 Aug 2002 20:36:47 +0200

Well, they do. There are quite many bastards continuously probing the net for
open proxies to abuse in SMTP spamming.

Unless you take action to tighten down the access controls of your proxy to at
least the minimum recommended set shipped in the default squid.conf, your
network is very likely to soon be added to SMTP blacklists.

What they gain is

a) Privacy. To the receiving server it will look like it is you who sent the
spam, and the server manager of the receiving server will have a hard time
tracking down the spammer.

b) Bypassing of anti-spam filters already in place. It is quite likely the
spammer's own network is already blacklisted, and to be able to spam
efficiently he must relay on someone else's server, abusing their (your)
resources and reputation.

Regards
Henrik

Stephen Camilleri wrote:
> I am not really worried by firewall rules for the time being. The funny
> thing is that squid has been active for just 12 hours so how on earth could
> someone start relaying off me ?
>
> And as you rightly said, what does someone half a world away have to gain
> by relaying off me!?
>
> Stephen
>
> -----Original Message-----
> From: Billy Macdonald [mailto:whmac33@yahoo.com]
> Sent: 28 August 2002 16:35
> To: Stephen Camilleri; 'Squid-Users Group (E-mail)
> Subject: Re: [squid-users] Strange access.log entries
>
>
> Could it possibly be that your firewall rules aren't quite tight enough and
> someone is relaying off of you?
>
> And if that is the case, what does someone have to gain by relaying off of
> someone else's proxy?
>
> Billy
>
> --- Stephen Camilleri <stephen.camilleri@datastream.com.mt> wrote:
> > Hi all,
> >
> > We've just enabled a Squid cache (Stable 7) in transparent mode running
> > wccp 1 with a cisco router. WCCP is enabled on a selected interface where
> > a very restricted range of IPs are possible. I would understand that in
> > /var/log/access.log I should only see IPs within this restricted subnet.
> > However I keep on getting a large number of entries originating from
> > 204.29.169.241 which it seems is another squid server running stable7 8
> > timezones away!!
> >
> > Any clues would be really appreciated
> >
> > 204.29.169.241 - - [28/Aug/2002:14:25:27 +0200] "CONNECT 65.54.254.129:25 HTTP/1.0" 200 448 TCP_MISS:DIRECT
> > 204.29.169.241 - - [28/Aug/2002:14:25:28 +0200] "CONNECT 65.54.254.129:25 HTTP/1.0" 200 452 TCP_MISS:DIRECT
> > 204.29.169.241 - - [28/Aug/2002:14:25:29 +0200] "CONNECT 65.54.254.129:25 HTTP/1.0" 200 306 TCP_MISS:DIRECT
> >
> >
> > Stephen
>
Received on Wed Aug 28 2002 - 12:36:52 MDT
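
An added example, not part of the original thread and not Squid's own code: a small audit of httpd-style access.log lines like the ones quoted above, flagging clients outside the expected subnet and CONNECT requests to ports other than the usual SSL ones. The allowed subnet (192.0.2.0/24), the port set (443, 563) and all sample lines except the first two are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions, not from the thread: the subnet served through WCCP and the
# ports CONNECT is allowed to reach (443 and 563, the usual SSL_ports set).
ALLOWED_CLIENTS = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_CONNECT_PORTS = {443, 563}

# httpd-style access.log line with the Squid result code appended.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) (?P<result>\S+)$'
)

def audit(lines):
    """Return (findings, tunnels): flagged requests and per-client open tunnels."""
    findings, tunnels = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected log format
        reasons = []
        try:
            if ipaddress.ip_address(m["client"]) not in ALLOWED_CLIENTS:
                reasons.append("client outside allowed subnet")
        except ValueError:
            reasons.append("client logged as a name, cannot check subnet")
        if m["method"] == "CONNECT":
            port_text = m["target"].rpartition(":")[2]
            port = int(port_text) if port_text.isdigit() else None
            if port not in ALLOWED_CONNECT_PORTS:
                reasons.append(f"CONNECT to port {port}")
                if m["status"].startswith("2"):
                    reasons.append("tunnel was established")
                    tunnels[m["client"]] += 1
        if reasons:
            findings.append((m["client"], m["target"], reasons))
    return findings, tunnels

SAMPLE = [  # first two lines are from the thread, the rest are constructed
    '204.29.169.241 - - [28/Aug/2002:14:25:27 +0200] "CONNECT 65.54.254.129:25 HTTP/1.0" 200 448 TCP_MISS:DIRECT',
    '204.29.169.241 - - [28/Aug/2002:14:25:28 +0200] "CONNECT 65.54.254.129:25 HTTP/1.0" 200 452 TCP_MISS:DIRECT',
    '192.0.2.17 - - [28/Aug/2002:14:25:30 +0200] "CONNECT www.example.com:443 HTTP/1.0" 200 3120 TCP_MISS:DIRECT',
    '192.0.2.17 - - [28/Aug/2002:14:25:31 +0200] "GET http://www.example.com/ HTTP/1.0" 200 1024 TCP_MISS:DIRECT',
    '198.51.100.9 - - [28/Aug/2002:14:25:32 +0200] "CONNECT 203.0.113.5:25 HTTP/1.0" 403 1080 TCP_DENIED:NONE',
]

if __name__ == "__main__":
    for client, target, reasons in audit(SAMPLE)[0]:
        print(client, target, "; ".join(reasons))
```

A 2xx status on a flagged CONNECT means the proxy actually opened the tunnel; a TCP_DENIED line means the access controls already refused it.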
