RE: [squid-users] Odd Logs

From: Pawel Worach <pawel.worach@dont-contact.us>
Date: Tue, 29 Oct 2002 21:39:41 +0100

I have seen the same connect attempts on an iPlanet reverse proxy.
217.35.102.249 - - [29/Oct/2002:14:48:08 +0100] "CONNECT mx1.mail.yahoo.com:25 / HTTP/1.0" 403 234 - - - - 118 178 - - - - FIN - -
I would guess that spammers are trying to use badly configured
proxy servers as wingates.

Regards
Pawel

-----Original Message-----
From: AJ Lemke [mailto:aj.lemke@securitylabs.com]
Sent: den 29 oktober 2002 17:59
To: 'Joe Cooper'
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Odd Logs

Thanks for the response Joe.

Since I am running in Acceleration Mode will an ACL like this work?

# Access control List
acl localhost src 127.0.0.1
acl purge method PURGE
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl accelerated_servers dst ***IP LIST GOES HERE***
acl SSL_Ports port 443 563
acl SMTP_Ports port 25
acl CONNECT method CONNECT

# Access Area
# Squid takes the first http_access line whose ACLs all match, so the
# CONNECT denials must come before any allow rule.
http_access deny CONNECT SSL_Ports
http_access deny CONNECT SMTP_Ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Only the accelerated servers are reachable. A final "allow all" would turn
# the accelerator into an open proxy and leave any line after it unreachable.
http_access allow accelerated_servers
http_access deny all

AJ
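As an added example, not code from the thread: a small first-match simulator for Squid's http_access evaluation, run against two constructed rule orderings built from AJ's ACL names. One ends with an "allow all" line placed before the accelerated-server rule (the ordering Joe warns about), the other allows only the accelerated servers and denies everything else. 192.0.2.10 is an assumed stand-in for the IP list placeholder; only src, dst, port and method ACL types are modelled.

```python
import ipaddress
# Constructed squid.conf fragments using the ACL names from the thread;
# 192.0.2.10 is an assumed stand-in for "***IP LIST GOES HERE***".
ACLS = """\
acl all src 0.0.0.0/0.0.0.0
acl accelerated_servers dst 192.0.2.10
acl SSL_Ports port 443 563
acl SMTP_Ports port 25
acl CONNECT method CONNECT
"""
# Permissive order: "allow all" precedes "allow accelerated_servers".
OPEN = ACLS + """\
http_access deny CONNECT SSL_Ports
http_access deny CONNECT SMTP_Ports
http_access allow all
http_access allow accelerated_servers
"""
# Reverse-proxy order: no tunnels, only the accelerated servers, then deny.
FIXED = ACLS + """\
http_access deny CONNECT
http_access allow accelerated_servers
http_access deny all
"""
def parse(config):
    acls, rules = {}, []
    for parts in (line.split() for line in config.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules
def acl_matches(acls, name, req):
    kind, values = acls[name.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = str(req["port"]) in values
    else:  # dst (host as written in the request) and method compare literally
        hit = req[kind] in values
    return hit != name.startswith("!")
def http_access(config, req):
    # First line whose ACLs all match decides; if none matches, Squid
    # applies the opposite of the last line's action.
    acls, rules = parse(config)
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
# The tunnel attempt seen in the thread's log (source and target as logged).
RELAY = {"src": "138.89.169.242", "dst": "mx1.mail.yahoo.com", "port": 25, "method": "CONNECT"}
```

With the permissive order the port-25 tunnel is denied but a CONNECT to any other port, and any plain GET to an arbitrary host, is allowed; the reverse-proxy order denies both.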

-----Original Message-----
From: Joe Cooper [mailto:joe@swelltech.com]
Sent: Monday, October 28, 2002 7:16 PM
To: AJ Lemke
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Odd Logs

AJ Lemke wrote:
> Hello all, I am going through my squid logs and have noticed a lot of
> weird requests coming in. Here is a snippet:
>
> 138.89.169.242 - - [27/Oct/2002:00:01:01 -0500] "CONNECT
> mx1.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
> 138.89.169.242 - - [27/Oct/2002:00:01:02 -0500] "CONNECT
> mx2.mail.yahoo.com:25 HTTP/1.0" 200 276 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
> 138.89.169.242 - - [27/Oct/2002:00:01:04 -0500] "CONNECT
> mx2.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
>
> Any ideas why I would have a request from port 25 coming in?

I may be reading the common log format incorrectly, but this doesn't
look like a request coming /from/ port 25 to me. It looks like a
request connecting /to/ port 25 using the CONNECT method to set up a
tunnel. In other words someone is relaying mail through your proxy, and
not getting a TCP_DENIED response. That's a bad thing, and not the
default for Squid.

Fix your SSL_Ports and CONNECT acls to work correctly (i.e. make sure
the deny CONNECT http_access rule comes before your rules that allow
connections from local users).

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Tue Oct 29 2002 - 13:39:52 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:56 MST