RE: [squid-users] Squid trying to connect to smtp

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 13 Jan 2003 11:01:55 +0100

It depends on where you insert the http_access rule.

  http_access deny !my_networks

can (should) be inserted at the top before any other http_access rules,
to make sure that whatever you do in later http_access rules only
my_networks can be allowed as all others have already been denied.

  http_access allow my_networks

needs to be carefully inserted, usually last, to not override other
http_access rules further restricting access, and any http_access rules
before where you insert this rule need to be validated to not override
this giving others access who are outside my_networks.

Regards
Henrik

Mon 2003-01-13 at 01:52, Jay Turner wrote:
> >acl my_networks src your.local.network.address/mask
> >http_access deny !my_networks
>
> Just out of interest, why wouldn't you use:
>
> acl my_networks src your.local.network.address/mask
> http_access allow my_networks
> http_access deny all
>
> Do these both not achieve the same outcome?
>
> Jay
>
> -----Original Message-----
> From: hno@marasystems.com [mailto:hno@marasystems.com]On Behalf Of
> Henrik Nordstrom
> Sent: Sunday, 12 January 2003 3:51 PM
> To: Intruder
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid trying to connect to smtp
>
>
> Someone on the Internet has found that your proxy is an open proxy with
> no anti-spam rules, and is using your proxy to relay spam.
>
>
> Add the following lines first in your squid.conf to tighten up things
> considerably:
>
> acl my_networks src your.local.network.address/mask
> http_access deny !my_networks
>
> And also the following which is in the standard Squid configuration, but
> appears to have been deactivated in yours:
>
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
>
>
> Then review your http_access rules carefully, and also consider
> firewalling your squid servers from the Internet.
>
> Regards
> Henrik
>
>
> Intruder wrote:
> >
> > Hello,
> >
> > I don't know why, but in the access.log I'm having a
> > lot of requests to smtp servers, but no one is using
> > the proxy and the client who is requesting the
> > connection to the smtp server is not in my network!
> >
> > It doesn't stop trying to request some smtp server,
> > like yahoo.
> >
> > The 209.189.55.0 network is a known IP address. And
> > it's trying to connect to yahoo smtp and other smtp
> > servers.
> >
> > Here is a part of the access.log:
> > 1042343173.132 1323 209.189.55.205 TCP_MISS/200 252
> > CONNECT 64.156.215.5:25 - DIRECT/64.156.215.5 -
> >
> > 1042343173.661 471 209.189.55.205 TCP_MISS/200 39
> > CONNECT 64.157.4.82:25 - DIRECT/64.157.4.82 -
> >
> > 1042343175.244 1223 209.189.55.205 TCP_MISS/200 244
> > CONNECT 64.157.4.82:25 - DIRECT/64.157.4.82 -
> >
> > 1042343175.564 1234 209.189.55.200 TCP_MISS/200 252
> > CONNECT 64.156.215.5:25 - DIRECT/64.156.215.5 -
> >
> > 1042343175.901 2970 209.189.55.205 TCP_MISS/200 420
> > CONNECT 65.54.254.140:25 - DIRECT/65.54.254.140 -
> >
> > 1042343177.542 1380 209.189.55.200 TCP_MISS/200 252
> > CONNECT 64.156.215.5:25 - DIRECT/64.156.215.5 -
> >
> > 1042343177.759 1269 209.189.55.200 TCP_MISS/200 244
> > CONNECT 64.157.4.82:25 - DIRECT/64.157.4.82 -
> >
> > 1042343186.026 1227 209.189.55.205 TCP_MISS/200 244
> > CONNECT 64.157.4.82:25 - DIRECT/64.157.4.82 -
> >
> > 1042343186.378 1268 209.189.55.195 TCP_MISS/200 244
> > CONNECT 64.157.4.82:25 - DIRECT/64.157.4.82 -
> >
> > 1042343186.450 1961 209.189.55.195 TCP_MISS/200 321
> > CONNECT 65.54.254.151:25 - DIRECT/65.54.254.151 -
> >
> > 1042343186.630 3000 209.189.55.195 TCP_MISS/200 419
> > CONNECT 65.54.254.151:25 - DIRECT/65.54.254.151 -
> >
> > 1042343188.731 1274 209.189.55.205 TCP_MISS/200 244
> > CONNECT 216.136.129.18:25 - DIRECT/216.136.129.18 -
> >
> > 1042343188.830 2729 209.189.55.205 TCP_MISS/200 474
> > CONNECT 64.12.136.217:25 - DIRECT/64.12.136.217 -
> >
> > 1042343189.240 2007 209.189.55.200 TCP_MISS/200 315
> > CONNECT 65.54.254.140:25 - DIRECT/65.54.254.140 -
> >
> > 1042343189.390 2540 209.189.55.200 TCP_MISS/200 474
> > CONNECT 64.12.137.184:25 - DIRECT/64.12.137.184 -
> >
> > 1042343190.739 1269 209.189.55.195 TCP_MISS/200 244
> > CONNECT 216.136.129.18:25 - DIRECT/216.136.129.18 -
> >
> > 1042343191.591 1220 209.189.55.205 TCP_MISS/200 244
> > CONNECT 64.157.4.83:25 - DIRECT/64.157.4.83 -
> >
> > 1042343193.269 1239 209.189.55.205 TCP_MISS/200 252
> > CONNECT 64.156.215.5:25 - DIRECT/64.156.215.5 -
> >
> > 1042343193.837 1215 209.189.55.205 TCP_MISS/200 244
> > CONNECT 64.157.4.82:25 - DIRECT/64.157.4.82 -
> >
> > 1042343194.011 1212 209.189.55.205 TCP_MISS/200 244
> > CONNECT 216.136.129.18:25 - DIRECT/216.136.129.18 -
> >
> > 1042343194.320 4830 209.189.55.201 TCP_MISS/200 217
> > CONNECT 208.45.133.107:25 - DIRECT/208.45.133.107 -
> >
> > 1042343194.555 4334 209.189.55.205 TCP_MISS/200 135
> > CONNECT 212.77.101.161:25 - DIRECT/212.77.101.161 -
> >
> > 1042343194.665 2275 209.189.55.205 TCP_MISS/200 239
> > CONNECT 209.228.4.160:25 - DIRECT/209.228.4.160 -
> >
> > 1042343194.780 2961 209.189.55.201 TCP_MISS/200 429
> > CONNECT 65.54.254.140:25 - DIRECT/65.54.254.140 -
> >
> > 1042343194.930 1910 209.189.55.205 TCP_MISS/200 250
> > CONNECT 203.199.70.34:25 - DIRECT/203.199.70.34 -
> >
> > 1042343195.330 3180 209.189.55.195 TCP_MISS/200 421
> > CONNECT 65.54.254.151:25 - DIRECT/65.54.254.151 -
> >
> > HEEEELPPP!!! What is happening???
> >
> > Thanks
> >
Received on Mon Jan 13 2003 - 03:02:05 MST
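
The rule-ordering point discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of Squid's first-match http_access evaluation, run against one access.log entry from the report. The 192.168.1.0/24 network, the second log line, the inside request to port 25, and the rule-set names ALLOW_LAST, CARELESS and DENY_FIRST are assumptions made for illustration.

```python
import ipaddress

# Assumption: 192.168.1.0/24 stands in for your.local.network.address/mask.
MY_NET = ipaddress.ip_network("192.168.1.0/24")
ACLS = {
    "all": lambda r: True,
    "my_networks": lambda r: ipaddress.ip_address(r["src"]) in MY_NET,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] == 443,
}

def parse(line):
    """Client, method and port from a native-format access.log CONNECT entry."""
    f = line.split()
    return {"src": f[2], "method": f[5], "port": int(f[6].rpartition(":")[2])}

def http_access(rules, req):
    """Simplified model: the first rule whose ACLs all match decides; if none
    matches, the result is the opposite of the last rule (rules is non-empty)."""
    for rule in rules:
        action, *names = rule.split()[1:]
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if action == "allow" else "allow"

# First entry is from the access.log in the report; the second is constructed.
OUTSIDE = parse("1042343173.132 1323 209.189.55.205 TCP_MISS/200 252 "
                "CONNECT 64.156.215.5:25 - DIRECT/64.156.215.5 -")
INSIDE_443 = parse("1042343200.000 100 192.168.1.10 TCP_MISS/200 500 "
                   "CONNECT www.example.com:443 - DIRECT/192.0.2.10 -")
INSIDE_25 = dict(INSIDE_443, port=25)  # constructed: inside client, SMTP port

# The allow-then-deny-all form asked about in the thread.
ALLOW_LAST = ["http_access allow my_networks", "http_access deny all"]
# Hypothetical earlier rule that overrides the later restriction.
CARELESS = ["http_access allow CONNECT"] + ALLOW_LAST
# Deny rules first: the same careless rule can no longer admit outsiders.
DENY_FIRST = ["http_access deny !my_networks",
              "http_access deny CONNECT !SSL_ports"] + CARELESS

def verdicts(rules):
    """Decisions for the outside client, inside CONNECT :443, inside CONNECT :25."""
    return [http_access(rules, r) for r in (OUTSIDE, INSIDE_443, INSIDE_25)]

if __name__ == "__main__":
    for name in ("ALLOW_LAST", "CARELESS", "DENY_FIRST"):
        print(name, verdicts(globals()[name]))
```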
