Re: [squid-users] Strange traffic to port 25?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 23 Mar 2004 19:23:36 +0100 (CET)

On Tue, 23 Mar 2004, Bill Moran wrote:

> I'm trying to finalize the setup of a new squid cache acting as a transparent
> proxy. As we finish up testing and tweak the config, I'm suddenly finding a
> lot of traffic getting TCP_DENIED to (what looks like) port 25.

Probably someone trying to abuse your proxy to forward email
spam/viruses.

> Unfortunately, I don't have full access to the entire network in question, so
> I can't be 100% sure that there isn't a router somewhere else that's
> misconfigured, but I wanted to check in to see if maybe there's some squid-
> related explanation for this traffic.

> Here's an example log entry:
> 1080054163.917 3 <ip munged> TCP_DENIED/403 1346 CONNECT <ip munged>:25 - NONE/- text/html
 
It is not a router causing this. The client with <ip munged> is talking
directly to your proxy asking it to connect to port 25. No normal SMTP
traffic will ever do this and you can with 100% probability assume this is
someone trying to do something bad to you.

> The funny thing about the whole situation is that mail is working fine in
> spite of it. You'd think people would be having trouble with email.

It is only the user who tries to abuse your proxy who has trouble due
to this, as his abuse attempt is not successful.

> The ":25" means that's the destination port, correct?

Yes.

And that is why the SSL_ports restriction exists in the default squid.conf.

Regards
Henrik
Received on Tue Mar 23 2004 - 11:23:38 MST
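One way to spot the pattern Henrik describes in Squid's access.log, as an added example that is not part of the original thread: it counts, per client IP, the CONNECT requests whose destination port is outside the default SSL_ports set (443), running over a few constructed log lines in the same native format as the entry quoted above (the addresses are made-up documentation addresses).

```python
from collections import Counter, defaultdict

# Ports the default squid.conf allows CONNECT to (acl SSL_ports port 443).
SSL_PORTS = {443}

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client result/status bytes method url rfc931 hierarchy/peer type
SAMPLE_LOG = """\
1080054163.917 3 192.0.2.10 TCP_DENIED/403 1346 CONNECT 198.51.100.5:25 - NONE/- text/html
1080054164.102 3 192.0.2.10 TCP_DENIED/403 1346 CONNECT 198.51.100.6:25 - NONE/- text/html
1080054165.330 812 192.0.2.20 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/203.0.113.7 -
1080054166.001 15 192.0.2.20 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.7 text/html
1080054167.450 2 192.0.2.10 TCP_DENIED/403 1346 CONNECT 198.51.100.7:25 - NONE/- text/html
"""

def parse_line(line):
    """Return (client, result, method, url) from one native-format line, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return fields[2], fields[3], fields[5], fields[6]

def connect_port(url):
    """Return the destination port of a CONNECT target 'host:port', else None."""
    _host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)

def suspicious_connects(log_text, allowed_ports=SSL_PORTS):
    """Per client IP: number of CONNECT requests to ports outside allowed_ports,
    how many of those Squid denied, and the set of ports tried."""
    counts, denied, ports = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "CONNECT":
            continue
        client, result, _method, url = rec
        port = connect_port(url)
        if port is None or port in allowed_ports:
            continue
        counts[client] += 1
        denied[client] += result.startswith("TCP_DENIED")
        ports[client].add(port)
    return {ip: {"count": n, "denied": denied[ip], "ports": sorted(ports[ip])}
            for ip, n in counts.items()}

if __name__ == "__main__":
    for ip, info in suspicious_connects(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} CONNECT to ports {info['ports']}, {info['denied']} denied")
```

A client that only ever tunnels to 443 produces no entry; a denied count below the total means some non-SSL CONNECT was allowed through and the SSL_ports ACL deserves a look.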
