Re: [squid-users] spammer abusing my proxy server

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 6 May 2007 14:17:03 +0800

On Sun, May 06, 2007, Tek Bahadur Limbu wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dear All,
>
> One of my clients is abusing my proxy server to send spam to different groups on the Internet.
> But I have only been given the details below.
>
> I understand that there should be some kind of X-Forwarded-For IP address, right? How do I get the IP of the offending user besides checking all my access logs?

The X-Forwarded-For header is set for HTTP requests. This news post
is done via some HTTP to NNTP gateway program/script and thus doesn't
automagically mean the X-Forwarded-For IP will be in there.

You're more than likely going to have to run through your access logs.

Adrian

>
> Can somebody shed some light on how to prevent these incidents from recurring in the future?
> Thanks in advance!
>
> SPAM Details:
>
> Path:
> authen.puce.readfreenews.net!green.octanews.net!news-out.octanews.net!news.glorb.com!postnews.google.com!u30g2000hsc.googlegroups.com!not-for-mail
> From: spammer@gmail.com
> Newsgroups: alt.comp.freeware
> Subject:
> http://www.jobsnepal.info/idevaffiliate/idevaffiliate.php?id=1515
> Date: 4 May 2007 20:11:14 -0700
> Organization: http://groups.google.com
> Lines: 6
> Message-ID: <1178334674.363813.301290@u30g2000hsc.googlegroups.com>
> NNTP-Posting-Host: 202.xx.xx.xx (IP of my proxy server)
> Mime-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> X-Trace: posting.google.com 1178334675 27786 127.0.0.1 (5 May 2007
> 03:11:15 GMT)
> X-Complaints-To: groups-abuse@google.com
> NNTP-Posting-Date: Sat, 5 May 2007 03:11:15 +0000 (UTC)
> User-Agent: G2/1.0
> X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1),gzip(gfe),gzip(gfe)
> X-HTTP-Via: 1.1 myproxy.com:3128 (squid/2.6.STABLE9)
> Complaints-To: groups-abuse@google.com
> Injection-Info: u30g2000hsc.googlegroups.com;
> posting-host=202.xx.xx.xx (IP of my proxy);
> posting-account=qJA5Sw0AAAAEwNnRGJ7bd6V3Qkylk050
> Xref: authen.puce.readfreenews.net alt.comp.freeware:544238
>
>
> Specialize in website design, web hosting, database design and
> internet marketing to improve your web position. Services include meta
> tag programming,online job and many more
> http://www.jobsnepal.info/idevaffiliate/idevaffiliate.php?id=1785
>
> - --
>
>
> With best regards and good wishes,
>
> Yours sincerely,
>
> Tek Bahadur Limbu
>
> (TAG/TDG Group)
> Jwl Systems Department
>
> Worldlink Communications Pvt. Ltd.
>
> Jawalakhel, Nepal
>
> http://www.wlink.com.np
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (FreeBSD)
>
> iD8DBQFGPW0AVrOl+eVhOvYRAgD/AJ9qVREDs4qsyg4u7AaqnIEVbS1K5ACeORdr
> 6NOkWgrczzJjPb2M6TPCEvA=
> =o/1v
> -----END PGP SIGNATURE-----

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
Received on Sun May 06 2007 - 00:17:45 MDT
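
The access-log search suggested in the reply can be narrowed with the timestamp in the spam's X-Trace header (1178334675, i.e. 5 May 2007 03:11:15 GMT). The following is an added example, not part of the original thread: it assumes Squid's native access.log format and that the posting request went to a host under google.com; the log lines, client addresses and URL paths are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time.ms elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1178334601.120    210 192.0.2.15 TCP_MISS/200 5120 GET http://groups.google.com/group/alt.comp.freeware - DIRECT/198.51.100.7 text/html
1178334673.902    845 192.0.2.44 TCP_MISS/302 612 POST http://groups.google.com/group/alt.comp.freeware/post - DIRECT/198.51.100.7 text/html
1178334674.410     95 192.0.2.61 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
1178334680.005    300 192.0.2.44 TCP_MISS/200 4096 GET http://groups.google.com/group/alt.comp.freeware - DIRECT/198.51.100.7 text/html
1178338000.000    400 192.0.2.90 TCP_MISS/302 600 POST http://groups.google.com/group/misc.test/post - DIRECT/198.51.100.7 text/html
this line is truncated garbage
"""

POST_TIME = 1178334675  # epoch seconds from the X-Trace header quoted in the complaint

# Captures: timestamp, client address, Squid action, HTTP status, method, URL
LINE_RE = re.compile(r"^(\d+\.\d+)\s+-?\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+(\S+)\s+(\S+)\s")


def host_of(method, url):
    """Return the lower-cased destination host of a logged request."""
    if method == "CONNECT":  # CONNECT is logged as host:port, with no scheme
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def find_posters(log_text, post_time, domain, window=120):
    """List (time, client, method, URL) for POST/CONNECT requests to `domain`
    or a subdomain, logged within `window` seconds of `post_time`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ts, client, _action, _status, method, url = m.groups()
        if abs(float(ts) - post_time) > window or method not in ("POST", "CONNECT"):
            continue
        host = host_of(method, url)
        if host == domain or host.endswith("." + domain):
            hits.append((float(ts), client, method, url))
    return hits


if __name__ == "__main__":
    for ts, client, method, url in find_posters(SAMPLE_LOG, POST_TIME, "google.com"):
        print(f"{ts:.3f} {client} {method} {url}")
```

The window allows for clock skew between the proxy and the posting host; HTTPS posts appear only as CONNECT entries, so those identify a candidate client rather than the exact request.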
