[Dshield] Weird SMTP access

Ed Truitt ed.truitt at etee2k.net
Sun Nov 17 18:41:51 GMT 2002


My guess is that someone was using spamware to scan for open web proxies (so
you are correct, IMNSHO.)  I have been getting LOTS of spam recently where
the sender hides behind an open HTTP proxy.  They are easy to verify, too:
I simply put the IP address of the "proxy" in my browser configuration, then
hit "reload" on whatever page I am on at the time.  If the page is
refreshed, then BINGO~!

Now, to figure out a way to convince the ISPs to convince their lusers to
secure these things...

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Johan Strand" <Johan.Strand at frontend.se>
To: <list at dshield.org>
Sent: Sunday, November 17, 2002 2:51 AM
Subject: [Dshield] Weird SMTP access


> Hi!
>
> I got a strange access-attempt in my SMTP-log today. My guess is an
> attempt to use it as a proxy. Is that correct? Does anyone know what to look
> for to see if it was successful? The below is the only lines in the log (MS
> Exchange).
>
> As usual this is from Chinanet... I'm seriously thinking of blocking them.
> Am I overreacting?
>
> Best,
> Johan
>
>
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 34, 32, 500, 0, get, -, +http://www.yahoo.com/+HTTP/1.1,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 19, 32, 500, 0, host:, -, +www.yahoo.com,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 11, 32, 500, 0, accept:, -, +*/*,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 16, 32, 500, 0, pragma:, -, +no-cache,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 59, 32, 500, 0, user-agent:, -, +Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+98),
> 218.7.157.195, -, 11/17/2002, 6:34:38, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 1578, 0, 0, 0, 1609, QUIT, -, -,
>
>
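
An added example, not part of either message: one way to check a log like the one quoted above for HTTP requests sent to the SMTP port and to see whether the server rejected them. It assumes the comma-separated columns follow the IIS log file layout (column 11 is the service reply code, column 13 the command verb, column 15 its parameters); SMTP reply code 500 means the command was not recognized. The function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the six entries quoted in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 34, 32, 500, 0, get, -, +http://www.yahoo.com/+HTTP/1.1,
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 19, 32, 500, 0, host:, -, +www.yahoo.com,
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 11, 32, 500, 0, accept:, -, +*/*,
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 16, 32, 500, 0, pragma:, -, +no-cache,
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 59, 32, 500, 0, user-agent:, -, +Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+98),
218.7.157.195, -, 11/17/2002, 6:34:38, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 1578, 0, 0, 0, 1609, QUIT, -, -,
"""

HTTP_METHODS = {"get", "post", "head", "put", "connect", "options"}


def parse_line(line):
    """Return (client_ip, reply_code, verb, parameters) or None if malformed."""
    # Assumed column layout (IIS log file format); parameters stay in one piece.
    f = [x.strip() for x in line.split(",", 14)]
    if len(f) < 15 or not f[10].isdigit():
        return None
    return f[0], int(f[10]), f[12].lower(), f[14].rstrip(", ")


def looks_like_http(verb):
    # An HTTP request line starts with a method; HTTP header names end in ':'.
    return verb in HTTP_METHODS or verb.endswith(":")


def find_http_probes(log_text):
    """Per client IP: HTTP-looking commands, the URL asked for, and any
    such command the server did NOT answer with a 5xx rejection."""
    report = defaultdict(lambda: {"http_lines": 0, "target": None, "not_rejected": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not looks_like_http(rec[2]):
            continue
        ip, code, verb, params = rec
        entry = report[ip]
        entry["http_lines"] += 1
        if verb in HTTP_METHODS and entry["target"] is None:
            entry["target"] = params.lstrip("+").split("+")[0]
        if not 500 <= code <= 599:
            entry["not_rejected"].append((verb, code))
    return dict(report)


if __name__ == "__main__":
    for ip, info in find_http_probes(SAMPLE_LOG).items():
        verdict = "all rejected" if not info["not_rejected"] else "CHECK: some accepted"
        print(ip, info["http_lines"], "HTTP lines ->", info["target"], "|", verdict)
```

On the quoted entries every HTTP-looking command carries reply code 500, so the `not_rejected` list is empty for that client.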



