Re: [Dshield] Weird SMTP access

Johan Strand Johan.Strand at frontend.se
Sun Nov 17 19:39:25 GMT 2002


Thanks Ed!

Tried your method and got the same log entries. Apparently 500 in the log lines means 'Command not recognized'. I got that error message in the browser as the response after the initial SMTP greeting.

This is our mail server and also the internet gateway (ISA) for our internal office net. That's why I was worried I had misconfigured something to allow it to function as a proxy for external users.

Best,

	Johan

-----Original Message-----
From: Ed Truitt [mailto:ed.truitt at etee2k.net]
Sent: 17 November 2002 19:42
To: list at dshield.org
Subject: Re: [Dshield] Weird SMTP access


My guess is that someone was using spamware to scan for open web proxies (so
you are correct, IMNSHO.)  I have been getting LOTS of spam recently where
the sender hides behind an open HTTP proxy.  They are easy to verify, too:
I simply put the IP address of the "proxy" in my browser configuration, then
hit "reload" on whatever page I am on at the time.  If the page is
refreshed, then BINGO~!

Now, to figure out a way to convince the ISPs to convince their lusers to
secure these things...

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Johan Strand" <Johan.Strand at frontend.se>
To: <list at dshield.org>
Sent: Sunday, November 17, 2002 2:51 AM
Subject: [Dshield] Weird SMTP access


> Hi!
>
> I got a strange access attempt in my SMTP log today. My guess is an
> attempt to use it as a proxy. Is that correct? Does anyone know what to look
> for to see if it was successful? The lines below are the only ones in the log (MS
> Exchange).
>
> As usual this is from Chinanet... I'm seriously thinking of blocking them.
> Am I overreacting?
>
> Best,
> Johan
>
>
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 34, 32, 500, 0, get, -, +http://www.yahoo.com/+HTTP/1.1,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 19, 32, 500, 0, host:, -, +www.yahoo.com,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 11, 32, 500, 0, accept:, -, +*/*,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 16, 32, 500, 0, pragma:, -, +no-cache,
> 218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 59, 32, 500, 0, user-agent:, -, +Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+98),
> 218.7.157.195, -, 11/17/2002, 6:34:38, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 1578, 0, 0, 0, 1609, QUIT, -, -,
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>

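A small log-triage script for the question raised in the thread (did the proxy probe get anywhere?), added here as an example and not part of any message above. It assumes the Microsoft IIS log field order for the SMTP service and runs over a constructed sample modelled on the quoted lines; it flags HTTP-style commands sent to the SMTP port and reports any that did not receive a 5xx rejection.

```python
"""Triage IIS-format SMTP service logs for HTTP proxy probes (added example)."""
from collections import defaultdict

# Constructed sample, modelled on the thread's log excerpt (server IP redacted),
# plus one ordinary SMTP session so the classifier has something to ignore.
SAMPLE_LOG = """\
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 34, 32, 500, 0, get, -, +http://www.yahoo.com/+HTTP/1.1,
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 19, 32, 500, 0, host:, -, +www.yahoo.com,
218.7.157.195, -, 11/17/2002, 6:34:36, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 11, 32, 500, 0, accept:, -, +*/*,
218.7.157.195, -, 11/17/2002, 6:34:38, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 1578, 0, 0, 0, 1609, QUIT, -, -,
192.0.2.10, -, 11/17/2002, 7:01:02, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 16, 48, 250, 0, HELO, -, +mail.example.net,
192.0.2.10, -, 11/17/2002, 7:01:02, SMTPSVC1, CERBERUS, XXX.XXX.XXX.XXX, 0, 20, 40, 250, 0, MAIL, -, +FROM:<a@example.net>,
"""

SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS", "TURN", "ETRN", "BDAT"}
HTTP_METHODS = {"GET", "POST", "HEAD", "CONNECT", "OPTIONS", "PUT"}


def parse_line(line):
    """Split one IIS-format SMTP log line into a dict.
    Field order is assumed from the Microsoft IIS log format: client IP, user,
    date, time, service, server, server IP, time taken, bytes received,
    bytes sent, protocol status, Win32 status, operation, target, parameters
    (where '+' encodes a space)."""
    f = [x.strip() for x in line.split(",")]
    if len(f) < 15:
        return None
    return {"client": f[0], "time": f[2] + " " + f[3],
            "status": int(f[10]) if f[10].isdigit() else None,
            "op": f[12], "params": f[14].replace("+", " ").strip()}


def classify(rec):
    """'smtp' for a known verb, 'http' for a request line or header sent to
    the SMTP port (the proxy-probe pattern), 'other' for anything else."""
    op = rec["op"].upper()
    if op in SMTP_VERBS:
        return "smtp"
    if op in HTTP_METHODS or op.endswith(":"):
        return "http"
    return "other"


def triage(log_text):
    """Per client: number of HTTP-style commands and any that were not
    answered with a 5xx rejection (the thing to look for when asking whether
    the server acted on the request rather than refusing it)."""
    report = defaultdict(lambda: {"http_cmds": 0, "accepted": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify(rec) != "http":
            continue
        entry = report[rec["client"]]
        entry["http_cmds"] += 1
        if rec["status"] is not None and not 500 <= rec["status"] < 600:
            entry["accepted"].append((rec["op"], rec["params"], rec["status"]))
    return dict(report)
```

An empty `accepted` list for a client, as with the sample, is the log evidence that every probe line was refused with "command not recognized".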