[Dshield] More interesting proxying attempts

James C Slora Jr Jim.Slora at phra.com
Wed Nov 27 22:12:42 GMT 2002


Since someone else on this list had mentioned proxy attempts to a Microsoft
mail server, these might be worth sharing.

I'm used to seeing proxy attempts for http://mail.yahoo.com/?.intl=us. I
think these are spammers trying to hide the source of their junk.

Today I got these proxy probes that also had bogus user-agents and called
for URLs that I haven't seen before in proxy attempts on my hosts.

2002-11-26 22:29:34 210.200.222.223 GET http://www.intel.com/
User-Agent:Mozilla/5.0 (compatible; MSIE 5.01; Win2000)
Motives for these are hard to guess - they might just be looking to confirm
that proxying works at all by checking an always-up site, or this could be
part of some DoS or other activity against Intel.

2002-11-27 10:23:09 210.52.12.7 GET http://www.spedia.net/sp_login.htm
User-Agent:Mozilla/5.0 (compatible; MSIE 5.01; Win2000)
This one might be someone trying to scam free calling time by referring
themselves from junk usernames through IP addresses that would not call
attention to the scam.




More information about the list mailing list