AdamAdsy
01-06-2004, 05:49 PM
I've had a web server running for almost a year and this has not happened before, but about a week ago I noticed a lot of activity on my webserver (it's a laptop and the fans kept spinning up, which means it had been doing a lot).
I checked the Apache weblogs and had this:
24.28.158.128 - - [06/Jan/2004:20:55:59 +0000] "CONNECT 213.165.64.100:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:05 +0000] "CONNECT 192.220.200.3:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:08 +0000] "CONNECT 142.3.100.69:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:10 +0000] "CONNECT 66.15.12.228:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:12 +0000] "CONNECT 63.150.158.73:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:15 +0000] "CONNECT 64.132.153.196:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:16 +0000] "CONNECT 163.11.1.68:25 HTTP/1.0" 200 7961
24.28.158.128 - - [06/Jan/2004:20:56:16 +0000] "CONNECT 152.3.140.1:25 HTTP/1.0" 200 7961
24.28.158.128 - - [06/Jan/2004:20:56:16 +0000] "CONNECT 216.125.117.20:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:18 +0000] "CONNECT 129.186.140.10:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:19 +0000] "CONNECT 129.97.54.10:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:19 +0000] "CONNECT 195.101.240.114:25 HTTP/1.0" 200 7961
24.28.158.128 - - [06/Jan/2004:20:56:21 +0000] "CONNECT 65.199.34.50:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:29 +0000] "CONNECT 136.142.103.16:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:40 +0000] "CONNECT 168.30.240.16:25 HTTP/1.0" 200 13291
24.28.158.128 - - [06/Jan/2004:20:56:45 +0000] "CONNECT 216.219.253.216:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:46 +0000] "CONNECT 207.127.69.8:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:49 +0000] "CONNECT 216.251.32.110:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:50 +0000] "CONNECT 209.221.176.89:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:53 +0000] "CONNECT 203.15.35.58:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:54 +0000] "CONNECT 12.106.88.32:25 HTTP/1.0" 200 12057
Now this is a very small chunk; the same IP has spammed me ~15000 times, which makes for a lot of traffic. The worrying thing is that the webserver has responded with a 200 and the size changes, which most likely means my webserver is being abused to openly spam emails.
I could do with some help on how to configure the Apache webserver to block these CONNECT requests, since I don't think a normal webserver actually needs to respond to them.
Thanks for the help.
(Hope this is the right place to post this)
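
An added example, not part of the original post: log triage for the pattern shown above, grouping CONNECT requests by client and flagging mail-port targets, 2xx answers and repeated response sizes. The function names and flag labels are hypothetical; the sample uses four lines copied from the post plus one constructed GET line.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

# Four lines copied from the post, plus one constructed ordinary GET for contrast.
SAMPLE = """\
24.28.158.128 - - [06/Jan/2004:20:55:59 +0000] "CONNECT 213.165.64.100:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:05 +0000] "CONNECT 192.220.200.3:25 HTTP/1.0" 200 12057
24.28.158.128 - - [06/Jan/2004:20:56:16 +0000] "CONNECT 163.11.1.68:25 HTTP/1.0" 200 7961
24.28.158.128 - - [06/Jan/2004:20:56:40 +0000] "CONNECT 168.30.240.16:25 HTTP/1.0" 200 13291
192.0.2.10 - - [06/Jan/2004:20:57:01 +0000] "GET /index.html HTTP/1.0" 200 2048
""".splitlines()

def summarize_connect(lines):
    """Per client: CONNECT count, 2xx count, target hosts/ports, 2xx body sizes."""
    acc = defaultdict(lambda: {"total": 0, "ok_2xx": 0, "targets": set(),
                               "ports": set(), "sizes": set()})
    for line in lines:
        m = CLF.match(line.strip())
        if not m or m["method"] != "CONNECT":
            continue  # unparsable line or an ordinary request
        s = acc[m["client"]]
        s["total"] += 1
        host, sep, port = m["target"].rpartition(":")
        s["targets"].add(host if sep else m["target"])
        if sep and port.isdigit():
            s["ports"].add(int(port))
        if m["status"].startswith("2"):
            s["ok_2xx"] += 1
            if m["size"] != "-":
                s["sizes"].add(int(m["size"]))
    return dict(acc)

def triage(s):
    """Flags for one client's summary; the size check is a heuristic only."""
    flags = []
    if 25 in s["ports"]:
        flags.append("smtp-target")           # tunnel requested to a mail port
    if s["ok_2xx"]:
        flags.append("connect-answered-2xx")  # server did not refuse the method
    if s["ok_2xx"] > len(s["sizes"]) > 0:
        flags.append("repeated-sizes")        # same byte count for different targets
    return flags

if __name__ == "__main__":
    for client, s in summarize_connect(SAMPLE).items():
        print(client, s["total"], sorted(s["sizes"]), triage(s))
```

When `repeated-sizes` fires, compare those byte counts with the sizes of the server's own pages before concluding that mail was relayed. On Apache, forward proxying (including CONNECT tunnelling) is governed by mod_proxy's `ProxyRequests` directive, so that is the setting to confirm is `Off`.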