Tuesday, July 17, 2007

TIP: spammer sending email using squid

Have you checked your squid log files for spammer attempts to send email through the squid port?

Well, here is one quick and dirty way to check your squid logs for spammers trying to send email by tunnelling SMTP through the squid port:

# cat /var/log/squid/access.log* | grep '\:25'

Here are a few sample lines:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1179265950.734 0 220.137.80.170 TCP_DENIED/403 1342 CONNECT msa-mx4.hinet.net:25 - NONE/- text/html
1178647576.706 1 222.156.67.109 TCP_DENIED/403 1346 CONNECT maila.microsoft.com:25 - NONE/- text/html
1180721897.385 146 220.137.85.214 TCP_DENIED/403 1344 CONNECT msa-mx10.hinet.net:25 - NONE/- text/html
...
truncated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, they are basically denied by squid.

But some providers and other websites automatically block these attempts based on their logs.
Logically, that could be a reason why your proxy IP address is being blocked by those providers and sites.

You could block those offending IP addresses, probably script kiddies trying to test your squid and SMTP ports, or at least have alerts sent to you by email.

# route add -host IP-ADDRESS reject

does that.
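
An added example (not from the original post): a shell function that counts, per client IP, the CONNECT attempts to port 25 that squid denied and those it did not deny, assuming squid's native access.log format. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.
# Assumes squid's native access.log format:
#   time elapsed client result/status bytes method URL ident hierarchy type

# Print "client denied not_denied" for CONNECT requests to port 25.
# Matches the method and an exact :25 suffix, so ports such as :2525 or
# a GET URL that merely contains ":25" are not counted.
smtp_connect_summary() {
    awk '
        $6 == "CONNECT" && $7 ~ /:25$/ {
            seen[$3] = 1
            if ($4 ~ /^TCP_DENIED\//) denied[$3]++
            else not_denied[$3]++   # squid tried to open the tunnel
        }
        END {
            for (ip in seen)
                printf "%s %d %d\n", ip, denied[ip], not_denied[ip]
        }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# Print clients with at least $1 port-25 CONNECT attempts in total.
smtp_offenders() {
    smtp_connect_summary | awk -v min="$1" '$2 + $3 >= min { print $1 }'
}

# Constructed sample log lines (documentation IP ranges, example domains).
sample_log() {
    cat <<'EOF'
1179265950.734 0 192.0.2.10 TCP_DENIED/403 1342 CONNECT mx1.example.net:25 - NONE/- text/html
1179265951.102 0 192.0.2.10 TCP_DENIED/403 1342 CONNECT mx2.example.net:25 - NONE/- text/html
1179265952.310 1 192.0.2.10 TCP_DENIED/403 1342 CONNECT mx3.example.net:25 - NONE/- text/html
1179266000.500 146 198.51.100.7 TCP_DENIED/403 1344 CONNECT mx1.example.net:25 - NONE/- text/html
1179266010.900 5230 198.51.100.7 TCP_MISS/200 812 CONNECT mx1.example.net:25 - DIRECT/203.0.113.25 -
1179266020.120 870 203.0.113.5 TCP_MISS/200 4096 CONNECT www.example.org:443 - DIRECT/203.0.113.80 -
1179266030.450 0 203.0.113.5 TCP_DENIED/403 1340 CONNECT relay.example.org:2525 - NONE/- text/html
EOF
}

sample_log | smtp_connect_summary
```

To run it on real logs, pipe them in the same way as the grep above: `cat /var/log/squid/access.log* | smtp_connect_summary`. A non-zero third column is the case to act on first, because it means squid did not deny the tunnel to port 25 and the proxy ACLs need tightening.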
