Friday, July 11, 2008

How To Check Squid Logs for Possible Tunnelled SMTP via HTTP Injection

If MTAs are getting smarter and better with each new stable release, spammers are keeping up with them. Email spammers tend to go through an adaptive learning process against the standard and advanced email defense and antispam mechanisms that are commonly deployed.

If the antispam features of MTAs are getting more centralized, effective and efficient, email spammers are also evolving to learn MTA flaws and server weaknesses more quickly. They feel more challenged to succeed with their spamming activities. If they can afford to hire a programmer to automate a newly found MTA security flaw, they will probably do that. One way or another, they strive to find alternatives and to succeed in finding SMTP security flaws and better ways to accomplish their email spamming.

This entry covers a simple approach to checking your Squid log file for entries that show an attempt to inject a tunnelled SMTP connection through the Squid HTTP port.

How to check Squid Log Files for Tunnelled SMTP

By default, Squid proxy writes its log to /var/log/squid/access.log, in a default log format that records the URL site and port requested by each proxy client.

Now, without regard to Squid access list policies or the firewall, here is a quick way to parse the Squid log file for an SMTP port injected via HTTP, watching the live log:

# tail -f /var/log/squid/access.log | grep -w ':25'

To parse and check all Squid log files:

# cat /var/log/squid/access.log* | grep -w ':25'

If you are in a country zone where email spamming is very high, this approach could give you a lead on local spamming activity occurring inside your network.
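As an added example (not part of the original post), here is a small Python script that does what the grep commands above do, but parses Squid's default native access.log format properly: it only counts CONNECT requests (the method a client uses to tunnel a raw TCP connection through an HTTP proxy), extracts the destination port, and reports per-client hits split into tunnels Squid allowed (2xx status) and tunnels it denied. It goes a little beyond the text by also watching ports 465 and 587, which carry SMTP as well. The log lines are constructed samples, and the field layout and port set are assumptions about a default Squid install.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in Squid's default "native" access.log format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1215700001.123    120 192.168.1.50 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1215700002.456   3050 192.168.1.77 TCP_MISS/200 2860 CONNECT mail.example.net:25 - DIRECT/203.0.113.25 -
1215700003.789    800 192.168.1.50 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/203.0.113.10 -
1215700004.012   2900 192.168.1.77 TCP_MISS/200 2990 CONNECT 198.51.100.9:25 - DIRECT/198.51.100.9 -
1215700005.345     50 192.168.1.77 TCP_DENIED/403 1420 CONNECT 198.51.100.9:25 - NONE/- text/html
1215700006.678    400 192.168.1.23 TCP_MISS/200 1800 CONNECT smtp.example.org:587 - DIRECT/203.0.113.87 -
"""

# Ports that carry SMTP: 25 (MTA to MTA), 465 (SMTPS) and 587 (submission).
# Assumption: these are the ports worth watching on a typical network.
SMTP_PORTS = {25, 465, 587}

# One regex for the native log layout; every field is whitespace separated.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def tunnel_port(record):
    """For a CONNECT request return the destination port as int, otherwise None.

    Only CONNECT carries a bare host:port; a GET to http://x/page:25 is not a tunnel.
    """
    if record["method"] != "CONNECT":
        return None
    _host, sep, port = record["url"].rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return None


def find_smtp_tunnels(log_text, ports=SMTP_PORTS):
    """Return parsed records whose CONNECT target is an SMTP port, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than guess
        port = tunnel_port(rec)
        if port in ports:
            rec["port"] = port
            hits.append(rec)
    return hits


def summarize(log_text, ports=SMTP_PORTS):
    """Count SMTP-port CONNECT attempts per client: (allowed 2xx, denied everything else)."""
    allowed = Counter()
    denied = Counter()
    for rec in find_smtp_tunnels(log_text, ports):
        if rec["status"].startswith("2"):
            allowed[rec["client"]] += 1
        else:
            denied[rec["client"]] += 1
    return allowed, denied


if __name__ == "__main__":
    # Usage: python squid_smtp_check.py [/var/log/squid/access.log]
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    ok, no = summarize(text)
    for client in sorted(set(ok) | set(no)):
        print(f"{client:16} allowed={ok[client]:3} denied={no[client]:3}")
```

A client with a high "allowed" count to port 25 is the lead the post talks about; a high "denied" count still tells you a host on the LAN is trying, which is worth a look even though the proxy blocked it. Rotated logs that have been gzipped need to be decompressed before being fed in.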

All done.
