
Re: Strange apache logs: CONNECT maila.microsoft.com:25

From: John Hall <j.hall(at)f5.com>
Date: Fri Nov 22 2002 - 15:21:23 EST

Several possible reasons for this:

  1. Someone is trying to find open http proxies to abuse Microsoft:
     a. To forward spam through an open relay at Microsoft (maila.microsoft.com is on the MX list for microsoft.com, so I hope that it's not an open mail relay!).
     b. To attack Microsoft's mail servers.
     c. To attack Microsoft employees' mailboxes through one of the many Exchange and Outlook vectors (the proxy is here used to obscure the source of the attack).
  2. Someone is trying to DoS Microsoft's mail servers.
  3. A spammer is trying to find open http proxies that allow port 25 connections and is just using maila.microsoft.com because it's likely to be up and reachable.

Any of those seem likely? It might be informative to set up an internal machine with an SMTP maildrop only (like smtpd from postfix), force the SMTP responses to look just like the ones produced by maila.microsoft.com, then put a host record in your webserver's /etc/hosts file for maila.microsoft.com pointing to your new honeypot and see what happens. Note that the hosts file entry might prevent your webserver from sending email to anyone at Microsoft if that is within its domain of functionality.

JMH

Jeroen Wesbeek wrote:
>
> Hello,
>
> As I was having a look at the access log of an apache daemon I noticed a
> strange entry. After grepping the access log it appeared this entry has
> occurred 9 times since september this year.
...
>
> 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25
...
> Does anybody have a clue what this might be?
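Before building the honeypot John describes, the cheaper first check is to pull every forward-proxy probe out of the access log and see whether any of them got a 2xx back. The script below is an added example, not code from either poster: it parses Common Log Format lines, flags CONNECT requests (the pattern in the thread) and absolute-URI GETs (the other classic open-proxy probe), tallies them by source and target, and separates refused probes from ones the server appears to have served. The log lines embedded in it are constructed for the example; only the first one mirrors the shape of the entry quoted above.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (not taken from the original
# post); the first mirrors the shape of the CONNECT entry quoted there.
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 HTTP/1.0" 405 321
68.15.22.55 - - [07/Sep/2002:15:10:17 +0200] "GET http://www.example.com/ HTTP/1.0" 403 282
198.51.100.7 - - [08/Sep/2002:09:01:02 +0200] "GET /index.html HTTP/1.1" 200 1542
203.0.113.9 - - [09/Sep/2002:11:22:33 +0200] "CONNECT maila.microsoft.com:25 HTTP/1.1" 200 512
203.0.113.9 - - [09/Sep/2002:11:22:40 +0200] "CONNECT maila.microsoft.com:25 HTTP/1.1" 200 -
"""

# Common Log Format: ip ident user [time] "method target proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict of fields for a CLF line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def probe_kind(rec):
    """Classify a request as a forward-proxy probe, or None if ordinary.

    CONNECT host:port asks the server to open a raw TCP tunnel (what the
    thread saw against port 25); a GET with an absolute URI asks it to
    fetch a third-party page. Neither belongs in an origin server's log.
    """
    if rec["method"] == "CONNECT":
        return "connect_tunnel"
    if rec["target"].lower().startswith(("http://", "https://")):
        return "absolute_uri"
    return None


def tunnel_target(rec):
    """Split 'host:port' from a CONNECT target; port defaults to 443 if absent."""
    host, sep, port = rec["target"].rpartition(":")
    if not sep or not port.isdigit():
        return rec["target"], 443
    return host, int(port)


def analyze(log_text):
    """Summarize proxy probes: who is probing, what they aim at, and
    whether any probe looks like it actually got through (2xx status)."""
    probes_by_ip = Counter()
    targets = Counter()
    relayed = []  # probes the server appears to have served
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = probe_kind(rec)
        if kind is None:
            continue
        probes_by_ip[rec["ip"]] += 1
        if kind == "connect_tunnel":
            targets[tunnel_target(rec)] += 1
        else:
            targets[(rec["target"], None)] += 1
        # A refused probe logs a 4xx; a 2xx on a CONNECT line means the
        # server opened the tunnel, i.e. it is usable as an open proxy.
        if 200 <= rec["status"] < 300:
            relayed.append((rec["ip"], rec["target"], rec["status"]))
    return {"probes_by_ip": probes_by_ip, "targets": targets, "relayed": relayed}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["probes_by_ip"].most_common():
        print(f"{ip}: {n} proxy probe(s)")
    for (host, port), n in report["targets"].most_common():
        print(f"  target {host}:{port}: {n}")
    for ip, target, status in report["relayed"]:
        print(f"OPEN PROXY? {ip} got {status} for {target}")
```

The status column is the part that matters. Nine CONNECT lines that all carry a 4xx are noise from a proxy scanner (John's option 3); a single 2xx on a CONNECT or absolute-URI line means the box relayed for someone and the httpd.conf needs a look. On Apache that means confirming `ProxyRequests` is off (it is by default); note that even with `ProxyRequests On`, mod_proxy's `AllowCONNECT` directive defaults to ports 443 and 563 only, so a CONNECT to port 25 is refused unless 25 has been added to that list. The one-liner equivalent of the script is `grep -E '"(CONNECT |GET https?://)' access_log`, followed by a look at the status field.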



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Nov 25 12:09:35 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

