Re: [squid-users] Odd Logs

From: Joe Cooper <joe@swelltech.com>
Date: Mon, 28 Oct 2002 19:16:24 -0600

AJ Lemke wrote:
> Hello all, I am going through my squid logs and have noticed a lot of
> weird requests coming in.
> Here is a snippet:
>
> 138.89.169.242 - - [27/Oct/2002:00:01:01 -0500] "CONNECT
> mx1.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
> 138.89.169.242 - - [27/Oct/2002:00:01:02 -0500] "CONNECT
> mx2.mail.yahoo.com:25 HTTP/1.0" 200 276 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
> 138.89.169.242 - - [27/Oct/2002:00:01:04 -0500] "CONNECT
> mx2.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent:
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control:
> private,no-cache\r\nPragma: no-cache\r\n] []
>
> Any ideas why I would have a request from port 25 coming in?

I may be reading the common log format incorrectly, but this doesn't
look like a request coming /from/ port 25 to me. It looks like a
request connecting /to/ port 25 using the CONNECT method to set up a
tunnel. In other words someone is relaying mail through your proxy, and
not getting a TCP_DENIED response. That's a bad thing, and not the
default for Squid.

Fix your SSL_Ports and CONNECT acls to work correctly... (i.e., make sure
the deny CONNECT http_access rule comes before your rules that allow
connections from local users.)

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Mon Oct 28 2002 - 18:16:27 MST
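The reply above reads the log as CONNECT tunnels to port 25 that were answered 200 instead of TCP_DENIED. The following added check (not code from the list or from Squid) parses that log format and flags exactly that pattern: CONNECT to a port outside Squid's default SSL_ports set that was not denied. The sample log is constructed from the quoted lines (re-joined onto single lines) plus two invented records, one legitimate HTTPS tunnel and one denied relay attempt, so the filter has something to ignore.

```python
import re

# Squid's default "acl SSL_ports port 443 563" (HTTPS and SNEWS).
# Only these ports should ever be reachable with CONNECT.
SSL_PORTS = {443, 563}

# Common log format with log_mime_hdrs on, as in the quoted snippet:
# src ident user [time] "METHOD url PROTO" status bytes CODE:HIER [req hdrs] [resp hdrs]
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)'
)

# Constructed sample: the two quoted records plus two invented ones.
SAMPLE_LOG = r"""138.89.169.242 - - [27/Oct/2002:00:01:01 -0500] "CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT [User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control: private,no-cache\r\nPragma: no-cache\r\n] []
138.89.169.242 - - [27/Oct/2002:00:01:02 -0500] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 200 276 TCP_MISS:DIRECT [User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nCache-Control: private,no-cache\r\nPragma: no-cache\r\n] []
192.0.2.10 - - [27/Oct/2002:00:01:05 -0500] "CONNECT www.example.com:443 HTTP/1.0" 200 3120 TCP_MISS:DIRECT [User-Agent: Mozilla/4.0] []
192.0.2.11 - - [27/Oct/2002:00:01:07 -0500] "CONNECT mx1.mail.yahoo.com:25 HTTP/1.0" 403 1234 TCP_DENIED:NONE [User-Agent: Mozilla/4.0] []
"""


def parse_line(line):
    """Parse one access.log record into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # For CONNECT the url field is host:port; other methods carry scheme://host/path.
    host, sep, port = rec["url"].rpartition(":")
    rec["host"] = host
    rec["port"] = int(port) if sep and port.isdigit() else None
    return rec


def find_tunnel_abuse(log_text):
    """Return CONNECT records to non-SSL ports that Squid answered 200 rather than denying."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        denied = rec["result"].startswith("TCP_DENIED")
        if rec["port"] not in SSL_PORTS and rec["status"] == 200 and not denied:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_tunnel_abuse(SAMPLE_LOG):
        print(f"{h['src']} tunnelled to {h['host']}:{h['port']} ({h['result']})")
```

Any hit means the "http_access deny CONNECT !SSL_ports" line is missing or sits after an allow rule in squid.conf; once it is moved above the allow rules, the same requests should show up as TCP_DENIED and drop out of this report.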
