Re: [squid-users] Odd Logs

From: Alain Fauconnet <[email protected]>
Date: Tue, 29 Oct 2002 09:25:31 +0700

On Tue, Oct 29, 2002 at 01:11:33PM +1100, Lightfoot.Michael wrote:
> > > 138.89.169.242 - - [27/Oct/2002:00:01:04 -0500] "CONNECT
> > > mx2.mail.yahoo.com:25 HTTP/1.0" 200 271 TCP_MISS:DIRECT
> > [User-Agent:
> > > Mozilla/4.0 (compatible; MSIE 5.01; Windows NT
> > 5.0)\r\nCache-Control:
> > > private,no-cache\r\nPragma: no-cache\r\n] []
> > >
> > > Any ideas why I would have a request from port 25 coming in?
> >
> > I may be reading the common log format incorrectly, but this doesn't
> > look like a request coming /from/ port 25 to me. It looks like a
> > request connecting /to/ port 25 using the CONNECT method to set up a
> > tunnel. In other words someone is relaying mail through your
> > proxy, and
> > not getting a TCP_DENIED response. That's a bad thing, and not the
> > default for Squid.
> >
> No, it is someone using SSL to read their Yahoo mailbox.

What makes you think that? I heartfully agree that this *is* a mail
relay. There's absolutely no way that someone would open a tunnel to
port 25 to *read* mail. If someone was reading mail on Yahoo over SSL,
the tunnel would be over port 443 (and most likely *not* to one of
Yahoo's MX hosts!)

That's definitely mail relaying, and that's a bad thing. The Squid
configuration needs to be fixed ASAP by restricting the ports number
you allow tunnelling to. I have this in my squid.conf:

acl SSL_ports port 443 563
acl CONNECT method CONNECT

...among other http_access lines...
http_access deny CONNECT !SSL_ports

Greets,
_Alain_
Received on Mon Oct 28 2002 - 19:25:47 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:55 MST