Re: Strange apache logs: CONNECT maila.microsoft.com:25

From: John Hall (j.hall@f5.com)
Date: 11/22/02

    From: John Hall <j.hall@f5.com>
    To: Jeroen Wesbeek <duh@DoWebWeDo.com>
    Date: Fri, 22 Nov 2002 12:21:23 -0800
    
    

    Several possible reasons for this:

    1. Someone is trying to find open http proxies to abuse Microsoft:
      a) To forward spam through an open relay at Microsoft (maila.microsoft.com
         is on the MX list for microsoft.com, so I hope that it's not an open mail
         relay!).
      b) To attack Microsoft's mail servers.
      c) To attack Microsoft employees' mailboxes through one of the many Exchange
         and Outlook vectors (the proxy is here used to obscure the source of the
         attack).

    2. Someone is trying to DoS Microsoft's mail servers.

    3. A spammer is trying to find open http proxies that allow port 25 connections
       and is just using maila.microsoft.com because it's likely to be up and
       reachable.

    Do any of those seem likely? It might be informative to set up an internal machine
    with an SMTP maildrop only (like smtpd from postfix) and to force the SMTP
    responses to look just like the ones produced by maila.microsoft.com, then
    put a host record in your webserver's /etc/hosts file for maila.microsoft.com
    pointing to your new honeypot and see what happens. Note that the hosts
    file entry might prevent your webserver from sending email to anyone at
    Microsoft if that is within its domain of functionality.

    JMH

    Jeroen Wesbeek wrote:
    >
    > Hello,
    >
    > As I was having a look at the access log of an apache daemon I noticed a
    > strange entry. After grepping the access log it appeared this entry has
    > occurred 9 times since september this year.
    ...
    >
    > 68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25
    > / HTTP/1.0" 302 0
    > 64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT
    > maila.microsoft.com:25 / HTTP/1.0" 400 370
    ...
    > Does anybody have a clue what this might be?
    >
    > Grtz,

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
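The log lines quoted in the thread are the signature of an open-proxy scan: a client sends an HTTP CONNECT request for some host on port 25 and watches whether the web server tunnels the connection. The script below is an added example for this archive page, not code from either poster: it parses Apache common/combined log lines, pulls out every CONNECT request with its target host and port, and flags the ones the server actually accepted. The sample input is constructed for the example; the first two lines are the ones Jeroen quoted, the GET line and the 200-status CONNECT line are made up to show a benign request and what a successful tunnel would look like. The 302 and 400 in the real lines mean the CONNECT was refused; treating a 2xx answer to CONNECT as "tunnel opened" is an assumption that holds for an Apache instance proxying with mod_proxy, and should be checked against the local configuration (ProxyRequests and AllowCONNECT are the relevant directives).

```python
import re
from collections import Counter

# Apache common/combined log format: client, identd, user, [timestamp],
# "request line", status, size. The request line is matched loosely because
# scanners send malformed ones (note the stray "/" in the quoted lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<rest>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample input. Lines 1-2 are the entries quoted in the thread;
# lines 3-4 are made up: a normal GET and a CONNECT that the server accepted.
SAMPLE_LOG = """\
68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
192.0.2.10 - - [30/Oct/2002:09:00:00 +0100] "GET /index.html HTTP/1.0" 200 1024
198.51.100.7 - - [31/Oct/2002:10:00:00 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def split_host_port(target):
    """Split the CONNECT authority 'host:port' into (host, port); port is None if absent."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, None


def find_connect_probes(log_text):
    """Return one record per CONNECT request: who asked, for what, and whether it worked.

    'tunneled' assumes a 2xx reply to CONNECT means the proxy opened the tunnel,
    which is how mod_proxy behaves; 3xx/4xx/5xx are refusals or redirects.
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = split_host_port(rec["target"])
        probes.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "host": host,
            "port": port,
            "status": rec["status"],
            "tunneled": 200 <= rec["status"] < 300,
        })
    return probes


def summarize_targets(probes):
    """Count CONNECT attempts per (host, port); port 25 targets mean SMTP relay probing."""
    return Counter((p["host"], p["port"]) for p in probes)


if __name__ == "__main__":
    found = find_connect_probes(SAMPLE_LOG)
    for p in found:
        verdict = "TUNNEL OPENED" if p["tunneled"] else "refused"
        print(f'{p["ip"]:16} -> {p["host"]}:{p["port"]}  {p["status"]}  {verdict}')
    for (host, port), n in summarize_targets(found).most_common():
        print(f"{n}x {host}:{port}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; any record with "TUNNEL OPENED" is the case to worry about, because it means the server relayed a TCP connection to someone else's mail port on the scanner's behalf. Refused probes like the two in the thread are noise from scanners working through address ranges, which is consistent with the third explanation in John Hall's reply.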