Security Incidents mailing list archives

Strange apache logs: CONNECT maila.microsoft.com:25


From: Jeroen Wesbeek <duh () DoWebWeDo com>
Date: Wed, 20 Nov 2002 09:40:13 +0100

Hello,

As I was having a look at the access log of an Apache daemon I noticed a
strange entry. After grepping the access log it appeared this entry has
occurred 9 times since September this year. I also noticed the same entry on
other servers as well. It looks like something or someone is trying to send
e-mail through a Microsoft SMTP server using HTTP daemons; however, I can't
seem to find anything relating to these entries on both Google as well as
the SecurityFocus archives. Most entries (64.*) seem to originate from
dialup IP addresses within the netblock of sympatico.ca while the rest are
US-based addresses.

68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0
64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
65.95.180.128 - - [29/Oct/2002:09:17:51 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
64.231.50.98 - - [31/Oct/2002:23:24:13 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
66.230.222.226 - - [01/Nov/2002:20:07:38 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
64.229.147.12 - - [14/Nov/2002:16:27:30 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
64.228.70.235 - - [15/Nov/2002:11:32:56 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
4.63.221.224 - - [16/Nov/2002:05:49:13 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370
64.229.147.19 - - [17/Nov/2002:15:35:24 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370

Does anybody have a clue what this might be?

Grtz,


dowebwedo
Jeroen Wesbeek
.programming
St. Jacobsstraat 16 | 3511 BS Utrecht
Postbus 448 | 3500 AK Utrecht
The Netherlands
www.dowebwedo.com
p +31 (0) 30 234 81 10 | f  +31 (0) 20 773 83 38

[roses are red, violets are blue, I am schizophrenic and so am I ]



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
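
The grep described in the post, written out as a small script (an added example, not part of the original message): it pulls CONNECT requests out of access-log lines, groups them by target host and port, and counts any that were answered with a 2xx status. The function names and the two 192.0.2.x log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Access-log line whose request is a CONNECT. The entries in the post carry an
# extra "/" between the target and the protocol, so tokens there are tolerated.
CONNECT_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"CONNECT (?P<host>[^\s:"]+):(?P<port>\d+)(?: [^"]*?)? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

def find_connect_requests(lines):
    """Return one dict per CONNECT request found in the given log lines."""
    hits = []
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["port"] = int(hit["port"])
        hit["status"] = int(hit["status"])
        # A 2xx status is how a proxy signals that it opened the tunnel,
        # so those entries deserve a closer look than the refused ones.
        hit["accepted"] = 200 <= hit["status"] < 300
        hits.append(hit)
    return hits

def summarize(hits):
    """Group hits by (host, port): distinct sources, statuses, accepted count."""
    out = defaultdict(lambda: {"sources": set(), "statuses": set(), "accepted": 0})
    for h in hits:
        entry = out[(h["host"], h["port"])]
        entry["sources"].add(h["src"])
        entry["statuses"].add(h["status"])
        entry["accepted"] += h["accepted"]
    return dict(out)

SAMPLE = [
    # First three entries are from the post, with the mail wrapping undone.
    '68.15.22.55 - - [07/Sep/2002:15:10:16 +0200] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 302 0',
    '64.231.49.57 - - [29/Oct/2002:08:13:29 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370',
    '64.229.147.19 - - [17/Nov/2002:15:35:24 +0100] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 370',
    # Constructed lines: an ordinary request, and a CONNECT answered with 200.
    '192.0.2.10 - - [17/Nov/2002:15:40:01 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [17/Nov/2002:15:41:12 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for target, info in summarize(find_connect_requests(SAMPLE)).items():
        print(target, sorted(info["sources"]), sorted(info["statuses"]), info["accepted"])
```
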

