Adrian Chadd wrote:
On Sun, May 06, 2007, Tek Bahadur Limbu wrote:
Dear All,
One of my clients is abusing my proxy server to send spam to different groups on the internet.
But I have only been given the details below.
I understand that there should be some kind of X-Forwarded-For IP address right? How do I get the IP of the offending user besides checking all my access logs?
The X-Forwarded-For header is set for HTTP requests. This news post
is done via some HTTP to NNTP gateway program/script and thus doesn't
automagically mean the X-Forwarded-For IP will be in there.
You're more than likely going to have to run through your access logs.
Adrian
Yes, to find the culprit you will have to check your log. At least
Google provides you with some helpful info:
Posted: 5 May 2007 03:11:15 GMT
User-Agent: G2/1.0
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1),gzip(gfe),gzip(gfe)
X-HTTP-Via: 1.1 myproxy.com:3128 (squid/2.6.STABLE9)
Look for a CONNECT or similar method to port 119. If you find one it's
as easy as adding a port deny to your squid acls.
By default, and in future for a safely closed proxy, you really should have:
acl SSL_Ports port 443
http_access deny CONNECT !SSL_Ports
Other than that ... all you can do is check that the X-Forwarded-For is
sent and call it another googlegroups failure to add it.
From my point of view it looks like your server is passing at least one Via:
header (myproxy.com) and Google is seeing that.
If myproxy.com is not you, then you will want to block clients access to
port 3128 on remote servers too ;-)
Amos
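Both replies above come down to the same two steps: go through the Squid access.log around the posting time shown in the spam headers, and then close the CONNECT hole with the SSL_Ports ACL. As an added example (not code from the thread, from Adrian or Amos, or from the Squid project), the following Python script does that search over a constructed sample of Squid native-format log lines: it converts the "Posted:" timestamp to an epoch, picks out requests that are either a raw CONNECT tunnel to port 119 or a POST to an assumed HTTP-to-NNTP gateway host, matches them against the request's whole lifetime (Squid stamps a line when the request finishes, so a long tunnel must be matched on its start/end span), and finally models the "http_access deny CONNECT !SSL_Ports" rule to show which of the hits that ACL would actually have stopped. The gateway host list, the sample log lines and the client addresses are constructed assumptions for this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed Squid native access.log sample (not taken from the thread).
# Fields: timestamp elapsed_ms client action/code bytes method url ident hierarchy mime
SAMPLE_LOG = """\
1178334601.118    213 192.0.2.17 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.9 text/html
1178334673.902    488 192.0.2.45 TCP_MISS/200 812 POST http://groups.google.com/group/alt.comp.freeware/post - DIRECT/198.51.100.20 text/html
1178334680.330  30021 192.0.2.77 TCP_MISS/200 2310 CONNECT news.example.net:119 - DIRECT/198.51.100.30 -
1178334690.004    150 192.0.2.17 TCP_MISS/200 3001 CONNECT www.example.com:443 - DIRECT/198.51.100.9 -
1178341000.500    100 192.0.2.45 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/198.51.100.40 text/html
"""

# Hosts assumed to act as HTTP-to-NNTP gateways (assumption for this example).
GATEWAY_HOSTS = {"groups.google.com", "postnews.google.com"}
NNTP_PORT = 119
SSL_PORTS = {443}  # mirrors "acl SSL_Ports port 443"


def posting_time_to_epoch(posted):
    """Convert a 'Posted:' style GMT timestamp to a Unix epoch second."""
    dt = datetime.strptime(posted, "%d %b %Y %H:%M:%S GMT")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def parse_squid_line(line):
    """Parse one Squid native-format line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        return {
            "ts": float(parts[0]),     # request completion time (epoch seconds)
            "elapsed": int(parts[1]),  # request duration in milliseconds
            "client": parts[2],
            "method": parts[5],
            "url": parts[6],
        }
    except ValueError:
        return None


def url_port_and_host(method, url):
    """Return (host, port). CONNECT is logged as 'host:port'; other methods as a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def is_nntp_related(entry):
    """True for a raw CONNECT tunnel to 119 or a POST to a known HTTP/NNTP gateway."""
    host, port = url_port_and_host(entry["method"], entry["url"])
    if entry["method"] == "CONNECT" and port == NNTP_PORT:
        return True
    return entry["method"] == "POST" and host in GATEWAY_HOSTS


def find_suspects(log_text, posting_epoch, window=60):
    """Return NNTP-related requests whose [start, end] span overlaps the posting time (+/- window)."""
    hits = []
    for line in log_text.splitlines():
        e = parse_squid_line(line)
        if e is None or not is_nntp_related(e):
            continue
        start = e["ts"] - e["elapsed"] / 1000.0  # Squid stamps the line at completion
        if start - window <= posting_epoch <= e["ts"] + window:
            hits.append(e)
    return hits


def connect_denied_by_acl(method, url):
    """Model 'http_access deny CONNECT !SSL_Ports': only CONNECT to a non-SSL port is denied."""
    if method != "CONNECT":
        return False
    _, port = url_port_and_host(method, url)
    return port not in SSL_PORTS


if __name__ == "__main__":
    when = posting_time_to_epoch("5 May 2007 03:11:15 GMT")
    for hit in find_suspects(SAMPLE_LOG, when):
        verdict = "blocked by ACL" if connect_denied_by_acl(hit["method"], hit["url"]) else "not covered by CONNECT ACL"
        print(hit["client"], hit["method"], hit["url"], verdict)
```

Run against a real log with the "Posted:" value from the abuse report; the X-Trace epoch (1178334675 in the headers) can be passed directly to find_suspects instead. The script's last column makes Amos's point concrete: the CONNECT deny stops the tunnel to port 119 but not a plain HTTP POST through a web gateway, which is why the Via: header and the gateway's X-Forwarded-For handling still matter.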
Can somebody shed some light into how to prevent these incidents from recurring in the future?
Thanks in advance!
SPAM Details:
Path: authen.puce.readfreenews.net!green.octanews.net!news-out.octanews.net!news.glorb.com!postnews.google.com!u30g2000hsc.googlegroups.com!not-for-mail
From: spammer@xxxxxxxxx
Newsgroups: alt.comp.freeware
Subject: http://www.jobsnepal.info/idevaffiliate/idevaffiliate.php?id=1515
Date: 4 May 2007 20:11:14 -0700
Organization: http://groups.google.com
Lines: 6
Message-ID: <1178334674.363813.301290@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
NNTP-Posting-Host: 202.xx.xx.xx (IP of my proxy server)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1178334675 27786 127.0.0.1 (5 May 2007
03:11:15 GMT)
X-Complaints-To: groups-abuse@xxxxxxxxxx
NNTP-Posting-Date: Sat, 5 May 2007 03:11:15 +0000 (UTC)
User-Agent: G2/1.0
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1),gzip(gfe),gzip(gfe)
X-HTTP-Via: 1.1 myproxy.com:3128 (squid/2.6.STABLE9)
Complaints-To: groups-abuse@xxxxxxxxxx
Injection-Info: u30g2000hsc.googlegroups.com;
posting-host=202.xx.xx.xx (IP of my proxy);
posting-account=qJA5Sw0AAAAEwNnRGJ7bd6V3Qkylk050
Xref: authen.puce.readfreenews.net alt.comp.freeware:544238
Specialize in website design, web hosting, database design and
internet marketing to improve your web position. Services include meta
tag programming,online job and many more
http://www.jobsnepal.info/idevaffiliate/idevaffiliate.php?id=1785