another "CONNECT mailin-03.mx.aol.com" question

Forum Moderators: DixonJones

Message Too Old, No Replies

another "CONNECT mailin-03.mx.aol.com" question

this one has a 200 OK status code

nancyb

7:12 am on Apr 16, 2003 (gmt 0)

I found a strange entry in my logs today

219.93.200.190 - - [13/Apr/2003:22:13:45 -0500] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"

Searched here and found two threads, which said these were attempts to use a proxy to send email. However, the entries reported were all 400 status codes so, no problem.

Next, I went back through my log files for the last month and found several more of these, also 400. But, there were also 5 entries with 200 status codes.

Doesn't the 200 mean someone actually used my account, probably to send spam emails?

nancyb

6:06 pm on Apr 24, 2003 (gmt 0)

I'm bumping this up since it didn't get a response before and I'm still concerned.

In the mean time, my host told me that they tried and couldn't connect through an aol proxy from my domain (I think that's how they worded it).

However, the two entries in my log file show their attempts as 400s. This week I've two more of these which were 200s again. So far this month there have been 8 attempts that were 200 status and 4 that resulted in 400 status.

I asked my hosting service, twice, why the 200s instead of a 400 - if it doesn't work, but they haven't responded directly to that question. So, I'm still wondering why there are 200s and don't 200s mean the attempts worked? Especially since on the two days this week where there were 200s I received bounced back spam emails that I didn't send. I know they could be forged, but this seems suspicious - I think.

Can someone explain this to me or send me somewhere to learn about it. Thanks,

jdMorgan

6:56 pm on Apr 24, 2003 (gmt 0)

nancyb,

I can't give you an answer, but could you post raw log file examples of the 200 and 400 CONNECTs?

Also, what server are you on?

Jim

nancyb

7:21 pm on Apr 24, 2003 (gmt 0)

Jim,
4.42.106.253 - - [07/Apr/2003:02:31:36 -0500] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"
12.238.26.161 - - [09/Apr/2003:09:13:35 -0500] "CONNECT mailin-01.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"
64.172.207.37 - - [10/Apr/2003:06:05:03 -0500] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"
218.247.140.35 - - [10/Apr/2003:20:48:25 -0500] "CONNECT mailin-02.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"

219.93.200.190 - - [13/Apr/2003:22:13:45 -0500] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"
216.71.84.197 - - [16/Apr/2003:00:19:54 -0500] "CONNECT www.google.com:80 HTTP/1.0" 400 381 "-" "-"
209.150.149.90 - - [16/Apr/2003:00:22:37 -0500] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 400 382 "-" "-"
216.71.84.19 - - [16/Apr/2003:00:35:10 -0500] "CONNECT mailin-03.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"

213.245.88.56 - - [23/Apr/2003:08:58:50 -0500] "CONNECT mailin-01.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"
216.172.111.19 - - [24/Apr/2003:08:51:22 -0500] "CONNECT mailin-04.mx.aol.com:25 HTTP/1.0" 200 305 "-" "-"

The two with a 400 (April 16) are from host tech support.

Hosting service said 'hosted on a Linux server' and 'this is a windows vunerability so not a worry'. My response "ok, but why a 200?' to which I didn't get an answer.

Thanks for taking a look Jim