ww.#*$!.yyy.zzz - - [xx/Nov/2005:xx:xx:xx -0500] "CONNECT mx2.#*$!.com:25 HTTP/1.0" 200 25682 "-" "-"
ww.xxx.yyy.zzz - - [xx/Nov/2005:xx:xx:xx -0500] "POST http://ww.xxx.yyy.zzz:25/ HTTP/1.1" 200 25691 "-" "-"
These are two lines from my access_log... These were the only two lines from this IP and there has been no other activity from this IP. In the 2nd line, after the word POST, the originating IP was included before the :25 - I'm curious as to what was being attempted. Has anyone seen this behaviour before?
Was this person successful in relaying mail via my server? If so, how do I configure Apache to keep this kind of exploit from being successful?
I suspect by restricting access to the CONNECT and POST methods but will I lose some functionality?
Welcome to WebmasterWorld!
Yes, he was successful -- Expect more soon.
I see this behaviour attempted all the time, but I block it and return a 403-Forbidden response.
Restricting the CONNECT method using <LIMIT>, mod_access and mod_setenvif, or mod_rewrite will solve this particular problem.
If you use forms on your site, then you cannot restrict the POST method without breaking them. But blocking CONNECT will be sufficient, anyway.
Jim
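A log check for the two request shapes in the first post, as an added example that is not part of the original thread: it flags CONNECT requests and requests whose target is an absolute URI for a host other than the site's own, and records whether the server answered with a 2xx status instead of refusing. The sample lines, the documentation-range addresses, the `example.*` host names and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def target_endpoint(method, target):
    """Return (host, port) if the request names a remote endpoint, else None."""
    if method == "CONNECT":                  # authority-form target: host:port
        host, _, port = target.rpartition(":")
        if host and port.isdigit():
            return host.lower(), int(port)
        return target.lower(), None
    if "://" in target:                      # absolute-form: scheme://host[:port]/path
        parts = urlsplit(target)
        try:
            port = parts.port
        except ValueError:                   # malformed port in the logged URI
            port = None
        return (parts.hostname or "").lower(), port
    return None                              # origin-form ("/path"): a normal request

def find_proxy_probes(lines, own_hosts):
    """Flag CONNECT requests and absolute-URI requests for hosts outside own_hosts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        endpoint = m and target_endpoint(m["method"], m["target"])
        if not endpoint:
            continue
        host, port = endpoint
        if m["method"] != "CONNECT" and host in own_hosts and port in (None, 80, 443):
            continue                         # absolute URI that names this site itself
        findings.append({"client": m["client"], "method": m["method"],
                         "host": host, "port": port, "smtp": port == 25,
                         "answered_2xx": m["status"].startswith("2")})
    return findings

# Constructed sample lines modelled on the two in the post.
SAMPLE = [
    '192.0.2.10 - - [12/Nov/2005:03:14:15 -0500] "CONNECT mx2.example.net:25 HTTP/1.0" 200 25682 "-" "-"',
    '192.0.2.10 - - [12/Nov/2005:03:14:16 -0500] "POST http://192.0.2.10:25/ HTTP/1.1" 200 25691 "-" "-"',
    '198.51.100.7 - - [12/Nov/2005:03:15:02 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Nov/2005:03:16:00 -0500] "CONNECT mx1.example.org:25 HTTP/1.0" 403 210 "-" "-"',
]
```

Running `find_proxy_probes` again after a blocking rule is in place should show `answered_2xx` as false for every flagged request, while the ordinary form POST stays unflagged.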
I added the following to my .htaccess file:
<LimitExcept POST GET>
Require valid-user
</LimitExcept>
This, if I'm not mistaken, should limit anonymous users to POST and GET - which is fine for me...
I tried using the same code in httpd.conf but the server would not start where I had it...
Thanks again...
Dan