[svlug] new type of spam?

William R Ward bill at wards.net
Tue Mar 11 15:57:32 PST 2003

Florin Andrei writes:
>Hey, is this a new type of spam, or what?
> - - [02/Mar/2003:08:36:11 -0800] "GET / HTTP/1.0" 200 928
>"http://www.sex-teen-pic.com/" "Mozilla/4.0 (compatible; MSIE 5.01;
>Windows 98)"
>cab-200-42-56-115.prima.net.ar - - [02/Mar/2003:08:36:13 -0800] "GET /
>HTTP/1.1" 200 928 "http://www.sex-teen-pic.com/" "Mozilla/4.0
>(compatible; MSIE 5.01; Windows 98)"
>This is a fragment of the Apache log files for a website i take care of. I'm
>100% sure this website was never referred by those URLs :-))) it does not
>have that kind of content. ;-)
>The thing is, the hits are from different addresses, yet they came
>almost at the same time. The User-Agent is also the same.
>My question is: what are they trying to achieve? Beyond making me look
>puzzled while i was browsing the webalizer page, i don't see much benefit
>they can get out of this.

You are being probed for an open HTTP proxy.  I'm guessing you have
"Forbidden" requests forwarded to some static page that is 928 bytes
long.  That would explain the status code of 200 and the fact that
every one of those entries shows 928 as the number of bytes

Verify that your server isn't acting as an open HTTP proxy, and then
you can safely ignore those types of log entries.  If you want you
could block the IP addresses at your firewall, but that seems like
overkill unless you're getting DoS'd.

And by the way you should turn off reverse IP lookup in Apache.  It's
silly to do a DNS lookup for every log entry the server tries to
make.  Your log analysis tools should do the DNS-looking-up.


William R Ward            bill at wards.net          http://www.wards.net/~bill/
"A foolish consistency is the hobgoblin of little minds, adored by
 little statesmen and philosophers and divines."        - Emerson

More information about the svlug mailing list