Clarified Spam
RFC 2616 clarifies what was happening with the attack on my server. The RFC defines HTTP 1.1. Section 9 defines the various methods in HTTP, such as GET or POST and even the relatively obscure PUT. I didn’t realize that there was a CONNECT method, but section 9.9 of the RFC contains this single paragraph:
This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling [44]).
So what happened was that the scum at 216.144.230.51 through 216.144.230.56 had for some reason decided that my server was an open proxy, which is one of the more recent approaches to server hijacking that spammers have taken, and were trying to spam through it. Hence the attempts to access my server using the CONNECT method. I’d never really thought about how spammers would use open proxy servers to send spam, but now I know. I wish these bastards would get thrown in jail for theft, because that’s what it amounts to.
I suppose I can take some solace in the fact that none of their attempts through my server were successful, according to my hosting service. So while the scum-sucking leeches thought they were spamming, they were getting a 403 Forbidden message every ten seconds instead. It still pisses me off, though. And I’m still not pleased that I never heard back from eWAN about my complaint about what one of their clients is doing.
Posted at 10:38 PM
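An added example, not part of the original post: one way to check from an access log that every CONNECT attempt was refused, as the hosting service reported. The log lines are constructed (Apache Common Log Format is assumed, with documentation IP addresses and placeholder hostnames), and one of them gets a 2xx answer on purpose to show what a relayed tunnel would look like.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache Common Log Format (not from the original post).
# 192.0.2.x / 198.51.100.x are documentation addresses; the mail hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Nov/2002:22:00:00 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 403 289
192.0.2.10 - - [11/Nov/2002:22:00:10 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 403 289
192.0.2.11 - - [11/Nov/2002:22:00:20 -0500] "CONNECT mx.example.org:25 HTTP/1.0" 403 289
198.51.100.7 - - [11/Nov/2002:22:00:25 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.12 - - [11/Nov/2002:22:00:30 -0500] "CONNECT mx.example.org:25 HTTP/1.0" 200 0
this line is malformed and should be skipped
"""

# client, identd, user, [timestamp], "METHOD target protocol", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize_connect(log_text):
    """Return {client_ip: {"refused": n, "tunnelled": n, "targets": set}} for CONNECT requests."""
    summary = defaultdict(lambda: {"refused": 0, "tunnelled": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # skip malformed lines and ordinary GET/POST traffic
        entry = summary[m.group("ip")]
        entry["targets"].add(m.group("target"))
        # A 2xx answer to CONNECT means the server agreed to open the tunnel.
        if m.group("status").startswith("2"):
            entry["tunnelled"] += 1
        else:
            entry["refused"] += 1
    return dict(summary)

def open_proxy_clients(summary):
    """Clients that got at least one 2xx to CONNECT: evidence the server relayed for them."""
    return sorted(ip for ip, e in summary.items() if e["tunnelled"])

if __name__ == "__main__":
    result = summarize_connect(SAMPLE_LOG)
    for ip, e in sorted(result.items()):
        print(ip, "refused:", e["refused"], "tunnelled:", e["tunnelled"], sorted(e["targets"]))
    print("needs investigation:", open_proxy_clients(result))
```

An empty list from open_proxy_clients() matches the situation the post describes, where every attempt was answered with 403 Forbidden.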
They’re attacking my site too. I also ran traceroute and found that their IP addresses are owned by an ISP called Cogent Communications. After calling them, I sent my access log to abuse@cogentco.com. I immediately received a reply indicating that they would look into it. I tried adding a directive to my access.conf file to deny access from all but that didn’t work. Could you post the directives in your .httpaccess file that caused smaller messages to be sent back to the requestor?
Posted by Jeff Holt at 11:35 AM, November 12, 2002 [Link]