As God as my witness, I thought turkeys could fly

Saturday, November 9, 2002

Clarified Spam

RFC 2616 clarifies what was happening with the attack on my server. The RFC defines HTTP 1.1. Section 9 defines the various methods in HTTP, such as GET or POST and even the relatively obscure PUT. I didn’t realize that there was a CONNECT method, but section 9.9 of the RFC contains this single paragraph:

This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling [44]).

So what happened was that the scum at 216.144.230.51 through 216.144.230.56 had for some reason decided that my server was an open proxy, which is one of the more recent approaches to server hijacking that spammers have taken, and were trying to spam through it. Hence the attempts to access my server using the CONNECT method. I’d never really thought about how spammers would use open proxy servers to send spam, but now I know. I wish these bastards would get thrown in jail for theft, because what they do amounts to theft.

I suppose I can take some solace in the fact that none of their attempts through my server were successful, according to my hosting service. So while the scum-sucking leeches thought they were spamming, they were getting a 403 Forbidden message every ten seconds instead. It still pisses me off, though. And I’m still not pleased that I never heard back from eWAN about my complaint about what one of their clients is doing.

Posted at 10:38 PM
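As an added example (not code from the original post), here is a small Python script that parses Apache access-log lines and reports CONNECT requests per client IP, separating refused attempts (403, as described above) from any that got a 2xx response, which would mean the server actually acted as a tunnel. The log lines, hostnames and timestamps are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: client, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not the original post's logs); the
# 216.144.230.x addresses are the ones the post names, everything else is made up.
SAMPLE_LOG = """\
216.144.230.51 - - [09/Nov/2002:22:10:01 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 403 294
216.144.230.52 - - [09/Nov/2002:22:10:11 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 403 294
192.0.2.7 - - [09/Nov/2002:22:10:15 -0500] "GET /index.html HTTP/1.1" 200 5120
216.144.230.51 - - [09/Nov/2002:22:10:21 -0500] "CONNECT mx.example.org:25 HTTP/1.0" 403 294
216.144.230.53 - - [09/Nov/2002:22:10:31 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 200 0
this line is garbage and should be skipped
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def connect_report(log_text):
    """Per-client summary of CONNECT requests: how many were sent, how many got a
    2xx (i.e. the server tunnelled them), and which targets were requested."""
    report = defaultdict(lambda: {"connect": 0, "succeeded": 0, "targets": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        entry = report[rec["ip"]]
        entry["connect"] += 1
        entry["targets"][rec["target"]] += 1
        if rec["status"].startswith("2"):
            entry["succeeded"] += 1
    return dict(report)

def flagged_clients(log_text, threshold=2):
    """Clients worth blocking: at least `threshold` CONNECT attempts, or any
    CONNECT that was accepted (the latter means the server is acting as a proxy)."""
    return sorted(ip for ip, e in connect_report(log_text).items()
                  if e["connect"] >= threshold or e["succeeded"] > 0)

if __name__ == "__main__":
    for ip, e in connect_report(SAMPLE_LOG).items():
        print(ip, "connect=%d succeeded=%d" % (e["connect"], e["succeeded"]), dict(e["targets"]))
    print("flag:", flagged_clients(SAMPLE_LOG))
```

Any client with `succeeded > 0` is the real emergency: the 403s show the proxy attempts being refused, but a 2xx to CONNECT means the server is relaying for the spammer.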

Comments

They’re attacking my site too. I also ran traceroute and found that their IP addresses are owned by an ISP called Cogent Communications. After calling them, I sent my access log to abuse@cogentco.com. I immediately received a reply indicating that they would look into it. I tried adding a directive to my access.conf file to deny access from all but that didn’t work. Could you post the directives in your .htaccess file that caused smaller messages to be sent back to the requestor?

Posted by Jeff Holt at 11:35 AM, November 12, 2002 [Link]

In my .htaccess file, I have the following line:

Deny From 216.144.230.51 216.144.230.52 216.144.230.53 216.144.230.54 216.144.230.55 216.144.230.56

(That’s all as one line). After I placed this line in the file, all accesses from these IP addresses started showing up in my logs as 403 instead of 200, so I know it works.

Posted by ralph at 12:05 PM, November 12, 2002 [Link]

The same IPs have been hitting my little webserver up here in Canada for the past two weeks -- 40,000 CONNECT requests yesterday alone. I followed your advice and sent email to abuse@cogentco.com.

Posted by Peter Rukavina at 11:36 AM, November 13, 2002 [Link]

Another option:

/sbin/route add -host 216.144.230.51 reject
/sbin/route add -host 216.144.230.52 reject
/sbin/route add -host 216.144.230.53 reject
/sbin/route add -host 216.144.230.54 reject
/sbin/route add -host 216.144.230.55 reject
/sbin/route add -host 216.144.230.56 reject

This will drop all network traffic from these IPs before it even hits your server.

Posted by Peter Rukavina at 11:42 AM, November 13, 2002 [Link]

Thanks, Peter. I just want to note that your solution will only work if you administer your own server, since it needs to be done by a superuser.

Posted by ralph at 2:25 PM, November 13, 2002 [Link]

This site is copyright © 2002-2024, Ralph Brandi.