Posted to dev@httpd.apache.org by David Reid <da...@jetnet.co.uk> on 2003/07/05 20:41:11 UTC

Fw: Spam postings via Apache to postfix on the same host

Fun.

----- Original Message ----- 
From: "Info iNetD" <In...@iNetD.nl>
To: <po...@postfix.org>
Sent: Saturday, July 05, 2003 7:34 PM
Subject: Spam postings via Apache to postfix on the same host


> 
> Hello,
> 
> I have found out on two different machines that somebody is posting spam
> to postfix via a certain string to the apache webserver.
> 
> All entries in the apache logs look like:
> 
> 203.98.177.86 - - [24/Jun/2003:12:33:27 +0200] "POST
> http://xx.xx.xx.xx:25/  HTTP/1.1" 200 208
> 
> (line can be wrapped)
> 
> where xx.xx.xx.xx is the local machine's IP. All spam is sent and
> delivered (until I stopped the webserver of course).
> 
> The machine's ip is not in the "mynetworks" list, localhost is however.
> My postfix version is: 2.0.10-20030521
> 
> It could also be a configuration problem of Apache of course, I am not
> sure where to look.
> 
> Any ideas are welcome.
> 
> Thanks in advance.
> 
> Arnold.
> 
> 
> -- 
> Info iNetD <In...@iNetD.nl>
> 
> 


RE: Fw: Spam postings via Apache to postfix on the same host

Posted by Jeroen Massar <je...@unfix.org>.
André Malo [mailto:nd@perlig.de] wrote:

> * Joshua Slive wrote:
> 
> [spam via proxy]
> > One possible thing we could do is simply remove the sample proxy config
> > from our default httpd.conf.  These samples make it too easy for people to
> > activate a proxy without securing it properly.
> 
> +1! Since proxying is not the primary purpose of the httpd I won't miss it
> in the default config (commented or not).

Possibly a 'go look in the docs' type question. But for instance:

From the docs:
8<-----------------
NoProxy Directive
This directive is only useful for Apache proxy servers within intranets. The
NoProxy directive specifies a list of subnets, IP addresses, hosts and/or
domains, separated by spaces. A request to a host which matches one or more
of these is always served directly, without forwarding to the configured
ProxyRemote proxy server(s).
----------------->8

In that the sentence:
"A request to a host which matches one or more of these is always served
directly"

NoProxy 2001:db8::/32
www.example.com AAAA 2001:db8::1

Is a bit dubious, at least for me. It could mean two things:
 - GET http://www.example.com/ HTTP/1.1
   Would be served 'directly' (from cache, from how?)
 - A client from 2001:db8::/32 sending "GET http://www.example.com/ HTTP/1.1"
   will be served 'directly'.

It could be my English understanding of course, but if somebody
would like to enlighten me ;)

Then there is also:

<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy> 

But that is for _clients_.

We could have something similar with destinations.
Which could also be useful for spam-ad blocking etc:

<Proxy *>
Order Allow,Deny
Allow to all
Deny to example.com
Deny to 2001:db8::/32
Deny to ::1
Deny to 127.0.0.1
Deny to port 25
</Proxy>

Having that would be perfect of course.

Next in the document is the AllowCONNECT Directive.
Maybe at least an AllowProxyPort would be helpful, somewhat
like the above?

Greets,
 Jeroen


Re: Fw: Spam postings via Apache to postfix on the same host

Posted by André Malo <nd...@perlig.de>.
* Joshua Slive wrote:

[spam via proxy]
> One possible thing we could do is simply remove the sample proxy config
> from our default httpd.conf.  These samples make it too easy for people to
> activate a proxy without securing it properly.

+1! Since proxying is not the primary purpose of the httpd I won't miss it
in the default config (commented or not).

nd

RE: Fw: Spam postings via Apache to postfix on the same host

Posted by Sander Striker <st...@apache.org>.
> From: Cliff Woolley [mailto:jwoolley@virginia.edu]
> Sent: Sunday, July 06, 2003 4:40 AM

> On Sat, 5 Jul 2003, Joshua Slive wrote:
> 
> > One possible thing we could do is simply remove the sample proxy config
> > from our default httpd.conf.  These samples make it too easy for people to
> > activate a proxy without securing it properly.
> 
> +1

+1.

And if this commit is in by monday I'll roll it into 2.0.47.


Sander

Re: Fw: Spam postings via Apache to postfix on the same host

Posted by Cliff Woolley <jw...@virginia.edu>.
On Sat, 5 Jul 2003, Joshua Slive wrote:

> One possible thing we could do is simply remove the sample proxy config
> from our default httpd.conf.  These samples make it too easy for people to
> activate a proxy without securing it properly.

+1

--Cliff

Re: Fw: Spam postings via Apache to postfix on the same host

Posted by David Reid <da...@jetnet.co.uk>.
I figured as much, that's why I cross-posted here from the postfix list :)

I'm +1 on removing the default proxy stuff as well. If not then we should
change it to be secure by default if that's possible.

Hopefully the person concerned found all the interest helpful?

david

----- Original Message -----
From: "Joshua Slive" <jo...@slive.ca>
To: <de...@httpd.apache.org>
Sent: Saturday, July 05, 2003 7:44 PM
Subject: Re: Fw: Spam postings via Apache to postfix on the same host


>
> On Sat, 5 Jul 2003, David Reid wrote:
> > > 203.98.177.86 - - [24/Jun/2003:12:33:27 +0200] "POST
> > > http://xx.xx.xx.xx:25/  HTTP/1.1" 200 208
>
> Yes, it's an apache configuration problem.  They set "ProxyRequests On"
> without properly securing their proxy server.  This means they can be
> abused for tons of purposes, one of which is spam.
>
> One possible thing we could do is simply remove the sample proxy config
> from our default httpd.conf.  These samples make it too easy for people to
> activate a proxy without securing it properly.
>
> Joshua.
>


Re: Fw: Spam postings via Apache to postfix on the same host

Posted by Joshua Slive <jo...@slive.ca>.
On Sat, 5 Jul 2003, David Reid wrote:
> > 203.98.177.86 - - [24/Jun/2003:12:33:27 +0200] "POST
> > http://xx.xx.xx.xx:25/  HTTP/1.1" 200 208

Yes, it's an apache configuration problem.  They set "ProxyRequests On"
without properly securing their proxy server.  This means they can be
abused for tons of purposes, one of which is spam.

One possible thing we could do is simply remove the sample proxy config
from our default httpd.conf.  These samples make it too easy for people to
activate a proxy without securing it properly.

Joshua.
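
Added example (not part of the thread and not httpd code): a check over access-log lines for the request shape Arnold posted, i.e. a request line whose target is an absolute URI or a CONNECT authority rather than a local path. The sample lines use documentation addresses and are constructed; WEB_PORTS and the verdict names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
WEB_PORTS = {80, 443}  # assumption: the only ports a web proxy should reach
DEFAULT_PORT = {"http": 80, "https": 443}

def classify(line):
    """Return a finding for a forward-proxy style request, or None."""
    m = CLF.match(line)
    if not m:
        return None
    client, request, status = m.group(1), m.group(2).split(), int(m.group(3))
    if len(request) < 2:
        return None
    method, target = request[0].upper(), request[1]
    try:
        if method == "CONNECT":            # authority-form: host:port
            host, _, port = target.rpartition(":")
            port = int(port)
        elif "://" in target:              # absolute-form: scheme://host[:port]/
            url = urlsplit(target)
            host = url.hostname
            port = url.port or DEFAULT_PORT.get(url.scheme.lower(), 0)
        else:
            return None                    # origin-form: ordinary web request
    except ValueError:                     # unparsable target: still worth a look
        host, port = target, 0
    if 200 <= status < 300:
        verdict = "accepted-odd-port" if port not in WEB_PORTS else "accepted"
    else:
        verdict = "refused"
    return {"client": client, "method": method, "host": host,
            "port": port, "status": status, "verdict": verdict}

def find_proxy_requests(lines):
    return [f for f in map(classify, lines) if f is not None]

SAMPLE_LOG = [  # constructed lines, modelled on the entry quoted in the thread
    '198.51.100.7 - - [24/Jun/2003:12:33:27 +0200] "POST http://192.0.2.10:25/  HTTP/1.1" 200 208',
    '198.51.100.7 - - [24/Jun/2003:12:33:30 +0200] "CONNECT 192.0.2.10:25 HTTP/1.0" 403 291',
    '203.0.113.5 - - [24/Jun/2003:12:34:01 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [24/Jun/2003:12:34:09 +0200] "GET http://www.example.com/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in find_proxy_requests(SAMPLE_LOG):
        print(finding)
```

A 2xx on such a line is a reason to check ProxyRequests and the <Proxy> access rules, not proof of relaying on its own: httpd with proxying off can answer an absolute-URI request from local content.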