14-Dec-2006

Abuse attempts on webserver

At least, that’s my suspicion.

I looked into the webserver access log tonight and found that since 02-Dec-2006 there have been attempts to connect to a mail port via the webserver:

72.29.84.95 - - [03/Dec/2006:03:24:45 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
72.29.84.95 - - [03/Dec/2006:03:24:46 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
72.29.84.95 - - [03/Dec/2006:03:24:46 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:03:29:40 +0100] "- -" 0 0
66.185.126.163 - - [03/Dec/2006:03:34:56 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:03:35:28 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:03:45:56 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:03:48:36 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:03:59:51 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:04:01:45 +0100] "- -" 0 0
66.185.126.163 - - [03/Dec/2006:04:04:57 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:04:14:50 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:04:16:04 +0100] "- -" 0 0

Of course this fails.

It started mostly with CONNECT requests to Google’s and Microsoft’s mail servers, and apparently to the abuser’s own servers (at least, I would think so given the addresses), from a number of sources. But over time, only those mentioned above are still trying.

These addresses should be excluded COMPLETELY from the network.
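A check like the one done by hand above can be scripted. The following is an added example, not part of the original post: it scans access-log lines for CONNECT requests aimed at mail ports and counts, per source address, how many were attempted and how many got a 2xx answer (which would mean the server really tunnelled the connection). The function name, the extra ports 465/587 and the last two sample lines are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Sample input: four lines as shown in the post, then two constructed lines
# (documentation addresses) for a normal request and a tunnelled CONNECT.
SAMPLE_LOG = """\
72.29.84.95 - - [03/Dec/2006:03:24:45 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
72.29.84.95 - - [03/Dec/2006:03:24:46 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:03:29:40 +0100] "- -" 0 0
66.185.126.163 - - [03/Dec/2006:03:34:56 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
192.0.2.20 - - [03/Dec/2006:04:20:00 +0100] "GET /index.html HTTP/1.0" 200 5120
192.0.2.10 - - [03/Dec/2006:05:00:00 +0100] "CONNECT 198.51.100.7:25 HTTP/1.0" 200 0
"""

# Common log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d+|-) (?P<size>\d+|-)$'
)
CONNECT_RE = re.compile(r'^CONNECT (?P<host>[^:\s]+):(?P<port>\d{1,5}) HTTP/\d\.\d$')

# Port 25 is the one seen in the post; 465 and 587 are added as an assumption.
MAIL_PORTS = {25, 465, 587}


def connect_attempts(log_text, ports=MAIL_PORTS):
    """Return {source: {"count", "targets", "tunnelled"}} for CONNECTs to mail ports."""
    report = defaultdict(lambda: {"count": 0, "targets": Counter(), "tunnelled": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a common-log-format line
        c = CONNECT_RE.match(m["req"])
        if not c or int(c["port"]) not in ports:
            continue  # ordinary request, empty request, or CONNECT to another port
        entry = report[m["src"]]
        entry["count"] += 1
        entry["targets"][f'{c["host"]}:{c["port"]}'] += 1
        if m["status"].startswith("2"):
            entry["tunnelled"] += 1  # the server acted as an open proxy
    return dict(report)


if __name__ == "__main__":
    for src, info in sorted(connect_attempts(SAMPLE_LOG).items()):
        state = "TUNNELLED" if info["tunnelled"] else "refused"
        print(src, info["count"], dict(info["targets"]), state)
```

Any source with a non-zero "tunnelled" count means the proxy configuration needs fixing first; refused attempts (403, as in the log above) are candidates for blocking.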