  1. #1
    Just Joined!
    Join Date
    Oct 2010
    Posts
    3

    IP sending Spam via Squid Server

    Hello there,

    I just saw that my network has slowed down, so I watched /var/log/squid/access.log, where I get this line continuously:
    Code:
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 96.44.132.162 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.200.138 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.213.242 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.213.242 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 98.143.145.250 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.213.242 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 67.215.247.210 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.210 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 67.215.247.210 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.214.170 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.214.194 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.200.138 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 209.188.6.186 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 151 CONNECT 67.195.168.31:25 - DIRECT/67.195.168.31 -
    1287207802.792  13373 204.152.200.138 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.132.162 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 96.44.132.162 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 67.215.247.242 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 98.143.145.250 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 98.143.145.250 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 174.138.164.202 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
    1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
    I thought that someone was running a script, so I disconnected all my LAN connections (simply removed the local LAN cable), but I saw that the connections kept going. So I watched the processes on the proxy server, but there was nothing suspicious. So I changed my static IP and the spamming stopped (I say it is spam because the IP 203.188.197.10 belongs to yahoomail.com), but when I put my old IP back, the connections start again. I want to put back my old static IP because I have configured it for many services. Is there any spyware on my machine, or has someone configured my IP?

  2. #2
    Just Joined!
    Join Date
    Oct 2010
    Posts
    3
    I blocked port 25 in squid.conf. Now it's denied, but how do I stop this continuous flooding?

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    You could block at the firewall. Looks like you are being attacked by a bot net. I think it would be best to install something like fail2ban and let it block the bot net for you. You are not going to be able to control things on the outside of your network.

    Regards
    Robert


  4. #4
    Just Joined!
    Join Date
    Oct 2010
    Posts
    3

    Thanks

    Thanks for the suggestion. I already blocked the SMTP port and IP, and I just installed fail2ban as you suggested. I hope it will not happen again.
    But one thing I don't understand: what was that? A kind of bot, spyware, or a kind of hacking?
    Originally posted by Lazydog:
    You could block at the firewall. Looks like you are being attacked by a bot net. I think it would be best to install something like fail2ban and let it block the bot net for you. You are not going to be able to control things on the outside of your network.
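
Added example, not code from any poster in this thread: the log excerpt in the first post shows outside addresses opening CONNECT tunnels to port 25 through the proxy, and once an `http_access` rule refuses them Squid logs `TCP_DENIED/403` instead of `TCP_MISS/200`. The script below separates the two cases per client, which yields the addresses to block at the firewall. `LOCAL_NETS`, `ALLOWED_PORTS` and the last three sample lines are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumptions for this example: legitimate proxy clients sit in LOCAL_NETS and
# CONNECT is only expected to ALLOWED_PORTS. Adjust both to the real network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_PORTS = {443}

# Lines 1-3 use the format and addresses quoted in the thread; lines 4-6 are
# constructed: a denied request, a normal LAN HTTPS tunnel, a malformed line.
SAMPLE_LOG = """\
1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
1287207802.792  13373 204.152.215.202 TCP_MISS/200 135 CONNECT 203.188.197.10:25 - DIRECT/203.188.197.10 -
1287207802.792  13373 96.44.177.26 TCP_MISS/200 135 CONNECT 203.188.197.9:25 - DIRECT/203.188.197.9 -
1287208100.101      0 96.44.177.26 TCP_DENIED/403 1421 CONNECT 203.188.197.10:25 - NONE/- text/html
1287208101.500   2210 192.168.1.20 TCP_MISS/200 4312 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -
truncated line
"""

def parse_line(line):
    """Split one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    try:
        client = ipaddress.ip_address(f[2])
    except ValueError:
        return None
    return {"client": client, "result": f[3].split("/")[0], "method": f[5], "target": f[6]}

def find_tunnel_abuse(lines):
    """Count CONNECTs to unexpected ports from clients outside LOCAL_NETS.

    Returns (relayed, denied): Counters of requests per client IP."""
    relayed, denied = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = rec["target"].rpartition(":")[2]
        if not port.isdigit() or int(port) in ALLOWED_PORTS:
            continue
        if any(rec["client"] in net for net in LOCAL_NETS):
            continue  # LAN hosts are out of scope here; review them separately
        bucket = denied if rec["result"].endswith("DENIED") else relayed
        bucket[str(rec["client"])] += 1
    return relayed, denied

if __name__ == "__main__":
    relayed, denied = find_tunnel_abuse(SAMPLE_LOG.splitlines())
    print("tunnels opened:", dict(relayed))
    print("requests denied:", dict(denied))
```

Any client that still appears in the first counter after the proxy rules change is a tunnel the proxy is still relaying; clients that appear only in the second are being refused and are the ones a firewall or fail2ban ban would silence.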
