Hi,

That looks like spamming; instead of using email, they are requesting the URLs that they want to spam on your web server. Most people would see them in the access log or in summary stats created using things like webalizer.

If you can configure Apache to display a certain page for proxy accesses (e.g. access denied etc.) then configure that page to be something like /denyip.pl (or whatever your favourite programming language may be). You will need to basically grab the IP address and drop it into your firewall. I do this for Code Red worm attempts.

On Mon, 3 Feb 2003, Peter Vogel wrote:

> Thank you to those who provided useful suggestions for firewall
> configuration tools. I seem to have that sorted now.
>
> However I find that I receive about 20mb/day of traffic that I can't
> account for.
>
> I do get "Possible syn flood" messages a few times a day. Could that add
> up to megabytes?
>
> I also have unsuccessful access attempts to apache every few seconds.
>
> Here is a typical couple of minutes from my log:
>
> 217.84.6.34 - - [03/Feb/2003:08:20:38 +1100] "GET http://www.freemobiletunes.com/cgi-bin/arp/rankem.cgi?action=in&id=chartz HTTP/1.0" 404 1341 "http://www.8ung.at/smartlogo/ringtones.htm" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
> 24.29.148.128 - - [03/Feb/2003:08:20:52 +1100] "GET http://www.adpowerzone.com/scripts/diatok.js HTTP/1.0" 404 1225 "http://www.geocities.com/bassw20/index.html" "Mozilla/4.0 (compatible; MSIE 5.02; Windows 98)"
> 217.227.90.195 - - [03/Feb/2003:08:21:06 +1100] "GET http://www.gsmsitez.net/cgi-bin/topsites/topsites.cgi?larsi HTTP/1.1" 404 1286 "http://www.logotown.de" "Mozilla/4.5 [fr] (Win95; I)"
> 217.227.90.195 - - [03/Feb/2003:08:21:33 +1100] "GET http://utop.net/cgi-bin/utop.cgi?ID=/150 HTTP/1.1" 404 1172 "http://www.logotown.de" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 62.195.81.215 - - [03/Feb/2003:08:22:55 +1100] "GET http://www.leadhound.com/show2.php?id=9236&bid=23967 HTTP/1.1" 404 1181 "http://www.mp3rock.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 62.195.81.215 - - [03/Feb/2003:08:24:30 +1100] "GET http://banners.webmasterplan.com/view.asp?site=2358&ref=146341&b=2 HTTP/1.1" 404 1201 "http://www.die-80er-jahre.de" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
> 62.195.81.215 - - [03/Feb/2003:08:24:50 +1100] "GET http://www.leadhound.com/show2.php?id=9449&bid=24968 HTTP/1.1" 404 1183 "http://www.rapworld.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 62.195.81.215 - - [03/Feb/2003:08:26:12 +1100] "GET http://www.leadhound.com/show2.php?id=9236&bid=23966 HTTP/1.0" 404 1181 "http://www.mp3rock.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 62.131.12.251 - - [03/Feb/2003:08:26:50 +1100] "GET http://www.1-click-clipart.com/bin/rankem.cgi?action=in&id=1cool HTTP/1.1" 404 1213 "http://www.top20cool.com/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> 62.195.81.215 - - [03/Feb/2003:08:27:16 +1100] "GET http://banners.webmasterplan.com/view.asp?site=2306&ref=145686&b=3 HTTP/1.0" 404 1193 "http://www.myownmusic.de" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
>
> Any ideas what the cause of this is and can I stop it??
>
> Thanks
>
> Peter
>

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
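An added example, not part of the original thread: a log scanner that picks out the proxy-style requests discussed above (a full URL naming a foreign host where an origin server expects a path), counts them per client as firewall block candidates, and totals the bytes served in reply. The function names, the `LOCAL_HOSTS` value and the `min_hits` threshold are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

LOCAL_HOSTS = {"www.example.org"}  # assumption: names this server really serves

def proxy_attempt(line, local_hosts=LOCAL_HOSTS):
    """Return (ip, foreign_host, bytes_sent) for a proxy-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    try:
        parts = urlsplit(m["target"])
    except ValueError:
        return None  # malformed target (e.g. broken IPv6 literal)
    # An origin server is normally asked for a path; scheme://host/... is the proxy form.
    if parts.scheme not in ("http", "https", "ftp") or not parts.hostname:
        return None
    if parts.hostname in local_hosts:
        return None  # an absolute URL naming ourselves is valid HTTP/1.1
    return m["ip"], parts.hostname, 0 if m["size"] == "-" else int(m["size"])

def summarize(lines, min_hits=2):
    """Return (ips with >= min_hits proxy attempts, attempts per ip, bytes served)."""
    hits, total = Counter(), 0
    for line in lines:
        found = proxy_attempt(line)
        if found:
            hits[found[0]] += 1
            total += found[2]
    return sorted(ip for ip, n in hits.items() if n >= min_hits), hits, total

# First four lines come from the quoted log (referer/agent dropped); last two are constructed.
SAMPLE = [
    '217.84.6.34 - - [03/Feb/2003:08:20:38 +1100] "GET http://www.freemobiletunes.com/cgi-bin/arp/rankem.cgi?action=in&id=chartz HTTP/1.0" 404 1341',
    '217.227.90.195 - - [03/Feb/2003:08:21:06 +1100] "GET http://www.gsmsitez.net/cgi-bin/topsites/topsites.cgi?larsi HTTP/1.1" 404 1286',
    '217.227.90.195 - - [03/Feb/2003:08:21:33 +1100] "GET http://utop.net/cgi-bin/utop.cgi?ID=/150 HTTP/1.1" 404 1172',
    '62.195.81.215 - - [03/Feb/2003:08:22:55 +1100] "GET http://www.leadhound.com/show2.php?id=9236&bid=23967 HTTP/1.1" 404 1181',
    '192.0.2.10 - - [03/Feb/2003:08:25:00 +1100] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Feb/2003:08:25:02 +1100] "GET http://www.example.org/about.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("block candidates, hits, bytes:", summarize(SAMPLE))
```

Run over a full day's access log, the byte total shows how much of the unexplained traffic these requests account for, and the candidate list is what would be handed to the firewall.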
