Intentional proxies
I’m logging the xmix trackback spammer. And now annelisabeth is down - the whole server. Just wonder…
Anyway, while logging, I came across some VIA headers. And it turns out, some of those proxies are INTENTIONAL proxies. Here are some VIA headers, and some other headers of interest.
I’m a bit shocked, I have to say. If you intend to run a proxy, at least SECURE IT!
Examples:
218.188.23.162
HTTP_VIA=1.0 PROXY-SERVER
200.21.45.4
HTTP_FORWARDED=by http://mangostino.ut.edu.co:8080 (iPlanet-Web-Proxy-Server/3.6)
203.116.214.2
HTTP_VIA=1.0 SQCNT3
203.150.33.92
HTTP_VIA=1.0 B
209.88.12.61
HTTP_VIA=e500.indumil.gov.co
211.98.24.6
HTTP_VIA=1.0 TIETONG
219.93.211.74
HTTP_VIA=1.0 gw.firewall.dhs:8080 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR=192.168.1.1
62.0.13.2
HTTP_VIA=webshield.beitberl.ac.il
202.56.231.117
HTTP_ACCEPT=*/*
HTTP_ACCEPT_CHARSET=*
HTTP_ACCEPT_ENCODING=deflate, gzip
HTTP_COOKIE=$Version=0;Bearer-Type=w-TCP;wtls-security-level=none
HTTP_HOST=www.annelisabeth.com
HTTP_TE=deflate, gzip
HTTP_WAP_CONNECTION=Stack-Type=HTTP
80.58.3.172
HTTP_VIA=HTTP/1.0 proxy[AC1E0B47] (Traffic-Server/5.5.1-59360 [uSc ])
HTTP_X_FORWARDED_FOR=213.97.196.205
Footnote: This one might actually be a secure proxy server. Both proxy and forwarded for are from the same ISP.
And that last one might be the real address of the spammer:
213.97.196.205
205.Red-213-97-196.pooles.rima-tde.net
Looks like it’s got some kind of minimal webserver on it. Probably the script he’s got running that requires that.
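An added example, not part of the original post: one way to sort a header dump like the one above into requests that carry proxy headers and requests that do not, and to pull out the forwarded-for address only when it is a public one. The function names and the dump layout (a bare IP line followed by NAME=value lines) are assumptions made for this sketch.

```python
import ipaddress

# Excerpt of the header dumps listed in the post (IP line, then NAME=value lines).
SAMPLE = """\
219.93.211.74
HTTP_VIA=1.0 gw.firewall.dhs:8080 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR=192.168.1.1
80.58.3.172
HTTP_VIA=HTTP/1.0 proxy[AC1E0B47] (Traffic-Server/5.5.1-59360 [uSc ])
HTTP_X_FORWARDED_FOR=213.97.196.205
202.56.231.117
HTTP_ACCEPT=*/*
HTTP_WAP_CONNECTION=Stack-Type=HTTP
"""
PROXY_HEADERS = ("HTTP_VIA", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR")

def parse_dump(text):
    """Group NAME=value lines under the bare IP line that precedes them."""
    records, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        try:
            current = str(ipaddress.ip_address(line))
            records.setdefault(current, {})
        except ValueError:
            if current and "=" in line:
                name, value = line.split("=", 1)
                records[current][name] = value
    return records

def classify(headers):
    """Return (is_proxy, claimed_client). The claimed client is a hint only:
    X-Forwarded-For is written by the proxy or the sender and can be forged."""
    is_proxy = any(name in headers for name in PROXY_HEADERS)
    first = headers.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
    try:
        addr = ipaddress.ip_address(first)
    except ValueError:
        return is_proxy, None
    # Private/reserved addresses (e.g. 192.168.1.1) say nothing about the origin.
    return is_proxy, str(addr) if addr.is_global else None

def report(text):
    return {ip: classify(h) for ip, h in parse_dump(text).items()}

if __name__ == "__main__":
    for ip, (proxy, client) in report(SAMPLE).items():
        print(ip, "proxy headers" if proxy else "no proxy headers", client or "-")
```

A request with no Via or forwarded headers, like the WAP gateway entry, can still be relayed traffic; the absence of these headers only means the relay did not announce itself.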