RE: [squid-users] Strange source-IP-addresses in access.log - ADD ITIONAL INFO

From: Boosten, Peter <Peter.Boosten@dont-contact.us>
Date: Thu, 7 Mar 2002 09:40:28 +0100

# Hi all,
#
# We're experiencing a very strange problem with our Squid 2.2Stable4:
#
# Encountered over one day, we've seen about 400 users (out of
# 6000) browsing
# the internet from their normal IP-addresses, but once in a
# while a strange
# IP-address shows up (in stead of their own IP-address). That strange
# IP-address is out of our own IP-range and somewhere on the internet.
#
# The ip-address isn't traceable or routeable from the internal
# network, so it
# isn't a anonymous proxy.
#
# Right after the request from the strange IP-address, the same
# request is
# logged in access.log with the correct IP-address.
#
# Any one seen this kind of behaviour? We're suspecting some
# kind of spyware,
# but maybe it's just a glitch in Squid.
#

I've discovered some additional info:

After examining logfiles from several days, it seems that these entries
somehow are related to the same sites (a lot of them). I can replicate the
problem by surfing there myself.

One theory could be the (default) ability of Internet Explorer 5.5 to use
HTTP/1.1. The default setting is to use this protocol, but not through
proxies. Does this somehow relate to the problem?

Our squid-conf has "forwarded-for" set to off.

Someone any thoughts on this?

Kind regards,

Peter

Disclaimer
1. This e-mail is for the intended recipient only. If you have received it
by mistake please let us know by reply and then delete it from your system;
access, disclosure, copying, distribution or reliance on any of it by anyone
else is prohibited.

2. If you as intended recipient have received this e-mail incorrectly,
please notify the sender (via e-mail) immediately. This e-mail is
confidential and may be legally privileged. DSM does not guarantee that the
information sent and/or received by or with this e-mail is correct and does
not accept any liability for damages related thereto.
Received on Thu Mar 07 2002 - 01:40:43 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:46 MST