
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<HTML><HEAD>


<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">


<META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD>


<BODY style="MARGIN-TOP: 2px; FONT: 10pt Arial; MARGIN-LEFT: 2px">


<DIV>while viewing the logs (/var/log/httpd/access.log) and seeing a lot MS 


hoax e-mails being deleted by MailMonitor I'm wondering is it possible to block 


certain sites from accessing the web server.  Unlike mail servers where one 


can setup blacklist/blackholes/rbl list is there such a service for web 


servers?</DIV>


<DIV>I've noticed the following:</DIV>


<DIV> </DIV>


<DIV>/var/log/httpd/error.log</DIV>


<DIV>[Sat Sep 20 10:01:12 2003] [error] [client 61.139.60.84] File does not 


exist: /var/www/html/tmpad/banner/itrack.asp<BR>[Sat Sep 20 10:01:13 2003] 


[error] [client 61.139.60.84] File does not exist: /var/www/html/a.htm<BR>[Sat 


Sep 20 10:01:22 2003] [error] [client 210.83.18.98] File does not exist: 


/var/www/html/search.php<BR>[Sat Sep 20 10:01:35 2003] [error] [client 


61.139.60.84] File does not exist: /var/www/html/Affiliate/SB/search1.js</DIV>


<DIV> </DIV>


<DIV><BR>[Sat Sep 20 10:03:19 2003] [error] [client 61.139.60.84] File does not 


exist: /var/www/html/tmpad/banner/itrack.asp<BR>[Sat Sep 20 10:03:23 2003] 


[error] [client 220.113.13.11] File does not exist: 


/var/www/html/tmpad/banner/itrack.asp<BR>[Sat Sep 20 10:03:26 2003] [error] 


[client 61.139.60.84] File does not exist: 


/var/www/html/tmpad/banner/itrack.asp<BR>[Sat Sep 20 10:03:28 2003] [error] 


[client 61.139.60.84] File does not exist: 


/var/www/html/tmpad/banner/itrack.asp<BR>[Sat Sep 20 10:03:35 2003] [error] 


[client 203.234.247.253] File does not exist: /var/www/html/default.ida<BR>[Sat 


Sep 20 10:04:02 2003] [error] [client 220.173.238.48] File does not exist: 


/var/www/html/.sbean<BR>[Sat Sep 20 10:04:37 2003] [error] [client 


220.173.238.48] File does not exist: /var/www/html/ad.php<BR></DIV>


<DIV>I know there was a error in http.conf where the ProxyPass was set to ON and 


this caused spamming through the web server to the mail server.  But this 


has been fixed.</DIV>


<DIV> </DIV>


<DIV>/var/log/httpd/access.log</DIV>


<DIV>220.113.13.11 - - [20/Sep/2003:10:08:04 +0800] "GET <A 


href="http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=2870">http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=2870</A> 


HTTP/1.0" 404 217<BR>221.pool0.dsltokyo.att.ne.jp - - [20/Sep/2003:10:08:26 


+0800] "GET / HTTP/1.1" 200 


9515<BR>public2-runc2-5-cust118.manc.broadband.ntl.com - - [20/Sep/2003:10:08:26 


+0800] "GET / HTTP/1.1" 200 9515<BR>61.139.60.84 - - [20/Sep/2003:10:08:37 


+0800] "GET <A 


href="http://www.trlweb.com/a.htm">http://www.trlweb.com/a.htm</A> HTTP/1.0" 404 


199<BR>210.83.18.98 - - [20/Sep/2003:10:09:01 +0800] "POST <A 


href="http://sleuth-hound.com:80/search.php">http://sleuth-hound.com:80/search.php</A> 


HTTP/1.0" 404 204<BR>220.113.13.11 - - [20/Sep/2003:10:09:22 +0800] "GET <A 


href="http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=2821">http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=2821</A> 


HTTP/1.0" 404 217<BR>210.83.18.98 - - [20/Sep/2003:10:09:24 +0800] "POST <A 


href="http://sleuth-hound.com:80/search.php">http://sleuth-hound.com:80/search.php</A> 


HTTP/1.0" 404 204<BR>61.139.60.84 - - [20/Sep/2003:10:09:43 +0800] "GET <A 


href="http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=896">http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=896</A> 


HTTP/1.0" 404 217</DIV>


<DIV> </DIV>


<DIV>The ones I'm questioning is:</DIV>


<DIV>221.pool0.dsltokyo.att.ne.jp - - [20/Sep/2003:10:08:26 +0800] "GET / 


HTTP/1.1" 200 9515<BR>public2-runc2-5-cust118.manc.broadband.ntl.com - - 


[20/Sep/2003:10:08:26 +0800] "GET / HTTP/1.1" 200 9515<BR></DIV>


<DIV>These may or may not be legit entries, is there a way to tell other than 


bringing those site up.</DIV>


<DIV> </DIV>


<DIV>Any ideas what I can do?</DIV>


<DIV> </DIV>


<DIV>Jon</DIV>


<DIV> </DIV>


<DIV>Jon L. Miller, MCNE, CNS<BR>Director/Sr Systems Consultant<BR>MMT Networks 


Pty Ltd<BR><A 


href="http://www.mmtnetworks.com.au">http://www.mmtnetworks.com.au</A></DIV>


<DIV> </DIV>


<DIV>"I don't know the key to success, but the key to failure<BR> is trying 


to please everybody." -Bill Cosby</DIV>


<DIV> </DIV>


<DIV> </DIV></BODY></HTML>