# [HOWTO] Closing Apache to Spammers

## viperlin

If you have ever seen this type of log output:

```
192.168.0.9 - - [26/Feb/2004:21:17:42 +0000] "CONNECT 1.3.3.7:1337" 200 "-" "-" "-"
```

Then this is a relay spammers can use. I have only recently learned of this, and it is not turned off by default.

In the /var/www/localhost/htdocs Directory section of /etc/apache2/commonapacheconf2.conf, add this to only allow GET and POST requests:

```
<Limit GET POST>
    Order allow,deny
    Allow from all
</Limit>
<LimitExcept GET POST>
    Order deny,allow
    Deny from all
</LimitExcept>
```

Restart Apache2 and then CONNECT attempts will be denied with a 403 error.

----------

## juliancoccia

Could you explain this briefly? What does the CONNECT mean and why does that represent a spam abuse threat?

----------

## viperlin

I believe they use its proxy feature to relay spam somehow. I have only done some basic research, but I thought it was important enough to post to prevent this.

Basically, if your server replies with "200" (= OK), it means you can be abused as a CONNECT proxy spammers may use to access an open relay.

----------

## Lews_Therin

Default for this seems to be turned off, my server responds with a 405.

----------

## viperlin

Hmm, mine returned 200 originally. Using an (old?) config file (I don't overwrite with etc-update), so it's an older template, I would expect.

----------

## juliancoccia

Alright. It seems to be a bug with PHP but it does not mean that your server is being compromised. CONNECT is used by mod_proxy, which is not installed in my server. In theory the server should return a 405 Method not Allowed error, but instead is returning a 200 followed by the contents of my homepage.

I have seen quite a few CONNECTs in my logs requesting different third destinations, they all show 200 as the status which makes you think that in fact a connection has been established with this third host but if you look at the bytecount, in my case it is always the same, as the server returns the contents of your index file.

I have applied the <Limit CONNECT> to my website as you mentioned and now instead of a 200 it returns a 403 Forbidden. I think I like this answer better than a 200 but it does not seem to make a big difference. 

The only advantage I see is that any script in search for open proxies will add you to the list when you are not open.... anyway.

There is more info on this bug here:

http://bugs.php.net/bug.php?id=19113

----------
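
The check juliancoccia describes above (CONNECT entries that log 200 but always carry the index page's byte count), written out as an added example that is not part of the original thread. It assumes Apache's common/combined log format with a byte count after the status; the function name, regex and sample log lines are constructed for illustration.

```python
import re

# Assumption: Apache common/combined log format (status followed by byte count).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify_connects(lines):
    """Sort CONNECT log entries into 'denied', 'local_page' and 'review'."""
    entries = [m.groupdict() for m in map(LINE_RE.match, lines) if m]
    # Byte counts of the site's own index page, learned from normal GET / hits.
    index_sizes = {e["size"] for e in entries
                   if e["method"] == "GET" and e["target"] == "/"
                   and e["status"] == "200"}
    result = {"denied": [], "local_page": [], "review": []}
    for e in entries:
        if e["method"] != "CONNECT":
            continue
        if e["status"][0] in "45":
            bucket = "denied"       # 403/405: the method was refused
        elif e["status"] == "200" and e["size"] in index_sizes:
            bucket = "local_page"   # 200, but the body is just the index page
        else:
            bucket = "review"       # size differs from the homepage: look closer
        result[bucket].append((e["client"], e["target"], e["status"], e["size"]))
    return result

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2004:21:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2004:21:17:42 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [26/Feb/2004:21:17:50 +0000] "CONNECT mx.example.org:25 HTTP/1.0" 200 5120 "-" "-"
203.0.113.5 - - [27/Feb/2004:08:02:11 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 290 "-" "-"
203.0.113.9 - - [27/Feb/2004:09:30:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 48213 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for bucket, rows in classify_connects(SAMPLE_LOG).items():
        print(bucket, len(rows))
        for row in rows:
            print("   ", *row)
```

Entries in the `review` bucket are the ones where a 200 was logged with a byte count that does not match the homepage, so they are worth checking against the proxy configuration.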

## viperlin

Well, at least it works as a minor bugfix :)

----------

