Security Incidents mailing list archives

Re: Spam via proxy


From: "J.Francois" <frenchie () magusnet com>
Date: Sun, 8 Dec 2002 21:36:03 -0700

This is a thread I remember from back in the day.

http://www.security-express.com/archives/bugtraq/1998_4/0042.html
http://www.security-express.com/archives/bugtraq/1998_4/0043.html

HTH.

On Sat, Dec 07, 2002 at 11:42:37PM +0550, listuser wrote:
Hello,

I work at a cable ISP and lots of our customers have open WinGate, Squid or SOCKS proxies. These are regularly being
used by spammers to send their scum. I recently visited some of our customers to get their logs. I would like to know
how exactly these spams are being sent, i.e. if someone can tell me how to replicate this via a telnet session to the
relevant port it will be great. Also, which tools are being used by spammers to scan our network? Does anyone have any IDS
signature for the scanning? How are these cases being handled elsewhere? One problem we have faced is that the
actual users are clueless about what is going on. Are people blocking Squid and SOCKS ports at the border router? How
can I scan my own network to see who is vulnerable?

Any help in tackling this menace will be much appreciated.

regards,

raj

Squid log:
1038090742.917  17655 68.152.32.164 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -

Wingate:
12/04/02 08:28:19     206.135.212.7   Guest   0000000001      Requested:      SSL://204.127.134.23:25

Socks:
11/05/02 11:12:45     209.203.71.250  Guest   0000002153      Requested:      SOCKS5 Connect 212.209.223.105:25

--
Jean Francois - JLF Sends...This sig is RFC-1855 compliant!
My Resume: http://www.magusnet.com/resume.txt or http://www.magusnet.com/resume.pdf
"Tell them we are not Gods, but UNIX Admins, which is the next best thing."
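The three log lines quoted above all record the same event from the defender's side: an address outside the customer's network asks the proxy to open a raw TCP connection to port 25 on some mail server, and the proxy obliges. Whether it is Squid's CONNECT method, WinGate's SSL:// tunnel or a SOCKS5 Connect, the tell-tale is "proxy request to a mail port from an external source". The parser below is an added example written for this page, not code from either poster; it reads the three formats shown in the thread, flags mail-port connections from outside a placeholder customer range (INTERNAL_NETS, an assumption), and is the kind of check an ISP can run over collected customer logs before deciding which machines to contact. The sample lines are constructed: the three from the post plus two benign ones.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the three formats quoted in the thread
# (Squid access.log, WinGate and SOCKS activity logs). The first, third and
# fourth lines are the ones from the post; the other two are benign requests
# added so the filter has something to ignore.
SAMPLE_LOGS = """\
1038090742.917  17655 68.152.32.164 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -
1038090800.120    210 10.20.30.40 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/www.example.com text/html
12/04/02 08:28:19     206.135.212.7   Guest   0000000001      Requested:      SSL://204.127.134.23:25
11/05/02 11:12:45     209.203.71.250  Guest   0000002153      Requested:      SOCKS5 Connect 212.209.223.105:25
11/05/02 11:13:02     10.20.30.41     Guest   0000002154      Requested:      SOCKS5 Connect 203.0.113.9:443
"""

# Assumption: the ISP's own customer address space (placeholder value).
INTERNAL_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Mail relay/submission ports worth alerting on when reached through a proxy.
MAIL_PORTS = {25, 465, 587}

# Squid native access.log: time elapsed client status/code bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<target>\S+)"
)
# WinGate: date time client user session "Requested:" SSL://host:port
WINGATE_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<src>\S+)\s+\S+\s+\d+\s+Requested:\s+SSL://(?P<host>[^:]+):(?P<port>\d+)"
)
# SOCKS: date time client user session "Requested:" SOCKS5 Connect host:port
SOCKS_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<src>\S+)\s+\S+\s+\d+\s+Requested:\s+SOCKS\d\s+Connect\s+(?P<host>[^:]+):(?P<port>\d+)"
)


@dataclass
class ProxyRequest:
    kind: str   # which log format matched
    src: str    # address that asked the proxy to connect
    host: str   # destination the proxy was asked to reach
    port: int


def parse_line(line: str) -> Optional[ProxyRequest]:
    """Return a ProxyRequest for a recognised tunnel request, else None."""
    m = SQUID_RE.match(line)
    if m:
        if m.group("method") != "CONNECT":
            return None  # ordinary HTTP fetches cannot relay mail
        host, _, port = m.group("target").rpartition(":")
        return ProxyRequest("squid", m.group("src"), host, int(port))
    for kind, rx in (("wingate", WINGATE_RE), ("socks", SOCKS_RE)):
        m = rx.match(line)
        if m:
            return ProxyRequest(kind, m.group("src"), m.group("host"), int(m.group("port")))
    return None


def is_external(addr: str) -> bool:
    """True when the requesting address lies outside the customer ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_mail_relay_abuse(log_text: str) -> list:
    """Flag tunnel requests to mail ports coming from outside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req and req.port in MAIL_PORTS and is_external(req.src):
            hits.append(req)
    return hits


if __name__ == "__main__":
    for hit in find_mail_relay_abuse(SAMPLE_LOGS):
        print(f"{hit.kind:8} {hit.src:16} -> {hit.host}:{hit.port}")
```

Run against the constructed sample, the three lines from the post are reported and the two benign ones are not. Widening INTERNAL_NETS to the real customer blocks, and feeding it the logs collected from customers, gives a per-proxy list of the outside addresses abusing it, which is also the evidence to hand to the customer who "is clueless about what is going on".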


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com