Security Incidents mailing list archives
Re: Spam via proxy
From: Joe Stewart <jstewart () lurhq com>
Date: Mon, 9 Dec 2002 08:31:59 -0500
On Saturday 07 December 2002 12:52 pm, listuser wrote:
I work at a cable ISP and lots of our customers have open WinGate, Squid or SOCKS proxies. These are regularly being used by spammers to send their scum. I recently visited some of our customers to get their logs. I would like to know how exactly these spams are being sent, i.e. if someone can tell me how to replicate this via a telnet session to the relevant port it will be great. Also, which tools are being used by spammers to scan our network? Does anyone have an IDS signature for the scanning? How are these cases being handled elsewhere? One problem we have faced is that the actual users are clueless about what is going on. Are people blocking Squid and SOCKS ports at the border router? How can I scan my own network to see who is vulnerable?
Hi,

You might be surprised at the various types of activity going on with these proxy servers; it's not just spam. I wrote an article on this subject that may be of some interest to you:

Exposing the Underground: Adventures of an Open Proxy Server
http://www.securitywriters.org/texts.php?op=display&id=54

There are programs to scan for open proxy servers, but you can also just try using nmap on well-known proxy ports (1080, 8080, 3128... sometimes 80 and 81). Then telnet to the port and try something like:

"GET http://www.yahoo.com/ HTTP/1.0"

and hit enter twice. This indicates they are at least open to HTTP proxying. This is a problem, but it's not as bad as some servers, which allow you to connect out on any port. For your spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the address of some mailserver you own. If you get the SMTP banner, your suspicions are confirmed.

Good luck!

-Joe
--
Joe Stewart <jstewart () lurhq com>
Senior Information Security Analyst
-----------------------------------------
"24x7 Enterprise Security Monitoring"
LURHQ Corporation
http://www.lurhq.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Spam via proxy listuser (Dec 08)
- Re: Spam via proxy Christopher X. Candreva (Dec 09)
- Re: Spam via proxy Jefferson Ogata (Dec 09)
- Re: Spam via proxy J.Francois (Dec 09)
- Re: Spam via proxy Volker Tanger (Dec 09)
- Re: Spam via proxy jlewis (Dec 09)
- Re: Spam via proxy Joe Stewart (Dec 09)