RE:

[Hugo van der Kooij <hvdkooij () vanderkooij org>]

On Tue, 15 Oct 2002, Hay,Daniel wrote:

> We are in the same boat, We have udp/tcp 135-139 and 445 blocked but we still see the spam. We have identified 2 
> hosts on campus 1 is a Linux box running RedHat 7.3 the other seems to be a Win2k box. I've done a quick check of the 
> Linux box but it doesn't appear to be compromised, one thing I did notice from external scanning is that RPC on the 
> Linux box is not configured correctly and allows forwarding of RPC requests. I've not checked the windows box yet but 
> I was thinking maybe the requests where being forwarded from outside the campus network to hosts inside via these 
> misconfigured RPC installations. Any thoughts? Am I way off base here?

Any proxy/webserver around?

The most common way to send loads of spam is abusing proxies. I have seen 
at least one attampt in our lab where a cacheflow box (hardware proxy) 
that was supposed to be closed for this type of CONNECT request was 
succesfully used to forward spam.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com