Security Incidents mailing list archives
Re: Cacheflow proxy abuse (was: no subject)
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 16 Oct 2002 07:49:20 +0200 (CEST)
On Wed, 16 Oct 2002, Alain Fauconnet wrote:
> Hugo van der Kooij <hvdkooij () vanderkooij org> wrote:
>
> > The most common way to send loads of spam is abusing proxies. I have seen at least one attempt in our lab where a cacheflow box (hardware proxy) that was supposed to be closed for this type of CONNECT request was successfully used to forward spam.
>
> Welcome to the club. A Cacheflow 3000 box here has been repeatedly abused to send spam up to the point that I have had to filter out outgoing SMTP on the corresponding router port. Just as you wrote the configuration is "supposed to be correct", meaning that I allow CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080 and try various combinations of CONNECT some.mail.server:25 HTTP/1.1) confirms that it is rejected.
>
> However, some people *do* manage to get through this, I don't know how. The logs show "normal" abuse URIs i.e. similar to the one above, with or without "http://". I'm stuck. Anything you have found?
Unfortunately not at the moment. I am planning to put the machine up at times when someone can babysit the segment to get a proper trace for analysis. After which we intend to raise hell with CacheFlow.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
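The thread says the abuse appears in the proxy logs as CONNECT URIs to a mail server's port 25, with or without "http://", while only ports 80 and 443 are meant to be allowed. The following is an added example, not part of the original posts and not Cacheflow's own log format: the five-field log layout, addresses and host names are constructed. It flags every CONNECT whose target port is outside the allowed set and separates requests the proxy answered with a 2xx status from those it rejected.

```python
import re

ALLOWED_CONNECT_PORTS = {80, 443}  # policy stated in the thread

# Constructed sample lines; assumed layout: time client method target status
SAMPLE_LOG = """\
2002-10-16T05:01:12 192.0.2.10 CONNECT shop.example.com:443 200
2002-10-16T05:01:15 192.0.2.44 CONNECT mail.example.net:25 200
2002-10-16T05:01:19 192.0.2.44 CONNECT http://mail.example.net:25 200
2002-10-16T05:01:20 192.0.2.44 CONNECT mail.example.net:25 403
2002-10-16T05:01:31 192.0.2.10 GET http://www.example.com/ 200
2002-10-16T05:01:40 192.0.2.77 CONNECT mail.example.org 200
"""

# Optional scheme prefix, host, optional :port, optional trailing path.
TARGET_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/.*)?$",
    re.IGNORECASE,
)

def connect_port(target):
    """Return the port named in a CONNECT target, or None if it has none."""
    m = TARGET_RE.match(target)
    if not m or m.group("port") is None:
        return None
    return int(m.group("port"))

def find_connect_abuse(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Return (client, target, port, outcome) for CONNECTs outside policy."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "CONNECT":
            continue
        _, client, _, target, status = fields
        port = connect_port(target)
        if port in allowed:
            continue
        # A 2xx answer means the proxy opened the tunnel despite the policy.
        outcome = "tunnelled" if status.startswith("2") else "rejected"
        findings.append((client, target, port, outcome))
    return findings

if __name__ == "__main__":
    for client, target, port, outcome in find_connect_abuse(SAMPLE_LOG):
        print(f"{outcome:9} {client:12} port={port} target={target}")
```

Entries marked "tunnelled" are the ones worth correlating with a packet trace, since they show the exact request form that got past the port restriction.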