Cacheflow proxy abuse (was: no subject)

[Alain Fauconnet <alain () cscoms net>]

Hugo van der Kooij <hvdkooij () vanderkooij org> wrote:

> The most common way to send loads of spam is abusing proxies. I have seen 
> at least one attampt in our lab where a cacheflow box (hardware proxy) 
> that was supposed to be closed for this type of CONNECT request was 
> succesfully used to forward spam.

Welcome to the club. A Cacheflow 3000 box  here  has  been  repeatedly
abused to send spam up to the point that I  have  had  to  filter  out
outgoing  SMTP on the corresponding router port. Just as you wrote the
configuration is "supposed  to  be  correct",  meaning  that  I  allow
CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
and  try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
confirms  that it is rejected. However, some people *do* manage to get
through this, I don't know how. The logs show "normal" abuse URIs i.e.
similar   the   one   above, with or without "http://";.

I'm   stuck.   Anything  you  have  found?

BTW this seems to be related to our *downgrading* CacheOS to v3.1  for
stability reasons (4.x is just too unstable  on  this  heavily  loaded
box).

Greets,
_Alain_
"I've RTFM. It says: `see your system administrator'. But... *I* am
the system administrator"
(DECUS US symposium session title, author unknown, ca. 1990)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com