Security Incidents mailing list archives

Re: Spam via proxy


From: Jefferson Ogata <seclists () antibozo net>
Date: Mon, 09 Dec 2002 11:04:34 -0500

listuser wrote:
Hello,

I work at a cable ISP and lots of our customers have open wingate, squid or socks proxies. These are regularly being 
used by spammers to send their scum. I recently visited some of our customers to get their logs. I would like to know 
how exactly these spams are being sent, i.e. if someone can tell me how to replicate this via a telnet session to the 
relevant port it will be great. Also, which tools are being used by spammers to scan our network? Does anyone have any IDS 
signature for the scanning? How are these cases being handled elsewhere? One problem we have faced is that the actual 
users are clueless about what is going on. Are people blocking squid and socks ports at the border router? How can I 
scan my own network to see who is vulnerable?

Any help in tackling this menace will be much appreciated.

regards,

raj

Squid log:
1038090742.917  17655 68.152.32.164 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -

For squid, test by trying the CONNECT verb on the proxy. Connect to the squid on whatever port it is proxying on (typically 3128), then issue the following request, using a known SMTP server:

CONNECT some.smtp.server.example.com:25 HTTP/1.0


Follow that with a blank line. If you get an SMTP banner, your squid is vulnerable. Most folks want the CONNECT verb enabled to support proxy SSL connections, but the boilerplate in squid.conf will block access to CONNECT for ports other than 443 and 563. A better configuration is to make sure that all access to squid for any request method is blocked for any client that is not on the local LAN.

Wingate:
12/04/02 08:28:19       206.135.212.7   Guest   0000000001      Requested:      SSL://204.127.134.23:25

Can't help you with Wingate.

Socks:
11/05/02 11:12:45       209.203.71.250  Guest   0000002153      Requested:      SOCKS5 Connect 212.209.223.105:25

For SOCKS, you'll need a SOCKS client to connect to it. You can build the regular SOCKS package and try using rtelnet after setting the SOCKS_SERVER environment variable to point to the SOCKS server you want to test. Sorry I'm a little rusty since I haven't touched SOCKS in a few years, but that's the basic strategy.

--
Jefferson Ogata : Internetworker, Antibozo
<ogata () antibozo net>  http://www.antibozo.net/ogata/
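The three log excerpts in this thread (squid, WinGate, SOCKS) each record a client asking the proxy to reach port 25. The following is an added example, not code from the original message or from any of those products: a small Python checker that parses the three line formats as quoted above, and reports proxied connections to SMTP that came from a client outside the proxy owner's own address range. The sample log lines, the addresses in them, and the `LOCAL_NETS` range are constructed placeholders; replace `LOCAL_NETS` with the real customer blocks before running it over collected logs.

```python
"""Flag proxy log entries that relay to SMTP (port 25) from clients outside the local LAN.

Added example for the thread above, not the original poster's or any vendor's code.
The sample lines are constructed to mirror the squid, WinGate and SOCKS formats
quoted in the message; all addresses and timestamps are made up.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: ranges treated as the "local LAN" that may legitimately use the proxy.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMTP_PORT = 25


@dataclass
class RelayEvent:
    source: str   # which log format matched ("squid", "wingate", "socks")
    client: str   # client address that asked the proxy to connect
    target: str   # host:port the proxy was asked to reach


# squid native access.log: timestamp elapsed client code/status bytes method url ...
SQUID_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+CONNECT\s+(\S+)")
# WinGate audit line: date time client user id Requested: SSL://host:port
WINGATE_RE = re.compile(r"^\S+\s+\S+\s+(\S+)\s+\S+\s+\d+\s+Requested:\s+SSL://(\S+)")
# SOCKS audit line: date time client user id Requested: SOCKS5 Connect host:port
SOCKS_RE = re.compile(r"^\S+\s+\S+\s+(\S+)\s+\S+\s+\d+\s+Requested:\s+SOCKS[45]\s+Connect\s+(\S+)")


def parse_line(line):
    """Return a RelayEvent for a recognised proxy CONNECT line, else None."""
    for name, pattern in (("squid", SQUID_RE), ("wingate", WINGATE_RE), ("socks", SOCKS_RE)):
        m = pattern.match(line)
        if m:
            return RelayEvent(name, m.group(1), m.group(2))
    return None


def target_port(target):
    """Extract the numeric port from a host:port target, or None if absent."""
    host, _, port = target.rpartition(":")
    return int(port) if host and port.isdigit() else None


def is_local(addr):
    """True if addr falls inside one of LOCAL_NETS; unparsable addresses count as non-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def find_smtp_relays(lines):
    """Return events where a non-local client used the proxy to reach port 25."""
    hits = []
    for line in lines:
        ev = parse_line(line.rstrip("\n"))
        if ev is None:
            continue
        if target_port(ev.target) == SMTP_PORT and not is_local(ev.client):
            hits.append(ev)
    return hits


# Constructed sample log lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    "1038090742.917  17655 192.0.2.10 TCP_MISS/000 0 CONNECT mail.example.net:25 - DIRECT/mail.example.net -",
    "1038090750.123    120 10.1.2.3 TCP_MISS/200 512 CONNECT www.example.com:443 - DIRECT/www.example.com -",
    "12/04/02 08:28:19\t198.51.100.7\tGuest\t0000000001\tRequested:\tSSL://203.0.113.23:25",
    "11/05/02 11:12:45\t198.51.100.9\tGuest\t0000002153\tRequested:\tSOCKS5 Connect 203.0.113.5:25",
    "11/05/02 11:13:00\t10.9.8.7\tGuest\t0000002154\tRequested:\tSOCKS5 Connect 203.0.113.5:25",
]

if __name__ == "__main__":
    for ev in find_smtp_relays(SAMPLE_LOG):
        print(f"{ev.source:8s} client={ev.client:15s} -> {ev.target}")
```

Only the first, third and fourth sample lines are reported: the second is a legitimate port-443 CONNECT and the fifth comes from a local client. Feeding real squid, WinGate or SOCKS logs through `find_smtp_relays` gives a quick list of which customer proxies are already being used as mail relays, which is the set of hosts to contact first.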


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

