Security Incidents mailing list archives
Re: Spam via proxy
From: Volker Tanger <volker.tanger () discon de>
Date: Mon, 09 Dec 2002 11:10:46 +0100
Greetings!

listuser wrote:

> I work at a cable ISP and lots of our customers have open wingate, squid or socks proxies. These are regularly being used by spammers to send their scum.

The ancient "Proxy vulnerability" as in http://www.securityfocus.com/bid/4131

This general problem has been known to be an issue with plain HTTP proxies like the Squid for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).

> ie if some one can tell me how to replicate this via a telnet session to the relevent port it will be great.
The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mailserver, as port usage is completely unrestricted by the ISVW proxies V 3.6.

Example:
  you                 = 6.6.6.666
  Trendmicro ISVW     = 1.1.1.1 (http proxy at port 80)
  Internal Mailserver = 2.2.2.2

connect with "telnet 1.1.1.1 80" to ISVW proxy and enter followed with two linefeeds:

  CONNECT 2.2.2.2:25 / HTTP/1.0

response: mail server banner - and running SMTP session e.g. to send SPAM from.

You can connect to any TCP port on any machine the proxy can connect to. Telnet, SMTP, POP, etc.

You can see it in the logs you provided as CONNECT (squid), SSL (wingate) methods - all to port 25 (smtp).
> How these cases are being handled else where. One problem we have faced is that the actual users are clueless about what is going on. Are people blocking squid and socks ports at the border router?

For squid see above URL. For TrendMicro ISVW see http://online.securityfocus.com/archive/1/302200

Generally we (advise to) put any proxy into a (separate) DMZ which only is accessible via a firewall (the usual 3-leg firewall config) that is blocking all but the identified, needed connections.
Bye

Volker Tanger
IT-Security Consulting
-- 
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
volker.tanger () discon de
http://www.discon.de/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
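The post points out that the abuse is visible in the proxy logs as CONNECT (squid) or SSL (wingate) tunnels to port 25. The script below is an added example, not part of the original post or of any of the proxies mentioned: it scans constructed sample log lines (assumed to be in squid's native access.log layout, plus one line in a made-up wingate-style layout) for tunnel requests to SMTP and tallies the external client addresses behind them, so an operator can separate relay abuse from legitimate internal use.

```python
"""Flag proxy log entries where a tunnel (CONNECT / SSL) was opened to TCP
port 25, and rank the external clients that opened them.  Added example,
not code from the original mailing-list post."""
import ipaddress
import re
from collections import Counter

# Tunnelling request methods named in the post: CONNECT (squid), SSL (wingate),
# followed by the host:port the proxy was asked to reach.
TUNNEL_RE = re.compile(r"\b(CONNECT|SSL)\s+([^\s:]+):(\d+)\b")

MAIL_PORTS = {25}  # SMTP: the port all of the post's log excerpts targeted

# Constructed sample lines.  Lines 1-4 use squid's native access.log layout
# (timestamp, elapsed, client, status, bytes, method, URL, ...); the last
# line is a hypothetical wingate-style layout with the same client position.
SAMPLE_LOG = """\
1039428646.123 45 203.0.113.5 TCP_MISS/200 1234 CONNECT 198.51.100.7:25 - DIRECT/198.51.100.7 -
1039428647.001 12 192.168.1.20 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1039428648.555 30 203.0.113.5 TCP_MISS/200 900 CONNECT 198.51.100.8:25 - DIRECT/198.51.100.8 -
1039428649.777 10 192.168.1.21 TCP_HIT/200 2048 GET http://www.example.com/ - NONE/- text/html
2002-12-08 22:10:01 203.0.113.9 SSL 198.51.100.7:25
"""


def tunnels_to_mail(log_text, internal_nets=("192.168.0.0/16", "10.0.0.0/8")):
    """Return one dict per tunnel request to a mail port.  Requests from the
    listed internal networks are still reported but flagged external=False."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in log_text.splitlines():
        m = TUNNEL_RE.search(line)
        if not m or int(m.group(3)) not in MAIL_PORTS:
            continue
        fields = line.split()
        try:
            client = ipaddress.ip_address(fields[2])  # third field = client address
        except (IndexError, ValueError):
            client = None
        hits.append({"client": str(client) if client else "?",
                     "method": m.group(1), "target": m.group(2),
                     "port": int(m.group(3)),
                     "external": client is not None and not any(client in n for n in nets)})
    return hits


def top_abusers(hits):
    """Count external clients by number of mail tunnels, most frequent first."""
    return Counter(h["client"] for h in hits if h["external"]).most_common()


if __name__ == "__main__":
    found = tunnels_to_mail(SAMPLE_LOG)
    for h in found:
        print(h)
    print(top_abusers(found))
```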