Security Incidents mailing list archives

Re: Spam via proxy


From: jlewis () lewis org
Date: Sun, 8 Dec 2002 23:22:25 -0500 (EST)

On Sat, 7 Dec 2002, listuser wrote:

I work at a cable ISP and lots of our customers have open wingate, squid
or socks proxies. These are regularly being used by spammers to send
their scum. I recently visited some of our customers to get their logs.
I would like to know how exactly these spams are being sent, i.e. if
someone can tell me how to replicate this via a telnet session to the
relevant port it will be great. Also, which tools are being used by
spammers to scan our network? Does anyone have any IDS signature for the
scanning? How are these cases being handled elsewhere? One problem we
have faced is that the actual users are clueless about what is going on.
Are people blocking squid and socks ports at the border router? How can
I scan my own network to see who all are vulnerable?

I have no idea what tools the spammers are using, but the basic idea is to
find systems with various flavors of open proxies.  As you already know,
squid, wingate, socks, and others can be abused if left open.  How they're
abused is really just a matter of speaking the right protocol.  I'm sure
with a little searching, you'll find several security tools capable of
scanning for various types of proxies...but in addition to finding them,
you'd need to also come up with tests for openness.  The first one that
comes to mind is www.nessus.org (but I don't know if it'll fit your
needs).

As for how the spam is sent, you connect to the proxy, request a
connection to a mail server on port 25, and then you're talking SMTP to
the mail server through the proxy.

Squid log: 1038090742.917 17655 68.152.32.164 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -

That one pretty much demonstrates it for HTTP proxies like squid.  i.e. (X
inserted for anonymity) here's another open squid proxy.

$ telnet X.X.148.68 3128
Trying X.X.148.68...
Connected to X.X.148.68.
Escape character is '^]'.
CONNECT 205.206.231.9:25 HTTP/1.0

HTTP/1.0 200 Connection established

220 securityfocus.com ESMTP
helo test
250 securityfocus.com
mail from:<>
250 ok
rcpt to:<>
250 ok
rset
250 flushed
quit
221 securityfocus.com
Connection closed by foreign host.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
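As an added defender-side example (not part of the original post or of any project's code): a small Python script that parses Squid's native access.log format, as in the log line quoted above, and flags clients issuing CONNECT requests to SMTP ports, which is exactly the relay pattern the post describes. The first sample line is the one quoted in the post; the remaining lines are constructed using documentation addresses.

```python
import re
from collections import Counter

# Squid native access.log format (as in the log line quoted in the post):
# time elapsed client code/status bytes method URL ident peerstatus/peerhost type
SQUID_LINE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Ports a CONNECT through a web proxy has no business reaching (SMTP family).
SMTP_PORTS = {25, 465, 587}

def connect_target(url):
    """Split a CONNECT host:port target; returns (host, port) or None."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)

def find_smtp_relays(lines):
    """Yield (client, host, port) for every CONNECT to an SMTP port."""
    for line in lines:
        m = SQUID_LINE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue
        target = connect_target(m.group("url"))
        if target and target[1] in SMTP_PORTS:
            yield m.group("client"), target[0], target[1]

def relay_abusers(lines, threshold=1):
    """Count SMTP CONNECTs per client; return {client: count} at/above threshold."""
    counts = Counter(client for client, _, _ in find_smtp_relays(lines))
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed sample log: the first line is the one quoted in the post,
# the rest are made-up entries using documentation (192.0.2.0/24) addresses.
SAMPLE_LOG = """\
1038090742.917 17655 68.152.32.164 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -
1038090750.101 120 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/www.example.com text/html
1038090755.333 30000 192.0.2.20 TCP_MISS/200 812 CONNECT mail.example.net:25 - DIRECT/mail.example.net -
1038090760.444 200 192.0.2.20 TCP_MISS/200 900 CONNECT www.example.org:443 - DIRECT/www.example.org -
1038090765.555 25000 192.0.2.20 TCP_MISS/200 640 CONNECT mx.example.com:587 - DIRECT/mx.example.com -
""".splitlines()

if __name__ == "__main__":
    for client, count in sorted(relay_abusers(SAMPLE_LOG).items()):
        print(f"{client}: {count} CONNECT(s) to SMTP ports")
```

Run it against a real access.log with `relay_abusers(open(path))` and raise the threshold to separate a single stray connection from a customer whose proxy is being used as a relay.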


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
