Security Incidents mailing list archives

Re: Spam via proxy


From: Joe Stewart <jstewart () lurhq com>
Date: Mon, 9 Dec 2002 08:31:59 -0500

On Saturday 07 December 2002 12:52 pm, listuser wrote:

> I work at a cable ISP and lots of our customers have open WinGate, Squid or
> SOCKS proxies. These are regularly being used by spammers to send their
> scum. I recently visited some of our customers to get their logs. I would
> like to know how exactly these spams are being sent, i.e. if someone can
> tell me how to replicate this via a telnet session to the relevant port it
> will be great. Also, which tools are being used by spammers to scan our
> network? Does anyone have any IDS signature for the scanning? How are these
> cases being handled elsewhere? One problem we have faced is that the actual
> users are clueless about what is going on. Are people blocking Squid and
> SOCKS ports at the border router? How can I scan my own network to see who
> is vulnerable?

Hi,
You might be surprised at the various types of activity going on with these
proxy servers; it's not just spam. I wrote an article on this subject that may 
be of some interest to you:

Exposing the Underground: Adventures of an Open Proxy Server
http://www.securitywriters.org/texts.php?op=display&id=54

There are programs to scan for open proxy servers, but you can also just
try using nmap on well-known proxy ports (1080,8080,3128... sometimes
80 and 81). Then telnet to the port and try something like:
"GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates
they are at least open to HTTP proxying. This is a problem, but it's not as
bad as some servers, which allow you to connect out on any port. For your
spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the
address of some mailserver you own. If you get the SMTP banner, your
suspicions are confirmed.

Good luck!

-Joe

-- 
   Joe Stewart  <jstewart () lurhq com>
  Senior Information Security Analyst 
-----------------------------------------
 "24x7 Enterprise Security Monitoring"
LURHQ Corporation  http://www.lurhq.com/
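The two manual checks Joe describes (an absolute-URL GET to see whether the port proxies HTTP at all, then CONNECT to port 25 of a mail server you control and look for the SMTP "220" greeting) can be scripted so the same probe runs against every host nmap turned up. The following is an added example, not code from the original post or from LURHQ; the host names and the canned replies in FakeProxy are constructed so it runs offline, and `socket.create_connection` is used for the real thing. Point `mailhost` at a mail server you own, as the post says, so the test traffic lands on your own box rather than someone else's.

```python
"""Probe a suspected open proxy: does it honour an absolute-URL GET, and
will it CONNECT-tunnel us to TCP/25 of a mail server we control?"""
import socket

PROXY_PORTS = (1080, 8080, 3128, 80, 81)   # ports named in the post


def get_probe(url="http://www.yahoo.com/"):
    """Request that an open forward proxy will fetch on our behalf."""
    return f"GET {url} HTTP/1.0\r\n\r\n".encode("ascii")


def connect_probe(mailhost, port=25):
    """CONNECT request asking the proxy to tunnel raw TCP to mailhost:port."""
    return f"CONNECT {mailhost}:{port} HTTP/1.0\r\n\r\n".encode("ascii")


def http_status(reply):
    """Status code from the first line of an HTTP reply, or None if it is not one."""
    first = reply.split(b"\r\n", 1)[0].split()
    if len(first) >= 2 and first[0].startswith(b"HTTP/"):
        try:
            return int(first[1])
        except ValueError:
            return None
    return None


def classify_get(reply):
    """'open-http-proxy' when the proxy fetched (or redirected) the URL for us."""
    status = http_status(reply)
    if status is None:
        return "not-http"
    if status in (200, 301, 302):
        return "open-http-proxy"
    if status in (403, 407):
        return "denied"            # proxy answered but would not relay
    return f"http-{status}"


def classify_connect(reply):
    """'open-smtp-relay' when CONNECT succeeded and the bytes after the
    headers are an SMTP greeting (RFC 5321: '220 <host> ...')."""
    status = http_status(reply)
    if status is None:
        return "not-http"
    if status != 200:
        return "connect-refused"
    _, _, tunneled = reply.partition(b"\r\n\r\n")
    if tunneled.lstrip().startswith(b"220"):
        return "open-smtp-relay"
    return "tunnel-no-banner"      # tunnel opened; banner did not arrive before timeout


def talk(host, port, payload, timeout=5.0, connect=socket.create_connection):
    """Send payload and return whatever comes back before close or timeout."""
    with connect((host, port), timeout=timeout) as s:
        s.sendall(payload)
        chunks, total = [], 0
        try:
            while total < 65536:       # cap what we keep from a chatty proxy
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
                total += len(c)
        except socket.timeout:
            pass
        return b"".join(chunks)


def probe(host, port, mailhost, connect=socket.create_connection):
    """Run both checks against host:port; mailhost must be a server you own."""
    get_reply = talk(host, port, get_probe(), connect=connect)
    connect_reply = talk(host, port, connect_probe(mailhost), connect=connect)
    return {"get": classify_get(get_reply), "connect": classify_connect(connect_reply)}


class FakeProxy:
    """Constructed stand-in for a socket (offline demo only): replays canned
    replies an open proxy would send to the GET and CONNECT probes."""
    replies = {
        b"GET": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...",
        b"CONNECT": b"HTTP/1.0 200 Connection established\r\n\r\n220 mx.example.net ESMTP\r\n",
    }

    def __init__(self, addr, timeout=None):
        self.buf = b""

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data):
        self.buf = self.replies[data.split(b" ", 1)[0]]

    def recv(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


if __name__ == "__main__":
    # Offline demo against the constructed proxy; swap connect= out for a real host.
    print(probe("10.0.0.5", 3128, "mx.example.net", connect=FakeProxy))
```

For a real sweep, feed the hosts nmap reports as open on PROXY_PORTS into `probe(host, port, "your.mailserver")` and flag anything that comes back `open-smtp-relay`; a host that is only `open-http-proxy` is the lesser problem Joe mentions, and `denied` or `not-http` means the port answered but is not a usable relay.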


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
