Security Incidents mailing list archives

RE: Cacheflow proxy abuse (was: no subject)


From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Wed, 16 Oct 2002 16:06:37 -0700

It may be a good test to see if the cacheflow will proxy for any of your
external addresses (even the ones you have defined as "not to be
cached").  In my experience with the cacheflow, I noticed that it will
act as an anonymous proxy for any external IP it was caching for.  IMHO,
the cacheflow is nothing more than a very heavy, expensive paperweight
or doorstop.  Get rid of it and enjoy the feeling of having a secure
network.

-Jeremy

-----Original Message-----
From: Hugo van der Kooij [mailto:hvdkooij () vanderkooij org] 
Sent: Tuesday, October 15, 2002 10:49 PM
To: Incidents Mailing List
Subject: Re: Cacheflow proxy abuse (was: no subject)


On Wed, 16 Oct 2002, Alain Fauconnet wrote:

Hugo van der Kooij <hvdkooij () vanderkooij org> wrote:

The most common way to send loads of spam is abusing proxies. I have
seen at least one attempt in our lab where a cacheflow box (hardware
proxy) that was supposed to be closed for this type of CONNECT request
was successfully used to forward spam.

Welcome to the club. A Cacheflow 3000 box here has been repeatedly
abused to send spam up to the point that I have had to filter out
outgoing SMTP on the corresponding router port. Just as you wrote the
configuration is "supposed to be correct", meaning that I allow
CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
confirms that it is rejected. However, some people *do* manage to get
through this, I don't know how. The logs show "normal" abuse URIs i.e.
similar to the one above, with or without "http://".

I'm stuck. Anything you have found?

Unfortunately not at the moment. I am planning to put the machine up at
times when someone can babysit the segment to get a proper trace for
analysis.

After which we intend to raise hell with CacheFlow.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
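
An added example (my code, not part of the thread or of any CacheFlow product): a small Python check over constructed proxy access-log lines (the log format is assumed) that flags CONNECT or absolute-URI requests aimed at ports other than 80 and 443, the kind of relay traffic Alain and Hugo describe, including targets written with or without "http://". Running it over a real log would show whether "rejected" requests were in fact all rejected.

```python
import re
from collections import Counter

# Constructed sample proxy access log (format assumed, not from the thread).
# Fields: client_ip method target status
SAMPLE_LOG = """\
10.0.0.5 CONNECT www.example.com:443 200
10.0.0.5 GET http://www.example.com/index.html 200
198.51.100.7 CONNECT mail.example.net:25 403
198.51.100.7 CONNECT mail.example.net:25 200
203.0.113.9 GET http://mail.example.net:25/ 200
203.0.113.9 GET mail.example.net:25/ 200
10.0.0.8 CONNECT intranet.example.com:8443 200
"""

ALLOWED_CONNECT_PORTS = {80, 443}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# The target may carry a scheme or not ("with or without http://");
# only the host and the explicit port matter here.
TARGET_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)(?::(\d+))?")


def target_port(method, target):
    """Destination port of a request target, or None if it cannot be told."""
    m = TARGET_RE.match(target)
    if not m:
        return None
    _host, port = m.groups()
    if port:
        return int(port)
    if method == "CONNECT":
        return None  # CONNECT without a port is malformed; skip it
    return 443 if target.lower().startswith("https://") else 80


def suspicious_requests(log_text):
    """(client, method, target, status) for every request whose destination
    port is outside the permitted set. A 200 here means the restriction was
    bypassed; repeated 403s show someone probing for exactly that."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        port = target_port(method, target)
        if port is not None and port not in ALLOWED_CONNECT_PORTS:
            hits.append((client, method, target, int(status)))
    return hits


def offending_clients(log_text):
    """Per-client count of suspicious requests, e.g. to drive an alert."""
    return Counter(h[0] for h in suspicious_requests(log_text))
```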


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
