Security Incidents mailing list archives
RE: Cacheflow proxy abuse (was: no subject)
From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Wed, 16 Oct 2002 16:06:37 -0700
It may be a good test to see if the cacheflow will proxy for any of your external addresses (even the ones you have defined as "not to be cached"). In my experience with the cacheflow, I noticed that it will act as an anonymous proxy for any external IP it was caching for. IMHO, the cacheflow is nothing more than a very heavy, expensive paperweight or doorstop. Get rid of it and enjoy the feeling of having a secure network.

-Jeremy

-----Original Message-----
From: Hugo van der Kooij [mailto:hvdkooij () vanderkooij org]
Sent: Tuesday, October 15, 2002 10:49 PM
To: Incidents Mailing List
Subject: Re: Cacheflow proxy abuse (was: no subject)

On Wed, 16 Oct 2002, Alain Fauconnet wrote:

> Hugo van der Kooij <hvdkooij () vanderkooij org> wrote:
>
> > The most common way to send loads of spam is abusing proxies. I have
> > seen at least one attempt in our lab where a cacheflow box (hardware
> > proxy) that was supposed to be closed for this type of CONNECT request
> > was successfully used to forward spam.
>
> Welcome to the club. A Cacheflow 3000 box here has been repeatedly
> abused to send spam up to the point that I have had to filter out
> outgoing SMTP on the corresponding router port. Just as you wrote the
> configuration is "supposed to be correct", meaning that I allow
> CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
> and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
> confirms that it is rejected. However, some people *do* manage to get
> through this, I don't know how. The logs show "normal" abuse URIs, i.e.
> similar to the one above, with or without "http://". I'm stuck. Anything
> you have found?

Unfortunately not at the moment. I am planning to put the machine up at times when someone can babysit the segment to get a proper trace for analysis. After which we intend to raise hell with CacheFlow.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
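The two checks the thread turns on are Alain's manual CONNECT test against his own proxy and his review of the proxy logs for mail-port requests "with or without http://". The following Python script is an added example (not code from any of the posters, and not a CacheFlow tool) that does both in a repeatable way for a proxy you administer: it builds the same CONNECT request the telnet test sends and classifies the proxy's reply, and it scans log lines for any request aimed at port 25, whether written as a bare host:port or as an absolute URI. The proxy hostname, the mail host and the log format are assumptions constructed for the example; real CacheFlow logs use their own layout, so the LOG_LINE pattern has to be adapted before use.

```python
"""Audit helpers for the proxy-abuse pattern discussed in the thread.

Added illustration, not code from the list posts. The proxy hostname, the
target mail host and the log lines are all constructed for this example;
real CacheFlow log formats differ, so adapt LOG_LINE to your own.
"""
import re
import socket

# Assumption: the proxy under your own administration, listening on 8080
# as in Alain's "telnet cacheflow 8080" test.
PROXY = ("cacheflow.example.internal", 8080)


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Raw CONNECT request, the same shape as the manual telnet test."""
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(reply: bytes):
    """Status code from the proxy's first response line, or None if malformed."""
    m = re.match(rb"HTTP/1\.[01] (\d{3})", reply)
    return int(m.group(1)) if m else None


def tunnel_permitted(reply: bytes) -> bool:
    """A 2xx answer means the proxy opened the tunnel, i.e. it would relay SMTP."""
    status = parse_status(reply)
    return status is not None and 200 <= status < 300


def probe_connect(target_host: str, target_port: int = 25,
                  proxy=PROXY, timeout: float = 5.0) -> bool:
    """Ask the proxy to tunnel to target_host:target_port and report the verdict.

    Run this against your own proxy from each address range it serves (Jeremy's
    point: the external addresses too, not only the ones it is caching for).
    """
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        reply = sock.recv(1024)
    return tunnel_permitted(reply)


# --- log review -------------------------------------------------------------
# Constructed log format: client-ip "request-line" status. Alain notes that
# the abuse URIs show up "with or without http://", so the request-line regex
# accepts a bare host:port as well as an absolute URI with an explicit port.
LOG_LINE = re.compile(r'^(?P<client>\S+) "(?P<request>[^"]+)" (?P<status>\d{3})$')
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?:https?://)?(?P<host>[^\s/:]+):(?P<port>\d+)(?:/\S*)?\s+HTTP/\d\.\d$"
)

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 "CONNECT mail.example.net:25 HTTP/1.1" 403',
    '10.0.0.5 "CONNECT http://mail.example.net:25 HTTP/1.1" 200',
    '10.0.0.7 "GET http://mail.example.net:25/ HTTP/1.0" 200',
    '10.0.0.9 "CONNECT www.example.com:443 HTTP/1.1" 200',
]


def flag_smtp_requests(lines, ports=frozenset({25})):
    """Return (client, method, host, status) for every request aimed at a mail port.

    Both rejected (403) and accepted (200) attempts are returned: the first tells
    you who is probing, the second tells you the port filter did not hold.
    """
    hits = []
    for line in lines:
        entry = LOG_LINE.match(line)
        if not entry:
            continue
        req = REQUEST_LINE.match(entry.group("request"))
        if req and int(req.group("port")) in ports:
            hits.append((entry.group("client"), req.group("method"),
                         req.group("host"), int(entry.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in flag_smtp_requests(SAMPLE_LOG):
        print("mail-port request:", hit)
    # probe_connect("mail.example.net") would send the live CONNECT test
    # to PROXY; only do that against a proxy you are responsible for.
```

The log scan deliberately keeps the rejected attempts as well as the accepted ones: a 403 on a CONNECT to port 25 is the early warning that the box is being probed, while a 200 on the same request is the evidence Alain was missing that the port restriction had been bypassed. Pass a different `ports` set to watch submission ports as well.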