UPDATE: [wcolburnat_private: SMTP relay through checkpoint firewall]

From: Steve VanDevender (stevevat_private)
Date: Tue Feb 19 2002 - 14:19:50 PST


    It's not just Checkpoint Firewall that has a problem with HTTP CONNECT.
    From what I can tell default installations of the CacheFlow web proxy
    software, some Squid installations, some Apache installations with
    proxying enabled, and some other web proxy installations I haven't
    identified allow anyone to use the HTTP CONNECT method.  This is being
    used more and more often to relay spam.  This is a boon for spammers
    because unlike open SMTP relays which usually record some kind of useful
    Received: header, open web proxies don't put any information in the mail
    headers about the real origin of the spam.
    
    For those of you unfamiliar with the details of this problem, unsecured
    web proxies allow a remote user to use the HTTP CONNECT method to make
    arbitrary TCP connections to a specified host and port, like this:
    
    $ telnet open.web.proxy.org 80 # or 8080, or maybe other ports
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    CONNECT victim.host.org:25 HTTP/1.0
    
    HTTP/1.0 200 Connection established
    
    220 victim.host.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 19 Feb 2002 14:16:51 -0800 (PST)
    
    I went around with someone at CacheFlow about this after unsecured
    proxies in the cacheflow.com domain were used to relay spam, and after
    seeing spam come from various unsecured CacheFlow proxies around the
    Internet.  Their position is that this is supposed to be prevented by
    putting the CacheFlow server behind a firewall, or using configuration
    options in the CacheFlow software to prevent connections to unwanted
    destination ports.  They seemed unreceptive to the idea of shipping a
    CacheFlow configuration that did not allow CONNECT by default.
    
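    The fix the thread points at is a destination-port policy on CONNECT, the
    check the open proxies above do not perform. The following is an added
    example (not CacheFlow, Squid or Apache code) of that check in Python: it
    parses a CONNECT request line and answers 200 only for ports on an
    allow-list, defaulting to 443 in the manner of Squid's SSL_ports
    convention; the sample request lines are constructed from the post.

```python
"""Destination-port allow-list for HTTP CONNECT, the proxy-side check the
open proxies in this thread lack.  Added example, not vendor code."""
import re

# Only TLS tunnelling legitimately needs CONNECT; port 25 never does.
DEFAULT_ALLOWED_PORTS = frozenset({443})

# Authority form "host:port"; host may be a bracketed IPv6 literal.
_AUTHORITY = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\[\]:]+)):(?P<port>\d{1,5})$")


def parse_connect(request_line):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    if parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    m = _AUTHORITY.match(parts[1])
    if not m:
        return None  # missing port, absolute-form URL, or junk
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return (m.group("v6") or m.group("host")).lower(), port


def connect_decision(request_line, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Decide the proxy's reply to a CONNECT request: (status_line, reason).

    An open proxy answers '200 Connection established' for any port,
    which is what lets it relay mail to port 25; this only does so for
    ports on the allow-list.
    """
    parsed = parse_connect(request_line)
    if parsed is None:
        return "HTTP/1.0 400 Bad Request", "malformed CONNECT request"
    host, port = parsed
    if port not in allowed_ports:
        return "HTTP/1.0 403 Forbidden", f"CONNECT to {host}:{port} denied by port policy"
    return "HTTP/1.0 200 Connection established", f"CONNECT to {host}:{port} allowed"


if __name__ == "__main__":
    # Constructed samples: the relay attempt quoted in the post, and a TLS tunnel.
    for line in ("CONNECT victim.host.org:25 HTTP/1.0",
                 "CONNECT www.example.com:443 HTTP/1.1"):
        print(line, "->", connect_decision(line))
```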
    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 14:36:29 PST