Re: UPDATE: [wcolburnat_private: SMTP relay through checkpoint firewall]

From: Mike Benham (moxieat_private)
Date: Tue Feb 19 2002 - 14:50:13 PST


    People use the CONNECT method from inside a LAN to make SSL/HTTPS
    connections through a proxy.  I think it makes sense for proxies to
    support the method by default, since browsing secure pages is very
    common, but it shouldn't be accessible from outside the LAN.
    
    - Mike
    
    --
    http://www.thoughtcrime.org
    
    On Tue, 19 Feb 2002, Steve VanDevender wrote:
    
    > It's not just Checkpoint Firewall that has a problem with HTTP CONNECT.
    > From what I can tell default installations of the CacheFlow web proxy
    > software, some Squid installations, some Apache installations with
    > proxying enabled, and some other web proxy installations I haven't
    > identified allow anyone to use the HTTP CONNECT method.  This is being
    > used more and more often to relay spam.  This is a boon for spammers
    > because unlike open SMTP relays which usually record some kind of useful
    > Received: header, open web proxies don't put any information in the mail
    > headers about the real origin of the spam.
    >
    > For those of you unfamiliar with the details of this problem, unsecured
    > web proxies allow a remote user to use the HTTP connect method to make
    > arbitrary TCP connections to a specified host and port, like this:
    >
    > $ telnet open.web.proxy.org 80 # or 8080, or maybe other ports
    > Trying 192.168.1.1...
    > Connected to 192.168.1.1.
    > Escape character is '^]'.
    > CONNECT victim.host.org:25 HTTP/1.0
    >
    > HTTP/1.0 200 Connection established
    >
    > 220 victim.host.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 19 Feb 2002 14:16:51 -0800 (PST)
    >
    > I went around with someone at CacheFlow about this after unsecured
    > proxies in the cacheflow.com domain were used to relay spam, and after
    > seeing spam come from various unsecured CacheFlow proxies around the
    > Internet.  Their position is that this is supposed to be prevented by
    > putting the CacheFlow server behind a firewall, or using configuration
    > options in the CacheFlow software to prevent connections to unwanted
    > destination ports.  They seemed unreceptive to the idea of shipping a
    > CacheFlow configuration that did not allow CONNECT by default.
    >
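Restricting CONNECT the way Mike suggests, as an added Squid configuration example that is not from the original thread (the LAN address range and the port list are assumptions):

```squid
# Weak default (equivalent to the open proxies Steve describes):
# any client may CONNECT to any destination port, including 25.
#http_access allow all

# Hardened: CONNECT only to TLS ports, and only from the internal LAN.
acl localnet src 192.168.0.0/16          # assumption: the internal LAN
acl SSL_ports port 443 563               # https and snews
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports      # refuses CONNECT host:25 and the like
http_access allow localnet               # inside the LAN may use the proxy
http_access deny all                     # everyone else is refused
```

After reloading Squid, the telnet test quoted above, run from a host outside localnet, should get an HTTP 403 rather than `200 Connection established`.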
    



    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 18:54:23 PST