On Wed, 16 Oct 2002, Alain Fauconnet wrote:

> Hugo van der Kooij <hvdkooijat_private> wrote:
>
> > The most common way to send loads of spam is abusing proxies. I have seen
> > at least one attempt in our lab where a cacheflow box (hardware proxy)
> > that was supposed to be closed for this type of CONNECT request was
> > successfully used to forward spam.
>
> Welcome to the club. A Cacheflow 3000 box here has been repeatedly
> abused to send spam up to the point that I have had to filter out
> outgoing SMTP on the corresponding router port. Just as you wrote the
> configuration is "supposed to be correct", meaning that I allow
> CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
> and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
> confirms that it is rejected. However, some people *do* manage to get
> through this, I don't know how. The logs show "normal" abuse URIs i.e.
> similar to the one above, with or without "http://".
>
> I'm stuck. Anything you have found?

Unfortunately not at the moment. I am planning to put the machine up at
times when someone can babysit the segment to get a proper trace for
analysis. After which we intend to raise hell with CacheFlow.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
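
An added example, not part of the original messages: one way to audit proxy access logs for what the thread describes, namely CONNECT requests to ports other than 80 and 443, split into those the proxy refused and those it answered with a 2xx. The log format, hostnames, addresses and status codes are constructed for illustration and are not CacheFlow's.

```python
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}  # CONNECT policy stated in the thread

# Constructed sample in an assumed format: <time> <client> <method> <target> <status>
# Status codes are invented; they say nothing about what a real box accepts.
SAMPLE_LOG = """\
2002-10-16T09:00:01 192.0.2.10 CONNECT shop.example.com:443 200
2002-10-16T09:00:02 192.0.2.55 CONNECT mail.example.net:25 403
2002-10-16T09:00:03 192.0.2.55 CONNECT http://mail.example.net:25 403
2002-10-16T09:00:04 192.0.2.55 CONNECT mx.example.org:25 200
2002-10-16T09:00:05 192.0.2.10 GET http://www.example.org/ 200
2002-10-16T09:00:06 192.0.2.77 CONNECT http://mx.example.org:25/ 200
2002-10-16T09:00:07 192.0.2.77 CONNECT mx.example.org:smtp 200
"""

def connect_port(target):
    """Destination port of a CONNECT target, or None if absent or not numeric.
    Handles both host:port and the http://host:port[/] form seen in the logs."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat it as an authority
    try:
        return urlsplit(target).port
    except ValueError:  # non-numeric or out-of-range port
        return None

def audit(log_text):
    """Return (through, blocked): policy-violating CONNECT lines that were
    answered 2xx versus those the proxy refused."""
    through, blocked = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "CONNECT":
            continue
        if connect_port(fields[3]) in ALLOWED_PORTS:
            continue
        # Anything else (other port, missing port, unparseable) violates policy.
        (through if fields[4].startswith("2") else blocked).append(line)
    return through, blocked

if __name__ == "__main__":
    through, blocked = audit(SAMPLE_LOG)
    print("tunnels opened against policy:")
    for entry in through:
        print("  " + entry)
    print("refused attempts: %d" % len(blocked))
```

The "through" list is the set of requests worth lining up against a packet trace of the segment.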
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 15:54:07 PDT