Hugo van der Kooij <hvdkooijat_private> wrote:

> The most common way to send loads of spam is abusing proxies. I have seen
> at least one attempt in our lab where a cacheflow box (hardware proxy)
> that was supposed to be closed for this type of CONNECT request was
> successfully used to forward spam.

Welcome to the club. A Cacheflow 3000 box here has been repeatedly abused to send spam, up to the point that I have had to filter out outgoing SMTP on the corresponding router port.

Just as you wrote, the configuration is "supposed to be correct", meaning that I allow CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080 and try various combinations of CONNECT some.mail.server:25 HTTP/1.1) confirms that it is rejected. However, some people *do* manage to get through this, I don't know how. The logs show "normal" abuse URIs, i.e. similar to the one above, with or without "http://".

I'm stuck. Anything you have found?

BTW this seems to be related to our *downgrading* CacheOS to v3.1 for stability reasons (4.x is just too unstable on this heavily loaded box).

Greets,
_Alain_

"I've RTFM. It says: `see your system administrator'. But... *I* am the system administrator"
(DECUS US symposium session title, author unknown, ca. 1990)
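Added example, not part of the original message: one way to sift proxy logs for CONNECT requests outside the 80/443 policy described above, normalising targets written with or without "http://" and marking which ones the proxy actually tunnelled. The log layout, sample lines and function names are assumptions constructed for illustration, not the CacheOS log format.

```python
import re
from urllib.parse import urlsplit

ALLOWED_CONNECT_PORTS = {80, 443}  # the policy stated in the message

# Constructed sample lines in an assumed "client status method target" layout.
# This is not the CacheOS log format; adapt LINE_RE to the real one.
SAMPLE_LOG = """\
192.0.2.10 200 CONNECT www.example.com:443
192.0.2.77 403 CONNECT mail.example.net:25
192.0.2.77 200 CONNECT http://mail.example.net:25
192.0.2.77 200 CONNECT http://mail.example.net:25/
192.0.2.10 200 GET http://www.example.com/index.html
192.0.2.91 200 CONNECT mail.example.net
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>\S+)\s+(?P<target>\S+)$")

def connect_target(target):
    """Return (host, port) for a CONNECT target, with or without a scheme."""
    if "://" not in target:
        target = "//" + target          # let urlsplit treat it as host:port
    parts = urlsplit(target)
    try:
        return parts.hostname, parts.port   # port is None when absent
    except ValueError:                      # non-numeric or out-of-range port
        return parts.hostname, None

def find_violations(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """List CONNECT requests whose port is missing or outside the policy."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["method"].upper() != "CONNECT":
            continue
        host, port = connect_target(m["target"])
        if port not in allowed:
            hits.append({
                "client": m["client"], "host": host, "port": port,
                "target": m["target"],      # keep the form exactly as logged
                "tunnelled": m["status"].startswith("2"),  # 2xx: tunnel opened
            })
    return hits

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print(hit)
```

Comparing the logged `target` of the entries with `tunnelled` set against the rejected ones shows which written form of the request the filter failed to match.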
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 16:14:43 PDT