RE: Cacheflow proxy abuse (was: no subject)

From: Jeremy Junginger (jjungingerat_private)
Date: Wed Oct 16 2002 - 16:06:37 PDT

  • Next message: Michael Katz: "Re: Source of Windows PopUp SPAM"

    It may be a good test to see if the cacheflow will proxy for any of your
    external addresses (even the ones you have defined as "not to be
    cached").  In my experience with the cacheflow, I noticed that it will
    act as an anonymous proxy for any external IP it was caching for.  IMHO,
    the cacheflow is nothing more than a very heavy, expensive paperweight
    or doorstop.  Get rid of it and enjoy the feeling of having a secure
    network.
    
    -Jeremy
    
    -----Original Message-----
    From: Hugo van der Kooij [mailto:hvdkooijat_private] 
    Sent: Tuesday, October 15, 2002 10:49 PM
    To: Incidents Mailing List
    Subject: Re: Cacheflow proxy abuse (was: no subject)
    
    
    On Wed, 16 Oct 2002, Alain Fauconnet wrote:
    
    > Hugo van der Kooij <hvdkooijat_private> wrote:
    > 
    > > The most common way to send loads of spam is abusing proxies. I have
    > > seen at least one attempt in our lab where a cacheflow box (hardware
    > > proxy) that was supposed to be closed for this type of CONNECT request
    > > was successfully used to forward spam.
    > 
    > Welcome to the club. A Cacheflow 3000 box here has been repeatedly
    > abused to send spam up to the point that I have had to filter out
    > outgoing SMTP on the corresponding router port. Just as you wrote, the
    > configuration is "supposed to be correct", meaning that I allow
    > CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
    > and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
    > confirms that it is rejected. However, some people *do* manage to get
    > through this, I don't know how. The logs show "normal" abuse URIs, i.e.
    > similar to the one above, with or without "http://".
    > 
    > I'm stuck. Anything you have found?
    
    Unfortunately not at the moment. I am planning to put the machine up at
    times when someone can babysit the segment to get a proper trace for
    analysis.
    
    After which we intend to raise hell with CacheFlow.
    
    Hugo.
    
    -- 
     All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
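The thread above describes a proxy whose CONNECT policy appears correct under a manual telnet test, yet whose logs still show forwarding to mail servers, with the target written "with or without http://". The script below is an added example, not code from any poster or from CacheFlow: it walks proxy access-log lines and flags every request whose effective target port is outside the permitted set, whether the request arrived as CONNECT host:port, as an absolute URI with a scheme and explicit port, or as a bare host:port with no scheme at all. The log format (client, method, request target, status) and the sample lines are constructed for the example and do not reproduce real CacheFlow log output; the port allow-list mirrors the "80 and 443 only" policy stated in the thread.

```python
import re
from urllib.parse import urlsplit

# Ports the proxy policy is supposed to permit (from the thread: 80 and 443 only).
ALLOWED_PORTS = {80, 443}

# Constructed sample log lines (not real CacheFlow output). Assumed format:
#   client_ip method request_target status
SAMPLE_LOG = """\
203.0.113.5 CONNECT mail.example.net:25 403
203.0.113.5 CONNECT mail.example.net:443 200
198.51.100.7 GET http://www.example.com/index.html 200
198.51.100.7 GET http://mail.example.net:25/ 200
198.51.100.7 GET mail.example.net:25 200
192.0.2.9 POST http://www.example.com:8080/api 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$'
)


def target_host_port(method, target):
    """Return the (host, port) a request asks the proxy to reach, or None.

    Handles the three request-target shapes seen in the thread:
    CONNECT host:port, http://host:port/path, and a bare host:port.
    """
    if method == 'CONNECT':
        host, sep, port = target.rpartition(':')
        if not sep or not port.isdigit():
            return None
        return host, int(port)

    # Absolute-URI form with a scheme, e.g. http://host:25/
    if '://' in target:
        parts = urlsplit(target)
        if parts.hostname is None:
            return None
        port = parts.port
        if port is None:
            port = 443 if parts.scheme == 'https' else 80
        return parts.hostname, port

    # Scheme-less host:port form, the "without http://" case from the thread
    host, sep, rest = target.partition(':')
    port_str = rest.split('/', 1)[0]
    if sep and port_str.isdigit():
        return host, int(port_str)
    return None


def find_tunnel_abuse(log_text):
    """Flag requests whose effective target port is not in ALLOWED_PORTS.

    The response status is kept so that successful (2xx) forwards to a
    disallowed port, i.e. a policy bypass, can be told apart from attempts
    the proxy actually rejected.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hp = target_host_port(m['method'], m['target'])
        if hp is None:
            continue
        host, port = hp
        if port not in ALLOWED_PORTS:
            status = int(m['status'])
            findings.append({
                'client': m['client'],
                'method': m['method'],
                'host': host,
                'port': port,
                'status': status,
                'forwarded': 200 <= status < 300,
            })
    return findings


if __name__ == '__main__':
    for f in find_tunnel_abuse(SAMPLE_LOG):
        verdict = 'FORWARDED' if f['forwarded'] else 'rejected'
        print(f"{f['client']} {f['method']} {f['host']}:{f['port']} "
              f"status={f['status']} {verdict}")
```

On the constructed sample this reports four requests to ports other than 80 and 443; three of them carry a 2xx status, which is the case Alain describes: a policy that blocks the obvious CONNECT to port 25 while the same destination still goes through when written as an absolute URI or a bare host:port. Running a check like this over the real proxy logs, rather than only probing with telnet, is what would confirm which request shapes the box actually forwards.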
    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 20:46:18 PDT