Hello, I work at a cable ISP and lots of our customers have open wingate, squid or socks proxies. These are regularly being used by spammers to send their scum. I recently visited some of our customers to get their logs. I would like to know how exactly these spams are being send. ie if some one can tell me how to replicate this via a telnet session to the relevent port it will be great. Also which tools are being used by spammers to scan our network, any one have any IDS signature for the scanning? How these cases are being handled else where. One problem we have faced is that the actual users are clueless about what is going on. Are people blocking squid and socks ports at the border router? How can I scan my own network to see who are all vulnarable? Any help in tackling this menace will be much appriciated. regards, raj Squid log: 1038090742.917 17655 68.152.32.164 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com - Wingate: 12/04/02 08:28:19 206.135.212.7 Guest 0000000001 Requested: SSL://204.127.134.23:25 Socks: 11/05/02 11:12:45 209.203.71.250 Guest 0000002153 Requested: SOCKS5 Connect 212.209.223.105:25 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 19:42:19 PST