Re: Spam via proxy

From: Volker Tanger (volker.tangerat_private)
Date: Mon Dec 09 2002 - 02:10:46 PST


    Greetings!
    
    listuser wrote:
    
    > I work at a cable ISP and lots of our customers have open wingate, 
    > squid or socks proxies. These are regularly being used by spammers to 
    > send their scum. 
    
    The ancient "Proxy vulnerability" as in
    http://www.securityfocus.com/bid/4131
    
    This general problem has been known to be an issue with plain HTTP 
    proxies like the Squid for ages (e.g. 
    http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).
    
    
    > ie if someone can tell me how to replicate this via a telnet session 
    > to the relevant port it will be great. 
    
    
    The vulnerability can be exploited using the CONNECT method to
    connect to a different server, e.g. an internal mailserver as
    port usage is completely unrestricted by the ISVW proxies V 3.6
    
    Example:
    	you = 6.6.6.666
    	Trendmicro ISVW = 1.1.1.1  (http proxy at port 80)
    	Internal Mailserver = 2.2.2.2
    
    	connect with "telnet 1.1.1.1 80" to ISVW proxy and enter
    	followed with two linefeeds:
    	CONNECT 2.2.2.2:25 / HTTP/1.0
    
    	response: mail server banner - and running SMTP session e.g.
    	to send SPAM from.
    
    You can connect to any TCP port on any machine the proxy
    can connect to. Telnet, SMTP, POP, etc. You can see it in the logs you 
    provided as CONNECT (squid), SSL (wingate) methods - all to port 25 (smtp).
    
    > How these cases are being handled elsewhere. One problem we have 
    > faced is that the actual users are clueless about what is going on. 
    > Are people blocking squid and socks ports at the border router? 
    
    For squid see above URL. For TrendMicro ISVW see 
    http://online.securityfocus.com/archive/1/302200
    
    Generally we (advise to) put any proxy into a (separate) DMZ which only 
    is accessible via a firewall (the usual 3-leg firewall config) that is 
    blocking all but the identified, needed connections.
    
    Bye
    
    Volker Tanger
    IT-Security Consulting
    
    -- 
    discon gmbh
    Wrangelstraße 100
    D-10997 Berlin
    
    fon    +49 30 6104-3307
    fax    +49 30 6104-3461
    
    volker.tangerat_private
    http://www.discon.de/
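The CONNECT/SSL-to-port-25 pattern described in this reply is easy to pick out of a proxy log. The script below is an added example (not part of Volker's post, nor Squid or Trend Micro code): it parses lines in Squid's native access.log format, flags every CONNECT whose target port is outside an allow-list (assumed here to be only 443), records whether the proxy actually opened the tunnel (2xx status) or denied it, and counts opened tunnels per client so the ISP can see which customers' proxies are being abused. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not taken from the post).
# Fields: timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1039426246.123   1200 10.0.0.5 TCP_MISS/200 1500 CONNECT 192.0.2.10:25 - DIRECT/192.0.2.10 -
1039426247.456    800 10.0.0.5 TCP_MISS/200 1400 CONNECT 192.0.2.11:25 - DIRECT/192.0.2.11 -
1039426248.789    300 10.0.0.9 TCP_MISS/200 9000 CONNECT mail.example.net:443 - DIRECT/203.0.113.7 -
1039426249.012    100 10.0.0.5 TCP_MISS/200 2000 GET http://www.example.com/ - DIRECT/203.0.113.8 text/html
1039426250.345    500 10.0.0.5 TCP_DENIED/403 300 CONNECT 192.0.2.12:25 - NONE/- -
this line is garbage and must be skipped
"""

# Assumption: HTTPS is the only tunnel destination this proxy is meant to serve.
ALLOWED_CONNECT_PORTS = {443}


def parse_line(line):
    """Return a dict for a well-formed native-format line, or None for anything else."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, elapsed, client, code_status, nbytes, method, url = parts[:7]
    if "/" not in code_status:
        return None
    try:
        status = int(code_status.split("/", 1)[1])
    except ValueError:
        return None
    return {"ts": ts, "client": client, "status": status, "method": method, "url": url}


def target_port(url):
    """Destination port of a CONNECT target ('host:port'); None if no numeric port is present."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def find_tunnel_abuse(log_text, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Every CONNECT to a port outside allowed_ports, with whether the proxy let it through."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = target_port(rec["url"])
        if port is None or port in allowed_ports:
            continue
        findings.append({
            "client": rec["client"],
            "target": rec["url"],
            "port": port,
            # A 2xx means the proxy opened the tunnel; TCP_DENIED/403 means the ACL stopped it.
            "tunnel_opened": 200 <= rec["status"] < 300,
        })
    return findings


def clients_by_open_tunnels(findings):
    """Count successfully opened off-policy tunnels per client, so the noisiest sources come first."""
    return Counter(f["client"] for f in findings if f["tunnel_opened"])


if __name__ == "__main__":
    hits = find_tunnel_abuse(SAMPLE_LOG)
    for h in hits:
        state = "OPENED" if h["tunnel_opened"] else "denied"
        print(f"{h['client']} -> {h['target']} (port {h['port']}) {state}")
    print("open tunnels per client:", dict(clients_by_open_tunnels(hits)))
```

Run it against a real access.log by reading the file into `find_tunnel_abuse`. The denied line in the sample is what the log looks like once Squid's standard `SSL_ports` ACL restricts CONNECT to 443, as the FAQ entry linked above recommends; WinGate logs the same abuse under its SSL method, so the port extraction applies there too once the line format is adapted.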
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 21:33:44 PST