On Sat, 7 Dec 2002, listuser wrote:

> I work at a cable ISP and lots of our customers have open wingate, squid
> or socks proxies. These are regularly being used by spammers to send
> their scum. I recently visited some of our customers to get their logs.
> I would like to know how exactly these spams are being sent, i.e. if
> someone can tell me how to replicate this via a telnet session to the
> relevant port it will be great. Also which tools are being used by
> spammers to scan our network, anyone have any IDS signature for the
> scanning? How are these cases being handled elsewhere? One problem we
> have faced is that the actual users are clueless about what is going on.
> Are people blocking squid and socks ports at the border router? How can
> I scan my own network to see who are all vulnerable?

I have no idea what tools the spammers are using, but the basic idea is to
find systems with various flavors of open proxies. As you already know,
squid, wingate, socks, and others can be abused if left open. How they're
abused is really just a matter of speaking the right protocol. I'm sure
with a little searching, you'll find several security tools capable of
scanning for various types of proxies...but in addition to finding them,
you'd need to also come up with tests for openness. The first one that
comes to mind is www.nessus.org (but I don't know if it'll fit your needs).

As for how the spam is sent, you connect to the proxy, request a connection
to a mail server on port 25, and then you're talking SMTP to the mail
server through the proxy.

> Squid log: 1038090742.917 17655 68.152.32.164 TCP_MISS/000 0 CONNECT
> freewebemail.com:25 - DIRECT/freewebemail.com -

That one pretty much demonstrates it for HTTP proxies like squid. i.e. (X
inserted for anonymity) here's another open squid proxy.

$ telnet X.X.148.68 3128
Trying X.X.148.68...
Connected to X.X.148.68.
Escape character is '^]'.
CONNECT 205.206.231.9:25 HTTP/1.0
HTTP/1.0 200 Connection established
220 securityfocus.com ESMTP
helo test
250 securityfocus.com
mail from:<>
250 ok
rcpt to:<>
250 ok
rset
250 flushed
quit
221 securityfocus.com
Connection closed by foreign host.

----------------------------------------------------------------------
 Jon Lewis *jlewisat_private*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
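A defender-side companion to the Squid log line quoted in the thread: this is an added example (mine, not code from either poster) that parses Squid's native access.log layout and flags CONNECT requests to port 25, so an ISP can see which customer proxies are relaying mail and how often. The sample log lines are constructed, and the client addresses (10.0.0.x) are made up; the first line mirrors the thread's entry with the real client IP replaced.

```python
"""Flag CONNECT requests to SMTP ports in Squid native access.log lines."""
from collections import Counter

# Constructed sample lines in Squid's native access.log layout
# (time elapsed client code/status bytes method URL ident peer/host type).
# Line 1 mirrors the thread's entry with a made-up client IP; the rest is filler.
SAMPLE_LOG = """\
1038090742.917 17655 10.0.0.5 TCP_MISS/000 0 CONNECT freewebemail.com:25 - DIRECT/freewebemail.com -
1038090743.102 230 10.0.0.9 TCP_MISS/200 5123 GET http://www.example.org/ - DIRECT/www.example.org text/html
1038090744.500 12001 10.0.0.5 TCP_MISS/200 800 CONNECT mx.example.net:25 - DIRECT/mx.example.net -
1038090745.001 90 10.0.0.9 TCP_MISS/200 1400 CONNECT secure.example.com:443 - DIRECT/secure.example.com -
not a squid line at all
"""

SMTP_PORTS = {25}  # the thread only discusses 25; add 465/587 if your policy covers them

def parse_line(line):
    """Split one native-format line; return None for malformed input."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    # (timestamp, client, code/status, method, url)
    return ts, fields[2], fields[3], fields[5], fields[6]

def find_smtp_relays(log_text, ports=SMTP_PORTS):
    """Return (client, target_host, port, code/status) for each CONNECT to an SMTP port."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, client, status, method, url = parsed
        if method != "CONNECT":
            continue
        host, sep, port = url.rpartition(":")  # CONNECT URLs are host:port
        if sep and port.isdigit() and int(port) in ports:
            hits.append((client, host, int(port), status))
    return hits

def relaying_clients(log_text):
    """Rank internal clients by how many SMTP relays they pushed through the proxy."""
    return Counter(hit[0] for hit in find_smtp_relays(log_text)).most_common()

if __name__ == "__main__":
    print(find_smtp_relays(SAMPLE_LOG), relaying_clients(SAMPLE_LOG))
```

Feed it a real access.log and the top entries of relaying_clients are the customers whose proxies need to be closed or firewalled.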
This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 21:50:26 PST