On Saturday 07 December 2002 12:52 pm, listuser wrote:
> I work at a cable ISP and lots of our customers have open wingate, squid or
> socks proxies. These are regularly being used by spammers to send their
> scum. I recently visited some of our customers to get their logs. I would
> like to know how exactly these spams are being sent, i.e. if someone can
> tell me how to replicate this via a telnet session to the relevant port it
> will be great. Also, which tools are being used by spammers to scan our
> network? Does anyone have an IDS signature for the scanning? How are these
> cases being handled elsewhere? One problem we have faced is that the actual
> users are clueless about what is going on. Are people blocking squid and
> socks ports at the border router? How can I scan my own network to see who
> is vulnerable?

Hi,

You might be surprised at the various types of activity going on with these
proxy servers; it's not just spam. I wrote an article on this subject that
may be of some interest to you:

Exposing the Underground: Adventures of an Open Proxy Server
http://www.securitywriters.org/texts.php?op=display&id=54

There are programs to scan for open proxy servers, but you can also just try
using nmap on well-known proxy ports (1080, 8080, 3128... sometimes 80 and 81).
Then telnet to the port and try something like:
"GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates they
are at least open to HTTP proxying.

This is a problem, but it's not as bad as some servers, which allow you to
connect out on any port. For your spam example, try
"CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the address of some mailserver
you own. If you get the SMTP banner, your suspicions are confirmed.

Good luck!
-Joe

-- 
Joe Stewart <jstewartat_private>
Senior Information Security Analyst
-----------------------------------------
"24x7 Enterprise Security Monitoring"
LURHQ Corporation
http://www.lurhq.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
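The two telnet probes described in the reply (a plain GET through the proxy, then a CONNECT to port 25 of a mail server you own) can be scripted so an ISP can audit its own address space and get a consistent verdict per host. The following is an added example written for this archive page; it is not code from Joe Stewart, LURHQ or the original thread. It assumes the operator supplies the customer address, the proxy port found with nmap, and the address of a mail server they control; the sample responses in SAMPLE_RESPONSES are constructed so the classifier can be exercised offline.

```python
"""Audit a suspected open proxy with the GET and CONNECT probes from the post."""
import re
import socket
import sys

_STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def build_get_probe(url="http://www.yahoo.com/"):
    """First check from the post: does the port proxy plain HTTP at all?"""
    return f"GET {url} HTTP/1.0\r\n\r\n"


def build_connect_probe(mail_server, port=25):
    """Second check: will the proxy tunnel raw TCP to port 25 of a host we own?"""
    return f"CONNECT {mail_server}:{port} HTTP/1.0\r\n\r\n"


def classify_get(response: bytes) -> str:
    """'open' if the URL was fetched for us, 'closed' on a refusal, else 'unknown'."""
    m = _STATUS_RE.match(response)
    if not m:
        return "unknown"          # not an HTTP status line at all (wrong service, banner, etc.)
    code = int(m.group(1))
    if code == 200:
        return "open"
    if code in (400, 403, 407):   # 407 = proxy wants credentials, so not an open proxy
        return "closed"
    return "unknown"


def classify_connect(response: bytes) -> str:
    """Detect a tunnel that delivered our own mail server's SMTP banner back to us."""
    m = _STATUS_RE.match(response)
    if not m or not 200 <= int(m.group(1)) < 300:
        return "closed"
    # Everything after the proxy's header block came through the tunnel from port 25.
    _, _, body = response.partition(b"\r\n\r\n")
    if body.startswith(b"220"):
        return "open-relay-path"  # the SMTP banner arrived: spam can be relayed this way
    return "tunnel-no-banner"     # tunnel accepted but nothing read yet; re-check with a longer timeout


def probe(proxy_host, proxy_port, request, timeout=5.0) -> bytes:
    """Send one probe on a fresh connection and return whatever arrives before the timeout."""
    chunks = []
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request.encode())
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def audit(proxy_host, proxy_port, own_mail_server):
    """Run both probes against one customer host and return the two verdicts."""
    get_verdict = classify_get(probe(proxy_host, proxy_port, build_get_probe()))
    connect_verdict = classify_connect(
        probe(proxy_host, proxy_port, build_connect_probe(own_mail_server)))
    return {"http_proxy": get_verdict, "connect_25": connect_verdict}


# Constructed sample replies (not captured traffic) so the classifier can be tried offline.
SAMPLE_RESPONSES = {
    "get_open": b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...",
    "get_auth_required": b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n",
    "connect_relay": b"HTTP/1.0 200 Connection established\r\n\r\n220 mx.example.test ESMTP\r\n",
    "connect_refused": b"HTTP/1.0 403 Forbidden\r\n\r\n",
}


def demo():
    """Classify the constructed samples; returns the verdicts for inspection."""
    return {
        "get_open": classify_get(SAMPLE_RESPONSES["get_open"]),
        "get_auth_required": classify_get(SAMPLE_RESPONSES["get_auth_required"]),
        "connect_relay": classify_connect(SAMPLE_RESPONSES["connect_relay"]),
        "connect_refused": classify_connect(SAMPLE_RESPONSES["connect_refused"]),
    }


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python proxyaudit.py <customer-host> <proxy-port> <mail-server-you-own>
        print(audit(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
    else:
        print(demo())
```

A 407 is treated as closed because an authenticating proxy is not the open relay the thread is about; a 2xx on CONNECT with no banner within the timeout is reported separately rather than as clean, since a slow mail server can produce exactly that and the host deserves a second look.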
This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 22:03:11 PST