Re: Spam via proxy

From: Joe Stewart (jstewartat_private)
Date: Mon Dec 09 2002 - 05:31:59 PST

Next message: Carlo Costanzo: "RE: EBay Fraud Attempt"

Previous message: Bojan Zdrnja: "RE: A small quandary"
In reply to: listuser: "Spam via proxy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Saturday 07 December 2002 12:52 pm, listuser wrote:

> I work at a cable ISP and lots of our customers have open wingate, squid or
> socks proxies. These are regularly being used by spammers to send their
> scum. I recently visited some of our customers to get their logs. I would
> like to know how exactly these spams are being send. ie if some one can
> tell me how to replicate this via a telnet session to the relevent port it
> will be great. Also which tools are being used by spammers to scan our
> network, any one have any IDS signature for the scanning? How these cases
> are being handled else where. One problem we have faced is that the actual
> users are clueless about what is going on. Are people blocking squid and
> socks ports at the border router? How can I scan my own network to see who
> are all vulnarable?

Hi,
You might be surprised at the various types of activity going on with these
proxy servers; it's not just spam. I wrote an article on this subject that may 
be of some interest to you:

Exposing the Underground: Adventures of an Open Proxy Server
http://www.securitywriters.org/texts.php?op=display&id=54

There are programs to scan for open proxy servers, but you can also just
try using nmap on well-known proxy ports (1080,8080,3128... sometimes
80 and 81). Then telnet to the port and try something like:
"GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates
they are at least open to HTTP proxying. This is a problem, but it's not as
bad as some servers, which allow you to connect out on any port. For your
spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the
address of some mailserver you own. If you get the SMTP banner, your
suspicions are confirmed.

Good luck!.

-Joe

-- 
   Joe Stewart  <jstewartat_private>
  Senior Information Security Analyst 
-----------------------------------------
 "24x7 Enterprise Security Monitoring"
LURHQ Corporation  http://www.lurhq.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Carlo Costanzo: "RE: EBay Fraud Attempt"
Previous message: Bojan Zdrnja: "RE: A small quandary"
In reply to: listuser: "Spam via proxy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 22:03:11 PST