abuse of open transparent proxies

[horape () tinuviel compendium net ar]

¡Hola!

I don't know if this is new or not, but couldn't find anything about this
when googling.

I've just found an interesting attack against a friend's transparent proxy.

The proxy was set up so that any connection to port 80 was proxied (no acl's) 

There is some spammer, herbal-place.com, using DNS views to exploit the proxy.

To everybody but the proxy, it says that www.herbal-place.com's address is the
proxy's one. To the proxy, it answers with their true IP.

Result: my friend pay the bandwidth for the spammers.

They have an automated system controlling this (30 seconds after we close the
proxy they changed to abuse a new one)

Saludos,
                                        HoraPe
---
Horacio J. Peña
horape () compendium com ar
horape () uninet edu
horape () hcdn gov ar

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com