Security Incidents mailing list archives

Re: Cacheflow proxy abuse (was: no subject)


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 16 Oct 2002 07:49:20 +0200 (CEST)

On Wed, 16 Oct 2002, Alain Fauconnet wrote:

Hugo van der Kooij <hvdkooij () vanderkooij org> wrote:

The most common way to send loads of spam is abusing proxies. I have seen 
at least one attempt in our lab where a cacheflow box (hardware proxy) 
that was supposed to be closed for this type of CONNECT request was 
successfully used to forward spam.

Welcome to the club. A Cacheflow 3000 box here has been repeatedly
abused to send spam up to the point that I have had to filter out
outgoing SMTP on the corresponding router port. Just as you wrote the
configuration is "supposed to be correct", meaning that I allow
CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
confirms that it is rejected. However, some people *do* manage to get
through this, I don't know how. The logs show "normal" abuse URIs i.e.
similar to the one above, with or without "http://".

I'm stuck. Anything you have found?

Unfortunately not at the moment. I am planning to put the machine up at 
times when someone can babysit the segment to get a proper trace for 
analysis.

After which we intend to raise hell with CacheFlow.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
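The thread describes a proxy that is meant to allow CONNECT only to ports 80 and 443, yet whose logs show spam relaying through "normal" abuse URIs written with or without a scheme. The following is an added example (not code from either poster, and not a CacheFlow tool): a small Python checker that parses access-log request lines, works out the destination port for the three spellings mentioned (CONNECT host:port, an absolute URI with an explicit port, and a bare host:port), and reports every request aimed at a port outside the allowed set, separating rejected attempts from ones the proxy actually served. The log layout and all sample lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Policy from the thread: proxied requests should only reach 80 and 443.
ALLOWED_PORTS = {80, 443}

# Constructed sample access-log lines in an assumed, simplified
# "client method target status" layout; these are not real log entries.
SAMPLE_LOG = """\
192.0.2.10 CONNECT www.example.com:443 200
192.0.2.11 GET http://www.example.com/index.html 200
198.51.100.7 CONNECT mail.example.net:25 403
198.51.100.7 GET http://mail.example.net:25/ 200
198.51.100.7 GET mail.example.net:25 200
203.0.113.5 CONNECT 203.0.113.9:8080 200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)

def target_port(method: str, target: str) -> Optional[int]:
    """Return the destination port implied by a proxied request target.

    Handles the spellings mentioned in the thread:
      CONNECT host:port            (authority form)
      GET http://host:port/path    (absolute URI with explicit port)
      GET host:port                (absolute URI with the scheme dropped)
    Returns None when no port can be determined.
    """
    if method == "CONNECT":
        _host, sep, port = target.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    m = re.match(r"^(?:(?P<scheme>[a-z]+)://)?(?P<authority>[^/]+)", target, re.I)
    if not m:
        return None
    _host, sep, port = m.group("authority").rpartition(":")
    if sep and port.isdigit():
        return int(port)
    # No explicit port: fall back to the scheme's default (http if absent).
    scheme = (m.group("scheme") or "http").lower()
    return {"http": 80, "https": 443}.get(scheme)

Hit = Tuple[str, str, str, int, int]  # client, method, target, status, port

def find_port_abuse(log_text: str) -> List[Hit]:
    """Return every request whose destination port is outside ALLOWED_PORTS.

    Both rejected and served requests are returned: a 403 shows the filter
    doing its job, while a 2xx on a port-25 target is a bypass to investigate.
    """
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        port = target_port(m["method"], m["target"])
        if port is not None and port not in ALLOWED_PORTS:
            hits.append((m["client"], m["method"], m["target"], int(m["status"]), port))
    return hits

def successful_bypasses(log_text: str) -> List[Hit]:
    """Only the disallowed-port requests the proxy reported as successful."""
    return [h for h in find_port_abuse(log_text) if 200 <= h[3] < 300]

if __name__ == "__main__":
    for client, method, target, status, port in find_port_abuse(SAMPLE_LOG):
        verdict = "SERVED" if 200 <= status < 300 else "rejected"
        print(f"{client} {method} {target} -> port {port}: {verdict} ({status})")
```

Run against the constructed sample, the checker flags four disallowed-port requests, three of which the proxy served; the absolute-URI and bare host:port forms on port 25 are exactly the entries a CONNECT-only filter would miss, which is the case the thread is trying to trace.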


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

