Security Incidents mailing list archives

Re: sending out spam through IRC server ?


From: "Bronek Kozicki" <brok () rubikon pl>
Date: Thu, 6 Mar 2003 16:39:02 +0100

Bronek Kozicki <brok () rubikon pl> wrote:
[...]

OK, problem resolved. Thanks all for the help. Things were a bit more
complicated than I thought, or rather I missed two important pieces
of the puzzle.

The first piece is that we are running Apache on the same W2K machine.
Shame on me, I had not noticed it before, because it was bound to a
different IP than the one reported in the spam (you can run both IIS and
Apache on port 80 of one machine if you disable IIS ConnectionPooling
and use different IPs). Anyway, this Apache is configured as a proxy to
some other host, using the ProxyPass directive. Some of my colleagues also
configured ProxyRequests On, making this server an open proxy. Bad, bad
thing, and I was just sure that such a stupid mistake could not happen in my
network :(  Because this Apache is bound to a different IP, I just missed
it when searching for the possible hole. Well, the IP accepting connections does
not have to be the same as the IP of outgoing connections, and when you add
static NAT and PAT to the picture then it's easy to miss something (this
is the other piece).

Spammers "enjoyed" it for 2 weeks, and I will be forever grateful to
spamcop.net and the anonymous spam recipients who notified me about the
problem. The interesting thing is that this server was an open proxy for
much longer than 2 weeks, and suddenly many spammers became aware
of it on Feb 18th. I guess some "spam software seller" scanned it and
inserted it into a database. If anybody is interested, I can disclose more
details (like the IPs of the spammers who abused my server).

What helped me was a network scanner - I logged TCP connections directed
to port 25 of outside-world servers (like legitimate SMTP traffic),
then found out that some requests had HTTP headers before the "HELO"
command.


B.
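The tell-tale sign described above (an HTTP request line and headers arriving on an outbound TCP/25 connection ahead of the first SMTP command) is easy to turn into a detection check. The following is an added example, not code from the original post: it classifies the client half of captured port-25 streams and flags the ones where HTTP precedes HELO/EHLO, which is what an abused forward proxy produces when a spammer POSTs SMTP commands to a mail server through it (the mail server answers the HTTP lines with 5xx errors and then happily processes the HELO that follows). The flows, addresses and hostnames are constructed for the example.

```python
"""Flag SMTP sessions that were relayed through an HTTP proxy.

Added example, not part of the original post. The sample flows below are
constructed; they are not captures from the affected server.
"""
import re
from dataclasses import dataclass

# An HTTP request line: METHOD SP target SP HTTP/x.y
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|CONNECT) +(\S+) +HTTP/\d\.\d$")

# Commands a legitimate SMTP client opens a session with or uses early on.
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
              b"NOOP", b"QUIT", b"VRFY", b"AUTH", b"STARTTLS")


@dataclass
class Flow:
    src: str            # host that opened the outbound connection (our side)
    dst: str            # remote mail server
    dport: int
    client_data: bytes  # bytes sent by the client, in order


def classify_client_stream(data: bytes) -> dict:
    """Classify the client side of one TCP/25 stream.

    verdict 'smtp'       : first command is an SMTP verb (normal MTA traffic)
    verdict 'http_relay' : an HTTP request line (plus headers) precedes the
                           first SMTP verb, i.e. SMTP pushed through a proxy
    verdict 'unknown'    : neither pattern present in the bytes seen
    Line numbers in the report are 1-based.
    """
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    first_http = first_smtp = None
    request_target = None
    in_http_headers = False
    for idx, line in enumerate(lines):
        if first_http is None:
            m = HTTP_REQUEST_LINE.match(line)
            if m:
                first_http = idx
                request_target = m.group(2).decode("ascii", "replace")
                in_http_headers = True      # headers run until the blank line
                continue
        if in_http_headers:
            if line == b"":
                in_http_headers = False     # body (the SMTP dialogue) starts here
            continue                        # header names are never SMTP verbs
        verb = line.split(b" ", 1)[0].split(b":", 1)[0].upper()
        if first_smtp is None and verb in SMTP_VERBS:
            first_smtp = idx
        if first_http is not None and first_smtp is not None:
            break

    if first_http is not None and (first_smtp is None or first_http < first_smtp):
        verdict = "http_relay"
    elif first_smtp is not None:
        verdict = "smtp"
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "http_request_target": request_target,
        "http_line": None if first_http is None else first_http + 1,
        "smtp_line": None if first_smtp is None else first_smtp + 1,
    }


def find_relayed_flows(flows):
    """Return (flow, report) pairs for every flow that looks proxied."""
    hits = []
    for flow in flows:
        report = classify_client_stream(flow.client_data)
        if report["verdict"] == "http_relay":
            hits.append((flow, report))
    return hits


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # Ordinary MTA-to-MTA session: SMTP from the first byte.
    Flow("192.0.2.10", "198.51.100.25", 25,
         b"EHLO mail.example.net\r\nMAIL FROM:<postmaster@example.net>\r\n"
         b"RCPT TO:<user@example.org>\r\nDATA\r\n"),
    # Spam relayed through an open forward proxy: HTTP POST aimed at port 25,
    # SMTP commands carried in the request body.
    Flow("192.0.2.10", "203.0.113.7", 25,
         b"POST http://203.0.113.7:25/ HTTP/1.0\r\nHost: 203.0.113.7:25\r\n"
         b"Content-Type: text/plain\r\nContent-Length: 96\r\n\r\n"
         b"HELO friend\r\nMAIL FROM:<bulk@example.com>\r\n"
         b"RCPT TO:<victim@example.org>\r\nDATA\r\n"),
    # Non-text junk on port 25: nothing recognisable either way.
    Flow("192.0.2.10", "203.0.113.9", 25, b"\x16\x03\x01\x00\x5c\x01\x00"),
]

if __name__ == "__main__":
    for flow, report in find_relayed_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {report['verdict']} "
              f"target={report['http_request_target']} http@{report['http_line']} "
              f"smtp@{report['smtp_line']}")
```

Feed it the client side of each outbound port-25 stream from whatever captures the scanner produces; the request target of the flagged flows tells you which mail servers were being relayed to. On the Apache side the corrective setting is `ProxyRequests Off` (the default), which leaves `ProxyPass` reverse proxying intact while refusing forward-proxy requests.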





