nanog mailing list archives

Re: Open relays and open proxies


From: John Payne <john () sackheads org>
Date: Thu, 24 Apr 2003 15:55:30 -0400


--On Thursday, April 24, 2003 12:16 PM -0700 Will Yardley <william+nanog () hq dreamhost com> wrote:

> On Thu, Apr 24, 2003 at 02:11:12PM -0500, Adi Linden wrote:
>
>> Is there an accepted way of blocking open proxy and open relay traffic
>> at the network edge?
>
> The obvious way would be to block the commonly abused ports...
> presumably, you will have very few customers who actually need to have
> port 1080, 3128, 8080, or whatever open. Obviously, I can't say whether
> this would be effective for your particular application.

This list of "commonly abused ports" is ever increasing. Might as well block everything and let through specific stuff if you're going down that path.

> Also, you could consider running proactive scans on your network with
> available proxy-checking tools.
>
> I use proxycheck to manually check hosts for open proxies
> (http://www.corpit.ru/mjt/proxycheck.html)... you could script this
> (or a similar tool) and run scans of your entire network.

That's what I would suggest. You could also reactively test your customers when they make a connection to your webserver or mailserver.
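
The proactive scan suggested in the thread could be scripted along these lines. This is an added example, not part of the original message and not proxycheck's code: it only tests for unauthenticated HTTP CONNECT (no SOCKS), and the function names and the 192.0.2.25:25 test destination are assumptions standing in for a listener the operator controls.

```python
import ipaddress
import socket

# Ports named in the thread; a starting point, not an exhaustive list.
PROXY_PORTS = (1080, 3128, 8080)

def is_open_connect_reply(reply: bytes) -> bool:
    """True if the first response line is an HTTP 2xx status (tunnel granted)."""
    line = reply.split(b"\r\n", 1)[0].split()
    return (len(line) >= 2 and line[0].startswith(b"HTTP/")
            and len(line[1]) == 3 and line[1].isdigit()
            and line[1].startswith(b"2"))

def probe_connect(sock, dest: str) -> bool:
    """Send an unauthenticated CONNECT for dest over an already connected socket."""
    sock.sendall(f"CONNECT {dest} HTTP/1.0\r\n\r\n".encode("ascii"))
    reply = b""
    while b"\r\n" not in reply and len(reply) < 4096:
        chunk = sock.recv(1024)
        if not chunk:
            break
        reply += chunk
    return is_open_connect_reply(reply)

def check_host(ip: str, port: int, dest: str, timeout: float = 3.0) -> bool:
    """Probe one customer address and port; any socket error counts as 'not open'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            return probe_connect(s, dest)
    except OSError:
        return False  # closed, filtered, reset, or timed out

def scan(cidr: str, dest: str, ports=PROXY_PORTS):
    """Return (ip, port) pairs inside your own range that granted the CONNECT."""
    hits = []
    for host in ipaddress.ip_network(cidr).hosts():
        for port in ports:
            if check_host(str(host), port, dest):
                hits.append((str(host), port))
    return hits

if __name__ == "__main__":
    import sys
    # usage: <script> <your-cidr> <your-test-listener host:port>
    for ip, port in scan(sys.argv[1], sys.argv[2]):
        print(f"open proxy: {ip}:{port}")
```

Pointing the CONNECT at a listener you run yourself lets you confirm from its logs that the relay really happened, rather than trusting the status line alone.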

