Pantek Library

Re: Spam via proxy

From: Joe Stewart <jstewart(at)lurhq.com>
Date: Mon Dec 09 2002 - 08:31:59 EST

On Saturday 07 December 2002 12:52 pm, listuser wrote:

> I work at a cable ISP and lots of our customers have open wingate, squid or

Hi,
You might be surprised at the various types of activity going on with these proxy servers; it's not just spam. I wrote an article on this subject that may be of some interest to you:

Exposing the Underground: Adventures of an Open Proxy Server http://www.securitywriters.org/texts.php?op=display&id=54

There are programs to scan for open proxy servers, but you can also just try using nmap on well-known proxy ports (1080,8080,3128... sometimes 80 and 81). Then telnet to the port and try something like: "GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates they are at least open to HTTP proxying. This is a problem, but it's not as bad as some servers, which allow you to connect out on any port. For your spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the address of some mailserver you own. If you get the SMTP banner, your suspicions are confirmed.

Good luck!

-Joe

-- 
   Joe Stewart  
  Senior Information Security Analyst 
-----------------------------------------
 "24x7 Enterprise Security Monitoring"
LURHQ Corporation  
http://www.lurhq.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Tue Dec 10 01:00:30 2002
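
Added example, not part of the original message: the telnet checks described above, scripted in Python so an ISP can run them against its own customer address space. The function names and result labels are hypothetical, and the target passed to the CONNECT probe is assumed to be a mail server you operate, as the message specifies.

```python
import socket

PROXY_PORTS = (1080, 8080, 3128, 80, 81)  # ports named in the message

def build_probe(kind, target):
    """Request typed into the telnet session: request line plus a blank line."""
    verbs = {"get": "GET", "connect": "CONNECT"}
    return f"{verbs[kind]} {target} HTTP/1.0\r\n\r\n".encode("ascii")

def classify(kind, reply):
    """Map the raw bytes a proxy port sent back to a finding."""
    lines = reply.decode("latin-1").splitlines()
    if not lines:
        return "no-reply"
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/"):
        return "not-http"          # e.g. a SOCKS-only listener
    if not status[1].startswith("2"):
        return "refused"           # 403/407/405: proxy is restricted
    if kind == "get":
        # Suggestive only: a plain web server may answer an absolute URI
        # with its own page, so compare the body with the real site.
        return "open-http"
    # CONNECT accepted; an SMTP greeting (220) after the proxy's headers
    # means the tunnel reached port 25 on the mail server.
    if any(l.startswith("220") for l in lines[1:]):
        return "open-connect-smtp"
    return "open-connect"

def probe(host, port, kind, target, timeout=5.0):
    """Send one probe to host:port and classify up to 4 KiB of the reply."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe(kind, target))
            try:
                while len(reply) < 4096:
                    data = s.recv(1024)
                    if not data:
                        break
                    reply += data
            except socket.timeout:
                pass               # banner may arrive late; keep what we have
    except OSError:
        return "closed"
    return classify(kind, reply)
```

A result of `open-connect-smtp` on any port in `PROXY_PORTS` corresponds to the confirmed case in the message; `open-connect` without a banner is worth repeating with a longer timeout.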

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

