Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]
From: "Ronald F. Guilmette" <rfg () monkeys com>
Date: Wed, 20 Feb 2002 16:24:11 -0800


In message <15474.53126.412930.207302 () hexadecimal uoregon edu>, you wrote:

It's not just Checkpoint Firewall that has a problem with HTTP CONNECT.
From what I can tell default installations of the CacheFlow web proxy
software, some Squid installations, some Apache installations with
proxying enabled, and some other web proxy installations I haven't
identified allow anyone to use the HTTP CONNECT method.

A reasonably complete list of the types of HTTP proxies that allow
CONNECT (e.g. to send spam) may be found at:

        http://www.monkeys.com/security/proxies/

(Note that the links that are supposed to point to additional secure con-
figuration information don't work yet, but I'm actively soliciting any and
all information regarding proper security configuration steps for the 70+
different types of HTTP/CONNECT proxies I have already positively identified.)

I collected this data from the Server: headers returned by various kinds
of known open proxies that I have already cataloged on my public open
proxy spam blocking list (proxies.relays.monkeys.com).  More info about
list list is available here:

        http://www.monkeys.com/anti-spam/filtering/proxies.html

This list currently consists of over 15,000 wide open proxies, and thanks
to large ongoing contributions from many contributors in the Internet
community, it is continuing to grow by leaps and bounds.

This is being
used more and more often to relay spam.  This is a boon for spammers
because unlike open SMTP relays which usually record some kind of useful
Received: header, open web proxies don't put any information in the mail
headers about the real origin of the spam.

Correct.  And also, mail admins are only now waking up to the fact that
they have every bit as much reason to want to block incoming e-mail from
open proxies as they do from open relays... only moreso.  (The implications
of wide-open TCP proxies that can connect to any port on any machine on
the net should be apparent to the readers of Bugtraq.)

I went around with someone at CacheFlow about this after unsecured
proxies in the cacheflow.com domain were used to relay spam, and after
seeing spam come from various unsecured CacheFlow proxies around the
Internet.  Their position is that this is supposed to be prevented by
putting the CacheFlow server behind a firewall, or using configuration
options in the CacheFlow software to prevent connections to unwanted
destination ports.  They seemed unreceptive to the idea of shipping a
CacheFlow configuration that did not allow CONNECT by default.

CacheFlow is among the top five in my list of open/abused HTTP proxies,
in terms of raw numbers of separate installations.

If Microsoft did what they are doing (shipping wide open proxies by
default) then I'm sure that some people in the security community would
be screaming bloody murder by now.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]