Security Incidents: Re: Spam via proxy

Re: Spam via proxy

From: Joe Stewart <jstewart_at_lurhq.com>
Date: Mon, 9 Dec 2002 08:31:59 -0500

On Saturday 07 December 2002 12:52 pm, listuser wrote:

> I work at a cable ISP and lots of our customers have open WinGate, Squid or
> SOCKS proxies. These are regularly being used by spammers to send their
> scum. I recently visited some of our customers to get their logs. I would
> like to know how exactly these spams are being sent, i.e. if someone can
> tell me how to replicate this via a telnet session to the relevant port it
> will be great. Also, which tools are being used by spammers to scan our
> network? Does anyone have any IDS signature for the scanning? How are these
> cases being handled elsewhere? One problem we have faced is that the actual
> users are clueless about what is going on. Are people blocking Squid and
> SOCKS ports at the border router? How can I scan my own network to see who
> is vulnerable?

Hi,
You might be surprised at the various types of activity going on with these
proxy servers; it's not just spam. I wrote an article on this subject that may
be of some interest to you:

Exposing the Underground: Adventures of an Open Proxy Server
http://www.securitywriters.org/texts.php?op=display&id=54

There are programs to scan for open proxy servers, but you can also just
try using nmap on well-known proxy ports (1080,8080,3128... sometimes
80 and 81). Then telnet to the port and try something like:
"GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates
they are at least open to HTTP proxying. This is a problem, but it's not as
bad as some servers, which allow you to connect out on any port. For your
spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the
address of some mailserver you own. If you get the SMTP banner, your
suspicions are confirmed.

Good luck!

-Joe

-- 
   Joe Stewart  <jstewart_at_lurhq.com>
  Senior Information Security Analyst 
-----------------------------------------
 "24x7 Enterprise Security Monitoring"
LURHQ Corporation  http://www.lurhq.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
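The two manual telnet tests Joe describes (the `GET http://... HTTP/1.0` check and the `CONNECT x.x.x.x:25 HTTP/1.0` check against a mailserver you own) can be scripted so an ISP can sweep its own address space; the following is an added example, not code from the post or from the list. It assumes the customer host speaks HTTP on the probed port (SOCKS on 1080 needs a different handshake, which this does not cover) and that `own_mailserver` is an SMTP host you control.

```python
import socket

# Well-known proxy ports named in the post. 1080 is usually SOCKS; the HTTP
# probes below only yield a verdict for HTTP-speaking proxies (Squid, WinGate).
PROXY_PORTS = (1080, 8080, 3128, 80, 81)

def get_probe(url="http://www.yahoo.com/"):
    """The 'GET <url> HTTP/1.0' test from the post, terminated by a blank line."""
    return f"GET {url} HTTP/1.0\r\n\r\n".encode()

def connect_probe(own_mailserver):
    """The 'CONNECT x.x.x.x:25 HTTP/1.0' test; own_mailserver is a host you control."""
    return f"CONNECT {own_mailserver}:25 HTTP/1.0\r\n\r\n".encode()

def http_status(data):
    """Numeric status code of an HTTP response, or None if the reply is not HTTP at all."""
    first = data.split(b"\n", 1)[0].strip().split()
    if len(first) < 2 or not first[0].startswith(b"HTTP/") or not first[1].isdigit():
        return None
    return int(first[1])

def forwards_http(data):
    """True when the proxy relayed the GET (a 2xx or 3xx answer came back)."""
    code = http_status(data)
    return code is not None and 200 <= code < 400

def tunnels_smtp(data):
    """True when CONNECT returned 200 and your mailserver's SMTP banner ('220 ...') follows."""
    head, _, tail = data.partition(b"\r\n\r\n")
    return http_status(head) == 200 and tail.lstrip().startswith(b"220")

def probe(host, port, request, timeout=5.0):
    """Send one probe to host:port and return whatever arrives before the timeout."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # a silent or slow host is simply "no verdict"
    return buf
```

For a single customer host, `forwards_http(probe(host, port, get_probe()))` answers the first question and `tunnels_smtp(probe(host, port, connect_probe(own_mailserver)))` the second; a hit on the latter is the open relay path the spammers are using.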
Received on Dec 10 2002