Security Incidents
mailing list archives
Cacheflow proxy abuse (was: no subject)
From: Alain Fauconnet <alain () cscoms net>
Date: Wed, 16 Oct 2002 08:45:25 +0700
Hugo van der Kooij <hvdkooij () vanderkooij org> wrote:
The most common way to send loads of spam is abusing proxies. I have seen
at least one attempt in our lab where a cacheflow box (hardware proxy)
that was supposed to be closed for this type of CONNECT request was
successfully used to forward spam.
Welcome to the club. A Cacheflow 3000 box here has been repeatedly
abused to send spam up to the point that I have had to filter out
outgoing SMTP on the corresponding router port. Just as you wrote, the
configuration is "supposed to be correct", meaning that I allow
CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
confirms that it is rejected. However, some people *do* manage to get
through this, I don't know how. The logs show "normal" abuse URIs, i.e.
similar to the one above, with or without "http://".
I'm stuck. Anything you have found?
BTW this seems to be related to our *downgrading* CacheOS to v3.1 for
stability reasons (4.x is just too unstable on this heavily loaded
box).
Greets,
_Alain_
"I've RTFM. It says: `see your system administrator'. But... *I* am
the system administrator"
(DECUS US symposium session title, author unknown, ca. 1990)
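A log check that follows from the failure mode described in the mail (CONNECT requests to port 25 getting a successful response, with or without an "http://" prefix on the target), added here as an example and not part of the original post or of any CacheFlow software; the log line layout and the sample entries are constructed for the example and do not reproduce the CacheOS log format.

```python
import re
from urllib.parse import urlsplit

# Ports the proxy policy in the thread is meant to permit for CONNECT.
ALLOWED_CONNECT_PORTS = frozenset({80, 443})
REQUEST_RE = re.compile(r'^(?P<method>[A-Za-z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$')
# Constructed log format for this example: <client> <status> "<request line>"
LOG_RE = re.compile(r'^(?P<client>\S+)\s+(?P<status>\d{3})\s+"(?P<request>[^"]*)"$')

def parse_connect_target(request_line):
    """(host, port) for a CONNECT line, None if not a CONNECT; port is None when
    no usable port was found. Accepts both "host:port" and "http://host:port"."""
    m = REQUEST_RE.match(request_line.strip())
    if not m or m.group('method').upper() != 'CONNECT':
        return None
    target = m.group('target')
    if '://' in target:                      # scheme-prefixed variant
        parts = urlsplit(target)
        try:
            return (parts.hostname or '', parts.port)
        except ValueError:                   # non-numeric / out-of-range port
            return (parts.hostname or '', None)
    host, sep, port = target.rpartition(':')
    if sep and port.isdigit():
        return host.lower(), int(port)
    return target.lower(), None              # no explicit port: unparseable

def audit_connect_lines(log_lines, allowed_ports=ALLOWED_CONNECT_PORTS):
    """(client, status, host, port) for every CONNECT answered 2xx although the
    port is outside allowed_ports or missing; rejected attempts are skipped."""
    findings = []
    for line in log_lines:
        lm = LOG_RE.match(line.strip())
        parsed = parse_connect_target(lm.group('request')) if lm else None
        if parsed is None:
            continue
        host, port = parsed
        status = int(lm.group('status'))
        if 200 <= status < 300 and port not in allowed_ports:
            findings.append((lm.group('client'), status, host, port))
    return findings

# Constructed sample log lines, not taken from the mail or any real device.
SAMPLE_LOG = [
    '10.1.2.3 200 "CONNECT www.example.com:443 HTTP/1.1"',
    '10.1.2.3 403 "CONNECT some.mail.server:25 HTTP/1.1"',
    '192.0.2.9 200 "CONNECT http://some.mail.server:25 HTTP/1.1"',
    '192.0.2.9 200 "CONNECT mail.example.net HTTP/1.0"',
    '198.51.100.7 200 "GET http://www.example.com/ HTTP/1.0"',
]
```

Run `audit_connect_lines(SAMPLE_LOG)` over a real export to see which clients got a 2xx on a CONNECT the policy should have refused; a non-empty result is the evidence that the port restriction did not hold.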
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com