RE: Cacheflow proxy abuse (was: no subject)

From: Jeremy Junginger (jjunginger@usbestcrm.com)
Date: 10/17/02


Date: Wed, 16 Oct 2002 16:06:37 -0700
From: "Jeremy Junginger" <jjunginger@usbestcrm.com>
To: "Hugo van der Kooij" <hvdkooij@vanderkooij.org>


It may be a good test to see if the cacheflow will proxy for any of your
external addresses (even the ones you have defined as "not to be
cached"). In my experience with the cacheflow, I noticed that it will
act as an anonymous proxy for any external IP it was caching for. IMHO,
the cacheflow is nothing more than a very heavy, expensive paperweight
or doorstop. Get rid of it and enjoy the feeling of having a secure
network.

-Jeremy

-----Original Message-----
From: Hugo van der Kooij [mailto:hvdkooij@vanderkooij.org]
Sent: Tuesday, October 15, 2002 10:49 PM
To: Incidents Mailing List
Subject: Re: Cacheflow proxy abuse (was: no subject)

On Wed, 16 Oct 2002, Alain Fauconnet wrote:

> Hugo van der Kooij <hvdkooij@vanderkooij.org> wrote:
>
> > The most common way to send loads of spam is abusing proxies. I have
> > seen at least one attempt in our lab where a cacheflow box (hardware
> > proxy) that was supposed to be closed for this type of CONNECT request
> > was successfully used to forward spam.
>
> Welcome to the club. A Cacheflow 3000 box here has been repeatedly
> abused to send spam up to the point that I have had to filter out
> outgoing SMTP on the corresponding router port. Just as you wrote, the
> configuration is "supposed to be correct", meaning that I allow
> CONNECT only for ports 80 and 443. A quick test (telnet cacheflow 8080
> and try various combinations of CONNECT some.mail.server:25 HTTP/1.1)
> confirms that it is rejected. However, some people *do* manage to get
> through this, I don't know how. The logs show "normal" abuse URIs i.e.
> similar to the one above, with or without "http://".
>
> I'm stuck. Anything you have found?

Unfortunately not at the moment. I am planning to put the machine up at
times when someone can babysit the segment to get a proper trace for
analysis.

After which we intend to raise hell with CacheFlow.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
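A log check a defender could run for the situation discussed in this thread, as an added example that is not part of any poster's message: it flags CONNECT requests to ports outside the 80/443 policy, normalising targets written with or without "http://", and separates rejected attempts from ones the proxy answered with a 2xx status. The four-field log layout and every sample line are constructed assumptions, not CacheFlow's actual log format.

```python
from urllib.parse import urlsplit

ALLOWED_CONNECT_PORTS = {80, 443}  # the CONNECT policy described in the thread

# Constructed sample lines in an assumed "client METHOD target status" layout.
SAMPLE_LOG = """\
192.0.2.10 CONNECT www.example.com:443 200
192.0.2.66 CONNECT mail.example.net:25 403
192.0.2.66 CONNECT http://mail.example.net:25 200
192.0.2.66 CONNECT http://mail.example.net:25/ 200
192.0.2.10 GET http://www.example.com/index.html 200
192.0.2.77 CONNECT [2001:db8::1]:25 200
192.0.2.10 CONNECT www.example.com 200
"""

def connect_port(target):
    """Explicit port of a CONNECT target, scheme prefix or not; None if absent/invalid."""
    if "://" not in target:
        target = "//" + target  # make urlsplit treat "host:port" as an authority
    try:
        return urlsplit(target).port
    except ValueError:  # non-numeric or out-of-range port
        return None

def audit(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Return (verdict, client, target, port) for every CONNECT outside the policy."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "CONNECT":
            continue
        client, _, target, status = fields
        port = connect_port(target)
        if port in allowed:
            continue
        if port is None:
            verdict = "malformed"   # CONNECT needs an explicit host:port
        elif status.startswith("2"):
            verdict = "tunnelled"   # proxy opened the tunnel despite the policy
        else:
            verdict = "blocked"     # attempt seen, proxy refused it
        findings.append((verdict, client, target, port))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Lines reported as "tunnelled" are the ones worth correlating with a packet trace, since they show the exact request form the proxy accepted.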



