Re: Spam via proxy

From: Joe Stewart (jstewart@lurhq.com)
Date: 12/09/02

    From: Joe Stewart <jstewart@lurhq.com>
    To: Rajkumar S <listuser@myrealbox.com>
    Date: Mon, 9 Dec 2002 08:31:59 -0500

    On Saturday 07 December 2002 12:52 pm, listuser wrote:

    > I work at a cable ISP and lots of our customers have open WinGate, Squid or
    > SOCKS proxies. These are regularly being used by spammers to send their
    > scum. I recently visited some of our customers to get their logs. I would
    > like to know how exactly these spams are being sent, i.e. if someone can
    > tell me how to replicate this via a telnet session to the relevant port it
    > will be great. Also, which tools are being used by spammers to scan our
    > network? Does anyone have any IDS signature for the scanning? How are these
    > cases being handled elsewhere? One problem we have faced is that the actual
    > users are clueless about what is going on. Are people blocking Squid and
    > SOCKS ports at the border router? How can I scan my own network to see who
    > is vulnerable?

    Hi,
    You might be surprised at the various types of activity going on with these
    proxy servers; it's not just spam. I wrote an article on this subject that may
    be of some interest to you:

    Exposing the Underground: Adventures of an Open Proxy Server
    http://www.securitywriters.org/texts.php?op=display&id=54

    There are programs to scan for open proxy servers, but you can also just
    try using nmap on well-known proxy ports (1080,8080,3128... sometimes
    80 and 81). Then telnet to the port and try something like:
    "GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates
    they are at least open to HTTP proxying. This is a problem, but it's not as
    bad as some servers, which allow you to connect out on any port. For your
    spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the
    address of some mailserver you own. If you get the SMTP banner, your
    suspicions are confirmed.

    Good luck!

    -Joe

    -- 
       Joe Stewart  <jstewart@lurhq.com>
      Senior Information Security Analyst 
    -----------------------------------------
     "24x7 Enterprise Security Monitoring"
    LURHQ Corporation  http://www.lurhq.com/
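The manual check Joe describes (probe the well-known proxy ports, send a proxied GET, then a CONNECT to port 25 of a mail server you own and look for the SMTP banner), as an added Python example for auditing hosts on your own address range, which is the ISP use-case in the question. This is not code from the original post; the host, port and mail-server arguments are assumptions passed on the command line, and the reply strings in the comments are constructed samples.

```python
"""Audit one host on your own network for open HTTP proxying and CONNECT
tunnelling, automating the telnet steps from the reply above."""
import socket
import sys

# Ports named in the reply as well-known proxy ports; 80/81 are optional extras.
PROXY_PORTS = (1080, 8080, 3128)

# What the manual test types after "telnet host port".
GET_PROBE = b"GET http://www.yahoo.com/ HTTP/1.0\r\n\r\n"


def _status_code(reply: bytes):
    """Return the numeric status of an HTTP status line, or None if absent."""
    first = reply.replace(b"\r\n", b"\n").split(b"\n", 1)[0]
    parts = first.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify_http_reply(reply: bytes) -> str:
    """Classify the reply to a proxied GET.

    A 2xx/3xx means the host fetched (or relayed a redirect for) a third-party
    URL on our behalf, i.e. it is "at least open to HTTP proxying".  Caveat: a
    plain web server on port 80 may also answer 200 for an absolute URI with its
    own content, so treat the CONNECT test as the conclusive one.
    """
    code = _status_code(reply)
    if code is None:
        return "no-http"        # silence, SOCKS, or something non-HTTP
    if 200 <= code < 400:
        return "open-proxy"
    if code in (403, 407):
        return "restricted"     # proxy present but refuses or wants auth
    return "error"


def classify_connect_reply(reply: bytes) -> str:
    """Classify the reply to 'CONNECT mailserver:25 HTTP/1.0'.

    "tunnel-to-smtp": proxy said 2xx and our own mail server's 220 banner came
    back through the tunnel, which confirms the spam-relay suspicion.
    """
    header, _, body = reply.replace(b"\r\n", b"\n").partition(b"\n\n")
    code = _status_code(header)
    if code is None:
        return "no-http"
    if 200 <= code < 300:
        return "tunnel-to-smtp" if body.lstrip().startswith(b"220") else "tunnel-open"
    return "refused"


def _recv_until_quiet(sock: socket.socket, timeout: float, limit: int = 4096) -> bytes:
    """Read until EOF, timeout, or `limit` bytes; banners arrive in pieces."""
    sock.settimeout(timeout)
    chunks = b""
    try:
        while len(chunks) < limit:
            piece = sock.recv(limit - len(chunks))
            if not piece:
                break
            chunks += piece
    except socket.timeout:
        pass
    return chunks


def probe(host: str, port: int, mailserver: str, timeout: float = 5.0) -> dict:
    """Run both checks against host:port; mailserver must be one you operate."""
    results = {}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(GET_PROBE)
            results["get"] = classify_http_reply(_recv_until_quiet(s, timeout))
    except OSError as exc:
        return {"get": f"unreachable: {exc}"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"CONNECT {mailserver}:25 HTTP/1.0\r\n\r\n".encode())
            results["connect"] = classify_connect_reply(_recv_until_quiet(s, timeout))
    except OSError as exc:
        results["connect"] = f"unreachable: {exc}"
    return results


if __name__ == "__main__":
    # Usage: python open_proxy_audit.py <customer-host> <your-mailserver> [port ...]
    target, own_mx = sys.argv[1], sys.argv[2]
    ports = [int(p) for p in sys.argv[3:]] or list(PROXY_PORTS)
    for p in ports:
        print(p, probe(target, p, own_mx))
```

The two classifiers are pure functions over the raw bytes, so the same logic can be pointed at saved telnet transcripts from a customer's proxy logs as well as live sockets; a result of "tunnel-to-smtp" on any port is the one that warrants a call to the customer.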
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com