Re: [squid-users] My Squid Under Attack - Help with info please.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 30 Dec 2002 06:54:45 +0100

Henrik Nordstrom wrote:
>
> Cliff wrote:
>
> > I know about port 25. And am not an open relay
> > according to my testing with the ORDB testing
> > services that I have used. I have just checked
> > again...and the results are negative.
> >
> > What does this have to do with port 3128?
> >
> > Why does using the HTTP connect method to port
> > 3128 result in some sort of connection to port 25?
> >
> > What is the exact nature of the exploit?
>
> If you allow CONNECT to port 25 then the hacker may jump via your Squid
> proxy on port 3128 to connect to port 25 on any other server, and can
> most likely circumvent any anti-relay rules of your mail transport agent
> as to your mail-transport-agent it will look like the request is coming
> from your machine.
>
> Exact nature:
>
> Spammer connects to your proxy on port 3128, instructs the proxy to
> connect to port 25 on your (or someone else's) mailserver and then sends
> the email. To the mail systems the source of the email is your proxy
> server.

And to clarify: This kind of abuse of open proxy servers is not limited
to port 25. Open proxy servers are abused in a number of different
manners to connect to various services and hide the user's real identity
from the target.

Regards
Henrik
Received on Sun Dec 29 2002 - 22:55:02 MST
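
An added example, not part of the original message or of Squid itself: a log check that flags CONNECT requests to any port outside an allowed set, covering the port 25 case and the other services mentioned above. It assumes Squid's native access.log field order and an allowed set of 443 and 563; the log lines and addresses are constructed.

```python
from collections import Counter

# Ports a proxy normally needs to tunnel to (assumption: HTTPS and NNTPS;
# adjust to your own policy).
ALLOWED_CONNECT_PORTS = {443, 563}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1041227685.101    512 203.0.113.7 TCP_MISS/200 1843 CONNECT mail.example.net:25 - DIRECT/198.51.100.25 -
1041227686.220    240 192.0.2.10 TCP_MISS/200 5120 CONNECT shop.example.com:443 - DIRECT/198.51.100.80 -
1041227687.003      2 203.0.113.7 TCP_DENIED/403 1056 CONNECT mail.example.org:25 - NONE/- text/html
1041227688.410    130 192.0.2.10 TCP_HIT/200 902 GET http://www.example.com/ - NONE/- text/html
1041227689.777    800 203.0.113.9 TCP_MISS/200 733 CONNECT [2001:db8::25]:6667 - DIRECT/2001:db8::25 -
truncated line
"""

def parse_connect(line):
    """Return (client, host, port, tunnelled) for a CONNECT entry, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, sep, port = f[6].rpartition(":")   # rpartition copes with [v6]:port
    if not sep or not port.isdigit():
        return None
    status = f[3].partition("/")[2]
    # Status 200 means the proxy opened the tunnel; 403 means an ACL refused it.
    return f[2], host.strip("[]"), int(port), status == "200"

def find_connect_abuse(lines, allowed=ALLOWED_CONNECT_PORTS):
    """List CONNECT requests to ports outside the allowed set."""
    hits = []
    for line in lines:
        rec = parse_connect(line)
        if rec and rec[2] not in allowed:
            hits.append(rec)
    return hits

def relayed_per_client(hits):
    """Count tunnels that were actually established, per client address."""
    return Counter(client for client, _, _, ok in hits if ok)

if __name__ == "__main__":
    found = find_connect_abuse(SAMPLE_LOG.splitlines())
    for client, host, port, ok in found:
        print(f"{client} -> {host}:{port} {'TUNNELLED' if ok else 'denied'}")
    print(dict(relayed_per_client(found)))
```

Entries marked as tunnelled are the ones where the proxy actually relayed the connection; denied entries show the access rules refusing the attempt.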

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:15 MST