Re: [squid-users] spammer abusing my proxy server

From: Amos Jeffries <squid3@dont-contact.us>
Date: Mon, 07 May 2007 02:06:05 +1200

Adrian Chadd wrote:
> On Sun, May 06, 2007, Tek Bahadur Limbu wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dear All,
>>
>> One of my clients is abusing my proxy server to send spam to different groups on the internet.
>> But I have only been given the details below.
>>
>> I understand that there should be some kind of X-Forwarded-For IP address, right? How do I get the IP of the offending user besides checking all my access logs?
>
> The X-Forwarded-For header is set for HTTP requests. This news post
> is done via some HTTP to NNTP gateway program/script and thus doesn't
> automagically mean the X-Forwarded-For IP will be in there.
>
> You're more than likely going to have to run through your access logs.
>
>
>
> Adrian

Yes, to find the culprit you will have to check your log. At least
Google provides you some helpful info:
    Posted: 5 May 2007 03:11:15 GMT
    User-Agent: G2/1.0
    X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1),gzip(gfe),gzip(gfe)
    X-HTTP-Via: 1.1 myproxy.com:3128 (squid/2.6.STABLE9)

Look for a CONNECT or similar method to port 119. If you find one it's
as easy as adding a port deny to your squid acls.
By default, and for the future with a safely closed proxy, you really should have:

   acl SSL_Ports port 443
   http_access deny CONNECT !SSL_Ports

Other than that ... all you can do is check that the X-Forwarded-For is
sent and call it another Google Groups failure to add it.
From my point of view it looks like your server is passing at least one Via:
header (myproxy.com) and Google is seeing that.

If myproxy.com is not you, then you will want to block clients' access to
port 3128 on remote servers too ;-)

Amos

>
>> Can somebody shed some light on how to prevent these incidents from recurring in the future?
>> Thanks in advance!
>>
>> SPAM Details:
>>
>> Path:
>> authen.puce.readfreenews.net!green.octanews.net!news-out.octanews.net!news.glorb.com!postnews.google.com!u30g2000hsc.googlegroups.com!not-for-mail
>> From: spammer@gmail.com
>> Newsgroups: alt.comp.freeware
>> Subject:
>> http://www.jobsnepal.info/idevaffiliate/idevaffiliate.php?id=1515
>> Date: 4 May 2007 20:11:14 -0700
>> Organization: http://groups.google.com
>> Lines: 6
>> Message-ID: <1178334674.363813.301290@u30g2000hsc.googlegroups.com>
>> NNTP-Posting-Host: 202.xx.xx.xx (IP of my proxy server)
>> Mime-Version: 1.0
>> Content-Type: text/plain; charset="iso-8859-1"
>> X-Trace: posting.google.com 1178334675 27786 127.0.0.1 (5 May 2007
>> 03:11:15 GMT)
>> X-Complaints-To: groups-abuse@google.com
>> NNTP-Posting-Date: Sat, 5 May 2007 03:11:15 +0000 (UTC)
>> User-Agent: G2/1.0
>> X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
>> SV1),gzip(gfe),gzip(gfe)
>> X-HTTP-Via: 1.1 myproxy.com:3128 (squid/2.6.STABLE9)
>> Complaints-To: groups-abuse@google.com
>> Injection-Info: u30g2000hsc.googlegroups.com;
>> posting-host=202.xx.xx.xx (IP of my proxy);
>> posting-account=qJA5Sw0AAAAEwNnRGJ7bd6V3Qkylk050
>> Xref: authen.puce.readfreenews.net alt.comp.freeware:544238
>>
>>
>> Specialize in website design, web hosting, database design and
>> internet marketing to improve your web position. Services include meta
>> tag programming,online job and many more
>> http://www.jobsnepal.info/idevaffiliate/idevaffiliate.php?id=1785
>>

yes
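A worked example of the log search Amos and Adrian describe, added here and not part of the original thread: it converts the article's NNTP-Posting-Date into epoch seconds, then scans Squid's native access.log for CONNECT requests to port 119 or any request to a groups.google.com host within a couple of minutes of the posting time, grouping the hits by client IP. The log lines and client addresses are constructed for the example; the log format is Squid's default native format.

```python
import re
from datetime import datetime

# Squid native access.log format (one request per line):
#   epoch.ms elapsed client_ip result/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (not from the original thread): three clients, one of which
# posts to Google Groups at the second the abusive article was injected and also
# tunnels raw NNTP through the proxy.
SAMPLE_LOG = """\
1178334600.101    45 10.1.1.20 TCP_MISS/200 8120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1178334674.500   310 10.1.1.77 TCP_MISS/200 1450 POST http://groups.google.com/group/alt.comp.freeware/post - DIRECT/192.0.2.20 text/html
1178334675.020  2200 10.1.1.77 TCP_MISS/200 9000 CONNECT news.example.net:119 - DIRECT/192.0.2.30 -
1178334690.333    60 10.1.1.42 TCP_HIT/200 2048 GET http://www.example.org/index.html - NONE/- text/html
"""


def parse_posting_date(header_value):
    """Turn an NNTP-Posting-Date value such as
    'Sat, 5 May 2007 03:11:15 +0000 (UTC)' into epoch seconds."""
    cleaned = re.sub(r"\s*\(.*\)$", "", header_value.strip())  # drop trailing '(UTC)'
    return datetime.strptime(cleaned, "%a, %d %b %Y %H:%M:%S %z").timestamp()


def suspicious_clients(log_text, posted_at, window=120):
    """Return {client_ip: [(epoch, method, url), ...]} for requests that could have
    produced the posting: a CONNECT to port 119 (raw NNTP) at any time, or any
    request to a Google Groups host within +/- window seconds of the posting time."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-native-format lines
        ts = float(m.group("ts"))
        method, url = m.group("method"), m.group("url")
        nntp_tunnel = method == "CONNECT" and url.endswith(":119")
        groups_post = "groups.google.com" in url and abs(ts - posted_at) <= window
        if nntp_tunnel or groups_post:
            hits.setdefault(m.group("client"), []).append((ts, method, url))
    return hits


if __name__ == "__main__":
    posted = parse_posting_date("Sat, 5 May 2007 03:11:15 +0000 (UTC)")
    for client, reqs in suspicious_clients(SAMPLE_LOG, posted).items():
        print(client, *(f"{m} {u}" for _, m, u in reqs), sep="\n  ")
```

Run it against the real access.log by replacing SAMPLE_LOG with the file contents; clients that show up only via the groups.google.com match are the ones X-Forwarded-For would have named had the gateway passed it along.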
Received on Sun May 06 2007 - 08:06:13 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:04 MDT