It seems that much SPAM originates from hijacked open proxy servers.
    http://www.fr2.cyberabuse.org/?page=abuse-proxy
    http://spamcop.net/fom-serve/cache/278.html

It would be possible to make a plugin that, on SMTP connect, takes the remote IP
address and does a quick check for an open proxy on the remote IP address. If it
finds an open proxy, it could block the connection and add the IP to a local DB of
IPs to block. It could also remember the IPs that passed, if that made sense from a
performance standpoint.

Would a plug-in like this be a useful tool? Worth writing?

More Background
===============

An open proxy test appears to be fairly easy:
    From:
    http://cert.uni-stuttgart.de/archive/incidents/2002/12/msg00044.html

There are programs to scan for open proxy servers, but you can also just
try using nmap on well-known proxy ports (1080,8080,3128... sometimes
80 and 81). Then telnet to the port and try something like:
"GET http://www.yahoo.com/ HTTP/1.0" and hit enter twice. This indicates
they are at least open to HTTP proxying. This is a problem, but it's not as
bad as some servers, which allow you to connect out on any port. For your
spam example, try "CONNECT x.x.x.x:25 HTTP/1.0" where x.x.x.x is the
address of some mailserver you own. If you get the SMTP banner, your
suspicions are confirmed.
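As an added example (not code from the original post or from any MTA), here is how the decision logic of the proposed plugin could look in Python: a classifier for the replies to the two probes the quoted message describes (an absolute-URI GET for plain HTTP proxying, and CONNECT to our own mailserver on port 25 for the spam-relevant tunnel), a local cache of verdicts with a TTL, and the on-connect hook. The `probe` callable, the port list, the `VerdictCache` class and the sample replies are assumptions; a real probe would open a TCP socket to the connecting IP and send the two request lines shown above.

```python
import re
import time

# Ports the quoted advice names as common proxy ports (assumed list).
PROXY_PORTS = (1080, 8080, 3128, 80, 81)
HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3})")
SMTP_BANNER = re.compile(rb"^220[ -]")

def classify(get_reply, connect_reply):
    """Interpret the replies to the two probes the quoted message describes.
    'connect': CONNECT to our own mailserver:25 answered 200 and passed our SMTP
    banner through, so the host tunnels to any port.  'get': an absolute-URI GET
    was answered 200/30x (HTTP proxying only; a plain web server on port 80 may
    do the same, so on its own this is a weak signal).  'closed': neither."""
    m = HTTP_STATUS.match(connect_reply)
    if m and m.group(1) == b"200":
        # After the status line the proxy relays the raw SMTP banner.
        if SMTP_BANNER.match(connect_reply.split(b"\r\n\r\n", 1)[-1]):
            return "connect"
    m = HTTP_STATUS.match(get_reply)
    if m and m.group(1) in (b"200", b"301", b"302"):
        return "get"
    return "closed"

class VerdictCache:
    """Local store of verdicts so an IP is probed at most once per TTL."""
    def __init__(self, ttl=3600, now=time.time):
        self.ttl, self.now, self._seen = ttl, now, {}

    def get(self, ip):
        hit = self._seen.get(ip)
        return hit[0] if hit and self.now() - hit[1] < self.ttl else None

    def put(self, ip, verdict):
        self._seen[ip] = (verdict, self.now())

def on_smtp_connect(ip, probe, cache, block=("connect", "get")):
    """Plugin hook: True accepts the connection, False rejects it.  probe(ip, port)
    returns (get_reply, connect_reply) or None if the port is closed; a real probe
    would open a TCP socket to the connecting IP and send the two request lines."""
    verdict = cache.get(ip)
    if verdict is None:
        verdict = "closed"
        for port in PROXY_PORTS:
            replies = probe(ip, port)
            if replies and classify(*replies) != "closed":
                verdict = classify(*replies)
                break
        cache.put(ip, verdict)
    return verdict not in block
```

Passing `block=("connect",)` makes the hook reject only hosts that tunnel to port 25, which is the safer policy given that a plain web server can answer an absolute-URI GET.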



Info on the AnalogX proxy server:
    From:
    http://groups.google.com/groups?q=analogx+spam&hl=en&lr=&ie=UTF-8&selm=c0-dnWpdCPkk5lajXTWcrg%40internetpro.net&rnum=1

AnalogX Proxy, a free proxy-server program that has been downloaded by more
than a million people, is automatically in the open state when it is first
installed. Mark Thompson, the author of AnalogX, said he had rebuffed the
requests of many antispam activists to distribute the software with the
security features already activated because doing so would make it harder to
set up.

"The biggest plug for the proxy is it is really easy to get it running," he
explained. Mr. Thompson said he did try to achieve a compromise by revising
the program to give people a warning about security problems every time it
starts.

Even so, Wirehub, a Dutch Internet service provider, says that 45,000 of the
150,000 open proxy servers it has identified as sending spam appear to be
using AnalogX.

Jim

James H. Thompson
[EMAIL PROTECTED]