Hello Erich,

----- Original Message -----
From: "Erich Titl" <[EMAIL PROTECTED]>
To: "Victor Berdin" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 4:08 PM
Subject: Re: [leaf-user] Safe transparent proxying via DS1.02 and Squid
> Vic
[snipped]
> I am puzzled, I always thought spam was distributed using mail, e.g. SMTP,
> port 25, how exactly was your server abused?
> Unless your Gateway was completely compromised I do not see how Squid was
> used to forward mail.
> Please enlighten me

Perhaps it is indeed compromised. Only my logs are no longer available as I'm clearing them automatically via cron (due to ramdisk limitations, ouch!). But I really have no idea how to make use of an open proxy server to send out mail spam. But according to my ISP, that's exactly what happened. I notified my ISP as soon as I realized that my bandwidth is maxed out and my private net has nothing to do with it.

What is physically evident is that, during my tests, my external device kept on blinking like mad. Issuing an 'ifconfig' command shows that RX and TX packets of the external device kept on incrementing while the internal RX/TX isn't moving at all. This shows that unwanted packets are simply flowing into the box then back out again (perhaps to the spam target/s), without touching my private net.

Then my ISP forwarded me this:

> Dear Network Security:
>
> (You are receiving this message because your local IP registry and/or DNS
> showed that you are the owner of this IP address, or that you are the access
> provider for this IP address. If you are not responsible for the system at
> this address, PLEASE FORWARD to the responsible party!)
>
> One of your users (IP XXX.XXX.XXX.XXX) is running an open proxy server that
> is being used to forward untold tens of thousands of junk emails daily.
> PLEASE shut down this abusive user.
>
> This user has open proxies running on port 80. The proxycheck program
> clearly shows the open proxy port:
>
> [EMAIL PROTECTED] pck XXX.XXX.XXX.XXX
>
> To check: hosts=1, proto:ports=63, host:proto:ports=63
>
> XXX.XXX.XXX.XXX:hc:80: HTTP request successeful (200)
> XXX.XXX.XXX.XXX hc:80 open
> NumOpen=1(1) NRead=119 Time=23
>
> Note: There may be other open proxy ports in addition to the ones listed
> above.
>
> This user is so abusive, they have managed to get themselves listed in the
> MONKEYS.COM open proxy list:
>
> http://www.monkeys.com/upl/listed-ip-0.cgi?ip=XXX.XXX.XXX.XXX
>
> They have also managed to get themselves blacklisted as an open proxy by
> NJABL.ORG:
>
> http://njabl.org/cgi-bin/lookup.cgi?query=XXX.XXX.XXX.XXX
>
> Finally, the investigation of this IP address was triggered by this system
> port scanning our MTA (a common indicator that a proxy server is about to
> try to send spam) as shown in the following log record(s):
>
> Jun 29 16:54:27 trustem01.trustem.net sendmail[953]: h5TKsQlq000953:
> [XXX.XXX.XXX.XXX] did not issue MAIL/EXPN/VRFY/ETRN during
> connection to MTA

[FURTHER MESSAGES SNIPPED]

At present I'm scouring the net for info on how to go about with this. This is really embarrassing as I had no idea that having an open proxy server is a no-no. (http://theproxyconnection.com/openproxy.html) But it is my requirement to allow EVERYBODY to be able to access my web server in the private net. Perhaps some more squid howto is the answer. But further tips on tightening a firewall are also very much welcome (TIA).

The blacklist is lifted now, but I currently opt to use a backup IP until I get this fixed. :o(

TIA
- Vic
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
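The proxycheck output quoted in the ISP's report ("hc:80 open", "HTTP request successeful (200)") is the result of a probe very much like the one below: the checker speaks to the gateway's port 80 as if it were an explicit proxy and treats a 2xx reply as proof that the proxy will relay for anyone. The script is an added example, not part of Vic's message, the ISP's report, or the proxycheck tool; the gateway name, external URL and mail host in it are constructed placeholders. It sends two requests, a proxy-style GET for an outside URL and a CONNECT to an outside host on port 25 (the tunnel a spammer needs to talk SMTP through the proxy), and classifies each reply; the reply parsing is kept separate from the socket code so it can be checked offline.

```python
"""Probe a gateway for an open HTTP proxy the way an abuse checker does.

Two requests go to the gateway's port 80:
  1. a proxy-style GET for an external URL, which a Squid that accepts
     proxy requests from any source address will happily fetch;
  2. a CONNECT to an external host on port 25, which, if accepted, hands
     the caller a raw TCP tunnel to a mail server: the path spam relays use.
A 2xx status on either means the proxy relayed for an outsider.
"""
import socket

# Constructed placeholders (assumptions, not names from the original post).
GATEWAY = "gateway.example.invalid"
PROXY_PORT = 80
EXTERNAL_URL = "http://www.example.com/"
MAIL_HOST = "mx.example.net"
MAIL_PORT = 25


def build_get_request(url: str) -> bytes:
    """Proxy-style GET: absolute URL on the request line, as a client
    configured to use an explicit proxy would send it."""
    host = url.split("/")[2]
    return (f"GET {url} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT asks the proxy to open a raw TCP tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def classify_reply(raw: bytes) -> str:
    """Map the status line of a proxy reply to a verdict.

    2xx: the proxy did what was asked (fetched the URL / opened the tunnel).
    403/407: an ACL or proxy-auth check refused the request.
    Anything that is not an HTTP status line is reported as such.
    """
    if not raw:
        return "no-reply"
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "not-http"
    try:
        code = int(parts[1])
    except ValueError:
        return "not-http"
    if 200 <= code < 300:
        return "open"
    if code in (403, 407):
        return "denied"
    return f"other-{code}"


def probe(gateway: str = GATEWAY, port: int = PROXY_PORT,
          timeout: float = 5.0) -> dict:
    """Send both requests to the gateway from outside and classify each reply.
    Run this from a host that is NOT on the private net; from inside, an
    'allow localnet' rule would make the proxy look open when it is not."""
    checks = (("proxied-get", build_get_request(EXTERNAL_URL)),
              ("connect-25", build_connect_request(MAIL_HOST, MAIL_PORT)))
    results = {}
    for name, request in checks:
        try:
            with socket.create_connection((gateway, port), timeout=timeout) as s:
                s.sendall(request)
                raw = s.recv(4096)
            results[name] = classify_reply(raw)
        except OSError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for check, verdict in probe().items():
        print(f"{check}: {verdict}")
```

Either check coming back "open" from an outside address is what got the box onto the proxy blacklists. The stock Squid 2.x configuration already contains the ACLs that stop this (`acl CONNECT method CONNECT`, `acl SSL_ports port 443`, `http_access deny CONNECT !SSL_ports`, and a final `http_access deny all` after an allow for the internal `src` network); a transparent setup usually becomes an open relay when an `http_access allow all` or an over-wide source ACL is placed above those denies while `httpd_accel_with_proxy on` lets Squid act as a normal forward proxy as well. Allowing everybody to reach the internal web server does not require forward proxying at all: the accelerator (`httpd_accel_host` pointing at the internal server) or a port forward on the firewall serves that, with proxy access limited to the private net.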