Proxy servers and SPAM

2003-06-12 Thread James H. Thompson
It seems that much SPAM originates from hijacked open proxy servers.
http://www.fr2.cyberabuse.org/?page=abuse-proxy
http://spamcop.net/fom-serve/cache/278.html

It would be possible to make a plugin, that on the SMTP connect, takes the remote IP
address and does a quick check for an open proxy on the remote IP address.  If it
finds an open proxy, it could block the connection, and add the IP to a local DB of
IPs to block.  It could also remember the IPs that passed if that made sense from a
performance standpoint.

Would a plug-in like this be a useful tool? Worth writing?

More Background
===

An open proxy test appears to be fairly easy:
From:
http://cert.uni-stuttgart.de/archive/incidents/2002/12/msg00044.html

There are programs to scan for open proxy servers, but you can also just
try using nmap on well-known proxy ports (1080,8080,3128... sometimes
80 and 81). Then telnet to the port and try something like:
GET http://www.yahoo.com/ HTTP/1.0 and hit enter twice. This indicates
they are at least open to HTTP proxying. This is a problem, but it's not as
bad as some servers, which allow you to connect out on any port. For your
spam example, try CONNECT x.x.x.x:25 HTTP/1.0 where x.x.x.x is the
address of some mailserver you own. If you get the SMTP banner, your
suspicions are confirmed.

Info on the Analogx proxy server:
From:
http://groups.google.com/groups?q=analogx+spam&hl=en&lr=&ie=UTF-8&selm=c0-dnWpdCPkk5lajXTWcrg%40internetpro.net&rnum=1

AnalogX Proxy, a free proxy-server program that has been downloaded by more
than a million people, is automatically in the open state when it is first
installed. Mark Thompson, the author of AnalogX, said he had rebuffed the
requests of many antispam activists to distribute the software with the
security features already activated because doing so would make it harder to
set up.

The biggest plug for the proxy is it is really easy to get it running, he
explained. Mr. Thompson said he did try to achieve a compromise by revising
the program to give people a warning about security problems every time it
starts.

Even so, Wirehub, a Dutch Internet service provider, says that 45,000 of the
150,000 open proxy servers it has identified as sending spam appear to be
using AnalogX.

Jim

James H. Thompson
[EMAIL PROTECTED]

Re: Proxy servers and SPAM

2003-06-12 Thread Ask Bjørn Hansen
On Thursday, Jun 12, 2003, at 03:11 America/Los_Angeles, James H. Thompson wrote:

Personally I don't like having to try connecting back when we get an 
incoming connection; there are just too many things that can go wrong 
and having done a big open relay test I know I don't want to bother 
with the billion emails asking what I'm up to.  :-)

> For your
> spam example, try CONNECT x.x.x.x:25 HTTP/1.0 where x.x.x.x is the
> address of some mailserver you own. If you get the SMTP banner, your
> suspicions are confirmed.

Devin made a plugin (check_earlytalker) that tries to detect those as 
the request is being received:
http://xrl.us/jhb (Link to cvs.perl.org)

 - ask

--
http://www.askbjoernhansen.com/


Re: Proxy servers and SPAM

2003-06-12 Thread Ask Bjørn Hansen
On Thursday, Jun 12, 2003, at 04:31 America/Los_Angeles, Ask Bjørn Hansen wrote:

> Devin made a plugin (check_earlytalker) that tries to detect those 
> as the request is being received:
> http://xrl.us/jhb (Link to cvs.perl.org)

I just checked my logs for the last ~30 hours and it's rejecting quite 
a few mails.  A cursory glance over the logs indicates that it's all at 
least suspicious connections (no reverse DNS and many IPs from China 
and Korea). It's hard to really tell when you disconnect them without 
looking at even their first EHLO.  :-)

Rasjid's count_unrecognized_commands - http://xrl.us/jhc - plugin is 
also blocking a few connections here (it would probably be many more if 
I didn't also use the check_earlytalker plugin).

Thanks Rasjid & Devin!

All that being said, it would be interesting if you can get good 
results out of an instant proxy checker without killing the 
performance too much.  One of the big points of qpsmtpd is exactly to 
make it easier to try out new things.

  - ask

--
http://www.askbjoernhansen.com/
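The early-talker idea behind the check_earlytalker plugin mentioned in both replies, as an added illustration for this page (this is example code written here, not the plugin's own Perl or any qpsmtpd code; the one-second hold, the 554 reply text and the banner hostname are assumptions):

```python
"""Early-talker check: a well-behaved SMTP client waits for the 220 banner
before sending anything, while spam engines pushing mail through hijacked
proxies often start transmitting the moment the TCP connection is up.
Holding the banner back briefly and rejecting any peer that has already
sent bytes catches them without probing the remote host at all."""
import select
import socket

EARLY_TALKER_WAIT = 1.0  # seconds to hold the banner back (assumed value)


def is_early_talker(conn: socket.socket, wait: float = EARLY_TALKER_WAIT) -> bool:
    """Return True if the peer sends data before we have sent a banner."""
    readable, _, _ = select.select([conn], [], [], wait)
    if not readable:
        return False
    # Peek so the bytes stay queued for logging or later parsing.
    data = conn.recv(1, socket.MSG_PEEK)
    return len(data) > 0  # an empty read means the peer closed, not an early talker


def greet(conn: socket.socket, wait: float = EARLY_TALKER_WAIT) -> str:
    """Delay the banner; reject early talkers with a 5xx, greet everyone else."""
    if is_early_talker(conn, wait):
        conn.sendall(b"554 Connecting host started transmitting before SMTP greeting\r\n")
        conn.close()
        return "rejected"
    conn.sendall(b"220 mail.example.test ESMTP\r\n")  # hostname is a placeholder
    return "greeted"


def simulate(client_bytes: bytes) -> str:
    """Constructed demo: drive greet() through a local socketpair, with the
    client side optionally blurting data before any banner has been sent."""
    server, client = socket.socketpair()
    try:
        if client_bytes:
            client.sendall(client_bytes)
        return greet(server, wait=0.2)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print("blurting client:", simulate(b"HELO spam.example\r\nMAIL FROM:<x@y>\r\n"))
    print("patient client: ", simulate(b""))
```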