The easiest server to check by hand, usually quite difficult to create by accident
(unless you are a Microsoft Windows user), and often the most difficult to find.
Checking the server by hand may be performed with 'telnet' (telnet.exe
for Microsoft users). The protocol is simple and described in full in
RFC 2616; however, here you can see
the basics...
These are the simple rules:
First, the protocol is text based, so you can type requests and see responses.
Second, each request is terminated with a complete blank line.
Third, each request begins with a 'Method' (e.g. GET, POST, CONNECT).
A spammer generally uses only the CONNECT method, which takes the hostname and port as its argument (e.g. 'CONNECT myproxy.example.com:80 HTTP/1.0').
What follows is an example of the CONNECT method, sent to a correctly configured proxy:
>>> $ telnet oblivion.its.uq.edu.au 8080
<<< Trying 130.102.152.116...
<<< Connected to oblivion.its.uq.edu.au.
<<< Escape character is '^]'.
>>> CONNECT smtp.uq.edu.au:25 HTTP/1.0
>>>
<<< HTTP/1.0 403 Forbidden
<<< Server: Squid/2.4.STABLE4
<<< Mime-Version: 1.0
<<< Date: Tue, 15 Oct 2002 00:24:57 GMT
<<< Content-Type: text/html
<<< Content-Length: 696
<<< Expires: Tue, 15 Oct 2002 00:24:57 GMT
<<< X-Squid-Error: ERR_ACCESS_DENIED 0
<<< X-Cache: MISS from oblivion
<<< Proxy-Connection: close
.
. HTML Cut for clarity.
.
<<< Connection closed by foreign host.
<<< $
What follows is the same proxy server badly configured and therefore open:
>>> $ telnet oblivion.its.uq.edu.au 8080
<<< Trying 130.102.152.116...
<<< Connected to oblivion.its.uq.edu.au.
<<< Escape character is '^]'.
>>> CONNECT smtp.uq.edu.au:25 HTTP/1.0
>>>
<<< HTTP/1.0 200 Connection established
<<<
<<< 220 bunyip.cc.uq.edu.au ESMTP Sendmail 8.9.3/8.9.3; Tue, 15 Oct 2002 10:46:23 (GMT)
>>> QUIT
<<< 221 bunyip.cc.uq.edu.au closing connection
<<< Connection closed by foreign host.
<<< $
As you can see, the banner of the target mail server is clearly shown when the connection is successful. If the
mail server is carefully chosen, this method can be used to 'compromise' the anti-relay rules of any company mail server,
even if the mail server is well administered.
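The two sessions above differ only in the status line of the proxy's reply, so the check can be automated. The following is an added example, not code from the original page: it builds the same CONNECT request, parses the reply, and classifies it as open or denied. The sample replies are constructed from the two telnet transcripts (HTML body abbreviated); audit_connect() is a hypothetical helper for running the same check against a proxy you administer.

```python
import socket


def build_connect_request(host: str, port: int) -> bytes:
    """The request typed by hand in the telnet sessions: one request line,
    then the blank line that terminates the request."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Split a raw reply into (status_code, reason, headers, body).
    status_code is None when the reply does not start with an HTTP status line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, "", {}, raw
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers, body


def classify(raw: bytes) -> str:
    """'open' when the proxy established the tunnel (200), 'denied' for any
    other HTTP status, 'unknown' when the reply is not HTTP at all."""
    code = parse_response(raw)[0]
    if code is None:
        return "unknown"
    return "open" if code == 200 else "denied"


def tunnel_banner(raw: bytes) -> str:
    """After a 200, everything following the blank line comes from the
    target, e.g. the SMTP greeting. Return its first line."""
    body = parse_response(raw)[3]
    return body.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def audit_connect(proxy_host, proxy_port, target_host, target_port, timeout=10.0):
    """Hypothetical live version of the telnet check for a proxy you
    administer (not exercised here). Reads until the end of the headers and
    closes the socket immediately, so an open tunnel is never used."""
    data = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        try:
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return classify(data)


# Constructed replies, copied from the two telnet sessions on the page
# (the 403's HTML body is abbreviated).
DENIED_REPLY = (
    b"HTTP/1.0 403 Forbidden\r\n"
    b"Server: Squid/2.4.STABLE4\r\n"
    b"Mime-Version: 1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
    b"X-Cache: MISS from oblivion\r\n"
    b"Proxy-Connection: close\r\n"
    b"\r\n"
    b"<html>...</html>\r\n"
)
OPEN_REPLY = (
    b"HTTP/1.0 200 Connection established\r\n"
    b"\r\n"
    b"220 bunyip.cc.uq.edu.au ESMTP Sendmail 8.9.3/8.9.3; Tue, 15 Oct 2002 10:46:23 (GMT)\r\n"
)

if __name__ == "__main__":
    for label, reply in (("correctly configured", DENIED_REPLY), ("open", OPEN_REPLY)):
        print(label, "->", classify(reply), "| banner:", tunnel_banner(reply) or "(none)")
```

Only the status code decides the verdict: a 403 with X-Squid-Error is the healthy outcome, while a 200 means the bytes that follow are already the target's, which is why the mail server's greeting appears in the second transcript.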
In this case a SQUID proxy server was used, and fortunately by default these
servers are secure. Unfortunately, however, there are a number of 'clueless' administrators who continue to add lines like:
http_access allow all
above the line:
http_access deny CONNECT !SSL_ports
This allows anyone to connect to anything.
As proxies can talk to other proxies, in what is sometimes known as 'proxy chaining', all the world's best access control rules
are defeated by getting the proxy server to connect to itself on the localhost, and then getting it to connect to wherever
you want.
Proxy chaining is even more difficult to stop, as it is quite common for administrators to wrongly trust the localhost and use it for testing. Consequently even lines such as:
acl localhost src 127.0.0.0/255.0.0.0
acl myservers src 10.0.0.0/255.0.0.0
http_access allow localhost
http_access allow myservers
above the line:
http_access deny CONNECT !SSL_ports
are dangerous; this is particularly the case when the server is bound to all IP addresses.
Note: If you put your proxy server on port 80 and bind it to all addresses, you should explicitly deny connections
from the localhost to anywhere.
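Both misconfigurations come down to rule order: Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match. The following is an added example, not Squid's own code: a small simulation of that first-match evaluation over the acl and http_access lines quoted above, with three orderings so the effect of each is visible. The request model (client address, method, destination port), the use of 443 and 563 as SSL_ports, and the 'acl all'/'acl CONNECT' definitions are assumptions modelled on a Squid 2.x configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Acl:
    kind: str      # 'src', 'port' or 'method'
    values: object  # list of networks, set of ports, or set of methods


def parse_config(text: str):
    """Parse the subset of squid.conf used on the page: 'acl' definitions
    and 'http_access' rules. Returns (acls, rules) with rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl":
            name, kind, args = tok[1], tok[2], tok[3:]
            if kind == "src":
                values = [ipaddress.ip_network(a, strict=False) for a in args]
            elif kind == "port":
                values = {int(a) for a in args}
            elif kind == "method":
                values = {a.upper() for a in args}
            else:
                raise ValueError(f"unsupported acl type: {kind}")
            acls[name] = Acl(kind, values)
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def acl_matches(acl: Acl, src: str, method: str, port: int) -> bool:
    if acl.kind == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in acl.values)
    if acl.kind == "port":
        return port in acl.values
    return method.upper() in acl.values


def evaluate(text: str, src: str, method: str, port: int) -> str:
    """First-match evaluation: every ACL on a line must match ('!' negates).
    If no line matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse_config(text)
    for action, terms in rules:
        hit = True
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(acls[term.lstrip("!")], src, method, port) == negate:
                hit = False
                break
        if hit:
            return action
    if rules:
        return "deny" if rules[-1][0] == "allow" else "allow"
    return "deny"


# ACL definitions assumed for the simulation; names follow the page's lines.
COMMON_ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.0/255.0.0.0
acl myservers src 10.0.0.0/255.0.0.0
acl SSL_ports port 443 563
acl CONNECT method CONNECT
"""

# The first misconfiguration quoted on the page: 'allow all' above the deny.
OPEN_CONFIG = COMMON_ACLS + """
http_access allow all
http_access deny CONNECT !SSL_ports
"""

# The second: trusted localhost/myservers above the deny (chaining hole).
TRUSTED_LOCALHOST_CONFIG = COMMON_ACLS + """
http_access allow localhost
http_access allow myservers
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Corrected ordering: the CONNECT restriction comes before any allow.
SAFE_CONFIG = COMMON_ACLS + """
http_access deny CONNECT !SSL_ports
http_access allow myservers
http_access deny all
"""

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("trusted-localhost", TRUSTED_LOCALHOST_CONFIG), ("safe", SAFE_CONFIG)):
        print(f"{name:18} outsider CONNECT :25  -> {evaluate(cfg, '203.0.113.5', 'CONNECT', 25)}")
        print(f"{name:18} localhost CONNECT :25 -> {evaluate(cfg, '127.0.0.1', 'CONNECT', 25)}")
```

In the trusted-localhost ordering an outside client is refused directly, but a request arriving via the proxy's own loopback address is allowed through to port 25, which is exactly the self-chaining path described above. Moving 'deny CONNECT !SSL_ports' above every allow closes both holes without changing which clients may use the proxy for ordinary web traffic.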