In message <15474.53126.412930.207302@hexadecimal.uoregon.edu>, you wrote:

>It's not just Checkpoint Firewall that has a problem with HTTP CONNECT.
>From what I can tell default installations of the CacheFlow web proxy
>software, some Squid installations, some Apache installations with
>proxying enabled, and some other web proxy installations I haven't
>identified allow anyone to use the HTTP CONNECT method.

A reasonably complete list of the types of HTTP proxies that allow
CONNECT (e.g. to send spam) may be found at:

    http://www.monkeys.com/security/proxies/

(Note that the links that are supposed to point to additional secure
configuration information don't work yet, but I'm actively soliciting
any and all information regarding proper security configuration steps
for the 70+ different types of HTTP/CONNECT proxies I have already
positively identified.)

I collected this data from the Server: headers returned by various kinds
of known open proxies that I have already cataloged on my public open
proxy spam blocking list (proxies.relays.monkeys.com). More info about
this list is available here:

    http://www.monkeys.com/anti-spam/filtering/proxies.html

This list currently consists of over 15,000 wide open proxies, and thanks
to large ongoing contributions from many contributors in the Internet
community, it is continuing to grow by leaps and bounds.

>This is being
>used more and more often to relay spam. This is a boon for spammers
>because unlike open SMTP relays which usually record some kind of useful
>Received: header, open web proxies don't put any information in the mail
>headers about the real origin of the spam.

Correct. And also, mail admins are only now waking up to the fact that
they have every bit as much reason to want to block incoming e-mail from
open proxies as they do from open relays... only more so.

(The implications of wide-open TCP proxies that can connect to any port
on any machine on the net should be apparent to the readers of Bugtraq.)

>I went around with someone at CacheFlow about this after unsecured
>proxies in the cacheflow.com domain were used to relay spam, and after
>seeing spam come from various unsecured CacheFlow proxies around the
>Internet. Their position is that this is supposed to be prevented by
>putting the CacheFlow server behind a firewall, or using configuration
>options in the CacheFlow software to prevent connections to unwanted
>destination ports. They seemed unreceptive to the idea of shipping a
>CacheFlow configuration that did not allow CONNECT by default.

CacheFlow is among the top five in my list of open/abused HTTP proxies,
in terms of raw numbers of separate installations.

If Microsoft did what they are doing (shipping wide open proxies by
default) then I'm sure that some people in the security community would
be screaming bloody murder by now.
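
Added example, not part of the original message or any vendor's code: a check a proxy operator could run over a Squid native-format access.log to find CONNECT tunnels that the proxy permitted to ports other than 443, such as the SMTP relaying discussed above. The log lines are constructed samples, and the allowed-port set and function names are assumptions.

```python
"""Flag CONNECT tunnels to non-HTTPS ports in a Squid native access.log."""
from collections import defaultdict

# Assumption: the only port this site legitimately tunnels via CONNECT is HTTPS.
ALLOWED_CONNECT_PORTS = {443}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1020000001.101    812 203.0.113.5 TCP_MISS/200 3120 CONNECT shop.example.com:443 - DIRECT/198.51.100.20 -
1020000002.340   9544 203.0.113.77 TCP_MISS/200 18233 CONNECT mx1.example.net:25 - DIRECT/198.51.100.25 -
1020000003.007     95 192.0.2.14 TCP_HIT/200 5120 GET http://www.example.org/ - NONE/- text/html
1020000004.655   7031 203.0.113.77 TCP_MISS/200 20911 CONNECT mx2.example.net:25 - DIRECT/198.51.100.26 -
1020000005.200     12 203.0.113.9 TCP_DENIED/403 1045 CONNECT irc.example.net:6667 - NONE/- text/html
truncated line
"""


def parse_connect(line):
    """Return (client, host, port, permitted) for a CONNECT line, else None."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    # For CONNECT the URL field is "host:port"; rpartition copes with [IPv6]:port.
    host, sep, port = fields[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    # TCP_DENIED means the proxy's own access controls refused the request.
    permitted = not fields[3].startswith("TCP_DENIED")
    return fields[2], host, int(port), permitted


def find_tunnel_abuse(log_text, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Map client IP -> sorted (host, port) tunnels the proxy permitted
    to ports outside allowed_ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue  # not a CONNECT request, or a malformed line
        client, host, port, permitted = rec
        if permitted and port not in allowed_ports:
            hits[client].add((host, port))
    return {client: sorted(targets) for client, targets in hits.items()}


if __name__ == "__main__":
    for client, targets in find_tunnel_abuse(SAMPLE_LOG).items():
        for host, port in targets:
            print(f"{client} was allowed to tunnel to {host}:{port}")
```

Any client this reports means the proxy's CONNECT access controls are not restricting destination ports; requests logged as TCP_DENIED are skipped because the proxy already refused them.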