Re: prevent squid being used as spam passthrough

That's pretty much what I have, but is it not possible to use one of these ports as a pass-through for spam, or would the receiving email servers block it?

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1863        # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


--------------------------------------------------
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
Sent: Monday, December 27, 2010 9:36 PM
To: <squid-users@xxxxxxxxxxxxxxx>
Subject: Re:  prevent squid being used as spam passthrough

On 27/12/10 09:23, J Webster wrote:
> Is it possible for a proxy running on port 80 or 8080 to be used as a
> pass through or zone origination for spam email?

Maybe. If it has been configured as an open proxy.
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

> We have had some users sign up with email addresses such as spambot and
> other stuff recently. I suspect these are just bots signing up around
> the web but got me thinking whether a proxy could be used in a chain or
> tunneled somehow and whether that could be blocked?

The default squid.conf http_access controls are designed to prevent this type of thing.

It requires Safe_ports to list only the ports <1024 which are known to be safe for proxy connections-to. As well as SSL_ports for CONNECT tunnels to only connect to known HTTPS ports.

You can see the Squid default settings at
http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#Squid_configuration

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
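
The port and rule-order checks this thread is about, as an added example (not part of either post and not Squid project code): a small Python audit over squid.conf text. The sample is constructed from the port and http_access lines of the config quoted above; the mail-port set and the function names are assumptions of this example.

```python
# Constructed sample: port and http_access lines from the config quoted above.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

MAIL_PORTS = {25, 465, 587}  # assumption: SMTP, SMTPS, submission
GUARDS = [("!Safe_ports",), ("CONNECT", "!SSL_ports")]  # Squid's default denies

# Returns ({acl_name: [(lo, hi), ...]}, [(action, acl_tuple), ...]).
def parse(conf):
    ports, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "port":
            for spec in tok[3:]:
                lo, _, hi = spec.partition("-")
                ports.setdefault(tok[1], []).append((int(lo), int(hi or lo)))
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tuple(tok[2:])))
    return ports, rules

def audit(conf):
    """List findings: mail ports permitted, or guard denies missing or late."""
    ports, rules = parse(conf)
    findings = []
    for name in ("Safe_ports", "SSL_ports"):
        for lo, hi in ports.get(name, []):
            hit = sorted(p for p in MAIL_PORTS if lo <= p <= hi)
            if hit:
                findings.append(f"{name} {lo}-{hi} covers mail port(s) {hit}")
    # http_access is first-match: a deny after an allow never sees what it accepted.
    first_allow = next((i for i, r in enumerate(rules) if r[0] == "allow"), len(rules))
    for guard in GUARDS:
        label = "http_access deny " + " ".join(guard)
        idx = next((i for i, r in enumerate(rules) if r == ("deny", guard)), None)
        if idx is None:
            findings.append("missing: " + label)
        elif idx > first_allow:
            findings.append("after first allow: " + label)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```

On the quoted rules it reports both guard denies as coming after `http_access allow ncsa_users`, so requests from authenticated users are accepted before the port checks are evaluated. Moving the allow line below the two denies, as in the default squid.conf order, clears both findings.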