[Gllug] spews blacklist/squid
Alistair Mann
alistair at lgeezer.net
Mon Jun 2 21:13:21 UTC 2003
Thus spaketh Doug Winter on Monday 02 June 2003 9:32 pm:
> On Mon 02 Jun Ashley Evans wrote:
> > Could somebody point me to an explanation of how a proxy can be used in
> > this way. Of course I don't want to spam but I am interested in how this
> > works and can be defended against/tracked. I am running squid atm but
> > it's firewalled against all incoming traffic not on the local subnet.
>
> [doug at brie doug]$ telnet localhost 3128
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> CONNECT 217.204.76.170:25 HTTP/1.0
>
> HTTP/1.0 200 Connection established
>
> 220 stilton.pencil.net ESMTP Exim 3.35 #1 Mon, 02 Jun 2003 21:29:50 +0100
> MAIL FROM: <doug at pigeonhold.com>
> 250 <doug at pigeonhold.com> is syntactically correct
> RCPT TO: <doug at pigeonhold.com>
> 250 <doug at pigeonhold.com> verified
> DATA
> 354 Enter message, ending with "." on a line by itself
> Subject: w00t! I am teh evil hax0r!
>
> This is only a test.
>
> .
> 250 OK id=19MvwW-0005Hr-00
> QUIT
> 221 stilton.pencil.net closing connection
> Connection closed by foreign host.
>
> In the above example, 217.204.76.170 is in fact a receiving MTA for
> pigeonhold.com. However, it could easily have been a machine on the
> same network as the proxy, that will relay mail from the proxy host.

Ha ha -- cheeky! What's happening is that Squid is being told to connect to a
mailserver /as if/ it was a webserver running on port 25, then using the http
request exchange to pass SMTP commands. Voila.

OP asked if there was some method of blocking this. I'm not familiar with
Squid's configuration file, but certainly iptables can handle it: block
outbound traffic with --dport 25 and --cmd-owner /usr/local/bin/squid (or
whatever).

Cheers,
--
Alistair
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
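
For the "tracked" half of the original question, an added example that is not part of the thread: a Python script that scans a Squid access.log for CONNECT requests to ports other than those expected for TLS. It assumes Squid's native log layout; the allowed-port set, the function names and the sample lines are constructed for illustration.

```python
"""Flag Squid CONNECT requests to ports that are not expected TLS ports."""

# Assumption: Squid's native access.log layout, whitespace separated:
# time elapsed client code/status bytes method URL ident hier/peer type
ALLOWED_CONNECT_PORTS = {443, 563}  # assumption: https and nntps only

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = """\
1054585790.101    412 192.0.2.10 TCP_MISS/200 1523 CONNECT 217.204.76.170:25 - DIRECT/217.204.76.170 -
1054585791.250    130 192.0.2.11 TCP_MISS/200 8841 CONNECT www.example.com:443 - DIRECT/203.0.113.5 -
1054585792.007     95 192.0.2.11 TCP_MISS/200 4210 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
1054585793.640      3 192.0.2.12 TCP_DENIED/403 1050 CONNECT mail.example.net:25 - NONE/- text/html
garbage line
"""


def parse_connect(line):
    """Return (client, status, host, port) for a CONNECT entry, else None."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    # rpartition keeps bracketed IPv6 literals such as [::1]:25 intact.
    host, sep, port = fields[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    status = fields[3].rpartition("/")[2]
    return fields[2], status, host, int(port)


def suspicious_tunnels(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """List CONNECT attempts to ports outside `allowed`, allowed or denied."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue
        client, status, host, port = entry
        if port not in allowed:
            hits.append({"client": client, "target": f"{host}:{port}",
                         "established": status.startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in suspicious_tunnels(SAMPLE_LOG):
        state = "ESTABLISHED" if hit["established"] else "denied"
        print(f'{hit["client"]} -> {hit["target"]} ({state})')
```

A hit marked as established means the proxy opened the tunnel. On the proxy side, Squid's `http_access deny CONNECT !SSL_ports` rule, with the `SSL_ports` ACL limited to the ports actually needed, turns those into denials.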