Proxy used for spam


Paul Lamontagne

Jul 31, 2002, 9:18:35 AM
The problem is the transparent proxy used without authentication.

You can disable the transparent proxy or get rid of the default exception for port 80 set up by BorderManager.

Look at some posts further down here; the subject is HTTP Proxy, I believe... This is a recurring problem. I had it myself.

>>> Randy Hermundson<ra...@indps.k12.wi.us> 07/30/02 03:47PM >>>
I received an email from our ISP saying our BM server is being used to
relay spam. Where do I start to look to fix this problem? The only
reference I can find is about the mail proxy, which I am not using.

NetWare 5.0
BM 3.5
NAT
Transparent proxy
HTTP proxy

Thanks in advance,
Randy Hermundson
Independence School District




Craig Johnson

Aug 1, 2002, 3:51:14 AM
Do you run GWIA? Is it set to allow relay? (On BMgr or an internal
server).

I would try removing the default filter exception allowing port 80 to
the public IP address in FILTCFG.NLM.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://nscsysop.hypermart.net ***

Novell Forums

Oct 23, 2002, 11:24:31 AM
Can't disable transparent (hundreds of PCs).

To disable the default exception for port 80, do you mean the "allow any port, any URL" rule? So I might only allow port 80, or deny port 25? Of course, I'm assuming the spammers are using port 25.

skip
 

Novell Forums

Oct 23, 2002, 11:24:31 AM
Hi
 
Can't disable transparent easily (hundreds of PCs).

What about the default exception? Do you mean access rules or FILTCFG? If the spammers use port 25, couldn't I just add a deny rule for port 25?

skip thompson
 

Craig Johnson

Oct 23, 2002, 12:37:04 PM
In article <Pazt9.20765$CX6.4...@prv-forum2.provo.novell.com>, Novell
Forums wrote:
> can't disable transparent (hundreds of PCs) to disable the
> default exception for port 80, do you mean the allow any port any
> URL? so I might only allow port 80. or deny port 25? of course I'm
> assuming the spammers are using port 25 skip
>
You definitely need to prevent relay on port 25. If you are using the
Mail Proxy, there are access rules that need to be used, and settings
for the proxy.cfg file that need to be there.

If you are NOT using the mail proxy, you will have to set up relay
prevention on the SMTP server.

As to turning off transparent proxy, see tip #71 at the URL below. For
preventing people from using it from the public side, I strongly
recommend you delete the default filter exception www-http allowing
port 80 to the public IP address.

Novell Forums

Oct 23, 2002, 4:31:54 PM
Hi Craig,

Just bought and downloaded your book. Looks great. Need time to implement
it, and scared of filters ;-) So the chicken in me (and the fact I already
had CLNTRUST in the login script) made me try the "rules" solution suggested
in another thread by CAT (CSL).

This server does not have GWIA on it (I have secured the one that has it); I
don't use mail proxy. Tip 71 is good. Have IE 5 or better everywhere,
Netscape 4.5 or better also, and full ZENworks. So I've got options to
ponder. Thanks.

Here it is:
- Create a rule to allow your subnets to use the proxy.
** Mine is 10.0.1.0 - 10.0.1.255
- Enable proxy authentication (for instance, SSO) and check the
"authenticate only when users attempt to access restricted pages" option in
NWADMN32, BM Setup, Authentication Context.
** Done...

I have rconsole running on that server with web manager, et al. After
returning to my office across the WAN from that school, I cannot get in to
any of that. The web server doesn't respond.

I used GFI's LANguard to scan it (proxy.alma-ais.wsc.k12.ar.us) and it
reports

Anonymous logins accepted ?
No
8080 - Trying to determine if we have a web server here
Waiting for UDP thread ..

The server never responded. So... am I good for now?

skip

"Craig Johnson" <cra...@ix.netcom.com> wrote in message
news:VA.00002b5...@p1000.bormanjohnsonhome.com...

Craig Johnson

Oct 24, 2002, 12:33:30 AM
In article <_GDt9.21179$CX6.4...@prv-forum2.provo.novell.com>, Novell
Forums wrote:
> server never responded. so... am I good for now?
>
I'm not sure - I'm having a hard time trying to decipher what you
wrote!

Skip Thompson

Oct 24, 2002, 9:30:49 AM
Hi Craig,

Sorry, I was attempting to be complete. I'll try again.

The server in question is not running mail (GWIA) or mail proxy; it only has
NBM on it. I do want to access RConJ, Web Manager, etc. Because I had just
downloaded but not yet read your book, I was uncomfortable with filters. (I
read it last night.) So I attempted the "rules" solution offered by CAT in
another thread.

I will definitely take your (and others') advice about turning off
transparent proxy, but that'll take a few days.

The rules solution is:

- Create a rule to allow your subnets to use the proxy.

- Enable proxy authentication (for instance, SSO) and check the
"authenticate only when users attempt to access restricted pages" option.

This appeared to work in that the school can get out, but I can't get into
the web server or Web Manager, although I can use RConJ. I used LANguard to
probe it but frankly, I can't determine if I have it "fixed" or not.

So the question for you is: "How do I know that I'm not a spam relay any
longer?"

Thanks

skip

"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.00002b6...@p1000.bormanjohnsonhome.com...

Craig Johnson

Oct 25, 2002, 12:46:30 AM
In article <dCSt9.21685$CX6.4...@prv-forum2.provo.novell.com>, Skip
Thompson wrote:
> this appeared to work in that the school can get out, but I can't get into
> the web server, web manager although I can use RconJ. I used LanGuard to
> probe it but frankly, I can't determine if I have it "fixed" or not.
>
OK - I suspect a completely separate issue there, possibly just a filtering
issue. (Do you mean that you cannot get to those services on the inside, or
just from the outside? I can assure you that configuring all the NW6 web
services can be very confusing - I just finally got all mine working, and I
had been pecking away at them since December. Spent 14 hours on it last
Sunday nailing down little details.)

> So the question for you is: "How do I know that I'm not a spam relay any
> longer?"

As far as I know, spam relay is only done in one of two ways:
1. Relaying via SMTP - if you are not running mail proxy, you must control
this with some setting on the SMTP server itself.
2. Relaying off the SOCKS gateway in BMgr. Not using SOCKS, or closing the
holes opened by the default Dynamic/TCP filter exception is the best answer
here. Patch levels and access rules can prevent it, but I prefer that the
capability not be there, regardless of patch or access rule config.

In any event, you can try relaying off your own server, to see if it can be
done, or you can ask some 3rd party to test for you. Sometimes your ISP
will do that.

William Harmon

Oct 28, 2002, 11:41:28 PM
Craig Johnson <cra...@ix.netcom.com> wrote in
news:VA.00002b7...@p1000.bormanjohnsonhome.com:

> In article <dCSt9.21685$CX6.4...@prv-forum2.provo.novell.com>, Skip
> Thompson wrote:

> OK - I suspect a completely separate issue there, possibly just a
> filtering issue. (Do you mean that you cannot get to those services on
> the inside, or just from the outside? I can assure that configuring
> all the NW6 web services can be very confusing - I just finally got all
> mine working, and I had been pecking away at them since December.
> Spent 14 hours on it last Sunday nailing down little details).
>
>> So the question for you is. "How do I know that I'm not a spam relay
>> any longer?"
>
> As far as I know, spam relay is only done in one of two ways:
> 1. Relaying via SMTP - if you are not running mail proxy, you must
> control this with some setting on the SMTP server itself.
> 2. Relaying off the SOCKS gateway in BMgr. Not using SOCKS, or closing
> the holes opened by the default Dynamic/TCP filter exception is the
> best answer here. Patch levels and access rules can prevent it, but I
> prefer that the capability not be there, regardless of patch or access
> rule config.
>

I have seen a third relay technique (and I believe a great number of others
have as well). External inbound connection on port 80 to transparent proxy
with a connection request to an external mail server on port 25. The
requests are in the thousands per hour. The spammers seem to have
BorderManager sites identified.


Craig Johnson

Oct 29, 2002, 12:06:20 PM
In article <Xns92B5E669EFD9bh...@151.164.30.48>, William
Harmon wrote:
> External inbound connection on port 80 to transparent proxy
> with a connection request to an external mail server on port 25.
>
Can you point to some technical details on how that works? I'd like to
know.

Transparent proxy should be OK, with the latest proxy patches AND the
latest tcpip stack, in terms of relay, as long as the public IP address
is set to public only, and not public and private. (Might be OK even
then, as the latest proxy patches specifically tell T.P. not to listen
on a 'public' IP address, though an older tcpip stack issue allowed the
traffic through anyway).

William Harmon

Oct 29, 2002, 1:56:52 PM
Craig Johnson <cra...@ix.netcom.com> wrote in
news:VA.00002ba...@p1000.bormanjohnsonhome.com:

> In article <Xns92B5E669EFD9bh...@151.164.30.48>, William
> Harmon wrote:
>> External inbound connection on port 80 to transparent proxy
>> with a connection request to an external mail server on port 25.
>>
> Can you point to some technical details on how that works? I'd like to
> know.

External connection to external email server.
tcp: ================= Transmission Control Protocol =================
Source Port: 55884
Destination Port: 80
Data:
0: |CONNECT 205.188.
10: |156.122:25 HTTP/
20: |1.1..Host: 205.1
30: |88.156.122:25..U
40: |ser-Agent: Mozil
50: |la/4.0 (compatib
60: |le; MSIE 5.5; Wi
70: |ndows 98)....

CERT documents "HTTP Proxy allows arbitrary TCP connections via HTTP
CONNECT Method"

Novell BorderManager's status is listed as unknown. I would say it is
vulnerable.
http://www.kb.cert.org/vuls/id/150227

Thanks to you, CAT and others for your support on this forum. Glad to be
able to contribute something.

Craig Johnson

Oct 30, 2002, 7:15:40 PM
In article <Xns92B6834BBDD84bh...@151.164.30.42>,
William Harmon wrote:
> Novell BorderManager's status is listed as unknown. I would say it is
> vulnerable.
> http://www.kb.cert.org/vuls/id/150227
>
I agree, though it depends on a number of factors. Certainly an
unpatched BMgr 3.0-3.6 server with default exceptions and transparent
HTTP proxy is vulnerable, though even then access rules might be able
to prevent that exploit.

William Harmon

Oct 31, 2002, 11:45:34 PM
Craig Johnson <cra...@ix.netcom.com> wrote in
> In article <Xns92B6834BBDD84bh...@151.164.30.42>,
> William Harmon wrote:
>> Novell BorderManager's status is listed as unknown. I would say it is
>> vulnerable. http://www.kb.cert.org/vuls/id/150227
>>
> I agree, though it depends on a number of factors. Certainly an
> unpatched BMgr 3.0-3.6 server with default exceptions and transparent
> HTTP proxy is vulnerable, though even then access rules might be able
> to prevent that exploit.
>
Yes this exploit can be filtered. However, I have seen the problem on a
BMgr 3.7 patched and running TCP591h with default filters.

A great number of administrators have fairly simple configurations which
have served them well in the past. The spammers seem ever so resourceful.

William

Craig Johnson

Nov 1, 2002, 10:56:52 PM
In article <Xns92B8E6E05C620bh...@192.233.80.227>, William
Harmon wrote:
> A great number of administrators have fairly simple configurations which
> have served them well in the past.
>
Yes, those defaults are no longer adequate in some cases.

James Moots

Nov 7, 2002, 7:49:45 PM
So how do you stop it? I'm having this exact problem and it's getting worse.
I'm an MCNE but when it comes to BorderManager, I'm an idiot :) In 7 minutes
they've bounced 1500 mail messages off my server. I'm currently blocking
outgoing packets on port 25 to stop the spam from getting out, but I want to
keep them from doing this. The only incoming ports I have open are HTTP and
FTP. Outgoing is not restricted at all. How do I stop the spammers from
relaying off of me?

I'm running BM 3.6 on a NetWare 6 box. This started happening right after I
upgraded it to NetWare 6. I believe I'm patched up, but suggestions on what to
check would be very helpful.

Thanks in advance for your time!

James Moots CNA/CNE 5/6, MCNE
"Craig Johnson" <cra...@ix.netcom.com> wrote in message
news:VA.00002bd...@p1000.bormanjohnsonhome.com...

Craig Johnson

Nov 9, 2002, 12:48:57 AM
It depends.

In some cases, it appears that people are relaying port 25 (SMTP)
traffic off the transparent proxy on port 80, with a redirect. You
definitely don't want to allow inbound HTTP unless you are running a
web server and need it.

Relaying has been done off SOCKS Gateway on port 1080. This can be
blocked by one or more of the following: latest patches, proper
configuration of IP addresses in BMgr, proper use of access rules,
and/or blocking port 1080 (by not allowing it via the default
dynamic/tcp filter exception). I change the dynamic/tcp exception to
enable ACK bit filtering.

Now, if someone is relaying SMTP off your MAIL SERVER, you cannot
really filter your way around that, since you have to allow port 25 in
to it in order to receive mail. You need to configure whatever mail
server you have to prevent relay. But a technique I have successfully
used in the past is to allow inbound mail (with filter exceptions) only
from an ISP's mail servers, when the mail servers were set to be
secondary MX records for the domain. This has a number of drawbacks,
and it relies on the ISP to stop the relaying instead of you, but it
can work...

James Moots

Nov 9, 2002, 7:58:16 AM
Thank you very much, Craig. My situation was that they were coming in on
port 80 and exploiting that HTTP CONNECT method and redirecting port 25
traffic. They were pumping out 1500 messages every 7 minutes. I applied the
latest BM proxy patch and set a special setting in the CFG file that turns
the HTTP CONNECT ability off, and the port 25 traffic stopped immediately.


"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.00002c2...@p1000.bormanjohnsonhome.com...

Craig Johnson

Nov 9, 2002, 10:49:53 PM
In article <ID7z9.9378$8H3.1...@prv-forum2.provo.novell.com>, James Moots
wrote:

> Thank you very much, Craig. My situation was that they were coming in on
> port 80 and exploiting that HTTP CONNECT method and redirecting port 25
> traffic. They were pumping out 1500 messages every 7 minutes. I applied the
> latest BM proxy patch and set a special setting in the CFG file that turns
> the HTTP CONNECT ability off, and the port 25 traffic stopped immediately.
>
Beware - there may still be a vulnerability.

If you are not running a reverse proxy, delete any default filter exception
allowing WWW-HTTP to the public IP address.
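An added example, not code from the thread, from Novell or from GFI: a small Python policy check that parses the kind of CONNECT request William captured above and applies the controls the thread converges on. CONNECT is refused outright (James's fix), or, if tunnelling is genuinely needed, allowed only from an authenticated client on the internal subnet Skip used (10.0.1.0/24) and only to port 443, never to port 25. The sample request, the setting names and the policy values are constructed for illustration and do not correspond to BorderManager's own configuration keys.

```python
import ipaddress

# Constructed sample, modelled on the packet payload quoted in the thread
# (the dump shows "CONNECT 205.188.156.122:25 HTTP/1.1" arriving on port 80).
SAMPLE_REQUEST = (
    b"CONNECT 205.188.156.122:25 HTTP/1.1\r\n"
    b"Host: 205.188.156.122:25\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n\r\n"
)

# Policy knobs (assumed names for this example, not BorderManager settings).
INTERNAL_NET = ipaddress.ip_network("10.0.1.0/24")  # subnet from Skip's rule
ALLOWED_CONNECT_PORTS = {443}                        # TLS only; never 25
ALLOW_CONNECT = False                                # James's fix: CONNECT off


def parse_request_line(raw: bytes):
    """Return (METHOD, target) from the first line of an HTTP request, or None."""
    first = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0].upper(), parts[1]


def connect_target(target: str):
    """Split a CONNECT authority 'host:port' into (host, port), or None."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def decide(raw: bytes, client_ip: str, authenticated: bool,
           allow_connect: bool = ALLOW_CONNECT) -> str:
    """Classify one proxied request as 'allow' or 'deny-<reason>' for logging."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return "deny-malformed"
    method, target = parsed
    if method != "CONNECT":
        return "allow"                   # ordinary GET/POST, handled elsewhere
    if not allow_connect:
        return "deny-connect-disabled"   # tunnelling switched off entirely
    if ipaddress.ip_address(client_ip) not in INTERNAL_NET:
        return "deny-external-client"    # public-side use of the proxy
    if not authenticated:
        return "deny-unauthenticated"
    tgt = connect_target(target)
    if tgt is None or tgt[1] not in ALLOWED_CONNECT_PORTS:
        return "deny-port"               # e.g. :25, an SMTP relay via the tunnel
    return "allow"
```

Counting "deny-port" and "deny-external-client" results in the proxy log is the quickest way to answer Skip's question of whether the box is still being used as a relay.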
