Re: [squid-users] prevent squid being used as spam passthrough

From: J Webster <webster_jack_at_hotmail.com>
Date: Tue, 28 Dec 2010 18:28:04 +0100

That's pretty much what I have but is it not possible to use one of these
ports as a pass through for spam or would the receiving email servers block
it?

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

--------------------------------------------------
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
Sent: Monday, December 27, 2010 9:36 PM
To: <squid-users_at_squid-cache.org>
Subject: Re: [squid-users] prevent squid being used as spam passthrough

> On 27/12/10 09:23, J Webster wrote:
>> Is it possible for a proxy running on port 80 or 8080 to be used as a
>> pass through or zone origination for spam email?
>
> Maybe. If it has been configured as an open proxy.
> http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
>
>> We have had some users sign up with email addresses such as spambot and
>> other stuff recently. I suspect these are just bots signing up around
>> the web but got me thinking whether a proxy could be used in a chain or
>> tunneled somehow and whether that could be blocked?
>
> The default squid.conf http_access controls are designed to prevent this
> type of thing.
>
> It requires Safe_ports to list only the ports <1024 which are nown to be
> safe for proxy connections-to. As well as SSL_ports for CONNECT tunnels to
> only connect to known HTTPS ports.
>
> You can see the quid default settings at
> http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#Squid_configuration
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.10
> Beta testers wanted for 3.2.0.4
>
Received on Tue Dec 28 2010 - 17:28:22 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 28 2010 - 12:00:03 MST