Subject: Re: Apache question.
To: None <netbsd-help@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20030125T083432@wsrcc.com>
List: netbsd-help
Date: 01/25/2003 08:44:10
rkr@olib.org (Richard Rauch) writes:
> I was peering through my logs, and I saw something that made me gape
> in horror: Someone was connecting to my web-server using a CONNECT
> and going out to port 25 on a remote host.

This is one of the standard techniques for spamming these days (along
with a bunch of other raw tcp proxies like socks.)

There are also quite a few anti-spammers with lists of folks running
open proxies.

Here are the ports commonly probed by spammers for proxy services:

	# port	rationale
	# ----	---------
	# 80	Web server with unsecured/misconfigured proxy function.
	# 3128	Well known port for the "squid" web cache.
	# 8080	Well known port for the "webcache" service.
	# 8081	Well known port for the "tproxy" transparent proxy service.
	# 1080	Well known port for the "socks" proxy service.
	# 23	Well known port for the "telnet" service.
	# ----	---------
	# 6588	The AnalogX product sets up an HTTP-CONNECT proxy here.
	#	  However, the basic scan catches AnalogX with 1080/socks4.

For network admins: Chip Rosenthal's pxytest will test for proxying on
these ports. http://www.unicom.com/sw/pxytest/

-wolfgang
-- 
Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/
      Decoding genes for the sake of cloning is against the DMCA

(NOTE: The email address above is valid.  Edit it at your own peril.)
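
Added example, not part of the original message: a small log check for the situation Richard describes, listing CONNECT requests in an Apache access log and separating those the server answered with a 2xx status from those it refused. The sample log lines, addresses and hostnames are constructed, and treating a 2xx status on CONNECT as "tunnel established" is an assumption about how the server logs proxied requests.

```python
import re
from collections import Counter

# Prefix of Apache common/combined log format: client, time, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses and example hostnames).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2003:08:01:12 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
203.0.113.7 - - [25/Jan/2003:08:01:15 -0800] "CONNECT mx.example.org:25 HTTP/1.0" 200 0
198.51.100.23 - - [25/Jan/2003:08:02:40 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 312
192.0.2.10 - - [25/Jan/2003:08:03:02 -0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [25/Jan/2003:08:04:11 -0800] "CONNECT irc.example.net:6667 HTTP/1.0" 403 289
""".splitlines()

def scan_connects(lines):
    """Split CONNECT requests into relayed (2xx, assumed tunnelled) and refused."""
    relayed, refused = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, sep, port = m["target"].rpartition(":")
        if not sep:  # malformed target with no ":port" part
            host, port = m["target"], ""
        hit = {"client": m["client"], "time": m["time"], "host": host,
               "port": int(port) if port.isdigit() else None,
               "status": int(m["status"])}
        (relayed if 200 <= hit["status"] < 300 else refused).append(hit)
    return relayed, refused

def summarize(lines):
    """Count relayed/refused CONNECTs and the clients tunnelled to port 25 (SMTP)."""
    relayed, refused = scan_connects(lines)
    smtp = Counter(h["client"] for h in relayed if h["port"] == 25)
    return {"relayed": len(relayed), "refused": len(refused),
            "smtp_relay_clients": dict(smtp)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any entry under `smtp_relay_clients` means the proxy function needs to be disabled or restricted; refused entries are probes that the server turned away.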