Ok, well partly my fault, but anyway it appears as though the Astaro implementation of Squid proxy allows miscreants to use HTTP-CONNECT to tunnel SMTP and perhaps other ports via the proxy service.
I had allowed external axx to the proxy port 8080, which created a nice heavy load of spam on the ISP's network. Unfortunately this coincided with me going away on holiday only to return to a pile of high utilisation errors and an email from the ISP.
Anyway Mr Astaro how about preventing abuse of the proxy like the SQUID project do anyway..
This is quoted from section 10.14 in the SQUID FAQ
"It is dangerous to allow Squid to connect to certain port numbers. For example, it has been demonstrated that someone can use Squid as an SMTP (email) relay. As I'm sure you know, SMTP relays are one of the ways that spammers are able to flood our mailboxes. To prevent mail relaying, Squid denies requests when the URL port number is 25. Other ports should be blocked as well, as a precaution.
There are two ways to filter by port number: either allow specific ports, or deny specific ports. By default, Squid does the first. This is the ACL entry that comes in the default squid.conf:
acl Safe_ports port 80 21 443 563 70 210 1025-65535
http_access deny !Safe_ports
The above configuration denies requests when the URL port number is not in the list. The list allows connections to the standard ports for HTTP, FTP, Gopher, SSL, WAIS, and all non-priveleged ports.
Another approach is to deny dangerous ports. The dangerous port list should look something like:
acl Dangerous_ports 7 9 19 22 23 25 53 109 110 119
http_access deny Dangerous_ports
...and probably many others. "
Anyway Im not denying my culpability, however given Squid blocks this by default, why doesnt Astaro???
Rich
This thread was automatically locked due to age.
